Posted: Sun Jul 10, 2011 5:28 Post subject: DDWRT OpenVPN client... selective local clients routing
Hello everyone!....
Today I would like to ask for some greatly appreciated help on how to do the following setup.
First of all, I would like to note that my technical knowledge is very limited. I always do my best to figure out most of the crazy stuff I'm trying to do... but at this time, I realize this goes way out of my skills and network understanding.
Well, I have a VPN provider that works with the OpenVPN protocol, and this service provides me with several benefits while surfing the web. I'm used to connecting to my VPN server using a software client on my PC... but the other day I was playing with the DD-WRT GUI and found that this awesome firmware has a built-in VPN client! I was completely curious about it, so I started playing around with this feature... don't ask me how I did it, but I finally got it to work using my certificates and keys... and... and stuff I don't even know how actually works.
The point is my router connects to the VPN server, and it re-routes ALL my Internet traffic through this OpenVPN connection. It's GREAT!!!... all my local clients, including the wifi ones (like my iPad), use the same VPN connection!!!
Now, here's the tricky part!.. and I'm pretty excited to learn a lot out of this setup. I don't even know if it's possible, but well... what I want to do is tell my router to route all the Internet traffic of one given, specific, local client through the OpenVPN connection... but not the other clients!!... I want some local clients to access the Internet through my ISP's nasty network, and other clients to use the OpenVPN link to the Internet.
Do you guys know if this is possible?... can I specify which client goes through the OpenVPN connection and which client goes through the 'regular' Internet connection based on the MAC address of this given client?.. or maybe there are even better ways to manage this special routing idea?
I promise I won't stop searching... I just need a little help to point me in the right direction.
Ok, I have the same hardware, WZR-HP-G300HN from Buffalo, and currently DD-WRT v24-sp2 (06/14/11) std (SVN revision 17201).
I am having this issue where ALL traffic goes through the VPN. Great, it connects, it works. What I want done now is to not route all traffic when the VPN is up. Only a specific IP.
I have been scouring the web/forums on Policy Based Routing where it says just add info in the field - 192.168.1.142/24 and that's it. Well, not only does it break that machine's connectivity completely, but all the other machines are still routing traffic over the VPN. Am I missing some firewall/other option I am supposed to be doing?
And I find this in /var/log/openvpncl, which leads me to believe this is the cause for ALL traffic tossed through the VPN:
Fri Aug 5 10:13:14 2011 us=591098 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,explicit-exit-notify 5,rcvbuf 262144,route-gateway 10.11.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.11.0.199 255.255.0.0'
Also saw this, so does this mean in build 17201 Policy Based Routing is not functioning as it should? Which is what it seems, and I'm chasing my tail.
http://svn.dd-wrt.com/ticket/2151
Posted: Sat Aug 06, 2011 20:28 Post subject: Open VPN selective routing
I think the best way to do this is to create a virtual AP with a different SSID and configure OpenVPN to route all traffic of a specific AP (SSID) over the VPN tunnel. Access to this virtual AP can be controlled by using any of the supported wireless encryption protocols.
I am currently trying to do this and it is still a work in progress. If anyone makes progress, please share.
Well, I came to the conclusion that the Policy Based Routing option under OpenVPN generates improper scripts and just breaks all my stuff lol. So I found some other methods to achieve my goal, and it was just as simple for the most part.
I added this to Additional Config:
Code:
route-nopull
and then this to my firewall:
Code:
ip route add default dev tun1 table 200
ip rule add from 192.168.1.104 table 200
The IP rule line can be changed to your IP addresses as you see fit (pretty sure you could add ranges/all/singles as multiple lines). But yeah, I now have all my traffic going out the normal ISP and then my chosen system routing over VPN for streaming access abroad!
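The route/rule pair above, wrapped in a small POSIX sh script for the router's firewall script, as an added example that is not from any poster in this thread. It assumes tun1 and table 200 as in the post and that route-nopull is still set in Additional Config; it rejects entries carrying a prefix (like the /24 that broke things earlier in the thread), because ip rule masks such an entry and matches the whole subnet, and DRY_RUN=1 prints the commands instead of running them.

```sh
#!/bin/sh
# Added example, not from the thread. Policy routing for selected LAN hosts:
# traffic from each listed host uses the default route in table 200 (the
# OpenVPN tunnel), everything else keeps the normal ISP route.
VPN_IF="${VPN_IF:-tun1}"     # OpenVPN client interface, as in the post
TABLE="${TABLE:-200}"        # routing table number, as in the post
DRY_RUN="${DRY_RUN:-1}"      # 1 = only print the commands, 0 = run them

# Accept only a plain IPv4 host address. "192.168.1.142/24" would be masked
# by ip rule to 192.168.1.0/24 and send the whole LAN through the tunnel.
valid_host_ip() {
    case "$1" in
        */*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                # split into octets (replaces the function args)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Emit the route and one rule per host. "replace" instead of "add" keeps the
# script idempotent when the firewall script is re-run after a reconnect.
pbr_commands() {
    run ip route replace default dev "$VPN_IF" table "$TABLE"
    for host in "$@"; do
        if valid_host_ip "$host"; then
            run ip rule add from "$host" table "$TABLE"
        else
            echo "skipping '$host': expected a single IPv4 host, not a prefix" >&2
        fi
    done
    run ip route flush cache
}

# Usage on the router: DRY_RUN=0 pbr_commands 192.168.1.104 192.168.1.110
```

Run it once with the default DRY_RUN=1 and compare the printed lines with the post's two commands before setting DRY_RUN=0 in the firewall script.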
Instead of selectively tunneling clients through OpenVPN, may I know how to tunnel certain ports through the OpenVPN? For example, uTorrent's port tunneled through OpenVPN but port 80 for web surfing through the direct connection to the ISP?
After this I enter the IP in the form of 192.168.1.2/32 in the Policy Based Routing text field and this EXCLUDES that particular IP (ending in .2) from using the VPN. ALL other devices still use the VPN.
If you want to exclude more just add them on different lines like this:
192.168.1.2/32
192.168.1.3/32
There is an issue if you include the router IP address in the EXCLUDED addresses above - you will lose access to the router from the local network, but you will be able to access it from outside if you have that set up. Please note that you will not be able to use the router as a DNS, so set your DHCP accordingly. As a workaround, you will be able to access the web from the internal network for a couple of minutes after restart since the VPN will not be up yet. This way you can revert any wrongly set policies.
Note that if you want to set up a VPN SERVER on your router, you will have to exclude the router IP in order for the connections to work, because by default the router responds over the VPN IP and thus it cannot work as a VPN server.
You will want to set up a VPN server if you'd like to connect to your router and use its already set up VPN connection to access restricted sites for times when you're out and about away from home. Some examples - I can VPN to my home router from my phone and use services restricted by US location using my home connection without paying the VPN provider additional taxes for multiple devices.
Another use - if you're in a place that has a fast connection to the local country but a slow international one, you could VPN to your home and use the fast international connection for the international VPN.
Hope this helps. If you have any questions on the setup or the examples, let me know so I can help.
Anyone ever figure this out?... That last reply wasn't a direct answer to how to forward specific ports directly from the ISP's IP and/or go out the ISP's IP for specific internal IPs/ports.
@irishtr and @lolcatz ...
YES! Exactly what I want to do!...
Now, when you say 'exclude the router IP'... you mean its regular public ISP IP?