DD-WRT :: View topic - Bypass VPN with policy based routing

Bypass VPN with policy based routing

DD-WRT Forum Index -> Advanced Networking

View previous topic :: View next topic

Author

Message

Woohoo
DD-WRT Novice

Joined: 15 Feb 2015
Posts: 4

Posted: Sun Feb 15, 2015 18:05 Post subject: Bypass VPN with policy based routing

Hi all - I have been trying to solve this one for some time now and I hope someone can help me - I am trying to allow certain IPs to access the Internet via my traditional (non-VPN) route.

I have setup my vpnwith btguard using their wiki tutorial (script), which works perfectly at routing all ips through the VPN. Could someone please guide me as to how to edit the script to bypass the VPN?

The tutorial I following for btguard- instruction set 1 was used. Please note that using the openvpn client does not work for some reason... Therefore it will have to be a script edit

https://wiki.btguard.com/index.php/OpenVPN_dd-wrt

Thank you! Very Happy

Sponsor

Woohoo
DD-WRT Novice

Joined: 15 Feb 2015
Posts: 4

Posted: Sun Feb 15, 2015 19:51 Post subject:
Thank you very much for your help! I will give it a go tonight and let you know how I get on

Woohoo
DD-WRT Novice

Joined: 15 Feb 2015
Posts: 4

Posted: Sat Mar 14, 2015 16:50 Post subject:

Hi again - i've tried for sometime and read quite a bit about policy based routing, but unfortunately I am a beginner with this, so not making any progress!

My preference would be to amend the current code to add the route-noexec directive to the VPN provider’s script, in order to stop the VPN from being the default gateway. There is only 1 or 2 IPs that I really need to route through VPN.

I've pasted the code below - appreciate any help that you can provide!! Very Happy

start-up

Code:

#!/bin/sh

USERNAME="username"
PASSWORD="password"
PROTOCOL="udp"

REMOTE_SERVERS="
remote vpn.btguard.com 1194
"

#### DO NOT CHANGE below this line ####

CA_CRT='-----BEGIN CERTIFICATE-----
MIIDcjCCAtugAwIBAgIJAPKjuBleHokmMA0GCSqGSIb3DQEBBQUAMIGDMQswCQYD
VQQGEwJERTEVMBMGA1UECBMMSGVzc2UtTmFzc2F1MRIwEAYDVQQHEwlGcmFua2Z1
cnQxEDAOBgNVBAoTB0JUR3VhcmQxEzARBgNVBAMTCkJUR3VhcmQgQ0ExIjAgBgkq
hkiG9w0BCQEWE3N1cHBvcnRAYnRndWFyZC5jb20wHhcNMTAwODA3MDc0NTA5WhcN
MjAwODA0MDc0NTA5WjCBgzELMAkGA1UEBhMCREUxFTATBgNVBAgTDEhlc3NlLU5h
c3NhdTESMBAGA1UEBxMJRnJhbmtmdXJ0MRAwDgYDVQQKEwdCVEd1YXJkMRMwEQYD
VQQDEwpCVEd1YXJkIENBMSIwIAYJKoZIhvcNAQkBFhNzdXBwb3J0QGJ0Z3VhcmQu
Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4cBR6VLQICqdpTsjosIQ5
9elQZSRNQFaxWW3MeRC1xpJqjkbLJ9B9IO/Q/UyOa4a3qYHg8rI43wIF/RR6bwNX
3sZ5w6TrdVBk0DFZq6lDQ8/4Kpg1dKbdAgJjvtxiyrHWFtB0jYVGTlxwBSPflc2J
RZDMAVVj83gQh8ODJeGjnwIDAQABo4HrMIHoMB0GA1UdDgQWBBQCj1U+EICMz8hF
++KZ8Ld1vR0sqTCBuAYDVR0jBIGwMIGtgBQCj1U+EICMz8hF++KZ8Ld1vR0sqaGB
iaSBhjCBgzELMAkGA1UEBhMCREUxFTATBgNVBAgTDEhlc3NlLU5hc3NhdTESMBAG
A1UEBxMJRnJhbmtmdXJ0MRAwDgYDVQQKEwdCVEd1YXJkMRMwEQYDVQQDEwpCVEd1
YXJkIENBMSIwIAYJKoZIhvcNAQkBFhNzdXBwb3J0QGJ0Z3VhcmQuY29tggkA8qO4
GV4eiSYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAgVeYTxvAonucE
qWloEvzCCUWs8bS/HJ6M85WzG7FPNAXx2QbWwN3EMwKxtGc7QF8f+APoMukzsvd2
vuI+1n0YwtD12cWMM9PLV2FhA2B+ajzssBTgvrbtX/SzKt0//lzrBp5Gyo6T/vO5
9KRb6DVfVWfB76+DLpTf9f3SLTgzKw==
-----END CERTIFICATE-----'

