How to route only specific hosts through the OpenVPN client on Tomato
- by kcome
I am a relative newbie in the networking world, although I have done coding and had some sysadmin background for a long time, and here I'm only one step from my destination.
The whole picture is: at home I use one LinkSys E3000 as the gateway (don't know yet if this is its name) and wireless AP, with no other routing/switching devices. It serves 1 PC and 1 Mac over LAN, and 1 Mac Mini + 1 iPad + 2 smartphones over WiFi.
My goal is to use an OpenVPN client on the E3000 (with Tomato firmware) and send all WiFi traffic from my iPad and smartphones through it, while the other devices keep the same non-OpenVPN route.
So far I'm able to connect the OpenVPN client on the E3000 to an OpenVPN server and tunnel all traffic from all my devices through that OpenVPN connection. What's left is how to selectively route by source IP (at least that's my guess) into the tunnel without bothering the others.
I have learned some 'iptables' and 'route' in the past few days, however without much luck, so here comes my question. Here is some info which will help you understand the structure.
ifconfig -a output, with some useless lines stripped; in the web interface C0:C1:C0:1A:E0:28 is WAN, C0:C1:C0:1A:E0:27 is LAN, C0:C1:C0:1A:E0:29 is the 2.4G WiFi AP, and C0:C1:C0:1A:E0:2A is the 5G WiFi AP.
  root@router:/tmp/home/root# ifconfig -a
  
  br0        Link encap:Ethernet  HWaddr C0:C1:C0:1A:E0:27
             inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  
  eth0       Link encap:Ethernet  HWaddr C0:C1:C0:1A:E0:27
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  
  eth1       Link encap:Ethernet  HWaddr C0:C1:C0:1A:E0:29
             UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
  
  eth2       Link encap:Ethernet  HWaddr C0:C1:C0:1A:E0:2A
             UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
  
  lo         Link encap:Local Loopback
             inet addr:127.0.0.1  Mask:255.0.0.0
             inet6 addr: ::1/128 Scope:Host
  
  ppp0       Link encap:Point-to-Point Protocol
             inet addr:172.200.1.43  P-t-P:172.200.0.1  Mask:255.255.255.255
             UP POINTOPOINT RUNNING MULTICAST  MTU:1480  Metric:1
  
  vlan1      Link encap:Ethernet  HWaddr C0:C1:C0:1A:E0:27
             UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
  
  vlan2      Link encap:Ethernet  HWaddr C0:C1:C0:1A:E0:28
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  
  wl0.1      Link encap:Ethernet  HWaddr C0:C1:C0:1A:E0:29
             BROADCAST MULTICAST  MTU:1500  Metric:1
brctl show output
root@router:/tmp/home/root# brctl show
bridge name bridge id       STP enabled interfaces
br0     8000.c0c1c01ae027   no      vlan1
                            eth1
                            eth2
Routes before the OpenVPN route-up script:
root@router:/tmp/home/root# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.200.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.200.0.1     0.0.0.0         UG    0      0        0 ppp0
OpenVPN server push:
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 8.8.8.8,route 172.20.0.1,topology net30,ping 10,ping-restart 120,ifconfig 172.20.0.6 172.20.0.5'
OpenVPN's stock route-up script:
Apr 24 14:52:06 router daemon.notice openvpn[1768]: /sbin/ifconfig tun11 172.20.0.6 pointopoint 172.20.0.5 mtu 1500
Apr 24 14:52:08 router daemon.notice openvpn[1768]: /sbin/route add -net 72.14.177.29 netmask 255.255.255.255 gw 172.200.0.1
Apr 24 14:52:08 router daemon.notice openvpn[1768]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 172.20.0.5
Apr 24 14:52:08 router daemon.notice openvpn[1768]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 172.20.0.5
Apr 24 14:52:08 router daemon.notice openvpn[1768]: /sbin/route add -net 172.20.0.1 netmask 255.255.255.255 gw 172.20.0.5
Routes after OpenVPN:
root@router:/tmp/home/root# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.20.0.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun11
72.14.177.29    172.200.0.1     255.255.255.255 UGH   0      0        0 ppp0
172.200.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.20.0.1      172.20.0.5      255.255.255.255 UGH   0      0        0 tun11
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.20.0.5      128.0.0.0       UG    0      0        0 tun11
128.0.0.0       172.20.0.5      128.0.0.0       UG    0      0        0 tun11
0.0.0.0         172.200.0.1     0.0.0.0         UG    0      0        0 ppp0
Something I have noticed and tried:
* On the web interface of the OpenVPN client there is an option "Create NAT on tunnel"; if I check this, the following script appears (probably executed after the OpenVPN connection is established):
root@router:/tmp/home/root# cat /tmp/etc/openvpn/fw/client1-fw.sh
#!/bin/sh
iptables -I INPUT -i tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.1.0/255.255.255.0 -o tun11 -j MASQUERADE
If I uncheck this option, the last line will not appear. So I guess my issue will probably be solved by iptables and NAT related commands; I just don't have enough knowledge to figure them out. I tried running
iptables -t nat -I POSTROUTING -s 192.168.1.6 -o tun11 -j MASQUERADE
manually after OpenVPN connected (192.168.1.6 is the IP address of my iPad); then my iPad gets internet through the OpenVPN tunnel, however all other devices can't reach the internet.
In case it's needed, here is the iptables NAT table:
root@router:/tmp/home/root# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            192.168.1.0/24      
WANPREROUTING  all  --  0.0.0.0/0            172.200.1.43        
upnp       all  --  0.0.0.0/0            172.200.1.43        
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
SNAT       all  --  192.168.1.0/24       192.168.1.0/24      to:192.168.1.1 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain WANPREROUTING (1 references)
target     prot opt source               destination         
DNAT       icmp --  0.0.0.0/0            0.0.0.0/0           to:192.168.1.1 
Chain upnp (1 references)
target     prot opt source               destination         
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0       udp dpt:5353 to:192.168.1.3:5353 
Thanks in advance for helping and for reading this much; I hope I included every piece of info you need to give a hand :)