Route only specific ports through VPN (openvpn)

Discussion in 'Tomato Firmware' started by ethaniel, Apr 1, 2012.

  1. eangulus

    eangulus Network Guru Member

    I have just enabled the "Create NAT on tunnel" option, and it seems to be working as you wanted.

    192.168.1.10 = VPN
    All Else = WAN
     
  2. eibgrad

    eibgrad Network Guru Member

    NO! NAT has to be enabled at all times for the VPN to work!
     
  3. eangulus

    eangulus Network Guru Member

  4. eibgrad

    eibgrad Network Guru Member

    Whew, you had me worried there for a moment OP. I knew that was correct and it had to be something else.

    Now I want you to add a prerouting rule in which you specify one IP that you only want to use the VPN for outbound port 443. Because prerouting requires the marking of packets, we need to uncomment the “ip rule” that looks for marked packets as well.

    route-up.sh
    Code:
    iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.20 --dport 443 -j MARK --set-mark $MARK
    ip rule add fwmark $MARK table $TID
    route-down.sh
    Code:
    iptables -t mangle -D PREROUTING -p tcp -s 192.168.1.20 --dport 443 -j MARK --set-mark $MARK
    ip rule del fwmark $MARK table $TID
    Verify this works. If you visit a secure (https) site using that source IP, say https://www.grc.com/x/ne.dll?bh0bkyd2, it should show your VPN’s public IP. Any other site from that same source IP, say http://www.ipchicken.com, should show your WAN’s public IP.
     
  5. eangulus

    eangulus Network Guru Member

  6. eangulus

    eangulus Network Guru Member

    Hang on a minute. Wrong IP. (Need to read it better)
     
  7. eangulus

    eangulus Network Guru Member

    OK same results.

    Changed the IP to 192.168.1.10
    192.168.1.10 = 80 & 443 shows VPN IP
    All Else = 80 & 443 shows WAN IP
     
  8. eibgrad

    eibgrad Network Guru Member

    In case it's not obvious, you never want to have the same IP added in "ip rule" as in "PREROUTING" since the ip rule is unconditional. Once you're interested in having conditions applied to a source IP, you abandon the use of "ip rule" in favor of "PREROUTING". That's why I used a different IP in my example (192.168.1.20).

    Frankly, you could abandon the use of “ip rule” entirely and just use "PREROUTING" for even just the source IP. That’s a little less efficient, but it would still work, and perhaps avoid any possibility of confusion. I offer the use of “ip rule” mostly for the simple cases and to make things a little more efficient.
     
  9. eangulus

    eangulus Network Guru Member

    The problem is, though, that in my final setup I need to have the one IP (Server) have all traffic over VPN except for a determined set of ports. So I may have, say, ports 21 and 80 to that one IP bypass the VPN while all other traffic to and from it goes over VPN.

    Otherwise I will need to either do a complicated setup on the Server with multiple NICs and route different services over each NIC depending on what IP I need it to have, or build completely separate servers for each service. Either way it's more complicated and/or expensive.

    So in relation to you saying I can use the IP in prerouting instead, I could just add this:

    Code:
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark $MARK
     
  10. eangulus

    eangulus Network Guru Member

    Just realised the above won't work as it will mark it to go over VPN.

    How can I add it so it goes over WAN instead? Am I adding it to an alternate table or a different MARK?
     
  11. eangulus

    eangulus Network Guru Member

    OK, done a little tinkering, just to show that I am trying to learn this.

    I know it's probably not the best way but I commented out the ip rule, then made the prerouting this:

    Code:
    # route over VPN based on other criteria (e.g., protocol, source/destination port)
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark $MARK
    iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.10 --dport 443 -j MARK --set-mark 0
    Then of course the reverse in the route-down.

    This seems to put "other" server traffic over WAN and puts 443 traffic over VPN.
     
  12. eangulus

    eangulus Network Guru Member

    So basically, functionally it's working close to what I need, other than knowing how to stop the server traffic from ever going over WAN other than the ports in the exception above.
     
  13. eangulus

    eangulus Network Guru Member

    OK I think I have it all working. I'll show my code so you can nit pick at my bad ways ;)

    Current Function:

    On first boot (before VPN starts):
    Network has WAN access. SERVER has no WAN. Ports<->SERVER have no WAN (would like but not essential, gives me an indication that VPN is down).

    OpenVPN Up:
    Network has WAN access. SERVER has VPN access. Ports<->SERVER have WAN access.

    OpenVPN Down:
    Network has WAN access. SERVER has no WAN. Ports<->SERVER have no WAN (would like but not essential, gives me an indication that VPN is down).

    Here is my code if you can review:

    route-up.sh:
    Code:
    #!/bin/sh -x
    (
    TID="200"
    MARK="0x88"
    WS="[[:space:]]"
    WAN_GTWY="$route_net_gateway"       # provided by OpenVPN at runtime
    WAN_IF="$(route | grep -Em1 ^${WAN_GTWY}${WS} | awk '{print $NF}')"
    VPN_GTWY="$route_vpn_gateway"       # provided by OpenVPN at runtime
    VPN_IF="$dev"                       # provided by OpenVPN at runtime
    REDIRECT_GTWY="$redirect_gateway"   # provided by OpenVPN at runtime
    
    # copy default/main routing table (exclude all default gateways)
    ip route flush table $TID > /dev/null 2>&1
    ip route show table main | grep -Ev "^default|^0.0.0.0/1${WS}|^128.0.0.0/1${WS}" \
      | while read route; do
            ip route add $route table $TID
        done
    # add VPN as default gateway
    ip route add default via $VPN_GTWY table $TID
    
    # add WAN back as default gateway in main/default routing table
    if [ "$REDIRECT_GTWY" == "1" ]; then
        ip route add 0.0.0.0/2   via $WAN_GTWY
        ip route add 64.0.0.0/2  via $WAN_GTWY
        ip route add 128.0.0.0/2 via $WAN_GTWY
        ip route add 192.0.0.0/2 via $WAN_GTWY
    fi
    
    # disable WAN/VPN reverse path filtering
    echo 0 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter
    
    # clear the routing cache (or else it won't recognize our changes)
    ip route flush cache
    
    # route over VPN based on source IP(s)/network(s) or network interface
    #ip rule add from 192.168.1.10 table $TID
    #ip rule add from 10.10.1.113  table $TID
    #ip rule add from 10.10.2.0/24 table $TID
    #ip rule add iif wl0.1 table $TID
    
    # route over VPN based on other criteria (e.g., protocol, source/destination port)
    iptables -I FORWARD -i br0 -m iprange --src-range 192.168.1.10 -o $WAN_IF -j ACCEPT
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark $MARK
    iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.10 -m multiport --dport 21,22,80 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.10 -m multiport --sport 21,22,80 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -p udp -s 192.168.1.10 -m multiport --dport 21,22,80 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -p udp -s 192.168.1.10 -m multiport --sport 21,22,80 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -p tcp -s 10.10.1.42 --sport 22 -j MARK --set-mark $MARK
    #iptables -t mangle -A PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    #iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark $MARK
    #iptables -t mangle -A PREROUTING -s jims-ipod -j MARK --set-mark $MARK
    #iptables -t mangle -A PREROUTING -m mac --mac-source 00:11:22:33:44:55 -j MARK --set-mark $MARK
    
    # start processing marked packets through the alternate routing table
    ip rule add fwmark $MARK table $TID
    
    ) 2>&1 | logger -t $(basename $0)[$$]
    route-down.sh:
    Code:
    #!/bin/sh -x
    (
    TID="200"
    MARK="0x88"
    WS="[[:space:]]"
    WAN_GTWY="$route_net_gateway"       # provided by OpenVPN at runtime
    WAN_IF="$(route | grep -Em1 ^${WAN_GTWY}${WS} | awk '{print $NF}')"
    VPN_GTWY="$route_vpn_gateway"       # provided by OpenVPN at runtime
    VPN_IF="$dev"                       # provided by OpenVPN at runtime
    REDIRECT_GTWY="$redirect_gateway"   # provided by OpenVPN at runtime
    
    # remove routes based on source IP(s)/network(s) or network interface
    #ip rule del from 192.168.1.10 table $TID
    #ip rule del from 10.10.1.113  table $TID
    #ip rule del from 10.10.2.0/24 table $TID
    #ip rule del iif wl0.1 table $TID
    
    # remove routes based on other criteria (e.g., protocol, source/destination port)
    iptables -I FORWARD -i br0 -m iprange --src-range 192.168.1.10 -o $WAN_IF -j REJECT
    iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark $MARK
    iptables -t mangle -D PREROUTING -p tcp -s 192.168.1.10 -m multiport --dport 21,22,80 -j MARK --set-mark 0
    iptables -t mangle -D PREROUTING -p tcp -s 192.168.1.10 -m multiport --sport 21,22,80 -j MARK --set-mark 0
    iptables -t mangle -D PREROUTING -p udp -s 192.168.1.10 -m multiport --dport 21,22,80 -j MARK --set-mark 0
    iptables -t mangle -D PREROUTING -p udp -s 192.168.1.10 -m multiport --sport 21,22,80 -j MARK --set-mark 0
    #iptables -t mangle -D PREROUTING -p tcp -s 10.10.1.42 --sport 22 -j MARK --set-mark $MARK
    #iptables -t mangle -D PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    #iptables -t mangle -D PREROUTING -p tcp --dport 443 -j MARK --set-mark $MARK
    #iptables -t mangle -D PREROUTING -s jims-ipod -j MARK --set-mark $MARK
    #iptables -t mangle -D PREROUTING -m mac --mac-source 00:11:22:33:44:55 -j MARK --set-mark $MARK
    
    # stop processing marked packets through the alternate routing table
    ip rule del fwmark $MARK table $TID
    
    # remove WAN as default gateway in main/default routing table
    if [ "$REDIRECT_GTWY" == "1" ]; then
        ip route del 0.0.0.0/2   via $WAN_GTWY
        ip route del 64.0.0.0/2  via $WAN_GTWY
        ip route del 128.0.0.0/2 via $WAN_GTWY
        ip route del 192.0.0.0/2 via $WAN_GTWY
    fi
    
    # re-enable WAN/VPN reverse path filtering
    echo 1 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter
    
    # clear the alternate routing table and routing cache
    ip route flush table $TID
    ip route flush cache
    
    ) 2>&1 | logger -t $(basename $0)[$$]
    And I have in WAN Up (for blocking SERVER on boot):
    Code:
    iptables -I FORWARD -i br0 -m iprange --src-range 192.168.1.10 -o ppp0 -j REJECT
     
  14. Hardrock

    Hardrock Networkin' Nut Member

    Hi Guys,

    Could someone please help me make my IPTABLES work.

    From outside my LAN network, I'd like to be able to access my printer and streaming TV box from my phone or work PC using my ddns address. Here are my basic router details:

    My WAN 94.1.2.3 (for example)
    My LAN Gateway is 192.168.0.1
    My Printer is on 192.168.0.5:80
    My TV Box is on 192.168.0.10:8005

    I want to be able to type xxxx.ddns.net:8010 and access my printer webpage
    I want to be able to type xxx.ddns.net:8005 and access my TV box remotely

    Below are my IPTABLES rules so far, any help appreciated:

    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p udp -m multiport --dports 1194,1935,58050,8005,8200 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp -m multiport --dports 58050,1935,8005,8200 -m state --state NEW -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
    iptables -A FORWARD -m state --state RELATED -j ACCEPT
    iptables -A FORWARD -i br0 -m state --state NEW -j ACCEPT
    iptables -I INPUT -i tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE



    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
    #
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
    done
    #
    # Delete and table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    #
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    #
    # NOTE: Here I assume the OpenVPN tunnel is named "tun0".
    #
    ip route show table main | grep -Ev ^default | grep -Ev tun0\
    | while read ROUTE ; do
    ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache



    # 0 vpn and 1 bypass
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0


    # All traffic to a specific Internet IP address will bypass the VPN

    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 1935 -j MARK --set-mark 1 #BBC port
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range xx.210.138.xx -j MARK --set-mark 1 #IPTV VPN Bypass
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range xx.114.242.xx -j MARK --set-mark 1 #IPTV VPN Bypass
     
  15. eangulus

    eangulus Network Guru Member

    I think you would need to put the port information in your last script under "# All traffic to a specific Internet IP address will bypass the VPN"

    Take a look at my last post. This set of scripts is working and the ports listed are bypassing the VPN, allowing remote outside-to-inside access.
     
  16. eangulus

    eangulus Network Guru Member

    Just wanted to make sure that I thank eibgrad for all his help. So much appreciated, and I have had everything working for the past week (so far).

    Thank you very much for your help and patience. Very much appreciated.
     
  17. Hardrock

    Hardrock Networkin' Nut Member

    Guys, still struggling to get my iptables forward and prerouting rules working. I'm using the mark 0 or 1 to allow prerouting of the VPN. To keep it simple, if I connect my IP web cam with IP 192.168.0.100:80 to my router and I want my mobile phone to log in from outside my network and view the stream, how do I make this happen with iptables?
    My GW 192.168.0.1 my phone IP 94.1.2.3

    Cheers
     
  18. eibgrad

    eibgrad Network Guru Member

    In no particular order of importance …

    * The tunnel name it’s using is tun0. Tomato (Shibby anyway) uses tun11, at least by default.

    * Not sure I get the point of marking packets 0 for the default since unmarked packets will default to the VPN anyway. No harm I suppose, but it makes me wonder if in the process of editing it for your own needs, you accidentally left something out from the original script.

    * Two of your three rules don’t even need this technique. If all you want to do is change the routing to the WAN based solely on destination IP, you can simply add a static route directly in the GUI.

    * In the process of developing my own solution, I’ve found it’s important to NAT everything over the WAN and VPN. Sometimes the router, by default, is only configured to NAT specific source networks (e.g., 192.168.1.x). And if you should switch the routing from one network to another, you can suddenly find you’ve lost connectivity due to the lack of NAT between that source IP and the new output network interface.

    * The fact you’ve replaced ALL the firewall rules is a concern, since that introduces another possible source of errors, and that’s before we even get to the issue of whether the split tunneling is working.

    * That script was clearly developed initially for dd-wrt. The fact it doesn't handle the VPN coming down (just up) suggests it's a startup script, and therefore can't handle a restart of the VPN. That seems a shame considering the Tomato GUI makes this possible via scripting. Not the end of the world, but why introduce a hack (which the dd-wrt solution is) when you don't have to.

    Anyway, if we put aside all your changes to the firewall that are NOT related to split tunneling, it would at least appear to be functionally correct (but one never knows for sure w/o testing).

    It might help too if we saw the original script on which you based your own script.
     
  19. Hardrock

    Hardrock Networkin' Nut Member

    Hi Eibgrad, thanks for the reply buddy - ok, the iptables rules I have have been knocked up using different examples I have seen over time on the web. It ports well to an E4200 and equally, I have these iptables rules working well in a second home-built Linux router / server which I mainly use for upnp bubble streaming internally and outside my network.

    BUT

    For whatever reason, I just can't reach my webcam on <my ddns>:8005 from the outside. Please note my GW 192.168.0.1 is mapped to my ddns

    Here are some further rules I've tried today; they still don't work

    iptables -t nat -A PREROUTING -p tcp --dport 8005 -j DNAT --to-destination 192.168.0.10:8005
    iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.10 --dport 8005 -j SNAT --to-source 192.168.0.1

    I am starting to wonder if the *nat is getting muddled up with the *mangle rules.
    I want to resolve this using Iptables so I can port it to my E4200 and linux station also.

    This is hurting my head sooo much because I am sure the solution is easy!
    Any help appreciated!
     
  20. eibgrad

    eibgrad Network Guru Member

    deleted
     
  21. eibgrad

    eibgrad Network Guru Member

    I just realized this was a port forwarding situation. For remote access purposes, you need to specify the source port, not destination port! What's preventing the remote access is the *reply* being routed out the VPN. It’s the reply that needs to be marked so it gets routed out the WAN, and that’s based on its source IP and source port.

    Code:
    iptables -t mangle -A PREROUTING -i br0 -p tcp -s 192.168.0.100 --sport 80 -j MARK --set-mark 1 #BBC port
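    The mark-then-route logic behind eangulus's scripts in post 13 and the reply-path point made just above, as an added model written for this page (not code from the thread, from Tomato or from OpenVPN). It simulates the mangle PREROUTING chain and the fwmark rule lookup in Python; the Packet, MangleRule and Policy types, the 203.0.113.5 remote host and the sample packets are constructed, and the block also shows what happens when the catch-all mark rule is placed after the exception rules.

```python
"""Model of the fwmark split tunnel discussed in this thread (constructed).

Stage 1 simulates the mangle PREROUTING chain (which mark a packet leaves
with); stage 2 simulates the `ip rule` lookup (which table, hence which
default gateway, that mark selects). Nothing here invokes iptables or ip.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    """One forwarded packet as PREROUTING sees it (constructed sample data)."""
    iif: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class MangleRule:
    """One `iptables -t mangle -A PREROUTING ... -j MARK --set-mark N` line.
    A None/empty field means the option was not given and matches anything."""
    set_mark: int
    iif: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dports: FrozenSet[int] = frozenset()
    sports: FrozenSet[int] = frozenset()

    def matches(self, p: Packet) -> bool:
        return ((self.iif is None or p.iif == self.iif)
                and (self.proto is None or p.proto == self.proto)
                and (self.src is None or p.src == self.src)
                and (not self.dports or p.dport in self.dports)
                and (not self.sports or p.sport in self.sports))


def prerouting_mark(rules: List[MangleRule], p: Packet) -> int:
    """MARK is a non-terminating target: traversal continues after a match,
    so the LAST matching rule in chain order decides the final mark."""
    mark = 0
    for rule in rules:
        if rule.matches(p):
            mark = rule.set_mark
    return mark


@dataclass(frozen=True)
class Policy:
    """`ip rule add fwmark M table T` entries, written as the egress that
    table's default route leads to, plus the egress of the main table."""
    fwmark_egress: Dict[int, str]
    main_egress: str


def egress(policy: Policy, rules: List[MangleRule], p: Packet) -> str:
    """Return "VPN" or "WAN" for a forwarded packet under policy + rules."""
    return policy.fwmark_egress.get(prerouting_mark(rules, p), policy.main_egress)


# Scheme A (eangulus, post 13): mark 0x88 -> table 200 -> VPN, unmarked -> WAN.
MARK = 0x88
SERVER = "192.168.1.10"
BYPASS = frozenset({21, 22, 80})
EANGULUS_RULES = [
    MangleRule(MARK, iif="br0", src=SERVER),                # all server traffic -> VPN,
    MangleRule(0, proto="tcp", src=SERVER, dports=BYPASS),  # except these ports in
    MangleRule(0, proto="tcp", src=SERVER, sports=BYPASS),  # either direction
    MangleRule(0, proto="udp", src=SERVER, dports=BYPASS),
    MangleRule(0, proto="udp", src=SERVER, sports=BYPASS),
]
EANGULUS_POLICY = Policy({MARK: "VPN"}, main_egress="WAN")

# Scheme B (Hardrock, post 22): main table defaults to VPN, mark 1 -> table 100 -> WAN.
WEBCAM = "192.168.0.10"
HARDROCK_RULES = [
    MangleRule(0, iif="br0"),                                        # redundant default
    MangleRule(1, iif="br0", proto="tcp", dports=frozenset({1935})),
    MangleRule(1, iif="br0", proto="tcp", src=WEBCAM, sports=frozenset({8005})),  # reply rule
]
HARDROCK_POLICY = Policy({1: "WAN"}, main_egress="VPN")

# Constructed packets; 203.0.113.5 is an RFC 5737 documentation address.
REMOTE = "203.0.113.5"
SERVER_HTTPS = Packet("br0", "tcp", SERVER, REMOTE, 51000, 443)       # outbound, not bypassed
SERVER_HTTP = Packet("br0", "tcp", SERVER, REMOTE, 51001, 80)         # outbound, bypassed
SERVER_HTTP_REPLY = Packet("br0", "tcp", SERVER, REMOTE, 80, 40000)   # reply to forwarded inbound
OTHER_CLIENT = Packet("br0", "tcp", "192.168.1.50", REMOTE, 51002, 443)
WEBCAM_REPLY = Packet("br0", "tcp", WEBCAM, REMOTE, 8005, 40001)

if __name__ == "__main__":
    for name, pkt in [("server:443", SERVER_HTTPS), ("server:80", SERVER_HTTP),
                      ("server reply sport 80", SERVER_HTTP_REPLY), ("other client", OTHER_CLIENT)]:
        print(f"eangulus  {name:22s} -> {egress(EANGULUS_POLICY, EANGULUS_RULES, pkt)}")
    # Same rules, reversed: the catch-all now matches last and sends port 80 via VPN.
    print("eangulus  rules reversed, server:80 ->",
          egress(EANGULUS_POLICY, list(reversed(EANGULUS_RULES)), SERVER_HTTP))
    print("hardrock  webcam reply, no sport rule ->",
          egress(HARDROCK_POLICY, HARDROCK_RULES[:2], WEBCAM_REPLY))
    print("hardrock  webcam reply, sport rule    ->",
          egress(HARDROCK_POLICY, HARDROCK_RULES, WEBCAM_REPLY))
```

    The model only decides between the two default routes; LAN-to-LAN traffic, the FORWARD ACCEPT/REJECT rules and NAT are out of scope.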
     
  22. Hardrock

    Hardrock Networkin' Nut Member

    Hi Eibgrad,

    So my iptables list now looks like this. Added your rule above to the bottom of the rules.
    I'm afraid it still doesn't work. IP forwarding is enabled, and I can reach 192.168.0.10:8005 from any internal device within my network, but not external.

    Just as a test, do you know how I could redirect 192.168.0.10:8005 to 192.168.0.1:8005 as test?

    #!/bin/sh
    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p udp -m multiport --dports 1194,1935,58050,8005,8200 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp -m multiport --dports 58050,1935,8005,8200 -m state --state NEW -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
    iptables -A FORWARD -m state --state RELATED -j ACCEPT
    iptables -A FORWARD -i br0 -m state --state NEW -j ACCEPT
    iptables -I INPUT -i tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE



    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
    #
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
    done
    #
    # Delete and table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    #
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    #
    # NOTE: Here I assume the OpenVPN tunnel is named "tun0".
    #
    ip route show table main | grep -Ev ^default | grep -Ev tun0\
    | while read ROUTE ; do
    ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache

    # 0 vpn and 1 bypass
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0

    # All traffic to a specific Internet IP address will bypass the VPN

    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 1935 -j MARK --set-mark 1 #BBC port
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range xx.210.138.xx -j MARK --set-mark 1 #IPTV VPN Bypass
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range xx.114.242.xx -j MARK --set-mark 1 #IPTV VPN Bypass

    iptables -t mangle -A PREROUTING -i br0 -p tcp -s 192.168.0.10 --sport 8005 -j MARK --set-mark 1 #WebCam
     
  23. eibgrad

    eibgrad Network Guru Member

    Have you confirmed you can reach that internal device remotely when the VPN is down? With all those firewall changes you've made, I'm not convinced the issue is the VPN. Not unless you first confirm that remote access works when the VPN isn't active.
     
  24. Hardrock

    Hardrock Networkin' Nut Member

    Hello. So I stopped the VPN and just ran some basic iptables rules as below. Good news: I can reach the webcam no problem from the outside with the VPN off, that's a start :)

    What should I try next?

    #!/bin/sh
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # Enable routing.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Allow all inputs to firewall from the internal network and local interfaces

    iptables -A INPUT -i br0 -s 0/0 -d 0/0 -j ACCEPT
    iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p udp -m multiport --dports 1194,1900,58050,58051,9091,8002:8005,8200,51413 -m state --state NEW -j ACCEPT
    iptables -A INPUT -p tcp -m multiport --dports 60535:65535,58050,58051,8002:8005,8200,9091,51413 -m state --state NEW -j ACCEPT
    iptables -A FORWARD -i br0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8005 -j DNAT --to-destination 192.168.0.10:8005
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
     
  25. Bird333

    Bird333 Network Guru Member

    Can someone explain why we have to disable Reverse Path Filtering for this to work? Perhaps with a couple of examples showing how a packet would travel otherwise.
     
  26. uniextra

    uniextra Reformed Router Member

    Hi all!

    I'm using Shibby on a Belkin F7D7302 for a while now, and I have two problems with it:

    1- as for the topic... I have set up a VPN to the USA (to get Netflix) and I have problems making it work as it should. The idea is to route only Netflix traffic and not the rest of the internet, so I have two possible setups.

    1-a. I have a pptp connection working, leaving "Redirect Internet traffic" unchecked and then adding the exception routes manually
    Code:
    ip route add default dev ppp0 table 3
    # netflix
    ip rule add to 72.44.32.0/19 table 3 pref 300
    ....
    This works, but every time I get a tunnel drop, I lose the IP table, and since "Redirect Internet traffic" is unchecked, the WAN table does not change, and I can't use any of the administration scripts to automatically add the routes again.

    1-b. the other option is to use OpenVPN, which has a Routing Policy where I can "select" destination IPs to be sent through the tunnel. It also has an option in the Advanced tab, "Redirect Internet traffic", that I leave unchecked, and I added the same routes in the Routing Policy, but somehow there should be a bug because when connected it creates the default route to the tunnel, and all my traffic is sent into the tunnel with no exception.
    2- Problem two I will post separately to avoid confusion.

    Hope to get some help thanks!
     
  27. eangulus

    eangulus Network Guru Member

    OK, having a small issue, maybe I just need fresh eyes. My up and down scripts have been working perfectly for some time now. Recently though I have upgraded from a RT-AC66U to the RT-AC68U. In the process I took the chance to do a reconfiguration of my network IP addressing from 192.168.1.0/24 to 10.1.0.0/16.

    Now in my scripts I changed all the references to 192.168.1.1 to 10.1.21.1. My server cannot get access to the VPN at all and I can't seem to work out why.

    route-up:

    Code:
    #!/bin/sh -x
    (
    TID="200"
    MARK="0x88"
    WS="[[:space:]]"
    WAN_GTWY="$route_net_gateway"       # provided by OpenVPN at runtime
    WAN_IF="$(route | grep -Em1 ^${WAN_GTWY}${WS} | awk '{print $NF}')"
    VPN_GTWY="$route_vpn_gateway"       # provided by OpenVPN at runtime
    VPN_IF="$dev"                       # provided by OpenVPN at runtime
    REDIRECT_GTWY="$redirect_gateway"   # provided by OpenVPN at runtime
    
    # copy default/main routing table (exclude all default gateways)
    ip route flush table $TID > /dev/null 2>&1
    ip route show table main | grep -Ev "^default|^0.0.0.0/1${WS}|^128.0.0.0/1${WS}" \
      | while read route; do
            ip route add $route table $TID
        done
    # add VPN as default gateway
    ip route add default via $VPN_GTWY table $TID
    
    # add WAN back as default gateway in main/default routing table
    if [ "$REDIRECT_GTWY" == "1" ]; then
        ip route add 0.0.0.0/2   via $WAN_GTWY
        ip route add 64.0.0.0/2  via $WAN_GTWY
        ip route add 128.0.0.0/2 via $WAN_GTWY
        ip route add 192.0.0.0/2 via $WAN_GTWY
    fi
    
    # disable WAN/VPN reverse path filtering
    echo 0 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter
    
    # clear the routing cache (or else it won't recognize our changes)
    ip route flush cache
    
    # route over VPN based on source IP(s)/network(s) or network interface
    #ip rule add from 10.1.21.1 table $TID
    #ip rule add from 10.10.1.113  table $TID
    #ip rule add from 10.10.2.0/24 table $TID
    #ip rule add iif wl0.1 table $TID
    
    # route over VPN based on other criteria (e.g., protocol, source/destination port)
    iptables -I FORWARD -i br0 -m iprange --src-range 10.1.21.1 -o $WAN_IF -j ACCEPT
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.1.21.1 -j MARK --set-mark $MARK
    iptables -t mangle -A PREROUTING -p tcp -s 10.1.21.1 -m multiport --dport 80,81,3000,5050,8081,8181,8888,9091,10000 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -p tcp -s 10.1.21.1 -m multiport --sport 80,81,3000,5050,8081,8181,8888,9091,10000 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -p udp -s 10.1.21.1 -m multiport --dport 80,81,3000,5050,8081,8181,8888,9091,10000 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -p udp -s 10.1.21.1 -m multiport --sport 80,81,3000,5050,8081,8181,8888,9091,10000 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -p tcp -s 10.10.1.42 --sport 22 -j MARK --set-mark $MARK
    #iptables -t mangle -A PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    #iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark $MARK
    #iptables -t mangle -A PREROUTING -s jims-ipod -j MARK --set-mark $MARK
    #iptables -t mangle -A PREROUTING -m mac --mac-source 00:11:22:33:44:55 -j MARK --set-mark $MARK
    
    # start processing marked packets through the alternate routing table
    ip rule add fwmark $MARK table $TID
    
    ) 2>&1 | logger -t $(basename $0)[$$]

    route-down

    Code:
    #!/bin/sh -x
    (
    TID="200"
    MARK="0x88"
    WS="[[:space:]]"
    WAN_GTWY="$route_net_gateway"       # provided by OpenVPN at runtime
    WAN_IF="$(route | grep -Em1 ^${WAN_GTWY}${WS} | awk '{print $NF}')"
    VPN_GTWY="$route_vpn_gateway"       # provided by OpenVPN at runtime
    VPN_IF="$dev"                       # provided by OpenVPN at runtime
    REDIRECT_GTWY="$redirect_gateway"   # provided by OpenVPN at runtime
    
    # remove routes based on source IP(s)/network(s) or network interface
    #ip rule del from 10.1.21.1 table $TID
    #ip rule del from 10.10.1.113  table $TID
    #ip rule del from 10.10.2.0/24 table $TID
    #ip rule del iif wl0.1 table $TID
    
    # remove routes based on other criteria (e.g., protocol, source/destination port)
    iptables -I FORWARD -i br0 -m iprange --src-range 10.1.21.1 -o $WAN_IF -j REJECT
    iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 10.1.21.1 -j MARK --set-mark $MARK
    iptables -t mangle -D PREROUTING -p tcp -s 10.1.21.1 -m multiport --dport 80,81,3000,5050,8081,8181,8888,9091,10000 -j MARK --set-mark 0
    iptables -t mangle -D PREROUTING -p tcp -s 10.1.21.1 -m multiport --sport 80,81,3000,5050,8081,8181,8888,9091,10000 -j MARK --set-mark 0
    iptables -t mangle -D PREROUTING -p udp -s 10.1.21.1 -m multiport --dport 80,81,3000,5050,8081,8181,8888,9091,10000 -j MARK --set-mark 0
    iptables -t mangle -D PREROUTING -p udp -s 10.1.21.1 -m multiport --sport 80,81,3000,5050,8081,8181,8888,9091,10000 -j MARK --set-mark 0
    #iptables -t mangle -D PREROUTING -p tcp -s 10.10.1.42 --sport 22 -j MARK --set-mark $MARK
    #iptables -t mangle -D PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    #iptables -t mangle -D PREROUTING -p tcp --dport 443 -j MARK --set-mark $MARK
    #iptables -t mangle -D PREROUTING -s jims-ipod -j MARK --set-mark $MARK
    #iptables -t mangle -D PREROUTING -m mac --mac-source 00:11:22:33:44:55 -j MARK --set-mark $MARK
    
    # stop processing marked packets through the alternate routing table
    ip rule del fwmark $MARK table $TID
    
    # remove WAN as default gateway in main/default routing table
    if [ "$REDIRECT_GTWY" == "1" ]; then
        ip route del 0.0.0.0/2   via $WAN_GTWY
        ip route del 64.0.0.0/2  via $WAN_GTWY
        ip route del 128.0.0.0/2 via $WAN_GTWY
        ip route del 192.0.0.0/2 via $WAN_GTWY
    fi
    
    # re-enable WAN/VPN reverse path filtering
    echo 1 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter
    
    # clear the alternate routing table and routing cache
    ip route flush table $TID
    ip route flush cache
    
    ) 2>&1 | logger -t $(basename $0)[$$]
     
  28. eangulus

    eangulus Network Guru Member

    May have just solved it after a good sleep.

    I just added both a source and destination rule to the new part in the OpenVPN settings.

    Now just testing the source or destination on their own.

    Also while having both at least, my logs were flooded with this:

    Code:
    Aug 8 11:38:15 RTR-ECS-MASTER daemon.err openvpn[2011]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #102806 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
     
  29. eangulus

    eangulus Network Guru Member

    OK, something is really odd, but not too sure on what's going on.

    Basically, the router is doing most of what it's supposed to do. The server is blocked from all internet by default.

    When VPN comes up, the specific ports I have set to bypass VPN work fine.

    But I am not getting anything over the VPN. No port 443 (using this as an IP checker for testing) and my torrent ports.

    All the information in the scripts seems to be correct in the logs (things like gateway, tun11 name etc).

    If I tick the option in VPN Routing Policy - Redirect through VPN, on Shibby Tomato 131, then it seems to all work as normal. I get the VPN IP under 443, torrents work etc.

    But with this option on, my logs are flooded with these lines:

    daemon.err openvpn[2030]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #9749 ]


    I think it may have something to do with a duplication in my script, where a line in my script is doing the same thing as the option in Tomato. But without the option ticked, nothing is working.
     
  30. James Wichall

    James Wichall New Member Member

  31. Edrikk

    Edrikk Network Guru Member

    Not wanting to look through the code, I was banging my head against this for a while.
    In the end, I gave up, and looked at how Shibby 131 implemented the Selective IP code. I want to share the below in case it saves someone a lot of headaches/time.


    As of Shibby 131, it looks like all these involved scripts aren't needed any longer, and a simpler approach can be taken, leveraging the code that's been built.

    What I wanted to do, and tested:
    - VPN Client 1 (setup by the PIA setup) is used by only one LAN IP. All Others by-pass VPN. In addition, a single port from the LAN IP that is on the VPN is to by-pass the VPN.

    Steps:
    - In the VPN Client Routing Policy page, do not include the IP Address of the LAN IP that you want to use VPN, but instead, create a dummy "From Source" entry, using a non-existent IP (on a different subnet if you wish). For example, I am on 192.168.1.X, but I created an entry for 192.168.11.10

    - In the Admin Firewall Scripts, add the appropriate IPTables code to now include what you wish for the LAN IP. In the below case, port 123 is excluded from being a part of the VPN, but the "rest" of IP 192.168.1.10 is to use the VPN. Please note that for VPN Client 1, you must set mark "111"

    Code:
    iptables -t mangle -A PREROUTING -p tcp -m multiport ! --sport 123 -s 192.168.1.10 -j MARK --set-mark 111
    That's it!

    Can add and remove port 80 to the above to test by running from the box that is supposed to be using VPN:
    Code:
    wget http://ipinfo.io/ip -qO -
     
  32. lvibe10

    lvibe10 New Member Member


    Edrikk,

    Could you elaborate more on what your script is and how you implemented the whole thing. I am driving myself crazy trying to sort this out.
     
  33. MichaelH

    MichaelH New Member Member

    Hi eibgrad,
    I'm trying to use your code in my Netgear R7000 router with Shibby Tomato 1.28 129 K26ARM USB AIO-64K, and PIA VPN installed on it. Basically, I'd like my PC & Roku to go through VPN. I just want my PS3 to go through regular internet (WAN?). I enabled JFFS checkbox in Admin --> JFFS. I attempted to Format/Erase since I read it was recommended when first using it. I got an error "Error formatting JFFS. Check the logs to see if they contain more details about this error." I still attempted to SSH into router using your instructions to vi route-up.sh in /jffs directory. After typing in script, I went to save it. But I got "Read only" error. Looking in /var/log/messages, the error entry was identical to what Tomato GUI said. No further details to help troubleshoot.

    You stated that as an alternative, we can enter the scripts in any area that has persistence, such as Admin --> Scripts --> Init. How would we do this? Do we put the contents of "route-up.sh" into Init? Where do we place contents of "route-pre-down.sh"? And once both scripts contents are entered, what do I put in the VPN Tunneling --> OpenVPNClient --> Advanced --> Custom Configuration section? Do I check the "Redirect Internet Traffic" checkbox?

    When I SSH'd into router, I navigated to /temp. And noticed that contents of "script_init.sh" matched what I put in the Admin --> Scripts --> Init. So, in Custom Configuration do I type something like?:
    script-security 2
    route-up /tmp/script_init.sh

    If so, again where do I put contents of "route-pre-down.sh" and how do I call it in Custom Configuration?

    I would really appreciate your help, and have learned a lot from your entries in this thread.
     
  34. MichaelH

    MichaelH New Member Member

    hello, can anyone help with this? any advice would be greatly appreciated. thanks.
     
  35. eibgrad

    eibgrad Network Guru Member

    You can create the scripts in /tmp by encapsulating them within another script that builds the script for you. Then place all of it in the init script.

    SCRIPT="/tmp/route-up.sh"
    cat << "EOF" > $SCRIPT
    ### your script goes here ###
    EOF
    chmod +x $SCRIPT

    SCRIPT="/tmp/route-down.sh"
    cat << "EOF" > $SCRIPT
    ### your script goes here ###
    EOF
    chmod +x $SCRIPT
     
  36. MichaelH

    MichaelH New Member Member

    Many thanks, Eibgrad! I am new to all of this, so I truly appreciate the guidance.
    Again, my goal is to have all traffic pass through the VPN (PIA), except my PS3 which will access WAN.
    If VPN goes down, I want those devices access to be blocked (until it comes back up).
    Finally, I'd like to configure port forwarding through VPN tunnel for BitTorrent traffic to work properly.

    So just to clarify my understanding on what to do, can you confirm that the following steps are correct?


    1. Navigate to Admin --> Scripts --> Init

    SCRIPT="/tmp/route-up.sh"
    cat << "EOF" > $SCRIPT
    #!/bin/sh
    TID=200
    VPN_IF="$dev" # provided by OpenVPN at runtime
    VPN_DFLT_GTWY='^0.0.0.0/1|^128.0.0.0/1'

    # copy main routing table to alternate routing table (ignore VPN routes)
    ip route flush table $TID > /dev/null 2>&1
    ip route show table main | grep -v "$VPN_IF" | grep -Ev $VPN_DFLT_GTWY \
    | while read route; do
    ip route add $route table $TID
    done
    ip route flush cache

    # specify source IP(s)/network(s) to be routed over the WAN
    ip rule add from < IP of my PS3 > table $TID
    EOF
    chmod +x $SCRIPT

    SCRIPT="/tmp/route-down.sh"
    cat << "EOF" > $SCRIPT
    #!/bin/sh
    TID=200
    ip rule del from < IP of my PS3 > table $TID
    ip route flush table $TID
    ip route flush cache
    EOF
    chmod +x $SCRIPT


    2. Navigate to VPN Tunneling --> OpenVPNClient --> Advanced --> Custom Configuration

    script-security 2
    route-up /tmp/route-up.sh
    route-pre-down /tmp/route-down.sh

    Do I enable/check the "Redirect internet traffic" checkbox here?


    3. Navigate to Administration->Scripts->Firewall

    iptables -I FORWARD -o $(nvram get wan_iface) -j DROP


    4. Steps to set up port forwarding for BitTorrent? I use UTorrent.


    I recall that you've said before that using scripts in "WAN_UP" are essentially "hacks".
    With the setup above, does it represent a more comprehensive, stable solution in your opinion?
    I don't want any leaks, etc.

    One further question: what is the best way to confirm that selective routing is occurring as intended? ipleak.net?
     
  37. eangulus

    eangulus Network Guru Member

    A couple of questions to those who may know.

    With the new Routing Policy in Tomato Shibby, are all these scripts now redundant? Like in my case I route only a specific IP to the VPN, all others WAN only, but I have setup specifying specific ports to the VPNed IP to bypass VPN. We can put IP's into the Routing Policy but can we also add ports like 192.168.1.10:80?

    Also, in the route-up script examples, is there a way to force a specific domain to the second VPN? Here is my reasoning in case there is a better way: soon Australia will start blocking domains like piratebay and the like. Australia has Sydney and Melbourne servers for PIA, and they are much faster for me for downloads. What I would like to achieve is to continue using local servers for downloading, but when my server looks at e.g. Piratebay, I want it to use the second VPN connection, which would be set to another country to bypass the blocking.


    And finally to MichaelH.

    Here is what I have under the firewall script to copy over my QoS settings to the VPN. Not sure how but may be able to use a similar method for copying the port forwarding structure too.

    Code:
    #Copy QoS details from WAN to VPN
    cp /etc/qos /tmp/qos-tun11
    sed -i 's/ppp0/tun11/g' /tmp/qos-tun11
    sed -i 's/imq0/imq1/g' /tmp/qos-tun11
    chmod +x /tmp/qos-tun11
    /tmp/qos-tun11
    iptables -t mangle -A FORWARD -o tun11 -j QOSO
    iptables -t mangle -A OUTPUT -o tun11 -j QOSO
    iptables -t mangle -A PREROUTING -i tun11 -j CONNMARK --restore-mark --mask 0xff
    iptables -t mangle -A PREROUTING -i tun11 -j IMQ --todev 1
    ifconfig imq1 up
     
  38. eibgrad

    eibgrad Network Guru Member

    Every third party OpenVPN provider will default to having the default gateway changed to the VPN, and that's the assumption in those scripts. Checking "Redirect internet traffic" isn't going to hurt anything, it's just redundant.

    You'd have to provide a specific instance. I don't recall the context under which I made that statement.

    Compared to what? Shibby's own Routing Policy feature? I don't know of any routers that offer policy based routing *and* block the WAN at the same time, so I guess in that sense it's better. Also, Shibby's Routing Policy feature has a few bugs, so it might be better to stick w/ this kind of scripting until that's addressed. But I suspect he'll never provide blocking of the WAN as an option.

    Try using tracert (Windows) or traceroute (Linux) to the specific IP address. You'll easily be able to see the path it takes, WAN vs. VPN.
     
  39. eibgrad

    eibgrad Network Guru Member

    Shibby's Routing Policy feature can replace *some* of these scripts, but only those that are based on either source or destination IP. There's no ability to be selective based on other criteria like ports, protocol, MAC address, etc. Also, it only works one way. You have to prevent the gateway from being changed from the WAN to the VPN by enabling the "Ignore Redirect Gateway (route-nopull)" option under the Advanced tab because Routing Policy is only capable of directing traffic to the VPN. IOW, you can't have it default to the VPN, but use Routing Policy to direct some source IPs back to the WAN. This is one reason I believe once you enable Routing Policy, the router should automatically enable "Ignore Redirect Gateway (route-nopull)". This is essentially what dd-wrt's policy based routing features does (but it uses route-noexec).

    While you could use the "To Domain" type in Routing Policy for this, destination IPs are really not what policy based routing is all about. You can always control destination IPs by simply adding static routes.

    So let's say I want all access to Google servers to use the VPN. All I have to do is add the following to the OpenVPN client custom config field.

    Code:
    route 8.8.8.8 255.255.255.255 vpn_gateway
    route 8.8.4.4 255.255.255.255 vpn_gateway
    This could actually be shortened since the default mask is 255.255.255.255 and the VPN's gateway is assumed.

    Code:
    route 8.8.8.8
    route 8.8.4.4
    You can send some destinations to the WAN instead w/ the following.

    Code:
    route 8.8.8.8 255.255.255.255 net_gateway
    route 8.8.4.4 255.255.255.255 net_gateway
     
    Last edited: Apr 6, 2016
  40. eangulus

    eangulus Network Guru Member

    I am having a small issue. Server IP is not getting any VPN access.

    I am still using my above scripts, but now I am needing to turn on the routing policy option (with no entries) for it to work.

    All I know is that it seems to solve the issue but not sure if it is the problem and therefore if it's the proper way to fix it.
     
  41. feedzapper

    feedzapper Connected Client Member


    I use the same router as you (NETGEAR R7000); do the following:
    - Update to 132 K26ARM USB AIO-64K (don't use the MULTIWAN builds yet, they are a little buggy for the moment)
    - in OPENVPN CLIENT -> ROUTING POLICY :
    - check REDIRECT THROUGH VPN
    - enter under FROM SOURCE IP the IP addresses you want to use the VPN
    you can also use address ranges, e.g. 192.168.0.104/29 will force 192.168.0.105-192.168.0.110 to use the VPN
    ALL OTHER IP addresses that are NOT in the list will bypass the VPN !
    - under ADVANCED TAB make a check under -> Ignore Redirect Gateway (route-nopull)
    - also UN-check CREATE NAT ON TUNNEL
    - under ADVANCED TAB -> CUSTOM CONFIGURATION :
    script-security 2
    route-up /opt/routeup.sh
    route-pre-down /opt/routedown.sh
    well, I use a USB stick for storing the script files that I use (example path /opt)
    All Shibby MIPS builds know the very nice command for storing your own script files, "nvram setfile2nvram", but
    it is not available for ARM right now.

    I use the following routeup / down files
    routeup.sh :
    #!/bin/sh -x
    (
    sleep 15
    WS="[[:space:]]"
    # copy default/main routing table (exclude all default gateways)
    ip route show table main | grep -Ev "^default|^0.0.0.0/1${WS}|^128.0.0.0/1${WS}" \
    | while read route; do
    ip route add $route table 111
    done
    # example for routing all FTP traffic over VPN
    # iptables -t mangle -I PREROUTING -p tcp -m multiport --sport 20,21 -j MARK --set-mark 111
    ) 2>&1 | logger -t $(basename $0)[$$]

    routedown.sh :
    #!/bin/sh -x
    (
    ip route flush table 111
    ip route flush cache

    ) 2>&1 | logger -t $(basename $0)[$$]

    NOTE : the scripts above are for the TUN11 "Client1" OpenVPN interface, which will use routing table 111 by default !
    You can also see the execution of the script files in the SYSLOG !
    Also, in all Shibby ARM =<1.32 builds the iptables MARK module does not work correctly for now. Don't spend time on that to keep this running with openvpn :-(

    and finally :
    in ADMINISTRATION->SCRIPTS->FIREWALL enter :

    iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
    iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
    iptables -I INPUT -i tun11 -j DROP
    iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

    Do you also want some IPs to be blocked from the internet if the VPN goes down (until it comes back up), i.e. internet only via VPN?
    Then add the following here as well :
    iptables -I FORWARD -i br0 -s <ip-address to be blocked> -o `nvram get wan_iface` -j DROP


    Good Luck !
     
    Last edited: Mar 25, 2016
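The "copy the main table into the alternate table" step that every route-up script in this thread performs (eibgrad's with `grep -v "$VPN_IF"`, feedzapper's with `${WS}`), as an added example that is not one of the posted scripts: it takes the text of `ip route show table main` and prints the ip route commands that would build the WAN-only table, so the filter can be checked offline before it is run on a router. The sample table, interface names, gateway address and table id are constructed values.

```shell
#!/bin/sh
# Added example, not one of the scripts posted in the thread. Builds the list of
# "ip route add ... table TID" commands for the WAN-only alternate table from
# the text of "ip route show table main", instead of running ip(8) directly.

# Routes to copy: everything in the main table except default routes, the two
# /1 routes OpenVPN installs for redirect-gateway, and anything on the VPN
# interface. The interface is matched as a whole word, so tun1 does not also
# match tun11 (a plain "grep -v tun1" would).
#   $1 = main table text, $2 = VPN interface name
wan_table_routes() {
    ws='[[:space:]]'
    printf '%s\n' "$1" \
        | grep -Ev "^default${ws}|^0\.0\.0\.0/1${ws}|^128\.0\.0\.0/1${ws}" \
        | grep -Ev "${ws}dev${ws}$2(${ws}|\$)"
}

# Print the commands that would build the alternate table, ending with the WAN
# default route that the copied table lacks.
#   $1 = main table text, $2 = VPN interface, $3 = WAN gateway, $4 = table id
wan_table_commands() {
    wan_table_routes "$1" "$2" | while IFS= read -r route; do
        printf 'ip route add %s table %s\n' "$route" "$4"
    done
    printf 'ip route add default via %s table %s\n' "$3" "$4"
}

# Constructed sample: what the main table looks like on a Tomato router with
# the WAN on vlan2 (gateway 203.0.113.1) and an OpenVPN client up on tun11 that
# pushed redirect-gateway (hence the 0.0.0.0/1 and 128.0.0.0/1 routes).
SAMPLE_MAIN='0.0.0.0/1 via 10.8.0.5 dev tun11
203.0.113.1 dev vlan2  scope link
198.51.100.7 via 203.0.113.1 dev vlan2
10.8.0.0/24 dev tun11  proto kernel  scope link  src 10.8.0.6
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
128.0.0.0/1 via 10.8.0.5 dev tun11
default via 203.0.113.1 dev vlan2'

# Dry run: print the commands rather than executing them. On the router the
# output would be piped to sh once it has been checked.
wan_table_commands "$SAMPLE_MAIN" tun11 203.0.113.1 200
```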
  42. MichaelH

    MichaelH New Member Member

    Hi eibgrad,

    Sorry for the late reply. I tried the solution and it doesn't appear to work. All my internet traffic seems to be going through VPN, including the PS3 ... which was the only device I didn't want going through VPN. Here is my set up again if you don't mind taking a look to see if I did something wrong:

    1. Administration - Scripts - Init:

    SCRIPT="/tmp/route-up.sh"
    cat << "EOF" > $SCRIPT
    #!/bin/sh
    TID=200
    VPN_IF="$dev" #provided by OpenVPN at runtime
    VPN_DFLT_GTWY='^0.0.0.0/1|^128.0.0.0/1'

    #copy main routing table to alternate routing table (ignore VPN routes)
    ip route flush table $TID > /dev/null 2>&1
    ip route show table main | grep -v "$VPN_IF" | grep -Ev $VPN_DFLT_GTWY \
    | while read route; do
    ip route add $route table $TID
    done
    ip route flush cache

    #specify source IP(s)/network(s) to be routed over WAN
    ip rule add from 192.168.1.46 table $TID
    EOF
    chmod +x $SCRIPT

    SCRIPT="/tmp/route-down.sh"
    cat << "EOF" > $SCRIPT
    #!/bin/sh
    TID=200
    ip rule del from 192.168.1.46 table $TID
    ip route flush table $TID
    ip route flush cache
    EOF
    chmod +x $SCRIPT

    2. VPN Tunneling - OpenVPNClient - Client1 - Advanced:

    persist-key
    persist-tun
    tls-client
    auth-user-pass /tmp/password.txt
    comp-lzo
    verb 1
    reneg-sec 0
    script-security 2
    route-up /tmp/route-up.sh
    route-pre-down /tmp/route-down.sh

    3. Administration - Scripts - Firewall:

    iptables -I FORWARD -o $(nvram get wan_iface) -j DROP

    Just to refresh your memory, I want PS3 to go through ISP as I want to watch my region's Netflix (Canada) through PS3 as NF blocks access when using VPN IP's for either Canada or US. But I want to continue using Roku through US VPN in order to access other American services.

    The PS3 IP is 192.168.1.46. I had a wireless connection which was working, as verified on PS3 and in router Device List. But when launching NF on PS3, I got "We're having a problem connecting to Netflix. Please try again or visit website" error message "nf-2-5". So I googled it and a few people advised power cycling both PS3 and router. After I did that, I noticed that when setting up wireless connection on console it successfully obtains an IP, but internet connection now fails.

    The selective routing for PS3 is not working because other apps like YouTube are also having connectivity related problems.

    Can you please advise?

    Also, how would I run tracert to verify PS3 is not going through VPN?
     
  43. MichaelH

    MichaelH New Member Member

    can anyone help me out please?
     
  44. theredmoose

    theredmoose Networkin' Nut Member

    Has anyone implemented what Edrikk mentioned below? What is the purpose of the "dummy" IP address?




     
  45. Edrikk

    Edrikk Network Guru Member

    For those interested, here is a more complete setup description (for my VPN, which is PIA):

    Interface Type = TUN
    Protocol = UDP
    Extra HMAC authorization (tls-auth) = Disabled
    Create NAT on tunnel = Checked

    Redirect Internet traffic = Unchecked
    Ignore Redirect Gateway (route-nopull) = Unchecked
    Accept DNS configuration = Strict
    Verify server certificate (tls-remote) = Unchecked

    Custom Config entries:
    Code:
    persist-key
    persist-tun
    tls-client
    comp-lzo
    verb 1
    reneg-sec 0
    route-noexec
    
    Routing Policy:
    "From Source IP --> 192.168.11.10" <-- This is a non-existent IP on my LAN




    - In the Admin Firewall Scripts, add the appropriate IPTables code to now include what you wish for the LAN IP. In the below case, port 123 is excluded from being a part of the VPN, but the "rest" of IP 192.168.1.10 is to use the VPN. Please note that for VPN Client 1, you must set mark "111"

    Code:
    iptables -t mangle -A PREROUTING -p tcp -m multiport ! --sport 123 -s 192.168.1.10 -j MARK --set-mark 111
    
     
  46. KhurramFHassan

    KhurramFHassan Reformed Router Member

    There is a lot of great information in these 3 pages. Thanks to all who have contributed and helped others. I want to use the VPN for selected websites only and using the GUI for this does not work. I would like to use eibgrad's approach detailed in http://www.linksysinfo.org/index.ph...-through-vpn-openvpn.37240/page-2#post-257554 and combine it with the IP addresses approach in kk5000's post at http://www.linksysinfo.org/index.ph...-ports-through-vpn-openvpn.37240/#post-223966.

    Is there a way to get the ip addresses in cidr notation for specific domain names, say for netflix, so that I can add them to the up/down scripts?

    Thanks.
     
  47. Jason Meudt

    Jason Meudt Reformed Router Member

    http://www.linksysinfo.org/index.ph...sp-and-two-vpn-connections.72248/#post-273736
     
  48. KhurramFHassan

    KhurramFHassan Reformed Router Member

    Last edited: Apr 18, 2016
  49. MichaelH

    MichaelH New Member Member

    Hi eibgrad,

    I know it's been awhile, but can you please help me out? My last post is #242. I really appreciate it. Thx.

    Mike
     
  50. theredmoose

    theredmoose Networkin' Nut Member

    Thanks for the post Edrikk. I have the same setup as you. I used to use the WAN script to direct all traffic from my media server out the VPN with the exception of the Plex ports. However it stopped working when I upgraded Tomato.

    What is the purpose of the non-existent IP? Does it trigger something to occur?

    Also, why set-mark=111? In my previous script I used --set-mark=0 to redirect traffic through the VPN.



     
  51. Darkvador

    Darkvador Network Guru Member


    Can anyone please help me edit this script, so that only one IP (192.168.1.200) connects through the VPN?
    (my WAN connection is "PPP0" and VPN connection is "PPP4")
    Do I need a script in the firewall section too?
    Thanks
     
  52. Darkvador

    Darkvador Network Guru Member

    Bump
    Anyone ???
     
  53. thedog123

    thedog123 New Member Member

    Hello, I have been using the script posted by "Grdnkln" for a few years now with success but recently in the last week or so the clients on my network that have been configured to NOT use the VPN have all of a sudden stopped working. By stopped working I mean, they are not able to browse the Internet. It appears that DNS resolution is working fine but for some reason Web pages are not returned.

    The clients that I have configured to selectively use the VPN tunnel work just fine with no issues. If I change the router WANUp script and Firewall Script to include the non-working clients so they are pointed to the VPN, they start to work again.

    It seems like maybe my Table 100 config isn't working, which is supposed to include all default and non-VPN related config info and tell clients to go out the WAN Gateway instead of the VPN table. This is just a guess, but based on my understanding of what this table is meant to do it seems to make sense.

    From a client that I have told to use the VPN tunnel, if I run a traceroute to Google's 8.8.8.8 DNS server I can see the route follows the path of the VPN tunnel as expected.

    From a client that I have told to NOT use the VPN tunnel, if I run a trace to Google's 8.8.8.8 DNS server I only see 2 hops. The first hop is the local LAN gateway address. Then I get about 10 hops of nothing but "*" signs. Then the last hop shows the Google DNS server. Performing an NSLookup of the Google DNS server IP returns the local router IP as the resolving party and then it successfully resolves the Google DNS name.

    Not sure what happened for this to stop working as nothing has been changed on the Tomato Router (Asus RT-AC66U version 1.28 by shibby) ... that I know of.

    Here are a few log entries I see related to the test above from the client that is NOT using the VPN tunnel.

    May 7 15:13:28 unknown user.alert kernel: ACCEPT <4>ACCEPT IN=br0 OUT=vlan2 <1>SRC=192.168.2.31 DST=8.8.8.8 <1>LEN=92 TOS=0x00 PREC=0x00 TTL=7 ID=2337 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=39

    May 7 15:19:47 unknown user.alert kernel: ACCEPT <4>ACCEPT IN=br0 OUT=vlan2 <1>SRC=192.168.2.31 DST=52.24.217.21 <1>LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=3120 DF PROTO=TCP <1>SPT=49366 DPT=443 SEQ=290066076 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)

    This client is set to use DHCP from the router and uses the Router as its Gateway & DNS server (in this case 192.168.2.1 for both).

    On the BASIC Network Tab of the Tomato Router I have two static DNS servers listed (8.8.8.8 & 8.8.4.4) which I believe these non VPN clients should use as their DNS server while the clients on the VPN use the DNS server that is pushed to me by the VPN provider.

    On the OpenVPN Client Tab, under Advanced, I have Redirect Internet traffic ENABLED and I also have Accept DNS configuration set to EXCLUSIVE.

    Anyone have any ideas? Thanks in advance for your time.
     
  54. koitsu

    koitsu Network Guru Member

    Preface: I haven't fully parsed all of what you've written, and I don't do VPNs (at least not on consumer devices; I absolutely understand them in enterprise environments with Netscreens and so on) or "complex setups" (on residential), but I do have a very good understanding of networking protocols, routing, and NAT (how it works, not so much how Linux implements it, re: DNAT/SNAT etc.).

    So that said, I wanted to provide some insight to this specific part of your post:

    These two "alerts" are simply iptables rules which have had logging enabled for whatever that particular classification of traffic is (not QoS classification, just referring to whatever firewall rules correlate with the above). Decoding these is quite easy. In respective order:

    1. This is an ICMP ECHO being sent from 192.168.2.31 (from interface br0 (LAN)) to 8.8.8.8 (going out interface vlan2 (WAN)). This is otherwise known as a classic "ping". So, someone on 192.168.2.31 was doing "ping 8.8.8.8". The packet was accepted (i.e. wasn't dropped or rejected by iptables).

    2. This is a packet from 192.168.2.31 (source port 49366 (random)) (from interface br0 (LAN)) destined to 52.24.217.21 (destination port 443, i.e. HTTPS) (going out interface vlan2) via TCP. In other words: someone on 192.168.2.31 was attempting to visit https://52.24.217.21 (or some website name that resolved to 52.24.217.21). 52.24.217.21 points to a server within Amazon EC2's cloud (us-west-2, which is geographically in Oregon). It was an initial connection (TCP SYN). It is impossible to determine what website name was attempting to be accessed from this data/log, but I don't think that's relevant. The packet was accepted (i.e. wasn't dropped or rejected by iptables).

    In neither example do I see signs of response traffic (possibly those lines were omitted -- I do not know). Traffic which was rejected (by iptables) would have a REJECT or DROP association line with them (they wouldn't be silently discarded).

    With regards to your VPN: possibly one of the complexities here is that your packets are not going out what I would normally expect to be a VPN interface (commonly tapXX or tunXX).

    So while I'm sorry that I can't help you directly with your problem, I hope the above gives you some details as to what the logging messages mean.

    I will say, however, that "using scripts from {some random person}" is not very helpful. It is incredibly important to understand the networking topology/flow aspect of what the script is doing. There is no such thing as a "magic script" -- understanding the "magic" is what matters, and failure to do so can/will result in situations like this. :)
     
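As an added example, not something posted in the thread: a small sh decoder for the Tomato kernel log lines quoted above, doing mechanically what koitsu does by hand (extract IN/OUT/SRC/DST/PROTO/DPT and name the egress interface as WAN or VPN), plus a check that a host meant to bypass the tunnel never shows up with OUT=tun*. The two lines from thedog123's post are used as samples together with a constructed third line; the interface-name mapping (tun/tap = VPN, vlan/ppp = WAN) is an assumption matching this thread.

```shell
#!/bin/sh
# Added example (not from the thread): decode the iptables kernel log lines that
# Tomato writes, in the "ACCEPT <4>ACCEPT IN=br0 OUT=vlan2 <1>SRC=... " format
# quoted in this thread, and name the kind of interface the packet left on.

# Print the value of KEY=value from one log line (empty if the key is absent).
# The "<1>"/"<4>" printk level tags are stripped first so "<1>SRC=" parses.
#   $1 = log line, $2 = key (SRC, DST, OUT, PROTO, DPT, ...)
fw_field() {
    printf '%s\n' "$1" | sed 's/<[0-9]>//g' | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Classify an egress interface name. The prefixes are an assumption that
# matches this thread: tunNN/tapNN for OpenVPN, vlanN/pppN/ethN for the WAN.
#   $1 = interface name from OUT=
fw_iface_kind() {
    case "$1" in
        tun*|tap*)       echo VPN ;;
        vlan*|ppp*|eth*) echo WAN ;;
        br*)             echo LAN ;;
        '')              echo LOCAL ;;   # OUT= empty: packet was for the router itself
        *)               echo UNKNOWN ;;
    esac
}

# One-line summary: "ACTION SRC -> DST PROTO[/DPT] via OUT (WAN|VPN|...)"
#   $1 = log line
fw_decode() {
    line=$1
    # The iptables action is the word right after "kernel: " (ACCEPT, DROP, REJECT)
    action=$(printf '%s\n' "$line" | sed -n 's/.*kernel: \([A-Z]*\) .*/\1/p')
    src=$(fw_field "$line" SRC)
    dst=$(fw_field "$line" DST)
    proto=$(fw_field "$line" PROTO)
    dpt=$(fw_field "$line" DPT)   # absent for ICMP
    out=$(fw_field "$line" OUT)
    [ -n "$dpt" ] && proto="$proto/$dpt"
    printf '%s %s -> %s %s via %s (%s)\n' \
        "$action" "$src" "$dst" "$proto" "${out:-local}" "$(fw_iface_kind "$out")"
}

# Leak check for a host that is supposed to bypass the tunnel: return 1 when a
# packet from that host left on a VPN interface, 0 otherwise.
#   $1 = log line, $2 = LAN IP that must use the WAN
fw_check_bypass() {
    src=$(fw_field "$1" SRC)
    out=$(fw_field "$1" OUT)
    if [ "$src" = "$2" ] && [ "$(fw_iface_kind "$out")" = VPN ]; then
        return 1
    fi
    return 0
}

# Sample input: the two lines quoted by thedog123 above, plus one constructed
# line for a host (192.168.2.40) whose traffic went out over tun11.
LOG_PING='May 7 15:13:28 unknown user.alert kernel: ACCEPT <4>ACCEPT IN=br0 OUT=vlan2 <1>SRC=192.168.2.31 DST=8.8.8.8 <1>LEN=92 TOS=0x00 PREC=0x00 TTL=7 ID=2337 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=39'
LOG_HTTPS='May 7 15:19:47 unknown user.alert kernel: ACCEPT <4>ACCEPT IN=br0 OUT=vlan2 <1>SRC=192.168.2.31 DST=52.24.217.21 <1>LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=3120 DF PROTO=TCP <1>SPT=49366 DPT=443 SEQ=290066076 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)'
LOG_VPN='May 7 15:20:03 unknown user.alert kernel: ACCEPT <4>ACCEPT IN=br0 OUT=tun11 <1>SRC=192.168.2.40 DST=198.51.100.20 <1>LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=3121 DF PROTO=TCP <1>SPT=49367 DPT=80 SEQ=1 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0'

for l in "$LOG_PING" "$LOG_HTTPS" "$LOG_VPN"; do
    fw_decode "$l"
done
# 192.168.2.31 only ever left on vlan2, so this passes; 192.168.2.40 did not.
fw_check_bypass "$LOG_HTTPS" 192.168.2.31 && echo "192.168.2.31: no VPN leak seen"
fw_check_bypass "$LOG_VPN" 192.168.2.40 || echo "LEAK: 192.168.2.40 left on the tunnel"
```

On a router the same functions can be run over `tail -f /var/log/messages` to watch a specific host while the routing scripts are being tested.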
  55. thedog123

    thedog123 New Member Member

    Hello and thanks for your response. The two log file entries I included in my initial post are from a client on the network that is configured to NOT use the VPN tunnel and instead just go out the WAN as regular traffic sourcing from my ISP assigned public IP address. So with that said, it's good to see that there is no sign of the traffic attempting to use the VPN tunnel (tun11 in my case).

    The part that still leaves me scratching my head is that it appears that an attempt is made to try and return a web page to my browser on said client, but then it times out and returns nothing. The funny thing is, I can even see the URL appear in my browser showing the company specific logo of the owner of a given site (i.e. you know, you can see the Amazon logo before the URL address), but despite that, no dice on the page itself. It almost looks like port 80 is being stopped somewhere upstream.

    At least on the Tomato router I see nothing that indicates a DROP, so I may need to look at my ASA firewall which is in front of the Tomato. I haven't had to log into the ASA for over a year so I can't imagine why it would all of a sudden decide to block traffic from these clients not using the VPN tunnel.

    I guess I'll need to roll up my sleeves on this one which is something I was hoping to avoid due to being a lazy slob and all :)
    Now where did I put that damn firewall password again :eek:
     
  56. koitsu

    koitsu Network Guru Member

    I'd suggest reviewing your iptables -L -n -v --line-numbers output too (may also need iptables -t nat -L -n -v --line-numbers -- not sure), to see if there are any rules in there that look like they might be punting traffic through the wrong interface.
     
  57. wildcat2083

    wildcat2083 New Member Member

    Hi, I have a dd-wrt router and I have been struggling to get a set of iptables commands to work the way I want to and could use some help. I'll start with my current setup.

    I currently have VPN up and running and have copied and pasted the original script from the first page. After some tinkering I noticed my objective was working (mostly); however, I lost remote access to my router from WAN. I also have an FTP server running on the router itself, and that was also lost, as well as SSH.

    What I am trying to do is default a few computers (IP addresses) to go through the tunnel, which in my case is tun1 (verified using the ifconfig command). Also, I am running a program called rutorrent and, due to my ISP, what I am trying to achieve is to forward any ports that are not 21,22,80,81,443,8081 through the VPN, which would be mark 0 according to the script, as well as all UDP traffic also routed through the VPN. I can give you the modified script I am trying to use; again, my biggest issue is I lose all WAN access to my SSH, FTP, remote login etc.

    I was also told to disable NAT on the openvpn config as well, is that helpful in my case?
    *edit* found out NAT Has to be Enabled

    Here is the exact copy of the modified script I'm using
    Code:
    #!/bin/sh
    
    #  To list the current rules on the router, issue the command:
    #      iptables -t mangle -L PREROUTING
    
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
    
    # Delete table 100 and flush any existing rules if they exist.
    
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    
    # NOTE: Here I assume the OpenVPN tunnel is named "tun11". #changed to tun1
    
    ip route show table main | grep -Ev ^default | grep -Ev tun1 \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
    
    # Define the routing policies for the traffic. The rules will be applied in the order that they
    # are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
    # to "1" it will bypass the VPN.
    
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.115 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.124 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport ! 21,22,80,81,443,8081,8200 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -p udp -m multiport --dport ! 21,22,80,81,443,8081,8200 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 0
     
    Last edited: May 15, 2016
  58. Jason Meudt

    Jason Meudt Reformed Router Member

    In order to access your router admin use this:

    Code:
    # OUTPUT for Admin page of router (Set port for your setting)
    iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 8080 -j MARK --set-mark 0
     
  59. Mikeyy

    Mikeyy Reformed Router Member

    Hi all. Didn't visit this thread for a long time, but since I'm going back to Shibby/AdvancedTomato on my AC68P, I need your help with keeping some ports out of VPN.

    I have AirVPN working on latest AdvancedTomato (137). Pictures of setup: http://imgur.com/a/t0ix6
    route-nopull is used.

    I want only 192.168.1.5 and 192.168.1.22 to use VPN.
    Also, I want ports 10001, 10002 which are port forwarded to 192.168.1.22 to use WAN. Same for ports 11222, 11333 and 11444 which are port forwarded to 192.168.1.5, want them to use WAN instead of VPN.

    Code:
    #!/bin/sh -x
    (
    TID="200"
    MARK="0x88"
    WS="[[:space:]]"
    WAN_GTWY="$route_net_gateway"       # provided by OpenVPN at runtime
    WAN_IF="$(route | grep -Em1 ^${WAN_GTWY}${WS} | awk '{print $NF}')"
    VPN_GTWY="$route_vpn_gateway"       # provided by OpenVPN at runtime
    VPN_IF="$dev"                       # provided by OpenVPN at runtime
    REDIRECT_GTWY="$redirect_gateway"   # provided by OpenVPN at runtime
    
    # copy default/main routing table (exclude all default gateways)
    ip route flush table $TID > /dev/null 2>&1
    ip route show table main | grep -Ev "^default|^0.0.0.0/1${WS}|^128.0.0.0/1${WS}" \
      | while read route; do
            ip route add $route table $TID
        done
    # add VPN as default gateway
    ip route add default via $VPN_GTWY table $TID
    
    # add WAN back as default gateway in main/default routing table
    if [ "$REDIRECT_GTWY" == "1" ]; then
        ip route add 0.0.0.0/2   via $WAN_GTWY
        ip route add 64.0.0.0/2  via $WAN_GTWY
        ip route add 128.0.0.0/2 via $WAN_GTWY
        ip route add 192.0.0.0/2 via $WAN_GTWY
    fi
    
    # disable WAN/VPN reverse path filtering
    echo 0 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter
    
    # clear the routing cache (or else it won't recognize our changes)
    ip route flush cache
    
    # route over VPN based on source IP(s)/network(s) or network interface
    ip rule add from 192.168.1.5  table $TID
    ip rule add from 192.168.1.22  table $TID
    
    # route over WAN based on other criteria
    iptables -t mangle -A PREROUTING -p tcp -m multiport ! --sport 10001,10002,11222,11333,11444 -j MARK --set-mark $MARK
    
    # start processing marked packets through the alternate routing table
    ip rule add fwmark $MARK table $TID
    
    ) 2>&1 | logger -t $(basename $0)[$$]
    Problem is, it doesn't work. Those 2 devices still access internet via WAN IP.
    Tested after router restart.

    This is log:
    Code:
    Jul  9 23:28:51 unknown daemon.notice openvpn[1478]: OpenVPN 2.3.11 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul  7 2016
    Jul  9 23:28:51 unknown daemon.notice openvpn[1478]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
    Jul  9 23:28:51 unknown daemon.warn openvpn[1481]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: Socket Buffers: R=[120832->120832] S=[120832->120832]
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: UDPv4 link local: [undef]
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: UDPv4 link remote: [AF_INET]213.152.162.164:443
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: TLS: Initial packet from [AF_INET]213.152.162.164:443, sid=54ae71fe 5f501f5b
    Jul  9 23:28:52 unknown daemon.info pppd[908]: System time change detected.
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: Validating certificate key usage
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: ++ Certificate has key usage  00a0, expects 00a0
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: VERIFY KU OK
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: Validating certificate extended key usage
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: VERIFY EKU OK
    Jul  9 23:28:52 unknown daemon.notice openvpn[1481]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
    Jul  9 23:28:52 unknown daemon.err apcupsd[877]: apcupsd FATAL ERROR in linux-usb.c at line 609 Cannot find UPS device -- For a link to detailed USB trouble shooting information, please see <http://www.apcupsd.com/support.html>.
    Jul  9 23:28:52 unknown daemon.err apcupsd[877]: apcupsd error shutdown completed
    Jul  9 23:28:53 unknown user.notice root: vpnrouting: clean-up
    Jul  9 23:28:54 unknown daemon.notice openvpn[1481]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Jul  9 23:28:54 unknown daemon.notice openvpn[1481]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul  9 23:28:54 unknown daemon.notice openvpn[1481]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Jul  9 23:28:54 unknown daemon.notice openvpn[1481]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jul  9 23:28:54 unknown daemon.notice openvpn[1481]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    Jul  9 23:28:54 unknown daemon.notice openvpn[1481]: [server] Peer Connection Initiated with [AF_INET]213.152.162.164:443
    Jul  9 23:28:56 unknown daemon.info dnsmasq-dhcp[1077]: DHCPREQUEST(br0) 192.168.1.46 ac:3f:a4:05:3b:7c
    Jul  9 23:28:56 unknown daemon.info dnsmasq-dhcp[1077]: DHCPACK(br0) 192.168.1.46 ac:3f:a4:05:3b:7c Piper
    Jul  9 23:28:57 unknown daemon.notice openvpn[1481]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Jul  9 23:28:57 unknown daemon.notice openvpn[1481]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.9.145 255.255.0.0'
    Jul  9 23:28:57 unknown daemon.err openvpn[1481]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Jul  9 23:28:57 unknown daemon.err openvpn[1481]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Jul  9 23:28:57 unknown daemon.notice openvpn[1481]: OPTIONS IMPORT: timers and/or timeouts modified
    Jul  9 23:28:57 unknown daemon.notice openvpn[1481]: OPTIONS IMPORT: LZO parms modified
    Jul  9 23:28:57 unknown daemon.notice openvpn[1481]: OPTIONS IMPORT: --ifconfig/up options modified
    Jul  9 23:28:57 unknown daemon.notice openvpn[1481]: OPTIONS IMPORT: route-related options modified
    Jul  9 23:28:57 unknown daemon.notice openvpn[1481]: TUN/TAP device tun11 opened
    Jul  9 23:28:57 unknown daemon.notice openvpn[1481]: TUN/TAP TX queue length set to 100
    Jul  9 23:28:57 unknown daemon.notice openvpn[1481]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Jul  9 23:28:57 unknown daemon.notice openvpn[1481]: /sbin/ifconfig tun11 10.4.9.145 netmask 255.255.0.0 mtu 1500 broadcast 10.4.255.255
    Jul  9 23:28:57 unknown daemon.notice openvpn[1481]: updown.sh tun11 1500 1558 10.4.9.145 255.255.0.0 init
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + TID=200
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + MARK=0x88
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + WS=[[:space:]]
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + WAN_GTWY=
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + awk {print $NF}
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + route
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + grep -Em1 ^[[:space:]]
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + WAN_IF=
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + VPN_GTWY=
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + VPN_IF=tun11
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + REDIRECT_GTWY=0
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + ip route flush table 200
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + ip+  routegrep show -Ev table ^default|^0.0.0.0/1[[:space:]]|^128.0.0.0/1[[:space:]]+ read route
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]:  main
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + ip route add 172.29.252.70 dev ppp0 proto kernel scope link src 93.143.227.61 table 200
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + read route
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + ip route add 192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1 table 200
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + read route
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + ip route add 10.4.0.0/16 dev tun11 proto kernel scope link src 10.4.9.145 table 200
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + read route
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + ip route add 127.0.0.0/8 dev lo scope link table 200
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + read route
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + ip route add default via table 200
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: Error: an inet address is expected rather than "table".
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + [ 0 == 1 ]
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: /jffs/route-up.sh: line 55: can't create /proc/sys/net/ipv4/conf//rp_filter: nonexistent directory
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + echo 0
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + echo 0
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + ip route flush cache
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + ip rule add from 192.168.1.5 table 200
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + ip rule add from 192.168.1.22 table 200
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + iptables -t mangle -A PREROUTING -p tcp -m multiport ! --sport 10001,10002,11222,11333,11444 -j MARK --set-mark 0x88
    Jul  9 23:29:02 unknown user.notice route-up.sh[1607]: + ip rule add fwmark 0x88 table 200
    Jul  9 23:29:02 unknown daemon.notice openvpn[1481]: Initialization Sequence Completed
    
    
    In log these variables are empty:
    WAN_GTWY=
    WAN_IF=
    VPN_GTWY=

    Is that normal?
     
    Last edited: Jul 9, 2016
  60. Mikeyy

    Mikeyy Reformed Router Member

    Turned off "route-nopull", left "Redirect Internet Traffic" unchecked.
    Now the 2 VPN machines are working, but all WAN machines are not. All those variables I mentioned at the end of my last post are correctly filled now, but WAN internet isn't working.
    It starts working when I turn off VPN client, but then everyone has WAN.

    So problem probably lies in WAN code of route-up script.
     
  61. eangulus

    eangulus Network Guru Member

    Having issues. I don't know what has caused it, as I don't even know when it started, but overall I don't think I have done anything that should affect this.

    So, just to clarify my current setup:

    Asus RT-AC68U with Shibby Tomato 132 & PIA VPN


    Basic
    Open VPN Client 1:
    Start with WAN = Checked
    Interface Type = TUN
    Protocol = UDP
    Server Address/Port = aus.privateinternetaccess.com | 1198
    Firewall = Auto
    Authorization Mode = TLS
    Username/Password Authentication = Checked
    Username Authen. Only = Unchecked
    Extra HMAC authorization (tls-auth) = Disabled
    Create NAT on tunnel = Checked

    Advanced
    Poll Interval = 5
    Redirect Internet traffic = Unchecked
    Ignore Redirect Gateway (route-nopull) = Unchecked
    Accept DNS configuration = Strict
    Encryption cipher = None (Not concerned with encryption and found that none runs faster while still hiding my IP)
    Compression = Adaptive
    TLS Renegotiation Time = 0
    Connection retry = -1
    Verify server certificate (tls-remote) = Unchecked
    Custom Configuration =
    persist-key
    persist-tun
    auth sha1
    tls-client
    remote-cert-tls server
    comp-lzo
    verb 1
    crl-verify /jffs/crl.rsa.2048.pem
    disable-occ
    auth-nocache
    script-security 2
    mute-replay-warnings
    route-up /jffs/route-up.sh
    route-pre-down /jffs/route-down.sh
    Keys
    Certificate Authority = Is entered from ca file.
    Routing Policy
    Redirect through VPN = Unchecked
    List is Empty

    Administration->Scripts->Firewall
    Code:
    #Block IP from WAN Connection as Default
    iptables -I FORWARD -i br0 -s 10.1.21.2 -o ppp0 -j REJECT
    
    #Copy QoS details from WAN to VPN
    cp /etc/qos /tmp/qos-tun11
    sed -i 's/ppp0/tun11/g' /tmp/qos-tun11
    sed -i 's/imq0/imq1/g' /tmp/qos-tun11
    chmod +x /tmp/qos-tun11
    /tmp/qos-tun11
    iptables -t mangle -A FORWARD -o tun11 -j QOSO
    iptables -t mangle -A OUTPUT -o tun11 -j QOSO
    iptables -t mangle -A PREROUTING -i tun11 -j CONNMARK --restore-mark --mask 0xff
    iptables -t mangle -A PREROUTING -i tun11 -j IMQ --todev 1
    ifconfig imq1 up
    route-up.sh
    Code:
    #!/bin/sh -x
    (
    TID="200"
    MARK="0x88"
    WS="[[:space:]]"
    WAN_GTWY="$route_net_gateway"
    WAN_IF="$(route | grep -Em1 ^${WAN_GTWY}${WS} | awk '{print $NF}')"
    VPN_GTWY="$route_vpn_gateway"
    VPN_IF="$dev"
    REDIRECT_GTWY="$redirect_gateway"
    # Ports to bypass VPN
    PORTS_ALLOWED="22,80,81,5050,8081,8096,8181,8989,9091,10000"
    
    # copy default/main routing table (exclude all default gateways)
    ip route flush table $TID > /dev/null 2>&1
    ip route show table main | grep -Ev "^default|^0.0.0.0/1${WS}|^128.0.0.0/1${WS}" \
      | while read route; do
            ip route add $route table $TID
        done
    # add VPN as default gateway
    ip route add default via $VPN_GTWY table $TID
    
    # add WAN back as default gateway in main/default routing table
    if [ "$REDIRECT_GTWY" == "1" ]; then
        ip route add 0.0.0.0/2   via $WAN_GTWY
        ip route add 64.0.0.0/2  via $WAN_GTWY
        ip route add 128.0.0.0/2 via $WAN_GTWY
        ip route add 192.0.0.0/2 via $WAN_GTWY
    fi
    
    # disable WAN/VPN reverse path filtering
    echo 0 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter
    
    # clear the routing cache (or else it won't recognize our changes)
    ip route flush cache
    
    # route over VPN based on source IP(s)/network(s) or network interface
    #ip rule add from 192.168.1.10 table $TID
    #ip rule add from 10.10.1.113  table $TID
    #ip rule add from 10.10.2.0/24 table $TID
    #ip rule add iif wl0.1 table $TID
    
    # route over VPN based on other criteria (e.g., protocol, source/destination port)
    iptables -I FORWARD -i br0 -m iprange --src-range 10.1.21.2 -o $WAN_IF -j ACCEPT
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.1.21.2 -j MARK --set-mark $MARK
    iptables -t mangle -A PREROUTING -p tcp -s 10.1.21.2 -m multiport --dport $PORTS_ALLOWED -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -p tcp -s 10.1.21.2 -m multiport --sport $PORTS_ALLOWED -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -p udp -s 10.1.21.2 -m multiport --dport $PORTS_ALLOWED -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -p udp -s 10.1.21.2 -m multiport --sport $PORTS_ALLOWED -j MARK --set-mark 0
    
    # Examples
    #iptables -t mangle -A PREROUTING -p tcp -s 10.10.1.42 --sport 22 -j MARK --set-mark $MARK
    #iptables -t mangle -A PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    #iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark $MARK
    #iptables -t mangle -A PREROUTING -s jims-ipod -j MARK --set-mark $MARK
    #iptables -t mangle -A PREROUTING -m mac --mac-source 00:11:22:33:44:55 -j MARK --set-mark $MARK
    
    # start processing marked packets through the alternate routing table
    ip rule add fwmark $MARK table $TID
    
    ) 2>&1 | logger -t $(basename $0)[$$]
    route-down.sh
    Code:
    #!/bin/sh -x
    (
    TID="200"
    MARK="0x88"
    WS="[[:space:]]"
    WAN_GTWY="$route_net_gateway"
    WAN_IF="$(route | grep -Em1 ^${WAN_GTWY}${WS} | awk '{print $NF}')"
    VPN_GTWY="$route_vpn_gateway"
    VPN_IF="$dev"
    REDIRECT_GTWY="$redirect_gateway"
    # Ports to bypass VPN
    PORTS_ALLOWED="22,80,81,5050,8081,8096,8181,8989,9091,10000"
    
    # remove routes based on source IP(s)/network(s) or network interface
    #ip rule del from 192.168.1.10 table $TID
    #ip rule del from 10.10.1.113  table $TID
    #ip rule del from 10.10.2.0/24 table $TID
    #ip rule del iif wl0.1 table $TID
    
    # remove routes based on other criteria (e.g., protocol, source/destination port)
    iptables -I FORWARD -i br0 -m iprange --src-range 10.1.21.2 -o $WAN_IF -j REJECT
    iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 10.1.21.2 -j MARK --set-mark $MARK
    iptables -t mangle -D PREROUTING -p tcp -s 10.1.21.2 -m multiport --dport $PORTS_ALLOWED -j MARK --set-mark 0
    iptables -t mangle -D PREROUTING -p tcp -s 10.1.21.2 -m multiport --sport $PORTS_ALLOWED -j MARK --set-mark 0
    iptables -t mangle -D PREROUTING -p udp -s 10.1.21.2 -m multiport --dport $PORTS_ALLOWED -j MARK --set-mark 0
    iptables -t mangle -D PREROUTING -p udp -s 10.1.21.2 -m multiport --sport $PORTS_ALLOWED -j MARK --set-mark 0
    
    # Examples
    #iptables -t mangle -D PREROUTING -p tcp -s 10.10.1.42 --sport 22 -j MARK --set-mark $MARK
    #iptables -t mangle -D PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    #iptables -t mangle -D PREROUTING -p tcp --dport 443 -j MARK --set-mark $MARK
    #iptables -t mangle -D PREROUTING -s jims-ipod -j MARK --set-mark $MARK
    #iptables -t mangle -D PREROUTING -m mac --mac-source 00:11:22:33:44:55 -j MARK --set-mark $MARK
    
    # stop processing marked packets through the alternate routing table
    ip rule del fwmark $MARK table $TID
    
    # remove WAN as default gateway in main/default routing table
    if [ "$REDIRECT_GTWY" == "1" ]; then
        ip route del 0.0.0.0/2   via $WAN_GTWY
        ip route del 64.0.0.0/2  via $WAN_GTWY
        ip route del 128.0.0.0/2 via $WAN_GTWY
        ip route del 192.0.0.0/2 via $WAN_GTWY
    fi
    
    # re-enable WAN/VPN reverse path filtering
    echo 1 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter
    
    # clear the alternate routing table and routing cache
    ip route flush table $TID
    ip route flush cache
    
    ) 2>&1 | logger -t $(basename $0)[$$]
    Everything used to work fine.

    But I have now noticed that https from the server (10.1.21.2) is showing my real IP. It used to be http = my WAN IP and https = VPN IP.

    All traffic is blocked on the server when the VPN is down; when the VPN is up I get internet but I get the wrong IP. All other network devices are working fine on WAN, bypassing the VPN.

    I have spent all day (literally) trying to nut this out. I have tried so many things, each one at a time. The iptables seem to have the info there for the routing in the scripts.

    The only very strange thing I have noticed is that when the VPN is down, all traffic is blocked from the server, except for SABnzbd+ on port 119. It seems to be still going while torrents and other things are all stopped.

    I just need someone's fresh eyes on this, maybe someone can see something I may have overlooked.
     
  62. eangulus

    eangulus Network Guru Member

    I don't know what to do now. Two days on and I have tried everything. Even going back to a basic VPN setup.

    Nothing at all is going over the VPN. It's connecting, but no matter what I do, no traffic is on tun11; all traffic goes over ppp0.

    My only option right now is a full reset of the router to see if it is that. Otherwise it has to be a Tomato bug.
     
  63. eangulus

    eangulus Network Guru Member

    OK. Solved it.

    Basically mentioning here incase others try the same thing.

    PIA + Tomato 132 VPN without encryption does not work.

    I never wanted VPN for encryption, only to hide my location/ip. So to try and get downloads faster, I was trying to setup without encryption. I also tried various PIA ports 1194,1195,1196,1197,1198, all not working.

    PIA show on their site that I can run without encryption, but I have yet to find the right combination of settings to do this. The PIA Windows app, though, runs fine without encryption.

    So does anyone know what port and other setting need to be set at to run without encryption?
     
  64. eangulus

    eangulus Network Guru Member

    Also, can anyone help with this.

    I was trying to simplify my scripts, but this doesn't seem to work in Tomato.

    iptables -t mangle -D PREROUTING -p tcp -s 10.1.21.2 -m multiport ! --dport $PORTS_ALLOWED -j MARK --set-mark $MARK

    Basically I was trying to add the ! so I didn't specifically mark 0 the needed bypass ports, but instead mark all but these ports. But after trying it wasn't allowing the ports to bypass the vpn.
     
  65. koitsu

    koitsu Network Guru Member

    Your iptables syntax is wrong in several ways. The biggest one is that you're using -D (that's delete, not add/insert, so I am going to assume you're just copy-pasting things randomly from incorrect parts of a script or something). The key for "why the ! didn't work" has to do with your syntax. Pay very very close attention to the differences between the two lines (there are 3 differences, and I cover the 3rd after):

    Code:
    -p tcp -s 10.1.21.2 -m multiport ! --dport $PORTS_ALLOWED -j MARK --set-mark $MARK
    
    -p tcp -s 10.1.21.2 -m multiport --dports \! $PORTS_ALLOWED -j MARK --set-mark $MARK
    
    You will probably need to escape the ! as well, especially if done via a shell or script, i.e. use \! instead of ! otherwise the shell interpreter may interpret it.

    You should look at iptables -m multiport -h sometime and see the actual syntax help:

    Code:
    multiport v1.3.8 options:
    --source-ports [!] port[,port:port,port...]
    --sports ...
                                    match source port(s)
    --destination-ports [!] port[,port:port,port...]
    --dports ...
                                    match destination port(s)
    --ports [!] port[,port:port,port]
                                    match both source and destination port(s)
    
    
     
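    The route-up/route-down pair posted above and the multiport syntax discussed in this post are easier to get right if the rule list exists only once. The following is an added example, not code from this thread or from Tomato: a small sh script that emits the same rules with -A/add for route-up and -D/del for route-down, so the two scripts cannot drift apart. The host address, the bypass port list, the table number and the mark are assumed values (override them via the environment); by default it prints the commands instead of running them, so the rule set can be checked off the router.

```sh
#!/bin/sh
# Added example (not from the thread): build the PREROUTING marks and the
# fwmark rule from ONE list, so route-up (-A/add) and route-down (-D/del)
# always mirror each other. All values below are assumptions for the demo.

TID="${TID:-200}"                              # alternate routing table (VPN default)
MARK="${MARK:-0x88}"                           # fwmark that selects table $TID
SERVER="${SERVER:-10.1.21.2}"                  # assumed LAN host that should use the VPN
BYPASS_PORTS="${BYPASS_PORTS:-22,80,443,9091}" # assumed ports that must stay on WAN
IPT="${IPT:-echo iptables}"                    # dry-run by default; IPT=iptables on the router
IP="${IP:-echo ip}"                            # same for iproute2

# rules A|D : emit (or apply) the rule set. A = route-up, D = route-down.
rules() {
    case "$1" in
        A) act=A; ipr=add ;;
        D) act=D; ipr=del ;;
        *) echo "usage: rules A|D" >&2; return 1 ;;
    esac

    # 1. Everything from $SERVER gets the VPN mark (all protocols, ICMP included).
    $IPT -t mangle -$act PREROUTING -i br0 -s "$SERVER" -j MARK --set-mark "$MARK"

    # 2. Clear the mark again for the bypass ports. MARK does not stop chain
    #    traversal, so the last matching rule decides; these must follow rule 1.
    $IPT -t mangle -$act PREROUTING -i br0 -s "$SERVER" -p tcp -m multiport --dports "$BYPASS_PORTS" -j MARK --set-mark 0
    $IPT -t mangle -$act PREROUTING -i br0 -s "$SERVER" -p udp -m multiport --dports "$BYPASS_PORTS" -j MARK --set-mark 0

    # 3. Send marked packets through the alternate table.
    $IP rule "$ipr" fwmark "$MARK" table "$TID"
}

# On the router:  IPT=iptables IP=ip ./marks.sh A   (from route-up)
#                 IPT=iptables IP=ip ./marks.sh D   (from route-down)
case "${1:-}" in
    A|D) rules "$1" ;;
esac
```

    Check the result on the router with iptables -t mangle -L PREROUTING -v -n --line-numbers. For TCP alone, the single negated rule -p tcp -m multiport ! --dports "$BYPASS_PORTS" -j MARK --set-mark "$MARK" does the same as steps 1 and 2; the two-step form is used here because it also covers UDP and ICMP from the host.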
  66. eangulus

    eangulus Network Guru Member

    Thanks for the insight.

    The D is sort of correct. I actually copied the wrong line from my script according to what I described. I have double checked and I do have them correct.

    The ! part does show in my iptables when I list them. Does that make a difference to if I have to escape it or not, as I have not tried that either?

    What I would like to try to do is simplify my scripts. Since the Routing Rules were added by Shibby, I thought I might be able to just use table 111 and the same MARK in my script, and then remove some of the code in it: utilise what Shibby has coded but add the port bypassing to it as well.

    The method I tried so far was the !: I changed the tables to 111 and added the same MARK Shibby uses. Then I entered the server IP 10.1.21.2 into the GUI routing table for the VPN connection and left in the
    -p tcp -s 10.1.21.2 -m multiport --dports \! $PORTS_ALLOWED -j MARK --set-mark $MARK parts to try to have specified ports bypass.

    Everything worked ok regarding what used the VPN and what didn't except for the ports. The server was completely on the VPN.
     
  67. Nilugeator

    Nilugeator Connected Client Member

    Hi all,

    Years ago I successfully used this script (Grdnkln's one from page 1) with an R7000 router running Shibby Tomato firmware.

    Today I try to execute exactly the same script but with different hardware and software:
    Router R7800
    Firmware : DD-WRT v3.0-r30342 std (07/30/16)
    CPU Model : QCA IPQ806X
    Kernel Version
    Linux 3.18.37 #92 SMP PREEMPT Fri Jul 29 12:03:58 CEST 2016 armv7l

    And I don't know which of those parameters is guilty, but the same script doesn't work with these hardware/software changes!!!

    So I decided to execute the script "line by line" to identify where the problems are.

    It appears I have at least two problems (perhaps more...):

    Commands
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
    done


    sh: eval: line 1: syntax error: unexpected word (expecting

    and
    Commands
    ip route show table main | grep -Ev ^default | grep -Ev tun1\
    | while read ROUTE ; do
    ip route add table 100 $ROUTE
    done

    sh: eval: line 2: syntax error: unexpected link |quot;9

    Could someone please tell me:
    What the problem is, and how to "correct" the script to make it work with my new hardware/software?
    Why is this script refused by my new hardware/software but working like a charm with my old one?

    Thank you for all incoming explanations ! :)

     
  68. koitsu

    koitsu Network Guru Member

    You're doing this through Tools -> System Commands, aren't you?

    Try doing the same commands directly from the CLI (telnet/SSH).

    I can clearly see what the error messages mean, contextually, but some look like problems relating to HTML entity encoding (this is a problem with HTML forms). Do it from the CLI. I can still see potential problems with both "scripts" (if you can call them that; they're more like "convenient one-liners"), as they make some blind assumptions.
     
  69. Nilugeator

    Nilugeator Connected Client Member

    Yes, I'm doing this through Tools -> System Commands.
    I am not sure I understand what you want me to do. I have tested the same lines with PuTTY over an SSH connection (is this what you want me to try?) but PuTTY didn't send back any result line.

    Is that the CLI?
     
  70. koitsu

    koitsu Network Guru Member

    Yes, telnet/SSH is the CLI.

    If it didn't give you any errors, then that means the commands ran as expected. The way UNIX/Linux works is that if you don't see any output, then what you did worked (unless the output you get explicitly says "this worked" or equivalent).

    So the problem is with Tools -> System Commands. HTML entity encoding isn't being handled properly (i.e. is being broken; things like > in the command window end up getting turned into &gt; which the shell has no idea how to parse -- or worse, will parse wrong and break badly). Someone will need to look into that. I can't imagine Tools -> System Commands being able to work for every single situation, esp. for multi-line complex scripts.

    In general, when doing "script things", you should get used to using telnet/SSH and not use Tools -> System Commands.
     
  71. Nilugeator

    Nilugeator Connected Client Member

    Thank you Koitsu, I used telnet for the whole script and I've made some progress:

    all traffic goes through the VPN (successful)
    exception for ports 8080 and 9091: bypass VPN (successful)
    exception for 3 IPs to also bypass VPN (lose!)

    Here is the entire script. Could you please see why the 3 IPs go through the VPN instead of bypassing it as I want?

    Thank you



    Code:
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
    
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    
    ip route show table main | grep -Ev ^default | grep -Ev tun1 \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
    
    # By default all traffic will pass through the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0
    
    # some ports bypassing VPN
    iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 8080 -j MARK --set-mark 1
    iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 9091 -j MARK --set-mark 1
    
    # All traffic from a particular computer on the LAN will bypass the VPN (unsuccessful)
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.125 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.111 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i ath0 -m iprange --src-range 192.168.1.141 -j MARK --set-mark 1
     
  72. koitsu

    koitsu Network Guru Member

    My gut feeling is that this has to do with iptables rule order. These rules in your list are currently coming last:

    Code:
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.125 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.111 -j MARK --set-mark 1
    While this rule comes before them, so it's going to match first (hence the above 2 rules won't get hit):
    Code:
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0
    
    I would suggest using iptables -L -n -v --line-numbers and watching packet/byte counts in the far left columns to see if something is being hit/reached or not. Odds are those rules which come last (particularly for br0) will have 0 packets (i.e. they've never been reached/hit because of what I described).

    Also, there's no reason to be using -m iprange --src-range there (according to the usage syntax I'm surprised that works at all, but I'm looking at MIPS not ARM). Those are individual IPs, so you can turn that nonsense into:
    Code:
    iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.125 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.111 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i ath0 -s 192.168.1.141 -j MARK --set-mark 1
    
    Finally: be aware that:

    Code:
    iptables -t mangle -F PREROUTING
    
    Will erase the Comcast DSCP fix (Advanced -> Firewall) if you have it enabled (on Toastman it's enabled by default, not sure about others). Said fix uses the mangle table, PREROUTING chain to rewrite the DSCP bits. Proof:
    Code:
    Chain PREROUTING (policy ACCEPT 151 packets, 26562 bytes)
    pkts bytes target     prot opt in     out     source               destination
       69  7887 DSCP       all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           DSCP set 0x00
    
    This is as much as I can help with. Good luck!
     
  73. Nilugeator

    Nilugeator Connected Client Member

    Once again, thank you !

    I have replaced :
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.125 -j MARK --set-mark 1
    by
    iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.125 -j MARK --set-mark 1

    and now it works for my 3 computers!

    What is strange is that the first line was operational with my tomato router, but not with the dd wrt... Never mind; it works!

    Another difference between tomato and dd wrt with this script is for opening port :

    iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 8080 -j MARK --set-mark 1
    iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 9091 -j MARK --set-mark 1

    With tomato it allows me to reach from the internet my router remote access GUI (8080) and my transmission client GUI (9091)

    And I don't know why, but with DDWRT I can reach the transmission client (9091) but not the dd wrt remote access (8080)! (That I can access from the internet as soon as I deactivate the openVPN client... this is a shame and I don't understand why this is specific to dd wrt with vpn... If someone knows...
     
  74. koitsu

    koitsu Network Guru Member

    This syntax looks right for a single port, except -m multiport is extraneous. So it should be:

    Code:
    iptables -t mangle -A OUTPUT -p tcp --sport 8080 -j MARK --set-mark 1
    iptables -t mangle -A OUTPUT -p tcp --sport 9091 -j MARK --set-mark 1
    
    If you wanted to reference multiple ports in a single rule (ex. 8080 and 9091 together), it would be this (note that it's --sports not --sport):

    Code:
    iptables -t mangle -A OUTPUT -p tcp -m multiport --sports 8080,9091 -j MARK --set-mark 1
    
    You can always use iptables -h to get help syntax on things, though it's a bit tedious/troublesome to understand. You can't just "blindly append arguments" to -h to get usage syntaxes, you gotta be somewhat specific (because the help syntax comes from the extensions/modules themselves, loaded dynamically at runtime), and the -h flag must come last (due to how the argv parser is designed (stupidly, IMO)). Compare the output of the following 3 commands and you'll see what I mean:
    Code:
    iptables -h
    iptables -p tcp -h
    iptables -m multiport -h
    
    (But don't try something like iptables -p tcp -m multiport -h; you won't see the usage syntax details for -p tcp).

    Also note that the iptables syntaxes can differ between iptables versions (see iptables -V). With TomatoUSB, at present, ARM routers use iptables 1.4.x, while MIPSR2 uses iptables 1.3.x. They are not 100% syntactically compatible. In other words: your router model can affect which syntax/capabilities are available due to iptables versions differing.
     
  75. Nilugeator

    Nilugeator Connected Client Member

    Thank you Koitsu

    Perhaps the syntax was quite wrong, but as I said, I was still able to remotely access my router with 9091 (transmission server).
    And also 32400 (plex server)
    But not 8080 (dd wrt remote GUI)

    I tried with this syntax :

    iptables -t mangle -A OUTPUT -p tcp --sport 32400 -j MARK --set-mark 1
    iptables -t mangle -A OUTPUT -p tcp --sport 8080 -j MARK --set-mark 1
    iptables -t mangle -A OUTPUT -p tcp --sport 9091 -j MARK --set-mark 1

    Same result : cannot access 8080 (ERROR CONNECTION TIMED OUT)

    I looked at syslog.asp but didn't find anything about it.

    And as soon as I deactivate openvpn, I can access 8080 from LAN and from Internet (which is my goal).
    Since I activated Openvpn, I can only access the dd wrt gui from LAN, but no more from the internet.

    I've read about similar problems on the internet, but without any solution, sadly.

    My feeling is that it should be another port than 8080 that I'll have to open in the script, but I don't know which and I don't know why.

    UPDATE: I am now also able to connect to my router behind VPN from the internet with an SSH connection (port 22).

    So the only problem is for WEB GUI with port 8080 ...

    my setup :
    iptables -t mangle -A OUTPUT -p tcp --sport 32400 -j MARK --set-mark 1
    iptables -t mangle -A OUTPUT -p tcp --sport 8080 -j MARK --set-mark 1
    iptables -t mangle -A OUTPUT -p tcp --sport 9091 -j MARK --set-mark 1
    iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 1
     
    Last edited: Aug 6, 2016
  76. eangulus

    eangulus Network Guru Member

    Only really one last thing to work out for those of us using PIA.

    Would like to be able to get port forwarding working for PIA. Using information from the scripts below, would it be possible in Tomato, to get the allocated Port from PIA and save it somewhere for transmission to pickup as a value or the like?

    - https://www.privateinternetaccess.c...without-application-pia-script-advanced-users
    - https://github.com/enolan/pia-forward

    Also, just a thought on how to give Transmission etc, the port allocated by PIA. What if we set a preset port in transmission, then setup a port forward between the fixed transmission port and the allocated PIA port? Could something like that work?
     
    Last edited: Aug 10, 2016
  77. eangulus

    eangulus Network Guru Member

    Made some serious progress.

    I need to check the PIA port assignment every hour. So in Tomato I have set a custom script to run every hour under the scheduler.

    Code:
    #!/bin/sh -x
    (
    VPN_IF="$dev"                       # provided by OpenVPN at runtime
    PIA_USER=`nvram get vpn_client1_username`
    PIA_PASS=`nvram get vpn_client1_password`
    PIA_CLIENT_ID=`head -n 100 /dev/urandom | md5sum | tr -d " -"`
    PIA_IP=`ifconfig tun11|grep -oE "inet addr: *10\.[0-9]+\.[0-9]+\.[0-9]+"|tr -d "a-z :"`
    INT_PORT="16000"
    
    # PIA Port forwarding
    json=`curl -k --interface tun11 -d "user=$PIA_USER&pass=$PIA_PASS&client_id=$PIA_CLIENT_ID&local_ip=$PIA_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`
    PIA_PORT=$(echo $json | sed "s/[^0-9]*//g")
    # iptables -A PREROUTING -t nat -i $VPN_IF -p tcp --dport $PIA_PORT -j DNAT --to 10.1.21.2:$INT_PORT
    # iptables -A FORWARD -p tcp -d 10.1.21.2 --dport $INT_PORT -j ACCEPT
    ) 2>&1 | logger -t $(basename $0)[$$]
    Now the only thing I can't work out yet, is how to map the Internal port (16000 in the above code) to the PIA_PORT returned via the IP Tables.
     
  78. eangulus

    eangulus Network Guru Member

    Can anyone who knows iptables better than me help please?

    In my script above, I need to map the external pia_port to the internal port I use within my lan. I also need it to work both ways.
     
  79. eangulus

    eangulus Network Guru Member

    OK for anyone interested, I have made some progress.

    Here is my current script for auto mapping PIA's Port to an Internal fixed port (to use with a torrent client or whatever else you need).

    Code:
    #!/bin/sh -x
    (
    PIA_USER=`nvram get vpn_client1_username`
    PIA_PASS=`nvram get vpn_client1_password`
    PIA_CLIENT_ID=`head -n 100 /dev/urandom | md5sum | tr -d " -"`
    PIA_IP=`ifconfig tun11|grep -oE "inet addr: *10\.[0-9]+\.[0-9]+\.[0-9]+"|tr -d "a-z :"`
    
    # These values are to be changed to whatever you need for your use case scenario.
    INT_PORT="16000"
    INT_IP=10.1.21.2
    
    # PIA Port forwarding
    json=`curl -k --interface tun11 -d "user=$PIA_USER&pass=$PIA_PASS&client_id=$PIA_CLIENT_ID&local_ip=$PIA_IP" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment`
    PIA_PORT=$(echo $json | sed "s/[^0-9]*//g")
    
    iptables -t nat -A PREROUTING -i tun11 -p tcp --dport $PIA_PORT -j DNAT --to $INT_IP:$INT_PORT
    iptables -t nat -A PREROUTING -p tcp --dport $PIA_PORT -j DNAT --to $INT_IP:$INT_PORT
    iptables -t nat -A POSTROUTING -p tcp -d $INT_IP --dport $INT_PORT -j MASQUERADE
    
    iptables -t nat -A PREROUTING -i tun11 -p udp --dport $PIA_PORT -j DNAT --to $INT_IP:$INT_PORT
    iptables -t nat -A PREROUTING -p udp --dport $PIA_PORT -j DNAT --to $INT_IP:$INT_PORT
    iptables -t nat -A POSTROUTING -p udp -d $INT_IP --dport $INT_PORT -j MASQUERADE
    
    # echo PIA_USER : $PIA_USER
    # echo PIA_PASS : $PIA_PASS
    # echo PIA_CLIENT_ID : $PIA_CLIENT_ID
    echo PIA_IP : $PIA_IP
    echo PIA_PORT : $PIA_PORT
    ) 2>&1 | logger -t $(basename $0)[$$]
    
    I do need help though. A couple of issues still remain:

    1. I need to work out a way to tag the above rules, so I can clean them out when we need to rerun the script for a new port. So I need a way to undo the above iptable rules without knowing what the old port was.

    2. I would love to either be able to run this as another script after the route-up, or put this inside the route-up script. Putting it inside I have already tried but it runs too soon and doesn't get a port number.

    3. Would love to be able to only apply the iptables rules if we get a whole number returned as the PIA port. If no port, then don't apply the rules.

    At this stage I have to run this script manually and would love to get it more automated.
     
  80. eangulus

    eangulus Network Guru Member

  81. eibgrad

    eibgrad Network Guru Member

    Instead of placing the rules directly into the nat PREROUTING chain, create your own chain in that same table and insert your rules there. Then insert a jump in the PREROUTING chain to your own chain. This allows you to clean out your own chain unconditionally (i.e., flush) each time you run the script.

    What you could do in a route-up script is spawn a second script that runs in the background (so the route-up script continues normally and doesn't needlessly delay the openvpn client from starting). Then wait in a loop until your port is available. IOW, if PIA_PORT="", sleep for a few seconds and try again. Perhaps limit how many times you'll retry as well (in case it never becomes available).

    Not sure why this is a problem. Are you expecting a fractional result on certain occasions for some reason? Even so, just exit the script.
     
  82. Jason Meudt

    Jason Meudt Reformed Router Member

  83. xulian

    xulian Network Newbie Member

    Hi eibgrad,

    Please could you provide an example of this?

    Thanks in advance
     
  84. eibgrad

    eibgrad Network Guru Member

    Code:
    # create user-defined chain
    iptables -t nat -N mychain
    
    # add rules to user-defined chain
    iptables -t nat -A mychain -i tun11 -p tcp --dport $PIA_PORT -j DNAT --to $INT_IP:$INT_PORT
    iptables -t nat -A mychain -p tcp --dport $PIA_PORT -j DNAT --to $INT_IP:$INT_PORT
    
    # jump to user-defined chain
    iptables -t nat -A PREROUTING -j mychain
    
    # MASQUERADE is only valid in POSTROUTING, so the kernel rejects a chain containing
    # it once that chain is reachable from PREROUTING; give that rule its own chain
    iptables -t nat -N mychain_post
    iptables -t nat -A mychain_post -p tcp -d $INT_IP --dport $INT_PORT -j MASQUERADE
    iptables -t nat -A POSTROUTING -j mychain_post
    As a result, all these rules are still processed through the PREROUTING (and POSTROUTING) chain, but can only get there via the user-defined chain. That makes it easier to delete those rules later on, without having to remember them specifically.

    Code:
    # remove jumps to user-defined chains
    iptables -t nat -D PREROUTING -j mychain
    iptables -t nat -D POSTROUTING -j mychain_post
    # flush user-defined chains
    iptables -t nat -F mychain
    iptables -t nat -F mychain_post
    # delete user-defined chains
    iptables -t nat -X mychain
    iptables -t nat -X mychain_post
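    Putting eibgrad's three suggestions (background polling with a retry cap, skipping the rules unless a whole-number port comes back, and a private chain that is flushed on every reassignment) together with the chain layout above, as an added example that is not code from any poster in this thread. It assumes the same setup as eangulus's script (OpenVPN client 1 on tun11, PIA credentials in nvram, PIA's port_forward_assignment URL) and BusyBox sh on the router; the chain name PIA_FWD and the PIA_FETCH test hook are choices made here.

```shell
#!/bin/sh
# Added example, not code from this thread's posters. Polls PIA for the forwarded port in
# the background with a retry cap, touches iptables only when the reply is a whole number
# in port range, and keeps the NAT/FORWARD rules in a private chain that is flushed before
# every reassignment. Assumes OpenVPN client 1 on tun11 and the same PIA request as
# eangulus's script; PIA_FWD is a chain name chosen here.

IPT=${IPT:-iptables}            # set IPT=echo to print the rules instead of loading them
CHAIN=${CHAIN:-PIA_FWD}         # hypothetical private chain name (nat and filter tables)
VPN_IF=${VPN_IF:-tun11}
INT_IP=${INT_IP:-10.1.21.2}     # LAN host that should receive the forwarded port
INT_PORT=${INT_PORT:-16000}     # fixed listening port on that host
MAX_TRIES=${MAX_TRIES:-20}      # give up after this many failed assignment requests
RETRY_SLEEP=${RETRY_SLEEP:-15}  # seconds between requests
PIA_URL=https://www.privateinternetaccess.com/vpninfo/port_forward_assignment

# Pull the "port" value out of PIA's JSON reply, e.g. {"port":34567}. Unlike stripping
# every non-digit from the reply, this ignores digits inside an error message.
pia_extract_port() {
    printf '%s\n' "$1" |
        sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9]\{1,5\}\).*/\1/p' | head -n 1
}

# True only for a whole number in 1..65535.
pia_valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# One assignment request over the tunnel; prints the raw JSON reply.
pia_request_port() {
    user=$(nvram get vpn_client1_username)
    pass=$(nvram get vpn_client1_password)
    client_id=$(head -n 100 /dev/urandom | md5sum | tr -d ' -')
    local_ip=$(ifconfig "$VPN_IF" | sed -n 's/.*inet addr:\(10\.[0-9.]*\).*/\1/p')
    curl -k -s --interface "$VPN_IF" \
        -d "user=$user&pass=$pass&client_id=$client_id&local_ip=$local_ip" "$PIA_URL"
}

# Retry until a valid port arrives or MAX_TRIES is exhausted; prints the port.
# PIA_FETCH may name a substitute fetch function (used for offline testing).
pia_wait_for_port() {
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        port=$(pia_extract_port "$("${PIA_FETCH:-pia_request_port}")")
        if pia_valid_port "$port"; then
            printf '%s\n' "$port"
            return 0
        fi
        tries=$((tries + 1))
        sleep "$RETRY_SLEEP"
    done
    return 1
}

# Create CHAIN if needed and hook it from a built-in chain exactly once. Checking
# with -L works on iptables 1.3.x too, where -C and -S are not available.
pia_hook_once() {      # args: table builtin-chain -A|-I extra-match-args...
    table=$1; builtin=$2; how=$3; shift 3
    $IPT -t "$table" -N "$CHAIN" 2>/dev/null || true
    if ! $IPT -t "$table" -L "$builtin" -n 2>/dev/null | grep -q "$CHAIN"; then
        $IPT -t "$table" "$how" "$builtin" "$@" -j "$CHAIN"
    fi
}

# (Re)build the private chains for a new port. The jumps only match packets arriving
# on the tunnel, so the same port is never opened on the WAN side by accident.
pia_apply_rules() {
    port=$1
    pia_valid_port "$port" || return 1
    pia_hook_once nat PREROUTING -A -i "$VPN_IF"
    pia_hook_once filter FORWARD -I -i "$VPN_IF"
    $IPT -t nat -F "$CHAIN"        # drop the rules for the previous port
    $IPT -t filter -F "$CHAIN"
    for proto in tcp udp; do
        $IPT -t nat -A "$CHAIN" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$INT_IP:$INT_PORT"
        $IPT -t filter -A "$CHAIN" -p "$proto" -d "$INT_IP" --dport "$INT_PORT" -j ACCEPT
    done
}

# Entry point. From route-up, spawn it in the background so OpenVPN is not delayed:
#   sh /path/to/pia_forward.sh run &
pia_forward_main() {
    port=$(pia_wait_for_port) || {
        logger -t pia_forward "no valid port after $MAX_TRIES tries; rules unchanged"
        return 1
    }
    pia_apply_rules "$port" &&
        logger -t pia_forward "forwarding $VPN_IF:$port -> $INT_IP:$INT_PORT"
}

if [ "${1:-}" = run ]; then
    pia_forward_main
fi
```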
     
  85. xulian

    xulian Network Newbie Member

    Thanks... will test
     
  86. lolento

    lolento Serious Server Member

    Hello, Need some assistance here.... Don't know what I'm doing.
    I'm running 1.28.8510 Toastman-ARM7 K26ARM USB VPN-64K on my R8000. OpenVPN client is setup and working.

    I want to run this script from WAN UP, but this isn't working for me:

    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
    done

    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING

    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
    | while read ROUTE ; do
    ip route add table 100 $ROUTE
    done

    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache

    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 4545,25461 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.2.138 -j MARK --set-mark 0
     
  87. Joney0210

    Joney0210 New Member Member


    Here is how I worked out how to get this script working.
    My router is an R8500 running Merlin 7.4.

    Check what your VPN device and default GW are: when connected to the VPN, run the command below as root.
    Code:
    ip route show table main
    In my case it returns the following:
    Code:
    x.x.x.x via 172.37.0.1 dev ppp0
    172.37.0.1 dev ppp0  proto kernel  scope link
    192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
    169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.237.240
    127.0.0.0/8 dev lo  scope link
    default via 192.168.18.1 dev ppp5
    default via 172.37.0.1 dev ppp0  metric 1
    x.x.x.x is my VPN server IP address, 192.168.18.0 is my VPN NAT IP range.
    So my VPN device is ppp5 and the default GW is ppp0.
    And I know that 172.37.0.1 is not an internet IP address, but that is what my ISP gives me.
    Then change the line below
    from:
    Code:
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
    to:
    Code:
    ip route show table main | grep -Ev ^default | grep -Ev ppp5 | grep -Ev x.x.x.x \
    Hope this helps.
     
  88. Joney0210

    Joney0210 New Member Member

    I come from China; as you know, people in China can't see web sites outside China, so we need some way to get across the GFW.
    So I use shadowsocks-RSS to do that.
    My router is an R8500 running Merlin 7.4. The R8500 runs the shadowsocks-RSS client and the VPN client.

    I can use the script below and it works well. In my case I want only 192.168.1.200 to go through the VPN.
    Everything is good: when client 192.168.1.200 does a traceroute to google, it passes through 192.168.18.1 (VPN IP), while other clients doing the same thing pass through 172.37.0.1 (wan IP gw).
    But there is still a problem: my bandwidth drops by 50%.
    Can anybody help me?

    Information below:
    Code:
    #!/bin/sh
    # This code goes in the WAN UP section of the Tomato GUI.
    #
    # This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
    # the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
    # traffic to bypass the VPN and use the regular Internet instead.
    #
    # To list the current rules on the router, issue the command:
    # iptables -t mangle -L PREROUTING
    #
    # Flush/reset all the rules to default by issuing the command:
    # iptables -t mangle -F PREROUTING
    #
    
    #
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
    #
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
    done
    
    #
    # Delete table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    
    #
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    #
    # NOTE: Here I assume the OpenVPN tunnel is named "tun11".
    #
    #
    #WANIP=`ifconfig ppp0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}'`
    
    ip route show table main | grep -Ev ^default | grep -Ev ppp5 | grep -Ev 47.52 \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    #ip route add default table 100 via $WANIP
    ip rule add fwmark 1 table 100
    ip route flush cache
    
    
    #
    # Define the routing policies for the traffic. The rules will be applied in the order that they
    # are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
    # to "1" it will bypass the VPN.
    #
    # EXAMPLES:
    #
    #  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
    #    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    #  Ports 80 and 443 will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    #  All traffic from a particular computer on the LAN will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
    #  All traffic to a specific Internet IP address will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    #  All UDP and ICMP traffic will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    #    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
    
    
    # By default all traffic bypasses the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.200 -j MARK --set-mark 0
    
    #this line below for test
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.128 -j MARK --set-mark 0
    
    
    My route table:
    Code:
    X.X.X.X via 172.37.0.1 dev ppp0
    172.37.0.1 dev ppp0  proto kernel  scope link
    192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
    169.254.0.0/16 dev eth0  proto kernel  scope link  src 169.254.237.240
    127.0.0.0/8 dev lo  scope link
    default via 192.168.18.1 dev ppp5
    default via 172.37.0.1 dev ppp0  metric 1
    
    x.x.x.x is my VPN server address.

    My iptables with shadowsocks-RSS and VPN:
    Code:
    # Generated by iptables-save v1.4.14 on Fri Jun  2 17:43:24 2017
    *raw
    :PREROUTING ACCEPT [4760549:4082270105]
    :OUTPUT ACCEPT [1409057:478113946]
    COMMIT
    # Completed on Fri Jun  2 17:43:24 2017
    # Generated by iptables-save v1.4.14 on Fri Jun  2 17:43:24 2017
    *nat
    :PREROUTING ACCEPT [92:16540]
    :INPUT ACCEPT [57:6131]
    :OUTPUT ACCEPT [45:2807]
    :POSTROUTING ACCEPT [49:3047]
    :DNSFILTER - [0:0]
    :LOCALSRV - [0:0]
    :PCREDIRECT - [0:0]
    :PUPNP - [0:0]
    :SHADOWSOCKS - [0:0]
    :SHADOWSOCKS_CHN - [0:0]
    :SHADOWSOCKS_GAM - [0:0]
    :SHADOWSOCKS_GFW - [0:0]
    :SHADOWSOCKS_GLO - [0:0]
    :SHADOWSOCKS_HOM - [0:0]
    :VSERVER - [0:0]
    :VUPNP - [0:0]
    -A PREROUTING -p tcp -j SHADOWSOCKS
    -A PREROUTING -d 192.168.18.2/32 -j VSERVER
    -A PREROUTING -d 172.37.158.250/32 -j VSERVER
    -A PREROUTING -d 169.254.237.240/32 -j VSERVER
    -A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
    -A OUTPUT -p tcp -m set --match-set router dst -j REDIRECT --to-ports 3333
    -A POSTROUTING ! -s 192.168.18.2/32 -o ppp5 -j MASQUERADE
    -A POSTROUTING ! -s 172.37.158.250/32 -o ppp0 -j MASQUERADE
    -A POSTROUTING ! -s 169.254.237.240/32 -o eth0 -j MASQUERADE
    -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
    -A PUPNP -s 192.168.1.128/32 -p tcp -m tcp --sport 9 -j MASQUERADE --to-ports 1024
    -A SHADOWSOCKS -p tcp -m set --match-set white_list dst -j RETURN
    -A SHADOWSOCKS -p tcp -j SHADOWSOCKS_CHN
    -A SHADOWSOCKS_CHN -p tcp -m set --match-set black_list dst -j REDIRECT --to-ports 3333
    -A SHADOWSOCKS_CHN -p tcp -m set ! --match-set chnroute dst -j REDIRECT --to-ports 3333
    -A SHADOWSOCKS_GAM -p tcp -m set --match-set black_list dst -j REDIRECT --to-ports 3333
    -A SHADOWSOCKS_GAM -p tcp -m set ! --match-set chnroute dst -j REDIRECT --to-ports 3333
    -A SHADOWSOCKS_GFW -p tcp -m set --match-set black_list dst -j REDIRECT --to-ports 3333
    -A SHADOWSOCKS_GFW -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 3333
    -A SHADOWSOCKS_GLO -p tcp -j REDIRECT --to-ports 3333
    -A SHADOWSOCKS_HOM -p tcp -m set --match-set black_list dst -j REDIRECT --to-ports 3333
    -A SHADOWSOCKS_HOM -p tcp -m set --match-set chnroute dst -j REDIRECT --to-ports 3333
    -A VSERVER -p tcp -m tcp --dport 20080 -j DNAT --to-destination 192.168.1.1:80
    -A VSERVER -p tcp -m tcp --dport 4658 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 4658 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 4659 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 4659 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 3074 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 3074 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 33000:33499 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 33000:33499 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 80 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 443 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 27015 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 51000 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 51000 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 55000:55999 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 55000:55999 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 56000:56999 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 56000:56999 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 3478:3480 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 3478:3480 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 9295:9310 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 9295:9310 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -j VUPNP
    -A VSERVER -j LOCALSRV
    -A VSERVER -j DNAT --to-destination 192.168.1.200
    -A VUPNP -p udp -m udp --dport 9308 -j DNAT --to-destination 192.168.1.14:9308
    -A VUPNP -p udp -m udp --dport 9307 -j DNAT --to-destination 192.168.1.14:9307
    -A VUPNP -p udp -m udp --dport 59013 -j DNAT --to-destination 192.168.1.69:59013
    -A VUPNP -p udp -m udp --dport 13033 -j DNAT --to-destination 192.168.1.64:13033
    -A VUPNP -p tcp -m tcp --dport 1024 -j DNAT --to-destination 192.168.1.128:9
    -A VUPNP -p udp -m udp --dport 58784 -j DNAT --to-destination 192.168.1.128:58784
    -A VUPNP -p tcp -m tcp --dport 58784 -j DNAT --to-destination 192.168.1.128:58784
    COMMIT
    # Completed on Fri Jun  2 17:43:24 2017
    # Generated by iptables-save v1.4.14 on Fri Jun  2 17:43:24 2017
    *mangle
    :PREROUTING ACCEPT [177072:145966163]
    :INPUT ACCEPT [70535:65501709]
    :FORWARD ACCEPT [106200:80383810]
    :OUTPUT ACCEPT [56905:37550335]
    :POSTROUTING ACCEPT [163111:117935724]
    -A FORWARD -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MARK --set-xmark 0x1/0x7
    -A FORWARD -p tcp -m state --state NEW -j MARK --set-xmark 0x1/0x7
    COMMIT
    # Completed on Fri Jun  2 17:43:24 2017
    # Generated by iptables-save v1.4.14 on Fri Jun  2 17:43:24 2017
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [56910:37550983]
    :FUPNP - [0:0]
    :NSFW - [0:0]
    :PControls - [0:0]
    :SECURITY - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A INPUT -d 192.168.1.1/32 -p tcp -m conntrack --ctstate DNAT -m tcp --dport 80 -j ACCEPT
    -A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
    -A INPUT -j DROP
    -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD ! -i br0 -o ppp0 -j DROP
    -A FORWARD ! -i br0 -o eth0 -j DROP
    -A FORWARD -i eth0 -m state --state INVALID -j DROP
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -j NSFW
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
    -A FORWARD -i br0 -j ACCEPT
    -A FORWARD ! -i br0 -o ppp5 -j DROP
    -A FUPNP -d 192.168.1.14/32 -p udp -m udp --dport 9308 -j ACCEPT
    -A FUPNP -d 192.168.1.14/32 -p udp -m udp --dport 9307 -j ACCEPT
    -A FUPNP -d 192.168.1.69/32 -p udp -m udp --dport 59013 -j ACCEPT
    -A FUPNP -d 192.168.1.64/32 -p udp -m udp --dport 13033 -j ACCEPT
    -A FUPNP -d 192.168.1.128/32 -p tcp -m tcp --dport 9 -j ACCEPT
    -A FUPNP -d 192.168.1.128/32 -p udp -m udp --dport 58784 -j ACCEPT
    -A FUPNP -d 192.168.1.128/32 -p tcp -m tcp --dport 58784 -j ACCEPT
    -A PControls -j ACCEPT
    -A SECURITY -d 192.168.1.200/32 -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
    -A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
    -A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
    -A SECURITY -j RETURN
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    COMMIT
    # Completed on Fri Jun  2 17:43:24 2017
    
    My iptables without shadowsocks-RSS and VPN:
    Code:
    # Generated by iptables-save v1.4.14 on Fri Jun  2 17:39:50 2017
    *raw
    :PREROUTING ACCEPT [4582731:3936213043]
    :OUTPUT ACCEPT [1351632:439707199]
    COMMIT
    # Completed on Fri Jun  2 17:39:50 2017
    # Generated by iptables-save v1.4.14 on Fri Jun  2 17:39:50 2017
    *nat
    :PREROUTING ACCEPT [302:58643]
    :INPUT ACCEPT [59:11597]
    :OUTPUT ACCEPT [26:2529]
    :POSTROUTING ACCEPT [29:2445]
    :DNSFILTER - [0:0]
    :LOCALSRV - [0:0]
    :PCREDIRECT - [0:0]
    :PUPNP - [0:0]
    :VSERVER - [0:0]
    :VUPNP - [0:0]
    -A PREROUTING -d 172.37.158.250/32 -j VSERVER
    -A PREROUTING -d 169.254.237.240/32 -j VSERVER
    -A POSTROUTING ! -s 172.37.158.250/32 -o ppp0 -j MASQUERADE
    -A POSTROUTING ! -s 169.254.237.240/32 -o eth0 -j MASQUERADE
    -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
    -A PUPNP -s 192.168.1.128/32 -p tcp -m tcp --sport 9 -j MASQUERADE --to-ports 1024
    -A VSERVER -p tcp -m tcp --dport 20080 -j DNAT --to-destination 192.168.1.1:80
    -A VSERVER -p tcp -m tcp --dport 4658 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 4658 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 4659 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 4659 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 3074 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 3074 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 33000:33499 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 33000:33499 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 80 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 443 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 27015 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 51000 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 51000 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 55000:55999 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 55000:55999 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 56000:56999 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 56000:56999 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 3478:3480 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 3478:3480 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p tcp -m tcp --dport 9295:9310 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -p udp -m udp --dport 9295:9310 -j DNAT --to-destination 192.168.1.200
    -A VSERVER -j VUPNP
    -A VSERVER -j LOCALSRV
    -A VSERVER -j DNAT --to-destination 192.168.1.200
    -A VUPNP -p udp -m udp --dport 9308 -j DNAT --to-destination 192.168.1.14:9308
    -A VUPNP -p udp -m udp --dport 9307 -j DNAT --to-destination 192.168.1.14:9307
    -A VUPNP -p udp -m udp --dport 59013 -j DNAT --to-destination 192.168.1.69:59013
    -A VUPNP -p udp -m udp --dport 13033 -j DNAT --to-destination 192.168.1.64:13033
    -A VUPNP -p tcp -m tcp --dport 1024 -j DNAT --to-destination 192.168.1.128:9
    -A VUPNP -p udp -m udp --dport 58784 -j DNAT --to-destination 192.168.1.128:58784
    -A VUPNP -p tcp -m tcp --dport 58784 -j DNAT --to-destination 192.168.1.128:58784
    COMMIT
    # Completed on Fri Jun  2 17:39:50 2017
    # Generated by iptables-save v1.4.14 on Fri Jun  2 17:39:50 2017
    *mangle
    :PREROUTING ACCEPT [48394:8008304]
    :INPUT ACCEPT [9778:3428670]
    :FORWARD ACCEPT [37298:3290767]
    :OUTPUT ACCEPT [8737:2373928]
    :POSTROUTING ACCEPT [46104:5677709]
    -A FORWARD -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MARK --set-xmark 0x1/0x7
    COMMIT
    # Completed on Fri Jun  2 17:39:50 2017
    # Generated by iptables-save v1.4.14 on Fri Jun  2 17:39:50 2017
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [530:145098]
    :FUPNP - [0:0]
    :NSFW - [0:0]
    :PControls - [0:0]
    :SECURITY - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A INPUT -d 192.168.1.1/32 -p tcp -m conntrack --ctstate DNAT -m tcp --dport 80 -j ACCEPT
    -A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
    -A INPUT -j DROP
    -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD ! -i br0 -o ppp0 -j DROP
    -A FORWARD ! -i br0 -o eth0 -j DROP
    -A FORWARD -i eth0 -m state --state INVALID -j DROP
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -j NSFW
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
    -A FORWARD -i br0 -j ACCEPT
    -A FUPNP -d 192.168.1.14/32 -p udp -m udp --dport 9308 -j ACCEPT
    -A FUPNP -d 192.168.1.14/32 -p udp -m udp --dport 9307 -j ACCEPT
    -A FUPNP -d 192.168.1.69/32 -p udp -m udp --dport 59013 -j ACCEPT
    -A FUPNP -d 192.168.1.64/32 -p udp -m udp --dport 13033 -j ACCEPT
    -A FUPNP -d 192.168.1.128/32 -p tcp -m tcp --dport 9 -j ACCEPT
    -A FUPNP -d 192.168.1.128/32 -p udp -m udp --dport 58784 -j ACCEPT
    -A FUPNP -d 192.168.1.128/32 -p tcp -m tcp --dport 58784 -j ACCEPT
    -A PControls -j ACCEPT
    -A SECURITY -d 192.168.1.200/32 -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
    -A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
    -A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
    -A SECURITY -j RETURN
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    COMMIT
    # Completed on Fri Jun  2 17:39:50 2017
    
     
  89. LancedBoyle

    LancedBoyle New Member Member

    Firstly, this is a great thread with lots of info. Secondly, this is a great thread with lots of info and being a subgenius it has totally scrambled my brain so I don't know which way is up anymore. I would really appreciate some help with clarification.

    Here is my situation. I have installed AdvanceTomato on my Linksys E4200 and got my PIA vpn working on the router. Unfortunately it has seriously killed my internet speed (80 Mbps without vpn and 1-4 Mbps with vpn). I only need the router based vpn for my Roku which streams Netflix, Amazon Prime, and The Roku Channel. (I can and will use the client based vpn (on my mac) when I need it for other things.)

    So what I want to be able to do is route the Roku through the vpn and everything else through my isp ip. I tried the AdvancedTomato feature for redirecting internet traffic and setting a routing policy but everything still goes through the vpn. I've been to a zillion sites and learned that what I want is split tunnelling (I think). Then I found this forum and thread.

    First I saw ethaniel's post and thought version2 was the ticket and then I saw Grdnkln's code and thought that was the answer with a slight modification (i.e., I don't need to go to spotify's servers). Now I think I have changed so many settings and don't really understand 50% of what the settings mean that I have made a mess of my router settings.

    I know what my Roku ip address is and I believe that I have set it to a static ip address. I want that ip address to go through the router vpn and all my other ip addresses to go through my isp with no vpn. Also, through reading on other forums and sites, I think my internet speed drop is in part due to the vpn encrypting data and my router does not have a powerful processor so this is a bottleneck. Since all I really want is a US ip address for the Roku and am not sending highly sensitive data (I think), could I/should I turn off the encryption in the vpn to speed things up?

    I would really appreciate any help and guidance in setting this up. I will reset all my router settings and/or install other firmware on the router if needs be just to start from scratch if that is easier. Thanks in advance for any help you can provide. Cheers.
     
  90. eibgrad

    eibgrad Network Guru Member

    The Routing Policy tab in the GUI doesn't make it clear that in order for it to work as intended, you have to prevent the default gateway from being changed to the VPN. And that can be done several ways. You can either enable the route-nopull option in the GUI, or add the following directive to Custom Config.

    Code:
    route-noexec
    In fact, dd-wrt has a similar PBR (Policy Based Routing) feature which automatically inserts a "route-noexec" directive into the OpenVPN client config whenever it sees the user add a source IP to the PBR field.

    Why tomato doesn't do the same thing escapes me. But if you don't use either route-nopull or route-noexec, then the default gateway gets changed to the VPN, so while the Routing Policy tab does force that traffic over the VPN, all the other traffic is still being forced over the VPN anyway!

    Frankly, given this situation, and the fact the Routing Policy tab has numerous bugs as well, you might want to consider using my own PBR scripts, where a lot of these bugs have been addressed.

    https://pastebin.com/xEziw8Pq (basic script)
    https://pastebin.com/GMUbEtGj (advanced script)

    I built these a few years ago (and maintain them) precisely because I wanted a definitive solution, or at least something a bit more formalized than all the numerous solutions in this and other threads.
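    As an added example (not eibgrad's pastebin scripts, not Tomato's own code, and not anything posted in this thread), here is a minimal route-up/route-down script that does what the post describes: with "route-noexec" in the client config (or route-nopull in the GUI) OpenVPN leaves the default route alone, and the script itself sends one LAN host, or optionally only some TCP ports from that host, over the tunnel via its own routing table. The Roku address 192.168.1.50, tunnel device tun11, table id 200 and mark 0x200 are assumptions; $dev, $route_vpn_gateway and $script_type are the environment variables OpenVPN exports to its scripts. It also assumes "Create NAT on tunnel" is enabled, as discussed earlier in the thread.

```shell
#!/bin/sh
# Added example, not eibgrad's pastebin scripts and not Tomato's own code.
# Policy-based routing on a Tomato router: one LAN host (or only some of its
# TCP ports) uses the OpenVPN client; every other host keeps using the WAN.
# Assumes the client config contains "route-noexec" (or route-nopull is set in
# the GUI), so OpenVPN never replaces the default route, and that "Create NAT
# on tunnel" is enabled. Hypothetical values: Roku at 192.168.1.50, tunnel
# device tun11, routing table 200, firewall mark 0x200.

VPN_HOST="${VPN_HOST:-192.168.1.50}"   # hypothetical static IP of the Roku
VPN_PORTS="${VPN_PORTS:-}"             # empty = whole host; e.g. "443" = only HTTPS
TID="${TID:-200}"                      # hypothetical custom routing table id
MARK="${MARK:-0x200}"                  # keep clear of Tomato QoS bits (0x1/0x7 above)
LAN_IF="${LAN_IF:-br0}"                # Tomato's LAN bridge
DEV="${dev:-tun11}"                    # OpenVPN exports $dev to route-up scripts
GW="${route_vpn_gateway:-}"            # OpenVPN exports the pushed gateway, if any

# With DRY_RUN set, print each command instead of executing it (review/testing).
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Default route for the VPN table. tun is point-to-point, so "via" is optional.
vpn_default_route() {
    if [ -n "$GW" ]; then
        echo "default via $GW dev $DEV"
    else
        echo "default dev $DEV"
    fi
}

# The "ip rule" selector: unconditional by source IP, or by fwmark when only
# some ports should use the tunnel. Never both for the same host: a "from"
# rule matches everything from that host and would override the port list.
vpn_selector() {
    if [ -n "$VPN_PORTS" ]; then
        echo "fwmark $MARK/$MARK"
    else
        echo "from $VPN_HOST"
    fi
}

pbr_up() {
    if [ -n "$VPN_PORTS" ]; then
        # Mark only the chosen destination ports from VPN_HOST; --set-xmark with
        # a mask leaves the other mark bits (used by QoS) untouched.
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$VPN_HOST" -p tcp \
            -m multiport --dports "$VPN_PORTS" -j MARK --set-xmark "$MARK/$MARK"
    fi
    run ip rule add $(vpn_selector) table "$TID"
    run ip route add $(vpn_default_route) table "$TID"
    run ip route flush cache
}

pbr_down() {
    if [ -n "$VPN_PORTS" ]; then
        run iptables -t mangle -D PREROUTING -i "$LAN_IF" -s "$VPN_HOST" -p tcp \
            -m multiport --dports "$VPN_PORTS" -j MARK --set-xmark "$MARK/$MARK"
    fi
    run ip rule del $(vpn_selector) table "$TID"
    run ip route flush table "$TID"
    run ip route flush cache
}

# Verification: the rule list, the VPN table, and the route the kernel picks
# for a packet from VPN_HOST to an Internet address (198.51.100.1 is a
# documentation address; use any public IP).
pbr_check() {
    run ip rule show
    run ip route show table "$TID"
    run ip route get 198.51.100.1 from "$VPN_HOST" iif "$LAN_IF"
}

# OpenVPN exports $script_type; an explicit argument works for manual use.
case "${1:-${script_type:-}}" in
    up|route-up)         pbr_up ;;
    down|route-pre-down) pbr_down ;;
    check)               pbr_check ;;
esac
```

Run it with `DRY_RUN=1 sh pbr.sh up` first to see exactly which `ip` and `iptables` commands it would issue, then `sh pbr.sh check` after the tunnel is up; the `ip route get ... from <Roku> iif br0` line should name tun11, while the same query for any other LAN address should still name the WAN interface. Note that this only steers IP traffic from the host; DNS queries it sends to the router's own resolver are still answered over the WAN, which is one common reason a streaming service still sees the real location.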
     
  91. LancedBoyle

    LancedBoyle New Member Member

    Eibgrad, thanks for the help, I will try this out! Would you know if I can or should turn off my vpn encryption to increase my speed? If I can/should, is there a trick or something to be aware of? Thanks again. Lance
     
  92. eibgrad

    eibgrad Network Guru Member

    Unless your only purpose for using the VPN is to mask your public IP, disabling encryption defeats the purpose of the VPN. And frankly, the poor performance you typically see w/ VPNs (of all stripes) has little to do w/ the choice of encryption, and more to do w/ the limitations of your hardware, plus the inherent demands of a VPN, as explained in the following link.

    http://linksysinfo.org/index.php?threads/netgear-3500lv2-problems-on-tomato.74250/#post-298848
     
  93. LancedBoyle

    LancedBoyle New Member Member

    Thanks eibgrad. I only want the vpn on the router to hide my ip address or more specifically to give me an ip address in the US. I thought the slowness was mainly due to the hardware but felt that if I could just pick up a Mbs or two that would make playback possible. I use the vpn on my devices if I want encryption. I'm having issues now with, I think, leakage since amazon seems to know where I am even though the vpn is on. Thanks again for your assistance. I have been busy with other stuff lately but will get back to solving this nut soon. Cheers
     