
Selectively setting only some IPs to go through VPN based on destination

Discussion in 'Tomato Firmware' started by darthcheddar, Jul 30, 2011.

  1. darthcheddar

    darthcheddar Networkin' Nut Member

    I've been at this for a couple of evenings now and need some help.

    What I'm trying to achieve is some destinations route through VPN client 1, some through VPN client 2, and the default route is to the wan gateway.

    Challenge one: getting everything to default through the wan gateway.
    My solution so far is to just delete the default route added when a VPN client starts. e.g. ip route del 0.0.0.0/1. This gives odd behaviour and so it appears I need to delete all routes for the client device. Is there a way to stop these routes from being created? Or a better way to do this?

    Challenge two: nslookup doesn't work when I delete the default created routes for a VPN client
    More a nuisance, as client connected machines work but this is stopping me from making a script that runs when the VPN client is started as I can't get the IPs to route. I've worked around this, but it means I have to stop the VPN client to update the IP list.

    Challenge three: Two VPN clients at the same time.
    I can work around the above and get something mostly working, but I cannot get two VPN clients to work at the same time. Are there settings I need to get 2 VPN clients connected at the same time? e.g. redirect internet traffic is unchecked. Do I have to turn off NAT? etc.

    I'm pretty convinced I'm solving an easy problem a really hard way. Is there a better way I can approach this?

    Thanks.
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    If you don't specifically configure the VPN to send default traffic over it, it won't. So, by default, the default route should be over the WAN, even if VPNs are connected.
    Then, you just add route lines to your VPN custom config for the addresses you want to go over that VPN.
     
  3. darthcheddar

    darthcheddar Networkin' Nut Member

    Ok, I must be missing something, or something's broken.
    I am on: Tomato Firmware v1.28.9054 MIPSR2-beta K26 vpn3.6
    All for "Client 1":
    "Redirect internet traffic": checked, VPN not started
    Code:
    root@tomato:/tmp/home/root# ip route show
    24.84.52.1 dev vlan2  scope link
    172.16.100.0/24 dev br0  proto kernel  scope link  src 172.16.100.1
    24.84.52.0/22 dev vlan2  proto kernel  scope link  src 24.84.52.187
    127.0.0.0/8 dev lo  scope link
    default via 24.84.52.1 dev vlan2
    
    "Redirect internet traffic": checked, VPN started
    This looks fine. The 0.0.0.0/1 will send everything through the VPN.
    Code:
    root@tomato:/tmp/home/root# ip route show
    10.119.3.69 dev tun11  proto kernel  scope link  src 10.119.3.70
    64.120.6.67 via 24.84.52.1 dev vlan2
    10.119.0.1 via 10.119.3.69 dev tun11
    24.84.52.1 dev vlan2  scope link
    172.16.100.0/24 dev br0  proto kernel  scope link  src 172.16.100.1
    24.84.52.0/22 dev vlan2  proto kernel  scope link  src 24.84.52.187
    127.0.0.0/8 dev lo  scope link
    0.0.0.0/1 via 10.119.3.69 dev tun11
    128.0.0.0/1 via 10.119.3.69 dev tun11
    default via 24.84.52.1 dev vlan2
    
    "Redirect internet traffic": un-checked, VPN not started
    Code:
    root@tomato:/tmp/home/root# ip route show
    24.84.52.1 dev vlan2  scope link
    172.16.100.0/24 dev br0  proto kernel  scope link  src 172.16.100.1
    24.84.52.0/22 dev vlan2  proto kernel  scope link  src 24.84.52.187
    127.0.0.0/8 dev lo  scope link
    default via 24.84.52.1 dev vlan2
    
    
    "Redirect internet traffic": un-checked, VPN running
    Hmm.. broken? It is defaulting everything through the VPN.
    Code:
    root@tomato:/tmp/home/root# ip route show
    10.119.2.185 dev tun11  proto kernel  scope link  src 10.119.2.186
    216.6.236.171 via 24.84.52.1 dev vlan2
    10.119.0.1 via 10.119.2.185 dev tun11
    24.84.52.1 dev vlan2  scope link
    172.16.100.0/24 dev br0  proto kernel  scope link  src 172.16.100.1
    24.84.52.0/22 dev vlan2  proto kernel  scope link  src 24.84.52.187
    127.0.0.0/8 dev lo  scope link
    0.0.0.0/1 via 10.119.2.185 dev tun11
    128.0.0.0/1 via 10.119.2.185 dev tun11
    default via 24.84.52.1 dev vlan2
    root@tomato:/tmp/home/root#
    
    I see no difference. The logs consistently show:
    Code:
    /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.119.3.185
    
    regardless of setting. Is there another setting other than "Redirect internet traffic" I should be using to stop everything from defaulting through the VPN?
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That means that the VPN server is pushing the "redirect-gateway" directive to you, whether you want it or not. If you also "own" the server, you should change this (you can even make the redirect-gateway push client-specific).

    If you don't have control over the server, you can either add a "route-nopull" to the client custom config (and set up the needed/desired routes manually) or delete the unwanted routes in an "up" script.
     
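The two fixes SgtPepperKSU describes (post 2: add your own route lines; post 4: ignore or undo the server's pushed redirect-gateway) can be combined in one OpenVPN route-up script. The script below is an added example written for this thread, not code from the thread or from Tomato: it finds the 0.0.0.0/1 and 128.0.0.0/1 half-default routes that a pushed redirect-gateway installs through the tunnel device, removes them so the WAN default route is used again, and installs only the destinations you choose via the tunnel. The route table it parses is taken from darthcheddar's "un-checked, VPN running" output; the destination lists, the script path and the client-2 device name are assumptions for illustration. OpenVPN exports $dev and $route_vpn_gateway to route-up scripts, which is what the --apply branch relies on.

```shell
#!/bin/sh
# Added example for the Tomato VPN-client thread; not part of the original posts.
# Per-client destination lists (ASSUMED values, replace with your own CIDRs).
CLIENT1_DESTS="64.120.6.0/24 198.51.100.7/32"
CLIENT2_DESTS="203.0.113.0/24"

# Route table copied from the thread (tun11, redirect-gateway pushed by server).
SAMPLE_TABLE='10.119.2.185 dev tun11  proto kernel  scope link  src 10.119.2.186
216.6.236.171 via 24.84.52.1 dev vlan2
10.119.0.1 via 10.119.2.185 dev tun11
24.84.52.1 dev vlan2  scope link
172.16.100.0/24 dev br0  proto kernel  scope link  src 172.16.100.1
0.0.0.0/1 via 10.119.2.185 dev tun11
128.0.0.0/1 via 10.119.2.185 dev tun11
default via 24.84.52.1 dev vlan2'

# Read `ip route show` output on stdin and print, one per line as
# "<prefix> via <gateway>", the half-default routes that redirect-gateway
# adds through the given tun device. Other devices' routes are left alone,
# so a second client (e.g. tun12) is handled by calling this with its name.
half_default_routes() {
    awk -v dev="$1" '
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") && $2 == "via" &&
        $4 == "dev" && $5 == dev { print $1, "via", $3 }'
}

# Build the `ip route` commands for one client without running them:
#   $1 = tun device, $2 = VPN gateway, $3 = destination list, $4 = route table.
# Returning the plan as text lets it be inspected (or tested) before use.
plan_routes() {
    dev="$1"; gw="$2"; dests="$3"; table="$4"
    printf '%s\n' "$table" | half_default_routes "$dev" |
        while read -r prefix _ via; do
            echo "ip route del $prefix via $via dev $dev"
        done
    for d in $dests; do
        # `replace` is idempotent, so re-running on reconnect is safe.
        echo "ip route replace $d via $gw dev $dev"
    done
}

if [ "${1:-}" = "--apply" ]; then
    # Invoked by OpenVPN as a route-up script: $dev and $route_vpn_gateway
    # are exported by OpenVPN. Pick the list by device name (ASSUMED names).
    case "$dev" in
        tun11) dests="$CLIENT1_DESTS" ;;
        tun12) dests="$CLIENT2_DESTS" ;;
        *)     dests="" ;;
    esac
    plan_routes "$dev" "$route_vpn_gateway" "$dests" "$(ip route show)" | sh -e
else
    # Dry run against the sample table so the script is checkable off-router.
    plan_routes tun11 10.119.2.185 "$CLIENT1_DESTS" "$SAMPLE_TABLE"
fi
```

To use it on the router, save the script somewhere persistent (an assumed path such as /jffs/vpn-routes.sh), make it executable, and in each VPN client's custom configuration box add `script-security 2` and `route-up "/jffs/vpn-routes.sh --apply"`; each client's own tun device selects its destination list. The alternative from post 4, `route-nopull` plus explicit `route` lines in the custom config, avoids the script entirely, but note that `route-nopull` also discards pushed dhcp-option DNS settings, so if the VPN provider's DNS matters you need to set it yourself.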
  5. darthcheddar

    darthcheddar Networkin' Nut Member

    That would be the part I am missing. Thanks!
     
