Use the VPN but not for some IP targets

DD-WRT Forum Index -> Advanced Networking
Yop59
DD-WRT Novice
Joined: 30 Nov 2014
Posts: 12

PostPosted: Sun Dec 07, 2014 2:08    Post subject: Use the VPN but not for some IP targets
Hello all!

I have a problem with my iptables rules.

First, the configuration of my network:

Internet ---- modem (192.168.1.x) ---- router (192.168.0.x)

The computer 192.168.0.10 passes through my VPN, and not all the other IPs (192.168.0.x).

The problem is that when this computer (192.168.0.10) wants to access the modem's page (192.168.1.1), it does not work, probably because of the VPN.

I have to add an iptables rule, but which one? iptables -I FORWARD 1 -d 192.168.1.1 -j ACCEPT?

Currently, here are my iptables rules:
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.10 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Thanks in advance!

Yop
Yop59 (DD-WRT Novice)
PostPosted: Sun Dec 07, 2014 13:29
Hello,

It doesn't work with this rule.

Perhaps more information about my configuration?

----
Internet ---- modem (192.168.1.x) ---- router (192.168.0.x)

Policy based Routing: 192.168.0.10/32

My iptables rules:
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.10 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
----

If I add this rule:

iptables -I FORWARD -i br0 -s 192.168.0.10 -o vlan2 -d 192.168.1.1 -j ACCEPT

The web browser cannot access the 192.168.1.1 page.

Any idea?

Thanks!
Yop59 (DD-WRT Novice)
PostPosted: Mon Dec 08, 2014 15:21
No idea?
Yop59 (DD-WRT Novice)
PostPosted: Mon Dec 08, 2014 22:11
OK, the rule:

iptables -I FORWARD -i br0 -s 192.168.0.10 -o vlan2 -d 192.168.1.1 -j ACCEPT

works well, but only when the VPN fails :/

I would like to have access to 192.168.1.1 even when the VPN is not down.

Is this possible?

Thanks a lot

Yop
Yop59 (DD-WRT Novice)
PostPosted: Sat Dec 13, 2014 0:18
Quote:
Problem is you haven’t fully explained the configuration of your VPN. You’ve merely said you suspect it’s the VPN, but without explaining why.


Oh sorry eibgrad, I'll try to be more accurate!
And I don't know if it's the fault of the VPN; it was just a hypothesis :/


My configuration:

Internet (IP : xxx.xxx.xxx.xxx)
|
|_ Modem (IP : 192.168.1.254, DMZ -> Router)
|
|_ Router (IP : 192.168.0.1)


Router configuration:

Code:
Setup / Basic setup

WAN Connection Type
Connection Type : Static IP
WAN IP Address : 192.168.1.253
Subnet Mask : 255.255.255.0
Gateway : 192.168.1.254

Router IP
Local IP Address : 192.168.0.1
Subnet Mask : 255.255.255.0
Gateway : 192.168.1.254


Code:
Services / VPN

OpenVPN Client
* Configuration of my VPN *
....
Policy based Routing : 192.168.0.10/32
....


Code:
Administration / Commands

Firewall
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.10 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE



My problem:

When I use the computer with the IP address 192.168.0.10, I can surf the web, but I cannot access 192.168.1.x IPs.


First attempt:

If I add this rule:
iptables -I FORWARD -i br0 -s 192.168.0.10 -o vlan2 -d 192.168.1.0/24 -j ACCEPT
I can access 192.168.1.x IPs, but only if the VPN is down.


I hope that with this information, it is much clearer.

Thanks in advance!

Yop
Yop59 (DD-WRT Novice)
PostPosted: Sat Dec 13, 2014 17:43
Okay so I remove everything that is in "Services / VPN / OpenVPN Client" and I create a script that manages the entire VPN configuration in "Administration / Commands".
Is that right?

Thank you very much eibgrad
Yop59 (DD-WRT Novice)
PostPosted: Sun Dec 14, 2014 23:27
Hi eibgrad,

The command "ip rule list" returns nothing. I upgraded the firmware and nothing changed.

If I read the script "/tmp/openvpncl/route-up.sh", it is "table 10" that is used.

So, if that is the right table:

ip route show table 10
-> default via 10.181.1.5 dev tun1

Thanks eibgrad
Yop59 (DD-WRT Novice)
PostPosted: Mon Dec 15, 2014 1:55
eibgrad! It works!!!!

I used your method, creating two scripts (route-up.sh and route-down.sh) in the JFFS partition, and I use the command line with "openvpn" and its parameters.

I'll try to put it all in one script and not use the JFFS partition.
I'll post it all here, probably tomorrow.

Thank you so much eibgrad!!!!
Yop59 (DD-WRT Novice)
PostPosted: Mon Dec 15, 2014 17:00
Argh! In fact, it does not really work....

In /jffs/route-up.sh, I put:

Code:
#!/bin/sh

# delete any existing copies first, so repeated runs do not stack duplicate rules
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -D INPUT -i tun1 -j ACCEPT
iptables -D FORWARD -i tun1 -j ACCEPT
iptables -D FORWARD -o tun1 -j ACCEPT
iptables -I INPUT -i tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -j ACCEPT
iptables -I FORWARD -o tun1 -j ACCEPT

# copy main routing table to alternate (ignore default gateway)
# note: only a plain "default" entry is skipped; the 0.0.0.0/1 and 128.0.0.0/1
# routes OpenVPN adds for redirect-gateway, if present in main, are copied too
ip route flush table 10
ip route show table main | grep -Ev ^default \
  | while read route; do
        ip route add $route table 10
    done

# specify vpn as default gateway ($route_vpn_gateway and $dev are set by OpenVPN)
ip route add default via $route_vpn_gateway dev $dev table 10

# now add your source IP(s)
ip rule add from 192.168.0.10 table 10

ip route flush cache


And now, all IPs (192.168.0.x) pass through the VPN, as if there was no rule, when only 192.168.0.10 should be using the VPN.

Any idea? Did I make a mistake? :/

PS: For your information, I have deleted everything there was in "Policy based Routing".
Yop59 (DD-WRT Novice)
PostPosted: Tue Dec 16, 2014 2:54
Wow, it works very well! And I have made several tests with no errors

My "little" startup script (for those who have the same problem as me):

Code:
# stop the OpenVPN client the GUI started, so it can be relaunched with the scripts below
/usr/bin/killall openvpn
# single quotes are deliberate: $(nvram get wan_iface) is written literally into route-up.sh
# and expands when that script runs, adding the modem subnet to table 10 via the WAN interface
# (/tmp is recreated at boot, so the line is appended once per boot)
echo 'ip route add 192.168.1.0/24 dev $(nvram get wan_iface) table 10' >>/tmp/openvpncl/route-up.sh
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon


eibgrad, thank you very much for taking time to help me