Posted: Fri Jan 02, 2015 9:26 Post subject: Route some traffic through VPN, some through isp
Hello,
I have set up a PPTP VPN as the main connection of my DD-WRT router, which is behind my ISP modem. I want to use this connection only for one computer and one port. The others should go directly to the internet through my ISP.
Vlan1 is my LAN, vlan2 is the WAN, ppp0 is the tunnel.
How can I do that? Should I build a vlan3 between my router and my modem? Should I use iptables commands to route the traffic properly?
Is it possible to do policy-based routing with vlan2 (WAN) and ppp0 (main connection of the router, not simply the PPTP client), or should I use the PPTP client config?
To configure a VPN, you can do two things: either configure the WAN connection to use PPTP, or use the PPTP VPN client. I used the first one. Does that mean that all the traffic is routed through the VPN? Should I use the PPTP VPN client if I want to do policy-based routing?
I do this on my router. This is my firewall setup to do so (I am assuming you have your VPN setup correctly and it connects).
What it's doing: basically I have it set up so my router gives out DHCP addresses from 192.168.1.100 to 192.168.1.105. Any address obtained by DHCP will bypass the VPN. Address 192.168.1.113 is a static server I have bypassing it as well. Any other IP address (I always assign static addresses to my machines) will go through my VPN, which is PrivateInternetAccess.
This is also a VPN kill switch, meaning if your VPN drops out, it will not allow traffic from any of the static IPs not bypassing it.
# Routing table 10 holds a single default route via the ISP gateway on the WAN interface
WAN_GTWY="$(nvram get wan_gateway)"
WAN_IF="$(nvram get wan_iface)"
ip route add default via $WAN_GTWY dev $WAN_IF table 10
# Traffic from these source addresses is looked up in table 10, so it bypasses the VPN
ip rule add from 192.168.1.100 table 10
ip rule add from 192.168.1.101 table 10
ip rule add from 192.168.1.102 table 10
ip rule add from 192.168.1.103 table 10
ip rule add from 192.168.1.104 table 10
ip rule add from 192.168.1.105 table 10
ip rule add from 192.168.1.113 table 10
#----------------------------------------------------
I set it up like this because I have 2 Chromecasts, which you can't give a static IP, a Slingbox, and a TiVo. They take up my DHCP bypass addresses (all but 2) and the rest is static, going through the VPN tunnel.
Posted: Sat May 14, 2016 12:50 Post subject: My solution
Hi Guys,
Thanks for sharing all your solutions. I thought I would do the same for anyone else who finds this thread.
My config:
- Routes all traffic from a single LAN IP over the VPN.
- Prevents traffic from the same LAN IP from reaching the internet when the VPN is down
- This is often referred to as a kill switch
- Routes all traffic destined for a specific port over the VPN
- Prevents requests to the same port when the VPN is down
Under Administration > Commands, save the following as a custom script:
Code:
#!/bin/sh
# Some MASQUERADE line that I don't really understand.
# (It rewrites the source address of packets leaving tun1 to the tunnel's address, so replies come back through the VPN.)
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
# Set the default route for table 200 as over the VPN
ip route add default dev tun1 table 200
# Assign all outgoing connections from 192.168.1.11 to table 200 (so they go over the VPN)
ip rule add from 192.168.1.11 table 200
# Assign all packets marked with 11 to table 200 (so they go over the VPN)
ip rule add fwmark 11 table 200
# Flush the cache
ip route flush cache
# Mark all tcp packets whose destination port is 563 with 11 (so that it will be routed over the VPN)
iptables -t mangle -I PREROUTING -p tcp --dport 563 -j MARK --set-mark 11
Under Administration > Commands, save the following to the firewall script:
Code:
# Prevent 192.168.1.11 from reaching the internet directly (so no connection if VPN down)
iptables -I FORWARD -i br0 -s 192.168.1.11 -o vlan2 -j DROP
# Prevent 192.168.1.11 from connecting to port 563 (NZB servers) directly (so no connection if VPN down)
iptables -I FORWARD -i br0 -s 192.168.1.11 -p tcp --dport 563 -o vlan2 -j DROP
Under additional config for OpenVPN client:
Code:
# Write to a log file for easy viewing
log /tmp/tigervpn.log
# Mute messages that repeat a bunch of times
mute 50
# Do not accept the routes provided by the VPN server
# (will manage those myself)
route-nopull
# Keep the connection alive and attempt to reestablish it if it dies
keepalive 10 60
# Additional settings specified by VPN provider
tls-client
remote-cert-tls server
# Don't use auth-nocache as it prevents reconnection due to a bug
# auth-nocache
# Script to run when the link is established
# This sets up my custom routes and iptables rules
up /tmp/custom.sh
Generated OpenVPN config (viewable under '/tmp/openvpncl/openvpn.conf' on the router) looks like this:
Code:
ca /tmp/openvpncl/ca.crt
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp
cipher aes-256-cbc
auth sha1
auth-user-pass /tmp/openvpncl/credentials
remote zur.tigervpn.com 1194
comp-lzo adaptive
tun-mtu 1500
mtu-disc yes
fast-io
tun-ipv6
# Write to a log file for easy viewing
log /tmp/tigervpn.log
# Mute messages that repeat a bunch of times
mute 50
# Do not accept the routes provided by the VPN server
# (will manage those myself)
route-nopull
# Keep the connection alive and attempt to reestablish it if it dies
keepalive 10 60
# Additional settings specified by VPN provider
tls-client
remote-cert-tls server
# Script to run when the link is established
# This sets up my custom routes and iptables rules
up /tmp/custom.sh
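The posts above build the same split-tunnel plan by hand each time: a VPN table with a default route over tun1, an ISP table for hosts that bypass it, fwmark rules for port-based steering, and FORWARD drops as the kill switch. The script below is an added example, not code from this thread or from DD-WRT: it prints those ip/iptables commands instead of running them, so the plan can be reviewed before it is pasted into the router. Interface names (br0, vlan2, tun1), table numbers and the mark value are assumptions copied from the posts above.

```shell
#!/bin/sh
# Added example, not code from this thread: prints the ip/iptables commands for
# a DD-WRT split-tunnel plan instead of running them, so the rule set can be
# reviewed (or piped to sh on the router) once it looks right.
# Assumed names: LAN bridge br0, WAN vlan2, VPN tun1; table/mark numbers follow
# the posts above (200 = VPN, 10 = ISP bypass, fwmark 11 = "send via VPN").
LAN_IF=br0; WAN_IF=vlan2; VPN_IF=tun1
VPN_TABLE=200; WAN_TABLE=10; VPN_MARK=11

# Route the given LAN hosts ($1, space separated) over the VPN and drop their
# traffic if it ever heads for the WAN, i.e. when the tunnel is down.
vpn_only_hosts() {
    echo "ip route add default dev $VPN_IF table $VPN_TABLE"
    for host in $1; do
        echo "ip rule add from $host table $VPN_TABLE"
        # Kill switch: a FORWARD rule keeps working after tun1 and its route vanish
        echo "iptables -I FORWARD -i $LAN_IF -s $host -o $WAN_IF -j DROP"
    done
}

# Route forwarded TCP traffic to the given destination ports ($1) over the VPN.
# Marks are set in mangle PREROUTING because that chain sees LAN traffic;
# the OUTPUT chain only sees packets the router itself generates.
vpn_only_ports() {
    echo "ip rule add fwmark $VPN_MARK table $VPN_TABLE"
    for port in $1; do
        echo "iptables -t mangle -I PREROUTING -i $LAN_IF -p tcp --dport $port -j MARK --set-mark $VPN_MARK"
        echo "iptables -I FORWARD -i $LAN_IF -p tcp --dport $port -o $WAN_IF -j DROP"
    done
}

# Let the given LAN hosts ($1) bypass the VPN through the ISP gateway.
# The nvram lookups are left unexpanded so they run on the router, not here.
wan_bypass_hosts() {
    echo 'ip route add default via $(nvram get wan_gateway) dev $(nvram get wan_iface) table '"$WAN_TABLE"
    for host in $1; do
        echo "ip rule add from $host table $WAN_TABLE"
    done
}

# Source-NAT everything leaving the tunnel, then refresh the routing cache.
finish() {
    echo "iptables -t nat -I POSTROUTING -o $VPN_IF -j MASQUERADE"
    echo "ip route flush cache"
}

# Whole plan: VPN-only hosts, VPN-only ports, ISP-bypass hosts, then finish.
plan() { vpn_only_hosts "$1"; vpn_only_ports "$2"; wan_bypass_hosts "$3"; finish; }
plan_line_count() { plan "$1" "$2" "$3" | wc -l | tr -d ' '; }
```

Running `plan "192.168.1.11" "563" "192.168.1.100 192.168.1.101"` prints the eleven commands for the setup described in this post plus two bypass hosts; pipe the output to sh from the OpenVPN `up` script once it reads correctly.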
Posted: Wed Aug 03, 2016 22:13 Post subject: need help to open ports in https (to bypass VPN)
Hi all, I used those wonderful scripts to allow 3 of my peripherals to bypass my VPN.
This works great.
But now I also want to let some ports (8080 and 9091) bypass the VPN too. I tried the following, but it didn't work.
This is certainly because they also exist in the "normal" table (table 100?).
Any help will be appreciated! Thanks in advance, guys.
WAN_GTWY="$(nvram get wan_gateway)"
WAN_IF="$(nvram get wan_iface)"
ip route add default via $WAN_GTWY dev $WAN_IF table 10
# allow the MSI
ip rule add from 192.168.1.125 table 10
# allow the tablet
ip rule add from 192.168.1.111 table 10
# allow the Shield
ip rule add from 192.168.1.141 table 10
# Assign all packets marked with 11 to table 10 (so they go over the WAN)
ip rule add fwmark 11 table 10
# Flush the cache
ip route flush cache
# Mark all tcp packets whose destination port is 9091 with 11 (so that it will be routed over the WAN)
iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 8080 -j MARK --set-mark 11
iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 9091 -j MARK --set-mark 11
Great topic. I'm curious. Will each device that is routed through the VPN still be able to file share with the others? Will the non-VPN IPs be able to file share with the VPN devices?
If there is no isolation between VPN devices and non-VPN devices, how would you recommend creating that isolation? Setting up different virtual LANs with different gateways perhaps?
I have a R8000 and am using PIA
Also, I have the Router set to DHCP Forward to my dhcp server on my network. Could that be what is causing it? If so, is there a work around?
I am able to get the VPN to connect, and the firewall script will block the specified IP(s) from getting out of the network. But the custom script will not route the IP to the VPN. I've verified everything is typed correctly.
I have tried to disable the "route-nopull" and all devices on my network get the VPN connection. But the specified IPs still won't get VPN access. And the firewall still blocks the specified IP(s) from getting out of the network due to this. Just access to the local network.
It looks to be something with the custom script:
# Some MASQUERADE line that I don't really understand.
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
# Set the default route for table 200 as over the VPN
ip route add default dev tun1 table 200
# Assign all outgoing connections from 10.0.0.101 to table 200 (so they go over the VPN)
ip rule add from 10.0.0.101 table 200
# Flush the cache
ip route flush cache
As I said in the beginning, I have the Router set to DHCP Forward to my dhcp server on my network. Could that be what is causing it? If so, is there a work around?
Thanks for the quick reply. Took a look at the script. It looks perfect. I'll use that to see if it fixed the issue. If you don't hear back, everything went perfect!
PSUFAN5, could you assist on this? Or could someone help me figure out this issue?
So this is the script I've been using for months, but for some reason with the latest DD-WRT versions for my router it stopped working. I have a WRT3200 and this script works on any version below Jul 7 2017; unfortunately that version has an old WiFi driver that drops the 5GHz connection, so that is the reason I updated to the latest version, but the script does not work anymore.
Basically these IPs used to bypass the VPN connection, but not anymore; the problem now is that all the IPs listed here have no internet anymore. Any ideas?
WAN_GTWY="$(nvram get wan_gateway)"
WAN_IF="$(nvram get wan_iface)"
ip route add default via $WAN_GTWY dev $WAN_IF table 10
ip rule add from 192.168.1.100 table 10
ip rule add from 192.168.1.101 table 10
ip rule add from 192.168.1.102 table 10
ip rule add from 192.168.1.103 table 10
ip rule add from 192.168.1.104 table 10
ip rule add from 192.168.1.105 table 10
ip rule add from 192.168.1.106 table 10
ip rule add from 192.168.1.107 table 10
ip rule add from 192.168.1.108 table 10
ip rule add from 192.168.1.109 table 10
ip rule add from 192.168.1.110 table 10
ip rule add from 192.168.1.111 table 10
ip rule add from 192.168.1.112 table 10
ip rule add from 192.168.1.113 table 10
ip rule add from 192.168.1.114 table 10
ip rule add from 192.168.1.115 table 10
ip rule add from 192.168.1.116 table 10
ip rule add from 192.168.1.117 table 10
ip rule add from 192.168.1.118 table 10
ip rule add from 192.168.1.119 table 10
ip rule add from 192.168.1.120 table 10
ip rule add from 192.168.1.121 table 10
ip rule add from 192.168.1.122 table 10
ip rule add from 192.168.1.123 table 10
ip rule add from 192.168.1.124 table 10
ip rule add from 192.168.1.125 table 10
#----------------------------------------------------