OpenVPN and excluding IP/MAC address from VPN routing

madj42 · 2017-05-06T11:57:02.000Z

Did everything you mentioned and changed the options. Getting RTNETLINK answers: File Exists for a response. I changed it to something like this:
ip rule add from 192.168.8.172 lookup 2
ip route add table 2 default via 192.168.11.1 dev wlan-sta

EDIT: Was able to get the command to work by doing ip route replace instead of add. Only issue is that streaming from the chromecast still goes through the VPN.

hansome · 2017-05-06T15:25:42.000Z

Oh, I forget Mwan3 is interfering wtih with this policy routing. try to change to:
ip rule add from 192.168.8.172 lookup 20 pref 2
ip route add table 20 default via 192.168.199.1 dev eth0
20 is a custom routing table number, if it’s 2 causing conflict with mwan’s.

you can see rules by:
ip rule
ip route show table 20

madj42 · 2017-05-06T23:37:07.000Z

I hate to be a pest. Still not working for whatever reason. The chromecast comes back and states that it is connected to the wifi network but cannot connect to the internet.

ip route

0.0.0.0/1 via 10.63.10.5 dev tun0
default via 192.168.42.1 dev wlan-sta proto static src 192.168.42.138 metric 20
10.63.10.1 via 10.63.10.5 dev tun0
10.63.10.5 dev tun0 proto kernel scope link src 10.63.10.6
104.207.136.111 via 192.168.42.1 dev wlan-sta
128.0.0.0/1 via 10.63.10.5 dev tun0
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
192.168.42.0/24 dev wlan-sta proto static scope link metric 20
192.168.42.1 dev wlan-sta proto static scope link src 192.168.42.138 metric 20

ip route show table 20

default via 192.168.42.1 dev wlan-sta

ip rule

0: from all lookup 128
1: from all lookup local
2: from 192.168.8.200 lookup 20
1002: from all iif wlan-sta lookup main
2002: from all fwmark 0x200/0xff00 lookup 2
2253: from all fwmark 0xfd00/0xff00 blackhole
2254: from all fwmark 0xfe00/0xff00 unreachable
32766: from all lookup main
32767: from all lookup default

hansome · 2017-05-08T11:44:24.000Z

goto http://192.168.8.1. openvpn Settings, turn off force VPN.
Force VPN means only traffic of TUN inferface is allowed, so ethernet WAN interface traffic is blocked. This do sometimes brings puzzles.

You brillant guy almost made it by add:
iptables -I FORWARD -i br-lan -o wlan-sta -s <src_ip> -j ACCEPT
but some script may flush your manully added iptables rule.

zimo · 2017-05-08T19:13:45.000Z

@hansome could we just customise /vpnfirewall and keep force VPN?

Thinking it may be problematic (insecure) to disable force VPN?

hansome · 2017-05-08T23:24:31.000Z

In current design, force vpn means the traffic to Internet only go through tun0 inferface even when you lost openvpn connetion. But as long as the default route via tun0 (which has metric 0) exists, you Internet traffic go through tun0 by default except traffic to wlan-sta subnet. In my test result, the tun0 and conresponding route do NOT disappear when I cut openvpn. So the worst case is openvpn process aborted, that’s when the tun0 goes down and Force VPN take effect.

As you pointed it, Force vpn option is buggy to some extend. We are considering to make some tweak.
So you are secure as long as openvpn process running.

kennypowers · 2017-05-28T03:40:45.000Z

Hi All,

Looking to do this now myself I have one device I don’t want traffic to go over VPN, could someone tell me where you enter these settings?

Thank you.

kennypowers · 2017-05-28T17:51:07.000Z

Would it also be possible to just have one device/ip use the VPN all all other traffic routed as normal?

alzhao · 2017-05-29T09:58:04.000Z

Yes. It is possible. Need to use iptables.

@hansome can give you some command.

hansome · 2017-05-29T20:21:42.000Z

First disable forcevpn at web UI, then SSH to device and run:

IP address not go vpn:
iptables -I PREROUTING -t mangle -i br-lan -s <ipaddr> -j MARK --set-mark 5
ip rule add fwmark 5 lookup 5 pref 2005
ip route | while read -r rule;do
if [ -z “echo $rule | grep tun0” ]; then
ip route add $rule table 5
fi
done

Only IP address go vpn:
iptables -I PREROUTING -t mangle -i br-lan ! -s <ipaddr> -j MARK --set-mark 5
ip rule add fwmark 5 lookup 5 pref 2005
ip route | while read -r rule;do
if [ -z “echo $rule | grep tun0” ]; then
ip route add $rule table 5
fi
done

glitch · 2017-05-29T21:47:03.000Z

Where does the router store this info (ie. what directory/file)?

taoiseach · 2018-03-24T20:28:17.690Z

Hello,

Thats exactly what I need, but the commands dont work on my router. I have installed the 2.264 firmware. I get a message that it couldnt fount a file or directory when I enter these commands…
I will get the error when I hit the done command

alzhao · 2018-03-25T04:49:26.827Z

Can you post the error message?

tomei · 2018-06-03T10:01:58.981Z

I entered those commands in ssh in router and got these error messages

grep: ]: No such file or directory
-ash: missing ]

I am trying to exclude my laptop from vpn.

EDIT: I am using a GL-AR 750 will this affect the commands?

alzhao · 2018-06-04T04:55:22.552Z

Pls check then double quota. It is changed by html.

Fenestra · 2019-03-13T06:17:43.181Z

Hi,

I have a GL iNet MiFi on the latest firmware and I need to route a single IP through OpenVPN to get VoIP to work over my mobile broadband ISP’s network. I’ve assigned the phone a static lease and it is connected through the ethernet LAN port on the MiFi. Would this code still work on this device?

There is no longer an option to disable force VPN in the GL iNet GUI. Does this still need to be done and how do I do it?

Can I just add the code to the end of the startup script through the Luci GUI, so I could just hash it out whenever I need all traffic to go over the VPN? Do I just need to remove the quotation marks around echo $rule | grep tun0 as previously mentioned?

I’ve tried using vpn-policy-routing and vpn-bypass but neither worked. It’d be nice to have a GUI option to do this if possible.

glitch · 2019-03-13T08:15:31.988Z

Try testing firmware V3, as I believe that has policy routing.

Fenestra:

There is no longer an option to disable force VPN in the GL iNet GUI.

In V3, “force VPN” is (rather clumsily) enforced automatically (ie. once you have clicked “connect”).

Fenestra · 2019-03-13T08:47:45.225Z

Do you mean it will work if I install it again, or it should already be in there somewhere?

I’ve upgraded to the testing firmware, there’s some nice new features, but I can’t find anything to do with policy routing in the GL iNet GUI or Luci.

alzhao · 2019-03-13T09:20:45.334Z

Fenestra:

I’ve upgraded to the testing firmware, there’s some nice new features, but I can’t find anything to do with policy routing in the GL iNet GUI or Luci.

Hold on, making another update of the server but may be AR750S first.

robotluo · 2019-03-14T02:57:43.884Z

Hi,

I uploaded the route-policy firmware for AR750S and MIFI.
You can enable it on the UI–>VPN–>VPN policies
If you have any questions, please send them to me through forum, and I will deal with them as soon as possible