

"Split" VPN routing with OpenWRT/Tomato

Original on-the-fly Notes

The point of this is to route traffic from specific LAN IP addresses (my NAS) through an OpenVPN connection on a router running OpenWRT/Tomato firmware. I'm also running “tinyproxy” on the NAS so that an individual browser on my own workstation can be configured to go through the VPN as well.

I've never used awk before and didn't devote a lot of time to these scripts, so save your judgement please.

Optware

Prerequisite: get optware installed and mounted automatically on boot.

Under USB support, enable the option “Automatically mount all partitions to sub-directories in /mnt”.

Set the USB Run after mounting script:

if [ -d /mnt/optware ]; then
  mount -o bind /mnt/optware /opt
fi

Contents of Administration→Scripts→Init:

#Mount optware
echo "LABEL=optware /opt ext3 defaults 1 1" >> /etc/fstab
# with the fstab entry in place, mount only needs the mount point
/bin/mount /opt

These are the packages I have installed:

ipkg-opt - 0.99.163-10 - The Itsy Package Manager
libcurl - 7.24.0-1 - Curl is a command line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FI
libidn - 1.25-1 - GNU Libidn is an implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domai
netcat - 1.10pl32-5 - TCP/IP swiss army knife.
openssl - 0.9.7m-6 - Openssl provides the ssl implementation in libraries libcrypto and libssl, and is needed by many other applications and librari
uclibc-opt - 0.9.28-13 - micro C library for embedded Linux systems
wget-ssl - 1.12-2 - A network utility to retrieve files from the Web
zlib - 1.2.5-1 - zlib is a library implementing the 'deflate' compression system.

OpenVPN settings

  • Ensure the option “Create NAT on tunnel” is checked
  • Advanced settings:
persist-key
persist-tun
tls-client
auth-user-pass /opt/etc/pia/pia.txt
comp-lzo
verb 1
reneg-sec 0
route-noexec
route-up /opt/etc/scripts/vpnrouteup.sh
down /opt/etc/scripts/vpnroutedown.sh

pia.txt holds the VPN username on the first line and the password on the second; it is stored in clear text, so keep it readable by root only. Because route-up and down call external scripts, OpenVPN 2.1 and later also need script-security 2 in the configuration for them to run at all.

VPN Scripts

The vpnrouteup.sh script fills a second routing table (table 10) with ip route and adds ip rule entries so that traffic from the LAN IPs listed in “vpndhosts” (space delimited) is looked up in that table and therefore sent through the VPN connection. It then calls a script to request a forwarding port from my VPN provider, and then a script to update the Transmission client config that's running on the NAS.

I don't remember why I needed to use my ISP's DNS servers over the VPN's DNS servers, but there must be a good reason. Maybe it was because I couldn't figure out how to dynamically update the /etc/resolv.conf file on my NAS. If you don't need to use your ISP's DNS, comment out the third for loop.

Contents of vpnrouteup.sh:

#!/bin/sh
# Resolve the VPN provider's web site so the port-forward request below also
# goes through the tunnel (busybox nslookup prints "Address 1: x.x.x.x" lines)
privateinternetaccess=$(nslookup www.privateinternetaccess.com |grep ^A |tail -1 |awk '{ print $3 }')
# LAN hosts to send through the VPN (space delimited) and the ISP's DNS servers
vpndhosts="192.168.xxx.xxx"
dnsservers="89.xxx.xxx.xxx 89.xxx.xxx.xxx"
# OpenVPN exports the tunnel device name as $dev to route-up scripts; fall back
# to ifconfig if it is missing ("grep tun" can match several interfaces on Tomato)
tun_iface=${dev:-$(ifconfig|grep tun|awk '{ print $1 }')}
# Local and point-to-point addresses from the "inet addr:...  P-t-P:..." line
tun_inet=$(ifconfig "$tun_iface"|grep P-t-P|awk -F ':' '{ print $2 }'|awk '{ print $1 }')
tun_ptp=$(ifconfig "$tun_iface"|grep P-t-P|awk -F ':' '{ print $3 }'|awk '{ print $1 }')
tun_gw=$(echo "$tun_inet" |awk -F '.' '{print $1"."$2"."$3".1"}')
tun_net=$(echo "$tun_inet" |awk -F '.' '{print $1"."$2"."$3".0/24"}')
# bail out rather than adding routes with empty addresses
[ -n "$tun_ptp" ] || { echo "vpnrouteup: no P-t-P address on $tun_iface" >&2; exit 1; }
# Table 10: default route via the tunnel (two /1 halves, OpenVPN's def1 style)
ip route add 0.0.0.0/1 via "$tun_ptp" dev "$tun_iface" table 10
ip route add 128.0.0.0/1 via "$tun_ptp" dev "$tun_iface" table 10
ip route add "$tun_gw" via "$tun_ptp" dev "$tun_iface" metric 1 table 10
# The tunnel subnet, the VPN provider and the listed LAN hosts use table 10
ip rule add from "$tun_net" table 10
ip rule add to "$tun_net" table 10
for host in $privateinternetaccess;do ip rule add from $host table 10;ip rule add to $host table 10;done
for host in $vpndhosts;do ip rule add from $host table 10;done
# DNS to the ISP's servers stays on the main table. Each "ip rule add" without a
# pref gets a lower number (higher priority) than the previous one, so these go
# last to be matched first.
for host in $vpndhosts;do for server in $dnsservers;do ip rule add from $host to $server lookup main;ip rule add from $server to $host lookup main;done;done

/opt/etc/scripts/port_forward_update.sh
/opt/etc/scripts/transmission_port_update.sh
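The address parsing and rule planning above can be tested without a router. The block below is an added example, not part of the original notes or of any firmware: it reproduces what vpnrouteup.sh does as a dry run that prints the ip route / ip rule commands instead of executing them, and it refuses to continue when there is not exactly one tun interface (the case where the one-liners in the script would otherwise produce empty variables). The function names (ptp_from_ifconfig, plan_vpn_rules, plan_from_ifconfig), the ifconfig text and the 10.9.0.0/24 and 89.0.0.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: a dry-run version of the
# address parsing and rule planning that vpnrouteup.sh does, handling the
# cases its one-liners do not (no tun interface up yet, or more than one).
# The function names and the ifconfig text below are constructed for this
# example; 10.9.0.0/24 is just OpenVPN's default pool, not a real server.

# Constructed busybox-style ifconfig output for one tun interface.
SAMPLE_IFCONFIG='tun11     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.9.0.6  P-t-P:10.9.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# ptp_from_ifconfig IFCONFIG_TEXT
# Prints "iface inet ptp gw net" (gw = .1 of the tunnel /24, as in the
# original script). Returns 1 unless exactly one tun interface with a
# P-t-P line is present, so a caller never reaches "ip route add ... via"
# with empty variables.
ptp_from_ifconfig() {
    printf '%s\n' "$1" | awk '
        /^tun[0-9]+/ { iface = $1; n++ }
        /P-t-P:/ {
            # f[2] = "10.9.0.6  P-t-P", f[3] = "10.9.0.5  Mask"
            split($0, f, ":"); split(f[2], a, " "); split(f[3], b, " ")
            inet = a[1]; ptp = b[1]
        }
        END {
            if (n != 1 || inet == "" || ptp == "") exit 1
            split(inet, o, ".")
            printf "%s %s %s %s.%s.%s.1 %s.%s.%s.0/24\n",
                   iface, inet, ptp, o[1], o[2], o[3], o[1], o[2], o[3]
        }'
}

# plan_vpn_rules IFACE PTP GW NET "LAN_HOSTS" "DNS_SERVERS" ["VPN_SERVER_IPS"]
# Prints the commands the up script runs, one per line, without executing
# them; on the router, "plan_vpn_rules ... | sh" as root would apply them.
plan_vpn_rules() {
    iface=$1; ptp=$2; gw=$3; net=$4; hosts=$5; dns=$6; vpnsrv=$7
    # table 10: default route via the tunnel (two /1 halves, OpenVPN def1 style)
    echo "ip route add 0.0.0.0/1 via $ptp dev $iface table 10"
    echo "ip route add 128.0.0.0/1 via $ptp dev $iface table 10"
    echo "ip route add $gw via $ptp dev $iface metric 1 table 10"
    echo "ip rule add from $net table 10"
    echo "ip rule add to $net table 10"
    for h in $vpnsrv; do
        echo "ip rule add from $h table 10"
        echo "ip rule add to $h table 10"
    done
    for h in $hosts; do echo "ip rule add from $h table 10"; done
    # "ip rule add" without a pref gets a lower number (= higher priority)
    # than the previous rule, so the DNS exceptions go last to be matched first.
    for h in $hosts; do
        for s in $dns; do
            echo "ip rule add from $h to $s lookup main"
            echo "ip rule add from $s to $h lookup main"
        done
    done
}

# plan_from_ifconfig IFCONFIG_TEXT "LAN_HOSTS" "DNS_SERVERS": glue the two together.
plan_from_ifconfig() {
    parsed=$(ptp_from_ifconfig "$1") || {
        echo "expected exactly one tun interface; leaving routing alone" >&2
        return 1
    }
    set -- $parsed "$2" "$3"   # $1 iface $2 inet $3 ptp $4 gw $5 net $6 hosts $7 dns
    plan_vpn_rules "$1" "$3" "$4" "$5" "$6" "$7"
}

plan_from_ifconfig "$SAMPLE_IFCONFIG" "192.168.1.10" "89.0.0.1 89.0.0.2"
```

Feeding the sample through prints ten commands in the same order as the script above; feeding it Ethernet-only output, or two tun blocks, prints nothing and returns 1, which is the behaviour you want from a route-up hook before it touches the kernel tables.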

Contents of vpnroutedown.sh:

#!/bin/sh
# Delete every policy rule except the kernel defaults ("from all lookup local/main/default"),
# which is everything vpnrouteup.sh added, then clear what is left of table 10
for rule in $(ip rule list |grep -v "all lookup"|awk -F ":" '{ print $1 }');do ip rule delete pref "$rule";done
ip route flush table 10

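The down script's "delete everything that is not a default rule" works as long as nothing else on the router adds policy rules. The block below is an added example, not from the original notes: it parses constructed "ip rule list" output, keeps the kernel's three default rules by preference number (0, 32766, 32767) instead of by the "all lookup" text match, and only removes rules that point at table 10 or are the "lookup main" DNS exceptions, so a rule owned by another script (the 32765 line in the sample) survives. The function names and the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: choose which policy rules
# vpnroutedown.sh should remove from "ip rule list" output. The kernel's
# three default rules (pref 0 local, 32766 main, 32767 default) are kept
# by number, and only rules that point at table 10 or at the "lookup main"
# DNS exceptions are removed, so a rule some other script added survives.
# Function names and the sample listing are constructed for this example.

# Constructed "ip rule list" output after vpnrouteup.sh has run, plus one
# unrelated rule (32765) that a different script might own.
SAMPLE_RULES='0:	from all lookup local
32759:	from 89.0.0.2 to 192.168.1.10 lookup main
32760:	from 192.168.1.10 to 89.0.0.2 lookup main
32761:	from 192.168.1.10 lookup 10
32762:	from all to 10.9.0.0/24 lookup 10
32763:	from 10.9.0.0/24 lookup 10
32765:	from 192.168.1.20 lookup 20
32766:	from all lookup main
32767:	from all lookup default'

# rules_to_delete RULE_LIST_TEXT: prints the prefs to delete, one per line
rules_to_delete() {
    printf '%s\n' "$1" | awk -F ':' '
        $1 == 0 || $1 == 32766 || $1 == 32767 { next }      # kernel defaults
        /lookup 10$/ || / to [0-9.]+ lookup main$/ { print $1 }
    '
}

# teardown_commands RULE_LIST_TEXT: the commands the down script would run
teardown_commands() {
    rules_to_delete "$1" | while read -r pref; do
        echo "ip rule delete pref $pref"
    done
    # routes in table 10 disappear with the tun device, but flush explicitly
    echo "ip route flush table 10"
}

teardown_commands "$SAMPLE_RULES"
```

On the router the same selection would be `ip rule list | ...` piped into the function, and the printed commands run as root; printing them first is a cheap way to confirm that a firmware upgrade has not changed the listing format before the script starts deleting rules.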
unix/networking/openwrt_routing.1398847416.txt.gz · Last modified: 2014/04/30 04:43 by ben