1 (edited by unhammer 2012-11-27 15:30:21)

Topic: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

I'm trying to have a setup where users on the 'lan' network (wifi or ethernet) connect plainly to the internet, while anyone on the 'guest' (wifi) network will be sent through a remote vpn (I don't control that server).

I managed to enable the vpn for 'guest' and verified that they got a remote IP address, but then any connection from 'lan' got borked (e.g. ping google.com just sits there with no response).

logread shows the following:

Nov 27 12:07:07 OpenWrt daemon.notice openvpn(mullvad)[4000]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ifconfig 10.8.0.110 10.8.0.109'

the redirect-gateway seems to be the culprit? I can add "option route_nopull 1" to my openvpn config in order to ignore the redirect-gateway, but then the guest network doesn't go though the vpn any more (at least, https://duckduckgo.com/?q=what%27s+my+ip shows my home ip).

route -n (with openvpn started, without the nopull option):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
95.211.92.236   <provider>.1     255.255.255.255 UGH   0      0        0 br-wan
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wlan1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
<provider>.0     0.0.0.0         255.255.240.0   U     0      0        0 br-wan
0.0.0.0         <provider>.1     0.0.0.0         UG    0      0        0 br-wan
10.8.0.1        10.8.0.141      255.255.255.255 UGH   0      0        0 tun0
10.8.0.141      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
0.0.0.0         10.8.0.141      128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.141      128.0.0.0       UG    0      0        0 tun0

(95.211.92.236 seems to be the remote vpn)

So, how can I make it so 'guest' goes through the vpn service and 'lan' does not?

/etc/config/firewall:

config 'defaults'
    option 'syn_flood' '1'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'drop_invalid' '1'

config 'zone'
    option 'name' 'lan'
    option 'network' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'wan'
    option 'network' 'wan'
    option 'output' 'ACCEPT'
    option 'masq' '1'
    option 'mtu_fix' '1'
    option 'input' 'REJECT'
    option 'forward' 'REJECT'

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'
    option 'family' 'ipv4'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'target' 'ACCEPT'

config 'include'
    option 'path' '/etc/firewall.user'



### Guest network, VPN:

config 'zone'
    option 'name' 'guest'
    option 'input' 'REJECT'
    option 'forward' 'REJECT'
    option 'output' 'ACCEPT'

config 'forwarding'
    option 'src' 'guest'
    option 'dest' 'wan'

config 'rule'
    option 'src' 'guest'
    option 'dest_port' '53'
    option 'proto' 'tcpudp'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'guest'
    option 'src_port' '67-68'
    option 'dest_port' '67-68'
    option 'proto' 'udp'
    option 'target' 'ACCEPT'


config zone
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option name 'vpn'
    option masq '1'
    option network 'vpn'

config forwarding
    option dest 'guest'
    option src 'vpn'

config forwarding
    option dest 'vpn'
    option src 'guest'

/etc/config/network:

config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'interface' 'lan'
    option 'ifname' 'eth0.1'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'

config 'interface' 'wan'
    option 'ifname' 'eth1'
    option 'proto' 'dhcp'
    option 'type' 'bridge'

config 'interface' 'guest'
    option 'proto' 'static'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'

config interface 'vpn'
    option ifname 'tun0'
    option defaultroute '0'
    option peerdns '0'
    option proto 'none'

config 'switch'
    option 'name' 'rtl8366s'
    option 'reset' '1'
    option 'enable_vlan' '1'
    option 'blinkrate' '2'

config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '1'
    option 'ports' '0 1 2 3 5t'

config 'switch_port'
    option 'device' 'rtl8366s'
    option 'port' '1'
    option 'led' '6'

config 'switch_port'
    option 'device' 'rtl8366s'
    option 'port' '2'
    option 'led' '9'

config 'switch_port'
    option 'device' 'rtl8366s'
    option 'port' '5'
    option 'led' '2'

/etc/config/openvpn (translated from the config the vpn provider gave):

package openvpn

config openvpn mullvad
    option enable 1
    option client 1
    option dev tun
    option proto udp
    list remote "openvpn.mullvad.net 1194"
    list remote "openvpn.mullvad.net 443"
    list remote "openvpn.mullvad.net 53"
#    option remote "se.mullvad.net"
#    option remote "nl.mullvad.net"

