OpenVPN source IP and destination IP policy based routing

DD-WRT Forum Forum Index -> Advanced Networking
vaguy
DD-WRT Novice
Joined: 23 Sep 2008
Posts: 12

Posted: Fri Feb 03, 2017 6:55    Post subject: OpenVPN source IP and destination IP policy based routing
Need a little help.

I’m running DDWRT v3.0-r29440M kongac (4/19/16)

I have set up an OpenVPN client that works fine.
Tunnel Device is TUN
Tunnel Protocol is UDP

I have used the Policy-based-Routing field to limit its use to one source device (a Firestick).
That’s working fine.

What I want to do is further limit the tunnel's use depending on destination IPs.
For example, I don’t want the tunnel to be used when I access Amazon Prime (as Amazon recognizes the IP of my VPN provider and blocks all streaming thinking I’m trying to access content from unknown parts of the world, which I’m not).
I’ve tried a few things with iptables, but no luck so far, especially when used in concert with a populated Policy-based-Routing field.

From the OpenVPN Status page, it would appear my client is using tun1

I’m looking for a routing rule like
If ( (source-IP == IP1) && (destination-IP != [IP2, IP3, IP4]) ) then use the OpenVPN client tunnel

Full disclosure - I'm also running an OpenVPN server in Bridge (TAP) mode. But that should have no bearing.
vaguy
Posted: Fri Feb 03, 2017 17:37
Perfect! So simple and eloquent.
Was concerned who took precedence - route commands or policy based routing. Route commands do.

So my one device uses the OpenVPN client tunnel less its traffic destined for Amazon. I was able to download a .json file showing all IPs that AWS (Amazon Web Services) uses. A small script to create from that a set of OpenVPN route commands and I'm off to the races.
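The "small script" mentioned above is not shown in the thread; the following is an added example of what such a generator looks like, written for this page rather than taken from the poster. It reads a document in the shape of AWS's published ip-ranges.json (a "prefixes" list whose entries carry "ip_prefix", "region" and "service"), keeps only the services you choose, de-duplicates and collapses adjacent blocks, and emits OpenVPN client `route <network> <netmask> net_gateway` lines, which steer those destinations out the normal WAN path instead of the tunnel. The sample data is constructed from RFC 5737 documentation ranges, not real Amazon addresses; a real run would feed it the downloaded file. The route count matters: OpenVPN 2.3 and earlier limit `route` directives to `--max-routes` (default 100), so the script checks the size of the block before you paste it into Additional Config.

```python
"""Generate OpenVPN 'route ... net_gateway' exceptions from an AWS
ip-ranges.json style document, collapsing prefixes so the block stays
under the client's route limit. Added example; not the poster's script."""
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json (prefixes/ip_prefix/
# region/service). RFC 5737 documentation ranges stand in for real
# Amazon addresses; the values are illustrative only.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2017-02-03-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25",   "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24",    "region": "GLOBAL",    "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24",    "region": "GLOBAL",    "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.64/26",   "region": "GLOBAL",    "service": "S3"},
        {"ip_prefix": "192.0.2.0/24",      "region": "eu-west-1", "service": "EC2"},
    ],
})


def load_prefixes(text, services=None):
    """Return the IPv4 networks under 'prefixes', optionally restricted to
    the given service names, de-duplicated and collapsed into the smallest
    equivalent set of CIDR blocks."""
    doc = json.loads(text)
    nets = set()
    for entry in doc["prefixes"]:
        if services is not None and entry["service"] not in services:
            continue
        nets.add(ipaddress.IPv4Network(entry["ip_prefix"], strict=True))
    # collapse_addresses merges adjacent siblings (two /25s -> one /24)
    # and drops networks already covered by a larger one.
    return sorted(ipaddress.collapse_addresses(nets))


def to_route_directives(nets, gateway="net_gateway"):
    """Render OpenVPN client config lines. 'net_gateway' sends the
    destination out the normal WAN default route instead of the tunnel."""
    return ["route {} {} {}".format(n.network_address, n.netmask, gateway)
            for n in nets]


def fits_route_limit(lines, max_routes=100):
    """OpenVPN 2.3 and earlier limit 'route' directives to --max-routes
    (default 100); check before pasting the block into Additional Config."""
    return len(lines) <= max_routes


def build_route_block(text, services=("AMAZON",), gateway="net_gateway"):
    """Full pipeline: JSON text -> list of OpenVPN route lines."""
    return to_route_directives(load_prefixes(text, set(services)), gateway)


if __name__ == "__main__":
    lines = build_route_block(SAMPLE_IP_RANGES)
    print("\n".join(lines))
    if not fits_route_limit(lines):
        print("# warning: {} routes exceeds the default max-routes of 100; "
              "raise max-routes or restrict services".format(len(lines)))
```

Filtering on the "AMAZON" service rather than the whole file is deliberate: the full list runs to thousands of prefixes, and even after collapsing it will not fit under the default limit, so either narrow the services or raise `max-routes` in the client config.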
vaguy
Posted: Sat Feb 04, 2017 17:29
Spoke too soon.
If the # of route commands is > 100, it blows the VPN route table and nothing goes through the VPN.
This was a false positive. I jumped to the wrong conclusion.
So I did a bunch of tests with tracert.
If there are no entries in Policy-based-Routing field, the routing commands in Additional-Config are used.
But if there is at least one entry in the Policy-based-Routing field, no route commands are processed, even if the Policy-based-Routing entry doesn't involve the PC used for testing.
So let's say I have in Additional-Config
route extIP#1 255.255.255.255 vpn_gateway
route extIP#2 255.255.255.255 net_gateway
And I also have a Policy-based-Routing entry
192.168.2.101

From PC#1 (192.168.2.101) everything goes through the VPN, even to extIP#2
From PC#2 (192.168.2.102) everything goes through the WAN, even to extIP#1

So I'm back to looking for a way to limit by destination what goes through the VPN from a particular source IP.
vaguy
Posted: Sat Feb 04, 2017 21:00
Thx
I'll work on the script approach now that I understand the bug.
outernational
DD-WRT Novice
Joined: 23 Oct 2015
Posts: 28

Posted: Sat Mar 04, 2017 19:53
Moved my question to here. Didn't mean to hijack the thread.