I am running transmission on openwrt router that is also running an openvpn client.
I would like to bypass openvpn for the router itself, so I can use transmission without openvpn
The router is on 192.168.1.1 connected to another router having the gateway 192.168.0.1
I would prefer to not use additional packages like pbr to achieve this, if possible
These routing/rule settings below don't seem to work
nano /etc/config/network
config rule
option lookup '100'
option src '192.168.1.1/32'
option in 'lan'
config route
option metric '200'
option table '100'
option gateway '192.168.0.1'
option interface 'wan'
option target '0.0.0.0'
option netmask '0.0.0.0'
The above was help I got from @trendy for another use case https://forum.openwrt.org/t/transmission-port-bypass-openvpn-client/141613/9
Appreciate any help, thanks
Edit:
I've used these instructions to setup my openvpn client https://protonvpn.com/support/how-to-set-up-protonvpn-on-openwrt-routers/
trendy
November 5, 2022, 6:18pm
2
If transmission is running from a specific user, use the uidrange option to match. You cannot match locally generated traffic the way you try.
Thank you.
I run transmission as 'root' user (I don't know how wise that is, from a security standpoint, or if I should run it as 'transmission' user)
root@OpenWrt:~# cat /etc/passwd
says UID of 'root' user is '0'
tried the following but it didn't work
config rule
option lookup '100'
option uidrange '0'
option in 'lan'
config route
option metric '200'
option table '100'
option gateway '192.168.0.1'
option interface 'wan'
option target '0.0.0.0'
option netmask '0.0.0.0'
Thanks
Edit:
Seeing this post https://forum.openwrt.org/t/transmission-bypassing-openvpn/64319/11?u=redchilis
I tried,
config rule
option lookup '100'
option uidrange '0'
option in 'lan'
option action 'ignore'
config route
option metric '200'
option table '100'
option gateway '192.168.0.1'
option interface 'wan'
option target '0.0.0.0'
option netmask '0.0.0.0'
but it didn't work
I am using transmission user and transmission group!
root@OpenWrt:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false
transmission:x:224:224:transmission:/var/run/transmission:/bin/false
minidlna:x:65536:65536:minidlna:/var/run/minidlna:/bin/false
config rule
option lookup '100'
option uidrange '224'
config route
option metric '200'
option table '100'
option gateway '192.168.0.1'
option interface 'wan'
option target '0.0.0.0'
option netmask '0.0.0.0'
When I stop openvpn, it downloads fine (only mentioning it because it was harrowing getting all the permissions working for the 'transmission' user; I had to manually create the 'resume' and 'torrents' folders within the transmission settings folder, the folders were not getting created for some reason even after giving the transmission user permission to the config folder). When openvpn starts, it keeps trying to get trackers (checked in system log).
I'm sure I'm missing something, I haven't added any port forwarding since torrents downloads fine when openvpn is stopped.
Thank you.
trendy
November 6, 2022, 7:31pm
6
Can you first verify with tcpdump or remote wireshark that the packets are going out of the vpn interface when the vpn is enabled?
ssh root@openwrt.lan tcpdump -i eth1 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -
I couldn't comprehend the wireshark output, but after giving it some time and stopping wireshark, it did not seem like '192.168.1.1' (the router) was giving out any packets. I am completely out of my depth here so I could be wrong.
I ran on 'wlan0' not 'eth1' as I have no 'eth1' interface, just 'br-lan' and 'wlan0'.
ssh root@192.168.1.1 tcpdump -i wlan0 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -
Wireshark output https://pastebin.com/raw/4kZ4WwPi
Edit:
Also, while I try downloading a torrent, since the openvpn client does not allow P2P traffic, it chokes off all traffic to normal browsing/using of the internet; I have to pause the torrent to restore internet via the openvpn client.
So, even if the torrent connection seems to be going through, it is in fact going through the openvpn client and not bypassing, until, of course, the openvpn server catches the traffic and blocks all connection.
Edit:
This is the output with openvpn stopped (I have no killswitch for openvpn enabled)
ssh root@192.168.1.1 tcpdump -i wlan0 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -
Wireshark output https://pastebin.com/raw/RZn0edec
trendy
November 7, 2022, 7:58am
8
You should use the interface name of the wan network. Or is everything on br-lan?
Better post the following to have a better understanding.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
BusyBox v1.35.0 (2022-10-14 22:44:41 UTC) built-in shell (ash)
OpenWrt 22.03.2, r19803-9a599fee93
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
    "kernel": "5.10.146",
    "hostname": "OpenWrt",
    "system": "MediaTek MT7628AN ver:1 eco:2",
    "model": "TP-Link TL-MR3020 v3",
    "board_name": "tplink,tl-mr3020-v3",
    "rootfs_type": "squashfs",
    "release": {
        "distribution": "OpenWrt",
        "version": "22.03.2",
        "revision": "r19803-9a599fee93",
        "target": "ramips/mt76x8",
        "description": "OpenWrt 22.03.2 r19803-9a599fee93"
    }
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd65:cd27:e283::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option igmp_snooping '1'
option ipaddr '192.168.1.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 6t'
config interface 'wwan'
option proto 'dhcp'
option device 'wlan0'
option hostname 'TP-Link'
option peerdns '0'
list dns '1.1.1.1'
config rule
option lookup '100'
option uidrange '224'
config route
option metric '200'
option table '100'
option gateway '192.168.0.1'
option interface 'wan'
option target '0.0.0.0'
option netmask '0.0.0.0'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/10300000.wmac'
option band '2g'
option cell_density '0'
option htmode 'HT40'
option channel 'auto'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option encryption 'sae-mixed'
option key 'redacted'
option ssid 'raspberry'
option ieee80211w '0'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'sta'
option network 'wwan'
option ssid 'strawberry'
option encryption 'psk2'
option key 'redacted'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'wwan'
option interface 'wwan'
option ignore '1'
config host
option name 'android'
option ip '192.168.1.200'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
list network 'wwan'
list device 'tun0'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option target 'REJECT'
option src 'lan'
option dest 'wan'
option name 'roku'
list proto 'all'
list src_mac 'redacted'
list src_mac 'redacted'
head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.0.100/24 brd 192.168.0.255 scope global wlan0
valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
inet 10.36.0.8/16 scope global tun0
valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.36.0.1 dev tun0
default via 192.168.0.1 dev wlan0 src 192.168.0.100
10.36.0.0/16 dev tun0 scope link src 10.36.0.8
103.125.235.18 via 192.168.0.1 dev wlan0
103.125.235.18 via 192.168.0.1 dev wlan0
128.0.0.0/1 via 10.36.0.1 dev tun0
192.168.0.0/24 dev wlan0 scope link src 192.168.0.100
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
broadcast 10.36.0.0 dev tun0 table local scope link src 10.36.0.8
local 10.36.0.8 dev tun0 table local scope host src 10.36.0.8
broadcast 10.36.255.255 dev tun0 table local scope link src 10.36.0.8
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.0.0 dev wlan0 table local scope link src 192.168.0.100
local 192.168.0.100 dev wlan0 table local scope host src 192.168.0.100
broadcast 192.168.0.255 dev wlan0 table local scope link src 192.168.0.100
broadcast 192.168.1.0 dev br-lan table local scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
0: from all lookup local
1: from all lookup 100
32766: from all lookup main
32767: from all lookup default
lrwxrwxrwx 1 root root 16 Oct 15 04:14 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 47 Nov 7 00:36 /tmp/resolv.conf
-rw-r--r-- 1 root root 36 Nov 7 12:59 /tmp/resolv.conf.d/resolv.conf.auto
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 36 Nov 7 12:59 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wwan
nameserver 1.1.1.1
Thank you
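As an added check (example script, not from the thread): given the `ip -4 ru` and `ip -4 ro li tab all` output posted above, it reports whether every custom table that a rule points at actually holds a default route. The embedded dumps are a trimmed copy of that output and the function names are mine; for this output it prints `100 EMPTY`, because rule 1 sends lookups to table 100 but no route in the dump is tagged `table 100`, so lookups fall through to main and its 0.0.0.0/1 and 128.0.0.0/1 routes via tun0.

```shell
#!/bin/sh
# Added example (not from the thread): does every custom table named in
# 'ip -4 ru' hold a default route in 'ip -4 ro li tab all'?  The dumps
# below are a trimmed copy of the output posted above (constructed input).

RULES='0: from all lookup local
1: from all lookup 100
32766: from all lookup main
32767: from all lookup default'

ROUTES='0.0.0.0/1 via 10.36.0.1 dev tun0
default via 192.168.0.1 dev wlan0 src 192.168.0.100
10.36.0.0/16 dev tun0 scope link src 10.36.0.8
128.0.0.0/1 via 10.36.0.1 dev tun0
192.168.0.0/24 dev wlan0 scope link src 192.168.0.100
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1'

# Tables referenced by rules, excluding the built-in local/main/default.
custom_tables() {
  printf '%s\n' "$1" | awk '{ print $NF }' | grep -Ev '^(local|main|default)$'
}

# Succeed if table $2 has a default route in dump $1.  'ip ro li tab all'
# tags routes from non-main tables with "table <id>"; main-table routes
# carry no tag, so the untagged default via wlan0 does not count for 100.
table_has_default() {
  printf '%s\n' "$1" | grep -E "^(default|0\.0\.0\.0/0) .* table $2( |\$)" >/dev/null
}

# One line per custom table: "<id> ok" or "<id> EMPTY".  A lookup in an
# empty table falls through to the next rule, i.e. to main and tun0.
check_policy_tables() {
  routes=$1
  rules=$2
  for t in $(custom_tables "$rules"); do
    if table_has_default "$routes" "$t"; then
      echo "$t ok"
    else
      echo "$t EMPTY"
    fi
  done
}

check_policy_tables "$ROUTES" "$RULES"   # prints: 100 EMPTY
```

Run it against your own `ip -4 ru` / `ip -4 ro li tab all` output after each config change; a table that shows `ok` is the first thing to confirm before capturing traffic.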
trendy
November 7, 2022, 10:24am
12
Yeah, you should use wlan0 as it is the wan interface in your router.
You also need to exclude the openvpn traffic from the capture. Change the filter from 'not port 22' to 'not port 22 or not port 1194'. Change the 1194 to the port of OpenVPN.
One last thing, better run the tcpdump directly on the router or post the pcap, because the wireshark output you upload is too poor in details.
thank you, I later realized I needed to use wlan0 and updated that post.
I uploaded the pcap file after excluding 22 and 1194 - https://ufile.io/xc8d5b3j
I'm on linux. Sorry for the trouble
I tried adding the filter to tcpdump on openwrt but it wouldn't take it so I let it go to wireshark and saved the pcap file there.
I directly tried in openwrt
root@OpenWrt:~# tcpdump -i wlan0 -U -s0 -w /overlay/samba/downloads/ocap.pcap - 'not port 22 or not port 1194'
tcpdump: can't parse filter expression: syntax error '
this works
tcpdump -i wlan0 -U -s0 -w /overlay/samba/downloads/ocap.pcap
Edit:
I tried reading/understanding this https://danielmiessler.com/study/tcpdump/ but it didn't help
trendy
November 7, 2022, 12:30pm
16
Try this one:
tcpdump -i wlan0 -nv 'not port 22 or not port 1194'
Thank you, that worked.
tcpdump - https://ufile.io/1k5r9dhs
trendy
November 7, 2022, 12:47pm
18
There is only wireguard traffic (udp 51820) in there. Are you certain that you are running only OpenVPN?
Ya, I mean, running openvpn and trying to download via transmission
trendy
November 7, 2022, 12:51pm
20
I don't follow.
What is the traffic sent from/to 51820?
OpenVPN is supposed to be on 1194.
Edit
What I meant is, after I start to capture, while openvpn is running, I go to transmission and resume a torrent, so it can try to download and the packet capture can see what transmission is trying to do.
Oh, could it be samba or minidlna, I have those running. I am not actively using them though.
Edit