Posted: Tue Feb 17, 2015 2:38 Post subject: Is it possible to set openVPN to some, not all, LAN ports?
I have tried to search the forum and tutorials. I could not find any specific instruction because I don't even know how to frame my questions or queries.
Please be kind.
I have a Netgear R7000 running the latest Kong build 26285M. I use the Private Internet Access service. I want to set up the router so that only certain LAN ports/interfaces have VPN service, the others just regular internet service from my ISP. Can someone direct me to the right instruction?
Create a new network bridge called br_vpn in setup > Networking with its own ip/network/dhcp settings. Save and apply at each step.
Then go to Setup > VLANs. Change a port to a different VLAN, e.g. on port 2, click on the vlan3 row. Leave "assigned to bridge" as none. Save and apply. If doing wifi, create the virtual interface, e.g. wl0.1, and select bridged.
Go back to the Networking tab and assign vlan3 to br_vpn and save/apply, then do another assignment, wl0.1 to br_vpn. Now these interfaces should be working, and will get the DHCP assignment on the br_vpn network specified earlier. You might need to reboot if it's not working, although more likely it's a config error.
The next bit is a bit more complicated. You need to set the default route for the new network inside an "up" script in the OpenVPN conf file. Maybe you can specify it in the web interface options.
Code:
echo "up /tmp/tun.sh" >> /tmp/openvpncl.conf
And the script itself; put this in the startup section. Change the IP range to the one you made for br_vpn in the ip rule. The DNS DNAT command is to prevent DNS requests going to the router's dnsmasq client and out the regular connection.
Code:
echo '#!/bin/sh
# OpenVPN runs an up script as: tun.sh tun_dev tun_mtu link_mtu ifconfig_local ifconfig_remote
# so $1 is the tunnel device. The gateway is the peer address (route_vpn_gateway,
# or $5 under the default net30 topology), not $4, which is our own tunnel address.
iptables -t nat -I POSTROUTING -o $1 -j MASQUERADE
ip route replace default via ${route_vpn_gateway:-$5} dev $1 table 10
ip rule add from 172.16.1.0/24 iif br_vpn table 10
iptables -t nat -I PREROUTING -i br_vpn -p udp --dport 53 -j DNAT --to 8.8.8.8' > /tmp/tun.sh
chmod +x /tmp/tun.sh
Now it should be working after the VPN starts up and runs this script. You can do something similar for Tor if you do iptables redirects for udp:53 and tcp.
You can also divert specific domains and ip ranges through the vpn if you use the iptables mark command.
Thanks for the kind help. This is exactly what I want. It is complicated. I will take some time to study it and hopefully figure it out. If not, I will certainly come back, if you don't mind.
Some interesting suggestions here, but what hasn’t been determined so far is if this VPN provider is expecting you to use the GUI, or providing their own scripting. Because if it’s the latter (and that’s often the case), some of the assumptions in these suggestions won’t apply (e.g., the policy based routing field of the GUI, the existence and use of /tmp/openvpncl.conf).
If you’re using scripting from the VPN provider, you should just modify those scripts directly.
Great to see you chime in. Throughout the process of learning this, I have seen your name everywhere giving valuable input.
The VPN provider supplies the ovpn and a CA certificate with username and password authentication. I am not home and don't have it with me. The router is currently configured through the GUI and some startup and firewall scripts following an instruction on myopenrouter. I will post the details of the current config once I am home. I would appreciate some detailed instruction at that point. Thanks in advance.
This current configuration does not utilize "crl-verify crl.pem", but it still works.
The DNS servers were set on the first page under 'Setup/Basic Setup/DHCP' to prevent DNS leaks, and it is working.
Where should I go from here? Thanks. I guess I will have to set up a port-based VLAN. I am planning to use physical ports 3 and 4 for VPN within the same subnet, and ports 1 and 2 going through the ISP under another subnet.
I have finally successfully created a bridge, br1, in addition to the original br0.
br0: vlan1 (port 1&2, 192.168.1.1/255.255.255.0) LAN
vlan2: WAN
br1: (vlan3: port 3&4. 192.168.3.1/255.255.255.0) none
wireless is assigned to "LAN"
I want the br0 to go through vpn, br1 to go through ISP directly.
Right now I have nothing in the Startup and Firewall commands. Both br0 and br1 go through the VPN. Here is the routing table. It is the default without me doing anything to it.
Code:
root@DD-WRT:~# ip route list
0.0.0.0/1 via 10.104.1.13 dev tun1
default via 192.168.2.1 dev vlan2
10.104.1.1 via 10.104.1.13 dev tun1
10.104.1.13 dev tun1 proto kernel scope link src 10.104.1.14
104.207.136.25 via 192.168.2.1 dev vlan2
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.104.1.13 dev tun1
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev vlan2 proto kernel scope link src 192.168.2.12
192.168.3.0/24 dev br1 proto kernel scope link src 192.168.3.1