Posted: Fri Sep 27, 2013 0:19 Post subject: Block VPN devices when VPN is down, but still allow non-VPN
Hello everyone,
I'm running DD-WRT on x86 hardware (v24-sp2 (03/19/12) std (SVN revision 18777). OpenVPN is configured and connects to my VPN provider without issue. Here's what I'm trying to achieve:
All devices on my network go through my DD-WRT router. Let's say I want one device on my network to bypass the VPN. If I put 192.168.1.100 in the "Policy Based Routing" box on the OpenVPN configuration screen, that IP bypasses the VPN, as it should.
What I would like to do is set it up so if the VPN goes down, all VPN traffic will stop, while still allowing the non-VPN traffic through the router. Here is what I have in my firewall:
Now, if I add the rule "iptables -I FORWARD -i br0 -o eth0 -j DROP" that will stop all traffic that is non-VPN. That would be fine if I didn't want a few devices to bypass the VPN. If I use that rule, the IP address I add in the "Policy Based Routing" box is blocked.
What rules do I need to set to allow traffic to bypass the VPN and stay up if the VPN drops, but that will also block the other clients on my network if the VPN drops?
I hope that makes sense. Any help would be greatly appreciated.
Hey everyone- found this thread and it's certainly helpful but my setup is slightly different in that I am leveraging policy based routing to forward only certain devices/IP addresses through the VPN tunnel and the rest of my network bypasses the VPN using my ISP.
192.168.1.50 is a device which I don't care if it goes thru the VPN or not. In fact I'd rather have it not go thru the VPN at all (reducing the processing load on the router), so whatever is easier:
A) 192.168.1.50 doesn't go thru VPN & all other IPs lose WAN connection when the VPN disconnects/drops*
OR
B) 192.168.1.50 goes thru VPN but remains connected when the VPN disconnects/drops* & all other IPs lose WAN connection when the VPN disconnects/drops*
*for whatever reason
I tried to save this as a firewall command
Code:
iptables -I FORWARD ! -o tun1 -s 192.168.1.50 -j DROP
Then I disconnected the firewall manually and the other IPs remained connected (with the ISP IP).
Posted: Thu Aug 11, 2016 0:05 Post subject: Allow ntp to get around VPN
I am using the iptables rule suggested in this thread as follows to block traffic not traveling through the VPN.
Code:
iptables -I FORWARD -i br0 -o vlan2 -j DROP
However, in the case of a power outage or a manual power reset, the time on the router is reset. The VPN cannot connect without the proper time (TLS requires the proper time).
Is there a way I can whitelist the call to an ntp.org server so that the timesync on bootup passes successfully? All other non-VPN traffic should remain blocked.
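A firewall script that puts the pieces of this thread together (one bypass host exempted, NTP exempted, every other LAN-to-WAN path dropped so clients only reach the internet through the tunnel), written as an added example rather than any poster's own rules. The interface names br0 and vlan2 and the host 192.168.1.50 are taken from the posts above; the variable and function names are this example's own assumptions.

```shell
#!/bin/sh
# VPN kill switch for the DD-WRT "firewall" command box (example, not from the thread).
# Idea: DROP everything the LAN sends straight out the WAN interface, then put
# narrow ACCEPT rules *above* that DROP for the hosts/protocols that must bypass.
# Traffic destined for the tunnel leaves via tun1, not vlan2, so it is unaffected.
LAN_IF="${LAN_IF:-br0}"                        # assumed LAN bridge (from the posts)
WAN_IF="${WAN_IF:-vlan2}"                      # assumed WAN interface (from the posts)
BYPASS_HOSTS="${BYPASS_HOSTS:-192.168.1.50}"   # hosts allowed to skip the VPN
IPT="${IPT:-iptables}"                         # set IPT="echo iptables" to dry-run

# Emit the rules in the order they must be applied with -I (insert at top).
# Because -I prepends, the DROP goes first and every later ACCEPT lands above it,
# so the final chain reads: bypass ACCEPT(s), NTP ACCEPT, DROP.
killswitch_rules() {
    # 1. Catch-all: LAN clients may not leave directly via the WAN interface.
    echo "-I FORWARD -i $LAN_IF -o $WAN_IF -j DROP"
    # 2. NTP (UDP/123) from LAN clients may go out directly so clocks can sync
    #    before the tunnel is up (TLS handshakes fail with a wrong clock).
    echo "-I FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 123 -j ACCEPT"
    # 3. Bypass hosts keep their direct WAN path (the policy-routing exceptions).
    for h in $BYPASS_HOSTS; do
        echo "-I FORWARD -i $LAN_IF -o $WAN_IF -s $h -j ACCEPT"
    done
}

# Count the rules that would be applied (useful for a sanity check).
killswitch_rule_count() {
    killswitch_rules | wc -l | tr -d ' '
}

# Apply every rule through $IPT; word splitting of $rule is intentional.
apply_killswitch() {
    killswitch_rules | while read -r rule; do
        # shellcheck disable=SC2086
        $IPT $rule
    done
}
```

The router's own ntpclient sends from the OUTPUT chain, which a FORWARD rule never touches; the UDP/123 exception above is for LAN clients that also need time before the tunnel is up. Reply traffic is not affected because the DROP only matches the br0-to-vlan2 direction.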