R7800 Voxel FW - IP Tables to bypass OpenVPN

kinakuta

Hi Voxel / everyone,

I just switched from DD-WRT to Voxel's latest FW on my R7800 and I'm pretty happy with the speed & overall performance.

That being said, I need to replicate the setup I had on my DD-WRT, which is a bypass of the VPN connection for certain IPs in my LAN.

I used to do that by using IP tables in my openvpn-up script, like so:

ip route add default via 192.168.1.1 table 10
ip rule add from 192.168.2.10 table 10
ip route flush cache
 
where 192.168.2.10 wants to bypass the vpn connection (192.168.2.1) and go directly through the main router's WAN interface (192.168.1.1).
 
But if I use that in the up script, I get an error and the openvpn client won't start: 

/etc/rc.common: kill: 90: (21004) - No such process

So is there anything special about this system that I need to be aware of? How can I add the routing for these IPs to bypass the VPN?

Any ideas? Voxel?

Best,

Martin

Voxel

Hi Martin,

It's difficult to say. You have to check the log file of the openvpn client: what is recorded there. Plus try to debug the /etc/init.d/openvpn-client start script (sh -x).

Voxel.

kinakuta

Hi Voxel,

thanks for your reply. Well, I checked the logs and the process just terminates. Somehow it seems there is a problem when I attempt to add the ip rule, so I wondered if there is another way or another place to do that. 

Does the vpn-firewall.sh get executed when the openvpn client starts or just for the server? 

Where would you add the firewall rules / ip tables for the vpn bypass?

Best,

Martin

kinakuta

Oh, and another thing. When I stop the openvpn client using /etc/init.d/openvpn stop, the routing seems not to be restored, because I don't have internet access anymore. I didn't change any of the default scripts, so somehow the routing seems to still go through the TUN interface, which is no longer there.

Best,

Martin

Voxel

Where would you add the firewall rules / ip tables for the vpn bypass?

Netgear has own firewall. Please check this explanation:

https://www.snbforums.com/threads/custom-firmware-build-for-r9000-v-1-0-...

It is for R9000, but it is the same for R7800. Probably you have to add your rules here: net-wall.

Oh, and another thing. When I stop the openvpn client using /etc/init.d/openvpn stop, the routing seems not to be restored, because I don't have internet access anymore. I didn't change any of the default scripts, so somehow the routing seems to still go through the TUN interface, which is no longer there.

When tested I did not have such problems. Connection was restored immediately after stop of vpn client. Perhaps it is some side effect of your changes. Also, some guys helped me to test this. And the same: restoring original direct connection after vpn client is ended.

Voxel.

Voxel

P.S. and note: if you are using Entware, its /opt/bin and /opt/sbin directories are in PATH before original. Just for info. I.e. maybe you run program from Entware, not from firmware.

Voxel.

kinakuta

Hi Voxel,

thank you for your replies. I'm not using Entware at the moment, as I only need the OpenVPN client for now. But I got it to work, setting the ip rules in the ovpnclient-up.sh script and using a sleep 30:

# ip list to bypass vpn
sleep 30
sudo ip route add default via 192.168.1.1 table main
sudo ip rule add from 192.168.2.10 table main
ip route flush cache
exit 0
 
And now it works just as intended :-)
 
Best,
Martin
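For readers who want to reproduce the bypass from this thread in a more robust form, here is an added example script; it is not from the thread and not part of Voxel's firmware. It follows Martin's first approach (a dedicated routing table rather than "table main"): the bypass hosts get an ip rule with an explicit priority that is consulted before the main table, so it works no matter what routes the OpenVPN client has already installed there, and the "sleep 30" workaround is not needed. The gateway 192.168.1.1, table id 10 and host 192.168.2.10 are taken from the thread; the rule priority 1000, the environment-variable names, the function names and the "plan" mechanism are my own assumptions. The plan_* functions only print the commands, so the logic can be reviewed and tested without root; "up" and "down" execute them.

```shell
#!/bin/sh
# Added example, not code from the thread or from Voxel's firmware.
# Policy-routing VPN bypass for selected LAN hosts: their packets are
# looked up in a private routing table whose only route is a default
# via the WAN gateway, so they never reach the tun routes the OpenVPN
# client puts into the main table. All values below are constructed
# assumptions for this example; override them in the environment.

WAN_GW="${WAN_GW:-192.168.1.1}"               # upstream router, as in the thread
BYPASS_TABLE="${BYPASS_TABLE:-10}"            # private table id (1-252), as in the thread
RULE_PRIO="${RULE_PRIO:-1000}"                # lower number = consulted before main (32766)
BYPASS_HOSTS="${BYPASS_HOSTS:-192.168.2.10}"  # space-separated LAN hosts that bypass the VPN

# plan_up prints the commands that bring the bypass up (for the OpenVPN up hook).
plan_up() {
  # 'replace' instead of 'add' so a second run does not fail with "File exists"
  echo "ip route replace default via $WAN_GW table $BYPASS_TABLE"
  for h in $BYPASS_HOSTS; do
    # del-then-add keeps the script idempotent: no duplicate rules after restarts
    echo "ip rule del from $h table $BYPASS_TABLE priority $RULE_PRIO 2>/dev/null || true"
    echo "ip rule add from $h table $BYPASS_TABLE priority $RULE_PRIO"
  done
  echo "ip route flush cache"
}

# plan_down prints the commands that undo plan_up (for the OpenVPN down hook),
# so nothing stale points at the private table once the client has stopped.
plan_down() {
  for h in $BYPASS_HOSTS; do
    echo "ip rule del from $h table $BYPASS_TABLE priority $RULE_PRIO 2>/dev/null || true"
  done
  echo "ip route flush table $BYPASS_TABLE"
  echo "ip route flush cache"
}

# count_rules: how many 'ip rule add' lines the up plan contains (one per host)
count_rules() { plan_up | grep -c '^ip rule add'; }

# verify_bypass checks the live rule list on the router for every host;
# returns non-zero if any host is missing (needs a real router, not a test box).
verify_bypass() {
  for h in $BYPASS_HOSTS; do
    ip rule show | grep -q "from $h .*lookup $BYPASS_TABLE" || return 1
  done
}

case "${1:-}" in
  up)   plan_up   | sh -e ;;
  down) plan_down | sh -e ;;
  plan) plan_up ;;
  *)    ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Run it as "sh bypass.sh plan" to see the exact commands before trusting it, then call it with "up" from the client's up hook and with "down" from the down hook. Note that OpenVPN runs the --up hook before it installs its own routes and the --route-up hook after; with a separate table and an explicit rule priority that order does not matter, which is why no sleep is needed. To confirm a host really leaves via the WAN and not the tunnel, check on the router with "ip route get 1.1.1.1 from 192.168.2.10 iif <lan-interface>" (the interface name is whatever your LAN bridge is called) and expect the answer to show the WAN gateway rather than a tun device; traffic from those hosts is of course no longer protected by the VPN.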

Voxel

Congratulations!

Voxel.