Yop59 DD-WRT Novice Joined: 30 Nov 2014 Posts: 12
Posted: Sun Dec 07, 2014 2:08 Post subject: Use the VPN but not for some IP targets
Hello all!
I have a problem with my iptables rules.
First, the configuration of my network:
Internet ---- modem (192.168.1.x) ---- router (192.168.0.x)
The computer 192.168.0.10 passes through my VPN, and not all the other IPs (192.168.0.x).
The problem is that when this computer (192.168.0.10) wants to access the modem's page (192.168.1.1), it does not work, probably because of the VPN.
I have to add an iptables rule, but which one? iptables -I FORWARD 1 -d 192.168.1.1 -j ACCEPT?
Currently, here are my iptables rules:
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.10 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
Thanks in advance!
Yop
Yop59 DD-WRT Novice Joined: 30 Nov 2014 Posts: 12
Posted: Sun Dec 07, 2014 13:29 Post subject:
Hello,
It doesn't work with this rule.
Perhaps more information about my configuration?
----
Internet ---- modem (192.168.1.x) ---- router (192.168.0.x)
Policy based Routing: 192.168.0.10/32
My iptables rules:
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.10 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
----
If I add this rule:
iptables -I FORWARD -i br0 -s 192.168.0.10 -o vlan2 -d 192.168.1.1 -j ACCEPT
The web browser cannot access the 192.168.1.1 page.
Any idea?
Thanks!
Yop59 DD-WRT Novice Joined: 30 Nov 2014 Posts: 12
Posted: Mon Dec 08, 2014 15:21 Post subject:
No idea?
Yop59 DD-WRT Novice Joined: 30 Nov 2014 Posts: 12
Posted: Mon Dec 08, 2014 22:11 Post subject:
OK, the rule:
iptables -I FORWARD -i br0 -s 192.168.0.10 -o vlan2 -d 192.168.1.1 -j ACCEPT
works well, but only when the VPN fails :/
I would like to have access to 192.168.1.1 even when the VPN is not down.
Is this possible?
Thanks a lot
Yop
Yop59 DD-WRT Novice Joined: 30 Nov 2014 Posts: 12
Posted: Sat Dec 13, 2014 0:18 Post subject:
Quote: Problem is you haven’t fully explained the configuration of your VPN. You’ve merely said you suspect it’s the VPN, but without explaining why.
Oh, sorry eibgrad, I'll try to be more accurate!
And I don't know if it's the VPN's fault; it was just a hypothesis :/
My configuration:
Internet (IP: xxx.xxx.xxx.xxx)
|
|_ Modem (IP: 192.168.1.254, DMZ -> Router)
|
|_ Router (IP: 192.168.0.1)
Router configuration:
Code: Setup / Basic setup
WAN Connection Type
Connection Type: Static IP
WAN IP Address: 192.168.1.253
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.254
Router IP
Local IP Address: 192.168.0.1
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.254
Code: Services / VPN
OpenVPN Client
* Configuration of my VPN *
....
Policy based Routing: 192.168.0.10/32
....
Code: Administration / Commands
Firewall
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.10 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
My problem:
When I use the computer with the IP address 192.168.0.10, I can surf the web, but I cannot access 192.168.1.x IPs.
First attempt:
If I add this rule:
iptables -I FORWARD -i br0 -s 192.168.0.10 -o vlan2 -d 192.168.1.0/24 -j ACCEPT
I can access 192.168.1.x IPs, but only if the VPN is down.
I hope that with this information, it is much clearer.
Thanks in advance!
Yop
Yop59 DD-WRT Novice Joined: 30 Nov 2014 Posts: 12
Posted: Sat Dec 13, 2014 17:43 Post subject:
Okay, so I remove everything that is in "Services / VPN / OpenVPN Client" and create a script that manages the entire VPN configuration in "Administration / Commands".
Is that right?
Thank you very much eibgrad
Yop59 DD-WRT Novice Joined: 30 Nov 2014 Posts: 12
Posted: Sun Dec 14, 2014 23:27 Post subject:
Hi eibgrad,
The command "ip rule list" returns nothing. I upgraded the firmware and nothing changed.
If I read the script "/tmp/openvpncl/route-up.sh", it is "table 10" that is used.
So, if it's the right table:
ip route show table 10
-> default via 10.181.1.5 dev tun1
Thanks eibgrad
Yop59 DD-WRT Novice Joined: 30 Nov 2014 Posts: 12
Posted: Mon Dec 15, 2014 1:55 Post subject:
eibgrad! It works!!!!
I used your method, creating two scripts (route-up.sh and route-down.sh) on the JFFS partition, and I use the command line with "openvpn" and its parameters.
I'll try to put it all in one script and not use the JFFS partition.
I'll post it all here probably tomorrow.
Thank you so much eibgrad!!!!
Yop59 DD-WRT Novice Joined: 30 Nov 2014 Posts: 12
Posted: Mon Dec 15, 2014 17:00 Post subject:
Argh! In fact, it does not really work....
In /jffs/route-up.sh, I put:
Code:
#!/bin/sh
# refresh the NAT rule for the tunnel (delete first so reconnects do not stack duplicates)
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
# same delete-then-insert pattern for the filter rules
iptables -D INPUT -i tun1 -j ACCEPT
iptables -D FORWARD -i tun1 -j ACCEPT
iptables -D FORWARD -o tun1 -j ACCEPT
iptables -I INPUT -i tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -j ACCEPT
iptables -I FORWARD -o tun1 -j ACCEPT
# copy main routing table to alternate (ignore default gateway)
ip route flush table 10
ip route show table main | grep -Ev '^default' \
| while read -r route; do
    ip route add $route table 10
done
# specify vpn as default gateway ($route_vpn_gateway and $dev are set by OpenVPN for route-up scripts)
ip route add default via $route_vpn_gateway dev $dev table 10
# now add your source IP(s)
ip rule add from 192.168.0.10 table 10
ip route flush cache
And now, all IPs (192.168.0.x) pass through the VPN, as if there were no rule, when only 192.168.0.10 should be using the VPN.
Any idea? Did I make a mistake? :/
PS: For your information, I have deleted everything that was in "Policy based Routing".
Yop59 DD-WRT Novice Joined: 30 Nov 2014 Posts: 12
Posted: Tue Dec 16, 2014 2:54 Post subject:
Wow, it works very well! I have made several tests, and no errors.
My "little" startup script (for those who have the same problem as me):
Code:
# stop the OpenVPN client started by the DD-WRT GUI
/usr/bin/killall openvpn
# append the bypass route to the generated route-up script: the modem subnet leaves via the WAN interface even when the VPN is up (single quotes, so $(nvram get wan_iface) is expanded when route-up.sh runs)
echo 'ip route add 192.168.1.0/24 dev $(nvram get wan_iface) table 10' >>/tmp/openvpncl/route-up.sh
# restart OpenVPN with the patched route-up script and the stock route-down script
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon
eibgrad, thank you very much for taking the time to help me.
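The policy-routing setup worked out in this thread (table 10 for 192.168.0.10, an explicit route so the modem subnet leaves via the WAN even with the tunnel up, and the kill-switch DROP with its ACCEPT exception above it), as an added example that is not a script from the thread or from DD-WRT. Function and variable names and the `apply` argument are placeholders chosen here; `route_vpn_gateway` and `dev` are the variables OpenVPN exports to --route-up scripts, and `wan_iface` is the nvram key used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread; names are placeholders chosen here.
# $route_vpn_gateway and $dev are set by OpenVPN; wan_iface is the nvram key used above.
VPN_CLIENTS="192.168.0.10"   # LAN hosts that must leave through the tunnel
MODEM_NET="192.168.1.0/24"   # subnet that must bypass the tunnel
TABLE=10                     # the table DD-WRT's own route-up.sh uses
DRY_RUN=${DRY_RUN:-1}        # 1 = print the commands, 0 = execute them
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Copy every non-default route of `ip route show table main` (read on stdin)
# into TABLE, so the clients still reach the LAN and the WAN link itself.
copy_main_routes() {
    grep -Ev '^default' | while read -r route; do
        run ip route add $route table "$TABLE"
    done
}

# Rebuild TABLE and point the clients at it.
# $1 = VPN gateway, $2 = tunnel device, $3 = WAN device; main routes on stdin
policy_route_up() {
    run ip route flush table "$TABLE"
    copy_main_routes
    run ip route add default via "$1" dev "$2" table "$TABLE"
    # explicit bypass: the modem subnet leaves via the WAN even with the VPN up
    run ip route replace "$MODEM_NET" dev "$3" table "$TABLE"
    for c in $VPN_CLIENTS; do
        # drop a stale copy first: `ip rule add` stacks duplicates on every reconnect
        run ip rule del from "$c" table "$TABLE" 2>/dev/null || true
        run ip rule add from "$c" table "$TABLE"
    done
    run ip route flush cache
}

# Kill switch: the clients may reach the modem subnet via the WAN and nothing
# else. $1 = LAN bridge, $2 = WAN device. Inserting DROP first and ACCEPT
# second leaves ACCEPT above DROP, so the exception is evaluated first.
kill_switch() {
    for c in $VPN_CLIENTS; do
        run iptables -D FORWARD -i "$1" -s "$c" -o "$2" -d "$MODEM_NET" -j ACCEPT 2>/dev/null || true
        run iptables -D FORWARD -i "$1" -s "$c" -o "$2" -j DROP 2>/dev/null || true
        run iptables -I FORWARD -i "$1" -s "$c" -o "$2" -j DROP
        run iptables -I FORWARD -i "$1" -s "$c" -o "$2" -d "$MODEM_NET" -j ACCEPT
    done
}
# From OpenVPN: --route-up "/jffs/vpn-policy.sh apply" (the path is a placeholder)
if [ "${1:-}" = apply ]; then
    WAN=$(nvram get wan_iface)
    ip route show table main | policy_route_up "$route_vpn_gateway" "$dev" "$WAN"
    kill_switch br0 "$WAN"
fi
```

Without DRY_RUN=0 and the `apply` argument it only prints the commands it would run, which is the safest way to review the resulting table 10 and FORWARD rules before letting OpenVPN call it.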