Simple script for Policy Based OpenVPN Routing [WORKING]

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5897
Location: Netherlands

Posted: Thu Aug 08, 2019 11:51
The first posting details how to do that:

Quote:
Destination based routing is standard for OVPN, in the additional config you can enter destinations by IP address or URL and specify whether these should be routed through WAN or VPN e.g:
Code:
route 209.222.18.222 255.255.255.255 vpn_gateway # DNS server PIA
route 209.222.18.218 255.255.255.255 vpn_gateway # DNS server PIA
route 204.11.35.98 255.255.255.255 vpn_gateway #whatsmyip.org
route 95.85.16.212 255.255.255.255 net_gateway # ipleak.net
route 23.239.16.110 255.255.255.255 vpn_gateway #dnsleaktest.com
route 212.58.0.0 255.255.0.0 vpn_gateway #BBC
route amazon.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255


It also details that that is impossible with the standard PBR in DDWRT.

You can use the script as described in the first posting, but Netflix uses so many different and changing IPs that it is very difficult.

Look for a dedicated thread regarding Netflix, you probably need ipset.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 85

Posted: Thu Aug 08, 2019 13:03
Not impossible with standard PBR you just need to script the ip commands to set the routing. All the standard PBR is is a set of routing commands anyway.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5897
Location: Netherlands

Posted: Thu Aug 08, 2019 13:08
portsup wrote:
Not impossible with standard PBR you just need to script the ip commands to set the routing. All the standard PBR is is a set of routing commands anyway.


True but not with the route commands from the VPN

Edit: must even have a script for that lying somewhere :)

MesMurized
DD-WRT Novice


Joined: 08 Aug 2017
Posts: 9

Posted: Tue Sep 10, 2019 0:22
Thanks @egc. Stock method does exactly what I needed. A major learning curve for me - but successful.

Q? Since stock reroutes to WAN, is there a need to have the script running all the time? I can't ever remember my WAN IP changing unless the cable modem is power cycled.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5897
Location: Netherlands

Posted: Tue Sep 10, 2019 9:14
MesMurized wrote:
Thanks @egc. Stock method does exactly what I needed. A major learning curve for me - but successful.

Q? Since stock reroutes to WAN, is there a need to have the script running all the time? I can't ever remember my WAN IP changing unless the cable modem is power cycled.


If you do not add: pull-filter ignore "redirect-gateway" so that the WAN is used as default for the alternate routing table, it usually is not necessary to run the script more than once.

I have made some modifications so that the script runs only once when you specify SLEEP=0.
You can download the new script from the first posting. I have not tested it yet.

Make sure that when you insert the script in the Startup command you add "SLEEP 60" before the script to make sure everything is up.

MesMurized
DD-WRT Novice


Joined: 08 Aug 2017
Posts: 9

Posted: Wed Sep 11, 2019 22:11
@egc 5.08 working great. Thanks
Had to exclude the added PBR entry from the VPN kill switch:

WAN_IF=`nvram get wan_iface`
iptables -I FORWARD ! -s 192.168.1.86 -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD ! -s 192.168.1.86 -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
# REJECT has no "udp-reset" type; icmp-port-unreachable is the valid reject for UDP
iptables -I FORWARD ! -s 192.168.1.86 -i br0 -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable


This works, but only for a single IP. I could use a netmask, but I prefer to not rearrange my DHCP assignments.

Any other suggestions for multiple IPs?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5897
Location: Netherlands

Posted: Thu Sep 12, 2019 8:31
The trick is to make clever use of netmask/CIDR notation: https://www.ipaddressguide.com/cidr

That is why I keep my DHCP at 192.168.1.64 - 127 because it is 192.168.1.64/26

For my static leases I use 16 - 31 which is 192.168.1.16/28 and 160 - 191 which is 192.168.1.160/27.

But indeed you have to restructure things :(

In the coming weeks (if I can find the time) I will make a simple script to automate the kill switch, so stay tuned :)

MesMurized
DD-WRT Novice


Joined: 08 Aug 2017
Posts: 9

Posted: Fri Sep 13, 2019 5:22
Sounds great @egc.

FYI: !!Maybe!! (Was surprised VPN kill must be executed before pbr, else important table 11 entries are deleted. Easy fix: place pbr script after kill in firewall startup

Update: Using 192.168.1.16/31 for 2 excluded IPs. Works great. Thanks again

Update to running pbr in rc_firewall. Not a good idea. rc_firewall runs 3 times for me: at startup, after getting WAN ip, and after getting tun1 ip. Still works, but not ideal

Update @?#!: On second thought, since iptables screws with the routing table AND it runs with an OpenVPN ip change maybe pbr should run again... I'm still working on a fail-safe solution to keeping it running all the time.
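
One way to exempt several addresses from the kill switch without rearranging DHCP, and to stay correct when the firewall script runs more than once, as raised in the two posts above. This is an added example, not the thread's script or its kill-switch add-on; the chain name KILLSW, the function name and the sample interface vlan2 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the thread's script. Assumptions: the chain name KILLSW
# is made up here; br0 is the LAN bridge and the WAN interface name comes
# from nvram, as in the post above.

# Print the iptables commands for a kill switch that rejects LAN -> WAN
# forwarding except for the listed sources (single IPs or CIDR blocks).
killswitch_cmds() {  # usage: killswitch_cmds WAN_IF LAN_IF [SOURCE ...]
    wan=$1; lan=$2
    [ $# -ge 2 ] || { echo "usage: killswitch_cmds WAN_IF LAN_IF [SOURCE ...]" >&2; return 1; }
    shift 2
    # The output is meant to be piped to sh, so refuse anything that is not a
    # plain interface name or a dotted address with an optional /prefix.
    for name in "$wan" "$lan"; do
        case $name in ''|*[!A-Za-z0-9._-]*) echo "bad interface: $name" >&2; return 1;; esac
    done
    for src in "$@"; do
        case $src in ''|*[!0-9./]*) echo "bad source: $src" >&2; return 1;; esac
    done
    # Tear down any earlier copy first: the firewall script can run several
    # times per boot and must not stack duplicate rules.
    echo "iptables -D FORWARD -i $lan -o $wan -j KILLSW 2>/dev/null"
    echo "iptables -F KILLSW 2>/dev/null"
    echo "iptables -X KILLSW 2>/dev/null"
    echo "iptables -N KILLSW"
    # Exempt sources leave the chain and continue through FORWARD as usual.
    for src in "$@"; do
        echo "iptables -A KILLSW -s $src -j RETURN"
    done
    # Everything else from the LAN towards the WAN is rejected.
    echo "iptables -A KILLSW -p tcp -j REJECT --reject-with tcp-reset"
    echo "iptables -A KILLSW -j REJECT --reject-with icmp-host-prohibited"
    echo "iptables -I FORWARD -i $lan -o $wan -j KILLSW"
}

# Dry run with constructed values: prints the commands, changes nothing.
killswitch_cmds vlan2 br0 192.168.1.86 192.168.1.16/31
# On the router: killswitch_cmds "$(nvram get wan_iface)" br0 192.168.1.86 | sh
```

After applying, `iptables -vnL FORWARD` should show a single KILLSW jump at the top, and `iptables -vnL KILLSW` the exempt sources followed by the two REJECT rules.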
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5897
Location: Netherlands

Posted: Thu Sep 19, 2019 10:25
New version is up with as add-on an automatic kill script, see the second posting for details.

Tested on R7800 and R7000 but as there are many setups/routers, always check if it works as intended from CLI with:
Code:
iptables -vnL FORWARD


When in doubt or if you have questions feel free to post or PM me.

The script is in beta so there is definitely room for improvement :)

skhan35
DD-WRT Novice


Joined: 06 May 2018
Posts: 11

Posted: Sat Oct 05, 2019 1:37    Post subject: Question about using the script for my situation
Hi egc. Thanks for the script. I have a question about how exactly I would implement it for my situation.

-I am using SurfShark VPN on Linksys 3200ACM with IP address: 172.168.1.1

-DD-WRT DHCP LAN ip range is 172.168.1.102-151

- I want the following Static IPs to connect through WAN:


172.168.1.94- 172.168.1.101

(everything else through VPN, so that's why I have the LAN range go from 172.168.102-151)

- I also want Amazon Prime Video to Connect through WAN gateway and with some google searching I found info for Amazon IP Range:

https://forum.goldenfrog.com/t/access-to-amazon-instant-video-netflix-etc-via-excluding-the-server-ip/3127



Thanks a bunch for all your help!!!!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5897
Location: Netherlands

Posted: Sat Oct 05, 2019 9:42    Post subject: Re: Question about using the script for my situation
skhan35 wrote:
Hi egc. Thanks for the script. I have a question about how exactly I would implement it for my situation.

-I am using SurfShark VPN on Linksys 3200ACM with IP address: 172.168.1.1

-DD-WRT DHCP LAN ip range is 172.168.1.102-151

- I want the following Static IPs to connect through WAN:


172.168.1.94- 172.168.1.101

(everything else through VPN, so that's why I have the LAN range go from 172.168.102-151)

- I also want Amazon Prime Video to Connect through WAN gateway and with some google searching I found info for Amazon IP Range:

https://forum.goldenfrog.com/t/access-to-amazon-instant-video-netflix-etc-via-excluding-the-server-ip/3127



Thanks a bunch for all your help!!!!


Before I answer your question, the IP you have chosen for your LAN is not a private LAN.
You have to use 192.168.xxx.xxx or 172.16.xxx.xxx

So I would just alter your LAN to 192.168.

Now back to your question, there is more than one way to approach this.

Probably the easiest way is to use the built-in DDWRT PBR; starting with build 41174 this has almost the same possibilities as the scripts from this thread.

So if you did not do it already upgrade to a recent build.

If it is working then in the PBR field you enter all those ip addresses you want to route via the VPN, i.e. if you want to route your DHCP range through the VPN you enter, for your range from 102 -151:
192.168.1.102/31
192.168.1.104/29
192.168.1.112/28
192.168.1.128/28
192.168.1.144/29

I use a DHCP range from 64 - 127 because it is easier to set with CIDR: 192.168.1.64/26 (only one rule) :)

You use a CIDR calculator: https://www.ipaddressguide.com/cidr

To exclude amazon from the VPN you use the "route " command placed in the additional config of the OpenVPN client as described in the first post

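
The range-to-CIDR splitting that egc describes in the posts above, done in shell instead of with an online calculator. This is an added example, not code from the thread; the function names are made up here, and it assumes a shell with 64-bit arithmetic.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are made up here.
# Needs a shell with 64-bit arithmetic (bash, dash, busybox ash built with
# 64-bit math), because IPv4 addresses above 127.255.255.255 exceed 2^31.

ip2int() (   # dotted quad -> integer; the subshell keeps the IFS change local
    IFS=.
    set -- $1
    [ $# -eq 4 ] || { echo "not an IPv4 address" >&2; exit 1; }
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

int2ip() {   # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the smallest set of CIDR blocks that covers FIRST..LAST exactly.
range2cidr() {   # usage: range2cidr FIRST LAST
    start=$(ip2int "$1") || return 1
    end=$(ip2int "$2") || return 1
    [ "$start" -le "$end" ] || { echo "range2cidr: $1 is above $2" >&2; return 1; }
    while [ "$start" -le "$end" ]; do
        size=1; bits=32
        # Double the block while it stays aligned on its own size and still
        # fits inside the range; each doubling shortens the prefix by one bit.
        while [ "$bits" -gt 0 ] &&
              [ $(( start % (size * 2) )) -eq 0 ] &&
              [ $(( start + size * 2 - 1 )) -le "$end" ]; do
            size=$(( size * 2 )); bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$start")/$bits"
        start=$(( start + size ))
    done
}

# The ranges from the posts above:
range2cidr 192.168.1.102 192.168.1.151   # DHCP range 102 - 151
range2cidr 192.168.1.64 192.168.1.127    # DHCP range 64 - 127
```

Each output line can be pasted into the PBR field or used as the source of an `ip rule` or iptables rule.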
skhan35
DD-WRT Novice


Joined: 06 May 2018
Posts: 11

Posted: Sat Oct 05, 2019 12:26
Thanks for the reply egc. Unfortunately Surfshark doesn’t support entering ip ranges in the pbr field. I have tried with the route no pull command and entering the Ip info in pbr but then Netflix starts showing proxy errors.

I will certainly change the ip range and could you explain a bit more about how to have amazon go through wan? would PrimeVideo.com work with just having amazon.com in the Additional Config command or I should have that as another entry? Thanks a lot!

P.S. I'm on build 40009 and only reason for not upgrading is vpn not reconnecting automatically after a reboot.

Edit:

I upgraded to DD-WRT v3.0-r41218 std, and tried the Amazon route Commands under Additional Config, without any success:

route amazon.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255
route primevideo.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255


Amazon Prime Video still shows the Connected through VPN/Proxy Error.


Last edited by skhan35 on Sat Oct 05, 2019 16:57; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5897
Location: Netherlands

Posted: Sun Oct 06, 2019 9:46
skhan35 wrote:
Thanks for the reply egc. Unfortunately Surfshark doesn’t support entering ip ranges in the pbr field. I have tried with the route no pull command and entering the Ip info in pbr but then Netflix starts showing proxy errors.

I will certainly change the ip range and could you explain a bit more about how to have amazon go through wan? would PrimeVideo.com work with just having amazon.com in the Additional Config command or I should have that as another entry? Thanks a lot!

P.S. I'm on build 40009 and only reason for not upgrading is vpn not reconnecting automatically after a reboot.

Edit:

I upgraded to DD-WRT v3.0-r41218 std, and tried the Amazon route Commands under Additional Config, without any success:

route amazon.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255
route primevideo.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255


Amazon Prime Video still shows the Connected through VPN/Proxy Error.

Sorry I did not come back to you earlier, I am at the moment at the Oktoberfest in Munchen :)

You can check if it is working with
route ipleak.net 255.255.255.255 net_gateway

I am confident that it works but that the problem is with amazon, those large websites have multiple IP addresses so you have to get hold of all the used IP addresses.

Alternatively, a lot of people use two different IP addresses, one in the VPN range and one outside of the range. I use a program called netsetman to switch my Windows PC between the two IP addresses.

If your clients are on wifi you can have two different APs, one on VPN and one not.

So there are different ways to approach this

skhan35
DD-WRT Novice


Joined: 06 May 2018
Posts: 11

Posted: Sun Oct 06, 2019 18:42
That's no problem egc, I hope you are enjoying Octoberfest.

I managed to make things work (for the most part)

Although SurfShark does not support having any entries in the PBR field in the VPN client section, I was able to get around that by using the following Startup Command:

# ----- LOCAL IP NOT BE ROUTED UNDER VPN -----
(
#wait for WAN to be up
while ! ping -qc1 -w3 1.1.1.1 > /dev/null 2>&1; do sleep 10; done

# wait 5s extra
sleep 5

# add your policy based routing here
ip route flush table 200
ip route add default via `nvram get wan_gateway` table 200
ip rule add from 192.168.1.90 table 200
ip rule add from 192.168.1.91 table 200
ip rule add from 192.168.1.92 table 200
ip rule add from 192.168.1.93 table 200
ip rule add from 192.168.1.94 table 200
ip rule add from 192.168.1.95 table 200
ip rule add from 192.168.1.96 table 200
ip rule add from 192.168.1.97 table 200
ip rule add from 192.168.1.98 table 200
ip rule add from 192.168.1.99 table 200
) &




Interestingly enough I am able to use Amazon Prime video using the apps (TV, Apple TV, Phone) but not through a desktop browser, so the VPN Route Script works somewhat.

Thanks a bunch again for all your help!
c0l0c0d0s
DD-WRT Novice


Joined: 10 Mar 2019
Posts: 28

Posted: Thu Jan 30, 2020 11:59    Post subject: Re: Simple script for Policy Based OpenVPN Routing [WORKING]
egc wrote:
Policy Based Routing script for use with builds earlier than 41174

Hi mate you helped me shed loads in this thread to get this up and working ages ago but in the end I ended up dropping the VPN provider as with or without PBR it was so sloowwww.

All worked how I needed, but I still keep the VPN server/daemon on 443 now and where I do port forward I pushed up my clients to HTTPS etc. to give some encryption.

Anyway I want to know if you can help, two clients in my LAN (a PBX telephone server & an access control server) require to connect to internal LAN devices via an external address.

I used to achieve this by XYZ.duckdns.org:123 whatever port number forwarded correctly on my LAN in the software instead of using LAN IP.

I have only just noticed where I decided to implement the access control again that NAT loopback (reverse lookup) fails, if I am sitting externally say on 4G I can hit any port forward rule, XYZ.duckdns.org:123 example works fine, I can check with say canyouseeme.org and always works.
But when I do a Test-NetConnection xyxDDNS -Port in Powershell the ONLY success I get is with the R7000 router hosted ports, for example I use VNC repeater 5600, and 999 for remote router admin, they both hit, but not any XYZ.duckdns.org:123 route as NAT loopback fails.

I removed your PBR script (in commands) which I still had sitting there in case that was causing the issue, I have only this in my FW rules (in commands)
iptables -t nat -A POSTROUTING -o $(get_wanface) -j MASQUERADE
Other than that I have nothing.
I don’t have “Filter WAN NAT Redirection” ticked in Block WAN requests, I experimented with turning all that off, I even tried DHCP clients vs STATIC LAN clients hosting a rule to see if that was the issue, no joy.

Tried the rules posted here:-
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=89353&postdays=0&postorder=asc&start=135
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE

Nothing, have you any advice?