OpenVPN Support Forum

Posted: **Fri Sep 22, 2023 6:53 pm**

Hi Forum,

I am running an OpenVPN client on a Nighthawk R7000 with FreshTomato. My intention is that all internet traffic should go through the VPN, except for traffic to a specific IP address. Let's pretend that address is the IP for craigslist.org, 208.82.237.129.
My command is:
route 208.82.237.129 255.255.255.255 net_gateway

The result of this is that this route is indeed entered into the routing table, but then I cannot reach craigslist at all, no ping, no tracert, no browsing. When pinging, I get a reply from 192.168.1.1 of "Destination host unreachable".

Here's my routing table. 192.168.12.1 is a T-Mobile cellular modem/"gateway", but I get the same result using a Spectrum cable modem. "<VPN IP>" is a placeholder for my VPN provider's IP address.

Current Routing Table
Destination Gateway / Next Hop Subnet Mask Metric Interface
<VPN IP> 192.168.12.1 255.255.255.255 0 vlan2 (WAN0)
192.168.12.1 * 255.255.255.255 0 vlan2 (WAN0)
208.82.237.129 192.168.12.1 255.255.255.255 0 vlan2 (WAN0)
10.2.22.0 * 255.255.255.0 0 tun11
192.168.1.0 * 255.255.255.0 0 br0 (LAN0)
192.168.12.0 * 255.255.255.0 0 vlan2 (WAN0)
127.0.0.0 * 255.0.0.0 0 lo
default 10.2.22.1 128.0.0.0 0 tun11
128.0.0.0 10.2.22.1 128.0.0.0 0 tun11
default 192.168.12.1 0.0.0.0 0 vlan2 (WAN0)

Here are the commands my VPN provider pushes to me:

Sep 22 13:23:03 daemon notice openvpn-client1[1343] PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.2.22.1,explicit-exit-notify 5,rcvbuf 524288,route-gateway 10.2.22.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.2.22.239 255.255.255.0,peer-id 23'

Can anyone explain what is going wrong? Thank you.

Posted: **Sat Sep 23, 2023 6:55 am**

Argh! Never mind -- admin feel free to delete this if you think it will not be of any instructional value to future users.
I discovered that there were kill switch rules in an administration script, and if I wanted to allow traffic to an IP outside the VPN tunnel, I had to not only enter the exception into the routing table, but also to the kill switch.
iptables -I FORWARD -d 208.82.237.129 -j ACCEPT

Posted: **Sat Sep 23, 2023 7:03 pm**

Where did you put the iptables -I FORWARD -d 208.82.237.129 -j ACCEPT ? I tried inserting it in my openvpn client settings file.ovpn but when I upload it tomy router it says file format is invalid.

Posted: **Sun Sep 24, 2023 5:35 am**

@saridd, it is in Administration -> Scripts -> Firewall I'd be lying if I said I understood it; I copied it from somewhere.

Code: Select all

#KillSwitch
WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
#also the guest network:
iptables -I FORWARD -i br1 -o `nvram get wan_iface` -j DROP
#add any exceptions below, example is craigslist.org
iptables -I FORWARD -d 208.82.237.129 -j ACCEPT

OpenVPN Support Forum

VPN client route net_gateway not working

VPN client route net_gateway not working

Re: VPN client route net_gateway not working

Re: VPN client route net_gateway not working

Re: VPN client route net_gateway not working