This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
| unix:networking [2014/02/19 15:02] ben | unix:networking [2014/04/30 05:24] (current) ben | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| - | ===== ip route & multiple routing tables ===== | ||
| - | //For routing specific client traffic through specific interfaces// | + | **[[:unix:networking:openwrt_routing|Split VPN routing with OpenWRT/Tomato]]:** //For routing specific LAN client traffic through specific interfaces with multiple routing tables// | 
| - | + | ||
| - | **Desired Config:**  An openVPN client connection running from a Tomato/OpenWRT/DDWRT router, routing traffic for only //some// of our LAN clients through the VPN, while all others route through the default ISP connection. | + | |
| - | + | ||
| - | Enter "ip route" (I've always just used the default "route" in the past).  "Ip route" allows the creation of multiple routing tables and "rules" to direct the traffic to a specific table. | + | |
| - | + | ||
| - | Details on everything are below, or [[unix:networking#scripting_the_routes_and_rules|cut to the chase]]. | + | |
| - | ==== openVPN client settings ==== | + | |
| - | + | ||
| - | My VPN provider sets a bunch of routes when making the connection, if you let it. If you don't want that you need to set the openVPN directive "route-noexec".  In Tomato, there's an option called "Create NAT on tunnel", that is **checked**.  Under Advanced settings, my openVPN client settings are like so: | + | |
| - | + | ||
| - | <code> | + | |
| - | persist-key | + | |
| - | persist-tun | + | |
| - | tls-client | + | |
| - | auth-user-pass /tmp/auth.txt | + | |
| - | comp-lzo | + | |
| - | verb 1 | + | |
| - | reneg-sec 0 | + | |
| - | route-noexec | + | |
| - | route-up /tmp/vpnrouteup.sh | + | |
| - | down /tmp/vpnroutedown.sh | + | |
| - | </code> | + | |
| - | + | ||
| - | The contents of /tmp/auth.txt are simply VPN provider username on the top line, password on the second line. The contents of the route-up and route-down scripts are [[#scripting_the_routes_and_rules|at the bottom of this page]]. | + | |
| - | + | ||
| - | For those interested, the "Create NAT on tunnel" option executes the /tmp/etc/openvpn/fw/client1-fw.sh script, which looks like: | + | |
| - | <code> | + | |
| - | #!/bin/sh | + | |
| - | iptables -I INPUT -i tun11 -j ACCEPT | + | |
| - | iptables -I FORWARD -i tun11 -j ACCEPT | + | |
| - | iptables -t nat -I POSTROUTING -s 192.168.1.0/255.255.255.0 -o tun11 -j MASQUERADE | + | |
| - | </code> | + | |
| - | ==== ip route commands and new routing tables ==== | + | |
| - | + | ||
| - | From what I've seen there appear to be 3 default tables: | + | |
| - | + | ||
| - | * main | + | |
| - | * local | + | |
| - | * default | + | |
| - | + | ||
| - | This can be confirmed via ''ip rule list'': | + | |
| - | <code>root@wifi1:/tmp/home/root# ip rule list | + | |
| - | 0: from all lookup local | + | |
| - | 32766: from all lookup main | + | |
| - | 32767: from all lookup default | + | |
| - | </code> | + | |
| - | + | ||
| - | Other tables are defined with integer names.  To create a new table simply add a route to it with ''ip route add [route] table #tablename#'': | + | |
| - | <code> | + | |
| - | ip route add 192.168.100.100 via 127.0.0.1 dev lo table 100 | + | |
| - | </code> | + | |
| - | + | ||
| - | To see the table, ''ip route list table 100'': | + | |