    # Pick a random server:
#    option remote_random 1
    # Default: try in the order listed

    option resolv_retry infinite
    option nobind 1
    option persist_key 1
    option persist_tun 1

    option ca /etc/openvpn/master.mullvad.net.crt
    option cert /etc/openvpn/mullvad.crt
    option key /etc/openvpn/mullvad.key

    option comp_lzo 1

    option verb 3

    option remote_cert_tls server
    option ping_restart 60
    option script_security 2
    option ping 10

/etc/config/dhcp

config 'dnsmasq'
    option 'domainneeded' '1'
    option 'boguspriv' '1'
    option 'localise_queries' '1'
    option 'rebind_protection' '1'
    option 'rebind_localhost' '1'
    option 'local' '/lan/'
    option 'domain' 'lan'
    option 'expandhosts' '1'
    option 'authoritative' '1'
    option 'readethers' '1'
    option 'leasefile' '/tmp/dhcp.leases'
    option 'resolvfile' '/tmp/resolv.conf.auto'

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'

config 'dhcp' 'guest'
    option 'interface' 'guest'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'

config 'dhcp' 'wan'
    option 'interface' 'wan'
    option 'ignore' '1'

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

Thanks to jow_laptop on #openwrt for helping me solve this. The solution was indeed to use route_nopull, but also an up-script that manually specifies the routing.

new /etc/config/openvpn (additions in the last two lines):

package openvpn

config openvpn mullvad
        option enable 1
        option client 1
        option dev tun
        option proto udp
        list remote "openvpn.mullvad.net 1194"
        list remote "openvpn.mullvad.net 443"
        list remote "openvpn.mullvad.net 53"
#       option remote "se.mullvad.net"
#       option remote "nl.mullvad.net"

        # Pick a random server:
#       option remote_random 1
        # Default: try in the order listed

        option resolv_retry infinite
        option nobind 1
        option persist_key 1
        option persist_tun 1

        option ca /etc/openvpn/master.mullvad.net.crt
        option cert /etc/openvpn/mullvad.crt
        option key /etc/openvpn/mullvad.key

        option comp_lzo 1

        option verb 3

        option remote_cert_tls server
        option ping_restart 60
        option script_security 2
        option ping 10

        # Ignore the redirect-gateway so 'lan' works, and do policy-based routing "manually" in the script
        option route_nopull 1
        option up /etc/openvpn/guest-up.sh

/etc/openvpn/guest-up.sh (remember to chmod +x):

#!/bin/ash

table=100

# log commands for debugging with logread:
logger ip route add default via $ifconfig_local dev $dev table $table
logger ip rule add from 10.0.0.0/24 table $table
ip route add default via $ifconfig_local dev $dev table $table
ip rule add from 10.0.0.0/24 table $table

iptables -I FORWARD -o $dev -j ACCEPT
iptables -t nat -I POSTROUTING -o $dev -j MASQUERADE

ip route flush cache

It works great :-)

-----

By the way, I first tried manually adding the routes, not from the up script, and kept getting stuff like

root@OpenWrt:~# ip route add default via 10.8.0.141 dev tun0 table 100
RTNETLINK answers: No such process

This rather unhelpful error message simply means that you mistyped the IP address (10.8.0.141 was wrong, in my case it kept changing every time I restarted openvpn – using an up script with $ifconfig_local takes care of that)

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

This works great :-) +1

I have a guest-wlan routing all traffic trough a OpenVPN tunnel (at HideMyAss). I just had to add a static route back to my OpenWrt router's guest network on the main gateway.

4 (edited by emmanuellgd 2016-07-16 16:17:42)

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

Hi and thanks for that howto. Unfortunately I haven't been able to make it work with Opewrt 15.05.1

I have no Internet on my guest wifi. What am I missing ? My config (what I have added):


/etc/config/network:

......
config 'interface' 'lan_guest'
        option 'proto' 'static'
        option 'ipaddr' '10.0.0.1'
        option 'netmask' '255.255.255.0'

config interface 'vpn_xyz'
        option ifname 'ovpn_xyz'
        option defaultroute '0'
        option peerdns '0'
        option proto 'none'

