DDWRT - Policy based Routing

I am able to get all of my network traffic to pass through the VPN on my router, no problem at all. But as soon as I add a policy to restrict it to specific IPs, it stops working. When I restrict it to a laptop, I can still connect to the router, and I can ping specific IP addresses outside of the network, but I cannot pull up web pages, etc.

I must be missing a checkbox or a setting somewhere? I have tried several tutorials, I have updated DD-WRT on my router to a very recent release, and I have even reset to factory defaults and started from scratch.

I am trying to use policy-based routing in the VPN tab in DD-WRT/Services/VPN, restricting it to a single IP this way:
192.168.0.200/32

If I use NO policy-based routing, then all local IPs go through the VPN and work fine.

Tutorials I tried (I tried others as well; they all say the same thing):
https://www.privateinternetaccess.com/forum/discussion/15962/open-vpn-using-router-configured-with-dd-wrt
http://www.instructables.com/id/Configure-VPN-Settings-on-Older-DD-WRT-Routers-for/

Thank you kindly for any help.

Comments

  • You aren't missing anything, except there is a bug in DD-WRT that fails to properly create / copy the routing table. I was just dealing with this recently because my usage case is that I want to ONLY VPN filter my Apple TV devices, and let the computers be selected on or off based on the users' desire. I'm also running a Raspberry Pi for Pi-hole for the ATV, but that is separate. Through digging around I found this startup script that fixes the bug. Copy this and put it into the custom commands window, and save it as a startup script:

    #!/bin/sh
    export DEBUG= # uncomment/comment to enable/disable debug mode
    # ---------------------------------------------------------------------------- #
    # ddwrt-ovpn-table-10-fix.sh: v2.0.0, 28 February 2017, by eibgrad
    # bug report: http://svn.dd-wrt.com/ticket/5690
    # install this script in the dd-wrt startup script
    # ---------------------------------------------------------------------------- #
    
    SCRIPT_DIR="/tmp"
    SCRIPT="$SCRIPT_DIR/ddwrt-ovpn-table-10-fix.sh"
    mkdir -p $SCRIPT_DIR
    
    cat << "EOF" > $SCRIPT
    #!/bin/sh
    (
    [ "${DEBUG+x}" ] && set -x
    
    MAX_PASS=0 # max number of passes through routing tables (0=infinite)
    SLEEP=60 # time (in secs) between each pass
    
    # ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #
    
    TID="10"
    ROUTES="/tmp/tmp.$$.routes"
    
    # initialize this run
    pass_count=0
    
    while :; do
        # initialize this pass
        pass_count=$((pass_count + 1))
        table_changed=false
    
        # wait for creation of OpenVPN client alternate routing table
        while [ ! "$(ip route show table $TID)" ]; do sleep 10; done; sleep 3
    
        echo "$(ip route show | \
            grep -Ev '^default|^0.0.0.0/1|^128.0.0.0/1')" > $ROUTES
    
        # add routes to pbr found in main routing table
        while read route; do
            if ! ip route show table $TID | grep -q "$route"; then
                ip route add $route table $TID && table_changed=true
            fi
        done < $ROUTES
    
        echo "$(ip route show table $TID | grep -Ev '^default')" > $ROUTES
    
        # remove routes from pbr not found in main routing table
        while read route; do
            if ! ip route show | grep -q "$route"; then
                ip route del $route table $TID && table_changed=true
            fi
        done < $ROUTES
    
        # force routing system to recognize our changes
        # POSIX test ([ ]) rather than the bash-only [[ ]], since the script runs under /bin/sh
        [ "$table_changed" = true ] && ip route flush cache
    
        # quit if we've reached any execution limits
        [ $MAX_PASS -gt 0 ] && [ $pass_count -ge $MAX_PASS ] && break
    
        # put it to bed for a while
        [ $SLEEP -gt 0 ] && sleep $SLEEP
    done
    
    # cleanup
    rm -f $ROUTES
    
    echo "done"
    exit 0
    
    # quoted so that "[$$]" is passed to logger as a tag, not expanded as a shell glob
    ) 2>&1 | logger -t "$(basename $0)[$$]"
    EOF
    
    chmod +x $SCRIPT
    nohup $SCRIPT > /dev/null 2>&1 &
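Before installing the script above, it is worth confirming that table 10 is actually missing the routes from the main table, since that is the symptom the fix addresses. The check below is an added example, not part of the comment above or of the eibgrad script; the two route listings are constructed sample output of `ip route show` and `ip route show table 10` for a router with LAN 192.168.0.0/24, a tun1 OpenVPN client and an assumed WAN on 203.0.113.0/24, so it runs offline. Unlike the script's `grep -q "$route"`, it compares whole lines as fixed strings, so a dot in a prefix is not treated as a regex wildcard.

```shell
#!/bin/sh
# Constructed sample of `ip route show` (main table). Addresses are made up.
MAIN_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun1
default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun1
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.1
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10'

# Constructed sample of `ip route show table 10` when the bug is present:
# only the VPN default route was copied, none of the connected routes.
TABLE10_ROUTES='default via 10.8.0.1 dev tun1'

# Print every route in the main table that is absent from the PBR table.
# The default route and OpenVPN's two half-internet routes (0.0.0.0/1,
# 128.0.0.0/1) are skipped, as the fix script does; they belong only in main.
# grep -Fx matches the whole line as a fixed string, so "10.8.0.0/24" cannot
# accidentally match "10.8.0.0/24 ..." of a different route or "10x8...".
missing_from_pbr() {
    main="$1"
    pbr="$2"
    printf '%s\n' "$main" | grep -Ev '^default|^0\.0\.0\.0/1|^128\.0\.0\.0/1' |
    while IFS= read -r route; do
        printf '%s\n' "$pbr" | grep -Fxq "$route" || printf '%s\n' "$route"
    done
}

# Wrapper for use on the router itself (needs iproute2; assumes table 10 is
# the OpenVPN client PBR table, as on the page). Not called in the offline run.
check_live_router() {
    missing_from_pbr "$(ip route show)" "$(ip route show table 10)"
}

# Offline run against the constructed samples: prints the three routes
# (tun1 subnet, LAN br0 subnet, WAN eth0 subnet) that table 10 lacks.
missing_from_pbr "$MAIN_ROUTES" "$TABLE10_ROUTES"
```

If the live check prints the LAN (br0) route, a policy-routed client's replies cannot be routed back through table 10, which matches the "can ping outside but no web pages" symptom in the question.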