OPVPNENABLE=`nvram get openvpncl_enable | awk '$1 == "0" {print $1}'`

if [ "$OPVPNENABLE" != 0 ]
then
nvram set openvpncl_enable=0
nvram commit
fi

sleep 30
mkdir /tmp/btguard; cd /tmp/btguard
echo -e "$USERNAME\n$PASSWORD" > userpass.conf
echo "$CA_CRT" > ca.crt
echo "#!/bin/sh" > route-up.sh; echo -e "#!/bin/sh\nsleep 2" > route-down.sh
echo "#!/bin/sh
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE" > /tmp/.rc_firewall
chmod 644 ca.crt; chmod 600 userpass.conf; chmod 700 route-up.sh route-down.sh
chmod 700 /tmp/.rc_firewall
sleep 30
echo "client
dev tun
proto $PROTOCOL
script-security 2
hand-window 60
verb 3
mute 5
mtu-disc yes
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 20 120
reneg-sec 0
log btguard.log
ca ca.crt
mute-replay-warnings
daemon
auth-user-pass userpass.conf
$REMOTE_SERVERS" > openvpn.conf
ln -s /tmp/btguard/btguard.log /tmp/btguard.log
(killall openvpn; openvpn --config /tmp/btguard/openvpn.conf --route-up /tmp/btguard/route-up.sh --down-pre /tmp/btguard/route-down.sh) &
exit 0

Firewall

Code:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Thanks!

Woohoo
DD-WRT Novice

Joined: 15 Feb 2015
Posts: 4

Posted: Sun Mar 15, 2015 12:37 Post subject:
Thank you so much so your help - this works perfectly. Really appreciate the help and time you have spent!!!

James Greystone
DD-WRT User

Joined: 20 Nov 2011
Posts: 194

Posted: Tue Jan 05, 2016 3:37 Post subject:

eibgrad wrote:

Fortunately this VPN provider has made it relatively simple since his route-up/route-down scripts don’t do much of anything anyway. Normally you would at least place firewall rules in there, but they decided to add them directly to the firewall script. I’m puzzled why they bothered w/ these scripts at all.

Anyway, I’d stored the modified script in PasteBin.

http://pastebin.com/G6u6fbkL

I commented out the original code that created route-up.sh and route-down.sh, then added code to the top of the script that creates these same scripts but w/ the code we want. All you need to do is specify the source IPs you want to force over the VPN. I provided some examples. Just be sure to keep the source IPs in-sync between the scripts (one adds them, the other deletes them).

The scripts are designed to write to syslog, so should anything go wrong, you can dump the results from telnet/ssh.

Code:

cat /var/log/messages | grep route-up.sh
cat /var/log/messages | grep route-down.sh

Obviously I have no way to test it against your VPN provider, so there’s always a chance of some error(s). But give it a try and see what happens.

I am having a similar issue and am confused by startup scripts and would very much appreciate your assistance if you are able to.

I saw your post and saw you were very knowledgeable in this topic and I am quite stuck and was hoping you might have a moment to help.

My old VPN provider I was able to use the OpenVPN client and merely paste my ip's into the routing table and all was good.

Unfortunately my new provider IPvanish will only function by running a startup script because the newest DD-WRT software is more up to date than what they currently support and therefore I can't enable the OpenVpn client to put in the IP's so I need to run them through their startup command script.

I can't seem to make enough sense of your explanation and was hoping you could assist.

This is what I had in Policy based routing table which should go through the VPN. so basically 100-149 through the VPN and any range outside from 150 above don't. This way I can create static IP's outside the DHCP range and they won't go through the VPN. For example my OOMA phone won't work through a VPN, so I need to route it around the VPN. Currently using 192.168.1.150 for this purpose.

I will also Post their startup script which is where this would need to be installed I guess.

Much appreciated if you have the time to assist.

