All devices I want on the VPN are assigned static IPs >127
The policy based routing mask is 192.168.1.128/25
In this way I get the .50 off the VPN, and I still can place my network guests on the VPN by assigning them a static IP > .127 or I can just change the DHCP range to start at .128.
Voilá!
Now for the 2nd part, REJECT does work better for me. Is this what I need now?
Code:
iptables -I FORWARD ! -s 192.168.1.1/25 -o $(nvram get wan_iface) -m state --state NEW -j --reject-with icmp-host-prohibited
iptables -I FORWARD -p tcp ! -s 192.168.1.1/25 -o $(nvram get wan_iface) -m state --state NEW -j REJECT --reject-with tcp-reset
Thanks again!
eibgrad wrote:
The proper way to control what does and doesn’t use the VPN is via the policy based routing field of the GUI. As soon as you specify at least one IP, that stops the VPN server from changing the default gateway to the VPN. And now only those IP’s listed will use the VPN.
Now granted, in this case, since all but one IP will use the WAN, it may seem a bit of a hassle. But you can cut down the IP list considerably by using an “ip range to CIDR calculator”.
As far as blocking these same IPs from the WAN, I would reference the WAN specifically instead of NOT’ing the tunnel (are you even sure that’s the tunnel name, tun1?):
Code:
iptables -I FORWARD ! -s 192.168.1.50 -o $(nvram get wan_iface) -m state --state NEW -j --reject-with icmp-host-prohibited
iptables -I FORWARD -p tcp ! -s 192.168.1.50 -o $(nvram get wan_iface) -m state --state NEW -j REJECT --reject-with tcp-reset
Notice I’m checking the state of the connection for “NEW” as well. By checking for NEW, we’re preventing those devices from initiating outbound connections, but not preventing them from being accessed remotely and sending replies through the WAN (at least when the VPN is down). But if you want to prevent remote access as well, you could remove state from those rules.
I also use REJECT since it’s a bit friendlier than DROP. DROP doesn’t respond and requires the client to timeout, which can be annoying for users. In contrast, REJECT causes the client to quit IMMEDIATELY.
sorry, I am confused. I don't need to set policy based routing anymore and just apply the revised rules to the firewall?
Or do I apply the rules in conjunction with policy based routing?
eibgrad wrote:
Since your VPN list is based on a single line CIDR, you could just as easily specify that in your firewall rules (rather than the negation of everything else):
Code:
iptables -I FORWARD -s 192.168.1.128/25 -o $(nvram get wan_iface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -p tcp -s 192.168.1.128/25 -o $(nvram get wan_iface) -m state --state NEW -j REJECT --reject-with tcp-reset
IOW, anyone using the VPN is not allowed to use the WAN. Everyone else can use the WAN.
Note, I had a syntax error in my original rules. I left off the REJECT target in the first rule, which I've since corrected above and here.
The only way I can see OpenVPN being blocked across the board, irrespective of port, is if the OpenVPN connection was under traffic analysis by the ISP, and perhaps then it might provide some hints that it was an OpenVPN connection. Is that what we're talking about here?
Exactly this! regardless which VPN provider / ports I use, the openvpn status shows connected successfully however I never get internet and when try to ping any website...always very high packet loss..
eibgrad wrote:
So something doesn't seem quite right here about your analysis of the situation.
wotking with smartydns and nordvpn techincal teams they confirmed to me the same .. my ISP blocking the openvpn connection..
The only way I can see OpenVPN being blocked across the board, irrespective of port, is if the OpenVPN connection was under traffic analysis by the ISP, and perhaps then it might provide some hints that it was an OpenVPN connection. Is that what we're talking about here?
Exactly this! regardless which VPN provider / ports I use, the openvpn status shows connected successfully however I never get internet and when try to ping any website...always very high packet loss..
eibgrad wrote:
So something doesn't seem quite right here about your analysis of the situation.
working with smartydns and nordvpn techincal teams they confirmed to me the same .. my ISP blocking the openvpn connection..
This my post regarding the same issue...you can check all trials we did together..
Thanks a million for the efforts. I have managed to get the script installed. however, for the IP addresses/destinations specified in the script they are no longer having internet access... other devices connected successfully through the PPTP.. below my script
EDIT: code removed.
Last edited by ta2ta2 on Sat Jun 09, 2018 17:57; edited 1 time in total
Apologies for pasting the code. Excuse my limited knowledge... I checked and there is no kill switch, in fact I have the firewall disabled..
I have also checked the logs you mentioned earlier, nothing is there..just empty?
when I ran the watch command, this what i got
Code:
default via 10.**.**.** dev ppp0 scope link
8.8.4.4 via 94.**.**.** dev vlan2
8.8.8.8 via 94.**.**.** dev vlan2
10.**.**.** dev ppp0 scope link
80.227.101.19 via 94.**.**.** dev vlan2 <-- 80.227... is the destination IP address
91.74.74.74 via 94.**.**.** dev vlan2
94.200.200.200 via 94.**.**.** dev vlan2
94.206.24.0/22 dev vlan2 scope link src 94.206.25.9
111.111.111.111 via 94.**.**.** dev vlan2
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 scope link src 169.254.255.1
192.168.1.0/24 dev br0 scope link src 192.168.1.1
199.115.116.83 via 94.**.**.** dev vlan2 src 94.206.25.9
222.222.222.0/24 via 94.**.**.** dev vlan2
default via 94.**.**.** dev vlan2
8.8.4.4 via 94.**.**.** dev vlan2
8.8.8.8 via 94.**.**.** dev vlan2
10.**.**.** dev ppp0 scope link
91.74.74.74 via 94.**.**.** dev vlan2
94.200.200.200 via 94.**.**.** dev vlan2
94.206.24.0/22 dev vlan2 scope link src 94.206.25.9
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 scope link src 169.254.255.1
192.168.1.0/24 dev br0 scope link src 192.168.1.1
199.115.116.83 via 94.**.**.** dev vlan2 src 94.206.25.9
0: from all lookup local
32763: from all iif br1 lookup 200
32764: from 192.168.1.91 lookup 200 <-- static IP address to be routed through WAN
32765: from 192.168.1.90 lookup 200 <-- static IP address to be routed through WAN
32766: from all lookup main
32767: from all lookup default