Posted: Tue Jan 29, 2019 19:28 Post subject: ovpn client PBR with port-specific exception to WAN
Gents,
I know this particular request has been covered several times as my searching has many results.
However, since this isn't a baked-in feature of dd-wrt and seems to require either Eibgrad's script or additional repo downloads to get iptables, I am going to see if this can be made clearer for those of us less Linux savvy.
I am also adding a diagram showing what I would like to achieve.
Router:
R7800 Atheros chipset
Kong build: 38340M (1_20_2019 test build)
Standard IP scope (192.168.1.0/24)
ovpn client (nordvpn)
Using the PBR field for 1 client to use vpn (192.168.1.19)
I am happy to do all the PBR via the FW rules/iptables etc. if guided to the proper steps, since the dd-wrt PBR is limited to source or destination IP only.
I need port based PBR at least for this one client device on the LAN so it is remotely available.
I have a Synology NAS which I want remote access to using port 5010.
I have port forwarding enabled for this on the router and I know that is working.
However, since this single client is also PBR to use the Nord ovpn, remote access is lost.
Request from internet coming in over WAN port 5010
but all 192.168.1.19 traffic PBR out the ovpn interface.
= broken remote management.
I do not currently have a USB JFFS drive attached (but I have one and can attach it).
For some of you this is quite simple to fix. I have looked at Eibgrad's script file floating around and honestly understand very little. Not enough to see what it's doing and how to tweak it to my specific needs.
Also read that with Kong's repo the iptables can be used.
Again, more skills that I do not currently have, and with a busy work schedule I don't have much time to devote to the deeper dive.
I am trying to get this working this way since taking my pfSense box out of the picture. In pfSense its easy to do.
Would have gone with the stock firmware for the R7800 but it does not support NordVPN clients.
Thank you in advance.
Mike
_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Wed Jan 30, 2019 9:59 Post subject:
Mike, this is something for @Eibgrad, unfortunately he is MIA.
I am not a networking engineer but will share my thoughts for what it is worth.
It can be done manually but as your VPN is dynamic this does not seem like a good idea.
I suggest using one of @Eibgrad's scripts, as you are dealing with ports you have to use the advanced script.
What it does is create an alternate routing table just like PBR, only it creates table 200 instead of table 10 for PBR.
It adds routes just like PBR is doing.
But traffic is diverted using iptables instead of routing.
A new chain "ovpn_split" is added to the PREROUTING chain of the mangle table:
I would guess you could use this with PBR. Would need to route the mark to the default table and might need to execute when inside the openvpn routeup script that makes the pbr.
Thanks guys,
I will review the suggestions.
As I indicated earlier, very busy with work.
egc,
thank you for providing the script and tweak.
Questions before implementation.
1)
Does
"add_rule -p tcp -s 192.168.1.19 ! --dport 5010"
under the "Begin Rules" section mean this:
add all 192.168.1.19 traffic except tcp port 5010 to go out the ovpn interface?
2)
I am guessing that the argument "!" means "except", would that be correct?
3)
Can I replace tcp with ip for all packets from that client on port 5010 or would I need a 2nd line for udp?
4)
What do the -s, -p, -i arguments do?
I assume -p means "pass" or "port".
I did a quick Google search but didn't find a simple list of those variables.
5)
I want to also force all traffic from .18 over ovpn so the rule would look like this correct?
add_rule -s 192.168.1.18
Thank you in advance egc.
Your time and patience have been much appreciated.
Posted: Sat Feb 02, 2019 16:56 Post subject:
slidermike wrote:
egc,
thank you for providing the script and tweak.
Questions before implementation.
1)
Does a
"add_rule -p tcp -s 192.168.1.19 ! --dport 5010"
under the "Begin Rules" section mean this:
add all 192.168.1.19 traffic except tcp port 5010 to go out the ovpn interface?
That is correct.
slidermike wrote:
2)
I am guessing that the argument "!" means "except", would that be correct?
! means not (except)
slidermike wrote:
3)
Can I replace tcp with ip for all packets from that client on port 5010 or would I need a 2nd line for udp?
No, you need a second rule with udp: add_rule -p udp -s 192.168.1.19 ! --dport 5010
slidermike wrote:
4)
What do the -s, -p, -i arguments do?
I assume -p means "pass" or "port".
I did a quick google search but didnt find a simple list of those variables.
-s: source ip, -p: port, -i: in-interface
slidermike wrote:
5)
I want to also force all traffic from .18 over ovpn so the rule would look like this correct?
add_rule -s 192.168.1.18
Traffic you specify is marked with MARK 1:
Code:
iptables -t mangle -A ovpn_split -p tcp -s 192.168.1.19 ! --dport 5010 -j MARK --set-mark 1
The final step is to "bind" the marked traffic to the alternate routing table with:
Code:
ip rule add fwmark 1 table 200
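As an added example (not the thread's script and not Eibgrad's or egc's code), here is the marking and policy-routing sequence egc describes in this post, written as a small POSIX sh plan generator. Assumed names and values: the VPN interface is tun1, the alternate table is 200, mark 1 means "VPN" and mark 2 means "WAN", and the chain layout follows the iptables listing shown later in the thread (CONNMARK restore, early RETURN, MARK rules, CONNMARK save). By default it only prints the commands (RUN=echo); setting RUN to an empty string on the router executes them. One point worth making explicit: the -p option selects a protocol, which is why the .19 port exception needs one tcp rule and one udp rule; traffic of any other protocol from .19 (ICMP, for instance) matches neither and stays on the WAN path.

```shell
#!/bin/sh
# Added example, not the thread's script: build the ovpn_split mark/route plan.
# Assumed names/values: VPN interface tun1, alternate table 200, mark 1 = VPN,
# mark 2 = WAN. RUN=echo (the default) prints commands; RUN= executes them.
RUN="${RUN-echo}"
VPN_IF="${VPN_IF:-tun1}"
VPN_TABLE=200
VPN_MARK=1
WAN_MARK=2

# add_rule queues an iptables match expression; each queued match is later
# appended to ovpn_split with "-j MARK --set-mark 1" (same helper name as the thread).
RULES=""
add_rule() {
    RULES="${RULES}${RULES:+
}$*"
}

# ------------------------------- BEGIN RULES -------------------------------- #
# 192.168.1.19 (the NAS) goes via the VPN except when the destination port is
# 5010, so inbound port-forwarded sessions can answer over the WAN. -p picks
# one protocol per rule, so TCP and UDP each need their own line; other
# protocols from .19 (ICMP etc.) match neither and would stay on the WAN.
add_rule -p tcp -s 192.168.1.19 ! --dport 5010
add_rule -p udp -s 192.168.1.19 ! --dport 5010
# Hosts/networks that go through the VPN unconditionally (.18 and the guest SSID).
add_rule -s 192.168.1.18
add_rule -s 192.168.2.0/24
# -------------------------------- END RULES --------------------------------- #

plan() {
    # 1. Alternate routing table: everything sent to it leaves via the VPN.
    $RUN ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    # 2. Bind packets carrying the VPN mark to that table.
    $RUN ip rule add fwmark "$VPN_MARK" table "$VPN_TABLE"
    # 3. Classification chain hooked into mangle PREROUTING.
    $RUN iptables -t mangle -N ovpn_split
    $RUN iptables -t mangle -A PREROUTING -j ovpn_split
    # A connection already classified keeps its decision: restore the saved
    # connmark and leave early if it is non-zero.
    $RUN iptables -t mangle -A ovpn_split -j CONNMARK --restore-mark
    $RUN iptables -t mangle -A ovpn_split -m mark ! --mark 0 -j RETURN
    # Packets arriving from the tunnel belong to the VPN side.
    $RUN iptables -t mangle -A ovpn_split -i "$VPN_IF" -j MARK --set-mark "$VPN_MARK"
    # User rules from the block above.
    printf '%s\n' "$RULES" | while IFS= read -r match; do
        [ -n "$match" ] || continue
        # $match is intentionally unquoted: it holds several arguments.
        $RUN iptables -t mangle -A ovpn_split $match -j MARK --set-mark "$VPN_MARK"
    done
    # Whatever is still unmarked is WAN traffic; record the choice on the
    # connection so replies and later packets are handled the same way.
    $RUN iptables -t mangle -A ovpn_split -m mark ! --mark "$VPN_MARK" \
        -j MARK --set-mark "$WAN_MARK"
    $RUN iptables -t mangle -A ovpn_split -j CONNMARK --save-mark
    $RUN ip route flush cache
}

plan
```

Run it as `sh ovpn_split_plan.sh` to review the exact commands first; the tcp rule it prints is the same `iptables -t mangle -A ovpn_split -p tcp -s 192.168.1.19 ! --dport 5010 -j MARK --set-mark 1` quoted above. The CONNMARK save/restore pair is what keeps the port exception consistent: once the first packet of an inbound 5010 session is left unmarked, the rest of that connection follows the same path even though later packets would also be evaluated against the rules.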
Do I need to add the rest of the variables to the script?
This is in the script
"add_rule -p tcp -s 192.168.1.19 ! --dport 5010"
and this is in your instructions
"iptables -t mangle -A ovpn_split -p tcp -s 192.168.1.19 ! --dport 5010 -j MARK --set-mark 1"
To the best of my understanding I installed the script.
Added a couple of lines to it.
Made it executable.
Verified the certain services were configured as instructed and rebooted.
No traffic is going over the vpn tunnel now.
It's all going out the WAN.
Checked it 2 more times, rebooted 3 additional times and the same results.
The only other thing I have in place is a DNSMASQ FW script to block ads, which I took out completely for testing.
It appears nothing is flowing over the vpn tunnel.
Counters aren't incrementing and the CPU usage isn't spiking, which I see when I use the default PBR and, say, point the .19 client over the VPN.
Here is what I added to ddwrt-ovpn-split-advanced-mike.sh
# ------------------------------- BEGIN RULES -------------------------------- #
add_rule -p tcp -s 192.168.1.18 ! --dport 5010
add_rule -p tcp -s 192.168.1.19 ! --dport 5010
add_rule -s 192.168.1.18
add_rule -s 192.168.2.0/24
The 2.0/24 is a guest ssid
Added to the additional config section of ovpn.
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
route-noexec
Most of that is Nordvpn specific options. The last line is what the script instructions said to add.
root@R7800:/# ls jffs/
ddwrt-ovpn-split-advanced-mike.sh
Posted: Mon Feb 04, 2019 21:55 Post subject:
Sorry I did not respond sooner, I had urgent matters to attend to.
First thing is to check if the script is running.
Unfortunately the script is not in debug mode by default and I forgot to enable it.
In the script near the top is the line:
Code:
#DEBUG= # uncomment/comment to enable/disable debug mode
Remove the first # so that the line will be:
Code:
DEBUG= # uncomment/comment to enable/disable debug mode
Now you can see what the script is doing in syslog (of course syslog must be enabled).
If the script does not run, check if it is set as executable and, if you use a Windows editor, check that there are no <CR> at the end of the lines (if you are not familiar with this I will give detailed instructions).
If the script runs without errors, the next thing is to see if the routing tables are created and the iptables rules are implemented; show output of:
So i put the script back onto the router.
Used nano on the router to edit & save the script changes.
Enabled debug.
Then made the script executable.
Verified steps 6-9, saved and rebooted the router.
Still appears everything is going out the wan interface.
Got the log output and command line output requested.
I don't know how to verify the script is executable now or how to see if it ran (or didn't) in the logs.
Posted: Thu Feb 07, 2019 12:56 Post subject:
I just revised the script, attached a revision.
The data you sent indicate that the script has not run.
It ran fine on my R6400 with the latest Kong build.
But let's take it step by step.
Set up your router and the VPN client.
Check that the VPN client is running and traffic is sent via the VPN
In the Additional config of the VPN client add:
Code:
route-noexec
Check that traffic is now routed via the WAN
Unzip script and place in /jffs of your USB stick
(probably redundant do not enable JFFS2 support on Administration tab)
run script from the command line:
Code:
/jffs/ddwrt-ovpn-split-advanced-mike.sh
See if any error is thrown.
After about 30-60 seconds check if the script has run with:
Code:
iptables -vnL ovpn_split -t mangle
You should see your rules implemented:
Quote:
root@R6400v2:~# iptables -vnL ovpn_split -t mangle
Chain ovpn_split (1 references)
pkts bytes target prot opt in out source destination
18 1098 CONNMARK 0 -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
12 626 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 mark match !0x0
0 0 MARK 0 -- tun1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
0 0 MARK 0 -- * * 192.168.1.18 0.0.0.0/0 MARK set 0x1
0 0 MARK tcp -- * * 192.168.1.19 0.0.0.0/0 tcp dpt:!5010 MARK set 0x1
6 472 MARK 0 -- * * 0.0.0.0/0 0.0.0.0/0 mark match !0x1 MARK set 0x2
6 472 CONNMARK 0 -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
root@R6400v2:~#
As I have enabled debugging you can see the execution of the script also in syslog.
I have tested with my setup and it works with a simple IP address, I have not tested it with the port exclusion you are implementing.
I am curious to know if it is going to work for you.
If it works you can add it to Administration/Commands and save as Startup.
For posterity there is actually a flaw in the script, hard to believe knowing @Eibgrad's skills.
But if you disable the use of an external rule file then the internal rules from the script are not executed because the invocation of the add_rules() is too deeply nested.
Disclaimer: my coding days are long gone so I could be totally wrong
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
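Two checks come up in this thread that Mike asked how to perform: whether the script file is actually runnable (executable bit set, no Windows <CR> line endings, as egc notes in the earlier post) and whether the rules landed in the ovpn_split chain (the `iptables -vnL ovpn_split -t mangle` listing above). The following is an added example, not code from the thread or from the script, of a small POSIX sh helper that performs both. The iptables listing embedded in it is a sample constructed from the output egc posted; the chain name ovpn_split and the mark values 0x1/0x2 are taken from that listing, and the counter summary is what tells you whether anything has matched yet (the "counters aren't incrementing" symptom from earlier in the thread).

```shell
#!/bin/sh
# Added example, not part of the thread: "did the script run?" checks.
# check_script: file exists, is executable and has no CR line endings.
# chain_* / *_pkts: inspect saved `iptables -vnL ovpn_split -t mangle` output.

# Returns 0 if the file contains carriage returns (typical of a Windows editor).
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Strips CRs in place, keeping the file's mode; returns 0 on success.
fix_crlf() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Prints findings; returns 0 only if the script is ready to run.
check_script() {
    ok=0
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    [ -x "$1" ] || { echo "not executable: $1 (chmod +x it)"; ok=1; }
    if has_crlf "$1"; then echo "CR line endings in $1 (run fix_crlf)"; ok=1; fi
    return $ok
}

# Sample listing constructed from the output posted in the thread.
SAMPLE_OUTPUT='Chain ovpn_split (1 references)
 pkts bytes target     prot opt in     out     source               destination
   18  1098 CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
   12   626 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            mark match !0x0
    0     0 MARK       0    --  tun1   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
    0     0 MARK       0    --  *      *       192.168.1.18         0.0.0.0/0            MARK set 0x1
    0     0 MARK       tcp  --  *      *       192.168.1.19         0.0.0.0/0            tcp dpt:!5010 MARK set 0x1
    6   472 MARK       0    --  *      *       0.0.0.0/0            0.0.0.0/0            mark match !0x1 MARK set 0x2
    6   472 CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save'

# chain_exists OUTPUT: 0 if the chain header is present (the script created it).
chain_exists() {
    printf '%s\n' "$1" | grep -q '^Chain ovpn_split '
}

# chain_has_rule OUTPUT SOURCE MATCHTEXT: 0 if a rule for SOURCE carries MATCHTEXT.
chain_has_rule() {
    printf '%s\n' "$1" | grep -F -- "$2" | grep -Fq -- "$3"
}

# Packets marked for the VPN (mark 0x1) and packets left on the WAN (mark 0x2).
vpn_pkts() { printf '%s\n' "$1" | awk '/MARK set 0x1/ { s += $1 } END { print s + 0 }'; }
wan_pkts() { printf '%s\n' "$1" | awk '/MARK set 0x2/ { s += $1 } END { print s + 0 }'; }

# Human-readable verdict; returns 0 if the chain exists and holds the NAS rule.
report() {
    out="$1"
    if ! chain_exists "$out"; then
        echo "ovpn_split chain missing: the script has not run"
        return 1
    fi
    echo "VPN-marked packets: $(vpn_pkts "$out"), WAN packets: $(wan_pkts "$out")"
    chain_has_rule "$out" 192.168.1.19 'tcp dpt:!5010' || {
        echo "NAS port exception rule not found"; return 1; }
    if [ "$(vpn_pkts "$out")" -eq 0 ]; then
        echo "rules present but nothing matched yet: send traffic from a VPN client and re-check"
    fi
    return 0
}

report "$SAMPLE_OUTPUT"
```

On the router you would call `check_script /jffs/ddwrt-ovpn-split-advanced-mike.sh` and then `report "$(iptables -vnL ovpn_split -t mangle 2>/dev/null)"`. An empty chain listing (the command errors out because the chain does not exist) means the script never ran; a listing whose MARK 0x1 counters stay at zero while the 0x2 counter grows means the rules are in place but nothing from the selected clients is passing through them, which is the pattern Mike described.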