Hello,
I've installed openvpn using this guide.
Everything works fine; OpenVPN tunnels the whole WAN traffic.
But I'm trying to create a new WLAN network (WiFi) and I want this specific network to not pass through the VPN connection.
For example:
I create two wireless networks:
1. Direct
2. Tunneld
I want everything connected to the 'Direct' network to access the internet directly.
And every other device connected to 'Tunneld' to access the WAN through the VPN.
Unfortunately it isn't a good solution! While downloading and installing the 'Requirement Packages', my device ran out of free space and showed: "No space left on device".
I'm looking for a proper solution for this.
On the other side, I thought that 'VPN Policy Routing' is a pro solution. I just need to set up a separate network from the tunneled network (using VLAN functions or...?) and share it via WiFi.
I have an example, but it is based on IP; you only need to make simple changes to it and should be able to achieve the effect you want.
First, I created a new routing table 52: the data through the VPN will go to the MAIN table, and the data bypassing the VPN will go to table 52.
root@GL-X750:~# ip route show table 52
default via 192.168.17.1 dev eth0 proto static src 192.168.17.43
85.25.210.73 via 192.168.17.1 dev eth0
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
192.168.17.0/24 dev eth0 proto kernel scope link src 192.168.17.43
root@GL-X750:~# ip route show table main
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.17.1 dev eth0 proto static src 192.168.17.43
10.8.0.0/18 dev tun0 proto kernel scope link src 10.8.0.7
85.25.210.73 via 192.168.17.1 dev eth0
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
192.168.17.0/24 dev eth0 proto kernel scope link src 192.168.17.43
Then I need to have connections marked 0x80000/0x80000 select table 52:
root@GL-X750:~# ip rule
0: from all lookup local
52: from all fwmark 0x80000/0x80000 lookup 52
32766: from all lookup main
32767: from all lookup default
Finally, I need to mark the corresponding packets:
root@GL-X750:~# iptables -t mangle -S PREROUTING
-P PREROUTING ACCEPT
-A PREROUTING -j ROUTE_POLICY
root@GL-X750:~# iptables -t mangle -S ROUTE_POLICY
-N ROUTE_POLICY
-A ROUTE_POLICY -i br-lan -m set --match-set gl_bypass_vpn_ip dst -j MARK --set-xmark 0x80000/0x80000
-A ROUTE_POLICY -j CONNMARK --save-mark --nfmask 0x80000 --ctmask 0x80000
To ensure that your data can pass through the firewall properly, you'd better add the following rule to the filter table:
iptables -I FORWARD -m mark --mark 0x80000/0x80000 -j ACCEPT
The above rules only apply to data forwarding. If you want to process data from a local process, you also need to process the OUTPUT chain.
I hope it helps.
Marking the packet in iptables seems to me unnecessary.
Just create the new routing table, add the default gateway and everything else that you need there and finally create the rule based on the source address.
I've done this for a set of static IP addresses to access the internet directly, bypassing my VPN, but in this case it should also work to include only the wireless network.
Based on @Lombus' post, there is a wireless interface named DIRECT which is functioning.
So it's a matter of installing the ip package, and editing /etc/config/network and /etc/iproute2/rt_tables, then stopping, reloading and starting services again.
Install the ip package:
opkg update
opkg install ip
Define a new routing table named exvpn in /etc/iproute2/rt_tables by inserting "10 exvpn". NOTE: Your rt_tables file may look different, but only insert the above.
#
# reserved values
#
128 prelocal
255 local
254 main
253 default
10 exvpn
0 unspec
#
# local
#
#1 inr.ruhep
Add routes and rules in /etc/config/network. NOTE:
replace x.x.x.x with your gateway IP address
replace direct with the name of your wireless interface
replace x.x.x with your wireless interface subnet
# Stage the alternative default route in table exvpn
config route
    option interface 'wan'
    option target '0.0.0.0'
    option netmask '0.0.0.0'
    option gateway 'x.x.x.x'
    option table 'exvpn'
# Direct the wireless interface 'direct' to table exvpn
config rule
    option in 'direct'
    option src 'x.x.x.0/24'
    option lookup 'exvpn'
It doesn't work!
In "Network > Wireless > Edit", below 'Interface Configuration', I chose lan as the network for my direct wireless. Should I create a new interface for lan with a different IP range and share that? Or use the same network for my 'direct' wireless?
Also, you mentioned:
replace x.x.x.x with your gateway IP address
But which gateway? VPN? Or my WAN gateway?
Because I don't have a static IP address and every time I reconnect to the WAN, the public IP address will change.
Unfortunately these changes cannot be done in Luci, you'll have to login with SSH and change them from there.
The WAN gateway. This should remain the same regardless of the WAN IP address.
The gateway is not a mandatory option though. It is mandatory to specify the interface, so that will do in case of point-to-point protocols.
Thanks a lot! It's now working.
Yes! I did it using the 'SCP protocol'.
My fault was that I put the exact name of the wireless network in option in 'direct'. I had to create a new interface and then cover it with a new WLAN network (wireless), and finally put the 'interface' name into the config:
# Stage the alternative default route in table exvpn
config route
    option interface 'wan'
    option target '0.0.0.0'
    option netmask '0.0.0.0'
    option table 'exvpn'
# Direct the wireless interface 'direct' to table exvpn
config rule
    option in 'dr_interface'
    option src '192.168.2.0/24'
    option lookup 'exvpn'
And as you mentioned, I deleted the option gateway 'x.x.x.x' because I don't need it.
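Added example, not from any post in this thread: a small Python checker that parses "ip route show table" and "ip rule" listings of the kind shown in the first answer and confirms the split is sound, i.e. the bypass table defaults out of the WAN device and never touches the tunnel, the main table still carries both OpenVPN redirect-gateway halves (0.0.0.0/1 and 128.0.0.0/1) via the tunnel, and some rule with a priority below main selects the bypass table. The sample listings are constructed from that answer's output, and the device names eth0 and tun0 are assumed from it; the rule check goes by table name, so it applies equally to the exvpn table and the source-based rule used later in the thread.

```python
# Constructed sample listings in the shape of the router output quoted above.
TABLE_52 = """\
default via 192.168.17.1 dev eth0 proto static src 192.168.17.43
85.25.210.73 via 192.168.17.1 dev eth0
192.168.17.0/24 dev eth0 proto kernel scope link src 192.168.17.43
"""
TABLE_MAIN = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.17.1 dev eth0 proto static src 192.168.17.43
10.8.0.0/18 dev tun0 proto kernel scope link src 10.8.0.7
85.25.210.73 via 192.168.17.1 dev eth0
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.17.0/24 dev eth0 proto kernel scope link src 192.168.17.43
"""
IP_RULE = """\
0: from all lookup local
52: from all fwmark 0x80000/0x80000 lookup 52
32766: from all lookup main
"""

def parse_routes(text):
    """Map destination prefix -> output device for each 'ip route show' line."""
    routes = {}
    for line in text.splitlines():
        f = line.split()
        if f:
            routes[f[0]] = f[f.index("dev") + 1] if "dev" in f else None
    return routes

def parse_rules(text):
    """Return (priority, selector, table) tuples from 'ip rule' output."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[-2] == "lookup":
            rules.append((int(f[0].rstrip(":")), " ".join(f[1:-2]), f[-1]))
    return rules

def check_split(bypass_text, main_text, rules, wan_dev, vpn_dev, table):
    """Return a list of findings; an empty list means the split is sound."""
    bypass, main, findings = parse_routes(bypass_text), parse_routes(main_text), []
    # 1. the bypass table must leave via the WAN device and never use the tunnel
    if bypass.get("default") != wan_dev or vpn_dev in bypass.values():
        findings.append(f"table {table}: must default via {wan_dev}, never {vpn_dev}")
    # 2. main must still carry both redirect-gateway halves via the tunnel
    for half in ("0.0.0.0/1", "128.0.0.0/1"):
        if main.get(half) != vpn_dev:
            findings.append(f"main: {half} not via {vpn_dev}, VPN clients leak")
    # 3. a rule with priority below main (32766) must select the bypass table
    if not any(r[2] == table and r[0] < 32766 for r in rules):
        findings.append(f"no ip rule selects table {table} before main")
    return findings
```

Run it against the live listings by feeding the output of "ip route show table 52", "ip route show table main" and "ip rule" into check_split.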