Selective Routing with Asuswrt-Merlin


@Martineau, thanks for the script. Again it is not working for me. How did you save this file? openvpn-event or wan-start?

I just see this entry in my log:

(openvpn-event): 5209 VyprVPN Selective customisation starting.... /jffs/scripts/openvpn-event tun11 1500 1542 10.9.1.33 255.255.0.0 init.^M
 

The script is saved as

HMA_Select.sh

Here is the Syslog, after a reboot of my RT-N66U running 374.33_Beta3b.

Because I run Dual-WAN with USB failover, I artificially ensure only the WAN instance of wan-start will perform any RT-N66U reconfiguration, and it sleeps before calling the script.


Code:
Sep 27 16:13:14 syslogd started: BusyBox v1.20.2
Sep 27 16:13:14 (syslog-move.sh): 1135 SYSLOG Housekeeping Complete..... Fri Sep 27 16:13:14 DST 2013 for /tmp/mnt/RT-N66U/Syslog/syslog.log-20130927-161314
Sep 27 16:13:14 (wan-start): 676 Martineau customisation complete....
Sep 27 16:13:14 (wan-start): 676 wan-start UNLOCKED Sat Jan 1 00:01:06 GMT 2011
Sep 27 16:22:01 (HMA_Select.sh): 1168 HMA VPN Selective customisation starting....  ./HMA_Select.sh.
Sep 27 16:22:01 (HMA_Select.sh): 1168 HMA VPN Table 100 added entry: xx.xx.xx.xx dev ppp1 proto kernel scope link src xxx.xxx.xxx.xxx
Sep 27 16:22:01 (HMA_Select.sh): 1168 HMA VPN Table 100 added entry: isp.isp.176.1 dev ppp0 proto kernel scope link src isp.isp.180.124
Sep 27 16:22:01 (HMA_Select.sh): 1168 HMA VPN Table 100 added entry: 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.100
Sep 27 16:22:01 (HMA_Select.sh): 1168 HMA VPN Table 100 added entry: 10.88.8.0/24 dev br0 proto kernel scope link src 10.88.8.1
Sep 27 16:22:01 (HMA_Select.sh): 1168 HMA VPN Table 100 added entry: 127.0.0.0/8 dev lo scope link
Sep 27 16:22:01 (HMA_Select.sh): 1168 HMA VPN default added to Table 100 for isp.isp.176.1
Sep 27 16:22:01 (HMA_Select.sh): 1168 HMA VPN Selective customisation for: $PS3_Bedroom 10.88.8.142
Sep 27 16:22:01 rc_service: service 1217:notify_rc start_vpnclient1
Sep 27 16:22:01 (HMA_Select.sh): 1168 HMA VPN Selective customisation completed.
Sep 27 16:22:01 openvpn[1224]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 22 2013
Sep 27 16:22:01 openvpn[1224]: Socket Buffers: R=[116736->131072] S=[116736->131072]
Sep 27 16:22:01 openvpn[1228]: UDPv4 link local: [undef]
Sep 27 16:22:01 openvpn[1228]: UDPv4 link remote: [AF_INET]hma.hma.hma.hma:53
Sep 27 16:22:02 openvpn[1228]: TLS: Initial packet from [AF_INET]hma.hma.hma.hma:53, sid=01234567 89abcdef
Sep 27 16:22:02 openvpn[1228]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sep 27 16:22:05 openvpn[1228]: VERIFY OK: depth=1, C=UK, ST=NR, L=Attleborough, O=Hide My butt! Pro, OU=VPN, CN=vpn.hidemyass.com, emailAddress=ca@hidemyass.com
Sep 27 16:22:05 openvpn[1228]: VERIFY OK: nsCertType=SERVER
Sep 27 16:22:05 openvpn[1228]: VERIFY OK: depth=0, C=UK, ST=NR, L=Attleborough, O=Hide My butt! Pro, OU=VPN, CN=server, emailAddress=vpn@hidemyass.com
Sep 27 16:22:11 openvpn[1228]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 27 16:22:11 openvpn[1228]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 27 16:22:11 openvpn[1228]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 27 16:22:11 openvpn[1228]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 27 16:22:11 openvpn[1228]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sep 27 16:22:11 openvpn[1228]: [server] Peer Connection Initiated with [AF_INET]hma.hma.hma.hma:53
Sep 27 16:22:13 openvpn[1228]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sep 27 16:22:16 openvpn[1228]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway hma.hma.4.1,dhcp-option DNS hma.hma.222.222,dhcp-option DNS hma.hma.220.220,ping 10,ping-restart 90,redirect-gateway def1,ifconfig xxx.xxx.xxx.21 255.255.252.0'
Sep 27 16:22:16 openvpn[1228]: OPTIONS IMPORT: timers and/or timeouts modified
Sep 27 16:22:16 openvpn[1228]: OPTIONS IMPORT: --ifconfig/up options modified
Sep 27 16:22:16 openvpn[1228]: OPTIONS IMPORT: route options modified
Sep 27 16:22:16 openvpn[1228]: OPTIONS IMPORT: route-related options modified
Sep 27 16:22:16 openvpn[1228]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sep 27 16:22:16 openvpn[1228]: TUN/TAP device tun11 opened
Sep 27 16:22:16 openvpn[1228]: TUN/TAP TX queue length set to 100
Sep 27 16:22:16 openvpn[1228]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sep 27 16:22:16 openvpn[1228]: /sbin/ifconfig tun11 10.200.5.21 netmask 255.255.252.0 mtu 1500 broadcast 10.200.7.255
Sep 27 16:22:16 openvpn[1228]: /sbin/route add -net hma.hma.114.68 netmask 255.255.255.255 gw isp.isp.176.1
Sep 27 16:22:16 openvpn[1228]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.200.4.1
Sep 27 16:22:16 openvpn[1228]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.200.4.1
Sep 27 16:22:16 openvpn[1228]: Initialization Sequence Completed

and I am able to switch the laptop as follows

Code:
Redirect U200-115 thru' the VPN....

ASUSWRT-Merlin RT-N66U_3.0.0.4 Sun Sep 22 04:50:29 UTC 2013
admin@RT-N66U:/tmp/home/root# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.88.8.115  -j MARK --set-mark 0
 
Redirect U200-115 back thru' my ISP
 
admin@RT-N66U:/tmp/home/root# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.88.8.115  -j MARK --set-mark 1
admin@RT-N66U:/tmp/home/root#
 
Wow. You really know what you are doing. I am just a noob trying to make a copy/paste. You have everything customized.

So you are calling this script before an openvpn-event and at the end you are calling start vpnclient1 for starting the service. If I place this script in wan-start, will it make any difference, or how are you calling HMA_Select.sh and when?

Edit: I finally got it to work. Don't know how exactly. But I keep getting this message:

Sep 27 22:22:56 miniupnpd[2583]: SSDP packet sender 192.168.0.254:1025 not from a LAN, ignoring

How can I resolve it?
 
Last edited:

Glad you finally got it working!

However, I'm afraid a lot of credit must go to RMerlin/Janosek and others....

....I simply cherry-pick from various talented forum members (with more technical knowledge than myself) who take the time to provide the wiki and real-world solutions to fully exploit the ASUS routers.

I personally use wan-start to execute functions such as

1. automatically authenticate with Unblock-US when the WAN IP address changes

2. email the results/status of what caused the wan-start event and the WAN IP address in case the DYNDNS update fails!

3. Set cron scripts etc.

so I don't use the OpenVPN-event.

P.S. I am not experiencing the SSDP error, but a quick Google shows several potential solutions to the SSDP issue...

http://miniupnp.tuxfamily.org/forum/viewtopic.php?p=3453

Regards,
 
conduits

One question. I have things working good with this now, but I have some firewall rules that are incoming on the non-openvpn interface. So, for example, before the VPN, I have 22, smtp, and imap open. After the VPN, these don't work anymore.

I tried some iptables commands, but i have no clue what I'm doing and it didn't work. Can you post an example of how to create an incoming rule over the non-vpn interface/ip?

Thanks!
 

Yes, it is working perfectly now. I am calling this script from wan-start.

But I couldn't figure out the problem with miniupnpd. It is flooding the system log very badly. Every 20 seconds it gives this message 10 times, and there is no working solution to this. I am stuck.
 
Last edited:
First I want to say Thank you to Merlin. Great work.
I just started using Asuswrt-Merlin coming from Tomato and DD-WRT. You included exactly the features I need to use, like OpenVPN.

I have been using the posted script for selective routing for a long time on my DD-WRT and Tomato devices. Unfortunately I was not able to get it working on my new Asus with Asuswrt. As I read, some other users have the same problem as I had: all traffic is routed through OpenVPN and no selective routing is done.

I started to check the script and had a look at the created routing table 100. There was no standard gateway set and so of course the routing could not work, as there is only a standard gateway in the main table. So all traffic use the standard OpenVPN gateway set in the main table.

After checking the nvram command "nvram get wan_gateway" there was no valid value returned, just 0.0.0.0. So I double-checked nvram show and found out there is a wan0_gateway. wan0_gateway returns the correct IP. I guess this has been implemented because of the dual WAN option of my AC56.

So for all having problems getting the script working on their device with dual_wan just use this command instead of the one posted in the script.

ip route add default table 100 via $(nvram get wan0_gateway)

Maybe wizin can add this to his post on page 2, so that other users don't need to read until my post.

Hope that this helps some of you guys.

Regards,
Marius
 
Just like wifi, the wan interface is instanced. What this means is that you have:

wan_*: what is being written by the webui when you save any settings
wan0_*: after saving, the httpd daemon copies the wan_* entries to the appropriate instance based on whether you were editing the primary (wan0_) or secondary (wan1_) WAN interface.

So, people should never use wan_* (or wl_*) when dealing with actual interface settings: always use the one that has a number. wl0_* for 2.4 GHz, wan0_ primary WAN, etc...

There might be a few exceptions for settings that are global to all interfaces, but the vast majority of the time, it's in the instanced version.
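A gateway lookup that follows the rule in RMerlin's post above and Marius's wan0_gateway finding, written as an added example for this thread rather than code from any post: it reads the instanced wan0_gateway before the un-instanced wan_gateway, rejects empty or 0.0.0.0 values, and fails loudly so a table 100 with no default route is never built. The NVRAM variable, the optional command argument and the fake_nvram stub (with its constructed 203.0.113.1 value) are assumptions so the functions can be exercised off the router.

```shell
#!/bin/sh
# Added example for this thread: pick the WAN gateway for table 100 from the
# instanced nvram key first, and never accept an empty or 0.0.0.0 value.
# NVRAM names the command used to read nvram (assumption: overridable so the
# logic can be tested without a router); wan_gateway also accepts it as $1.

NVRAM="${NVRAM:-nvram}"

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, excluding 0.0.0.0
is_ipv4() {
    addr=$1
    case "$addr" in
        ""|0.0.0.0) return 1 ;;
    esac
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# wan_gateway [NVRAM_CMD]: print the first usable gateway among the candidate
# keys (instanced wan0_gateway first, as RMerlin advises). Returns 1 when none
# is usable so the caller can abort instead of feeding a bogus address to
# "ip route add default table 100 via ...".
wan_gateway() {
    cmd=${1:-$NVRAM}
    for key in wan0_gateway wan_gateway; do
        gw=$("$cmd" get "$key" 2>/dev/null)
        if is_ipv4 "$gw"; then
            echo "$gw"
            return 0
        fi
    done
    return 1
}

# fake_nvram: constructed stand-in for nvram on a dual-WAN unit, where the
# un-instanced key reads back as 0.0.0.0 exactly as Marius observed.
fake_nvram() {
    [ "$1" = "get" ] || return 1
    case "$2" in
        wan0_gateway) echo "203.0.113.1" ;;   # constructed sample value
        wan_gateway)  echo "0.0.0.0" ;;
    esac
}

# wan_gateway_demo: runs the lookup against the stub; prints 203.0.113.1
wan_gateway_demo() {
    wan_gateway fake_nvram
}

# In the selective-routing script, replace the bare "nvram get wan_gateway" with:
#   gw=$(wan_gateway) || { logger -t "($(basename $0))" "no usable WAN gateway, aborting"; exit 1; }
#   ip route add default table 100 via "$gw"
```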
 

Would just like to add that after upgrading my N66 to the latest 374.33 merlin fw, I could not get selective routing working. Everything just went through the VPN. After adding this all-important 0, it's all working fine now. PCs and devices through WAN, AppleTV through VPN.

To expand on this further, just wondering if it is possible to add and connect to a second OpenVPN server and change the script around so that default is through wan (mark 1), IP1 goes through VPN1 (mark 0) and IP2 goes through VPN2 (mark 2?). Would be cool if possible, but even if so, not sure what effect it would have on the RT66 as far as processing power/heat/etc. as well as on overall network speed.
 
Last edited:
I just wanted to thank everyone in this thread for the helpful discussion. Based on the existing scripts here, I managed to get my home network setup exactly the way I want it to, and thought it may be useful to share it with everyone.

Code:
#!/bin/sh

# Script to route traffic from home network through VPN selectively.
# Based off the discussion at http://www.smallnetbuilder.com/forums/showthread.php?t=9311
# The setup is a Roku box, a Home PC running Plex, and a Synology NAS with a torrent client running a web interface.
# The aim is to have all traffic from Roku go through the VPN, all traffic from the Home PC (and all other devices) bypassing the VPN,
# and the Synology NAS using the VPN. There are however some exceptions. Since Plex uses port 32400, Roku has to bypass the VPN when
# using that port. In addition, port 9091 has to bypass the VPN as well in order to access the Synology torrent client. Lastly, ports 5000
# and 5001 have to bypass the VPN for the Synology Management UI.
#
# Requirements: Asuswrt-Merlin with OpenVPN already set up

logger -t "($(basename $0))" $$ "ExpressVPN Selective Customization Starting... $0${*:+ $*}."

PC_Home="192.168.1.50"        # takes the default (WAN) path, so no rule is needed for it
Synology_NAS="192.168.1.51"
Roku="192.168.1.52"

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
# List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
# Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING

#
# Disable Reverse Path Filtering on all current and future network interfaces,
# otherwise the kernel drops replies that arrive on an interface other than the one
# the policy route would have chosen.
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
tun_if="tun11"    # OpenVPN client 1; client 2 would be tun12

ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
| while read ROUTE ; do
    ip route add table 100 $ROUTE
    logger -t "($(basename $0))" $$ "ExpressVPN Table 100 added entry: $ROUTE"
done

# WAN settings are instanced on Asuswrt-Merlin: wan0_gateway holds the primary WAN gateway,
# while the un-instanced wan_gateway can read back as 0.0.0.0 (notably on dual-WAN models),
# which would leave table 100 without a default route and push everything through the VPN.
ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# By default all traffic bypasses the VPN (mark 1 = table 100 = WAN gateway).
# Later PREROUTING rules overwrite the mark, so the order below is the policy.
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ "Selective customisation for: \$Roku $Roku"
# By default Roku uses the VPN (mark 0 = main table = VPN default route)
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $Roku -j MARK --set-mark 0

logger -t "($(basename $0))" $$ "Selective customisation for: \$Synology_NAS $Synology_NAS"
# By default Synology uses the VPN, and FORCES the use of the VPN tunnel except for ports 9091, 5000 and 5001:
# the DROP on the WAN interface is inserted first, then the ACCEPT is inserted above it, so only
# the listed ports may leave via eth0 (WAN) and everything else from the NAS is blocked if the tunnel is down.
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $Synology_NAS -j MARK --set-mark 0
iptables -I FORWARD -i br0 -s $Synology_NAS -o eth0 -j DROP
iptables -I FORWARD -i br0 -s $Synology_NAS -o eth0 -p tcp -m multiport --ports 9091,5000,5001 -j ACCEPT

# Ports 22 (SSH), 9091 (Torrent RPC/WebUI), 5000/5001 (Synology UI) and 32400 (Plex) will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --ports 22,9091,5000,5001,32400 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ "ExpressVPN Selective Customization completed."

I name it as openvpn-event and place it in the scripts folder. Also made a gist for this: https://gist.github.com/Wysie/7487571
 
Small issue I noticed, whenever I make any changes via the web interface on port forwarding (and possibly other areas), all my traffic ends up routing through VPN and I need to reboot the router to have it back the way I want.
 
Thanks.... this looks pretty good.
So all I need to do is to setup the VPN client then name the above script as openvpn-event in /jffs?

How would this play out if I am also doing the following ?
- Running my Asus as OpenVPN Server so that I can VPN back home to use the LAN
- Running my Asus as OpenVPN server with all traffic from openvpn client directed through it when I am at a Wifi Hotspot
- What becomes of all my NAT/QOS rules?

Thanks. You guys are all great.
 
Hey mobileman88,

Unfortunately I haven't tinkered with the AC66 as an OpenVPN server and am not familiar with how you can go about achieving what you want.

Regarding NAT/QoS rules, it seems to be functioning well as far as I can tell.
 
Will wait for Janosek to make a proper wiki, but for extreme novice users like me: got it working with the help of Janosek and here are the steps
...
GOOD TO GO

Hi,
I am trying to run this script on my Asus RT-AC68U router (with asuswrt-merlin version 3.0.0.4.374.38_1) and I receive the following error:
RTNETLINK answers: No such process

Google seems useless. Do you have an idea what the problem is?
 
Last edited:
I was wondering whether this might help with my situation.

I have two RT-N66Us, one at home (router 1) and one at my girlfriend's home (router 2), and I'm trying to make router 2's VPN client connect to router 1's VPN server so I can have access to my LAN (HDD, PCs etc.), but I don't want the web traffic from router 2 to be forwarded to router 1.

If I just let this script run with all traffic not going through the VPN, using only
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
would I still have access to the subnet on router 1?
 

Same issue for me. I'm on 3.0.0.4.374.38_2 though.
 
The tun_if variable is set to tun11, which means the script will work for client 1. You didn't set up client 2, did you? That would be tun12.
 
