Route some traffic through VPN, some through isp

DD-WRT Forum Index -> Advanced Networking
Jeankri
DD-WRT Novice
Joined: 29 Dec 2014
Posts: 5
PostPosted: Fri Jan 02, 2015 9:26    Post subject: Route some traffic through VPN, some through isp
Hello,

I have set up a PPTP VPN as the main connection of my DD-WRT router, which is behind my ISP modem. I want to use this connection only for one computer and one port. The others should go directly to the internet through my ISP.

Vlan1 is my LAN, vlan2 is the WAN, ppp0 is the tunnel.

How can I do that? Should I build a vlan3 between my router and my modem? Should I use iptables commands to route the traffic properly?

Please help,

Jean-Christophe
Jeankri
DD-WRT Novice
Joined: 29 Dec 2014
Posts: 5
PostPosted: Fri Jan 02, 2015 16:52
Thx.

Is it possible to do policy-based routing with vlan2 (WAN) and ppp0 (main connection of the router, not simply the PPTP client), or should I use the PPTP client config?
Jeankri
DD-WRT Novice
Joined: 29 Dec 2014
Posts: 5
PostPosted: Fri Jan 02, 2015 20:03
To configure a VPN, you can do two things: either configure the WAN connection to use PPTP or use the PPTP VPN client. I used the first one. Does that mean that all the traffic is routed through the VPN? Should I use the PPTP VPN client if I want to do policy-based routing?
Jeankri
DD-WRT Novice
Joined: 29 Dec 2014
Posts: 5
PostPosted: Fri Jan 02, 2015 21:13
Isn't there a way through iptables commands, because there are --dport options?
psufan5
DD-WRT Novice
Joined: 19 Dec 2014
Posts: 19
PostPosted: Thu Jan 15, 2015 1:15
I do this on my router. This is my firewall setup to do so (I am assuming you have your VPN set up correctly and it connects).

What it's doing: basically I have it set up so my router gives out DHCP addresses from 192.168.1.100 to 192.168.1.105. Any address obtained by DHCP will bypass the VPN. Address 192.168.1.113 is a static server I have bypassing it as well. Any other IP address (I always static address my machines) will go through my VPN, which is PrivateInternetAccess.

This is also a VPN kill switch, meaning if your VPN drops out, it will not allow traffic from any of the static IPs not bypassing it.

Code:
#----------------------------------------------------
# Policy routing: table 10 holds a single default route via the ISP
# gateway, and a source-based rule per bypass host sends its traffic
# there. Everything else uses the main table, whose default route is
# tun0 while the VPN is up.
WAN_GTWY="$(nvram get wan_gateway)"
WAN_IF="$(nvram get wan_iface)"

ip route add default via $WAN_GTWY dev $WAN_IF table 10

# DHCP pool .100-.105 and the static server .113 bypass the tunnel.
# Table 10 has no LAN route, so this only suits a single LAN subnet.
ip rule add from 192.168.1.100 table 10
ip rule add from 192.168.1.101 table 10
ip rule add from 192.168.1.102 table 10
ip rule add from 192.168.1.103 table 10
ip rule add from 192.168.1.104 table 10
ip rule add from 192.168.1.105 table 10
ip rule add from 192.168.1.113 table 10
# Make the new rules take effect immediately
ip route flush cache
#----------------------------------------------------

# Rules are inserted (-I) at the top of the chain, so the last line here
# ends up first: the per-host ACCEPTs sit above the blanket DROP.
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
# Return traffic from the tunnel (tighter: add -m state --state ESTABLISHED,RELATED)
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# Kill switch: LAN traffic may not leave via the ISP interface...
iptables -I FORWARD -i br0 -o vlan2 -j DROP
# ...except from the bypass hosts
iptables -I FORWARD -i br0 -s 192.168.1.100 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.101 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.102 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.103 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.104 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.105 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.113 -o vlan2 -j ACCEPT
# Do not expose the router's own services to the VPN side
iptables -I INPUT -i tun0 -j REJECT
# NAT LAN addresses behind the tunnel address
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

I set it up like this because I have 2 Chromecasts, which you can't give a static IP, a Slingbox, and a TiVo. They take up my DHCP bypass addresses (all but 2) and the rest are static, going through the VPN tunnel.
kabadisha
DD-WRT Novice
Joined: 13 Mar 2010
Posts: 34
PostPosted: Sat May 14, 2016 12:50    Post subject: My solution
Hi Guys,

Thanks for sharing all your solutions. I thought I would do the same for anyone else who finds this thread.

My config:
    - Routes all traffic from a single LAN IP over the VPN.
    - Prevents traffic from the same LAN IP from reaching the internet when the VPN is down
      - This is often referred to as a kill switch
    - Routes all traffic destined for a specific port over the VPN
    - Prevents requests to the same port when the VPN is down

Under Administration > Commands, save the following as a custom script:

Code:
#!/bin/sh
# Hide the LAN addresses behind the tunnel's own address: the VPN server
# knows nothing about 192.168.1.0/24 and would have no route back otherwise.
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE 2>/dev/null
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE

# Set the default route for table 200 as over the VPN ("replace" so a
# re-run after a reconnect does not fail with "File exists")
ip route replace default dev tun1 table 200

# Assign all outgoing connections from 192.168.1.11 to table 200 (so they go over the VPN).
# Delete first: this script runs on every "up", and rules would otherwise pile up.
ip rule del from 192.168.1.11 table 200 2>/dev/null
ip rule add from 192.168.1.11 table 200

# Assign all packets marked with 11 to table 200 (so they go over the VPN)
ip rule del fwmark 11 table 200 2>/dev/null
ip rule add fwmark 11 table 200

# Flush the cache
ip route flush cache

# Mark all TCP packets whose destination port is 563 with 11 (so that they will be routed over the VPN)
iptables -t mangle -D PREROUTING -p tcp --dport 563 -j MARK --set-mark 11 2>/dev/null
iptables -t mangle -I PREROUTING -p tcp --dport 563 -j MARK --set-mark 11

Under Administration > Commands, save the following to the firewall script:

Code:
# Prevent 192.168.1.11 from reaching the internet directly (so no connection if VPN down)
iptables -I FORWARD -i br0 -s 192.168.1.11 -o vlan2 -j DROP

# Prevent 192.168.1.11 from connecting to port 563 (NZB servers) directly (so no connection if VPN down).
# As written this is already covered by the rule above; without "-s 192.168.1.11" it would
# block direct port 563 from every LAN host, matching the mark rule in the custom script.
iptables -I FORWARD -i br0 -s 192.168.1.11 -p tcp --dport 563 -o vlan2 -j DROP

Under additional config for OpenVPN client:

Code:
# Write to a log file for easy viewing
log /tmp/tigervpn.log

# Mute messages that repeat a bunch of times
mute 50

# Do not accept the routes provided by the VPN server
# (will manage those myself)
route-nopull

# Keep the connection alive and attempt to reestablish it if it dies
keepalive 10 60

# Additional settings specified by VPN provider
tls-client
remote-cert-tls server

# Dont use auth-nocache as it prevents reconnection due to a bug
# auth-nocache

# Script to run when the link is established
# This sets up my custom routes and iptables rules
up /tmp/custom.sh

Generated OpenVPN config (viewable under '/tmp/openvpncl/openvpn.conf' on the router) looks like this:

Code:
ca /tmp/openvpncl/ca.crt
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp
cipher aes-256-cbc
auth sha1
auth-user-pass /tmp/openvpncl/credentials
remote zur.tigervpn.com 1194
comp-lzo adaptive
tun-mtu 1500
mtu-disc yes
fast-io
tun-ipv6
# Write to a log file for easy viewing
log /tmp/tigervpn.log

# Mute messages that repeat a bunch of times
mute 50

# Do not accept the routes provided by the VPN server
# (will manage those myself)
route-nopull

# Keep the connection alive and attempt to reestablish it if it dies
keepalive 10 60

# Additional settings specified by VPN provider
tls-client
remote-cert-tls server

# Script to run when the link is established
# This sets up my custom routes and iptables rules
up /tmp/custom.sh


Hope this helps someone :)
kabadisha
DD-WRT Novice
Joined: 13 Mar 2010
Posts: 34
PostPosted: Sat May 14, 2016 22:04    Post subject: Created a guide
Hey Guys,

Just a note to say that I have created a guide on how to do this with a bit more detail. Available here:

https://charleswilkinson.co.uk/2016/05/14/selective-routing-using-ddwrt-and-openvpn/

Cheers
Nilugeator
DD-WRT Novice
Joined: 31 Jul 2016
Posts: 32
PostPosted: Wed Aug 03, 2016 22:13    Post subject: need help to open ports in https (to bypass VPN)
Hi all, I used those wonderful scripts to allow 3 of my peripherals to bypass my VPN.

This works great.

But now I also want to let some ports (8080 and 9091) bypass the VPN too. I tried the following, but it didn't work.

This is certainly because they also exist in the "normal" table (table 100?).

Any help will be appreciated! Thanks in advance guys :)

Code:
WAN_GTWY="$(nvram get wan_gateway)"
WAN_IF="$(nvram get wan_iface)"

# Table 10: default route via the ISP gateway
ip route add default via $WAN_GTWY dev $WAN_IF table 10

# allow the MSI
ip rule add from 192.168.1.125 table 10
# allow the tablet
ip rule add from 192.168.1.111 table 10
# allow the Shield
ip rule add from 192.168.1.141 table 10
# Assign all packets marked with 11 to table 10 (so they go over the WAN)
ip rule add fwmark 11 table 10

# Flush the cache
ip route flush cache

# Mark TCP packets with source port 8080 or 9091 with 11 (so that they will be routed over the WAN).
# These rules sit in the mangle OUTPUT chain, which only packets generated by the router itself traverse.
iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 8080 -j MARK --set-mark 11
iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 9091 -j MARK --set-mark 11

#----------------------------------------------------

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
# Kill switch: LAN traffic may not leave via the ISP, except from the bypass hosts below
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I FORWARD -i br0 -s 192.168.1.125 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.111 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.141 -o vlan2 -j ACCEPT
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
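Pulling the variants in this thread together (psufan5's source-based bypass with a kill switch, and the per-port bypass Nilugeator is attempting above), here is an added example script. It is not code from any poster, from the linked guide or from DD-WRT; interface names, the placeholder gateway 203.0.113.1, the hosts, ports, table number and mark value are assumptions to edit for your own network, and it assumes the OpenVPN client has installed the tunnel as the main default route (no route-nopull). Two points differ from the attempt above: the mark is set in mangle/PREROUTING, because forwarded LAN packets never pass mangle/OUTPUT, and it matches --dports, since a client's source port is ephemeral. The marked packets also need their own ACCEPT past the kill-switch DROP, and every rule is deleted before it is re-added so the script can be run on every reconnect without stacking duplicates. For kabadisha's inverted layout (route-nopull, tunnel as the selected path) the same mechanics apply with the tunnel as the table's route and the DROPs on the selected hosts and ports.

```shell
#!/bin/sh
# Selective bypass of an always-on OpenVPN client on DD-WRT: the tunnel is
# the default route for the LAN; the hosts and TCP destination ports listed
# below go out the ISP instead, and a kill switch stops everything else from
# falling back to the ISP when the tunnel drops. All values are assumed
# placeholders to be edited for your network.
LAN_IF="${LAN_IF:-br0}"
VPN_IF="${VPN_IF:-tun1}"
WAN_IF="${WAN_IF:-vlan2}"          # on the router: $(nvram get wan_iface)
WAN_GW="${WAN_GW:-203.0.113.1}"    # on the router: $(nvram get wan_gateway)
BYPASS_HOSTS="192.168.1.125 192.168.1.111 192.168.1.141"
BYPASS_PORTS="8080,9091"           # TCP destination ports that bypass the VPN
TABLE=10                           # routing table holding only the ISP default route
MARK=11                            # fwmark that selects that table
DRY_RUN="${DRY_RUN:-}"             # non-empty: print commands instead of running them

# run: execute a command, or print it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# rule_once: delete any existing copy of an ip rule, then add it, so that
# re-running (the OpenVPN up script fires on every reconnect) never stacks
# duplicate rules
rule_once() {
    [ -n "$DRY_RUN" ] || ip rule del "$@" 2>/dev/null
    run ip rule add "$@"
}

# ipt_once: same idea for iptables; $1 is the table, the rest is chain + rule
ipt_once() {
    t="$1"; shift
    [ -n "$DRY_RUN" ] || iptables -t "$t" -D "$@" 2>/dev/null
    run iptables -t "$t" -I "$@"
}

setup_routes() {
    # Table 10 contains one route: out the ISP. "replace" is idempotent.
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    for h in $BYPASS_HOSTS; do
        rule_once from "$h" table "$TABLE"
    done
    rule_once fwmark "$MARK" table "$TABLE"
    run ip route flush cache
}

setup_firewall() {
    # Mark LAN packets to the bypass ports in mangle/PREROUTING, the chain a
    # forwarded packet passes before its routing decision. mangle/OUTPUT only
    # sees packets the router itself originates, so marking there never
    # touches LAN traffic. Match --dports: a client's source port is random.
    ipt_once mangle PREROUTING -i "$LAN_IF" -p tcp -m multiport --dports "$BYPASS_PORTS" -j MARK --set-mark "$MARK"
    # LAN addresses are hidden behind the tunnel address (the WAN side is
    # already masqueraded by the stock DD-WRT firewall).
    ipt_once nat POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # Rules are inserted at the top, so the first one here ends up last in
    # the chain: the kill-switch DROP sits below every ACCEPT that follows.
    ipt_once filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
    for h in $BYPASS_HOSTS; do
        ipt_once filter FORWARD -i "$LAN_IF" -s "$h" -o "$WAN_IF" -j ACCEPT
    done
    # Marked (bypass-port) packets must also be let past the kill switch
    ipt_once filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -m mark --mark "$MARK" -j ACCEPT
    ipt_once filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    # Replies from the tunnel only; nothing unsolicited reaches the LAN
    ipt_once filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The router's own services are not offered on the VPN side
    ipt_once filter INPUT -i "$VPN_IF" -j REJECT
}

# "plan" prints what would be done; "apply" does it. Called with no
# argument (for instance when sourced to test the functions) nothing runs.
case "${1:-}" in
    plan)  DRY_RUN=1; setup_routes; setup_firewall ;;
    apply) setup_routes; setup_firewall ;;
esac
```

Run `sh /tmp/custom.sh plan` first to review the exact rule set, then `sh /tmp/custom.sh apply`. To have it re-applied on every reconnect, reference it from the OpenVPN client's additional config as `up "/tmp/custom.sh apply"` (OpenVPN appends its own arguments after the ones given on the up line, and `script-security 2`, already present in the generated config above, is required). Check the result with `ip rule show`, `ip route show table 10` and `iptables -t mangle -L PREROUTING -v -n`, whose packet counters should rise when a LAN client connects to one of the bypass ports.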
dave4763
DD-WRT Novice
Joined: 08 Dec 2016
Posts: 1
PostPosted: Thu Dec 08, 2016 3:25
Great topic. I'm curious: will each device that is routed through the VPN still be able to file share with each other? Will the non-VPN IPs be able to file share with the VPN devices?

If there is no isolation between VPN devices and non-VPN devices, how would you recommend creating that isolation? Setting up different virtual LANs with different gateways, perhaps?

Thanks for contributing!
nashchelsy
DD-WRT Novice
Joined: 26 Jul 2017
Posts: 5
PostPosted: Fri Aug 18, 2017 21:05
I am unable to get this to work. I tried your walkthrough:

https://charleswilkinson.co.uk/2016/05/14/selective-routing-using-ddwrt-and-

But still it will not work

I have a R8000 and am using PIA
Also, I have the Router set to DHCP Forward to my dhcp server on my network. Could that be what is causing it? If so, is there a work around?

I am able to get the VPN to connect, and the firewall script will block the specified IP(s) from getting out of the network. But the custom script will not route the IP to the VPN. I've verified everything is typed correctly.

I have tried disabling "route-nopull", and then all devices on my network get the VPN connection. But the specified IPs still won't get VPN access, and the firewall still blocks the specified IP(s) from getting out of the network because of this; they have access to the local network only.

It looks to be something with the custom script:

# NAT the LAN behind the tunnel's own address
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE

# Set the default route for table 200 as over the VPN
ip route add default dev tun1 table 200

# Assign all outgoing connections from 10.0.0.101 to table 200 (so they go over the VPN)
ip rule add from 10.0.0.101 table 200

# Flush the cache
ip route flush cache

As I said in the beginning, I have the Router set to DHCP Forward to my dhcp server on my network. Could that be what is causing it? If so, is there a work around?
egc
DD-WRT Guru
Joined: 18 Mar 2014
Posts: 12915
Location: Netherlands
PostPosted: Sat Aug 19, 2017 8:25
see: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=307192&highlight=pbr+destination
for @Eibgrad's solution and script

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
nashchelsy
DD-WRT Novice
Joined: 26 Jul 2017
Posts: 5
PostPosted: Sat Aug 19, 2017 13:26
Thanks for the quick reply. Took a look at the script. It looks perfect. I'll use that to see if it fixed the issue. If you don't hear back, everything went perfect!
wadeshuler
DD-WRT Novice
Joined: 20 Aug 2017
Posts: 10
PostPosted: Tue Aug 22, 2017 7:27
It would be awesome to detect the difference between the Amazon Firestick and Kodi (side loaded on the Firestick) :)

Amazon Firestick = ISP traffic
Kodi = VPN

_________________
Router: Linksys 1900ACS v2
Firmware: DD-WRT v3.0-r33555 std (10/20/17)
yorchz
DD-WRT Novice
Joined: 14 May 2017
Posts: 14
PostPosted: Sun Sep 03, 2017 16:27
psufan5 wrote:
I do this on my router. This is my firewall setup to do so (I am assuming you have your VPN set up correctly and it connects).

What it's doing: basically I have it set up so my router gives out DHCP addresses from 192.168.1.100 to 192.168.1.105. Any address obtained by DHCP will bypass the VPN. Address 192.168.1.113 is a static server I have bypassing it as well. Any other IP address (I always static address my machines) will go through my VPN, which is PrivateInternetAccess.

This is also a VPN kill switch, meaning if your VPN drops out, it will not allow traffic from any of the static IPs not bypassing it.

#----------------------------------------------------

WAN_GTWY="$(nvram get wan_gateway)"
WAN_IF="$(nvram get wan_iface)"

ip route add default via $WAN_GTWY dev $WAN_IF table 10

ip rule add from 192.168.1.100 table 10
ip rule add from 192.168.1.101 table 10
ip rule add from 192.168.1.102 table 10
ip rule add from 192.168.1.103 table 10
ip rule add from 192.168.1.104 table 10
ip rule add from 192.168.1.105 table 10
ip rule add from 192.168.1.113 table 10
#----------------------------------------------------

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I FORWARD -i br0 -s 192.168.1.100 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.101 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.102 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.103 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.104 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.105 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.113 -o vlan2 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

I set it up like this because I have 2 Chromecasts, which you can't give a static IP, a Slingbox, and a TiVo. They take up my DHCP bypass addresses (all but 2) and the rest are static, going through the VPN tunnel.

psufan5, could you assist with this? Or could someone else help me figure out this issue?

So this is the script I've been using for months, but for some reason in the latest DD-WRT versions for my router it stopped working. I have a WRT3200 and this script works on any version below Jul 7 2017; unfortunately that version has an old WiFi driver that drops the 5GHz connection, so that is the reason I updated to the latest version, but the script does not work anymore.

Basically these IPs used to bypass the VPN connection, but not anymore: the error now is that all the IPs listed here have no internet anymore. Any ideas?

#----------------------------------------------------

WAN_GTWY="$(nvram get wan_gateway)"
WAN_IF="$(nvram get wan_iface)"

ip route add default via $WAN_GTWY dev $WAN_IF table 10

ip rule add from 192.168.1.100 table 10
ip rule add from 192.168.1.101 table 10
ip rule add from 192.168.1.102 table 10
ip rule add from 192.168.1.103 table 10
ip rule add from 192.168.1.104 table 10
ip rule add from 192.168.1.105 table 10
ip rule add from 192.168.1.106 table 10
ip rule add from 192.168.1.107 table 10
ip rule add from 192.168.1.108 table 10
ip rule add from 192.168.1.109 table 10
ip rule add from 192.168.1.110 table 10
ip rule add from 192.168.1.111 table 10
ip rule add from 192.168.1.112 table 10
ip rule add from 192.168.1.113 table 10
ip rule add from 192.168.1.114 table 10
ip rule add from 192.168.1.115 table 10
ip rule add from 192.168.1.116 table 10
ip rule add from 192.168.1.117 table 10
ip rule add from 192.168.1.118 table 10
ip rule add from 192.168.1.119 table 10
ip rule add from 192.168.1.120 table 10
ip rule add from 192.168.1.121 table 10
ip rule add from 192.168.1.122 table 10
ip rule add from 192.168.1.123 table 10
ip rule add from 192.168.1.124 table 10
ip rule add from 192.168.1.125 table 10
#----------------------------------------------------

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I FORWARD -i br0 -s 192.168.1.100 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.101 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.102 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.103 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.104 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.105 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.106 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.107 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.108 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.109 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.110 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.111 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.112 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.113 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.114 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.115 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.116 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.117 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.118 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.119 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.120 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.121 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.122 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.123 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.124 -o vlan2 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.125 -o vlan2 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
egc
DD-WRT Guru
Joined: 18 Mar 2014
Posts: 12915
Location: Netherlands
PostPosted: Sun Sep 03, 2017 16:41
Try disabling SFE