192.168.1.100/32
192.168.1.101/32
192.168.1.102/32
192.168.1.103/32
192.168.1.104/32
192.168.1.105/32
192.168.1.106/32
192.168.1.107/32
192.168.1.108/32
192.168.1.109/32
192.168.1.110/32
192.168.1.111/32
192.168.1.112/32
192.168.1.113/32
192.168.1.114/32
192.168.1.115/32
192.168.1.116/32
192.168.1.117/32
192.168.1.118/32
192.168.1.119/32
192.168.1.120/32
192.168.1.121/32
192.168.1.122/32
192.168.1.123/32
192.168.1.124/32
192.168.1.125/32
192.168.1.126/32
192.168.1.127/32
192.168.1.128/32
192.168.1.129/32
192.168.1.130/32
192.168.1.131/32
192.168.1.132/32
192.168.1.133/32
192.168.1.134/32
192.168.1.135/32
192.168.1.136/32
192.168.1.137/32
192.168.1.138/32
192.168.1.139/32
192.168.1.140/32
192.168.1.141/32
192.168.1.142/32
192.168.1.143/32
192.168.1.144/32
192.168.1.145/32
192.168.1.146/32
192.168.1.147/32
192.168.1.148/32
192.168.1.149/32

#!/bin/sh

SERVER="man-c01.ipvanish.com"
PROTOCOL="udp" # You can use tcp or udp, but make sure the letters are lowercase.
PORT="443" # You can select port 443 for either tcp or udp. Port 1194 also works for udp.
USER="MYUSERNAME" # Replace MYUSERNAME with your IPVanish Username.
PASS="MYPASSWORD" # Replace MYPASSWORD with your IPVanish Password.

# This script will cause the entire router startup sequence to be about 2 minutes.

ntpclient pool.ntp.org
stopservice process_monitor
startservice process_monitor
sleep 30

mkdir /tmp/openvpncl

echo client > /tmp/openvpncl/openvpn.conf &&
echo dev tun >> /tmp/openvpncl/openvpn.conf &&
echo proto "$PROTOCOL" >> /tmp/openvpncl/openvpn.conf &&
echo remote "$SERVER" "$PORT" >> /tmp/openvpncl/openvpn.conf &&
echo resolv-retry infinite >> /tmp/openvpncl/openvpn.conf &&
echo nobind >> /tmp/openvpncl/openvpn.conf &&
echo persist-key >> /tmp/openvpncl/openvpn.conf &&
echo persist-tun >> /tmp/openvpncl/openvpn.conf &&
echo persist-remote-ip >> /tmp/openvpncl/openvpn.conf &&
echo tun-mtu 1500 >> /tmp/openvpncl/openvpn.conf &&
echo ca /tmp/openvpncl/ca.crt >> /tmp/openvpncl/openvpn.conf &&
echo remote-cert-tls server >> /tmp/openvpncl/openvpn.conf &&
echo auth-user-pass /tmp/auth.conf >> /tmp/openvpncl/openvpn.conf &&
echo comp-lzo >> /tmp/openvpncl/openvpn.conf &&
echo verb 4 >> /tmp/openvpncl/openvpn.conf &&
echo auth SHA256 >> /tmp/openvpncl/openvpn.conf &&
echo cipher AES-256-CBC >> /tmp/openvpncl/openvpn.conf &&
echo keysize 256 >> /tmp/openvpncl/openvpn.conf &&
echo tls-cipher DHE-RSA-AES256-SHA >> /tmp/openvpncl/openvpn.conf &&
echo script-security 3 system >> /tmp/openvpncl/openvpn.conf
echo log /tmp/openvpncl/openvpn.log >> /tmp/openvpncl/openvpn.conf
echo daemon >> /tmp/openvpncl/openvpn.conf
echo status-version 3 >> /tmp/openvpncl/openvpn.conf
echo status /tmp/openvpncl/status.log 5 >> /tmp/openvpncl/openvpn.conf
echo -e "$USER\n$PASS" > /tmp/auth.conf

