Posted: Thu Jan 18, 2018 19:07 Post subject: Route only certain destination domains through VPN?
I have configured the DD-WRT router to only route traffic from one of my machines (AppleTV) through VPN using the policy based routing setting and it works fine.
I would however like to only route certain destinations (for example www.google.com) through the VPN, the rest through the normal internet connection.
Is this possible? I have tried searching but can't really find anything.
@eibgrad: I have amended the basic version of your script to only send 46.4.175.45 (whatsmyip.com) through the VPN, on 1 device (my server), just to test it's running correctly. However everything seems to be sent through VPN, for all devices. For testing purposes, my desktop returns the same IP as my mobile phone.
Syslog has been enabled, and PBR has been disabled, as per the instructions in the script.
Your script contains the following rule:
add_rule from 192.168.0.2 to 46.4.175.45 # SERVER to www.whatsmyip.com
Ah, I think I get you now. Sorry, I misunderstood (didn't think it through).
I have now added 'route-noexec' to the additional config, added the route I want in your script - and it looks like it is working now.
A quick question though - do I need to reboot the server every time I say add an entry in the rules, or can it be done without a reboot? (I suspect the answer is that the startup copies the file into /tmp/ovpn_split, etc, but thought I'd check).
I hope so much you are still there!
Three years ago you had exactly the problem that I am about to fix now...
You wrote:
I have configured the DD-WRT router to only route traffic from one of my machines (AppleTV) through VPN using the policy based routing setting and it works fine.
I would however like to only route certain destinations (for example www.google.com) through the VPN, the rest through the normal internet connection.
Is this possible? I have tried searching but can't really find anything.
You seem to have found a solution for this, but the solution is offline now...
Could you send me screenshots of your configuration or so?
That would be awesome!
Joined: 08 May 2018 Posts: 14828 Location: Texas, USA
Posted: Wed Apr 14, 2021 16:05 Post subject:
Thanks for resurrecting this thread with missing content from @eibgrad due to a major oops that I inflicted on the forum inadvertently last year. Unfortunately, I can't even find the missing content on web.archive.org, so it's a complete loss unless someone remembers what the solution was.
PBR (policy based routing) is NOT required (nor even desirable) if all you need to do is control *destination* IPs. PBR is primarily intended to control how *source* IPs are routed wrt the WAN vs. VPN. Using PBR has the often undesirable side-effect of removing the router itself from the VPN, which can lead to things like DNS leaks.
For the purposes of controlling destination IPs, all you need to do is create static routes (in the form of route directives in the Additional Config field of the OpenVPN client) to bind those IPs to either the WAN or VPN.
If all you need to do is monitor *destination* IPs, PBR isn't needed. PBR's main purpose is to monitor how IPs are routed between the WAN and the VPN. Using PBR has the unintended consequence of disconnecting the router from the VPN, which can result in DNS leaks.
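The approach described above (static route directives in the OpenVPN client's Additional Config, no PBR), written out as an added example for this thread rather than eibgrad's lost script. It assumes a DD-WRT OpenVPN client with PBR disabled and a server that pushes redirect-gateway (as the log later in this thread shows); 46.4.175.45 is the destination used in the thread, the 203.0.113.0/24 block and 198.51.100.10 are constructed placeholders.

```conf
# Added example, not from the original thread or from DD-WRT.
# Goal: only the listed destinations go through the tunnel; everything else
# keeps using the WAN.

# Ignore everything the server pushes (redirect-gateway, route, dhcp-option DNS).
# The default route therefore stays on the WAN. With OpenVPN 2.4+ a narrower
# alternative is:  pull-filter ignore "redirect-gateway"
route-nopull

# Pin individual destinations to the tunnel. "vpn_gateway" is OpenVPN's keyword
# for the remote end of the tun interface; a /32 mask pins a single host.
route 46.4.175.45 255.255.255.255 vpn_gateway
route 203.0.113.0 255.255.255.0 vpn_gateway        # constructed placeholder block

# The mirror image, if you would rather keep the pushed default route through
# the VPN and only exempt a few destinations: drop route-nopull above and pin
# those destinations to the WAN instead with "net_gateway".
# route 198.51.100.10 255.255.255.255 net_gateway  # constructed placeholder
```

Two caveats worth knowing before relying on this. First, a `route` line takes an IP or a hostname that OpenVPN resolves once at start-up, so a name with many changing addresses (www.google.com is the example in the thread) will only be partially covered; this works well for destinations with stable addresses. Second, with `route-nopull` the pushed `dhcp-option DNS` is rejected too (visible as an "Options error" in the log below), so name resolution continues to go to the ISP resolver over the WAN; decide deliberately whether that is acceptable, since it is exactly the DNS-leak situation eibgrad mentions.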
Joined: 18 Mar 2014 Posts: 13277 Location: Netherlands
Posted: Tue Apr 20, 2021 6:25 Post subject:
Policy Based Routing:
Quote:
When using a VPN normally all traffic is routed via the VPN (if the VPN server pushes the redirect default gateway).
You can however have a choice from which clients (sources) or to which IP addresses (destination) you want to route
via the VPN or the WAN.
This is done with the help of Policy Based Routing (PBR)
Policy Based Routing is just that: routing using a policy. It is not synonymous with source-based routing; it also comprises destination-based routing and as such is covered in the Policy Based Routing guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Posted: Mon Apr 26, 2021 11:11 Post subject: My solution so far
Hi Folks,
I spent a couple of hours yesterday getting this thing to work and now it seems I have found my solution! Some things are still weird (take a look at my OpenVPN log; some IPs have been replaced manually), but now I am routing my VPN only to a specific domain that you can see in my additional config, and the rest is going through my ISP directly. That's what I wanted.
Somehow I can't connect to Switzerland (Private Internet Access) since yesterday, but that seems to be an issue with PIA. I just double-checked that with other countries, which are all instantly working.
Is there anything else I need to check?
Clientlog:
19700101 01:00:53 W WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
19700101 01:00:53 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19700101 01:00:53 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
19700101 01:00:53 I OpenVPN 2.5.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 3 2020
19700101 01:00:53 I library versions: OpenSSL 1.1.1h 22 Sep 2020 LZO 2.09
19700101 01:00:53 MANAGEMENT: TCP Socket listening on [AF_INET]xx.xx.xx.xx
19700101 01:00:53 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19700101 01:00:53 I TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1198
19700101 01:00:53 Socket Buffers: R=[180224->180224] S=[180224->180224]
19700101 01:00:53 I UDPv4 link local: (not bound)
19700101 01:00:53 I UDPv4 link remote: [AF_INET] xx.xx.xx.xx:1198
19700101 01:00:53 TLS: Initial packet from [AF_INET] xx.xx.xx.xx:1198
sid=81b048e4 66e0941a
19700101 01:00:53 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
19700101 01:00:53 N VERIFY ERROR: depth=0 error=certificate is not yet valid: C=US ST=CA L=LosAngeles O=Private Internet Access OU=Private Internet Access CN=tirana401 name=tirana401 serial=94565967192
19700101 01:00:53 N OpenSSL: error:1416F086:lib(20):func(367):reason(134)
19700101 01:00:53 N TLS_ERROR: BIO read tls_read_plaintext error
19700101 01:00:53 NOTE: --mute triggered...
19700101 01:00:53 2 variation(s) on previous 3 message(s) suppressed by --mute
19700101 01:00:53 I SIGUSR1[soft tls-error] received process restarting
19700101 01:00:53 Restart pause 5 second(s)
20210426 12:49:06 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20210426 12:49:06 I TCP/UDP: Preserving recently used remote address: [AF_INET] xx.xx.xx.xx:1198
20210426 12:49:06 Socket Buffers: R=[180224->180224] S=[180224->180224]
20210426 12:49:06 I UDPv4 link local: (not bound)
20210426 12:49:06 I UDPv4 link remote: [AF_INET] xx.xx.xx.xx:1198
20210426 12:49:06 TLS: Initial packet from [AF_INET] xx.xx.xx.xx:1198
sid=bed03683 a04c9b9a
20210426 12:49:06 VERIFY KU OK
20210426 12:49:06 Validating certificate extended key usage
20210426 12:49:06 NOTE: --mute triggered...
20210426 12:49:06 4 variation(s) on previous 3 message(s) suppressed by --mute
20210426 12:49:06 I [tirana401] Peer Connection Initiated with [AF_INET] xx.xx.xx.xx:1198
20210426 12:49:07 SENT CONTROL [tirana401]: 'PUSH_REQUEST' (status=1)
20210426 12:49:07 PUSH: Received control message: 'PUSH_REPLY comp-lzo no redirect-gateway def1 route-ipv6 2000::/3 dhcp-option DNS 10.0.0.243 route-gateway 10.11.112.1 topology subnet ping 10 ping-restart 60 ifconfig xx.xx.xx.xx 255.255.255.0 peer-id 6'
20210426 12:49:07 N Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
20210426 12:49:07 N Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
20210426 12:49:07 N Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
20210426 12:49:07 OPTIONS IMPORT: timers and/or timeouts modified
20210426 12:49:07 OPTIONS IMPORT: compression parms modified
20210426 12:49:07 OPTIONS IMPORT: --ifconfig/up options modified
20210426 12:49:07 NOTE: --mute triggered...
20210426 12:49:07 3 variation(s) on previous 3 message(s) suppressed by --mute
20210426 12:49:07 Using peer cipher 'AES-128-CBC'
20210426 12:49:07 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20210426 12:49:07 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
20210426 12:49:07 NOTE: --mute triggered...
20210426 12:49:07 2 variation(s) on previous 3 message(s) suppressed by --mute
20210426 12:49:07 net_route_v4_best_gw query: dst 0.0.0.0
20210426 12:49:07 net_route_v4_best_gw result: via 192.168.178.1 dev eth0
20210426 12:49:07 I TUN/TAP device tun1 opened
20210426 12:49:07 I net_iface_mtu_set: mtu 1500 for tun1
20210426 12:49:07 I net_iface_up: set tun1 up
20210426 12:49:07 I net_addr_v4_add: xx.xx.xx.xx dev tun1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 I Initialization Sequence Completed
20210426 12:55:53 MANAGEMENT: Client connected from [AF_INET] xx.xx.xx.xx
20210426 12:55:53 D MANAGEMENT: CMD 'state'
20210426 12:55:53 MANAGEMENT: Client disconnected
20210426 12:55:53 MANAGEMENT: Client connected from [AF_INET] xx.xx.xx.xx
20210426 12:55:53 D MANAGEMENT: CMD 'state'
20210426 12:55:53 MANAGEMENT: Client disconnected
20210426 12:55:53 MANAGEMENT: Client connected from [AF_INET] xx.xx.xx.xx
20210426 12:55:53 D MANAGEMENT: CMD 'state'
20210426 12:55:53 MANAGEMENT: Client disconnected
20210426 12:55:53 MANAGEMENT: Client connected from [AF_INET] xx.xx.xx.xx
20210426 12:55:53 D MANAGEMENT: CMD 'status 2'
20210426 12:55:53 MANAGEMENT: Client disconnected
20210426 12:55:53 MANAGEMENT: Client connected from [AF_INET] xx.xx.xx.xx
20210426 12:55:53 D MANAGEMENT: CMD 'log 500'
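A quick way to confirm from the router itself that only the pinned destinations leave via the tunnel, rather than trusting an external "what is my IP" page per device. This is an added example, not part of the original thread; it assumes the BusyBox/iproute2 `ip` command available on DD-WRT, the tunnel interface `tun1` and WAN interface `eth0` seen in the log above, and 8.8.8.8 as an arbitrary address that should stay on the WAN.

```shell
#!/bin/sh
# Added example (not from the thread): check which interface a destination
# will use, according to the router's live routing table.

VPN_IF="tun1"   # assumption: tunnel interface from the log above

# parse_dev: extract the "dev X" field from one line of "ip route get" output,
# e.g. "46.4.175.45 via 10.11.112.1 dev tun1 src 10.11.112.5"  ->  "tun1"
parse_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# classify: "vpn" when the route leaves via the tunnel, otherwise "wan".
classify() {
    dev=$(parse_dev "$1")
    if [ "$dev" = "$VPN_IF" ]; then
        echo vpn
    else
        echo wan
    fi
}

# check_dest: query the live routing table for one destination (run on the router).
check_dest() {
    line=$(ip route get "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "no route for $1"; return 1; }
    printf '%s -> %s (%s)\n' "$1" "$(parse_dev "$line")" "$(classify "$line")"
}

# Live run only when asked for explicitly, so the functions above can also be
# sourced or tested offline:  sh check_split.sh --live
if [ "${1:-}" = "--live" ]; then
    check_dest 46.4.175.45   # the destination pinned to the VPN in this thread
    check_dest 8.8.8.8       # any other address: should stay on the WAN
fi
```

Run it after the OpenVPN client reports "Initialization Sequence Completed"; the pinned address should report `tun1 (vpn)` and anything else `eth0 (wan)`. Because `route` directives are installed when the client starts, a destination added to Additional Config only shows up here after the client has been restarted.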