I mentioned once before that the server has its own IP. That is to say, although the IP of the machine running the server is 192.168.201.1, when the application is open in the browser the server shows 127.0.0.1 in the address bar. Is that like a VM, and can that be a problem?
Have one more thought. Since all traffic going from the server out to any Android devices, whether on my network or not, goes through plex.tv, I assume any anonymity achieved by the VPN is negated by that, since all these devices have to be logged into my Plex account for it to work. If that is in fact the case, is there any way to route the entire Plex server app around the VPN while still having the rest of the machine go through it? Kind of a split tunneling thing.
At first I thought this was working. In the server GUI it says the server is fully accessible outside the network, but none of my devices are able to connect to it. Also noticed in the GUI that the public IP was the VPN's, not my ISP's. I changed all the IPs in the script to the server's, and saved to firewall/reboot. Then I commented out lines not pertaining to port 32400, save/reboot. I wasn't sure whether to leave the MAC addresses as you have them or change them to mine, so I tried both. One thing I didn't try, and perhaps I should, is commenting out the MAC address lines?
I have no idea what you're referring to in the following statement.
Also noticed in the GUI that the public IP was the VPN's, not my ISP's.
I have attached a pic to explain. That being said, I thought I had it figured out by using the following:
Code:
#!/bin/sh
set -x # uncomment/comment to enable/disable debug mode
# name: ddwrt-ovpn-redirect-vpn-to-wan-v1.sh
# version: 1.0.0, 18-Jan-2017, by eibgrad
# purpose: redirect specific VPN traffic back to WAN
# script type: firewall
# dd-wrt ref: n/a
# instructions:
# 1. add/modify firewall rules based on desired criteria (ip address, port, etc.)
# 2. install this script in the router's firewall script
# 3. reboot router
(
TID="200"
FW_MARK="0x88"
# copy main routing table to alternate routing table (exclude all default
# and openvpn client routes)
ip route flush table $TID > /dev/null 2>&1
ip route show | grep -Ev '^default|^0.0.0.0/1|^128.0.0.0/1' | grep -Ev tun1 \
| while read route; do
ip route add $route table $TID
done
# add WAN as default gateway
ip route add default via $(nvram get wan_gateway) table $TID
# force routing system to recognize our changes
ip route flush cache
# disable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $i
done
# route marked packets through the alternate routing table
ip rule del fwmark $FW_MARK table $TID > /dev/null 2>&1
ip rule add fwmark $FW_MARK table $TID
# mark packets based on specific criteria (lan only)
# (example rules, disabled: the continuation lines are commented too so the
# shell does not try to run "-j MARK ..." as a command on its own)
#iptables -t mangle -D PREROUTING -p tcp -s 192.168.1.100 --sport 22 \
#    -j MARK --set-mark $FW_MARK > /dev/null 2>&1
#iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.100 --sport 22 \
#    -j MARK --set-mark $FW_MARK
#iptables -t mangle -D PREROUTING -p tcp -s 192.168.1.110 --sport 80 \
#    -j MARK --set-mark $FW_MARK > /dev/null 2>&1
#iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.110 --sport 80 \
#    -j MARK --set-mark $FW_MARK
iptables -t mangle -D PREROUTING -p tcp -s 192.168.201.125 --sport 32400 \
-j MARK --set-mark $FW_MARK > /dev/null 2>&1
iptables -t mangle -A PREROUTING -p tcp -s 192.168.201.125 --sport 32400 \
-j MARK --set-mark $FW_MARK
iptables -t mangle -D PREROUTING -p tcp -m mac --mac-source 54:b8:0a:a6:41:34 \
-j MARK --set-mark $FW_MARK > /dev/null 2>&1
iptables -t mangle -A PREROUTING -p tcp -m mac --mac-source 54:b8:0a:a6:41:34 \
-j MARK --set-mark $FW_MARK
# mark packets based on specific criteria (router only)
#iptables -t mangle -D OUTPUT -p tcp --sport 32400 -j MARK --set-mark $FW_MARK > /dev/null 2>&1
#iptables -t mangle -A OUTPUT -p tcp --sport 32400 -j MARK --set-mark $FW_MARK
) 2>&1 | logger -t "ovpn_split[$$]"
Changing the MAC addresses to those of my router made the public IP show as my ISP's, and my devices connected. Unfortunately, after a minute or so the server disconnects.
Baffling thing is, with the old code it works flawlessly for days, but for whatever reason it won't accept the kill switch.
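To make it easier to see what the script above actually does before it touches the router, here is an added dry-run example (not part of the thread and not eibgrad's script). It reproduces the script's route filter on a constructed "ip route show" listing, prints the commands the alternate table would receive, and builds the mark rule for one host/port. The sample routes, the WAN gateway 10.0.0.1 and the function names are assumptions made up for the example; the point it shows is that the rule matches --sport 32400 from the Plex host, i.e. the server's replies, so answers to connections that arrived on the WAN are sent back out the WAN instead of the tunnel.

```shell
#!/bin/sh
# Added example (not from the thread or eibgrad's script): dry-run of the
# route-copy and mark steps so the logic can be checked without root or a router.

# Constructed sample of what "ip route show" prints on a DD-WRT router with an
# OpenVPN client up (addresses are made up for this example).
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun1
default via 10.0.0.1 dev vlan2
10.0.0.0/24 dev vlan2 proto kernel scope link src 10.0.0.223
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.6
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.8.0.1 dev tun1
172.94.40.3 via 10.0.0.1 dev vlan2
192.168.201.0/24 dev br0 proto kernel scope link src 192.168.201.1'

# Same filter as the script: drop the default route, the two /1 routes the
# OpenVPN client installs to capture all traffic, and anything on tun1.
filter_routes() {
    printf '%s\n' "$1" | grep -Ev '^default|^0\.0\.0\.0/1|^128\.0\.0\.0/1' | grep -Ev tun1
}

# Number of routes the alternate table would receive.
count_routes() {
    filter_routes "$1" | wc -l | tr -d ' '
}

# Print (do not run) the "ip route add" commands for one table id, ending with
# the WAN default gateway the script pulls from "nvram get wan_gateway".
plan_table() {
    tid="$1"; routes="$2"; wan_gw="$3"
    filter_routes "$routes" | while read -r route; do
        printf 'ip route add %s table %s\n' "$route" "$tid"
    done
    printf 'ip route add default via %s table %s\n' "$wan_gw" "$tid"
}

# Mark rule for a LAN host's replies from a given source port (host, port, mark).
# --sport matches packets the server sends back, not connections it opens.
plan_mark_rule() {
    printf 'iptables -t mangle -A PREROUTING -p tcp -s %s --sport %s -j MARK --set-mark %s\n' "$1" "$2" "$3"
}

plan_table 200 "$SAMPLE_ROUTES" 10.0.0.1
plan_mark_rule 192.168.201.125 32400 0x88
```

Running it prints four route commands (the tun1 and /1 routes are gone), the WAN default for table 200, and the single mark rule; comparing that output against "ip route show table 200" and "iptables -t mangle -L PREROUTING -n" on the router is a quick way to confirm the script did what was intended after a reboot.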
Yeah, I understand that, but when I comment everything out except the 2 lines pertaining to port 32400, the result I get is in the pic posted and devices can't connect. So I was just trying other scenarios and, like I said, that worked, but for a short period of time.
Well I'll try it with everything commented out the correct way anyway. One thing I know for sure with this setup is nothing goes the way you expect it.
#!/bin/sh
set -x # uncomment/comment to enable/disable debug mode
# name: ddwrt-ovpn-redirect-vpn-to-wan-v1.sh
# version: 1.0.0, 18-Jan-2017, by eibgrad
# purpose: redirect specific VPN traffic back to WAN
# script type: firewall
# dd-wrt ref: n/a
# instructions:
# 1. add/modify firewall rules based on desired criteria (ip address, port, etc.)
# 2. install this script in the router's firewall script
# 3. reboot router
(
TID="200"
FW_MARK="0x88"
# copy main routing table to alternate routing table (exclude all default
# and openvpn client routes)
ip route flush table $TID > /dev/null 2>&1
ip route show | grep -Ev '^default|^0.0.0.0/1|^128.0.0.0/1' | grep -Ev tun1 \
| while read route; do
ip route add $route table $TID
done
# add WAN as default gateway
ip route add default via $(nvram get wan_gateway) table $TID
# force routing system to recognize our changes
ip route flush cache
# disable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $i
done
# route marked packets through the alternate routing table
ip rule del fwmark $FW_MARK table $TID > /dev/null 2>&1
ip rule add fwmark $FW_MARK table $TID
# (mark rules removed; closing of the subshell as in the full script)
) 2>&1 | logger -t "ovpn_split[$$]"
Now I can't get it to work with the old code that was working. I suspect all the code changing and rebooting has maybe corrupted something. I'm thinking I'll reset to factory and start from scratch. Should I update to a more recent beta version while I'm at it?
So I've been trying to make this work for the past week with no luck. I did a 30/30/30 and reinstalled DD-WRT and it loads fine. I set up the VPN, reboot and all is well: connected, success. When I add the firewall code (either the one that was originally working or your custom one) I get endless TLS connection errors and the VPN won't connect. I tried adding a sleep command before the script but still got the TLS errors. If I reboot the router with no firewall code and then add/save the firewall code it works as it should, the Plex connects, but of course as soon as it reboots it's back to TLS errors. I saved the script as a custom script and ran it through telnet and got the following result:
root@DD-WRT:/tmp# sh -x ./custom.sh
+ echo 0
+ echo 0
+ echo 0
+ echo 0
+ echo 0
+ echo 0
+ echo 0
+ echo 0
+ echo 0
+ echo 0
+ echo 0
+ ip route flush table 100
Nothing to flush.
+ ip route del default table 100
RTNETLINK answers: No such process
+ ip rule del fwmark 1 table 100
RTNETLINK answers: No such file or directory
+ ip route flush cache
+ + read ROUTE
+ grep -Ev tun1
grep -Ev ^default
+ ip route show table main
+ ip route add table 100 10.0.0.0/24 dev vlan2 proto kernel scope link src 10.0.0.223
+ read ROUTE
+ ip route add table 100 127.0.0.0/8 dev lo scope link
+ read ROUTE
+ ip route add table 100 169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
+ read ROUTE
+ ip route add table 100 172.94.40.3 via 10.0.0.1 dev vlan2
+ read ROUTE
+ ip route add table 100 192.168.151.0/24 dev br0 proto kernel scope link src 192.168.151.1
+ read ROUTE
+ nvram get wan_gateway
+ ip route add default table 100 via 10.0.0.1
+ ip rule add fwmark 1 table 100
+ ip route flush cache
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -s 192.168.151.125 --sport 32400 -j MARK --set-mark 1
Let me also add that the TLS connection error seems directly correlated to the sleep command at the beginning of the firewall script, i.e. sleep 10 gives a shorter TLS error before connecting than sleep 30 does. Either way the script is not allowing Plex to connect remotely.
I use PureVPN, with https://support.purevpn.com/how-can-i-configure-openvpn-on-my-dd-wrt-router. The differences are, I have NAT and Firewall enabled as well as SPI firewall, and I have User Pass Authentication enabled in the GUI, so there is nothing in "additional config" or Startup script. In the Server IP/Name field I have "usnj1-ovpn-udp.pointtoserver.com" and I'm using port 53. Can I change that to the 108.61.41.3 IP? As per the instructions, there is only info pasted in the "TLS Auth Key" and "CA Cert" fields. I will run that code in telnet shortly and upload the results along with the OpenVPN status page.
Okay so anyway I went ahead and changed the Server IP/name to 108.61.41.3 and ran it. Attached are the results both with VPN only and with firewall script added.