How can we change the routes that are created by openvpn?

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.


nfuids
OpenVpn Newbie
Posts: 10
Joined: Sat Aug 20, 2011 12:01 am

How can we change the routes that are created by openvpn?

Post by nfuids » Sat Aug 20, 2011 12:07 am

Hi,

I recently got a router up with DD-WRT and OpenVPN. Works great, and on my router's reboot OpenVPN launches and connects. When it does so, it adds a few routes to my main routing table which make all my devices go through the VPN.

I would like to have only devices from 192.168.1.32/27 go through the VPN. I thought of 2 solutions:

1) instead of adding a route: from 0.0.0.0/1 via 10.8.11.5, I could change it to from 192.168.1.32/27 via 10.8.11.
2) have OpenVPN add all of its routes to routing table 10 and add a rule saying traffic from 192.168.1.32/27 should use that table.

I tried to understand the documentation, but I didn't find out how to achieve either of these solutions. I was thinking that with the --route option there might be something to do, but I haven't figured it out.

Any help would be greatly appreciated.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: How can we change the routes that are created by openvpn

Post by maikcat » Sat Aug 20, 2011 12:54 pm

please post configs for server/client

if you are the client you can use the nopull directive so you
don't get routes at all..

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

nfuids
OpenVpn Newbie
Posts: 10
Joined: Sat Aug 20, 2011 12:01 am

Re: How can we change the routes that are created by openvpn

Post by nfuids » Sun Aug 21, 2011 11:47 pm

Well, it's not that I don't want routes at all. I want them, but in a different routing table. How could I do it?

Thanks

Config:
proto tcp
tls-auth ta.key 1
cipher none
auth none
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 4
mute 5
tun-mtu 1500
comp-lzo yes
script-security 2
up "/tmp/ovpn/up"
down "/tmp/ovpn/dn"

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: How can we change the routes that are created by openvpn

Post by maikcat » Mon Aug 22, 2011 11:44 am

hi there,

>but in a different routing table

are there many routing tables?....

also it would help a lot if you posted the server config and the contents of the up/down scripts.

you can use nopull statement with route as well..

Michael.

nfuids
OpenVpn Newbie
Posts: 10
Joined: Sat Aug 20, 2011 12:01 am

Re: How can we change the routes that are created by openvpn

Post by nfuids » Mon Aug 22, 2011 1:52 pm

Well.. the server is strongvpn.com, so I don't know their exact config.

As for the routing tables, when you type: ip route show
it shows the routes in the main routing table. If you type: ip route show table 10
you get the routes for table 10

and you can define rules that tell which local IPs use which table.
I checked up the documentation for the nopull option and I came across this one:
--route-noexec
Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables.

Maybe I could script to that and add the route to the table 10 for example...

The UP script is:
#!/bin/sh
nvram set wan_ipaddr="$ifconfig_local"
nvram set wan_ifname="$dev"
nvram set wan_default="$dev"
killall upnp
upnp -D -W "$dev"
iptables -t nat -A POSTROUTING -o "$dev" -j MASQUERADE
# back up each resolver file, then write the DNS servers pushed by the VPN into it
for R in /tmp/resolv.conf /tmp/resolv.dnsmasq; do
    mv "$R" "$R~"
    for O in "$foreign_option_1" "$foreign_option_2"; do
        P="$O"
        p1=$(echo "$P" | cut -d " " -f1)
        if [ "$p1" = "dhcp-option" ]; then
            p2=$(echo "$P" | cut -d " " -f2)
            p3=$(echo "$P" | cut -d " " -f3)
            if [ "$p2" = "DNS" ]; then
                echo "nameserver $p3" >> "$R"
            fi
        fi
    done
done

The DOWN script is:
#!/bin/sh
killall upnp
iptables -t nat -D POSTROUTING -o "$dev" -j MASQUERADE
# restore the resolver files backed up by the UP script
for R in /tmp/resolv.conf /tmp/resolv.dnsmasq; do
    mv "$R~" "$R"
done
killall -HUP dnsmasq
nvram set upnp_enable=0
nvram commit

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How can we change the routes that are created by openvpn

Post by janjust » Mon Aug 22, 2011 1:58 pm

yes you can have multiple kernel routing tables; a tutorial is given here, for example
http://kindlund.wordpress.com/2007/11/1 ... -in-linux/

you can add routes to a different routing table, but you also need to tell the system to *use* this table, e.g.

ip rule add from 10.10.70.38/32 table 10
ip rule add to 10.10.70.38/32 table 10
the address '10.10.70.38/32' would need to be replaced by the (VPN) IP address that you want to set up routing for.

nfuids
OpenVpn Newbie
Posts: 10
Joined: Sat Aug 20, 2011 12:01 am

Re: How can we change the routes that are created by openvpn

Post by nfuids » Mon Aug 22, 2011 2:07 pm

Thanks janjust,

I already know how to use multiple kernel routing tables; what I don't know is how to have OpenVPN use a custom table instead of the main one, so I can add a rule to have only 192.168.1.32/27 use the VPN.

In your example, you have
ip rule add from 10.10.70.38/32
What purpose does this serve? I mean, I was thinking of only adding a rule like:
ip rule add from 192.168.1.32/27
so all traffic from these private IPs uses the route added by the VPN.

What do you think?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How can we change the routes that are created by openvpn

Post by janjust » Mon Aug 22, 2011 2:44 pm

I'd say, give it a shot!
remember to include both a 'to' and a 'from' route; you can then use 'ip rule' to verify whether traffic from the VPN IP range is routed via the new routing table.

nfuids
OpenVpn Newbie
Posts: 10
Joined: Sat Aug 20, 2011 12:01 am

Re: How can we change the routes that are created by openvpn

Post by nfuids » Mon Aug 22, 2011 3:01 pm

Why the 'to' rule?

I thought that by saying which 'from' IPs the rule applies to, I didn't have to specify a 'to' rule.

Say a device that is outside the .32/27 range, wanted to connect to the same IP, I would want it to go through the ISP's gateway, not the VPN's.

and if I have to put a 'to' rule, I set the VPN's gateway? So all traffic going to that IP should use the custom table, is that correct?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How can we change the routes that are created by openvpn

Post by janjust » Mon Aug 22, 2011 3:14 pm

the kernel needs to know that all traffic coming from and going to the VPN network has to go through routing table 10 - otherwise traffic is routed differently going in than out, and that is bound to give you problems.

which IPs need to be passed via the VPN tunnel anyways?

nfuids
OpenVpn Newbie
Posts: 10
Joined: Sat Aug 20, 2011 12:01 am

Re: How can we change the routes that are created by openvpn

Post by nfuids » Mon Aug 22, 2011 4:15 pm

Well,

I thought of this:
192.168.1.32/27 Manually assigned - through VPN
192.168.1.64/27 Manually assigned - Not through VPN
192.168.1.96/27 DHCP assigned - Not through VPN
192.168.1.128/27 DHCP assigned - Not through VPN
192.168.1.160/27 DHCP assigned - Not through VPN
192.168.1.192/27 DHCP assigned - Not through VPN

So I would add

ip rule from 192.168.1.32/27 via xx.xx.xx.xx table 10
ip rule to 192.168.1.32/27 table 10
ip rule from xx.xx.xx.xx table 10
ip rule to xx.xx.xx.xx table 10

where xx.xx.xx.xx is the VPN's gateway IP.

Would that be correct?

nfuids
OpenVpn Newbie
Posts: 10
Joined: Sat Aug 20, 2011 12:01 am

Re: How can we change the routes that are created by openvpn

Post by nfuids » Mon Aug 22, 2011 4:22 pm

So basically, I will launch openVPN using this command:
openvpn --daemon --config /tmp/ovpn/ovpn.conf --route-delay 10 --route-noexec --route-nopull --route-up /tmp/ovpn/route-up.sh

and in the script route-up.sh, I will use the environment variables that contain the routes to add, add them all to 'table 10', and add the proper rules so the right traffic uses that table.

I will loop through the route_{parm}_{n} variables and issue the ip route add route table 10 commands for each of these variables.

Sounds like a good plan?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How can we change the routes that are created by openvpn

Post by janjust » Mon Aug 22, 2011 9:25 pm

yep, although you could also try source routing: if it's only a single subnet for which the rules apply then you might be able to do it using only source routing...

nfuids
OpenVpn Newbie
Posts: 10
Joined: Sat Aug 20, 2011 12:01 am

Re: How can we change the routes that are created by openvpn

Post by nfuids » Tue Aug 23, 2011 1:53 am

What do you mean by source routing? (I'm pretty new to this routing stuff!)

Thanks

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How can we change the routes that are created by openvpn

Post by janjust » Tue Aug 23, 2011 10:13 am

as always, 90+ % of the questions asked here have to do with routing. Read up on e.g.
http://linux-ip.net/html/tools-ip-route.html
for details on how to do source routing.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: How can we change the routes that are created by openvpn

Post by maikcat » Tue Aug 23, 2011 11:17 am

thank you JJK for the link.

there is always something new to learn.

Michael.

nfuids
OpenVpn Newbie
Posts: 10
Joined: Sat Aug 20, 2011 12:01 am

Re: How can we change the routes that are created by openvpn

Post by nfuids » Wed Aug 24, 2011 2:59 am

janjust wrote:the address '10.10.70.38/32' would need to be replaced by the (VPN) IP address that you want to set up routing for.
I did:
ip rule add from 192.168.1.32/27 table 10
ip rule add to 192.168.1.32/27 table 10

You're saying I should also add the VPN's IP? Which IP is that? My IP (10.8.11.6) or the other end's IP (10.8.11.5)?

Thanks

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How can we change the routes that are created by openvpn

Post by janjust » Wed Aug 24, 2011 8:04 am

you're a bit in uncharted territory for me - I'd add the whole VPN range (10.8.0.0/24)

nfuids
OpenVpn Newbie
Posts: 10
Joined: Sat Aug 20, 2011 12:01 am

Re: How can we change the routes that are created by openvpn

Post by nfuids » Wed Aug 24, 2011 7:02 pm

Thanks for your help!

Here is how I achieved my objective.

I started openvpn using this command:
openvpn --daemon --config /path/to/my/ovpn.conf

In the ovpn.conf, I have these 2 lines:

route-up /path/to/my/route-up.sh
route-noexec
down /path/to/my/vpn-down.sh
I think that the route-up line needs to be before the route-noexec (I used to use the --route-up and --route-noexec in the command line and I'm pretty sure --route-up needed to be before the --route-noexec).

In the route-up.sh script, I have this:

#!/bin/sh
ip route add "$ifconfig_remote" dev "$dev" proto kernel scope link src "$ifconfig_local"
ip route add "$route_network_1" via "$ifconfig_remote" dev "$dev" metric 1 table 10
ip route add 0.0.0.0/1 via "$ifconfig_remote" dev "$dev" table 10
ip route add 128.0.0.0/1 via "$ifconfig_remote" dev "$dev" table 10
ip rule add from 192.168.1.32/27 table 10
ip rule add to 192.168.1.32/27 table 10
I still need to find a way to add the rule for the from/to of the whole VPN IP's network.
so I guess that by using something along the lines of

# derive the /24 of the VPN range (e.g. 10.8.11.0) from the first pushed route's network
vpniprange="$(echo "$route_network_1" | cut -d. -f1-3).0"
ip rule add from "$vpniprange/24" table 10
ip rule add to "$vpniprange/24" table 10
Then, in the script that is run when VPN goes down, I flush the table 10, and remove the rules

#!/bin/sh
# recompute the VPN range the same way route-up.sh did; OpenVPN exports the
# route_* variables to the down script as well
vpniprange="$(echo "$route_network_1" | cut -d. -f1-3).0"
ip route flush table 10
ip rule del from 192.168.1.32/27 table 10
ip rule del to 192.168.1.32/27 table 10
ip rule del from "$vpniprange/24" table 10
ip rule del to "$vpniprange/24" table 10
By doing this, all devices that have an IP in 192.168.1.32/27 (.33 to .62 inclusive) will get routed through the VPN.
Hope this helps!
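The plan sketched earlier in the thread (loop over the route_{parm}_{n} variables under --route-noexec, put every route into table 10, then add the rules) and the final route-up/down pair above, combined into one script as an added example; this is not nfuids' script or OpenVPN project code. It assumes the route_network_n / route_netmask_n / route_gateway_n and script_type variables OpenVPN exports to its hook scripts, the table number 10 and client range 192.168.1.32/27 from the thread, and an added IP=echo dry-run switch for testing without touching the kernel.

```shell
#!/bin/sh
# Added example, not a script from this thread: serves as both --route-up and
# --down under --route-noexec. It moves every route OpenVPN exported
# (route_network_n / route_netmask_n / route_gateway_n) into table 10 and adds
# the policy rules for 192.168.1.32/27. Set IP=echo to print instead of run.
TABLE="${TABLE:-10}"
LAN_VIA_VPN="${LAN_VIA_VPN:-192.168.1.32/27}"
# Convert a dotted netmask such as 255.255.255.0 to a prefix length (24).
mask2prefix() {
    bits=0
    for octet in $(echo "$1" | tr '.' ' '); do
        case "$octet" in
            255) bits=$((bits + 8)) ;;  254) bits=$((bits + 7)) ;;
            252) bits=$((bits + 6)) ;;  248) bits=$((bits + 5)) ;;
            240) bits=$((bits + 4)) ;;  224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;;  128) bits=$((bits + 1)) ;;
            0) ;;                       *) return 1 ;;
        esac
    done
    echo "$bits"
}

# route-up: tunnel route, every pushed route, then the rules, all in $TABLE.
install_vpn_routes() {
    ipcmd="${IP:-ip}"
    $ipcmd route add "$ifconfig_remote" dev "$dev" src "$ifconfig_local" table "$TABLE"
    n=1
    while eval "[ -n \"\${route_network_$n}\" ]"; do
        eval "net=\$route_network_$n mask=\$route_netmask_$n gw=\$route_gateway_$n"
        prefix=$(mask2prefix "$mask") || return 1
        $ipcmd route add "$net/$prefix" via "${gw:-$ifconfig_remote}" dev "$dev" table "$TABLE"
        n=$((n + 1))
    done
    $ipcmd rule add from "$LAN_VIA_VPN" table "$TABLE"
    $ipcmd rule add to "$LAN_VIA_VPN" table "$TABLE"
}

# down: drop the rules first so no lookup hits a half-flushed table.
remove_vpn_routes() {
    ipcmd="${IP:-ip}"
    $ipcmd rule del from "$LAN_VIA_VPN" table "$TABLE"
    $ipcmd rule del to "$LAN_VIA_VPN" table "$TABLE"
    $ipcmd route flush table "$TABLE"
}
# OpenVPN exports script_type, so one file can serve both hooks.
case "$script_type" in
    route-up) install_vpn_routes ;;
    down)     remove_vpn_routes ;;
esac
```

Point both hooks at the same file (route-up and down lines in the config, next to route-noexec and script-security 2) and the rules are removed again when the tunnel goes down, so nothing from 192.168.1.32/27 is left consulting an empty table.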

pgreening
OpenVpn Newbie
Posts: 1
Joined: Thu May 21, 2015 4:41 pm

Re: How can we change the routes that are created by openvpn

Post by pgreening » Thu May 21, 2015 4:50 pm

ok, so this can be sort of easy. I just did it. I'm using the default routing table for most traffic, and I've created a second 'proxy' routing table for my vpn proxy traffic. Obviously you're going to have iproute2 to configure the 2nd table. You need an openvpn compiled with the --enable-iproute2 option. While you're compiling, you probably also want --enable-password-save. In total, you need 3 things:
custom openvpn with --enable-iproute2
custom proxyroute.sh script
use the --iproute option

Once you have a new binary, it should support the --iproute option. I've created a simple script to handle the custom routing work. Here it is:
root@localhost:~# cat proxyroute.sh
#!/bin/bash
# only "ip route ..." calls are sent to the proxy table; "ip link"/"ip addr" calls pass through unchanged
if [ "$1" == "route" ] ; then
    ip "$@" table proxy
else
    ip "$@"
fi

since openvpn will be using ip for building the tunnel/tap interface as well as configuring the routes, you only want to modify commands for routing.

Now, let's bring it all together.
my vpn provider gave me a vpn.conf file, and said to run it like:
openvpn vpn.conf

now, I actually use it like this:
openvpn --config vpn.conf --daemon

and to enable your custom route command, use this:
openvpn --config vpn.conf --daemon --iproute /root/proxyroute.sh

or, you can add the line:
iproute /root/proxyroute.sh to the end of your vpn.conf


This is a better solution than the previous one as it allows dynamic configuration of the VPN gateway, for situations where your VPN provider has a cluster and your VPN IP details can change slightly.
