VPN Client: policy based routing

Sky1111

Guys who understand the matter - can you please educate me?


I am reading this : <http://www.dd-wrt.com/wiki/index.php/OpenVPN>

Policy based Routing
allow only special clients to use the tunnel. Add IPs in the form 0.0.0.0/0 to force clients to use the tunnel as default gateway. One line per IP.

So let's say I want only 192.168.1.125 and 192.168.1.130 to go through the tunnel, and I put this in the 'Policy Based Routing' window:

192.168.1.125/0

192.168.1.130/0

is that correct?

What if I want the opposite - exclude a specific IP from VPN tunnel - what do I do?


thanks in advance!


kallsop

You would need to add:

192.168.1.125/32
192.168.1.130/32

to have only those 2 IPs go through the VPN. Anything not in the Policy Based Routing list is excluded, so in principle you can't explicitly specify an exclude range. But you can specify the opposite and achieve the same thing, e.g. to exclude only 192.168.0.32 through 192.168.0.63:

192.168.0.0/27
192.168.0.64/26
192.168.0.128/25

Sky1111

kallsop said: You would need to add: 192.168.1.125/32 192.168.1.130/32 to have only those 2 IPs go through VPN. Anything not in the Policy Based Routing is excluded, so in principle, you can't explicitly specify an exclude range. But you can specify the opposite and achieve the same thing e.g. to exclude only 192.168.0.32 through 192.168.0.63: 192.168.0.0/27 192.168.0.64/26 192.168.0.128/25

thanks kallsop - but can you please explain the logic behind the numbers?

Does the /32 flag mean this address goes through the VPN? OK, but to exclude the range from .32 to .63, why did you list 3 IP addresses with different flags?

I am terribly sorry if I am asking obvious questions - but I looked at the relevant pages and they are not clear to me - I'm missing some basics, I suppose...

Sky1111

Holy smokes - I did that /32 and it works!!!!!
THANK YOU!!!!!!!!!!

kallsop

Great. Read up on CIDR to understand the / numbering, e.g. http://software77.net/cidr-101.html

The /32 means that all 32 bits of the IP address are used to specify the used IP address, with no bits for the range, so there is no range at all. A CIDR of e.g. 192.168.0.32/27 means that 27 bits of the IP address are used, and the remaining 32 - 27 = 5 bits determine the range. 2 to the power 5 is 32, so the range is 32, and the IP range is then 192.168.0.32 through 192.168.0.63 inclusive.
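As an added illustration (not code from this thread or from DD-WRT), the script below uses Python's standard ipaddress module to do the CIDR arithmetic kallsop describes: expand a prefix into its first and last address and size, turn an "exclude this range" wish into the complementary include list that an include-only policy box needs, and check which source IPs a given policy would send through the tunnel. Function names and the sample LAN are my own.

```python
import ipaddress


def cidr_range(cidr):
    """Return (first, last, size) for a prefix, e.g. 192.168.0.32/27 -> (.32, .63, 32).

    size is 2 ** (32 - prefix length): a /27 leaves 5 host bits, so 32 addresses;
    a /32 leaves none, so it names exactly one host.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # reject prefixes with host bits set
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def policy_routes_excluding(lan, *excluded):
    """Express 'all of `lan` except `excluded`' as a list of CIDR blocks to include.

    The policy-based-routing box only takes addresses to send through the tunnel,
    so an exclusion is written as the complement inside the LAN. Each exclusion is
    subtracted in turn with address_exclude(); the result is the smallest set of
    aligned blocks covering what is left.
    """
    remaining = [ipaddress.ip_network(lan)]
    for ex in excluded:
        ex_net = ipaddress.ip_network(ex)
        nxt = []
        for block in remaining:
            if ex_net.subnet_of(block):
                nxt.extend(block.address_exclude(ex_net))  # carve the hole out
            elif block.subnet_of(ex_net):
                continue  # whole block is inside the exclusion: drop it
            else:
                nxt.append(block)  # no overlap: keep as-is
        remaining = nxt
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]


def is_tunneled(ip, policy):
    """True if `ip` matches any prefix in `policy`, i.e. it would use the VPN.

    strict=False mimics a router masking off host bits, which is why a typo
    such as 192.168.1.125/0 quietly becomes 0.0.0.0/0 and matches every host.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in policy)


if __name__ == "__main__":
    # Constructed example: a /24 LAN with the .32-.63 range kept off the tunnel
    print(cidr_range("192.168.0.32/27"))
    print(policy_routes_excluding("192.168.0.0/24", "192.168.0.32/27"))
```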

Sky1111

kallsop said: Great. Read up on CIDR to understand the / numbering e.g. http://software77.net/cidr-101.html The /32 means that all 32 bits of the IP address are used to specify the used IP address, with no bits for the range, so there is no range at all. A CIDR of e.g. 192.168.0.32/27 means that 27 bits of the IP address are used, and the remaining 32 - 27 = 5 bits determine the range. 2 to the power 5 is 32, so the range is 32, and the IP range is then 192.168.0.32 through 192.168.0.63 inclusive.

thanks!

kamaaina

Sky, does this mean you figured out how to exclude a few boxes from the VPN connection? E.g. if I wanted to exclude the OBI adapter from the VPN tunnel? That would be awesome and eliminate the GW router before the R7000. Now I don't see that in the Tomato menu, I might have to hop back if that works.

Sky1111

kamaaina said: Sky, does this mean you figured out how to exclude a few boxes from the VPN connection? E.g. if I wanted to exclude the OBI adapter from the VPN tunnel? That would be awesome and eliminate the GW router before the R7000. Now I don't see that in the Tomato menu, I might have to hop back if that works.

I only figured out how to put 5 specific IP addresses on the VPN; the rest goes in bypass mode.

Many devices on my network have static IP addresses assigned, so it is easy.

Clifford Commanda

Is there a way to filter by other options than source IP?

I would like all the traffic of the router itself, and all clients, going through the VPN tunnel except port 21 (FTP server on the router) and DDNS updates. For DDNS updates I would like to specify destination IPs to be excluded, and for FTP I would like to exclude ports 20 and 21.

kamaaina

That's a good point, I have some issues with SFTP and FTP when the VPN is on. Would be great to exclude that when accessing web servers.
