[SOLVED] openvpn client from command line and ip routing

louierh70
DD-WRT User


Joined: 19 May 2018
Posts: 51

PostPosted: Fri May 25, 2018 14:54    Post subject: [SOLVED] openvpn client from command line and ip routing
Hi,

First off, I just want to say that I've spent several days going through the suggested solutions to this problem and I really tried my best to solve it by myself without wasting any of your time here answering a question that has been asked before.

Basically, what I want to do is to run two openvpn clients, each client connecting to a different server, and then direct clients to the corresponding vpn server based on their IP address, which I will do using virtual interfaces. But before doing that, I want to do a simple test using just one IP address.

Router: TP Link Archer C9 V1
DD WRT Firmware: DD-WRT v3.0-r33375 std (09/19/17)
VPN Provider: NordVPN

I simply used a modified script from NordVPN and put this in my start up:

PROTO="udp"
TUN="tun1"
REMOTE="remote 195.242.213.148 1194"

CA_CRT='-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----'

TLS_AUTH='-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----'

#### Don't modify below here, except the "auth sha512" line ####

#### Ensure gui client disabled ####
if [ `nvram get openvpncl_enable` != 0 ]; then
nvram set openvpncl_enable=0
nvram commit
sleep 10
fi

mkdir /tmp/vpncl; cd /tmp/vpncl

echo -e "$USERNAME\n$PASSWORD" > userpass.txt

echo "192.168.5.100/24" > policy_ips

echo "#!/bin/sh
iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE" > route-up.sh

echo "#!/bin/sh
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE" > route-down.sh

echo "$CA_CRT" > ca.crt
echo "$TLS_AUTH" > tls-auth.key
sleep 10

echo "client
dev $TUN
proto $PROTO

$REMOTE
resolv-retry infinite
nobind
route-noexec

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

persist-key
persist-tun
keepalive 5 30

comp-lzo
mute 20
verb 3
log-append vpn.log
fast-io

auth-user-pass userpass.txt
script-security 2
remote-cert-tls server
cipher AES-256-CBC
# if the server is relatively new and uses sha512, uncomment the line below
auth sha512

ca ca.crt
tls-auth tls-auth.key 1

daemon" > openvpn.conf

chmod 600 policy_ips ca.crt tls-auth.key userpass.txt openvpn.conf; chmod 700 route-up.sh route-down.sh

(killall openvpn ; openvpn --config openvpn.conf --route-up /tmp/vpncl/route-up.sh --down /tmp/vpncl/route-down.sh --down-pre) &

exit 0


As a modification to the script, I added route-noexec.

With that script, the vpn connects successfully but nothing goes through the vpn, which I think is because of route-noexec. Without it, all connected clients go through the vpn.

Now, I want to add the ip routing but I'm doing this from the command line so that I can see what is happening.

Immediately after reboot, I check ip route show:
default via 192.168.2.1 dev vlan2
10.8.8.0/24 dev tun1 proto kernel scope link src 10.8.8.247
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev vlan2 proto kernel scope link src 192.168.2.115

root@DD-WRT:~# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default

Then I execute this command:
ip rule add from 192.168.1.120/32 table 200

then:
iroot@DD-WRT:~# ip route add default via 10.8.8.0 dev tun1 table 200
RTNETLINK answers: Invalid argument

So, I'm stuck with the Invalid argument.

I'm not sure if I'm doing this right and I hope someone can help me.

Thanks in advance!


Last edited by louierh70 on Fri May 25, 2018 21:27; edited 2 times in total
louierh70
DD-WRT User


Joined: 19 May 2018
Posts: 51

PostPosted: Fri May 25, 2018 16:55    Post subject:
Thank you so much for your reply!

So, I added your suggestions to my route-up script and this is how it looks now:

echo "#!/bin/sh
iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE
ip rule add from 192.168.1.120/24 table 200
ip route add default via $route_vpn_gateway dev $dev table 200
ip route flush cache" > route-up.sh

echo "#!/bin/sh
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
ip rule del from 192.168.1.120/24 table 200
ip route del default dev tun1 table 200" > route-down.sh

I also replaced route-noexec with pull-filter ignore "redirect-gateway"

This is now what happens:

If I set my PC to a static IP address of 192.168.1.120, there is no internet connection
If I set my PC to DHCP, check my assigned IP is 192.168.1.120, it connects to the internet but is not connected via the VPN tunnel.

In my OSX, there is another option to use DHCP with Manual IP. I set my IP to 192.168.1.120 and there is no internet.

Am I setting the IP addresses incorrectly?

root@DD-WRT:/tmp/vpncl# ip rule show
0: from all lookup local
32765: from 192.168.1.120/24 lookup 200
32766: from all lookup main
32767: from all lookup default

root@DD-WRT:/tmp/vpncl# ip route show
default via 192.168.2.1 dev vlan2
10.8.8.0/24 dev tun1 proto kernel scope link src 10.8.8.247
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev vlan2 proto kernel scope link src 192.168.2.115

from my mac:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 84:38:35:5f:b4:6c
inet6 fe80::104f:d56d:34fe:940e%en0 prefixlen 64 secured scopeid 0x4
inet 192.168.1.120 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
louierh70
DD-WRT User


Joined: 19 May 2018
Posts: 51

PostPosted: Fri May 25, 2018 17:06    Post subject:
Thank you! I'm testing this now.

For now, I just want one IP address but eventually once I have confirmed that it's working, I will change it to all IP addresses in a subnet. I suppose then it will be 192.168.5.100/24 for all ip addresses in that subnet?

I'm changing my script now and will get back to you.

Thank you so much.
louierh70
DD-WRT User


Joined: 19 May 2018
Posts: 51

PostPosted: Fri May 25, 2018 17:13    Post subject:
I updated the ip address on the route-up script to 192.168.1.120

The same result
If I use DHCP, check that my assigned IP is 192.168.1.120, there is internet but not connected via VPN

If I set my IP address manually to 192.168.1.120, I can't connect to the internet

ip route show table 200 doesn't return anything!

root@DD-WRT:/tmp/vpncl# ip route show table 200

root@DD-WRT:/tmp/vpncl# ip route show
default via 192.168.2.1 dev vlan2
10.8.8.0/24 dev tun1 proto kernel scope link src 10.8.8.247
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev vlan2 proto kernel scope link src 192.168.2.115

root@DD-WRT:/tmp/vpncl# ip rule show
0: from all lookup local
32765: from 192.168.1.120 lookup 200
32766: from all lookup main
32767: from all lookup default
louierh70
DD-WRT User


Joined: 19 May 2018
Posts: 51

PostPosted: Fri May 25, 2018 17:49    Post subject:
I added the escape characters and after reboot, I checked the contents of route-up.sh:

#!/bin/sh
iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE
ip rule add from 192.168.1.120/24 table 200
ip route add default via $route_vpn_gateway dev $dev table 200
ip route flush cache

then I checked ip route show table 200 and it still returns nothing.

I don't understand why table 200 remains empty.
louierh70
DD-WRT User


Joined: 19 May 2018
Posts: 51

PostPosted: Fri May 25, 2018 18:39    Post subject:
I simplified the command as you suggested and now it works! It is able to route my two devices via VPN or not depending on their IP address.

However, this only worked after I entered the simplified command via command line and hardcoded the gateway address which I got from ifconfig tun1. I mean, as part of the start up script, table 200 remains empty.

In the start up script, I added the escape character, which was good because before that, in the route-up.sh, the variable returned empty. Now with the escape character, you see the variable $route_vpn_gateway in the script.

When I checked on the command line using set | grep route_vpn_gateway, nothing is returned.

root@DD-WRT:/tmp/vpncl# set | grep route_vpn_gateway

root@DD-WRT:/tmp/vpncl# ifconfig tun1
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.8.247 P-t-P:10.8.8.247 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1854 errors:0 dropped:0 overruns:0 frame:0
TX packets:1789 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1311900 (1.2 MiB) TX bytes:325730 (318.0 KiB)

So I think the problem why table 200 is empty is because the variable route_vpn_gateway is empty. What could be the problem?

But at least part of script is working now. I just need to find a way to get the gateway as a variable in the script but as a workaround I can hardcode it after start up.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12888
Location: Netherlands

PostPosted: Fri May 25, 2018 19:36    Post subject:
Just an idea: the variable can only be called from openVPN so write the line to the route-up script:

Code:
ip route add default via $route_vpn_gateway table 200 > route-up.sh


Also be sure to disable Shortcut Forwarding Engine on the Setup page; there are some bugs which can prevent PBR with SFE.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
louierh70
DD-WRT User


Joined: 19 May 2018
Posts: 51

PostPosted: Fri May 25, 2018 19:53    Post subject:
Thank you! I will try that now.

Meanwhile, I have already set up a virtual interface and have been able to direct traffic from that virtual interface only to use VPN; other clients not using the virtual interface go directly to my ISP. Of course, I still have to run the ip route command manually and hard code the gateway.

But I will try your suggestion now and report back.

Thank you so much for your help! Without your input, I would still be stuck!
louierh70
DD-WRT User


Joined: 19 May 2018
Posts: 51

PostPosted: Fri May 25, 2018 20:45    Post subject:
Hi,

I followed your advice and changed the order of the commands and it still returns empty. Are there any environment variables that I should set to be able to get this working? I'm using a terminal with basic settings in MacOS.

Meanwhile, I could get the Gateway by using this:

route_vpn_gateway=$(ip route list table main | awk '/tun1/ { print $9}')

But this is from the command line, so after the vpn tunnel is established. For some reason, the value for the gateway is not available until after it's connected. I don't know if this is normal and what can be done to get it as part of route-up.sh

I tried adding $(ip route list table main | awk '/tun1/ { print $9}') in my route-up.sh but it returned empty, meaning the gateway is not available until after the vpn is connected. What do you think?
louierh70
DD-WRT User


Joined: 19 May 2018
Posts: 51

PostPosted: Fri May 25, 2018 20:46    Post subject:
I didn't see your reply until after I sent my previous message. Will try your new suggestions now.

Thank you for your patience!
louierh70
DD-WRT User


Joined: 19 May 2018
Posts: 51

PostPosted: Fri May 25, 2018 21:20    Post subject:
So finally, this is working!

I still used the pull-filter and referenced $ifconfig_local and table 200 now shows the gateway!

This was the solution to all my problems with routing!
#!/bin/sh
iptables -A POSTROUTING -t nat -o $dev -j MASQUERADE
ip route add default via $ifconfig_local dev $dev table 200
ip rule add from 192.168.1.120 table 200
ip route flush cache

Thank you so much for this! I would never have found the solution without your help!

I will now set up my second instance of openvpn client connecting to another server and hopefully I won't encounter any problems anymore.
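The recurring problem in this thread is that the startup script writes route-up.sh with echo "..." and the shell expands $route_vpn_gateway / $dev at write time, long before OpenVPN exists, so the generated script contains an empty string. The following is an added example (not code from the thread or from NordVPN/DD-WRT) showing a generator that escapes the run-time variables so OpenVPN fills them in when it runs --route-up, while substituting the policy source address and table number at write time. It assumes only what the OpenVPN manual documents: --route-up and --down scripts receive dev and ifconfig_local in their environment. POLICY_SRC, TABLE, the directory /tmp/vpncl and the function names are the example's own choices; the generated route-up refuses to touch routing if those variables are missing, and uses del-before-add and ip route replace so a reconnect does not stack duplicate rules.

```shell
#!/bin/sh
# Added example: generate OpenVPN route-up/route-down scripts from a DD-WRT
# startup script without losing OpenVPN's run-time variables.
#
# In an unquoted heredoc, $POLICY_SRC and $TABLE are expanded now (write time),
# while \$dev and \$ifconfig_local are written literally so that OpenVPN,
# which exports them to --route-up/--down scripts, expands them at run time.

POLICY_SRC="192.168.1.120"   # constructed: the LAN client to send through the VPN
TABLE="200"                  # policy-routing table, as used in the thread

# Print the route-up script to stdout.
gen_route_up() {
    cat <<EOF
#!/bin/sh
# Abort if OpenVPN did not supply its variables: better no policy route than a wrong one.
[ -n "\$dev" ] && [ -n "\$ifconfig_local" ] || { echo "route-up: missing OpenVPN env" >&2; exit 1; }
# del-before-add keeps the NAT rule and the policy rule from stacking on reconnects.
iptables -D POSTROUTING -t nat -o "\$dev" -j MASQUERADE 2>/dev/null
iptables -A POSTROUTING -t nat -o "\$dev" -j MASQUERADE
ip route replace default via "\$ifconfig_local" dev "\$dev" table $TABLE
ip rule del from $POLICY_SRC table $TABLE 2>/dev/null
ip rule add from $POLICY_SRC table $TABLE
ip route flush cache
EOF
}

# Print the route-down script to stdout (undo everything route-up added).
gen_route_down() {
    cat <<EOF
#!/bin/sh
iptables -D POSTROUTING -t nat -o "\$dev" -j MASQUERADE
ip rule del from $POLICY_SRC table $TABLE
ip route del default table $TABLE
ip route flush cache
EOF
}

# Write both scripts into the given directory (default /tmp/vpncl) and make
# them executable, the way the startup script in the thread does.
install_scripts() {
    dir="${1:-/tmp/vpncl}"
    mkdir -p "$dir"
    gen_route_up > "$dir/route-up.sh"
    gen_route_down > "$dir/route-down.sh"
    chmod 700 "$dir/route-up.sh" "$dir/route-down.sh"
}

# Self-check: returns 0 only if the generated route-up still contains the
# literal run-time variable names AND the write-time values were substituted.
check_generated() {
    gen_route_up | grep -q 'via "\$ifconfig_local" dev "\$dev" table '"$TABLE" &&
    gen_route_up | grep -q "^ip rule add from $POLICY_SRC table $TABLE\$"
}

if [ "$1" = "install" ]; then
    install_scripts "$2" && check_generated && echo "scripts written to ${2:-/tmp/vpncl}"
fi
```

Run it as `sh gen-vpn-scripts.sh install` from the DD-WRT startup script, then start OpenVPN with `--route-up /tmp/vpncl/route-up.sh --down /tmp/vpncl/route-down.sh --down-pre` as in the thread; `cat /tmp/vpncl/route-up.sh` should show `$ifconfig_local` spelled out rather than an empty `via`.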