Persistent routes for DD-WRT PPTP VPN client

dd-wrtpptproutingvpn

My home network in the USA is behind a Buffalo router (G300NH) running their version of DD-WRT. I use the built-in PPTP VPN client to connect to a VPN provider in the UK. I route certain traffic over the VPN (so it has a UK source address, for various entirely legal reasons) which I achieved by following the instructions in the DD-WRT docs and my VPN provider's own instructions. I placed two commands like this in the firewall script:

route add -net xxx.xxx.0.0 netmask 255.255.0.0 dev ppp0
route add -net yyy.yyy.0.0 netmask 255.255.0.0 dev ppp0

I didn't put any of the iptables rules in since it my setup doesn't seem to need them. It works like a charm. Traffic to the xxx subnets goes over the VPN, everything else goes out over my ISP's own pipes.

The problem comes when the VPN drops, which it does occasionally. DD-WRT does a fine job of reconnecting it automatically, but the routes are trashed every time that happens.

How do I automate the process of re-establishing my routes? I thought about static routes, but the IP address of the VPN connection is dynamically assigned (which is why I'm using dev ppp0).

Best Answer

The sed command works fine except that dd-wrt does not create the ip-up file until after the pptpd daemon is started. So I added a delay to the startup script to give time and also execute the ip-up command after adding the routes. This should solve it for you.

Here is the startup command for your router:

sleep 40
sed -i '' -e 's|exit 0|route add -net xxx.xxx.0.0 netmask 255.255.0.0 dev ppp0\nroute add -net yyy.yyy.0.0 netmask 255.255.0.0 dev ppp0\n&\n|' /tmp/pptpd_client/ip-up
/tmp/pptpd_client/ip-up

You could alternatively do this:

sleep 40
sed -i '' -e 's|exit 0|route add -net xxx.xxx.0.0 netmask 255.255.0.0 dev ppp0\n&\n|' /tmp/pptpd_client/ip-up
sed -i '' -e 's|exit 0|route add -net xxx.xxx.0.0 netmask 255.255.0.0 dev ppp0\n&\n|' /tmp/pptpd_client/ip-up
sed -i '' -e 's|exit 0|route add -net xxx.xxx.0.0 netmask 255.255.0.0 dev ppp0\n&\n|' /tmp/pptpd_client/ip-up
/tmp/pptpd_client/ip-up

adding as many routes as needed. The & replaces the exit 0.

Related Solutions

Linux – Routing all traffic over VPN on Ubuntu Linux

Your local network is 192.168.1.0/24, as shown by this line in your routing table:

 192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.32  metric 1

Your VPN network is 10.0.0.0/8, as shown by this line:

 10.0.0.0/8 dev tun0  scope link

Currently, your default router is:

 default via 192.168.1.254 dev eth0  proto static

which is of course what you do not want, because it belongs to your local LAN: thus all of your stuff is routed through your local gateway, as if the VPN did not exist.

 You do have however, the all-important statement

 128.122.252.68 via 192.168.1.254 dev eth0  src 192.168.1.32

which is the route to your VPN-provider.

EDIT:

I had not realized that the routing table is simply the one that is obtained from your VPN, without your intervention. This may indicate (indirectly) that your service provider is willing to forward only the traffic explicitly allowed in your table through the interface tun0, and may have taken further steps to block all other traffic, in which case your efforts will be futile.

However, assuming that your provider is willing to forward all of your traffic, what you need to do is the following.

First, you need to find out whether there is a gateway willing to accept your connection on the other side, because we need its IP address. I will give you four methods to do this.

1) With the pc connected to the VPN, try the following command:

   sudo dhclient -v tun0

If everything goes well, you should see a reply containing this line:

 DHCPOFFER of a.b.c.d from x.y.w.z

x.y.w.z is the IP address of the local gateway. You may have to shutdown your VPN after this test, and maybe even to reboot your pc, because we will have just messed up the routing table pretty well.

2) Alternatively, you may try navigating to one of the allowed sites (those that appear in your routing table as going through the tun0 interface), then issuing the command:

  ip neigh show

You should get a list of pcs contacted through the ARP protocol, with MAC and IP address; most likely, you will receive either zero or one reply. If you get a single reply, then that's your router.

3) If you get no such reply, then you may try with

  sudo nmap -sn 10.0.0.0/8

(which is going to be very slow). Your gateway will be one of the pcs listed, most likely the one with address ending in .1 or in .254, if any such exist.

4) Use the tcpdump command:

  sudo tcpdump -n -i tun0

and see the IP addresses spewed out by the command.

If you get no proper reply to this test either, it means someone has really tightened the screws in his network.

But let us be optimistic, and suppose you now have a candidate IP address x.w.y.z for the remote router. You will need to delete the default gateway, (as sudo!):

  ip route del default via 192.168.1.254

an add the new one:

  ip route add default via x.w.y.z

and try to navigate.

Let me repeat: since your provider has allowed traffic only to a few selected IP addresses through his VPN, it is possible he may have taken extra measures (=firewall) to prevent a smart user to force his generic traffic through his VPN. In this case, there is nothing you can do. But if he did not, the above steps should help you find a solution.

Best Answer

Related Solutions

Linux – Routing all traffic over VPN on Ubuntu Linux

Related Question