Selective route for an application

bluemouseios

New Around Here
I tried my best to do a search but had no luck, so I have to ask here. Let me know if my question was posted before and I just did not find it myself.

My router runs Merlin v384.11_2, and I also run aria2c on the router for torrenting. I have two OpenVPN client configs, for TCP and UDP respectively. When the two VPN clients are enabled, all my traffic goes through the VPN server flawlessly.

However, I'd like to configure it so that only the torrent traffic goes through the VPN while other traffic still goes out the WAN. Is there a way to configure that? I looked at iptables but am clueless about it.

If the torrent client were running on a different server with a different IP address, I know I could configure it through selective routing, but since the torrent client is on the router itself, it has the IP 192.168.1.1.

Is it possible to configure iptables to route a port through the VPN interface (e.g. tun12 in my case) while everything else goes through the WAN (eth0)?

Here is the routing table with the two VPN clients enabled:
Code:
admin@nas:/tmp/home/root# netstat -rn
Kernel IP routing table
Destination       Gateway         Genmask         Flags   MSS Window  irtt Iface
67.(wan ip)       0.0.0.0         255.255.255.255 UH        0 0          0 eth0
23.(vpn server1)  67.x.x.1        255.255.255.255 UGH       0 0          0 eth0
23.(vpn server2)  67.x.x.1        255.255.255.255 UGH       0 0          0 eth0
10.28.16.0        0.0.0.0         255.255.255.0   U         0 0          0 tun11
192.168.1.0       0.0.0.0         255.255.255.0   U         0 0          0 br0
10.28.15.0        0.0.0.0         255.255.255.0   U         0 0          0 tun12
67.x.x.0          0.0.0.0         255.255.254.0   U         0 0          0 eth0
127.0.0.0         0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0           10.28.15.1      128.0.0.0       UG        0 0          0 tun12
128.0.0.0         10.28.15.1      128.0.0.0       UG        0 0          0 tun12
0.0.0.0           67.x.x.1        0.0.0.0         UG        0 0          0 eth0
 
This can be configured in the VPN client settings using "Policy based routing". See the RMerlin Wiki how to article.
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
 
Hi Butterfly, thanks for the reply.

However, I've actually tried the method in the wiki, as well as the alternate manual method, and neither works. I believe the main reason is that the app is running on the router itself, so setting a policy with source IP 192.168.1.1 won't work; maybe there are other rules overriding it, I am not sure.

The policies I've set, with Redirect Internet traffic = Policy Rules (strict):
  • Source IP=192.168.1.1 Dest IP=0.0.0.0 iface=VPN (this rule does not work, though it is what I want, since the app is running on that address)
  • Source IP=192.168.1.187 Dest IP=0.0.0.0 iface=VPN (this rule works perfectly but is not what I need)

Not sure if this Aria2c application thread is of help: Aria2c command to download thru VPN tunnel

However, if there are ports uniquely specific to the Aria2c application that can be identified, then see the Wiki article Selective Port Routing.
 
Problem solved; the solution is much easier. I just needed to create a br0 alias with a different IP and bind aria2 to that IP, then I can use a policy rule to route that IP to the VPN only.

1. Set the DHCP range to start from 192.168.1.10, so that 192.168.1.[2-9] are reserved
2. Add one line to /opt/etc/init.d/S81aria2 and update the args to bind to the new IP
Code:
ifconfig br0:0 192.168.1.2 up    # create a br0 alias with the reserved ip
ARGS="--conf-path=/opt/etc/aria2.conf --interface=192.168.1.2"    # bind aria2's sockets to the alias
3. In the admin UI for the OpenVPN client, set the following rule:
Source IP=192.168.1.2 Dest IP=0.0.0.0 iface=VPN
4. Restart the router

I've tested with ipleak.net and it works. The only issue left is that aria2 seems to start before the VPN client, so the first connections still go through the WAN and then quickly switch to the VPN.

Is there a way to delay the /opt/etc/init.d/ service so it starts after the VPN client is up and running?
 
The only issue left is that aria2 seems to start before the VPN client, so the first connections still go through the WAN and then quickly switch to the VPN.
If you have the kill switch enabled for the VPN, then the Aria2c alias will not have access to the WAN.

Alternatively...
Is there a way to delay the /opt/etc/init.d/ service so it starts after the VPN client is up and running?
Since you now have a custom S81aria2 script, you could move it from /opt/etc/init.d/ to /jffs/scripts/ and simply call it from the openvpn-event UP script?
 
You are right. I enabled the kill switch but needed to wait for the NAT rules to be applied to make it effective.

I moved S81aria2 out and added it to /jffs/scripts/nat-start, tested a couple of times, and now there is no leak anymore during router start.

Now it is perfect. Thanks for everyone's help here!
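The procedure worked out in this thread (alias address on br0, aria2 bound to it, policy rule sending that address to the tunnel, kill switch, and starting aria2 only after the tunnel is up) pulled together as one added example script for /jffs/scripts/nat-start. This is not code from any of the posts above and not part of Asuswrt-Merlin; it assumes the routing table Merlin fills for OpenVPN client 2 is named ovpnc2, that the relocated init script is /jffs/scripts/S81aria2, and that a router-local kill switch in the OUTPUT chain is wanted (aria2 runs on the router, so its packets never traverse FORWARD, which is where LAN-client kill-switch rules apply). The route listing embedded below is constructed from the routing table posted earlier, rewritten in `ip route` format, so the tunnel check can be exercised offline.

```sh
#!/bin/sh
# Added example, not code from the thread. Run as `sh aria2-vpn.sh apply`
# from /jffs/scripts/nat-start (or from openvpn-event on route-up).
#
# Assumptions not stated in the original posts:
#   - Merlin's routing table for OpenVPN client 2 is named "ovpnc2";
#   - the init script was moved to /jffs/scripts/S81aria2;
#   - a kill switch in OUTPUT is wanted for router-local traffic.

ALIAS_IP="192.168.1.2"               # from the post: address aria2 binds to
VPN_IF="tun12"                       # from the post: OpenVPN client 2 tunnel
WAN_IF="eth0"                        # from the post: WAN interface
VPN_TABLE="ovpnc2"                   # assumption: Merlin table for client 2
ARIA_START="/jffs/scripts/S81aria2"  # assumption: relocated init script

# Constructed sample of `ip -4 route show` output, derived from the netstat
# table posted above, with the tunnel up and with it down.
SAMPLE_ROUTES_UP='0.0.0.0/1 via 10.28.15.1 dev tun12
128.0.0.0/1 via 10.28.15.1 dev tun12
10.28.15.0/24 dev tun12 proto kernel scope link src 10.28.15.2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
default via 67.0.0.1 dev eth0'
SAMPLE_ROUTES_DOWN='192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
default via 67.0.0.1 dev eth0'

# vpn_has_default IFACE: read `ip -4 route show table <t>` on stdin and
# succeed only when IFACE owns the whole default, either as a plain
# "default" route or as both OpenVPN halves 0.0.0.0/1 and 128.0.0.0/1.
vpn_has_default() {
    awk -v ifc="$1" '
        { dev = ""; for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1) }
        dev == ifc && ($1 == "0.0.0.0/1"   || $1 == "default") { lo = 1 }
        dev == ifc && ($1 == "128.0.0.0/1" || $1 == "default") { hi = 1 }
        END { exit !(lo && hi) }'
}

# wait_for_vpn TABLE IFACE [SECONDS]: poll the live table until the tunnel's
# default route appears; returns 1 on timeout so the caller can refuse to start.
wait_for_vpn() {
    table="$1"; iface="$2"; left="${3:-60}"
    while [ "$left" -gt 0 ]; do
        ip -4 route show table "$table" | vpn_has_default "$iface" && return 0
        sleep 1
        left=$((left - 1))
    done
    return 1
}

# apply_rules: delete-then-insert so nat-start may run it repeatedly.
apply_rules() {
    ifconfig br0:0 "$ALIAS_IP" up
    # Same effect as the UI policy rule "Source 192.168.1.2 -> VPN"; keep only
    # one of the two so the rule is not managed in two places.
    ip rule del from "$ALIAS_IP" lookup "$VPN_TABLE" 2>/dev/null
    ip rule add from "$ALIAS_IP" lookup "$VPN_TABLE" prio 9990
    ip route flush cache
    # Kill switch for router-local traffic: packets sourced from the alias may
    # never leave on the WAN interface, tunnel up or not. Replies to LAN
    # clients over br0 (e.g. the aria2 RPC port) are unaffected.
    iptables -D OUTPUT -s "$ALIAS_IP" -o "$WAN_IF" -j DROP 2>/dev/null
    iptables -I OUTPUT -s "$ALIAS_IP" -o "$WAN_IF" -j DROP
}

# start_aria2_via_vpn: leave aria2 stopped if the tunnel never comes up,
# rather than start it with a first connection that leaks via the WAN.
start_aria2_via_vpn() {
    apply_rules
    if wait_for_vpn "$VPN_TABLE" "$VPN_IF" 60; then
        "$ARIA_START" start
    else
        logger -t aria2-vpn "$VPN_IF has no default route in $VPN_TABLE; aria2 not started"
        return 1
    fi
}

# Entry point: only acts when called with "apply", so the file can also be
# sourced to reuse the functions.
case "${1:-}" in
    apply) start_aria2_via_vpn ;;
esac
```

In "Redirect Internet traffic = All" mode the tunnel's half-default routes sit in the main table (as in the netstat output posted above), so the check would be `wait_for_vpn main tun12`; in policy-rule mode they live in the client's own table, which is why the table is a parameter. The kill switch here only covers packets the router itself generates from the alias; LAN clients routed to the tunnel still rely on the firmware's own kill switch in FORWARD.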
 