Split Tunnelling and Policy Routing

How to customize and extend your OpenVPN installation.


crows
OpenVPN Power User
Posts: 58
Joined: Mon Jul 06, 2015 1:50 am

Split Tunnelling and Policy Routing

Post by crows » Mon Jul 06, 2015 2:04 am

Hi all, firstly I'd like to apologise if this is not the right forum to ask; I have asked on another forum but have had no response. I really want to know if what I am after is possible, and some direction on where I can find some answers. It was this forum that I came across that has helped me achieve about 50% of my requirement.

My Scenario is:
What I want to do is to have some devices connected via my OpenVPN and the other devices connected via my ISP. The devices connected via VPN also have to have the ability to connect to some sites using my ISP, i.e. mail server and specific sites which are geo-dependent. This part seems to work fine. The part which I cannot get to work is to isolate the devices that need to bypass the VPN. I am running a DD-WRT router connected to PIA as my VPN provider. The config file has an area for advanced configuration and these are the entries I am using:

route 208.64.38.55 255.255.255.255 net_gateway (This line bypasses the VPN and uses my ISP and works fine)

However, is there any reason why the entry below doesn't work? I'm trying to bypass the VPN for one of my devices:

route 192.168.0.109 255.255.255.255 net_gateway

At the moment the policy routing field is empty; if you enter any IP address in there it overrides everything in the advanced configuration and it doesn't route any of the websites to my ISP. If it did, then the policy routing option would be the best solution. Am I missing something? Thanks in advance.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Split Tunnelling and Policy Routing

Post by maikcat » Mon Jul 06, 2015 6:13 am

crows wrote:However, is there any reason why the entry below doesn't work? I'm trying to bypass the VPN for one of my devices:

route 192.168.0.109 255.255.255.255 net_gateway
Is 192.168.0.109 part of your LAN?

Michael.

crows
OpenVPN Power User
Posts: 58
Joined: Mon Jul 06, 2015 1:50 am

Re: Split Tunnelling and Policy Routing

Post by crows » Mon Jul 06, 2015 11:35 am

Yes, it's a computer on my LAN.
maikcat wrote:
However, is there any reason why the entry below doesn't work? I'm trying to bypass the VPN for one of my devices:

route 192.168.0.109 255.255.255.255 net_gateway
Is 192.168.0.109 part of your LAN?

Michael.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Split Tunnelling and Policy Routing

Post by maikcat » Tue Jul 07, 2015 12:50 pm

Packets destined for your local LAN always prefer the direct link, in your case your LAN card...

Michael.

crows
OpenVPN Power User
Posts: 58
Joined: Mon Jul 06, 2015 1:50 am

Re: Split Tunnelling and Policy Routing

Post by crows » Tue Jul 07, 2015 2:04 pm

Thanks for your reply Michael. Isn't my IP address the direct link of my LAN card? If not, could you kindly provide an example? Or is what I'm trying to do not an option?

Thank you
maikcat wrote:Packets destined for your local LAN always prefer the direct link, in your case your LAN card...

Michael.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Split Tunnelling and Policy Routing

Post by maikcat » Wed Jul 08, 2015 12:55 pm

If your PC has the IP 192.168.0.109/24 then, without OpenVPN running, your
routing table has an entry similar to:

192.168.0.0 255.255.255.0 via 192.168.0.109

Adding this entry to your OpenVPN config

route 192.168.0.109 255.255.255.255 net_gateway

makes your system add

192.168.0.109 255.255.255.255 via <your pc default gw>

In this case this has no meaning at all... unless I am missing something.

Michael.

crows
OpenVPN Power User
Posts: 58
Joined: Mon Jul 06, 2015 1:50 am

Re: Split Tunnelling and Policy Routing

Post by crows » Wed Jul 08, 2015 1:59 pm

Thanks again... I understand what you posted, but don't understand what format I need to use.
My preference is to route only the machines I want via VPN, but in doing this I cannot route those same machines via the gateway for sites that need to go via my ISP. I have found that if my systems are routed via the VPN there doesn't appear to be a way I can re-route those same devices via my ISP for a handful of sites. That's the reason why I'm going the other way... everything via my ISP, and then select the machines to route via VPN, with the rules to bypass the VPN on the sites.
Hope I've made sense.
Anyway, my wish list is this, to summarise:
All LAN devices via ISP
Selected devices via VPN
The same selected devices to bypass VPN for a handful of sites
Is this possible? I'd really like to be pointed somewhere for one example; I've tried anything that remotely looks like it could work.

Thanks for taking the time to read and respond

Rick

maikcat wrote:If your PC has the IP 192.168.0.109/24 then, without OpenVPN running, your
routing table has an entry similar to:

192.168.0.0 255.255.255.0 via 192.168.0.109

Adding this entry to your OpenVPN config

route 192.168.0.109 255.255.255.255 net_gateway

makes your system add

192.168.0.109 255.255.255.255 via <your pc default gw>

In this case this has no meaning at all... unless I am missing something.

Michael.

EddieA
OpenVPN User
Posts: 24
Joined: Thu Jul 02, 2015 6:52 pm

Re: Split Tunnelling and Policy Routing

Post by EddieA » Wed Jul 08, 2015 6:05 pm

crows wrote: Anyway my wish list is this to summarise:
All lan devices via isp
Selected devices via vpn
The same selected devices to bypass vpn for a handful of sites
Is this possible, id really like to be pointed somewhere for one example, I've tried anything that remotely looks like it could work
This is possible, but not with routing alone. You need a combination of iptables, to mark the packets destined for the VPN, and routing based on those marks.

Try searching the internet for howtos on multiple-isp routing, as those should give you a start.

Cheers.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Split Tunnelling and Policy Routing

Post by maikcat » Thu Jul 09, 2015 6:37 am

What EddieA is trying to say is to search using the term "policy based routing" for Linux...

You will need to use MANGLE tables and ip route commands...

Michael.
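The mangle-mark technique EddieA and maikcat point at, written out as an added example; it is not code from either poster, from PIA or from DD-WRT. It is the kind of POSIX sh script DD-WRT runs from its firewall script. Assumed, because the thread does not say so: the LAN bridge is br0, the tunnel is tun0, the tunnel peer address is passed to pbr_up, and mark 0x1, table 200 and rule priority 1000 are unused; the host and site addresses are the ones discussed in this thread. With DRY_RUN=1 it prints the commands instead of applying them, so the generated rule set can be reviewed before it is run as root.

```shell
#!/bin/sh
# Policy routing for selected LAN hosts using iptables mangle marks.
# Added example for this thread; interface names, mark, table and
# priority values are assumptions, the addresses are the thread's own.

LAN_IF="br0"                  # assumed DD-WRT LAN bridge
VPN_IF="tun0"
LAN_NET="192.168.0.0/24"
VPN_CLIENTS="192.168.0.143"   # LAN hosts that should leave via the VPN
VPN_BYPASS="208.64.38.55"     # sites those hosts must still reach via the ISP
MARK="0x1"
TABLE="200"
PRIO="1000"

# DRY_RUN=1 prints each command instead of executing it, so the rule set
# can be reviewed (or tested) on a machine without iptables.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

pbr_up() {
    vpn_gw="$1"
    [ -n "$vpn_gw" ] || { echo "usage: pbr_up <tun0 peer address>" >&2; return 1; }

    # 1. Classify in mangle PREROUTING, where forwarded LAN packets are seen
    #    before the routing decision. A dedicated chain keeps the order
    #    explicit: exceptions RETURN first, then the selected hosts get marked.
    run iptables -t mangle -N VPN_SELECT
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j VPN_SELECT
    for dst in $VPN_BYPASS; do
        run iptables -t mangle -A VPN_SELECT -d "$dst" -j RETURN
    done
    run iptables -t mangle -A VPN_SELECT -d "$LAN_NET" -j RETURN
    for src in $VPN_CLIENTS; do
        run iptables -t mangle -A VPN_SELECT -s "$src" -j MARK --set-mark "$MARK"
    done

    # 2. Marked packets consult table 200, whose only route is the tunnel.
    #    Unmarked packets fall through to the main table, i.e. ppp0.
    run ip rule add fwmark "$MARK" table "$TABLE" priority "$PRIO"
    run ip route replace default via "$vpn_gw" dev "$VPN_IF" table "$TABLE"

    # 3. Source-NAT tunnelled LAN traffic to the tun0 address.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE

    # 4. Replies arrive on tun0 although the main table would route their
    #    source via ppp0; strict reverse-path filtering would drop them.
    run sh -c "echo 2 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter"

    run ip route flush cache
}

# Reverse of pbr_up; run it before re-applying after a reconnect.
pbr_down() {
    run iptables -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run ip rule del fwmark "$MARK" table "$TABLE"
    run ip route flush table "$TABLE"
    run iptables -t mangle -D PREROUTING -i "$LAN_IF" -j VPN_SELECT
    run iptables -t mangle -F VPN_SELECT
    run iptables -t mangle -X VPN_SELECT
}

# Usage: pbr.sh up <tun0 peer> | down | show   (10.8.0.1 below is a placeholder)
case "${1:-}" in
    up)   pbr_up "$2" ;;
    down) pbr_down ;;
    show) DRY_RUN=1; pbr_up "${2:-10.8.0.1}" ;;
esac
```

Order inside VPN_SELECT is the whole point: an exception that sits after the MARK rule never fires, so bypass sites and the local subnet RETURN first. Marking also lets the selection be anything iptables can match (a port, a protocol, an ipset), which a bare ip rule from/to cannot express. The rp_filter line is easy to forget and fails silently: replies come back on tun0 while the main table would route their source address out of ppp0, and strict reverse-path filtering drops them without a log entry.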

crows
OpenVPN Power User
Posts: 58
Joined: Mon Jul 06, 2015 1:50 am

Re: Split Tunnelling and Policy Routing

Post by crows » Thu Jul 09, 2015 7:25 am

Thanks guys, that's exactly what I've been searching for; I'll have another go. I'm prepared to pay someone who can provide me with a little script that I can use as a template.
I'll keep persevering; it's only been a week.
Another question: do all these routing tables go in the advanced GUI under OpenVPN, or in the custom scripts, startup or firewall commands under Administration?

Thanks
Rick
maikcat wrote:What EddieA is trying to say is to search using the term "policy based routing" for Linux...

You will need to use MANGLE tables and ip route commands...

Michael.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Split Tunnelling and Policy Routing

Post by maikcat » Thu Jul 09, 2015 12:53 pm

Policy routing is performed by the OS not by openvpn...

Michael.

crows
OpenVPN Power User
Posts: 58
Joined: Mon Jul 06, 2015 1:50 am

Re: Split Tunnelling and Policy Routing

Post by crows » Thu Jul 09, 2015 1:52 pm

OK, I see... I think it's a little too deep for me. Is there anywhere else that I could get help? Like I said, I will pay for a script that shows me where to put the IPs that I want to use the VPN and where to put the websites to bypass for the devices using the VPN. Under normal conditions all other devices use the ISP.

Thanks
Rick
maikcat wrote:Policy routing is performed by the OS not by openvpn...

Michael.

crows
OpenVPN Power User
Posts: 58
Joined: Mon Jul 06, 2015 1:50 am

Re: Split Tunnelling and Policy Routing

Post by crows » Fri Jul 10, 2015 7:14 am

I've tried running this script from a PIA member; it works in that the IP 192.168.0.143 is using the VPN, but when I try to access the site 208.64.38.55 the site just times out. I was hoping this would use my ISP via my ppp0 device. Is this on the right track?
The # entry also doesn't work.

echo "#!/bin/sh
iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE" > route-down.sh
echo "ip route del 0.0.0.0/1" >> route-up.sh
echo "ip route del 128.0.0.0/1" >> route-up.sh
echo "ip rule add to 208.64.38.55 table 100" >> route-up.sh
echo "ip route add default dev ppp0 table 100" >> route-up.sh
echo "ip rule add from 192.168.0.143 table 200" >> route-up.sh
echo "ip route add default dev tun0 table 200" >> route-up.sh
echo "ip route flush cache" >> route-up.sh
#route 208.64.38.55 255.255.255.255 net_gateway

EddieA
OpenVPN User
Posts: 24
Joined: Thu Jul 02, 2015 6:52 pm

Re: Split Tunnelling and Policy Routing

Post by EddieA » Fri Jul 10, 2015 7:33 pm

crows wrote: echo "#!/bin/sh
iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE" > route-down.sh
echo "ip route del 0.0.0.0/1" >> route-up.sh
echo "ip route del 128.0.0.0/1" >> route-up.sh
echo "ip rule add to 208.64.38.55 table 100" >> route-up.sh
echo "ip route add default dev ppp0 table 100" >> route-up.sh
echo "ip rule add from 192.168.0.143 table 200" >> route-up.sh
echo "ip route add default dev tun0 table 200" >> route-up.sh
echo "ip route flush cache" >> route-up.sh
#route 208.64.38.55 255.255.255.255 net_gateway
For my split routing, the default for each table is set like:

ip route add default via <GW IP> dev <device> table <table>

I'm not sure the way you have it specified will actually route anything.

Also, depending on the distribution you are using, you might also need to do this:


echo 2 > /proc/sys/net/ipv4/conf/<dev>/rp_filter
To loosen the rules on reverse path filtering.

Cheers.

EddieA
OpenVPN User
Posts: 24
Joined: Thu Jul 02, 2015 6:52 pm

Re: Split Tunnelling and Policy Routing

Post by EddieA » Fri Jul 10, 2015 7:54 pm

Also just spotted: why is the NAT set-up for tun0 in route-down? Shouldn't that be in route-up?

Cheers.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: Split Tunnelling and Policy Routing

Post by TiTex » Fri Jul 10, 2015 11:07 pm

The first rule is deleting it from the chain, so it's OK for it to be in route-down,
although I don't see it added anywhere, so basically it does nothing unless it is added in some other way besides the route-up in the first place.

crows
OpenVPN Power User
Posts: 58
Joined: Mon Jul 06, 2015 1:50 am

Re: Split Tunnelling and Policy Routing

Post by crows » Sat Jul 11, 2015 1:30 am

Eddie, I tried changing from down to up; it made no difference.
EddieA wrote:Also just spotted. Why is the nat set-up for tun0 in route-down. Shouldn't that be in route-up.

Cheers.

crows
OpenVPN Power User
Posts: 58
Joined: Mon Jul 06, 2015 1:50 am

Re: Split Tunnelling and Policy Routing

Post by crows » Sat Jul 11, 2015 1:40 am

Hi Eddie, could you please help me? I've made the changes you suggested; could you have a look at my complete script? It might make it easier. I don't have any experience with Linux and am learning on the way. I have removed my personal information. All I want to do is route 192.168.0.143 via VPN and then, with that same device, route to 208.64.38.55 for this website or any other website I choose. My understanding is, if I get this right, I should be able to add other devices and web sites to this script.

Not sure if this is relevant, but my ppp0 gateway changes IP if I reboot the router, but even with the correct IP it still doesn't work as it should (could I use this syntax for the gateway: net_gateway?). Could you just check whether my syntax is correct? Without these lines
echo "ip route add default via <my ppp0 gateway ip> dev ppp0 table 100" >> route-up.sh
echo "ip rule add to 208.64.38.55 table 100" >> route-up.sh
the device 192.168.0.143 uses the VPN as it should.

Hope you can help.
Thanks in advance.

#!/bin/sh

USERNAME="username"
PASSWORD="password"
PROTOCOL="udp"
# Add - delete - edit servers between ##BB## and ##EE##
REMOTE_SERVERS="
##BB##
# US - EAST
remote VPN Server 1194
##EE##
"

#### DO NOT CHANGE below this line unless you know exactly what you're doing ####

# PIA CA certificate; the contents were removed from the post.
CA_CRT='-----BEGIN CERTIFICATE-----
[certificate contents removed from the post]
-----END CERTIFICATE-----'

# Turn off the DD-WRT built-in OpenVPN client so it does not compete with the
# instance started below. awk prints "0" only when it is already disabled, so
# an empty result means it is still enabled.
OPVPNENABLE=`nvram get openvpncl_enable | awk '$1 == "0" {print $1}'`

if [ "$OPVPNENABLE" != 0 ]; then
nvram set openvpncl_enable=0
nvram commit
fi

sleep 10
mkdir /tmp/pia; cd /tmp/pia
echo -e "$USERNAME\n$PASSWORD" > userpass.conf
echo "$CA_CRT" > ca.crt
# route-up.sh NATs tunnelled LAN traffic to the tun0 address; route-down.sh undoes it.
echo "#!/bin/sh
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE" > route-up.sh
echo "#!/bin/sh
iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE" > route-down.sh
# The server's redirect-gateway def1 arrives as 0.0.0.0/1 and 128.0.0.0/1;
# deleting both leaves ppp0 as the default route.
echo "ip route del 0.0.0.0/1" >> route-up.sh
echo "ip route del 128.0.0.0/1" >> route-up.sh
# Table 100: ISP only, used for the bypass site. The ppp0 gateway is a
# placeholder the poster removed. (As posted, the next two lines lacked the
# ">> route-up.sh" redirect and the "to" keyword, so they never reached
# route-up.sh; both are restored here.)
echo "ip route add default via <my ppp0 gateway ip which changes> dev ppp0 table 100" >> route-up.sh
echo "ip rule add to 208.64.38.55 table 100" >> route-up.sh
# Table 200: VPN only, for the selected LAN host.
echo "ip rule add from 192.168.0.143 table 200" >> route-up.sh
echo "ip route add default dev tun0 table 200" >> route-up.sh
echo "ip route flush cache" >> route-up.sh
chmod 644 ca.crt; chmod 600 userpass.conf; chmod 700 route-up.sh route-down.sh
sleep 10
# Client config as posted. Two things a reviewer would flag: the management
# port has no password (any local process can drive the client), and bf-cbc
# is a 64-bit block cipher that newer OpenVPN releases warn about and no
# longer offer by default.
echo "client
auth-user-pass /tmp/pia/userpass.conf
management 127.0.0.1 5001
management-log-cache 50
dev tun0
proto $PROTOCOL
comp-lzo adaptive
fast-io
script-security 2
mtu-disc yes
verb 4
mute 5
cipher bf-cbc
auth sha1
tun-mtu 1500
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
log-append piavpn.log
ca ca.crt
status-version 3
status status
daemon
$REMOTE_SERVERS" > pia.conf
ln -s /tmp/pia/piavpn.log /tmp/piavpn.log
ln -s /tmp/pia/status /tmp/status
# Replace any running openvpn with this one; the hooks above are wired in here.
(killall openvpn; openvpn --config /tmp/pia/pia.conf --route-up /tmp/pia/route-up.sh --down /tmp/pia/route-down.sh) &
exit 0

EddieA
OpenVPN User
Posts: 24
Joined: Thu Jul 02, 2015 6:52 pm

Re: Split Tunnelling and Policy Routing

Post by EddieA » Sat Jul 11, 2015 6:17 am

OK, let's get back to basics and try a slightly different tack. When there is no VPN running, all the traffic goes to your ISP, via ppp0. Normally, if you now start a VPN, without your own routing rules/scripts, most VPN providers push out a default route that now directs all the traffic down the tun0 interface. Is this what happens with your VPN provider? Or does all traffic continue to use ppp0? BTW, how are you checking which interface a particular packet is using?

Whichever of those scenarios is the case, you only need to add routing for the packets that you want to go to the non-default destination. You don't have to specifically route to the default interface, because that's where they'll go anyway. Are you with me so far? :geek:

Now, the first question is, where do you want the majority of your packets to go? Is it down the tunnel, except for a few to your ISP? Or do you only want to send a small proportion via tun0 and let the rest go via ppp0?

OK, so let's assume that when the VPN is started, that all traffic uses the tunnel, as that's the most common. If you want the majority of the traffic to go via tun0, then you only need to set up the routing rules for the packets you want to send via ppp0, as the rest will use tun0 anyway.

However, if you want most traffic to use ppp0 and only a little to use the VPN, then you need to do two things. Like the previous scenario, you need to set the routing rules only for the minority route, the VPN. The second part, is to stop the VPN creating the default rule which routes everything via the VPN, which will leave ppp0 as your default. To do that, include the "route-nopull" setting.

Hopefully this gives you a little more to work with in trying to get this to work.

BTW My earlier comment about how to set up the route in each table, with the GW IP applied to BOTH ppp0 and tun0. Hint: Look at using the --up script instead of --route-up.

Cheers.
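EddieA's final suggestion (route-nopull so ppp0 stays the default, rules only for the minority route, and the tunnel gateway taken from the --up script's environment) as an added example; it is not code from EddieA, PIA or DD-WRT. OpenVPN exports script_type, dev, ifconfig_remote and route_vpn_gateway to --up and --down scripts, which is the documented behaviour this hook relies on; the interface names, table number, rule priorities and the choice of one file for both hooks are assumptions. It selects traffic with plain ip rule from/to matches, which is enough when the only criterion is the source address.

```shell
#!/bin/sh
# OpenVPN --up/--down hook: ppp0 stays the default route, only selected LAN
# hosts use the tunnel, and a few sites bypass it even for those hosts.
# Added example for this thread. Referenced from the client config as:
#   route-nopull
#   script-security 2
#   up   /tmp/pia/pbr-hook.sh
#   down /tmp/pia/pbr-hook.sh
# OpenVPN sets script_type, dev, ifconfig_remote and route_vpn_gateway in the
# hook's environment (openvpn(8), "Environmental Variables"); everything else
# below is an assumption.

VPN_CLIENTS="192.168.0.143"     # LAN hosts that should use the VPN
VPN_BYPASS="208.64.38.55"       # sites those hosts must reach via the ISP
LOCAL_NETS="192.168.0.0/24"     # subnets the router routes to; never tunnel these
TABLE="200"
PRIO_BYPASS="1000"              # lower number = evaluated first
PRIO_VPN="1100"

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# 'ip rule add' happily creates duplicates, so delete before adding; this keeps
# the rule set idempotent across reconnects (the del may fail, that is fine).
rule_replace() {
    run ip rule del "$@" 2>/dev/null
    run ip rule add "$@"
}

pbr_up() {
    # route_vpn_gateway is the address OpenVPN would have used for pushed
    # routes; with topology net30 ifconfig_remote is the same peer address.
    gw="${route_vpn_gateway:-$ifconfig_remote}"
    [ -n "$gw" ] && [ -n "$dev" ] || {
        echo "pbr-hook: no tunnel gateway/device in environment" >&2
        return 1
    }

    # Table 200 holds exactly one route: default via the tunnel. 'replace'
    # makes a changed gateway on reconnect harmless.
    run ip route replace default via "$gw" dev "$dev" table "$TABLE"

    # Exceptions first: bypass sites and local subnets look up the main table,
    # whose default is still ppp0 because of route-nopull.
    for dst in $VPN_BYPASS $LOCAL_NETS; do
        rule_replace to "$dst" table main priority "$PRIO_BYPASS"
    done
    # Then the selected hosts: whatever is left of their traffic uses table 200.
    for src in $VPN_CLIENTS; do
        rule_replace from "$src" table "$TABLE" priority "$PRIO_VPN"
    done

    # NAT tunnelled LAN traffic to the tun0 address (delete first: idempotent).
    run iptables -t nat -D POSTROUTING -o "$dev" -j MASQUERADE 2>/dev/null
    run iptables -t nat -A POSTROUTING -o "$dev" -j MASQUERADE
    # Replies arrive on tun0 while the main table would route their source via
    # ppp0; loose reverse-path filtering stops the kernel dropping them.
    run sh -c "echo 2 > /proc/sys/net/ipv4/conf/$dev/rp_filter"
    run ip route flush cache
}

pbr_down() {
    run iptables -t nat -D POSTROUTING -o "$dev" -j MASQUERADE
    for src in $VPN_CLIENTS; do
        run ip rule del from "$src" table "$TABLE"
    done
    for dst in $VPN_BYPASS $LOCAL_NETS; do
        run ip rule del to "$dst" table main
    done
    run ip route flush table "$TABLE"
}

# OpenVPN tells the hook which event fired through script_type.
case "${script_type:-}" in
    up)   pbr_up ;;
    down) pbr_down ;;
esac
```

The priorities do the work: the to rules at 1000 are consulted before the from rule at 1100, so a selected host's packet to a bypass site or a local subnet takes the main table (ppp0) and everything else it sends takes table 200 (tun0). With route-nopull the server's pushed DNS servers are ignored as well, so the selected hosts' DNS queries still leave via the ISP unless you point them elsewhere; that is a leak worth confirming with a packet capture on ppp0 before trusting the setup. If a script ever needs the ISP gateway itself, OpenVPN exports the pre-existing default gateway as route_net_gateway; the net_gateway keyword only exists inside route directives.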

crows
OpenVPN Power User
Posts: 58
Joined: Mon Jul 06, 2015 1:50 am

Re: Split Tunnelling and Policy Routing

Post by crows » Sat Jul 11, 2015 7:13 am

EddieA wrote:OK, let's get back to basics and try a slightly different tack. When there is no VPN running, all the traffic goes to your ISP, via ppp0. Normally, if you now start a VPN, without your own routing rules/scripts, most VPN providers push out a default route that now directs all the traffic down the tun0 interface. Is this what happens with your VPN provider?
Yes, but if I insert this command "route-nopull" it's the opposite: all traffic is via the ISP.
EddieA wrote:Or does all traffic continue to use ppp0? BTW, how are you checking which interface a particular packet is using?
By going into advanced routing and showing the routing table using the web GUI.

EddieA wrote:Whichever of those scenarios is the case, you only need to add routing for the packets that you want to go to the non-default destination. You don't have to specifically route to the default interface, because that's where they'll go anyway. Are you with me so far? :geek:
Yes I am... The majority of my devices will be using my ISP or ppp0, hence if I use the route-nopull command all devices will send traffic via my ISP under normal conditions without any routing.

EddieA wrote:Now, the first question is, where do you want the majority of your packets to go? Is it down the tunnel, except for a few to your ISP? Or do you only want to send a small proportion via tun0 and let the rest go via ppp0?
All devices to use the ISP, only the selected devices (by IP address) to use the VPN; however the devices that use the VPN have to have the ability to switch or route to the ISP when logging onto sites that don't like VPNs. Example sites are banking sites, Gumtree and some business sites that I'm a member of.

EddieA wrote:OK, so let's assume that when the VPN is started, that all traffic uses the tunnel, as that's the most common. If you want the majority of the traffic to go via tun0, then you only need to set up the routing rules for the packets you want to send via ppp0, as the rest will use tun0 anyway.
Correct, but as I explained above, if the default is the ISP I will require less routing, as there are only a few devices that need routing via the VPN.

EddieA wrote:However, if you want most traffic to use ppp0 and only a little to use the VPN, then you need to do two things. Like the previous scenario, you need to set the routing rules only for the minority route, the VPN. The second part, is to stop the VPN creating the default rule which routes everything via the VPN, which will leave ppp0 as your default. To do that, include the "route-nopull" setting.
This is the part which I have been battling for over a week and not getting any sleep; the route-nopull command is what I'm using now. I believe I don't have the necessary experience or knowledge to take this any further.

EddieA wrote:Hopefully this gives you a little more to work with in trying to get this to work.

EddieA wrote:BTW My earlier comment about how to set up the route in each table, with the GW IP applied to BOTH ppp0 and tun0. Hint: Look at using the --up script instead of --route-up.
I wouldn't even know where to start; I don't know enough about Linux. It's taken me this long to get where I am today; I know it's not much, but it's more than what I knew a week ago. I've tried anything that remotely looks like it will do the job. I appreciate any help I can get... thanks

Cheers.
