Route through VPN based on LAN IP?

Discussion in 'Tomato Firmware' started by pallys, Jul 8, 2010.

  1. pallys

    pallys Networkin' Nut Member

    Hi, I have been running Tomato for a number of years now.

    I have 1 router - WRT54GL.
    I have multiple LAN clients. I want the router to select 1 IP address that will route through to a VPN server, and will reconnect if the VPN connection drops. The VPN host I will be renting for a small monthly fee.

    The other LAN clients I want to continue using the ISP gateway for internet browsing as normal.

    Is this possible with vanilla Tomato? Or do I need to install a mod version like TomatoVPN?

    I think it's possible using vanilla Tomato via iptables but I don't know enough about them and I tried learning but I'm finding it too difficult.

    Does anyone know what iptables script I would need? (including reconnecting if it drops)

    Or a firmware where I can do this via gui options?

    Kind Regards.
  2. Dagger

    Dagger Networkin' Nut Member

    I think what you're trying to do is more of a HotSpot type of solution... not a VPN solution.
  3. rhester72

    rhester72 Network Guru Member

    No, it sounds like a pretty standard routing request - should be doable with a one-liner in iptables if I'm understanding the OP correctly. (Of course, I'm not sure what's actually controlling his end of the VPN connection/client...)

  4. Dagger

    Dagger Networkin' Nut Member

    I was thinking the local LAN router would be the VPN server... but if you're wanting your local LAN router to act as a VPN client and connect to a VPN server at a different location then TomatoVPN will do that as long as the VPN server supports OpenVPN.
  5. pallys

    pallys Networkin' Nut Member

    The LAN router would act as the VPN client (because this LAN client cannot be configured but is assigned an IP by DHCP -static).

    Yeah, I thought it was a standard routing request (e.g. the machine with this IP will always go through to the VPN, other machines carry on as normal through the ISP for internet).

    I'm just surprised I can't see anything that tells me exactly what script I need after lots of searching. I have seen 2-router solutions but that isn't an option for me.

    With TomatoVPN I can do this all through the GUI?

    And why does the VPN server have to support OpenVPN? I thought VPN would be a standard protocol?
  6. Dagger

    Dagger Networkin' Nut Member

    If the router is the client... then the router will be the one with the assigned VPN IP... not a computer on your local LAN. When the router is the VPN client it basically creates a point-to-point connection from your router to another router. You can then use that "route" to direct certain traffic via static routes. Routes your entire LAN will have access to, not just one computer.

    TomatoVPN implements OpenVPN based on OpenSSL tunneling protocols... not L2TP or IPSec. VPN is a methodology/topology, not a single standardized protocol.
  7. rhester72

    rhester72 Network Guru Member

    Actually, Dagger, I think what he's looking for is effectively an iptables "internal forward" - source IP is his internal LAN IP of the specific station he wants to force through the VPN, gateway is the VPN server IP, destination mask is ! local subnet. As long as the LAN station is _receiving_ traffic only through either the local LAN or the VPN (and not, say, forwarded from the Internet, where it would create an asymmetric route), it should be fine.

    It sounds, however, like there is a bit of confusion about what VPN technology the server is using, which would certainly put a bit of a crimp in all of it.

  8. pallys

    pallys Networkin' Nut Member


    Sorry if I'm not explaining it clearly!

    Clearer with that diagram? (missing return routes but they should take the same return path as outwards path).

    VPN Server will either have OpenVPN or PPTP -whichever is easier (from likes of or etc).

    Is this configuration possible through GUI options?

    Kind Regards.
  9. rhester72

    rhester72 Network Guru Member

    If you use OpenVPN (there is no PPTP client in Tomato), yes, mostly. The iptables lines in particular will need to be entered into the Firewall script (via GUI), but it looks pretty straightforward to me.

    Will's IP need to be masqueraded as to the VPN server, or will it know how to reach directly? Also, is the IP of the VPN server/gateway static or dynamic (ditto the VPN client IP that sits on the box)?

  10. pallys

    pallys Networkin' Nut Member

    - I don't know the answer to the 1st question.
    - IP of the VPN will be static at both client and server.

    So how do I start?
  11. rhester72

    rhester72 Network Guru Member

    It sounds like you can get away with NATting regardless of whether they understand your internal infrastructure or not.

    The first step is to actually get a VPN tunnel up, working, and _tested good_ before minimum, you need to:

    - Get the tunnel established
    - Verify that a machine on the *other* side of the tunnel can ping your router's static VPN IP
    - Verify that you can ping the machine on the other side of the tunnel from your router

    Until that's done, the iptables rules are useless, and the above will be considerably more challenging than writing the rules.

  12. Dagger

    Dagger Networkin' Nut Member

    iptables - That's what I was getting at... once you have the VPN tunnel from the home router to the VPN server, your home router basically has two routes to the internet (assuming the VPN server routes to the internet). It will be as if your home router has two WAN ports... one connected to your ISP's router and one connected to your VPN's router. At that point you can use static routes/filters to control traffic. The VPN WAN connection will most likely need to be NATed... the benefit is that traffic from any host on your home LAN will appear to come from a single VPN client... As far as the VPN server knows, it is only talking to one VPN client which is your home router.

    I agree with Rhester72... the first thing you have to do is get the VPN tunnel up between your router(acting as a VPN client) and the VPN server.
  13. rhester72

    rhester72 Network Guru Member

    The problem with using static routes vs. iptables is that there's no way (that I know of) to segregate individual client source IPs, which is the whole thing he's trying to achieve in the first place. You could static-route the client, but that would cut it off from the LAN, hence the iptables suggestion. It seems quite straightforward assuming the VPN itself doesn't become an issue.

  14. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Linux, in general, does support having multiple routing tables, and iptables can be used to tag different packets (such as all from a device) to use different routing tables. That would be the right way to do this. However, the vanilla Tomato does not support this (by extension, neither does TomatoVPN - I have no idea about the K26 versions).

    Another option might be the --gw option of the ROUTE iptables target. But, in my experience, that target is flaky, at best (which is why the netfilter folks strongly discourage its use and have dropped support of it).

    Other than those, I don't see any way it can be done. Are the iptables rules you were thinking of along those lines?
  15. rhester72

    rhester72 Network Guru Member

    I was actually thinking of the ROUTE target, because the separate routing tables solution hadn't occurred to me.

    What would it take to enable support for that?

  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Actually, looking again, the support may be there. I was thrown off before because there is no /etc/iproute2/rt_tables file. However, that probably just means I have to use a number rather than a human-readable name.

    I'm able to add routes to an arbitrary table with
    ip route add table 5 dev vlan1
    ip route add table 5 dev vlan1
    ip route add table 5 via dev vlan1
    While trying to display them (ip route show table 5) shows nothing, trying to add the same route I already did shows an error indicating it's already in place.

    But, I can't seem to add the rule to make the decision to use this.
    ip rule add from table 5
    gives a non-useful error.

    I've never done this before, and I'm just going off of quick google searches, so I'm probably just doing something wrong...
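    Added example, not from the thread: a shell script for the multiple-routing-table approach SgtPepperKSU describes in posts 14 and 16, packets from one LAN host are marked with iptables and an `ip rule` sends marked packets to table 5 (the numeric table id from post 16), with a MASQUERADE on the tunnel and a FORWARD drop so the host fails closed if the tunnel is down. Interface names (br0 for the LAN bridge, vlan1 for the ISP WAN, tun0 for OpenVPN), the client address, the LAN subnet and the tunnel gateway are assumptions; with the default DRY_RUN=1 the script only prints the commands, and DRY_RUN=0 executes them as root on the router.

```shell
#!/bin/sh
# Example (not from the thread): route one LAN host via the VPN tunnel using
# iptables fwmark + a second routing table. Assumed interfaces: br0 (LAN),
# vlan1 (ISP WAN), tun0 (OpenVPN). DRY_RUN=1 (default) prints instead of running.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vpn_policy_route CLIENT_IP TUN_IF TUN_GW LAN_NET
vpn_policy_route() {
  client_ip="$1"; tun_if="$2"; tun_gw="$3"; lan_net="$4"
  table=5; mark=5
  # 1. Table 5 holds the LAN subnet plus a default route via the tunnel only.
  #    A numeric id is used because there is no /etc/iproute2/rt_tables here.
  run ip route add "$lan_net" dev br0 table "$table"
  run ip route add default via "$tun_gw" dev "$tun_if" table "$table"
  # 2. Mark only this source address (LAN-bound traffic is left unmarked),
  #    so every other LAN host keeps using the ISP route in the main table.
  run iptables -t mangle -A PREROUTING -s "$client_ip" ! -d "$lan_net" \
      -j MARK --set-mark "$mark"
  # 3. Marked packets consult table 5; unmarked ones fall through to main.
  run ip rule add fwmark "$mark" table "$table"
  run ip route flush cache
  # 4. The VPN server only knows the router as its single client, so hide
  #    the LAN host behind the router's tunnel address.
  run iptables -t nat -A POSTROUTING -o "$tun_if" -j MASQUERADE
  # 5. Fail closed: never let this host's traffic leave via the ISP WAN, even
  #    while the tunnel (and with it the table 5 default route) is down.
  run iptables -I FORWARD -s "$client_ip" -o vlan1 -j DROP
}

# Stand-alone use: ./vpn_route.sh 192.168.1.50 tun0 10.8.0.1 192.168.1.0/24
if [ "$#" -eq 4 ]; then vpn_policy_route "$@"; fi
```

    Run the ping checks from post 11 before enabling this; until the tunnel is up, table 5 has no usable default route and the marked host simply loses internet access.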