Solved: Protocol based VPN ( Port 5060 Blocked )


Asad Ali

Very Senior Member
Hello, so my ISP is blocking the SIP/UDP protocol. Is there any way I can set up a VPN server just for that protocol? I don't want to disturb any other traffic going through the router. Hopefully I am making some sense to you guys lol.
 
Are you sure they are actually blocking UDP? Because DNS, one of the building blocks of the Internet, relies on UDP traffic.
 
They are not blocking the UDP protocol totally, only SIP/UDP; SIP/TCP is open and accessible on my ISP.
 

If you are using a SIP client to connect to a specific server, try a VPN policy rule for the IP address of the SIP server.

Make sure you use UDP - OpenVPN's TCP support can be problematic with SIP (or that's at least what an engineer recently told me at a customer meeting - I was a bit skeptical but didn't argue with him...)
 

Hello, I've tried that and it is partially working, so is there any way I can also add a port with my SIP server address? Like 114.x.x.x:5060
 
Also, is there a way to add a policy based on ports, like all the traffic going to port 5060 will go via the VPN? I think that will solve all the problems.
 

No. Policy rules work at the routing level; they cannot deal with ports.
 
Note: "Don't use the script in this post; read the further posts below for a better option."

First of all, thanks RMerlin for the awesome work you're doing, and for helping me with my problem and guiding me in the correct direction.

Okay, so my problem is that my ISP is blocking UDP port 5060, and as I am using a mobile app for VoIP which doesn't have any option for changing ports, the only way I have is to do it myself at the router level.

What I ended up doing is using OpenVPN with selective routing (policy-based routing) to ONLY route traffic on UDP port 5060 to the VPN and have everything else on my network bypass it. This way I can use my Internet directly without compromising any speeds due to OpenVPN, I can access my router via WAN without any issues, and I can use my ISP's public IP.

So if any of you want to do the same thing, this is what I ended up doing:

Set up OpenVPN on your router and make sure it's working. After that, make an "openvpn-event" script to handle all the routing, and make sure you add "route-nopull" in your OpenVPN "Custom Configuration" box.

(I am not the creator of this script; I just found it on the forum here and edited it a little bit for my issue.)

Code:
#!/bin/sh

sleep 2

# Tear down anything left from a previous run: table 10 (VPN), table 12 (WAN),
# their fwmark rules, and the mangle PREROUTING chain.
# Note: '-F PREROUTING' flushes EVERY rule in that chain, not just the two added below.
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

# Address of the OpenVPN client 1 tunnel interface
tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')

# Table 10: default route via the tunnel; table 12: default route via the ISP gateway
ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

# Disable reverse-path filtering on the tunnel so replies are not dropped
echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

# Mark all LAN traffic for the WAN table, then override UDP/5060 with the VPN mark
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 5060 -j MARK --set-mark 10

exit
 

As previously posted, the script template you have used is flawed and should not be used; see https://www.snbforums.com/threads/a...through-vpn-settings.41047/page-2#post-348358

For selective port routing, do not add 'route-nopull' to the OpenVPN Client 'Custom Configuration', but simply modify

/jffs/scripts/nat-start
e.g.
Code:
VPN_ID=1       # VPN Client #; Change to the appropriate VPN Client to be used (1-5, if available)
DPORT=5060     # Port number (or CSV list of ports) to be routed via VPN Client #

TAG_MARK=0x${VPN_ID}000
PRIO=999${VPN_ID}
 
ip rule del prio $PRIO 2> /dev/null
ip rule add from 0/0 fwmark $TAG_MARK/$TAG_MARK table 11$VPN_ID prio $PRIO

ip route flush cache

iptables -t mangle -D PREROUTING -i br0 -p udp -m multiport --dport $DPORT -j MARK --set-mark $TAG_MARK/$TAG_MARK 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 -p udp -m multiport --dport $DPORT -j MARK --set-mark $TAG_MARK/$TAG_MARK

NOTE: For advanced Selective routing, rather than have explicit PREROUTING rules for IPs/Ports/MAC addresses, they can be defined in custom IPSETs, although you do lose the ability to visually quickly identify/track the number of successful matching 'hits'.
 
As previously posted; the script template you have used is flawed and should not be used see https://www.snbforums.com/threads/a...through-vpn-settings.41047/page-2#post-348358

For Selective Port routing do not add 'route-nopull' to the OpenVPN Client 'Custom Configuration' but simply modify

/jffs/scripts/nat-start
e.g.
Code:
VPN_ID=1       # VPN Client #; Change to the appropriate VPN Client to be used (1-5, if available)
DPORT=5090     # Port number (or CSV list of ports) to be routed via VPN Client #

TAG_MARK=0x${VPN_ID}000
PRIO=999${VPN_ID}
 
ip rule del prio $PRIO 2> /dev/null
ip rule add from 0/0 fwmark $TAG_MARK/$TAG_MARK table 11$VPN_ID prio $PRIO

ip route flush cache

iptables -t mangle -D PREROUTING -i br0 -p tcp -m multiport --dport $DPORT -j MARK --set-mark $TAG_MARK/$TAG_MARK 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport $DPORT -j MARK --set-mark $TAG_MARK/$TAG_MARK

NOTE: For advanced Selective routing, rather than have explicit PREROUTING rules for IPs/Ports/MAC addresses, they can be defined in custom IPSETs, although you do lose the ability to visually quickly identify/track the number of successful matching 'hits'.

Thanks for telling me about my flawed script, but unfortunately the new way you told me is way above my current knowledge, so can you please tell me step by step what I need to do here? Thanks.

I just want to route the traffic on UDP port 5060 via the VPN and EVERYTHING ELSE on my network via the WAN. I do want to use my ISP's public IP and DNS, and I also want to access my router via the WAN.

The script I posted above allowed me to do all of this, but how can I change it to the new way you told me?

Best Regards!!
 

Obviously you may continue to use your custom script as-is in your environment, but please do not recommend it to others.

Since you were able to copy'n'paste the flawed script and tweak it for your needs, I assume you are more than capable of simply copy'n'pasting the code I provided 'as-is' (no modifications required) into the relevant script to see if it also meets your requirements.

NOTE: You will need to enable 'Policy Rules' in the OpenVPN Client GUI to have the firmware configure the correct routing tables etc.
 
Thanks for replying.

I'm just confused: do I have to make a new nat-start script with your script contents and remove the openvpn-event script and route-nopull from the OpenVPN configuration?

Or just remove route-nopull from the configuration box and use both scripts?
 

Simply enabling 'Policy Rules' mode in the OpenVPN Client GUI creates the robust environment for selective routing.

However, the GUI (currently) does not support Selective routing of Ports (nor MAC addresses / IPSETs).

So disable the openvpn-event script and remove 'route-nopull' from the OpenVPN configuration.

At this point, when the OpenVPN client is started, ALL traffic will be via the WAN until the two rules are added, either by the nat-start script or manually entered via the command line:
Code:
ip rule add from 0/0 fwmark 0x1000/0x1000 table 111 prio 9991

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 5060 -j MARK --set-mark 0x1000/0x1000
 
Thanks a lot for replying again, now I understand a lot more what I need to do here. I'll play with it and report back.
 
OK, so I used your way now and it's working great, thanks a lot. Just two lines of code replace twenty lines lol.

I just changed the "nat-start" script to use a different port protocol and number.

Code:
#!/bin/sh

ip rule add from 0/0 fwmark 0x1000/0x1000 table 111 prio 9991

iptables -t mangle -A PREROUTING -i br0 -p udp -m multiport --dport 5060 -j MARK --set-mark 0x1000/0x1000

By the way, when I manually stop the VPN I see two errors in the web log, and according to my search it's due to some permission issues, so is there any way I can fix them? I don't think I am getting any issues due to that, but I just don't like errors hehe

Code:
Oct 15 04:53:28 rc_service: httpd 480:notify_rc stop_vpnclient1
Oct 15 04:53:29 openvpn[22585]: event_wait : Interrupted system call (code=4)
Oct 15 04:53:29 openvpn[22585]: vpnrouting.sh tun11 1500 1557 10.211.2.5 10.211.2.6 init
Oct 15 04:53:29 openvpn-routing: Configuring policy rules for client 1
Oct 15 04:53:29 openvpn[22585]: /usr/sbin/ip route del 222.97.145.240/32
Oct 15 04:53:29 openvpn[22585]: /usr/sbin/ip route del 0.0.0.0/1
Oct 15 04:53:29 openvpn[22585]: ERROR: Linux route delete command failed: external program exited with error status: 2
Oct 15 04:53:29 openvpn[22585]: /usr/sbin/ip route del 128.0.0.0/1
Oct 15 04:53:29 openvpn[22585]: ERROR: Linux route delete command failed: external program exited with error status: 2
Oct 15 04:53:29 openvpn[22585]: Closing TUN/TAP interface
Oct 15 04:53:29 openvpn[22585]: /usr/sbin/ip addr del dev tun11 local 10.211.2.5 peer 10.211.2.6
Oct 15 04:53:29 openvpn[22585]: SIGTERM[hard,] received, process exiting
 
Also, just for my own understanding, if I call this script from "openvpn-event" instead of "nat-start", are there any issues in doing that?

Because I assume "nat-start" only runs once on reboot, so what if the VPN gets disconnected or I disconnect it myself? Will the "nat-start" script run again like "openvpn-event", or is it not needed?
 
No, it's not a permissions problem. vpnrouting.sh cleans up and deletes the added routes; then openvpn tries to delete the same routes and complains when it can't find them. Just ignore the error.
 
Ah OK, thanks. Also, can you please clear up my doubt in post #16 :)
 

In an ideal world, once set, the selective routing fwmark rules (when added to the '-t mangle' PREROUTING chain) would be permanent.

If you manually stop the OpenVPN Client, you can prove to yourself that both the PREROUTING and RPDB rules correctly remain.

Unfortunately, if you have a TrendMicro enabled router, the DPI engine will arbitrarily flush the '-t mangle' PREROUTING chain, wiping out your selective port fwmark routing.

So using nat-start ensures that if the DPI (flush) engine runs, your custom selective port routing commands will be reapplied.

NOTE: I believe the DPI engine will randomly kick in when required by TrendMicro (@02:00?) to perform its signature housekeeping, i.e. it doesn't happen every day.

However, now that you have proved that the two (safe) rules are way better than a flawed script, you should now prudently add the appropriate logic to the openvpn-event 'route-up' script:

i.e. check whether the expected selective port routing rules are missing; if so, re-add them.

NOTE: Ideally you should create a separate script such as 'VPNPortRouting.sh' (which is then called from both nat-start and vpnclient1-route-up) to ensure that your Selective Port routing tagging will hopefully survive any unexpected event.
 

Alright, so what I did now is create a "VPNPortRouting.sh" file in /jffs/scripts/, and I am calling it from "nat-start" like this:

Code:
#!/bin/sh

sh /jffs/scripts/VPNPortRouting.sh

And then in the "openvpn-event" file I added this code (found it on this forum):

Code:
#!/bin/sh

scr_name="$(basename $0)[$$]"

# Map the tunnel interface OpenVPN passes in $dev to a client/server name
case "$dev" in
    "tun11") vpn_name="client1" ;;
    "tun12") vpn_name="client2" ;;
    "tun13") vpn_name="client3" ;;
    "tun14") vpn_name="client4" ;;
    "tun15") vpn_name="client5" ;;
    "tun21") vpn_name="server1" ;;
    "tun22") vpn_name="server2" ;;
    *)       vpn_name="" ;;
esac

# Call the appropriate script based on script_type (e.g. vpnclient1-route-up)
vpn_script_name="vpn$vpn_name-$script_type"

# Check script state / use nvram to save the last script run
vpn_script_state=$(nvram get vpn_script_state)
nvram set vpn_script_state="$vpn_script_name"
if [ "$vpn_script_name" = "$vpn_script_state" ]; then
    echo "VPN script $vpn_script_name already run" | logger -t "$scr_name"
    exit 0
fi

if [ -f "/jffs/scripts/$vpn_script_name" ]; then
    sh "/jffs/scripts/$vpn_script_name" "$@"
else
    echo "Script not defined for event: $vpn_script_name" | logger -t "$scr_name"
    exit 0
fi

exit 0

This way I'm calling the required "vpnclient1-route-up", so I want to know: is this still the preferred method to call this file? I'm just new to all this and trying to learn myself :)

Thanks for all the help :)
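Martineau's advice (one VPNPortRouting.sh, called from both nat-start and vpnclient1-route-up, that re-adds the two selective routing rules only when they are missing) and Asad Ali's nat-start hook both describe that script without showing its contents. Below is an added example of such a script, written for this edit; it is not code from the thread or from the Asuswrt-Merlin project. It keeps the thread's conventions (fwmark 0x${VPN_ID}000, routing table 11${VPN_ID}, rule priority 999${VPN_ID}, LAN on br0, OpenVPN client with 'Policy Rules' enabled) and assumes the router's iptables supports the -C (check) option. The environment-variable names, the 'apply' argument, the validate() helper and the dry-run default are this example's own choices.

```shell
#!/bin/sh
# /jffs/scripts/VPNPortRouting.sh   (added example, not code from the thread)
#
# Selective port routing for Asuswrt-Merlin: tag LAN traffic to the chosen
# destination port(s) with a per-client fwmark so the RPDB sends it through
# OpenVPN client VPN_ID, while everything else keeps using the WAN.
# Convention from the thread: fwmark 0x${VPN_ID}000, table 11${VPN_ID},
# rule priority 999${VPN_ID}.  Table 11N exists only when the OpenVPN
# client has 'Policy Rules' enabled.  Assumes iptables supports '-C'.
#
# Usage:  VPNPortRouting.sh          -> print the two commands (dry run)
#         VPNPortRouting.sh apply    -> add only the rules that are missing

VPN_ID="${VPN_ID:-1}"        # OpenVPN client number, 1-5
PROTO="${PROTO:-udp}"        # udp or tcp
DPORT="${DPORT:-5060}"       # single port or CSV list, e.g. 5060,5061
LAN_IF="${LAN_IF:-br0}"      # LAN bridge whose traffic gets tagged

tag_mark()    { printf '0x%s000\n' "$1"; }   # 0x1000 for client 1
route_table() { printf '11%s\n'    "$1"; }   # 111 for client 1
rule_prio()   { printf '999%s\n'   "$1"; }   # 9991 for client 1

# Refuse anything outside the convention before touching the RPDB or iptables.
validate() {
    case "$1" in 1|2|3|4|5) ;; *) return 1 ;; esac
    case "$2" in udp|tcp) ;; *) return 1 ;; esac
    case "$3" in ''|*[!0-9,]*) return 1 ;; esac   # digits and commas only
    return 0
}

# Emit the two commands, one per line, for inspection before applying.
routing_cmds() {
    vpn=$1; proto=$2; ports=$3; lan=${4:-br0}
    mark=$(tag_mark "$vpn"); table=$(route_table "$vpn"); prio=$(rule_prio "$vpn")
    printf 'ip rule add from 0/0 fwmark %s/%s table %s prio %s\n' \
        "$mark" "$mark" "$table" "$prio"
    printf 'iptables -t mangle -A PREROUTING -i %s -p %s -m multiport --dport %s -j MARK --set-mark %s/%s\n' \
        "$lan" "$proto" "$ports" "$mark" "$mark"
}

# Idempotent apply: safe from nat-start, from vpnclientN-route-up, and after
# the TrendMicro DPI engine has flushed the mangle PREROUTING chain.
apply_routing() {
    vpn=$1; proto=$2; ports=$3; lan=${4:-br0}
    mark=$(tag_mark "$vpn"); table=$(route_table "$vpn"); prio=$(rule_prio "$vpn")
    added=0
    # RPDB rule: match on the priority the thread's convention reserves for it
    if ! ip rule show | grep -q "^${prio}:"; then
        ip rule add from 0/0 fwmark "$mark/$mark" table "$table" prio "$prio" && added=$((added + 1))
    fi
    # mangle rule: '-C' returns 0 if an identical rule is already present
    if ! iptables -t mangle -C PREROUTING -i "$lan" -p "$proto" -m multiport --dport "$ports" \
            -j MARK --set-mark "$mark/$mark" 2>/dev/null; then
        iptables -t mangle -A PREROUTING -i "$lan" -p "$proto" -m multiport --dport "$ports" \
            -j MARK --set-mark "$mark/$mark" && added=$((added + 1))
    fi
    ip route flush cache
    logger -t "VPNPortRouting" "client $vpn: $proto/$ports -> table $table (rules added: $added)"
    return 0
}

if ! validate "$VPN_ID" "$PROTO" "$DPORT"; then
    echo "VPNPortRouting: invalid VPN_ID/PROTO/DPORT ($VPN_ID $PROTO $DPORT)" >&2
    exit 1
fi
case "${1:-}" in
    apply) apply_routing "$VPN_ID" "$PROTO" "$DPORT" "$LAN_IF" ;;
    *)     routing_cmds  "$VPN_ID" "$PROTO" "$DPORT" "$LAN_IF" ;;
esac
```

Call it as `sh /jffs/scripts/VPNPortRouting.sh apply` from nat-start and from vpnclient1-route-up; without `apply` it only prints the two commands it would run, so they can be inspected first. The two checks (the RPDB entry looked up by its priority, the mangle rule looked up with `iptables -C`) are what make repeated calls harmless, which is the property a VPN reconnect and the DPI flush both require; with the defaults it reproduces exactly the udp/5060 pair Asad Ali settled on.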
 
