OpenVPN and excluding IP/MAC address from VPN routing

zimo · 2017-05-08T19:13:45.000Z

@hansome could we just customise /vpnfirewall and keep force VPN?

Thinking it may be problematic (insecure) to disable force VPN?

hansome · 2017-05-08T23:24:31.000Z

In current design, force vpn means the traffic to Internet only go through tun0 inferface even when you lost openvpn connetion. But as long as the default route via tun0 (which has metric 0) exists, you Internet traffic go through tun0 by default except traffic to wlan-sta subnet. In my test result, the tun0 and conresponding route do NOT disappear when I cut openvpn. So the worst case is openvpn process aborted, that’s when the tun0 goes down and Force VPN take effect.

As you pointed it, Force vpn option is buggy to some extend. We are considering to make some tweak.
So you are secure as long as openvpn process running.

kennypowers · 2017-05-28T03:40:45.000Z

Hi All,

Looking to do this now myself I have one device I don’t want traffic to go over VPN, could someone tell me where you enter these settings?

Thank you.

kennypowers · 2017-05-28T17:51:07.000Z

Would it also be possible to just have one device/ip use the VPN all all other traffic routed as normal?

alzhao · 2017-05-29T09:58:04.000Z

Yes. It is possible. Need to use iptables.

@hansome can give you some command.

hansome · 2017-05-29T20:21:42.000Z

First disable forcevpn at web UI, then SSH to device and run:

IP address not go vpn:
iptables -I PREROUTING -t mangle -i br-lan -s <ipaddr> -j MARK --set-mark 5
ip rule add fwmark 5 lookup 5 pref 2005
ip route | while read -r rule;do
if [ -z “echo $rule | grep tun0” ]; then
ip route add $rule table 5
fi
done

Only IP address go vpn:
iptables -I PREROUTING -t mangle -i br-lan ! -s <ipaddr> -j MARK --set-mark 5
ip rule add fwmark 5 lookup 5 pref 2005
ip route | while read -r rule;do
if [ -z “echo $rule | grep tun0” ]; then
ip route add $rule table 5
fi
done

glitch · 2017-05-29T21:47:03.000Z

Where does the router store this info (ie. what directory/file)?

taoiseach · 2018-03-24T20:28:17.690Z

Hello,

Thats exactly what I need, but the commands dont work on my router. I have installed the 2.264 firmware. I get a message that it couldnt fount a file or directory when I enter these commands…
I will get the error when I hit the done command

alzhao · 2018-03-25T04:49:26.827Z

Can you post the error message?

tomei · 2018-06-03T10:01:58.981Z

I entered those commands in ssh in router and got these error messages

grep: ]: No such file or directory
-ash: missing ]

I am trying to exclude my laptop from vpn.

EDIT: I am using a GL-AR 750 will this affect the commands?

alzhao · 2018-06-04T04:55:22.552Z

Pls check then double quota. It is changed by html.

Fenestra · 2019-03-13T06:17:43.181Z

Hi,

I have a GL iNet MiFi on the latest firmware and I need to route a single IP through OpenVPN to get VoIP to work over my mobile broadband ISP’s network. I’ve assigned the phone a static lease and it is connected through the ethernet LAN port on the MiFi. Would this code still work on this device?

There is no longer an option to disable force VPN in the GL iNet GUI. Does this still need to be done and how do I do it?

Can I just add the code to the end of the startup script through the Luci GUI, so I could just hash it out whenever I need all traffic to go over the VPN? Do I just need to remove the quotation marks around echo $rule | grep tun0 as previously mentioned?

I’ve tried using vpn-policy-routing and vpn-bypass but neither worked. It’d be nice to have a GUI option to do this if possible.

glitch · 2019-03-13T08:15:31.988Z

Try testing firmware V3, as I believe that has policy routing.

Fenestra:

There is no longer an option to disable force VPN in the GL iNet GUI.

In V3, “force VPN” is (rather clumsily) enforced automatically (ie. once you have clicked “connect”).

Fenestra · 2019-03-13T08:47:45.225Z

Do you mean it will work if I install it again, or it should already be in there somewhere?

I’ve upgraded to the testing firmware, there’s some nice new features, but I can’t find anything to do with policy routing in the GL iNet GUI or Luci.

alzhao · 2019-03-13T09:20:45.334Z

Fenestra:

I’ve upgraded to the testing firmware, there’s some nice new features, but I can’t find anything to do with policy routing in the GL iNet GUI or Luci.

Hold on, making another update of the server but may be AR750S first.

robotluo · 2019-03-14T02:57:43.884Z

Hi,

I uploaded the route-policy firmware for AR750S and MIFI.
You can enable it on the UI–>VPN–>VPN policies
If you have any questions, please send them to me through forum, and I will deal with them as soon as possible

Fenestra · 2019-03-16T06:41:05.148Z

Thanks!

I upgraded my firmware to the policy routing testing firmware, but I still can’t get it to work, I get no internet connection with the routing policy setup. I’ve set it up so all MAC in list goes through the VPN. I’ve only added the one MAC for testing. It has no internet connection.

Do I need to follow a process to get it working? I’ve tried a few different ways, setting then rebooting, connecting to VPN first then enabling policy routing and vice versa.

Also, I assume that when policy routing is enabled, any MAC not in the list will do the opposite to what is set in the policy routing (All MAC through VPN or No MAC through VPN) and not just deny connection.

robotluo · 2019-03-16T07:13:31.990Z

I have an example of a setup here. In this example, only 08:57:00: e5:88:6b is allowed through the VPN, and all other devices will bypass the VPN

OAZVV4P~O2%40RV9~XPK6P1H91079×539 20.7 KB

Fenestra · 2019-03-16T11:45:04.522Z

Yep, that’s what I had. I had no internet connection for the device that should’ve been connecting through the VPN.

I’m also using it through the 4G modem, would this be an issue compared to when using it as a repeater or tethered?

glitch · 2019-03-16T13:05:12.547Z

I tried the firmware (750S) and tried to allow pass-thru (ie. non-VPN) for one MAC address and it didn’t work.
Menu was confusing as to what was on the list and what wasn’t on the list.
Allow VPN and disallow VPN options also very confusing.