Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Thu Aug 08, 2019 11:51 Post subject:
The first posting details how to do that:
Quote:
Destination based routing is standard for OVPN, in the additional config you can enter destinations by IP address or URL and specify whether these should be routed through WAN or VPN e.g:
Code:
route 209.222.18.222 255.255.255.255 vpn_gateway # DNS server PIA
route 209.222.18.218 255.255.255.255 vpn_gateway # DNS server PIA
route 204.11.35.98 255.255.255.255 vpn_gateway #whatsmyip.org
route 95.85.16.212 255.255.255.255 net_gateway # ipleak.net
route 23.239.16.110 255.255.255.255 vpn_gateway #dnsleaktest.com
route 212.58.0.0 255.255.0.0 vpn_gateway #BBC
route amazon.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255
It also details that that is impossible with the standard PBR in DDWRT.
You can use the script as described in the first posting, but Netflix uses so many different and changing IPs that it is very difficult.
Not impossible with standard PBR you just need to script the ip commands to set the routing. All the standard PBR is is a set of routing commands anyway.
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Thu Aug 08, 2019 13:08 Post subject:
portsup wrote:
Not impossible with standard PBR you just need to script the ip commands to set the routing. All the standard PBR is is a set of routing commands anyway.
Thanks @egc. Stock method does exactly what I needed. A major learning curve for me - but successful.
Q? Since stock reroutes to WAN, is there a need to have the script running all the time? I can't ever remember my WAN IP changing unless the cable modem is power cycled.
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Tue Sep 10, 2019 9:14 Post subject:
MesMurized wrote:
Thanks @egc. Stock method does exactly what I needed. A major learning curve for me - but successful.
Q? Since stock reroutes to WAN, is there a need to have the script running all the time? I can't ever remember my WAN IP changing unless the cable modem is power cycled.
If you do not add: pull-filter ignore "redirect-gateway" so that the WAN is used as default for the alternate routing table, it usually is not necessary to run the script more than once.
I have made some modifications so that the script runs only once when you specify SLEEP=0.
You can download the new script from the first posting. I have not tested it yet.
FYI: !!Maybe!! (Was surprised VPN kill must be executed before pbr, else important table 11 entries are deleted. Easy fix: place pbr script after kill in firewall startup.)
Update: Using 192.168.1.16/31 for 2 excluded IPs. Works great. Thanks again
Update to running pbr in rc_firewall. Not a good idea. rc_firewall runs 3 times for me: at startup, after getting WAN ip, and after getting tun1 ip. Still works, but not ideal
Update @?#!: On second thought, since iptables screws with the routing table AND it runs with an OpenVPN ip change maybe pbr should run again... I'm still working on a fail-safe solution to keeping it running all the time.
Before I answer your question, the IP you have chosen for your LAN is not a private LAN address.
You have to use 192.168.xxx.xxx or 172.16.xxx.xxx
So I would just alter your LAN to 192.168.
Now back to your question, there is more than one way to approach this.
Probably the easiest way is to use the built-in DD-WRT PBR; starting with build 41174 this has almost the same possibilities as the scripts from this thread.
So if you did not do it already, upgrade to a recent build.
If it is working, then in the PBR field you enter all those IP addresses you want to route via the VPN, i.e. if you want to route your DHCP range through the VPN you enter, for your range from 102-151:
192.168.1.102/31
192.168.1.104/29
192.168.1.112/28
192.168.1.128/28
192.168.1.144/29
(I use a DHCP range from 64 - 127 because it is easier to set with CIDR: 192.168.1.64/26 (only one rule))
Thanks for the reply egc. Unfortunately Surfshark doesn't support entering IP ranges in the PBR field. I have tried with the route no pull command and entering the IP info in PBR, but then Netflix starts showing proxy errors.
I will certainly change the IP range. Could you explain a bit more about how to have Amazon go through WAN? Would PrimeVideo.com work with just having amazon.com in the Additional Config command, or should I have that as another entry? Thanks a lot!
P.S. I'm on build 40009 and only reason for not upgrading is vpn not reconnecting automatically after a reboot.
Edit:
I upgraded to DD-WRT v3.0-r41218 std, and tried the Amazon route Commands under Additional Config, without any success:
route amazon.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255
route primevideo.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255
Amazon Prime Video still shows the Connected through VPN/Proxy Error.
Last edited by skhan35 on Sat Oct 05, 2019 16:57; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Sun Oct 06, 2019 9:46 Post subject:
skhan35 wrote:
Thanks for the reply egc. Unfortunately Surfshark doesn't support entering IP ranges in the PBR field. I have tried with the route no pull command and entering the IP info in PBR, but then Netflix starts showing proxy errors.
I will certainly change the IP range. Could you explain a bit more about how to have Amazon go through WAN? Would PrimeVideo.com work with just having amazon.com in the Additional Config command, or should I have that as another entry? Thanks a lot!
P.S. I'm on build 40009 and only reason for not upgrading is vpn not reconnecting automatically after a reboot.
Edit:
I upgraded to DD-WRT v3.0-r41218 std, and tried the Amazon route Commands under Additional Config, without any success:
route amazon.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255
route primevideo.com 255.255.255.255 net_gateway # Routing by URL only with 255.255.255.255
Amazon Prime Video still shows the Connected through VPN/Proxy Error.
Sorry I did not come back to you earlier, I am at the moment at the Oktoberfest in Munchen.
You can check if it is working with:
route ipleak.net 255.255.255.255 net_gateway
I am confident that it works, but that the problem is with Amazon: those large websites have multiple IP addresses, so you have to get hold of all the used IP addresses.
Alternatively, a lot of people use two different IP addresses, one in the VPN range and one outside of the range. I use a program called netsetman to switch my Windows PC between the two IP addresses.
If your clients are on wifi you can have two different APs, one on VPN and one not.
That's no problem egc, I hope you are enjoying Octoberfest.
I managed to make things work (for the most part)
Although SurfShark does not support having any entries in the PBR field in the VPN client section, I was able to get around that by using the following Startup Command:
# ----- LOCAL IPs NOT TO BE ROUTED THROUGH THE VPN -----
(
# wait for WAN to be up
while ! ping -qc1 -w3 1.1.1.1 > /dev/null 2>&1; do sleep 10; done
# wait 5s extra
sleep 5
# add your policy based routing here
# table 200 is a second routing table whose only default route is the WAN gateway
ip route flush table 200
ip route add default via `nvram get wan_gateway` table 200
# packets sourced from these LAN hosts are looked up in table 200, so they bypass the VPN
ip rule add from 192.168.1.90 table 200
ip rule add from 192.168.1.91 table 200
ip rule add from 192.168.1.92 table 200
ip rule add from 192.168.1.93 table 200
ip rule add from 192.168.1.94 table 200
ip rule add from 192.168.1.95 table 200
ip rule add from 192.168.1.96 table 200
ip rule add from 192.168.1.97 table 200
ip rule add from 192.168.1.98 table 200
ip rule add from 192.168.1.99 table 200
) &
Interestingly enough I am able to use Amazon Prime video using the apps (TV, Apple TV, Phone) but not through a desktop browser, so the VPN Route Script works somewhat.
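The CIDR split egc shows for the 102-151 DHCP range and the run of ten per-host ip rules in the startup command above are the same problem: turn a contiguous range of LAN hosts into the fewest aligned blocks. The following is an added example, not code from this thread or from DD-WRT: a POSIX sh function that computes that split, plus one that prints the matching `ip rule` lines for a bypass table. The table number 200 and the LAN prefix are placeholders taken from the startup command above.

```shell
#!/bin/sh
# Added example, not code from this thread. Converts a contiguous range of
# host numbers inside one /24 into the minimal list of CIDR blocks (the
# split egc shows for 102-151) and emits the "ip rule" commands that send
# traffic from those blocks through a source-based routing table, so a
# run of per-host rules like .90-.99 collapses into a few aligned blocks.
# POSIX sh arithmetic only, so it also runs under BusyBox ash on DD-WRT.
# Assumptions: routing table 200 and the 192.168.1 prefix are placeholders.

# range_to_cidrs NETWORK_PREFIX FIRST LAST
#   NETWORK_PREFIX: first three octets, e.g. 192.168.1
#   FIRST/LAST:     host numbers (0-255) in that /24, inclusive
# Prints one CIDR per line; an empty or reversed range prints nothing.
range_to_cidrs() {
    prefix=$1; start=$2; end=$3
    while [ "$start" -le "$end" ]; do
        # Grow the block while its start stays aligned to the doubled size
        # and its last address stays inside the requested range.
        size=1
        while [ $((size * 2)) -le 256 ] \
              && [ $((start % (size * 2))) -eq 0 ] \
              && [ $((start + size * 2 - 1)) -le "$end" ]; do
            size=$((size * 2))
        done
        # prefix length = 32 - log2(size)
        bits=0; n=$size
        while [ "$n" -gt 1 ]; do n=$((n / 2)); bits=$((bits + 1)); done
        printf '%s.%s/%s\n' "$prefix" "$start" $((32 - bits))
        start=$((start + size))
    done
}

# emit_pbr_rules NETWORK_PREFIX FIRST LAST TABLE
# Prints the "ip rule add" commands that look up traffic from the range in
# routing table TABLE. Printing instead of executing lets you review the
# rules first; pipe the output to sh on the router to apply them.
emit_pbr_rules() {
    range_to_cidrs "$1" "$2" "$3" | while read -r cidr; do
        printf 'ip rule add from %s table %s\n' "$cidr" "$4"
    done
}

# Usage: the ten per-host rules from the startup command above, as blocks.
emit_pbr_rules 192.168.1 90 99 200
```

For 90-99 this prints three rules (192.168.1.90/31, 192.168.1.92/30, 192.168.1.96/30) instead of ten, and for 102-151 it reproduces the five blocks listed earlier in the thread. Because `ip rule add` appends a new entry every time it runs, re-running a startup command that adds rules accumulates duplicates; reviewing the printed list with `ip rule show` before applying it makes that easy to spot.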
Posted: Thu Jan 30, 2020 11:59 Post subject: Re: Simple script for Policy Based OpenVPN Routing [WORKING]
egc wrote:
Policy Based Routing script for use with builds earlier than 41174
Hi mate, you helped me shed loads in this thread to get this up and working ages ago, but in the end I ended up dropping the VPN provider as, with or without PBR, it was so sloowwww.
All worked how I needed, but I still keep the VPN server/daemon on 443 now, and where I do port forward I pushed up my clients to HTTPS etc. to give some encryption.
Anyway, I want to know if you can help: two clients in my LAN (a PBX telephone server and an access control server) need to connect to internal LAN devices via an external address.
I used to achieve this by entering XYZ.duckdns.org:123 (whatever port number is forwarded correctly on my LAN) in the software instead of using the LAN IP.
I have only just noticed, now that I decided to implement the access control again, that NAT loopback (reverse lookup) fails. If I am sitting externally, say on 4G, I can hit any port forward rule; XYZ.duckdns.org:123 for example works fine, and I can check with say canyouseeme.org and it always works.
But when I do a Test-NetConnection xyxDDNS -Port in PowerShell from inside the LAN, the ONLY success I get is with the R7000 router-hosted ports, for example VNC repeater on 5600 and 999 for remote router admin; they both hit, but not any XYZ.duckdns.org:123 route, as NAT loopback fails.
I removed your PBR script (in commands), which I still had sitting there in case that was causing the issue. I have only this in my FW rules (in commands):
iptables -t nat -A POSTROUTING -o $(get_wanface) -j MASQUERADE
Other than that I have nothing.
I don't have "Filter WAN NAT Redirection" ticked in Block WAN requests. I experimented with turning all that off, and I even tried DHCP clients vs STATIC LAN clients hosting a rule to see if that was the issue, no joy.
Tried the rules posted here:-
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=89353&postdays=0&postorder=asc&start=135
# load the packet-mark match/target modules (no-op if already built in)
insmod ipt_mark
insmod xt_mark
# mark LAN-originated packets addressed to our own WAN IP (NAT loopback candidates)
# note: "-i ! iface" is the old negation syntax; current iptables writes it as "! -i iface"
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
# carry the mark on the connection so replies are matched too
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
# source-NAT marked packets to the router, so the internal server replies via the router rather than directly to the LAN client
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE