Posted: Wed Apr 25, 2018 16:28 Post subject: route specific devices through OpenVPN
I really hope this is the right place to ask for help with this. This seems like a very technical forum about much deeper stuff than I need help with. If this isn't the place for this, hopefully somebody can direct me to the proper resource.
I'm running DD-WRT firmware on my Netgear r7000. I currently have it setup as an OpenVPN client, so all Internet traffic is routed through the VPN. I want to setup my network so that wired traffic gets routed through the VPN but wireless traffic does not.
Actually, I'd ideally like to pick and choose which specific devices go through the VPN and which ones don't but for my current situation, it just happens that all the devices I want routed through the VPN happen to be wired.
Can anybody tell me how to do that? I don't necessarily need a step-by-step guide. "Use [name of feature or process]" might be enough that I can Google up a solution.
I do have a second router I can setup (a Netgear wnr3500) but I'd really rather not have to.
Joined: 31 Jan 2012 Posts: 80 Location: North Carolina
Posted: Wed Apr 25, 2018 17:10 Post subject:
1. First thing assign static leases to all devices. This may take some time.
2. Under OpenVPN Client, look for Policy Based Routing and enter every devices static IP that you want routed through the VPN. Like the following examples.
3. If you want a killswitch to block internet to those devices if the VPN goes down, go to Commands and add a line for each device again and save as firewall. Like these examples
iptables -I FORWARD -s 192.168.1.2 -o $(nvram get wan_iface) -j REJECT
iptables -I FORWARD -s 192.168.1.3 -o $(nvram get wan_iface) -j REJECT
iptables -I FORWARD -s 192.168.1.7 -o $(nvram get wan_iface) -j REJECT
iptables -I FORWARD -s 192.168.1.12 -o $(nvram get wan_iface) -j REJECT
Thanks! That seems like everything I need. I'll give it a try tonight and see if it eases my woes. I already use static IP addresses with every device that lives in my house, so time saved there.
So this will mean that anything that doesn't have a specific rule will NOT get routed through the VPN? That should be adequate but is there a way I can do the opposite? So have the default behavior be "route everything through the VPN" but have rules that say "but not this specific device."
Ah! I can make rules for all the devices that live here and need the VPN, and also make a rule for a separate address range. Then I can tell it to assign addresses within that range to any device that doesn't already have a static address.