SOLVED Proxy traffic over Open VPN Tunnel Using 2 DDWRT v 24

paudash
DD-WRT Novice


Joined: 27 Jul 2008
Posts: 1

PostPosted: Tue Feb 03, 2009 8:26    Post subject: SOLVED Proxy traffic over Open VPN Tunnel Using 2 DDWRT v 24
UPDATED:

OKAY FIGURED IT OUT. I've modified my configs below.
See RED.

I was missing a couple of things from both of my config files. I am now able to allow any host behind my routers in Canada to use HULU without PPTP or SSH/Putty. NO client configs, it's all handled by the routers, baby!

If you find this useful, need any help with your configs, or have any suggestions to add functionality, please post here.

Would love to know if there is a way to add dns routes to my config.

IE:

route add -net [HOSTNAME] netmask 255.255.255.0 gw 10.0.0.2

ORIGINAL:
I am trying to route/proxy specific traffic through my VPN connection using 2 DDWRT routers w/ a routed Open VPN implementation. I have successfully made my connection using this guide and have no issues connecting internally.

http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_routed_VPN_between_two_routers

The reason I am trying to do this is to allow myself access to content not otherwise accessible in Canada through my connection (gateway) in the US. I realize I may have issues with video streaming but I still want to give it a try.

I realize I could use the built-in PPTP server or SSH/Putty to create a connection, but I'd like to avoid this if possible.
The goal is to allow all of my machines in my Canadian subnet access to these restricted sites without configuring and toggling a software VPN connection.

Here is my setup:
USA (Open VPN CLIENT 192.168.10.1) <-(VPN)-> Canada (Open VPN SERVER 192.168.0.1)

Ideally I'd like my router in Canada to recognize a request for HULU or NBC (via DNS request), pass that request through my VPN to my US gateway and then return the content.

Or

Configure my Proxy settings in my browser to use my remote VPN gateway (192.168.10.1) to access these sites. In which case I would need to configure this gateway to act as a proxy.

I'm not sure if this is complicated or I am missing something simple, but I have been searching for days for a solution.

Could it be a firewall rule? YES, partly.

Any help would be greatly appreciated.

Below are my config files:

SERVER CONFIG - CANADA

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site SiteA-SiteB
echo "
proto udp
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
daemon
" > SiteA-SiteB.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.1 netmask 255.255.255.0 promisc up

# Create routes
route add -net 192.168.10.0 netmask 255.255.255.0 gw 10.0.0.2

# Catch the Hulu stream and route it through the VPN
# Do a netstat to determine which subnet they are using. Hint: look for connections on port 1935.
# Note: as of this writing I could only find one subnet in use. If they ever change it in the future you will have to add / change / modify this next line.
route add -net X.X.X.0 netmask 255.255.255.0 gw 10.0.0.2

# Hulu geo-check servers
# Hulu does a check on your IP address.
# You must catch this traffic and route it through your VPN connection, as they check the RTSP stream for IP address validity.
# (http://releasegeo.hulu.com/geoCheck)
# Hint: do an nslookup to determine the subnet of the geo-check servers.
# I have 2 entries here as they use round-robin DNS to alternate between two subnets; do a couple of nslookups to determine yours.
# Note: if they ever change this in the future you will have to add / change / modify these next 2 lines.
route add -net X.X.X.0 netmask 255.255.255.0 gw 10.0.0.2
route add -net X.X.X.0 netmask 255.255.255.0 gw 10.0.0.2


# Initiate the tunnel
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf

SERVER FIREWALL RULES - CANADA
# Open firewall holes
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

# Allow VPN traffic to use the local wan port
iptables -I FORWARD -i vlan1 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o vlan1 -j ACCEPT


# Allow DNS to traverse the VPN
iptables -I INPUT 1 -i tun0 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p udp --dport 53 -j ACCEPT
# Allow access to the router through the VPN (ping, web GUI, telnet)
iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 443 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 23 -j ACCEPT

CLIENT CONFIG - USA
# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site SiteA-SiteB
echo "
remote DNSADDRESS
proto udp
port 2000
dev tun0
secret /tmp/static.key
verb 3
comp-lzo
keepalive 15 60
#log /tmp/openvpn.log
daemon
" > SiteA-SiteB.conf

# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
" > static.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.2 netmask 255.255.255.0 promisc up

# Create routes
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.0.0.1

# Initiate the tunnel
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf

CLIENT FIREWALL RULES - USA
# Open firewall holes
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

# Allow VPN traffic to use the local wan port
iptables -I FORWARD -i vlan1 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o vlan1 -j ACCEPT


# Allow DNS to Traverse the VPN
iptables -I INPUT 1 -i tun0 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p udp --dport 53 -j ACCEPT
# Allow Access to the Router thru VPN
iptables -I INPUT 3 -i tun0 -p icmp -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 23 -j ACCEPT
iptables -I INPUT 1 -i tun0 -p tcp --dport 443 -j ACCEPT
# Allow Netbios to Traverse the VPN
#iptables -I FORWARD 1 -i tun0 -p tcp --dport 139 -j ACCEPT
#iptables -I FORWARD 2 -i tun0 -p udp --dport 139 -j ACCEPT

So my only question now to the group is: does anyone see any issues with my newly created firewall rules as far as security may be concerned?

I also wanted to give a shout out to the guys and gals at the DDWRT team, you guys rock! Keep up the great work!
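The manual procedure in the config comments above (nslookup the geo-check hosts, work out their /24 subnets, add a route for each through the tunnel peer 10.0.0.2) and the "route add -net [HOSTNAME]" wish at the top of the post, as an added shell script that is not the poster's config: it resolves a hostname to all of its round-robin addresses, collapses them into unique /24 networks, and prints the route commands for review before they are applied. It assumes the tunnel peer address 10.0.0.2 from the post and a busybox-style nslookup on the router; the hostname geocheck.example.invalid and the addresses in the embedded sample output are constructed, not captured from any real server.

```shell
#!/bin/sh
# Added example, not the original poster's config: automates the
# "nslookup the geo-check hosts, then route add -net X.X.X.0" step.
# Assumes the tunnel peer 10.0.0.2 from the post and a busybox-style
# nslookup on the router; the rest is plain POSIX sh + awk, so it also
# runs on a desktop for review.

TUN_GW="${TUN_GW:-10.0.0.2}"

# Keep only the answer section of nslookup output and pull out every IPv4
# literal, deduplicated. Dropping everything before "Name:" is what stops
# the resolver's own address ("Server: 192.168.0.1") from becoming a route.
parse_nslookup() {
    sed -n '/^Name:/,$p' \
      | tr -c '0-9.\n' '\n' \
      | awk '$0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$0]++'
}

# Collapse addresses (stdin, one per line) to their unique /24 networks,
# preserving first-seen order.
to_slash24() {
    awk -F. '{ n = $1 "." $2 "." $3 ".0"; if (!seen[n]++) print n }'
}

# Turn networks (stdin) into the same route commands used in the config above.
format_routes() {
    gw="$1"
    while read -r net; do
        echo "route add -net $net netmask 255.255.255.0 gw $gw"
    done
}

# Resolve HOST (all round-robin answers) and print, not apply, the routes.
# Review the output first, then apply with:  routes_for_host HOST | sh
routes_for_host() {
    nslookup "$1" 2>/dev/null | parse_nslookup | to_slash24 | format_routes "${2:-$TUN_GW}"
}

# Constructed sample of busybox nslookup output (not a real capture). It has the
# resolver's address at the top and answers from two subnets, like the
# round-robin case described in the post.
SAMPLE_NSLOOKUP='Server:    192.168.0.1
Address 1: 192.168.0.1

Name:      geocheck.example.invalid
Address 1: 203.0.113.7 geocheck.example.invalid
Address 2: 198.51.100.9 geocheck.example.invalid
Address 3: 203.0.113.42 geocheck.example.invalid'

# Offline demonstration: push the sample through the same pipeline.
demo_routes() {
    printf '%s\n' "$SAMPLE_NSLOOKUP" | parse_nslookup | to_slash24 | format_routes 10.0.0.2
}

demo_routes
```

Routing by hostname this way is only as current as the lookup: the answers change whenever the provider rotates subnets, so run the script from the router's startup script rather than pasting its output into a static config, and check the printed networks before piping them to sh, since a /24 inferred from one address can be wider or narrower than the range the provider actually uses.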
BillybBob67
DD-WRT Novice


Joined: 22 Jan 2011
Posts: 3

PostPosted: Sat Jan 22, 2011 16:01    Post subject: dynamic routing?
Is it possible to use Shawn's script for dynamically updating the routes?

http://www.shawnmolnar.com/blog/tag/webmin
aka_rich
DD-WRT Novice


Joined: 09 Feb 2011
Posts: 11

PostPosted: Thu Feb 10, 2011 18:22    Post subject: I am facing a similar issue...
Hi,

I am facing a similar issue and wonder if you could help me?

(Sniffer) <--- (Router A) <---VPN--- (Router B) <--- (HUB) <--- Traffic

My setup is between 2 DD-WRT routers which create a VPN link between 2 sites. One end of the VPN (Router B) will be in a client network, which is where the traffic needs to be routed from. I plan to tap into the traffic that I need via a hub, and Router B will be directly connected to this hub. The other end of the VPN link will be in my remote location, where I will be running a sniffer (behind Router A). I want Router B to accept traffic from any sender and route that packet through my VPN so that my remote sniffer can process it so I can provide services.

During testing, this does work for traffic that is routed through Router B, but I found that the router is dropping packets at the MAC layer when the packets do not have Router B's MAC set as their destination. So the approach that was taken so far was to set Router B into promiscuous mode to accept all packets.

Are there any other ways to accomplish this? Can anyone shed any light?
Has anyone got promiscuous mode to work?

Many Thanks,

Rich.