Need help with IPtables...

Discussion in 'Tomato Firmware' started by lanmtl, Oct 11, 2010.

  1. lanmtl

    lanmtl Addicted to LI Member

    Hi all,

    I am very bad at iptables and I wonder how I could do this...
    I just installed Victek's RAF 1.28 with OpenVPN.

    I have set up the client1 openvpn connection and would like to tell the router to only send the outgoing traffic to 208.85.40.0-208.85.40.254 via the VPN connection.
    Any other traffic is to be going out via the WAN port and bypass the VPN.

    How can I accomplish that?
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    This is not a firewall (iptables) question, but a routing one. The proper way to handle it will depend on a few things:
    • Do you control the VPN server?
    • Is it Static Key or TLS authentication?
    • Does the server push a redirect-gateway command to your client?
    • Is the VPN server gateway address known/constant?
    • Do you use the "Accept DNS configuration" option?
     
  3. lanmtl

    lanmtl Addicted to LI Member

    • I do not control the VPN server
    • It seems to be static key since under TLS auth file there is no file indicated
    • I added the route-nopull extra command because I am already doing selective routing on my Mac with this VPN server
    • I don't use the accept DNS config option but I could

    Thanks for your help :)
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You say you're already doing selective routing on your Mac, and that's exactly what you're wanting to do here.

    Just add the following to your custom config (the answers to your questions were precisely what they needed to be to make this easy*):
    Code:
    route 208.85.40.0 255.255.255.0
    * Except I'm pretty sure you're using TLS, not static key. But, no need to worry about that based on your other answers.
     
  5. lanmtl

    lanmtl Addicted to LI Member

    Am I supposed to check "Redirect internet traffic"?

    --edit: I'm not sure if that was very clear, but all that I mentioned in the list in my previous post was about the config of the software I use with my Mac, not the config in the router. I have set up the VPN in the router but it doesn't route any traffic; everything goes through the WAN connection as if there was no VPN connection.
     
  6. lanmtl

    lanmtl Addicted to LI Member

  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    No, don't check "Redirect Internet Traffic". That would have all Internet-bound traffic go over the VPN tunnel (which isn't what you want, right?).

    If you haven't already, you'll want to add the route-nopull to your custom config like you did on your Mac.
     
  8. lanmtl

    lanmtl Addicted to LI Member

    This is what I have under advanced, and it doesn't connect at all.
    I tried to adapt it from their DD-WRT config page but I must be doing something wrong...

    Code:
    sleep 30
    echo "MYUSERNAME
    MYPASSWORD" > /tmp/openvpncl/userpass.conf
    sleep 30
    echo "client
    dev tun
    proto udp
    hand-window 30
    remote-random
    remote vpn1.vpnsteel.com 1195
    remote vpn2.vpnsteel.com 1195
    resolv-retry infinite
    route-nopull
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    comp-lzo
    verb 3
    reneg-sec 0
    auth-user-pass /tmp/openvpncl/userpass.conf" > /tmp/openvpncl/myopenvpn.conf
    ( sleep 20 ; killall openvpn ; /usr/sbin/openvpn --config /tmp/openvpncl/myopenvpn.conf --auth-user-pass /tmp/openvpncl/userpass.conf
    --route-up /tmp/openvpncl/route-up.sh --down /tmp/openvpncl/route-down.sh --daemon ) &
    
    Logs say
    Code:
    Oct 13 13:02:19 routage daemon.err openvpn[1350]: Options error: Unrecognized option or missing parameter(s) in config.ovpn:20: sleep (2.1.1)
    Oct 13 13:02:19 routage daemon.warn openvpn[1350]: Use --help for more information.
    
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The custom config section is not a shell script. Whatever you put there is tacked on to the end of the OpenVPN config file after all of the auto-generated statements (based on the settings you select in the GUI). I'll go through this one piece at a time.

    > sleep 30
    Don't need that anywhere
    > echo "MYUSERNAME
    > MYPASSWORD" > /tmp/openvpncl/userpass.conf
    This needs to go in the router's init script (administration->scripts). However, you may have to create the /tmp/openvpncl directory first.
    > sleep 30
    Don't need that anywhere
    > echo "
    You're adding to a config file directly, so no echoing needed.
    > client
    Handled automatically. Don't need it
    > dev tun
    > proto udp
    Just select TUN and UDP from the GUI. You don't need to specify them here.
    > hand-window 30
    > remote-random
    You can leave these in custom config
    > remote vpn1.vpnsteel.com 1195
    > remote vpn2.vpnsteel.com 1195
    One of these should be entered in the GUI ("Server address/port"), the other can stay in custom config
    > resolv-retry infinite
    Just put -1 in "Connection retry". Don't need it in custom config
    > route-nopull
    Leave that since you're wanting to ignore routes from the server
    > nobind
    > persist-key
    > persist-tun
    Don't need those, they're handled automatically by the GUI.
    > ns-cert-type server
    You can leave this in custom config if you want.
    > comp-lzo
    Select "Adaptive" for "Compression". Don't need it in custom config.
    > verb 3
    You don't need that.
    > reneg-sec 0
    Put in 0 for "TLS Renegotiation Time". Don't need it in custom config.
    > auth-user-pass /tmp/openvpncl/userpass.conf" > /tmp/openvpncl/myopenvpn.conf
    Leave that in custom config
    > ( sleep 20 ; killall openvpn ; /usr/sbin/openvpn --config /tmp/openvpncl/myopenvpn.conf --auth-user-pass /tmp/openvpncl/userpass.conf
    > --route-up /tmp/openvpncl/route-up.sh --down /tmp/openvpncl/route-down.sh --daemon ) &
    Don't need any of that. This mentions route-up.sh and route-down.sh scripts, but you haven't created those. You probably don't need them, but I wanted to point out that inconsistency in what you had.
    > Oct 13 13:02:19 routage daemon.err openvpn[1350]: Options error: Unrecognized option or missing parameter(s) in config.ovpn:20: sleep (2.1.1)
    That's because you were putting things in the config file that don't belong there.
     
  10. lanmtl

    lanmtl Addicted to LI Member

    Thanks SgtPepperKSU!
    I am now able to establish a connection successfully to the VPN server but traceroutes to 208.85.40.0/24 are lost in oblivion (208.85.40.20/208.85.40.50/208.85.40.80)

    logs:
    Code:
    Oct 13 18:08:09 routage daemon.notice openvpn[1659]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Sep 19 2010
    Oct 13 18:08:09 routage daemon.warn openvpn[1659]: WARNING: file '/tmp/openvpncl/userpass.conf' is group or others accessible
    Oct 13 18:08:09 routage daemon.warn openvpn[1659]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Oct 13 18:08:09 routage daemon.notice openvpn[1659]: LZO compression initialized
    Oct 13 18:08:09 routage daemon.notice openvpn[1659]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Oct 13 18:08:09 routage daemon.notice openvpn[1659]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Oct 13 18:08:09 routage daemon.notice openvpn[1665]: Socket Buffers: R=[32767->65534] S=[32767->65534]
    Oct 13 18:08:09 routage daemon.notice openvpn[1665]: UDPv4 link local: [undef]
    Oct 13 18:08:09 routage daemon.notice openvpn[1665]: UDPv4 link remote: 178.18.17.41:1195
    Oct 13 18:08:09 routage daemon.notice openvpn[1665]: TLS: Initial packet from 178.18.17.41:1195, sid=3e53349d a7039519
    Oct 13 18:08:09 routage daemon.warn openvpn[1665]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Oct 13 18:08:13 routage daemon.notice openvpn[1665]: VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=ServerCA/Email=me@myhost.mydomain
    Oct 13 18:08:13 routage daemon.notice openvpn[1665]: VERIFY OK: nsCertType=SERVER
    Oct 13 18:08:13 routage daemon.notice openvpn[1665]: VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=section1/CN=server/Email=me@myhost.mydomain
    Oct 13 18:08:17 routage daemon.notice openvpn[1665]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 13 18:08:17 routage daemon.notice openvpn[1665]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 13 18:08:17 routage daemon.notice openvpn[1665]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 13 18:08:17 routage daemon.notice openvpn[1665]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 13 18:08:17 routage daemon.notice openvpn[1665]: Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Oct 13 18:08:17 routage daemon.notice openvpn[1665]: [server] Peer Connection Initiated with 178.18.17.41:1195
    Oct 13 18:08:20 routage daemon.notice openvpn[1665]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Oct 13 18:08:20 routage daemon.notice openvpn[1665]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 8.8.8.8,dhcp-option NTP 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 30,ifconfig 10.8.0.6 10.8.0.5'
    Oct 13 18:08:20 routage daemon.err openvpn[1665]: Options error: option 'redirect-gateway' cannot be used in this context
    Oct 13 18:08:20 routage daemon.err openvpn[1665]: Options error: option 'route' cannot be used in this context
    Oct 13 18:08:20 routage daemon.notice openvpn[1665]: OPTIONS IMPORT: timers and/or timeouts modified
    Oct 13 18:08:20 routage daemon.notice openvpn[1665]: OPTIONS IMPORT: --ifconfig/up options modified
    Oct 13 18:08:20 routage daemon.notice openvpn[1665]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Oct 13 18:08:20 routage daemon.notice openvpn[1665]: TUN/TAP device tun11 opened
    Oct 13 18:08:20 routage daemon.notice openvpn[1665]: TUN/TAP TX queue length set to 100
    Oct 13 18:08:20 routage daemon.notice openvpn[1665]: /sbin/ifconfig tun11 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
    Oct 13 18:08:20 routage daemon.notice openvpn[1665]: /sbin/route add -net 208.85.40.0 netmask 255.255.255.0 gw 10.8.0.5
    Oct 13 18:08:20 routage daemon.notice openvpn[1665]: Initialization Sequence Completed
    
    I now have this under advanced:
    Code:
    hand-window 30
    remote-random
    remote vpn2.vpnsteel.com 1195
    remote vpn3.vpnsteel.com 1195
    route-nopull
    route 208.85.40.0 255.255.255.0
    ns-cert-type server
    auth-user-pass /tmp/openvpncl/userpass.conf
    
    It seems to be because there is no gateway specified for the custom route but I'm not quite sure which gateway to use. There is a tun11 interface, maybe it's the one I should put? Would this be ok or is the tunXX always a different number? I'm not sure how to use vpn_gateway either
    Code:
    route 208.85.40.0 255.255.255.0 tun11

    Thanks again for the time you spend helping me out, much appreciated :)
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Actually, you can see from the logs that the gateway is specified just fine:
    Code:
    Oct 13 18:08:20 routage daemon.notice openvpn[1665]: /sbin/route add -net 208.85.40.0 netmask 255.255.255.0 gw 10.8.0.5
    One thing to check: Do you have the "Create NAT on tunnel" option selected? (you need to)
     
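As an added example (not code from the thread, from Tomato or from the VPN provider), a POSIX shell sketch of the two halves the replies above separate: the init-script step that creates /tmp/openvpncl and writes userpass.conf with mode 0600 (the warning in the log that the file is "group or others accessible" means the credentials are readable by every process on the router), and a check over `route -n` output that only the 208.85.40.0/24 route rides the tunnel while the default route stays on the WAN. The routing table is constructed; tun11 and gateway 10.8.0.5 come from the log, the WAN interface and gateway are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. OVPN_DIR follows the thread's path
# and can be overridden for testing.
OVPN_DIR="${OVPN_DIR:-/tmp/openvpncl}"

# Init-script step: create the directory and write the auth-user-pass file
# owner-readable only (0600) so OpenVPN stops warning about its permissions.
# Prints the resulting permission string, e.g. -rw-------
write_userpass() {
    dir="$1"; user="$2"; pass="$3"
    mkdir -p "$dir"
    (umask 077 && printf '%s\n%s\n' "$user" "$pass" > "$dir/userpass.conf")
    ls -l "$dir/userpass.conf" | cut -c1-10
}

# Read `route -n` style output on stdin and print the interface carrying the
# route for dest/mask, or "none" if there is no such route.
route_iface() {
    dest="$1"; mask="$2"
    awk -v d="$dest" -v m="$mask" '
        $1 == d && $3 == m { print $NF; found = 1; exit }
        END { if (!found) print "none" }'
}

# Constructed routing table for this example: the tun11 lines mirror the
# "/sbin/route add -net 208.85.40.0 ... gw 10.8.0.5" line in the log, the
# br0/vlan2 lines are an assumed LAN and WAN.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
208.85.40.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun11
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun11
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2'

# Split routing is correct when the /24 goes out a tunXX interface and the
# default route does not (route-nopull kept the pushed redirect-gateway out).
split_routing_ok() {
    vpn_if=$(printf '%s\n' "$SAMPLE_ROUTES" | route_iface 208.85.40.0 255.255.255.0)
    def_if=$(printf '%s\n' "$SAMPLE_ROUTES" | route_iface 0.0.0.0 0.0.0.0)
    case "$vpn_if" in tun*) ;; *) return 1 ;; esac
    case "$def_if" in tun*) return 1 ;; esac
    return 0
}
```

On the router itself, replace SAMPLE_ROUTES with the live `route -n` output to run the same check after the tunnel comes up.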
  12. lanmtl

    lanmtl Addicted to LI Member

    Yes, this is checked. I can't do any further testing for the moment because the VPN provider is down.
     
  13. lanmtl

    lanmtl Addicted to LI Member

    Ok it works now, thanks very much :)
     