Posted: Fri May 18, 2018 20:40 Post subject: OpenVPN Simple Policy Based Routing Problem
Hi all,
So this one is driving me mad.
Simple setup - wireless router with 2 wireless APs and a single-subnet LAN connected to a cable modem.
All I am trying to do is use the OpenVPN client with Policy Based Routing to send just one of the hosts on my network out via the VPN; the rest go in the clear.
But.
As soon as I put something in the PBR settings such as
192.168.1.50/32
All web-based traffic seems to no longer work for 192.168.1.50 and all other LAN IPs.
I can still traceroute and ping from 192.168.1.50 out onto the internet, and the traceroute is saying it is going out via the VPN.
Ah OK, thanks. I've just rolled back about a year and it seems to work OK. Is it just one person developing ddwrt? Seems a bit off that regression bugs are taking this long to resolve.
I think I'm going to have to do something a bit more complex with PBR to be honest though after all.
Joined: 18 Mar 2014 Posts: 12911 Location: Netherlands
Posted: Sat May 19, 2018 8:37 Post subject:
Yes, start by disabling Shortcut Forwarding Engine on the setup page; that is not compatible with PBR (there is a solution though).
Furthermore, I am not sure about your network setup. You state LAN connected to your cable modem, but normally you should connect the cable modem to your router via the WAN port, unless you are using your router as a Wireless Access Point.
When using PBR, also disable any kill switch you are using (there is a kill switch for PBR, but first get it working).
Thanks, yes, it is connected to the WAN port. I meant the router is connected to a cable modem, not that the LAN port was specifically.
I've arbitrarily rolled back to r32170 and PBR is indeed working. I hadn't tried SFE disabling, but I didn't even know the 'feature' existed, let alone knew if it was worthwhile disabling. I don't see any bandwidth/connection issues to justify needing it though.
I've set it up like this for accessing Netflix in the US, but I've found that when I do that for a certain IP, Amazon Prime doesn't work at all, so more complex it needs to be.
Also, what is the script/command that turning on/off the OpenVPN client via the webUI runs? I've been looking into being able to turn it on/off via an SSH script, to let the wife easily turn it off if she needs to use Prime Video, but there doesn't seem to be an on/off command, despite being able to do it via the webUI, which doesn't make sense. I've tried to search the device for *.asp or script files but have had no luck so far. Any ideas?
Posted: Sat May 19, 2018 11:27 Post subject:
You can turn the OpenVPN client off in the GUI by just disabling it; your settings are retained, and when you enable it, it just starts to work (of course Save and Apply).
I have not tested the above; @Eibgrad will know better.
With PBR you route your own clients by their IP address. It is also possible to route by destination IP address, e.g. always route Netflix via the VPN but nothing else. The problem is that Netflix or Amazon usually use a lot of different IP addresses and you do not know them.
You cannot use PBR and IP destination routing together from the GUI. There is, however, a really neat solution for this crafted by @Eibgrad: he has made a script to route anything but the kitchen sink, but I do not think this can route by domain name, and that is probably what you want.
I am sure he will chime in and enlighten us on the subject.
I think it is possible if you install ipset-dns, but I have never tried it (must ask @James2k about that, he is our resident ipset guru).
OK, thanks. I'll look into using the script. Truth be told, I bought an app off of the Android app store which claimed to be able to make changes to a dd-wrt router, but it has seemingly got loads of flaws, one being that it forces a reboot of the router when it turns off/on the OpenVPN client or server. So now I know that you can turn it on or off via SSH (which is what it uses) without doing that, I'm just going to write some scripts and fire them off using dash buttons or something.