DDWRT OpenVPN client... selective local clients routing

lolcatz
DD-WRT Novice


Joined: 18 Nov 2009
Posts: 14

Posted: Sun Jul 10, 2011 5:28    Post subject: DDWRT OpenVPN client... selective local clients routing
Hello everyone!....

Today I would like to ask for some greatly appreciated help on how to do the following setup.

First of all, I would like to note that my technical knowledge is very limited. I always do my best to figure out most of the crazy stuff I'm trying to do.. but at this time, I realize this goes way out of my skills and network understanding.

Well, I have a VPN provider that works with the OpenVPN protocol, and this service provides me with several benefits while surfing the web. I'm used to connecting to my VPN server using a software client on my PC... but the other day I was playing with the DDWRT GUI and found that this awesome firmware has a built-in VPN client! I was completely curious about it, so I started playing around with this feature... don't ask me how I did it, but I finally got it to work using my certificates and keys... and... and stuff I don't even know how actually works.

The point is my router connects to the VPN server, and it re-routes ALL my Internet traffic through this OpenVPN connection. It's GREAT!!!... all my local clients, including the wifi ones (like my iPad) use the same VPN connection!!!

Now, here's the tricky part!.. and I'm pretty excited to learn a lot out of this setup. I don't even know if it's possible, but well... what I want to do is tell my router to route all the Internet traffic of one given, specific, local client through the OpenVPN connection... but not the other clients!!... I want some local clients to access the Internet through my ISP's nasty internet network, and other clients to use the OpenVPN link to the internet.

Do you guys know if this is possible?... Can I specify which client goes through the OpenVPN connection and which client goes through the 'regular' Internet connection based on the MAC address of this given client?.. or maybe there are even better ways to manage this special routing idea?

I promise I won't stop searching... I just need a little help to point me in the right direction.

My Router: Buffalo WZR-HP-G300NH
Firmware: DD-WRT v24SP2-EU-US (08/19/10) std
(SVN revision 14998)

Thank you very much in advance!
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Sun Jul 10, 2011 9:34
It's possible in newer builds.
Upgrade 1st.

lolcatz
DD-WRT Novice


Joined: 18 Nov 2009
Posts: 14

Posted: Mon Jul 11, 2011 4:56
Seems like my router is not getting any of the newer builds... I have installed the latest build available for my router :(
jedufa
DD-WRT Novice


Joined: 18 Jul 2011
Posts: 1

Posted: Mon Jul 18, 2011 19:01    Post subject: Can you post the procedure you have used?
Hi! Great that it worked for you! I was searching to do the exact same thing with my WRT610n but did not know if it would work.

Do you remember enough to post the procedure you have used to get your client working?

Thanks in advance!!

JF
irishtr
DD-WRT Novice


Joined: 06 Jan 2011
Posts: 20

Posted: Fri Aug 05, 2011 0:35
Sash wrote:
It's possible in newer builds.
Upgrade 1st.


OK, I have the same hardware, WZR-HP-G300NH from Buffalo, and currently DD-WRT v24-sp2 (06/14/11) std (SVN revision 17201).

I am having this issue where ALL traffic goes through the VPN. Great, it connects, it works. What I want done now is to not route all traffic when the VPN is up. Only a specific IP.

I have been scouring the web/forums on Policy Based Routing where it says just add info in the field - 192.168.1.142/24 and that's it. Well, not only does it break that machine's connectivity completely, but all the other machines are still routing traffic over the VPN. Am I missing some firewall/other option I am supposed to be doing?

And I find this in /var/log/openvpncl, which leads me to believe this is the cause for ALL traffic being tossed through the VPN:

Fri Aug 5 10:13:14 2011 us=591098 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,explicit-exit-notify 5,rcvbuf 262144,route-gateway 10.11.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.11.0.199 255.255.0.0'

Also saw this so does this mean in build 17201 Policy Based Routing is not functioning as it should? Which is what it seems and I'm chasing my tail.
http://svn.dd-wrt.com/ticket/2151
hsibai
DD-WRT Novice


Joined: 06 Aug 2011
Posts: 1

Posted: Sat Aug 06, 2011 20:28    Post subject: Open VPN selective routing
I think the best way to do this is to create a virtual AP with a different SSID and configure OpenVPN to route all traffic of a specific AP (SSID) over the VPN tunnel. Access to this virtual AP can be controlled by using any of the supported wireless encryption protocols.

I am currently trying to do this and it is still a work in progress. If anyone makes progress, please share.

cheers.
irishtr
DD-WRT Novice


Joined: 06 Jan 2011
Posts: 20

Posted: Sun Aug 07, 2011 3:10
Well, I came to the conclusion that the Policy Based Routing option under OpenVPN generates improper scripts and just breaks all my stuff lol. So I found some other methods to achieve my goal and it was just as simple for the most part.

I added this to Additional Config
Code:
route-nopull


and then this to my firewall
Code:

ip route add default dev tun1 table 200
ip rule add from 192.168.1.104 table 200

The IP rule line can be changed to your IP addresses as you see fit (pretty sure you could add ranges/all/singles as multiple lines). But ya, I now have all my traffic going out the normal ISP and then my chosen system routing over VPN for streaming access abroad!
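
The source-based rule from the post above, extended as an added example (not irishtr's script or DD-WRT's own code): it adds a fail-closed `prohibit` route so a selected client does not fall back to the ISP path when the tunnel route disappears. `tun1` and table 200 come from the post; the `DRY_RUN` switch, the metrics and an `ip` binary that supports `prohibit` routes are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. tun1 and table 200 follow the post;
# DRY_RUN and the fallback route are additions made for this illustration.
TUN_DEV="${TUN_DEV:-tun1}"
VPN_TABLE="${VPN_TABLE:-200}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vpn_policy_apply IP...  routes only the listed LAN clients via the tunnel.
vpn_policy_apply() {
    # Default route of the VPN table points into the tunnel.
    run ip route replace default dev "$TUN_DEV" table "$VPN_TABLE" metric 10
    # Fallback with a higher metric: if the tunnel device goes away the
    # kernel drops the route above, and without this entry the lookup would
    # continue in the main table and the client would exit via the ISP.
    run ip route replace prohibit default table "$VPN_TABLE" metric 100
    for client in "$@"; do
        # Accept only plain dotted-quad host addresses.
        case "$client" in
            ""|*[!0-9.]*) echo "skip invalid client: $client" >&2; continue ;;
        esac
        # Remove a stale copy first so reruns do not stack duplicate rules.
        run ip rule del from "$client" table "$VPN_TABLE" 2>/dev/null || true
        run ip rule add from "$client" table "$VPN_TABLE"
    done
    run ip route flush cache
}

# Stand-alone use: DRY_RUN=1 sh script.sh 192.168.1.104
if [ "$#" -gt 0 ]; then
    vpn_policy_apply "$@"
fi
```

With `route-nopull` in place the main table keeps the ISP default route, so only addresses that have a rule pointing at table 200 are affected by the `prohibit` entry.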
ken-ywk
DD-WRT Novice


Joined: 08 Apr 2010
Posts: 35

Posted: Tue Aug 09, 2011 12:00
Instead of selective client tunnel through OpenVPN, may I know how to tunnel a certain port through the OpenVPN? For example, uTorrent's port tunnel through OpenVPN but port 80 for web surfing through direct connection to ISP?
pamplemousse
DD-WRT Novice


Joined: 05 Jan 2012
Posts: 3

Posted: Thu Jan 05, 2012 19:59
Same question as ken-ywk
stoinov
DD-WRT Novice


Joined: 20 Aug 2012
Posts: 6

Posted: Mon Aug 20, 2012 9:55
@irishtr and @lolcatz I was trying to accomplish the same as you and here is how I managed:
First update your device with this build - ftp://dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2012/03-19-12-r18777/
It's the latest one that has a bug-free OpenVPN client.

After this I set up my VPN as per the provider (I use https://www.astrill.com/knowledge-base/80/OpenVPN---How-to-configure-OpenVPN-on-DD-WRT-firmware-routers.html) and all my traffic was routed through the VPN which I checked by going to http://whatismyipaddress.com/

After this I enter the IP in the form of 192.168.1.2/32 in the Policy Based Routing text field and this EXCLUDES that particular IP (ending in .2) from using the VPN. ALL other devices still use the VPN.
If you want to exclude more just add them on different lines like this:
192.168.1.2/32
192.168.1.3/32

There is an issue if you include the router IP address in the EXCLUDED addresses above - you will lose access to the router from the local network but you will be able to access it from outside if you have that set up. Please note that you will not be able to use the router as a DNS so set your DHCP accordingly. As a workaround, you will be able to access the web from the internal network for a couple of minutes after restart since the VPN will not be up yet. This way you can revert any wrongly set Policies.
Note that if you want to setup VPN SERVER on your router, you will have to exclude the router IP in order for the connections to work because by default, the router responds over the VPN IP and thus it cannot work as a VPN server.

You will want to set up a VPN server if you'd like to connect to your router and use its already set up VPN connection to access restricted sites for times when you're out and about of your home. Some examples - I can VPN to my home router from my phone and use restricted by US location services using my home connection without paying to the VPN provider additional taxes for multiple devices.
Another use - if you're in a place that has a fast connection to the local country, but slow international, you could VPN to your home and use the fast international connection for the international VPN.

Hope this helps. If you have any question on setup or the examples, let me know so I can help.
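
The caveat above about including the router's own address can be checked before the field is saved. This added example (not stoinov's or DD-WRT's code) classifies each Policy Based Routing entry by whether it covers the router or more than one host; the router LAN address 192.168.1.1 in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check Policy Based Routing
# entries. The router address and sample entries are constructed.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_policy_entry ROUTER_IP ENTRY
# Prints one of: covers-router, multi-host, ok
check_policy_entry() {
    router=$1
    addr=${2%/*}
    bits=${2#*/}
    # An entry without "/n" is treated as a single host.
    if [ "$bits" = "$2" ]; then bits=32; fi
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    net=$(( $(ip_to_int "$addr") & mask ))
    if [ $(( $(ip_to_int "$router") & mask )) -eq "$net" ]; then
        # The router itself falls inside this entry (the lockout case).
        echo covers-router
    elif [ "$bits" -lt 32 ]; then
        # Prefix shorter than /32: more than one client is affected.
        echo multi-host
    else
        echo ok
    fi
}

# check_policy_list ROUTER_IP ENTRY...  prints one "entry: verdict" line each.
check_policy_list() {
    router_ip=$1; shift
    for entry in "$@"; do
        echo "$entry: $(check_policy_entry "$router_ip" "$entry")"
    done
}

# Stand-alone use: sh script.sh 192.168.1.1 192.168.1.2/32 192.168.1.3/32
if [ "$#" -gt 1 ]; then
    check_policy_list "$@"
fi
```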
beaudamore
DD-WRT Novice


Joined: 20 Jan 2014
Posts: 24

Posted: Thu Apr 10, 2014 1:32
Anyone ever figure this out?... that last reply wasn't a direct answer to how to forward specific ports directly from the ISP's IP and/or go out the ISP's IP for specific internal ip/ports
beaudamore
DD-WRT Novice


Joined: 20 Jan 2014
Posts: 24

Posted: Mon Apr 14, 2014 18:49
stoinov wrote:
@irishtr and @lolcatz ...
Note that if you want to setup VPN SERVER on your router, you will have to exclude the router IP in order for the connections to work because by default, the router responds over the VPN IP and thus it cannot work as a VPN server.

You will want to set up a VPN server if you'd like to connect to your router and use its already set up VPN connection to access restricted sites for times when you're out and about of your home. Some examples - I can VPN to my home router from my phone and use restricted by US location services using my home connection without paying to the VPN provider additional taxes for multiple devices.
Another use - if you're in a place that has a fast connection to the local country, but slow international, you could VPN to your home and use the fast international connection for the international VPN.

Hope this helps. If you have any question on setup or the examples, let me know so I can help.


YES!, exactly what I want to do!...

Now, when you say 'exclude the router IP'... you meant its regular public ISP IP?
All times are GMT