Posted: Tue Jul 11, 2017 23:30 Post subject: OpenVPN policy based routing (based on IP) - Please help
Hi guys, can you please share some advice on how to get all traffic from all devices connected to my router to be tunneled through a VPN tunnel EXCEPT those with IPs in the range of 192.168.1.2 - 192.168.1.10 ?
I figured I can use the 'Policy based routing' field to manually enter the IPs of hosts to use the VPN connection, but whenever I fill it with actual values, ALL hosts are assigned my real IP (i.e. they do not use my VPN connection at all). The VPN connection itself is working normally, i.e. I can tunnel ALL traffic from all devices connected to the router, the problem is to apply an IP-based exception rule.
I know it is a trivial issue and there are a bunch of tutorials on how to set up policy-based routing rules on DD-WRT, but none of them worked for me for some reason.
From what I read, I guess it is necessary to add a route-nopull command (so that the OpenVPN client on the router won't get the def1 default gateway pushed from the server) and also set up a custom routing table, but I am not sure how to do that.
I have been banging my head against this for several days now, guys; any help will be greatly, greatly appreciated, thank you!
Here is my config:
server:
Code:
dev tun
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
topology subnet
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
keepalive 10 120
verb 3
client-to-client
tun-mtu 1500
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Posted: Thu Jul 13, 2017 10:58 Post subject:
If you have a recent DD-WRT build (which you may not have, as the client config shows only udp and not udp4), then the only thing you have to do is fill in the IP range for the clients you want to route through the VPN in the PBR field. (The route-noexec is then added automatically.)
Thank you for your reply. Yes, I have actually tried to fill in the PBR field (that was the first thing I tried), but the problem is that it does not make DD-WRT adjust the routing tables accordingly. Indeed, maybe that is due to the fact that I am using an older DD-WRT build (mine is DD-WRT v24-sp2 (03/25/13) mega).
I figured I need to have 2 separate routing tables with different default gateways: one for the IPs I want tunneled (their gateway must be tun1), and another for those I do not (their gateway in my case had to be vlan1, i.e. my default gateway for WAN).
In my case I wanted all devices with IPs 192.168.1.2-192.168.1.10 to NOT use the VPN tunnel. Here is how I achieved this (many thanks to psufan5 from this thread: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1057049; hope it will be helpful for others, as I spent 3 days finding this solution):
Put this into the Firewall textbox:
Code:
# Second routing table (10) whose only entry is a default route via the WAN
WAN_GTWY="$(nvram get wan_gateway)"
WAN_IF="$(nvram get wan_iface)"
ip route add default via $WAN_GTWY dev $WAN_IF table 10
# Hosts that must bypass the tunnel: their traffic is looked up in table 10
ip rule add from 192.168.1.2 table 10
ip rule add from 192.168.1.3 table 10
ip rule add from 192.168.1.4 table 10
ip rule add from 192.168.1.5 table 10
ip rule add from 192.168.1.6 table 10
ip rule add from 192.168.1.7 table 10
ip rule add from 192.168.1.8 table 10
ip rule add from 192.168.1.9 table 10
ip rule add from 192.168.1.10 table 10
#----------------------------------------------------
And that is it! No need for custom scripts, no need for voodoo - it simply works.
The only problem is that I had to comment out this line to make it work:
Code:
#iptables -I INPUT -i tun1 -j REJECT
It looks like a kill switch, but in my case it is always on, i.e. it blocks all traffic to and from tunnel tun1 for some reason. Anyway, I am going to solve it later; the most important thing is that the above setup actually works, and you can easily change it according to your needs without much effort.
Hope it will help someone.
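The per-host rules above, generalised to any contiguous range inside one /24 and made safe to re-run, as an added example that is not code from the thread or from DD-WRT. It assumes routing table 10, the nvram variables used in the post, br0 as the LAN bridge and tun1 as the tunnel interface; the generator functions run anywhere, the apply function needs the router's nvram and ip tools.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the per-host bypass rules
# for a contiguous range inside one /24 (the thread types them out one by one),
# skips rules that are already installed so the script is safe to re-run when
# DD-WRT re-runs the firewall script, and checks the result with 'ip route get'.
# Assumes table 10 and the nvram variables used in the thread.

PBR_TABLE=10

# Print every address from $1 to $2, one per line; both must share the same /24.
expand_range() {
    prefix=${1%.*}; first=${1##*.}; last=${2##*.}
    [ "$prefix" = "${2%.*}" ] || { echo "range must stay inside one /24" >&2; return 1; }
    i=$first
    while [ "$i" -le "$last" ]; do
        echo "$prefix.$i"
        i=$((i + 1))
    done
}

# Print the 'ip rule add' commands that are still missing. $3 is the current
# output of 'ip rule show' (lines look like "32765: from 192.168.1.2 lookup 10").
gen_rules() {
    expand_range "$1" "$2" | while read -r addr; do
        if printf '%s\n' "$3" | grep -q "from $addr lookup $PBR_TABLE"'$'; then
            continue   # rule already present, do not add a duplicate
        fi
        echo "ip rule add from $addr table $PBR_TABLE"
    done
}

# Router-side part (needs nvram and iproute2, so it is not exercised off-box):
# table 10 holds only a default route through the WAN, exactly as in the thread.
apply_on_router() {
    WAN_GTWY="$(nvram get wan_gateway)"
    WAN_IF="$(nvram get wan_iface)"
    ip route replace default via "$WAN_GTWY" dev "$WAN_IF" table "$PBR_TABLE"
    gen_rules "$1" "$2" "$(ip rule show)" | sh -e
    # Check: a bypassed host's path to 8.8.8.8 must leave via the WAN interface,
    # while an address outside the range (assumed 192.168.1.100) must still use tun1.
    ip route get 8.8.8.8 from "$1" iif br0
    ip route get 8.8.8.8 from 192.168.1.100 iif br0
}

# Example invocation for the range discussed in the thread:
# apply_on_router 192.168.1.2 192.168.1.10
```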
Thanks for this, worked great. I also had to remove that line, or it killed everything. Did you ever solve it?
You can also randomize the server using remote-random and putting a list of compatible servers below it. My VPN (NordVPN) was a little tricky, and I wanted to use a script-based solution.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316713
Not much help available here, but I could find a workaround (remote-random in the GUI with a list of compatible servers below it). This way, I am on a different random server each time I refresh dd-wrt.