Policy-based routing to let only specific IPs through PIA VPN

DD-WRT Forum Index -> Broadcom SoC based Hardware
dragonC
DD-WRT User


Joined: 23 May 2015
Posts: 272

PostPosted: Tue Apr 11, 2017 15:36    Post subject: Policy-based routing to let only specific IPs through PIA VPN
Hi all,

I would like to only route specific IPs through the PIA VPN -- primarily to retain access to remote WebIF management, SSH, and my own OpenVPN server.

I learned that the Policy Based Routing field on the OpenVPN Client config page is where I should go, and I have it set up as below:

Additional Config:
persist-key
persist-tun
tls-client
remote-cert-tls server

Policy Based Routing:
192.168.1.101/32

Other VPN client setup follows PIA's own instructions:
https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn

However, I am not able to route the 192.168.1.101 address through the VPN this way. If I leave Policy Based Routing empty, **everything** goes through the VPN.

I have done forum and Google searches on the topic but cannot find a viable solution. Any advice would be appreciated!

Thanks in advance~
dragonC
DD-WRT User


Joined: 23 May 2015
Posts: 272

PostPosted: Tue Apr 11, 2017 20:44    Post subject:
Any luck someone may know something?
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Wed Apr 12, 2017 14:38    Post subject:
Wait,
what are you having an issue with?

It sounds like you do not understand how VPNs work.
VPN = Virtual Private Network.
As the name implies, it is another network...
Hence traffic going over the VPN interface will have a different private IP address, which for VPNs is normally something like 10.10.8.x.

There is absolutely no way to access your LAN IP scope from outside over the VPN. As long as you're a client on the VPN (not the server), you have 0 control over what and how the VPN responds to external traffic trying to come in.

VPNs use NAT/PAT just like your router. The biggest difference is that you do not have the ability (as a client) to do port redirects from the outside world back to your network over the VPN tunnel.

If I have failed to understand your issue please clearly explain what you are doing and what behavior you believe you should be seeing vs. what you are seeing.

_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode

R7000 specific Tips/Tricks.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=264152
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Thu Apr 13, 2017 15:17    Post subject:
@Slidermike is right, but if you use PBR then the default gateway is the WAN and your router can be accessible from the outside.

If I understand correctly then using PBR does not route through the VPN, I am also on PIA and using policy based routing which does work.

I used the same instructions and 192.168.101/32 is the right way to get this IP address routed via the VPN

Things I can think of:
1. What router/build are you using? I am on Kong 31780 (Netgear R6400); some BS builds have had problems, so if you are on a BS build try the latest.
2. The IP address is (presumably) in the DHCP scope; set a static lease for your client outside the scope, put that in the PBR field, and test with ipleak.net.
3. If this does not help, post your question and the following items in the Advanced Networking forum:

- OpenVPN config and status page
- from the command prompt:
  - route -n
  - ip rule list
  - ip route show table 10

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
dragonC
DD-WRT User


Joined: 23 May 2015
Posts: 272

PostPosted: Fri Apr 14, 2017 13:46    Post subject:
egc wrote:
@Slidermike is right, but if you use PBR then the default gateway is the WAN and your router can be accessible from the outside.

If I understand correctly then using PBR does not route through the VPN, I am also on PIA and using policy based routing which does work.

I used the same instructions and 192.168.101/32 is the right way to get this IP address routed via the VPN

Things I can think of
1. What router/build are you using? I am on Kong 31780 (netgear R6400), some BS builds have had problems, if you are on BS builds try the latest
2. The IP address is in the DHCP scope (presumably) for your client set a static lease outside the scope and put that in the PBR field, test with ipleak.net
3. If this does not help then post your question and the following items in the advanced networking forum

-OpenVPN config and status page
from the command prompt:
- route -n
- ip rule list
- ip route show table 10


Thank you egc, I managed to make it work this time, with almost exactly the same configuration. The only things I can think of that *may* be different are:

1. Setup > Basic Setup > Network Setup: I set "Local DNS" to 0.0.0.0 (previously I may have had it on the router's IP)

2. Services > Services > DNSMasq: disable "Encrypt DNS", "Local DNS" + enable "Query DNS in Strict Order".

3. This may be a KEY difference -- I had Privoxy enabled before, and I have it disabled this time.


The next thing I am still trying to achieve (probably not viable through the GUI PBR) is to route only my Transmission torrent client through VPN -- that would mean only routing traffic from/to my router IP __THROUGH__ specific port, but leave other traffic through the router IP on WAN... is that even possible?
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Mon Apr 17, 2017 13:19    Post subject:
Is this the transmission client on the router itself or running on another machine?

When dealing with applications that need to be routed over the VPN, you can still use PBR, but you'll want to bind the application in question to a specific IP address that's in the VPN policy. Not all applications support this, though, and you'll want to make sure the application will obey the bind, otherwise you'll get leaks.

https://blog.ipredator.se/howto/restricting-transmission-to-the-vpn-interface-on-ubuntu-linux.html

If it's the Transmission client on the router, you shouldn't just place the IP of the router into the PBR list, otherwise you'll encounter a "bug" in the routing table which will get you locked out and mess up your internet access.

I'm not familiar with the Transmission daemon built into DD-WRT, but if the config allows you to bind to a specific IP that's not the router's primary IP, you'll achieve it that way. You don't have to worry about ports in this case, as the source IP will match the VPN policy.

You'll need to add a secondary IP address to your router and make sure it's in your startup script, otherwise it will be lost on a reboot. Something like this should work:

Code:
ip addr add 192.168.1.x dev br0

_________________
James

Main router:

Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac

IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset

Easy ipset support for the R7000

VPN speed: Download: 77.96 Mbps Upload: 5.00 Mbps (AES-128-CBC HMAC-SHA1)

Yes you can get 50 Mbps+ with OpenVPN on a R7000 if you configure it properly!

Previous routers:

ASUS RT-N66U - The Dark Knight
WNR2000v3 - Bought on the cheap for someone else, neutered crap
WNR3500Lv1 - First venture into the DD-WRT world
slappy2
DD-WRT Novice


Joined: 24 Jul 2017
Posts: 3

PostPosted: Thu Jul 27, 2017 17:46    Post subject:
Hi, I have my R7000 running the onboard Transmission torrent client. How can I set my VPN only for the torrent client on the router?
The IP of the router is 192.168.1.1.

STEVE
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Thu Jul 27, 2017 19:06    Post subject:
As above. Ideally you'll want the Transmission client to bind to an IP that isn't the default router IP e.g. 192.168.1.1. If you add a secondary IP to your router and edit the transmission config to bind to it, you can then place it in the PBR table.

I can't remember if the transmission client setup within DD-WRT allows you to do it. Maybe someone else can confirm?

Don't however just add 192.168.1.1 or you will have a bad time!

kfrank1240
DD-WRT Novice


Joined: 26 Aug 2017
Posts: 6

PostPosted: Fri Sep 15, 2017 21:16    Post subject:
I was having trouble getting my Ring Video Doorbell to work (black screen and a little sound) after I added the doorbell to my new network where I use DD-WRT along with the PIA VPN. After much time reading and searching, I noticed that alongside the Open VPN Client section of DD-WRT, it tells you to add the IP address of the device you want to force to use the VPN tunnel and the subnet mask. I followed the instructions and my video doorbell started working straight away. I could not believe it. Even the Ring level 2 support did not know how to fix my issue. Perhaps it will work for you also. The input must be entered as directed in the help instructions in the Open VPN Client section, IP address/subnet mask. Each device's information must be on a separate line.
Linksys Wrt 3200 ACM
DD-WRT version 33215
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Sat Sep 16, 2017 9:29    Post subject:
Be sure to disable SFE, otherwise PBR will not work.
What you did by adding something in the PBR field is making your WAN the default route to your ISP, so that your doorbell takes the normal (ISP) route and does not go through your VPN.
You can also enter a range in your PBR field by using an IP to CIDR calculator: http://www.ipaddressguide.com/cidr

kfrank1240
DD-WRT Novice


Joined: 26 Aug 2017
Posts: 6

PostPosted: Sun Sep 17, 2017 1:29    Post subject:
Thank you egc, I did not realize what I had done by putting something in the policy based routing field. If I disable the SFE, will my traffic be routed through the VPN instead of the ISP gateway even if I have an IP address and subnet mask in the policy based routing section?

Linksys Wrt 3200 ACM
DD-WRT version 33215
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Sun Sep 17, 2017 9:39    Post subject:
All IP addresses in the PBR field are routed through your VPN, but if you enable SFE these IP addresses are not routed at all; this is a bug, so disable SFE.

If you want to route almost all traffic through your VPN, and supposing your router is on 192.168.1.1 and the DHCP range is 100-150, then enter the following in your PBR field to route 192.168.1.100 - 192.168.1.150:

192.168.1.100/30
192.168.1.104/29
192.168.1.112/28
192.168.1.128/28
192.168.1.144/30
192.168.1.148/31
192.168.1.150/32

If you want to route your doorbell through your ISP, give it a static lease outside your DHCP range (static leases are on the Services/Services tab under Static Leases).

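The CIDR list above and the `ip rule list` / table 10 diagnostics egc asked for earlier are easy to get wrong by hand. The following is an added example (not code from the thread or from DD-WRT): it computes the minimal aligned CIDR blocks for a DHCP range and checks a captured `ip rule list` for entries that have no rule pointing at the PBR table. It assumes DD-WRT installs one `from <source> lookup 10` rule per PBR entry, and the `ip rule` output is constructed sample data.

```python
import ipaddress
import re

# Constructed sample of `ip rule list` output (assumption: DD-WRT's PBR adds one
# "from <source> lookup 10" rule per field entry; only one is present here).
SAMPLE_IP_RULE = """\
0:      from all lookup local
32765:  from 192.168.1.100/30 lookup 10
32766:  from all lookup main
32767:  from all lookup default
"""
IP_RULE_RE = re.compile(r"^\s*\d+:\s+from\s+(\S+)\s+lookup\s+(\S+)")

def range_to_cidrs(first: str, last: str) -> list[str]:
    """Minimal aligned CIDR blocks covering first..last inclusive (greedy:
    each block is the largest power-of-two size aligned at the current
    address that does not run past `last`)."""
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if cur > end:
        raise ValueError("first address is after last address")
    blocks = []
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        prefix = 33 - size.bit_length()  # size 1 -> /32, 2 -> /31, 4 -> /30 ...
        blocks.append(f"{ipaddress.IPv4Address(cur)}/{prefix}")
        cur += size
    return blocks

def pbr_sources(ip_rule_output: str, table: str = "10") -> set[str]:
    """Source prefixes that `ip rule list` sends to the PBR routing table."""
    found = set()
    for line in ip_rule_output.splitlines():
        m = IP_RULE_RE.match(line)
        if m and m.group(2) == table:
            # ip prints host rules without /32; normalise so a.b.c.d == a.b.c.d/32
            found.add(str(ipaddress.ip_network(m.group(1))))
    return found

def missing_rules(expected: list[str], ip_rule_output: str, table: str = "10") -> list[str]:
    """PBR field entries with no matching `ip rule`, i.e. hosts NOT sent via the VPN."""
    present = pbr_sources(ip_rule_output, table)
    return [c for c in expected if str(ipaddress.ip_network(c)) not in present]

if __name__ == "__main__":
    wanted = range_to_cidrs("192.168.1.100", "192.168.1.150")
    print("\n".join(wanted))  # the seven lines from the post above
    print("not policy-routed:", missing_rules(wanted, SAMPLE_IP_RULE))
```

Run the last check against the real `ip rule list` output from the router; with SFE enabled (the bug egc describes) every entry shows up as missing, which is the leak to look for.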
kfrank1240
DD-WRT Novice


Joined: 26 Aug 2017
Posts: 6

PostPosted: Tue Sep 19, 2017 23:11    Post subject:
Egc, Thank you for the helpful information. I appreciate your efforts.
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 210

PostPosted: Sat Oct 20, 2018 23:58    Post subject:
dragonC wrote:
egc wrote:
@Slidermike is right, but if you use PBR then the default gateway is the WAN and your router can be accessible from the outside.

If I understand correctly then using PBR does not route through the VPN, I am also on PIA and using policy based routing which does work.

I used the same instructions and 192.168.101/32 is the right way to get this IP address routed via the VPN

Things I can think of
1. What router/build are you using? I am on Kong 31780 (netgear R6400), some BS builds have had problems, if you are on BS builds try the latest
2. The IP address is in the DHCP scope (presumably) for your client set a static lease outside the scope and put that in the PBR field, test with ipleak.net
3. If this does not help then post your question and the following items in the advanced networking forum

-OpenVPN config and status page
from the command prompt:
- route -n
- ip rule list
- ip route show table 10


Thank you egc, I managed to make it work this time, with almost exact configuration. The only things I could think of *may* be different are:

1. Setup > Basic Setup > Network Setup: I set "Local DNS" to 0.0.0.0 (previously I may have had it on the router's IP)

2. Services > Services > DNSMasq: disable "Encrypt DNS", "Local DNS" + enable "Query DNS in Strict Order".

3. This may be a KEY difference -- I had Privoxy enabled before, and I have it disabled this time.


The next thing I am still trying to achieve (probably not viable through the GUI PBR) is to route only my Transmission torrent client through VPN -- that would mean only routing traffic from/to my router IP __THROUGH__ specific port, but leave other traffic through the router IP on WAN... is that even possible?


To route Transmission over the VPN while using PBR: bind Transmission to the local VPN IP, and add said IP to the PBR table, which should be 10.

Look at my post https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313661&start=30 for ideas and help.

slappy2 wrote:
Hi, I have my r7000 running onboard transmission torrent. How can i set my vpn only for the torrent on the router.
The ip of the router is 192.168.1.1.

STEVE


Look at my post https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313661&start=30