Opened 22 months ago

Closed 8 months ago

#2151 closed (fixed)

OpenVPN Client 'Policy based routing' feature broken

Reported by: davem Owned by: Sash
Keywords: Cc:

Description

The route-up script for DD-WRT's onboard OpenVPN client is generated as follows:

#!/bin/sh
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
ip route add default via 192.168.88.1 table 10
for IP in `cat /tmp/openvpncl/policy_ips` ; do
        ip rule add from $IP table 10
done

(192.168.88.1 is the default gateway of my WAN interface)

As-is the policy-based routing feature does nothing, because the table created has a default gateway taken from the WAN interface, not the OpenVPN interface (see changeset 16381).

Change History (13)

comment:1 Changed 22 months ago by Sash

so your script is also doing nothing when u also use the wan gateway?

comment:2 Changed 22 months ago by davem

thanks for the reply

here is what the sidebar on ddwrt says

Add IPs in the form 0.0.0.0/0 to force clients to use the tunnel as default gateway. One line per IP. Redirect Gateway MUST be off.

but, dd-wrt's integrated route-up script does not route clients on the policy_ips list through the tunnel - it actually routes through wan_gateway.

the relevant code in dd-wrt with the error is located within src/router/services/services/openvpn.c

                fprintf(fp, "ip route add default via %s table 10\n",
                        nvram_safe_get("wan_gateway"));

if there is a way this is supposed to be working that i do not understand, please let me know.

comment:4 Changed 22 months ago by davem

i understand source based routing, and dd-wrt does the "source" part correctly, however the new table created does not have the tunnel's gateway set to it, so it does not work as intended.

comment:5 Changed 22 months ago by davem

and just to make sure this is clear - that code excerpt i posted, that is generated by dd-wrt, i did not write it.

comment:6 Changed 22 months ago by davem

ah, you are sash from the forums! no wonder.

i will just distribute a patch script to our clients until you figure this one out.

comment:7 Changed 22 months ago by irishtr

If I add any IP to the Policy Based Routing field under Services>VPN>OpenVPN section, I lose all access to local network.

Example. 192.168.1.1 = WZR-HP-G300HN Buffalo Router Build 17201 I establish OpenVPN connection with settings via the GUI page and all is well. Connection goes up, all traffic is routed thru VPN (which is not what I want). I have nothing input into Commands other than the user/password file creation script for the connection to my VPN Service provider.

Now if I add say 192.168.1.106/24 into the Policy Based Routing field, all devices on network can no longer access any local resource on 192.168.1.x, as in I cannot get back into the Router GUI page/PuTTY. Internet on all other machines connected to the router (all wifi btw) except .106 can still access the internet. (scratches head in confusion!) Is this a problem with the route-up.sh & ipspolicy scripts that OPENVPN is creating via the GUI in this 17201 build? Or am I screwing something up?

comment:8 Changed 20 months ago by Sash

davem now i get u. i will see how to fix this at the weekend. the problem is to get the gateway

maybe i have to use something like

sed '1!G;h;$!d'
sed '1!G;h;$!p'
sort -r

comment:9 Changed 20 months ago by Sash

  • Owner set to Sash
  • Status changed from new to assigned

comment:10 Changed 19 months ago by Sash

  • Resolution set to invalid
  • Status changed from assigned to closed

i rechecked. this feature DOES work but the server MUST send the "redirect gateway" option! its for clients NOT using the vpn tunnel. and that's how it's implemented.

comment:11 Changed 9 months ago by wenzhuo

  • Resolution invalid deleted
  • Status changed from closed to reopened

sash, the gateway ip of the openvpn tunnel is passed to the route-up script through the environment variable $ifconfig_remote. It's also configured in openvpn.conf as tun1 anyway. I really hope you can make the "Policy based Routing" option more flexible. When redirect-gateway is not enabled, policy_ips should be defined as IPs to be forwarded to the openvpn tunnel.

Moreover, tunneling the entire LAN through openvpn is problematic, as it can break local services. Redirect_gateway is mostly used on client computers, I guess.
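The route-up script below is an added example, not DD-WRT's generated script and not code from anyone in this ticket. It shows the behaviour the description and comment:11 ask for: table 10 gets its default route from the tunnel gateway that OpenVPN exports to --route-up scripts (the $ifconfig_remote variable named in comment:11, with $route_vpn_gateway and $dev as fallbacks), not from wan_gateway, and only the sources listed in policy_ips are sent to that table. It also copies the LAN's connected route into table 10, because a table holding nothing but a default route gives policy-routed hosts no path back to the router or their neighbours. Table number 10 and the /tmp/openvpncl/policy_ips path follow the ticket; LAN_NET, LAN_IF and DRY_RUN are this example's own assumed inputs (on a DD-WRT box the LAN values would come from nvram).

```shell
#!/bin/sh
# Added example (not DD-WRT's code): route-up script for selective routing.
# OpenVPN exports to --route-up scripts: $dev (tunnel interface name),
# $ifconfig_remote (tun p2p peer address) and $route_vpn_gateway (gateway
# used by --route options). Table 10 and the policy_ips path follow the ticket.

TABLE=10

# tunnel_gateway DEV: print the next-hop part of the default route for the
# tunnel. Prefer the peer/gateway address OpenVPN handed us; a tun device also
# works with a device-only route, so fall back to that rather than to the WAN.
tunnel_gateway() {
    dev="$1"
    gw="${ifconfig_remote:-${route_vpn_gateway:-}}"
    if [ -n "$gw" ]; then
        echo "via $gw dev $dev"
    else
        echo "dev $dev"
    fi
}

# route_up_commands DEV LAN_NET LAN_IF POLICY_FILE: print, one per line, the
# commands that make table 10 send policy_ips sources through the tunnel.
route_up_commands() {
    dev="$1" lan_net="$2" lan_if="$3" policy_file="$4"
    echo "iptables -I POSTROUTING -t nat -o $dev -j MASQUERADE"
    # The bug in the ticket: the default route of table 10 must point at the
    # tunnel, not at wan_gateway.
    echo "ip route add default $(tunnel_gateway "$dev") table $TABLE"
    # Keep the LAN reachable for policy-routed hosts: without this connected
    # route, table 10 sends even 192.168.x.y traffic into the tunnel.
    echo "ip route add $lan_net dev $lan_if table $TABLE"
    # One source (IP or CIDR) per line in the policy file; blanks and
    # comment lines are ignored.
    if [ -r "$policy_file" ]; then
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$policy_file" |
        while read -r src; do
            echo "ip rule add from $src table $TABLE"
        done
    fi
    echo "ip route flush cache"
}

# DRY_RUN=1 (the default here) prints the commands; DRY_RUN=0 on the router
# executes them. LAN_NET/LAN_IF are assumed inputs for this example.
if [ "${DRY_RUN:-1}" = 1 ]; then
    route_up_commands "${dev:-tun1}" "${LAN_NET:-192.168.1.0/24}" \
        "${LAN_IF:-br0}" "${POLICY_FILE:-/tmp/openvpncl/policy_ips}"
else
    route_up_commands "${dev:-tun1}" "${LAN_NET:-192.168.1.0/24}" \
        "${LAN_IF:-br0}" "${POLICY_FILE:-/tmp/openvpncl/policy_ips}" | sh
fi
```

Run it with DRY_RUN=1 and an exported ifconfig_remote to see the exact commands before trusting them on a router; the sidebar's condition still applies, since a server-pushed redirect-gateway rewrites the main table's default route and makes the per-source rules moot.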

comment:12 Changed 8 months ago by Sash

fixed

comment:13 Changed 8 months ago by Sash

  • Resolution set to fixed
  • Status changed from reopened to closed