[Solved]Some beginner questions I am really confused about

wstewart3
OpenVpn Newbie
Posts: 18
Joined: Wed Mar 04, 2015 1:16 am

[Solved]Some beginner questions I am really confused about

Post by wstewart3 » Wed Mar 04, 2015 1:23 am

I currently have an Asus RT-N56U with Padavan's firmware.

I have successfully connected the OpenVPN client to privateinternaccess.com without too many problems. I do, however, have some functionality issues I would like to get resolved.

On one of my desktops inside my LAN I am running an FTP server that (before messing with this OpenVPN stuff) was accessible externally. Is this even possible anymore?

A possible fix would be to set up an OpenVPN server on my router that ran alongside the OpenVPN client, so I could simply VPN back into my network and then run FileZilla, but I do not think this is ideal, or maybe it is not even doable. I would also like to securely RDP into the desktop as well from an external location.

So while I do love having everything encrypted going out from my desktop, there are a couple of services that it would be very nice to still be able to get in with. I was hoping someone could give me some guidance, and I do apologize if these questions are ridiculous!

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Some beginner questions I am really confused about

Post by maikcat » Wed Mar 04, 2015 9:16 am

On one of my desktop inside my LAN I am running an FTP server that (before messing with this openvpn stuff) was accessible externally. Is this even possible anymore?
Because the OpenVPN server probably pushes redirect-gateway, this forces ALL traffic via the VPN provider.
One solution is to use policy-based routing so you can direct FTP traffic outside the VPN.

Michael.

wstewart3
OpenVpn Newbie
Posts: 18
Joined: Wed Mar 04, 2015 1:16 am

Re: Some beginner questions I am really confused about

Post by wstewart3 » Wed Mar 04, 2015 12:14 pm

Thanks for the quick reply. I will do some Googling on this... Are there any guides or how-tos? Can this be done on my Asus router?

wstewart3
OpenVpn Newbie
Posts: 18
Joined: Wed Mar 04, 2015 1:16 am

Re: Some beginner questions I am really confused about

Post by wstewart3 » Wed Mar 04, 2015 12:47 pm

Also, my router has an example script that is set to run at disconnect/connect that sounds interesting; could this be manipulated to solve my issue as well?

Code:

#!/bin/sh

### Custom user script
### Called after internal VPN client connected/disconnected to remote VPN server
### $1        - action (up/down)
### $IFNAME   - tunnel interface name (e.g. ppp5 or tun0)
### $IPLOCAL  - tunnel local IP address
### $IPREMOTE - tunnel remote IP address
### $DNS1     - peer DNS1
### $DNS2     - peer DNS2

# private LAN subnet behind a remote server (example)
peer_lan="192.168.9.0"
peer_msk="255.255.255.0"

### example: add static route to private LAN subnet behind a remote server

func_ipup()
{
#  route add -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
   return 0
}

func_ipdown()
{
#  route del -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
   return 0
}

logger -t vpnc-script "$IFNAME $1"

case "$1" in
up)
  func_ipup
  ;;
down)
  func_ipdown
  ;;
esac

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Some beginner questions I am really confused about

Post by maikcat » Wed Mar 04, 2015 1:38 pm

If your Asus runs Linux and contains the iproute2 package, then you are ready to go.

Michael.

wstewart3
OpenVpn Newbie
Posts: 18
Joined: Wed Mar 04, 2015 1:16 am

Re: Some beginner questions I am really confused about

Post by wstewart3 » Wed Mar 04, 2015 5:43 pm

Thanks!

I checked, and this does have iproute2.

I have been doing some googling and found a few sources:
http://serverfault.com/questions/382498 ... -on-tomato

This has an example script at the bottom but it is not quite there yet.

I found another post:
topic7163-15.html

Which has

Code:

ip rule add from <internal IP of SSH server/VPN client> table 10
ip route add default via <internal IP of gateway/router> table 10

Although I believe this would route all the traffic from the SSH server to the gateway of the router, where I would only want part of the traffic (FTP port and some passive ports). I will keep looking, but if you have any suggestions I would very much love to hear them!

Thank you for your extremely quick responses!

*EDIT*

I was looking at
topic7163-15.html

And mops post may be the answer here. I think I would just need to change the -sport to the ports I want. I will try this later tonight!

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Some beginner questions I am really confused about

Post by maikcat » Thu Mar 05, 2015 7:38 am

The rule you need would be like:

source IP any to dest IP your FTP server, with source port any to dest port 20/21 TCP
and the reverse, e.g.:

source IP your FTP server with source port 20/21 proto TCP, dest IP any, port any

The above packets should be marked for the outside-VPN route.

PS: you need iptables MANGLE rules also.

Michael.

wstewart3
OpenVpn Newbie
Posts: 18
Joined: Wed Mar 04, 2015 1:16 am

Re: Some beginner questions I am really confused about

Post by wstewart3 » Thu Mar 05, 2015 2:00 pm

maikcat,

Thanks so much for the help! I am gonna play around with these later tonight!

Just to be clear though (and sorry for all of the hand holding, but I appreciate your help so much!), I will use port 22 just to be specific in this example:

Code:

iptables -A OUTPUT -t mangle -p tcp --sport 22 -j MARK --set-mark=1   # reply packets from ssh
iptables -A PREROUTING -t mangle -i wlan0 -j MARK --set-mark=1        # (not sure if wlan0 is the right interface in the router)

iptables -s any -d (LAN IP of FTP SERVER) --dport 22 -p tcp 
iptables -s (LAN IP of FTP SERVER) -d any --sport 22 -p tcp 

So something like the above should possibly get the job done?

wstewart3
OpenVpn Newbie
Posts: 18
Joined: Wed Mar 04, 2015 1:16 am

Re: Some beginner questions I am really confused about

Post by wstewart3 » Thu Mar 05, 2015 10:07 pm

My edit button seems to have disappeared...

I hope it is ok to post like this!
But I found an interesting post:
http://forum.hidemyass.com/index.php/to ... re-tomato/

Code:

## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and set value(s) as needed to customize your rules
#
# IP addresses, contiguous range AND/OR individual.
#
#ip_addrs_lst="192.168.10.100
#192.168.10.115-192.168.10.118
#192.168.10.120"
#
# Specific destination websites ip range - Spotify , Netflix...
#
#web_range_lst="72.44.32.1-72.44.63.254
#67.202.0.1-67.202.63.254
#207.223.0.1-207.223.15.254
#98.207.0.1-98.207.255.254
#208.85.40.1-208.85.47.254
#78.31.8.1-78.31.15.254
#193.182.8.1-193.182.15.254"

########################################
# NO NEED TO CHANGE BELOW THIS LINE #
########################################

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
#  List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
#  Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
#  To list the current rules on the router, issue the command:
#	  iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#	  iptables -t mangle -F PREROUTING
 
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done
 
#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Let's find out the tunnel interface
#
iface_lst=`route | awk ' {print $8}'`
for tun_if in $iface_lst; do
    if [ $tun_if == "tun11" ] || [ $tun_if == "tun12" ] || [ $tun_if == "ppp0" ]; then
    break
  fi
done

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
  | while read ROUTE ; do
	  ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
 
# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first,
#  so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
 
# Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# IP_ADDRESSES - RANGE(S) AND/OR INDIVIDUAL(S)
for ip_addrs in $ip_addrs_lst ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_addrs -j MARK --set-mark 0
done

# WEBSITES_IP_RANGES -
for web_dst_range in $web_range_lst ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $web_dst_range -j MARK --set-mark 0
done

It is fairly straightforward! I have only one main issue!
When I SSH into my router and run
nvram get wan_gateway
it returns 0.0.0.0

Should this be my router IP address since it is the gateway, or should it be my ISP's gateway?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Some beginner questions I am really confused about

Post by maikcat » Fri Mar 06, 2015 8:02 am

When I SSH into my router and run
nvram get wan_gateway
It returns 0.0.0.0

I have never used an Asus router, so I can't tell what the response should be.

About iptables:

If you want to mangle the packet header, always use the PREROUTING table, because the INPUT & OUTPUT
tables are parsed AFTER the routing process...

Michael.

wstewart3
OpenVpn Newbie
Posts: 18
Joined: Wed Mar 04, 2015 1:16 am

Re: Some beginner questions I am really confused about

Post by wstewart3 » Fri Mar 06, 2015 1:43 pm

Michael,

Thanks for the reply! After SSH'ing to my router I did an nvram show, which got me a list of all the variables saved in the NVRAM. I found that wan0_gateway was what I wanted. After I changed that I was able to customize the script a little.

The padavan firmware has a script for
"Run After Firewall Rules Restarted:"

I put this in there, rebooted my router, and the VM I have running on a static IP address was pulling my ISP's IP Address while my other computers were pulling the VPN IP! Worked like a charm!

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Some beginner questions I am really confused about

Post by maikcat » Fri Mar 06, 2015 5:34 pm

If you haven't got any other issues, I will mark this as solved & close it.

Regards,

Michael.

wstewart3
OpenVpn Newbie
Posts: 18
Joined: Wed Mar 04, 2015 1:16 am

Re: Some beginner questions I am really confused about

Post by wstewart3 » Fri Mar 06, 2015 6:04 pm

Last thing I hope!

Code:

#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1

While sorting this by IP address seems to work just fine, when I use this rule for a specific port, it does not quite seem to want to work.

I have used this line to add my FTP ports (main port and passive ports), but I can't get the connection through externally. I checked the mangle table via SSH and manually added these lines, but still no dice! If anyone has any suggestions I would love to hear them.

wstewart3
OpenVpn Newbie
Posts: 18
Joined: Wed Mar 04, 2015 1:16 am

Re: Some beginner questions I am really confused about

Post by wstewart3 » Fri Mar 06, 2015 9:00 pm

Seriously, sometimes the edit button is there and sometimes it isn't!

I found out how to get my FTP to work while encrypted. In Padavan's OpenVPN client settings there is:

Restrict Access from VPN Server Site:
And if I choose the option Nov(Site to site), Using Routing instead of "Using NAT"

I can connect to my FTP server just fine, but I find nothing else works anywhere. I think I need to add routes but I am unsure how to do this.

wstewart3
OpenVpn Newbie
Posts: 18
Joined: Wed Mar 04, 2015 1:16 am

Re: Some beginner questions I am really confused about

Post by wstewart3 » Sat Mar 07, 2015 9:40 pm

Edit button still not showing for me..

BUT I think I figured it out!

Code:

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport $server_ports -j MARK --set-mark 1 
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport $server_ports -j MARK --set-mark 1 

It simply needed the source and destination ports to be marked for non-VPN interfaces!

Now my desktop is reporting my VPN IP address, but connecting to my ISP Provided IP on my external ports results in a perfect Success!
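The pieces the thread arrives at (a separate routing table for marked packets, rp_filter off, and marking both directions of the service in the mangle PREROUTING chain, as maikcat advised and wstewart3's final two rules do) fit together into one "run after firewall rules restarted" script. The script below is an added example, not code from the thread or from the Padavan firmware; the LAN bridge br0, the server address 192.168.1.10 and the port list 21,50000:50100 are assumed values, and the WAN gateway is passed in as an argument so it can come from `nvram get wan0_gateway` as found in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): route one LAN service around the
# router's OpenVPN client with fwmark-based policy routing.
# Assumed values, not from the page: LAN bridge br0, server 192.168.1.10,
# FTP control port 21 plus a passive range 50000-50100.
# Commands are only printed unless APPLY=1, so the rule set can be reviewed first.

LAN_IF="${LAN_IF:-br0}"
SERVER_IP="${SERVER_IP:-192.168.1.10}"          # constructed example address
SERVER_PORTS="${SERVER_PORTS:-21,50000:50100}"   # multiport syntax: list and range
BYPASS_TABLE=100
BYPASS_MARK=1
APPLY="${APPLY:-0}"

run() {  # execute when APPLY=1, otherwise print the command for review
  if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

bypass_rules() {
  gw="$1"   # WAN next hop; on Padavan the thread found it via: nvram get wan0_gateway
  # 1. Reverse-path filtering must be off: marked replies leave via the WAN
  #    while the main table's default route points into the tunnel.
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    run sh -c "echo 0 > $f"
  done
  # 2. Start from a clean state so re-running after a reconnect adds no duplicates.
  run ip rule del fwmark "$BYPASS_MARK" table "$BYPASS_TABLE"
  run ip route flush table "$BYPASS_TABLE"
  run iptables -t mangle -F PREROUTING
  # 3. Packets carrying the mark are routed by table 100, whose only default
  #    route is the ISP gateway rather than the VPN tunnel.
  run ip route add default via "$gw" table "$BYPASS_TABLE"
  run ip rule add fwmark "$BYPASS_MARK" table "$BYPASS_TABLE"
  run ip route flush cache
  # 4. Mark in PREROUTING (INPUT/OUTPUT are evaluated after the routing decision).
  #    The --sports rule carries the server's replies to outside clients back out
  #    via the WAN; the --dports rule mirrors the thread's final rule set so
  #    LAN-originated connections to those ports also stay off the tunnel.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$SERVER_IP" -p tcp \
      -m multiport --sports "$SERVER_PORTS" -j MARK --set-mark "$BYPASS_MARK"
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp \
      -m multiport --dports "$SERVER_PORTS" -j MARK --set-mark "$BYPASS_MARK"
}

# Usage: APPLY=1 sh bypass.sh "$(nvram get wan0_gateway)"  (omit APPLY=1 for a dry run)
if [ "$#" -ge 1 ]; then
  bypass_rules "$1"
fi
```

A dry run (no APPLY=1) lists every command so the marks, table number and port list can be checked against `iptables -t mangle -L PREROUTING -n` and `ip rule` before anything is applied.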

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Some beginner questions I am really confused about

Post by maikcat » Mon Mar 09, 2015 6:25 am

Now my desktop is reporting my VPN IP address, but connecting to my ISP Provided IP on my external ports results in a perfect Success!
Nice! :mrgreen:

Solved!?

;)

Michael.

wstewart3
OpenVpn Newbie
Posts: 18
Joined: Wed Mar 04, 2015 1:16 am

Re: Some beginner questions I am really confused about

Post by wstewart3 » Mon Mar 09, 2015 12:56 pm

Yes! Solved! Thanks for the initial post, definitely got me going the right way.
