Question

Hi

I have openvpn set up with NORDVPN using ovpn config file.

I want to route three or four single ip addresses away from the vpn and through the normal isp route.

Can I do this via the ovpn file and how?

Or can I do it another way?

Hardware rutx09 on latest firmware

Answer 1

Hi,

I have not tested this with NORDVPN, however, you should be able to configure VPN policy routing to achieve what you want. 

For this, you will need to install VPN policy routing package via CLI/SSH:

• opkg update
• opkg install vpn-policy-routing

Then, you will need to find out the name of your OVPN interface via 'ifconfig' command.

The following should be your configuration using UCI, just replace IP addresses, names (if needed), and the name of the OVPN tunnel with your own. The first two rules show which IP addresses should be routed via ISP, the last rule defines the network (all the rest of the traffic from LAN) to be routed via OVPN tunnel. Add as many rules as you need, just make sure that the rule that routes via OVPN interface is the last rule at the bottom. I've added some comments, you can ignore them.

# enable vpn policy routing.

• uci set vpn-policy-routing.config.enabled="1"

# delete existing rules.

• while uci -q delete [email protected][0]; do :; done

# create new policy.

• uci add vpn-policy-routing policy

# define a host to route via WAN or Mobile interface (whichever you use).

• uci set [email protected][-1].name="HostRouteISP"
• uci set [email protected][-1].src_addr="192.168.1.10/32"
• uci set [email protected][-1].interface="wan"

# create a second policy.

• uci add vpn-policy-routing policy

# define a second host to route via WAN.

• uci set [email protected][-1].name="AnotherHostToISP"
• uci set [email protected][-1].src_addr="192.168.1.11/32"
• uci set [email protected][-1].interface="wan"

# Create the last policy to route the rest of the traffic via OVPN tunnel.

• uci add vpn-policy-routing policy
• uci set [email protected][-1].name="AllRest_OVPN"
• uci set [email protected][-1].src_addr="192.168.1.0/24"
• uci set [email protected][-1].interface="ovpn_tun"

# Commit changes and restart the service.

• uci commit
• /etc/init.d/vpn-policy-routing restart

You can use 'uci show vpn-policy-routing' to see your current vpn-policy-routing configuration.

You can find some more information in this thread.

Please, let me know your topology (with interfaces and IP addresses) if you run into any issues.

Kind Regards,

Andzej

Comments

Update:

Having created a vpn interface I am now connected but still can’t get the mob1s1a1 to be an understood interface so everything is going through vpn.

Also if we get this set up correctly and vpn fails will it go to the next rule and pass all through isp?

——————————————

Many thanks, got errors as below

So my subnet is 192.168.0.1/32

And the addresses I wish to route to ISP only are 192.268.0.145, 192.268.0.146, 192.268.0.147, 192.268.0.148, 192.268.0.149, 192.268.0.150

The openvpn name is NORD_OPE but appearing on ifcpnfig as tun_c_NORD_OPE

I used mob1s1a1 as the normal isp route

when committing the commands it creates an error not knowing the VpN or mobile network, should I have used wwan as the isp but what do I use as the vpn?

I also assume that the 5 addresses for non vpn is just a repeat of # define a host to route via WAN or Mobile interface (whichever you use). x5

I assume this package will start on every reboot and on firmware upgrades?

Finally here is the ifconfig

<code> [email protected]:~# ifconfig

br-lan    Link encap:Ethernet  HWaddr 00:1E:42:27:CD:05  

          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0

          inet6 addr: fe80::21e:42ff:fe27:cd05/64 Scope:Link

          inet6 addr: fd1d:4fcd:c3e9::1/60 Scope:Global

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:125411 errors:0 dropped:1675 overruns:0 frame:0

          TX packets:359920 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:10723152 (10.2 MiB)  TX bytes:491271393 (468.5 MiB)

eth0      Link encap:Ethernet  HWaddr 00:1E:42:27:CD:05  

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:234926 errors:0 dropped:4401 overruns:0 frame:0

          TX packets:359750 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:23920722 (22.8 MiB)  TX bytes:491072090 (468.3 MiB)

eth1      Link encap:Ethernet  HWaddr 00:1E:42:27:CD:06  

          UP BROADCAST MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:65536  Metric:1

          RX packets:203 errors:0 dropped:0 overruns:0 frame:0

          TX packets:203 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:17376 (16.9 KiB)  TX bytes:17376 (16.9 KiB)

tun_c_NORD_OPE Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  

          inet addr:10.8.2.6  P-t-P:10.8.2.6  Mask:255.255.255.0

          inet6 addr: fe80::c673:1ed:fe0a:3a5/64 Scope:Link

          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

          RX packets:34664 errors:0 dropped:0 overruns:0 frame:0

          TX packets:9567 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:500 

          RX bytes:46045320 (43.9 MiB)  TX bytes:693891 (677.6 KiB)

wwan0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  

          inet addr:10.67.34.119  P-t-P:10.67.34.119  Mask:255.255.255.255

          inet6 addr: fe80::78d5:31f9:ae01:b0e0/64 Scope:Link

          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

          RX packets:355955 errors:0 dropped:0 overruns:0 frame:0

          TX packets:91315 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:487574693 (464.9 MiB)  TX bytes:7459592 (7.1 MiB) </code>

Ip addresses included as all internal ip

---

Hi,

I have sent you a private message.

You can set the interface to 'ignore'. The traffic from the host with interface set as 'ignore' will be routed via ISP. Try :

• uci set [email protected][-1].interface="ignore"

Change the policy number [-1] with the index of your policy.

You can find the policy index by executing:

• uci show vpn-policy-routing

Alternatively, just delete all existing policies and create new ones from scratch.

Kind Regards,

Andzej