TiTex wrote:
can you do a
ip route show table main
ip route show table 25
on the command line and post the output here ?
Split Tunnelling and Policy Routing
- OpenVPN Power User
- Posts: 58
- Joined: Mon Jul 06, 2015 1:50 am
Re: Split Tunnelling and Policy Routing
I will, I think it works. I was initially running these commands via the command shell within the web gui and it was giving me those errors. When I ran them using telnet, that command was accepted and it actually worked. I'm checking whether it still works when I reboot, because it worked once and not the other. It shouldn't matter that vpn_gateway_ip changes, this should take care of it?
- OpenVPN Power User
- Posts: 58
- Joined: Mon Jul 06, 2015 1:50 am
Re: Split Tunnelling and Policy Routing
Yeah it doesn't work, I think it's because my VPN IP address changes on bootup or resetting the router. Is there a substitute command for vpn_gateway_ip, instead of inserting the physical IP address? getting close now..
- OpenVPN Power User
- Posts: 58
- Joined: Mon Jul 06, 2015 1:50 am
Re: Split Tunnelling and Policy Routing
This is when it's working; obviously when I reboot or reset the router vpn_gateway_ip changes and the script doesn't work. I even tried leaving vpn_gateway_ip in this format on the off chance to see if that would work.
Output for:
ip route show table
default via 203.16.215.174 dev ppp0
10.100.1.5 dev tun1 proto kernel scope link src 10.100.1.6
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
203.16.215.174 dev ppp0 proto kernel scope link src 121.45.88.214
ip route show table 25
default via 10.100.1.6 dev tun1
10.100.1.5 dev tun1 proto kernel scope link src 10.100.1.6
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
203.16.215.174 dev ppp0 proto kernel scope link src 121.45.88.214
- OpenVPN Super User
- Posts: 310
- Joined: Tue Apr 12, 2011 6:22 am
Re: Split Tunnelling and Policy Routing
i think you got this wrong default via 10.100.1.6 dev tun1 , from what i can see 10.100.1.6 is your end of the vpn connection , not the server vpn IP
if i'm correct (you can check with 'ifconfig') , then you need to change 10.100.1.6 to 10.100.1.5
ip route del default table 25
ip route add default via 10.100.1.5 dev tun1 table 25
- OpenVPN Power User
- Posts: 58
- Joined: Mon Jul 06, 2015 1:50 am
Re: Split Tunnelling and Policy Routing
TiTex wrote:
i think you got this wrong default via 10.100.1.6 dev tun1 , from what i can see 10.100.1.6 is your end of the connection , not the server vpn IP
You're right, that's the ip of my gateway tunnel. You mean I should be using the ip that I use to connect to my VPN provider? I did that now and it says that the network is unreachable even though the VPN is connected.
This is my status page, the red is my VPN server I'm connected to
Client: CONNECTED SUCCESS
Local Address: 10.105.1.6
Remote Address: 10.105.1.5
Status
VPN Client Stats
TUN/TAP read bytes 0
TUN/TAP write bytes 0
TCP/UDP read bytes 4506
TCP/UDP write bytes 1934
Auth read bytes 0
pre-compress bytes 0
post-compress bytes 0
pre-decompress bytes 0
post-decompress bytes 0
Log
Clientlog:
19700101 10:30:04 I OpenVPN 2.3.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 18 2015
19700101 10:30:04 I library versions: OpenSSL 1.0.2c 12 Jun 2015 LZO 2.09
19700101 10:30:04 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19700101 10:30:04 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
19700101 10:30:04 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19700101 10:30:04 Socket Buffers: R=[180224->131072] S=[180224->131072]
19700101 10:30:04 I UDPv4 link local: [undef]
19700101 10:30:04 I UDPv4 link remote: [AF_INET]168.1.99.205:1194
- OpenVPN Power User
- Posts: 58
- Joined: Mon Jul 06, 2015 1:50 am
Re: Split Tunnelling and Policy Routing
I just double checked your response, you're correct, it should be
Remote Address: 10.105.1.5
However this address changes after each reboot or reset
- OpenVPN Super User
- Posts: 310
- Joined: Tue Apr 12, 2011 6:22 am
Re: Split Tunnelling and Policy Routing
no , you need to use the VPN IP of the server , not the IP that you use to connect but the IP address that gets assigned to the VPN server when the connection is up
if you have 10.100.1.6 the vpn server should have 10.100.1.? , probably 5 instead of the ? if your setup is p2p ( point to point)
-- Edit --
crows wrote:
I just double checked your response, you're correct, it should be
Remote Address: 10.105.1.5
However this address changes after each reboot or reset
you can script it
Last edited by TiTex on Tue Jul 14, 2015 12:03 pm, edited 1 time in total.
- OpenVPN Power User
- Posts: 58
- Joined: Mon Jul 06, 2015 1:50 am
Re: Split Tunnelling and Policy Routing
Correct, understood. How do I have it automatically selecting the correct vpn_gate_ip each time it reboots or resets... do I have to do it manually each time?
- OpenVPN Super User
- Posts: 310
- Joined: Tue Apr 12, 2011 6:22 am
Re: Split Tunnelling and Policy Routing
can you do an 'ifconfig' and post the output here ?
- OpenVPN Power User
- Posts: 58
- Joined: Mon Jul 06, 2015 1:50 am
Re: Split Tunnelling and Policy Routing
TiTex wrote:
can you do an 'ifconfig' and post the output here ?
br0 Link encap:Ethernet HWaddr E4:F4:C6:17:8F:78
inet addr:192.168.0.254 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9306 errors:0 dropped:281 overruns:0 frame:0
TX packets:9976 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1276663 (1.2 MiB) TX bytes:6982829 (6.6 MiB)
br0:0 Link encap:Ethernet HWaddr E4:F4:C6:17:8F:78
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0 Link encap:Ethernet HWaddr E4:F4:C6:17:8F:78
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14837 errors:0 dropped:0 overruns:0 frame:0
TX packets:14406 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6397130 (6.1 MiB) TX bytes:4593715 (4.3 MiB)
Interrupt:179 Base address:0x4000
eth1 Link encap:Ethernet HWaddr E4:F4:C6:17:8F:7A
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:146
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:163
eth2 Link encap:Ethernet HWaddr E4:F4:C6:17:8F:7B
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2521 errors:0 dropped:0 overruns:0 frame:714
TX packets:3633 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:334227 (326.3 KiB) TX bytes:3794397 (3.6 MiB)
Interrupt:169
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX packets:79 errors:0 dropped:0 overruns:0 frame:0
TX packets:79 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8776 (8.5 KiB) TX bytes:8776 (8.5 KiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:14.2.59.132 P-t-P:203.16.215.199 Mask:255.255.255.255
UP POINTOPOINT RUNNING MULTICAST MTU:1492 Metric:1
RX packets:7826 errors:0 dropped:0 overruns:0 frame:0
TX packets:7226 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:5024756 (4.7 MiB) TX bytes:1023753 (999.7 KiB)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.105.1.6 P-t-P:10.105.1.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
vlan1 Link encap:Ethernet HWaddr E4:F4:C6:17:8F:78
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6756 errors:0 dropped:0 overruns:0 frame:0
TX packets:6926 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:971556 (948.7 KiB) TX bytes:3345540 (3.1 MiB)
vlan2 Link encap:Ethernet HWaddr E4:F4:C6:17:8F:79
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8081 errors:0 dropped:0 overruns:0 frame:0
TX packets:7480 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5099160 (4.8 MiB) TX bytes:1190551 (1.1 MiB)
- OpenVPN Power User
- Posts: 58
- Joined: Mon Jul 06, 2015 1:50 am
Re: Split Tunnelling and Policy Routing
TiTex wrote:
crows wrote:
I just double checked your response, you're correct, it should be
Remote Address: 10.105.1.5
However this address changes after each reboot or reset
you can script it
Please don't say I need another script? another week without sleep
- OpenVPN Super User
- Posts: 310
- Joined: Tue Apr 12, 2011 6:22 am
Re: Split Tunnelling and Policy Routing
unfortunately i don't know what utilities you have on your router but try to run these commands and see if the output is what you want
# gvip=$(ifconfig | grep -A 1 tun1 | grep inet | cut -d: -f3 | cut -d' ' -f1)
# echo $gvip
if you don't have grep and cut on your router , then i can't help you because i can't guess what programs your micro router OS provides , so you'll need to do it manually ... or find a way to automate it by yourself.
anyway , you did not say if the routing is actually working for you or not
- OpenVPN Power User
- Posts: 58
- Joined: Mon Jul 06, 2015 1:50 am
Re: Split Tunnelling and Policy Routing
Yes the echo $gvip displays my gateway VPN... and yes the routing works if I manually enter the commands, but they are lost once I make any changes to the router because the damn address changes...
Anyway those commands are accepted in my router in the telnet environment
- OpenVPN Super User
- Posts: 310
- Joined: Tue Apr 12, 2011 6:22 am
Re: Split Tunnelling and Policy Routing
can you post the whole vpn setup script that you have until now so i can modify it for you without the sensitive information ?
also , does your vpn start automatically when you reboot the router ?
*PS: maybe you should edit your previous posts and remove the public IP addresses , or at least two octets (groups) like 15.55.x.x
- OpenVPN Power User
- Posts: 58
- Joined: Mon Jul 06, 2015 1:50 am
Re: Split Tunnelling and Policy Routing
This is the only bit I need. I'm using the main private internet config which is all done via the web gui; additional scripting can either be included in the start tab, or custom tab... something I will have to see which one will work. I think I might need to include a sleep 20 command to give the VPN time to activate, so really it's only what we are working on.
And I'm assuming I would only have to add devices for table 25 and the main table to work?
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
ip route add table 25 default via vpn_gateway_ip dev tun1
ip rule add from 192.168.0.109 table 25
ip rule add to 66.171.248.172 table main
It's a pity I can't edit any of my previous posts.
- OpenVPN Super User
- Posts: 310
- Joined: Tue Apr 12, 2011 6:22 am
Re: Split Tunnelling and Policy Routing
instead of
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
ip route add table 25 default via vpn_gateway_ip dev tun1
ip rule add from 192.168.0.109 table 25
ip rule add to 66.171.248.172 table main
you can do
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
gvip=$(ifconfig | grep -A 1 tun1 | grep inet | cut -d: -f3 | cut -d' ' -f1)
ip route add table 25 default via $gvip dev tun1
ip rule add from 192.168.0.109 table 25
ip rule add to 66.171.248.172 table main
so your route-up.sh , would contain
iptables -t nat -I POSTROUTING -o tun1 -j MASQUERADE
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
gvip=$(ifconfig | grep -A 1 tun1 | grep inet | cut -d: -f3 | cut -d' ' -f1)
ip route add table 25 default via $gvip dev tun1
ip rule add from 192.168.0.109 table 25
ip rule add to 66.171.248.172 table main
#...rest of your rules
ip route flush cache
and route-down.sh
iptables -t nat -D POSTROUTING -o tun1 -j MASQUERADE
ip route flush table 25
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767
ip route flush cache
this should automate the setup
- OpenVPN Power User
- Posts: 58
- Joined: Mon Jul 06, 2015 1:50 am
Re: Split Tunnelling and Policy Routing
Thank you so much, it's a bit hard to explain if you're not using a dd-wrt router but these routers have an OpenVPN web gui where you set up all your server details, user name etc. When you reboot your router it connects to OpenVPN automatically and depending on your "route-nopull" all your devices are either all using the VPN or all using your ISP. The gui provides you with a start up tab, firewall tab and a custom script tab where you can insert your own script. This is the area (start-up) where I am inserting your script i.e. :
sleep 30
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
gvip=$(ifconfig | grep -A 1 tun1 | grep inet | cut -d: -f3 | cut -d' ' -f1)
ip route add table 25 default via $gvip dev tun1
ip rule add from 192.168.0.109 table 25
ip rule add to 66.171.248.172 table main
ip route flush cache
Is it ok to insert the route down script just below the ip route flush cache from above:
iptables -t nat -D POSTROUTING -o tun1 -j MASQUERADE
ip route flush table 25
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767
ip route flush cache
If not, do I have to rename these scripts as
route-down.sh and
route-up.sh
Does the OS know which script to run when the router is starting and when it's resetting?
BTW - your script, the "route up" one, works if I insert it in the startup tab, but with sleep 30 as the first entry..... does it matter that I don't have the route down script, will this create issues with memory?
I'm sorry to bombard you and I really appreciate your patience and understanding.
And I will make a donation to this forum.
- OpenVPN Super User
- Posts: 310
- Joined: Tue Apr 12, 2011 6:22 am
Re: Split Tunnelling and Policy Routing
crows wrote:
Does the OS know which script to run when the router is starting and when it's resetting?
BTW - your script, the "route up" one, works if I insert it in the startup tab, but with sleep 30 as the first entry..... does it matter that I don't have the route down script, will this create issues with memory?
I'm sorry to bombard you and I really appreciate your patience and understanding.
the route-up.sh and route-down.sh i mentioned are for your message you posted here topic19200-15.html#p53197
for this command in particular
openvpn --config /tmp/pia/pia.conf --route-up /tmp/pia/route-up.sh --down /tmp/pia/route-down.sh
a short explanation of the command above would be , run openvpn with config /tmp/pia/pia.conf , and when the vpn starts up run the commands from /tmp/pia/route-up.sh , when vpn goes down run the commands from /tmp/pia/route-down.sh
otherwise you can't use those at the same time , because the settings route-up.sh does , will be removed by route-down.sh
i don't know how you can set scripts to run at shutdown or startup on dd-wrt but the scripts should run at vpn start and vpn stop , because if your vpn goes down and the settings made by route-up.sh would not be removed , then computers routed through the vpn will not be able to use the internet anymore, route-down.sh would revert back to your ppp0 for all PC's when your vpn is stopped... that's the idea
- OpenVPN User
- Posts: 24
- Joined: Thu Jul 02, 2015 6:52 pm
Re: Split Tunnelling and Policy Routing
TiTex wrote:
# gvip=$(ifconfig | grep -A 1 tun1 | grep inet | cut -d: -f3 | cut -d' ' -f1)
# echo $gvip
If you use the --up script instead of --route-up then those addresses are passed in as parameters.
Cheers.
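Added example (my code, not TiTex's or the thread's): a single POSIX sh hook, assumed to be saved as /tmp/pia/policy.sh and handed to OpenVPN as both --up and --down, that performs the table-25 setup from the posts above. It reads the variables OpenVPN exports to its scripts (dev, ifconfig_remote, route_vpn_gateway, script_type) instead of scraping ifconfig, adds each rule only if it is absent so reconnects do not stack duplicates, and on the way down removes only its own rules; DRY_RUN and the file name are my additions, while the LAN host, bypass destination and table number are the thread's values.

```shell
#!/bin/sh
# Added example, not from the thread. Use with script-security 2 as
#   --up /tmp/pia/policy.sh --down /tmp/pia/policy.sh
# OpenVPN exports dev, ifconfig_remote, route_vpn_gateway and script_type to
# its scripts, so the tunnel peer never has to be parsed out of ifconfig.

TABLE=25
VPN_CLIENT="192.168.0.109"     # LAN host that must use the tunnel (value from the thread)
BYPASS_DST="66.171.248.172"    # destination that must stay on the ISP path (from the thread)
DRY_RUN="${DRY_RUN:-0}"        # assumed knob: 1 = print the commands instead of running them

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Read `ip -4 addr show dev tunX` on stdin; print the peer of a point-to-point
# tunnel ("inet A peer B/32 ..."); print nothing for a plain subnet address.
peer_from_ip_addr() {
    awk '$1 == "inet" && $3 == "peer" { split($4, p, "/"); print p[1]; exit }'
}

# Tunnel gateway: OpenVPN's own variables first, ip(8) as a fallback.
vpn_gateway() {
    if [ -n "$route_vpn_gateway" ]; then echo "$route_vpn_gateway"
    elif [ -n "$ifconfig_remote" ]; then echo "$ifconfig_remote"
    else ip -4 addr show dev "${dev:-tun1}" 2>/dev/null | peer_from_ip_addr
    fi
}

# Copy every non-default route (stdin = `ip route show table main`) into TABLE.
copy_main_routes() {
    grep -v '^default' | while read -r route; do
        run ip route replace table "$TABLE" $route   # unquoted on purpose: a word list
    done
}

routes_up() {
    gw=$(vpn_gateway)
    [ -n "$gw" ] || { echo "policy.sh: cannot determine VPN gateway" >&2; return 1; }
    run iptables -t nat -I POSTROUTING -o "${dev:-tun1}" -j MASQUERADE
    ip route show table main 2>/dev/null | copy_main_routes
    # `replace` is idempotent: a reconnect with a new peer just updates the gateway.
    run ip route replace default via "$gw" dev "${dev:-tun1}" table "$TABLE"
    # `ip rule add` happily adds duplicates, so check before adding.
    ip rule show 2>/dev/null | grep -q "from $VPN_CLIENT lookup $TABLE" \
        || run ip rule add from "$VPN_CLIENT" table "$TABLE"
    ip rule show 2>/dev/null | grep -q "to $BYPASS_DST lookup main" \
        || run ip rule add to "$BYPASS_DST" table main
    run ip route flush cache
}

routes_down() {
    run iptables -t nat -D POSTROUTING -o "${dev:-tun1}" -j MASQUERADE
    run ip route flush table "$TABLE"
    # Delete only the rules this script added; a blanket `ip rule flush` also
    # drops the main/default rules, which is why route-down.sh above re-adds them.
    run ip rule del from "$VPN_CLIENT" table "$TABLE"
    run ip rule del to "$BYPASS_DST" table main
    run ip route flush cache
}

# OpenVPN sets script_type to "up" or "down"; when it is unset nothing runs.
case "${script_type:-}" in
    up)   routes_up ;;
    down) routes_down ;;
esac
```

Because OpenVPN runs the hook at connect and disconnect, it replaces both the sleep 30 block in the startup tab and the separate route-down script.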
- OpenVPN Power User
- Posts: 58
- Joined: Mon Jul 06, 2015 1:50 am
Re: Split Tunnelling and Policy Routing
Yes I was using that script because someone had it working with some custom scripting, but I have reverted back to the default PIA setup using the web GUI. Fortunately, if I insert the route-up commands in the startup script, the whole routing thing appears to work even after rebooting. I'm not sure if it has any effect with clearing cache etc. by not inserting the down-script somewhere. If I had to incorporate the scripts in my initial script, could you check that my syntax and location of the scripts are correct in red.
Thanks again, before I put this to closure I will summarize the fix for other people, but just want to ensure that it's done in the most effective way.
#!/bin/sh
USERNAME="username"
PASSWORD="password"
PROTOCOL="udp"
# Add - delete - edit servers between ##BB## and ##EE##
REMOTE_SERVERS="
##BB##
# US - EAST
remote VPN Server 1194
##EE##
"
#### DO NOT CHANGE below this line unless you know exactly what you're doing ####
CA_CRT='-----BEGIN CERTIFICATE-----
(PIA CA certificate body omitted here)
-----END CERTIFICATE-----'
OPVPNENABLE=`nvram get openvpncl_enable | awk '$1 == "0" {print $1}'`
if [ "$OPVPNENABLE" != 0 ]; then
nvram set openvpncl_enable=0
nvram commit
fi
sleep 10
mkdir /tmp/pia; cd /tmp/pia
echo -e "$USERNAME\n$PASSWORD" > userpass.conf
echo "$CA_CRT" > ca.crt
# route-up.sh is written as one file; the \$ escapes keep $ROUTE and $gvip
# unexpanded here so they are evaluated when OpenVPN runs the script
echo "#!/bin/sh
iptables -t nat -I POSTROUTING -o tun1 -j MASQUERADE
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 \$ROUTE; done
gvip=\$(ifconfig | grep -A 1 tun1 | grep inet | cut -d: -f3 | cut -d' ' -f1)
ip route add table 25 default via \$gvip dev tun1
ip rule add from 192.168.0.109 table 25
ip rule add to 66.171.248.172 table main
ip route flush cache" > route-up.sh
sleep 30
# route-down.sh undoes everything route-up.sh set up
echo "#!/bin/sh
iptables -t nat -D POSTROUTING -o tun1 -j MASQUERADE
ip route flush table 25
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767
ip route flush cache" > route-down.sh
chmod 644 ca.crt; chmod 600 userpass.conf; chmod 700 route-up.sh route-down.sh
sleep 10
echo "client
auth-user-pass /tmp/pia/userpass.conf
management 127.0.0.1 5001
management-log-cache 50
dev tun0
proto $PROTOCOL
comp-lzo adaptive
fast-io
script-security 2
mtu-disc yes
verb 4
mute 5
cipher bf-cbc
auth sha1
tun-mtu 1500
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
log-append piavpn.log
ca ca.crt
status-version 3
status status
daemon
$REMOTE_SERVERS" > pia.conf
ln -s /tmp/pia/piavpn.log /tmp/piavpn.log
ln -s /tmp/pia/status /tmp/status
(killall openvpn; openvpn --config /tmp/pia/pia.conf --route-up /tmp/pia/route-up.sh --down /tmp/pia/route-down.sh) &
exit 0