Hi everybody,
As I wanted to set up vpnc to route only specific traffic, it came to me that ppp is missing a routing rule. Thus it was not easy to set up vpnc and I decided to change that.
My idea of network setup is like this:
# ./ip rule show
0: from all lookup local
32762: from 212.202.210.56 lookup 10
32763: from 192.168.10.1 lookup 4
32764: from 192.168.1.1 lookup 2
32765: from 127.0.0.1 lookup 1
32766: from all lookup main
32767: from all lookup default
# ./ip route show table 1
default dev lo
# ./ip route show table 2
default dev eth0
# ./ip route show table 4
default dev wl0
# ./ip route show table 10
default dev ppp0
# ./ip route show table main
193.174.167.12 dev ppp0 src 212.202.210.56
213.148.128.18 dev ppp0 proto kernel scope link src 212.202.210.56
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev wl0 proto kernel scope link src 192.168.10.1
140.98.193.0/24 dev tun0 src 130.149.218.25
130.149.0.0/17 dev tun0 src 130.149.218.25
default dev ppp0 scope link
The result is quite clear:
Traffic that has to go out a certain interface (e.g. the connection is over this specific interface) is caught by the rules that give a specific "from" address. Thus, connections coming in over tun0 are always returned over tun0, and connections coming over ppp0 are also returned over ppp0.
If a packet has no local interface assigned yet, all "from xxx" rules will not match and the packet will be routed with table "main". Here one can safely define certain nets to be reached over tun0 or ppp0, just as one likes (I have two nets that should always be routed through tun0, as you can see).
This setup is achieved by adding the rules automagically by a new hotplug script called 00rule-setup. This script also sets up the corresponding default route in the correct table. The table id is taken from the interface number (returned from "ip address show IFNAME").
As I am very new to multi-link configurations, I just tried to do my best. If there are any mistakes or if you have a better idea of how to solve the problem, please let me know!
Attached is a patch that modifies /etc/ppp/ip-up (which does not call hotplug since $6 seems not to be specified). The patch also adds 00rule-setup and removes the unused /etc/ppp/ip-up.d/if-rename. Since we do not need any default rule setup for vpnc in table main, this is also modified in /etc/vpnc/vpnc-route.
Clemens
Index: package/ppp/files/etc/ppp/ip-up
===================================================================
--- package/ppp/files/etc/ppp/ip-up (Revision 2357)
+++ package/ppp/files/etc/ppp/ip-up (Arbeitskopie)
@@ -1,6 +1,5 @@
#!/bin/sh
-[ -z "$6" ] || env -i ACTION="ifup" INTERFACE="$6" PROTO=ppp /sbin/hotplug
"iface"
-
+env -i ACTION="ifup" INTERFACE="$IFNAME" PROTO=ppp /sbin/hotplug "iface"
[ -d /etc/ppp/ip-up.d ] && {
for SCRIPT in /etc/ppp/ip-up.d/*
do
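Review bot: the replacement line drops the guard and calls hotplug unconditionally with INTERFACE="$IFNAME"; if IFNAME is ever unset, hotplug is invoked with an empty INTERFACE and the hook cannot tell which interface to bind. pppd also passes the interface name as the first positional argument of ip-up, so `INTERFACE="${IFNAME:-$1}"` behind a `[ -n "${IFNAME:-$1}" ] || exit 0` guard keeps the old protection while fixing the $6 problem the mail describes. Since `env -i` wipes everything else (IPLOCAL, IPREMOTE and friends), the new 00rule-setup hook can rely only on ACTION, INTERFACE and PROTO plus whatever `ip address show` reports; that matches the mail, but it is worth saying in a comment next to this line. Note that the removed line is wrapped by the mailer (`"iface"` sits on a line of its own), so this hunk will not apply as posted.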
Index: package/ppp/files/etc/ppp/ip-up.d/if-rename
===================================================================
--- package/ppp/files/etc/ppp/ip-up.d/if-rename (Revision 2357)
+++ package/ppp/files/etc/ppp/ip-up.d/if-rename (Arbeitskopie)
@@ -1,17 +0,0 @@
-#!/bin/sh
-exit 0 # This script breaks ppp accounting
-
-[ "$LINKNAME" ] || exit 0
-
-PATH=/bin:/usr/sbin:$PATH
-if ip link show dev $LINKNAME >/dev/null;then
- logger "$0: interface '$LINKNAME' already exists, cannot rename
'$IFNAME'."
- exit 0
-fi
-
-if ip route | grep -qE "^default.*dev $IFNAME *$"; then DEFAULT_ROUTE=1; fi
-
-ip link set $IFNAME down
-ip link set $IFNAME name $LINKNAME
-ip link set $LINKNAME up
-if [ -n "$DEFAULT_ROUTE" ]; then ip route add default via $IPREMOTE; fi
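Review bot: the file exits on its second line (`exit 0 # This script breaks ppp accounting`), so deleting it changes nothing at run time and is fine, but it also removes the only place in the tree that restored a `default via $IPREMOTE` route. The replacement for that, the 00rule-setup hotplug script the mail says this patch adds, is not in the posted diff (only ip-up, if-rename and vpnc-route appear), so the default-route handling in the per-interface tables cannot be reviewed here; please resend with that file included. The `logger` line is also wrapped by the mailer, so the hunk as posted does not apply cleanly.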
Index: package/vpnc/files/vpnc-route
===================================================================
--- package/vpnc/files/vpnc-route (Revision 2357)
+++ package/vpnc/files/vpnc-route (Arbeitskopie)
@@ -4,28 +4,27 @@
#* TUNDEV -- tunnel device (always present)
#* INTERNAL_IP4_ADDRESS -- address (always present)
+# define which traffic should be routed through the tunnel device
+# any traffic that is not bound to a local interface will be
+# mangled by the "main" routing table, so we add our rules to
+# the main routing table
-# Set up the routing table for the kernel.
-# This script must be modified in order to route the traffic through the
-# VPN tunnel.
+# the setup for remote traffic and already bound traffic is done by
+# the hotplug scripts.
if [ "x$TUNDEV" == "x" ]; then
- echo "No TUNDEV given. Script must be called from vpnc-script"
- exit 1;
+ echo "No TUNDEV given. Script must be called from vpnc-script"
+ exit 1;
fi
-
case "$1" in
- start)
- ip route show 0.0.0.0/0 > /var/run/vpnc/default.old
- ip route del 0.0.0.0/0
- ip route add 0.0.0.0/0 dev $TUNDEV
+ start)
+ # for each subnet that should be reached from this machine
over the vpn tunnel,
+ # add a line like this:
+ # ip route add some.sub.net/msk dev $TUNDEV src
$INTERNAL_IP4_ADDRESS
;;
stop)
- ip route del 0.0.0.0/0
- ip route add `cat /var/run/vpnc/default.old`
- rm /var/run/vpnc/default.old
- ;;
+ # remove the routing entries
+ ;;
esac;
-
-
exit 0;
+
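Review bot: the stop branch is now a comment with no commands, and start is only a template comment that adds no route either; once an administrator fills start with `ip route add some.sub.net/msk dev $TUNDEV src $INTERNAL_IP4_ADDRESS` lines, the matching `ip route del` lines belong in stop, otherwise the script's contract (stop undoes start) is silently broken. The new header comments should also state plainly what this hunk changes: the old script moved the default route onto the tunnel, so every packet went through the VPN; the new one sends only the listed subnets through $TUNDEV and leaves all other traffic on the normal default route, so a forgotten subnet now goes out in the clear instead of through the tunnel. "mangled by the main routing table" should read "matched by". While the indentation of the `[ "x$TUNDEV" == "x" ]` block is being touched, `==` inside `[ ]` is not POSIX for a `#!/bin/sh` script; `=` works in every shell. The two comment lines in start are wrapped by the mailer (`over the vpn tunnel,` and `$INTERNAL_IP4_ADDRESS` on lines of their own), so the patch needs to be resent as an attachment or with line wrapping disabled.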
_______________________________________________
freewrt-developers mailing list
[EMAIL PROTECTED]
https://www.freewrt.org/lists/listinfo/freewrt-developers
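The per-interface policy routing the mail describes, written out as an added example: this is not the 00rule-setup script from the patch, which is not in the posted diff, but an illustration of the same idea. It parses "ip address show IFNAME" output for the interface index and first IPv4 address, emits the `ip rule add from ADDR lookup N` and `ip route add default dev IFNAME table N` commands with N equal to the interface index, and records what it did so that ifdown can undo it. The sample `ip address show` output, the state directory and the print-only behaviour (pipe the output to sh to apply it) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the patch's 00rule-setup: derive the per-interface
# policy-routing rules described in the mail from "ip address show" output.
# Commands are printed rather than executed so they can be reviewed first.

# Constructed "ip address show" output, shaped like real iproute2 output.
SAMPLE_PPP0='10: ppp0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 212.202.210.56 peer 213.148.128.18/32 scope global ppp0'

SAMPLE_ETH0='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0'

# Where "INDEX ADDR" is remembered between ifup and ifdown (assumed path;
# a real hook would use something under /var/run).
STATE_DIR=${STATE_DIR:-${TMPDIR:-/tmp}/rule-setup}

# parse_iface: reads "ip address show" text on stdin and prints "INDEX ADDR"
# for the first IPv4 address; fails if either piece is missing.
parse_iface() {
    awk '
        $1 ~ /^[0-9]+:$/ { idx = substr($1, 1, length($1) - 1) }
        $1 == "inet"     { split($2, a, "/"); addr = a[1]; exit }
        END { if (idx == "" || addr == "") exit 1; print idx, addr }
    '
}

# setup_commands IFNAME TEXT: print the commands that bind the interface's
# own source address to its own table (table id = interface index), and save
# INDEX ADDR because the address is gone from the kernel when ifdown fires.
setup_commands() {
    ifname=$1
    parsed=$(printf '%s\n' "$2" | parse_iface) || return 1
    set -- $parsed
    idx=$1; addr=$2
    mkdir -p "$STATE_DIR" && printf '%s %s\n' "$idx" "$addr" > "$STATE_DIR/$ifname"
    printf 'ip rule add from %s lookup %s\n' "$addr" "$idx"
    printf 'ip route add default dev %s table %s\n' "$ifname" "$idx"
}

# teardown_commands IFNAME: print the commands that undo setup_commands,
# using the saved state; fails (nothing to undo) if no state exists.
teardown_commands() {
    ifname=$1
    [ -r "$STATE_DIR/$ifname" ] || return 1
    read idx addr < "$STATE_DIR/$ifname"
    printf 'ip rule del from %s lookup %s\n' "$addr" "$idx"
    printf 'ip route flush table %s\n' "$idx"
    rm -f "$STATE_DIR/$ifname"
}

# hotplug_dispatch ACTION INTERFACE TEXT: ACTION and INTERFACE are the only
# variables that survive the "env -i" in ip-up; TEXT is the "ip address
# show" output, passed in so the function also runs without ip(8).
hotplug_dispatch() {
    case "$1" in
        ifup)   setup_commands "$2" "$3" ;;
        ifdown) teardown_commands "$2" ;;
        *)      return 1 ;;
    esac
}

# Demo on the constructed sample. A real hook would call
#   hotplug_dispatch "$ACTION" "$INTERFACE" "$(ip address show "$INTERFACE")" | sh
hotplug_dispatch ifup ppp0 "$SAMPLE_PPP0"
```

Because the tables are keyed by interface index, the rule numbers differ from the hand-picked priorities in the `ip rule show` listing above, but the effect is the same: a reply sourced from an interface's own address is pinned to that interface, and only packets without a bound source fall through to table main.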