Simple script for Policy Based OpenVPN Routing [WORKING]

Post new topic   This topic is locked: you cannot edit posts or make replies.    DD-WRT Forum Index -> Advanced Networking
Author Message
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Thu Jun 06, 2019 10:53    Post subject:
I have taken a quick look at their instructions: https://my.ibvpn.com/knowledgebase/305/Configure-the-OpenVPN-client-on-DD-WRT-routers-NEW.html

But I am really confused: TAP is for a bridged OVPN setup; I have never seen that used for a commercial VPN provider.

Try to set up just by specifying TUN.

A bridged OVPN is normally used like an Ethernet switch to combine two networks into one; really strange to use that for a commercial OVPN.

I have a bridged OVPN with my summer residence so that it basically forms one network with my home network, not the thing you want with a commercial VPN provider, I would think.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2028

PostPosted: Fri Jun 07, 2019 19:34    Post subject:
I have been using simple-pbr-script-by-egc-V5.05
successfully calling for it in startup with
Code:
/jffs/simple-pbr-by-egc-V5.05.sh


The same method does not work for simple-pbr-by-egc-V5.06. I have made the script executable.
No clients are using the VPN.

If I save the script (V5.06) as startup it seems to work fine.

I have jffs mounted to external storage and am calling other
services from there in the same manner and all working.

Any thoughts as to why this is?

Also what is the best method to stop and restart the script
for the purpose of making changes when stored in /jffs without rebooting?

_________________
Forum Guide Lines (with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips!)
How to get help the right way

Before asking for help - Read the forum guidelines AND Upgrade DD-WRT!
Adblock by eibgrad + Blocklist Collection
punktde
DD-WRT Novice


Joined: 05 May 2008
Posts: 7

PostPosted: Fri Jun 07, 2019 23:30    Post subject:
@egc

Doesn't work with TUN. It's not connected to ibVPN.
Not connected to ibVPN either if I add the IP range into the PBR setting.
FYI, I use firmware BS version v3.0-r39827 std (05/20/19).

Any thoughts?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Sat Jun 08, 2019 7:32    Post subject:
punktde wrote:
@egc

Doesn't work with TUN. It's not connected to ibVPN.
Not connected to ibVPN either if I add the IP range into the PBR setting.
FYI, I use firmware BS version v3.0-r39827 std (05/20/19).

Any thoughts?


I saw another instruction: https://my.ibvpn.com/knowledgebase/36/OpenVPN-setup-on-DD-WRT-routers.html
where they tell you to disable the SPI firewall.

This is not a VPN provider I can recommend.

I will PM you a script to try, but I cannot support it as I do not use this VPN provider and definitely am not going to.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Sat Jun 08, 2019 8:31    Post subject:
bushant wrote:
I have been using simple-pbr-script-by-egc-V5.05
successfully calling for it in startup with
Code:
/jffs/simple-pbr-by-egc-V5.05.sh


The same method does not work for simple-pbr-by-egc-V5.06. I have made the script executable.
No clients are using the vpn.

If I save the script (V5.06) as startup it seems to work fine.

I have jffs mounted to external storage and am calling other
services from there in the same manner and all working.

Any thoughts as to why this is?

Also what is the best method to stop and restart the script
for the purpose of making changes when stored in /jffs without rebooting?


Hmm, interesting. The difference between 5.05 and 5.06 is minimal; I removed unnecessary quotes around:
Code:
VPN_GW_OLD="$VPN_GW"


So I cannot imagine that this has anything to do with it.

One thing I can think of: you probably have changed the file to incorporate your own IP addresses, and if you used a Windows editor you might have introduced Windows-style line endings (<CR>).
A Linux script will not run with that.

If you place it in Administration/Commands then that will not matter.

In the thread there are troubleshooting instructions, please have a look at them.

Furthermore, if you want to run the script from permanent storage you only need the inner script; I will send you this later this weekend when I have time.

You can kill a process by name or PID. To kill by name, look up the name by telnetting into your router and running: ps
Kill the process with: killall name_of_process
If that does not work, then kill by PID.

I will look into it; curious to find out what is going on.

Keep me posted.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Sat Jun 08, 2019 9:39    Post subject:
@Bushant attached the Inner shell script

For the inner shell script (is): unzip the script, place it in /jffs, make it executable and start it with:
Code:
sh /jffs/simple-pbr-506-is.sh &

From Administration/Commands save as Startup; be sure that USB storage is available.
When in doubt add sleep 30 before executing, e.g.:
Code:
sleep 30
sh /jffs/simple-pbr-506-is.sh &


Test first without placing it in Startup by running it from the command line.


If you want to kill the running script a quick and dirty method is:
Code:
# the [s] bracket trick keeps the grep process itself out of the match
ps | grep '[s]imple-pbr' | awk '{print $1}' | xargs kill -9


I have not extensively tested it

Looking forward to your findings



Last edited by egc on Wed Jul 17, 2019 19:11; edited 1 time in total
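The two problems raised in the posts above (a script edited on Windows that will not run because of CR LF line endings, and starting/stopping the inner script from /jffs after USB storage has come up) can be handled by one small launcher. The following is an added example, not egc's script and not part of the original thread; the script path /jffs/simple-pbr-506-is.sh, the pidfile location, the 60-second wait for storage and the command names are assumptions for a busybox sh on DD-WRT, where plain ps lists every process. It strips stray carriage returns before running the script (busybox may lack dos2unix, tr is always there), records the PID so the stop path does not need a ps scan, and falls back to the bracketed-grep scan from the post only when the pidfile is gone.

```shell
#!/bin/sh
# pbr-ctl.sh: start/stop helper for the inner PBR script on DD-WRT.
# Added example, not egc's script. Paths and the wait time are assumptions.

PBR_SCRIPT="${PBR_SCRIPT:-/jffs/simple-pbr-506-is.sh}"
PBR_PIDFILE="${PBR_PIDFILE:-/tmp/simple-pbr.pid}"
PBR_WAIT="${PBR_WAIT:-60}"   # seconds to wait for /jffs (USB) to be mounted

# Count carriage returns: a script saved by a Windows editor has one per
# line, and busybox sh then fails with "not found" on every command.
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

has_crlf() {
    [ "$(count_cr "$1")" -gt 0 ]
}

# Strip the CRs in place via a temp file, so a half-written script is
# never executed.
fix_crlf() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Wait up to $2 seconds for $1 to appear; jffs/USB mounts late at boot.
wait_for_file() {
    _i=0
    while [ ! -e "$1" ]; do
        _i=$((_i + 1))
        [ "$_i" -gt "$2" ] && return 1
        sleep 1
    done
    return 0
}

pbr_start() {
    wait_for_file "$PBR_SCRIPT" "$PBR_WAIT" || { echo "$PBR_SCRIPT not found" >&2; return 1; }
    if has_crlf "$PBR_SCRIPT"; then
        echo "stripping Windows line endings from $PBR_SCRIPT" >&2
        fix_crlf "$PBR_SCRIPT"
    fi
    sh "$PBR_SCRIPT" &
    echo $! > "$PBR_PIDFILE"
    echo "started pid $(cat "$PBR_PIDFILE")"
}

# Prefer the recorded PID; fall back to a ps scan that excludes the grep itself.
pbr_stop() {
    if [ -f "$PBR_PIDFILE" ] && kill "$(cat "$PBR_PIDFILE")" 2>/dev/null; then
        rm -f "$PBR_PIDFILE"
        return 0
    fi
    for p in $(ps | grep '[s]imple-pbr' | awk '{print $1}'); do
        kill "$p" 2>/dev/null
    done
    rm -f "$PBR_PIDFILE"
    return 0
}

# Usage: sh /jffs/pbr-ctl.sh start|stop|restart  (from Startup: "sh /jffs/pbr-ctl.sh start")
case "${1:-}" in
    start)   pbr_start ;;
    stop)    pbr_stop ;;
    restart) pbr_stop; pbr_start ;;
esac
```

Put "sh /jffs/pbr-ctl.sh start" in Administration/Commands as Startup instead of a fixed sleep; the wait loop returns as soon as the script is visible and gives up with a message if storage never mounts.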
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2028

PostPosted: Sat Jun 08, 2019 13:02    Post subject:
I was going to tell you not to bother since v5.05 was working fine, unless you told me not to use it for some reason.

Too late; you get up several hours before I do.

That was the only change I saw so I am guessing there is user error involved here.

I haven't used windows much since XP went away.
Every time I start the win10 I am reminded why.

I will have to wait to test until the other household has left for the day.
I will report back, Thank You.

bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2028

PostPosted: Sun Jun 09, 2019 0:24    Post subject:
Thank You egc, /jffs/simple-pbr-506-is starts and working as intended.

I did not try with my previous method anymore and probably won't.
I had tried at least a dozen times since finding v5.06.

bghouse
DD-WRT Novice


Joined: 18 May 2013
Posts: 3
Location: Missouri

PostPosted: Wed Jul 03, 2019 16:59    Post subject: PBR script question
EGC,
First of all thank you for your scripts & threads on OpenVPN configs, much appreciated!!
I've been going between your and Eibgrad's threads researching the best way to configure remote
access. I have recently swapped out my AP with a WRT32X so I could implement a VPN (KeepSolid VPN).
It is working, no issues. But I am needing remote access for my CCTV & Directv DVRs. I
attempted to add your simple PBR script (v5) but could not access either. All I did to
the script was add the following:

# --------------- BEGIN RULES ---------#
add_rule from 192.168.1.4 #CCC DVR
add_rule from 192.168.1.24 #Directv
# --------------- END RULES -----------#

Now, am I incorrect in thinking I need to use my ISP (WAN) IP to access these devices, or do
I need to use my VPN public IP?
Secondly, do I need to add a route in the script for the VPN public IP or my ISP (WAN)
public IP? Or any other settings for that matter?
Lastly, this may only be partially related to running VPN on DD-WRT. I'm getting intermittent drops as
I'm working from home. I am directly connected to my router but have to connect to
my work VPN for various company applications etc. So if I can get the PBR script working
I would add my PC IP so that I'm not running a tunnel within a tunnel, so to speak.
Any direction would be appreciated & apologies if this is noted already.

_________________
Routers/Switches:
-----------------
WRT32X AP -v3.0-r40065 std (06/20/19)
Wired Bridges:
-----------------
WRT310Nv2 - v24-sp2 std-nokaid-small
E2500 - v24-sp2 (03/25/13) big
Switch:
-------
Netgear Prosafe 24-Port Switch
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Wed Jul 03, 2019 19:07    Post subject:
If you want to access clients on your own LAN from the internet you normally do that via your WAN.
(It is possible to do it via the VPN, but not all VPN providers can do port forwarding, or it is difficult to do so.)

If you have a VPN client running then that will not work.

Have a look at the first post of this thread and the reference to the post from @eibgrad; he describes the problem (connection coming in from the WAN and going out via the VPN, which does not work) and possible solutions.

One of the solutions is using PBR.

If you decide to do so and use my script, be sure to add: pull-filter ignore "redirect-gateway" to the additional config of the VPN client.

All addresses you add to the script will use the VPN, and these addresses cannot be reached through the WAN.

So you can add all addresses to the VPN but not the ones you want to reach via the WAN.

It is possible to route by port, but for that you need the sophisticated scripts from @eibgrad.

Hope this will clear things up a bit.

Otherwise you can always ask for assistance.

bghouse
DD-WRT Novice


Joined: 18 May 2013
Posts: 3
Location: Missouri

PostPosted: Wed Jul 03, 2019 21:03    Post subject:
egc wrote:
If you want to access clients on your own LAN from the internet you normally do that via your WAN.
(It is possible to do it via the VPN, but not all VPN providers can do port forwarding, or it is difficult to do so.)

If you have a VPN client running then that will not work.

Have a look at the first post of this thread and the reference to the post from @eibgrad; he describes the problem (connection coming in from the WAN and going out via the VPN, which does not work) and possible solutions.

One of the solutions is using PBR.

If you decide to do so and use my script, be sure to add: pull-filter ignore "redirect-gateway" to the additional config of the VPN client.

All addresses you add to the script will use the VPN, and these addresses cannot be reached through the WAN.

So you can add all addresses to the VPN but not the ones you want to reach via the WAN.

It is possible to route by port, but for that you need the sophisticated scripts from @eibgrad.

Hope this will clear things up a bit.

Otherwise you can always ask for assistance.


Thank you for responding. I have read/re-read the original post & continue to keep it referenced so as not to overlook anything, so like I said, sincere apologies if I'm not understanding it completely.
So I am thinking that I am getting confused on using PBR & your script.

With that being said, I would like to keep this as simple as possible. So, if I am just wanting to be able to remotely access 2 devices (Directv & CCTV DVRs) & my AP from the internet, can I just use your script & no PBR?
If so, are these the steps to do so?

1) add - > pull-filter ignore "redirect-gateway" in the additional config of the OVPN client.

2) I need to add the following to your script:
# --------------- BEGIN RULES ---------#
add_rule from 192.168.1.4 #CCTV DVR
add_rule from 192.168.1.24 #Directv DVR
# --------------- END RULES -----------#

3) Additional command/config for GUI access to my AP?

Thanks in advance for helping a noob!

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Thu Jul 04, 2019 7:18    Post subject:
First get WAN access for your CCTV and DVR without the VPN; you can simply disable the VPN, the settings are retained.
You need to set a port forward to your CCTV and DVR.
(Alternatively you can set up a VPN server on the router, which is the safer/preferred method.)

Now enable the VPN client and reboot your router.
Check that the VPN is working.

You will not have WAN access now, because the router itself is also on the VPN.
One way to deal with it is PBR.
You can use the built-in PBR or my implementation.

When using the built-in PBR, enter the IP addresses you want to use the VPN in the Policy based Routing field of the VPN client.
Use CIDR notation, i.e. for one client use 192.168.1.88/32
You cannot enter the addresses of the CCTV and/or the DVR in the PBR field.


When using mine you do the following:

Quote:
1) add - > pull-filter ignore "redirect-gateway" in the additional config of the OVPN client.

That is correct.

Quote:
2) I need to add the following to your script:
# --------------- BEGIN RULES ---------#
add_rule from 192.168.1.4 #CCTV DVR
add_rule from 192.168.1.24 #Directv DVR
# --------------- END RULES -----------#

Not correct: you can add any client you want to route via the VPN but NOT the clients you want to reach via the WAN, so anything BUT the CCTV and DVR.

Make sure there is not anything in the VPN client's PBR field.

When done, save/apply and reboot your router.

There is a troubleshooting section to use if it is not working.

Have fun :)

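What the built-in PBR field and egc's add_rule lines do underneath is source-address policy routing: each listed client gets an ip rule pointing at a separate routing table whose default route is the tunnel, while the main table (thanks to pull-filter ignore "redirect-gateway") keeps its default via the WAN, so the port-forwarded CCTV and DVR keep answering on the interface their requests came in on. The following is an added example, not egc's script, the built-in PBR or anything from the original thread; the interface names tun1 and eth0, the table number 10, the rule priority and the client lists are assumptions for illustration. On a DD-WRT router the WAN interface is $(nvram get wan_iface) and OpenVPN passes the tunnel gateway to its up script in the route_vpn_gateway environment variable. The script refuses to policy-route any host that is on the WAN port-forward list, which is the mistake made in the posts above, and adds a per-client REJECT on the WAN interface so a VPN client never silently falls back to the WAN while the tunnel is down. DRY_RUN=1 prints the commands instead of running them, which is how it should be tried first.

```shell
#!/bin/sh
# pbr-rules.sh: source-address policy routing for a VPN client on DD-WRT.
# Added example, not egc's script or the built-in PBR; names are assumptions.

VPN_IF="${VPN_IF:-tun1}"        # OpenVPN client interface
VPN_TABLE="${VPN_TABLE:-10}"    # routing table holding the VPN default route
WAN_IF="${WAN_IF:-eth0}"        # $(nvram get wan_iface) on the router
DRY_RUN="${DRY_RUN:-0}"         # 1 = print the commands instead of running them

# Clients that must use the VPN (CIDR; /32 for a single host) ...
VPN_CLIENTS="${VPN_CLIENTS:-192.168.1.88/32 192.168.1.90/32}"
# ... and hosts reached from the internet via WAN port forwards. These must
# NOT be policy-routed, or their replies leave via the tunnel and never arrive.
WAN_HOSTS="${WAN_HOSTS:-192.168.1.4 192.168.1.24}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Accept only dotted-quad[/prefix]; nothing else reaches ip or iptables.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|*/|/*) return 1 ;;
    esac
    ip=${1%/*}; len=${1#*/}
    [ "$ip" = "$1" ] && len=32          # no prefix given: single host
    [ "$len" -le 32 ] || return 1
    set -- $(echo "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# True if the address (prefix stripped) is one of the port-forwarded hosts.
is_wan_host() {
    for h in $WAN_HOSTS; do [ "${1%/*}" = "$h" ] && return 0; done
    return 1
}

# Once the tunnel is up: default route for the VPN table via the tunnel gateway.
# From an OpenVPN up script call: set_vpn_route "$route_vpn_gateway"
set_vpn_route() {
    run ip route replace default via "$1" dev "$VPN_IF" table "$VPN_TABLE"
    run ip route flush cache
}

# One ip rule per VPN client plus a REJECT on the WAN interface, so traffic
# from that client never falls back to the WAN when the tunnel is down.
apply_pbr() {
    for c in $VPN_CLIENTS; do
        valid_cidr "$c" || { echo "skipping invalid entry: $c" >&2; continue; }
        if is_wan_host "$c"; then
            echo "refusing to route $c via VPN: it needs WAN port forwards" >&2
            continue
        fi
        run ip rule add from "$c" lookup "$VPN_TABLE" priority 1000
        run iptables -I FORWARD -s "$c" -o "$WAN_IF" -j REJECT
    done
    return 0
}

# Usage: DRY_RUN=1 sh pbr-rules.sh up 10.8.0.1   (prints what would be applied)
case "${1:-}" in
    up) set_vpn_route "$2"; apply_pbr ;;
esac
```

Note that the REJECT rule is the same shape as the usual DD-WRT kill switch (iptables -I FORWARD -s client -o wan_iface -j REJECT); here it is emitted only for clients that are actually policy-routed, which is why the WAN-host check has to run first.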
bghouse
DD-WRT Novice


Joined: 18 May 2013
Posts: 3
Location: Missouri

PostPosted: Mon Jul 08, 2019 16:54    Post subject:
Thanks again EGC, that's exactly what I was needing clarified. I was adding my devices needing remote access, not omitting them. I do have remote access without the VPN enabled. I will get my VPN client enabled, update the script & retest. I would like to set up a VPN server on the router but have some more research/reading to do before I attempt that change. Really appreciate your patience & assistance!
KeWm
DD-WRT Novice


Joined: 26 Jul 2019
Posts: 19

PostPosted: Thu Aug 08, 2019 8:30    Post subject:
Hey!
I am new to this and only use guides when I have to do something. There are many different terms to learn. I don't want netflix.com to use the VPN; how do I make it work?

I have the latest DD-WRT on my R7000 router. Using PBR for my PC and a simple kill switch:
Code:
iptables -I FORWARD -s xxx.xxx.x.xxx -o $(nvram get wan_iface) -j REJECT
Page 4 of 6