setting up VPN Routing Policy to route traffic going through SSH tunnel

Discussion in 'Tomato Firmware' started by kabar, Mar 14, 2018.

  1. kabar

    kabar LI Guru Member

    Hi,

    Firstly Ive set up a VPN client on my router using NordVPN and instructions they provide, and it worked great, forwarded ALL traffic through the VPN.

    Ive set up a socs-over-SSH tunnel from a remote machine to my tomato router, using putty (http://dimitar.me/dynamic-port-forwarding-with-socks-over-ssh/) and that traffic was also redirected through VPN.

    But eventually I needed some machines on my home network to omit the VPN and access internet directly through my ISP, so Ive created additional subnet using tomato and set up Routing Policy, and made it work after reading some posts on the forum, about route-nopull. Works perfectly fine now with one exception - when I use the SSH tunnel as before, the traffic isnt directed through VPN. I end up with my ISP IP. And I would like it to be routed through VPN.

    Ive added another record in the Routing Policy - from source ip 127.0.0.0/8, as I though SSH is basically the localhost, but still doesnt work. Any suggestions?

    btw Im using tomato Shibby MIPSR2-132 K26

    Code:
    root@cisco:/tmp/home/root# iptables -t mangle -vnL
    Chain PREROUTING (policy ACCEPT 67459 packets, 64M bytes)
     pkts bytes target     prot opt in     out     source               destination                                                                                                            
    28470   35M DSCP       all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0    DSCP set 0x00
        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0    set vpnrouting112 dst,src MARK set 0x70
    14853 1620K MARK       all  --  *      *       192.168.2.0/24       0.0.0.0/0    MARK set 0x70
     1523  194K MARK       all  --  *      *       127.0.0.0/8          0.0.0.0/0    MARK set 0x70
        0     0 MARK       all  --  *      *       192.168.2.0/24       192.168.3.0/24      MARK set 0x0
    
    Chain INPUT (policy ACCEPT 33620 packets, 35M bytes)
     pkts bytes target     prot opt in     out     source               destination                                                                                                            
    Chain FORWARD (policy ACCEPT 33737 packets, 28M bytes)
     pkts bytes target     prot opt in     out     source               destination                                                                                                            
    Chain OUTPUT (policy ACCEPT 18473 packets, 6826K bytes)
     pkts bytes target     prot opt in     out     source               destination                                                                                                            
    Chain POSTROUTING (policy ACCEPT 52243 packets, 35M bytes)
     pkts bytes target     prot opt in     out     source               destination                                                                                                            
    
    Code:
    root@cisco:/tmp/home/root# ip route show table 112
    default via 10.8.8.114 dev tun12
    Code:
    root@cisco:/tmp/home/root# ip route show table main
    109.173.192.1 dev vlan2  scope link
    192.168.3.0/24 dev br1  proto kernel  scope link  src 192.168.3.1
    192.168.2.0/24 dev br0  proto kernel  scope link  src 192.168.2.1
    10.8.8.0/24 dev tun12  proto kernel  scope link  src 10.8.8.114
    109.173.192.0/21 dev vlan2  proto kernel  scope link  src 109.173.192.92
    127.0.0.0/8 dev lo  scope link
    default via 109.173.192.1 dev vlan2
     
    Last edited: Mar 14, 2018
  2. eibgrad

    eibgrad Network Guru Member

    Even if you could add the router's IP to PBR (policy based routing), it's a bad idea. Notice the *only* route available in the alternate routing table (112) is a default route to the VPN. The router can't function properly have *only* a default route to the VPN. It would lose access to all other routes (including static routes, if any) only available in the default/main routing table.

    In fact, that's a known bug w/ both the tomato and dd-wrt implementations of PBR.

    http://svn.dd-wrt.com/ticket/5690

    What would work better in this case is to leave the default gateway as the VPN, then make exceptions for the WAN/ISP. That way the router continues to function normally. Unfortunately, the Routing Policy tab of the GUI can't handle this. But my own PBR scripts can.

    https://pastebin.com/xEziw8Pq
    https://pastebin.com/GMUbEtGj

    Plus, my own scripts fix several known bugs, including copying the routes from the default/main routing table over to the alternate routing table so you don't have communications problems when dealing w/ multiple local IP networks.
     
    Last edited: Mar 15, 2018
  3. labear

    labear New Member Member

    HI,
    I read thru this post and assume you are referring to possibly Asus 3200 or eqvl. using Tomato VPN (only) firmware. My issue I'm having I think is same thing, but don't understand how to create custom route tables. I was hoping that the Route Policy tab in VPN Tunnel would provide me the following;
    I'm running NordVPN on a newer Asus RT-AC3200 w/ tomato VPN (only, not AIO), and would like only a handful of my main computers + possibly a few phones (via AP'S) to be behind the VPN (routed thru VPN connection tunnel). The other many devices (like Amazon Fire) are not critical and also have GEO Errors when trying to use them w/ VPN, so leaving them without VPN is OK by me.
    Here's the issue - Once I select "ignore redirect Gateway (route-nopull) and add just 1 route policy (for my main computer, using just source IP 192.168.0.xxx) everything is cool. My main computer is protected by VPN and the other devices are not. Though when I begin to add more than the 1st route policy, such as my other computers, none of the other computers seem to be routed thru the VPN, and the initial good working route works for about 2 hours, then the VPN connection is Stopped all on its own.
    When trying to remove the router policy and/or returning the Ignore Redirect..... back to ReDirect Internet Traffic... the VPN connection says its running, but there is no protection (via VPN), and the connected status returns to "stopped" after a few minutes.
    The only way to get the router back to its'old self is to default all the tomato settings (not NVRam) and restore the tomato config backup file which I saved prior to attempting this Route Policy effort.

    Anyone have any thoughts on this?
    I thought it was just me, but Its looking like its possibly this version (3.5-140 VPN-64k) on this 3200 router (ARMv rev 0 (v71).

    Possibly if I could be assisted in creating custom routes (in the other necessary screens/tabs) instead of "route policy" maybe this will function correctly???

    HELP!!!!

    Thanks!!!
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice