by
Hi all - I'm not a network administrator or a developer, so please, very basic. Any help you can provide will be much appreciated.

I have a rutx12 with a basic home configuration to connect to the internet, that's it.

I would like to understand how routing works and I would like to start with these objectives:

Objective 1: place the apple tv under vpn-usa

Objective 2: place the iPad under vpn-spain

Objective 3: place the iPhone and Computer under vpn-uk

My questions are:

- When I add a vpn client, it seems to cover all traffic in the house, it becomes too slow and I have to switch it off. How do I send just one device through the vpn and not the entire house's traffic?

- Do I create 3 separate subnets?

- Or is it better to create 3 separate interface based vlans? What's the difference?

- And the firewall settings? Accept-Accept-Reject? Or reject everything...

- Or is it best with routing rules? static? dynamic?

- Can I then create a wifi connection "home-usa" or "home-uk"? To be routed through the appropriate vpn?

- In which order do I create these things? Must one exist before creating another one?

Any help or pointers would be appreciated - thanks in advance,

Pete

1 Answer

by

Hello,

It's possible to make this scenario work although it will require a fair amount of additional configuration and installation of one package to make everything work the way it's supposed to. What you're trying to accomplish is called "VPN policy based routing" - a way of routing packets from specific hosts or with specific markings/destination ports etc. I must inform you that before getting started with this configuration, access to the router CLI will be necessary.

If I understand your case correctly, you want to specify individual devices to use different VPN tunnels. This is achievable, but it will be necessary to meddle with the router configuration via CLI (command line interface) in addition to web UI. I'll try to provide a full step-by-step solution in this post using RUTX11 with RUTX_R_00.07.01 firmware as well as configuring OpenVPN (TUN mode) tunnel.

Please note that if you are using a different (older) router or older firmware, the necessary package may not be available for installation although any RUTX device with newest firmware should work.

To start things off, please log in to the router, switch from Basic to Advanced mode (if you haven't already, your router will show "Basic" mode in the top right corner), then proceed to create VPN tunnels by going to Services>VPN and picking the VPN you want to use. After that, configure the VPN tunnel itself and make sure it establishes connection. Once that's done, create a new interface named "vpn1" by navigating to Network>Interfaces. Once the interface configuration window opens, click the "Protocol" field and switch from "DHCP" to "Static". Enter the following information in the fields below:

IPv4 address: <Your VPN tunnel LOCAL address, router side>

IPv4 gateway: <Your VPN tunnel REMOTE address, VPN server side>

Note: Generally, these IPs are point to point addresses, one for your VPN tunnel on the router side and another IP on the other end where traffic gets sent. You can find them by looking at "ifconfig" output in CLI, the "inet addr:" field should show you your VPN tunnel LOCAL address while "P-t-P:" should display your VPN tunnel REMOTE address. It's also possible to find them by taking a look at "route -n" output in the CLI as a gateway, in the same line as the VPN tunnel interface name.

Leave everything else empty, click on "Physical settings" on the side, select "Interface" field, click on "Custom" and enter the VPN interface name. In this example, my interface is named "tun_c_vpn1" but your interface name might differ. 

Note: to double check, you'll have to log in to the CLI and type "ifconfig", then find the name of the VPN interface.

After all of the configuration is done, we can save the interface and apply changes. Additionally, I strongly recommend reserving the LAN IP address of your devices which will be using the VPN. To do that, edit the "LAN" interface, scroll down to "Static lease" section and add some new LAN IP reservations by naming them appropriately and assigning LAN IP address, depending on specific device MAC address. Once again, save and apply all changes.

As a final configuration part, move to the CLI (System>CLI), log in to it and enter the following commands in order:

opkg update

opkg install vpn-policy-routing

uci set vpn-policy-routing.config.enabled="1"

while uci -q delete vpn-policy-routing.@policy[0]; do :; done

uci add vpn-policy-routing policy

uci set vpn-policy-routing.@policy[-1].name="Ignore_destination_class_C"

uci set vpn-policy-routing.@policy[-1].dest_addr="192.168.0.0/16"

uci set vpn-policy-routing.@policy[-1].interface="ignore"

uci add vpn-policy-routing policy

uci set vpn-policy-routing.@policy[-1].name="Route_VPN_Device1"

uci set vpn-policy-routing.@policy[-1].src_addr="192.168.1.X/32"

uci set vpn-policy-routing.@policy[-1].interface="vpn1"

uci add vpn-policy-routing policy

uci set vpn-policy-routing.@policy[-1].name="Route_VPN_Device22"

uci set vpn-policy-routing.@policy[-1].src_addr="192.168.1.Y/32"

uci set vpn-policy-routing.@policy[-1].interface="vpn2"

uci commit

/etc/init.d/vpn-policy-routing restart

Note: don't forget to change the src_addr fields from X and Y to decimal values in your configuration according to your device(s) LAN IP address.

And that's it! The devices you've specified should have their traffic routed via the OpenVPN tunnel while everything else on your LAN will exit to the internet directly via your ISP. As for doing this for multiple VPN tunnels, simply make sure to swap out additional interfaces in the "vpn-policy-routing" configuration and specify the host IP address that needs to leave from LAN to the internet via specific VPN tunnel.

Additionally, if you'd like to route the entire subnet or create extra LAN interfaces/Wi-Fi I'd recommend checking out the article on our wiki page regarding the configuration example here: https://wiki.teltonika-networks.com/wikibase/index.php?title=OpenVPN_traffic_split. The example configuration in this article shows how to configure a VPN tunnel to split up traffic (using OpenVPN tunnel) between Ethernet and Wi-Fi.

This is a slightly complicated case, configuring the device might be tricky so please, if you run into any issues or anomalies regarding this configuration, let me know and I'll be glad to assist you with any further questions. Additionally, if you could specify the VPN of your choice (OpenVPN, WireGuard, PPTP etc.) I could give you a precise step-by-step configuration regarding your specific VPN choice.

Best regards,

TP.

by
Wow Tomas, thank you so much!!

I'm ok to configure (and CLI too) as long as I can always restore to user defaults (which I do often enough :)

I've got a RUTX12 with fw 0701. I'm hoping it won't be too different. By the way, is the 2mb limit lifted in the new fw on backup config files?

I use openVpn (which I add on the gui switching on "enable external services" and uploading a country config file).

Let me see if I've understood:

1) we'll create 3 vpn tunnels along with 3 new interfaces, one for each vpn.

2) we'll assign each device to its new route via cli (vpn policy route)

While that is perfect, I also like your proposal to follow the vpn tunnel split guide. I tried it and somewhere I broke the config and had to restore. My problem is somewhere in the firewall configuration (which I don't fully understand) and I always mess it up.

I think I prefer to try the subnetting (split) option and this gives me the flexibility to add/move/remove devices from one subnet (hence vpn) or another. Is this viable?

The thing with multiple vpn clients, they seem to run into trouble around the firewall. And access to the web (wan) gets blocked/rejected. What am I doing wrong? One vpn is ok, but two vpns block the wan. why?

So, is this set of steps correct?

1) create 3 vpn tunnels (country1, country2, country3)

2) create 3 new lans (lan1, lan2, lan3) - how do I configure physical settings, etc? Or create plans instead? Steps?

3) how to configure firewall?

4) via cli install package, set rules

Are those the steps?

Thanks Tomas. I know this is quite a bit of time to help some stranger, but you will receive a virtual beer after all of this is set and done.

Many thanks.
by

First of all, thank you for your kind words, I appreciate it a lot!

Regarding the 2 MB backup limit - it's the intended design of our devices. It's possible to manually remove a bunch of unnecessary files in the compressed backup file to make sure it doesn't exceed 2 MB and then upload it as a backup but you have to be careful about which files to remove.

As for the VPN traffic routing:

1) we'll create 3 vpn tunnels along with 3 new interfaces, one for each vpn.

Correct, creating 3 VPN tunnels is a must before anything else. Once those VPN tunnels are up and running (connected), I recommend immediately logging onto the CLI and checking the names of the tunnels with the "ifconfig" command. It's a must to at the very least enter the valid address in the "IPv4 address" field (which, in this case, is your local VPN tunnel address on your router side). I've double checked it and it is not mandatory to enter anything in the "IPv4 gateway" field, although I would recommend putting in the correct gateway (IP address of the remote VPN tunnel interface, not an external IP) just to make sure traffic is always sent out the right way.

2) we'll assign each device to its new route via cli (vpn policy route)

Correct, this is the step to take after configuring 3 VPN tunnels and configuring 3 different interfaces for the new VPN tunnels.

I think I prefer to try the subnetting (split) option and this gives me the flexibility to add/move/remove devices from one subnet (hence vpn) or another. Is this viable?

Indeed, this is also a valid way to make things work. In that case it would be enough to define an entire subnet of, for example, 192.168.150.0/24 which would basically mean that any device that has an IP address starting with "192.168.150.*" would have its traffic routed via the VPN tunnel. In that case I'd recommend creating individual LAN subnets for separate VPN tunnels.

Also, while I can't be certain about what might've caused you troubles with connectivity, I can make a couple of calculated guesses - either the firewall rule or routing were an issue. You may PM me for more details regarding this.

The thing with multiple vpn clients, they seem to run into trouble around the firewall. And access to the web (wan) gets blocked/rejected. What am I doing wrong? One vpn is ok, but two vpns block the wan. why?

If I understand correctly, your devices can't reach the internet when connected to a specific VPN tunnel? If so, this may be an issue on the VPN server side. It's possible to test out whether the client configuration is working by using any standalone VPN client without involving the router, for example downloading a phone app, importing the configuration file and connecting with it to the VPN server via Wi-Fi and mobile data. If the internet works on the phone and your device shows a different external IP address (VPN server's external IP) after these steps then there might be an issue with the router firewall or routes, otherwise it's a VPN server issue.

So, is this set of steps correct?

1) create 3 vpn tunnels (country1, country2, country3)

Yes, I'd like to note that the way these tunnels are named will be important later when configuring the physical names on the interfaces. These names are case-sensitive.

2) create 3 new lans (lan1, lan2, lan3) - how do I configure physical settings, etc? Or create plans instead? Steps?

As for the 3 new interfaces - you'd have to name them appropriately as well, these names will be important later when configuring the VPN routing policies. These names are case-sensitive too. Once interface configuration window opens up, swap the "Protocol" field to "Static" and enter the local IP address of your appropriate VPN tunnel in the "IPv4 address" field, everything else can be kept empty/default. After that, click on "Physical settings" on the left and click on the "Interface" field. There, select "--Custom--" field, then enter the name (case sensitive!) of your VPN tunnel that shows up in the "ifconfig" output in the CLI. Finally, move on to the "Firewall settings" and make sure to select the "openvpn" firewall zone for this interface, otherwise you may not be able to connect to the internet via your VPN tunnel. The exact same steps will apply for any other interface, except the IPv4 address and the interface names will differ.

3) how to configure firewall?

For this step, there are a few ways you can approach this task. First way is to create new LAN interfaces, then assign different physical port for the newly created interface but put every single LAN subnet under the same firewall zone "lan". This way you should still be able to access any LAN device from one subnet to another but at the same time, using the VPN routing policies, you could define which subnet to route to the internet via VPN and which - via your ISP's gateway.

Example #1: LAN1 port would serve IP addresses in range from 192.168.1.100 to 192.168.1.200 and route every device traffic in that subnet via your ISP IP. LAN2 port would serve IP addresses in range from 192.168.50.100 to 192.168.50.200 and any device in that subnet would have its traffic routed via the specified VPN tunnel.

Example #2: another way to do this would be to create separate LAN zones for different subnets in the firewall section and then only permit LAN traffic within the same LAN subnet and deny output/input to any other LAN subnet on your device. This can be accomplished by creating a new firewall zone while configuring the interface itself by going to the "Firewall settings", selecting the "--Custom--" field and entering any firewall zone name for the new subnet. Once that's done, it's necessary to configure the firewall in a slightly more extensive way by navigating to Network>Firewall settings. Once there, edit the newly created zone (or create one if it's not there yet), set the "Input" and "Output" fields to "Accept" for this new zone, then add the "openvpn" zone in the field "Allow forward to destination zones". Also, double check that the "Covered networks" field shows your newly created LAN interface. Once all of that is done, apply changes. I have to warn you that if your VPN tunnel goes down, you won't have any internet on your devices, which belong to the new subnet, at all.

4) via cli install package, set rules

Are those the steps?

Correct. Installing the package will be  Those are the steps for individual hosts. If you want to set a rule for the entire subnet, you can accomplish this by modifying the subnet in VPN policy rule. For example, to apply the routing rule for the entire subnet of 192.168.5.0, you would have to create the following policy:

uci add vpn-policy-routing policy 

uci set vpn-policy-routing.@policy[-1].name="Route_VPN_subnet"

uci set vpn-policy-routing.@policy[-1].src_addr="192.168.5.0/24"

uci set vpn-policy-routing.@policy[-1].interface="vpn1"

You may notice that these commands are nearly the exact same as the ones I've posted before, except this way you will be able to route any device with an IP address starting from 192.168.5.1 to 192.168.5.254 via the specified VPN tunnel.

So, to recap, if you wish to do VPN routing per host, follow these steps:

1) Head over to Services>Network>OpenVPN and create a new VPN tunnel, configure it and wait for the tunnel to establish connection to the VPN server

2) Log in to the CLI, type in "ifconfig" and check the name of the tunnel and the assigned IP address for it

3) Go back to the router web UI, go to Network>Interfaces. Name and add a new interface for the VPN interface

4) Once the interface creation window opens, select "Static" as your protocol and enter the IPv4 address of your VPN tunnel on the router side (from "ifconfig" output), leave everything else as-is

5) Go to "Physical settings", in the "Interface" field select "--Custom--" and then enter the name of your tunnel (from "ifconfig" output), click enter once you've entered it

6) Then, click on "Firewall settings" and assign the "openvpn" zone for this interface. Once done, save and apply the configuration.

7) Lastly, go back to the router CLI, run the commands given in my previous post in order and remember to specify exact IP addresses of every device that should have its internet traffic routed via the VPN tunnel

8) *Optional, but I recommend binding a static IP to the MAC (static lease) of the LAN device to make sure the LAN IP address remains consistent on specific devices. You can do that by editing the LAN interface and setting a static lease there.

This should be enough for specific hosts configuration. 

In case you'd like to do a full subnet split-tunnel, the article I've linked before (https://wiki.teltonika-networks.com/wikibase/index.php?title=OpenVPN_traffic_split) should be enough to guide you through the configuration process but I'll make sure to summarize it here as well to make things clearer:

1) Head over to Services>Network>OpenVPN and create a new VPN tunnel, configure it and wait for the tunnel to establish connection to the VPN server

2) Log in to the CLI, type in "ifconfig" and check the name of the tunnel and the assigned IP address for it

3) Go back to the router web UI, go to Network>Interfaces. Name and add a new interface for the VPN interface

4) Once the interface creation window opens, select "Static" as your protocol and enter the IPv4 address of your VPN tunnel on the router side (from "ifconfig" output), leave everything else as-is

5) Go to "Physical settings", in the "Interface" field select "--Custom--" and then enter the name of your tunnel (from "ifconfig" output), click enter once you've entered it

6) Then, click on "Firewall settings" and assign the "openvpn" zone for this interface. Once done, save and apply the configuration.

7) After that, navigate to Network>VLAN>Port based, then click on "Add" and once you see a new VLAN ID (3), set one LAN port from "Untagged 1" to "Untagged 3". I recommend setting the third LAN port (LAN).

8) Navigate back to the Network>Interfaces, create the new LAN interface (for example "LAN3"). Yet again, select protocol "Static", then configure the IPv4 address and DNS servers of the new LAN

9) Go to "Physical settings", select "eth0.3" as your interface, make sure the firewall settings have "lan" set as its zone. Then, click on "Setup DHCP server" and save the configuration

10) Lastly, go back to the router CLI, run the commands given above in order and (for this configuration example) remember to specify the entire subnet that should have its internet traffic routed via the VPN tunnel this time

Once this example is done, any device that you plug into LAN3 port of your router will have an IP address of the OpenVPN server. This device can be anything - a PC, a TV, or even a switch to increase the amount of available physical ports for other devices. 

I hope this makes it clearer, even if only a little, because this can get rather confusing really quickly. Once again, since this is a huge wall of text, if you run into any trouble or have any additional questions about this configuration, let me know and I'll try to assist you as best I can. You may also send me a private message in case there's any necessity to go into configuration details and questions from your side.

Have a brilliant day,

TP.

by
Hi Tomas. Well... we're not going to get very far I don't think.

Adding a vpn client kills the internet connection. Will PM as instructed.
by

Hi Tomas,

I have followed this for a RUT240 with 2 WireGuard instances. I have error messages when setting this up. Please see below:

root@Teltonika-RUT240:~# opkg update

Downloading https://downloads.openwrt.org/releases/21.02.0/targets/ath79/generic/packages/Packages.gz

Failed to send request: Operation not permitted

*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/targets/ath79/generic/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/base/Packages.gz

Updated list of available packages in /var/opkg-lists/openwrt_base

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/base/Packages.sig

Signature check passed.

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/luci/Packages.gz

Updated list of available packages in /var/opkg-lists/openwrt_luci

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/luci/Packages.sig

Signature check passed.

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/packages/Packages.gz

Updated list of available packages in /var/opkg-lists/openwrt_packages

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/packages/Packages.sig

Signature check passed.

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/routing/Packages.gz

Updated list of available packages in /var/opkg-lists/openwrt_routing

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/routing/Packages.sig

Signature check passed.

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/telephony/Packages.gz

Updated list of available packages in /var/opkg-lists/openwrt_telephony

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/telephony/Packages.sig

Signature check passed.

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/vuci/Packages.gz

*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/vuci/Packages.gz

Downloading http://opkg.teltonika-networks.com/d8e7c18320c5d5f9467c490804f373bbecaa063ef849b8f331860f5db8925b6f/Packages.gz

*** Failed to download the package list from http://opkg.teltonika-networks.com/d8e7c18320c5d5f9467c490804f373bbecaa063ef849b8f331860f5db8925b6f/Packages.gz

Collected errors:

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/targets/ath79/generic/packages/Packages.gz, wget returned 4.

 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/vuci/Packages.gz, wget returned 8.

 * opkg_download: Failed to download http://opkg.teltonika-networks.com/d8e7c18320c5d5f9467c490804f373bbecaa063ef849b8f331860f5db8925b6f/Packages.gz, wget returned 4.

 * opkg_download: Check your network settings and connectivity.

root@Teltonika-RUT240:~# opkg install vpn-policy-routing

Installing vpn-policy-routing (0.3.4-8) to root...

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mips_24kc/packages/vpn-policy-routing_0.3.4-8_all.ipk

Configuring vpn-policy-routing.

ERROR: vpn-policy-routing is currently disabled.

Enable vpn-policy-routing from WebUI or run the following commands:

uci set vpn-policy-routing.config.enabled='1'; uci commit vpn-policy-routing;

root@Teltonika-RUT240:~# uci set vpn-policy-routing.config.enabled="1"

root@Teltonika-RUT240:~# while uci -q delete vpn-policy-routing.@policy[0]; do :; done

root@Teltonika-RUT240:~# uci add vpn-policy-routing policy

cfg046ff5

root@Teltonika-RUT240:~# uci set vpn-policy-routing.@policy[-1].name="Ignore_destination_class_C"

root@Teltonika-RUT240:~# uci set vpn-policy-routing.@policy[-1].dest_addr="192.168.0.0/16"

root@Teltonika-RUT240:~# uci set vpn-policy-routing.@policy[-1].interface="ignore"

root@Teltonika-RUT240:~# uci add vpn-policy-routing policy

cfg056ff5

root@Teltonika-RUT240:~# uci set vpn-policy-routing.@policy[-1].name="Device1"

root@Teltonika-RUT240:~# uci set vpn-policy-routing.@policy[-1].src_addr="192.168.10.101/32"

root@Teltonika-RUT240:~# uci set vpn-policy-routing.@policy[-1].interface=“Linode”

root@Teltonika-RUT240:~# uci add vpn-policy-routing policy

cfg066ff5

root@Teltonika-RUT240:~# uci set vpn-policy-routing.@policy[-1].name="Device2"

root@Teltonika-RUT240:~# uci set vpn-policy-routing.@policy[-1].src_addr="192.168.10.102/32"

root@Teltonika-RUT240:~# uci set vpn-policy-routing.@policy[-1].interface=“Linode2”

root@Teltonika-RUT240:~# uci commit

root@Teltonika-RUT240:~# /etc/init.d/vpn-policy-routing restart

Creating table 'Linode/10.0.1.2

10.0.1.2' [✗]

Creating table 'Linode2/10.1.1.2

10.1.1.2' [✗]

Creating table 'VPN1/Linode/10.0.1.1' [✓]

Routing 'Ignore_destination_class_C' via ignore [✓]

Routing 'Device1' via “Linode” [✗]

Routing 'Device2' via “Linode2” [✗]

vpn-policy-routing 0.3.4-8 monitoring interfaces: Linode Linode2 VPN1 [✓]

vpn-policy-routing 0.3.4-8 started with gateways:

VPN1/Linode/10.0.1.1

ERROR: Failed to set up 'Linode/10.0.1.2

10.0.1.2'

ERROR: Failed to set up 'Linode2/10.1.1.2

10.1.1.2'

ERROR: Policy 'Device1' has unknown interface: '“Linode”'

ERROR: Policy 'Device2' has unknown interface: '“Linode2”'

WARNING: The 'ignore' target is used by a policy 'Ignore_destination_class_C', but a WebUI setting to show 'ignore' target (webui_show_ignore_target) is disabled!
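The uci policy commands from the answer above and the "unknown interface" failure in the last comment, as an added example that is not from the thread or from Teltonika: a POSIX sh script that generates the vpn-policy-routing commands from a device table and refuses interface names containing anything but ASCII letters, digits and underscores (such as names pasted with curly quotes) or malformed addresses before anything is handed to uci. The device addresses and tunnel interface names (vpn_usa, vpn_spain, vpn_uk) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Teltonika: build the
# vpn-policy-routing uci commands from a device table and reject values
# that "uci set" accepts but the service cannot resolve, such as an
# interface name wrapped in curly quotes (the "unknown interface" error
# above). It only prints commands; review them, then pipe them into sh
# on the router. The tunnel interface names below are constructed.

# UCI section names and vpn-policy-routing interface names are ASCII
# letters, digits and underscores only; curly quotes, spaces or a stray
# carriage return pasted from a document are rejected here.
is_ident() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Dotted-quad IPv4 address with a /0-/32 prefix, e.g. 192.168.5.0/24.
is_ipv4_cidr() {
    addr=${1%/*}
    plen=${1#*/}
    [ "$addr" != "$1" ] || return 1                # no "/prefix" given
    case "$plen" in '' | *[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    rest="$addr." n=0                              # walk the octets
    while [ -n "$rest" ]; do
        oct=${rest%%.*}; rest=${rest#*.}
        case "$oct" in '' | *[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Print the four uci lines for one policy, or print nothing and fail.
# $1 policy name, $2 address, $3 logical interface ("ignore" allowed),
# $4 address field: src_addr (default) matches traffic from the host or
# subnet, dest_addr matches traffic going to it.
emit_policy() {
    field=${4:-src_addr}
    is_ident "$1" || { echo "bad policy name: $1" >&2; return 1; }
    is_ipv4_cidr "$2" || { echo "bad address: $2" >&2; return 1; }
    is_ident "$3" || { echo "bad interface: $3" >&2; return 1; }
    printf 'uci add vpn-policy-routing policy\n'
    printf 'uci set vpn-policy-routing.@policy[-1].name="%s"\n' "$1"
    printf 'uci set vpn-policy-routing.@policy[-1].%s="%s"\n' "$field" "$2"
    printf 'uci set vpn-policy-routing.@policy[-1].interface="%s"\n' "$3"
}

# Full command list from a table on stdin ("<name> <address> <interface>",
# "#" lines ignored): enable the service, drop old policies, keep
# LAN-to-LAN traffic off every tunnel, then one policy per row. Stops at
# the first bad row so nothing from a half-valid table gets committed.
build_policies() {
    printf 'uci set vpn-policy-routing.config.enabled="1"\n'
    printf 'while uci -q delete vpn-policy-routing.@policy[0]; do :; done\n'
    emit_policy Ignore_private_destinations 192.168.0.0/16 ignore dest_addr || return 1
    while read -r name addr iface; do
        case "$name" in '' | '#'*) continue ;; esac
        emit_policy "$name" "$addr" "$iface" || return 1
    done
    printf 'uci commit vpn-policy-routing\n'
    printf '/etc/init.d/vpn-policy-routing restart\n'
}

# Constructed table for the devices in the question; the third column must
# match the logical interface names created under Network>Interfaces.
DEVICE_TABLE='# policy        source            tunnel interface
Route_apple_tv  192.168.1.10/32   vpn_usa
Route_ipad      192.168.1.11/32   vpn_spain
Route_iphone    192.168.1.12/32   vpn_uk
Route_computer  192.168.1.13/32   vpn_uk'

printf '%s\n' "$DEVICE_TABLE" | build_policies
```

Run it on a workstation first; the printed commands are the same ones the answer gives, so a rejected row points at a typo in the table rather than at the router.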