/etc/config/firewall

.....
### lan_guest network, vpn_xyz:
config 'zone'
    option 'name' 'lan_guest'
    option 'input' 'REJECT'
    option 'forward' 'REJECT'
    option 'output' 'ACCEPT'

config 'forwarding'
    option 'src' 'lan_guest'
    option 'dest' 'wan'

config 'rule'
    option 'src' 'lan_guest'
    option 'dest_port' '53'
    option 'proto' 'tcpudp'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'lan_guest'
    option 'src_port' '67-68'
    option 'dest_port' '67-68'
    option 'proto' 'udp'
    option 'target' 'ACCEPT'

config zone
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option name 'vpn_xyz'
    option masq '1'
    option network 'vpn_xyz'

config forwarding
    option dest 'lan_guest'
    option src 'vpn_xyz'

config forwarding
    option dest 'vpn_xyz'
    option src 'lan_guest'

By the way, is that necessary ?

config 'forwarding'
    option 'src' 'lan_guest'
    option 'dest' 'wan'

/etc/config/openvpn

config openvpn 'xyz_vpn'
       option config '/etc/openvpn/xyz.conf'
       option enabled '1'

/etc/openvpn/xyz.conf

client
dev ovpn_xyz
dev-type tun
proto udp
remote xyz 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ssl/xyz/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/xyz.txt
comp-lzo
verb 3
reneg-sec 0
crl-verify /etc/openvpn/ssl/xyz/crl.pem
log /var/log/openvpn-xyz.log

script-security 2
route-nopull
up '/etc/openvpn/scripts/xyz-up-iproute.sh'

/etc/openvpn/scripts/xyz-up-iproute.sh

#!/bin/ash
logger "OVPN: ifconfig_remote = $ifconfig_remote"
logger "OVPN: ifconfig_local = $ifconfig_local"
logger "OVPN: trusted_ip = $trusted_ip"

table=100

route="route add default via $ifconfig_local dev $dev table $table"
rule="rule add from 10.0.0.0/24 table $table"
logger "OVPN: ip $route"
logger "OVPN: ip $rule"
ip $route
ip $rule


iptable1="-I FORWARD -o $dev -j ACCEPT"
iptable2="-t nat -I POSTROUTING -o $dev -j MASQUERADE"
logger "OVPN: iptables $iptable1"
logger "OVPN: iptables $iptable2"
iptables $iptable1
iptables $iptable2


flush="route flush cache"
logger "OVPN: ip $flush"
ip $flush

Don't we need a "down" script ?


I can ping from my vpn:

root@OpenWrt:~# ping -I ovpn_xyz 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=50 time=42.742 ms

More:

root@OpenWrt:~# ip route show table 100
default via 10.128.1.6 dev ovpn_xyz
root@OpenWrt:~# ip rule show
0:      from all lookup 128
0:      from 10.0.0.0/24 lookup 100
1:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Thanks for your help

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

up ? smile

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

up ... smile

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

Hi,

these are my working up / down scripts.
tun1 = openvpn-tunnel (client)
br-lan_cg = bridged to guest wifi 
10.3.4.0/24 = guest network
Traffic from 10.3.4.128-255 is routed into tun1.

Up

#!/bin/sh
rm /etc/openvpn/cg/down
touch /etc/openvpn/cg/up

ip rule del from 10.3.4.128/25
ip rule add from 10.3.4.128/25 priority 10 table vpn
ip route add 10.3.4.128/25 dev tun1 table vpn
ip route add default via $ifconfig_remote dev tun1 table vpn
ip route flush cache
iptables -I FORWARD -i br-lan_cg -o eth0 -j ACCEPT

Down

#!/bin/sh
rm /etc/openvpn/cg/up
touch /etc/openvpn/cg/down

ip rule del from 10.3.4.128/25
iptables -I FORWARD -i br-lan_cg -o eth0 -j REJECT

Enjoy!

8 (edited by emmanuellgd 2016-08-09 20:22:55)

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

Hi and thanks !

