SmallNetBuilder Forums
Go Back   SmallNetBuilder Forums > LAN & WAN > Routers

Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old 01-16-2013, 09:13 PM
janosek janosek is offline
Senior Member
 
Join Date: Jan 2013
Posts: 132
Thanks: 18
Thanked 8 Times in 7 Posts
janosek is just starting out
Default Help with Tomato/RMerlin Asuswrt selective routing over two openvpn clients

Hello,

I have spend days searching how to selectively route openvpn over TWO clients, but all I have found is people asking the question in a "Solved" forum, but no solution.

Here is my code to selectively route with one VPN.
It is not mine. It was modified from here, with much gratitiude:
http://www.linksysinfo.org/index.php...openvpn.37240/


#!/bin/sh

touch /tmp/000wanstarted

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done


#US VPN

#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING


ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache


# Define the routing policies for the traffic. The rules will be applied in the #order that they are listed. In the end, packets with MARK set to "0" will
# pass through the VPN. If MARK is set to "1" it will bypass the VPN.


# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can # configure exceptions afterwards)

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1


# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 0


# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 0


# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0



# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1

# Ports 38666 will bypass the VPN (in the future, another VPN)
iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 1



exit 0

I would like to set up a second VPN and route some ports through there, but when I try to bring a second openvpn client up, everything stops working.

I tried modifying cornasdf's method to my own usages:
http://cornasdf.blogspot.ca/2012/10/...y-routing.html
but it did not work in my setup. Here is what I got:

Here is my environment setup script:

################################################## #

mkdir /jffs/scripts/customvpn
mkdir /jffs/scripts/customvpn/us
mkdir /jffs/scripts/customvpn/uk
echo "-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----" >> /jffs/scripts/customvpn/ca.crt

chmod 700 /jffs/scripts/customvpn/ca.crt


#Setup uk Tunnel Config
echo script-security 3 > /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo daemon >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo client >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo dev tun0 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo proto udp >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo remote <UK_VPN_ADDRESS> 1194 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo resolv-retry 30 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo nobind >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo persist-key >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo persist-tun >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo redirect-gateway def1 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo comp-lzo adaptive >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo route-up /jffs/scripts/customvpn/uk/route-up-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo down-pre /jffs/scripts/customvpn/uk/route-down-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo verb 15 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo status-version 2 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo route-nopull >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo mute-replay-warnings >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo mssfix 1396 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo status /jffs/scripts/status_uk >> /jffs/scripts/customvpn/uk/openvpn-uk.conf



chmod 700 /jffs/scripts/customvpn/uk/openvpn-uk.conf


#Setup US Tunnel Config

echo script-security 3 > /jffs/scripts/customvpn/us/openvpn-US.conf
echo daemon >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo client >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo dev tun1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo proto udp >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo remote <US_VPN_ADDRESS>1194 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo resolv-retry 30 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo nobind >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo persist-key >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo persist-tun >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo redirect-gateway def1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo comp-lzo adaptive >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo route-up /jffs/scripts/customvpn/us/route-up-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo down-pre /jffs/scripts/customvpn/us/route-down-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo verb 15 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo status-version 2 >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo route-nopull >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo mute-replay-warnings >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo mssfix 1396 >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo status /jffs/scripts/status_us >> /jffs/scripts/customvpn/us/openvpn-US.conf

chmod 700 /jffs/scripts/customvpn/us/openvpn-US.conf

#tun0 route up script
echo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-up-uk.sh

chmod 700 /jffs/scripts/customvpn/uk/route-up-uk.sh
#tun0 route down script
echo iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-down-uk.sh
chmod 700 /jffs/scripts/customvpn/uk/route-down-uk.sh

#tun1 route up script
echo iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-up-US.sh
chmod 700 /jffs/scripts/customvpn/us/route-up-US.sh
#tun1 route down script
echo iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-down-US.sh
chmod 700 /jffs/scripts/customvpn/us/route-down-US.sh


#General Config
echo <USER> > /jffs/scripts/customvpn/password.txt
echo <PASS> >> /jffs/scripts/customvpn/password.txt

chmod 700 /jffs/scripts/customvpn/password.txt

exit 0

#############################################

wan_start:

#!/bin/sh

touch /tmp/000phase2wanstarted

modprobe tun

#Setup tunnels.
/usr/bin/killall openvpn

/usr/sbin/openvpn --config /jffs/scripts/customvpn/uk/openvpn-uk.conf
sleep 10
/usr/sbin/openvpn --config /jffs/scripts/customvpn/us/openvpn-US.conf
sleep 10


#The tunnels can take a couple seconds to establish. Hold for 5 seconds to allow for this



# get gateway addresses
IspGateway=$(ip route list table main | awk '/default/ { print $3}')
tun0Gateway=$(ip route list table main | awk '/tun0/ { print $1}')
tun1Gateway=$(ip route list table main | awk '/tun1/ { print $1}')



# Create fwmark to table bindings
ip rule add fwmark 1 table main # ISP
ip rule add fwmark 2 table 2 # Tunnel 0 uk
ip rule add fwmark 3 table 3 # Tunnel 1 US

# Create table to tunnel bindings
ip route add default via $tun0Gateway dev tun0 table 2 #Send out uk Tunnel
ip route add default via $tun1Gateway dev tun1 table 3 #Send out US Tunnel


# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done



# All LAN traffic will bypass the VPNs (Useful to put this rule first, so all traffic bypasses the VPNs and you can # configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1



#uk tunnel rules
# Ports 38666 will go through the uk tunnel
iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 2

#US Tunnel rules

# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 3


# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 3


# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 3



# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1



exit 0

################################################


Does anyone have a working script? The above just kills everything. If anyone can help, I would be grateful.
Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


All times are GMT -4. The time now is 03:34 PM.


Top 10 Stats
Top Posters* Top Thanked
RMerlin  452
stevech  194
sm00thpapa  185
azazel1024  178
KGB7  159
philmiami  97
jim769  86
microchip  81
htismaqe  78
AcostaJA  74
RMerlin  5181
stevech  315
ryzhov_al  259
TeHashX  212
RogerSC  187
L&LD  186
joegreat  123
jlake  122
sinshiva  118
sfx2000  112
Most Viewed Threads* Hottest Threads*
Old Asuswrt-Merli...  30962
Old Switched...  9120
Old NEW RT-AC68R...  8411
Old ASUS...  7752
Old ASUS...  7416
Old 3.0.0.4.376.1...  7131
Old ASUS RT-AC87...  4924
Old ASUS RTAC68U...  4072
Old ASUS...  3942
Old Netgear...  3856
Old Asuswrt-Merli...  277
Old ASUS...  91
Old Overclock...  74
Old [Q] How to...  73
Old Switched...  66
Old NEW RT-AC68R...  57
Old N66U daily...  47
Old ASUS...  45
Old How many of...  45
Old ASUS...  44


Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
© 2006-2014 Pudai LLC All Rights Reserved.