Posted: Fri Feb 03, 2017 6:55 Post subject: OpenVPN source IP and destination IP policy based routing
Need a little help.
I’m running DDWRT v3.0-r29440M kongac (4/19/16)
I have set up an OpenVPN client that works fine.
Tunnel Device is TUN
Tunnel Protocol is UDP
I have used the Policy-based-Routing field to limit its use to one source device (a Firestick).
That’s working fine.
What I want to do is further limit the tunnel's use depending on destination IPs.
For example, I don’t want the tunnel to be used when I access Amazon Prime (as Amazon recognizes the IP of my VPN provider and blocks all streaming thinking I’m trying to access content from unknown parts of the world, which I’m not).
I’ve tried a few things with iptables, but no luck so far, especially when used in concert with a populated Policy-based-Routing field.
From the OpenVPN Status page, it would appear my client is using tun1.
I’m looking for a routing rule like
If ( (source-IP == IP1) && (destination-IP != [IP2, IP3, IP4]) ) then use the OpenVPN client tunnel
Full disclosure - I’m also running an OpenVPN server in Bridge (TAP) mode. But that should have no bearing.
Perfect! So simple and eloquent.
Was concerned who took precedence - route commands or policy based routing. Route commands do.
So my one device uses the OpenVPN client tunnel less its traffic destined for Amazon. I was able to download a .json file showing all IPs that AWS (Amazon Web Services) uses. A small script to create from that a set of OpenVPN route commands and I'm off to the races.
Spoke too soon.
If the # of route commands is > 100, it blows the VPN route table and nothing goes through the VPN.
This was a false positive. I jumped to the wrong conclusion.
So I did a bunch of tests with tracert.
If there are no entries in Policy-based-Routing field, the routing commands in Additional-Config are used.
But if there is at least one entry in the Policy-based-Routing field, no route commands are processed, even if the Policy-based-Routing entry doesn't involve the PC used for testing.
So let's say I have in Additional-Config
route extIP#1 255.255.255.255 vpn_gateway
route extIP#2 255.255.255.255 net_gateway
And I also have a Policy-based-Routing entry
From PC#1 (192.168.2.101) everything goes through the VPN, even to extIP#2
From PC#2 (192.168.2.102) everything goes through the WAN, even to extIP#1
So I'm back to looking for a way to limit by destination what goes through the VPN from a particular source IP.
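One way to express the rule from the last post (source IP1 goes out tun1 unless the destination is on an exclusion list) is fwmark-based policy routing on the router itself instead of OpenVPN route lines. This is an added example, not code from this thread or from DD-WRT; it assumes tun1 as the client interface (from the thread), that routing table 10 and mark 0x1 are unused, a constructed destination list in place of the AWS ranges, and that the GUI Policy-based-Routing field is left empty so these are the only such rules.

```shell
#!/bin/sh
# Hypothetical helper: emit the iptables/ip commands for
# "traffic from SRC_IP uses tun1 unless the destination is in BYPASS".
# Assumptions: tun1 is the OpenVPN client interface, table 10 and
# fwmark 0x1 are free; BYPASS is a constructed sample list.

SRC_IP="192.168.2.101"
VPN_IF="tun1"
MARK="0x1"
TABLE="10"
# Constructed sample; in practice fill from the AWS ip-ranges.json prefixes.
BYPASS="52.94.0.0/22 54.239.0.0/17 13.32.0.0/15"

pbr_commands() {
    src="$1"; vpn_if="$2"; mark="$3"; table="$4"; bypass="$5"
    # Exclusions first: ACCEPT in mangle PREROUTING ends traversal of that
    # chain, so excluded destinations never reach the MARK rule and keep
    # the normal WAN route.
    for dst in $bypass; do
        echo "iptables -t mangle -A PREROUTING -s $src -d $dst -j ACCEPT"
    done
    # Everything else from the source is marked for the VPN table.
    echo "iptables -t mangle -A PREROUTING -s $src -j MARK --set-mark $mark"
    # Marked traffic must be NATed to the tunnel address; a duplicate
    # MASQUERADE rule is harmless if the client setup already added one.
    echo "iptables -t nat -A POSTROUTING -o $vpn_if -j MASQUERADE"
    # Dedicated table whose only route is the tunnel, chosen by the mark.
    echo "ip route replace default dev $vpn_if table $table"
    echo "ip rule add fwmark $mark table $table priority 100"
    echo "ip route flush cache"
}

# Prints the commands for review; on the router run:  sh script.sh | sh
pbr_commands "$SRC_IP" "$VPN_IF" "$MARK" "$TABLE" "$BYPASS"
```

The rules do not survive a reboot or a tunnel restart, so on DD-WRT they belong in the firewall script (or the OpenVPN client's up handling) rather than a one-off shell session.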