I understand your commands and I agree it should work. Nevertheless, I have tried it without success. I put that into my files:

#!/bin/sh
ip rule del from 10.3.4.0/24
ip rule add from 10.3.4.0/24 priority 10 table 108
ip route add 10.3.4.0/24 dev ovpn_pia table 108
ip route add default via $ifconfig_remote dev ovpn_pia table 108
ip route flush cache
iptables -I FORWARD -i br-lan_guest -o eth0.2 -j ACCEPT
#!/bin/sh
ip rule del from 10.3.4.0/24
iptables -I FORWARD -i br-lan_guest -o eth0 -j REJECT

I have changed vpn to 108 because else I get an error: Error: argument "vpn" is wrong: invalid table ID
In the OpenVPN logs (on start and stop) I have :

RTNETLINK answers: No such file or directory

ip route says:

default via 192.168.50.254 dev eth0.2  proto static  src 192.168.50.2
10.3.4.0/24 dev br-lan_guest  proto kernel  scope link  src 10.3.4.1
10.138.1.5 dev ovpn_xyz  proto kernel  scope link  src 10.138.1.6
.....

And ping -I ovpn_xyz 8.8.8.8 does not ping anything.

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

Hi,

not quite sure, if it is necessary:
Did you install "ip-full"?

10 (edited by emmanuellgd 2016-08-09 21:56:05)

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

Hi riodoro,

Yes I did, by the way I didn't have "vpn" in /etc/iproute2/rt_tables as described there : https://wiki.openwrt.org/doc/networking/routing

It's still the same

For info :

$ /usr/sbin/ip -V
ip utility, iproute2-ss4.0.0-1-openwrt

UPDATE : I can't even ping my gateway from my wifi

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

Hi,
try to not Route your GW Adresse through the Tunnel with the /25 mask.
(Assuming GW Adress is .1 or similar)

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

Hi,

Still the same ... sad

lan guest IP : 10.3.4.1/24
DHCP start: 129 and limit: 100
IP of the client: 10.3.4.191

And up script:

#!/bin/sh
ip rule del from 10.3.4.128/25
ip rule add from 10.3.4.128/25 priority 10 table vpn
ip route add 10.3.4.128/25 dev ovpn_xyz table vpn
ip route add default via $ifconfig_remote dev ovpn_xyz table vpn
ip route flush cache
iptables -I FORWARD -i br-lan_guest -o eth0.2 -j ACCEPT
# I have tried with eth0 as well

Any command to debug?

Thanks for all your help.

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

Hi,

did you solve the
RTNETLINK answers: No such file or directory
problem?
Think this should be fixed first.

Perhaps it is helpfull to post the whole ovpn starting-log.
"logread tail" after /etc/init/openvpn restart should do this.

Do you use the ovpn-luci-app?

14 (edited by emmanuellgd 2016-08-10 21:31:28)

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

Hi,

No I haven't been able to solve it. I was using the luci-app then I have migrated to my own configuration file (the problem was the same). When I don't put no-pull I have Internet throw the VPN.

My OpenVPN logs:


Wed Aug 10 22:04:43 2016 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 31 2016
Wed Aug 10 22:04:43 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Wed Aug 10 22:04:43 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Aug 10 22:04:43 2016 Socket Buffers: R=[163840->131072] S=[163840->131072]
Wed Aug 10 22:04:43 2016 UDPv4 link local: [undef]
Wed Aug 10 22:04:43 2016 UDPv4 link remote: [AF_INET]************************:1194
Wed Aug 10 22:04:43 2016 TLS: Initial packet from [AF_INET]************************:1194, sid=0bcee7e6 09913cc4
Wed Aug 10 22:04:43 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Aug 10 22:04:43 2016 CRL CHECK OK: ************************
Wed Aug 10 22:04:43 2016 VERIFY OK: ************************
Wed Aug 10 22:04:43 2016 Validating certificate key usage
Wed Aug 10 22:04:43 2016 ++ Certificate has key usage  00a0, expects 00a0
Wed Aug 10 22:04:43 2016 VERIFY KU OK
Wed Aug 10 22:04:43 2016 Validating certificate extended key usage
Wed Aug 10 22:04:43 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Aug 10 22:04:43 2016 VERIFY EKU OK
Wed Aug 10 22:04:43 2016 CRL CHECK OK: ************************
Wed Aug 10 22:04:43 2016 VERIFY OK: ************************
Wed Aug 10 22:04:44 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Aug 10 22:04:44 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 10 22:04:44 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Aug 10 22:04:44 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 10 22:04:44 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Aug 10 22:04:44 2016 [9ff091955ae90b03bcd0e7e5caf74c0e] Peer Connection Initiated with [AF_INET]************************:1194
Wed Aug 10 22:04:47 2016 SENT CONTROL [9ff091955ae90b03bcd0e7e5caf74c0e]: 'PUSH_REQUEST' (status=1)
Wed Aug 10 22:04:47 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.116.1.1,topology net30,ifconfig 10.116.1.6 10.116.1.5'
Wed Aug 10 22:04:47 2016 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Aug 10 22:04:47 2016 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Aug 10 22:04:47 2016 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Aug 10 22:04:47 2016 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Wed Aug 10 22:04:47 2016 OPTIONS IMPORT: timers and/or timeouts modified
Wed Aug 10 22:04:47 2016 OPTIONS IMPORT: LZO parms modified
Wed Aug 10 22:04:47 2016 OPTIONS IMPORT: --ifconfig/up options modified
Wed Aug 10 22:04:47 2016 TUN/TAP device ovpn_pia opened
Wed Aug 10 22:04:47 2016 TUN/TAP TX queue length set to 100
Wed Aug 10 22:04:47 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Aug 10 22:04:47 2016 /sbin/ifconfig ovpn_xyz 10.116.1.6 pointopoint 10.116.1.5 mtu 1500
Wed Aug 10 22:04:47 2016 /etc/openvpn/scripts/xyz-up.sh ovpn_xyz 1500 1542 10.116.1.6 10.116.1.5 init
RTNETLINK answers: No such file or directory
Wed Aug 10 22:04:47 2016 Initialization Sequence Completed