chmod 600 /tmp/auth.conf

echo -----BEGIN CERTIFICATE----- > /tmp/openvpncl/ca.crt
echo MIIErTCCA5WgAwIBAgIJAMYKzSS8uPKDMA0GCSqGSIb3DQEBBQUAMIGVMQswCQYD >> /tmp/openvpncl/ca.crt
echo VQQGEwJVUzELMAkGA1UECBMCRkwxFDASBgNVBAcTC1dpbnRlciBQYXJrMREwDwYD >> /tmp/openvpncl/ca.crt
echo VQQKEwhJUFZhbmlzaDEVMBMGA1UECxMMSVBWYW5pc2ggVlBOMRQwEgYDVQQDEwtJ >> /tmp/openvpncl/ca.crt
echo UFZhbmlzaCBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBpcHZhbmlzaC5jb20w >> /tmp/openvpncl/ca.crt
echo HhcNMTIwMTExMTkzMjIwWhcNMTcwMTEwMTkzMjIwWjCBlTELMAkGA1UEBhMCVVMx >> /tmp/openvpncl/ca.crt
echo CzAJBgNVBAgTAkZMMRQwEgYDVQQHEwtXaW50ZXIgUGFyazERMA8GA1UEChMISVBW >> /tmp/openvpncl/ca.crt
echo YW5pc2gxFTATBgNVBAsTDElQVmFuaXNoIFZQTjEUMBIGA1UEAxMLSVBWYW5pc2gg >> /tmp/openvpncl/ca.crt
echo Q0ExIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAaXB2YW5pc2guY29tMIIBIjANBgkq >> /tmp/openvpncl/ca.crt
echo hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9DBWNr/IKOuY3TmDP5x7vYZR0DGxLbX >> /tmp/openvpncl/ca.crt
echo U8TyAzBbjUtFFMbhxlHiXVQrZHmgzih94x7BgXM7tWpmMKYVb+gNaqMdWE680Qm3 >> /tmp/openvpncl/ca.crt
echo nOwmhy/dulXDkEHAwD05i/iTx4ZaUdtV2vsKBxRg1vdC4AEiwD7bqV4HOi13xcG9 >> /tmp/openvpncl/ca.crt
echo 71aQ55Mj1KeCdA0aNvpat1LWx2jjWxsfI8s2Lv5Fkoi1HO1+vTnnaEsJZrBgAkLX >> /tmp/openvpncl/ca.crt
echo pItqP29Lik3/OBIvkBIxlKrhiVPixE5qNiD+eSPirsmROvsyIonoJtuY4Dw5K6pc >> /tmp/openvpncl/ca.crt
echo NlKyYiwo1IOFYU3YxffwFJk+bSW4WVBhsdf5dGxq/uOHmuz5gdwxCwIDAQABo4H9 >> /tmp/openvpncl/ca.crt
echo MIH6MB0GA1UdDgQWBBRL/RQliR3nwXCD1/afERwlThnurjCBygYDVR0jBIHCMIG/ >> /tmp/openvpncl/ca.crt
echo gBRL/RQliR3nwXCD1/afERwlThnurqGBm6SBmDCBlTELMAkGA1UEBhMCVVMxCzAJ >> /tmp/openvpncl/ca.crt
echo BgNVBAgTAkZMMRQwEgYDVQQHEwtXaW50ZXIgUGFyazERMA8GA1UEChMISVBWYW5p >> /tmp/openvpncl/ca.crt
echo c2gxFTATBgNVBAsTDElQVmFuaXNoIFZQTjEUMBIGA1UEAxMLSVBWYW5pc2ggQ0Ex >> /tmp/openvpncl/ca.crt
echo IzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAaXB2YW5pc2guY29tggkAxgrNJLy48oMw >> /tmp/openvpncl/ca.crt
echo DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAho5ynpvtXISz3neqGXpL >> /tmp/openvpncl/ca.crt
echo BBlOM35pd1ZSNHLCb2yHQwAjZbfYqfX2MDs9ytH4Cf1OfaVqwe777QyyIC2XR2QK >> /tmp/openvpncl/ca.crt
echo kw4c2hCT8wPzWhmkLx8Q+jnKdOKkdz+L8+Ji9/vjtaFOcYjMDalI6CbjBiuMFWhB >> /tmp/openvpncl/ca.crt
echo IzOaYljmA2UeQCVIz9aW80BC8+sLQ6oeWVnFjx7zqK1gbbc2bNuy3slOMdyoEj2m >> /tmp/openvpncl/ca.crt
echo hkxfiffuHKV+GQoR7tFIr3M7KFFwYgkXeyLh1Pc0rZu7dGe4fUAbR1okB1DgelBd >> /tmp/openvpncl/ca.crt
echo n6rWTZ8XcNzT/YngtH4bXB9DM7pKWpDWc94va4hFrGgaOxjE861TdoDqHaMO9bW+ >> /tmp/openvpncl/ca.crt
echo Pg== >> /tmp/openvpncl/ca.crt
echo -----END CERTIFICATE----- >> /tmp/openvpncl/ca.crt

