Simple script for Policy Based OpenVPN Routing [WORKING]

ETRB
DD-WRT Novice


Joined: 20 Feb 2019
Posts: 2

PostPosted: Fri Feb 22, 2019 23:45    Post subject: Removing Destination from Table
Hi,

Thanks for this post, it really solves my issue with my VPNs.

I'm wondering if there is a way to remove_rule from the table. My idea was to add an IP to Table 11 so this IP would use the VPN for most connections, but I want to use the normal WAN for a few destinations, like netflix.com. Is it possible?

I'm new to firewall and IPTables, so I'm looking for a quite easy way.

Thank you!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Sat Feb 23, 2019 9:06    Post subject:
@boris03, you are throwing in a lot at once :)
You should test each component individually.
First we need to know your router model and firmware build and if applicable the Kernel version used.

Start with testing the OVPN server, so disable the OVPN client on the router, no worries your settings are retained.
Simply click disable at the OVPN client GUI.
Also remove the PBR script from the startup command and reboot the router.

Always test the OVPN server from outside the network, i.e. with a phone on cellular. There are a lot of good guides for setting up an OVPN server; here is how I do it: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795

When the server works, disable the OVPN server and enable the OVPN client on the router and reboot the router.
One tip, normally you do not need anything placed in the additional config of the client, all things can be done via the GUI.

If the OVPN client works then you can setup Policy based routing, first test with the DDWRT PBR just enter 192.168.1.100/32 in the Policy based routing field of the OVPN client, check if it works.

If this works enable the OVPN server and check everything.

Now if you need the advantages of my PBR script over the default PBR implementation (like local routes and PBR by destination) then proceed with my script as per the first post of this thread.

If you need any help with the steps, make a separate thread.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Sat Feb 23, 2019 9:14    Post subject:
@ETRB, the use case you describe is exactly why I made the script.

Just use the instructions per the first post.
In your case you have to enter: pull-filter ignore "redirect-gateway" in the additional config of the OVPN client.

Enter the IP addresses of the clients you want to use the VPN in the script like:
Code:
add_rule [myip]


And enter the destinations which you want to use the WAN or VPN in the additional config of the OVPN client, as described.

boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 148

PostPosted: Sat Feb 23, 2019 14:35    Post subject:
As I said, the OVPN client is working and the OVPN server is working, both CONNECTED SUCCESS. But when the client is on I cannot connect to the server.
OK, I switched off the client and YES, I can connect to the server; client on again - no server connection.
So I removed all additional config from the client, removed your script, and also set LZO to "No" for client and server.
Client still working even though they said it is required.
But when the client is activated there is no access to the server. Any idea how to get both working?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Sat Feb 23, 2019 14:45    Post subject:
See my previous post:
If the OVPN client works then you can setup Policy based routing, first test with the DDWRT PBR: just enter 192.168.1.100/32 in the Policy based routing field of the OVPN client, check if it works.

When using the OVPN server and OVPN client on the same router you have to use Policy based routing.

boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 148

PostPosted: Sat Feb 23, 2019 15:46    Post subject:
Yessss, the PBR rule works and I can connect to both.
What I notice is that when connected to the server I don't have internet access.
I can connect to only one device in the range of the first router (why exactly only this one, 192.168.2.199:99?), nothing else.
I can also not connect to the DD-WRT router GUI and cannot connect to the IP used for the PBR rule, 192.168.2.100.

So what next :-)
I would like to connect to IPs from the other router and to devices in the DD-WRT range itself.
If possible I would like to access the IPs from DD-WRT when connected to the first router's DHCP range - meaning at home.
I would like to access the internet when connected to the server.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Sat Feb 23, 2019 17:02    Post subject:
boris03 wrote:
Yessss, the PBR rule works and I can connect to both.
What I notice is that when connected to the server I don't have internet access.
I can connect to only one device in the range of the first router (why exactly only this one, 192.168.2.199:99?), nothing else.
I can also not connect to the DD-WRT router GUI and cannot connect to the IP used for the PBR rule, 192.168.2.100.

So what next :-)
I would like to connect to IPs from the other router and to devices in the DD-WRT range itself.
If possible I would like to access the IPs from DD-WRT when connected to the first router's DHCP range - meaning at home.
I would like to access the internet when connected to the server.


If you can connect to your OVPN server but do not have internet access, you might be missing a firewall rule.
For the OVPN server you have to use one firewall rule (and only one) to NAT the OVPN traffic out to the internet (see the guide).

If you can not reach all local clients, you have to check the firewall of the local clients; most local clients (like your PCs) have their own firewall which will not allow traffic from other subnets.
To see if this is the problem, disable the firewall of the local client.

You can not reach the client which is in the PBR. If you want that you have to use my script for PBR. First get everything else running. The script is experimental :)

boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 148

PostPosted: Sat Feb 23, 2019 17:41    Post subject:
So I added
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE

No change, I cannot access the internet, nor can I access any of the IPs from the other router except this one, 192.168.2.199:99

The other IPs I mentioned don't have a firewall; these are stupid IP cams.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Sat Feb 23, 2019 18:02    Post subject:
Have you rebooted?

Otherwise start a new thread stating your problem, post pictures of your settings and of the VPN log, and post your client settings.

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Sat Feb 23, 2019 18:34    Post subject:
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE

This will NAT out the WAN, not using the VPN Client.

iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Check that the VPN Client is on tun1.

PS. It's better to use -I instead of -A, so the rules go first in the chain and not last.
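The pieces discussed in this exchange (a PBR rule for a source address in table 11, the NAT rule on the tunnel interface, -I versus -A, and checking that the client really is on tun1) put together as an added example in plain ip/iptables commands. This is not egc's script and not code from any poster: it assumes the OVPN client is on tun1 and the PBR table is 11 as in the thread, that "redirect-gateway" is ignored so the main table keeps the WAN default route, that the router's busybox ip supports `ip rule ... prio`, and the prio values 900/1000 and the `to ... lookup main` destination exception are this example's own choices. DRY_RUN=1 prints the commands instead of running them, so the logic can be read and checked off the router.

```shell
#!/bin/sh
# Added example, not egc's script: the building blocks of policy based routing
# for an OpenVPN client on DD-WRT, written as plain ip/iptables commands.
# Assumptions (from the thread, not verified here): the OVPN client is on tun1,
# the PBR table is 11, and "redirect-gateway" is ignored so the main table
# keeps the WAN default route. DRY_RUN=1 prints the commands instead of
# running them, so the logic can be read and checked off the router.
TUN=${TUN:-tun1}
TABLE=${TABLE:-11}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# "Check that the VPN client is on tun1": refuse to add rules for an
# interface that does not exist (the check is skipped in dry-run mode).
tun_exists() {
    [ "$DRY_RUN" = "1" ] && return 0
    [ -d "/sys/class/net/$TUN" ]
}

# Send everything from one LAN client (host/32 or a subnet) through table 11.
add_rule() {
    run ip rule add from "$1" lookup "$TABLE" prio 1000
}

# The counterpart ETRB asked about: delete the rule with the same selector.
del_rule() {
    run ip rule del from "$1" lookup "$TABLE" prio 1000
}

# Destination that must stay on the WAN even for clients in table 11.
# Rules are evaluated in ascending prio, so 900 is consulted before the
# from-rules and falls through to the main table (WAN default route).
add_wan_exception() {
    run ip rule add to "$1" lookup main prio 900
}

setup() {
    tun_exists || { echo "$TUN is not up" >&2; return 1; }
    run ip route replace default dev "$TUN" table "$TABLE"
    # -I puts the NAT rule first in POSTROUTING; with -A it would land after
    # the existing rules, which is the point made above.
    run iptables -t nat -I POSTROUTING -o "$TUN" -j MASQUERADE
    run ip route flush cache
}

# Usage: sh pbr.sh setup | add <ip/cidr> | del <ip/cidr> | wan <dest/cidr>
case "${1:-}" in
    setup) setup ;;
    add)   add_rule "$2" ;;
    del)   del_rule "$2" ;;
    wan)   add_wan_exception "$2" ;;
esac
```

Run `DRY_RUN=1 sh pbr.sh setup` first to see exactly what would be executed, then without DRY_RUN on the router; `ip rule show` and `ip route show table 11` show the result, and `iptables -t nat -L POSTROUTING -n -v` confirms the MASQUERADE rule sits at the top of the chain.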
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2028

PostPosted: Sat Feb 23, 2019 19:12    Post subject:
I had not noticed that you had a newer script.
I was unable to get simple-pbr-by-egc-v4 working.
I didn't fool with it much because I didn't need it then.

Now I do and simple-pbr-by-egc-v5.04 works great.

Thanks egc. GR8 work.

_________________
Forum Guide Lines (with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips!)
How to get help the right way

Before asking for help - Read the forum guidelines AND Upgrade DD-WRT!
Adblock by eibgrad + Blocklist Collection
boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 148

PostPosted: Sat Feb 23, 2019 20:06    Post subject:
Per Yngve Berg wrote:
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE

This will NAT out the WAN, not using the VPN Client.

iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Check that the VPN Client is on tun1.

PS. It's better to use -I instead of -A, so the rules go first in the chain and not last.


Yes, it is tun1, so should I try this iptables command:
iptables -t nat -I POSTROUTING -o tun1 -j MASQUERADE
and will that allow accessing my local IPs from my first router and also enable internet access via the server connection?

Thanks a lot
ETRB
DD-WRT Novice


Joined: 20 Feb 2019
Posts: 2

PostPosted: Sun Feb 24, 2019 19:43    Post subject: I don't know how to remove the rule
@egc I've added pull-filter ignore "redirect-gateway" in the Additional Config of OVPN and added all the IPs I want to your script.

My issue is that I want IP 192.168.1.100 to go through the VPN (alternate route), so I've added this IP with add_rule in your script:
Code:
add_rule from 192.168.1.100/32

Now I want (if possible) to use the normal WAN when I access netflix.com from this IP. I didn't understand exactly which rule I should use and where.

Apart from that, everything else is working perfectly. Thanks for your script and your help.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Mon Feb 25, 2019 7:58    Post subject:
In the same box where you entered: "pull-filter ......", you enter:
Code:
route netflix.com 255.255.255.255 net_gateway


So that the box will show:
Code:
pull-filter ignore "redirect-gateway"
route netflix.com 255.255.255.255 net_gateway


It is not certain it will work as intended, as only the first IP address of netflix is used, and large corporations often use a range/block of IP addresses.
You can google for this block of IP addresses and then use something like:
Code:
route 52.30.0.0 255.255.0.0 net_gateway

to route a whole block of IP addresses over the WAN.
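Since a hostname in a `route` line resolves to a single address, the practical way to keep a service on the WAN is to list its address blocks. The script below is an added example, not egc's script or OpenVPN code: it turns CIDR blocks into the `route <net> <mask> net_gateway` lines for the OVPN client's additional config, and checks which addresses a block covers, so you can see why one resolved address does not cover a /16. It assumes a POSIX/busybox sh with arithmetic expansion; the 52.30.0.0/16 block is the one quoted above as an illustration, and which blocks a service really uses is something to look up and re-check, because they change.

```shell
#!/bin/sh
# Added example, not egc's script or OpenVPN code: turn CIDR blocks into the
# "route <net> <mask> net_gateway" lines for the OVPN client's additional
# config, and check which addresses such a block covers. 52.30.0.0/16 is the
# block quoted in the thread as an illustration only.

# Dotted quad -> 32-bit integer; split on the dots, then shift and OR in
# shell arithmetic (works in dash and busybox sh).
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0..32) -> netmask as an integer.
plen2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# cidr_to_route 52.30.0.0/16 -> "route 52.30.0.0 255.255.0.0 net_gateway"
# A bare address is treated as a /32 host route, which is what the
# "route netflix.com 255.255.255.255 net_gateway" line does for one IP.
# Host bits are masked off, so 52.30.77.9/16 yields the same line.
cidr_to_route() {
    net=${1%/*}
    plen=${1#*/}
    [ "$plen" = "$1" ] && plen=32
    mask=$(plen2mask "$plen")
    echo "route $(int2ip $(( $(ip2int "$net") & mask ))) $(int2ip "$mask") net_gateway"
}

# in_block ADDR NET/PLEN: succeeds when ADDR falls inside the block.
in_block() {
    bnet=${2%/*}
    bplen=${2#*/}
    bmask=$(plen2mask "$bplen")
    [ $(( $(ip2int "$1") & bmask )) -eq $(( $(ip2int "$bnet") & bmask )) ]
}

# emit_config BLOCK...: the complete additional-config box for the OVPN client,
# i.e. the pull-filter line followed by one route line per block.
emit_config() {
    echo 'pull-filter ignore "redirect-gateway"'
    for blk in "$@"; do
        cidr_to_route "$blk"
    done
}

# Usage: sh routes.sh 52.30.0.0/16 198.51.100.0/24   (blocks are constructed examples)
if [ $# -gt 0 ]; then
    emit_config "$@"
fi
```

Paste the output of `emit_config` into the additional config box of the OVPN client; `in_block` is handy for checking whether an address seen in the client's log or in a DNS lookup is actually covered by the blocks you listed.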
MLandi
DD-WRT Guru


Joined: 04 Dec 2007
Posts: 1008

PostPosted: Thu Mar 14, 2019 14:01    Post subject:
I'm trying this as well and am a little over my head with these rules. I changed from PBR to egc's script and it does allow me to "see" clients on my network through the OVPN server on my tablet when I am off my network.

I am also seeing that the machines that I have put in the script are no longer on my router's OVPN client. I think that makes sense, since I have changed the table for those two. I'm guessing I "can't have my cake and eat it too" with this, wanting all the machines on my network on the VPN AND allowing external machines connecting through the OVPN server to see the machines on my network?

_________________
Netgear R9000
DD-WRT v3.0-r55460 std (03/25/24)
Linux 4.9.337 #715 SMP Mon Mar 25 06:15:53 +07 2024 armv7l
Gateway, AP, DNSMasq, Clock 2000MHz
VAP on wlan1 for internet devices
IPv4 & IPv6 (Prefix Delegation)
Static Leases & DHCP
CloudFlare, no SFE, SmartDNS, no QoS
2.4GHz: Vanilla, Airtime Fairness, NG-Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
5GHz: Vanilla, Airtime Fairness, AC/N Mixed, ACK Timing 3150, WPA2 w/AES & WPA3
2 Netgear AX1800 WiFi Mesh Extenders
Xfinity 1.2Gbps/35Mbps