Posted: Mon Sep 10, 2012 8:34 Post subject: Open VPN, I want to restrict to only a portion of my network
I am new to DD-WRT and even newer to VPNs. The VPN service I use provides an automatically generated script to put in the router start-up to configure the VPN. The thing is I really don't want everything connected to my router to be routed through the VPN.
I wonder if anyone can point me in the right direction for how to modify the given script so that I can limit the VPN to perhaps a specified IP range or specific IP addresses on my local network? I am of course open to other ways this can be achieved, such as a VLAN.
My router is the Netgear WNDR3700 v2
Here's the script I've got at the moment (private data removed):
# create the config file
echo "
client
nobind
# Here is the IP address of your VPNUK server
# followed by the port and protocol to use
remote xxx.xxx.xxx.xxx 1194 udp
dev tun
dev-type tun
comp-lzo yes
verb 3
script-security 3
auth-user-pass user.txt
<ca>
-----BEGIN CERTIFICATE-----
MIIDNzCCAqCgAwIBAgIJANT/PXbMiYxfMA0GCSqGSIb3DQEBBQUAMHExCzAJBgNV
....
NvOty17e7gFUz+Y=
-----END CERTIFICATE-----
</ca>
# build a firewall script ($fw) from the router's port-forward settings so that
# forwards also work for traffic arriving through the tunnel (tun0)
for port in $forward_spec;
do
SPORT=`echo $port | cut -d \: -f 4 | cut -d \> -f 1`
DST=`echo $port | cut -d \: -f 4 | cut -d \> -f 2`
DPORT=`echo $port | cut -d \: -f 5`
for proto in tcp udp;
do
# append (>>) instead of truncate (>); otherwise every pass of the loop wipes the rules written before it
echo "$iptables -I FORWARD -i tun0 -p $proto --dport $SPORT -j ACCEPT" >> $fw
echo "$iptables -t nat -I PREROUTING -i tun0 -p $proto --dport $SPORT -j DNAT --to $DST:$DPORT" >> $fw
done
done
# same for port-range forwards
for port in $forward_port;
do
SPORT1=`echo $port | cut -d \: -f 4`
SPORT2=`echo $port | cut -d \: -f 5 | cut -d \> -f 1`
DST=`echo $port | cut -d \: -f 5 | cut -d \> -f 2`
for proto in tcp udp;
do
echo "$iptables -I FORWARD -i tun0 -p $proto --dport $SPORT1-$SPORT2 -j ACCEPT" >> $fw
echo "$iptables -t nat -I PREROUTING -i tun0 -p $proto --dport $SPORT1-$SPORT2 -j DNAT --to $DST" >> $fw
done
done
sh $fw
# assure the network traffic leaving through the tunnel is NATted
/usr/sbin/iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
# give OpenVPN time to come up and install its routes
sleep 20
# first three octets of the VPN tunnel's network, taken from the 0.0.0.0/1 route the server pushes
# (the cut delimiter is a single space; quote it so it survives copy/paste)
NET=`ip ro ls 0.0.0.0/1 | cut -d ' ' -f 3 | awk 'BEGIN {FS="."} {print $1"."$2"."$3}'`
# enter the provider's DNS server ($NET.1) on top of the old ones so lookups go through the tunnel
echo "nameserver $NET.1" > /tmp/resolv.dnsmasq.TMP
cat /tmp/resolv.dnsmasq >> /tmp/resolv.dnsmasq.TMP
mv /tmp/resolv.dnsmasq.TMP /tmp/resolv.dnsmasq
# change some DNSMasq options: drop rebind protection (the VPN DNS may answer with private addresses) and restart
sed -i 's/stop-dns-rebind//g' /tmp/dnsmasq.conf
killall dnsmasq
dnsmasq --conf-file=/tmp/dnsmasq.conf
It routes only selected destination IP ranges via VPN.
Also try to avoid automated setup and use the GUI instead by enabling OpenVPN client in the Services section (based on 18777 BS or 18946 EKO build)
- ServerName/IP: (the given IP address)
- Port: 1194
- Tunnel Device: TUN
- Tunnel Protocol: UDP
- Encryption cipher: (ask your VPN provider or try blowfish or AES-128)
- Hash Algorithm: (ask your VPN provider or try SHA1)
- nsCertValidation: enable
- Advanced options: yes
- LZO compression: adaptive
- TLS Cipher: (ask your VPN provider or try none)
- NAT: enable
- IP address: (leave empty)
- Subnet mask: (leave empty)
- TUN MTU setting: 1500 (or ask your VPN provider)
- MSS-fix: empty (or ask your VPN provider)
- TLS auth key: paste EVERYTHING from in between the <tls-auth> and </tls-auth> (including the BEGIN and END OpenVPN Static key lines) section of the script you've posted
- Additional config:
auth-user-pass /tmp/openvpncl/user.conf
- Policy-based routing: (leave empty)
- CA cert: paste EVERYTHING from in between the <ca> and </ca> (including the BEGIN and END CERTIFICATE lines) section of the script you've posted
Then save but do NOT yet apply settings.
Switch over to the Administration/Commands section and enter the following (including line breaks!) into the commands box:
Then click on "Save startup". Replace username and password with the credentials supplied by your OpenVPN provider. The command above should show up in the Startup section of this page.
Now reboot your router. Once it's up again, you might need to wait a few more minutes for the OpenVPN channel to be established. Once you've made sure that OpenVPN works as desired you may paste the instructions in the thread I've posted above into the "Additional Config" section of your OpenVPN client setup. DO NOT OVERWRITE THE "auth-user-pass /tmp/openvpncl/user.conf" LINE THOUGH as this is needed to point the client to the correct login credentials.
Oh yes, and before doing all this remove the automated script.
Thanks for the setup information. The thread you point to is for selective destinations which I don't think is quite what I want. I want to route to all destinations but selective local IP addresses.
If I understand correctly, the link you provided would route all my traffic to selected destinations via VPN. This isn't quite what I'm after.
I want to route to all destinations via VPN but only for specified IP addresses on my local network (in my case I want my Smart TV to connect through the VPN but not my PC)
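Source-based policy routing is the mechanism behind what the OP is asking for (tunnel the Smart TV, leave the PC on the normal WAN route). The following is an added example, not the OP's script and not DD-WRT's own code; it assumes br0 as the LAN bridge, tun0 as the tunnel, a constructed host address 192.168.1.50, and that the OpenVPN config contains `route-nopull` so the server's pushed default route does not capture the whole LAN:

```shell
#!/bin/sh
# Added example: route only the hosts in VPN_HOSTS through the OpenVPN tunnel.
# Assumptions (not from the thread): LAN bridge br0, tunnel tun0, and
# "route-nopull" in the OpenVPN client config so the main routing table keeps
# its normal WAN default route.

VPN_HOSTS="192.168.1.50"   # e.g. the Smart TV; space-separated, CIDR allowed
LAN_IF=br0
VPN_TABLE=10               # dedicated table consulted only for VPN_HOSTS
RULES=/tmp/pbr.sh          # generated command file, like $fw in the OP's script

# Print the ip/iptables commands for a given tunnel gateway address.
# Generating the commands first lets you review them, and mirrors the
# "write a script, then sh it" pattern of the provider's startup script.
pbr_commands() {
    gw="$1"
    # "replace" keeps this idempotent if the tunnel reconnects
    echo "ip route replace default via $gw dev tun0 table $VPN_TABLE"
    for h in $VPN_HOSTS; do
        # Packets from this host consult table 10 first (default -> tun0);
        # destinations with no match there (e.g. the LAN) fall back to main.
        echo "ip rule add from $h table $VPN_TABLE"
        # Fail closed: if tun0 goes down, table 10 loses its route and the host
        # would silently fall back to the WAN. Drop such forwarded traffic.
        echo "iptables -I FORWARD -i $LAN_IF -s $h ! -o tun0 -j DROP"
    done
    echo "iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE"
    echo "ip route flush cache"
}

# On the router, e.g. from an OpenVPN route-up hook (which exports the
# gateway as route_vpn_gateway):  sh pbr.sh apply "$route_vpn_gateway"
if [ "$1" = "apply" ] && [ -n "$2" ]; then
    pbr_commands "$2" > "$RULES" && sh "$RULES"
fi
```

The DNS part of the OP's script still applies: with `route-nopull` there is no pushed 0.0.0.0/1 route to parse, so the tunnel's DNS address has to be taken from the provider instead.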
Of course policy-based routing is a solution if you are by default going to be routing everything through the VPN and want to specify what not to route through it. However, our setup is a bit more complex (at least mine and I know one other person in this thread). We are using these rules in "additional config" :