OpenVPN Policy Based Routing not working on WRT1900ACS

m_abdelfattah
DD-WRT Novice


Joined: 27 Apr 2016
Posts: 29

PostPosted: Thu Feb 22, 2018 9:09    Post subject: OpenVPN Policy Based Routing not working on WRT1900ACS
Firmware Version: r33215 (and latest beta too)
Router: WRT1900ACS V1
SFE: Disabled
VPN: OpenVPN

I tried to use the IP with and without a netmask (192.168.1.10/24, 192.168.1.10).

Any idea what I should do next?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Thu Feb 22, 2018 10:18
You mean an OpenVPN client, I suppose?
Test with one client: give this client a static lease, e.g. 192.168.1.89. Then in the PBR field enter: 192.168.1.89/32.
Never include the router itself in the PBR range.
To calculate a PBR range use: https://www.ipaddressguide.com/cidr

Disable SFE on the Setup tab.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
m_abdelfattah
DD-WRT Novice


Joined: 27 Apr 2016
Posts: 29

PostPosted: Thu Feb 22, 2018 16:05
I tried and it is not working. My router IP is 192.168.1.1.
My device IP is 192.168.1.201.
My PBR is 192.168.1.201/32.

Let me be clear: by "not working", I mean that the internet works fine on all devices, and none of the connected devices route through the VPN. But the device that should route through the VPN has no connection.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Thu Feb 22, 2018 16:23
Remove everything from the PBR field and check if the VPN is working.

If the VPN is working, reinstate PBR and check whether you have any connection: ping 8.8.8.8 or browse to ftp://ftp.dd-wrt.com/
If this works, you probably have SFE enabled; SFE only blocks HTTP traffic.

If it is not working, try a newer build; there were earlier problems with PBR.
Newest build: ftp://ftp.dd-wrt.com/betas/2018

m_abdelfattah
DD-WRT Novice


Joined: 27 Apr 2016
Posts: 29

PostPosted: Thu Feb 22, 2018 17:20
eibgrad wrote:
Let's make sure we have the full details of your network configuration here. So far all we know is that you have a router w/ an OpenVPN client configured. But that's not always sufficient information.

For example, if that router is NOT being used in a routed configuration (i.e., active WAN), but instead bridged (LAN to LAN) w/ some other primary router, then the fact the OpenVPN client is configured w/ PBR will have no effect. Nobody is being routed through that WAP anyway.

So rather than have us guess, please provide a little more information, a little more context, so we can be sure things are as we assume them to be.


Basic Setup:
Connection Type: Automatic Configuration - DHCP

Advanced Routing:
Operating Mode: Gateway
Interface: LAN & WLAN


Can you please tell me what other info I should provide? Thank you for your time.
m_abdelfattah
DD-WRT Novice


Joined: 27 Apr 2016
Posts: 29

PostPosted: Thu Feb 22, 2018 17:22
egc wrote:
Remove everything from the PBR field and check if the VPN is working.

If the VPN is working, reinstate PBR and check whether you have any connection: ping 8.8.8.8 or browse to ftp://ftp.dd-wrt.com/
If this works, you probably have SFE enabled; SFE only blocks HTTP traffic.

If it is not working, try a newer build; there were earlier problems with PBR.
Newest build: ftp://ftp.dd-wrt.com/betas/2018


The VPN works perfectly if there is no PBR, but then all devices connect through it.
SFE is disabled. Is there any other way to make sure that it is disabled than the "Shortcut Forwarding Engine" setting on the Basic Setup page?

Thank you for your time!
m_abdelfattah
DD-WRT Novice


Joined: 27 Apr 2016
Posts: 29

PostPosted: Thu Feb 22, 2018 18:28
ip route show table main

    default via 192.168.70.254 dev eth0
    25.0.8.0/24 dev tun1 proto kernel scope link src 25.0.8.5
    127.0.0.0/8 dev lo scope link
    169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
    192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
    192.168.70.0/24 dev eth0 proto kernel scope link src 192.168.70.64

ip route show table 10

    default via 25.0.8.1 dev tun1

ip rule list

    0: from all lookup local
    32762: from 192.168.1.201 lookup 10
    32763: from 192.168.1.201 lookup 10
    32764: from 192.168.1.201 lookup 10
    32765: from 192.168.1.201 lookup 10
    32766: from all lookup main
    32767: from all lookup default

cat /tmp/openvpncl/openvpn.conf

    ca /tmp/openvpncl/ca.crt
    cert /tmp/openvpncl/client.crt
    key /tmp/openvpncl/client.key
    management 127.0.0.1 16
    management-log-cache 100
    verb 3
    mute 3
    syslog
    writepid /var/run/openvpncl.pid
    client
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    script-security 2
    dev tun1
    proto udp4
    cipher aes-256-cbc
    auth sha256
    auth-user-pass /tmp/openvpncl/credentials
    remote us-lax-3.isvpn.net 1194
    comp-lzo yes
    redirect-private def1
    route-noexec
    tun-mtu 1500
    mtu-disc yes
    ns-cert-type server
    fast-io
    tls-auth /tmp/openvpncl/ta.key 1

cat /tmp/openvpncl/route-up.sh

    #!/bin/sh
    iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
    iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
    iptables -D INPUT -i tun1 -j ACCEPT
    iptables -I INPUT -i tun1 -j ACCEPT
    for IP in `cat /tmp/openvpncl/policy_ips` ; do
    ip rule add from $IP table 10
    done
    ip route add default via $route_vpn_gateway table 10
    ip route flush cache
    echo $ifconfig_remote >>/tmp/gateway.txt
    echo $route_vpn_gateway >>/tmp/gateway.txt
    echo $ifconfig_local >>/tmp/gateway.txt

cat /tmp/openvpncl/route-down.sh

    #!/bin/sh
    iptables -D INPUT -i tun1 -j ACCEPT
    iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
    ip route flush table 10

cat /tmp/openvpncl/policy_ips

    192.168.1.201/32
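An added POSIX shell helper (not from the thread or from DD-WRT's own scripts) that sanity-checks pasted `ip rule list` and `ip route show table 10` output of the kind dumped above. It counts how many rules send a policy IP to the table (the four identical rules above accumulate because route-up.sh re-adds them on every reconnect while route-down.sh only flushes table 10) and reports which interface the table's default route uses, because a rule that points at an empty table simply falls through to the main table and its WAN default. The sample input is a constructed copy of the output posted above.

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT: sanity-check `ip rule list`
# and `ip route show table N` output for a DD-WRT style PBR setup.

# Constructed sample input, copied from the output posted above.
SAMPLE_RULES='0: from all lookup local
32762: from 192.168.1.201 lookup 10
32763: from 192.168.1.201 lookup 10
32764: from 192.168.1.201 lookup 10
32765: from 192.168.1.201 lookup 10
32766: from all lookup main
32767: from all lookup default'
SAMPLE_TABLE10='default via 25.0.8.1 dev tun1'

# rule_count RULES SRC TABLE: how many rules send packets from SRC to TABLE.
rule_count() {
    printf '%s\n' "$1" | awk -v src="$2" -v tbl="$3" '
        $2 == "from" && $3 == src && $4 == "lookup" && $5 == tbl { n++ }
        END { print n + 0 }'
}

# table_default_dev TABLE: interface of the table's default route, or "none".
table_default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1) }
        END { print (dev == "" ? "none" : dev) }'
}

# pbr_audit RULES TABLE TABLE_ID IP...: one line per check; exit 1 on any FAIL.
pbr_audit() {
    rules=$1; table=$2; tid=$3; shift 3; rc=0
    dev=$(table_default_dev "$table")
    # An empty table is not a kill switch: the rule just falls through to main.
    case $dev in
        tun*) echo "OK   table $tid: default via $dev" ;;
        none) echo "FAIL table $tid: no default route, policy IPs fall through to main (WAN)"; rc=1 ;;
        *)    echo "FAIL table $tid: default via $dev is not a tun device"; rc=1 ;;
    esac
    for ip in "$@"; do
        n=$(rule_count "$rules" "$ip" "$tid")
        if [ "$n" -eq 0 ]; then echo "FAIL $ip: no rule to table $tid"; rc=1
        elif [ "$n" -gt 1 ]; then echo "WARN $ip: $n duplicate rules to table $tid (route-up.sh re-adds, route-down.sh never deletes)"
        else echo "OK   $ip: one rule to table $tid"
        fi
    done
    return $rc
}

pbr_audit "$SAMPLE_RULES" "$SAMPLE_TABLE10" 10 192.168.1.201
```

On a live router the same functions can be fed `"$(ip rule list)"` and `"$(ip route show table 10)"` instead of the constructed samples.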
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Thu Feb 22, 2018 18:48
If it is not a DNS problem, consider trying another build. There have been problems with PBR in earlier builds.
m_abdelfattah
DD-WRT Novice


Joined: 27 Apr 2016
Posts: 29

PostPosted: Thu Feb 22, 2018 19:06
egc wrote:
If it is not a DNS problem, consider trying another build. There have been problems with PBR in earlier builds.


Unfortunately, it is not a DNS problem. Do you suggest a specific build?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Thu Feb 22, 2018 19:20
m_abdelfattah wrote:
egc wrote:
If it is not a DNS problem, consider trying another build. There have been problems with PBR in earlier builds.


Unfortunately, it is not a DNS problem. Do you suggest a specific build?


Try the latest.

m_abdelfattah
DD-WRT Novice


Joined: 27 Apr 2016
Posts: 29

PostPosted: Thu Feb 22, 2018 19:33
egc wrote:
m_abdelfattah wrote:
egc wrote:
If it is not a DNS problem, consider trying another build. There have been problems with PBR in earlier builds.


Unfortunately, it is not a DNS problem. Do you suggest a specific build?


Try the latest.


If you are talking about the latest beta, I did, and I had the same problem.
m_abdelfattah
DD-WRT Novice


Joined: 27 Apr 2016
Posts: 29

PostPosted: Fri Feb 23, 2018 6:39
So, I tried to apply this PBR on 2 devices (Roku and Windows PC).

The Windows PC worked fine, but the Roku is still not working.
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Fri Feb 23, 2018 9:16    Post subject: Ummmmmm
Just a few quick questions:

1) Are you using a generic firewall kill switch?
PBR doesn't work with it without additional rules.

2) After you enabled PBR on those IPs, did you restart the router and the devices?

3) Have you tried network segmentation on specific CIDRs for a range of, let's say, 192.168.1.20 through 192.168.1.30, and assigning the devices to that range?

192.168.1.100/30
would be 192.168.1.100 through 192.168.1.103.

You can use the link below to calculate:
https://www.ipaddressguide.com/cidr#range

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
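The two pieces of PBR advice in this thread, egc's "use a /32 and never include the router itself" and sploit's "192.168.1.100/30 covers .100 through .103", worked as an added POSIX shell example (not from the thread or from DD-WRT's own scripts): it expands each PBR entry to its first and last address, treats a bare address like the OP's 192.168.1.10 as a single host, and flags any entry whose range contains the router's LAN IP, as the OP's first attempt with 192.168.1.10/24 did.

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT: expand a PBR CIDR entry to its
# first/last address and make sure it does not include the router's own LAN IP.

ip2int() {  # 192.168.1.201 -> 3232235977
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {  # 3232235977 -> 192.168.1.201
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range 192.168.1.100/30 -> "192.168.1.100 192.168.1.103"
# A bare address with no /prefix is treated as one host (/32).
cidr_range() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    case $prefix in ''|*[!0-9]*) echo "bad prefix: $1" >&2; return 1 ;; esac
    [ "$prefix" -le 32 ] || { echo "bad prefix: $1" >&2; return 1; }
    mask=$(( 0xFFFFFFFF ^ ((1 << (32 - prefix)) - 1) ))
    first=$(( $(ip2int "$addr") & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int2ip "$first") $(int2ip "$last")"
}

# cidr_contains CIDR IP: succeeds when IP lies inside CIDR.
cidr_contains() {
    range=$(cidr_range "$1") || return 1
    n=$(ip2int "$2")
    [ "$n" -ge "$(ip2int "${range% *}")" ] && [ "$n" -le "$(ip2int "${range#* }")" ]
}

# pbr_check ROUTER_IP CIDR...: print every entry's range; exit 1 if an entry
# includes the router itself (egc's "never include the router" rule above).
pbr_check() {
    router=$1; shift; rc=0
    for cidr in "$@"; do
        range=$(cidr_range "$cidr") || { rc=1; continue; }
        if cidr_contains "$cidr" "$router"; then
            echo "BAD  $cidr (${range% *} - ${range#* }) includes router $router"; rc=1
        else
            echo "OK   $cidr (${range% *} - ${range#* })"
        fi
    done
    return $rc
}

# Usage: sh pbr_check.sh 192.168.1.1 192.168.1.201/32 192.168.1.10/24
if [ $# -ge 2 ]; then pbr_check "$@"; fi
```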
m_abdelfattah
DD-WRT Novice


Joined: 27 Apr 2016
Posts: 29

PostPosted: Sun Feb 25, 2018 6:13
eibgrad wrote:
m_abdelfattah wrote:
So, I tried to apply this PBR on 2 devices (Roku and Windows PC).

The Windows PC worked fine, but the Roku is still not working.


Tried to apply what PBR?


Yes, PBR.
m_abdelfattah
DD-WRT Novice


Joined: 27 Apr 2016
Posts: 29

PostPosted: Sun Feb 25, 2018 6:15    Post subject: Re: Ummmmmm
sploit wrote:
Just a few quick questions:

1) Are you using a generic firewall kill switch?
PBR doesn't work with it without additional rules.

2) After you enabled PBR on those IPs, did you restart the router and the devices?

3) Have you tried network segmentation on specific CIDRs for a range of, let's say, 192.168.1.20 through 192.168.1.30, and assigning the devices to that range?

192.168.1.100/30
would be 192.168.1.100 through 192.168.1.103.

You can use the link below to calculate:
https://www.ipaddressguide.com/cidr#range


1. I don't know what that is, so I'll assume that I'm not using it.

2. Yes, I restarted the router.

3. I did not try it; I will try it and update this post.