[RESOLVED, kinda] VPN Routing Policies - Destination Routing

DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

Posted: Sun Aug 21, 2022 21:59    Post subject: [RESOLVED, kinda] VPN Routing Policies - Destination Routing
Hi Gurus,

I have been searching for information relating to this section of DD-WRT but could not find any in my search so far, except info on Policy Based Routing (which is under Services/VPN Tab).

Just wondering if someone could shed any light on it. It appears to me to be Split Tunneling, which I am interested in learning more about.

Thank you in advance. Cheers.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.


Last edited by DWCruiser on Sun Aug 28, 2022 22:23; edited 1 time in total
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6855
Location: Romerike, Norway

Posted: Sun Aug 21, 2022 22:07
It's the same thing, but applies to general routing rather than VPN.
DWCruiser
Posted: Sun Aug 21, 2022 22:45
Per Yngve Berg wrote:
It's the same thing, but applies to general routing rather than VPN.


Hmm, Routing Policies has more granularity than just the entry of a single IP entered in Policy Based Routing under the VPN Tab.

The granularity is what puzzles me, in other words.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
Per Yngve Berg
Posted: Mon Aug 22, 2022 4:49
https://forum.dd-wrt.com/wiki/index.php/Policy_Based_Routing
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Mon Aug 22, 2022 6:09
You can add a lot more than a single IP in the PBR section of the VPN; see the OpenVPN Client setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
DWCruiser
Posted: Tue Aug 23, 2022 1:26
Thanks Per Yngve Berg. Sorry for my ignorance.

egc wrote:
You can add a lot more than a single IP in the PBR section of the VPN; see the OpenVPN Client setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398


Thanks for making me read more about VPN. :)

I set up & had both OpenVPN Server & Client working on my home network for several years before being made aware of your very extensive guide. So I kinda stopped reading about VPN unless when needed.

And when I read your guide, I realised that it has more options than I am aware of and using in my settings. My excuse is that IT is too HUGE to be on top of everything. Besides, one needs time out to smell the roses, so to speak.

Back to my issue. I want to be able to exclude certain destination IPs from VPN, such as Australia's local TV podcast programs, so I can still access them without hopping off my PC's VPN connection. Your guide has a section called 'Destination Based'. I used your template for mine below but it does not seem to resolve the issue at this stage.

route abc.net.au 255.255.255.255 net_gateway

I must miss something like adding a net-gateway somewhere.

Thank you.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
egc
Posted: Tue Aug 23, 2022 7:15
That is the way to do it; I just added it to my OpenVPN and you can check if it is working with

ip route show

That showed (among others)
203.2.218.214 via 192.168.0.1 dev vlan2

203.2.218.214 is that specific web address so that is working.

But if you are using it to watch TV you probably need a lot more domains and IP addresses.
If all the addresses are in the same subnets you can try with
route 203.2.0.0 255.255.0.0 net_gateway

Then you have a whole lot more IP addresses; again, check with ip route show.

But you probably have to hunt down all the IP addresses; that is described in the guide for Netflix etc., so I think the same applies to your situation.

WireGuard will get an update later this year; you can then use ipset to automatically add the used IP addresses. If it works it will get ported to OpenVPN, but that will not be anytime soon.

@eibgrad has an advanced routing script which uses ipset see his pastebin:
https://pastebin.com/u/eibgrad

There is a script to add static routes which actually does what I describe above:
https://pastebin.com/D96qMp5k

There might also be an advanced script which even uses ipset, but I am not sure about that. He usually visits this forum, so I hope he will chime in.

But otherwise just use source based routing and set your TV going out via the WAN; that surely works :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
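
Added example, not part of the post above: a POSIX shell check that applies longest-prefix matching to `ip route show` output and reports which destinations would still leave through the tunnel instead of the WAN. The gateway 192.168.0.1, device vlan2 and the two bypass routes come from the post; the tunnel device tun1, the 10.8.0.0/24 addresses and the rest of the sample table are constructed assumptions.

```shell
#!/bin/sh
# Constructed `ip route show` output: OpenVPN client up on tun1 (assumed name),
# plus the host route and the /16 route suggested in the post.
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun1
default via 192.168.0.1 dev vlan2
10.8.0.0/24 dev tun1 scope link
128.0.0.0/1 via 10.8.0.1 dev tun1
192.168.0.0/24 dev vlan2 scope link
203.2.0.0/16 via 192.168.0.1 dev vlan2
203.2.218.214 via 192.168.0.1 dev vlan2'

# egress_dev IP [ROUTES]: print the device of the longest-prefix route matching IP.
egress_dev() {
    printf '%s\n' "${2:-$SAMPLE_ROUTES}" | awk -v ip="$1" '
    function ip2int(a,   o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    BEGIN { target = ip2int(ip); best = -1; dev = "none" }
    {
        dst = $1; len = 32                                  # bare address = host route
        if (dst == "default") { dst = "0.0.0.0"; len = 0 }
        else if (split(dst, p, "/") == 2) { dst = p[1]; len = p[2] + 0 }
        size = 2 ^ (32 - len)
        if (int(target / size) != int(ip2int(dst) / size)) next   # IP not inside this prefix
        if (len <= best) next                                     # a longer prefix already matched
        for (i = 2; i < NF; i++) if ($i == "dev") { best = len; dev = $(i + 1) }
    }
    END { print dev }'
}

# check_bypass WAN_DEV IP...: print every IP that would NOT leave via WAN_DEV.
check_bypass() {
    wan="$1"; shift
    for ip in "$@"; do
        [ "$(egress_dev "$ip")" = "$wan" ] || echo "$ip"
    done
}

# Against the sample table this prints only 102.129.145.110 (no bypass route covers it).
check_bypass vlan2 203.2.218.214 203.2.10.5 102.129.145.110
```

On a router, pass the live table as the second argument: `egress_dev 203.2.218.214 "$(ip route show)"`.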
DWCruiser
Posted: Wed Aug 24, 2022 21:48
egc wrote:
That is the way to do it; I just added it to my OpenVPN and you can check if it is working with

ip route show

That showed (among others)
203.2.218.214 via 192.168.0.1 dev vlan2

203.2.218.214 is that specific web address so that is working.


ip route show results from my router's setting of 'route abc.net.au 255.255.255.0 net_gateway' resolves to '102.129.145.110'. Not 203.2.218.214 which is the correct one of abc.net.au.

102.129.145.110 via 124.188.191.254 dev vlan2

A search using 'whois.com' reveals the info below the line. Should I be concerned, or worry? It does not seem normal to me.

I'd like to reply to the remaining points of your last email later.

Thanks egc.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
DWCruiser
Posted: Sun Aug 28, 2022 22:21
A follow-up.

1.
Firstly, the detailed long list in my last post was the inquiry result of 102.129.145.110 on WHOIS.com.

It relates to the following script in my startup:
____________________________________
#!/bin/sh
logger WAN up script executing
if test -s /tmp/hosts0
then
rm /tmp/hosts0
fi

logger Downloading http://winhelp2002.mvps.org/hosts.txt
wget -O - http://winhelp2002.mvps.org/hosts.txt | grep 0.0.0.0 |
sed 's/[[:space:]]*#.*$//g;' |
grep -v localhost | tr ' ' '\t' |
tr -s '\t' | tr -d '\015' | sort -u >/tmp/hosts0
grep addn-hosts /tmp/dnsmasq.conf ||
echo "addn-hosts=/tmp/hosts0" >>/tmp/dnsmasq.conf
logger Restarting dnsmasq
killall dnsmasq
dnsmasq --conf-file=/tmp/dnsmasq.conf
_____________________________________

After removing it, the long list of IP addresses earlier disappears. Since I don't feel comfortable with it, I deleted the script. That was that. (I can't remember where I got it from so please don't ask).


2.
Following my online search during the last few days, I found out that PIA's OpenVPN app has a neat 'Split Tunneling' feature. It's based on the application used.

So when using Microsoft Edge, my requests appear to all websites as from where I live, i.e. Australia; whereas Firefox allows my requests to be somewhere else at the end of my VPN tunnel, without hopping on/off like I used to do.

On the other hand, for devices such as Roku and smart TV, I simply have them set up permanently in DD-WRT's OpenVPN PBR settings since these dummy devices do not need to be in two places at the same time.

It is a neat solution for me. Split Tunneling based on destination is still a long way off as I can see.

End note: I prefer not to have an unresolved issue that becomes a waste of space, and an inconvenient distraction for others, in a public forum. So this is to close the issue that was raised.

Thank you.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
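
Added example, not part of the thread: the startup script quoted in the post above fetches a hosts list over plain HTTP and keeps any line matching `grep 0.0.0.0`, where the dots match any character and the match can sit anywhere on the line. The sketch below puts that pipeline (as `legacy_filter`) beside a stricter filter that only lets `0.0.0.0 <hostname>` entries reach dnsmasq; the sample list and both function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of a downloaded hosts list (example.* names, documentation IPs).
SAMPLE_HOSTS='# constructed sample blocklist
127.0.0.1  localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
0.0.0.0 ADS.example.com
198.51.100.9 video.example.org # 0.0.0.0
10.0.0.0 intranet.example
0.0.0.0 bad_name!.example
0.0.0.0 one.example two.example'

# legacy_filter: the filtering stages of the quoted script, without the download.
legacy_filter() {
    grep 0.0.0.0 | sed 's/[[:space:]]*#.*$//g;' | grep -v localhost |
        tr ' ' '\t' | tr -s '\t' | tr -d '\015' | sort -u
}

# strict_blocklist: read a hosts file on stdin and print only "0.0.0.0<TAB>name"
# entries whose name is a syntactically valid hostname; everything else is dropped.
strict_blocklist() {
    tr -d '\015' | sed 's/[[:space:]]*#.*$//' | awk '
    NF != 2 || $1 != "0.0.0.0" { next }        # address must be exactly the null address
    {
        name = tolower($2)
        if (name == "localhost" || length(name) > 253) next
        if (name !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/) next
        print "0.0.0.0\t" name
    }' | sort -u
}

# With the strict filter, a tampered or malformed download can at worst add
# null-route entries; it cannot point a name at another address.
echo "legacy keeps:";  printf '%s\n' "$SAMPLE_HOSTS" | legacy_filter
echo "strict keeps:";  printf '%s\n' "$SAMPLE_HOSTS" | strict_blocklist
```

In the sample, the legacy pipeline passes `198.51.100.9 video.example.org` and `10.0.0.0 intranet.example` through to the addn-hosts file, while the strict filter keeps only the two null-address entries.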