Page 2 of 5
Re: Spilt Tunnelling and Policy Routing
Posted: Sat Jul 11, 2015 7:31 am
by crows
I think I'm getting closer:
With the following entries I can get this device, 192.168.0.109, to use the VPN and all other devices to use the ISP, but I don't know how to get this same device to use the ISP when browsing the sites that don't like the VPN connection... am I getting there? I've been stuck at this point for a week.
#!/bin/sh
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
ip route add default dev tun1 table 200
ip rule add fwmark 1 table 200
# route this IP through the VPN
ip rule add from 192.168.0.109 table 200
ip route flush cache
Re: Spilt Tunnelling and Policy Routing
Posted: Sat Jul 11, 2015 8:12 am
by EddieA
By going into advanced routing and showing routing table using the web GUI
Unless that shows actual packet counts per interface, just because you have a route doesn't mean a packet takes it.
OK, so majority of traffic to ppp0, which you've now seen you can do by including "route-nopull". So, what you are missing is the VPN routing.
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
Yep, you need that.
ip route add default dev tun1 table 200
Nope. You still need the "via <Gateway IP>" in there. Look at the documentation for --up. It passes the script 6 parameters, the 5th being the <Gateway IP>. And if you really wanted to make this script fully portable, the 1st parameter is the <TUN device>.
That assumes you have used the iptables mangle to set the "mark", which you haven't, so does nothing.
ip rule add from 192.168.0.109 table 200
That is doing exactly what you want, for any packet coming from 192.168.0.109, it sends to table 200, which forces routing to tun1.
Now for the IP specific routing. You were close with:
ip rule add to 208.64.38.55 table 100
But you had the order wrong. This rule must be added after the 192.168.0.109 one, so that it appears earlier in the rule chain.
For that to work, you have 2 options. Either create a table 100, using the "add default", but with the ppp0 Gateway IP and ppp0. You can easily script something to pull the IP from an "ifconfig ppp0" command. Or look at the existing tables set up by ppp0 and find the one that has the correct "default via <IP> dev ppp0" entry and use that table name instead of "100".
Cheers.
Re: Spilt Tunnelling and Policy Routing
Posted: Sat Jul 11, 2015 8:56 am
by crows
Is this command correct regarding my gateway:
route add default gw 192.168.0.254 tun1
Eddie, could I pay you to write my script for me? I'm really out of my depth.
Thanks
Rick
Re: Spilt Tunnelling and Policy Routing
Posted: Sat Jul 11, 2015 1:56 pm
by TiTex
This is an interesting topic, advanced stuff... I'd like to see this solved for future reference.
what about marking the packets destined for specific hosts ?
something like
#creating another identical routing table as the main one with different default gateway , set fwmark on it
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
ip route add table 25 default via vpn_gateway_ip
ip rule add fwmark 25 table 25
ip route flush cache
# use mangle to mark the packets destined for specific host and pass it to routing table 25
iptables -t mangle -A PREROUTING -p tcp ! -d whatismyipaddress.com --dport 80 -s 192.168.0.109 -j MARK --set-mark 25
this basically translates to all traffic except
http://whatismyipaddress.com should be routed through routing table 25 (vpn)
could this work ?
Re: Spilt Tunnelling and Policy Routing
Posted: Sat Jul 11, 2015 5:43 pm
by EddieA
crows wrote: Is this command correct regarding my gateway:
route add default gw 192.168.0.254 tun1
I would guess that is the address of your gateway for your internal network. You need the address of the gateway from your ppp0. "ifconfig ppp0" would show it. It would be called Bcast, P-t-P, or something similar. I don't have a ppp0 myself to verify.
Also don't forget, you might need the "echo" command I posted earlier, which has to be done every time the tun1 interface is started. The symptoms of this missing would be no response/timeout.
TiTex wrote:
what about marking the packets destined for specific hosts ?
something like
#creating another identical routing table as the main one with different default gateway , set fwmark on it
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
ip route add table 25 default via vpn_gateway_ip
ip rule add fwmark 25 table 25
ip route flush cache
# use mangle to mark the packets destined for specific host and pass it to routing table 25
iptables -t mangle -A PREROUTING -p tcp ! -d whatismyipaddress.com --dport 80 -s 192.168.0.109 -j MARK --set-mark 25
this basically translates to all traffic except
http://whatismyipaddress.com should be routed through routing table 25 (vpn)
could this work ?
Yes, this is another way of doing it by using the "mark" instead of creating a number of "rules". I've seen posts before that use that technique to create the table, although I prefer creating the "default route" table by hand.
It's not really recommended to use DNS names in iptables, but it does work. One thing to be aware of is that some domains have multiple IP addresses, and a subsequent DNS lookup could provide a different IP.
Cheers.
Re: Spilt Tunnelling and Policy Routing
Posted: Sat Jul 11, 2015 6:08 pm
by EddieA
crows wrote: Is this command correct regarding my gateway:
route add default gw 192.168.0.254 tun1
Whoa, hang on here.
Is that the Gateway given to you by the VPN? If so, then you have problems, because based on the IP you want to route via the VPN, 192.168.0.109 (hmmm, it was 143 in your earlier posts), you are using the 192.168.0.0 subnet for your network, which is the same subnet used by the VPN. This will never work.
Cheers.
Re: Spilt Tunnelling and Policy Routing
Posted: Sat Jul 11, 2015 11:56 pm
by crows
No, that gateway address is my router IP. With the commands you mentioned above, are these in addition to what I have already? Address 109 is my computer; it makes it easier to test.
You provided lots of info; not sure whether to add to my script or start a new one.
Thanks for taking the time to respond
Re: Spilt Tunnelling and Policy Routing
Posted: Sun Jul 12, 2015 1:47 pm
by crows
This thing is killing me, I'm going to summarise what I have done thus far with the information you have provided me:
With the following script, machine 192.168.0.109 is using the internet via VPN, all other machines are using my ISP, with no website filtering
#!/bin/sh
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
ip route add default dev tun1 table 200
ip rule add fwmark 1 table 200
(You're correct in one of your previous posts that this does nothing; it has been removed in my working script.)
# route this IP through the VPN
ip rule add from 192.168.0.109 table 200
ip route flush cache
I have incorporated some of your suggestions to the above script with no luck, i.e. the VPN link doesn't even come up.
#!/bin/sh
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
ip route add default dev tun1 table 200
ip route add default gw X.X.X.X tun1
(The X's represent my ISP gateway IP address. Is this correct? Can I not substitute net_gateway_ip? Is tun1 correct?)
# route this IP through the VPN
ip rule add from 192.168.0.109 table 200
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
ip route add table 25 default via vpn_gateway_ip
(Do I leave this as vpn_gateway_ip, or do I need to insert the real IP address?)
ip rule add fwmark 25 table 25
ip route flush cache
iptables -t mangle -A PREROUTING -p tcp ! -d whatismyipaddress.com --dport 80 -s 192.168.0.109 -j MARK --set-mark 25
And with your suggestions entirely, the VPN also does not start:
#!/bin/sh
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
ip route add table 25 default via vpn_gateway_ip
ip rule add fwmark 25 table 25
ip route flush cache
iptables -t mangle -A PREROUTING -p tcp ! -d whatismyipaddress.com --dport 80 -s 192.168.0.109 -j MARK --set-mark 25
Have I done this correctly and I understood you?
Thanks
Rick
Re: Spilt Tunnelling and Policy Routing
Posted: Mon Jul 13, 2015 7:25 am
by EddieA
crows wrote: This thing is killing me, I'm going to summarise what I have done thus far with the information you have provided me:
With the following script, machine 192.168.0.109 is using the internet via VPN, all other machines are using my ISP, with no website filtering
#!/bin/sh
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
ip route add default dev tun1 table 200
ip rule add fwmark 1 table 200 - (Your correct in one of your previous posts that this does nothing, it has been removed in my working script)
# route this IP through the VPN
ip rule add from 192.168.0.109 table 200
ip route flush cache
And my post above details what you need for the conditions you want.
Cheers.
Re: Spilt Tunnelling and Policy Routing
Posted: Mon Jul 13, 2015 7:57 am
by crows
OK, I'll try again; with your commands OpenVPN doesn't start.
I'll see if I can pinpoint which command prevents OpenVPN from starting.
Re: Spilt Tunnelling and Policy Routing
Posted: Mon Jul 13, 2015 10:45 am
by crows
I have telnetted into the router and executed these commands individually. All but one of them run without error; this one:
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
The error I receive is this: RTNETLINK answers: File exists
The only information I could find was to perform an ip route flush cache; this made no difference.
Re: Spilt Tunnelling and Policy Routing
Posted: Mon Jul 13, 2015 11:49 am
by crows
I have started from scratch, so default is all traffic bar 192.168.0.109 is via my ISP
I have executed this command: route add -host 208.64.38.55 gw My Gateway IP
Then I did a route -n, and this is what my table looks like:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         My Gateway IP   0.0.0.0         UG    0      0        0 ppp0
10.184.1.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
203.16.215.175  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
208.64.38.55    My Gateway IP   255.255.255.255 UGH   0      0        0 ppp0
As you can see from the very last line, the route is there: 208.64.38.55 (whatsmyip.org) routed via my gateway, and yet it still shows my VPN IP address. It's gotta be something to do with the policy routing of devices, in my case 192.168.0.109.
Re: Spilt Tunnelling and Policy Routing
Posted: Mon Jul 13, 2015 3:09 pm
by crows
I believe I have some sort of success, need a little more tweaking I think.
I can get this to work by executing one command at a time in the web gui in administration, I have a few questions that don't make sense. These are the commands:
#!/bin/sh
ip route add table 25 default via My_ISP_Gateway
ip rule add fwmark 25 table 25
route add -host 208.64.38.55 gw My_ISP_Gateway
(Without this command the script doesn't work.)
ip route flush cache
iptables -t mangle -A PREROUTING -p tcp ! -d whatismyipaddress.com --dport 80 -s 192.168.0.109 -j MARK --set-mark 25
(Without this command it doesn't work. However, it's not whatismyipaddress.com that bypasses the VPN but the IP 208.64.38.55. Why is that so... maybe the syntax is not correct?)
I have used the policy routing web GUI to insert the IP addresses that I want to use the VPN; by enabling route-nopull, other devices successfully utilise my ISP.
Is there syntax that can be substituted for my gateway IP? It continually changes after rebooting the router. I've tried net_gateway, but it can't resolve.
I have also noticed that not only whatsmyip.org bypasses the VPN, but a handful of other IP sites also show my ISP IP. I've rebooted the router and cleared my browser cache; is there anything else I should be clearing?
Anyway thanks for helping me get this far....just a little more to go
Re: Spilt Tunnelling and Policy Routing
Posted: Mon Jul 13, 2015 5:24 pm
by TiTex
I think you misunderstood, crows, what EddieA was telling you.
These are the commands you need:
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
ip route add table 25 default via vpn_gateway_ip dev tun1
ip rule add from 192.168.0.109 table 25
ip rule add to 66.171.248.172 table main
#this last rule will have higher priority than the one above it, you can check with 'ip rule show'
#all these commands above translate in plain english to:
# 1 - do NAT on outgoing traffic on the vpn interface - I'm not even sure that you need that; if the remote vpn end does NAT on the VPN interface then you don't need it, you can leave it ... but you can also try without that and if it doesn't work put it back
# 2 - create another routing table (25), copy routes from the main table except the default gateway
# 3 - add default gateway in routing table 25 as the vpn_gateway_ip = tun IP address on the remote VPN server, which is reachable from tun1 on your end.
# 4 - route all traffic from 192.168.0.109 through routing table 25 (vpn gateway)
# 5 - except if the destination is 66.171.248.172; this is actually because of the order of preference, as I said above if you do an 'ip rule show', you should see that the later rule has a lower number associated with it, which means it will get matched before the one above it.
66.171.248.172 = http://whatismyipaddress.com , so if you go to that site from the PC with IP 192.168.0.109, you should see your WAN IP address
if you go to http://www.whatsmyip.org/ , you should see the IP address of the VPN server WAN
hope this clarifies the questions you had, I can't explain it better than this
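As an added example (not code from the thread or from either poster), here is a script in the shape of an OpenVPN --up script that applies the table-and-rule setup the two replies above describe: EddieA's point that the VPN table needs "default via <gateway> dev <tun>" and that the bypass rule must sit earlier in the rule chain, and TiTex's copy of the main table into table 25. It uses the positional parameters EddieA mentioned ($1 = tun device, $5 = the far end of the tunnel) and, going one step beyond the thread, gives the two ip rules explicit pref values so the bypass rule is consulted first regardless of insertion order. The LAN host, the bypass address, table 25 and the pref numbers are assumptions; DRY_RUN and MAIN_ROUTES exist only so the commands can be printed and checked without root or a live tunnel.

```shell
#!/bin/sh
# Added example, not from the thread: an OpenVPN --up style script that builds
# the two-table policy-routing setup. OpenVPN calls an --up script as
#   script tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# so $1 is the tun device and $5 the far end of the tunnel (the VPN gateway).
# Assumed values (not from the page): LAN_HOST, BYPASS_IP, table 25, prefs 100/200.

VPN_TABLE=25
LAN_HOST="${LAN_HOST:-192.168.0.109}"      # LAN host that should use the VPN
BYPASS_IP="${BYPASS_IP:-66.171.248.172}"   # destination that must stay on the ISP path

# Print each command before running it; with DRY_RUN=1 only print (no root needed).
run() {
    echo "$*"
    [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# Source of the main-table listing. MAIN_ROUTES is only for dry runs and tests,
# where a constructed listing stands in for "ip route show table main".
main_routes() {
    if [ -n "${MAIN_ROUTES:-}" ]; then
        printf '%s\n' "$MAIN_ROUTES"
    else
        ip route show table main
    fi
}

# setup_split_tunnel TUN_DEV VPN_GATEWAY
setup_split_tunnel() {
    tun_dev="$1"
    vpn_gw="$2"

    # 1. NAT LAN sources that leave through the tunnel.
    run iptables -t nat -I POSTROUTING -o "$tun_dev" -j MASQUERADE

    # 2. Rebuild table 25 from scratch: flushing first avoids the
    #    "RTNETLINK answers: File exists" error when the script is re-run,
    #    then copy every main-table route except the default.
    run ip route flush table "$VPN_TABLE"
    main_routes | grep -Ev '^default' | while read -r route; do
        # $route is deliberately unquoted so its words become separate arguments
        run ip route add table "$VPN_TABLE" $route
    done

    # 3. Table 25's default route points at the VPN peer through the tun device
    #    (the "via <gateway>" the table needs).
    run ip route add table "$VPN_TABLE" default via "$vpn_gw" dev "$tun_dev"

    # 4./5. Explicit preferences instead of relying on insertion order: the
    #    lower number is consulted first, so the bypass wins over the LAN rule.
    #    Old copies of the rules are removed first so re-runs do not duplicate them.
    run ip rule del pref 100 2>/dev/null || true
    run ip rule del pref 200 2>/dev/null || true
    run ip rule add to "$BYPASS_IP" table main pref 100
    run ip rule add from "$LAN_HOST" table "$VPN_TABLE" pref 200
    run ip route flush cache
}

# When invoked by OpenVPN (six positional parameters) apply the setup; when
# run without arguments, only define the functions.
if [ $# -ge 5 ]; then
    setup_split_tunnel "$1" "$5"
fi
```

Run it by hand with DRY_RUN=1 to see the exact commands it would issue for your interfaces; under OpenVPN (with script-security 2) the parameters come from the daemon. Re-runs flush table 25 and delete the two rules before re-adding them, which sidesteps the "File exists" error from earlier in the thread; the MASQUERADE rule is still inserted each time, so check iptables -t nat -vnL for duplicates after restarts.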
Re: Spilt Tunnelling and Policy Routing
Posted: Mon Jul 13, 2015 5:40 pm
by EddieA
You either need to follow the instructions I am suggesting. Or the ones from TiTex.
They are using different techniques to achieve the same thing. I went down the path of using routing rules, as that's how you had started and can be used for very simplistic routing.
TiTex is going down the path of "marking" packets which can be used to set up some fairly complex routing decisions.
Cheers.
Re: Spilt Tunnelling and Policy Routing
Posted: Mon Jul 13, 2015 6:28 pm
by TiTex
I was able to set up a test environment with a remote VPN server and a local virtual machine, and it's working pretty well the way EddieA suggested it (see my previous reply).
here is a screenshot , browsing two sites from the same machine
commands output on my gateway (another linux box)
# ip rule show
0: from all lookup local
32762: from all to 66.171.248.172 lookup main
32763: from 192.168.1.156 lookup 25
32766: from all lookup main
32767: from all lookup default
# ip route show table 25
default via 10.8.0.1 dev tun1
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.2
169.254.0.0/16 dev enp0s25 scope link metric 1004
192.168.1.0/24 dev enp0s25 proto kernel scope link src 192.168.1.1
192.168.55.0/24 via 10.8.0.1 dev tun1
# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 278 packets, 22247 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 47 packets, 5346 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 52 packets, 3535 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 54 packets, 3655 bytes)
 pkts bytes target     prot opt in     out     source               destination
  226 16667 MASQUERADE all  --  *      tun1    0.0.0.0/0            0.0.0.0/0
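As an added example (not from the thread), a small check that answers the question behind crows' host-route attempt ("the route is there in the main table and yet it still shows my VPN IP") and TiTex's ip rule show listing: given the output of ip rule show, which table does the kernel consult first for a packet with a given source and destination? It embeds TiTex's listing and a constructed listing matching crows' "from 192.168.0.109 table 200" script. Matching is exact-address only, a simplification of this example; the local table is skipped because it only holds the host's own addresses.

```shell
#!/bin/sh
# Added example, not from the thread: given "ip rule show" output, print the
# routing table consulted first for a packet. Rules are listed in ascending
# priority and the first whose selectors match wins. The "local" table is
# skipped: it only holds this host's own addresses, so a remote destination
# falls through it to the next rule.
# Assumption of this example: selectors are compared as exact addresses, not
# CIDR prefixes.

# Constructed sample 1: the listing TiTex posted.
TITEX_RULES='0:      from all lookup local
32762:  from all to 66.171.248.172 lookup main
32763:  from 192.168.1.156 lookup 25
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample 2: what crows' "ip rule add from 192.168.0.109 table 200"
# script produces (no bypass rule, so the main table is never reached for 109).
CROWS_RULES='0:      from all lookup local
32765:  from 192.168.0.109 lookup 200
32766:  from all lookup main
32767:  from all lookup default'

# first_table_for RULES SRC DST -> prints the table name or number consulted first
first_table_for() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
        /lookup local/ { next }
        {
            from = "all"; to = "all"; table = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from")   from  = $(i + 1)
                if ($i == "to")     to    = $(i + 1)
                if ($i == "lookup") table = $(i + 1)
            }
            if ((from == "all" || from == src) && (to == "all" || to == dst)) {
                print table
                exit
            }
        }'
}

# Stand-alone demo: the bypass host leaves via main, everything else from the
# LAN host via table 25, and in crows' setup even the host route in main is
# shadowed by table 200.
echo "TiTex 192.168.1.156 -> 66.171.248.172: $(first_table_for "$TITEX_RULES" 192.168.1.156 66.171.248.172)"
echo "TiTex 192.168.1.156 -> 203.0.113.9:    $(first_table_for "$TITEX_RULES" 192.168.1.156 203.0.113.9)"
echo "crows 192.168.0.109 -> 208.64.38.55:   $(first_table_for "$CROWS_RULES" 192.168.0.109 208.64.38.55)"
```

Paste your own ip rule show output into the first argument to see which table a given flow hits first; if it is the VPN table, a host route added to main with route add -host is never consulted for that source, which is exactly what crows observed.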
Re: Spilt Tunnelling and Policy Routing
Posted: Tue Jul 14, 2015 5:41 am
by crows
Thanks I cant wait to try this tonight, and report back.
I don't want to divert from this topic, but as a matter of interest, which build are you guys running? I'm running Kongac dated 16/06/2015 on a Nighthawk R7000 router. I'm a little worried that I get this error after I execute this command, even after I have rebooted my router:
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
Error - RTNETLINK answers: File exists
I'll report back soon.
Re: Spilt Tunnelling and Policy Routing
Posted: Tue Jul 14, 2015 5:45 am
by TiTex
I think that just means that you've already done that step and the routes already exist; try to reset the router and start fresh.

We are not using that hardware, just regular Linux machines... if your router is running on a Linux kernel the steps should work as they
If it's some BSD/Unix kernel, then you need to find what the equivalent commands are for that OS.
Good luck, and consider donating to OpenVPN if your problem gets solved.
Re: Spilt Tunnelling and Policy Routing
Posted: Tue Jul 14, 2015 10:13 am
by crows
I will donate. Anyway, this command
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 25 $ROUTE; done
gives me an error:
RTNETLINK answers: No such device
I have also upgraded firmware to see if it would make a difference, same thing.
Really stuck now.
Thanks for everyone's patience.
Re: Spilt Tunnelling and Policy Routing
Posted: Tue Jul 14, 2015 10:48 am
by TiTex
Can you do a
ip route show table main
ip route show table 25
on the command line and post the output here?