Do you see something ?

My router: TP-Link TL-WDR3600 v1


And :

# cat /etc/openwrt_*

DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='15.05.1'
DISTRIB_REVISION='r48532'
DISTRIB_CODENAME='chaos_calmer'
DISTRIB_TARGET='ar71xx/generic'
DISTRIB_DESCRIPTION='OpenWrt Chaos Calmer 15.05.1'
DISTRIB_TAINTS=''
15.05.1

~# lsmod

act_connmark             832  1
act_ipt                 2432  0
act_mirred              2336  1
act_police              3168  0
act_skbedit             1600  0
arc4                    1312  4
ath                    19925  3 ath9k
ath9k                  86966  0
ath9k_common           16894  1 ath9k
ath9k_hw              337464  2 ath9k
cfg80211              214641  4 ath9k
cls_basic               3024  0
cls_flow                5040  0
cls_fw                  3456 16
cls_route               4576  0
cls_tcindex             4256  0
cls_u32                 6176  1
compat                  1332  4 ath9k
compat_xtables           571  0
crc16                   1015  1 ext4
crc_ccitt               1019  1 ppp_async
crypto_blkcipher       10487  1 arc4
crypto_hash             9698  2 ext4
ehci_hcd               32092  1 ehci_platform
ehci_platform           3488  0
em_cmp                   736  0
em_meta                 4512  0
em_nbyte                 720  0
em_text                 1344  0
em_u32                   576  0
ext4                  311868  2
gpio_button_hotplug     4480  0
ifb                     2656  0
ip6_tables              9281  3 ip6table_raw
ip6t_REJECT             1184  2
ip6table_filter          608  1
ip6table_mangle         1072  1
ip6table_raw             576  1
ip_set                 21268 16 xt_set
ip_set_bitmap_ip        6592  0
ip_set_bitmap_ipmac     6368  0
ip_set_bitmap_port      5824  0
ip_set_hash_ip         16736  0
ip_set_hash_ipmark     16816  0
ip_set_hash_ipport     17376  0
ip_set_hash_ipportip   18320  0
ip_set_hash_ipportnet   23520  0
ip_set_hash_mac         8496  0
ip_set_hash_net        20560  0
ip_set_hash_netiface   22496  0
ip_set_hash_netnet     23680  0
ip_set_hash_netport    22144  0
ip_set_hash_netportnet   24768  0
ip_set_list_set         7232  0
ip_tables               9421  4 iptable_nat
ipt_ECN                 1376  0
ipt_MASQUERADE           624  2
ipt_REJECT               912  3
iptable_filter           672  1
iptable_mangle           944  1
iptable_nat              768  1
iptable_raw              640  1
ipv6                  269251 32 nf_conntrack_ipv6
jbd2                   47362  1 ext4
ledtrig_usbdev          1936  0
mac80211              381907  1 ath9k
mbcache                 4557  1 ext4
nf_conntrack           48862 16 nf_nat_ipv4
nf_conntrack_ftp        5280  1 nf_nat_ftp
nf_conntrack_ipv4       5152 15
nf_conntrack_ipv6       5536  3
nf_conntrack_rtcache    2480  0
nf_defrag_ipv4           838  1 nf_conntrack_ipv4
nf_defrag_ipv6          9063  1 nf_conntrack_ipv6
nf_log_common           2479  2 nf_log_ipv4
nf_log_ipv4             3136  0
nf_log_ipv6             3296  0
nf_nat                  9948  6 nf_nat_ipv4
nf_nat_ftp              1200  0
nf_nat_ipv4             4225  1 iptable_nat
nf_nat_masquerade_ipv4    1388  1 ipt_MASQUERADE
nf_reject_ipv4          1955  1 ipt_REJECT
nf_reject_ipv6          2055  1 ip6t_REJECT
nfnetlink               3995  1 ip_set
nls_base                4976  1 usbcore
ppp_async               6320  0
ppp_generic            20658  3 pppoe
pppoe                   8144  0
pppox                   1354  1 pppoe