| - | <code>root@wifi1:/tmp/home/root# ip route list table 100 | + | |
| - | 192.168.100.100 via 127.0.0.1 dev lo | + | |
| - | </code> | + | |
| - | + | ||
| - | To add a rule to affect traffic and direct it via routes in your new table 100, ''ip rule add [blah] table 100'', and to see the rule in place, ''ip rule list'': | + | |
| - | <code> | + | |
| - | root@wifi1:/tmp/home/root# ip rule add from 9.9.9.9 to 192.168.100.100 dev lo table 100 | + | |
| - | root@wifi1:/tmp/home/root# ip rule list | + | |
| - | 0: from all lookup local | + | |
| - | 32765: from 9.9.9.9 to 192.168.100.100 iif lo lookup 100 | + | |
| - | 32766: from all lookup main | + | |
| - | 32767: from all lookup default | + | |
| - | </code> | + | |
| - | + | ||
| - | That rule (as far as I can tell) tells the kernel that when traffic arrives on interface ''lo'' from ip 9.9.9.9 with destination address 192.168.100.100, then the pertinent routes are found in routing table 100. If you want to direct traffic both ways to and from specific ip's, then you must do so explicitly: | + | |
| - | <code> | + | |
| - | root@wifi1:/tmp/home/root# ip rule add to 9.9.9.9 from 192.168.100.100 dev lo table 100 | + | |
| - | root@wifi1:/tmp/home/root# ip rule list | + | |
| - | 0: from all lookup local | + | |
| - | 32764: from 192.168.100.100 to 9.9.9.9 iif lo lookup 100 | + | |
| - | 32765: from 9.9.9.9 to 192.168.100.100 iif lo lookup 100 | + | |
| - | 32766: from all lookup main | + | |
| - | 32767: from all lookup default | + | |
| - | </code> | + | |
| - | + | ||
| - | If you make a mistake and want to delete those rules, ''ip rule delete pref #rule#'': | + | |
| - | <code> | + | |
| - | root@wifi1:/tmp/home/root# ip rule delete pref 32764 | + | |
| - | root@wifi1:/tmp/home/root# ip rule delete pref 32765 | + | |
| - | root@wifi1:/tmp/home/root# ip rule list | + | |
| - | 0: from all lookup local | + | |
| - | 32766: from all lookup main | + | |
| - | 32767: from all lookup default | + | |
| - | </code> | + | |
| - | + | ||
| - | ==== routes set by VPN provider ==== | + | |
| - | + | ||
| - | In my case, the routes that get set by my provider look like so: | + | |
| - | + | ||
| - | <code> | + | |
| - | root@wifi1:/tmp/home/root# ip route show |grep tun11 | + | |
| - | 10.173.1.5 dev tun11 proto kernel scope link src 10.173.1.6 | + | |
| - | 10.173.1.1 via 10.173.1.5 dev tun11 | + | |
| - | 0.0.0.0/1 via 10.173.1.5 dev tun11 | + | |
| - | 128.0.0.0/1 via 10.173.1.5 dev tun11 | + | |
| - | </code> | + | |
| - | + | ||
| - | My TUN ifconfig in that case looks like: | + | |
| - | <code> | + | |
| - | root@wifi1:/tmp/home/root# ifconfig tun11 | + | |
| - | tun11 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 | + | |
| - | inet addr:10.173.1.6 P-t-P:10.173.1.5 Mask:255.255.255.255 | + | |
| - | UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 | + | |
| - | RX packets:17428 errors:0 dropped:0 overruns:0 frame:0 | + | |
| - | TX packets:19874 errors:0 dropped:16 overruns:0 carrier:0 | + | |
| - | collisions:0 txqueuelen:100 | + | |
| - | RX bytes:9120474 (8.6 MiB) TX bytes:3519467 (3.3 MiB) | + | |
| - | </code> | + | |
| - | + | ||
| - | We can see then that our tun11 IP is .6, our gateway (which is "via" in the table) is .5, and then some default routes are set. | + | |
| - | + | ||
| - | ==== directing the traffic for a specific IP ==== | + | |
| - | + | ||
| - | + | ||
