Route only certain destination domains through VPN?

DD-WRT Forum Index -> Advanced Networking
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 181

PostPosted: Thu Jan 18, 2018 19:07    Post subject: Route only certain destination domains through VPN?
I have configured the DD-WRT router to only route traffic from one of my machines (AppleTV) through VPN using the policy based routing setting and it works fine.

I would however like to only route certain destinations (for example www.google.com) through the VPN, the rest through the normal internet connection.

Is this possible? I have tried searching but can't really find anything.
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 181

PostPosted: Fri Jan 19, 2018 8:36    Post subject:
eibgrad wrote:

FWIW, my own PBR scripts take care of this dd-wrt bug and many others.

https://pastebin.com/u/eibgrad/


Thanks for your feedback, I will give it a go as soon as I can.

I'd like to take a look at your script but I get this error:
Quote:
Eibgrad has no public pastes.
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 181

PostPosted: Fri Jan 19, 2018 10:13    Post subject:
@eibgrad: Great, that looks exactly like what I need. Look forward to testing it. Thanks for sharing.
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 181

PostPosted: Fri Jan 19, 2018 17:08    Post subject:
@eibgrad: I have amended the basic version of your script to only send 46.4.175.45 (whatsmyip.com) through the VPN, on 1 device (my server), just to test it's running correctly. However everything seems to be sent through VPN, for all devices. For testing purposes, my desktop returns the same IP as my mobile phone.

Syslog has been enabled, and PBR has been disabled, as per the instructions in the script.

Your script contains the following rule:
add_rule from 192.168.0.2 to 46.4.175.45 # SERVER to www.whatsmyip.com

The openVPN log returns the following:
20180119 17:07:37 I /sbin/ifconfig tun0 10.14.10.10 pointopoint 10.14.10.9 mtu 1500
20180119 17:07:37 /sbin/route add -net 82.102.27.50 netmask 255.255.255.255 gw 86.12.5.1
20180119 17:07:37 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.14.10.9
20180119 17:07:37 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.14.10.9
20180119 17:07:37 /sbin/route add -net 10.14.10.1 netmask 255.255.255.255 gw 10.14.10.9

My LAN is configured on 192.168.0.x

Other than uploading the amended file to my router (/jffs), chmod +x and adding the entry in the startup script, is there anything I need to do?
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 181

PostPosted: Fri Jan 19, 2018 17:41    Post subject:
Initially I had not enabled jffs but stored the script on the usb drive (/opt) instead.

Having enabled /jffs and copied the file across to there I now have my ISP ip address rather than the VPN address.
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 181

PostPosted: Fri Jan 19, 2018 20:57    Post subject:
Ah, I think I get you now. Sorry, I misunderstood (didn't think it through).

I have now added 'route-noexec' to the additional config, added the route I want in your script - and it looks like it is working now.

A quick question though - do I need to reboot the server every time I say add an entry in the rules, or can it be done without a reboot? (I suspect the answer is that the startup copies the file into /tmp/ovpn_split, etc, but thought I'd check.)
The_Drizzt
DD-WRT Novice


Joined: 14 Apr 2021
Posts: 6

PostPosted: Wed Apr 14, 2021 15:36    Post subject:
Hi scope2,

I hope so much you are still there!
Three years ago you had exactly the problem that I am about to fix now...

You wrote:
I have configured the DD-WRT router to only route traffic from one of my machines (AppleTV) through VPN using the policy based routing setting and it works fine.

I would however like to only route certain destinations (for example www.google.com) through the VPN, the rest through the normal internet connection..

Is this possible? I have tried searching but cant really find anything.


You seem to have found a solution for this, but the solution is offline now...

May you send me screenshots of your configuration or so?
That would be awesome!

Best regards
Julian
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14216
Location: Texas, USA

PostPosted: Wed Apr 14, 2021 16:05    Post subject:
Thanks for resurrecting this thread with missing content from @eibgrad due to a major oops that I inflicted on the forum inadvertently last year. Unfortunately, I can't even find the missing content on web.archive.org, so it's a complete loss unless someone remembers what the solution was.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12881
Location: Netherlands

PostPosted: Wed Apr 14, 2021 16:26    Post subject:
For simple things see the policy based routing guide.

For complicated things one of @eibgrad's scripts, and you can also take a look at IPSET.

See the stickies in this forum.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 181

PostPosted: Thu Apr 15, 2021 10:31    Post subject:
@The_Drizzt: I have replied to your PM.

I believe this is the script in question:

https://pastebin.com/nC27ETsp
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Apr 15, 2021 15:30    Post subject:
PBR (policy based routing) is NOT required (nor even desirable) if all you need to do is control *destination* IPs. PBR is primarily intended to control how *source* IPs are routed wrt the WAN vs. VPN. Using PBR has the often undesirable side-effect of removing the router itself from the VPN, which can lead to things like DNS leaks.

For the purposes of controlling destination IPs, all you need to do is create static routes (in the form of route directives in the Additional Config field of the OpenVPN client) to bind those IPs to either the WAN or VPN.

Code:
route www.google.com 255.255.255.255 net_gateway
route www.cnet.com 255.255.255.255 vpn_gateway


net_gateway and vpn_gateway are OpenVPN reserved words, and will be replaced by OpenVPN w/ the appropriate value for the WAN and VPN gateway, respectively, at runtime.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
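A check for the route directives described above, added here as an example (not eibgrad's script nor DD-WRT's own code): it reads the OpenVPN client log lines DD-WRT writes to syslog, as quoted in scope2's earlier post, and reports whether the pushed redirect-gateway (the two /1 routes) took effect, which pulls every destination into the tunnel, or whether route-nopull rejected it so that only the intended host routes go via the VPN gateway. The first log sample is taken from scope2's post; the second is constructed to show the intended outcome.

```python
import re
from typing import Dict, List, Tuple

# "redirect-gateway def1" is implemented as two /1 routes via the VPN gateway. If both
# are present, ALL traffic uses the tunnel regardless of any host routes you added.
DEF1_HALVES = {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")}

IFCONFIG_RE = re.compile(r"/sbin/ifconfig tun\d+ \S+ pointopoint (\S+)")
ROUTE_RE = re.compile(r"/sbin/route add -net (\S+) netmask (\S+) gw (\S+)")
REJECTED_RE = re.compile(r"option 'redirect-gateway' cannot be used in this context")


def analyze_log(lines: List[str]) -> Dict[str, object]:
    """Summarise which routes the OpenVPN client actually installed."""
    vpn_gw = None
    routes: List[Tuple[str, str, str]] = []
    push_rejected = False  # True once route-nopull has discarded the pushed redirect
    for line in lines:
        if m := IFCONFIG_RE.search(line):
            vpn_gw = m.group(1)  # peer address of the tun device is the VPN gateway
        elif m := ROUTE_RE.search(line):
            routes.append(m.groups())
        elif REJECTED_RE.search(line):
            push_rejected = True
    via_vpn = {(net, mask) for net, mask, gw in routes if gw == vpn_gw}
    return {
        "vpn_gateway": vpn_gw,
        "full_tunnel": DEF1_HALVES <= via_vpn,
        "push_redirect_rejected": push_rejected,
        "hosts_via_vpn": sorted(n for n, mask in via_vpn if mask == "255.255.255.255"),
        "hosts_via_wan": sorted(n for n, mask, gw in routes if mask == "255.255.255.255" and gw != vpn_gw),
    }


# Log lines quoted from scope2's post above (everything ended up in the tunnel).
FULL_TUNNEL_LOG = [
    "20180119 17:07:37 I /sbin/ifconfig tun0 10.14.10.10 pointopoint 10.14.10.9 mtu 1500",
    "20180119 17:07:37 /sbin/route add -net 82.102.27.50 netmask 255.255.255.255 gw 86.12.5.1",
    "20180119 17:07:37 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.14.10.9",
    "20180119 17:07:37 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.14.10.9",
    "20180119 17:07:37 /sbin/route add -net 10.14.10.1 netmask 255.255.255.255 gw 10.14.10.9",
]

# Constructed lines: route-nopull rejects the pushed redirect and only the whatsmyip host route uses the tunnel.
SPLIT_TUNNEL_LOG = [
    "20180119 20:50:01 I /sbin/ifconfig tun0 10.14.10.10 pointopoint 10.14.10.9 mtu 1500",
    "20180119 20:50:01 N Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])",
    "20180119 20:50:01 /sbin/route add -net 82.102.27.50 netmask 255.255.255.255 gw 86.12.5.1",
    "20180119 20:50:01 /sbin/route add -net 46.4.175.45 netmask 255.255.255.255 gw 10.14.10.9",
]
```

Run `analyze_log` over the lines from the OpenVPN log page after each change to the Additional Config; `full_tunnel` should be False and `hosts_via_vpn` should list exactly the destinations you bound to vpn_gateway.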
The_Drizzt
DD-WRT Novice


Joined: 14 Apr 2021
Posts: 6

PostPosted: Mon Apr 19, 2021 7:50    Post subject:
Wow, thank you for your great support!!!
I will test these things out asap and will let you know if it worked out.

Best regards
atifak
DD-WRT Novice


Joined: 02 Apr 2021
Posts: 14

PostPosted: Tue Apr 20, 2021 5:46    Post subject:
If all you need to do is monitor *destination* IPs, PBR isn't needed. PBR's main purpose is to monitor how IPs are routed between the WAN and the VPN. Using PBR has the unintended consequence of disconnecting the router from the VPN, which can result in DNS leaks.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12881
Location: Netherlands

PostPosted: Tue Apr 20, 2021 6:25    Post subject:
Policy Based Routing:

Quote:
When using a VPN normally all traffic is routed via the VPN (if the VPN server pushes the redirect default gateway).
You can however have a choice from which clients (sources) or to which IP addresses (destination) you want to route
via the VPN or the WAN.
This is done with the help of Policy Based Routing (PBR)


Policy Based Routing is just that, routing using a policy; it is not synonymous with source based routing. It also comprises destination based routing and as such is covered in the Policy Based Routing guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686

and of course there are references to @eibgrad's sophisticated scripts

The_Drizzt
DD-WRT Novice


Joined: 14 Apr 2021
Posts: 6

PostPosted: Mon Apr 26, 2021 11:11    Post subject: My solution so far
Hi Folks,
I spent a couple of hours yesterday to get this thing to work and now it seems I found my solution! Some things are still weird (take a look at my OpenVPN log, some IPs have been replaced manually), but now I am routing my VPN only to a specific domain that you can see in my additional config and the rest is going through my ISP directly. That's what I wanted.
Somehow I can't connect to Switzerland (Private Internet Access) since yesterday, but that seems to be an issue with PIA. I just double-checked that with other countries, which are all instantly working.
Is there anything else I need to check?

Firmware: DD-WRT v3.0-r44715 std (11/03/20)

VPN
Additional config:
persist-key
persist-tun
tls-client
remote-cert-tls server
pull-filter ignore "auth-token"
route dein-ip-check.de 255.255.255.255 vpn_gateway
route speedtest.net 255.255.255.255 vpn_gateway
route-nopull

Clientlog:
19700101 01:00:53 W WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
19700101 01:00:53 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19700101 01:00:53 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
19700101 01:00:53 I OpenVPN 2.5.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 3 2020
19700101 01:00:53 I library versions: OpenSSL 1.1.1h 22 Sep 2020 LZO 2.09
19700101 01:00:53 MANAGEMENT: TCP Socket listening on [AF_INET]xx.xx.xx.xx
19700101 01:00:53 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19700101 01:00:53 I TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1198
19700101 01:00:53 Socket Buffers: R=[180224->180224] S=[180224->180224]
19700101 01:00:53 I UDPv4 link local: (not bound)
19700101 01:00:53 I UDPv4 link remote: [AF_INET] xx.xx.xx.xx:1198
19700101 01:00:53 TLS: Initial packet from [AF_INET] xx.xx.xx.xx:1198
sid=81b048e4 66e0941a
19700101 01:00:53 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
19700101 01:00:53 N VERIFY ERROR: depth=0 error=certificate is not yet valid: C=US ST=CA L=LosAngeles O=Private Internet Access OU=Private Internet Access CN=tirana401 name=tirana401 serial=94565967192
19700101 01:00:53 N OpenSSL: error:1416F086:lib(20):func(367):reason(134)
19700101 01:00:53 N TLS_ERROR: BIO read tls_read_plaintext error
19700101 01:00:53 NOTE: --mute triggered...
19700101 01:00:53 2 variation(s) on previous 3 message(s) suppressed by --mute
19700101 01:00:53 I SIGUSR1[soft tls-error] received process restarting
19700101 01:00:53 Restart pause 5 second(s)
20210426 12:49:06 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20210426 12:49:06 I TCP/UDP: Preserving recently used remote address: [AF_INET] xx.xx.xx.xx:1198
20210426 12:49:06 Socket Buffers: R=[180224->180224] S=[180224->180224]
20210426 12:49:06 I UDPv4 link local: (not bound)
20210426 12:49:06 I UDPv4 link remote: [AF_INET] xx.xx.xx.xx:1198
20210426 12:49:06 TLS: Initial packet from [AF_INET] xx.xx.xx.xx:1198
sid=bed03683 a04c9b9a
20210426 12:49:06 VERIFY KU OK
20210426 12:49:06 Validating certificate extended key usage
20210426 12:49:06 NOTE: --mute triggered...
20210426 12:49:06 4 variation(s) on previous 3 message(s) suppressed by --mute
20210426 12:49:06 I [tirana401] Peer Connection Initiated with [AF_INET] xx.xx.xx.xx:1198
20210426 12:49:07 SENT CONTROL [tirana401]: 'PUSH_REQUEST' (status=1)
20210426 12:49:07 PUSH: Received control message: 'PUSH_REPLY comp-lzo no redirect-gateway def1 route-ipv6 2000::/3 dhcp-option DNS 10.0.0.243 route-gateway 10.11.112.1 topology subnet ping 10 ping-restart 60 ifconfig xx.xx.xx.xx 255.255.255.0 peer-id 6'
20210426 12:49:07 N Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
20210426 12:49:07 N Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
20210426 12:49:07 N Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
20210426 12:49:07 OPTIONS IMPORT: timers and/or timeouts modified
20210426 12:49:07 OPTIONS IMPORT: compression parms modified
20210426 12:49:07 OPTIONS IMPORT: --ifconfig/up options modified
20210426 12:49:07 NOTE: --mute triggered...
20210426 12:49:07 3 variation(s) on previous 3 message(s) suppressed by --mute
20210426 12:49:07 Using peer cipher 'AES-128-CBC'
20210426 12:49:07 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
20210426 12:49:07 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
20210426 12:49:07 NOTE: --mute triggered...
20210426 12:49:07 2 variation(s) on previous 3 message(s) suppressed by --mute
20210426 12:49:07 net_route_v4_best_gw query: dst 0.0.0.0
20210426 12:49:07 net_route_v4_best_gw result: via 192.168.178.1 dev eth0
20210426 12:49:07 I TUN/TAP device tun1 opened
20210426 12:49:07 I net_iface_mtu_set: mtu 1500 for tun1
20210426 12:49:07 I net_iface_up: set tun1 up
20210426 12:49:07 I net_addr_v4_add: xx.xx.xx.xx dev tun1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 net_route_v4_add: xx.xx.xx.xx via xx.xx.xx.xx dev [NULL] table 0 metric -1
20210426 12:49:07 I Initialization Sequence Completed
20210426 12:55:53 MANAGEMENT: Client connected from [AF_INET] xx.xx.xx.xx
20210426 12:55:53 D MANAGEMENT: CMD 'state'
20210426 12:55:53 MANAGEMENT: Client disconnected
20210426 12:55:53 MANAGEMENT: Client connected from [AF_INET] xx.xx.xx.xx
20210426 12:55:53 D MANAGEMENT: CMD 'state'
20210426 12:55:53 MANAGEMENT: Client disconnected
20210426 12:55:53 MANAGEMENT: Client connected from [AF_INET] xx.xx.xx.xx
20210426 12:55:53 D MANAGEMENT: CMD 'state'
20210426 12:55:53 MANAGEMENT: Client disconnected
20210426 12:55:53 MANAGEMENT: Client connected from [AF_INET] xx.xx.xx.xx
20210426 12:55:53 D MANAGEMENT: CMD 'status 2'
20210426 12:55:53 MANAGEMENT: Client disconnected
20210426 12:55:53 MANAGEMENT: Client connected from [AF_INET] xx.xx.xx.xx
20210426 12:55:53 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00