Posted: Mon Jun 20, 2022 22:16 Post subject: IP Rules duplicate each time VPN goes down/up
I'm routing only certain IPs through OpenVPN with the code below. The problem is that every time I save or apply a setting in the web GUI the VPN connection must go down and then back up, so my IP rules get duplicated each time.
ip rule list
Code:
0: from all lookup local
32742: from 192.168.0.247 lookup 200
32743: from 192.168.0.199 lookup 200
32744: from 192.168.0.190 lookup 200
32745: from 192.168.0.88 lookup 200
32746: from 192.168.0.247 lookup 200
32747: from 192.168.0.199 lookup 200
32748: from 192.168.0.190 lookup 200
32749: from 192.168.0.88 lookup 200
32750: from 192.168.0.247 lookup 200
32751: from 192.168.0.199 lookup 200
32752: from 192.168.0.190 lookup 200
32753: from 192.168.0.88 lookup 200
32754: from 192.168.0.247 lookup 200
32755: from 192.168.0.199 lookup 200
32756: from 192.168.0.190 lookup 200
32757: from 192.168.0.88 lookup 200
My firewall rules
Code:
# Prevent specified IPs from reaching the internet directly
# So no connection if VPN down (kill switch)
iptables -I FORWARD -s 192.168.0.88 -o vlan2 -j DROP
iptables -I FORWARD -s 192.168.0.190 -o vlan2 -j DROP
iptables -I FORWARD -s 192.168.0.199 -o vlan2 -j DROP
iptables -I FORWARD -s 192.168.0.247 -o vlan2 -j DROP
and I have a script, VPN-ONUP, which runs when the VPN connects.
This is in my VPN additional config
Code:
# Script to run when the link is established
# This sets up my custom routes and iptable rules
up /jffs/openvpn/vpn-onup
# Set the default route for table 200 as over the VPN
ip route add default dev tun1 table 200
# Assign all outgoing connections from specified IPs to table 200
# so they go over the VPN
ip rule add from 192.168.0.88 table 200
ip rule add from 192.168.0.190 table 200
ip rule add from 192.168.0.199 table 200
ip rule add from 192.168.0.247 table 200
Use the functionality(ies) of PBR (and other features, i.e. killswitch) in the webUI? Use "save" and when all done, "reboot"?
OpenVPN guides and documentation _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
But to answer your question directly (since this type of problem is common to many scripting situations besides this one), you just need to precede the addition of ip rules by flushing the previous rules.
Code:
# Delete every existing rule for table 200 first, so re-running this
# script on each VPN up event never leaves duplicates behind.
# The catch-all selector deletes one matching rule per call and fails
# once none are left, which ends the loop.
while ip rule del from 0/0 to 0/0 table 200 2>/dev/null; do :; done
# Set the default route for table 200 as over the VPN
ip route add default dev tun1 table 200
# Assign all outgoing connections from specified IPs to table 200
# so they go over the VPN
ip rule add from 192.168.0.88 table 200
ip rule add from 192.168.0.190 table 200
ip rule add from 192.168.0.199 table 200
ip rule add from 192.168.0.247 table 200
# Flush the cache
ip route flush cache
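A fuller, idempotent version of that flush-then-add approach, added here as an example and not the poster's script: it rebuilds table 200 from scratch, runs only when OpenVPN invokes it as the up script, and carries two helpers for auditing `ip rule list` output for duplicates. The use of `ip route replace` and of OpenVPN's exported `$dev` and `$script_type` variables are assumptions about the iproute2 and OpenVPN builds on the router.

```shell
#!/bin/sh
# Added example, not the OP's or the replier's script: an idempotent vpn-onup
# that rebuilds table 200 on every OpenVPN "up" event, plus two checks for
# auditing `ip rule list` output. Assumptions: `ip route replace` exists
# (iproute2/busybox); OpenVPN exports $dev and $script_type to the up script.
TABLE=200
VPN_IF="${dev:-tun1}"
HOSTS="192.168.0.88 192.168.0.190 192.168.0.199 192.168.0.247"
# Number of rules on stdin (`ip rule list` output) that point at table $1.
count_table_rules() {
    grep -c "lookup $1\$"
}

# Number of distinct rules on stdin that occur more than once; the "NNN:"
# priority prefix is stripped so identical selectors compare equal.
count_dup_rules() {
    sed 's/^[0-9]*:[[:space:]]*//' | sort | uniq -d | wc -l | tr -d ' '
}

# Delete every rule for the table, then add exactly one rule per host. The
# catch-all `ip rule del` removes one rule per call and fails when none remain.
apply_rules() {
    while ip rule del from 0/0 to 0/0 table "$TABLE" 2>/dev/null; do :; done
    ip route replace default dev "$VPN_IF" table "$TABLE"
    for h in $HOSTS; do ip rule add from "$h" table "$TABLE"; done
    ip route flush cache
}

# Constructed sample reproducing the thread's duplicated state: the same four
# rules added on four VPN restarts (16 table-200 rules in total).
SAMPLE_DUP="0: from all lookup local"
prio=32742
for run in 1 2 3 4; do
    for h in 192.168.0.247 192.168.0.199 192.168.0.190 192.168.0.88; do
        SAMPLE_DUP="$SAMPLE_DUP
$prio: from $h lookup $TABLE"
        prio=$((prio + 1))
    done
done
# Constructed sample of the state after a single run of apply_rules.
SAMPLE_CLEAN="0: from all lookup local
32762: from 192.168.0.247 lookup 200
32763: from 192.168.0.199 lookup 200
32764: from 192.168.0.190 lookup 200
32765: from 192.168.0.88 lookup 200
32766: from all lookup main
32767: from all lookup default"
# OpenVPN sets script_type=up for the up script; run by hand, routing is untouched.
if [ "$script_type" = "up" ]; then apply_rules; fi
```

To audit a live router, pipe `ip rule list` into `count_dup_rules`; any value above 0 means the up script is not flushing before it adds.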
I'm using DDWRT Firmware v3.0-r48607. I played around with a newer firmware a month ago and, although I forget the exact reason, I ended up using a slightly older version.
Anyway, clearing the 200 table before setting it works perfectly.
My old router was running very old firmware. When I upgraded I manually transferred many settings including the old PBR. I didn't know that the new GUI now had PBR.
Guess I will have to play with it, but anyway the old way works now, clearing out the table before rebuilding it.