How to route all traffic over openvpn

Could someone help me, please? I'm having a problem with a Linksys WRT1900ACS. My aim is to have all traffic go through the VPN, including Transmission client traffic (torrent uploads and downloads). Currently I have uploaded OpenWrt and I have the VPN set up and Transmission set up on the router. However, only LAN traffic is going through the VPN and not Transmission. I searched the forums and found some information, but it was hard for me to follow. I am new to Linux and OpenWrt. Thanks in advance.


It is interesting. I don't understand where the routes for the router itself and the LAN differ. Have you configured the OpenVPN client without route modification?

I am not sure, but I followed these instructions when setting up the VPN.

https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWRT-setup-with-NordVPN.htm

OK, thank you for using my manual; see also "Transmission torrent client through VPN". My manual is dedicated to routing only forwarded traffic. Transmission runs on the router itself, so the kill switch won't work in this case. It binds to a specific address, so in the link above there is an explanation of how to change the address.

I don't use NordVPN, but with OpenVPN I always need to add redirect-gateway def1 to the .ovpn file so all traffic goes through the VPN, so you might give that a try. It's been a while since I've done that, but the comments here suggest it should be added under verb 3.


Is it as simple as just adding a line under 'verb 3'?

Thanks. I had a look at that post already, and it ended up deleting my Transmission configs, same as the person who posted on the forum.

Sorry, I deleted my comment (added it back; I didn't realize you could do that). @ulmwind obviously knows much more about this, but if you want to give that a try, yes, just add redirect-gateway def1 under verb 3 in the .ovpn file.

As more ISPs and VPN providers support IPv6, this should also be considered:

redirect-gateway def1 ipv6

You can add it anywhere in the config assuming that you replace the current option if any.
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client#commercial_provider

Thanks, I will give that a go. My Transmission client is configured on the router. Will that command route all Transmission traffic and any future traffic, router or LAN, to the VPN?

Typically, it should route all your LAN traffic to the VPN when it is connected.

To avoid traffic leak when VPN is not connected, assign VPN interface to a separate firewall zone and disable LAN to WAN forwarding:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#kill_switch

To avoid DNS leak, disable ISP DNS as well:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

Note that you can still override this configuration with some policy routing instruments.

The issue is not in routing. As far as I've understood, it is the IP address which Transmission 'advertises' to peers. So a special script to determine it and substitute it in the Transmission config was discussed. I repeat once more: it is not LAN-to-WAN forwarding, it is output traffic of the router itself.

@ulmwind, that thread relies on policy based routing which has nothing to do with the current thread.
There's no problem when you route all traffic via VPN, both outgoing and forward use the same routing.
The only possible traffic leak is limited to the WAN interface subnet route which is typically negligible.
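To make the routing argument from the last few posts concrete, here is an added example (not from any poster or from OpenWrt) that evaluates a routing table the way the kernel does, by longest-prefix match. The table is a constructed sample modeled on the `ip r` output posted later in this thread: the two /1 routes that `redirect-gateway def1` installs, the untouched ISP default route, and the /32 host route that keeps the VPN endpoint reachable over the WAN. The destination addresses used for the lookups are constructed too. It then drops every tun0 route, which is what happens when the tunnel goes down, to show where traffic ends up without a kill switch.

```python
import ipaddress

# Constructed sample routing table (prefix, next hop or None, device), modeled
# on the table posted in this thread after "redirect-gateway def1" was applied.
ROUTES = [
    ("0.0.0.0/1",        "10.17.0.101", "tun0"),    # installed by def1
    ("0.0.0.0/0",        "192.168.0.1", "eth1.2"),  # ISP default, untouched
    ("10.17.0.1/32",     "10.17.0.101", "tun0"),    # VPN-side DNS/gateway host
    ("10.17.0.101/32",   None,          "tun0"),    # tunnel peer
    ("45.56.154.141/32", "192.168.0.1", "eth1.2"),  # VPN endpoint stays on WAN
    ("128.0.0.0/1",      "10.17.0.101", "tun0"),    # installed by def1
    ("192.168.0.0/26",   None,          "eth1.2"),  # WAN subnet
    ("192.168.1.0/28",   None,          "br-lan"),  # LAN subnet
]


def lookup(dst, routes=ROUTES):
    """Return the most specific route for dst, as the kernel FIB lookup would.

    Ties are impossible here; a longer prefix always wins, so the two /1
    routes beat the /0 default without ever replacing it.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return {"prefix": str(best[0]), "via": best[1], "dev": best[2]}


def egress_dev(dst, routes=ROUTES):
    """Which interface a packet from the router itself (or forwarded) leaves on."""
    return lookup(dst, routes)["dev"]


def without_vpn(routes=ROUTES):
    """The same table after tun0 goes down: OpenVPN withdraws its routes."""
    return [r for r in routes if r[2] != "tun0"]


def leaks_without_vpn(dst):
    """True if dst would silently fall back to the ISP uplink when the tunnel drops."""
    return egress_dev(dst) == "tun0" and egress_dev(dst, without_vpn()) == "eth1.2"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.2.3", "45.56.154.141", "192.168.1.5"):
        r = lookup(dst)
        print(f"{dst:>15} -> {r['dev']:<7} via {r['via']} ({r['prefix']})")
    print("public traffic leaks to WAN when tun0 is down:", leaks_without_vpn("8.8.8.8"))
```

The point the table makes: with def1 in place, both the router's own output (Transmission) and forwarded LAN traffic resolve to tun0 for every public destination, since they consult the same main table; only the VPN endpoint's /32 and the directly connected subnets use eth1.2. Once tun0 disappears, the untouched default route takes over for everything, which is the leak the firewall-zone kill switch linked above is meant to block for forwarded traffic.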

I added this line into my .ovpn file and I am still getting the same issue. Transmission traffic is still not going through the VPN. Any other suggestions, please?

Troubleshooting this issue requires comprehensive diagnostics starting from:

ip a; ip r; ip ru; iptables-save

Sorry, how do I add the output here? I can't find a way to attach the file besides copying and pasting.

Copy-paste is fine, simply wrap it in the code tag.

root@Linksys:/#
root@Linksys:/# ip a; ip r; ip ru; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    link/ether 60:38:e0:d8:c6:bb brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6238:e0ff:fed8:c6bb/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    link/ether 62:38:e0:d8:c6:bb brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6038:e0ff:fed8:c6bb/64 scope link
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 62:38:e0:d8:c6:bb brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/28 brd 192.168.1.15 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdda:c6c9:2f54::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::6038:e0ff:fed8:c6bb/64 scope link
       valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 62:38:e0:d8:c6:bb brd ff:ff:ff:ff:ff:ff
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 60:38:e0:d8:c6:bb brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.29/26 brd 192.168.0.63 scope global eth1.2
       valid_lft forever preferred_lft forever
    inet6 fe80::6238:e0ff:fed8:c6bb/64 scope link
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 62:38:e0:d8:c6:bd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6038:e0ff:fed8:c6bd/64 scope link
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 62:38:e0:d8:c6:bc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6038:e0ff:fed8:c6bc/64 scope link
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.17.0.102 peer 10.17.0.101/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::c62d:9b32:ab3d:4761/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.17.0.101 dev tun0
default via 192.168.0.1 dev eth1.2 proto static src 192.168.0.29
10.17.0.1 via 10.17.0.101 dev tun0
10.17.0.101 dev tun0 proto kernel scope link src 10.17.0.102
45.56.154.141 via 192.168.0.1 dev eth1.2
128.0.0.0/1 via 10.17.0.101 dev tun0
192.168.0.0/26 dev eth1.2 proto kernel scope link src 192.168.0.29
192.168.1.0/28 dev br-lan proto kernel scope link src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.6.2 on Sun Sep  8 00:34:57 2019
*nat
:PREROUTING ACCEPT [84:10627]
:INPUT ACCEPT [8:716]
:OUTPUT ACCEPT [203:14586]
:POSTROUTING ACCEPT [36:2637]
:postrouting_exusfw_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_exusfw_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_exusfw_postrouting - [0:0]
:zone_exusfw_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_exusfw_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_exusfw_postrouting
-A zone_exusfw_postrouting -m comment --comment "!fw3: Custom exusfw postrouting rule chain" -j postrouting_exusfw_rule
-A zone_exusfw_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_exusfw_prerouting -m comment --comment "!fw3: Custom exusfw prerouting rule chain" -j prerouting_exusfw_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sun Sep  8 00:34:57 2019
# Generated by iptables-save v1.6.2 on Sun Sep  8 00:34:57 2019
*mangle
:PREROUTING ACCEPT [1603:390915]
:INPUT ACCEPT [963:225695]
:FORWARD ACCEPT [619:159909]
:OUTPUT ACCEPT [1222:192990]
:POSTROUTING ACCEPT [1826:352455]
-A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone exusfw MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Sep  8 00:34:57 2019
# Generated by iptables-save v1.6.2 on Sun Sep  8 00:34:57 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_exusfw_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_exusfw_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_exusfw_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_exusfw_dest_ACCEPT - [0:0]
:zone_exusfw_dest_REJECT - [0:0]
:zone_exusfw_forward - [0:0]
:zone_exusfw_input - [0:0]
:zone_exusfw_output - [0:0]
:zone_exusfw_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_exusfw_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_exusfw_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_exusfw_output
-A forwarding_lan_rule ! -o tun+ -j REJECT --reject-with icmp-port-unreachable
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_exusfw_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_exusfw_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_exusfw_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_exusfw_forward -m comment --comment "!fw3: Custom exusfw forwarding rule chain" -j forwarding_exusfw_rule
-A zone_exusfw_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_exusfw_forward -m comment --comment "!fw3" -j zone_exusfw_dest_REJECT
-A zone_exusfw_input -m comment --comment "!fw3: Custom exusfw input rule chain" -j input_exusfw_rule
-A zone_exusfw_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_exusfw_input -m comment --comment "!fw3" -j zone_exusfw_src_REJECT
-A zone_exusfw_output -m comment --comment "!fw3: Custom exusfw output rule chain" -j output_exusfw_rule
-A zone_exusfw_output -m comment --comment "!fw3" -j zone_exusfw_dest_ACCEPT
-A zone_exusfw_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to exusfw forwarding policy" -j zone_exusfw_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Sep  8 00:34:57 2019
root@Linksys:/#

This looks normal and we can exclude IPv6 traffic.
How do you determine that Transmission traffic overrides VPN?

After I have uploaded the torrent on the Transmission client, the website shows my WAN IP, not the VPN IP.
