OpenVPN Support Forum

Hi,

I recently got a router up with DD-WRT and OpenVPN. Works great and on my router's reboot, OpenVNC launches and connects. When it does so, it add a few routes in my main routing table which make all my device to go through the VPN.

I would like to have only device from 192.168.1.32/27 to go through the VPN. I thought of 2 solutions:

1) instead of adding a route: from 0.0.0.0/1 via 10.8.11.5, I could change it to from 192.168.1.32/27 via 10.8.11.
2) have openVPN add all of his routes to routing table 10 and add a rule saying traffic from 192.168.1.32/27 to use that table.

I tried to understand the documentation, but I didn't find out how to achieve either of these solutions. I was thinking that with the --route option there might be something to do, but I haven't figured it out.

Any help would be greatly appreciated.

please post configs for server/client

if you are client you can use nopull directive so you
dont get routes at all..

Michael.

Well, it's not that I don't want routes at all. I want them, but in a different routing table. How could I do it?

Thanks

Config:
proto tcp
tls-auth ta.key 1
cipher none
auth none
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 4
mute 5
tun-mtu 1500
comp-lzo yes
script-security 2
up "/tmp/ovpn/up"
down "/tmp/ovpn/dn"

hi there,

>but in a different routing table

are there many routing tables?....

also it would helped a lot if you posted server config and the contents of up/down scripts.

you can use nopull statement with route as well..

Michael.

Well.. the server is strongvpn.com, so I don't know their exact config.

As for the routing tables, when you type: ip route show
it shows route in the main routing table. If you type: ip route show table 10
you get routes for table 10

and you can define rule that will tell which local IPs use which table.
I checked up the documentation for the nopull option and I came across this one:
--route-noexec
Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables.

Maybe I could script to that and add the route to the table 10 for example...

The UP script is:
#!/bin/sh
nvram set wan_ipaddr=$ifconfig_local
nvram set wan_ifname=$dev
nvram set wan_default=$dev
killall upnp
upnp -D -W $dev
iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE
for R in /tmp/resolv.conf /tmp/resolv.dnsmasq; do
mv $R $R~
for O in "$foreign_option_1" "$foreign_option_2"; do
P="$O"
p1=$(echo "$P" | cut -d " " -f1)
if [ "$p1" == "dhcp-option" ]; then
p2=$(echo "$P" | cut -d " " -f2)
p3=$(echo "$P" | cut -d " " -f3)
if [ "$p2" == "DNS" ] ; then
echo "nameserver $p3">>$R
fi
fi
done



The DOWN script is:
#!/bin/sh
killall upnp
iptables -t nat -D POSTROUTING -o $dev -j MASQUERADE
for R in /tmp/resolv.conf /tmp/resolv.dnsmasq; do
mv $R~ $R
done
killall -HUP dnsmasq'
nvram set upnp_enable=0
nvram commit

yes you can have multiple kernel routing tables, a tutorial is given here , for example
http://kindlund.wordpress.com/2007/11/1 ... -in-linux/

you can add routes to a different routing table, but you also need to tell the system to *use* this table, e.g. the address '10.10.70.38/32' would need to be replaced by the (VPN) IP address that you want to set up routing for.

Thanks janjust,

I already know how to use multiple kernel routing tables, what I don't know is how to have open vpn use a custom table instead of the main one, so I can add a rule to have only 192.168.1.32/27 to use the VPN.

In your exemple, you have
ip rule add from 10.10.70.38/32 what purpose does this serve? I mean I was thinking on only adding a rule like:
ip rule add from 192.168.1.32/27 so all traffic from these private IPs use the route added by the VPN.

What do you think?

I'd say, give it a shot!
remember to include both a 'to' and a 'from' route; you can then use 'ip rule' to verify whether traffic from the VPN IP range is routed via the new routing table.

Why the 'to' rule?

I thought that by saying which 'from' IPs the rule applies to, I didn't have to specify a 'to' rule.

Say a device that is outside the .32/27 range, wanted to connect to the same IP, I would want it to go through the ISP's gateway, not the VPN's.

and if I have to put a 'to' rule, I set the VPN's gateway? So all traffic going to that IP should use the custom table, is that correct?

the kernel needs to know that all traffic coming from and going to the VPN network has to go through routing table 10 - otherwise traffic is routed differently going in than out , and that is bound to give you problems.

which IPs need to be passed via the VPN tunnel anyways?

