Is it possible to set openVPN to some, not all, LAN ports?

DD-WRT Forum Index -> Broadcom SoC based Hardware
tigs
DD-WRT User


Joined: 25 Sep 2011
Posts: 84

Posted: Tue Feb 17, 2015 2:38    Post subject: Is it possible to set openVPN to some, not all, LAN ports?
I have tried to search the forum and tutorials. I could not find any specific instructions because I don't even know how to frame my questions or queries.

Please be kind.

I have a Netgear R7000 running the latest Kong build 26285M. I use the Private Internet Access service. I want to set up the router so that only certain LAN ports/interfaces have VPN service, and the others just regular internet service from my ISP. Can someone direct me to the right instructions?

Thanks
aventus
DD-WRT User


Joined: 02 May 2014
Posts: 61

Posted: Tue Feb 17, 2015 11:28
You can use policy-based routing.

OpenVPN client on the GUI, under Additional Config.

Add there the IP address of your device (which should use the VPN), save, apply & reboot.

All other devices use your ISP.
haggismn
DD-WRT User


Joined: 08 Dec 2011
Posts: 78

Posted: Tue Feb 17, 2015 12:55
Create a new network bridge called br_vpn in Setup > Networking with its own IP/network/DHCP settings. Save and apply at each step.

Then go to Setup > VLANs. Change a port to a different VLAN, e.g. on port 2, click on the vlan3 row. Leave "assigned to bridge" as none. Save and apply. If doing wifi, create the virtual interface, e.g. wl0.1, and select bridged.

Go back to the Networking tab and assign vlan3 to br_vpn and save/apply, then do another assignment, wl0.1 to br_vpn. Now these interfaces should be working, and will get the DHCP assignment on the br_vpn network specified earlier. You might need to reboot if it's not working, although more likely it's a config error.

The next bit is a bit more complicated. You need to set the default route for the new network inside an "up" script in the OpenVPN conf file. Maybe you can specify it in the web interface options.

Code:
# script-security 2 is required before OpenVPN will run a user-supplied up script
echo "script-security 2" >> /tmp/openvpncl.conf
echo "up /tmp/tun.sh" >> /tmp/openvpncl.conf


And the script itself; put this in the Startup section. Change the IP range to the one you made for br_vpn in the ip rule. The DNS DNAT command is to prevent DNS requests going to the router's dnsmasq and out the regular connection.

Code:
echo '#!/bin/sh
# OpenVPN up-script arguments: $1 = tun device, $2 = tun MTU, $3 = link MTU,
# $4 = local tun IP, $5 = remote (peer) tun IP; the default route must go via the peer ($5)
iptables -t nat -I POSTROUTING -o $1 -j MASQUERADE
ip route replace default via $5 dev $1 table 10
ip rule add from 172.16.1.0/24 dev br_vpn table 10
iptables -t nat -I PREROUTING -i br_vpn -p udp --dport 53 -j DNAT --to 8.8.8.8' > /tmp/tun.sh
chmod +x /tmp/tun.sh


Now it should be working after the VPN starts up and runs this script. You can do something similar for Tor if you do iptables redirects for udp:53 and tcp.

You can also divert specific domains and IP ranges through the VPN if you use the iptables mark command.
tigs
DD-WRT User


Joined: 25 Sep 2011
Posts: 84

Posted: Tue Feb 17, 2015 13:56
aventus wrote:
You can use policy-based routing.

OpenVPN client on the GUI, under Additional Config.

Add there the IP address of your device (which should use the VPN), save, apply & reboot.

All other devices use your ISP.


thanks for the pointer. I think the solution below is what I wanted for my scenario.

Appreciated the help.
tigs
DD-WRT User


Joined: 25 Sep 2011
Posts: 84

Posted: Tue Feb 17, 2015 13:59
haggismn wrote:
Create a new network bridge called br_vpn in Setup > Networking with its own IP/network/DHCP settings. Save and apply at each step.

Then go to Setup > VLANs. Change a port to a different VLAN, e.g. on port 2, click on the vlan3 row. Leave "assigned to bridge" as none. Save and apply. If doing wifi, create the virtual interface, e.g. wl0.1, and select bridged.

Go back to the Networking tab and assign vlan3 to br_vpn and save/apply, then do another assignment, wl0.1 to br_vpn. Now these interfaces should be working, and will get the DHCP assignment on the br_vpn network specified earlier. You might need to reboot if it's not working, although more likely it's a config error.

The next bit is a bit more complicated. You need to set the default route for the new network inside an "up" script in the OpenVPN conf file. Maybe you can specify it in the web interface options.

Code:
# script-security 2 is required before OpenVPN will run a user-supplied up script
echo "script-security 2" >> /tmp/openvpncl.conf
echo "up /tmp/tun.sh" >> /tmp/openvpncl.conf


And the script itself; put this in the Startup section. Change the IP range to the one you made for br_vpn in the ip rule. The DNS DNAT command is to prevent DNS requests going to the router's dnsmasq and out the regular connection.

Code:
echo '#!/bin/sh
# OpenVPN up-script arguments: $1 = tun device, $2 = tun MTU, $3 = link MTU,
# $4 = local tun IP, $5 = remote (peer) tun IP; the default route must go via the peer ($5)
iptables -t nat -I POSTROUTING -o $1 -j MASQUERADE
ip route replace default via $5 dev $1 table 10
ip rule add from 172.16.1.0/24 dev br_vpn table 10
iptables -t nat -I PREROUTING -i br_vpn -p udp --dport 53 -j DNAT --to 8.8.8.8' > /tmp/tun.sh
chmod +x /tmp/tun.sh


Now it should be working after the VPN starts up and runs this script. You can do something similar for Tor if you do iptables redirects for udp:53 and tcp.

You can also divert specific domains and IP ranges through the VPN if you use the iptables mark command.


Thanks for the kind help. This is exactly what I want. It is complicated. I will take some time to study it and hopefully figure it out. If not, I will certainly come back, if you don't mind.

Really appreciated the help.
tigs
DD-WRT User


Joined: 25 Sep 2011
Posts: 84

Posted: Tue Feb 17, 2015 19:45
eibgrad wrote:
Some interesting suggestions here, but what hasn’t been determined so far is if this VPN provider is expecting you to use the GUI, or providing their own scripting. Because if it’s the latter (and that’s often the case), some of the assumptions in these suggestions won’t apply (e.g., the policy based routing field of the GUI, the existence and use of /tmp/openvpncl.conf).

If you’re using scripting from the VPN provider, you should just modify those scripts directly.


Great to see you chime in. Throughout the process of learning this, I have seen your name everywhere giving valuable input.

The VPN provider supplies the .ovpn and a CA certificate, with username and password authentication. I am not home and don't have it with me. The router is currently configured through the GUI and some startup and firewall scripts following an instruction on myopenrouter. I will post the details of the current config once I am home. I would appreciate some detailed instructions at that point. Thanks in advance.
tigs
DD-WRT User


Joined: 25 Sep 2011
Posts: 84

Posted: Tue Feb 17, 2015 21:41
Hi eibgrad and haggismn: here is the current setup. It works, just not separating the ports:

Original *.ovpn file

Code:
client
dev tun
proto udp
remote us-west.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem


Current config

Services/VPN/OpenVPN Client/Additional Config:
Code:
comp-lzo yes
auth-user-pass /tmp/password.txt
persist-key
persist-tun
tls-client
remote-cert-tls server


Administration/Commands/Startup:
Code:
# credentials file for auth-user-pass; /tmp is recreated on every boot
echo USERNAME > /tmp/password.txt
echo PASSWORD >> /tmp/password.txt
chmod 600 /tmp/password.txt   # keep the file readable by root only
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --comp-lzo yes --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon


Administration/Commands/FIREWALL:

Code:
iptables -N VPN
iptables -F VPN
iptables -I INPUT -i tun0 -j VPN
iptables -I FORWARD -i tun0 -j VPN
iptables -A VPN -i tun0 -o br0 -j ACCEPT
iptables -I POSTROUTING -t nat -o tun0 -j RETURN



This current configuration does not utilize "crl-verify crl.pem", but it still works.

The DNS servers were set on the first page under Setup/Basic Setup/DHCP to prevent DNS leaks, and it is working.

Where should I go from here? Thanks. I guess I will have to set up a port-based VLAN. I am planning to use physical ports 3 and 4 for the VPN within the same subnet, and ports 1 and 2 going through the ISP under another subnet.

thanks
tigs
DD-WRT User


Joined: 25 Sep 2011
Posts: 84

Posted: Thu Feb 19, 2015 13:37
I have finally successfully created a bridge, br1, in addition to the original br0.

br0: vlan1 (ports 1 & 2, 192.168.1.1/255.255.255.0) LAN
vlan2: WAN
br1: (vlan3: ports 3 & 4, 192.168.3.1/255.255.255.0) none
wireless is assigned to "LAN"

I want br0 to go through the VPN, and br1 to go through the ISP directly.
Right now I have nothing in the Startup and Firewall commands. Both br0 and br1 go through the VPN. Here is the routing table. It is the default without me doing anything to it.

Code:
root@DD-WRT:~# ip route list
0.0.0.0/1 via 10.104.1.13 dev tun1
default via 192.168.2.1 dev vlan2
10.104.1.1 via 10.104.1.13 dev tun1
10.104.1.13 dev tun1  proto kernel  scope link  src 10.104.1.14
104.207.136.25 via 192.168.2.1 dev vlan2
127.0.0.0/8 dev lo  scope link
128.0.0.0/1 via 10.104.1.13 dev tun1
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
192.168.2.0/24 dev vlan2  proto kernel  scope link  src 192.168.2.12
192.168.3.0/24 dev br1  proto kernel  scope link  src 192.168.3.1


Thanks a lot
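Pulling haggismn's bridge-plus-routing-table method and the `ip route list` output above together, here is an added example (written for this thread; it is not haggismn's, tigs's or DD-WRT's own code) that does both halves with policy routing: the VPN bridge's subnet is pinned to a table whose only default route is the tunnel, with a FORWARD drop so it cannot fall back to the ISP when the tunnel is down, and the other bridge's subnet is sent to a table holding only the ISP default route, so the 0.0.0.0/1 and 128.0.0.0/1 routes OpenVPN's redirect-gateway adds never apply to it. Table numbers 10 and 20, the DROP-based kill switch, the rule priorities, and 10.104.1.1 as the resolver reached through the tunnel are my assumptions, not anything stated in the thread; the embedded route table is a constructed copy of the one posted above so the script can be run in dry-run mode off the router.

```sh
#!/bin/sh
# Added example for this thread (not haggismn's, tigs's or DD-WRT's code):
# policy-based routing on a DD-WRT router so that one bridge's subnet can
# only leave through the OpenVPN tunnel (with a kill switch) while a second
# bridge's subnet bypasses the tunnel and goes straight to the ISP.
# Assumptions not stated in the thread: routing tables 10 and 20 are unused,
# iproute2/iptables are present, VPN_DNS is a resolver reachable through the
# tunnel, and the script runs from the OpenVPN route-up hook (or after the
# tunnel is up).  DRY_RUN=1 (the default) prints the commands instead of
# executing them, so the script can be inspected off the router.

VPN_SUBNET="${VPN_SUBNET:-192.168.1.0/24}"       # br0 in the layout posted above
BYPASS_SUBNET="${BYPASS_SUBNET:-192.168.3.0/24}" # br1 in the layout posted above
VPN_DNS="${VPN_DNS:-10.104.1.1}"                 # assumption: resolver inside the tunnel
VPN_TABLE=10
WAN_TABLE=20
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample input: a copy of the `ip route list` output posted above.
SAMPLE_ROUTES='0.0.0.0/1 via 10.104.1.13 dev tun1
default via 192.168.2.1 dev vlan2
10.104.1.1 via 10.104.1.13 dev tun1
10.104.1.13 dev tun1  proto kernel  scope link  src 10.104.1.14
104.207.136.25 via 192.168.2.1 dev vlan2
127.0.0.0/8 dev lo  scope link
128.0.0.0/1 via 10.104.1.13 dev tun1
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
192.168.2.0/24 dev vlan2  proto kernel  scope link  src 192.168.2.12
192.168.3.0/24 dev br1  proto kernel  scope link  src 192.168.3.1'

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# The ISP default route is the plain "default via" line; the 0.0.0.0/1 and
# 128.0.0.0/1 lines are what OpenVPN's redirect-gateway def1 adds on top of it.
wan_gateway() { printf '%s\n' "$1" | awk '$1=="default" && $2=="via" {print $3; exit}'; }
wan_device()  { printf '%s\n' "$1" | awk '$1=="default" && $4=="dev" {print $5; exit}'; }
tun_device()  { printf '%s\n' "$1" | awk '$1=="0.0.0.0/1" && $4=="dev" {print $5; exit}'; }

# Table WAN_TABLE holds only the ISP default route; a rule sends BYPASS_SUBNET
# there before the main table, so it never sees the tunnel's 0.0.0.0/1 routes.
setup_bypass() {
    gw="$1"; wan="$2"
    run ip route replace default via "$gw" dev "$wan" table "$WAN_TABLE"
    run ip rule del from "$BYPASS_SUBNET" table "$WAN_TABLE" 2>/dev/null || true
    run ip rule add from "$BYPASS_SUBNET" table "$WAN_TABLE" priority 100
    run iptables -t nat -I POSTROUTING -s "$BYPASS_SUBNET" -o "$wan" -j MASQUERADE
}

# Table VPN_TABLE has the tunnel as its only default route.  If the tunnel is
# down that route disappears and lookups fall through to the main table, so a
# FORWARD rule drops anything from VPN_SUBNET that is heading for the ISP.
setup_vpn() {
    tun="$1"; wan="$2"
    run ip route replace default dev "$tun" table "$VPN_TABLE"
    run ip rule del from "$VPN_SUBNET" table "$VPN_TABLE" 2>/dev/null || true
    run ip rule add from "$VPN_SUBNET" table "$VPN_TABLE" priority 110
    run iptables -t nat -I POSTROUTING -s "$VPN_SUBNET" -o "$tun" -j MASQUERADE
    run iptables -I FORWARD -s "$VPN_SUBNET" -o "$wan" -j DROP
    # Keep the VPN subnet's DNS inside the tunnel instead of the router's dnsmasq.
    run iptables -t nat -I PREROUTING -s "$VPN_SUBNET" -p udp --dport 53 \
        -j DNAT --to-destination "$VPN_DNS"
}

main() {
    if [ "$DRY_RUN" = 1 ]; then routes="$SAMPLE_ROUTES"; else routes="$(ip route list)"; fi
    gw="$(wan_gateway "$routes")"; wan="$(wan_device "$routes")"; tun="$(tun_device "$routes")"
    if [ -z "$gw" ] || [ -z "$wan" ] || [ -z "$tun" ]; then
        echo "no ISP default route or no tunnel device found; leaving routing alone" >&2
        return 1
    fi
    setup_bypass "$gw" "$wan"
    setup_vpn "$tun" "$wan"
    run ip route flush cache
}

main
```

On the router, run it with DRY_RUN=0 from the OpenVPN route-up hook (or from the Startup commands once the tunnel is up) and swap VPN_SUBNET and BYPASS_SUBNET if the other bridge should be the one on the VPN. Check the result with `ip rule show` and `ip route show table 20`, and from a host on the bypass bridge confirm the public IP it sees is the ISP's, not the VPN's; then pull the tunnel down and confirm a host on the VPN bridge loses connectivity rather than silently leaking via the ISP.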