Posted: Sun Feb 15, 2015 18:05 Post subject: Bypass VPN with policy based routing
Hi all - I have been trying to solve this one for some time now and I hope someone can help me - I am trying to allow certain IPs to access the Internet via my traditional (non-VPN) route.
I have set up my VPN with btguard using their wiki tutorial (script), which works perfectly at routing all IPs through the VPN. Could someone please guide me as to how to edit the script to bypass the VPN?
The tutorial I followed for btguard - instruction set 1 was used. Please note that using the OpenVPN client does not work for some reason... Therefore it will have to be a script edit.
Hi again - I've tried for some time and read quite a bit about policy based routing, but unfortunately I am a beginner with this, so not making any progress!
My preference would be to amend the current code to add the route-noexec directive to the VPN provider's script, in order to stop the VPN from being the default gateway. There are only 1 or 2 IPs that I really need to route through the VPN.
I've pasted the code below - appreciate any help that you can provide!!
Fortunately this VPN provider has made it relatively simple since his route-up/route-down scripts don’t do much of anything anyway. Normally you would at least place firewall rules in there, but they decided to add them directly to the firewall script. I’m puzzled why they bothered w/ these scripts at all.
Anyway, I've stored the modified script in PasteBin.
I commented out the original code that created route-up.sh and route-down.sh, then added code to the top of the script that creates these same scripts but w/ the code we want. All you need to do is specify the source IPs you want to force over the VPN. I provided some examples. Just be sure to keep the source IPs in sync between the scripts (one adds them, the other deletes them).
The scripts are designed to write to syslog, so should anything go wrong, you can dump the results from telnet/ssh.
Obviously I have no way to test it against your VPN provider, so there’s always a chance of some error(s). But give it a try and see what happens.
I am having a similar issue and am confused by startup scripts and would very much appreciate your assistance if you are able to.
I saw your post and saw you were very knowledgeable in this topic and I am quite stuck and was hoping you might have a moment to help.
With my old VPN provider I was able to use the OpenVPN client and merely paste my IPs into the routing table, and all was good.
Unfortunately my new provider IPVanish will only function by running a startup script, because the newest DD-WRT software is more up to date than what they currently support, and therefore I can't enable the OpenVPN client to put in the IPs, so I need to run them through their startup command script.
I can't seem to make enough sense of your explanation and was hoping you could assist.
This is what I had in the policy based routing table which should go through the VPN. So basically 100-149 go through the VPN and any range from 150 above doesn't. This way I can create static IPs outside the DHCP range and they won't go through the VPN. For example my OOMA phone won't work through a VPN, so I need to route it around the VPN. Currently using 192.168.1.150 for this purpose.
I will also post their startup script, which is where this would need to be installed I guess.
SERVER="man-c01.ipvanish.com"
PROTOCOL="udp" # You can use tcp or udp, but make sure the letters are lowercase.
PORT="443" # You can select port 443 for either tcp or udp. Port 1194 also works for udp.
USER="MYUSERNAME" # Replace MYUSERNAME with your IPVanish Username.
PASS="MYPASSWORD" # Replace MYPASSWORD with your IPVanish Password.
# This script will cause the entire router startup sequence to be about 2 minutes.
I have a modified ipvanish script from a prior thread. But I don't know if anything else besides my modifications has changed between the two scripts. Perhaps that's something you can verify for yourself.
echo remote-cert-tls server >> /tmp/openvpncl/openvpn.conf &&
Two quick questions: is this the correct code for the IPs? Thanks for the CIDR utility, very handy.
# return WAN back to default gateway in main routing table
ip route add 192.168.1.100/30 via $WAN_GW
ip route add 192.168.1.104/29 via $WAN_GW
ip route add 192.168.1.112/28 via $WAN_GW
ip route add 192.168.1.128/28 via $WAN_GW
ip route add 192.168.1.144/30 via $WAN_GW
ip route add 192.168.1.148/31 via $WAN_GW
# reset main routing table
ip route del 192.168.1.100/30 via $WAN_GW
ip route del 192.168.1.104/29 via $WAN_GW
ip route del 192.168.1.112/28 via $WAN_GW
ip route del 192.168.1.128/28 via $WAN_GW
ip route del 192.168.1.144/30 via $WAN_GW
ip route del 192.168.1.148/31 via $WAN_GW
Also, do I need to adjust these values at all?
# copy main routing table to bypass routing table (exclude all
# default gateways)
ip route show | grep -Ev '^default|^0.0.0.0/1|^128.0.0.0/1' \
| while read route; do
ip route add $route table $TID
done
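The CIDR blocks in the post above (192.168.1.100/30 through 192.168.1.148/31) are what you get when you split the range .100-.149 into aligned power-of-two blocks. The following added example, which is not from the thread or from the provider's script, computes those blocks in plain POSIX sh (so it also runs in the busybox shell on DD-WRT) and prints matching "ip rule add" and "ip rule del" lines, so the two sections of route-up.sh and route-down.sh cannot drift out of sync. The function names and the hypothetical TID 200 are assumptions.

```shell
#!/bin/sh
# Added example: minimal CIDR cover of an IPv4 range, plus generated ip rule lines.

ip2int() {                       # "a.b.c.d" -> 32-bit integer
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                       # 32-bit integer -> "a.b.c.d"
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidr FIRST LAST: print one CIDR block per line covering FIRST..LAST.
range_to_cidr() {
    start=$(ip2int "$1"); end=$(ip2int "$2")
    while [ "$start" -le "$end" ]; do
        bits=0
        # grow the block while it stays aligned on its size and inside the range
        while [ "$bits" -lt 32 ]; do
            size=$(( 1 << (bits + 1) ))
            if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break
            fi
            bits=$(( bits + 1 ))
        done
        echo "$(int2ip "$start")/$(( 32 - bits ))"
        start=$(( start + (1 << bits) ))
    done
}

# rule_lines add|del FIRST LAST TID: emit the ip rule lines for route-up/route-down.
rule_lines() {
    for net in $(range_to_cidr "$2" "$3"); do
        echo "ip rule $1 from $net table $4"
    done
}

# Constructed example matching the thread: .100-.149 over the VPN, table 200 (assumed).
echo "# add source IP(s)/network(s) to be routed over VPN"
rule_lines add 192.168.1.100 192.168.1.149 200
echo "# delete source IP(s)/network(s) to be routed over VPN"
rule_lines del 192.168.1.100 192.168.1.149 200
```

Running it prints exactly the six add and six del lines from the thread; change the two addresses once and both sections are regenerated together.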
No, you need to change the "ip rule add" and "ip rule del" sections, not "ip route add"! Leave the "ip route add" section (and everything else) alone.
Okay, I think this is right now. Just want to make sure I did the "ip rule add from" and "del from" correctly. Thanks.
# add source IP(s)/network(s) to be routed over VPN
ip rule add from 192.168.1.100/30 table $TID
ip rule add from 192.168.1.104/29 table $TID
ip rule add from 192.168.1.112/28 table $TID
ip rule add from 192.168.1.128/28 table $TID
ip rule add from 192.168.1.144/30 table $TID
ip rule add from 192.168.1.148/31 table $TID
SCRIPT="/tmp/openvpncl/route-down.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE
iptables -D INPUT -t filter -i tun0 -j ACCEPT
(
[ -n "${DEBUG+x}" ] && set -x
TID="200"
VPN_IF="$dev" # provided by OpenVPN at runtime
VPN_GW="$route_vpn_gateway" # provided by OpenVPN at runtime
WAN_GW="$route_net_gateway" # provided by OpenVPN at runtime
# reset main routing table
ip route del 0.0.0.0/2 via $WAN_GW
ip route del 64.0.0.0/2 via $WAN_GW
ip route del 128.0.0.0/2 via $WAN_GW
ip route del 192.0.0.0/2 via $WAN_GW
# delete alternate routing table
ip route flush table $TID
# force routing system to recognize our changes
ip route flush cache
# delete source IP(s)/network(s) to be routed over VPN
ip rule del from 192.168.1.100/30 table $TID
ip rule del from 192.168.1.104/29 table $TID
ip rule del from 192.168.1.112/28 table $TID
ip rule del from 192.168.1.128/28 table $TID
ip rule del from 192.168.1.144/30 table $TID
ip rule del from 192.168.1.148/31 table $TID