How can we change the routes that are created by openvpn?
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Aug 20, 2011 12:01 am
How can we change the routes that are created by openvpn?
Hi,
I recently got a router up with DD-WRT and OpenVPN. Works great and on my router's reboot, OpenVPN launches and connects. When it does so, it adds a few routes in my main routing table which make all my devices go through the VPN.
I would like to have only devices from 192.168.1.32/27 go through the VPN. I thought of 2 solutions:
1) instead of adding a route: from 0.0.0.0/1 via 10.8.11.5, I could change it to from 192.168.1.32/27 via 10.8.11.
2) have openVPN add all of its routes to routing table 10 and add a rule saying traffic from 192.168.1.32/27 is to use that table.
I tried to understand the documentation, but I didn't find out how to achieve either of these solutions. I was thinking that with the --route option there might be something to do, but I haven't figured it out.
Any help would be greatly appreciated.
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: How can we change the routes that are created by openvpn
please post configs for server/client
if you are a client you can use the nopull directive so you
don't get routes at all..
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Aug 20, 2011 12:01 am
Re: How can we change the routes that are created by openvpn
Well, it's not that I don't want routes at all. I want them, but in a different routing table. How could I do it?
Thanks
Config:
proto tcp
tls-auth ta.key 1
cipher none
auth none
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 4
mute 5
tun-mtu 1500
comp-lzo yes
script-security 2
up "/tmp/ovpn/up"
down "/tmp/ovpn/dn"
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: How can we change the routes that are created by openvpn
hi there,
>but in a different routing table
are there many routing tables?....
also it would help a lot if you posted the server config and the contents of the up/down scripts.
you can use the nopull statement with route as well..
Michael.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Aug 20, 2011 12:01 am
Re: How can we change the routes that are created by openvpn
Well.. the server is strongvpn.com, so I don't know their exact config.
As for the routing tables, when you type: ip route show
it shows the routes in the main routing table. If you type: ip route show table 10
you get the routes for table 10
and you can define a rule that will tell which local IPs use which table.
I checked the documentation for the nopull option and I came across this one:
--route-noexec
Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables.
Maybe I could script that and add the routes to table 10 for example...
The UP script is:
#!/bin/sh
nvram set wan_ipaddr=$ifconfig_local
nvram set wan_ifname=$dev
nvram set wan_default=$dev
killall upnp
upnp -D -W $dev
iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE
# back up each resolver file, then rebuild it from the DNS servers the VPN server pushed
for R in /tmp/resolv.conf /tmp/resolv.dnsmasq; do
  mv $R $R~
  for O in "$foreign_option_1" "$foreign_option_2"; do
    P="$O"
    p1=$(echo "$P" | cut -d " " -f1)
    if [ "$p1" = "dhcp-option" ]; then
      p2=$(echo "$P" | cut -d " " -f2)
      p3=$(echo "$P" | cut -d " " -f3)
      if [ "$p2" = "DNS" ] ; then
        echo "nameserver $p3">>$R
      fi
    fi
  done
done
The DOWN script is:
#!/bin/sh
killall upnp
iptables -t nat -D POSTROUTING -o $dev -j MASQUERADE
# put the original resolver files back
for R in /tmp/resolv.conf /tmp/resolv.dnsmasq; do
  mv $R~ $R
done
killall -HUP dnsmasq
nvram set upnp_enable=0
nvram commit
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: How can we change the routes that are created by openvpn
yes you can have multiple kernel routing tables, a tutorial is given here , for example
http://kindlund.wordpress.com/2007/11/1 ... -in-linux/
you can add routes to a different routing table, but you also need to tell the system to *use* this table, e.g.
Code: Select all
ip rule add from 10.10.70.38/32 table 10
ip rule add to 10.10.70.38/32 table 10
the address '10.10.70.38/32' would need to be replaced by the (VPN) IP address that you want to set up routing for.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Aug 20, 2011 12:01 am
Re: How can we change the routes that are created by openvpn
Thanks janjust,
I already know how to use multiple kernel routing tables, what I don't know is how to have open vpn use a custom table instead of the main one, so I can add a rule to have only 192.168.1.32/27 to use the VPN.
In your example, you have
ip rule add from 10.10.70.38/32 what purpose does this serve? I mean I was thinking on only adding a rule like:
ip rule add from 192.168.1.32/27 so all traffic from these private IPs use the route added by the VPN.
What do you think?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: How can we change the routes that are created by openvpn
I'd say, give it a shot!
remember to include both a 'to' and a 'from' route; you can then use 'ip rule' to verify whether traffic from the VPN IP range is routed via the new routing table.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Aug 20, 2011 12:01 am
Re: How can we change the routes that are created by openvpn
Why the 'to' rule?
I thought that by saying which 'from' IPs the rule applies to, I didn't have to specify a 'to' rule.
Say a device that is outside the .32/27 range, wanted to connect to the same IP, I would want it to go through the ISP's gateway, not the VPN's.
and if I have to put a 'to' rule, I set the VPN's gateway? So all traffic going to that IP should use the custom table, is that correct?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: How can we change the routes that are created by openvpn
the kernel needs to know that all traffic coming from and going to the VPN network has to go through routing table 10 - otherwise traffic is routed differently going in than out , and that is bound to give you problems.
which IPs need to be passed via the VPN tunnel anyways?
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Aug 20, 2011 12:01 am
Re: How can we change the routes that are created by openvpn
Well,
I thought of this:
192.168.1.32/27 Manually assigned - through VPN
192.168.1.64/27 Manually assigned - Not through VPN
192.168.1.96/27 DHCP assigned - Not through VPN
192.168.1.128/27 DHCP assigned - Not through VPN
192.168.1.160/27 DHCP assigned - Not through VPN
192.168.1.192/27 DHCP assigned - Not through VPN
So I would add
ip rule from 192.168.1.32/27 via xx.xx.xx.xx table 10
ip rule to 192.168.1.32/27 table 10
ip rule from xx.xx.xx.xx table 10
ip rule to xx.xx.xx.xx table 10
where xx.xx.xx.xx is the VPN's gateway IP.
Would that be correct?
I thought of this:
192.168.1.32/27 Manually assigned - through VPN
192.168.1.64/27 Manually assigned - Not through VPN
192.168.1.96/27 DHCP assigned - Not through VPN
192.168.1.128/27 DHCP assigned - Not through VPN
192.168.1.160/27 DHCP assigned - Not through VPN
192.168.1.192/27 DHCP assigned - Not through VPN
So I would add
ip rule from 192.168.1.32/27 via xx.xx.xx.xx table 10
ip rule to 192.168.1.32/27 table 10
ip rule from xx.xx.xx.xx table 10
ip rule to xx.xx.xx.xx table 10
where xx.xx.xx.xx is the VPN's gateway IP.
Would that be correct?
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Aug 20, 2011 12:01 am
Re: How can we change the routes that are created by openvpn
So basically, I will launch openVPN using this command:
openvpn --daemon --config /tmp/ovpn/ovpn.conf --route-delay 10 --route-noexec --route-nopull --route-up /tmp/ovpn/route-up.sh
and in the script route-up.sh, I will use the environment variables that contain the route to add and add them all to 'table 10' and add the proper rules so the right traffic use that table.
I will loop through the route_{parm}_{n} variables and issue the ip route add route table 10 commands for each of these variables.
Sounds like a good plan?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: How can we change the routes that are created by openvpn
yep, although you could also try source routing: if it's only a single subnet for which the rules apply then you might be able to do it using only source routing...
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Aug 20, 2011 12:01 am
Re: How can we change the routes that are created by openvpn
What do you mean by source routing? (I'm pretty new to this routing stuff!)
Thanks
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: How can we change the routes that are created by openvpn
as always, 90+ % of the questions asked here have to do with routing. Read up on e.g.
http://linux-ip.net/html/tools-ip-route.html
for details on how to do source routing.
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: How can we change the routes that are created by openvpn
thank you JJK for the link.
there is always something new to learn.
Michael.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Aug 20, 2011 12:01 am
Re: How can we change the routes that are created by openvpn
janjust wrote:
>the address '10.10.70.38/32' would need to be replaced by the (VPN) IP address that you want to set up routing for.
I did:
ip rule add from 192.168.1.32/27 table 10
ip rule add to 192.168.1.32/27 table 10
You're saying I should also add the VPN's IP? Which IP is that? My IP (10.8.11.6) or the other end's IP (10.8.11.5)?
Thanks
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: How can we change the routes that are created by openvpn
you're a bit in uncharted territory for me - I'd add the whole VPN range (10.8.0.0/24)
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Aug 20, 2011 12:01 am
Re: How can we change the routes that are created by openvpn
Thanks for your help!
Here is how I achieved my objective.
I started openvpn using this command:
openvpn --daemon --config /path/to/my/ovpn.conf
In the ovpn.conf, I have these 2 lines:
Code: Select all
route-up /path/to/my/route-up.sh
route-noexec
down /path/to/my/vpn-down.sh
I think that the route-up line needs to be before the route-noexec (I used to use the --route-up and --route-noexec on the command line and I'm pretty sure --route-up needed to be before the --route-noexec).
In the route-up.sh script, I have this:
Code: Select all
#!/bin/sh
# link route to the VPN peer in the main table; the two /1 routes replace the
# default route, but only inside table 10
ip route add $ifconfig_remote dev $dev proto kernel scope link src $ifconfig_local
ip route add $route_network_1 via $ifconfig_remote dev $dev metric 1 table 10
ip route add 0.0.0.0/1 via $ifconfig_remote dev $dev table 10
ip route add 128.0.0.0/1 via $ifconfig_remote dev $dev table 10
ip rule add from 192.168.1.32/27 table 10
ip rule add to 192.168.1.32/27 table 10
I still need to find a way to add the rule for the from/to of the whole VPN IP's network.
so I guess that by using something along the line of
Code: Select all
# first three octets of the pushed route network (e.g. 10.8.11) with ".0" appended
vpniprange=$(echo "$route_network_1" | cut -d . -f 1-3).0
ip rule add from $vpniprange/24 table 10
ip rule add to $vpniprange/24 table 10
Then, in the script that is run when VPN goes down, I flush the table 10, and remove the rules
Code: Select all
#!/bin/sh
# route_network_1 is exported to the down script as well, so derive the same range here
vpniprange=$(echo "$route_network_1" | cut -d . -f 1-3).0
ip route flush table 10
ip rule del from 192.168.1.32/27 table 10
ip rule del to 192.168.1.32/27 table 10
ip rule del from $vpniprange/24 table 10
ip rule del to $vpniprange/24 table 10
By doing this, all devices that have an IP in the 192.168.1.32/27 (.33 to .62 inclusive) will get routed through the VPN.
Hope this helps!
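The script in the post above hardcodes route_network_1 and the two /1 halves. The following is an added example, not the poster's script and not part of OpenVPN, that generalizes it: it walks every route OpenVPN exports to a --route-up script as route_network_N / route_netmask_N / route_gateway_N / route_metric_N (route_vpn_gateway as the fallback gateway, script_type to tell the hooks apart), installs each into a separate table and steers one LAN subnet into that table. Table 10, LAN_NET (the subnet to tunnel), LAN_PREFIX (the whole LAN those hosts must still reach directly) and the DRY_RUN switch are assumptions of the example, not values from the thread.

```shell
#!/bin/sh
# Added example (not the poster's script): one file for both --route-up and
# --down under --route-noexec. It installs every exported route into a
# separate kernel table and steers one LAN subnet into that table.
# Assumptions (not from the thread): table 10, LAN_NET is the subnet to send
# through the VPN, LAN_PREFIX is the LAN it must still reach directly,
# DRY_RUN=1 prints the ip commands instead of running them.
TABLE="${TABLE:-10}"
LAN_NET="${LAN_NET:-192.168.1.32/27}"
LAN_PREFIX="${LAN_PREFIX:-192.168.1.0/24}"

# Run a command, or in dry-run mode just print it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Dotted-quad netmask -> prefix length (255.255.255.0 -> 24).
# Assumes a contiguous mask; any other octet value is rejected.
mask2cidr() {
  bits=0
  for octet in $(echo "$1" | tr . ' '); do
    case "$octet" in
      255) bits=$((bits + 8)) ;;  254) bits=$((bits + 7)) ;;
      252) bits=$((bits + 6)) ;;  248) bits=$((bits + 5)) ;;
      240) bits=$((bits + 4)) ;;  224) bits=$((bits + 3)) ;;
      192) bits=$((bits + 2)) ;;  128) bits=$((bits + 1)) ;;
      0) ;;
      *) return 1 ;;
    esac
  done
  echo "$bits"
}

# Install route_N into $TABLE until the first unset route_network_N.
# sh has no arrays, so the numbered variables are read with eval.
install_routes() {
  n=1
  while :; do
    eval "net=\${route_network_$n:-}"
    [ -n "$net" ] || break
    eval "mask=\${route_netmask_$n:-255.255.255.255}"
    eval "gw=\${route_gateway_$n:-\$route_vpn_gateway}"
    eval "metric=\${route_metric_$n:-}"
    prefix=$(mask2cidr "$mask") || { echo "route $n: bad netmask $mask" >&2; return 1; }
    run ip route add "$net/$prefix" via "$gw" dev "$dev" \
      ${metric:+metric "$metric"} table "$TABLE"
    n=$((n + 1))
  done
  # Policy rules; the lowest priority number is consulted first. The first
  # keeps traffic from LAN_NET to the rest of the LAN in the main table,
  # otherwise the 0.0.0.0/1 route in $TABLE would pull it into the tunnel.
  # The second sends everything else from LAN_NET through $TABLE. Hosts
  # outside LAN_NET never consult $TABLE at all.
  run ip rule add from "$LAN_NET" to "$LAN_PREFIX" table main priority 100
  run ip rule add from "$LAN_NET" table "$TABLE" priority 101
}

# Undo in reverse order so no packet sees a rule pointing at an empty table.
remove_routes() {
  run ip rule del from "$LAN_NET" table "$TABLE" priority 101
  run ip rule del from "$LAN_NET" to "$LAN_PREFIX" table main priority 100
  run ip route flush table "$TABLE"
}

# OpenVPN sets script_type to the hook that is running; with --route-noexec
# it exports the routes but leaves installing and removing them to us.
case "${script_type:-}" in
  route-up) install_routes ;;
  down)     remove_routes ;;
esac
```

Point both `route-up` and `down` at this file and set `route-noexec`; to see what it would do without touching the router, run it by hand with `DRY_RUN=1 script_type=route-up dev=tun0 route_vpn_gateway=10.8.11.5 route_network_1=0.0.0.0 route_netmask_1=128.0.0.0 sh route-up.sh`. The example deliberately omits the `to 192.168.1.32/27 table 10` rule from the thread: with MASQUERADE on the tun interface (as in the poster's up script) replies arrive addressed to the tunnel IP, are un-NATed to the LAN host, and need the connected LAN route that lives in the main table; a `to` rule would send those replies into table 10, where 0.0.0.0/1 points straight back into the tunnel. Unrelated to routing, but worth noting for anyone copying the client config earlier in the thread: `cipher none` and `auth none` leave the data channel unencrypted and unauthenticated whichever table the routes land in, since `tls-auth` only protects the control channel.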
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu May 21, 2015 4:41 pm
Re: How can we change the routes that are created by openvpn
ok, so this can be sort of easy. I just did it. I'm using the default routing table for most traffic, and I've created a second 'proxy' routing table for my vpn proxy traffic. Obviously you're going to need iproute2 to configure the 2nd table. You need an openvpn compiled with the --enable-iproute2 option. While you're compiling, you probably also want --enable-password-save. In total, you need 3 things:
custom openvpn with --enable-iproute2
custom proxyroute.sh script
use the --iproute option
Once you have a new binary, it should support the --iproute option. I've created a simple script to handle the custom routing work. here it is:
root@localhost:~# cat proxyroute.sh
#!/bin/bash
# OpenVPN calls this wrapper in place of ip(8); only "ip route ..." calls are
# sent to the proxy table, everything else is passed through unchanged
if [ "$1" == "route" ] ; then
  ip "$@" table proxy
else
  ip "$@"
fi
since openvpn will be using ip for building the tunnel/tap interface as well as configuring the routes, you only want to modify commands for routing.
Now, let's bring it all together.
my vpn provider gave me a vpn.conf file, and said to run it like:
openvpn vpn.conf
now, I actually use it like this:
openvpn --config vpn.conf --daemon
and to enable your custom route command, use this:
openvpn --config vpn.conf --daemon --iproute /root/proxyroute.sh
or, you can add the line:
iproute /root/proxyroute.sh
to the end of your vpn.conf
This is a better solution than the previous one as it allows dynamic configuration of the vpn gateway, for situations where your vpn provider has a cluster and your vpn ip details can change slightly.
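The wrapper in the post above rewrites every `ip route` call and leaves two things implicit: the `/etc/iproute2/rt_tables` entry that gives the name `proxy` a number, and the `ip rule` that actually sends the chosen hosts to that table. The following is an added example, not the poster's proxyroute.sh, that covers both and only redirects `route add/del/replace/change` when OpenVPN has not already named a table. The table number 200, PROXY_SRC, the DRY_RUN switch and the RT_TABLES override are assumptions of the example, not values from the post.

```shell
#!/bin/sh
# Added example, not the poster's proxyroute.sh: a stricter --iproute wrapper
# plus the rt_tables entry and the ip rule that the post leaves implicit.
# Assumptions (not from the page): table "proxy" = 200, PROXY_SRC is the
# subnet to proxy, DRY_RUN=1 prints instead of running, RT_TABLES overrides
# the rt_tables path for testing.
TABLE_NAME="${TABLE_NAME:-proxy}"
TABLE_NUM="${TABLE_NUM:-200}"
PROXY_SRC="${PROXY_SRC:-192.168.1.32/27}"

# Run a command, or in dry-run mode just print it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Print the ip(8) command line to really run for the arguments OpenVPN passed.
# Only "route add|del|replace|change" is redirected, and only if OpenVPN did
# not already name a table; "link", "addr" and "route show" pass through.
rewrite_ip_args() {
  if [ "$1" = route ]; then
    case "$2" in
      add|del|replace|change)
        for a in "$@"; do
          [ "$a" != table ] || { echo "ip $*"; return 0; }
        done
        echo "ip $* table $TABLE_NAME"
        return 0 ;;
    esac
  fi
  echo "ip $*"
}

# iproute2 resolves "table proxy" through rt_tables; add the name once.
ensure_table() {
  f="${RT_TABLES:-/etc/iproute2/rt_tables}"
  grep -qE "^$TABLE_NUM[[:space:]]+$TABLE_NAME\$" "$f" 2>/dev/null \
    || echo "$TABLE_NUM $TABLE_NAME" >> "$f"
}

# Only PROXY_SRC consults the proxy table; every other host keeps "main".
add_policy() { run ip rule add from "$PROXY_SRC" table "$TABLE_NAME"; }
del_policy() { run ip rule del from "$PROXY_SRC" table "$TABLE_NAME"; }

# When OpenVPN invokes this file as its --iproute command it passes the ip
# arguments: rewrite them and hand off to the real ip. With no arguments
# (sourced, or run by hand) nothing is executed.
if [ "$#" -gt 0 ]; then
  ensure_table
  set -- $(rewrite_ip_args "$@")
  shift
  exec ip "$@"
fi
```

Install it as `iproute /root/proxyroute.sh` exactly as the post does, and run `add_policy` once (for example from an `up` script) so the rule exists before the first route lands in the table; `del_policy` belongs in the `down` script. Like the poster's version this depends on a build with `--enable-iproute2`; the `route-noexec` + `route-up` approach earlier in the thread reaches the same result with a stock binary.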