
Help with OpenVPN Client Config on Tomato 1.28 (Shibby) Rout

Posted: Thu Apr 23, 2015 4:56 pm
by JuicyRoots
Please bear with me. I've never done this before. I can connect to the VPN and the standard setup works fine, but when I disable 'create NAT on tunnel', disable 'redirect Internet traffic', and try setting it up through firewall and WAN Up scripts, nothing happens (My IP is not hidden). I haven't even gotten to forwarding web traffic back to the internal LAN machine.

Here's what I'm trying to do...

1. Only one LAN machine (192.168.10.10) needs to ALWAYS use the VPN
2. This LAN machine runs Apache, and needs to be reachable from the Internet
- AirVPN doesn't let me forward ports under 2048, so I guess it would have to be something like https://machine.ddns.net:XXXX/ ?
- My internal Apache runs the standard 80/443.
3. This LAN machine needs to be routed only through the VPN (i.e. - not allowed to connect without VPN)

Tomato Version 1.28 by shibby

VPN Tunneling > OpenVPN Client > Basic > Create NAT on tunnel > UNCHECKED
VPN Tunneling > OpenVPN Client > Advanced > Redirect Internet traffic > UNCHECKED

Administration > Scripts > Firewall

Code:

# Allow LAN <-> tunnel forwarding in both directions
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
# Traffic addressed to the router itself arriving over the tunnel
iptables -I INPUT -i tun11 -j REJECT # This is probably wrong if it rejects all incoming traffic on tun11
# NAT traffic leaving over the tunnel onto the tunnel address (replaces "Create NAT on tunnel")
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

Administration > Scripts > WAN Up

Copied from grdnkln's post on http://serverfault.com/questions/382498 ... -on-tomato

Code:

# This code goes in the WAN UP section of the Tomato GUI.
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
#  To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
done

# Delete table 100 and flush any existing rules if they exist.

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".

ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
# All LAN traffic will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1

# This LAN will use the VPN
# This LAN host will use the VPN (a single source address, so a plain -s match is enough)
iptables -t mangle -A PREROUTING -i br0 -s 192.168.10.10 -j MARK --set-mark 0

So to summarize (for my own sake):
  • Establish an OpenVPN client connection to AirVPN (disabling NAT and Internet traffic routing in the Tomato VPN Client)
  • Exclude all LAN traffic from the VPN
  • Route a single LAN IP to always use the VPN (192.168.10.10)
  • Forward all incoming HTTP/TCP traffic on a specific port (XXXX) to the machine

ifconfig

Code:

br0        Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
           inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:26345 errors:0 dropped:0 overruns:0 frame:0
           TX packets:17696 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:6708422 (6.3 MiB)  TX bytes:4712272 (4.4 MiB)

eth0       Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:68210 errors:0 dropped:0 overruns:0 frame:0
           TX packets:36321 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:12986002 (12.3 MiB)  TX bytes:9534775 (9.0 MiB)
           Interrupt:4 Base address:0x2000

eth1       Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:1922 errors:0 dropped:0 overruns:0 frame:18996
           TX packets:5962 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:237167 (231.6 KiB)  TX bytes:2084813 (1.9 MiB)
           Interrupt:3 Base address:0x8000

eth2       Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:80 errors:0 dropped:0 overruns:0 frame:0
           TX packets:4689 errors:1 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:9372 (9.1 KiB)  TX bytes:1092344 (1.0 MiB)
           Interrupt:5 Base address:0x8000

lo         Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
           RX packets:22 errors:0 dropped:0 overruns:0 frame:0
           TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:2920 (2.8 KiB)  TX bytes:2920 (2.8 KiB)

tun11      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:10.4.3.19  P-t-P:10.4.3.19  Mask:255.255.0.0
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vlan1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:24335 errors:0 dropped:0 overruns:0 frame:0
           TX packets:15960 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:6586225 (6.2 MiB)  TX bytes:3708075 (3.5 MiB)

vlan2      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
           inet addr:XXX.XXX.XXX.XXX  Bcast:XXX.XXX.XXX.XXX  Mask:255.255.254.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:43874 errors:0 dropped:0 overruns:0 frame:0
           TX packets:20361 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:5171947 (4.9 MiB)  TX bytes:5826700 (5.5 MiB)
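An added example, not code from the post, from Tomato or from AirVPN, that covers the three goals in the post (one host always via the tunnel, that host reachable from the Internet on a forwarded port, and that host blocked from connecting without the tunnel). The reason the posted WAN Up script does nothing here is worth spelling out: with "Redirect Internet traffic" unchecked, the main routing table's default route stays on the WAN, so a packet left with mark 0 falls through to the main table and never enters tun11. The script below therefore puts the tunnel default route into table 100 and selects that table by source address instead of by fwmark. It uses the values from the post (tun11, br0, 192.168.10.10, table 100, Apache on 443); FWD_PORT=2443 is a placeholder for whatever port AirVPN actually assigns, and the script assumes tun11 already exists when it runs. By default it only prints the commands so they can be reviewed; `sh vpn-host.sh apply` executes them.

```shell
#!/bin/sh
# Added example, not from the post, Tomato or AirVPN: route one LAN host through
# the OpenVPN client tunnel only, and forward one inbound tunnel port to it.
# Values from the post: tunnel tun11, LAN bridge br0, host 192.168.10.10,
# policy table 100, Apache on 443. FWD_PORT=2443 is a placeholder for the
# port AirVPN actually assigns (the post says it must be >= 2048).
# Assumes tun11 already exists when the script runs.

VPN_HOST="${VPN_HOST:-192.168.10.10}"
TUN="${TUN:-tun11}"
LAN="${LAN:-br0}"
TABLE="${TABLE:-100}"
FWD_PORT="${FWD_PORT:-2443}"   # placeholder, use the port AirVPN assigned
DST_PORT="${DST_PORT:-443}"    # Apache on the host

# Routing: table $TABLE holds a single route, default via the tunnel, and a
# source-based rule sends everything *from* the host to that table. With
# "Redirect Internet traffic" unchecked the main table's default stays on the
# WAN, so a mark-0 packet that falls through to it never enters tun11; a
# source rule avoids fwmark and the copying of the main table entirely.
route_cmds() {
    echo "ip rule del from $VPN_HOST table $TABLE 2>/dev/null || true"
    echo "ip route flush table $TABLE"
    echo "ip route add default dev $TUN table $TABLE"
    echo "ip rule add from $VPN_HOST table $TABLE priority 1000"
    echo "ip route flush cache"
}

# Filtering and NAT. Each FORWARD rule is inserted at the top (-I), so the
# last one emitted, the kill switch, ends up first in the chain.
fw_cmds() {
    # Reverse-path filtering would drop tunnel replies to a policy-routed host.
    for i in all default "$TUN" "$LAN"; do
        echo "echo 0 > /proc/sys/net/ipv4/conf/$i/rp_filter"
    done
    # NAT only this host's traffic onto the tunnel address ("Create NAT on
    # tunnel" is unchecked in the GUI).
    echo "iptables -t nat -A POSTROUTING -o $TUN -s $VPN_HOST -j MASQUERADE"
    # Inbound: the port AirVPN forwards arrives on the tunnel addressed to the
    # tunnel IP; DNAT it to Apache. Replies leave via the tunnel because the
    # host's source address selects table $TABLE.
    echo "iptables -t nat -A PREROUTING -i $TUN -p tcp --dport $FWD_PORT -j DNAT --to-destination $VPN_HOST:$DST_PORT"
    echo "iptables -I FORWARD -i $LAN -o $TUN -s $VPN_HOST -j ACCEPT"
    echo "iptables -I FORWARD -i $TUN -o $LAN -d $VPN_HOST -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -I FORWARD -i $TUN -o $LAN -d $VPN_HOST -p tcp --dport $DST_PORT -j ACCEPT"
    # Kill switch: if the tunnel is down, table $TABLE is empty, the lookup
    # falls through to the main table and the host would leak out the WAN.
    # Drop anything from the host that is not leaving via the tunnel.
    echo "iptables -I FORWARD -s $VPN_HOST ! -o $TUN -j DROP"
}

# Print the plan (default) or apply it with `sh vpn-host.sh apply`.
# Firewall rules go first so the kill switch is in place even if the
# route commands fail because the tunnel is not up yet.
case "${1:-}" in
    apply) { fw_cmds; route_cmds; } | sh -e ;;
    *)     fw_cmds; route_cmds ;;
esac
```

Two caveats. The iptables part is not idempotent: every run adds another copy of each rule, so it belongs where Tomato rebuilds the tables (the Firewall script) rather than somewhere it is re-run at will. And the host's DNS still leaks unless it is handled separately: if 192.168.10.10 uses the router as its resolver, the router's own upstream queries follow the main table and go out the WAN; pointing the host at a resolver reachable through the tunnel (the VPN provider's, for example) makes those queries leave via tun11 like the rest of its traffic.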

Re: Help with OpenVPN Client Config on Tomato 1.28 (Shibby)

Posted: Sun Apr 26, 2015 8:35 pm
by Traffic
Simply port forward to the Apache host.