Routing to or bypass OpenVPN interface by client IP filter

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Contributions Upload
Author Message
nmordasov
DD-WRT Novice


Joined: 05 Jun 2016
Posts: 4

PostPosted: Sun Jun 05, 2016 1:45    Post subject: Routing to or bypass OpenVPN interface by client IP filter Reply with quote
I had hard time making my home devices access or bypass OpenVPN.

SELECTIVE PASS TO VPN

The first solution is to makes sure that listed IP's are connected to VPN while everything else is connected to default interface. In this case DNS queries and DDNS updated will stay on default interface. This one works for me.

Startup Script:

Code:
echo '#!/bin/sh
 sleep 5
VPN_INTFCE="tun0"
 YES_VPN_LST="192.168.1.6 192.168.1.7 192.168.1.5 192.168.1.8 192.168.1.9 192.168.1.10 "
 [ -z $YES_VPN_LST ] && exit 0
ip route add default dev tun0 table 10
 for ipa in $YES_VPN_LST; do
 ip rule add from $ipa table 10
iptables -t nat -A POSTROUTING -s $ipa -o $VPN_INTFCE -j MASQUERADE
 done
 ip route flush cache
 exit 0
/tmp/openvpncl/route-up.sh "$@"
stopservice dnsmasq
startservice dnsmasq
' > /tmp/openvpn-up.sh
chmod +x /tmp/openvpn-up.sh
echo '#!/bin/sh
sleep 5
ip route flush table 10
ip route flush cache
exit 0
/tmp/openvpncl/route-down.sh "$@"
stopservice dnsmasq
startservice dnsmasq
' > /tmp/openvpn-down.sh
chmod +x /tmp/openvpn-down.sh


VPN_INTFCE - VPN interface
YES_VPN_LST - list of IP's followed by space

Strings to add to OpenVPN Client:

Code:
up /tmp/openvpn-up.sh
down /tmp/openvpn-down.sh
route-noexec
dev tun0


After that everything will work, also good idea to set predefined DHCP IPs for devices MACs.

SELECTIVE VPN BYPASS

The second variation works in reverse, making listed IPs to bypass VPN directly to WAN while the rest of the pool including router services like DNS and DDNS to go through VPN.

Startup Script:

Code:
echo '#!/bin/sh
 sleep 5
 NO_VPN_LST="192.168.1.1 192.168.1.6 192.168.1.7 192.168.1.5 192.168.1.8 192.168.1.9 192.168.1.10 "
 [ -z $NO_VPN_LST ] && exit 0
 WAN_GWAY="0.0.0.0"
 while [ $WAN_GWAY == "0.0.0.0" ]; do
 sleep 3
 WAN_GWAY=`nvram get wan_gateway`
 done
 ip route add default via $WAN_GWAY table 10
 for ipa in $NO_VPN_LST; do
 ip rule add from $ipa table 10
 done
 ip route flush cache
 exit 0
/tmp/openvpncl/route-up.sh "$@"
stopservice dnsmasq
startservice dnsmasq
' > /tmp/openvpn-up.sh
chmod +x /tmp/openvpn-up.sh
echo '#!/bin/sh
sleep 5
ip route flush table 10
ip route flush cache
exit 0
/tmp/openvpncl/route-down.sh "$@"
stopservice dnsmasq
startservice dnsmasq
' > /tmp/openvpn-down.sh
chmod +x /tmp/openvpn-down.sh


NO_VPN_LST - IPs that will bypass VPN followed by space
WAN_GWAY - gateway to route selected IPs being dynamically identified

Strings to add to OpenVPN Client:

Code:
up /tmp/openvpn-up.sh
down /tmp/openvpn-down.sh


Another problem left: Is there way to split DNSMasq queries between VPN and other interface based on requestor MAC or IP and by Domain.

P.S. I've found initial form of the script on the Internet and added some to make this 2 variations.

And this is also enchantment option for GUI: Ability to force bypass/select particular interface for router utils/self ip.
Sponsor
nmordasov
DD-WRT Novice


Joined: 05 Jun 2016
Posts: 4

PostPosted: Fri Jun 10, 2016 2:37    Post subject: Reply with quote
More optimal setting is to calculate common mask rather and add one rule rather then add extra rule for each ip:

Code:
echo '#!/bin/sh
sleep 2
ip route flush table 10
iptables -t nat -D PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -D PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
ip route add default dev tun0 table 10
ip rule add from 192.168.1.8/29 table 10
iptables -t nat -A PREROUTING -s 192.168.1.8/29 -p udp --dport 53 -j DNAT --to 208.67.222.222:5353
iptables -t nat -A PREROUTING -s 192.168.1.8/29 -p tcp --dport 53 -j DNAT --to 208.67.222.222:5353
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.1:53
ip route flush cache
exit 0
/tmp/openvpncl/route-up.sh "$@"
stopservice dnsmasq
startservice dnsmasq
' > /tmp/openvpn-up.sh
chmod +x /tmp/openvpn-up.sh
echo '#!/bin/sh
sleep 2
iptables -t nat -D PREROUTING -s 192.168.1.8/29 -p udp --dport 53 -j DNAT --to 208.67.222.222:5353
iptables -t nat -D PREROUTING -s 192.168.1.8/29 -p tcp --dport 53 -j DNAT --to 208.67.222.222:5353
iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
ip route flush table 10
ip route flush cache
exit 0
/tmp/openvpncl/route-down.sh "$@"
stopservice dnsmasq
startservice dnsmasq
' > /tmp/openvpn-down.sh
chmod +x /tmp/openvpn-down.sh


To avoid duplicate rules, I've added deletion (-D) before addition (-A) and redirection of all DNS queries to the only DNS - in this case 208.67.222.222:5353 for VPN connection requests and 192.168.1.1:53 for all other requests.

Here for convenience host IPs starts from *.008 with mask /29 it will cover 8 hosts:
from *.008 to *.015.

All other hosts will not get access to VPN.

This way you can start from every next 8 range:
001, 008, 016, 024, 032, .. with mask /29.
But do not start with 001, it may block router access.

It is possible to use larger mask to contain 16, 32 or more hosts in one range.

P.S. This is guide for power users like me Smile
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Contributions Upload All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum