Posted: Fri Feb 22, 2019 23:45 Post subject: Removing Destination from Table
Hi,
Thanks for this post, it really solves my issue with my VPNs.
I'm wondering if there is a way to remove a rule from the table. My idea was to add an IP to Table 11 so this IP would use the VPN for most connections, but I want to use the normal WAN for a few destinations, like netflix.com. Is it possible?
I'm new to firewall and IPTables, so I'm looking for a quite easy way.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Sat Feb 23, 2019 9:06 Post subject:
@boris03, you are throwing in a lot at once
You should test each component individually.
First we need to know your router model and firmware build and if applicable the Kernel version used.
Start with testing the OVPN server, so disable the OVPN client on the router, no worries your settings are retained.
Simply click disable at the OVPN client GUI.
Also remove the PBR script from the startup command and reboot the router.
Always test the OVPN server from outside the network, i.e. with a phone on cellular. There are a lot of good guides for setting up an OVPN server; here is how I do it: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
When the server works, disable the OVPN server and enable the OVPN client on the router and reboot the router.
One tip, normally you do not need anything placed in the additional config of the client, all things can be done via the GUI.
If the OVPN client works then you can set up Policy based routing. First test with the DDWRT PBR: just enter 192.168.1.100/32 in the Policy based routing field of the OVPN client and check if it works.
If this works enable the OVPN server and check everything.
Now if you need the advantages of my PBR script over the default PBR implementation (like local routes and PBR by destination) then proceed with my script as per the first post of this thread.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Sat Feb 23, 2019 9:14 Post subject:
@ETRB, the use case you describe is exactly why I made the script.
Just use the instructions per the first post.
In your case you have to enter: pull-filter ignore "redirect-gateway" in the additional config of the OVPN client.
Enter the IP addresses of the clients you want to use the VPN in the script like:
As I said OVPN client is working and OVPN server is working both CONNECTED SUCCESS. But when client is on I cannot connect to the server.
OK I switched off client and YES I can connect to the server, client on again - No server connection.
So I removed all additional config from client, removed your script, and also set LZO to "No" for client and server.
Client still working even though they said it is required.
But when client is activated no access to the server, any idea how to get both working?
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Sat Feb 23, 2019 14:45 Post subject:
See my previous post:
If the OVPN client works then you can set up Policy based routing. First test with the DDWRT PBR: just enter 192.168.1.100/32 in the Policy based routing field of the OVPN client and check if it works.
Yessss, PBR rule works and I can connect both.
What I notice is that when connected to the server I don't have internet access.
I can connect to only one device of the range of the first router (why exactly only this one 192.168.2.199:99), nothing else.
Can also not connect to DD-WRT router GUI and cannot connect to the IP used for the PBR rule 192.168.2.100.
So what next:-)
I would like to connect to IPs from the other router and to devices from the DD-WRT range itself.
If possible I would like to access the IPs from DD-WRT when connected to the first router's DHCP range, meaning at home.
I would like to access the internet when connected to the server.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Sat Feb 23, 2019 17:02 Post subject:
boris03 wrote:
Yessss, PBR rule works and I can connect both.
What I notice is that when connected to the server I don't have internet access.
I can connect to only one device of the range of the first router (why exactly only this one 192.168.2.199:99), nothing else.
Can also not connect to DD-WRT router GUI and cannot connect to the IP used for the PBR rule 192.168.2.100.
So what next:-)
I would like to connect to IPs from the other router and to devices from the DD-WRT range itself.
If possible I would like to access the IPs from DD-WRT when connected to the first router's DHCP range, meaning at home.
I would like to access the internet when connected to the server.
If you can connect to your OVPN server but do not have internet access you might be missing a firewall rule.
For the OVPN server you have to use one firewall rule (and only one) to NAT the OVPN traffic out through the internet (see the guide).
If you cannot reach all local clients, you have to check the firewall of the local clients; most local clients (like your PCs) have their own firewall which will not allow traffic from other subnets.
To see if this is the problem disable the firewall of the local client.
I had not noticed that you had a newer script.
I was unable to get simple-pbr-by-egc-v4 working.
I didn't fool with it much because I didn't need it then.
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE
This will NAT out the WAN, not using the VPN Client.
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
Check that the VPN Client is on tun1.
PS. It's better to use -I instead of -A, so the rules get first in chain and not last.
Yes it is tun1 so should I try this iptables command
iptables -t nat -I POSTROUTING -o tun1 -j MASQUERADE
and will that allow accessing my local IPs from my first router and also enable internet access via the server connection?
It is not certain it will work as intended, as only the first IP address of netflix is used, and large corporations often use a range/block of IP addresses.
You can google for this block of IP addresses and then use something like:
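The two pieces discussed in this thread, the single MASQUERADE rule that NATs OVPN server traffic out of the VPN client interface (inserted with -I so it lands first in the chain) and a per-destination exception that sends one block of addresses back to the normal WAN ahead of the VPN table, as an added example. This is not egc's script, not the rule his post refers to, and not the real netflix block: tun1, table 11, the client 192.168.1.100 and the placeholder block 203.0.113.0/24 are constructed values, and DRY_RUN prints the commands instead of running them so they can be reviewed before being pasted into the router's firewall or startup script.

```shell
#!/bin/sh
# Added example, not the PBR script from this thread. All values are
# constructed: VPN client on tun1, VPN routing table 11, LAN client
# 192.168.1.100, and 203.0.113.0/24 as a placeholder for a destination
# block that should bypass the VPN (look up the real block yourself).

VPN_IF="${VPN_IF:-tun1}"
VPN_TABLE="${VPN_TABLE:-11}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vpn_if_up: true if the VPN client interface exists ("check that the VPN
# client is on tun1"); always true in dry-run mode so the commands print.
vpn_if_up() {
    [ "$DRY_RUN" = "1" ] || [ -d "/sys/class/net/$VPN_IF" ]
}

# nat_rule: exactly one MASQUERADE rule on the VPN interface, inserted with
# -I so it is first in POSTROUTING. The -C check keeps a startup script
# that runs twice from stacking duplicate rules.
nat_rule() {
    if [ "$DRY_RUN" != "1" ] && iptables -t nat -C POSTROUTING -o "$VPN_IF" -j MASQUERADE 2>/dev/null; then
        return 0
    fi
    run iptables -t nat -I POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# bypass_rules CLIENT DEST_BLOCK: the client's traffic to DEST_BLOCK is looked
# up in the main table (normal WAN) before the catch-all rule that sends the
# rest of its traffic to the VPN table. Lower priority numbers match first.
bypass_rules() {
    run ip rule add from "$1" to "$2" lookup main priority 100
    run ip rule add from "$1" lookup "$VPN_TABLE" priority 200
}

# Dry-run demonstration with the constructed values; set DRY_RUN=0 on the
# router to apply them for real.
if vpn_if_up; then
    nat_rule
    bypass_rules 192.168.1.100 203.0.113.0/24
else
    echo "$VPN_IF is not up; rules not applied" >&2
fi
```

Because the exception rule has the lower priority number, it is consulted before the VPN rule, so the same client reaches the placeholder block via the WAN while everything else still goes through tun1; a whole block rather than a single resolved address is what makes the exception hold when the destination uses more than one IP.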
I'm trying this as well and am a little over my head with these rules. I changed from PBR to egc's script and it does allow me to "see" clients on my network through the OVPN server on my tablet when I am off my network.
I am also seeing that the machines that I have put in the script are no longer on my router's OVPN client. I think that makes sense since I have changed the table for those two. I'm guessing I "can't have my cake and eat it too" with this, wanting all my machines on my network on the VPN AND allow external machines connecting using the OVPN server to see the machines on my network?
_________________
Netgear R9000
DD-WRT v3.0-r55819 std (04/17/24)
Linux 4.9.337 #722 SMP Wed Apr 17 04:16:49 +07 2024 armv7l
Gateway, AP, DNSMasq, Clock 2000MHz
VAP on wlan1 for internet devices
IPv4 & IPv6 (Prefix Delegation)
Static Leases & DHCP
CloudFlare, no SFE, SmartDNS, no QoS
2.4GHz: Vanilla, Airtime Fairness, NG-Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
5GHz: Vanilla, Airtime Fairness, AC/N Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
2 Netgear AX1800 WiFi Mesh Extenders
Xfinity 1.2Gbps/35Mbps