Simple script for Policy Based OpenVPN Routing [WORKING]

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4345
Location: Netherlands

PostPosted: Wed Feb 13, 2019 17:42    Post subject: Simple script for Policy Based OpenVPN Routing [WORKING]
Policy Based Routing script for use with builds earlier than 41174

Policy Based Routing is defined as routing not all but only a predefined part of your traffic via VPN.

It is often necessary if you want to connect to your router from the internet for SSH, an OpenVPN server, etc. This is not possible if a VPN client is active on the router, because traffic is entering the router from the WAN and going out via the OVPN client; the firewall will not allow that.

The most common/used PBR is based on source IPs. DDWRT can do this by entering the source IPs of your network in the PBR field of the OVPN client; use CIDR notation to define a range (https://www.ipaddressguide.com/cidr ).
Only the (source) IPs entered in the PBR field are routed out via the VPN.

As I was not satisfied with the state of Policy Based Routing in the OVPN implementation of DDWRT, I decided to add yet another solution.

Besides my PBR implementation below, there are more (advanced) solutions available, advocated and written by @eibgrad; have a look at https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1129398 (the sixth post from @eibgrad).

Ideas for this script are borrowed from the excellent work of @eibgrad to whom I owe much of my "wisdom" Thanks!

The main shortcomings of the DDWRT implementation of PBR are, in my opinion, twofold:
1. Lack of destination based routing (builds after 41103 do not have this shortcoming, see: https://svn.dd-wrt.com/changeset/41103 ).
2. Lack of local routes in the alternate routing tables (builds starting with 41174 do not have this limitation, see https://svn.dd-wrt.com/ticket/6821 , https://svn.dd-wrt.com/ticket/6822 ).

So take note: builds starting with build 41174 do not have the aforementioned limitations and therefore these scripts are no longer necessary; you can set up source- and destination-based PBR with the built-in PBR.
Instructions for setting up can be found at: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686


Destination based routing is standard for OVPN; in the Additional Config of the OpenVPN Client you can enter destinations by IP address or URL and specify whether these should be routed through WAN or VPN, e.g.:
Code:
route 209.222.18.222 255.255.255.255 vpn_gateway # DNS server PIA
route 209.222.18.218 255.255.255.255 vpn_gateway # DNS server PIA
route 204.11.35.98 255.255.255.255 vpn_gateway  #whatsmyip.org
route 95.85.16.212 255.255.255.255 net_gateway # ipleak.net
route 23.239.16.110 255.255.255.255 vpn_gateway #dnsleaktest.com
route 212.58.0.0 255.255.0.0 vpn_gateway  #BBC
route amazon.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255


The second drawback of DDWRT is the lack of local routes in the alternate routing table, meaning that there is no connection between PBR clients and non PBR clients of the local LAN.

Of course we have very sophisticated and ingenious solutions from @Eibgrad but those are very complex and often need external storage as those are too large. But if you need routing per port those are the ones you should use.

I wanted a simple solution which could be placed in Administration/Commands and saved as Startup and yet has standard OVPN destination based routing and has local routes in the alternate routing table. Basically the best of both worlds.

I therefore hacked a script together. As bash is not my native language, any remarks and improvements are welcome.
The script makes an alternate routing table, so in effect you have a default routing table which is routed through the VPN and an alternate routing table which is routed via the WAN.
But you can reverse this by adding in the additional config of the VPN:
pull-filter ignore "redirect-gateway"
When this is entered, the default routing table routes through the WAN and the alternate routing table is routed through the VPN; this is the behaviour which mimics the DDWRT implementation, which starts if you enter IP addresses in the PBR field.
In the script you place the IP addresses you want to route via the alternate routing table in the RULES section; this is an example of a rules section:
Code:
# ------------------------------- BEGIN RULES -------------------------------- #
# specify source ip(s)/network(s)/interface(s) to be rerouted
#add_rule iif br1 # guest network
add_rule from 192.168.1.7 # mary's pc
add_rule from 192.168.1.89  #Laptop 8610
#add_rule from 192.168.1.14
#add_rule from 192.168.2.0/24 # iot network

# specify destination ip(s)/network(s) to be rerouted
#add_rule to 4.79.142.0/24 # grc.com
#add_rule to 172.217.6.142 # maps.google.com

# specify source + destination to be rerouted
#add_rule iif br2 to 121.121.121.121
#add_rule from 192.168.1.14 to 104.25.112.26 # ipchicken.com
#add_rule from 192.168.1.14 to 104.25.113.26 # ipchicken.com
#add_rule from 192.168.1.113 to 45.79.3.202 # infobyip.com
#add_rule from 192.168.1.10 to 122.122.122.122
#add_rule from 192.168.2.0/24 to 133.133.133.0/24
# -------------------------------- END RULES --------------------------------- #


This allows you to enter IP addresses of local clients you want to route via the alternate routing table.
It also allows you to enter destinations you want to reroute and from<>to address pairs to use.

Mind you, all these addresses use the alternate routing table.

This is in contrast to the OVPN destination routing: by specifying net_gateway or vpn_gateway, those addresses always take the designated route, whatever you specify in the rules section.

Instructions for installing:
• Download the attached script (visible when you are logged in)
• Unzip the script
• Decide which should be your standard route, if this is the WAN then enter: pull-filter ignore "redirect-gateway" in the additional config of the OVPN client. Recent BS builds starting with build number 40xxx do not play nice with double quotes ", so just enter: pull-filter ignore redirect-gateway without the double quotes and use version 507 or higher.
• Enter the IP addresses in the rules section which you want to use the alternate route. Be sure to use an editor which does not use windows line endings, like Notepad++, the script only runs when there are no <CR> line endings.
• Copy the whole script and place in Administration/Commands and save as startup.
• Any destinations you want to exclude from the alternate route you can enter in the additional config of the OVPN, like described in the previous section.
• Do not enter anything in the Policy Based Routing field of the OVPN page of the GUI.
• Builds before 39556 have to disable Shortcut Forwarding Engine on Setup page, (https://svn.dd-wrt.com/changeset/39556), builds after 40172 appear to be broken again (https://svn.dd-wrt.com/ticket/6706). From 40459 onwards SFE works again.
• The script runs every 60 seconds as defined by SLEEP=60, to track any changes in OVPN. If you only want to run the script once (you can do that if you do not add pull-filter ignore "redirect-gateway", so that the WAN is used for the alternate routing table), use SLEEP=0, which means the script runs only once (works from version 5.08 and higher).
• When you run the script once, make sure that when you insert the script in the Startup command you start with "SLEEP 60" before the script, to make sure everything is up.
• Reboot the router.

There is also a script version to run as a standalone script; this is the one with "SA" behind (in the file name).
• Unzip and copy to external storage, either USB or JFFS2; copy to /jffs.
• Make the script executable either with WinSCP (right click and under properties enable all [X]) or from the CLI (replace XXX with version number):
Code:
cd /jffs
chmod +x simple-pbr-by-egc-XXX-sa.sh

• Place following command in Administration/Commands (replace XXX with version number):
Code:
sh /jffs/simple-pbr-by-egc-XXX-sa.sh &

• Save as Startup

Changelog
V506 small clean-up
V507 double quotes in pull-filter ignore redirect-gateway optional
v508 When SLEEP=0 the script should run only once
v700 Only for external storage and prepared for automatic kill switch

Experimenting with rules
Before putting more rules in the script, you can see if they work by adding the rules from the CLI (Command Line Interface, i.e. telnet/putty).
Let's say you want to route a client with IP address 10.8.0.2 through the alternate routing table; you just do:
Code:
ip rule add from 10.8.0.2 table 11

you can check with:
Code:
ip rule show

and remove the rule with:
Code:
ip rule del from 10.8.0.2 table 11


This is a work in progress so stay tuned for improved versions.

Troubleshooting
If you have any trouble you can check the following:
Is the script added to Startup, check with: nvram get rc_startup
Is the script made, from CLI do: cat /tmp/simple-pbr.sh
Is the script running? From CLI do: top, and you should see: 1528 1527 root S 1208 0.4 1 0.0 /bin/sh /tmp/simple-pbr.sh
Check default table: ip route show
Check alternate routing table: ip route show table 11
Check rules: ip rule show
Check syslog: grep "pbr" /var/log/messages | tail -n 30

Feel free to PM me if you have questions or remarks.

There can be special circumstances where the script does not work.
The script is not using the default gateway pushed by the OVPN server but instead assumes that the default gateway is just the other side of the OVPN tunnel and that the OVPN server handles the traffic from there on; usually this is the case.
But if you experience problems, check the pushed default gateway against the default gateway in the routing table (thanks @eibgrad for pointing this out).

Note: you can only see and download the attached documents if you are logged in

_________________
Routers: Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135


Last edited by egc on Thu Oct 24, 2019 17:56; edited 46 times in total
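The routing-table mechanics described in the post above, as an added example that is not egc's script and not part of the original post: a dry run of the three steps the simple PBR approach takes with the alternate table (turning the RULES block into ip rule entries, choosing the alternate table's default gateway from the client config, and copying the main table's local routes so PBR and non-PBR LAN clients still see each other). It assumes table id 11 and the RULES syntax from the post; the addresses, interface names, route listing and config text are constructed samples, and IP=echo is a hypothetical dry-run switch (on the router you would set IP=ip and feed it the real ip route show output and /tmp/openvpncl/openvpn.conf).

```shell
#!/bin/sh
# Added example, not egc's script: a dry run of the three things the simple
# PBR approach does with the alternate routing table (table id 11 here):
#   1. turn the RULES block into "ip rule add table 11 ..." entries
#   2. pick the alternate table's default gateway (VPN or WAN)
#   3. copy the main table's local routes into the alternate table
# IP defaults to "echo", so commands are printed, not executed; on the
# router run it with IP=ip to apply them (hypothetical usage).
IP="${IP:-echo}"
TID="${TID:-11}"

# Constructed rules block, same syntax as the script's RULES section.
RULES='# ---- BEGIN RULES ----
add_rule from 192.168.1.7    # pc in the study
add_rule from 192.168.1.89   # laptop
#add_rule from 192.168.1.14
add_rule iif br1             # guest network
add_rule from 192.168.1.14 to 104.25.112.26
# ---- END RULES ----'

add_rule() { $IP rule add table "$TID" "$@"; }

# 1. Apply every active (non-empty, non-comment) line of $RULES.
apply_rules() {
    printf '%s\n' "$RULES" | while read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        line="${line%%#*}"          # drop a trailing "# comment"
        set -- $line                # split the rest into words
        [ "$1" = "add_rule" ] || continue
        shift
        add_rule "$@"
    done
}

# 2. Choose the alternate table's gateway from the client config on stdin
# (/tmp/openvpncl/openvpn.conf on the router).  With pull-filter ignore
# redirect-gateway present (quotes optional, as from v507) the alternate
# table goes via the VPN, otherwise via the WAN.
alt_gateway() {
    vpn_gw="$1"; wan_gw="$2"
    if grep -Eq '^[[:space:]]*pull-filter ignore "?redirect-gateway"?'; then
        echo "$vpn_gw"
    else
        echo "$wan_gw"
    fi
}

set_alt_default() { $IP route add default via "$1" table "$TID"; }

# 3. Copy the local routes (stdin: "ip route show") into the alternate
# table so PBR and non-PBR LAN clients can still reach each other.  The
# default route and the two /1 routes that redirect-gateway def1 installs
# are skipped, because the alternate table gets its own default.
copy_local_routes() {
    grep -Ev '^default |^0.0.0.0/1 |^128.0.0.0/1 ' | while read -r route; do
        $IP route add $route table "$TID"
    done
}

# Constructed samples standing in for the router's real config and table.
SAMPLE_CONF='client
dev tun1
pull-filter ignore redirect-gateway'
SAMPLE_ROUTES='default via 192.168.0.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun1
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

main() {
    # VPN gateway 10.8.0.1 and WAN gateway 192.168.0.1 are sample values;
    # the script derives them from "ifconfig tun1" and "nvram get wan_gateway".
    gw="$(printf '%s\n' "$SAMPLE_CONF" | alt_gateway 10.8.0.1 192.168.0.1)"
    set_alt_default "$gw"
    apply_rules
    printf '%s\n' "$SAMPLE_ROUTES" | copy_local_routes
}
main
```

Running it prints the exact ip commands the alternate table would receive, which is a convenient way to check a rules block before putting it in the Startup script: a commented line or a line with only a comment produces nothing, a from … to … line produces a combined selector, and the two /1 routes never reach table 11.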
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4345
Location: Netherlands

PostPosted: Wed Feb 13, 2019 17:45
DNS LEAK with Policy Based Routing
There are often questions about a DNS leak when using Policy Based Routing.
To (hopefully) answer some questions and to provide some solutions see the attached file in the third post of this thread:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1179254#1179254 (only visible when you are logged in!).

A very nice utility/script has been produced by @eibgrad; this script scans and warns you about DNS leaks, highly recommended. See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319747


Manual Kill Switch for PBR
A kill switch is important, but as you are using PBR you need to block only the IPs which are using the VPN; you can use CIDR notation to specify a range ( https://www.ipaddressguide.com/cidr )

I have my DHCP scope from 192.168.1.64 - 127
I have this scope added to my PBR script so that all DHCP clients will use the VPN.

Furthermore I have a static IP address of 160 and 189 using the VPN.

In Administration/Commands enter:
Code:
iptables -I FORWARD -s 192.168.1.160/32 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.189/32 -o $(nvram get wan_iface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.64/26 -o $(nvram get wan_iface) -m state --state NEW -j REJECT   


This blocks my DHCP scope and addresses 160 and 189 from using the WAN.

Save this as Firewall.

Automatic Kill switch script
As an add-on, I have written an automatic kill script which blocks the IP addresses you entered in the main simple-pbr-script.
This only works with the stand-alone version of the simple-pbr script (v700 and upwards).

There are some things to consider. It works:
Only when the WAN is the default (i.e. if pull-filter ignore "redirect-gateway" is set)
Only the simple IP entries are "killed" (not from … to …)

Always check from CLI with iptables -vnL FORWARD after a reboot if the rules are implemented.

If "VPN_ENABLED_ONLY=1" then the kill switch is not implemented when you disable the VPN client in the GUI. If you always want to block the IP addresses from using the WAN then change to 0.
Note: if you disable the VPN the kill switch rules will only be deleted after a reboot or after: stopservice firewall && startservice firewall from CLI.

There is a failsafe mechanism built in which blocks all WAN access (basically a general kill switch); it kicks in if there are no IP addresses found to block. This is operational if "SAFETY_FIRST=1"; if you do not want that, change it to 0.

Installation instructions:
• Unzip and copy to external storage, either USB or JFFS2; copy to /jffs.
• Make the script executable either with WinSCP (right click and under properties enable all [X]) or from the CLI (replace XXX with version number):
Code:
cd /jffs
chmod +x kill-switch-pbr-egc-700.sh

• Place the following command in Administration/Commands (replace XXX with version number):
Code:
sh /jffs/kill-switch-pbr-egc-XXX.sh &

• Save as Firewall


Watchdog script for VPN client
As you are using PBR the normal watchdog function of DDWRT does not work; you have to do your checking via the VPN tunnel.
For this purpose @Sploit has written a watchdog script see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1093571#1093571

Unfortunately the script kills all OpenVPN instances and thus also your OpenVPN server if you are using that simultaneously with your OpenVPN client.

I will post a revision of that script in that thread which only kills the OpenVPN client.



Last edited by egc on Tue Oct 15, 2019 13:40; edited 14 times in total
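The kill switch idea from the post above, as an added example that is not egc's kill-switch script and not part of the original post: it derives the per-client REJECT rules of the manual kill switch directly from a simple-pbr RULES block, so the list of blocked addresses cannot drift apart from the list of PBR clients. It follows the limits the post states for the automatic version (only plain "add_rule from <address>" entries count, from … to … and iif entries are skipped, and with SAFETY_FIRST=1 a general WAN block is used when no address is found). The rules text, the WAN interface name eth0 and the IPTABLES dry-run variable are constructed assumptions; on the router you would set IPTABLES=iptables and WAN_IF="$(nvram get wan_iface)" and, as the post says, verify with iptables -vnL FORWARD after a reboot.

```shell
#!/bin/sh
# Added example, not egc's kill-switch script: builds the per-client REJECT
# rules of the manual kill switch from the simple-pbr RULES block.  Like the
# post's automatic kill switch it handles only plain "add_rule from <ip>"
# entries ("from ... to ..." and "iif" entries are skipped) and, with
# SAFETY_FIRST=1, blocks all new WAN forwards when no address is found.
# IPTABLES defaults to a dry run; on the router use IPTABLES=iptables and
# WAN_IF="$(nvram get wan_iface)" (hypothetical usage).  Only meaningful
# when the WAN is the default route and the VPN is the alternate table.
IPTABLES="${IPTABLES:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
SAFETY_FIRST="${SAFETY_FIRST:-1}"

# Print the sources of the simple entries: active lines of the form
# "add_rule from <ip or cidr>" whose next word is not "to".
pbr_sources() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "add_rule" && $2 == "from" && $4 != "to" { print $3 }'
}

# Normalise a bare address to /32 so every rule uses CIDR notation.
to_cidr() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# Emit one REJECT rule per source, or the general WAN block when the list
# is empty and SAFETY_FIRST is on.  As in the manual rules only NEW
# connections are rejected, so the VPN-side flows are left untouched.
kill_switch_rules() {
    srcs="$(pbr_sources "$1")"
    if [ -z "$srcs" ]; then
        [ "$SAFETY_FIRST" = 1 ] || return 0
        $IPTABLES -I FORWARD -o "$WAN_IF" -m state --state NEW -j REJECT
        return 0
    fi
    for s in $srcs; do
        $IPTABLES -I FORWARD -s "$(to_cidr "$s")" -o "$WAN_IF" -m state --state NEW -j REJECT
    done
}

# Constructed rules block, same syntax as the script's RULES section.
SAMPLE_RULES='# ---- BEGIN RULES ----
add_rule from 192.168.1.160  # static client
add_rule from 192.168.1.64/26 # DHCP scope
#add_rule from 192.168.1.14
add_rule iif br1
add_rule from 192.168.1.14 to 104.25.112.26
# ---- END RULES ----'

kill_switch_rules "$SAMPLE_RULES"
```

With the sample block this prints two rules, one for 192.168.1.160/32 and one for 192.168.1.64/26; the commented line, the iif entry and the from … to … entry produce nothing, which is exactly the case where the failsafe matters: a block with only such entries would otherwise leave the VPN clients without any kill switch.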
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Mon Feb 18, 2019 20:30
egc,
nicely written up and thanks for another (simple) solution for better PBR.
Just to be clear, if you want port based PBR then it's better to use Eibgrad's more complex script?

Does your script support domains or do you (the end user) have to determine the domain in question's IP scope?
Like youtube.com

Thanks, I will be watching this thread as you tweak it.

Mike

_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode

R7000 specific Tips/Tricks.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=264152
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4345
Location: Netherlands

PostPosted: Mon Feb 18, 2019 21:53
For port based routing you need the more complex solution from @Eibgrad
This solution supports domain/url based routing but it only supports one IP resolution per url/domain.
Sometimes you need to resolve all IP addresses per domain to get things working.
This is possible with either @Eibgrad's special advanced script, which needs IPSET-DNS loaded via Entware, or you can use my script with the brute force method, i.e. resolving a url and then using /16 for excluding IP addresses.
Maybe this needs some more explaining but I am typing it on my phone, currently on holiday in Spain :)

boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 127

PostPosted: Tue Feb 19, 2019 14:28
I successfully activated OVPN client on my dd-wrt router and use one PBR for just IP 192.168.1.100. So far so good.

In LAN connected to my primary router gateway 192.168.2.1
I noticed that I cannot access any IP of dd-wrt, and especially this one running through VPN I would like to access in my LAN; this is an OpenATV SAT receiver.

Is there any simple thing I need to activate? And please, I am a novice.
Would I need to use this script, or can this be done just with a flag to be set in dd-wrt?

Later I would like to create an OVPN router and accessing IPs from both routers would I need to use this script or can this be done with a more simple way?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4345
Location: Netherlands

PostPosted: Tue Feb 19, 2019 15:31
Just saw your thread; the simple answer is: yes, you can use this script. I will answer in more detail in your thread.
boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 127

PostPosted: Tue Feb 19, 2019 16:01
Cool - Thanks a lot, but please novice-like :-)
Maybe you can somehow use this IP 192.168.1.100 in your example so it is easier to understand how that works, and how I could modify when e.g. adding a second IP.
Rest of my DD-WRT settings is fully standard.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4345
Location: Netherlands

PostPosted: Wed Feb 20, 2019 9:07
In the script there is one IP address added:
Code:
add_rule from 192.168.1.89  #Laptop 8610


You can change this rule with
Code:
add_rule from 192.168.1.100  #for boris

After the # is just a comment.

You can add extra lines
In the first post there are more examples.

Maybe my instructions are not clear, it is always difficult to write good instructions, but please read them and let me know what is not clear, so I can improve them.

boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 127

PostPosted: Wed Feb 20, 2019 9:44
Thanks a lot, I will definitely give it a try.
I am currently not at home; on Friday I will check this.
One thing: is this also to be used with the OVPN client and server running, or do I need to modify?
What I would like to achieve is to access the IPs from the DD-WRT router from outside and also in the LAN when connected to another router with a different IP range.
Server is not yet realised; I will try following the documentation as updated by you on the 19th of February.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4345
Location: Netherlands

PostPosted: Wed Feb 20, 2019 9:55
You need Policy Based Routing to run an OpenVPN server and OpenVPN client on the same router simultaneously.

My script is an implementation of PBR but has some advantages over the DDWRT implementation, notably that you can communicate between clients.

But it is designed to be simple so it does not have all the possibilities of more sophisticated methods/scripts.

You can try it and see if it suits your needs

boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 127

PostPosted: Wed Feb 20, 2019 10:06
Sure, and so I need to remove the PBR rule for that IP in the ddwrt GUI, cause this is handled with your script, right?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4345
Location: Netherlands

PostPosted: Wed Feb 20, 2019 10:31
Exactly, keep the PBR field empty; only use the following in the Additional config:
Code:
pull-filter ignore "redirect-gateway"

dispeggy
DD-WRT Novice


Joined: 21 Feb 2019
Posts: 2

PostPosted: Fri Feb 22, 2019 1:22    Post subject: Policy Based Routing on WRT3200ACM
I'm currently running build r37012 on my WRT3200ACM. All is well with the current network and VPN via PIA and the OpenVPN Client. This router was sitting behind a Linksys E4200 with its stock software connected to my cable modem. Goal was to remove the Linksys and use the 3200 for both VPN and non-VPN traffic (only sending one IP to the VPN). I tried setting up Policy Based Routing in the Services > VPN > OpenVPN Client area, placing a single IP there as 192.168.1.30. I also placed the MAC address and this IP in the Services > Services > DHCP Server section under static leases. This ALMOST worked. All computers on non-VPN addresses worked but when using the Windows PC at 1.30, I was able to ping 8.8.8.8 and www.google.com, was able to go to www.google.com via a browser, but wasn't able to open any of the links that were displayed after a google search. I also was only able to go to www.google.com. I did use 8.8.8.8 as one of my DNS settings. Anyone have an idea on what I have missed here? Thanks for any assistance.

One quick edit: Could my problem have been that I didn't use CIDR notation on the IP address and it should have been 192.168.1.30/32? Also, does Shortcut Forwarding Engine need to be disabled? Finally, do I need to run any scripts?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4345
Location: Netherlands

PostPosted: Fri Feb 22, 2019 10:54
CIDR notation is advised, so use /32 for a single address. However DDWRT/Linux is smart enough to add this if you do not specify anything, so it is advised but not necessary.

SFE is not compatible with PBR; you should turn it off on the Setup page. For Broadcom/ARM Linux K4.4 there is a solution which I am using, but I think you are on K4.9 so that probably will not work, but you can always try if needed.

Reboot after changes

You do not need any script if you can live with the limitations, as outlined in my first post, of the DDWRT implementation.

boris03
DD-WRT User


Joined: 17 Jan 2019
Posts: 127

PostPosted: Fri Feb 22, 2019 22:45
Looks promising even though it is not fully working yet; can you please help me here to do the last step.

I activated the OVPN server following your description.
OVPN Server and Client "CONNECTED SUCCESS" >YESSSSSS

I copied the files to my Android phone but connection via cellular isn't successful. What can that be?

And also, even though I added pull-filter ignore "redirect-gateway" to the VPN client additional config and applied your script to commands>startup, the whole traffic runs now through VPN, whereby I set my 192.168.1.100 as the only rule.
In DD-WRT GUI "Redirect default gateway" is "Enabled"

Below my client1.ovpn. I am using UDP port 443 cause this is the same port for the Cyberghost VPN client.
I tried LZO compression "comp-lzo" and "comp-lzo no" in the file - no difference cannot connect to the OVPN server.

Client1.ovpn
client
dev tun
proto udp
remote xxxxxxx 443
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
comp-lzo no
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
ca ca.crt
cert client1.crt
key client1.key

My Additional config in OVPN client
pull-filter ignore "redirect-gateway"
resolv-retry infinite
redirect-gateway def1
persist-key
persist-tun
nobind
cipher AES-256-CBC
auth SHA256
ping 5
ping-exit 60
ping-timer-rem
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500
fragment 1300
mssfix 1300
verb 4
comp-lzo

and your script:
Code:
#!/bin/sh
# For instructions see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1156466#1156466
logger "start pbr script"
cat << "EOF" > "/tmp/simple-pbr.sh"
#!/bin/sh
(
SLEEP=60
TID="11"
VPN_GW_OLD="old"
while :; do
    add_rules() {
        # --------------- BEGIN RULES ---------#
        add_rule from 192.168.1.100 #gigablue
        # --------------- END RULES -----------#
    :;}
    add_rule() {
        ip rule add table $TID "$@"
    }
    logger "pbr no change detected yet, old: $VPN_GW_OLD , new: $VPN_GW"
    VPN_GW="$(ifconfig tun1 | awk '/P-t-P/ {gsub("P-t-P:", "", $3); print $3}')"
    if [ "$VPN_GW_OLD" != "$VPN_GW" ] ; then
        logger "pbr change detected old: $VPN_GW_OLD , new: $VPN_GW"
        VPN_GW_OLD="$VPN_GW"
        while ip rule delete from 0/0 to 0/0 table $TID 2>/dev/null; do true; done
        ip route flush table $TID
        if [ -z "$VPN_GW" ]; then
            logger " $(basename $0) No TUN1 Interface detected "
        else
            if grep -Eq '^[[:space:]]*pull-filter ignore "redirect-gateway"' /tmp/openvpncl/openvpn.conf ; then
                logger " $(basename $0) Pull-filter detected table $TID via VPN"
                ip route add default via $VPN_GW table $TID
            else
                logger " $(basename $0) table $TID via WAN"
                ip route add default via $(nvram get wan_gateway) table $TID
            fi
            add_rules
            ip route show | grep -Ev '^default |^0.0.0.0/1 |^128.0.0.0/1 ' \
            | while read route; do
                ip route add $route table $TID
            done
        fi
        ip route flush cache
    fi
    [ $SLEEP -gt 0 ] && sleep $SLEEP
done
) 2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x "/tmp/simple-pbr.sh"
nohup "/tmp/simple-pbr.sh" > /dev/null 2>&1 &
logger "pbr script executed"


Further I do have some additional questions; I am sure you can help me.

DNS in DD-WRT
I can often read I should use other static DNS 1 and 2, i.e. 8.8.8.8 and 8.8.4.4
My setting shows 0.0.0.0 in all three DNS entries
Is that necessary, what is recommended when using OVPN client and server?