VPN routing issues

Author Message
dan95
DD-WRT Novice


Joined: 14 Apr 2018
Posts: 21

PostPosted: Wed Dec 22, 2021 15:38    Post subject: VPN routing issues
I managed to successfully set up a VPN on my router (lots of reading, thanks everyone!), and managed to set a range of IPs to use the VPN and some specific static-lease IPs not to use the VPN, BUT I have run into one issue.

Before, I used Remmina to RDP from my desktop (192.168.1.122) into one of my headless computers (192.168.1.121); both are set as static leases, and I have the CIDR set to:
Code:
192.168.1.100/30
192.168.1.104/29
192.168.1.112/29
192.168.1.120/32

So neither 122 nor 121 is supposed to use the VPN.
The problem is, though, that I now can't RDP into my headless computer. I assume it may be the CIDR, but I have tried a variety of ranges.

I also used @SurprisedItWorks' kill switch (thanks!!!!)
Code:
#vpn kill switch for PBR
# interface of the default route (the WAN side)
WAN_IF=$(ip route | awk '/^default/{print $NF}')
# one PBR entry (host or CIDR block) per non-blank line; block each from leaving via the WAN
grep '\S' /tmp/openvpncl/policy_ips \
| while read pbr; do
    iptables -I FORWARD -s "$pbr" -o "$WAN_IF" -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -s "$pbr" -p tcp -o "$WAN_IF" -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -s "$pbr" -p udp -o "$WAN_IF" -j REJECT
  done


and I tried my setup without the kill switch, but still nada.

Additionally:
starting address 192.168.1.100
Maximum DHCP Users 23

Not sure if any other info is needed; please do let me know, and thanks in advance!!!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10318
Location: Netherlands

PostPosted: Wed Dec 22, 2021 16:15    Post subject:
The build which is advised to use is build 47900, or better, 47911.

A kill switch is built-in; no need to use a script, just tick/enable Kill switch.

Set your DHCP range on the Setup page to start at .64 for 64 clients.

Static leases must be set outside the DHCP range!

For clients with static leases that you do not want to use the VPN, choose addresses below .64.

For clients with static leases that you do want to use the VPN, choose addresses from .128-.191.

In the PBR field, enter this for the DHCP addresses that should use the VPN:
192.168.1.64/26

and this for the static leases from .128-.191:
192.168.1.128/26

Static leases are best/most easily set in the Additional DNSMasq Options, like:
dhcp-host=00:08:9B:XX:XX:XX,QNAP453,192.168.0.91,1440m

_________________
Routers: Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Sat Dec 25, 2021 7:34; edited 1 time in total
dan95
DD-WRT Novice


Joined: 14 Apr 2018
Posts: 21

PostPosted: Fri Dec 24, 2021 21:49    Post subject:
egc wrote:
The build which is advised to use is build 47900, or better, 47911.

A kill switch is built-in; no need to use a script, just tick/enable Kill switch.

Set your DHCP range on the Setup page to start at .64 for 64 clients.

Static leases must be set outside the DHCP range!

For clients with static leases that you do not want to use the VPN, choose addresses below .64.

For clients with static leases that you do want to use the VPN, choose addresses from .128-.191.

In the PBR field, enter this for the DHCP addresses that should use the VPN:
192.168.1.64/26

and this for the static leases from .128-.191:
192.168.1.128/26

Static leases are best/most easily set in the Additional DNSMasq Options, like:
dhcp-host=00:08:9B:XX:XX:XX,QNAP453,192.168.0.91,1440m


Had no idea about the kill switch feature, sweet! Thanks!

So when you say start my DHCP range at 64, that means it would be 192.168.1.64, I guess. I can totally do that, but am just curious (still learning) why not start at 192.168.1.100?

As for static leases, I want most of the devices, including one static lease, using the VPN (a fair amount of tablets, IoT devs, etc. - would be a bit of a pain to set each one?), and the remaining two static leases going straight to "clearnet".

So, in sticking with the .64 and below range, if I don't set 192.168.1.64/26, then .64 and below will default to using the VPN, I think? (Sorry, this is a bit of a brain workout for me at least.)

And I set the two that I do not want to use the VPN to, say, .65 and .66 with a PBR rule of 192.168.1.128/26 ... ok, that's not right?

I guess I am getting hung up on making my setup default to everything except a very few devs using the VPN, so I don't need to set up every dev as a static address?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6532
Location: Romerike, Norway

PostPosted: Fri Dec 24, 2021 22:49    Post subject:
dan95 wrote:

So when you say start my dhcp range at 64 that means it would be 192.168.1.64 i guess, I can totally do that but am just curious (still learning) why not start at 192.168.1.100?


100 is not a round binary number you can address with CIDR notation.
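To make the CIDR point concrete, here is an added example (not code posted by anyone in this thread, and not DD-WRT's own code). It uses Python's standard-library ipaddress module to (1) check which hosts a given PBR list actually sends through the VPN, (2) compute the smallest set of CIDR blocks that covers an address range, which shows why a DHCP range starting at .100 needs four entries while one starting at .64 fits in a single /26, and (3) flag PBR entries that do not start on a block boundary. The PBR lists are the ones quoted above; the sample hosts are constructed values.

```python
import ipaddress
from typing import Dict, List

# PBR lists taken from the thread above (hosts/blocks that should use the VPN).
OP_PBR = ["192.168.1.100/30", "192.168.1.104/29", "192.168.1.112/29", "192.168.1.120/32"]
EGC_PBR = ["192.168.1.64/26", "192.168.1.128/26"]   # DHCP .64-.127 plus static VPN leases .128-.191


def summarize_range(first: str, last: str) -> List[str]:
    """Smallest list of CIDR blocks that covers first..last inclusive."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(a, b)]


def check_pbr(pbr: List[str]) -> List[str]:
    """Report entries whose address is not the first address of their block.

    iptables and `ip rule` mask such an entry to its network address, so
    192.168.1.100/26 really matches .64-.127, not ".100 and up".
    """
    problems = []
    for entry in pbr:
        try:
            ipaddress.ip_network(entry, strict=True)
        except ValueError:
            masked = ipaddress.ip_network(entry, strict=False)
            problems.append(f"{entry} is not on a block boundary; it would match {masked}")
    return problems


def uses_vpn(pbr: List[str], host: str) -> bool:
    """True if host falls inside any PBR block, i.e. it is policy-routed via the VPN."""
    h = ipaddress.ip_address(host)
    return any(h in ipaddress.ip_network(entry, strict=False) for entry in pbr)


def classify_hosts(pbr: List[str], hosts: List[str]) -> Dict[str, str]:
    """Map each host to 'vpn' or 'wan' under the given PBR list."""
    return {host: ("vpn" if uses_vpn(pbr, host) else "wan") for host in hosts}


if __name__ == "__main__":
    # Constructed sample hosts: a DHCP client (.110), the headless box (.121), the desktop (.122).
    sample_hosts = ["192.168.1.110", "192.168.1.121", "192.168.1.122"]
    print("OP's PBR list   :", classify_hosts(OP_PBR, sample_hosts))
    print("OP list problems:", check_pbr(OP_PBR) or "none")
    print(".100-.120 needs :", summarize_range("192.168.1.100", "192.168.1.120"))
    print(".64-.127 needs  :", summarize_range("192.168.1.64", "192.168.1.127"))
    print("misaligned entry:", check_pbr(["192.168.1.100/26"]))
```

Running it shows that .121 and .122 are outside every block of the OP's list (so PBR alone does not touch them), that .100-.120 summarizes to exactly the four entries the OP typed, and that .64-.127 collapses to the single 192.168.1.64/26 egc suggested.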
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10318
Location: Netherlands

PostPosted: Sat Dec 25, 2021 7:41    Post subject:
As PYB said, you really should look into CIDR notation.

The guide gives you a link to calculate ranges; just do some, and then perhaps you will begin to understand:
https://www.ipaddressguide.com/cidr

I am not going to reiterate myself, as I cannot explain it any better, so the only advice I can give is that you should read carefully.
