I've got a Buffalo WHR-HP-G54 running Victek's Tomato firmware Tomato-RAF-1.28.8525_VPN. I've gotten the VPN working, but I'm wondering if there's any way to bypass the VPN selectively for certain machines, so some would connect through the VPN running on the router, and some would connect directly (bypassing the VPN). Any ideas?
First, I'll assume your router is a VPN client, and that you're redirecting Internet traffic over the VPN. Theoretically, yes, it's possible. However, I haven't heard any reports of anybody getting it to work. First, Linux supports multiple routing tables, so one may be able to set it up so some devices use an alternate routing table that isn't redirected. Second, the ROUTE iptables target is supposed to have the capability to modify the gateway used for a given packet, so one may be able to set up a rule for certain source IPs to use the regular gateway instead of the VPN gateway.
Thanks... Yes, the router is the VPN client. It sounds like there may be hope. Otherwise, plan 2 is to get a second router just for the VPN traffic and have it connect to the first non-vpn router. My router uses DHCP for the clients right now, but I think if I've got two routers on the network, I'd need to use a static IP and gateway for clients connecting to the second one.
Hi SgtPepperKSU, I have the reverse problem. There is one IP address on my LAN that I want to force to connect through the VPN tunnel to "back home" then to the internet, while I want the rest of the traffic to connect through the local router directly to the internet. For example: static IP 192.168.5.100 in North Carolina connects through client 192.168.5.1 with a VPN tunnel established to server 192.168.0.10 in NJ. All other machines at 192.168.5.xxx connect through 192.168.5.1 directly to the internet. Both routers are WRT54GL running version 1.25.
I have tried the first solution, which seemed to work. Input the script below in the firewall script tab:
Code:
ip route add default dev ppp0 table 200
ip rule add from xxx.xxx.xxx.xxx table 200
(ppp0: if your internet connection is via PPPoE; otherwise change it to your own interface name. 200: any number between 1 and 253. xxx.xxx.xxx.xxx: the PC's IP address that accesses the internet via VPN.)
Awesome! I thought what I saw indicated our builds would support that. Glad it's working. I may need to make a post on the TomatoVPN blog about this if you don't report problems after a while.
Thanks TT76, Since I am a complete NOOB here, please forgive me! I looked on the Tomato VPN interface on my remote WRT54GL and do not see a "firewall script tab". Is this a hidden menu somewhere? On the VPN tab there is an Auto/Custom drop-down selection but I do not see any place to enter the code you offered. Would it be possible to forward a single IP address using Advanced > Routing and set a static route? For example, on the remote LAN there is machine 192.168.7.100 that I want to use the internet connection on my home site. At home the gateway is 192.168.0.18 and the VPN box is 192.168.0.10. Could I configure a static route as follows:
Code:
Destination    Gateway       Subnet         Metric  Interface  Comments
192.168.7.100  192.168.0.18  255.255.255.0  0       LAN
Or should I use 192.168.0.10 as the gateway? My current routing is:
Code:
Destination  Gateway     Subnet Mask      Metric  Interface
10.8.0.5     *           255.255.255.255  0       tun11
10.7.102.1   *           255.255.255.255  0       ppp0
192.168.7.0  *           255.255.255.0    0       br0 (LAN)
192.168.3.0  10.8.0.5    255.255.255.0    0       tun11
10.8.0.0     10.8.0.5    255.255.255.0    0       tun11
192.168.0.0  10.8.0.5    255.255.255.0    0       tun11
127.0.0.0    *           255.0.0.0        0       lo
default      10.7.102.1  0.0.0.0          0       ppp0
Problems with "ip rule" commands
I've been trying to get selective routing to work with tomato-vpn v1.27vpn3.6.4b6645f6(ND) running on an ASUS WL-500G v2, but I cannot get the "ip rule" commands to work. For example, when I try to set up a rule table, I get the following error:
# ip rule add from 192.168.50.198 table 100
RTNETLINK answers: Invalid argument
I even get errors when I simply try to list the table:
# ip rule list
RTNETLINK answers: Invalid argument
Dump terminated
Is "ip rule" broken under tomato-vpn? Or is there a config option that needs to be activated? I've used the same commands to set up source routing on other Linux routers with no problem, but I can't figure out why they don't work with tomato-vpn. Any ideas about how to fix the problem?
OK, I found the firewall script tab, thanks, SgtPepperKSU. So in my case I would want this:
Code:
ip route add default dev ppp0 table 200
ip rule add from 192.168.7.100 table 200
However, will this force 192.168.7.100 to use the VPN or will it cause the device to bypass the VPN? I want to have all the devices on the 192.168.7.* network directly access the 'Net but have 192.168.7.100 connect through the VPN. Should I replace the ppp0 with tun11 in the above script to make this happen? My current routing is in the post from last night, for reference. Also, should I use Automatic or Custom firewall in the VPN > Basic tab with this script? Thanks, Tim
Does "ip rule add" work for you? I'm trying to do the same thing, but the "ip rule add" command always fails with an error (see previous post for details). What version of Tomato are you using?
I haven't actually tried this myself. It's possible that this method is only functional in the Linux 2.6 kernel builds (which I don't provide - however, TomatoUSB has flavors that include all my VPN stuff)... If that's the case and switching to the 2.6 builds is desired, investigating the iptables ROUTE target method may also work - and that target is "functional" in the builds I provide. (note: I put "functional" in quotes because the ROUTE target is a bit flaky and has been all but disowned by the people that provide iptables).
Thanks, SgtPepperKSU! I will be at the beach house in a few weeks (when it warms up a little!) and give it a try then. Will report back with results when I do so you can update the KB on this feature. Tim
It seems that everything's fine. I haven't found any problem with it. My firmware is the Teddy Bear mod k26noUSBvpn 1.28; perhaps the ip command is not included in the 1.27 version. You can try k26 1.28.
I did get a second router and dedicated it for the VPN network, running the VPN client. Systems that use it as a gateway are routed automatically over the VPN. It's working ok for my purposes.
After some more testing with various 2.4 builds, it appears that the 2.4 kernel version does NOT support the "ip rule" commands. Something must be missing from the build config, because I have used "ip rule" on other 2.4 Linux systems in the past. However, when I loaded the 2.6 kernel version (tomato-K26USB-1.28.9054MIPSR1-beta-vpn3.6) on my WL-500gp the "ip rule" commands seem to work. I haven't tested the source routing thru the VPN yet -- will report on that later.
Does the VPN 1.25 build contain the 2.6 kernel? The add route command does not seem to work with my 1.25 build. By adding the route into the firewall tab, there is no change in routing on my target device. Any suggestions as to what I should try loading into my Linksys WRT54GL router to get the 2.6 kernel? This box, of course, does not have a USB port, so I probably don't want to load a USB build, correct? Tim
BUMP... If I want to use a 1.28 VPN build containing the 2.6 kernel without USB support, which version should I try? There appear to be about 9 build versions of the Victek modification available. Some are called MIPSR2 and some are MIPSR1 - what is the difference here? This will be used on a WRT54GL V1.0.
Hi David3, So if I understand what you did... You set up a router, let's say 192.168.0.1, that connects to the WAN. This has DHCP enabled and will allow clients that connect to it to directly access the internet. You then set up a second router with a VPN client, with an address of let's say 192.168.0.2, disabled the WAN interface, assigned the gateway field to 192.168.0.1, gave it a DNS server (like 4.2.2.2) and turned off DHCP. 192.168.0.2 has a VPN client running with "redirect internet traffic" checked. For a client that is forced through the VPN tunnel you assign a static IP address, a subnet and 192.168.0.2 as the gateway. For a client that is allowed direct internet access, you let the 192.168.0.1 router do the client configuration or manually assign it a 192.168.0.1 gateway. Anything else?
That's close. I didn't think of trying to disable the WAN interface on the VPN router, though, so I'm not sure how that would work. Maybe it would be better? Here's what I did.
My main router (Router #1) has the LAN IP address set to 192.168.3.1 with a subnet mask of 255.255.255.0, and DHCP enabled (I use static DHCP as well, with all the clients including router #2 defined). Normal clients connect to this router with DHCP and get routed directly through my DSL line.
My VPN router (Router #2) has the WAN set up with a static IP address of 192.168.3.5, a subnet mask of 255.255.255.128, and a gateway of 192.168.3.1. The LAN IP address is set to 192.168.3.130 with a subnet mask of 255.255.255.128. So the VPN router's WAN connects as a normal client to router #1, except it's using a static IP address so it can be set with a more exclusive subnet mask. The WAN is on the lower portion of 192.168.3.* and the LAN is on the upper portion of 192.168.3.*. It didn't like it if the WAN and LAN overlapped. The 255.255.255.128 subnet on the VPN router is just for the router's benefit. Clients are still set to 255.255.255.0 so they can see the whole network.
I configure VPN clients with a static IP address, like 192.168.3.151 (in the upper portion of 192.168.3.*), a gateway address of 192.168.3.130, and a subnet mask of 255.255.255.0. This way, the VPN clients' internet traffic gets routed through the VPN router, and they can also still access non-VPN clients on the local network (file shares, media servers, etc.).
Here's Router #1 (main router):
Here's Router #2 (VPN router):
My main router is a Buffalo WHR-HP-G54 and my VPN router is an Asus WL-520GU. I notice the CPU gets up to around 60-70% streaming 2 Mbps over the VPN router, and I suspect it would max out around 3 Mbps. I'd probably need to upgrade to an Asus RT-N16 or similar if I wanted to go faster.
Thanks for sharing that David3. I will give your way a try in the next week or so when I am at the remote site. I will also try turning off the WAN interface in router 2 and see if that also works. I currently have a WRT54GL @192.168.0.10 running as a VPN server inside my LAN that has a 192.168.0.18 gateway. That seems to be OK with the WAN set to disabled and reusing the WAN port as a LAN port. When I get a chance to test the client running inside the LAN, I will report back to add to the community of knowledge here. Tim
I tried disabling the WAN interface on the VPN router, and setting the subnet mask to 255.255.255.0 and setting the gateway to my main router. I hadn't noticed before that the Default Gateway setting appears under the LAN when you disable the WAN. That works well, too, and it looks like a better way to do it. However, the vpnclient wasn't starting with the "Start with WAN" setting when the router first boots (makes sense, since the WAN is disabled). I added a "service vpnclient1 start" as an Init Script and "service vpnclient1 stop" as a Shutdown Script. That seems to work just as well, and the vpnclient starts when the router first boots now. Thanks for the tip.
Hi David3, GOOD CATCH! I just took a quick look at my VPN server router which is running VPN build 1.25 and the "start box" is "Start with router". However, the 1.27 version says "Start with WAN". It looks like there was a change between V1.25 and V1.27. I will need to make sure I add the init and shutdown script on the 1.27 version. Tim
The "Start with Router" vs "Start with WAN" discrepancy that causes problems for people with WAN disabled was an oversight on my part, is fixed in my GIT tree, and will be corrected in the next release. In the meantime, you've already found the correct workaround.
VPN selective routing script
I have created the script below to handle selective routing of certain IPs thru the VPN. It tags traffic based on the IP source and routes them via the VPN. When the VPN starts, it changes the default gateway to route all traffic through the VPN. So this script resets the default back to the WAN gateway. That way all the normal traffic goes thru the WAN gateway and only the specified IPs go through the VPN. It needs a little cleanup and more testing, but it seems to work. However, I cannot figure out how to save it in order to make it run automatically. It is too big to save as a custom script (max 2048 bytes) or with "nvram setfile2nvram". I could not find any hooks for VPN up/down, so I had intended to run it as a scheduled script and let it monitor the connection every minute. But I was unable to save the script because of the 2K limit. Any ideas about how to implement this script and make it run automatically? If there were some custom scripts for VPN client up/down, it would be much easier to make this work. Or even better, modify the current VPN client configuration to add a few extra boxes that would allow you to specify which IPs should be routed thru the VPN.
Code:
#!/bin/sh
# IP range to route thru VPN
VPN_IP_LIST="192.168.51.151 192.168.51.152"
VPN_DEV="tun11"   # VPN gateway device, normally "tun11" for client1
#-------------------------------------------------------------------
# exported so the awk filters below can read them via ENVIRON[]
export VPN_IP
export VPN_IP_LIST
export VPN_DEV
# get WAN gateway
GW=`nvram get wan_gateway`
# get VPN gateway (the peer address of the tunnel device's link route)
VPN_GW=`ip route show | awk '$2 == "dev" && $3 == ENVIRON["VPN_DEV"] && $4 == "proto" {print $1}'`
export VPN_GW
# get current default gateway
DEFAULT_GW=`ip route show | awk '$1 == "default" && $2 == "via" {print $3}'`
VPN_TBL=100
export VPN_TBL
if [ "$VPN_GW" != "" ]
then
  echo "VPN is active" # jjj
  # VPN is active
  # route normal traffic thru WAN gateway
  if [ "$DEFAULT_GW" != "" -a "$GW" != "" -a "$DEFAULT_GW" != "$GW" ]
  then
    echo ip route change default via $GW # jjj
    ip route change default via $GW
    FLUSH_CACHE="yes"
  fi
  # set up source routing rules to tag VPN IPs (skip rules that already exist)
  for VPN_IP in $VPN_IP_LIST
  do
    echo VPN_IP=$VPN_IP # jjj
    VPN_RULES=`ip rule show | awk '$2 == "from" && $3 == ENVIRON["VPN_IP"] && $4 == "lookup" && $5 == ENVIRON["VPN_TBL"]'`
    echo "VPN_RULES=$VPN_RULES" # jjj
    if [ "$VPN_RULES" = "" ]
    then
      echo ip rule add from $VPN_IP table $VPN_TBL # jjj
      ip rule add from $VPN_IP table $VPN_TBL
    fi
  done
  # route VPN table IPs thru VPN gateway
  VPN_ROUTES=`ip route show table $VPN_TBL | awk '$1 == "default" && $2 == "via" && $3 == ENVIRON["VPN_GW"]'`
  echo "VPN_ROUTES=$VPN_ROUTES" # jjj
  if [ "$VPN_ROUTES" = "" ]
  then
    echo ip route add default via $VPN_GW table $VPN_TBL # jjj
    ip route add default via $VPN_GW table $VPN_TBL
    FLUSH_CACHE="yes"
  fi
  if [ "$FLUSH_CACHE" = "yes" ]
  then
    ip route flush cache
    logger "Routing $VPN_IP_LIST thru VPN gateway $VPN_GW"
  fi
else
  echo "VPN is not active" # jjj
  # VPN is not active
  # delete any default VPN routes
  VPN_ROUTES=`ip route show table $VPN_TBL`
  echo "VPN_ROUTES=$VPN_ROUTES" # jjj
  if [ "$VPN_ROUTES" != "" ]
  then
    ip route del default table $VPN_TBL
    ip route flush cache
    logger "VPN not active, disabled VPN routing"
  fi
  # delete any VPN table rules (one "ip rule del" per rule found)
  VPN_RULE_IP_LIST=`ip rule show | awk '$2 == "from" && $4 == "lookup" && $5 == ENVIRON["VPN_TBL"] {print $3}'`
  echo "VPN_RULE_IP_LIST=$VPN_RULE_IP_LIST"
  if [ "$VPN_RULE_IP_LIST" != "" ]
  then
    for VPN_RULE_IP in $VPN_RULE_IP_LIST
    do
      echo "VPN_RULE_IP=$VPN_RULE_IP" # jjj
      echo ip rule del table $VPN_TBL # jjj
      ip rule del table $VPN_TBL
    done
    logger "Deleted entries from VPN rule table"
  fi
fi
Please note that this script only works with the K26 version, as the K24 version does not implement the "ip rule" commands correctly.
Wow, that would be excellent if everything could work on one router with that script! I have an Asus N16 on order, so maybe I'll try the script with it once I receive it. If I remove the comments and extra spaces/formatting from your script, it gets the size down to 1,982 bytes, so maybe that would work for saving it as a custom script?
At least for my purposes, I leave the VPN up all the time. And if it stops for some reason, it's preferable that the systems being routed through the VPN remain down until the VPN is back up. So that might simplify things.
Great! Thanks for your work! There are VPN up/down hooks. Just add "up /path/to/script.sh" and/or "down /path/to/script" to the VPN custom config. However, the up/down script is already taken if you use the "Accept DNS" options. If you do, you can disable "Accept DNS" and call /rom/openvpn/updown.sh (with proper parameters) from your script. If you can't get it small enough to fit in NVRAM/JFFS, you can always save it to a CIFS share.
What does the "Accept DNS configuration" option do? Mine is set to "Exclusive" but I don't understand what it does and whether I really need it. I noticed the /rom/openvpn/updown.sh script earlier, but I couldn't figure out how it was called. How are parameters passed to it? I saw that the script referenced a variable named "$script_type" but I was unable to determine where this was set. I've trimmed my script to under 2K and I'll play with the VPN up/down hooks you mentioned. If I can figure out how the current updown.sh script works, I may be able to modify it to include my routing functions or create a wrapper script that calls it. Will report back in a few days -- gotta do some work to pay the bills right now.
Search for "--up cmd" in the OpenVPN documentation for details on how up/down scripts are called.
Accept DNS:
Disabled: Ignores DNS stuff sent from server
Relaxed: Adds the DNS servers sent from the server to our list, but doesn't guarantee that they're always used (dnsmasq, by default, tries to use the fastest in the list)
Strict: Adds the DNS servers sent from the server to the top of our list, and instructs dnsmasq to use the servers in order (so the added entries will always be used until they fail)
Exclusive: Adds the DNS servers sent from the server to our list, and removes the existing ones (so the only DNS servers we know about are the ones sent from the server)
Can I use any of the OpenVPN options in the custom configuration section? Or does it only support certain options? Instead of using "--up cmd" I'd prefer to use "--route-up cmd" Could I do this by adding "route-up /path/to/my-route-up.sh" to custom config?
After some testing, it appears that I can use the custom configuration to specify a "route-up" script, which should make things fairly simple. Am working on modifying my current script so that it will be called automatically when the VPN goes up or down.
Sounds like you've already figured it out, but you can use any of the commands there (just drop the leading --). Whatever is in the custom config section just gets tacked on to the end of the auto-generated config built from the GUI input.
Thanks for confirming that information. I had suspected that was how it works, but didn't want to hack through the source code to make sure. One thing I'm trying to figure out... If I specify new "up" and "down" scripts, will they replace the /rom/openvpn/updown.sh script and prevent it from being called? If so, then my scripts include the original script to make sure it is still called.
You'll have to do trial and error there. I'm not sure, if the config file contains multiple "up" and "down" directives whether the first will be used, the last will be used, or if an error will be given.
I have selective VPN routing working with Tomato running the 2.6 kernel... First, save the following script as /root/vpn_route.sh
Code:
#!/bin/sh
# OpenVPN sets script_type, dev, route_vpn_gateway, route_net_gateway and
# route_gateway_N in the environment when it calls a hook script.
# Keep Tomato's own up/down handling (DNS etc.) when we replace its hook.
if [ "$script_type" = "up" -o "$script_type" = "down" ]
then
  /rom/openvpn/updown.sh
fi
# Pick the IP list and routing table for client1 or client2.
if [ "$route_gateway_1" != "" ]
then
  VPN_IP_LIST=$(nvram get vpn_client1_ip_list)
  VPN_TBL=$(nvram get vpn_tbl_1)
  if [ "$VPN_TBL" = "" ]
  then
    VPN_TBL=101
  fi
elif [ "$route_gateway_2" != "" ]
then
  VPN_IP_LIST=$(nvram get vpn_client2_ip_list)
  VPN_TBL=$(nvram get vpn_tbl_2)
  if [ "$VPN_TBL" = "" ]
  then
    VPN_TBL=102
  fi
fi
export VPN_GW VPN_IP VPN_TBL
# delete rules for IPs not on list
IP_LIST=`ip rule show|awk '$2 == "from" && $4=="lookup" && $5==ENVIRON["VPN_TBL"] {print $3}'`
for IP in $IP_LIST
do
  DEL_IP="y"
  for VPN_IP in $VPN_IP_LIST
  do
    if [ "$IP" = "$VPN_IP" ]
    then
      DEL_IP=
    fi
  done
  if [ "$DEL_IP" = "y" ]
  then
    ip rule del from $IP table $VPN_TBL
  fi
done
# add rules for any new IPs
for VPN_IP in $VPN_IP_LIST
do
  IP_LIST=`ip rule show|awk '$2=="from" && $3==ENVIRON["VPN_IP"] && $4=="lookup" && $5==ENVIRON["VPN_TBL"] {print $3}'`
  if [ "$IP_LIST" = "" ]
  then
    ip rule add from $VPN_IP table $VPN_TBL
  fi
done
if [ "$script_type" = "route-up" ]
then
  VPN_GW=$route_vpn_gateway
else
  VPN_GW=127.0.0.1   # if VPN down, block VPN IPs from WAN
fi
# delete VPN routes (the ones OpenVPN pushed into the main table)
NET_LIST=`ip route show|awk '$2=="via" && $3==ENVIRON["VPN_GW"] && $4=="dev" && $5==ENVIRON["dev"] {print $1}'`
for NET in $NET_LIST
do
  ip route del $NET dev $dev
done
# route VPN IPs thru VPN gateway
if [ "$VPN_IP_LIST" != "" ]
then
  ip route del default table $VPN_TBL
  ip route add default via $VPN_GW table $VPN_TBL
  logger "Routing $VPN_IP_LIST via VPN gateway $VPN_GW"
fi
# route other IPs thru WAN gateway
if [ "$route_net_gateway" != "" ]
then
  ip route del default
  ip route add default via $route_net_gateway
fi
ip route flush cache
exit 0
Make it executable and save in NVRAM:
Code:
chmod 755 /root/vpn_route.sh
nvram setfile2nvram /root/vpn_route.sh
nvram commit
Now configure the "Custom Configuration" section of the VPN Client Configuration:
Code:
script-security 2
route-up /root/vpn_route.sh
down /root/vpn_route.sh
You can specify the IPs you want routed through the VPN by setting the vpn_client1_ip_list variable:
Code:
nvram set vpn_client1_ip_list="192.168.1.10 192.168.1.11 192.168.1.12"
nvram commit
If you change the value of vpn_client1_ip_list, you must restart the VPN to force it to read the new value. If you are using the Client 2 VPN, use the vpn_client2_ip_list variable. I have not tested Client 2, but it should work.
After doing some testing, the VPN routing seems to work. However, my VOIP phones quit working after all my trial and error experimentation. The problem seems to have something to do with the VPN or maybe my NVRAM is corrupted. All the routing tables look OK, but the VOIP phones don't register. I didn't have any problems with the VOIP phones until I started playing with the routing and VPN, so something is probably screwed up. I think I'll reload the router from scratch and see if that fixes the VOIP problem. Fortunately, I did all the work on my dev router and was able to get the phones working by just switching back to the main router (which was not touched). If anybody has any ideas about what could cause problems with the VOIP, please let me know.
After erasing NVRAM and reconfiguring the router from scratch, the VOIP problems were fixed and script in the previous post is working fine. It is now routing ONLY the specified IP addresses via the VPN. All the other IPs (like my VOIP phones) are routed via the WAN gateway.
Excuse me for not starting a new thread, but I think this is a somewhat related question. The solution to route all data from specific IPs through VPN could work for me, but I wonder if it is possible to conditionally route specified traffic through the VPN and leave all the rest to route directly? E.g. by having a list of IPs, and when an IP address on the list is requested, then all data is routed through the VPN. If all other IPs are requested, it will happen directly through WAN. Would anything like this be possible using the Tomato VPN firmware on a WRT54GL?
That's not a related question - it's the exact same question :tongue: Look just a few posts back for an example.
Ok, maybe it's just me then. So by using lfjeff's script, is it possible to specify that www.google.com (hostname or IP?) should be routed through the VPN and all other requests should be routed directly? Where can I specify which IPs get routed through VPN?
Oh, no, I didn't realize you meant destination IPs. That's a much, much simpler problem. Just add
Code:
route www.google.com
to your custom config. However, the routing table is IP-based and that will only add one of "www.google.com"'s IP addresses (whatever it resolved to when the command was run). If you want to add multiple IP addresses for one DNS name, you'll have to do it manually (separate route lines per IP). If the site you're wanting to redirect only has one IP address, then specifying the name should work fine. Of course, you can always just use the IP address anyway.
If you want to route to a "normal" website that has only one address, it would be easy to add a specific route. However, busy sites like google.com probably have a dozen or more IP addresses and they are constantly changing. You could get a list of some of the IPs by using this command:
Code:
nslookup google.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      google.com
Address 1: 72.14.204.104 iad04s01-in-f104.1e100.net
Address 2: 72.14.204.103 iad04s01-in-f103.1e100.net
Address 3: 72.14.204.147 iad04s01-in-f147.1e100.net
Address 4: 72.14.204.99 iad04s01-in-f99.1e100.net
If you wanted to get a little clever, it would be possible to write a simple script that would run under the Tomato cron and periodically look up the current IP addresses for your desired destination and add them to the routing table. It would be somewhat similar to the script I wrote above. I don't have time to write a full script right now, but here's a quick example of how to get a list of the IP addresses for google.com and add them to the routing table for the VPN gateway:
Code:
VPN_GW="1.2.3.4"   # IP address of VPN gateway
# third field of each "Address N:" line is the IP; skip the resolver's own line
IP_LIST=`nslookup google.com | awk '$1 == "Address" && $3 != "127.0.0.1" {print $3}'`
for IP in $IP_LIST
do
  ip route add $IP via $VPN_GW
done
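A slightly more careful version of the lookup loop above, written as an added example and not taken from the thread or from Tomato: it parses the BusyBox nslookup format shown in the post (a constructed answer set using documentation addresses is embedded so it runs offline, and the newer "Address: x.x.x.x" layout is tolerated too), accepts only well-formed IPv4 dotted quads so that an unexpected resolver line never ends up inside an `ip` command, drops duplicates and the 127.0.0.1 resolver line, and emits `ip route replace` instead of `ip route add` so a cron re-run does not fail on routes that already exist. The gateway 10.8.0.5 and the name example.invalid are placeholders; the functions only print commands.

```shell
#!/bin/sh
# Added example (not from the thread): destination-based steering of a
# DNS name's current addresses through the VPN gateway, built for a cron job.
# Nothing here touches the routing table; pipe the output into sh to apply.

# Constructed nslookup output in the BusyBox format shown in the thread,
# with a duplicate answer and an IPv6 answer to exercise the filtering.
SAMPLE_LOOKUP='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      example.invalid
Address 1: 192.0.2.10 a.example.invalid
Address 2: 192.0.2.11 b.example.invalid
Address 3: 2001:db8::10 c.example.invalid
Address 4: 192.0.2.10 a.example.invalid'

# lookup_ips LOOKUP_TEXT
# Prints the unique IPv4 answers, one per line. Handles both "Address N: ip"
# and "Address: ip" lines; anything that is not a dotted quad is dropped.
lookup_ips() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^Address:?$/ {
            ip = ($2 ~ /:$/) ? $3 : $2
            if (ip != "127.0.0.1" &&
                ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[ip]++)
                print ip
        }'
}

# plan_dest_routes LOOKUP_TEXT VPN_GW
# One idempotent host route per address via the tunnel gateway.
plan_dest_routes() {
    for ip in $(lookup_ips "$1"); do
        echo "ip route replace $ip via $2"
    done
}

# Demo on the constructed sample; 10.8.0.5 is a placeholder gateway.
# Live use from cron would be:  plan_dest_routes "$(nslookup "$NAME")" "$VPN_GW" | sh
plan_dest_routes "$SAMPLE_LOOKUP" "${VPN_GW:-10.8.0.5}"
```

Because the routes are host routes (/32) in the main table, they win over both a replaced default and the 0.0.0.0/1 and 128.0.0.0/1 pair, so this works regardless of how the client redirected the gateway; addresses that drop out of the answer set stay routed until you remove them, so a cron job should also delete routes for addresses no longer returned.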
I just received an Asus N16 today so I tried lfjeff's script out, but so far I'm not having much luck. Everything still gets routed through the vpn regardless of the vpn_client1_ip_list setting. I've also got IPv6 setup on the router, and when the vpn connection is active, sites that have IPv6 addresses available have a long delay while they timeout.
I should learn to read logs before I post. There was an error in the log that said something about requiring "script-security 2" to run external scripts. So I added it to the VPN client custom configuration:
script-security 2
route-up /root/vpn_route.sh
down /root/vpn_route.sh
And now it looks like it's working fine! Thanks!
Thanks for the configuration tip. I added your extra option to my original post (although it doesn't make any difference on my particular router). Mine seems to work with or without the "script-security 2" setting. I'm not using IPv6, so I don't know if that has anything to do with the problem or not.
lfjeff> That little script works perfectly. Thanks! Can I add two (or more eventually) sites to look up ip addresses for and add them to the routing table? And is it possible to add ranges, or does the IP have to be specified?
You can specify more than one IP address in the list, for example:
Code:
nvram set vpn_client1_ip_list="192.168.1.111 192.168.1.112 192.168.1.115 192.168.1.157"
Only single IP addresses are allowed; you cannot use network ranges. I originally tried using network ranges, but it made the code more complex and I had to keep the size of the script below 2048 bytes to make it fit in NVRAM.
I just wanted to say I've been using that script for awhile now on a recent version of TomatoUSB on an Asus N16, and it's been working really well. Thanks again.
I used vi, saved the file, used chmod, went to "setfile2nvram" and received the following error: "file too big". Yo!Adrian
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Edited: I went to sleep scratching my head about this but woke up with a much clearer head (note to self, don't think that late at night). setfile2nvram = file too big = NVRAM is probably full, duh! I reset the router and checked the NVRAM commitment; it is now 32.00 KB / 12.30 KB (38.43%). Will try running the script again later.
Restrict outbound traffic to VPN only?
Is it possible for me to configure the VPN client so that for all clients the only traffic being passed through the router is through the VPN? Right now, if the VPN fails it defaults to the local internet connection. I would like there to be no connectivity at all when the VPN is down. Thanks. -Andrew
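The two behaviours discussed in this thread, the per-source rule reconciliation that lfjeff's vpn_route.sh performs and the "no connectivity when the VPN is down" behaviour Andrew asks about, can be combined in one planning routine. The following is an added example, not code from the thread or from the Tomato project: it parses `ip rule show` output (a constructed sample is embedded so it runs offline), prints the `ip` commands it would run, and executes them only when APPLY=1 is set. It assumes the OpenVPN hook variable the thread already relies on (`route_vpn_gateway`, set when run from a route-up hook) and replaces the 127.0.0.1 stand-in gateway from the script with an explicit `unreachable` default route in the policy table, which is a standard iproute2 route type. The table number 101 and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: reconcile the "ip rule" entries that
# steer selected LAN hosts into a policy-routing table and set that table's
# default route, fail-closed when the tunnel is down.
# Dry-run by default: commands are printed; they run only when APPLY=1.

VPN_TBL="${VPN_TBL:-101}"                                   # table id, as in vpn_route.sh
VPN_IP_LIST="${VPN_IP_LIST:-192.168.1.10 192.168.1.12}"    # constructed host list

# Constructed sample of `ip rule show` output: one wanted host (.10) is
# already in table 101, one stale host (.99) must be removed.
SAMPLE_RULES='0:      from all lookup local
32764:  from 192.168.1.10 lookup 101
32765:  from 192.168.1.99 lookup 101
32766:  from all lookup main
32767:  from all lookup default'

# plan_rules RULES_TEXT WANTED_IPS TABLE
# Prints "ip rule del" for each source in TABLE that is no longer wanted,
# then "ip rule add" for each wanted source not yet present.
plan_rules() {
    rules="$1"; wanted="$2"; tbl="$3"
    present=$(printf '%s\n' "$rules" | awk -v t="$tbl" \
        '$2 == "from" && $3 != "all" && $4 == "lookup" && $5 == t {print $3}' \
        | tr '\n' ' ')
    for ip in $present; do
        case " $wanted " in
            *" $ip "*) ;;                                   # still wanted
            *) echo "ip rule del from $ip table $tbl" ;;
        esac
    done
    for ip in $wanted; do
        case " $present " in
            *" $ip "*) ;;                                   # already present
            *) echo "ip rule add from $ip table $tbl" ;;
        esac
    done
}

# plan_table_route TABLE VPN_GW
# With a gateway (tunnel up) the table's default goes through it; with an
# empty gateway (tunnel down) an unreachable default is installed so the
# selected hosts fail closed instead of leaking out through the WAN.
plan_table_route() {
    tbl="$1"; gw="$2"
    echo "ip route del default table $tbl 2>/dev/null"
    if [ -n "$gw" ]; then
        echo "ip route add default via $gw table $tbl"
    else
        echo "ip route add unreachable default table $tbl"
    fi
}

# run_plan: echo each planned command and execute it only when APPLY=1.
run_plan() {
    while IFS= read -r cmd; do
        echo "$cmd"
        if [ "${APPLY:-0}" = "1" ]; then sh -c "$cmd"; fi
    done
}

# Demo on the constructed sample. From an OpenVPN route-up hook
# $route_vpn_gateway is set; here it is empty, so the plan fails closed.
{
    plan_rules "$SAMPLE_RULES" "$VPN_IP_LIST" "$VPN_TBL"
    plan_table_route "$VPN_TBL" "${route_vpn_gateway:-}"
    echo "ip route flush cache"
} | run_plan
```

Run from the route-up hook with APPLY=1, the selected hosts get a default route via the tunnel; run from the down hook, they get an unreachable route and cannot fall back to the WAN, which is the fail-closed behaviour asked about. Hosts not in the list are untouched and keep using the main table. The state to check afterwards is `ip rule show` and `ip route show table 101`.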
Resetting the router and reconfiguring everything from scratch can often solve a lot of problems. When I was developing and testing the script, I was constantly adding and deleting stuff to NVRAM and started to get a lot of strange errors and general weirdness. After I reset the router and reconfigured, the problems disappeared.
lfjeff, I'm planning on using the solution described here: http://vpnblog.info/strongvpn-open-on-tomato.html. I'm struggling/wrestling with sending all router traffic via the VPN if I use the described method from that post vs. sending only specific IPs as your script does, and what OpenVPN solution I might be able to use. Or is it that by combining the StrongVPN solution only Client1 IPs from the script implementation would use the tunnel and all other traffic would be exempt? Yo!Adrian
Do the following (steps):
1. Get VPN to work the regular way as described at http://vpnblog.info/strongvpn-open-on-tomato.html.
2. Backup configuration (.cfg) of the working setup (just in case :)).
3. Do the slight change as described in lfjeff's post.
4. Backup configuration!
Windozer's advice in the previous post is good... If you use the VPN without my script, then ALL traffic will go through the VPN by default. If you turn off the VPN, then the traffic will go through the regular WAN. If my script is active, then ONLY the selected IP addresses (like your Boxee) will go through the VPN and everything else (like your VOIP devices) will go through the WAN. I created the script because I did not want my VOIP devices to have the extra latency that would be added by going through the VPN.
I got as far as "script-security 2" but I get the following error "-sh: script-security: not found" I have everything else more or less under control and my OpenVPN config is running under Client 1 in Tomato. Yo!Adrian
script-security 2 has to be in the Custom Configuration text-box found in VPN Tunneling > Client > Client1 (tab) > Advanced (tab) It looks like this: Are you sure you've typed it there?
Amazing what happens when you read the instructions properly... I had entered that into the Telnet session. I entered it into the Custom Config above the Auth Key info and started the service; it appears to be running but that entry is no longer there, just the key info I had before for OpenVPN. Like this:
tls-auth ta.key 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
09cea02ae8e2cf9b3333eeb857f5bcd4
<snip>
This may sound like a dumb question, how do I check to see if it's running or not...? Yo!Adrian
@yo_adrian_eh, You can find the log at Status > Logs > View all. I'd suggest you quickly look over this helpful but long thread at VPN build with Web GUI. Read at least the last 50 pages or so to get a good idea of using OpenVPN & Tomato. Please remember that this thread is a discussion for those who can access the internet via VPN, and want to bypass/selectively use VPN for whatever reason.
Dear Tomato lovers, I followed this thread closely as it is exactly what I am looking for. My router (Netgear WNR3500L) is running in gateway/DHCP mode behind - in the DMZ of - my ISP box (modem/router/phone). This router runs Tomato Firmware v1.28.9054 MIPSR2-beta K26 USB vpn3.6 in order to be similar to the one used by lfjeff. I have carefully followed lfjeff's post http://www.linksysinfo.org/forums/showpost.php?p=373431&postcount=43 with nvram erase, hard reset, and reconfigure by hand. All seems OK, VPN up and running, etc... but all the connected PCs are routed thru the VPN, even the one with the nvram variable vpn_client1_ip_list=192.168.1.10. I am a little puzzled: I must have missed something, but what? I re-read back and forth the 7 pages of this thread without any new ideas. Shall I uncheck Redirect Internet traffic? Something else? Any ideas welcomed! Thanks in advance. Cheers, Zul'
This selective VPN function is still working great for me. "Redirect Internet traffic" in the Advanced VPN Client tab is unchecked in my configuration, so you may want to give that a try.
Code:
# route other IPs thru WAN gateway
if [ "$route_net_gateway" != "" ]
then
    ip route del default
    ip route add default via $route_net_gateway
fi
I don't think this works properly. What I noticed is the 'default' route is set up as 0.0.0.0/1, not as "default". So 'ip route del default' won't properly route other IPs through the WAN gateway??
I've followed (hopefully) these instructions very very carefully, and I still can't seem to get it to work... I'm running this firmware on an E4200 router: tomato-E4200-NVRAM60K-1.28.7471MIPSR2-Toastman-RT-VPN. I'm trying to get the router to use the VPN only for 192.168.1.91 and 192.168.1.150, but all computers (incl. those) seem to be on my normal WAN (no VPN active)... When I remove "route-up /root/vpn_route.sh" and "down /root/vpn_route.sh" from my custom configuration, the VPN works as intended (for all computers), since the script isn't called. My log file:
Hi, I have a netgear 3500dl running tomato 1.28. I'm able to connect via Open VPN and it's very stable; however, I cannot presently get the selective routing (as per the above script) to work. When I try to 'connect' via one of the identified client IPs... nothing seems to happen. Please can someone give me a little advice on how to track the issue down? TIA
My motivation is to have all devices in my lan connect to the internet via the ISP, but have 2 devices with fixed IPs initiate an openVPN session for watching bbc iplayer etc. I'm a brit overseas needing uk tv, that's my reason. I was hoping this script would do that, so when I boot the PS3 or ipad (both over wireless with fixed IPs), it would initiate an openVPN connection and that wouldn't affect the other devices, which can still connect over the normal ISP route.
I copied/pasted the script and entered it via telnet, using vi. The script is saved as /root/vpn_route.sh and when I open it up all looks as above. I've done the permissions and the rest as per above, I think, and committed to nvram without apparent error. I can also execute vpn-route.sh without apparent error... what am I doing wrong? Can I post the log here without giving out any private info, and would that help?
My script under INIT looks like this:
echo "user password" > /tmp/openvpn-client1-userpass.conf
sh /root/vpn_route.sh
and in custom configuration:
script-security 2
ns-cert-type server
auth-nocache
auth-user-pass /tmp/openvpn-client1-userpass.conf
route-up /root/vpn_route.sh
down /root/vpn_route.sh
Thanks in advance, and extra thanks to lfjeff and contributors of course for what appears to be a great bit of script. Thanks for any pointers! Iain
Hello, I've tried everything as per lfjeff, but still my selected ip for the VPN side doesn't work, while the rest of the ip addresses can traverse the WAN. I'm running out of ideas why. Regards, noyp
Is the selective script currently working for anyone? If so, can you post your exact firmware version and setup? Thanks!
Please, guys, add me to this request. I have searched the internet for hours and this thread sounds exactly like what I need. In my case I am in Mexico and want to selectively switch via VPN to watch BBC iplayer!
Although this thread looks dead, I'll ask you (and anybody else who has managed to make the script work) anyway. Would you please be so kind as to post your router configuration and the vpn_route.sh script? I have tried the vpn_route.sh script from post number 43 to no avail. All it does is delete the tunnel and leave my IP address exposed to the world.
My vpn_route.sh script looks like the same one in post number 43. Here it is:
Code:
#!/bin/sh
# run Tomato's own up/down handler first
if [ "$script_type" == "up" -o "$script_type" == "down" ]
then
    /rom/openvpn/updown.sh
fi

# pick the client IP list and routing table for whichever client is running
if [ "$route_gateway_1" != "" ]
then
    VPN_IP_LIST=$(nvram get vpn_client1_ip_list)
    VPN_TBL=$(nvram get vpn_tbl_1)
    if [ "$VPN_TBL" == "" ]
    then
        VPN_TBL=101
    fi
elif [ "$route_gateway_2" != "" ]
then
    VPN_IP_LIST=$(nvram get vpn_client2_ip_list)
    VPN_TBL=$(nvram get vpn_tbl_2)
    if [ "$VPN_TBL" == "" ]
    then
        VPN_TBL=102
    fi
fi

# exported so the awk ENVIRON[] lookups below can see them
export VPN_GW VPN_IP VPN_TBL

# delete rules for IPs not on list
IP_LIST=`ip rule show|awk '$2 == "from" && $4=="lookup" && $5==ENVIRON["VPN_TBL"] {print $3}'`
for IP in $IP_LIST
do
    DEL_IP="y"
    for VPN_IP in $VPN_IP_LIST
    do
        if [ "$IP" == "$VPN_IP" ]
        then
            DEL_IP=
        fi
    done
    if [ "$DEL_IP" == "y" ]
    then
        ip rule del from $IP table $VPN_TBL
    fi
done

# add rules for any new IPs
for VPN_IP in $VPN_IP_LIST
do
    IP_LIST=`ip rule show|awk '$2=="from" && $3==ENVIRON["VPN_IP"] && $4=="lookup" && $5==ENVIRON["VPN_TBL"] {print $3}'`
    if [ "$IP_LIST" == "" ]
    then
        ip rule add from $VPN_IP table $VPN_TBL
    fi
done

if [ "$script_type" == "route-up" ]
then
    VPN_GW=$route_vpn_gateway
else
    VPN_GW=127.0.0.1    # if VPN down, block VPN IPs from WAN
fi

# delete VPN routes
NET_LIST=`ip route show|awk '$2=="via" && $3==ENVIRON["VPN_GW"] && $4=="dev" && $5==ENVIRON["dev"] {print $1}'`
for NET in $NET_LIST
do
    ip route del $NET dev $dev
done

# route VPN IPs thru VPN gateway
if [ "$VPN_IP_LIST" != "" ]
then
    ip route del default table $VPN_TBL
    ip route add default via $VPN_GW table $VPN_TBL
    logger "Routing $VPN_IP_LIST via VPN gateway $VPN_GW"
fi

# route other IPs thru WAN gateway
if [ "$route_net_gateway" != "" ]
then
    ip route del default
    ip route add default via $route_net_gateway
fi

ip route flush cache
exit 0
NOTE: When I paste that in, it turns the tabs into spaces, but there are tabs for the indentation on the version that's saved on my router. Not sure if that makes a difference.
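To see why the 0.0.0.0/1 question raised above matters and what the script's rule and route handling actually achieves, here is an added example (not code from the thread or from lfjeff) that models Linux policy routing in Python: `ip rule` entries walked by priority, with a longest-prefix lookup in each table. The gateways, priorities and table contents are constructed samples; the 0.0.0.0/1 and 128.0.0.0/1 pair is the shape OpenVPN's redirect-gateway installs, as visible in the log posted later in this thread.

```python
import ipaddress

# Added example, not code from the thread: a small model of Linux policy
# routing (ip rule + per-table longest-prefix match) used to trace which
# gateway a LAN client's Internet traffic takes under vpn_route.sh. Rules,
# tables, priorities and gateways below are constructed samples.
WAN_GW = "195.229.244.26"  # constructed ISP gateway ($route_net_gateway)
VPN_GW = "10.8.0.13"       # constructed tunnel peer ($route_vpn_gateway)


def lookup(table, dst):
    """Longest-prefix match of dst in one table given as (prefix, via) pairs."""
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, via)
    return best[1] if best else None


def next_hop(rules, tables, src, dst):
    """Walk `ip rule` entries by priority; the first table holding a matching
    route decides, otherwise the kernel falls through to the next rule."""
    for _prio, frm, tbl in sorted(rules):
        if frm != "all" and ipaddress.ip_address(src) not in \
                ipaddress.ip_network(frm, strict=False):
            continue
        via = lookup(tables[tbl], dst)
        if via is not None:
            return via
    return None


# Main table right after OpenVPN's redirect-gateway: the pushed /1 routes win
# over "default" (0.0.0.0/0) by prefix length, which is why `ip route del
# default` on its own leaves every client inside the tunnel.
MAIN_REDIRECTED = [("0.0.0.0/0", WAN_GW),
                   ("0.0.0.0/1", VPN_GW), ("128.0.0.0/1", VPN_GW)]
# Main table after the script's "delete VPN routes" loop removed every route
# whose gateway is $VPN_GW on $dev: only the WAN default remains.
MAIN_CLEANED = [("0.0.0.0/0", WAN_GW)]
# Table 101 (vpn_tbl_1) while the tunnel is up ...
TBL_VPN_UP = [("0.0.0.0/0", VPN_GW)]
# ... and after the down script pointed it at 127.0.0.1, the script's way of
# cutting listed clients off instead of letting them leak out via the WAN.
TBL_VPN_DOWN = [("0.0.0.0/0", "127.0.0.1")]
# `ip rule show` equivalent: one entry per vpn_client1_ip_list address plus
# the standard fall-through to main (priorities are constructed).
RULES = [(32765, "192.168.1.5", 101), (32766, "all", "main")]


def gateway_for(src, main_table, vpn_table, dst="8.8.8.8"):
    """Gateway chosen for Internet-bound traffic from one LAN client."""
    return next_hop(RULES, {101: vpn_table, "main": main_table}, src, dst)


if __name__ == "__main__":
    for src in ("192.168.1.5", "192.168.1.20"):
        print(src, "before cleanup ->",
              gateway_for(src, MAIN_REDIRECTED, TBL_VPN_UP))
        print(src, "after cleanup  ->",
              gateway_for(src, MAIN_CLEANED, TBL_VPN_UP))
    print("192.168.1.5 with VPN down ->",
          gateway_for("192.168.1.5", MAIN_CLEANED, TBL_VPN_DOWN))
```

Running it shows the unlisted client still leaving via the tunnel until the /1 routes are gone from main, and the listed client losing its route entirely when the tunnel is down.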
I'm using an Asus N16 router with this version of TomatoUSB: I suspect a newer version should still work fine, too. That's just the last time I upgraded the firmware. Here's the VPN Client Configuration screens for my setup: You might double check to make sure that you've got "vpn_client1_ip_list" set in nvram. You can check from the shell:
nvram get vpn_client1_ip_list
That should return the list of local client IPs that will be routed through the VPN. If it's not set yet, you'd set it like this (replace with the IPs you're using):
nvram set vpn_client1_ip_list="192.168.1.5 192.168.1.6 192.168.1.7"
nvram commit
vpn_route.sh is saved to nvram and permissions are set correctly, too, right?
Code:
# ls -al vpn_route.sh
-rwxr-xr-x 1 root root 1769 Jan 1 1970 vpn_route.sh
Hope that helps. Everything's still working great for me.
@David3 Hey David. Thank you for your detailed reply. I have not managed to make it work. Except for a couple options (Redirect internet traffic and Accept DNS configuration) my setup looks much like yours. Just in case you can give me a hand, I'm uploading my routing table before and after running the vpn_route script: BEFORE AFTER
For what it's worth, I just upgraded the firmware in my N16 to the latest Toastman build (including clearing the NVRAM): tomato-K26USB-1.28.7495.1MIPSR2-Toastman-RT-VPN And re-input all my settings, and set up this selective VPN again from scratch. It all still works fine for me.
Thank you David. I think I'll tweak the script code and see what I get. My guess is the routing table is the issue.
I used the script here and it served me well for a little while, until I wanted to add some static routes that didn't work because the script wasn't referencing the main routing tables. I have been able to find a simpler way to do this, including adding ip ranges! The only catch is that the range you specify is the range that doesn't go through your VPN connection. Here's what I did... I copied the code below into Administration > Scripts > Init (Tab)
Code:
service vpnclient1 start
ping -c4 localhost

# Clean up by flushing table 4 and deleting all ip rules
ip route flush table 4
ip route flush cache

# Create backup of default route table
ip route show table main > /root/route.isp

# Add rules for all DHCP routes (192.168.1.100 -> 192.168.1.255)
ip rule add from 192.168.1.100/30 lookup 4
ip rule add from 192.168.1.104/29 lookup 4
ip rule add from 192.168.1.112/28 lookup 4
ip rule add from 192.168.1.128/25 lookup 4

# Flush route cache
ip route flush cache

# Use original (pre-openvpn) route for table 4
cat /root/route.isp | while read ROUTE; do ip route add table 4 $ROUTE; done
For a different ip range you would need to update as required. The script essentially starts the vpn connection on boot and creates a routing table 4 that is used by ip ranges that you don't want to go via the vpn gateway. It's as simple as that! Remember to remove or comment out "route-up" and "down" in your vpn custom configuration entry. Please post back if you have issues with this method.
@Tunde Oloworaran, I have "Start with WAN" checked in the Openvpn Client setting. Should I uncheck that option if I had to use the above init-script? Edit: lfjeff's script on post #43 is the best for tomato user (i mean myself) because you can 'bypass' the Openvpn client 1 or 2 I am still using it with latest (as of today) toastman VPN build.
I pasted the script into Notepad2, saved it on my pc as vpn_route.sh, then transferred it to /root. Then I had trouble with the script not running and as a result all IPs were using the vpn connection. My log showed:
Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: TUN/TAP device tun11 opened
Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: TUN/TAP TX queue length set to 100
Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: /sbin/ifconfig tun11 10.8.0.14 pointopoint 10.8.0.13 mtu 1500
Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: /sbin/route add -net 69.64.49.238 netmask 255.255.255.255 gw 195.229.244.26
Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.13
Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.13
Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.13
Feb 27 18:26:24 unknown daemon.warn openvpn[1155]: Route script failed: could not execute external program
Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: Initialization Sequence Completed
Then I used WinSCP, created a file in /root with its built-in editor, pasted the script code from lfjeff's post #43 and saved as vpn_route.sh, and it worked! (Remember to run the nvram setfile2nvram and commit commands again if you edited the existing script like I did.) WinSCP is a fool-proof way if you want to do it right. : D
To answer your question: You don't necessarily need to enable "start with wan", as the init scripts run as soon as the router is done with background tasks. On your comment about bypassing both clients 1 and 2: if the original script works better for you then stick with it. As I said, it wasn't perfect for me, hence the need for change. My situation is that:
1. I wanted certain devices, e.g. Sonos & WD TV live streamer, to be always routed through vpn
2. I wanted some computers always routed through my ISP
3. I wanted my laptop routed through vpn for hulu, netflix etc., but I also wanted some local traffic from this laptop routed through my ISP (hence the need to create a static routing table)
What I found with lfjeff's script is that static routing is always ignored. With my solution I can easily address all my needs and it is a very simple single-step process.
Somewhat of a different question, but is there a way to except local servers from the site-to-site VPN? I tried entering things in the route table, but that doesn't seem to work once the site-to-site vpn comes up.
Hi, I have followed this thread with interest. One question: instead of having selected machine IPs routed through the vpn etc., is it possible to have a single IP go straight through the WAN? My bank does not like vpns and keeps locking me out, so I need that IP to bypass the vpn. I know this is possible on DDWRT; I had it working, but since changing to Tomato I can't get this working. Can anybody help? Thanks, Paul
@Tunde Oloworaran Works great for my Tomato Firmware v1.28.7500 MIPSR2Toastman-VLAN-RT K26 USB VPN-NOCAT on Netgear WNR3500L/U/v2. Thank you very much. This script takes a lot of the work out of something I'm trying to accomplish. Use this website if you have never encountered CIDR before: https://www.countryipblocks.net/create_network_cidr.php It will make those 192.168.1.100/30 etc. numbers for you (a.k.a. CIDR).
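The init script above and the CIDR website just mentioned both come down to turning a DHCP pool into CIDR blocks for `ip rule`. Here is an added Python example (not from the thread or from any poster) that computes those blocks for the pool used in that script, emits the matching rule lines, and checks a hand-edited block list for hosts it misses; the addresses are the thread's own sample pool, everything else is constructed.

```python
import ipaddress

# Added example, not code from the thread: derive the CIDR blocks that an
# `ip rule ... lookup 4` bypass list needs for a DHCP pool, emit the rule
# lines, and report pool hosts that a hand-edited block list fails to cover.


def pool_to_cidrs(first, last):
    """Minimal CIDR blocks covering the inclusive range first..last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def bypass_rules(first, last, table=4):
    """One `ip rule add ... lookup <table>` line per block, ready to paste."""
    return ["ip rule add from %s lookup %d" % (cidr, table)
            for cidr in pool_to_cidrs(first, last)]


def coverage_gaps(first, last, cidrs):
    """Hosts in first..last that no block matches. A host with no rule keeps
    using the main table, i.e. it still goes through the tunnel."""
    # strict=False so a block written with host bits set still parses
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    gaps, addr = [], lo
    while addr <= hi:
        if not any(addr in net for net in nets):
            gaps.append(str(addr))
        addr += 1
    return gaps


if __name__ == "__main__":
    print("\n".join(bypass_rules("192.168.1.100", "192.168.1.255")))
    # Constructed mistake: the /29 block was left out of the list.
    print(coverage_gaps("192.168.1.100", "192.168.1.255",
                        ["192.168.1.100/30", "192.168.1.112/28",
                         "192.168.1.128/25"]))
```

The four blocks it prints are exactly the ones in the init script; the gap check is the thing to run after editing the list by hand, since a missed host silently stays inside the tunnel.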
After struggling to no avail with lfjeff's script, I (finally) managed to figure out a similar procedure to selectively bypass VPN on a Linksys E4200 - Shibby's Tomato Firmware 1.28.0000 MIPSR2-085V K26 USB AIO:
By default, once a router is running a VPN client, every device using that connection goes through the tunnel. If you want to filter devices to connect via the ISP's IP address, bypassing the VPN, do this:
Transient solution
A - Go to TOOLS - SYSTEM - EXECUTE SYSTEM COMMANDS and get the value of wan_gateway by running this command:
nvram get wan_gateway
B - Run a couple more commands:
ip route add default via (what you got in A) table 10
e.g. ip route add default via 173.234.216.1 table 10
ip rule add from (IP address you want to filter) table 10
e.g. ip rule add from 192.168.1.10 table 10
ip route flush cache
Permanent solution that survives reboots
1. Go to TOOLS - SYSTEM - EXECUTE SYSTEM COMMANDS and create an nvram variable which will contain a list of the IP addresses you want to filter, like this:
nvram set no_vpn_lst="192.168.1.11 192.168.1.12 192.168.1.13"
nvram commit
2. Download this script from http://pastebin.com/....php?i=nttcdVX3
3. Copy the script contents and paste to ADMINISTRATION - SCRIPTS - WAN UP, click Save
4. Reboot
5. That's it. Now the devices on your NO_VPN_LST list will be routed outside the VPN tunnel.
@ quidagis Not sure of the syntax; I was wondering if it would work like this:
for ipa not in $NO_VPN_LST; do
No windozer, it wouldn't work. What the for loop does is populate the table with values that will bypass the VPN tunnel. BTW, the not is not part of the for loop syntax.
Hey Tunde Oloworaran, reporting back with one issue. I created a separate VLAN and SSID using essentially this guide: https://code.google.com/p/tomato-sdhc-vlan/wiki/ExperimentalMultiSSID. Upon creation, the new second SSID / VLAN / Bridge would not connect to the WAN. So, I added the new second ip range to the script, thus excluding it from the VPN. This seems to have fixed it; however, I thought you might like to know. Here is what it looks like:
# Add rules for all DHCP routes (192.168.29.100 -> 192.168.29.255)
ip rule add from 192.168.1.90/31 lookup 4
ip rule add from 192.168.1.92/30 lookup 4
ip rule add from 192.168.2.96/30 lookup 4
ip rule add from 192.168.2.2/31 lookup 4
ip rule add from 192.168.2.4/31 lookup 4
The 192.168.2.x is the second SSID that I had to add in order to get it to connect to the WAN. Like I said, it isn't a big deal for me, but others might profit if both VLANs connected through the VPN automatically.
I'm trying to do like in post #48 - I want to send certain destination IPs through the VPN, but have other traffic go through the normal ISP connection. I understand that I need to add
Code:
route-nopull
route a.b.c.d x.x.x.x
lines in my custom config. However, the list of route IP addresses I have is over 400 lines long, and when I naively pasted it in the box it caused issues which I am guessing were because it was too big for NVRAM. (I have a script which tries to discover all IP ranges for a given list of domains.) Is the best workaround for this to set up a CIFS mount and read a script from there? I have a fileserver so I can easily add a mount, but how would I tell OpenVPN to use a file there instead of wherever it is currently getting the client configuration?
I answered my own question in the end, after doing some research. The config file for openvpn can include a 'config' directive which refers to another file to load. So I set up a CIFS mount and I put the file with my routes there. Then in the VPN client 'Custom Configuration' settings on Tomato I add in:
Code:
route-nopull
config /cifs1/openvpn/routes.conf
The routes file I'm using now is actually smaller than the 400 line one, because I decided I didn't need every domain I had put in, so I haven't entirely tested what I was trying to do. But I have a setup which seems to work.
I'm hoping someone can help me here. I have a new Asus RT-N66U router with the latest shibby Tomato on it, and I want to get the script to make certain internal IPs go over the VPN, as posted above, to work. I have the VPN working, but I can't get the script to work; when I set it up as above then all my computers are still on the VPN even though I only added one to the vpn_client1_ip_list. My questions are:
1. Should I turn on Create NAT on tunnel?
2. Is the Accept DNS configuration setting important? I currently have it set to disable with a static DNS to 8.8.8.8 and 8.8.4.4.
3. As you can see from my log below, I am getting a few messages that so far I haven't been able to get rid of. I think they may have something to do with my problem:
Thanks for any help, I'd love to get this working!
@ ds408User: You have to set the file permission of /root/vpn_route.sh to executable. Use the WinSCP program to set the file permission. The connection settings window to make WinSCP work with the router looks like this:
Thanks for the reply. I logged on with WinSCP and checked the permissions; they are set to 775 as specified in the instructions in post #43, and therefore as far as I can tell the script is marked as executable. I have followed all the instructions in post #43 but just can't get it to work properly. Any other ideas? And thanks again for your time.
chmod 755 /root/vpn_route.sh
nvram setfile2nvram /root/vpn_route.sh
nvram commit
You should be able to use an ip/subnet in your client ip list, as the route add bit accepts that. So if you wanted to do an IP range, you could do it with something like: 192.168.1.1/25 (that'd give you from IP .1 to .128 as a range). (I haven't tested that, of course, but it should work.) Also, I have a question: if I use this method, will the clients that are set to go through the VPN be able to connect to the Internet if the VPN drops? I want to prevent their access if the VPN drops. Another question: I have a couple of virtual wireless interfaces (on br1 (192.168.2.0/24) and br2 (192.168.3.0/24)), and when the VPN connects, those interfaces cannot access the Internet. Is there a way to get them routed through the VPN as well? If I added them to the VPN client list, will they route through the VPN properly? It seems that the VPN client only automatically routes br0 through the VPN, and kills the routes for everything else. Ideally I'd like my VPN connected *always*, and if it drops, those clients that should be routed through it have no access.