Hi Forum,
I am running an OpenVPN client on a Nighthawk R7000 with FreshTomato. My intention is that all internet traffic should go through the VPN, except for traffic to a specific IP address. Let's pretend that address is the IP for craigslist.org, 208.82.237.129.
My command is:
route 208.82.237.129 255.255.255.255 net_gateway
The result of this is that this route is indeed entered into the routing table, but then I cannot reach craigslist at all, no ping, no tracert, no browsing. When pinging, I get a reply from 192.168.1.1 of "Destination host unreachable".
Here's my routing table. 192.168.12.1 is a T-Mobile cellular modem/"gateway", but I get the same result using a Spectrum cable modem. "<VPN IP>" is a placeholder for my VPN provider's IP address.
Current Routing Table
Destination      Gateway / Next Hop   Subnet Mask        Metric   Interface
<VPN IP>         192.168.12.1         255.255.255.255    0        vlan2 (WAN0)
192.168.12.1     *                    255.255.255.255    0        vlan2 (WAN0)
208.82.237.129   192.168.12.1         255.255.255.255    0        vlan2 (WAN0)
10.2.22.0        *                    255.255.255.0      0        tun11
192.168.1.0      *                    255.255.255.0      0        br0 (LAN0)
192.168.12.0     *                    255.255.255.0      0        vlan2 (WAN0)
127.0.0.0        *                    255.0.0.0          0        lo
default          10.2.22.1            128.0.0.0          0        tun11
128.0.0.0        10.2.22.1            128.0.0.0          0        tun11
default          192.168.12.1         0.0.0.0            0        vlan2 (WAN0)
Here are the commands my VPN provider pushes to me:
Sep 22 13:23:03 daemon notice openvpn-client1[1343] PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.2.22.1,explicit-exit-notify 5,rcvbuf 524288,route-gateway 10.2.22.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.2.22.239 255.255.255.0,peer-id 23'
Can anyone explain what is going wrong? Thank you.
VPN client route net_gateway not working
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Sep 22, 2023 6:35 pm
Re: VPN client route net_gateway not working
Argh! Never mind -- admin feel free to delete this if you think it will not be of any instructional value to future users.
I discovered that there were kill switch rules in an administration script, and if I wanted to allow traffic to an IP outside the VPN tunnel, I had to not only enter the exception into the routing table, but also to the kill switch.
iptables -I FORWARD -d 208.82.237.129 -j ACCEPT
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sat Sep 23, 2023 1:42 am
Re: VPN client route net_gateway not working
Where did you put the iptables -I FORWARD -d 208.82.237.129 -j ACCEPT? I tried inserting it in my openvpn client settings file .ovpn, but when I upload it to my router it says the file format is invalid.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Sep 22, 2023 6:35 pm
Re: VPN client route net_gateway not working
@saridd, it is in Administration -> Scripts -> Firewall. I'd be lying if I said I understood it; I copied it from somewhere.
#KillSwitch
# WAN interface name as reported by the firmware (vlan2 in the routing table above)
WAN_IF=`nvram get wan_iface`
# Each bare "-I" inserts at the top of FORWARD, so the last rule inserted is matched first
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
# "udp-reset" is not a valid --reject-with type and makes this line fail; icmp-port-unreachable is the UDP counterpart of tcp-reset
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable
#also the guest network:
iptables -I FORWARD -i br1 -o `nvram get wan_iface` -j DROP
#add any exceptions below, example is craigslist.org
# Inserted last, so it lands above the REJECT/DROP rules and is evaluated before them
iptables -I FORWARD -d 208.82.237.129 -j ACCEPT
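As an added example (not code from the thread or from FreshTomato), here is a version of the same kill switch that inserts its rules at explicit positions, so the ACCEPT exception for a net_gateway route is guaranteed to sit above the REJECT/DROP rules no matter how many exceptions are listed, and that limits the exception to the LAN bridge so the guest network does not inherit it. The interface names br0, br1 and vlan2 and the nvram variable wan_iface are taken from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example: emit FreshTomato firewall-script kill-switch rules with
# split-tunnel exceptions. Each IP passed here also needs a matching
# "route <ip> 255.255.255.255 net_gateway" line in the OpenVPN client config.

# Usage: kill_switch_rules WAN_IF [BYPASS_IP ...]
# Prints one iptables command per line. Rules are inserted at positions
# 1,2,3... so the chain order equals the emission order: ACCEPT exceptions
# first, then REJECT/DROP, all ahead of the firmware's own FORWARD rules
# (a bare "-I" prepends every rule and therefore reverses the order).
kill_switch_rules() {
    wan_if=$1; shift
    n=1
    # Exceptions: LAN (br0) -> WAN only, matching just the destination host,
    # so the guest bridge (br1) stays fully inside the tunnel.
    for ip in "$@"; do
        echo "iptables -I FORWARD $n -i br0 -o $wan_if -d $ip -j ACCEPT"
        n=$((n + 1))
    done
    # LAN -> WAN outside the tunnel is refused with a reset/unreachable so
    # clients fail fast. "udp-reset" is not a valid --reject-with type;
    # icmp-port-unreachable is the UDP counterpart of tcp-reset.
    echo "iptables -I FORWARD $n -i br0 -o $wan_if -p tcp -j REJECT --reject-with tcp-reset"
    n=$((n + 1))
    echo "iptables -I FORWARD $n -i br0 -o $wan_if -p udp -j REJECT --reject-with icmp-port-unreachable"
    n=$((n + 1))
    echo "iptables -I FORWARD $n -i br0 -o $wan_if -j REJECT --reject-with icmp-host-prohibited"
    n=$((n + 1))
    # Guest network: never leaves without the tunnel, no exceptions.
    echo "iptables -I FORWARD $n -i br1 -o $wan_if -j DROP"
}

# Apply the generated rules on the router (needs root). The WAN interface
# name is read from nvram exactly as in the thread's script; "sh -e" stops
# at the first iptables command that fails instead of silently skipping it.
apply_kill_switch() {
    kill_switch_rules "$(nvram get wan_iface)" "$@" | sh -e
}

# Constructed sample run: the rules for the thread's craigslist.org address.
kill_switch_rules vlan2 208.82.237.129
```

On the router you would call apply_kill_switch 208.82.237.129 from Administration -> Scripts -> Firewall instead of the sample run at the bottom.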