Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Mon Oct 14, 2019 13:24 Post subject: Policy Based Routing guides for DDWRT
Policy Based Routing guide for DDWRT
These guides are outdated; see the WireGuard Client setup guide, the OpenVPN Client setup guide and the VPN and DNS guide.
Policy Based Routing is defined as routing not all but only a predefined part of your traffic via VPN.
It is often necessary if you want to connect to your router from the internet (for SSH, an OpenVPN server, etc.). This is not possible if a VPN client is active on the router, because traffic enters the router from the WAN and goes out via the OVPN client, which the firewall will not allow.
The most common/used PBR is based on using source IPs. DDWRT can do this by entering the source IPs of your network in the PBR field of the OVPN client (use CIDR notation to define a range: www.ipaddressguide.com/cidr); only the (source) IPs entered in the PBR field are routed out via the VPN.
There are different solutions besides PBR to tackle this problem, like port forwarding through the VPN client to enter your router, using a static route to your client which connects to the OpenVPN server (reverse DNS), or using reverse proxies like ngrok, but that is outside the scope of this guide.
Besides Policy Based Routing for solving the problem described above, there are other sophisticated PBR solutions available written by @eibgrad, see: https://pastebin.com/nC27ETsp for @eibgrad's advanced script.
This guide is intended for use with build 41174 or later.
The wiki (https://wiki.dd-wrt.com/wiki/index.php/Policy_Based_Routing) is rather outdated and with all the new and exciting functions we now have in recent builds I have tried to put together a guide.
Any help/comments/remarks are welcome.
The guide is attached to this post but is only visible when you are logged in.
DNS Problems (leak or no DNS)
There are often questions about a DNS leak when using Policy Based Routing or even without using Policy Based Routing.
To (hopefully) answer some questions and to provide some solutions see the attached file (only visible when you are logged in!).
Instructions:
1. Download and unzip
2. Set VPN_ENABLED_ONLY to your preference, "0" or "1"
3. Set FW_STATE to your preference, uncomment the line to set state NEW
4. Install this script as the router's firewall script (Administration/Commands, Save as Firewall): you can either place the script on permanent storage like jffs and make it executable with chmod +x /jffs/ovpn-pbr-kill-switch-02.sh, or copy the text below, paste it in Administration/Commands and then Save as Firewall
5. Reboot router
6. The firewall is not automatically updated after a change in the PBR field, so reboot after changing.
VPN_ENABLED_ONLY
* 0 = apply rules 24/7
* 1 = apply rules only if VPN enabled (default)
Code:
VPN_ENABLED_ONLY="1" # (0 = apply rules 24/7, 1 = apply rules only if VPN enabled)
State checking: "state NEW" vs. no state
state NEW (default):
* any pre-existing LAN->WAN connections persist until/unless they timeout/close
* remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
* more efficient (only LAN->WAN packets used to establish NEW connections are inspected)
no state:
* any pre-existing LAN->WAN connections are stopped/blocked
* remote access (WAN->LAN) is denied (even if port forwarding is enabled)
* less efficient (every LAN->WAN packet is inspected)
Code:
FW_STATE="-m state --state NEW" # uncomment/comment to disable/enable state checking
Note:
The firewall is not automatically updated after a change in the PBR field, so reboot after changing or do from CLI:
Code:
stopservice firewall && startservice firewall
Troubleshooting
For troubleshooting, look at the output of the following (and show it when asking for help):
Code:
iptables -vnL blocked-ips
iptables -vnL FORWARD
Copy text below and paste in Administration/Commands Save as Firewall
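To make the two settings above concrete, here is an added illustration (not the attached ovpn-pbr-kill-switch script, whose rule set is not shown in this post) of how the PBR field, VPN_ENABLED_ONLY and FW_STATE could be turned into FORWARD rules feeding a blocked-ips chain. The chain layout, the function name and the WAN interface name are assumptions; the rules are printed rather than applied so the logic can be checked off the router.

```shell
#!/bin/sh
# Added illustration: how the PBR source list plus the two settings from the
# post could be turned into a kill-switch rule set. Not the attached script;
# the "blocked-ips" chain layout and the WAN interface name are assumptions.
# Rules are printed, not applied, so the function can be exercised anywhere.
#
# pbr_kill_switch_rules VPN_ENABLED_ONLY FW_STATE VPN_ENABLED PBR_LIST WAN_IF
#   VPN_ENABLED_ONLY  "0" = rules 24/7, "1" = only while the client is enabled
#   FW_STATE          "-m state --state NEW" or "" (no state checking)
#   VPN_ENABLED       what "nvram get openvpncl_enable" returns on the router
#   PBR_LIST          the PBR field: whitespace separated IPs / CIDR ranges
#   WAN_IF            WAN interface (e.g. vlan2 or eth0, router dependent)
pbr_kill_switch_rules() {
    vpn_only="$1"; fw_state="$2"; vpn_enabled="$3"; pbr_list="$4"; wan_if="$5"

    # VPN_ENABLED_ONLY=1: client disabled means no rules at all
    if [ "$vpn_only" = "1" ] && [ "$vpn_enabled" != "1" ]; then
        return 0
    fi

    # dedicated chain so "iptables -vnL blocked-ips" shows the hit counters
    printf '%s\n' "iptables -N blocked-ips" \
                  "iptables -F blocked-ips" \
                  "iptables -A blocked-ips -j REJECT"

    for cidr in $pbr_list; do
        # Only packets from a PBR source that try to leave on the WAN are sent
        # to the chain; packets leaving on the tunnel never match "-o $wan_if".
        # With FW_STATE set, only connection-opening packets are inspected, so
        # replies of existing and of port-forwarded (WAN->LAN) sessions pass.
        rule="iptables -I FORWARD -s $cidr -o $wan_if"
        [ -n "$fw_state" ] && rule="$rule $fw_state"
        printf '%s\n' "$rule -j blocked-ips"
    done
}
```

On the router the printed lines would be executed from the firewall script; afterwards "iptables -vnL blocked-ips" shows how many packets the kill switch has rejected.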
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Tue Oct 15, 2019 13:35 Post subject:
Watchdog script for VPN client
Note: recent builds have a watchdog built-in!
If you are using PBR, the normal watchdog function of DDWRT is not working; you have to do your checking via the VPN tunnel.
This also applies if you have set up the OVPN client on a WAP.
There are VPN settings to mitigate the disconnection problem (keepalive 10 60, reneg-sec 0 (this is not recommended because of safety concerns), use TCP instead of UDP, use another OVPN server), but these seldom work.
This script is also useful if you do not want the full reboot which the DDWRT watchdog is doing, but only a restart of the VPN client.
@Sploit has written a watchdog script, see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1093571#1093571
Unfortunately the script kills all OpenVPN instances and thus also your OpenVPN server if you are using that simultaneously with your OpenVPN client.
I have posted a revision of that script in that thread which only kills the OpenVPN client; you can find it on the second page.
I have also made a simple solution to restart the OpenVPN client (or reboot the router). If you disable the OpenVPN Client in the GUI the script will not execute; this resumes when you enable the OpenVPN Client again.
See attached script, only visible when you are logged in!
name: ddwrt-vpn-pbr-watchdog-05.sh
version: 0.5, 08-11-2019 by egc
purpose: restarts OVPN Client or reboots router when VPN goes down
script type: jffs script called from startup script
instructions:
1. unzip and modify parameters in script if necessary, make sure not to include Windows style line endings <CR>
2. copy modified script to /jffs (or external storage, e.g., usb)
3. make script executable:
Code:
chmod +x /jffs/ddwrt-vpn-pbr-watchdog-05.sh
4. call this script from the startup (Administration/Commands, Save as Startup) after making sure it works:
Code:
sh /jffs/ddwrt-vpn-pbr-watchdog-05.sh &
Warning: use at your own risk, this is a beta version.
If you do not have or do not want to make permanent storage like JFFS2 or a USB stick, you can paste the following code in Administration/Commands and Save as Startup; after that reboot the router:
Code:
#=======BEGIN vpn-pbr-watchdog=========
sleep 60 # give the OVPN client time to come up after boot
SCRIPT="/tmp/vpn-pbr-watchdog.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
(
SLEEP=300 # time (in secs) between each pass, do not set lower than 180 this gives you the ability to login and remove script from startup
#DEBUG= # uncomment/comment to enable/disable debug mode
#REBOOT= # uncomment to Reboot, comment this line to only restart OpenVPN Client
PINGIP="8.8.8.8" # Target IP to ping to
[ ${DEBUG+x} ] && set -x
logger "Start $(basename $0)"
while sleep $SLEEP; do
    logger "sleep $SLEEP $(basename $0)"
    # skip the check while the OpenVPN client is disabled in the GUI
    [ "$(nvram get openvpncl_enable)" == "0" ] && continue
    # tunnel interface name taken from the client config (comments stripped)
    TUN=$(sed '/^[[:blank:]]*#/d;s/#.*//' "/tmp/openvpncl/openvpn.conf" | grep -oE 'tun[0-9]' | tail -1)
    # ping through the tunnel; a single failure is rechecked after 29 s before acting
    # ("> /dev/null 2>&1" is the POSIX form, "&>" is a bash extension not every busybox sh accepts)
    while ! ping -qc1 -W6 -n $PINGIP -I $TUN > /dev/null 2>&1; do
        sleep 29
        if ! ping -qc1 -W6 -n $PINGIP -I $TUN > /dev/null 2>&1; then
            logger "$(basename $0) $TUN down, Reboot or Restart of OVPN Client will be executed"
            [ ${REBOOT+1} ] && reboot || restart_f openvpn
            break
        fi
    done
done
) 2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT
$SCRIPT > /dev/null 2>&1 &
#=======END vpn-pbr-watchdog=========
So I am in WAP mode and have OVPN router and client up and running. Archer C9 on build 41418.
Can I just put your code "unchanged" in my DD-WRT startup and it will work for restarting the VPN client, 'cause reboot is commented?
I guess I need to adjust the target IP, but which is the right IP to use here?
Edit: I use PBR 192.168.2.2/24 as PBR rule 'cause 192.168.2.2 is the local IP for my DD-WRT WAP router. Hope this doesn't disturb that script.
#=======BEGIN vpn-pbr-watchdog=========
sleep 30 # wait for the OVPN client to come up after boot
SCRIPT="/tmp/vpn-pbr-watchdog.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
(
SLEEP=300 # time (in secs) between each pass, do not set lower than 180 this gives you the ability to login and remove script from startup
#DEBUG= # uncomment/comment to enable/disable debug mode
#REBOOT= # uncomment to Reboot, comment this line to only restart OpenVPN Client
PINGIP="8.8.8.8" # Target IP to ping to
[ ${DEBUG+x} ] && set -x
logger "Start $(basename $0)"
# name of OVPN client tunnel interface, read from the client config (default is tun1)
TUN=$(grep "dev " /tmp/openvpncl/openvpn.conf 2>/dev/null | cut -d " " -f 2)
[ -z "$TUN" ] && TUN=tun1
while sleep $SLEEP; do
    logger "sleep $SLEEP $(basename $0)"
    # quit if OpenVPN client has been disabled
    [ "$(nvram get openvpncl_enable)" == "0" ] && break
    # ping through the tunnel; on failure restart (or reboot) after 15 s
    while ! ping -qc1 -W6 -n $PINGIP -I $TUN > /dev/null; do
        logger "$(basename $0) $TUN down, Reboot or Restart of OVPN Client will be executed"
        sleep 15
        [ ${REBOOT+1} ] && reboot || restart_f openvpn
        break
    done
done
) 2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT
nohup $SCRIPT > /dev/null 2>&1 &
#=======END vpn-pbr-watchdog=========
Last edited by boris03 on Wed Nov 06, 2019 14:37; edited 1 time in total
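Both watchdog variants in this thread read the tunnel name out of /tmp/openvpncl/openvpn.conf, one with grep -oE 'tun[0-9]' and one with grep "dev ". The following is an added example, not code from either script, of a lookup that tolerates comment lines, ";" comments, a bare "dev tun" and interfaces beyond tun9; it takes the config text as an argument so it runs without a router, and the tun1 fallback is an assumption taken from the "default is tun1" comment in the script above.

```shell
#!/bin/sh
# Added example (not code from either watchdog variant in this thread): find the
# OpenVPN client's tun interface in an openvpn.conf the way the scripts above try
# to, but tolerant of "#"/";" comments, "dev tun" without a number and interface
# numbers beyond tun9. Config text is passed in, so it runs without a router.
# Assumption: tun1 is the fallback, the default the second script's comment names.
#
# ovpn_tun_if CONFIG_TEXT   -> prints the interface name, e.g. "tun1"
ovpn_tun_if() {
    dev=$(printf '%s\n' "$1" \
        | sed -n -e 's/[[:blank:]]*[#;].*//' \
                 -e 's/^[[:blank:]]*dev[[:blank:]]\{1,\}\(tun[0-9]*\)[[:blank:]]*$/\1/p' \
        | tail -n 1)
    case "$dev" in
        tun[0-9]*) printf '%s\n' "$dev" ;;   # explicit "dev tunN": use it
        *)         printf '%s\n' "tun1" ;;   # bare "dev tun" or no dev line: default
    esac
}
```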
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Wed Nov 06, 2019 14:36 Post subject:
Yes, a WAP has its default via br0 and not via the tun1 interface, so I do not think the DDWRT watchdog will work; so yes, you also need one of the above solutions.
You can just use the script as is; it will only restart the OVPN client and not reboot.
The target IP 8.8.8.8 is Google's and is the most used, so just leave it.
This is not tested on a WAP, so let me know if it works.
When you add this to startup, a script will be created: /tmp/vpn-pbr-watchdog.sh
You can check if it is created by telnetting into your router and do:
Code:
cat /tmp/vpn-pbr-watchdog.sh
You can check if the script runs by telnetting into your router and do:
Code:
ps
The script also writes every 300 seconds into your syslog:
Nov 6 14:42:40 R7800 user.notice root: sleep 300 vpn-pbr-watchdog.sh
when you telnet into your router and do:
Code:
grep vpn-pbr /var/log/messages
You see everything the script is doing, also if it restarts (assuming you have Syslog turned on under Services/System Log).
If the script is not doing what you want then edit the startup and remove the "#" before DEBUG that enables debug mode.
Then send output of:
Code:
grep vpn-pbr /var/log/messages
If you want to trigger a VPN connect you can telnet into your router and do:
Code:
iptables -I OUTPUT -o tun1 -j REJECT
This will block tun1 (the OVPN client's interface).
When you see it is working, you either have to reboot the router or delete the rule with:
grep vpn-pbr /var/log/messages
shows just nothing. I was waiting more than 5 min.
Will it only work when I remove the # before DEBUG?
And now when I want to test I just use
"iptables -I OUTPUT -o tun1 -j REJECT"
to stop the OVPN client and wait until the script tries to restart?
Yes it runs
grep vpn-pbr /var/log/messages should show the script reporting, also without DEBUG turned on.
Have a look at the GUI: Status/Syslog (maybe you do not have syslog turned on? You can turn it on on the Services page under System Log).
So it works - Proof of concept for you working also on WAP routers, and I leave it like it is!
The only thing that would be great for other dummy users like me is if you could include it in the Web GUI with two flags for restart and reboot.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Wed Nov 06, 2019 17:56 Post subject:
boris03 wrote:
You are the man :-)
So it works - Proof of concept for you working also on WAP routers, and I leave it like it is!
The only thing that would be great for other dummy users like me is if you could include it in the Web GUI with two flags for restart and reboot.
Hmm, although not very difficult (I did look into it), we have this reasonably easy fix handy.