chmod 644 /tmp/openvpncl/ca.crt

touch /tmp/openvpncl/openvpn.log
chmod 664 /tmp/openvpncl/openvpn.log

echo "#!/bin/sh" > /tmp/openvpncl/route-up.sh
echo "iptables -I POSTROUTING -t nat -o tun0 -j MASQUERADE" >> /tmp/openvpncl/route-up.sh
echo "iptables -I INPUT -t filter -i tun0 -j ACCEPT" >> /tmp/openvpncl/route-up.sh
echo -e "#!/bin/sh\nsleep 2" > /tmp/openvpncl/route-down.sh
echo "iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE" >> /tmp/openvpncl/route-down.sh
echo "iptables -D INPUT -t filter -i tun0 -j ACCEPT" >> /tmp/openvpncl/route-down.sh

chmod 700 /tmp/openvpncl/route-up.sh
chmod 700 /tmp/openvpncl/route-down.sh

(openvpn --config /tmp/openvpncl/openvpn.conf --ca /tmp/openvpncl/ca.crt --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh &)

sleep 480
echo "*** SYSTEM REPORT ***" > /tmp/openvpncl/report.txt
echo >> /tmp/openvpncl/report.txt
echo "------------> * OpenVPN Information * <------------" >> /tmp/openvpncl/report.txt
echo "Command: openvpn --version" >> /tmp/openvpncl/report.txt
echo "Command: cat /tmp/openvpncl/status.log" >> /tmp/openvpncl/report.txt
echo "Command: cat /tmp/openvpncl/openvpn.log" >> /tmp/openvpncl/report.txt
echo >> /tmp/openvpncl/report.txt
openvpn --version >> /tmp/openvpncl/report.txt
cat /tmp/openvpncl/status.log >> /tmp/openvpncl/report.txt
cat /tmp/openvpncl/openvpn.log >> /tmp/openvpncl/report.txt
echo >> /tmp/openvpncl/report.txt
echo "------------> * System Log * <------------" >> /tmp/openvpncl/report.txt
echo "Command: cat /var/log/messages" >> /tmp/openvpncl/report.txt
echo >> /tmp/openvpncl/report.txt
sleep 120
cat /var/log/messages >> /tmp/openvpncl/report.txt
echo >> /tmp/openvpncl/report.txt
echo "------------> * Current Adapters * <------------" >> /tmp/openvpncl/report.txt
echo "Command: ifconfig" >> /tmp/openvpncl/report.txt
echo >> /tmp/openvpncl/report.txt
ifconfig >> /tmp/openvpncl/report.txt
echo >> /tmp/openvpncl/report.txt
echo "------------> * IP Tables * <------------" >> /tmp/openvpncl/report.txt
echo "Command: iptables -nvxL" >> /tmp/openvpncl/report.txt
echo "Command: iptables -nvxL nat" >> /tmp/openvpncl/report.txt
echo "Command: ip ro" >> /tmp/openvpncl/report.txt
echo >> /tmp/openvpncl/report.txt
iptables -nvxL >> /tmp/openvpncl/report.txt
iptables -nvxL nat >> /tmp/openvpncl/report.txt
ip ro >> /tmp/openvpncl/report.txt
echo >> /tmp/openvpncl/report.txt
echo "------------> * Processes * <------------" >> /tmp/openvpncl/report.txt
echo "Command: ps" >> /tmp/openvpncl/report.txt
echo >> /tmp/openvpncl/report.txt
ps >> /tmp/openvpncl/report.txt

exit 0

James Greystone
DD-WRT User

Joined: 20 Nov 2011
Posts: 194

Posted: Tue Jan 05, 2016 22:47 Post subject:

eibgrad wrote:

James Greystone wrote:

I am having a similar issue and am confused by startup scripts and would very much appreciate your assistance if you are able to.

I have a modified ipvanish script from a prior thread. But I don't know if anything else besides my modifications has changed between the two scripts. Perhaps that's something you can verify for yourself.

http://pastebin.com/xmetzKxb

You don't need to list each and every IP. You can use an "IP range to CIDR calculator" to cut down that list substantially.

http://www.ipaddressguide.com/cidr

So 192.168.1.100 thru 192.168.1.149 can be represented as:

Code:

192.168.1.100/30
192.168.1.104/29
192.168.1.112/28
192.168.1.128/28
192.168.1.144/30
192.168.1.148/31

You would use these IPs in the "ip rule add ..." and "ip rule del ..." sections of the script.

