Help with policy based routing over OpenVPN (SOLVED)

nic67
DD-WRT Novice


Joined: 06 Dec 2015
Posts: 5

PostPosted: Thu Dec 24, 2015 2:40    Post subject: Help with policy based routing over OpenVPN (SOLVED)
Hi,

I have trawled the internet and this forum for information and examples for how to configure multiple VPN tunnels where I can develop a source/destination & port ruleset for what traffic to send across a particular tunnel. I have managed to cobble together a startup script based on snippets I found and my basic networking knowledge but cannot get the final configuration to work.

The objective with the basic config below is to:

- establish 2 tunnels to HMA servers, one in the US and one in Sweden. This works.

- apply a basic policy where the host 192.168.10.50 routes all traffic across tun0. This does not work.

- An observation is that with the below startup script, the commands

Code:
p route list table 200
ip rule show


return nothing.

If I manually input in a telnet session once tunnels are established

Code:
ip rule add from 192.168.10.50/32 table 200
ip route add default via <current tun0 gateway> dev tun0 table 200
ip route flush cache


the device 192.168.10.50 will lose connectivity completely, and the config appears to be in effect but to be missing something to work correctly. This also makes me suspect that the awk syntax, which I don't understand and have copied from a sample, is not correct and the $Tun0Gateway variable is not working.

Startup script below; any pointers on where I am going wrong would be appreciated. And before it's suggested, I have read http://www.dd-wrt.com/wiki/index.php/Policy_Based_Routing

Build: Firmware: DD-WRT v3.0-r28493M std (I have tried v24 SP2 as well)
Router is D-Link DIR 890L


Code:
#!/bin/sh
#Create directory
mkdir /tmp/openvpncl

#Create CA Certificate
echo "-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
" >> /tmp/openvpncl/ca.crt

#Create Public Key
echo "-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
" >> /tmp/openvpncl/client.crt


#Create Private Key
echo "-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
" >> /tmp/openvpncl/client.key


#Setup US Tunnel Config
echo ca /tmp/openvpncl/ca.crt > /tmp/openvpncl/openvpn-US.conf
echo cert /tmp/openvpncl/client.crt >> /tmp/openvpncl/openvpn-US.conf
echo key /tmp/openvpncl/client.key >> /tmp/openvpncl/openvpn-US.conf
echo verb 3 >> /tmp/openvpncl/openvpn-US.conf
echo mute 3 >> /tmp/openvpncl/openvpn-US.conf
echo syslog >> /tmp/openvpncl/openvpn-US.conf
echo writepid /var/run/openvpncl.pid >> /tmp/openvpncl/openvpn-US.conf
echo client >> /tmp/openvpncl/openvpn-US.conf
echo resolv-retry infinite >> /tmp/openvpncl/openvpn-US.conf
echo nobind >> /tmp/openvpncl/openvpn-US.conf
echo persist-key >> /tmp/openvpncl/openvpn-US.conf
echo persist-tun >> /tmp/openvpncl/openvpn-US.conf
echo script-security 2 >> /tmp/openvpncl/openvpn-US.conf
echo dev tun1 >> /tmp/openvpncl/openvpn-US.conf
echo proto tcp-client >> /tmp/openvpncl/openvpn-US.conf
echo cipher bf-cbc >> /tmp/openvpncl/openvpn-US.conf
echo auth sha1 >> /tmp/openvpncl/openvpn-US.conf
echo remote us.hma.rocks 443 >> /tmp/openvpncl/openvpn-US.conf
echo tun-mtu 1500 >> /tmp/openvpncl/openvpn-US.conf
echo mtu-disc yes >> /tmp/openvpncl/openvpn-US.conf
echo ns-cert-type server >> /tmp/openvpncl/openvpn-US.conf
echo tun-ipv6 >> /tmp/openvpncl/openvpn-US.conf
echo auth-user-pass /tmp/openvpncl/user.conf >> /tmp/openvpncl/openvpn-US.conf

#Setup SE Tunnel Config
echo ca /tmp/openvpncl/ca.crt > /tmp/openvpncl/openvpn-SE.conf
echo cert /tmp/openvpncl/client.crt >> /tmp/openvpncl/openvpn-SE.conf
echo key /tmp/openvpncl/client.key >> /tmp/openvpncl/openvpn-SE.conf
echo verb 3 >> /tmp/openvpncl/openvpn-SE.conf
echo mute 3 >> /tmp/openvpncl/openvpn-SE.conf
echo syslog >> /tmp/openvpncl/openvpn-SE.conf
echo writepid /var/run/openvpncl.pid >> /tmp/openvpncl/openvpn-SE.conf
echo client >> /tmp/openvpncl/openvpn-SE.conf
echo resolv-retry infinite >> /tmp/openvpncl/openvpn-SE.conf
echo nobind >> /tmp/openvpncl/openvpn-SE.conf
echo persist-key >> /tmp/openvpncl/openvpn-SE.conf
echo persist-tun >> /tmp/openvpncl/openvpn-SE.conf
echo script-security 2 >> /tmp/openvpncl/openvpn-SE.conf
echo dev tun0 >> /tmp/openvpncl/openvpn-SE.conf
echo proto tcp-client >> /tmp/openvpncl/openvpn-SE.conf
echo cipher bf-cbc >> /tmp/openvpncl/openvpn-SE.conf
echo auth sha1 >> /tmp/openvpncl/openvpn-SE.conf
echo remote se.hma.rocks 443 >> /tmp/openvpncl/openvpn-SE.conf
echo tun-mtu 1500 >> /tmp/openvpncl/openvpn-SE.conf
echo mtu-disc yes >> /tmp/openvpncl/openvpn-SE.conf
echo ns-cert-type server >> /tmp/openvpncl/openvpn-SE.conf
echo tun-ipv6 >> /tmp/openvpncl/openvpn-SE.conf
echo auth-user-pass /tmp/openvpncl/user.conf >> /tmp/openvpncl/openvpn-SE.conf

#Tun0 route up script
echo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE > /tmp/openvpncl/route-up-SE.sh
chmod 700 /tmp/openvpncl/route-up-SE.sh
#Tun0 route down script
echo iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE > /tmp/openvpncl/route-down-SE.sh
chmod 700 /tmp/openvpncl/route-down-SE.sh

#Tun1 route up script
echo iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE > /tmp/openvpncl/route-up-US.sh
chmod 700 /tmp/openvpncl/route-up-US.sh
#Tun1 route down script
echo iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE > /tmp/openvpncl/route-down-US.sh
chmod 700 /tmp/openvpncl/route-down-US.sh


#General Config
echo MYUSERNAME > /tmp/openvpncl/user.conf
echo MYPASSWORD >> /tmp/openvpncl/user.conf

#Setup tunnels. 
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn-SE.conf --route-nopull --route-up /tmp/openvpncl/route-up-SE.sh --down-pre /tmp/openvpncl/route-down-SE.sh --daemon
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn-US.conf --route-nopull --route-up /tmp/openvpncl/route-up-US.sh --down-pre /tmp/openvpncl/route-down-US.sh --daemon

#Hold for 10 seconds to allow for tunnels to establish
sleep 10

# get gateway addresses
IspGateway=$(ip route list table main | awk '/default/ { print $3}')
Tun0Gateway=$(ip route list table main | awk '/tun0/ { print $1}’)
Tun1Gateway=$(ip route list table main | awk '/tun1/ { print $1}’)

# Route all traffic from host 192.168.10.50 through the SE tunnel
ip rule add from 192.168.10.50/32 table 200
ip route add default via $Tun0Gateway dev tun0 table 200
ip route flush cache

#US Tunnel rules
# TBD


Thanks

Nic


Last edited by nic67 on Fri Dec 25, 2015 8:50; edited 1 time in total
nic67
PostPosted: Fri Dec 25, 2015 1:12    Post subject:
Hi,

Thanks for the pointers. To summarise my findings:

1. The syntax error with the missing i in ip was in the post only

2. The cat command to troubleshoot when the router is running is great

3. You were spot on with the single quote characters, it was a copy from a web page and it may have been changed by TextEdit which defaults to .rtf. I moved the whole script to a new editor (TextWrangler) and updated the quotes and the variable is now populated with the correct string.

4. I don't think placing the code in the startup script is an issue, I can confirm that the tunnels come up OK with ifconfig but I will try moving to wanup once I get the routing working

To simplify the troubleshooting, I have tried executing the following part of the code when I have tun0 confirmed to be up using cat > /tmp/temp.sh

Code:

iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
Tun0Gateway=$(ip route list table main | awk '/tun0/ { print $1}')
ip rule add from 192.168.10.50/32 table 200
ip route add default via $Tun0Gateway dev tun0 table 200
ip route flush cache


However, despite everything executing successfully the routing does not appear to work, the command

Code:

ip route list table 200


still returns nothing and a trace route from the endpoint 192.168.10.50 shows that the traffic is not being routed via tun0.

I have also tried adding the routing code to the VPN route-up script which feels like a good idea but the results are the same.

If there is anything obvious with the code above that is wrong, or any further thoughts on what the problem could be, it would be appreciated.

Thanks

Nic
nic67
PostPosted: Fri Dec 25, 2015 8:49    Post subject: Solved
Hi,

I have had some success and now have a working basic config

@ebigrad, while I don't dispute your finding about double matches (I don't know this well enough), the statement actually works. The problem with the command as is in the post is that it is fetching the first column in the routing table entry, which is the network and not the gateway.

Code:

Tun0Gateway=$(ip route list table main | awk '/tun0/ { print $9}')


will assign the $Tun0Gateway variable with the gateway IP.

The other problem I had was that the route-up script was not executing, which I found by debugging the openvpn command. I am not sure if it's the correct fix, but adding the #!/bin/sh to the top of the script made it work.

Once the route up script started working, I moved the routing commands there instead to remove the sleep statement and the eventuality for execution before the tunnel is established. I will now try and add this to wanup to increase the reliability and start figuring out the rules I want.

Thanks for the support.

The final working basic startup script looks like this

Code:


#!/bin/sh
#Create directory
mkdir /tmp/openvpncl

#Create CA Certificate
echo "-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIJAIaWiJ8tvvfkMA0GCSqGSIb3DQEBBQUAMIGgMQswCQYD
VQQGEwJHQjEPMA0GA1UECBMGTG9uZG9uMQ8wDQYDVQQHEwZMb25kb24xEzARBgNV
BAoTClByaXZheCBMdGQxFDASBgNVBAsTC0hNQSBQcm8gVlBOMRYwFAYDVQQDEw1o
aWRlbXlhc3MuY29tMQwwCgYDVQQpEwNITUExHjAcBgkqhkiG9w0BCQEWD2luZm9A
cHJpdmF4LmNvbTAeFw0xNDA1MTMwNzQ1NThaFw0yNDA1MTAwNzQ1NThaMIGgMQsw
CQYDVQQGEwJHQjEPMA0GA1UECBMGTG9uZG9uMQ8wDQYDVQQHEwZMb25kb24xEzAR
BgNVBAoTClByaXZheCBMdGQxFDASBgNVBAsTC0hNQSBQcm8gVlBOMRYwFAYDVQQD
Ew1oaWRlbXlhc3MuY29tMQwwCgYDVQQpEwNITUExHjAcBgkqhkiG9w0BCQEWD2lu
Zm9AcHJpdmF4LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMyQ
vosRoQjE/qNBzpVzU3Td0jS8z1h96BvqzNfVIK+yOuoe+/qv59q4Eo1R+kUnUlM9
KznYDmHxIBBID24Kak0nzBSLDHrK7RO70DYgj8jWteQYWk4G+Eu5kfO/ru6WYDcU
Wq1ifHDEKbAJ8t2SgneAVCYcqwBRPJqsqkkMnrgNxdPU9yMVX4gxRqVvD0KIYgwl
4te7aF2i3tElM8fDatTmWqeIgoU1kOEqaZFT5lzeZP7sh0Q5h0QAJOKYPs6qgCH4
zv+74DCCSSR5Oh6oF5ssCX4GADaWqVH+pdDudLo3wxu81PN2K95jk7r25Dung7F9
a65cp+b/okLmWwZoyeMCAwEAAaOCAQkwggEFMB0GA1UdDgQWBBQjV1wN2kwuVDRa
DQpk4p4HThtF4zCB1QYDVR0jBIHNMIHKgBQjV1wN2kwuVDRaDQpk4p4HThtF46GB
pqSBozCBoDELMAkGA1UEBhMCR0IxDzANBgNVBAgTBkxvbmRvbjEPMA0GA1UEBxMG
TG9uZG9uMRMwEQYDVQQKEwpQcml2YXggTHRkMRQwEgYDVQQLEwtITUEgUHJvIFZQ
TjEWMBQGA1UEAxMNaGlkZW15YXNzLmNvbTEMMAoGA1UEKRMDSE1BMR4wHAYJKoZI
hvcNAQkBFg9pbmZvQHByaXZheC5jb22CCQCGloifLb735DAMBgNVHRMEBTADAQH/
MA0GCSqGSIb3DQEBBQUAA4IBAQBtuQXAuxPkZH5hLUeK45dNHOj2TAtWs1WM+Kje
SBPfzn1RQE8xwClcBEdpfiUi4lZ1X9OIq3Jri0T27YAaUk3bMqvk6Pzmida96yWY
lxQjzitXsH7KyCCWmNBSIxF2M/sb2OX9vWdAINDawiFeEzNcqwx/LLyriZ+WxFyU
eWVPl6cUKQBNoDGXZdRKWePT+QNIrtLBHRhB+UpwtoXn6qVl3t8YbycgYczd6lBe
9GiAKvfqLuxkfDe9ZgLMKnQZfjfUyUPpYODOJSGewqiHOYAO4ix26heq3K6rFVpH
Y2MwKmFME0eL8tHlPAWEkGOICiuwX6ir0tPhhq4WAUY1K9kj
-----END CERTIFICATE-----
" >> /tmp/openvpncl/ca.crt

#Create Public Key
echo "-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
" >> /tmp/openvpncl/client.crt


#Create Private Key
echo "-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
" >> /tmp/openvpncl/client.key

#Setup SE Tunnel Config
echo ca /tmp/openvpncl/ca.crt > /tmp/openvpncl/openvpn-SE.conf
echo cert /tmp/openvpncl/client.crt >> /tmp/openvpncl/openvpn-SE.conf
echo key /tmp/openvpncl/client.key >> /tmp/openvpncl/openvpn-SE.conf
echo verb 3 >> /tmp/openvpncl/openvpn-SE.conf
echo mute 3 >> /tmp/openvpncl/openvpn-SE.conf
echo syslog >> /tmp/openvpncl/openvpn-SE.conf
echo writepid /var/run/openvpncl.pid >> /tmp/openvpncl/openvpn-SE.conf
echo client >> /tmp/openvpncl/openvpn-SE.conf
echo resolv-retry infinite >> /tmp/openvpncl/openvpn-SE.conf
echo nobind >> /tmp/openvpncl/openvpn-SE.conf
echo persist-key >> /tmp/openvpncl/openvpn-SE.conf
echo persist-tun >> /tmp/openvpncl/openvpn-SE.conf
echo script-security 2 >> /tmp/openvpncl/openvpn-SE.conf
echo dev tun0 >> /tmp/openvpncl/openvpn-SE.conf
echo proto tcp-client >> /tmp/openvpncl/openvpn-SE.conf
echo cipher bf-cbc >> /tmp/openvpncl/openvpn-SE.conf
echo auth sha1 >> /tmp/openvpncl/openvpn-SE.conf
echo remote se.hma.rocks 443 >> /tmp/openvpncl/openvpn-SE.conf
echo tun-mtu 1500 >> /tmp/openvpncl/openvpn-SE.conf
echo mtu-disc yes >> /tmp/openvpncl/openvpn-SE.conf
echo ns-cert-type server >> /tmp/openvpncl/openvpn-SE.conf
echo tun-ipv6 >> /tmp/openvpncl/openvpn-SE.conf
echo auth-user-pass /tmp/openvpncl/user.conf >> /tmp/openvpncl/openvpn-SE.conf

#Setup US Tunnel Config
echo ca /tmp/openvpncl/ca.crt > /tmp/openvpncl/openvpn-US.conf
echo cert /tmp/openvpncl/client.crt >> /tmp/openvpncl/openvpn-US.conf
echo key /tmp/openvpncl/client.key >> /tmp/openvpncl/openvpn-US.conf
echo verb 3 >> /tmp/openvpncl/openvpn-US.conf
echo mute 3 >> /tmp/openvpncl/openvpn-US.conf
echo syslog >> /tmp/openvpncl/openvpn-US.conf
echo writepid /var/run/openvpncl.pid >> /tmp/openvpncl/openvpn-US.conf
echo client >> /tmp/openvpncl/openvpn-US.conf
echo resolv-retry infinite >> /tmp/openvpncl/openvpn-US.conf
echo nobind >> /tmp/openvpncl/openvpn-US.conf
echo persist-key >> /tmp/openvpncl/openvpn-US.conf
echo persist-tun >> /tmp/openvpncl/openvpn-US.conf
echo script-security 2 >> /tmp/openvpncl/openvpn-US.conf
echo dev tun1 >> /tmp/openvpncl/openvpn-US.conf
echo proto tcp-client >> /tmp/openvpncl/openvpn-US.conf
echo cipher bf-cbc >> /tmp/openvpncl/openvpn-US.conf
echo auth sha1 >> /tmp/openvpncl/openvpn-US.conf
echo remote us.hma.rocks 443 >> /tmp/openvpncl/openvpn-US.conf
echo tun-mtu 1500 >> /tmp/openvpncl/openvpn-US.conf
echo mtu-disc yes >> /tmp/openvpncl/openvpn-US.conf
echo ns-cert-type server >> /tmp/openvpncl/openvpn-US.conf
echo tun-ipv6 >> /tmp/openvpncl/openvpn-US.conf
echo auth-user-pass /tmp/openvpncl/user.conf >> /tmp/openvpncl/openvpn-US.conf

#Tun0 route up script
echo '#!/bin/sh' > /tmp/openvpncl/route-up-SE.sh
echo '# NAT all traffic' >> /tmp/openvpncl/route-up-SE.sh
echo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE >> /tmp/openvpncl/route-up-SE.sh
echo '# Get Gateway IP' >> /tmp/openvpncl/route-up-SE.sh
echo Tun0Gateway='$(ip route list table main | awk '\''/tun0/ { print $9}'\'')' >> /tmp/openvpncl/route-up-SE.sh
echo '# SE Rules starts here' >> /tmp/openvpncl/route-up-SE.sh
echo ip rule add from 192.168.10.50/32 table 200 >> /tmp/openvpncl/route-up-SE.sh
echo '# Add routes' >> /tmp/openvpncl/route-up-SE.sh
echo 'ip route add default via $Tun0Gateway dev tun0 table 200' >> /tmp/openvpncl/route-up-SE.sh
echo ip route flush cache >> /tmp/openvpncl/route-up-SE.sh
chmod +x /tmp/openvpncl/route-up-SE.sh

#Tun0 route down script
echo '#!/bin/sh' > /tmp/openvpncl/route-down-SE.sh
echo iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE >> /tmp/openvpncl/route-down-SE.sh
echo ip rule del from 192.168.10.50/32 table 200 >> /tmp/openvpncl/route-down-SE.sh
echo 'ip route del table 200' >> /tmp/openvpncl/route-down-SE.sh
chmod +x /tmp/openvpncl/route-down-SE.sh

#Tun1 route up script
echo '#!/bin/sh' > /tmp/openvpncl/route-up-US.sh
echo iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE >> /tmp/openvpncl/route-up-US.sh
chmod +x /tmp/openvpncl/route-up-US.sh

#Tun1 route down script
echo '#!/bin/sh' > /tmp/openvpncl/route-down-US.sh
echo iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE >> /tmp/openvpncl/route-down-US.sh
chmod +x /tmp/openvpncl/route-down-US.sh


#General Config
echo HMAUserName > /tmp/openvpncl/user.conf
echo HMAPassword >> /tmp/openvpncl/user.conf

#Setup tunnels. 
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn-SE.conf --route-nopull --route-up /tmp/openvpncl/route-up-SE.sh --down-pre /tmp/openvpncl/route-down-SE.sh --daemon
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn-US.conf --route-nopull --route-up /tmp/openvpncl/route-up-US.sh --down-pre /tmp/openvpncl/route-down-US.sh --daemon

nic67
PostPosted: Fri Dec 25, 2015 13:47    Post subject:
Hi,

I certainly do not claim that my approach is "right" and I'm sure that as I pick up on this, I will see your points clearer. However, I don't fully understand your comments.

1. What do you mean by the assumption of the matching line? If this refers to the way the gateway address is obtained, why wouldn't "tun0" always refer to the right gateway address for that tunnel? It is extracted from ip route list table main, so I don't see how it can be wrong.

2. What are the OpenVPN variables? I can't find the documentation of $route_vpn_gateway and $dev. Clearly this is a better solution than string matching on the ip table, but how do they distinguish between the 2 concurrent tunnels tun0 and tun1?

Thanks for your help

Nic
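Added example, not Nic's script or a DD-WRT stock file: one route-up script that answers the question above and replaces the awk string match on the main table. OpenVPN exports dev, route_vpn_gateway, ifconfig_remote and script_type into the environment of every --route-up script (script-security 2 is required, which the posted .conf already has), and since each openvpn process runs the script with its own dev value, the same file can serve tun0 and tun1 without grepping. The table numbers, the host list and the IP dry-run switch are my own assumptions.

```shell
#!/bin/sh
# Per-tunnel policy routing driven by OpenVPN's own environment variables.
# Invoke with: openvpn ... --route-up /tmp/openvpncl/route-up.sh
# Set IP=echo to print the ip commands instead of running them (dry run).
IP="${IP:-ip}"

# Map a tun device to its policy table (assumed numbering, one per tunnel).
table_for_dev() {
    case "$1" in
        tun0) echo 200 ;;   # SE tunnel
        tun1) echo 201 ;;   # US tunnel
        *)    return 1 ;;
    esac
}

# Prefer the gateway OpenVPN computed; fall back to the p-t-p remote address
# (net30 topology), so --route-nopull does not leave us without a next hop.
gateway_from_env() {
    if [ -n "$route_vpn_gateway" ]; then echo "$route_vpn_gateway"
    elif [ -n "$ifconfig_remote" ]; then echo "$ifconfig_remote"
    else return 1
    fi
}

# Install the default route and source rules for one tunnel.
# Args: device gateway table [host/prefix ...]
# 'replace' and del-before-add keep reconnects from stacking duplicate rules.
apply_policy() {
    dev_="$1"; gw="$2"; tbl="$3"; shift 3
    $IP route replace default via "$gw" dev "$dev_" table "$tbl"
    for h in "$@"; do
        $IP rule del from "$h" table "$tbl" 2>/dev/null || true
        $IP rule add from "$h" table "$tbl"
    done
    $IP route flush cache
}

# Entry point: $dev tells us which tunnel just came up.
route_up_main() {
    tbl=$(table_for_dev "$dev") || { echo "unknown device: $dev" >&2; return 1; }
    gw=$(gateway_from_env) || { echo "no gateway in environment" >&2; return 1; }
    case "$dev" in
        tun0) apply_policy "$dev" "$gw" "$tbl" 192.168.10.50/32 ;;
        tun1) apply_policy "$dev" "$gw" "$tbl" ;;   # US rules still TBD
    esac
}

# Only act when OpenVPN called us as a route-up hook (env set by OpenVPN).
if [ "$script_type" = "route-up" ] && [ -n "$dev" ]; then
    route_up_main
fi
```

A matching --down-pre script should delete the rules and run `ip route flush table <n>` for that device, as the posted route-down-SE.sh does, so a dropped tunnel does not leave 192.168.10.50 routed into a dead table. After a tunnel comes up, `ip rule show` and `ip route list table 200` should now show the rule and the default route.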