howto only tunnel specific hosts route through openvpn client on tomato

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by kcome on Server Fault See other posts from Server Fault or by kcome
Published on 2012-04-24T07:07:47Z Indexed on 2012/06/01 16:43 UTC
Read the original article Hit count: 590

Filed under:
|
|

I am relatively newbie in networking world although I did coding and know some sysadmin background for a long time. and here I'm only one step from my destination.

The whole picture is : at home I use one LinkSys E3000 as the gateway(don't know yet if this is it's name), wireless AP and no other routing/switching devices. It serves 1 PC and 1 Mac with LAN, 1 Mac Mini + 1 iPad + 2 smartphones with WIFI.

My goal is use an openvpn client on the E3000 (with tomato firmware) and make my iPad and smartphone's all WiFi traffic through it, and other devices route remain the same non-openvpn route.

So far I'm able to connect openvpn client on E3000 to an openvpn server, tunnel all my devices' all traffic through that openvpn connection. What's left is howto selectively route by source IP (at least in my guessing) to the tunnel while don't bother others.

I had learned some 'iptables' and 'route' in past few days however without much luck, so here comes my question. Here are some info which will help you get the structure.

ifconfig -a output, some useless lines striped, and in the web interface C0:C1:C0:1A:E0:28 is WAN, C0:C1:C0:1A:E0:27 is LAN, C0:C1:C0:1A:E0:29 is 2.4G wifi AP, C0:C1:C0:1A:E0:2A is 5G wifi AP.

root@router:/tmp/home/root# ifconfig -a

br0 Link encap:Ethernet HWaddr C0:C1:C0:1A:E0:27
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0 Link encap:Ethernet HWaddr C0:C1:C0:1A:E0:27
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr C0:C1:C0:1A:E0:29
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1

eth2 Link encap:Ethernet HWaddr C0:C1:C0:1A:E0:2A
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host

ppp0 Link encap:Point-to-Point Protocol
inet addr:172.200.1.43 P-t-P:172.200.0.1 Mask:255.255.255.255 UP POINTOPOINT RUNNING MULTICAST MTU:1480 Metric:1

vlan1 Link encap:Ethernet HWaddr C0:C1:C0:1A:E0:27
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1

vlan2 Link encap:Ethernet HWaddr C0:C1:C0:1A:E0:28
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

wl0.1 Link encap:Ethernet HWaddr C0:C1:C0:1A:E0:29
BROADCAST MULTICAST MTU:1500 Metric:1

brctl show output

root@router:/tmp/home/root# brctl show
bridge name bridge id       STP enabled interfaces
br0     8000.c0c1c01ae027   no      vlan1
                            eth1
                            eth2

before openvpn route-up script

root@router:/tmp/home/root# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.200.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.200.0.1     0.0.0.0         UG    0      0        0 ppp0

openvpn server push 

PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 8.8.8.8,route 172.20.0.1,topology net30,ping 10,ping-restart 120,ifconfig 172.20.0.6 172.20.0.5'

openvpn's stock route-up script

Apr 24 14:52:06 router daemon.notice openvpn[1768]: /sbin/ifconfig tun11 172.20.0.6 pointopoint 172.20.0.5 mtu 1500
Apr 24 14:52:08 router daemon.notice openvpn[1768]: /sbin/route add -net 72.14.177.29 netmask 255.255.255.255 gw 172.200.0.1
Apr 24 14:52:08 router daemon.notice openvpn[1768]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 172.20.0.5
Apr 24 14:52:08 router daemon.notice openvpn[1768]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 172.20.0.5
Apr 24 14:52:08 router daemon.notice openvpn[1768]: /sbin/route add -net 172.20.0.1 netmask 255.255.255.255 gw 172.20.0.5

route after openvpn

root@router:/tmp/home/root# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.20.0.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun11
72.14.177.29    172.200.0.1     255.255.255.255 UGH   0      0        0 ppp0
172.200.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.20.0.1      172.20.0.5      255.255.255.255 UGH   0      0        0 tun11
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.20.0.5      128.0.0.0       UG    0      0        0 tun11
128.0.0.0       172.20.0.5      128.0.0.0       UG    0      0        0 tun11
0.0.0.0         172.200.0.1     0.0.0.0         UG    0      0        0 ppp0

something I had noticed and tried: * on the web interface of openvpn client there is an option "Create NAT on tunnel", if i check this, there is the following script (probably executed after openvpn connection established)

root@router:/tmp/home/root# cat /tmp/etc/openvpn/fw/client1-fw.sh
#!/bin/sh
iptables -I INPUT -i tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.1.0/255.255.255.0 -o tun11 -j MASQUERADE

if i uncheck this option, the last line will not appear. Then I guess probably the my issue will be solved by iptables and NAT related commands, I just haven't got enough knowledge to figure them out. I tried run 

iptables -t nat -I POSTROUTING -s 192.168.1.6 -o tun11 -j MASQUERADE

manually after openvpn connected (192.168.1.6 is the ip address of my iPad), then my iPad get internet with openvpn tunnel, however all other devices can't reach internet.

in case if needed, here is the iptables about NAT

root@router:/tmp/home/root# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            192.168.1.0/24      
WANPREROUTING  all  --  0.0.0.0/0            172.200.1.43        
upnp       all  --  0.0.0.0/0            172.200.1.43        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           
SNAT       all  --  192.168.1.0/24       192.168.1.0/24      to:192.168.1.1 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain WANPREROUTING (1 references)
target     prot opt source               destination         
DNAT       icmp --  0.0.0.0/0            0.0.0.0/0           to:192.168.1.1 

Chain upnp (1 references)
target     prot opt source               destination         
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0       udp dpt:5353 to:192.168.1.3:5353

Thanks in advance for helping and read this so much, I hope i made every info you need to give a help :)

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about iptables

Related posts about openvpn

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle