4

I have all traffic going through a VPN in my Tomato router. I’d like to exclude my gaming server’s address from the VPN. How do I exclude that one specific external IP address from the VPN in the Tomato router?

I tried adding:

    route my.external.server.ip 255.255.255.255 net_gateway

…which resolves from OpenVPN syntax to the underlying route command:

    /sbin/route add -net my.external.server.ip netmask 255.255.255.255 gw 10.0.0.1

…but that yields the error

    ERROR: Linux route add command failed: external program exited with error status: 1

What is the OpenVPN syntax to route one external IP through net_gateway?

Giacomo1968
Walrus the Cat
  • In general terms you would add a more specific route for your gaming servers with the WAN interface name. – davidgo Nov 06 '17 at 03:45
  • interesting -- do you have an iptables syntax etc? – Walrus the Cat Nov 06 '17 at 04:31
  • You would not typically use iptables. (I don't use Tomato, but it most likely uses route or ip command). Try "route add ip.of.game.server gw wan.nexthop". You could find the wan.nexthop by doing a route -n, and looking at the gateway used by the line with the IP the VPN connects to. – davidgo Nov 06 '17 at 04:38
  • I don't know Tomato, however, it seems like you have to change 10.0.0.1 with your real usual default GW, the one you use if there is no VPN. Check https://forums.openvpn.net/viewtopic.php?t=16818 – DGoiko Nov 14 '17 at 03:43
  • no it's telling it to route it through `10.0.0.1` which is my gateway to the internet, bypassing the VPN on that router. – Walrus the Cat Nov 14 '17 at 05:18
  • @WalrustheCat check https://slickdeals.net/f/1963456-tomato-static-routing or http://tomatousb.org/forum/t-825571/tomato-1-28-shibby:add-or-delete-static-route. Maybe there's something wrong with the permissions or the vpn config file. You should try to execute route add -net my.external.server.ip netmask 255.255.255.255 gw 10.0.0.1 as root from outside the VPN file, directly in the shell. If it still gives error, disable vpn and try the command again, then enable VPN and try. If it works, manually add the route permanently later. – DGoiko Nov 15 '17 at 01:56
  • @WalrustheCat please use @ and my name in your reply so I can see it in my mailbox. I thought the error was on 10.0.0.1 because I usually use that IP as the virtual gw to get through the VPN, hehe. Try executing the route add command directly from shell and paste output, please – DGoiko Nov 15 '17 at 02:03

2 Answers

3

As you have not answered my comments to say if it worked or not, I come with a bit more formatted answer:

I'm almost sure that Tomato is throwing that error because your OpenVPN client user is trying to add the route. You can check if I'm right following one of those, in this order of success chance:

  • Remove the route config line from OpenVPN config file and try to add it manually by executing the following code in the shell as root:

    route add -net my.external.server.ip netmask 255.255.255.255 gw 10.0.0.1
    
  • If that doesn't work, try DISABLING VPN SERVICE and executing the route add command then.

  • Check for other errors in your VPN config file, it may be screwing things a bit
  • Use webgui to make the changes. HiHat posted a link where it is nicely explained: Selective routing for Tomato firmware. Remember to remove the route line from the VPN file first!

Please post your results and more data about VPN client, tomato version, webgui or not webgui...

Giacomo1968
DGoiko
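
Added example (not from the thread, and not Tomato's or OpenVPN's own code): the lookup davidgo describes in the comments, reading `route -n` output to find the WAN next hop from the host route to the VPN server, plus a longest-prefix check of which interface a destination currently leaves by. The routing table, the addresses and the interface names (`vlan2`, `tun11`) are constructed assumptions.

```sh
#!/bin/sh
# Constructed `route -n` output from a router whose OpenVPN client redirects all
# traffic. Addresses are documentation ranges; vlan2/tun11 are assumed names.
SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
198.51.100.20   10.0.0.1        255.255.255.255 UGH   0      0        0 vlan2
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 vlan2
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun11
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun11
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 vlan2'

# wan_nexthop VPN_SERVER_IP < table
# Gateway of the host route to the VPN server, i.e. the next hop outside the tunnel.
wan_nexthop() {
    awk -v ip="$1" '$1 == ip && $3 == "255.255.255.255" && $2 != "0.0.0.0" { print $2; exit }'
}

# egress_iface DEST_IP < table
# Interface chosen for DEST_IP by longest-prefix match; fails if nothing matches.
egress_iface() {
    awk -v ip="$1" '
        function num(a,   p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        # AND of address and netmask per octet; valid because netmask octets are
        # contiguous high bits, so (256 - mask_octet) is the host-part size.
        function net(a, m,   pa, pm, i, r) {
            split(a, pa, "."); split(m, pm, "."); r = 0
            for (i = 1; i <= 4; i++) r = r*256 + pa[i] - pa[i] % (256 - pm[i])
            return r
        }
        BEGIN { best = -1 }
        $1 ~ /^[0-9]+\./ && net(ip, $3) == num($1) && num($3) > best { best = num($3); dev = $8 }
        END { if (best < 0) exit 1; print dev }'
}

# bypass_cmd GAME_IP VPN_SERVER_IP < table
# Prints (does not run) the host route in the form used in the question.
bypass_cmd() {
    gw=$(wan_nexthop "$2")
    [ -n "$gw" ] || { echo "no host route to $2 found" >&2; return 1; }
    echo "route add -net $1 netmask 255.255.255.255 gw $gw"
}

# Demo on the constructed table; on the router, pipe in `route -n` instead.
printf '%s\n' "$SAMPLE_ROUTES" | egress_iface 203.0.113.5                  # tun11
printf '%s\n' "$SAMPLE_ROUTES" | bypass_cmd 203.0.113.5 198.51.100.20
```

Running `egress_iface` again after the route has been added shows whether the game server's address now leaves by the WAN interface instead of the tunnel.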
-2

I think you can achieve it in several ways:

  1. By using Routing Policy option in modern version of Tomato (AdvancedTomato) OpenVPN settings and adding exclusion for your gaming server address. Please see here for example settings: http://www.linksysinfo.org/index.php?threads/shibby-tomato-selective-routing-of-openvpn-and-dns.71609/#post-270105
  2. By using selective routing in classic Tomato according to examples here: https://support.hidemyass.com/hc/en-us/articles/202798226-Selective-routing-for-Tomato-firmware-Per-source-IP-address
Giacomo1968
HiHat
  • While your intentions might be good, this answer is a link-only answer. Links die and so do their details. It would be best if you could edit your answer to provide more specifics while still linking to their source. – Giacomo1968 Nov 19 '17 at 00:20