PsychoWolf Posted ...

Hi, I've been fighting (and failing) to get AirVPN set up on my DD-WRT powered Linksys E3000. I set it up as per the directions at https://airvpn.org/ddwrt but I cannot get it to work. According to the logs it connects fine, but I get no internet at all on any devices connected to the router.

After a while it drops the connection, then the web interface here complains that "I am already logged in" (likely because it's dropping the connection then retrying to connect right away, and is refused, but I don't know for sure).

Anyhow, this got me thinking... I don't actually need to encrypt my entire connection, only a couple of ports for sensitive services, and at that only from one machine on my LAN. This is a Windows 7 machine, and since I'd like to have the tunnel established all the time, I'm thinking the best solution would be to run OpenVPN as a service with a specific .ovpn configuration file so it connects at startup automatically.

Can anyone tell me if there's a way to just tunnel a couple of ports and no other traffic by adding a line to the .ovpn config file?

Failing that, I would like to get it to work on my DD-WRT powered router in the same fashion. Would anyone happen to know the iptables rules I would need to use?

Cheers!
Staff Posted ...

> Hi, I've been fighting (and failing) to get AirVPN set up on my DD-WRT powered Linksys E3000. I set it up as per the directions at https://airvpn.org/ddwrt but I cannot get it to work. According to the logs it connects fine, but I get no internet at all on any devices connected to the router.
> After a while it drops the connection, then the web interface here complains that "I am already logged in" (likely because it's dropping the connection then retrying to connect right away, and is refused, but I don't know for sure).

Hello!

Can you please send us the connection logs?

Kind regards
PsychoWolf Posted ...

I've attached it here... I also have the following iptables rules:

    #VPN
    iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
    iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
    iptables -I INPUT -i tun1 -j REJECT
    iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

    #Fix DHCP Quirk
    iptables -I INPUT -p udp --sport 67 --dport 68 -j ACCEPT

    #Fix NAT loopback (Bug in specific versions of dd-wrt)
    iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE

    #Force local DNS
    iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to `nvram get lan_ipaddr`
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to `nvram get lan_ipaddr`

And these additional dnsmasq options:

    local=/core/
    expand-hosts
    dhcp-option=43,01:04:00:00:00:02

When I set my DNS server to 10.4.0.1 I get "DNS couldn't be resolved" errors, and if I set it to any other DNS server (208.67.222.222, an OpenDNS server, for example) I get "request timed out" errors.

(Attachment: log.txt)
Staff Posted ...

@PsychoWolf

Hello!

It definitely looks like a firmware OpenVPN known bug. Probably a re-flash with a different firmware is necessary. Please see here: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=4684&Itemid=142#4687 and here: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=4684&Itemid=142#4690 for Linksys E2000 and E3000 DD-WRT firmware versions that are reported as fully functional.

Kind regards
PsychoWolf Posted ...

According to the dd-wrt community, 15962 is fully functional with OpenVPN on the E3000 as well. That's the version I am running. I don't currently have time to do a re-flash as the rest of my setup on the router is horribly time consuming.

What about my other idea of using OpenVPN on Windows but only tunneling a couple of ports?

Thanks!
Staff Posted ...

> According to the dd-wrt community, 15962 is fully functional with OpenVPN on the E3000 as well. That's the version I am running. I don't currently have time to do a re-flash as the rest of my setup on the router is horribly time consuming.

Hello!

Good to know, thank you. However the version you're running is not reported by us as fully working and the logs you sent us seem to confirm that.

> What about my other idea of using OpenVPN on Windows but only tunneling a couple of ports?

It's a little unclear: you don't tunnel ports, you tunnel packets. Can you please elaborate?

Kind regards
PsychoWolf Posted ...

> > What about my other idea of using OpenVPN on Windows but only tunneling a couple of ports?
>
> It's a little unclear: you don't tunnel ports, you tunnel packets. Can you please elaborate?
>
> Kind regards

What I mean is, what if I wanted only DNS and web traffic (port 80 and 443) over the tunnel, and everything else (like email, IM, etc.) to just use my regular connection.

I'm considering biting the bullet and flashing a "known working with AirVPN" dd-wrt build as well, as I would like this to be transparent on my network as a whole, but if I could get that working on just this one PC in the meantime, that would be good.

I assume it can't be done with OpenVPN alone and I'd need some sort of firewall configuration to do the routing?
Staff Posted ...

> > > What about my other idea of using OpenVPN on Windows but only tunneling a couple of ports?
> >
> > It's a little unclear: you don't tunnel ports, you tunnel packets. Can you please elaborate?
> >
> > Kind regards
>
> What I mean is, what if I wanted only DNS and web traffic (port 80 and 443) over the tunnel, and everything else (like email, IM, etc.) to just use my regular connection.
> I'm considering biting the bullet and flashing a "known working with AirVPN" dd-wrt build as well, as I would like this to be transparent on my network as a whole, but if I could get that working on just this one PC in the meantime, that would be good.
> I assume it can't be done with OpenVPN alone and I'd need some sort of firewall configuration to do the routing?

Hello!

Splitting the tunnel on a port basis will not necessarily allow you to split it on a per-program basis.

Since our servers will push a routing table and redirect-gateway in order to tunnel all the client device traffic, you can reject the push (using the nopull directive) and build your own NAT, gateways and routing table. Unfortunately some tools which come in handy are missing in Windows: on a vanilla Windows non-server edition, you can't do masquerading or forwarding, and you can't even handle multiple routing tables.

So, perhaps a more viable solution is a little hack: bind the applications that you do NOT want to be tunneled to your physical network interface with a program loader and DLL injector like ForceBindIP: http://www.r1ch.net/stuff/forcebindip

Although ForceBindIP is not advertised for Windows 7, at least two customers of ours have reported it works successfully in Win7 (although the usage was the other way round, i.e. forcing the binding to awfully programmed videogame clients like PES2012 which refuse to bind to the TAP-Win32 interface and therefore would not connect to the game servers when the VPN connection is established).

Kind regards
PsychoWolf Posted ...

That sounds like way more work than it's worth for my setup... Adding iptables rules in dd-wrt might be a better solution...

Speaking of, I upgraded to 16785 (the build in the thread you linked) and there's a bug in the OpenVPN client in that build that prevents the client from starting. See http://www.dd-wrt.com/phpBB2/viewtopic.php?p=603733 and http://www.dd-wrt.com/phpBB2/viewtopic.php?p=626851 for more info. I got it to run, but it's unreliable for me. I'm going to give 18946 a shot here when I have some time to flash it and report back how it works.

I'd like to know how others got build 16785 to run, as it wasn't as simple as just turning on the client...
PsychoWolf Posted ...

OK, so build 18946 has a bug in the SSH implementation that rebuilds the device key on every reboot, making it a poor choice since you never know if you're connecting to the right device if you get an unknown key error... So, I'm sticking with 16785 and using a startup script to "fix" the OpenVPN client bug.

I can connect, but the only website I can get to is airvpn.org and after a few minutes it stops working as well with "DNS could not be resolved" errors. I have the "local DNS" option set to yes in the dnsmasq options, and I have a couple of firewall rules to force my local router's address as the DNS server on my LAN (regardless of what clients set for themselves... kind of a transparent DNS like some ISPs do). I disabled the "local DNS" option, and removed my firewall rules for DNS, and I have the same symptoms.

I'm almost there, I think, and I'll be a happy man... but I just can't figure it out...
PsychoWolf Posted ...

Here are my latest OpenVPN logs. As soon as I connect, DNS no longer resolves.

    Sun Oct 14 22:16:15 2012 us=326442 OpenVPN 2.1.3 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Apr 13 2011
    Sun Oct 14 22:16:15 2012 us=327204 MANAGEMENT: TCP Socket listening on 127.0.0.1:5001
    Sun Oct 14 22:16:15 2012 us=333455 WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
    Sun Oct 14 22:16:15 2012 us=338319 LZO compression initialized
    Sun Oct 14 22:16:15 2012 us=339420 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sun Oct 14 22:16:15 2012 us=339930 Socket Buffers: R=[114688->131072] S=[114688->131072]
    Sun Oct 14 22:16:15 2012 us=340250 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Sun Oct 14 22:16:15 2012 us=342083 UDPv4 link local: [undef]
    Sun Oct 14 22:16:15 2012 us=342719 UDPv4 link remote: 108.59.11.194:443
    Sun Oct 14 22:16:15 2012 us=434928 TLS: Initial packet from 108.59.11.194:443, sid=7d99aaae 58efe27a
    Sun Oct 14 22:16:16 2012 us=6048 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
    Sun Oct 14 22:16:16 2012 us=17832 VERIFY OK: nsCertType=SERVER
    Sun Oct 14 22:16:16 2012 us=18055 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
    Sun Oct 14 22:16:17 2012 us=441080 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sun Oct 14 22:16:17 2012 us=441344 NOTE: --mute triggered...
    Sun Oct 14 22:16:17 2012 us=442266 4 variation(s) on previous 5 message(s) suppressed by --mute
    Sun Oct 14 22:16:17 2012 us=442476 [server] Peer Connection Initiated with 108.59.11.194:443
PsychoWolf Posted ...

I just noticed it didn't copy/paste all of the log. Here's the full connection log:

    Sun Oct 14 22:27:33 2012 us=438981 OpenVPN 2.1.3 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Apr 13 2011
    Sun Oct 14 22:27:33 2012 us=445558 WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
    Sun Oct 14 22:27:33 2012 us=449963 LZO compression initialized
    Sun Oct 14 22:27:33 2012 us=450977 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sun Oct 14 22:27:33 2012 us=451502 Socket Buffers: R=[114688->131072] S=[114688->131072]
    Sun Oct 14 22:27:33 2012 us=451840 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Sun Oct 14 22:27:33 2012 us=454121 UDPv4 link local: [undef]
    Sun Oct 14 22:27:33 2012 us=454733 UDPv4 link remote: 108.59.11.194:443
    Sun Oct 14 22:27:33 2012 us=547534 TLS: Initial packet from 108.59.11.194:443, sid=28fa785f d2f4eaea
    Sun Oct 14 22:27:34 2012 us=111632 VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
    Sun Oct 14 22:27:34 2012 us=118715 VERIFY OK: nsCertType=SERVER
    Sun Oct 14 22:27:34 2012 us=118932 VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
    Sun Oct 14 22:27:35 2012 us=567074 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sun Oct 14 22:27:35 2012 us=567336 NOTE: --mute triggered...
    Sun Oct 14 22:27:35 2012 us=568301 4 variation(s) on previous 5 message(s) suppressed by --mute
    Sun Oct 14 22:27:35 2012 us=568514 [server] Peer Connection Initiated with 108.59.11.194:443
    Sun Oct 14 22:27:37 2012 us=695534 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Sun Oct 14 22:27:37 2012 us=787539 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.4.16.222 10.4.16.221'
    Sun Oct 14 22:27:37 2012 us=788470 OPTIONS IMPORT: timers and/or timeouts modified
    Sun Oct 14 22:27:37 2012 us=788675 OPTIONS IMPORT: LZO parms modified
    Sun Oct 14 22:27:37 2012 us=788842 OPTIONS IMPORT: --ifconfig/up options modified
    Sun Oct 14 22:27:37 2012 us=789004 NOTE: --mute triggered...
    Sun Oct 14 22:27:37 2012 us=791977 2 variation(s) on previous 5 message(s) suppressed by --mute
    Sun Oct 14 22:27:37 2012 us=792196 TUN/TAP device tun1 opened
    Sun Oct 14 22:27:37 2012 us=792428 TUN/TAP TX queue length set to 100
    Sun Oct 14 22:27:37 2012 us=792862 /sbin/ifconfig tun1 10.4.16.222 pointopoint 10.4.16.221 mtu 1500
    Sun Oct 14 22:27:37 2012 us=829314 /sbin/route add -net 108.59.11.194 netmask 255.255.255.255 gw 96.125.240.1
    Sun Oct 14 22:27:37 2012 us=844236 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.4.16.221
    Sun Oct 14 22:27:37 2012 us=859032 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.4.16.221
    Sun Oct 14 22:27:37 2012 us=875188 /sbin/route add -net 10.4.0.1 netmask 255.255.255.255 gw 10.4.16.221
    Sun Oct 14 22:27:37 2012 us=889959 Initialization Sequence Completed
Staff Posted ...

Hello!

The logs look just fine. Are the devices which connect to the router forced to use some particular DNS?

EDIT: please also check this, just in case: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=680573

Kind regards
PsychoWolf Posted ...

I *was* using a couple of iptables rules that transparently forced users to use OpenDNS as the DNS servers, but in my testing I removed those rules. Besides that, all the LAN clients are set to get DNS via DHCP anyhow. There is an option in the dnsmasq settings for "local DNS" and when set, clients get 192.168.1.1 as their DNS server (the address of my router) and when unset, it passes through whatever I've set as the DNS servers in the router's main setup. I'll try adding that option when I return home from work tonight and see if that solves it.

One thing I haven't tried is pinging something from the router either; that may be a good test to see if the router is working just fine but LAN traffic isn't being routed. I'll report back my findings there.
PsychoWolf Posted ...

I also found this: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=87956&highlight=openvpn+dnsmasq which is a setting I currently have enabled. Will try disabling that as well, to see what happens.
PsychoWolf Posted ...

Well, I've tried all of the options, even completely disabled dnsmasq on the router, and I still get no DNS resolving when connected to the VPN. I'm completely at a loss, considering others on this forum have successfully connected on this exact dd-wrt build. I had very high hopes that one of these options was the key, but I guess not... :-S
Staff Posted ...

Hello!

Try to force your router to use the VPN DNS as primary, for example 10.4.0.1 if it connects to 443 UDP: https://airvpn.org/specs

Kind regards
PsychoWolf Posted ...

I updated to 18948 and now the VPN appears to be working perfectly through my dd-wrt router.

OK, so, step 2: How can I now route only traffic on ports 80 and 443 (for example) through the tunnel, and everything else via my ISP?

I would like to secure some traffic through the VPN, but not Netflix (I'm in Canada, and Netflix has a crap if I use my account from a US (or other country) IP).

Thank you!
Staff Posted ...

> I updated to 18948 and now the VPN appears to be working perfectly through my dd-wrt router.
> OK, so, step 2: How can I now route only traffic on ports 80 and 443 (for example) through the tunnel, and everything else via my ISP?
> I would like to secure some traffic through the VPN, but not Netflix (I'm in Canada, and Netflix has a crap if I use my account from a US (or other country) IP).
> Thank you!

Hello!

Splitting traffic on a port basis within a subnet requires NAT filtering. An alternative method is splitting traffic on a destination-IP basis. See https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3721&Itemid=142#3724 but beware that the reported IP ranges are wrong; you'll need to discover Netflix IP ranges (and you'll have to elaborate a complementary solution: the message covers the case for which Netflix access is NOT tunneled, and in your message it's unclear whether you want it to be tunneled or not).

If you have more than one device connecting to the router, you can implement Policy Based Routing on the DD-WRT (which supports it) so that a certain device (the one that you wish to use for Netflix) will be or will not be tunneled over the VPN: http://www.dd-wrt.com/wiki/index.php/Policy_Based_Routing

[EDIT] Please see also here: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=711921

Kind regards
PsychoWolf Posted ...

Those look like the opposite of what I want. I want most traffic to run normally through my ISP, with the exception of a couple of services (DNS and web traffic I want through the VPN and everything else I want through the ISP). Those look like they add exceptions for services that you want to run through your ISP instead. I'll have to do some reading on this and see what I come up with. So far it's working great routing everything through the VPN, so I at least have time to tinker with it.
PsychoWolf Posted ...

So I was thinking that I really only want my Netflix traffic to not be tunnelled. There's an option in the OpenVPN Client on DD-WRT for "policy based routing" and any IP/netmask you add there automatically doesn't go through the tunnel. Since I only use Netflix from my Xbox 360s, I have just given them static IPs and added those to the "policy based routing" section of the OpenVPN Client page. This has the added benefit that Xbox Live traffic also doesn't go through the tunnel. I added the IPs I didn't want tunnelled, restarted the client, and voila! Now all the PCs, tablets, phones, etc. on my network are tunnelled automatically and my game consoles are routed through my ISP instead.

Cheers!
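As an added example (not code from the thread, AirVPN or DD-WRT), here is what the two routing setups discussed in this thread look like as plain ip/iptables commands on a DD-WRT router: excluding chosen LAN hosts from the tunnel (the poster's final "policy based routing" setup) and the port-based split asked about earlier (only DNS and web traffic via tun1, which needs the client to run with route-nopull so the pushed redirect-gateway is ignored). tun1, br0, 10.4.16.221 and 96.125.240.1 come from the posted log; the WAN interface name vlan2, the table numbers and the firewall mark are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread, AirVPN or DD-WRT.
# Values taken from the posted log: LAN on br0, tunnel tun1 with peer
# 10.4.16.221, ISP gateway 96.125.240.1. WAN interface name, table numbers
# and the firewall mark are assumptions.
LAN_IF=br0
VPN_IF=tun1
VPN_GW=10.4.16.221          # tunnel peer from "ifconfig 10.4.16.222 10.4.16.221"
WAN_IF=vlan2                # assumed DD-WRT WAN interface name
WAN_GW=96.125.240.1         # ISP gateway from the "route add -net 108.59.11.194" line
VPN_TABLE=100               # routing table whose default route is the tunnel
ISP_TABLE=200               # routing table whose default route is the ISP
VPN_MARK=0x1                # fwmark that selects VPN_TABLE

# DRY_RUN=1 (default) prints the commands instead of executing them, so the
# rule set can be reviewed off-router before it goes into a startup script.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Case A (the poster's final setup): the given LAN hosts bypass the tunnel.
# Assumes the client still accepts the pushed redirect-gateway, so the main
# table sends everything to tun1; these sources are matched first by address
# and sent to the ISP table instead.
bypass_sources() {
    run ip route add default via "$WAN_GW" dev "$WAN_IF" table "$ISP_TABLE"
    for src in "$@"; do
        run ip rule add from "$src" table "$ISP_TABLE" priority 100
    done
    run ip route flush cache
}

# Case B (the question asked earlier in the thread): only the listed
# proto/port destinations from the LAN go through tun1, everything else
# stays on the ISP. Assumes the client runs with route-nopull so the main
# table keeps the ISP default route.
tunnel_ports() {
    run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"
    run ip rule add fwmark "$VPN_MARK" table "$VPN_TABLE" priority 100
    for spec in "$@"; do     # e.g. udp/53 tcp/443
        proto=${spec%/*}
        port=${spec#*/}
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p "$proto" \
            --dport "$port" -j MARK --set-mark "$VPN_MARK"
    done
    # LAN addresses must be rewritten to the tunnel address on the way out.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run ip route flush cache
}

# Stand-alone run: print both rule sets for review (constructed sample hosts).
bypass_sources 192.168.1.50 192.168.1.51
tunnel_ports udp/53 tcp/53 tcp/80 tcp/443
```

Run with DRY_RUN=0 from a DD-WRT startup or firewall script; the FORWARD accept rules between br0 and tun1 posted earlier in the thread are still required for either case.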