OpenVPN and single port bypass

securedparty
DD-WRT Novice


Joined: 07 Dec 2017
Posts: 2

PostPosted: Thu Dec 07, 2017 16:20    Post subject: OpenVPN and single port bypass Reply with quote
I have been trying to figure out a single port bypass mechanism to run in Firewall commands, but nothing I have tried seems to work.

Here is what I have tried most recently:

Code:
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 3232 -j DNAT --to-destination 10.10.1.32
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 3333 -j DNAT --to-destination 10.10.1.32


I am trying to get LAN IP 10.10.1.32 to receive incoming traffic via ports tcp 3232 and 3333 from over my WAN/ISP address.

I am running OpenVPN through DD-WRT with Firmware: DD-WRT v3.0-r33615M kongac (10/31/17).

My ISP provided address is not a static IP address, but for the sake of example, how would I get traffic passed to my ISP, not my VPN service, on port 3232 if my ISP provided IP address was 88.88.88.88?

I've been struggling off and on for a few months, searching every so often for something I can translate into something useful and usable.

I have used iptables for whole IP addresses using my WAN ISP instead of VPN IP, which works. However, I just need one specific computer on my home network to receive this incoming tcp port outside of the VPN.

The code I have used for whole machines:
Code:
# Run once from the shell: clear table 200 and record which hosts should bypass the VPN
ip route flush table 200
ip route del default table 200
sleep 1
ip route flush cache
sleep 1

nvram set no_vpn_lst="10.10.1.192 10.10.1.16"
nvram commit
sleep 1

# Startup script: send all traffic from the hosts in no_vpn_lst out via the WAN gateway
#!/bin/sh
NO_VPN_LST=`nvram get no_vpn_lst`
[ -z "$NO_VPN_LST" ] && exit 0
sleep 3
# Optional: wait until the WAN gateway is known before adding the route
# WAN_GWAY="0.0.0.0"
# while [ "$WAN_GWAY" = "0.0.0.0" ]; do
#   sleep 3
#   WAN_GWAY=`nvram get wan_gateway`
# done
# Table 200 defaults to the ISP gateway instead of the VPN tunnel
ip route add default via $(nvram get wan_gateway) table 200
# Every listed source address is looked up in table 200 instead of main
for ipa in $NO_VPN_LST; do
  ip rule add from $ipa table 200
done
ip route flush cache
exit 0


With OpenVPN client turned off, traffic routes just fine with WAN IP and the ports 3232 and 3333.

Any suggestions?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 6553

PostPosted: Thu Dec 21, 2017 8:04    Post subject: Reply with quote
You can't solve this problem using an "ip add rule" strategy. That works primarily at the IP level. It has no notion of ports.

To include ports (and other criteria besides IP address), you need to use a more sophisticated approach where you mark packets in PREROUTING based on that criteria (IP, port, protocol, network interface, etc.) and tell the routing system to route those marked packets over the WAN.

Because this is such a common problem, and rather complex to configure, I've created a script to make it as simple as possible to implement.

https://pastebin.com/nC27ETsp

For completeness' sake, there's a sister script that uses the "ip add rule" strategy for simple/basic cases where IP is the only consideration.

https://pastebin.com/W2P3TDZT
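The marking approach described above, written out for the ports and LAN host from this thread as an added example (it is not eibgrad's pastebin script and not part of the original posts). It assumes DD-WRT's usual interface names (vlan2 for the WAN, br0 for the LAN on 10.10.1.0/24) and prints the commands so they can be reviewed before running them with "apply".

```shell
#!/bin/sh
# Added example, not eibgrad's script: route inbound TCP 3232/3333 for one
# LAN host over the WAN while the OpenVPN client owns the default route.
# Interface names and the LAN subnet are assumptions; adjust them.
WAN_IF=vlan2            # assumed DD-WRT WAN interface
LAN_IF=br0              # assumed DD-WRT LAN bridge
LAN_NET=10.10.1.0/24    # assumed LAN subnet
LAN_HOST=10.10.1.32     # host from the thread
PORTS="3232 3333"       # ports from the thread
MARK=0x1
TABLE=200

# Print the commands instead of running them so they can be reviewed;
# "$0 apply" pipes the output through sh. Argument: the WAN gateway.
build_rules() {
  gw=$1
  echo "ip route flush table $TABLE"
  echo "ip route add default via $gw dev $WAN_IF table $TABLE"
  # Keep the LAN reachable from table 200 so reverse-path checks on replies pass.
  echo "ip route add $LAN_NET dev $LAN_IF table $TABLE"
  echo "ip rule del fwmark $MARK table $TABLE 2>/dev/null"
  echo "ip rule add fwmark $MARK table $TABLE"
  # 1) Re-apply a saved connection mark to every packet before routing, so
  #    replies from the LAN host select the WAN table instead of tun0.
  echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
  for p in $PORTS; do
    # 2) Mark new connections for these ports that arrive on the WAN ...
    echo "iptables -t mangle -A PREROUTING -i $WAN_IF -p tcp --dport $p -m state --state NEW -j MARK --set-mark $MARK"
    # ... forward them to the LAN host and let the firewall pass them.
    echo "iptables -t nat -I PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $LAN_HOST"
    echo "iptables -I FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $LAN_HOST --dport $p -j ACCEPT"
  done
  # 3) Store the packet mark on the connection so both directions share it.
  echo "iptables -t mangle -A PREROUTING -j CONNMARK --save-mark"
  echo "ip route flush cache"
}

case "${1:-}" in
  show)  build_rules "$(nvram get wan_gateway)" ;;
  apply) build_rules "$(nvram get wan_gateway)" | sh ;;
esac
```

Only connections that arrive on the WAN for those two ports are marked, so the host's own outbound traffic still goes through the tunnel.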
securedparty
DD-WRT Novice


Joined: 07 Dec 2017
Posts: 2

PostPosted: Mon Jan 01, 2018 22:06    Post subject: Reply with quote
Thanks for your reply! I will look into this further!

Again, thanks!