01-16-2013, 09:13 PM
janosek
Help with Tomato/RMerlin Asuswrt selective routing over two openvpn clients

Hello,

I have spent days searching for how to selectively route openvpn over TWO clients, but all I have found is people asking the question in a "Solved" forum, with no solution.

Here is my code to selectively route with one VPN.
It is not mine. It was modified from here, with much gratitude:
http://www.linksysinfo.org/index.php...openvpn.37240/


#!/bin/sh

touch /tmp/000wanstarted

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done


#US VPN

#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING


ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache


# Define the routing policies for the traffic. The rules will be applied in the
# order that they are listed. In the end, packets with MARK set to "0" will
# pass through the VPN. If MARK is set to "1" it will bypass the VPN.


# All LAN traffic will bypass the VPN (useful to put this rule first, so all
# traffic bypasses the VPN and you can configure exceptions afterwards)

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1


# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 0


# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 0


# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0



# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1

# Ports 38666 will bypass the VPN (in the future, another VPN)
iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 1



exit 0

I would like to set up a second VPN and route some ports through there, but when I try to bring a second openvpn client up, everything stops working.

I tried modifying cornasdf's method to my own usages:
http://cornasdf.blogspot.ca/2012/10/...y-routing.html
but it did not work in my setup. Here is what I got:

Here is my environment setup script:

##################################################

mkdir /jffs/scripts/customvpn
mkdir /jffs/scripts/customvpn/us
mkdir /jffs/scripts/customvpn/uk
echo "-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----" >> /jffs/scripts/customvpn/ca.crt

chmod 700 /jffs/scripts/customvpn/ca.crt


#Setup uk Tunnel Config
echo script-security 3 > /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo daemon >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo client >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo dev tun0 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo proto udp >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo remote <UK_VPN_ADDRESS> 1194 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo resolv-retry 30 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo nobind >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo persist-key >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo persist-tun >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo redirect-gateway def1 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo comp-lzo adaptive >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo route-up /jffs/scripts/customvpn/uk/route-up-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo down-pre /jffs/scripts/customvpn/uk/route-down-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo verb 15 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo status-version 2 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo route-nopull >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo mute-replay-warnings >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo mssfix 1396 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo status /jffs/scripts/status_uk >> /jffs/scripts/customvpn/uk/openvpn-uk.conf



chmod 700 /jffs/scripts/customvpn/uk/openvpn-uk.conf


#Setup US Tunnel Config

echo script-security 3 > /jffs/scripts/customvpn/us/openvpn-US.conf
echo daemon >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo client >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo dev tun1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo proto udp >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo remote <US_VPN_ADDRESS> 1194 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo resolv-retry 30 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo nobind >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo persist-key >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo persist-tun >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo redirect-gateway def1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo comp-lzo adaptive >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo route-up /jffs/scripts/customvpn/us/route-up-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo down-pre /jffs/scripts/customvpn/us/route-down-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo verb 15 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo status-version 2 >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo route-nopull >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo mute-replay-warnings >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo mssfix 1396 >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo status /jffs/scripts/status_us >> /jffs/scripts/customvpn/us/openvpn-US.conf

chmod 700 /jffs/scripts/customvpn/us/openvpn-US.conf

#tun0 route up script
echo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-up-uk.sh

chmod 700 /jffs/scripts/customvpn/uk/route-up-uk.sh
#tun0 route down script
echo iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-down-uk.sh
chmod 700 /jffs/scripts/customvpn/uk/route-down-uk.sh

#tun1 route up script
echo iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-up-US.sh
chmod 700 /jffs/scripts/customvpn/us/route-up-US.sh
#tun1 route down script
echo iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-down-US.sh
chmod 700 /jffs/scripts/customvpn/us/route-down-US.sh


#General Config
echo <USER> > /jffs/scripts/customvpn/password.txt
echo <PASS> >> /jffs/scripts/customvpn/password.txt

chmod 700 /jffs/scripts/customvpn/password.txt

exit 0

#############################################

wan_start:

#!/bin/sh

touch /tmp/000phase2wanstarted

modprobe tun

#Setup tunnels.
/usr/bin/killall openvpn

/usr/sbin/openvpn --config /jffs/scripts/customvpn/uk/openvpn-uk.conf
sleep 10
/usr/sbin/openvpn --config /jffs/scripts/customvpn/us/openvpn-US.conf
sleep 10


#The tunnels can take a couple of seconds to establish. The sleep 10 after each client above allows for this.



# get gateway addresses. Match only the kernel's host route for each tun
# device ("10.x.x.5 dev tun0 ..."); a plain /tun0/ pattern also matches any
# network route pushed by the server ("10.x.x.0/24 via ... dev tun0") and
# would return more than one line.
IspGateway=$(ip route list table main | awk '/default/ { print $3}')
tun0Gateway=$(ip route list table main | awk '$2 == "dev" && $3 == "tun0" && $1 !~ /\// { print $1; exit }')
tun1Gateway=$(ip route list table main | awk '$2 == "dev" && $3 == "tun1" && $1 !~ /\// { print $1; exit }')



# Create fwmark to table bindings
ip rule add fwmark 1 table main # ISP
ip rule add fwmark 2 table 2 # Tunnel 0 uk
ip rule add fwmark 3 table 3 # Tunnel 1 US

# Create table to tunnel bindings
ip route add default via $tun0Gateway dev tun0 table 2 #Send out uk Tunnel
ip route add default via $tun1Gateway dev tun1 table 3 #Send out US Tunnel


# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done



# All LAN traffic will bypass the VPNs (useful to put this rule first, so all
# traffic bypasses the VPNs and you can configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1



#uk tunnel rules
# Ports 38666 will go through the uk tunnel
iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 2

#US Tunnel rules

# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 3


# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 3


# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 3



# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1



exit 0

################################################


Does anyone have a working script? The above just kills everything. If anyone can help, I would be grateful.
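The wan_start script above, reworked as an added example (my code, not janosek's or the cornasdf script it was modified from). It assumes, beyond what the post states, that br0 is the LAN bridge, that routing tables 2 and 3 are free, and that the router's iptables has the mark match (-m mark); the hosts and port are the ones from the post. It differs from the posted script in three places a defender would care about: the tunnel peer is parsed from the kernel's host route only (the /tun0/ pattern also matches pushed network routes and returns several lines); every port rule carries -i br0, because without it packets arriving from the WAN on port 38666 are marked too and policy-routed into the tunnel instead of being delivered to the LAN host; and each tunnel table gets an unreachable fallback route, so that when a tunnel drops, traffic meant for it is rejected rather than silently falling through to the WAN. DRY_RUN=1 prints the commands instead of executing them, and ROUTES can be set to a saved route dump, so the plan can be reviewed on a machine without ip/iptables.

```shell
#!/bin/sh
# Added example, not the posted script: idempotent policy routing for two
# OpenVPN clients (tun0 = UK, tun1 = US) on a Tomato / Asuswrt-Merlin router.
# Assumptions not taken from the post: br0 is the LAN bridge, tables 2 and 3
# are unused, iptables has the mark match.  DRY_RUN=1 prints instead of running.

LAN_IF=${LAN_IF:-br0}
DRY_RUN=${DRY_RUN:-0}

run() {                       # execute, or print the command when dry-running
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print the point-to-point peer of DEV from a route dump on stdin.  Only the
# kernel's host route ("10.8.0.5 dev tun0 ...") qualifies; "10.8.0.0/24 via
# 10.8.0.5 dev tun0" (a pushed route) is skipped.  Prints nothing for a
# subnet-topology tunnel, which has no peer address.
tun_peer() {
    awk -v dev="$1" '$2 == "dev" && $3 == dev && $1 ~ /^[0-9.]+$/ { print $1; exit }'
}

# Bind TABLE to tunnel DEV: tear down old state, add the default route through
# the tunnel, and add an unreachable fallback with a worse metric so that a
# dropped tunnel rejects marked traffic instead of leaking it to the WAN.
bind_table() {  # bind_table DEV TABLE MARK
    dev=$1; table=$2; mark=$3
    peer=$(printf '%s\n' "$ROUTES" | tun_peer "$dev")
    run ip rule del fwmark "$mark" table "$table"   # may complain on first run; harmless
    run ip route flush table "$table"
    if [ -n "$peer" ]; then
        run ip route add default via "$peer" dev "$dev" table "$table"
    else
        run ip route add default dev "$dev" table "$table"   # tun is point-to-point; no via needed
    fi
    run ip route add unreachable default metric 1000 table "$table"
    run ip rule add fwmark "$mark" table "$table"
    run iptables -t nat -D POSTROUTING -o "$dev" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$dev" -j MASQUERADE
    return 0
}

apply_policy() {
    ROUTES=${ROUTES:-$(ip route list table main 2>/dev/null)}
    # Replies come back on a different interface than the routing decision
    # expects, so reverse-path filtering must be off (as in the posted script).
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -e "$f" ] && run sh -c "echo 0 > $f"
    done
    bind_table tun0 2 2
    bind_table tun1 3 3
    run iptables -t mangle -F PREROUTING
    # Unmarked packets follow the main table (WAN), so the VOIP phone needs no
    # mark; RETURN in a built-in chain ends traversal, so nothing re-marks it.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s 192.168.1.152 -j RETURN
    # UK tunnel: one service port, LAN-originated packets only (-i $LAN_IF).
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 38666 -j MARK --set-mark 2
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p udp --dport 38666 -j MARK --set-mark 2
    # US tunnel: whole hosts, but only packets no earlier rule has claimed.
    for host in 192.168.1.248 192.168.1.10 192.168.1.2; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$host" -m mark --mark 0 -j MARK --set-mark 3
    done
    run ip route flush cache
}

# Constructed route dump for a dry run (not captured from a real router):
# tun0 uses net30 topology (peer host route present), tun1 subnet topology.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
10.8.0.0/24 via 10.8.0.5 dev tun0
10.9.0.0/24 dev tun1 proto kernel scope link src 10.9.0.2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# Review the plan without touching the router:
#   DRY_RUN=1 ROUTES="$SAMPLE_ROUTES" sh thisscript.sh
# On the router, call apply_policy from wan-start after both clients are up.
if [ "$DRY_RUN" = 1 ] && [ -z "$ROUTES" ]; then ROUTES=$SAMPLE_ROUTES; fi
[ "${0##*/}" != sh ] && [ -n "$RUN_POLICY" ] && apply_policy
```

Because the host rules are guarded with -m mark --mark 0, the order of the port rules and the host rules no longer decides who wins: the first rule to mark a packet keeps it, which makes the policy readable as a list rather than a precedence puzzle.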