
Use OpenVPN as WAN connection - is it possible?

Discussion in 'Tomato Firmware' started by InfX, Mar 1, 2010.

  1. InfX

    InfX Addicted to LI Member

    I am trying to set up Tomato with an OpenVPN client mod to use some kind of service similar to the http://www.hidemyass.com paid VPN service, attempting to pass the entire internet traffic through the VPN. In fact, I've managed to connect the VPN client on Tomato using Keith Moyer's TomatoVPN mod.

    My question is: is there any way to make the VPN interface work as a kind of "WAN interface"? For example, I want port forwarding to forward from the VPN, I want DynDNS to get updated with the IP I get from the VPN, etc.

    Any ideas how to achieve this?
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Select the "Redirect Internet traffic" option on the client (though, I suspect that the VPN service is already pushing that setting to you).

    If you use a DDNS that uses whatever address you connect from to update the IP address, then you're okay there. If you use one that uses an IP address you provide (e.g., in the URL), you'll want to choose "Use external IP address checker" in the DDNS settings.

    To get the port forwarding to work, you'll need to set the "firewall" setting in the VPN page to "Custom" and set up the forward manually in the router's firewall script. Currently, there's no way to do this automatically. Though, that is an interesting idea for a future feature...
  3. InfX

    InfX Addicted to LI Member

    Well, HMA indeed pushes the "Redirect Internet traffic" setting to me, so it's not really important whether it is selected or not.

    I didn't remember DDNS had an external IP checker option (and it does), thanks.

    Doing the port forwarding manually, using iptables commands on the tun11 interface, obviously works. My question was more about how to automatically replicate the entire iptables rule set from the WAN interface, or something like that. I want to somehow make the nice and easy-to-use port forwarding GUI work ;-)

    BTW, thanks for your reply and nice work on OpenVPN GUI.
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I understand what you're after, but it currently just isn't easily possible.

    One thing you could do is write a script that parses the portforward nvram variable and creates rules from it, using the VPN interface. Placing that in the firewall script would get you what you want. It might not even be that difficult.
  5. InfX

    InfX Addicted to LI Member

    Well, it might not be that difficult for someone familiar with Linux and its shell scripting, while I am all the way M$, lol. I am not computer illiterate, so I guess if I REALLY wanted to do this I'd get it, but considering the fact that I actually attempted this setup out of curiosity, I doubt I ever will :)

    BTW, I wonder what normally parses that portforward nvram variable. Any chance that something may be started again and could possibly receive an interface parameter?
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Here is the code that parses the variable. It isn't callable from a script and doesn't take an interface as a parameter, though. You would only have to worry about the NAT table, not the FILTER table, so it wouldn't need to be quite so complicated.

    The format of the nvram variable is pretty straightforward, though.
    where each entry is

    There is currently no easier way to accomplish this than to parse this with a shell script. Whether that is worth it to anyone, I can't say.
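An added example for the port-forward question in this thread; it is not code from the thread, from Tomato or from the TomatoVPN mod. It turns the entries of the portforward nvram variable into nat-table DNAT rules on the VPN interface, so the forwards entered in the GUI also apply to the tunnel. The entry layout it assumes (on<proto<src<ext_ports<int_port<int_addr<desc, proto 1=tcp 2=udp 3=both), the sample entries and the tun11 interface name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread, Tomato or the TomatoVPN mod.
# Turns Tomato's "portforward" nvram entries into nat-table DNAT rules on the
# VPN interface, so the forwards from the GUI also apply to the tunnel.
# ASSUMED entry layout (entries end with '>', fields split by '<'):
#   on<proto<src<ext_ports<int_port<int_addr<desc   with proto 1=tcp 2=udp 3=both
# The function only prints the rules; from the firewall script run e.g.
#   vpn_forward_rules "$(nvram get portforward)" tun11 | sh
vpn_forward_rules() {
    pf="$1"
    dev="$2"
    printf '%s\n' "$pf" | tr '>' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        # split one entry into its fields (the description is not needed)
        IFS='<' read -r on proto src xports iport iaddr _desc <<EOF
$entry
EOF
        # skip disabled entries and entries without an internal address
        [ "$on" = "1" ] && [ -n "$iaddr" ] || continue
        case "$proto" in
            1) protos="tcp" ;;
            2) protos="udp" ;;
            3) protos="tcp udp" ;;
            *) continue ;;
        esac
        # nvram stores ranges as 40-45; iptables multiport wants 40:45
        ports=$(printf '%s' "$xports" | tr '-' ':')
        dest="$iaddr"
        [ -z "$iport" ] || dest="$iaddr:$iport"
        src_opt=""
        [ -z "$src" ] || src_opt=" -s $src"
        for p in $protos; do
            printf 'iptables -t nat -A PREROUTING -i %s%s -p %s -m multiport --dports %s -j DNAT --to-destination %s\n' \
                "$dev" "$src_opt" "$p" "$ports" "$dest"
        done
    done
}
```

Review the printed rules before piping them to sh; the FORWARD chain is left untouched, as the post above says only the NAT table needs rules.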
  7. InfX

    InfX Addicted to LI Member

    Since we are already on the shell scripts + openvpn topic...

    Is there a better way of removing the default gateway pushed to me by the VPN server, and only adding a few subnets to get routed through it, other than creating a shell script similar to the one below and placing it in the route-up directive?

    #!/bin/sh
    # remove previously set up routes; if we don't, we will have more than one line with "UG " flags
    # (the subnet values were lost from the post; <VPN_SUBNET>/<VPN_NETMASK> are placeholders)
    /sbin/route del -net <VPN_SUBNET> netmask <VPN_NETMASK>
    # get the gateways from the routing table: the host route (UGH) goes via the ISP gateway,
    # the default route (UG) via the VPN gateway
    isp_gateway="$(route -n | grep "UGH" | cut -c17-32 | sed 's/[ \t]*$//')"
    vpn_gateway="$(route -n | grep "UG " | cut -c17-32 | sed 's/[ \t]*$//')"
    echo "The ISP gateway is $isp_gateway"
    echo "The VPN gateway is $vpn_gateway"
    # remove the VPN default gateway and add the regular one back
    /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
    /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw "$isp_gateway"
    # add vpn routes
    /sbin/route add -net <VPN_SUBNET> netmask <VPN_NETMASK> gw "$vpn_gateway"
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    When the route-up script is run, OpenVPN will have set many useful environment variables you can use rather than trying to parse them yourself, including route_net_gateway (isp_gateway) and route_vpn_gateway (vpn_gateway).

    Other than that, I think that looks pretty good. It would be nice to have a command you could place in the client config to not accept certain things pushed from the server (e.g., redirect-gateway) but still accept the rest. But, alas, there isn't.
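The route-up script rewritten around the OpenVPN variables named in the reply above, as an added example that is not code from the thread or the TomatoVPN mod. It assumes the server pushes a plain redirect-gateway (one tunnel default route replacing the ISP one, as in the script above), that OpenVPN exports route_net_gateway, route_vpn_gateway, dev and script_type to the hook, and a VPN_SUBNETS list of your choosing; DRY_RUN=1 prints the route commands instead of running them.

```shell
#!/bin/sh
# Added example, not the thread's or the TomatoVPN mod's code: a route-up hook
# that undoes a pushed (plain, non-def1) redirect-gateway using the variables
# OpenVPN exports to route-up scripts: route_net_gateway (the ISP default
# gateway), route_vpn_gateway (the gateway inside the tunnel), dev (the tunnel
# interface, e.g. tun11) and script_type. Only the subnets in VPN_SUBNETS, an
# assumed space-separated list, are sent through the VPN. With DRY_RUN=1 the
# route commands are printed instead of executed.
VPN_SUBNETS="${VPN_SUBNETS:-10.8.0.0/24}"   # constructed sample subnet

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

route_up() {
    # refuse to run outside OpenVPN, where these variables would be empty
    : "${route_net_gateway:?not set, run this from the OpenVPN route-up hook}"
    : "${route_vpn_gateway:?not set, run this from the OpenVPN route-up hook}"
    # drop the tunnel default route the server pushed ...
    run /sbin/route del default gw "$route_vpn_gateway"
    # ... and restore the ISP default route that OpenVPN replaced
    run /sbin/route add default gw "$route_net_gateway"
    # send only the chosen subnets through the tunnel
    for net in $VPN_SUBNETS; do
        run /sbin/route add -net "$net" gw "$route_vpn_gateway" dev "${dev:-tun11}"
    done
}

# act only when OpenVPN invokes this file as its route-up script
if [ "${script_type:-}" = "route-up" ]; then route_up; fi
```

Point the client config's route-up directive at this file (with script-security set high enough to allow scripts) and set VPN_SUBNETS in it or in the environment.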
  9. InfX

    InfX Addicted to LI Member

    Nice to know that, thanks. I just removed the parsing and attempted to use the env. variables you mentioned; seems to work :)

    Sometimes I really wonder how the heck "Linux gurus" know all those things. Yeah, I know the meaning of "RTFM" and "google it", and I usually succeed at that, but I guess you know what I meant ;-)
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I often feel the same way. However, I've just happened to spend a fair amount of time looking at this particular manpage while developing this firmware. :)
