Exclude some IP/devices from my Router VPN [solved]

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
ray_308
DD-WRT Novice


Joined: 09 Jan 2020
Posts: 17
Location: Heemskerk, The Netherlands

Posted: Thu Jan 09, 2020 21:59    Post subject: Exclude some IP/devices from my Router VPN [solved]
Hi there,

I have a Linksys WRT3200ACM router, currently with the firmware from Expressvpn. I did use dd-wrt in the past and want to go back to dd-wrt instead of the Expressvpn firmware.

There is only one thing that I cannot find, when I'm going to use dd-wrt.

When I configure my VPN on the router (on dd-wrt) all clients use the internet through the VPN. But I need a few devices not to. In the original firmware from Expressvpn I can set these clients to not use the VPN.

Is it possible to configure dd-wrt so that I can exclude some devices/IPs/MAC addresses from the VPN connection (so they use my ISP connection)?

And if this is possible, does port forwarding work on the devices that are not on the VPN?


Last edited by ray_308 on Mon Jan 13, 2020 16:06; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Fri Jan 10, 2020 14:17    Post subject:
That is done with Policy Based Routing, and yes clients not using the VPN can be port forwarded

For an excellent guide (and I am not saying that because I am the author) about PBR see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686

If you want the most of your users to use the VPN then start with setting your DHCP Start IP address at .64 and use a maximum of 64 users.

If you read the guide you will understand why that will make your life easier :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
ray_308
DD-WRT Novice


Joined: 09 Jan 2020
Posts: 17
Location: Heemskerk, The Netherlands

Posted: Sat Jan 11, 2020 17:09    Post subject:
Thanks!
ray_308
DD-WRT Novice


Joined: 09 Jan 2020
Posts: 17
Location: Heemskerk, The Netherlands

Posted: Sun Jan 12, 2020 16:23    Post subject:
Thanks for your reply again. So you set all your clients/devices to use the VPN, and if you do not set a client it is not using the VPN?

I thought that all clients used the VPN once you make the VPN connection. But it is the other way around, so it seems.

The guide is excellent by the way.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Sun Jan 12, 2020 17:17    Post subject:
ray_308 wrote:
Thanks for your reply again. So you set all your clients/devices to use the VPN, and if you do not set a client it is not using the VPN?

I thought that all clients used the VPN once you make the VPN connection. But it is the other way around, so it seems.

The guide is excellent by the way.
I believe you can specify either which clients do use or which clients do not use the vpn, but check out @egc's guide for the real answer.

I've never needed port forwarding so am no expert, but I do find it intriguing that AirVPN (or other vpn providers? anyone know?) offers port forwarding from an AirVPN server back to your router when you are connected to that server in the ordinary way: https://airvpn.org/faq/port_forwarding/. The IP address you present to the world is that of one of their servers, so you maintain some location and other privacy as well as location flexibility. You can move around. You can connect to their server from different IP addresses, but your customers or users or whatever always see you at the same IP address and port. When you set this up, you can choose the port they will see (if it is not already taken), but it cannot be a low-numbered port, so no port 80 or 443. You can, however, have the high-numbered port your users see mapped to a low-numbered port on your system if you wish.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
ray_308
DD-WRT Novice


Joined: 09 Jan 2020
Posts: 17
Location: Heemskerk, The Netherlands

Posted: Mon Jan 13, 2020 11:41    Post subject:
OK, I'm using PBR in the field of the OpenVPN settings. My build is not high enough for your guide.

But still port forwarding was not working, and there was a DNS leak.

I accidentally added my router IP to the PBR list. Now port forwarding works. But no internet from LAN anymore.

And I think I'm locked out of the router now because of my mistake :(

Anyone know why?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Jan 13, 2020 12:00    Post subject:
Yes, if you include your router's IP address with builds before 41174 you will lock yourself out, as there is no local route in the PBR routing table.

But even if you have an earlier build you can port forward when using PBR (but of course not to the IP addresses you put in the PBR range).

Earlier builds also had trouble using PBR and/or port forwarding when SFE is enabled.

So disable SFE (Shortcut Forwarding Engine) on the Setup tab.

For builds prior to 41174 see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662



Last edited by egc on Mon Jan 13, 2020 12:07; edited 2 times in total
ray_308
DD-WRT Novice


Joined: 09 Jan 2020
Posts: 17
Location: Heemskerk, The Netherlands

Posted: Mon Jan 13, 2020 12:03    Post subject:
OK thanks, I'll have a better look.

Online again, reset to factory defaults and restored a backup that was only 10 minutes old ;)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Jan 13, 2020 12:08    Post subject:
Regarding the DNS leak: you will have that when using PBR and you cannot do a lot about it (well, you can use static routing, but as the VPN address is not fixed and changes a lot that is difficult); you can in builds after 41174 as detailed in the third post of the PBR thread: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662

Or use the scripts I referenced for builds prior to 41174; then you can also deal with DNS leaks more easily.

ray_308
DD-WRT Novice


Joined: 09 Jan 2020
Posts: 17
Location: Heemskerk, The Netherlands

Posted: Mon Jan 13, 2020 12:24    Post subject:
Hi egc,

If I want to use build 41174 or higher, where do I find this build? I understand that I'm using a build that is not that good (40559).

Edit: found it ;)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Jan 13, 2020 12:45    Post subject:
Be sure to research the build threads; Marvell routers can be picky, see points 8 and 9 :)

Below some pointers which might help to get the best out of DDWRT and out of the forum:
1. Research your router, start with the supported devices wiki:
https://wiki.dd-wrt.com/wiki/index.php/Supported_Devices
2. In the supported devices wiki you can see if your router is supported and what architecture your router has and if you are lucky also an install guide/wiki.
3. Post in the right forum, from the former step you can see if your router is Broadcom, Qualcomm/Atheros, Marvell or other, use that forum to post router specific questions, for networking questions post in the Advanced Networking forum and for other things in the General Questions forum.
4. When posting always state router model, build number and when applicable the Kernel version.
Describe your problem and how you think it can be solved.
Give as much detail as you can also provide your network setup if applicable.
For your Network setup, state what wiki you have used: https://wiki.dd-wrt.com/wiki/index.php/Linking_Routers
5. When posting pictures make sure the maximum width is not more than 600 pixels.
6. Do not hijack a thread, meaning do not post your own problem in someone else's thread. Just start your own thread. This so that it can be searched and found by others.
7. If your post is answered and your problem solved, mark your thread with [SOLVED] (the header of your first post).
8. Do NOT use the router database, builds can be found at:
https://dd-wrt.com/support/other-downloads/?path=betas%2F2019%2F
All builds are beta including those from the router database.
9. Before uploading a new build to your router, research the build by looking in the build threads.
This is an example of a build thread for build 41686 for Broadcom routers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322339
Search build threads with the search function and search on build number.
10. Use the build threads from the former step to report success or problems.
11. For older Broadcom routers (Linksys WRT54 and E series) read the peacock thread although some of it is outdated: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=51486
Builds can be found in the Broadcom directory for Linux kernel 2.4, in Broadcom_K26 for Linux K2.6 and in Broadcom_K3X for Linux K3.X.
12. If you are sure you have discovered a bug, after asking and querying the forum, you can report a real bug in the bug tracker: https://svn.dd-wrt.com/
This is also the place where the commits/changes to the source are administrated.
13. Recommended reading:
https://forum.dd-wrt.com/wiki/index.php/Main_Page
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=54845
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=54959
14. If you are happy with DDWRT and want it to live on then donate:
https://dd-wrt.com/donations/

ray_308
DD-WRT Novice


Joined: 09 Jan 2020
Posts: 17
Location: Heemskerk, The Netherlands

Posted: Mon Jan 13, 2020 13:55    Post subject:
Hi egc,

Thanks for the info, after reading most of it I installed build 41954 on my WRT3200ACM and it seems to work fine, without any problems.

I used your guide for the OVPN clients (including the router); this works too. ;)

Port forwarding works fine from the WAN, but from the LAN I cannot connect to the FQDN.

So if I connect to the internal IP of my NAS it works; from the WAN it works with the FQDN, but not from the LAN.
Any ideas?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Jan 13, 2020 14:11    Post subject:
I think the problem is hairpinning/NAT loopback: you cannot reach your own DNS address (like the one you are setting up with DynDNS); that is a limitation of NAT loopback. I think the router does not NAT your internal client's address, thus the TCP handshake fails.

If that is your problem, then there should be a trick for that; it is something like adding to the additional DNSMasq options:
address=/mydnsaddress.com/my-internal-ipadress

I hope someone with more DNSMasq expertise will chime in to tell you exactly what it should be :)

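Added example (not from this thread, not DD-WRT code and not from egc's guide): a small POSIX shell script that puts three points from egc's replies into checkable form. It sizes the VPN client block from the DHCP suggestion (start at .64, at most 64 users, which fits one /26), checks a PBR list for the router's own address (the lock-out egc describes on builds before 41174), and builds the dnsmasq `address=/name/ip` option for LAN clients so they reach the NAS directly instead of via NAT loopback. Assumptions, all constructed for the example: the LAN is 192.168.1.0/24 with the router at 192.168.1.1, the PBR field holds space-separated IPs or CIDR blocks, and the public name is `nas.example.invalid` pointing at LAN host 192.168.1.10.

```shell
#!/bin/sh
# Added example for this thread (not DD-WRT code, not from egc's guide).
# Assumptions: LAN 192.168.1.0/24, router at 192.168.1.1, PBR list is a
# space-separated set of IPs/CIDRs, dnsmasq's standard address=/name/ip option.

ip2int() {                       # dotted quad -> integer (no bit shifts, dash-safe)
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

pow2() {                         # pow2 N -> 2^N
    r=1; i=0
    while [ "$i" -lt "$1" ]; do r=$((r * 2)); i=$((i + 1)); done
    echo "$r"
}

in_cidr() {                      # in_cidr IP ENTRY -> true if IP lies in ENTRY (bare IP = /32)
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    size=$(pow2 $((32 - bits)))
    [ $(( $(ip2int "$1") / size )) -eq $(( $(ip2int "$net") / size )) ]
}

# dhcp_to_cidr START COUNT -> the one CIDR covering COUNT addresses from START;
# fails if COUNT is not a power of two or START is not aligned to that block.
# This is why "start at .64, max 64 users" is convenient: it is exactly 192.168.1.64/26.
dhcp_to_cidr() {
    start=$(ip2int "$1"); count=$2; bits=32; size=1
    while [ "$size" -lt "$count" ]; do size=$((size * 2)); bits=$((bits - 1)); done
    [ "$size" -eq "$count" ] || { echo "count $count is not a power of two" >&2; return 1; }
    [ $((start % size)) -eq 0 ] || { echo "$1 is not aligned to a /$bits block" >&2; return 1; }
    echo "$1/$bits"
}

# pbr_check ROUTER_IP "LIST" -> non-zero plus a warning if the router's own address is
# covered by any entry (on builds before 41174 that is the lock-out egc describes).
pbr_check() {
    bad=0
    for entry in $2; do
        if in_cidr "$1" "$entry"; then
            echo "WARNING: router address $1 is covered by PBR entry $entry" >&2
            bad=1
        fi
    done
    return $bad
}

# lan_override FQDN IP LAN_CIDR -> dnsmasq option that makes LAN clients resolve the
# public name straight to the LAN host (no NAT loopback needed); refuses an IP outside
# the LAN so a typo cannot send local clients to some other address.
lan_override() {
    in_cidr "$2" "$3" || { echo "$2 is not inside $3" >&2; return 1; }
    echo "address=/$1/$2"
}

# --- constructed demo values, not from the thread ---
ROUTER_IP=192.168.1.1
LAN=192.168.1.0/24
VPN_CLIENTS=$(dhcp_to_cidr 192.168.1.64 64)          # 192.168.1.64/26

if pbr_check "$ROUTER_IP" "$VPN_CLIENTS 192.168.1.200"; then
    echo "PBR list OK: $VPN_CLIENTS 192.168.1.200"
fi
pbr_check "$ROUTER_IP" "$VPN_CLIENTS $ROUTER_IP" || echo "do not apply this list"

lan_override nas.example.invalid 192.168.1.10 "$LAN"  # address=/nas.example.invalid/192.168.1.10
```

Run it before pasting a PBR list into the OpenVPN client page: the second `pbr_check` call shows the warning for a list that contains the router itself, and the `lan_override` line is what goes into the additional DNSMasq options field, with the real name and NAS address substituted.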
ray_308
DD-WRT Novice


Joined: 09 Jan 2020
Posts: 17
Location: Heemskerk, The Netherlands

Posted: Mon Jan 13, 2020 16:05    Post subject:
This resolved itself after a reboot of the router. Don't know what the problem was.
All times are GMT