Simple script for Policy Based OpenVPN Routing [WORKING]

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4153
Location: Netherlands

PostPosted: Thu Aug 08, 2019 11:51
The first posting details how to do that:

Quote:
Destination based routing is standard for OVPN, in the additional config you can enter destinations by IP address or URL and specify whether these should be routed through WAN or VPN e.g:
Code:
route 209.222.18.222 255.255.255.255 vpn_gateway # DNS server PIA
route 209.222.18.218 255.255.255.255 vpn_gateway # DNS server PIA
route 204.11.35.98 255.255.255.255 vpn_gateway #whatsmyip.org
route 95.85.16.212 255.255.255.255 net_gateway # ipleak.net
route 23.239.16.110 255.255.255.255 vpn_gateway #dnsleaktest.com
route 212.58.0.0 255.255.0.0 vpn_gateway #BBC
route amazon.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255


It also details that this is impossible with the standard PBR in DD-WRT.

You can use the script as described in the first posting, but Netflix uses so many different and changing IPs that it is very difficult.

Look for a dedicated thread regarding Netflix; you probably need ipset.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 59

PostPosted: Thu Aug 08, 2019 13:03
Not impossible with standard PBR, you just need to script the ip commands to set the routing. All the standard PBR is, is a set of routing commands anyway.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4153
Location: Netherlands

PostPosted: Thu Aug 08, 2019 13:08
portsup wrote:
Not impossible with standard PBR, you just need to script the ip commands to set the routing. All the standard PBR is, is a set of routing commands anyway.


True, but not with the route commands from the VPN.

Edit: must even have a script for that lying somewhere :)

MesMurized
DD-WRT Novice


Joined: 08 Aug 2017
Posts: 9

PostPosted: Tue Sep 10, 2019 0:22
Thanks @egc. Stock method does exactly what I needed. A major learning curve for me, but successful.

Q? Since stock reroutes to WAN, is there a need to have the script running all the time? I can't ever remember my WAN IP changing unless the cable modem is power cycled.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4153
Location: Netherlands

PostPosted: Tue Sep 10, 2019 9:14
MesMurized wrote:
Thanks @egc. Stock method does exactly what I needed. A major learning curve for me, but successful.

Q? Since stock reroutes to WAN, is there a need to have the script running all the time? I can't ever remember my WAN IP changing unless the cable modem is power cycled.


If you do not add: pull-filter ignore "redirect-gateway" so that the WAN is used as default for the alternate routing table, it usually is not necessary to run the script more than once.

I have made some modifications so that the script runs only once when you specify SLEEP=0.
You can download the new script from the first posting. I have not tested it yet.

Make sure that when you insert the script in the Startup command you add "SLEEP 60" before the script to make sure everything is up.

MesMurized
DD-WRT Novice


Joined: 08 Aug 2017
Posts: 9

PostPosted: Wed Sep 11, 2019 22:11
@egc 5.08 working great. Thanks.
Had to exclude the added PBR entry from the VPN kill switch:

Code:
WAN_IF=`nvram get wan_iface`
# kill switch: LAN clients (br0) may not be forwarded to the WAN interface directly,
# except the host that the PBR entry sends around the VPN (192.168.1.86)
iptables -I FORWARD ! -s 192.168.1.86 -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD ! -s 192.168.1.86 -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
# iptables has no "udp-reset" reject type; port-unreachable is the ICMP error a closed UDP port returns
iptables -I FORWARD ! -s 192.168.1.86 -i br0 -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable


This works, but only for a single IP. I could use a netmask, but I prefer to not rearrange my DHCP assignments.

Any other suggestions for multiple IPs?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4153
Location: Netherlands

PostPosted: Thu Sep 12, 2019 8:31
The trick is to make clever use of netmask/CIDR notation: https://www.ipaddressguide.com/cidr

That is why I keep my DHCP at 192.168.1.64 - 127 because it is 192.168.1.64/26

For my static leases I use 16 - 31 which is 192.168.1.16/28 and 160 - 191 which is 192.168.1.160/27.

But indeed you have to restructure things :(

The coming weeks (if I can find the time) I will make a simple script to automate the kill switch, so stay tuned :)

MesMurized
DD-WRT Novice


Joined: 08 Aug 2017
Posts: 9

PostPosted: Fri Sep 13, 2019 5:22
Sounds great @egc.

FYI: !!Maybe!! (Was surprised VPN kill must be executed before pbr, else important table 11 entries are deleted. Easy fix: place pbr script after kill in firewall startup.)

Update: Using 192.168.1.16/31 for 2 excluded IPs. Works great. Thanks again

Update to running pbr in rc_firewall. Not a good idea. rc_firewall runs 3 times for me: at startup, after getting WAN ip, and after getting tun1 ip. Still works, but not ideal

Update @?#!: On second thought, since iptables screws with the routing table AND it runs with an OpenVPN ip change maybe pbr should run again... I'm still working on a fail-safe solution to keeping it running all the time.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4153
Location: Netherlands

PostPosted: Thu Sep 19, 2019 10:25
New version is up with as add-on an automatic kill script, see the second posting for details.

Tested on R7800 and R7000 but as there are many setups/routers, always check if it works as intended from CLI with:
Code:
iptables -vnL FORWARD


When in doubt or if you have questions feel free to post or PM me.

The script is in beta so there is definitely room for improvement :)

skhan35
DD-WRT Novice


Joined: 06 May 2018
Posts: 9

PostPosted: Sat Oct 05, 2019 1:37    Post subject: Question about using the script for my situation
Hi egc. Thanks for the script. I have a question about how exactly I would implement it for my situation.

-I am using SurfShark VPN on Linksys 3200ACM with IP address: 172.168.1.1

-DD-WRT DHCP LAN ip range is 172.168.1.102-151

- I want the following Static IPs to connect through WAN:


172.168.1.94- 172.168.1.101

(everything else through VPN, so that's why I have the LAN range go from 172.168.102-151)

- I also want Amazon Prime Video to Connect through WAN gateway and with some google searching I found info for Amazon IP Range:

https://forum.goldenfrog.com/t/access-to-amazon-instant-video-netflix-etc-via-excluding-the-server-ip/3127



Thanks a bunch for all your help!!!!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4153
Location: Netherlands

PostPosted: Sat Oct 05, 2019 9:42    Post subject: Re: Question about using the script for my situation
skhan35 wrote:
Hi egc. Thanks for the script. I have a question about how exactly I would implement it for my situation.

-I am using SurfShark VPN on Linksys 3200ACM with IP address: 172.168.1.1

-DD-WRT DHCP LAN ip range is 172.168.1.102-151

- I want the following Static IPs to connect through WAN:


172.168.1.94- 172.168.1.101

(everything else through VPN, so that's why I have the LAN range go from 172.168.102-151)

- I also want Amazon Prime Video to Connect through WAN gateway and with some google searching I found info for Amazon IP Range:

https://forum.goldenfrog.com/t/access-to-amazon-instant-video-netflix-etc-via-excluding-the-server-ip/3127



Thanks a bunch for all your help!!!!


Before I answer your question, the IP you have chosen for your LAN is not a private LAN.
You have to use 192.168.xxx.xxx or 172.16.xxx.xxx

So I would just alter your LAN to 192.168.

Now back to your question, there is more than one way to approach this.

Probably the easiest way is to use the built-in DD-WRT PBR; starting with build 41174 this has almost the same possibilities as the scripts from this thread.

So if you did not do it already upgrade to a recent build.

If it is working then in the PBR field you enter all those IP addresses you want to route via the VPN, i.e. if you want to route your DHCP range through the VPN you enter, for your range from 102 - 151:
Code:
192.168.1.102/31
192.168.1.104/29
192.168.1.112/28
192.168.1.128/28
192.168.1.144/29


(I use a DHCP range from 64 - 127 because it is easier to set with CIDR: 192.168.1.64/26, only one rule :) )

You use a CIDR calculator: https://www.ipaddressguide.com/cidr

To exclude Amazon from the VPN you use the "route" command placed in the additional config of the OpenVPN client as described in the first post.

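The CIDR trick egc uses here and in the earlier post about DHCP ranges, worked through as an added example (this is not egc's script nor DD-WRT code): a Python helper that splits an inclusive address range into the fewest CIDR blocks, cross-checks the result against the standard library, and prints both the `ip rule ... table 200` lines used by the startup script later in this thread and the netmask form the OpenVPN `route` directive needs. The table number and sample ranges come from the thread; the function names are mine.

```python
"""Range -> CIDR helper for DD-WRT policy based routing (added example)."""
import ipaddress


def range_to_cidrs(first, last):
    """Greedy split of an inclusive IPv4 range into the fewest CIDR blocks.

    At each step take the largest power-of-two block that is aligned at
    `start` (start % size == 0) and does not run past `end`.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        size = 1
        # grow the block while it stays aligned and inside the range
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        prefix = 32 - (size.bit_length() - 1)   # size 64 -> /26, size 1 -> /32
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += size
    # cross-check against the standard library's own summariser
    ref = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    assert blocks == ref, (blocks, ref)
    return blocks


def ip_rules(first, last, table=200):
    """`ip rule` lines that steer the range to an alternate routing table
    (table 200 is the number used by the startup script in this thread)."""
    return [f"ip rule add from {c} table {table}" for c in range_to_cidrs(first, last)]


def route_directive(cidr, gateway):
    """OpenVPN additional-config `route` line: network plus dotted netmask,
    the form shown in the first posting (e.g. 212.58.0.0 255.255.0.0)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"route {net.network_address} {net.netmask} {gateway}"


if __name__ == "__main__":
    # egc's DHCP example: 102 - 151 needs five blocks, 64 - 127 only one
    for line in ip_rules("192.168.1.102", "192.168.1.151"):
        print(line)
    print(ip_rules("192.168.1.64", "192.168.1.127"))
    print(route_directive("212.58.0.0/16", "vpn_gateway"))
```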
skhan35
DD-WRT Novice


Joined: 06 May 2018
Posts: 9

PostPosted: Sat Oct 05, 2019 12:26
Thanks for the reply egc. Unfortunately Surfshark doesn't support entering IP ranges in the PBR field. I have tried with the route-nopull command and entering the IP info in PBR, but then Netflix starts showing proxy errors.

I will certainly change the IP range, and could you explain a bit more about how to have Amazon go through WAN? Would PrimeVideo.com work with just having amazon.com in the Additional Config command, or should I have that as another entry? Thanks a lot!

P.S. I'm on build 40009 and only reason for not upgrading is vpn not reconnecting automatically after a reboot.

Edit:

I upgraded to DD-WRT v3.0-r41218 std, and tried the Amazon route commands under Additional Config, without any success:

Code:
route amazon.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255
route primevideo.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255


Amazon Prime Video still shows the Connected through VPN/Proxy Error.


Last edited by skhan35 on Sat Oct 05, 2019 16:57; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4153
Location: Netherlands

PostPosted: Sun Oct 06, 2019 9:46
skhan35 wrote:
Thanks for the reply egc. Unfortunately Surfshark doesn't support entering IP ranges in the PBR field. I have tried with the route-nopull command and entering the IP info in PBR, but then Netflix starts showing proxy errors.

I will certainly change the IP range, and could you explain a bit more about how to have Amazon go through WAN? Would PrimeVideo.com work with just having amazon.com in the Additional Config command, or should I have that as another entry? Thanks a lot!

P.S. I'm on build 40009 and only reason for not upgrading is vpn not reconnecting automatically after a reboot.

Edit:

I upgraded to DD-WRT v3.0-r41218 std, and tried the Amazon route commands under Additional Config, without any success:

Code:
route amazon.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255
route primevideo.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255


Amazon Prime Video still shows the Connected through VPN/Proxy Error.

Sorry I did not come back to you earlier, I am at the moment at the Oktoberfest in Munchen :)

You can check if it is working with
Code:
route ipleak.net 255.255.255.255 net_gateway


I am confident that it works but that the problem is with Amazon; those large websites have multiple IP addresses, so you have to get hold of all the used IP addresses.

Alternatively, a lot of people use two different IP addresses, one in the VPN range and one outside of the range. I use a program called netsetman to switch my Windows PC between the two IP addresses.

If your clients are on wifi you can have two different APs, one on VPN and one not.

So there are different ways to approach this.

skhan35
DD-WRT Novice


Joined: 06 May 2018
Posts: 9

PostPosted: Sun Oct 06, 2019 18:42
That's no problem egc, I hope you are enjoying Oktoberfest.

I managed to make things work (for the most part)

Although SurfShark does not support having any entries in the PBR field in the VPN client section, I was able to get around that by using the following Startup Command:

Code:
# ----- LOCAL IPs NOT TO BE ROUTED UNDER VPN -----
(
# wait for WAN to be up
while ! ping -qc1 -w3 1.1.1.1 > /dev/null 2>&1; do sleep 10; done

# wait 5s extra
sleep 5

# add your policy based routing here:
# table 200 gets the WAN as its default route, and every host listed below
# is sent to that table by source address, so it bypasses the VPN tunnel.
# Rules from an earlier run are removed first so a re-run does not stack duplicates.
while ip rule del table 200 2>/dev/null; do :; done
ip route flush table 200
ip route add default via `nvram get wan_gateway` table 200
ip rule add from 192.168.1.90 table 200
ip rule add from 192.168.1.91 table 200
ip rule add from 192.168.1.92 table 200
ip rule add from 192.168.1.93 table 200
ip rule add from 192.168.1.94 table 200
ip rule add from 192.168.1.95 table 200
ip rule add from 192.168.1.96 table 200
ip rule add from 192.168.1.97 table 200
ip rule add from 192.168.1.98 table 200
ip rule add from 192.168.1.99 table 200
) &




Interestingly enough, I am able to use Amazon Prime Video using the apps (TV, Apple TV, phone) but not through a desktop browser, so the VPN route script works somewhat.

Thanks a bunch again for all your help!