| - | To make these routes work for only some of our LAN clients, we need to add them to a new routing table, and then specify rules to make use of them. | + | |
| - | + | ||
| - | In my case, I'm going to route only traffic from 192.168.1.253 through the VPN. | + | |
| - | + | ||
| - | Manually, that would go like this: | + | |
| - | <code> | + | |
| - | ip route add 10.173.1.5 dev tun11 proto kernel scope link src 10.173.1.6 | + | |
| - | ip route add 0.0.0.0/1 via 10.173.1.5 dev tun11 table 10 | + | |
| - | ip route add 128.0.0.0/1 via 10.173.1.5 dev tun11 table 10 | + | |
| - | ip route add 10.173.1.1 via 10.173.1.5 dev tun11 metric 1 table 10 | + | |
| - | ip rule add from 10.173.1.0/24 table 10 | + | |
| - | ip rule add to 10.173.1.0/24 table 10 | + | |
| - | ip rule add from 192.168.1.253 table 10 | + | |
| - | </code> | + | |
| - | + | ||
| - | Now, since I also have devices getting their DNS servers from DHCP, we'll also need to add rules for those internal devices to make use of the ISPs default route to access DNS servers.  To do that, the rules simply address traffic to and from the internal client ip to the DNS servers via the "main" table instead of our new table "10": | + | |
| - | <code> | + | |
| - | ip rule add from 192.168.1.253 to 89.150.129.10 lookup main | + | |
| - | ip rule add from 192.168.1.253 to 89.150.129.22 lookup main | + | |
| - | ip rule add to 192.168.1.253 from 89.150.129.10 lookup main | + | |
| - | ip rule add to 192.168.1.253 from 89.150.129.22 lookup main | + | |
| - | </code> | + | |
| - | + | ||
| - | + | ||
| - | ==== scripting the routes and rules ==== | + | |
| - | + | ||
| - | **Disclaimer:  I have never made use of awk before doing this configuration, so this may be the dumbest awk code ever written.  It works, so that's good enough for me.** | + | |
| - | + | ||
| - | A basic script to set the routes in my case looks like this: | + | |
| - | <code> | + | |
| - | vpndhosts="192.168.1.253" | + | |
| - | dnsservers="89.150.129.10 89.150.129.22" | + | |
| - | tun_iface=$(ifconfig|grep tun|awk '{ print $1 }') | + | |
| - | tun_inet=$(ifconfig $tun_iface|grep P-t-P|awk -F ':' '{ print $2 }'|awk -F ' ' '{ print $1 }') | + | |
| - | tun_ptp=$(ifconfig $tun_iface|grep P-t-P|awk -F ':' '{ print $3 }'|awk -F ' ' '{ print $1 }') | + | |
| - | tun_gw=$(echo $tun_inet |awk -F '.' '{print $1"."$2"."$3".1"}') | + | |
| - | tun_net=$(echo $tun_inet |awk -F '.' '{print $1"."$2"."$3".0/24"}') | + | |
| - | ip route add 0.0.0.0/1 via $tun_ptp dev $tun_iface table 10 | + | |
| - | ip route add 128.0.0.0/1 via $tun_ptp dev $tun_iface table 10 | + | |
| - | ip route add $tun_gw via $tun_ptp dev $tun_iface metric 1 table 10 | + | |
| - | ip rule add from $tun_net table 10 | + | |
| - | ip rule add to $tun_net table 10 | + | |
| - | for host in $vpndhosts;do ip rule add from $host table 10;done | + | |
| - | for host in $vpndhosts;do for server in $dnsservers;do ip rule add from $host to $server lookup main;ip rule add from $server to $host lookup main;done;done | + | |
| - | + | ||
| - | + | ||
| - | </code> | + | |
| - | + | ||
| - | To add other hosts, vpndhosts is a space delimited list of local ip's. | + | |
| - | + | ||
| - | Unfortunately, getting port-forwarding working from my chosen provider is another issue.  Optware here I come. | + | |
| - | + | ||
| - | To delete all custom rules and return to default (in my case at least): | + | |
| - | <code> | + | |
| - | for rule in $(ip rule list |grep -v "all lookup"|awk -F ":" '{ print $1 }');do ip rule delete pref $rule;done | + | |