Great thanks for the help.

I compared your Ipvanish with the latest Ipvanish script and there is only 1 line that was different so I changed it easily.

This line

echo tls-remote "$SERVER" >> /tmp/openvpncl/openvpn.conf &&

is now this in the new script

echo remote-cert-tls server >> /tmp/openvpncl/openvpn.conf &&

2 quick questions is this the correct code for the ip's? Thanks for the CIDR utility very handy.

# return WAN back to default gateway in main routing table
ip route add 192.168.1.100/30 via $WAN_GW
ip route add 192.168.1.104/29 via $WAN_GW
ip route add 192.168.1.112/28 via $WAN_GW
ip route add 192.168.1.128/28 via $WAN_GW
ip route add 192.168.1.144/30 via $WAN_GW
ip route add 192.168.1.148/31 via $WAN_GW

# reset main routing table
ip route del 192.168.1.100/30 via $WAN_GW
ip route del 192.168.1.104/29 via $WAN_GW
ip route del 192.168.1.112/28 via $WAN_GW
ip route del 192.168.1.128/28 via $WAN_GW
ip route del 192.168.1.144/30 via $WAN_GW
ip route del 192.168.1.148/31 via $WAN_GW

also do I need to adjust these values at all??

# copy main routing table to bypass routing table (exclude all
# default gateways)
ip route show | grep -Ev '^default|^0.0.0.0/1|^128.0.0.0/1' \
| while read route; do
ip route add $route table $TID
done

Not sure what the 128 should refer to?

Thanks again.

James Greystone
DD-WRT User

Joined: 20 Nov 2011
Posts: 194

Posted: Wed Jan 06, 2016 13:23 Post subject:

eibgrad wrote:

No, you need to change the "ip rule add" and "ip rule del" sections, not "ip route add"! Leave the "ip route add" section (and everything else) alone.

Okay think this is right now. Just want to make sure I did the ip rule add from and del from correct. Thanks.

# add source IP(s)/network(s) to be routed over VPN
ip rule add from 192.168.1.100/30 table $TID
ip rule add from 192.168.1.104/29 table $TID
ip rule add from 192.168.1.112/28 table $TID
ip rule add from 192.168.1.128/28 table $TID
ip rule add from 192.168.1.144/30 table $TID
ip rule add from 192.168.1.148/31 table $TID

) 2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT

SCRIPT="/tmp/openvpncl/route-down.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE
iptables -D INPUT -t filter -i tun0 -j ACCEPT
(
[ -n "${DEBUG+x}" ] && set -x
TID="200"
VPN_IF="$dev" # provided by OpenVPN at runtime
VPN_GW="$route_vpn_gateway" # provided by OpenVPN at runtime
WAN_GW="$route_net_gateway" # provided by OpenVPN at runtime

# reset main routing table
ip route del 0.0.0.0/2 via $WAN_GW
ip route del 64.0.0.0/2 via $WAN_GW
ip route del 128.0.0.0/2 via $WAN_GW
ip route del 192.0.0.0/2 via $WAN_GW

# delete alternate routing table
ip route flush table $TID

# force routing system to recognize our changes
ip route flush cache

# delete source IP(s)/network(s) to be routed over VPN
ip rule del from 192.168.1.100/30 table $TID
ip rule del from 192.168.1.104/29 table $TID
ip rule del from 192.168.1.112/28 table $TID
ip rule del from 192.168.1.128/28 table $TID
ip rule del from 192.168.1.144/30 table $TID
ip rule del from 192.168.1.148/31 table $TID

James Greystone
DD-WRT User

Joined: 20 Nov 2011
Posts: 194

Posted: Sat Jan 16, 2016 17:11 Post subject:

eibgrad wrote:

Looks good.

Thanks again for the help.

tggargano
DD-WRT Novice

Joined: 27 Mar 2016
Posts: 1

Posted: Sun Mar 27, 2016 16:54 Post subject:
I am trying to do the same thing for TORGuard, but cannot figure it out. Here is what I tried to do: http://pastebin.com/C9J5UeRS This is the original startup script that works: http://pastebin.com/4nhEW4nS Any help would be appreciated. Thanks.

Display posts from previous:

Page 1 of 1

DD-WRT Forum Index -> Advanced Networking

All times are GMT

Navigation

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum

Log in

Bypass VPN with policy based routing

Quick Links

Log in