Posted: Sun Aug 06, 2017 11:57 Post subject: Route Traffic on eth2 via VPN
Hi,
I have installed dd-wrt (DD-WRT v24-sp2 (06/07/14) vpnkong - build 22000M) on a Netgear WNDR4000. I've mostly configured everything OK, but there is one thing I'd like to do.
I have the OpenVPN client configured and running OK, it is connected to my server, all seems good.
I would like to set the router up so that all traffic on eth2 (the 5GHz wlan) is routed via the VPN. I'm guessing I need to create a bridge to do that?
The current bridging table shows br0 with interfaces vlan1 eth1 eth2
I'm guessing I'd need to remove eth2 from that bridge before I bridge to tun1? There doesn't seem to be a way to edit br0 via the webif.
Also read the peacock thread. For openVPN you have to use a mega or openVPN build.
Be sure to reset to defaults and put settings in manually
Now for your question: on newer builds on the Wireless/basic settings tab, you can just tick: Network configuration "Unbridged"
More boxes will then open; leave them at default and fill in the IP address, e.g. 192.168.2.1/255.255.255.0
Now head over to Setup/Networking, scroll down and add a DHCPD server, choose eth2.
Basically you are done and now have the 5GHz/eth2 on a different subnet.
If you want openVPN to route only this subnet, use Policy based routing and add the following in the PBR field:
192.168.2.100/30
192.168.2.104/29
192.168.2.112/28
192.168.2.128/28
192.168.2.144/30
192.168.2.148/31
192.168.2.150/32
I have read the wiki page, and I installed the FW I have, as it was recommended on that page as a 'good build for this device', and I also read the peacock thread where it says 'Remember that newer is not necessarily better!!!'
So I thought I should do as I'm told
Is there any particular build I should go for, or should I just pick the latest?
Anyway, not sure I understand the last bit, with the PBR entries, why are all the lines needed, could it not be done with one entry, or is that the only way to define 50 IP addresses starting from 192.168.2.100? (the 50 that the DHCP server could allocate)
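Why the PBR field takes seven lines rather than one, worked through as an added example (my own code, not from the thread or from DD-WRT): it summarises the 192.168.2.100-150 pool into aligned CIDR blocks, checks which client addresses the entries select, and shows how large a single block would have to be. It assumes only Python's standard ipaddress module.

```python
import ipaddress

# The PBR entries listed earlier in the thread, copied here as test data.
PBR_ENTRIES = [
    "192.168.2.100/30", "192.168.2.104/29", "192.168.2.112/28",
    "192.168.2.128/28", "192.168.2.144/30", "192.168.2.148/31",
    "192.168.2.150/32",
]


def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks covering first..last inclusive.

    A CIDR block must start on a multiple of its own size, so an arbitrary
    start/end pair usually needs several blocks of decreasing size."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def covered_hosts(entries):
    """Set of individual addresses matched by a list of PBR entries."""
    hosts = set()
    for entry in entries:
        # strict=True rejects entries like 192.168.2.100/29 that are not
        # aligned and would silently match a different block on the router.
        hosts.update(str(a) for a in ipaddress.ip_network(entry, strict=True))
    return hosts


def pbr_matches(client_ip, entries):
    """True if traffic *from* client_ip is selected by the PBR entries.

    DD-WRT's PBR field is matched on the source address of the LAN client,
    which is why the DHCP pool, not the remote destination, is listed."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e) for e in entries)


def smallest_single_block(first, last):
    """The one aligned block that contains first..last, and how many
    addresses outside that range it would also send through the VPN."""
    net = ipaddress.ip_network(f"{first}/32")
    end = ipaddress.ip_address(last)
    while end not in net:
        net = net.supernet()      # widen by one prefix bit until it fits
    wanted = int(end) - int(ipaddress.ip_address(first)) + 1
    return str(net), net.num_addresses - wanted
```

For the pool 192.168.2.100-150 the only single block is 192.168.2.0/24, which also covers the router's own address and every static host on the subnet.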
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sun Aug 06, 2017 14:33 Post subject:
It is true that newer is not necessarily better, but your build is really old and you want to do modern things like openVPN and Policy based routing on different subnets.
For my older Broadcom units comparable to yours I use build 30880. You should then use the mega nv64K if I am informed correctly.
You could try the latest 33006 but not the 3 builds prior; 32170 is possibly also stable, but you have to look in the build threads and do some research for your own router.
Thanks a lot for your help here egc. As you may be able to tell I'm a bit of a network newbie.
Things don't seem to be working quite yet.
I've got the build you recommended on, set up the subnet as you describe, put in the second DHCP server, and put in the IPs in the PBR field of the OpenVPN config.
In the OpenVPN status I'm seeing connection success; there don't seem to be any worrying error messages in the log.
However, anything connected to the 5G wireless does not get an outside world connection. I can access the router page, but anything further than that, there is nothing.
I'd like to test the VPN itself to break down whether it's the VPN connection or a routing issue in the router. Please could you suggest some troubleshooting steps to try?
I've been trying to troubleshoot a bit, and I've narrowed at least some of the issue to the PBR entries.
I have tested the connection from the server side. With no entries in the PBR field, I can telnet into the router using the VPN IP (10.9.2.x), proving the connection is OK.
As soon as I place an entry into the PBR field, the ping/telnet no longer works, though the VPN client claims it is connected.
Any ideas why entries in the PBR field would break the connection, especially from the server side? I would have thought that the server side doesn't know/care about routing rules on the client side, so this suggests to me that the PBR entries are breaking the connection somehow.
Posted: Mon Aug 07, 2017 11:06 Post subject:
I am not sure what you are trying to do. Are you using an openVPN provider? Or do you want to contact your own openVPN server?
First see if everything works with OpenVPN, then use open VPN without PBR and see if everything works and is routed to your VPN provider.
I'm connecting to my own openVPN server, located in the UK at a friend's house, from my router, located outside of the UK.
What I'm trying to achieve is that anything connected to the 5GHz wifi will connect to the internet with an external UK IP address, and can therefore use geo-restricted services as if it were connected in the UK.
As I have access to the VPN server (openVPN running on ubuntu), I am able to log into it and test the connection 'looking back' at the client. So to clarify a little, when there were PBR entries in the client config on the router, I was not able to connect to the router, using its IP address that the server had allocated it.
If I removed the PBR entries and restarted the client, then I could ping the server from the router, and I could ping and telnet into the router from the server side.
Do you think the lack of local routes could be causing this behavior?
Posted: Mon Aug 07, 2017 13:57 Post subject:
Hmm, that complicates matters. I have this setup working when I contact my OpenVPN provider (PIA), so it is something which is maybe also related to your setup of the OpenVPN server; for that we need more expert help.
You have "Masquerade/NAT" enabled and "Net Isolation" disabled, I presume; otherwise it could not work in the first place, I think.
Another point that I have not mentioned, is that the router is not the only client connecting to the openVPN server.
I have various Linux based satellite set-top boxes that have been connected to the server for a few years, with no issues. So I know the server is working. If there is an issue with the server, it must be in this particular interaction with the openVPN client on the router. Which I suppose could be possible.
The routing setup is slightly different however. The STBs are set up so that any traffic to a 192.168.1.1/24 IP address is routed down the VPN, but anything else is not. So it's destination based routing rather than source based. Again, I suppose this could be an important difference.
I'll look into the "Masquerade/NAT" and "Net Isolation" settings and try the script this evening and see how it goes.