Bypassing VPN for some ports (bis)

Forum » Discussions / General » Bypassing VPN for some ports (bis)

Started by:

jedufa
Date: 06 Feb 2015 14:30
Number of posts: 3

Summary:

I need to have a few in/out ports bypassing my tomato router OpenVPN so that some of my server functionalities are accessible directly through the address given to me by my ISP.

Unfold All Fold All More Options

Fold

Bypassing VPN for some ports (bis) - just a quick fix i hope!

jedufa 06 Feb 2015 14:30

Far from me to re-open a topic that might have been covered in past threads…
but I am searching the web since 3 days to solve the issue with my config.

Problem:

I need to have a few in/out ports bypassing my tomato router OpenVPN so that some of my server functionalities are accessible directly through the address given to me by my ISP.

My setup:

A modem from my ISP with the address WAN_IP. Internally, IP address set to xxx.xxx.255.2. DMZ set towards xxx.xxx.255.3.
A tomato router connected to my modem (on vlan2). Internally, IP address set to xxx.xxx.255.3 (on br0). A bridge br1 setup with IP xxx.xxx.254.2.
A local server xxx.xxx.254.15 (as well as x other devices on the intranet) connected to my tomato router. Intranet addresses on xxx.xxx.254.100-254.
For temporary simplification, i also have a DMZ in my tomato router set for my server xxx.xxx.254.15.
Tomato router has an OpenVPN client connection with a VPN provider. All traffic is routed there at the moment.
For sake of completeness, my eth1 and eth2 are for my 2 wireless networks (and not involved here).

All that works out-of-the-box.

But now I want to access my server (xxx.xxx.254.15) on port e.g. 80 directly by using my ISP-given WAN_IP (e.g. yy.yy.108.71), through my modem and then through my tomato router. This works when the VPN client is OFF. When ON, it does not as expected.
How should I change my Firewall script and WAN Up script (and VPN config) to allow me to do this?

Here is my ifconfig -a setup WITHOUT VPN activated:

br0        Link encap:Ethernet  HWaddr E0:3F:49:EC:2F:A8   
           inet addr:xxx.xxx.254.2  Bcast:xxx.xxx.254.255  Mask:255.255.255.0 
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1  
br1        Link encap:Ethernet  HWaddr 82:5D:3D:04:48:D8   
           inet addr:xxx.xxx.255.3  Bcast:xxx.xxx.255.255  Mask:255.255.255.0 
eth0       Link encap:Ethernet  HWaddr E0:3F:49:EC:2F:A8   
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1 
eth1       Link encap:Ethernet  HWaddr E0:3F:49:EC:2F:A8   
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1 
eth2       Link encap:Ethernet  HWaddr E0:3F:49:EC:2F:AC   
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1 
imq0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00   
           NOARP  MTU:1500  Metric:1 
imq1       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00   
           NOARP  MTU:1500  Metric:1 
lo         Link encap:Local Loopback   
           inet addr:127.0.0.1  Mask:255.0.0.0 
           inet6 addr: ::1/128 Scope:Host 
           UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1 
vlan1      Link encap:Ethernet  HWaddr E0:3F:49:EC:2F:A8   
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1 
vlan2      Link encap:Ethernet  HWaddr E0:3F:49:EC:2F:A9   
           inet addr:xxx.xxx.255.3  Bcast:xxx.xxx.255.255  Mask:255.255.255.0 
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

Here is my ifconfig -a setup WITH VPN activated:
… same as above…

tun11      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00   
           inet addr:10.15.14.130  P-t-P:10.15.14.130  Mask:255.255.255.128 
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

… same as above…

What I tried:

As I have mentioned, I tried the solutions found on the web (e.g. openvpn-bypass-on-some-ports, openvpn-client-on-tomato-to-a-server-how-to-bypass-some-ip, ). But nothing worked for my, probably because I did not know how to tailor those parameters to my setup.
I was also confused as to what IP I should use for the routes, e.g. my WAN_IP (given by ISP) or my Modem IP (xxx.xxx255.2).

I am currently trying the following:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter 
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter 
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter 
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter 
echo 0 > /proc/sys/net/ipv4/conf/tun11/rp_filter 
echo 0 > /proc/sys/net/ipv4/conf/vlan1/rp_filter 
echo 0 > /proc/sys/net/ipv4/conf/vlan2/rp_filter 

ip route del default table 100 
ip rule del fwmark 1 table 100 
ip route flush cache 
iptables -t mangle -F PREROUTING 

ip route add default table 100 via 83.84.108.1
ip rule add fwmark 1 table 100 
ip route flush cache 
#iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --dport 443,25,3001,1194 -j MARK --set-mark 1 
iptables -t mangle -I PREROUTING -i br0 -p udp -m multiport --dport 443,25,3001,1194 -j MARK --set-mark 1

found on a post called "Route only specific ports through VPN (openvpn)" (sorry, the site does not let me copy links yet).
While it works, it is only for ports of EVERY machine in my intranet, not only on my server's ip 254.15.

Can I get some help please?

Last edited on 06 Feb 2015 15:36 by jedufa Show more

Options

Unfold Bypassing VPN for some ports (bis) - just a quick fix i hope! by

jedufa, 06 Feb 2015 14:30

Fold

Re: Bypassing VPN for some ports (bis)

jedufa 07 Feb 2015 20:17

Anyone? I could really use some help :-(

Options

Unfold Re: Bypassing VPN for some ports (bis) by

jedufa, 07 Feb 2015 20:17

Fold

Re: Bypassing VPN for some ports (bis)

jedufa 08 Feb 2015 09:16

…still working on my issue…

what if I were to
1) have all the traffic go through my VPN
2) then bypass the VPN for the address 192.168.254.15 (my server)
3) then force all communications on port 6881 (torrent) in the VPN
in this order?

I mean, if I were to only implement (1) and (2), then I would directly connect my server on my modem instead of on my tomato router.
But as my server also downloads torrents, which traffic type I would prefer to go through my VPN, then I thought that adding a port 6881 redirect for all machines could do the trick:

#All traffic go through the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0

#All NAS outgoing traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.254.15 -j MARK --set-mark 1

#All outgoing traffic on torrent ports are going through the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 6881 -j MARK --set-mark 0

I guess I could get used to live with this setup. My testing shows that yes, I can reach my server through my normal (non-VPN) WAN address.
Problem is, I don't know how to test this routing table to verify that my traffic of port 6881 is actually going through the VPN…

So I move slightly forward, but yet no firm solution.

Anyone can chip-in?

Thanks
JF

PS:
In case you need all the script, I omitted it because I thought it was not too relevant. Basically, MARK 0 goes through the VPN, MARK 1 bypasses the VPN).

Last edited on 08 Feb 2015 09:20 by jedufa Show more

Options

Unfold Re: Bypassing VPN for some ports (bis) by

jedufa, 08 Feb 2015 09:16

New Post

TomatoUSB

Unleash your router

Problem:

My setup:

What I tried: