[SOLVED]VPN and ipset

djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

PostPosted: Tue May 11, 2021 11:48    Post subject: [SOLVED]VPN and ipset
Hi everyone,

After some long hard work I managed to set up ipset. Now I want to use these ipset tables to have 'normal' traffic use the vpn (which is working already) and some traffic (ipset) bypass the vpn (netflix, youtube and Office 365 for now).

Although I have read many different topics about vpn, ipset, pbr, I just want to verify if what I intend doing would get this working.

I have ipset save on exit and restore on restart of the router, by the way.

This is the script (that I would have to save as a firewall script?) that I came up with after reading some documents by forum member egc:



#add default route to alternate table (192.168.0.1 = the gateway on the WAN side)
ip route add default via 192.168.0.1 table 100

#add local routes to alternate table; a route without "via" needs a "dev",
#otherwise ip answers "No such device" (br0 is the DD-WRT LAN bridge, assumed here;
#if 192.168.0.0/23 is the network on the WAN side, use the WAN interface for that one)
ip route add 127.0.0.0/8 dev lo table 100
ip route add 192.168.0.0/23 dev br0 table 100
ip route add 192.168.10.0/23 dev br0 table 100

# force routing system to recognize our changes
ip route flush cache

# add firewall rule
iptables -t mangle -D PREROUTING -m set --match-set NETFLIX dst -j MARK --set-mark 40
iptables -t mangle -A PREROUTING -m set --match-set NETFLIX dst -j MARK --set-mark 40

iptables -t mangle -D PREROUTING -m set --match-set OUTLOOK.OFFICE365 dst -j MARK --set-mark 40
iptables -t mangle -A PREROUTING -m set --match-set OUTLOOK.OFFICE365 dst -j MARK --set-mark 40

iptables -t mangle -D PREROUTING -m set --match-set OUTLOOK.OFFICE dst -j MARK --set-mark 40
iptables -t mangle -A PREROUTING -m set --match-set OUTLOOK.OFFICE dst -j MARK --set-mark 40

iptables -t mangle -D PREROUTING -m set --match-set YOUTUBE dst -j MARK --set-mark 40
iptables -t mangle -A PREROUTING -m set --match-set YOUTUBE dst -j MARK --set-mark 40


# start split tunnel
ip rule del fwmark 40 table 100
ip rule add fwmark 40 table 100


Would this do the trick?

Thanks in advance,
Greetings Rob
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Tue May 11, 2021 16:30    Post subject:
You probably also found the route scripts which accompany the IPSET documentation

Although I made an example for WireGuard, it should also work for OpenVPN, so yes, basically this is how you make an alternate routing table and reroute firewall mark traffic via that alternate routing table.

So have a go and let us know if it works

P.S. also have a look at @eibgrad's excellent (IPSET) script which is designed for use with OpenVPN:
https://pastebin.com/nC27ETsp

P.P.S. It is always helpful if you state router model and build number.
To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
If you have not already read the forum guidelines, please do !!

EDIT:
Code:
ip route add 192.168.0.0/23 table 100
ip route add 192.168.10.0/23 table 100


Is the /23 intentional/correct?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

PostPosted: Wed May 12, 2021 5:52    Post subject:
First of all: thanks for your reply!

Quote:
You probably also found the route scripts which accompany the IPSET documentation


Sure did!
Already found some stuff by @eibgrad, but those scripts were a bit too lengthy for me. To get a grip on what's happening I want to understand what happens and for what reason, so rather a few lines of 'code'. Nature of the beast I suppose.

Quote:
Code:
ip route add 192.168.0.0/23 table 100
ip route add 192.168.10.0/23 table 100



Yes, this is intentional. I have a subnet that hosts some reserved addresses (...10.xxx) and a subnet for dhcp leases (...11.xxx). The latter I use for all devices (kids of course) that I prohibit from using the internet on a time schedule. Had to work around the 'private address' feature (Apple in this case), that's why.

My router is a Linksys WRT3200ACM and it's running on DD-WRT v3.0-r44715.

I will try to apply the script in a couple of hours.


One more question; I am using NextDNS at the moment, which works like a charm for blocklists and all that. Using these in the vpn would be no more than adding server=xxx.xxx.xxx.xxx to Additional Dnsmasq Options, right?
Does this have to be added as well in that case (without the hashes)?

Code:
#no-resolv
#bogus-priv
#strict-order

#server=45.90.30.0
#server=45.90.28.0
#add-cpe-id=xxxxx

_________________
Linksys WRT3200ACM
DD-WRT v3.0-r46069
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Wed May 12, 2021 7:21    Post subject:
Regarding DNS and VPN:

Some VPN providers add their own DNS server when the tunnel goes up.
If you do not want that add the following in the VPN Additional Config:
Code:
pull-filter ignore "dhcp-option DNS"


Now only the DNS servers from Static DNS 1,2,3 are used (be sure to tick/enable "Ignore WAN DNS" on setup page)

Alternatively add in Additional DNSMasq Options
Code:
no-resolv
server=45.90.30.0


The DNS servers are routed via the VPN in your setup, if you do not want that you can add a static route in the OpenVPN additional config i.e.:
Code:
route 45.90.30.0 255.255.255.255 net_gateway


A lot of information about DNS and VPN can be found at:
https://forum.dd-wrt.com/phpBB2/download.php?id=46561

djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

PostPosted: Wed May 12, 2021 7:25    Post subject:
Thanks again!

By the way, regarding this part:
# start split tunnel
ip rule del fwmark 40 table 100
ip rule add fwmark 40 table 100

Shouldn't I assign this to another table? As now both 'regular' traffic and the 'ipset' traffic are pointing to the same table?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Wed May 12, 2021 8:03    Post subject:
You make one alternate routing table (table 100)

This table has a default route via the WAN.
so all traffic using this table will use the WAN.

Your main table (which actually has number 254) uses the VPN.

You can "associate" traffic to use this table 100 in various ways.
The IPSETs use a firewall mark: you tag IPSET traffic with fwmark 40 (that is the PREROUTING rule)

Next thing is that you associate fwmark 40 with table 100 with "ip rule add fwmark 40 table 100"

Now all IPSET traffic will use table 100 and thus the WAN and not the default table which uses the VPN.

You can also associate source addresses, destination addresses, source and destination port etc.
So if you want your IPTV which has address 192.168.1.64 with table 100 you do:
Code:
ip rule add from 192.168.1.64 table 100


see https://man7.org/linux/man-pages/man8/ip-rule.8.html

djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

PostPosted: Wed May 12, 2021 8:12    Post subject:
Got it! Thanks again

I will put this in place somewhere today, during some quiet hours at work probably. I'll keep you posted!

Greetz
Rob

UPDATE: everything seems to be working ok. But. How do I verify if the ipset traffic really bypasses the vpn?
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Wed May 12, 2021 14:58    Post subject:
djuroutski wrote:
How do I verify if the ipset traffic really bypasses the vpn?

Set up a pair of firewall rules with -s on the ipset but with no -j action at the end. Give one rule "-o tun1" (or whatever your vpn tunnel interface is) and the other "-o eth0" (or whatever your WAN interface is). Then you can check the packet counts on those two rules when you want to see where stuff has been going.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
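One way to put the counting rules SurprisedItWorks describes to work, as an added example that is not part of the thread: it installs the two target-less rules in FORWARD and then reduces an `iptables -S FORWARD -v` listing to packets per egress interface. The interface names tun1/eth0, the set name NETFLIX and the sample listing are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): verify the ipset bypass with two counting
# rules (no -j) in FORWARD, one per egress interface, and compare their counters.
# Assumed names, adjust to your router: VPN_IF, WAN_IF and the set NETFLIX.
VPN_IF=${VPN_IF:-tun1}
WAN_IF=${WAN_IF:-eth0}
SET=${SET:-NETFLIX}

# Insert one counting rule per interface (delete first so reruns do not duplicate).
# Without a -j target a rule only counts matches and never changes the verdict.
install_counters() {
    for IF in "$VPN_IF" "$WAN_IF"; do
        iptables -D FORWARD -o "$IF" -m set --match-set "$SET" dst 2>/dev/null
        iptables -I FORWARD -o "$IF" -m set --match-set "$SET" dst
    done
}

# Reduce an "iptables -S FORWARD -v" listing ($1) to "<iface> <packets>" lines for
# the counting rules; with -v every rule ends in "-c <packets> <bytes>".
parse_counters() {
    printf '%s\n' "$1" | awk -v set="$SET" '
        index($0, "--match-set " set " dst") {
            iface = ""; pkts = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-o") iface = $(i + 1)
                if ($i == "-c") pkts = $(i + 1)
            }
            if (iface != "") print iface, pkts
        }'
}

# True only when ipset traffic has left via the WAN and nothing via the VPN.
bypass_ok() {
    wan=$(parse_counters "$1" | awk -v i="$WAN_IF" '$1 == i { print $2 }')
    vpn=$(parse_counters "$1" | awk -v i="$VPN_IF" '$1 == i { print $2 }')
    [ "${wan:-0}" -gt 0 ] && [ "${vpn:-0}" -eq 0 ]
}

# Constructed sample of what the router would list after some Netflix traffic.
SAMPLE='-P FORWARD ACCEPT
-A FORWARD -o tun1 -m set --match-set NETFLIX dst -c 0 0
-A FORWARD -o eth0 -m set --match-set NETFLIX dst -c 318 412560
-A FORWARD -i br0 -o tun1 -j ACCEPT -c 9912 7120044'

# Run with argument "live" on the router; without it the sample is analysed.
if [ "$1" = "live" ]; then install_counters; LISTING=$(iptables -S FORWARD -v); else LISTING=$SAMPLE; fi
parse_counters "$LISTING"
if bypass_ok "$LISTING"; then echo "bypass OK"; else echo "ipset traffic is still using the VPN"; fi
```

Packets that match the set but show up on the VPN counter mean the mark or the ip rule is not being applied to that traffic; a zero on both counters means the set does not contain the addresses actually being contacted.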
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Thu May 13, 2021 13:03    Post subject:
Good advice from @Surpriseditworks

Alternatively add something like ipchicken.com or ipleak.net (95.85.16.212) to your IPSET; that site will then show your IP address.
In your case it should be your ISP WAN address and not the VPN.

djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

PostPosted: Sat May 15, 2021 20:26    Post subject:
Thanks a lot to you both!

Works like a charm! At first I forgot to change the firewall script, but in the end found out that part was missing. Then I was able to verify that everything is working like I think it should!

Thanks again!

Greetings Rob
djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

PostPosted: Tue May 18, 2021 11:11    Post subject:
One more thing:

I had some errors in the logging regarding the MTU sizes.
Now I have configured (as it appears to be impossible to directly configure link-mtu) tun-mtu in a way that the error for the link-mtu has been resolved.

However: what's the best way to go about this? Adjust the tun-mtu to the value that the logging reports for the remote value of tun-mtu, or the way I did as described above?

Greetz
Rob
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Tue May 18, 2021 11:15    Post subject:
MTU calculation is buggy on OpenVPN

See the VPN troubleshooting guide, paragraph about MTU size problems and the accompanying references

In daily usage you will not notice any problems as most traffic is TCP, but if you use UDP (streaming media, VoIP) and your applications rely on the client's MTU size you can have problems (most applications do not use packet sizes above 1350, so you will not notice)

djuroutski
DD-WRT Novice


Joined: 09 May 2021
Posts: 14

PostPosted: Tue May 18, 2021 11:31    Post subject:
So your advice? Just set tun-mtu to default (1500)?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

PostPosted: Tue May 18, 2021 12:37    Post subject:
MTU is really a can of worms.

You can set it according to the log (the server side) but only if it is lower than 1500 (usually it is not). The warning will go away but it is not a real solution.

At this moment we default to 1400 to be on the safe side.

For my own setup I manually searched for the optimal MTU, which was 1448; usually it is lower (depends on WAN MTU, used cipher/compression etc.)

So 1400 is a safe bet (the warning will not go away with this)
