SmallNetBuilder Forums
Go Back   SmallNetBuilder Forums > LAN & WAN > Routers

Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old 01-16-2013, 10:13 PM
janosek janosek is offline
Senior Member
 
Join Date: Jan 2013
Posts: 134
Thanks: 18
Thanked 8 Times in 7 Posts
janosek is just starting out
Default Help with Tomato/RMerlin Asuswrt selective routing over two openvpn clients

Hello,

I have spend days searching how to selectively route openvpn over TWO clients, but all I have found is people asking the question in a "Solved" forum, but no solution.

Here is my code to selectively route with one VPN.
It is not mine. It was modified from here, with much gratitiude:
http://www.linksysinfo.org/index.php...openvpn.37240/


#!/bin/sh

touch /tmp/000wanstarted

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done


#US VPN

#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING


ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache


# Define the routing policies for the traffic. The rules will be applied in the #order that they are listed. In the end, packets with MARK set to "0" will
# pass through the VPN. If MARK is set to "1" it will bypass the VPN.


# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can # configure exceptions afterwards)

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1


# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 0


# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 0


# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0



# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1

# Ports 38666 will bypass the VPN (in the future, another VPN)
iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 1



exit 0

I would like to set up a second VPN and route some ports through there, but when I try to bring a second openvpn client up, everything stops working.

I tried modifying cornasdf's method to my own usages:
http://cornasdf.blogspot.ca/2012/10/...y-routing.html
but it did not work in my setup. Here is what I got:

Here is my environment setup script:

################################################## #

mkdir /jffs/scripts/customvpn
mkdir /jffs/scripts/customvpn/us
mkdir /jffs/scripts/customvpn/uk
echo "-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----" >> /jffs/scripts/customvpn/ca.crt

chmod 700 /jffs/scripts/customvpn/ca.crt


#Setup uk Tunnel Config
echo script-security 3 > /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo daemon >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo client >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo dev tun0 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo proto udp >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo remote <UK_VPN_ADDRESS> 1194 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo resolv-retry 30 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo nobind >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo persist-key >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo persist-tun >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo redirect-gateway def1 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo comp-lzo adaptive >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo route-up /jffs/scripts/customvpn/uk/route-up-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo down-pre /jffs/scripts/customvpn/uk/route-down-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo verb 15 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo status-version 2 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo route-nopull >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo mute-replay-warnings >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo mssfix 1396 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo status /jffs/scripts/status_uk >> /jffs/scripts/customvpn/uk/openvpn-uk.conf



chmod 700 /jffs/scripts/customvpn/uk/openvpn-uk.conf


#Setup US Tunnel Config

echo script-security 3 > /jffs/scripts/customvpn/us/openvpn-US.conf
echo daemon >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo client >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo dev tun1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo proto udp >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo remote <US_VPN_ADDRESS>1194 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo resolv-retry 30 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo nobind >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo persist-key >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo persist-tun >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo redirect-gateway def1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo comp-lzo adaptive >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo route-up /jffs/scripts/customvpn/us/route-up-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo down-pre /jffs/scripts/customvpn/us/route-down-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo verb 15 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo status-version 2 >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo route-nopull >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo mute-replay-warnings >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo mssfix 1396 >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo status /jffs/scripts/status_us >> /jffs/scripts/customvpn/us/openvpn-US.conf

chmod 700 /jffs/scripts/customvpn/us/openvpn-US.conf

#tun0 route up script
echo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-up-uk.sh

chmod 700 /jffs/scripts/customvpn/uk/route-up-uk.sh
#tun0 route down script
echo iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-down-uk.sh
chmod 700 /jffs/scripts/customvpn/uk/route-down-uk.sh

#tun1 route up script
echo iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-up-US.sh
chmod 700 /jffs/scripts/customvpn/us/route-up-US.sh
#tun1 route down script
echo iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-down-US.sh
chmod 700 /jffs/scripts/customvpn/us/route-down-US.sh


#General Config
echo <USER> > /jffs/scripts/customvpn/password.txt
echo <PASS> >> /jffs/scripts/customvpn/password.txt

chmod 700 /jffs/scripts/customvpn/password.txt

exit 0

#############################################

wan_start:

#!/bin/sh

touch /tmp/000phase2wanstarted

modprobe tun

#Setup tunnels.
/usr/bin/killall openvpn

/usr/sbin/openvpn --config /jffs/scripts/customvpn/uk/openvpn-uk.conf
sleep 10
/usr/sbin/openvpn --config /jffs/scripts/customvpn/us/openvpn-US.conf
sleep 10


#The tunnels can take a couple seconds to establish. Hold for 5 seconds to allow for this



# get gateway addresses
IspGateway=$(ip route list table main | awk '/default/ { print $3}')
tun0Gateway=$(ip route list table main | awk '/tun0/ { print $1}')
tun1Gateway=$(ip route list table main | awk '/tun1/ { print $1}')



# Create fwmark to table bindings
ip rule add fwmark 1 table main # ISP
ip rule add fwmark 2 table 2 # Tunnel 0 uk
ip rule add fwmark 3 table 3 # Tunnel 1 US

# Create table to tunnel bindings
ip route add default via $tun0Gateway dev tun0 table 2 #Send out uk Tunnel
ip route add default via $tun1Gateway dev tun1 table 3 #Send out US Tunnel


# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done



# All LAN traffic will bypass the VPNs (Useful to put this rule first, so all traffic bypasses the VPNs and you can # configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1



#uk tunnel rules
# Ports 38666 will go through the uk tunnel
iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 2

#US Tunnel rules

# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 3


# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 3


# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 3



# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1



exit 0

################################################


Does anyone have a working script? The above just kills everything. If anyone can help, I would be grateful.
Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


All times are GMT -4. The time now is 05:24 PM.


Top 10 Stats
Top Posters* Top Thanked
RMerlin  397
azazel1024  131
L&LD  105
john9527  101
htismaqe  97
stevech  78
ColinTaylor  77
hggomes  58
sfx2000  51
Anzaia  49
RMerlin  6287
john9527  459
stevech  353
ryzhov_al  289
TeHashX  253
L&LD  243
RogerSC  203
sinshiva  146
sfx2000  136
joegreat  127
Most Viewed Threads* Hottest Threads*
Old Asuswrt-Merli...  55829
Old RT-AC68 -...  24742
Old Moderate Nat...  5381
Old ASUS RT-N66U...  4868
Old iOS 8.1...  4189
Old RT-AC87U -...  2717
Old RT-AC68P QOS...  2230
Old New AC68...  2133
Old AC68U,...  2047
Old Ruckus...  1855
Old Asuswrt-Merli...  247
Old RT-AC68 -...  141
Old Review: 24...  35
Old Moderate Nat...  34
Old iOS 8.1...  33
Old RT-AC87U -...  26
Old How to flash...  24
Old RT-AC68P QOS...  24
Old Linksys...  21
Old Help Plz:...  21


Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
© 2006-2014 Pudai LLC All Rights Reserved.