
Advanced configuration, mixed VPN and local Internet


I'm new to this game.

I've got a few options for making airvpn work, including making my Tomato-based router use it for everything, or setting up a dedicated machine (in a VM or otherwise), or throwing another Tomato-based device at it.

Right now, I'm just using the standard airvpn client on Windows, which of course works fine.

However, I'm mostly interested in a VPN for BitTorrent: I don't care too much about the rest of my traffic -- indeed, some of my traffic (US Netflix, Youtube) is going to be better-served by not running on the VPN.

And by default, it seems to be all-or-nothing; everything on the network or computer goes over the VPN, or nothing does.

I guess that's useful for many people, and indeed the sense of real anonymity and unfettered access is very good. I've got my router configured to block uTorrent by port, which seems to mitigate leakage enough for my purposes when the VPN is down, so things are currently safe for what I'm aiming for.

But what options do I have to split the difference? What are the rest of you folks doing?

Currently, the following seems to be the best option for me: Put together a dedicated PC or a small Linux VM with OpenVPN and run my BitTorrent stuff from there along with a SOCKS server for the times that I want web (or whatever) access across the VPN.

Simple, clean, secure.

And while this works fine, I've already got enough computers eating electricity, and DDR2 RAM is dear. I'd rather have a light-weight software solution if it were possible, instead of a dedicated box or a VM.


Thanks for the link - that's a lot closer to what I'm aiming for than my own Google-fu was coming up with, but it's all based on IP addresses instead of services, programs, or ports.

It's a good start. I'll need to spend some time understanding the script(s) on that page, and then maybe I'll be able to get going with port designations or something.


http://linksysinfo.org/index.php?threads/any-way-to-bypass-vpn-selectively.33468/page-2#post-221081

Start reading there.

This part of the script in particular:

# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first,
#  so all traffic bypasses the VPN and you can configure exceptions afterwards)
#      iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
#  Ports 80 and 443 will bypass the VPN
#      iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
#  All traffic from a particular computer on the LAN will use the VPN
#      iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
#  All traffic to a specific Internet IP address will use the VPN
#      iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
#  All UDP and ICMP traffic will bypass the VPN
#      iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#      iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1


Excellent -- I'd missed that part.

Now I just need some time to make it work.


I'm new to this game.

However, I'm mostly interested in a VPN for BitTorrent: I don't care too much about the rest of my traffic -- indeed, some of my traffic (US Netflix, Youtube) is going to be better-served by not running on the VPN.

And by default, it seems to be all-or-nothing; everything on the network or computer goes over the VPN, or nothing does.

I guess that's useful for many people, and indeed the sense of real anonymity and unfettered access is very good. I've got my router configured to block uTorrent by port, which seems to mitigate leakage enough for my purposes when the VPN is down, so things are currently safe for what I'm aiming for.

But what options do I have to split the difference? What are the rest of you folks doing?


I only use AirVPN for torrenting. All of my other traffic goes out through the default gateway. I do not need any additional hardware or virtual machines to do this.

To do this I override the "0.0.0.0/128.0.0.0" and "128.0.0.0/128.0.0.0" routing table entries set up by the OpenVPN client with "0.0.0.0/192.0.0.0", "64.0.0.0/192.0.0.0", "128.0.0.0/192.0.0.0" and "192.0.0.0/192.0.0.0" entries to use my normal gateway for most activities. I have two .bat files that let me quickly insert or delete these in order to use the VPN for web browsing when I want to.

I also then need to tell my torrent clients (4 instances of uTorrent 2.2.1 and one instance of Vuze 4.8.0.0) to use the VPN interface. For Vuze I can specify the interface. But for uTorrent I have to specify the IP address.

So long as I continue to use the same AirVPN server, since my DHCP license is for a year I do not need to change the uTorrent configurations. But every now and then I change the AirVPN server, and have to whip through changing the IP addresses for uTorrent. This is not a lot of work. But I have suggested on this forum that it would be nice to be able to have a fixed local IP address for the VPN interface.

I have also configured Windows firewall to block all traffic from my torrent clients using the default gateway. So if the VPN goes down, even if Windows decides to ignore the request to bind to a specific interface/IP and bind to my default gateway (apparently Windows may do this?), nothing leaks out using my own IP address. I did not Comodo to do this.

I could provide more information about the contents of my bat files, the firewall stuff and the client configuration stuff if you want. But I do not want to spend a lot of time on this if no one is going to read it. So let me know.


I'm very interested in what you are doing, but I lack the knowledge to fully comprehend what you are typing. Would you be so kind as to explain the "why" more than the "how"? What are those IP addresses, why are you using them, how do they change the default behavior?

My understanding was that if you wanted to use the VPN just for BitTorrent that you would run the AirVPN client, virtually forward your port, run uTorrent (configure it for AirVPN), and then you would be good to go. I do not understand how the other information plays into this situation, but I wish to!

Thanks!


I'm very interested in what you are doing, but I lack the knowledge to fully comprehend what you are typing. Would you be so kind as to explain the "why" more than the "how"? What are those IP addresses, why are you using them, how do they change the default behavior?

My understanding was that if you wanted to use the VPN just for BitTorrent that you would run the AirVPN client, virtually forward your port, run uTorrent (configure it for AirVPN), and then you would be good to go. I do not understand how the other information plays into this situation, but I wish to!

Thanks!

They are IP subnet definitions. I will explain a bit more.

With the VPN not up, open a command window (if you are using Windows, or a console window for Linux, but I am using Windows right now - the concepts are much the same for Linux) and type "route print". You should get something like this:

C:\bat\VPN>route print
===========================================================================
Interface List
 22...00 ff 3b 72 32 1e ......TAP-Windows Adapter V9
 21...2a ed b9 13 21 43 ......Microsoft Virtual WiFi Miniport Adapter
 15...08 ed b9 13 21 43 ......Atheros AR5BWB222 Wireless Network Adapter
 11...dc 0e a1 a6 9d 30 ......Broadcom NetLink Gigabit Ethernet
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
 16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 48...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
 26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #7
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.63     10
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
      192.168.1.0    255.255.255.0          On-link     192.168.1.63    266
     192.168.1.63  255.255.255.255          On-link     192.168.1.63    266
    192.168.1.255  255.255.255.255          On-link     192.168.1.63    266
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link     192.168.1.63    266
        224.0.0.0        240.0.0.0          On-link      10.4.15.174    286
        224.0.0.0        240.0.0.0          On-link    192.168.109.1    276
        224.0.0.0        240.0.0.0          On-link    192.168.202.1    276
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link     192.168.1.63    266
  255.255.255.255  255.255.255.255          On-link      10.4.15.174    286
  255.255.255.255  255.255.255.255          On-link    192.168.109.1    276
  255.255.255.255  255.255.255.255          On-link    192.168.202.1    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
  None
===========================================================================

IPv6 Route Table
===========================================================================
...
===========================================================================
Persistent Routes:
  None

This is the contents of my routing table, with some lines deleted. The routing table is used to determine what wired or wireless network interface to send a packet on, based on the destination. The packet destination is compared against the two values "Network Destination" and "Netmask". The values shown as 4 numbers separated by periods are 32 bit strings, divided up into 4 8 bit chunks, so that each chunk is a value from 0 to 255. But think of these as 32 bit strings. "Netmask" will be all ones on the left and all zeros to the right of that. What matters with it is just how many 1s are on the left. If the "Netmask" has only 4 1s on the left, then only the left-most 4 bits of the packet destination and "Network Destination" are compared for a match. A packet destination may have several routing table entries that match by this criterion. The one that will be used is the one for which the "Netmask" had the most 1s. If that does not resolve it, the lowest "Metric" is then checked.

The entry with the "0.0.0.0" Netmask is called the "default" gateway, because it will match anything, since no bits have to be compared. So if no more specific entry is found that is where a packet will go.

With the VPN up my routing table looks like this:

C:\bat\VPN>route print
===========================================================================
Interface List
 22...00 ff 3b 72 32 1e ......TAP-Windows Adapter V9
 21...2a ed b9 13 21 43 ......Microsoft Virtual WiFi Miniport Adapter
 15...08 ed b9 13 21 43 ......Atheros AR5BWB222 Wireless Network Adapter
 11...dc 0e a1 a6 9d 30 ......Broadcom NetLink Gigabit Ethernet
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
 16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 48...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
 26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #7
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.63     10
          0.0.0.0        128.0.0.0      10.4.15.173      10.4.15.174     30
         10.4.0.1  255.255.255.255      10.4.15.173      10.4.15.174     30
      10.4.15.172  255.255.255.252          On-link      10.4.15.174    286
      10.4.15.174  255.255.255.255          On-link      10.4.15.174    286
      10.4.15.175  255.255.255.255          On-link      10.4.15.174    286
    95.110.200.16  255.255.255.255    192.168.1.254     192.168.1.63     10
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
        128.0.0.0        128.0.0.0      10.4.15.173      10.4.15.174     30
      192.168.1.0    255.255.255.0          On-link     192.168.1.63    266
     192.168.1.63  255.255.255.255          On-link     192.168.1.63    266
    192.168.1.255  255.255.255.255          On-link     192.168.1.63    266
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link     192.168.1.63    266
        224.0.0.0        240.0.0.0          On-link      10.4.15.174    286
        224.0.0.0        240.0.0.0          On-link    192.168.109.1    276
        224.0.0.0        240.0.0.0          On-link    192.168.202.1    276
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link     192.168.1.63    266
  255.255.255.255  255.255.255.255          On-link      10.4.15.174    286
  255.255.255.255  255.255.255.255          On-link    192.168.109.1    276
  255.255.255.255  255.255.255.255          On-link    192.168.202.1    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
  None
===========================================================================

IPv6 Route Table
===========================================================================
...
===========================================================================
Persistent Routes:
  None

The extra lines are:

          0.0.0.0        128.0.0.0      10.4.15.173      10.4.15.174     30
         10.4.0.1  255.255.255.255      10.4.15.173      10.4.15.174     30
      10.4.15.172  255.255.255.252          On-link      10.4.15.174    286
      10.4.15.174  255.255.255.255          On-link      10.4.15.174    286
      10.4.15.175  255.255.255.255          On-link      10.4.15.174    286
    95.110.200.16  255.255.255.255    192.168.1.254     192.168.1.63     10
...
        128.0.0.0        128.0.0.0      10.4.15.173      10.4.15.174     30


These were added by the VPN client. The entries with "128.0.0.0" prevent the "0.0.0.0" entry from ever being used, because one of these will match any address, and they are more specific (one 1 bit on the left of the Netmask). This makes the VPN gateway (10.4.15.174) the new "default gateway".

What I do is suppress the effect of the "128.0.0.0" entries by adding four entries with two 1 bits on the left of the Netmask:

...
          0.0.0.0        192.0.0.0    192.168.1.254     192.168.1.63     11
...
         64.0.0.0        192.0.0.0    192.168.1.254     192.168.1.63     11
...
        128.0.0.0        192.0.0.0    192.168.1.254     192.168.1.63     11
        192.0.0.0        192.0.0.0    192.168.1.254     192.168.1.63     11
...

Now any packet destination will match one of these four entries, and since these are even more specific, they have put the default gateway back to "192.168.1.63" as it was before the VPN was started.

So now the VPN interface will never be used by default. I have my torrent clients configured to use the VPN interface rather than the default. So that way torrent traffic will go over the VPN, but everything else goes out as it did before. I believe this is what "flodadolf" said they wanted too.
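A worked model of the longest-prefix lookup NaDre describes, added here as an example (it is not NaDre's .bat files or any AirVPN code). The routing tables are constructed from the route print output above, abridged to the entries that matter; the lookup picks the entry whose Netmask has the most leading 1 bits and breaks ties on the lowest Metric, so you can watch the /1 routes beat the /0 default and the four /2 overrides beat the /1 routes while the VPN's own host routes keep working.

```python
import ipaddress

# Constructed routing tables, abridged from the "route print" output above.
# Each entry: (network destination, netmask, gateway, interface, metric).
BASE_ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.254", "192.168.1.63", 10),
    ("127.0.0.0",   "255.0.0.0",     "On-link",       "127.0.0.1",    306),
    ("192.168.1.0", "255.255.255.0", "On-link",       "192.168.1.63", 266),
    ("224.0.0.0",   "240.0.0.0",     "On-link",       "127.0.0.1",    306),
    ("224.0.0.0",   "240.0.0.0",     "On-link",       "192.168.1.63", 266),
]

# Entries the OpenVPN client adds: two /1 routes that together cover every
# address and so beat the /0 default, plus host routes for the tunnel and for
# the VPN server itself (which must stay reachable through the ISP gateway).
VPN_ROUTES = [
    ("0.0.0.0",       "128.0.0.0",       "10.4.15.173",   "10.4.15.174",  30),
    ("128.0.0.0",     "128.0.0.0",       "10.4.15.173",   "10.4.15.174",  30),
    ("10.4.0.1",      "255.255.255.255", "10.4.15.173",   "10.4.15.174",  30),
    ("10.4.15.172",   "255.255.255.252", "On-link",       "10.4.15.174",  286),
    ("95.110.200.16", "255.255.255.255", "192.168.1.254", "192.168.1.63", 10),
]

# The override from the post: four /2 routes back to the ISP gateway. They
# are more specific than the /1 routes, so together they win for everything.
OVERRIDE_ROUTES = [
    (f"{first}.0.0.0", "192.0.0.0", "192.168.1.254", "192.168.1.63", 11)
    for first in (0, 64, 128, 192)
]


def mask_bits(netmask: str) -> int:
    """Number of leading 1 bits in a dotted netmask, e.g. 192.0.0.0 -> 2."""
    return ipaddress.IPv4Network(("0.0.0.0", netmask)).prefixlen


def lookup(routes, destination: str):
    """Return (gateway, interface) for a destination: most netmask 1-bits
    wins, and among equals the lowest metric wins, as the post describes."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    best_key = None
    for net, mask, gateway, interface, metric in routes:
        network = ipaddress.IPv4Network((net, mask))
        if dst not in network:
            continue
        # Prefix length negated so that "smaller key" means "more specific".
        key = (-network.prefixlen, metric)
        if best_key is None or key < best_key:
            best, best_key = (gateway, interface), key
    return best


if __name__ == "__main__":
    tables = (
        ("no VPN", BASE_ROUTES),
        ("VPN up", BASE_ROUTES + VPN_ROUTES),
        ("VPN up + /2 overrides", BASE_ROUTES + VPN_ROUTES + OVERRIDE_ROUTES),
    )
    for label, table in tables:
        print(f"{label}: 8.8.8.8 -> {lookup(table, '8.8.8.8')}, "
              f"10.4.0.1 -> {lookup(table, '10.4.0.1')}")
```

With the overrides in place a public destination goes back out via 192.168.1.254, while 10.4.0.1 (the tunnel's /32 host route) and 95.110.200.16 (the VPN server) are still matched by their more specific entries, which is what keeps the tunnel itself usable for the torrent clients bound to it.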


HSCraft - I'll try to answer your question in broad strokes.

In the normal case of things (no VPN), things you do on The Internet are routed through your ISP, often in the clear (not encrypted, not hidden).

In the usual case of VPNs (such as the excellent, though simple, AirVPN client), things you do on The Internet are all eventually routed through your VPN provider. Depending on which provider (or in the case of AirVPN, which server) you have, this might be a Long, Long Way Away.

In my case, I have reason to want to route through the UK, so I use a UK VPN server. This means that if I send a packet to my next door neighbor, it must go across the Atlantic and back before it will show up at his place. This takes time (the speed of light is not infinite), and is wasteful of resources (even if that waste doesn't directly cost me anything). It is also slower (not that AirVPN is particularly slow, but it doesn't always seem to keep up with my 12Mbit home connection for me).

So. There's lots of stuff I want to do just as if I had no VPN at all: Access my work email, watch Netflix, play a video game online (latency is very important to this), and so on. And there's a few things that I never, ever want to use with anything other than a VPN connection; chief among these (for me, others may vary) is BitTorrent.

The purpose of the discussion is to try to figure out how to do both of these things at once (so some stuff happens over the VPN, some stuff doesn't), automatically. That way Netflix works properly, various downloads work quickly, online games work snappily, etc.

In order to do this, I've got a few obvious options (see my first post), but I'm first going to attempt to make my Tomato-based router handle it. I hope to be able to differentiate which connection gets used based on port number. I may also define some IP address-based rules to ensure that my work email never goes over the VPN (there's no reason to, as it's already encrypted with SSL) no matter what else I do.

But, yes: For a lot of folks, the default configuration with the AirVPN client or the how-to documents here is perfectly sufficient. For folks trying to evade oppressive government filtering, it might even be ideal to send every tiny packet over the VPN link. And it's certainly easy, which is a huge plus.

I'm not looking for easy, though, and I like to tinker.

Hope this helps.


Got it working, thanks to the research from PsychoWolf.

The process was not exactly as described in the linked thread, but that's OK: It's doing exactly what I want, and is easily extensible to do other things by only changing a file in the router.

On my router I couldn't put the whole (modified) script into NVRAM because I only had 4k left and it was slightly larger than that. So I wrote it to a file on an attached USB device (JFFS2 would work also, but I don't have that configured at the moment), and that seems to be working just fine.

Under Administration/Scripts, I have it being called from Init, Firewall, and WAN Up.

I noticed that when I only had it in WAN Up, the router would revert to forwarding all Internet access over the VPN after changing other (unrelated) settings. (Having it in "Init" is likely superfluous, but can't do any harm.)

So. At the moment, torrents go over VPN (as specified by port), while everything else goes over my regular ISP connection. And it fails safe: If the VPN is down, torrents just don't happen. It's a wonderful starting point, and it seems to survive both configuration changes and reboots with Shibby's Tomato build on my RT-N16.

It does somewhat break the carefully-tuned QoS rules I was using, but that's OK: I can rate-limit within uTorrent and that's good enough to keep things sane for now (or forever, really). The VPN traffic simply shows up as "Unclassified," though the rest of my (non-VPN-related) QoS rules are working fine, and that's quite good enough for my purposes.

Thanks again to PsychoWolf: I don't know if you're using this technique yourself or if you just Googled it on my behalf, but the thread you found is a diamond in the rough while my own research was not getting me anywhere at all.


@NaDre, are you making these changes at the router as well? I'm afraid I can not toy with our building router that way.


@NaDre, are you making these changes at the router as well? I'm afraid I can not toy with our building router that way.

I am not using a router to do this. I am just doing configuration tricks on my PC. That was the point of my first post.

I should point out here that I am confident that AirVPN has their IPTables (firewall) rules set up on each server to prevent any other user from connecting to my PC via the VPN, after connecting to the server themselves.

Does "admin" have any comment on this?

In other words, I am assuming that I can trust the server as I would trust a router, to provide an adequate firewall. If I start to fear that this trust is unwarranted, then I may also start using a router with OpenVPN on it.


@NaDre, are you making these changes at the router as well? I'm afraid I can not toy with our building router that way.

I am not using a router to do this. I am just doing configuration tricks on my PC. That was the point of my first post.

I should point out here that I am confident that AirVPN has their IPTables (firewall) rules set up on each server to prevent any other user from connecting to my PC via the VPN, after connecting to the server themselves.

Does "admin" have any comment on this?

In other words, I am assuming that I can trust the server as I would trust a router, to provide an adequate firewall. If I start to fear that this trust is unwarranted, then I may also start using a router with OpenVPN on it.

Hello!

Yes, confirmed, no client can communicate with another client INSIDE the VPN.

Some special notes: when you remotely forward a port, the server will forward packets directed to the : to your system local port, so it's up to you to check your security if you run services behind the VPN. By default NO ports are forwarded. Additionally, you can't be reached directly from the entry-IP address.

Finally a side note, not very relevant in this context: we have a cone-NAT (p2p friendly) so be aware of programs which perform NAT punching, because we allow that.

Kind regards


flodadolf: If ALL you're routing over VPN is your torrent traffic, add two rules to your QoS for source IP and destination IP and set them to whatever class you want...The traffic sent over the VPN will then use whatever class you set.

I use my VPN for Netflix (In Canada, Netflix has less content so I connect to USA to watch) so my rules give priority to the VPN over other traffic and this works wonderfully.

Glad you got this working.


Thank you to everyone for your detailed replies. I understand now what you are doing, even if I do not fully understand exactly how you are doing it. For my needs I think I will just make use of the AirVPN client and a firewall to block certain traffic. I will then only connect to the VPN when I am BitTorrenting, as this is my main concern. I do not need to seed for hours on end so I can connect to the VPN while I sleep and then go back to regular standard Internet browsing during the day.


I think PsychoWolf has pointed us to the right solution and I've seen the same discussed elsewhere on the interwebs...

I have the following setting in my dd-wrt Firewall based simply on the instructions provided by OpenVPN.

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Would someone who has a good understanding of this solution be so kind as to tell me exactly what I should replace the above with in order to keep my entire network over VPN except for my two Netflix streaming devices (192.168.1.14 & 192.168.1.15)?

I suspect this is pretty simple for those that understand but I'm not clear as to which settings I should add vs replace in my firewall settings to achieve this. Again, to be clear, I want those specific IPs on my network to go straight through the ISP while everything else will go through AirVPN by default. I have a 30mb connection through my ISP but only get about 2mb via AirVPN so I'm looking to move some devices off of it. Thanks in advance if you can help!


@andrewtn


Hi,

The following script should work for a Tomato router and hopefully for DD-WRT as well. You just need to modify the DIRECTCLIENTS line and put the IPs you want to bypass the VPN for there.

#!/bin/sh
# Policy routing: anything from DIRECTCLIENTS, or anything carrying fwmark 1,
# is looked up in table 100, whose default route is the WAN (ISP) gateway.
# Everything else stays in the main table, where the VPN client's default lives.

lan_if="br0"
vpnclient="client1"
# Tomato names the interface after the client slot: client1 -> tun11, client2 -> tun12
vpn_if="tun1$(echo $vpnclient | tail -c 2)"
# LAN hosts that should bypass the VPN
DIRECTCLIENTS="192.168.1.14 192.168.1.15"

# Reverse-path filtering would drop replies that arrive on the "other" interface
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do
	echo 0 > $i
done

# Start clean: empty table 100 and remove every policy rule except the defaults (0, 32766, 32767)
ip route flush table 100 1> /dev/null 2> /dev/null
ip rule show | grep -Ev "^(0|32766|32767):" | while read PRIO RULE; do
	ip rule del prio ${PRIO%%:*} $( echo $RULE | sed 's|all|0/0|' )
done
ip route flush cache

# Copy the main table into table 100, leaving out the default route and the VPN routes
ip route show table main | grep -Ev ^default | grep -Ev "$vpn_if" | while read ROUTE
do
	ip route add table 100 $ROUTE
done

# Table 100 sends everything out through the ISP gateway; marked packets use it
ip route add default table 100 via $(nvram get wan_gateway_get)
ip rule add fwmark 1 table 100

if [ -n "$DIRECTCLIENTS" ]
then
	for IP in $DIRECTCLIENTS
	do
		ip rule add from $IP lookup 100
	done
fi
ip route flush cache
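To see how the mangle MARK examples PsychoWolf linked and the ip rule lines in the script above fit together, here is an added Python model; it is example code written for this thread, not the script above and not anything from AirVPN, Tomato or the linked page. It models iptables MARK as a non-terminating target (every matching rule fires, the last match decides), the rule order "from DIRECTCLIENT lookup 100" / "fwmark 1 table 100" / main, and what happens to VPN-only traffic once the tunnel is gone. The torrent ports, the always-VPN host, the WAN gateway 203.0.113.1 and the interface name tun11 are constructed values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    in_if: str
    proto: str
    src: str
    dst: str
    dport: int = 0


@dataclass
class MangleRule:
    """One 'iptables -t mangle -A PREROUTING ... -j MARK' rule."""
    mark: int
    in_if: str = "br0"
    proto: Optional[str] = None
    dports: Tuple[int, ...] = ()
    src: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if p.in_if != self.in_if:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.src is not None and p.src != self.src:
            return False
        return True

    def to_iptables(self) -> str:
        """Render the rule in the same form as the linked script's examples."""
        parts = ["iptables -t mangle -A PREROUTING -i", self.in_if]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.dports:
            parts += ["-m multiport --dport", ",".join(str(d) for d in self.dports)]
        if self.src is not None:
            parts += ["-m iprange --src-range", self.src]
        parts += ["-j MARK --set-mark", str(self.mark)]
        return " ".join(parts)


# Constructed rule set in the style of the linked script: the catch-all bypass
# (mark 1) comes first, then the exceptions that must use the VPN (mark 0).
# The torrent ports and the always-VPN host are assumptions for this example.
RULES = [
    MangleRule(mark=1),
    MangleRule(mark=0, proto="tcp", dports=(6881, 51413)),
    MangleRule(mark=0, src="192.168.1.2"),
]

# Constructed stand-ins for the script's DIRECTCLIENTS, wan_gateway_get and vpn_if.
DIRECTCLIENTS = {"192.168.1.14", "192.168.1.15"}
WAN_GW = "203.0.113.1"
VPN_IF = "tun11"


def mark_packet(p: Packet) -> int:
    # MARK does not stop rule evaluation, so every matching rule fires and the
    # last one wins; that is why the catch-all bypass rule has to come first.
    mark = 0
    for rule in RULES:
        if rule.matches(p):
            mark = rule.mark
    return mark


def select_route(p: Packet, vpn_up: bool, block_when_down: bool = False) -> str:
    """Next hop for a packet under the script's ip rule ordering."""
    # 'ip rule add from <client> lookup 100' and 'ip rule add fwmark 1 table 100'
    # both land in table 100, whose only default route is the WAN gateway.
    if p.src in DIRECTCLIENTS or mark_packet(p) == 1:
        return f"wan via {WAN_GW}"
    # Everything else falls through to the main table; while the VPN is up its
    # default route is the tunnel.
    if vpn_up:
        return VPN_IF
    # Caveat (an assumption about the router, not something the thread states):
    # once OpenVPN withdraws its routes, the main table's default is the plain
    # WAN route again, so unmarked traffic leaks unless something blocks it.
    return "blocked" if block_when_down else f"wan via {WAN_GW} (LEAK)"


if __name__ == "__main__":
    for rule in RULES:
        print(rule.to_iptables())
    torrent = Packet("br0", "tcp", "192.168.1.50", "198.51.100.7", 51413)
    web = Packet("br0", "tcp", "192.168.1.50", "198.51.100.7", 443)
    for label, pkt in (("torrent", torrent), ("https", web)):
        print(label, "VPN up:", select_route(pkt, True),
              "| VPN down:", select_route(pkt, False))
```

The model is a useful sanity check before touching a router: if the catch-all mark 1 rule is appended after the port rules instead of before them, mark_packet returns 1 for the torrent packet too and nothing ever reaches the tunnel. The block_when_down branch stands for whatever you add to make the setup fail closed (a firewall rule on the tunnel-only traffic or an unreachable default route of lower priority); the script as posted has no such step, so verify the VPN-down case on the real device rather than assuming it.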



Hello,


I have been looking for an answer to this question for quite a while, it fits into this topic but with a different approach.


Now I am not sure if this is even possible but here goes:


I would like to have 2 separate devices set up as gateways in my network - one would be a regular router, the other a Raspberry Pi.

The router would act as a gateway to the regular Internet, the Raspberry Pi as a gateway to the VPN (VPN client connection to AirVPN).

Now all other devices in the network would just have to choose either the IP address of the router or the Pi as the default gateway to get either regular Internet or VPN access.


Is something like that feasible?

If needed, I can draw something up or explain in more detail with some examples.


Thanks!

