Simple script for Policy Based OpenVPN Routing [WORKING]

c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

PostPosted: Thu Mar 14, 2019 15:53
Per Yngve Berg wrote:
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE

This will NAT out the WAN, not using the VPN Client.

iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Check that the VPN Client is on tun1.

PS. It's better to use -I instead of -A, so the rules get first in chain and not last.


Okay, quoting another user and also asking EGC as I am using their script.
1. EGC, quick question: I notice in another person's reference to your earlier script you had:

TID="11"

VPN_GW_OLD="old"

vs (no quotes) in the latest v5.05.sh

TID=11

VPN_GW_OLD=old

Is this correct or doesn't it matter?
Also my ClientVPN-paid is TUN1, ServerVPN TUN2; is the script correct in that regard?

2. "Is the script made, from CLI do: cat /tmp/simple-br.sh" (small spelling error, but it had me going in circles testing) should be "from CLI do: cat /tmp/simple-pbr.sh".

3. Usage for me: I think in general I want MOST of the LAN devices to go via my VPN client (paid), with exclusions such as CCTV, which will sit behind the router with no port forwards, but my mobile devices (clients) connected to my VPN server can only see through the tunnel.

3.a So I went with NOT entering pull-filter ignore "redirect-gateway" in the additional config of the VPN client, if I read this line of your guide correctly:-
• Decide which should be your standard route, if this is the WAN then enter: pull-filter ignore "redirect-gateway" in the additional config of the OVPN client.
And I don't: I want the standard route (assuming out) to be via the VPN client (paid).

3.b But I couldn't get the client to connect at all with this one line in the script rules:-
add_rule from 10.8.0.2 #ChrisMOB
Which was effectively lifted/removed from the PBR rules, where it was entered as simply 10.8.0.2/32

Am I incorrectly reading point 3.a above, as when I added the "redirect-gateway" command I could connect to the VPN server as a client? But surely my traffic is via the WAN; my WAN IP on the mobile is the ISP WAN, not the VPN-paid one, so it seems so.



On the FIREWALL part, quoting "Per Yngve Berg":

I had:
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE
But should this be (in my scenario), as most traffic goes out through the VPN, not the WAN-ISP:-
iptables -t nat -I POSTROUTING -o tun1 -j MASQUERADE

Please note the -I

Also I need to connect a telephone server which wants a UDP port forward into my network; as I cannot add the provider as a "client" on my VPN server, is there a port forward rule I should use, OR does it not really matter as an open port is an open port?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Thu Mar 14, 2019 16:33
1. The script changes now and then; in v5.05 I was tidying up a bit, so it should be correct (as said earlier it is somewhat experimental :) )

2. Thanks for catching the typo I have corrected it.

3. Your assumption is correct. BUT you are also using an OVPN server that needs the default route to go out via the WAN, so in your case you have to use pull-filter ignore "redirect-gateway"

When pull-filter ignore "redirect-gateway" is in place your outside clients connected to your OVPN server will have internet access via the WAN; if you place the IPs like 10.8.0.2 and 10.8.0.3 in the PBR script you will then have internet access via your outgoing VPN client to your commercial VPN provider

If you want your outside OVPN client to have internet access when connected via your VPN server then you have to use
Code:
iptables -t nat -A POSTROUTING -o $(nvram get wan_iface) -j MASQUERADE

I would always add this rule

This has nothing to do with the OVPN client on your router (tun1); of course this client also needs a NAT rule, otherwise you could never connect to the internet via tun1.
That is why in the DD-WRT GUI of the OVPN client you always have to enable NAT (for TUN); when you enable this, the rule is put in place by DD-WRT

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
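As an added example (not egc's script and not DD-WRT's own code), the sketch below shows the pieces egc describes in the post above: a MASQUERADE rule for each egress interface (inserted with -I and guarded by -C so re-running the firewall script does not stack duplicates), a separate routing table whose default route is the tunnel while the main table keeps the WAN, source rules that select that table, and the show commands used to verify the result. The interface names (tun1 = VPN client), table id 11 and the addresses are assumptions taken from this thread; DRY_RUN=1 (the default) prints the commands instead of executing them, so it can be run without root or a router.

```shell
#!/bin/sh
# Added example, not egc's script: minimal sketch of a policy-based routing
# setup on DD-WRT with a dry-run mode. tun1 (VPN client), table 11 and the
# demo addresses are assumptions taken from the forum thread.
TID=${TID:-11}          # routing table used for "via the VPN" traffic
VPN_IF=${VPN_IF:-tun1}  # the commercial VPN client tunnel
WAN_IF=${WAN_IF:-eth0}  # on a live router use: WAN_IF=$(nvram get wan_iface)
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# MASQUERADE out of an interface. -I puts the rule at the top of POSTROUTING;
# -C first so that re-running the firewall script does not add it twice.
nat_rule() {
    if [ "$DRY_RUN" != 1 ] && iptables -t nat -C POSTROUTING -o "$1" -j MASQUERADE 2>/dev/null; then
        return 0
    fi
    run iptables -t nat -I POSTROUTING -o "$1" -j MASQUERADE
}

# Both egress interfaces need NAT: the WAN rule serves LAN hosts and OVPN
# server clients that stay on the default route, the tun1 rule serves whatever
# the source rules send out through the VPN client.
setup_nat() {
    nat_rule "$WAN_IF"
    nat_rule "$VPN_IF"
}

# Table TID gets the tunnel as default route; the main table keeps the WAN,
# which is what pull-filter ignore "redirect-gateway" on the OVPN client keeps.
setup_vpn_table() {
    run ip route replace default dev "$VPN_IF" table "$TID"
}

# add_rule from <ip[/cidr]>  (a source rule in the style of the thread's script)
add_rule() {
    if [ "$1" != from ] || [ -z "$2" ]; then
        echo "usage: add_rule from <ip[/cidr]>" >&2
        return 1
    fi
    run ip rule add from "$2" lookup "$TID"
}

# The three commands to verify the result on a live router.
show_state() {
    run ip route show
    run ip route show table "$TID"
    run ip rule show
}

# Demo, safe to run anywhere because DRY_RUN defaults to 1.
setup_nat
setup_vpn_table
add_rule from 10.8.0.2        # an OVPN server client (assumed address)
add_rule from 192.168.49.75   # a LAN host (assumed address)
run ip route flush cache
show_state
```

On a router, run it with DRY_RUN=0 from the firewall or OpenVPN up script; the `ip rule` entries are the ones `ip rule show` lists, and the tunnel default route appears only in `ip route show table 11`, not in the main table.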
c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

PostPosted: Thu Mar 14, 2019 17:06
egc wrote:

3. Your assumption is correct. BUT you are also using an OVPN server that needs the default route to go out via the WAN, so in your case you have to use pull-filter ignore "redirect-gateway"

When pull-filter ignore "redirect-gateway" is in place your outside clients connected to your OVPN server will have internet access via the WAN; if you place the IPs like 10.8.0.2 and 10.8.0.3 in the PBR script you will then have internet access via your outgoing VPN client to your commercial VPN provider


Okay thanks for response mate.

The "" differences in the script are okay then?

Firewall = put the command in as instructed; in fact I hadn't tried the sample I posted (with the -I)...

Redirect = I added the filter ignore "redirect-gateway" as instructed.

This does allow me to connect as a client like I said earlier.

Quick DNSMasq question as it may be relevant, I did ask it before, but I asked a lot of silly Qs!

interface=tun2 AS PER YOUR oVPN GUIDE
interface=tun1 AS PER EXPRESSVPN GUIDE

I ask as it may be relevant.

Anyway, keeping it simple, client Android mobile connected and WAN IP is returned as the real WRT ISP IP.

Added my Surface PC in the PBR script rule and WAN IP is returned as the real WRT ISP IP.

Like this:-

# --------------- BEGIN RULES ---------#
add_rule from 10.8.0.2 #ChrisMOB
add_rule from 192.168.49.75
# --------------- END RULES -----------#

Reading your post, which I have quoted above, why is neither going out via the VPN? I assume they aren't, as wouldn't I get the virtual WAN IP from the paid VPN?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Thu Mar 14, 2019 18:09
Regarding DNSMasq, you should specify tun2, as that should listen to requests from your outside clients connecting to your OVPN server.

As you set it up, both 10.8.0.2 and 192.168.49.75 should use Express VPN

Telnet to your router and show the output of
ip route show
ip route show table 11
ip rule show

Furthermore, what does your Status/OpenVPN page show, is there a connection to Express, and is Express working if you do not use PBR?

c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

PostPosted: Thu Mar 14, 2019 18:55
Success :)

Following on from my last post.

Changed DNSMasq to interface=tun1 (BUT I just see you recommend I make it TUN1? Shall I change it?)

Amended rules AND done a reboot (I reckon that was the BIGGEST issue, which I know you state to do!) and from my client Android mobile (10.8.0.2) I can see my local CCTV VMS, in fact any LAN device, regardless of being in the DHCP range listed below OR outside of it (static LAN devices):-

Also I can ping the external serverVPN clients, namely for example 10.8.0.2 below, from both the listed DHCP range below OR outside of it (static LAN devices):-

# --------------- BEGIN RULES ---------#
add_rule from 10.8.0.2 #ChrisMob

add_rule from 10.8.0.3 #LeeMob

add_rule from 192.168.49.1/32 #DHCP range start

add_rule from 192.168.49.2/31

add_rule from 192.168.49.4/30

add_rule from 192.168.49.8/29

add_rule from 192.168.49.16/28

add_rule from 192.168.49.32/27

add_rule from 192.168.49.64/27

add_rule from 192.168.49.96/30

add_rule from 192.168.49.100/31 #DHCP range end
# --------------- END RULES -----------#

Devices in the rules list above get the fake paidVPN WAN-IP.
Those NOT listed get the real WAN-ISP one.

So perfect, so far, should I change the TUN1 to TUN2?

But EGC is the man!!!!
:D :D

Now to set up some more advanced routes!!!
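The rules list in the post above splits one DHCP range into nine CIDR blocks worked out by hand. As an added example, not from the thread and not part of egc's script, the POSIX sh snippet below computes that minimal split for any start/end pair (largest block aligned at the current start that does not overshoot the end) and prints it as add_rule lines for the BEGIN/END RULES section; the range 192.168.49.1 to 192.168.49.101 used in the demo is an assumption read off the list.

```shell
#!/bin/sh
# Added example, not from the thread: turn an IPv4 address range into the
# minimal set of CIDR blocks and print them as add_rule lines. The demo range
# 192.168.49.1-192.168.49.101 is an assumption read off the rules list above.

# Dotted quad -> 32-bit integer, with basic validation (no leading zeros, <= 255).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "ip2int: need four octets" >&2; return 1; }
    for o in "$@"; do
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) echo "ip2int: bad octet '$o'" >&2; return 1 ;;
        esac
        [ "$o" -le 255 ] || { echo "ip2int: octet $o > 255" >&2; return 1; }
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidrs FIRST LAST: greedy cover. At each step take the largest block
# that is aligned at the current start and still ends at or before LAST.
range_to_cidrs() {
    start=$(ip2int "$1") || return 1
    end=$(ip2int "$2") || return 1
    [ "$start" -le "$end" ] || { echo "range_to_cidrs: start after end" >&2; return 1; }
    while [ "$start" -le "$end" ]; do
        bits=0
        # alignment: count trailing zero bits of start (an odd start gives a /32)
        while [ "$bits" -lt 32 ] && [ $(( (start >> bits) & 1 )) -eq 0 ]; do
            bits=$((bits + 1))
        done
        # shrink the block until it no longer overshoots the end of the range
        while [ "$bits" -gt 0 ] && [ $(( start + (1 << bits) - 1 )) -gt "$end" ]; do
            bits=$((bits - 1))
        done
        echo "$(int2ip "$start")/$((32 - bits))"
        start=$(( start + (1 << bits) ))
    done
}

# Same result formatted as lines for the PBR script's BEGIN/END RULES section.
emit_add_rules() {
    range_to_cidrs "$1" "$2" | while read -r cidr; do
        echo "add_rule from $cidr"
    done
}

emit_add_rules 192.168.49.1 192.168.49.101
```

Run with a different start and end to regenerate the list when the DHCP range changes; a range that is already a whole block (for example 10.0.0.0 to 10.0.0.255) collapses to a single add_rule from 10.0.0.0/24 line.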
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Thu Mar 14, 2019 19:03
Great you got it working :)
If you want DNS pushed to your clients then yes, you have to follow the rules in the advanced section. So specify tun2 in the additional config of DNSMasq and push the DNS to your clients

It is fun when it is working, but can sometimes also be very frustrating

c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

PostPosted: Thu Mar 14, 2019 21:18
Okay, now that all works pukka,

I decided to have a play with my Asterisk PBX (raspbx).

First I have set up a new duckdns DDNS running on the Pi as a cron task; this is because I wanted it to resolve not the WAN-ISP IP but instead the fake IP from the paid VPN. Sorted, works perfectly.


My theory, initial HOPE :), was to have the route both in AND out over the paid VPN, but it's never going to happen as I don't think I can open any ports (back to original CCTV square 1).

Please tell me if I am wrong?

Anyway, failing that, this is my step 2 solution:-

Achieve the registration to my SIP trunk provider OUT of the serverVPN by adding it to your script rules.

This TAGs the real WAN-ISP IP in the SIP registration to them, but the data would come back via the WAN (as this is where I told them to find me!), where I have already set up a small UDP range forward.

At the moment I have had enough, and tried my HOPE step 1, all in the paid VPN, and although it successfully registered on their end, there was no call ability as data didn't make its way back (although I did turn off all port forwards).

So currently I have removed the RULE for that address from your script and it is all out/in via the WAN; this works but is less secure.

1. So initially am I correct, step 1 HOPE is a non-starter?
2. If I do step 2, should I use one of your script's routing rules (suggested in the guide), or is there something I am missing?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Fri Mar 15, 2019 9:39
You keep coming up with interesting questions :)

You have to ask Express VPN if they support port forwarding.

I use Private Internet Access, they support port forwarding and I know there are more VPN providers which do that.

If they do, then you can make a connection to your public IP at Express VPN and use that route to go in and out of your router.

Of course you also have to port forward your own router and that needs some special rules, but "been there, done that".

I once had the pleasure, together with @Bushant, of assisting @Eibgrad to develop a solution for port forwarding with Private Internet Access, for some reading: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313661&postdays=0&postorder=asc&start=0

Long story short: inquire with Express VPN if they support port forwarding



Last edited by egc on Fri Mar 15, 2019 10:31; edited 1 time in total
c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

PostPosted: Fri Mar 15, 2019 9:49
Thanks for the prompt response, always appreciated :)

I did have a good chat last week with ExpressVPN and they 100% don't support any port forwarding. I actually had 2 different support members; TBH half the answers are "canned" rubbish, but they actually did say I can cancel, as I pre-paid for a year, so it's fairly conclusive: if they say you can get your money back, they must know they cannot do it!

So I am going to look at your provider, and funnily enough I am just looking at your other guide ref SFE, as I noticed last night my VPN speeds are shocking when using eVPN, I mean under 10M, versus 100M when disabled!

I don't think the issue is the SFE, on a v.good R7000 router. I like SFE but also like QoS for my PBX traffic shaping, but my Kodis are also suddenly struggling with HD streams, so it's obviously the eVPN.

I think I may look at your provider.

Do you think SFE is worth messing with on my DD-WRT v3.0-r37015M kongac (09/23/18)? I may be able to shape off the telephone system with another option, perhaps VLAN the only two PBX devices (i.e. I'm not a heavy SIP user).
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Fri Mar 15, 2019 10:40
From what I saw Express VPN indeed does not do port forwarding.
Private Internet Access is difficult with port forwarding; there are VPN providers which make it really easy, you can just set/ask for a port in your VPN account.

SFE does not do much for VPN. VPN is very CPU intensive.
I get around 37 Mb/s on VPN, SFE does not do much on this.
Without SFE 250 Mb/s with SFE 550 Mb/s.
This is on an R6400v2 which has a comparable CPU as an R7000.

If you want faster speeds buy an R7800

gaddster
DD-WRT Novice


Joined: 09 Dec 2017
Posts: 1

PostPosted: Mon Apr 15, 2019 17:44
Just wanted to say big kudos to Erik for the script and for taking the time to help me out getting my setup running, very much appreciated.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Sat Apr 20, 2019 7:45
Good news for everyone who can use some extra throughput while using Policy Based routing.

All builds after build 39556 have the patched SFE module made by @Quarkysg.

This patched SFE module is compatible with Policy Based Routing.
This means that you can keep Shortcut Forwarding Engine enabled (at the Setup page) while using Policy Based Routing!

I just did a quick speedtest with my Linksys E2000 using build 39572 and speeds improved from 45 Mb/s without SFE to 130 Mb/s with SFE (YMMV)

see: https://svn.dd-wrt.com/changeset/39556

Bedlore
DD-WRT Novice


Joined: 25 Oct 2013
Posts: 1

PostPosted: Mon Apr 29, 2019 8:06
Hiya egc, I'm a DD-WRT newbie. I recently signed up with a VPN provider and was forcing all traffic through it. I have DD-WRT on a dedicated router behind a Fritzbox modem. One major issue I encountered was that remote access was no longer possible because the Fritzbox would not route external ports when it no longer handled DHCP.

So I'm looking at PBR, which I thought may resolve this issue and also give me more advanced internal management like destination mapping.

Can you suggest if your script would be the best tool for a newbie like me?

Thanks
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Mon Apr 29, 2019 10:31
Well, I would go back one step :)

What we first have to answer is how you are going to connect the routers.

You have the Fritzbox as ISP modem, and the DD-WRT router as secondary router (please always state your router model and build number).

You can daisy chain the routers, i.e. have both routers on a different subnet and connect LAN<>WAN; that is the easiest, but although you can have traffic between subnets by setting a static route on the Fritzbox (which I assume is possible) and opening up the firewall, you will lose things like Windows discovery and DLNA
because there is no broadcasting between subnets. Plus you have to use some form of PBR, my script or scripts from @eibgrad or even the built-in PBR with its limitations.
But this setup is the easiest to get working: just reset the router, make sure it is on a different IP subnet than the Fritzbox and connect LAN<>WAN.

The alternative setup is using the DD-WRT router as a WAP: https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point .
You can run your VPN client on the WAP, but you have to set the gateway of each client you want to use the VPN to the WAP's address.
You can do that manually per client, and that will work, and if you can live with this, I would use this configuration.
Maybe it is even possible to have the Fritzbox hand out different gateways for different clients; DD-WRT can do this with DNSMasq.
The beauty of this setup is that you do not have to use any form of PBR on the router and you have one subnet.

The choice is yours; I (and others) can assist you in both setups, although I do not have any experience with Fritzbox.

But before you do anything, wait for other users to chime in, maybe they have different ideas/suggestions :)

punktde
DD-WRT Novice


Joined: 05 May 2008
Posts: 7

PostPosted: Thu Jun 06, 2019 10:26
@egc

My ibVPN uses tap1 instead of tun1 or tun2.
So basically I need to replace all tun1 entries inside your script with tap1, isn't it?