Well,

I thought of this:
192.168.1.32/27 Manually assigned - through VPN
192.168.1.64/27 Manually assigned - Not through VPN
192.168.1.96/27 DHCP assigned - Not through VPN
192.168.1.128/27 DHCP assigned - Not through VPN
192.168.1.160/27 DHCP assigned - Not through VPN
192.168.1.192/27 DHCP assigned - Not through VPN

So I would add

ip rule from 192.168.1.32/27 via xx.xx.xx.xx table 10
ip rule to 192.168.1.32/27 table 10
ip rule from xx.xx.xx.xx table 10
ip rule to xx.xx.xx.xx table 10

where xx.xx.xx.xx is the VPN's gateway IP.

Would that be correct?

So basically, I will launch openVPN using this command:
openvpn --daemon --config /tmp/ovpn/ovpn.conf --route-delay 10 --route-noexec --route-nopull --route-up /tmp/ovpn/route-up.sh

and in the script route-up.sh, I will use the environment variables that contain the route to add and add them all to 'table 10' and add the proper rules so the right traffic use that table.

I will loop through the route_{parm}_{n} variables and issue the ip route add route table 10 commands for each of these variables.

Sounds like a good plan?

yep, although you could also try source routing : if it's only a single subnet that needs for which the rules apply then you might be able to do it using only source routing...

What do you mean by source routing? (I'm pretty new to this routing stuff!)

Thanks

as always, 90+ % of the questions asked here have to do with routing. Read up on e.g.
http://linux-ip.net/html/tools-ip-route.html
for details on how to do source routing.

thank you JJK for the link.

there is always something new to learn.

Michael.

janjust wrote:the address '10.10.70.38/32' would need to be replaced by the (VPN) IP address that you want to set up routing for.

I did:
ip rule add from 192.168.1.32/27 table 10
ip rule add to 192.168.1.32/27 table 10

You're saying I should also add the VPN's IP? which IPs is that? My IP (10.8.11.6) or the other end's IP (10.8.11.5)?

Thanks

you're a bit in uncharted territory for me - I'd add the whole VPN range (10.8.0.0/24)

Thanks for your help!

Here is how I achieved my objective.

I started openvpn using this command:
openvpn --daemon --config /path/to/my/ovpn.conf

In the ovpn.conf, I have these 2 lines: I think that the route-up line needs to be before the route-noexec (I used to use the --route-up and --route-noexec in the command line and I'm pretty sure --route-up needed to be before the --route-noexec).

In the route-up.sh script, I have this: I still need to find a way to add the rule for the from/to of the whole VPN IP's network.
so I guess that by using something along the line of Then, in the script that is run when VPN goes down, I flush the table 10, and remove the rules By doing this, all device that have an IP in the 192.168.1.32/27 (.33 to .62 inclusive) will get routed through the VPN.
Hope this helps!

ok, so this can be sort of easy. I just did it. I'm using the default routing table for most traffic, and I've created a second 'proxy' routing table for my vpn proxy traffic. Obviously you're going to have iproute2 to configure the 2nd table. You need an openvpn compiled with the --enable-iproute2 option. While you're compiling, you probably also want --enable-password-save. In total, you need 3 things:
custom openvpn with --enable-iproute2
custom proxyroute.sh script
use the --iproute option

Once you have a new binary, it should support the --iproute option. I've created a simple script to handle the custom routing work. here it is:
root@localhost:~# cat proxyroute.sh
#!/bin/bash
if [ "$1" == "route" ] ; then
ip $@ table proxy
else
ip $@
fi

since openvpn will be using ip for building the tunnel/tap interface as well as configuring the routes, you only want to modify commands for routing.

Now, let's bring it all together.
my vpn provider gave me a vpn.conf file, and said to run it like:
openvpn vpn.conf

now, I actually use it like this:
openvpn --config vpn.conf --daemon

and to enable your custom route command, use this:
openvpn --config vpn.conf --daemon --iproute /root/proxyroute.sh

or, you can add the line:
iproute /root/proxyroute.sh to the end of your vpn.conf


This a better solution than the previous one as it allows dynamic conrfiguration of the vpn gateway, for situations where your vpn provider has a cluster and your vpn ip details can change slightly.