sch_codel               4096  0
sch_dsmark              3600  0
sch_fq                  5936  0
sch_gred                6384  0
sch_hfsc               13344  2
sch_htb                12576  0
sch_ingress              944  1
sch_pie                 4016  0
sch_prio                3184  0
sch_red                 4496  0
sch_sfq                 8160  0
sch_tbf                 5104  0
sch_teql                3648  0
scsi_mod               85623  3 ums_cypress
sd_mod                 25600  5
slhc                    4299  1 ppp_generic
tun                    15135  4
ums_alauda              8256  0
ums_cypress             2240  0
ums_datafab             4672  0
ums_freecom             1968  0
ums_isd200              5024  0
ums_jumpshot            3600  0
ums_karma               1536  0
ums_sddr09              8704  0
ums_sddr55              4816  0
ums_usbat               7328  0
usb_common              1160  1 usbcore
usb_storage            37695 13 ums_usbat
usbcore               117912 14 ums_usbat
x_tables               10741 52 ipt_REJECT
xt_CLASSIFY              576  0
xt_CT                   2224  0
xt_DSCP                 1504  0
xt_HL                   1296  0
xt_IPMARK                864  0
xt_LOG                   768  0
xt_NETMAP               1168  0
xt_REDIRECT             1056  2
xt_TCPMSS               2608  2
xt_addrtype             2144  0
xt_comment               480111
xt_connbytes            1488  0
xt_connlimit            3360  0
xt_connmark             1040  3
xt_conntrack            2160 14
xt_dscp                  992  0
xt_ecn                  1296  0
xt_helper                880  0
xt_hl                    800  0
xt_id                    480  0
xt_iface                 912  0
xt_ipv4options           656  0
xt_length                688  1
xt_limit                 992 20
xt_mac                   624  0
xt_mark                  672 28
xt_multiport            1184 10
xt_nat                  1072  3
xt_owner                 688  0
xt_physdev              1344  0
xt_pkttype               624  0
xt_quota                 736  0
xt_recent               6336  0
xt_set                  5712  0
xt_state                 688  0
xt_statistic             784  0
xt_tcpmss                992  0
xt_tcpudp               1696 34
xt_time                 1632  0

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

UPDATE

That works, but I still have the RTNETLINK answers: No such file or directory in logs...:

#!/bin/sh
ip rule del from 10.3.4.128/25
ip rule add from 10.3.4.128/25 priority 10 table vpn
ip route add 10.3.4.128/25 dev $dev table vpn
ip route add default via $ifconfig_remote dev $dev table vpn

ip route flush cache
iptables -I FORWARD -o $dev -j ACCEPT
iptables -t nat -I POSTROUTING -o $dev -j MASQUERADE

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

Great,

but sorry, I can't help with RTNETLINK prob.

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

No Problem,

Thanks for your time and your help. I'll try to tune my settings, removing rules one by one to see what's blocking.

Have a great day !

Re: [SOLVED] run vpn client only for 'guest' network, no vpn for 'lan'

Hi riodoro

I found from where the RTNETLINK  Error came and that seems very logic:

ip rule del from 10.3.4.128/25

I have done a Howto on the forum that I'll update to have something more clear, concise and powerful (with firewall rules and examples of how to redirect a single IP).