| - | </code> | + | |
| - | + | ||
| - | So, add the two code sections above to /tmp/vpnrouteup.sh and /tmp/vpnroutedown.sh and chmod them via the Administration->Scripts->Init script: | + | |
| - | + | ||
| - | <code> | + | |
| - | + | ||
| - | cat > /tmp/vpnrouteup.sh <<EOF | + | |
| - | #!/bin/sh | + | |
| - | vpndhosts="192.168.1.253" | + | |
| - | dnsservers="89.150.129.10 89.150.129.22" | + | |
| - | tun_iface=\$(ifconfig|grep tun|awk '{ print \$1 }') | + | |
| - | tun_inet=\$(ifconfig \$tun_iface|grep P-t-P|awk -F ':' '{ print \$2 }'|awk -F ' ' '{ print \$1 }') | + | |
| - | tun_ptp=\$(ifconfig \$tun_iface|grep P-t-P|awk -F ':' '{ print \$3 }'|awk -F ' ' '{ print \$1 }') | + | |
| - | tun_gw=\$(echo \$tun_inet |awk -F '.' '{print \$1"."\$2"."\$3".1"}') | + | |
| - | tun_net=\$(echo \$tun_inet |awk -F '.' '{print \$1"."\$2"."\$3".0/24"}') | + | |
| - | ip route add 0.0.0.0/1 via \$tun_ptp dev \$tun_iface table 10 | + | |
| - | ip route add 128.0.0.0/1 via \$tun_ptp dev \$tun_iface table 10 | + | |
| - | ip route add \$tun_gw via \$tun_ptp dev \$tun_iface metric 1 table 10 | + | |
| - | ip rule add from \$tun_net table 10 | + | |
| - | ip rule add to \$tun_net table 10 | + | |
| - | for host in \$vpndhosts;do ip rule add from \$host table 10;done | + | |
| - | for host in \$vpndhosts;do for server in \$dnsservers;do ip rule add from \$host to \$server lookup main;ip rule add from \$server to \$host lookup main;done;done | + | |
| - | EOF | + | |
| - | + | ||
| - | cat > /tmp/vpnroutedown.sh <<EOF | + | |
| - | #!/bin/sh | + | |
| - | for rule in \$(ip rule list |grep -v "all lookup"|awk -F ":" '{ print \$1 }');do ip rule delete pref \$rule;done | + | |
| - | EOF | + | |
| - | + | ||
| - | chmod 700 /tmp/vpnrouteup.sh | + | |
| - | chmod 700 /tmp/vpnroutedown.sh | + | |
| - | + | ||
| - | </code> | + | |
| - | + | ||
| - | ==== troubleshooting ==== | + | |
| - | + | ||
| - | bzzt. | + | |
| - | + | ||
| - | ===== Port Forwarding with PIA ===== | + | |
| - | + | ||
| - | [[https://www.privateinternetaccess.com/forum/index.php?p=/discussion/180/port-forwarding-without-the-application-advanced-users/p1|Here's the link with basic info.]] | + | |
| - | + | ||
| - | Setup Optware via the very handy [[http://tomatousb.org/tut:optware-installation|tutorial here]].  | + | |
| - | + | ||
| - | Install curl via ''ipkg install libcurl''. | + | |
| - | + | ||
| - | Add the following to Administration->Scripts->Init: | + | |
| - | <code> | + | |
| - | + | ||
| - | #Setup port forwarding client-ID | + | |
| - | head -n 100 /dev/urandom | md5sum | tr -d " -" > /tmp/pia_client_id | + | |
| - | + | ||
| - | </code> | + | |
| - | + | ||
| - | Setup a scheduled task that runs at least once per hour that contains: | + | |
| - | <code> | + | |
| - | + | ||
| - | pia_client_id=$(cat /tmp/pia_client_id) | + | |
| - | pia_user=$(head -1 /tmp/pia.txt) | + | |
| - | pia_pw=$(tail -1 /tmp/pia.txt) | + | |
| - | tun_inet=$(ifconfig $tun_iface|grep P-t-P|awk -F ':' '{ print $2 }'|awk -F ' ' '{ print $1 }') | + | |
| - | + | ||
| - | curl -d "user=$pia_user&pass=$pia_pw&client_id=$pia_client_id&local_ip=$tun_inet" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment >> /tmp/port_forward.txt | + | |
| - | + | ||
| - | </code> | + | |
| - | + | ||
| - | What's missing is the traffic needs to go out and back over the tunnel- ip rule add? | + | |