OpenVPN selective routing over multiple tunnels questions

DD-WRT Forum -> Advanced Networking
Author Message
cornasdf
DD-WRT Novice


Joined: 29 Sep 2012
Posts: 3

PostPosted: Sat Sep 29, 2012 23:08    Post subject: OpenVPN selective routing over multiple tunnels questions
Hi All,
I am starting work on a fairly complex setup and I have a couple questions I am hoping the community will help me with. I plan to post the config if I get it stable for others.

First, the goal.
1. I want to bring up multiple (currently 2) OpenVPN tunnels. I am considering 1 endpoint in the UK (local country) and 1 in the US. My ISP is a UK ISP.
2. I want 'default' traffic to route out the UK VPN service.
3. I want selected traffic to route out the US VPN service.
4. I want to be able to subscribe certain traffic to route out the local ISP. Initially this will be port based (RDP) and Skype type traffic.
5. Preferably, there would be a failure mode where, if the tunnels are down, things fail back to routing out the ISP. (This may just be a cron job that checks the tunnels and takes action.)
6. I want to also be a VPN endpoint for my phone and laptop when roaming, to be able to connect and flow out the same logic.

So, a tall order.

I currently can bring up the two OpenVPN tunnels. I am generally comfortable with routing and intermediate (Cisco) firewall config.

I have several questions, some based on my unfamiliarity with the platform and some based on the complexity. I greatly appreciate any hints, suggestions, half remembered terms, or even full answers the community may have.

Questions
1. I am running router model Netgear WNR3500v2/U/L, firmware version DD-WRT v24-sp2 (08/12/10) mega - build 14929. This was based on the recommendations in the Peacock thread. I have seen various reports of some bad OpenVPN builds; indeed, this build doesn't seem to have an 'additional commands' section in the GUI config. Is there a better version I should be using as a base?
2. Where should I store my config scripts on DD-WRT?
nvram show | grep size
shows size: 26120 bytes (6648 left)
6k seems like a lot and nothing at the same time B-). I understand I run the risk of bricking my router if I overfill the NVRAM? Not having a clear feel for what is writing to NVRAM, how close is safe to get? Along these lines, how do I store scripts to persist between reboots?
3. If I can get to the point where I am writing iptables commands, I feel like I can manage all the 'this traffic goes where' rules. As far as I can tell, I will need to create ip rule fwmark tables for each tunnel and then use iptables to set-mark on them, more or less as specified here (http://lartc.org/howto/lartc.netfilter.html and http://lartc.org/howto/lartc.rpdb.html). Does this seem like a 'sane' way to do this?
4. Do we have any option of having 'preferred' routing, where we try to use the tunnel but if the tunnel is down, fall back to the ISP?
5. I haven't started looking at the VPN server side at all; will anything I am doing here preclude me running as a server?
6. Finally, does my router have the CPU to manage this load for a family house? I will obviously have to watch this myself, but I am wondering about your esteemed opinions.

Again, any nuggets about any of the above would be hugely helpful.

Thanks for your time.
Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Sun Sep 30, 2012 8:07    Post subject:
You can accomplish this with policy based routing, which you can find more information on in the wiki.

You will need to create a new routing table for each network or IP that you want to have redirected, and then create default routes for the addresses that match the rule.

As far as port based or protocol based routing, not sure if I can help you there. (At least I don't know how to do that)

To answer your questions in more detail...

1. You are always better off using telnet or SSH to send commands to the router. Good job doing your reading before flashing DD-WRT... and you are correct. That is the officially recommended build. You can upgrade past that, but do keep in mind that with that router you are going to be limited to the mini and small versions of DD-WRT... but you can put any Broadcom K2.6 (I assume you uploaded a K2.6 version) build on there that is under 4 meg.

2. The amount of NVRAM that additional route configurations will take up is negligible... the amount of NVRAM those two OpenVPN daemons are taking up is not.

3. It's called policy based routing, and on DD-WRT it is accomplished with iproute2.

4. If the interface goes down, so does the route (and it doesn't come back until you explicitly declare the route again).

5. You can run as many daemons as your NVRAM will allow for, theoretically.

6. If I am correct, your router has a Broadcom 4718 which is capable of 533 MHz... (but has probably been clocked somewhere around 480 MHz for stability and heat reduction). The processor will not be the bottleneck in that router. The bottleneck will be the amount of NVRAM available.

_________________
The Peacock Thread <-- New? READ THIS!
------

Current:
ASUS RT-N16 DD-WRT v24-sp2 mega(SVN revision 19519)Running OTRW - Take 2 on 8 GB Flash Disk. 128M swap + 7.5 GB ext2 on /opt
Past:
ASUS WL500GP v2 [DD-WRT v24-sp2 (06/17/09) mega-(SVN 12307M NEWD Eko)]

Registered Linux User #491768
cornasdf
DD-WRT Novice


Joined: 29 Sep 2012
Posts: 3

PostPosted: Mon Oct 01, 2012 8:22    Post subject:
Thanks for the reply.
For the policy based routing, it seemed like I could only do that for specific IP ranges (i.e. layer 3). To bring in port based routing, I need to rely on the iptables fwmark functionality. It looks like I can use the same table routing for that though. I haven't tested how it will degrade.

Do I have any options for using a thumb drive or similar to extend the NVRAM? In any case, I am thinking that would probably be the right place to keep scripts, etc.

Based on my read of your response, I see no advantage to reflashing my router, so I will stick with the current build.

Is there any way I can see the load on NVRAM of the OpenVPN client? nvram show | grep size doesn't show any change between no OpenVPN running and 1 running. What am I missing?


You were close on the chip. Looks like I am on a Broadcom BCM4716 chip rev 1.

Here is what I have so far, really just a base setup and a couple of proof of concept lines. Two kids means my time to play is limited, and this is as far as I got the other night. It is definitely not how I will be running things, but I was able to verify that things were working as I expected. I will post more when I get it really working. My next challenge is going to be dynamically determining what to route where. I am considering something similar to this guy:
http://delx.net.au/blog/2011/12/hulu-and-pandora-outside-usa/

Any suggestions welcome.


# get gateway addresses (the 0.0.0.0/1 routes are the ones each tunnel's redirect-gateway def1 installs)
DEFAULT_GATEWAY_IP=$(ip route list table main | awk '/default/ { print $3 }')
TUNNEL0_GATEWAY_IP=$(ip route list table main | grep 0.0.0.0 | awk '/tun0/ { print $3 }')
TUNNEL1_GATEWAY_IP=$(ip route list table main | grep 0.0.0.0 | awk '/tun1/ { print $3 }')

# Create fwmark to table bindings
ip rule add fwmark 200 table 200 # Local ISP
ip rule add fwmark 300 table 300 # Tunnel 0 UK
ip rule add fwmark 400 table 400 # Tunnel 1 US

# Create table to tunnel bindings
/sbin/ip route add default via "$DEFAULT_GATEWAY_IP" dev ppp0 table 200 # Send out local ISP
/sbin/ip route add default via "$TUNNEL0_GATEWAY_IP" dev tun0 table 300 # Send out UK Tunnel
/sbin/ip route add default via "$TUNNEL1_GATEWAY_IP" dev tun1 table 400 # Send out US Tunnel

# Local ISP rules (mark in the mangle table before the routing decision; the option is --dport)
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 80 -j MARK --set-mark 200 # All HTTP over ISP

# UK tunnel rules
ip rule add to x.y.z.34/32 table 300

# US Tunnel rules
ip rule add from 192.168.x.128/28 table 400


Last edited by cornasdf on Mon Oct 15, 2012 14:15; edited 1 time in total
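As an added example (not code from the thread, the blog post, or DD-WRT itself), here is the same mark-to-table layout with the "fall back to the ISP when a tunnel is down" check that item 5 of the opening post asks for. It assumes br0 is the LAN, ppp0 the ISP uplink, tun0/tun1 the UK/US tunnels, sysfs mounted for the interface check, and a constructed LAN range 192.168.1.128/28; commands are only printed unless APPLY=1.

```shell
#!/bin/sh
# Added example, not the thread's code: one policy table per egress plus the "fall back
# to the ISP when a tunnel is down" check asked for in item 5 of the opening post.
# Assumed names: br0 = LAN, ppp0 = ISP uplink, tun0 = UK tunnel, tun1 = US tunnel.
# Print commands unless APPLY=1, so the plan can be reviewed before it touches the router.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}
# Gateway of the first route on device $1, parsed from `ip route list table main` on stdin;
# with redirect-gateway def1 a tunnel shows up as "0.0.0.0/1 via <gw> dev tunN".
gateway_for() {
    awk -v dev="$1" '$0 ~ ("dev " dev "( |$)") { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}
# A tun device reports operstate "unknown" while up, so accept both "up" and "unknown".
iface_up() {
    [ -e "/sys/class/net/$1/operstate" ] && grep -qE '^(up|unknown)$' "/sys/class/net/$1/operstate"
}
# Point table $1 at its tunnel ($2 via $3) when $6 is "up", otherwise at the ISP ($4 via $5).
# `ip route replace` works whether or not the table already has a default, so cron can repeat it.
bind_table() {
    if [ "$6" = "up" ]; then
        run ip route replace default via "$3" dev "$2" table "$1"
    else
        run ip route replace default via "$5" dev "$4" table "$1"
    fi
}
# One-time setup: fwmark -> table bindings, marks for the traffic classes, and NAT on the
# tunnels (LAN addresses must be masqueraded on tunN just as DD-WRT already does on ppp0).
setup() {
    for pair in "200 ppp0" "300 tun0" "400 tun1"; do
        set -- $pair   # word-split on purpose: $1 = table/mark, $2 = device
        run ip rule add fwmark "$1" table "$1"
        [ "$2" != ppp0 ] && run iptables -t nat -A POSTROUTING -o "$2" -j MASQUERADE
    done
    run iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 3389 -j MARK --set-mark 200  # RDP via ISP
    run iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.128/28 -j MARK --set-mark 400  # constructed LAN range via US
}
# Periodic check (e.g. from cron): re-point every tunnel table, falling back to the ISP.
refresh() {
    routes=$(ip route list table main)
    isp_gw=$(printf '%s\n' "$routes" | gateway_for ppp0)
    for pair in "300 tun0" "400 tun1"; do
        set -- $pair
        state=down; iface_up "$2" && state=up
        bind_table "$1" "$2" "$(printf '%s\n' "$routes" | gateway_for "$2")" ppp0 "$isp_gw" "$state"
    done
}
case "${1:-}" in setup) APPLY=1; setup ;; refresh) APPLY=1; refresh ;; esac
```

Run it once as `sh tunnels.sh setup` and then from cron as `sh tunnels.sh refresh`; when a tunnel comes back, the next refresh moves its table off the ISP again.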
Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Mon Oct 01, 2012 10:00    Post subject:
I am not familiar with the fwmark functionality of iproute2. I haven't needed it quite yet.

As far as extending NVRAM goes, the short answer to that question is no. NVRAM is controlled by the CFE, and needless to say it's very picky. Any change to NVRAM that it isn't expecting and it will clear and rebuild it. If you have time, this is an interesting read on some attempts to modify the CFE to increase NVRAM size. An easy workaround for this is to run the OpenVPN servers as Optware and store all the configuration data on the external drive or on JFFS. You are correct in your thinking that it is a good place to store things like extra scripts and such. I also wrote a small script that will go through and clean up your NVRAM of unused assignments. This cleared up almost 5k of NVRAM on my router. You can find it here.

If you are running OpenVPN as Optware, you will not see any change to NVRAM when it is running. It will load data into RAM... but not NVRAM. It doesn't need to store anything in NVRAM as it has access to an actual disk (either an external USB/MMC or a JFFS2 mounted partition). If you are running OpenVPN from the GUI and have supplied configuration data into those fields, then you would see that data being stored in NVRAM. The GUI needs to do this for your config data to be persistent.

Your setup is much more complicated than mine. This is a good topic for addition to the wiki. It would help others, if you have the time, once you get it up and running.

Vespian
DD-WRT User


Joined: 26 May 2009
Posts: 183
Location: N34 31.872 E69 10.821 for now.

PostPosted: Mon Oct 01, 2012 10:08    Post subject:
Vespian wrote:

2. The amount of NVRAM that additional route configurations will take up is negligible... the amount of NVRAM those two OpenVPN daemons are taking up is not.


Heh. Oops. You can't run two OpenVPN daemons from the GUI... duh.

cornasdf
DD-WRT Novice


Joined: 29 Sep 2012
Posts: 3

PostPosted: Mon Oct 15, 2012 14:15    Post subject: got it
OK, so I got it. I posted a proof of concept walkthrough at: http://cornasdf.blogspot.co.uk/2012/10/dd-wrt-openvpn-and-selectively-routing.html

If you do think this should be in the wiki, where? I can put up the article, but I don't feel I have been involved enough in the community to know where it should be posted.