
Any way to bypass VPN selectively?

Discussion in 'Tomato Firmware' started by david3, Dec 26, 2010.

  1. david3

    david3 Networkin' Nut Member

    I've got a Buffalo WHR-HP-G54 running Victek's Tomato firmware Tomato-RAF-1.28.8525_VPN.

    I've gotten the VPN working, but I'm wondering if there's any way to bypass the VPN selectively for certain machines, so some would connect through the VPN running on the router, and some would connect directly (bypassing the VPN).

    Any ideas?
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, I'll assume your router is a VPN client, and that you're redirecting Internet traffic over the VPN.

    Theoretically, yes, it's possible. However, I haven't heard any reports of anybody getting it to work.

    First, Linux supports multiple routing tables, so one may be able to set it up so some devices use an alternate routing table that isn't redirected.

    Second, the ROUTE iptables target is supposed to have the capability to modify the gateway used for a given packet, so one may be able to set up a rule for certain source IPs to use the regular gateway instead of the VPN gateway.
  3. david3

    david3 Networkin' Nut Member

    Thanks... Yes, the router is the VPN client. It sounds like there may be hope.

    Otherwise, plan 2 is to get a second router just for the VPN traffic and have it connect to the first non-vpn router.

    My router uses DHCP for the clients right now, but I think if I've got two routers on the network, I'd need to use a static IP and gateway for clients connecting to the second one.
  4. pendetim

    pendetim Networkin' Nut Member

    Hi SgtPepperKSU,
    I have the reverse problem. There is one IP address on my LAN that I want to force to connect through the VPN tunnel to "back home" and then to the internet, while I want the rest of the traffic to connect through the local router directly to the internet.

    For example : static ip 192.168.5.100 in North Carolina connects through client 192.168.5.1 with a VPN tunnel established to server 192.168.0.10 in NJ.

    All other machines at 192.168.5.xxx connect through 192.168.5.1 directly to internet.

    Both routers are WRT54GL running version 1.25
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Whether it's a whitelist or a blacklist, the situation is the same. The
    still applies.
  6. pendetim

    pendetim Networkin' Nut Member

    Thanks. I may try the second router route David3 mentioned.
  7. pendetim

    pendetim Networkin' Nut Member

    Hi David3,
    Have you tried "Plan B", second router, yet? Was it successful?
    Tim
  8. TT76

    TT76 Serious Server Member

    I have tried the first solution which seemed to work.
    input the script below in firewall script tab
    Code:
    # ppp0: the interface your Internet connection uses (ppp0 if it is via PPPoE; otherwise change it to your own interface name)
    # table 200: any number between 1 and 253
    ip route add default dev ppp0 table 200
    # xxx.xxx.xxx.xxx: the PC's IP address that accesses the Internet via the VPN
    ip rule add from xxx.xxx.xxx.xxx table 200
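A fuller version of the two-line recipe above, using the multiple-routing-table approach SgtPepperKSU described. This is an added example for this thread, not TT76's script or Tomato code: it builds the bypass table with the WAN gateway, reconciles the `ip rule` entries against a list of source IPs (so re-running it from the Firewall script is idempotent), and copies the LAN route into the table so bypassed hosts are not thrown out the WAN when they talk to something the router routes locally. The interface and address settings (`WAN_IF`, `LAN_NET`, the `BYPASS_IPS` list, table 200) are assumptions to adjust; set `IP=echo` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: route selected LAN hosts around the VPN with a second routing table.
# Assumed settings (adjust to your router):
WAN_IF=${WAN_IF:-ppp0}                  # WAN interface (ppp0 for PPPoE; vlan2/eth0 for DHCP or static WAN)
WAN_GW=${WAN_GW:-}                      # leave empty on a point-to-point link; apply() reads nvram otherwise
LAN_IF=${LAN_IF:-br0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
BYPASS_IPS=${BYPASS_IPS:-"192.168.1.20 192.168.1.30"}   # hosts that must NOT use the VPN
TBL=${TBL:-200}                         # 1..252; 253/254/255 are the default/main/local tables
IP=${IP:-ip}                            # IP=echo prints the commands instead of executing them

# Source IPs already directed at table $2, taken from `ip rule show` output passed in $1
# (lines look like "32765:  from 192.168.1.20 lookup 200").
rules_for_table() {
    printf '%s\n' "$1" | awk -v t="$2" '$2 == "from" && $4 == "lookup" && $5 == t { print $3 }'
}

# Print "del IP" / "add IP" lines that turn the rule set in $1 into the list in $2 for table $3.
plan_rules() {
    have=$(rules_for_table "$1" "$3" | tr '\n' ' ')
    for h in $have; do
        case " $2 " in *" $h "*) ;; *) echo "del $h" ;; esac
    done
    for w in $2; do
        case " $have " in *" $w "*) ;; *) echo "add $w" ;; esac
    done
}

# Default route for the bypass table: PPP links need no gateway, Ethernet WANs do.
bypass_default_route() {
    if [ -n "$2" ]; then
        echo "route replace default via $2 dev $1 table $3"
    else
        echo "route replace default dev $1 table $3"
    fi
}

apply() {
    [ -n "$WAN_GW" ] || WAN_GW=$(nvram get wan_gateway 2>/dev/null || true)
    # The table is consulted before "main" for these hosts, so it needs the LAN route too;
    # otherwise LAN-bound packets that pass through the router would match its default.
    $IP route replace "$LAN_NET" dev "$LAN_IF" table "$TBL"
    $IP $(bypass_default_route "$WAN_IF" "$WAN_GW" "$TBL")
    plan_rules "$($IP rule show)" "$BYPASS_IPS" "$TBL" | while read -r action host; do
        $IP rule "$action" from "$host" table "$TBL"
    done
    $IP route flush cache   # needed on the 2.6 kernels of that era; harmless later
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Paste it into Administration -> Scripts -> Firewall (or call it with `apply` from there). To check a host without waiting for traffic, run `ip route get 8.8.8.8 from 192.168.1.20 iif br0`: it should answer with the WAN device, while the same query for a non-listed host names the tunnel. If a bypassed host still needs the subnets on the far side of the VPN, add those to the table as well (`ip route replace 192.168.0.0/24 via <tunnel gateway> table 200`), since only "main" knows about them otherwise.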
    
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Awesome! I thought what I saw indicated our builds would support that. Glad it's working. I may need to make a post on the TomatoVPN blog about this if you don't report problems after a while.
  10. pendetim

    pendetim Networkin' Nut Member

    Thanks TT76,
    Since I am a complete NOOB here, please forgive me!

    I looked on the Tomato VPN interface on my remote WRT54GL and do not see a "firewall script tab". Is this a hidden menu somewhere? On the VPN tab there is a Auto/Custom drop down selection but I do not see any place to enter the code you offered.

    Would it be possible to forward a single IP address using the Advanced>Routing and set a static route? For example on the remote LAN there is machine 192.168.7.100 that I want to use the internet connection on my home site. At home the gateway is 192.168.0.18 and the VPN box is 192.168.0.10.
    Could I configure a static route as follows:

    Code:
    Destination      Gateway         Subnet Mask      Metric   Interface   Comments
    192.168.7.100    192.168.0.18    255.255.255.0    0        LAN
    Or should I use 192.168.0.10 as the gateway?

    My current routing is:
    Code:
    Destination    Gateway        Subnet Mask        Metric   Interface
    10.8.0.5       *              255.255.255.255    0        tun11
    10.7.102.1     *              255.255.255.255    0        ppp0
    192.168.7.0    *              255.255.255.0      0        br0 (LAN)
    192.168.3.0    10.8.0.5       255.255.255.0      0        tun11
    10.8.0.0       10.8.0.5       255.255.255.0      0        tun11
    192.168.0.0    10.8.0.5       255.255.255.0      0        tun11
    127.0.0.0      *              255.0.0.0          0        lo
    default        10.7.102.1     0.0.0.0            0        ppp0
  11. lfjeff

    lfjeff Reformed Router Member

    Problems with "ip rule" commands

    I've been trying to get selective routing to work with tomato-vpn v1.27vpn3.6.4b6645f6(ND) running on an ASUS WL-500G v2, but I cannot get the "ip rule" commands to work.

    For example, when I try to set up a rule table, I get the following error:

    # ip rule add from 192.168.50.198 table 100
    RTNETLINK answers: Invalid argument

    I even get errors when I simply try to list the table:
    # ip rule list
    RTNETLINK answers: Invalid argument
    Dump terminated

    Is "ip rule" broken under tomato-vpn? Or is there a config option that needs to be activated?

    I've used the same commands to set up source routing on other Linux routers with no problem, but I can't figure out why they don't work with tomato-vpn.

    Any ideas about how to fix the problem?
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It's not in the VPN pages: Administration->Scripts.
    No. You should use the method outlined by TT76.
  13. pendetim

    pendetim Networkin' Nut Member

    OK, I found the firewall script tab, thanks, SgtPepperKSU .

    So in my case I would want this:

    Code:
    ip route add default dev ppp0 table 200
    ip rule add from 192.168.7.100 table 200 
    However, will this force 192.168.7.100 to use the VPN or will it cause the device to bypass the VPN. I want to have all the devices on the 192.168.7.* network to directly access the 'Net but have 192.168.7.100 connect through the VPN. Should I replace the ppp0 with tun11 in the above script to make this happen?

    My current routing is in the post from last night, for reference.

    Also, should I use Automatic or Custom firewall in the VPN>Basic tab with this script?

    Thanks, Tim
  14. lfjeff

    lfjeff Reformed Router Member

    Does "ip rule add" work for you?

    I'm trying to do the same thing, but the "ip rule add" command always fails with an error (see previous post for details).

    What version of Tomato are you using?
  15. pendetim

    pendetim Networkin' Nut Member

    I have not tried this yet but am running "Tomato Firmware v1.25vpn3.4.4a8380cb"
    Tim
  16. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Correct on all accounts.
    Automatic is still fine.
  17. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I haven't actually tried this myself. It's possible that this method is only functional in the Linux 2.6 kernel builds (which I don't provide - however, TomatoUSB has flavors that include all my VPN stuff)...

    If that's the case and switching to the 2.6 builds is desired, investigating the iptables ROUTE target method may also work - and that target is "functional" in the builds I provide. (note: I put "functional" in quotes because the ROUTE target is a bit flaky and has been all but disowned by the people that provide iptables).
  18. pendetim

    pendetim Networkin' Nut Member

    Thanks, SgtPepperKSU!

    I will be at the beach house in a few weeks (when it warms up a little!) and give it a try then. Will report back with results when I do so you can update the KB on this feature.

    Tim
  19. TT76

    TT76 Serious Server Member

    It seemed that everything's fine. I haven't found any problem with it.
    My firmware is Teddy Bear's mod k26noUSBvpn 1.28; perhaps the ip command is not included in the 1.27 version. You can try k26 1.28.
  20. david3

    david3 Networkin' Nut Member

    I did get a second router and dedicated it for the VPN network, running the VPN client. Systems that use it as a gateway are routed automatically over the VPN. It's working ok for my purposes.
  21. lfjeff

    lfjeff Reformed Router Member

    After some more testing with various 2.4 builds, it appears that the 2.4 kernel version does NOT support the "ip rule" commands. Something must be missing from the build config, because I have used "ip rule" on other 2.4 Linux systems in the past.

    However, when I loaded the 2.6 kernel version (tomato-K26USB-1.28.9054MIPSR1-beta-vpn3.6) on my WL-500gp the "ip rule" commands seem to work.

    I haven't tested the source routing thru the VPN yet -- will report on that later.
  22. pendetim

    pendetim Networkin' Nut Member

    Does VPN 1.25 build contain the 2.6 kernel? The add route command does not seem to work with my 1.25 build. By adding the route into the firewall tab, there is no change in routing on my target device.

    Any suggestions as to what I should try loading into my Linksys WRT54GL router to get the 2.6 kernel. This box, of course, does not have a USB port so probably don't want to load a USB build, correct?

    Tim
  23. pendetim

    pendetim Networkin' Nut Member

    BUMP...

    If I want to use a 1.28 VPN build, containing the 2.6 kernel without the USB support, which version should I try?

    There appear to be about 9 build versions of the Victek modification available. Some are called MIPSR2 and some are MIPSR1 - what is the difference here? This will be used on a WRT54GL V1.0
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    This indicates you need a MIPSR1 version.
  25. pendetim

    pendetim Networkin' Nut Member

    Hi David3,
    So if I understand what you did... You set up a router, let's say 192.168.0.1, that connects to the WAN. This has DHCP enabled and will allow clients that connect to it to directly access the internet. You then set up a second router with a VPN client, with an address of let's say 192.168.0.2, disabled the WAN interface, assigned the gateway field to 192.168.0.1, gave it a DNS server (like 4.2.2.2) and turned off DHCP. 192.168.0.2 has a VPN client running with "redirect internet traffic" checked.

    For a client that is forced through the VPN tunnel you assign a static IP address, a subnet and 192.168.0.2 as the gateway. For a client that is allowed direct internet access, you let the 192.168.0.1 router do the client configuration or manually assign it a 192.168.0.1 gateway.

    Anything else?
  26. david3

    david3 Networkin' Nut Member

    That's close. I didn't think of trying to disable the WAN interface on the VPN router, though, so I'm not sure how that would work. Maybe it would be better?

    Here's what I did.

    My main router (Router #1) has the LAN IP address set to 192.168.3.1 with a subnet mask of 255.255.255.0, and DHCP enabled (I use static DHCP as well, with all the clients including router #2 defined).

    Normal clients connect to this router with DHCP and get routed directly through my DSL line.

    My VPN router (Router #2) has the WAN setup with a Static IP address of 192.168.3.5, a subnet mask of 255.255.255.128, and a gateway of 192.168.3.1. The LAN IP address is set to 192.168.3.130 with a subnet mask of 255.255.255.128.

    So the VPN router's WAN connects as a normal client to router #1, except it's using a static IP address so it can be set with a more exclusive subnet mask. The WAN is on the lower portion of 192.168.3.* and the LAN is on the upper portion of 192.168.3.*

    It didn't like it if the WAN and LAN overlapped. The 255.255.255.128 subnet on the VPN router is just for the router's benefit. Clients are still set to 255.255.255.0 so they can see the whole network.

    I configure VPN clients with a static IP address, like 192.168.3.151 (in the upper portion of 192.168.3.*) and a gateway address of 192.168.3.130, and subnet mask of 255.255.255.0.

    This way, the VPN clients' internet traffic gets routed through the VPN router, and they can also still access non-VPN clients on the local network (file shares, media servers, etc.).

    Here's Router #1 (main router):

    Here's Router #2 (VPN router):

    My main router is a Buffalo WHR-HP-G54 and my VPN router is an Asus WL-520GU. I notice the cpu gets up to around 60-70% streaming 2mbps over the VPN router, and I suspect it would max out around 3mbps. I'd probably need to upgrade to an Asus RT-N16 or similar if I wanted to go faster.
  27. pendetim

    pendetim Networkin' Nut Member

    Thanks for sharing that David3. I will give your way a try in the next week or so when I am the remote site. I will also try turning off the WAN interface in router 2 and see if that also works.

    I currently have a WRT54GL @192.168.0.10 running as a VPN server inside my LAN that has a 192.168.0.18 gateway. That seems to be OK with the WAN set to disabled and reusing the WAN port as a LAN port.

    When I get a chance to test the client running inside the LAN, I will report back to add to the community of knowledge here.

    Tim
  28. david3

    david3 Networkin' Nut Member

    I tried disabling the WAN interface on the VPN router, and setting the subnet mask to 255.255.255.0 and setting the gateway to my main router. I hadn't noticed before that the Default Gateway setting appears under the LAN when you disable the WAN.

    That works well, too, and it looks like a better way to do it.

    However, the vpnclient wasn't starting with the "Start with WAN" setting when the router first boots (makes sense, since the WAN is disabled). I added a "service vpnclient1 start" as an Init Script and "service vpnclient1 stop" as a Shutdown Script. That seems to work just as well, and the vpnclient starts when the router first boots now.

    Thanks for the tip.

  29. pendetim

    pendetim Networkin' Nut Member

    Hi David3,

    GOOD CATCH!
    I just took a quick look at my VPN server router which is running VPN build 1.25 and the "start box" is "start with router" However the 1.27 version says 'start with WAN". It looks like there was a change between V1.25 and V1.27.

    I will need to make sure I add the init and shutdown script on the 1.27 version.

    Tim
  30. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The "Start with Router" vs "Start with WAN" discrepancy that causes problems for people with WAN disabled was an oversight on my part, is fixed in my GIT tree, and will be corrected in the next release. In the meantime, you've already found the correct workaround.
  31. lfjeff

    lfjeff Reformed Router Member

    VPN selective routing script

    I have created the script below to handle selective routing of certain IPs thru the VPN. It tags traffic based on the IP source and routes them via the VPN.

    When the VPN starts, it changes to default gateway to route all traffic through the VPN. So this script resets the default back to the WAN gateway. That way all the normal traffic goes thru the WAN gateway and only the specified IPs go through the VPN.

    It needs a little cleanup and more testing, but it seems to work. However, I cannot figure out how to save it in order to make it run automatically. It is too big to save as a custom script (max 2048 bytes) or with "nvram setfile2nvram"

    I could not find any hooks for VPN up/down, so I had intended to run it as a scheduled script and let it monitor the connection every minute. But I was unable to save the script because of the 2K limit.

    Any ideas about how to implement this script and make it run automatically?

    If there were some custom scripts for VPN client up/down, it would be much easier to make this work. Or even better, modify the current VPN client configuration to add a few extra boxes that would allow you specify which IPs should be routed thru the VPN.

    Code:
    #!/bin/sh
    
    # IP range to route thru VPN
    VPN_IP_LIST="192.168.51.151 192.168.51.152"
    
    VPN_DEV="tun11" # VPN gateway device, normally "tun11" for client1
    #-------------------------------------------------------------------
    export VPN_IP
    export VPN_IP_LIST
    export VPN_DEV
    
    # get WAN gateway
    GW=`nvram get wan_gateway`
    
    # get VPN gateway
    VPN_GW=`ip route show | awk '$2 == "dev" && $3 == ENVIRON["VPN_DEV"] && $4 == "proto" {print $1}'`
    export VPN_GW
    
    # get current default gateway
    DEFAULT_GW=`ip route show | awk '$1 == "default" && $2 == "via" {print $3}'`
    
    VPN_TBL=100
    export VPN_TBL
    
    if [ "$VPN_GW" != "" ]
    then
      echo "VPN is active"  # jjj
      # VPN is active
    
      # route normal traffic thru WAN gateway
      if [ "$DEFAULT_GW" != "" -a "$GW" != "" -a "$DEFAULT_GW" != "$GW" ]
      then
        echo ip route change default via $GW  # jjj
        ip route change default via $GW
        FLUSH_CACHE="yes"
      fi
    
      # set up source routing rules to tag VPN IPs
      for VPN_IP in $VPN_IP_LIST
      do
        echo VPN_IP=$VPN_IP  # jjj
        VPN_RULES=`ip rule show | awk '$2 == "from" && $3 == ENVIRON["VPN_IP"] && $4 == "lookup" && $5 == ENVIRON["VPN_TBL"]'`
        echo "VPN_RULES=$VPN_RULES"  # jjj
        if [ "$VPN_RULES" = "" ]
        then
          echo ip rule add from $VPN_IP table $VPN_TBL  # jjj
          ip rule add from $VPN_IP table $VPN_TBL
        fi
      done
    
      # route VPN table IPs thru VPN gateway
      VPN_ROUTES=`ip route show table $VPN_TBL | awk '$1 == "default" && $2 == "via" && $3 == ENVIRON["VPN_GW"]'`
      echo "VPN_ROUTES=$VPN_ROUTES"  # jjj
      if [ "$VPN_ROUTES" = "" ]
      then
        echo ip route add default via $VPN_GW table $VPN_TBL  # jjj
        ip route add default via $VPN_GW table $VPN_TBL
        FLUSH_CACHE="yes"
      fi
    
      if [ "$FLUSH_CACHE" = "yes" ]
      then
        ip route flush cache
        logger "Routing $VPN_IP_LIST thru VPN gateway $VPN_GW"
      fi
    else
      echo "VPN is not active"  # jjj
      # VPN is not active
    
      # delete any default VPN routes
      VPN_ROUTES=`ip route show table $VPN_TBL`
      echo "VPN_ROUTES=$VPN_ROUTES"  # jjj
      if [ "$VPN_ROUTES" != "" ]
      then
        ip route del default table $VPN_TBL
        ip route flush cache
        logger "VPN not active, disabled VPN routing"
      fi
    
      # delete any VPN table rules
      VPN_RULE_IP_LIST=`ip rule show | awk '$2 == "from" && $4 == "lookup" && $5 == ENVIRON["VPN_TBL"] {print $3}'`
      echo "VPN_RULE_IP_LIST=$VPN_RULE_IP_LIST"
      if [ "$VPN_RULE_IP_LIST" != "" ]
      then
        for VPN_RULE_IP in $VPN_RULE_IP_LIST
        do
          echo "VPN_RULE_IP=$VPN_RULE_IP"  # jjj
          echo ip rule del table $VPN_TBL  # jjj
          ip rule del table $VPN_TBL
        done
        logger "Deleted entries from VPN rule table"
      fi
    fi
    
    Please note that this script only works with the K26 version, as the K24 version does not implement the "ip rule" commands correctly.
  32. david3

    david3 Networkin' Nut Member

    Wow, that would be excellent if everything could work on one router with that script! I have an Asus N16 on order, so maybe I'll try the script with it once I receive it.

    If I remove the comments and extra spaces/formatting from your script, it gets the size down to 1,982 bytes, so maybe that would work for saving it as a custom script?
  33. david3

    david3 Networkin' Nut Member

    At least for my purposes, I leave the VPN up all the time. And if it stops for some reason, it's preferable that the systems being routed through the VPN remain down until the VPN is back up. So that might simplify things.
  34. lfjeff

    lfjeff Reformed Router Member

    I'll try trimming out the spaces and see if I can get it to work.
  35. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Great! Thanks for your work! There are VPN up/down hooks. Just add "up /path/to/script.sh" and/or "down /path/to/script" to the VPN custom config. However, the up/down script is already taken if you use the "Accept DNS" options. If you do, you can disable "Accept DNS" and call /rom/openvpn/updown.sh (with proper parameters) from your script.

    If you can't get it small enough to fit in NVRAM/JFFS, you can always save it to a CIFS share.
  36. lfjeff

    lfjeff Reformed Router Member

    What does the "Accept DNS configuration" option do? Mine is set to "Exclusive" but I don't understand what it does and whether I really need it.

    I noticed the /rom/openvpn/updown.sh script earlier, but I couldn't figure out how it was called. How are parameters passed to it? I saw that the script referenced a variable named "$script_type" but I was unable to determine where this was set.

    I've trimmed my script to under 2K and I'll play with the VPN up/down hooks you mentioned. If I can figure out how the current updown.sh script works, I may be able to modify it to include my routing functions or create a wrapper script that calls it.

    Will report back in a few days -- gotta do some work to pay the bills right now.
  37. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Search for "--up cmd" in the OpenVPN documentation for details on how up/down scripts are called.

    Accept DNS:
    • Disabled
      • Ignores DNS stuff sent from server
    • Relaxed
      • Adds the DNS servers sent from the server to our list, but doesn't guarantee that they're always used (dnsmasq, by default tries to use the fastest in the list)
    • Strict
      • Adds the DNS servers sent from the server to the top of our list, and instructs dnsmasq to use the servers in order (so the added entries will always be used until they fail)
    • Exclusive
      • Adds the DNS servers sent from the server to our list, and removes the existing ones (so the only DNS servers we know about are the ones sent from the server)
  38. lfjeff

    lfjeff Reformed Router Member

    Can I use any of the OpenVPN options in the custom configuration section? Or does it only support certain options?

    Instead of using "--up cmd" I'd prefer to use "--route-up cmd"

    Could I do this by adding "route-up /path/to/my-route-up.sh" to custom config?
  39. lfjeff

    lfjeff Reformed Router Member

    After some testing, it appears that I can use the custom configuration to specify a "route-up" script, which should make things fairly simple.

    Am working on modifying my current script so that it will be called automatically when the VPN goes up or down.
  40. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sounds like you've already figured it out, but you can use any of the commands there (just drop the leading --). Whatever is in the custom config section just gets tacked on to the end of the auto-generated config built from the GUI input.
  41. lfjeff

    lfjeff Reformed Router Member

    Thanks for confirming that information. I had suspected that was how it works, but didn't want to hack through the source code to make sure.

    One thing I'm trying to figure out...

    If I specify new "up" and "down" scripts, will they replace the /rom/openvpn/updown.sh script and prevent it from being called?

    If so, then my scripts include the original script to make sure it is still called.
  42. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You'll have to do trial and error there. I'm not sure, if the config file contains multiple "up" and "down" directives whether the first will be used, the last will be used, or if an error will be given.
  43. lfjeff

    lfjeff Reformed Router Member

    I have selective VPN routing working with Tomato running the 2.6 kernel...

    First, save the following script as /root/vpn_route.sh
    Code:
    #!/bin/sh
    
    if [ "$script_type" == "up" -o "$script_type" == "down" ]
    then
    	/rom/openvpn/updown.sh
    fi
    
    if [ "$route_gateway_1" != "" ]
    then
    	VPN_IP_LIST=$(nvram get vpn_client1_ip_list)
    	VPN_TBL=$(nvram get vpn_tbl_1)
    	if [ "$VPN_TBL" == "" ]
    	then
    		VPN_TBL=101
    	fi
    elif [ "$route_gateway_2" != "" ]
    then
    	VPN_IP_LIST=$(nvram get vpn_client2_ip_list)
    	VPN_TBL=$(nvram get vpn_tbl_2)
    	if [ "$VPN_TBL" == "" ]
    	then
    		VPN_TBL=102
    	fi
    fi
    
    export VPN_GW VPN_IP VPN_TBL
    
    # delete rules for IPs not on list
    IP_LIST=`ip rule show|awk '$2 == "from" && $4=="lookup" && $5==ENVIRON["VPN_TBL"] {print $3}'`
    for IP in $IP_LIST
    do
    	DEL_IP="y"
    	for VPN_IP in $VPN_IP_LIST
    	do
    		if [ "$IP" == "$VPN_IP" ]
    		then
    			DEL_IP=
    		fi
    	done
    
    	if [ "$DEL_IP" == "y" ]
    	then
    		ip rule del from $IP table $VPN_TBL
    	fi
    done
    
    # add rules for any new IPs
    for VPN_IP in $VPN_IP_LIST
    do
    	IP_LIST=`ip rule show|awk '$2=="from" && $3==ENVIRON["VPN_IP"] && $4=="lookup" && $5==ENVIRON["VPN_TBL"] {print $3}'`
    	if [ "$IP_LIST" == "" ]
    	then
    		ip rule add from $VPN_IP table $VPN_TBL
    	fi
    done
    
    if [ "$script_type" == "route-up" ]
    then
    	VPN_GW=$route_vpn_gateway
    else
    	VPN_GW=127.0.0.1  # if VPN down, block VPN IPs from WAN
    fi
    
    # delete VPN routes
    NET_LIST=`ip route show|awk '$2=="via" && $3==ENVIRON["VPN_GW"] && $4=="dev" && $5==ENVIRON["dev"] {print $1}'`
    for NET in $NET_LIST
    do
    	ip route del $NET dev $dev 
    done
    
    # route VPN IPs thru VPN gateway
    if [ "$VPN_IP_LIST" != "" ]
    then
    	ip route del default table $VPN_TBL
    	ip route add default via $VPN_GW table $VPN_TBL
    	logger "Routing $VPN_IP_LIST via VPN gateway $VPN_GW"
    fi
    
    # route other IPs thru WAN gateway
    if [ "$route_net_gateway" != "" ]
    then
    	ip route del default
    	ip route add default via $route_net_gateway
    fi
    
    ip route flush cache
    
    exit 0
    
    Make it executable and save in NVRAM:
    Code:
    chmod 755 /root/vpn_route.sh
    nvram setfile2nvram /root/vpn_route.sh
    nvram commit
    
    Now configure the "Custom Configuration" section of the VPN Client Configuration:
    Code:
    script-security 2
    route-up /root/vpn_route.sh
    down /root/vpn_route.sh
    
    You can specify the IPs you want routed through the VPN by setting the vpn_client1_ip_list variable:
    Code:
    nvram set vpn_client1_ip_list="192.168.1.10 192.168.1.11 192.168.1.12"
    nvram commit
    
    If you change the value of vpn_client1_ip_list, you must restart the VPN to force it to read the new value.

    If you are using Client 2 VPN, use the vpn_client2_ip_list variable. I have not tested Client 2, but it should work.

    After doing some testing, the VPN routing seems to work.

    However, my VOIP phones quit working after all my trial and error experimentation. The problem seems to have something to do with the VPN or maybe my NVRAM is corrupted. All the routing tables look OK, but the VOIP phones don't register. I didn't have any problems with the VOIP phones until I started playing with the routing and VPN, so something is probably screwed up.

    I think I'll reload the router from scratch and see if that fixes the VOIP problem. Fortunately, I did all the work on my dev router and was able to get the phones working by just switching back the main router (which was not touched).

    If anybody has any ideas about what could cause problems with the VOIP, please let me know.
  44. lfjeff

    lfjeff Reformed Router Member

    After erasing NVRAM and reconfiguring the router from scratch, the VOIP problems were fixed and script in the previous post is working fine.

    It is now routing ONLY the specified IP addresses via the VPN. All the other IPs (like my VOIP phones) are routed via the WAN gateway.
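The route-up/down script posted above keys everything off the variables OpenVPN exports to its hook scripts (script_type, route_vpn_gateway, route_net_gateway, dev). The following is an added example for this thread, not lfjeff's script or Tomato code: it isolates that logic into small functions that return the commands for the "VPN only" table, and on the down event it installs a blackhole default in that table, so the listed hosts get "unreachable" instead of quietly falling through to the WAN default in the main table while the tunnel is down. Assumptions: table 101, the host list in VPN_IP_LIST (on the router, read it from the vpn_client1_ip_list nvram variable as the posts above do), and "Redirect Internet traffic" left unchecked for the client so OpenVPN does not rewrite the main table's default. Set IP=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: fail-closed "VPN only" hosts, driven by OpenVPN's route-up/down hooks.
# Wire it up in the client's Custom Configuration exactly as the thread does:
#   script-security 2
#   route-up /root/vpn_only.sh
#   down /root/vpn_only.sh
# OpenVPN exports script_type, route_vpn_gateway, route_net_gateway and dev to the script.
VPN_IP_LIST=${VPN_IP_LIST:-"192.168.1.10 192.168.1.11"}   # on the router: $(nvram get vpn_client1_ip_list)
TBL=${TBL:-101}          # routing table for the VPN-only hosts
IP=${IP:-ip}             # IP=echo prints the commands instead of executing them

# Route commands (without the leading "ip") that put table $2 in the right state for
# OpenVPN event $1 with tunnel gateway $3: default via the tunnel while it is up, and a
# blackhole default otherwise, so listed hosts get "unreachable" instead of quietly
# falling through to the WAN default route in the main table.
vpn_table_cmds() {
    case "$1" in
        route-up)
            if [ -z "$3" ]; then
                echo "route-up without route_vpn_gateway; leaving table $2 alone" >&2
                return 1
            fi
            echo "route replace default via $3 table $2"
            ;;
        down)
            echo "route replace blackhole default table $2"
            ;;
        *)  # "up" runs before OpenVPN has added its routes; nothing to do yet
            ;;
    esac
}

# Rule commands for the listed hosts; deleting first keeps a rerun from stacking duplicates.
host_rule_cmds() {
    for h in $1; do
        echo "rule del from $h table $2"
        echo "rule add from $h table $2"
    done
}

apply() {
    host_rule_cmds "$VPN_IP_LIST" "$TBL" | while read -r line; do
        $IP $line 2>/dev/null || true   # the "del" of a rule that is not there is expected to fail
    done
    vpn_table_cmds "${script_type:-down}" "$TBL" "${route_vpn_gateway:-}" | while read -r line; do
        $IP $line
    done
    # Everyone else stays on the WAN: with "Redirect Internet traffic" off, OpenVPN leaves the
    # main table's default alone; this only restores it if something else moved it.
    if [ -n "${route_net_gateway:-}" ]; then
        $IP route replace default via "$route_net_gateway"
    fi
    $IP route flush cache
}

if [ -n "${script_type:-}" ] || [ "${1:-}" = apply ]; then
    # Our "down" line displaces Tomato's own hook (the Accept DNS handling), so chain it the
    # way lfjeff's script does.
    if [ "${script_type:-}" = down ] && [ -x /rom/openvpn/updown.sh ]; then
        /rom/openvpn/updown.sh
    fi
    apply
fi
```

Save it with chmod 755 and nvram setfile2nvram as described above. After the tunnel comes up, `ip route show table 101` should show the tunnel gateway; after `service vpnclient1 stop` it should show `blackhole default`, and a listed host's outbound connections should fail rather than appear on the WAN. As david3 found, the script will not run at all without `script-security 2` in the custom config, and the OpenVPN log says so.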
  45. trezno

    trezno Networkin' Nut Member

    Excuse me for not starting a new thread, but I think this is a somewhat related question.

    The solution to route all data from specific IPs through VPN could work for me, but I wonder if it is possible to conditionally route specified traffic through the VPN and leave all the rest to route directly? E.g. by having a list of IPs, and when an IP-address on the list is requested, then all data is routed through the VPN. If all other IPs are requested, it will happen directly through WAN.

    Would anything like this be possible using the Tomato VPN firmware on a wrt54GL?
  46. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    That's not a related question - it's the exact same question :tongue:

    Look just a few posts back for an example.
  47. trezno

    trezno Networkin' Nut Member

    Ok, maybe it's just me then :)

    So by using lfjeff's script it is possible to specify that www.google.com (hostname or IP?) should be routed through the VPN and all other requests should be routed directly?

    Where can I specify which IPs get routed through VPN?
  48. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Oh, no, I didn't realize you meant destination IPs. That's a much, much simpler problem.

    Just add
    Code:
    route www.google.com
    to your custom config. However, the routing table is IP-based and that will only add one of "www.google.com"'s IP addresses (whatever it resolved to when the command was run). If you want to add multiple IP addresses for one DNS name, you'll have to do it manually (separate route lines per IP). If the site you're wanting to redirect only has one IP address, then specifying the name should work fine. Of course, you can always just use the IP address anyway.
  49. trezno

    trezno Networkin' Nut Member

    That sounds wonderful. I will try this in the near future!

    Thanks :)
  50. lfjeff

    lfjeff Reformed Router Member

    If you want to route to a "normal" website that has only one address, it would be easy to add a specific route.

    However, busy sites like google.com probably have a dozen or more IP addresses and they are constantly changing.

    You could get a list of some of the IPs by using this command:

    Code:
    nslookup google.com
    Server:    127.0.0.1
    Address 1: 127.0.0.1 localhost
    
    Name:      google.com
    Address 1: 72.14.204.104 iad04s01-in-f104.1e100.net
    Address 2: 72.14.204.103 iad04s01-in-f103.1e100.net
    Address 3: 72.14.204.147 iad04s01-in-f147.1e100.net
    Address 4: 72.14.204.99 iad04s01-in-f99.1e100.net
    
    If you wanted to get a little clever, it would be possible to write a simple script that would run under the Tomato cron and periodically look up the current IP addresses for your desired destination and add them to the routing table. It would be somewhat similar to the script I wrote above. I don't have to time to write a full script right now, but here's a quick example of how to get a list of the IP addresses for google.com and add them to the routing table for the VPN gateway:

    Code:
    VPN_GW="1.2.3.4"   # IP address of VPN gateway
    IP_LIST=`nslookup google.com | awk '$1 == "Address" && $3 != "127.0.0.1" {print $3}'`
    for IP in $IP_LIST
    do
      ip route add $IP via $VPN_GW
    done
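SgtPepperKSU's `route www.google.com` line and lfjeff's fragment above both resolve a name once and route whatever it returned at that moment. The following is an added example for this thread, not code from either of them or from Tomato: it does the job the way it would have to run from the Tomato cron, parsing only the answer section of busybox `nslookup` output (skipping the resolver's own address and any IPv6 records), tagging the host routes it installs with a private `proto` number so it can tell its own routes apart from server-pushed ones, and removing routes for addresses that have dropped out of DNS. Assumptions: the tunnel gateway and device (`10.8.0.5`, `tun11`), protocol number 200, the names in `VPN_HOSTS`, and an `ip` build that accepts `proto` on `route add` (full iproute2 does). Set `IP=echo` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: keep per-destination VPN host routes in step with DNS (run from cron).
VPN_HOSTS=${VPN_HOSTS:-"example.com"}   # names whose traffic should use the tunnel
VPN_GW=${VPN_GW:-10.8.0.5}              # tunnel peer (route_vpn_gateway on route-up)
VPN_DEV=${VPN_DEV:-tun11}
PROTO=${PROTO:-200}                     # private protocol number tagging the routes we own
IP=${IP:-ip}                            # IP=echo prints the commands instead of executing them

# IPv4 addresses from the answer section of busybox `nslookup` output in $1: only the
# "Address" lines after "Name:", so the resolver's own address is skipped, and only A records.
answer_ips() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { ans = 1; next }
        ans && $1 == "Address" && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $3 }'
}

# Host routes carrying our proto tag $2 in `ip route show` output $1. Prefixes with "/" are
# networks (the redirect-gateway halves, server-pushed subnets) and are never ours.
owned_routes() {
    printf '%s\n' "$1" | awk -v tag="$2" '
        $1 != "default" && $1 !~ /\// {
            for (i = 1; i < NF; i++) if ($i == "proto" && $(i + 1) == tag) { print $1; break }
        }'
}

# "del IP" / "add IP" lines turning the owned set $1 into the wanted set $2 (both space separated).
plan_routes() {
    printf '%s\n' $1 | awk -v want="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        NF { if ($1 in keep) seen[$1] = 1; else print "del " $1 }
        END { for (i = 1; i <= n; i++) if (!(w[i] in seen)) print "add " w[i] }'
}

# The ip command (without the leading "ip") for one planned action.
route_cmd() {
    if [ "$1" = add ]; then
        echo "route replace $2 via $VPN_GW dev $VPN_DEV proto $PROTO"
    else
        echo "route del $2 proto $PROTO"
    fi
}

sync_routes() {
    wanted=""
    for name in $VPN_HOSTS; do
        wanted="$wanted $(answer_ips "$(nslookup "$name" 2>/dev/null)" | tr '\n' ' ')"
    done
    owned=$(owned_routes "$($IP route show)" "$PROTO" | tr '\n' ' ')
    plan_routes "$owned" "$wanted" | while read -r action addr; do
        $IP $(route_cmd "$action" "$addr")
    done
}

if [ "${1:-}" = sync ]; then
    sync_routes
fi
```

Two caveats a practitioner should keep in mind. The routes are only as good as the answers the router saw: a client that resolves the name itself may get a different address from the CDN and that connection leaves on the WAN, so point the clients at the router's dnsmasq and run the cron job more often than the record's TTL. And because this sits in the main table, it steers every LAN host's traffic to those addresses into the tunnel, not just particular machines; combine it with the source-based rules above if both kinds of selection are needed.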
    
  51. david3

    david3 Networkin' Nut Member

    I just received an Asus N16 today so I tried lfjeff's script out, but so far I'm not having much luck. Everything still gets routed through the vpn regardless of the vpn_client1_ip_list setting.

    I've also got IPv6 setup on the router, and when the vpn connection is active, sites that have IPv6 addresses available have a long delay while they timeout.
  52. david3

    david3 Networkin' Nut Member

    I should learn to read logs before I post. :)

    There was an error in the log that said something about requiring "script-security 2" to run external scripts. So I added it to the vpn client custom configuration:

    script-security 2
    route-up /root/vpn_route.sh
    down /root/vpn_route.sh

    And now it looks like it's working fine! Thanks!
  53. lfjeff

    lfjeff Reformed Router Member

    Thanks for the configuration tip. I added your extra option to my original post (although it doesn't make any difference on my particular router). Mine seems to work with or without the "script-security 2" setting.

    I'm not using IPv6, so I don't know if that has anything to do with the problem or not.
  54. trezno

    trezno Networkin' Nut Member

    lfjeff>
    That little script works perfectly. Thanks!

    Can I add two (or more, eventually) sites to look up IP addresses for and add them to the routing table? And is it possible to add ranges, or does the IP have to be specified?
  55. lfjeff

    lfjeff Reformed Router Member

    You can specify more than one IP address in the list, for example:

    Code:
    nvram set vpn_client1_ip_list="192.168.1.111 192.168.1.112 192.168.1.115 192.168.1.157"
    
    Only single IP addresses are allowed, you cannot use network ranges. I originally tried using network ranges, but it made the code more complex and I had to keep the size of the script below 2048 bytes to make it fit in NVRAM.
  56. david3

    david3 Networkin' Nut Member

    I just wanted to say I've been using that script for a while now on a recent version of TomatoUSB on an Asus N16, and it's been working really well. Thanks again.
  57. yo_adrian_eh

    yo_adrian_eh Networkin' Nut Member

    I used vi, saved the file, used chmod, went to "setfile2nvram" and received the following error "file too big".

    Yo!Adrian
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Edited: I went to sleep scratching my head about this but woke up with a much clearer head (note to self, don't think that late at night)

    setfile2nvram=file too big=nvram is probably full, duh!

    I reset the router and checked; the nvram commitment is now 32.00 KB / 12.30 KB (38.43%). Will try running the script again later.
  58. andrewjsb

    andrewjsb Reformed Router Member

    Restrict outbound traffic to VPN only?

    Is it possible for me to configure the VPN client so that for all clients the only traffic being passed through the router is through the VPN? Right now, if the VPN fails it defaults to the local internet connection. I would like there to be no connectivity at all when the VPN is down. Thanks.

    -Andrew
  59. lfjeff

    lfjeff Reformed Router Member

    Resetting the router and reconfiguring everything from scratch can often solve a lot of problems. When I was developing and testing the script, I was constantly adding and deleting stuff to NVRAM and started to get a lot of strange errors and general weirdness.

    After I reset the router and reconfigured, the problems disappeared.
  60. yo_adrian_eh

    yo_adrian_eh Networkin' Nut Member

    lfjeff, I'm planning on using the solution described here: http://vpnblog.info/strongvpn-open-on-tomato.html. I'm struggling/wrestling with sending all router traffic via the VPN if I use the described method from that post vs. sending only specific IPs as your script does, and what OpenVPN solution I might be able to use. Or is it that by combining the StrongVPN solution only Client1 IPs from the script implementation would use the tunnel and all other traffic would be exempt?

    Yo!Adrian
  61. windozer

    windozer Networkin' Nut Member

    Do the following (steps):
    1. Get VPN to work the regular way as described http://vpnblog.info/strongvpn-open-on-tomato.html.
    2. Back up the configuration (.cfg) of the working setup (just in case : )).
    3. Do the slight change as described in lfjeff's post
    4. Backup configuration!
  62. lfjeff

    lfjeff Reformed Router Member

    Windozer's advice in the previous post is good...

    If you use the VPN without my script, then ALL traffic will go through the VPN by default. If you turn off the VPN, then the traffic will go through the regular WAN.

    If my script is active, then ONLY the selected IP addresses (like your Boxee) will go through the VPN and everything else (like your VOIP devices) will go through the WAN.

    I created the script because I did not want my VOIP devices to have the extra latency that would be added by going through the VPN.
  63. yo_adrian_eh

    yo_adrian_eh Networkin' Nut Member

    I got as far as "script-security 2"
    but I get the following error "-sh: script-security: not found"

    I have everything else more or less under control and my OpenVPN config is running under Client 1 in Tomato.

    Yo!Adrian
  64. windozer

    windozer Networkin' Nut Member

    script-security 2 has to be in the Custom Configuration text-box found in VPN Tunneling > Client > Client1 (tab) > Advanced (tab)


    Are you sure you've typed it there?
  65. yo_adrian_eh

    yo_adrian_eh Networkin' Nut Member

    Amazing what happens when you read the instructions properly...I had entered that into the Telnet session. I entered it into the Custom Config above the Auth Key info and started the service, it appears to be running but that entry is no longer there, just the key info I had before for OpenVPN.
    Like this:
    tls-auth ta.key 1
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    09cea02ae8e2cf9b3333eeb857f5bcd4
    <snip>

    This may sound like a dumb question, how do I check to see if it's running or not...?

    Yo!Adrian
  66. windozer

    windozer Networkin' Nut Member

    @yo_adrian_eh, You can find the log at Status > Logs > View all. I'd suggest you quickly look over this helpful but long thread at VPN build with Web GUI. Read at least the last 50 pages or so to get a good idea for using openvpn & tomato.

    Please remember that this thread is a discussion for those who can access internet via vpn , and want to bypass/selectively use vpn for whatever reason.
  67. zulu

    zulu Reformed Router Member

    Dear Tomato lovers,

    I followed this thread closely as it is exactly what I am looking for.

    My router (Netgear WNR3500L) is running in gateway/DHCP mode behind (in the DMZ of) my ISP box (modem/router/phone).

    This router runs Tomato Firmware v1.28.9054 MIPSR2-beta K26 USB vpn3.6 in order to be similar to the one used by lfjeff.

    I have carefully followed lfjeff post http://www.linksysinfo.org/forums/showpost.php?p=373431&postcount=43 with nvram erase, hard reset, and reconfigure by hand.

    All seems OK, VPN up and running, etc... but all the connected PCs are routed thru the VPN, even the one with the nvram variable vpn_client1_ip_list=192.168.1.10.

    I am a little puzzled: I must have missed something, but what? I re-read the 7 pages of this thread back and forth without any new ideas.

    Shall I uncheck Redirect Internet traffic? something else?

    Any ideas welcomed! thanks in advance.

    Cheers,
    Zul'
  68. david3

    david3 Networkin' Nut Member

    This selective VPN function is still working great for me. "Redirect Internet traffic" in the Advanced VPN Client tab is unchecked in my configuration, so you may want to give that a try.
  69. darthcheddar

    darthcheddar Reformed Router Member

    Code:
    # route other IPs thru WAN gateway
    if [ "$route_net_gateway" != "" ]
    then
        ip route del default
        ip route add default via $route_net_gateway
    fi
    
    I don't think this works properly. What I noticed is the 'default' route is set up as 0.0.0.0/1, not as "default". So 'ip route del default' won't properly route other IPs through the WAN gateway??
  70. supermags

    supermags Reformed Router Member

    I've followed (hopefully) these instructions very very carefully, and I still can't seem to get it to work... I'm running this firmware on an E4200 router:
    tomato-E4200-NVRAM60K-1.28.7471MIPSR2-Toastman-RT-VPN

    I'm trying to get the router to use VPN only for 192.168.1.91 and 192.168.1.150, but all computers (incl. those) seem to be on my normal WAN (no VPN active)...
    When I remove "route-up /root/vpn_route.sh" and "down /root/vpn_route.sh" from my custom configuration, the VPN works as intended (for all computers), since the script isn't called.

    My log file:

    Attached: log.txt
  71. iainjh

    iainjh Reformed Router Member

    Hi

    I have a Netgear 3500dl running Tomato 1.28. I'm able to connect via OpenVPN and it's very stable; however, I cannot presently get the selective routing (as per the above script) to work. When I try to 'connect' via one of the identified client IPs... nothing seems to happen. Please can someone give me a little advice on how to track the issue down? TIA :)

    My motivation is to have all devices in my LAN connect to the internet via the ISP, but have 2 devices with fixed IPs initiate an OpenVPN session for watching BBC iPlayer etc. I'm a Brit overseas needing UK TV, that's my reason. I was hoping this script would do that, so when I boot the PS3 or iPad (both over wireless with fixed IPs), it would initiate an OpenVPN connection and that wouldn't affect the other devices, which can still connect over the normal ISP route.

    I copied/pasted the script and entered it via telnet, using vi. The script is saved as /root/vpn_route.sh and when I open it up all looks as above. I've done the permissions and rest as per above, I think, and committed to nvram without apparent error. it's

    I can also execute vpn-route.sh without apparent error.. what am I doing wrong, can I post the log here without giving out any private info and would that help?

    my script under INIT looks like this:

    echo "user
    password" > /tmp/openvpn-client1-userpass.conf
    sh /root/vpn_route.sh

    and in custom configuration:
    script-security 2
    ns-cert-type server
    auth-nocache
    auth-user-pass /tmp/openvpn-client1-userpass.conf
    route-up /root/vpn_route.sh
    down /root/vpn_route.sh

    Thanks in advance and extra thanks to lfjeff and contributors of course for what appears to be a great bit of script ;)

    thanks for any pointers! Iain
  72. noyp

    noyp Addicted to LI Member

    hello,
    I've tried everything as per lfjeff, but still my selected IP for the VPN side doesn't work, while the rest of the IP addresses can traverse the WAN.
    I'm running out of ideas why :D

    regards,
    noyp
  73. Dave Rapin

    Dave Rapin Reformed Router Member

    Is the selective script currently working for anyone? If so, can you post your exact firmware version and setup? Thanks!
  74. grahamgo

    grahamgo Guest

    Please guys, add me to this request. I have searched the internet for hours and this thread sounds exactly like what I need. In my case I am in Mexico and want to selectively switch via VPN to watch BBC iPlayer!
  75. syntron

    syntron Reformed Router Member

    guys,

    Is it possible to configure selective routing when using PPTP?
  76. quidagis

    quidagis Reformed Router Member

    Although this thread looks dead :confused::mad:, I'll ask you (and anybody else who has managed to make the script work) anyway.

    Would you, please, be so kind to post your router configuration and the vpn_route.sh script?

    I have tried the vpn_route.sh script from post number 43 to no avail. All it does is delete the tunnel and leave my IP address exposed to the world.
  77. david3

    david3 Networkin' Nut Member

    My vpn_route.sh script looks like the same one in post number 43. Here it is:
    Code:
    #!/bin/sh
    
    if [ "$script_type" == "up" -o "$script_type" == "down" ]
    then
        /rom/openvpn/updown.sh
    fi
    
    if [ "$route_gateway_1" != "" ]
    then
        VPN_IP_LIST=$(nvram get vpn_client1_ip_list)
        VPN_TBL=$(nvram get vpn_tbl_1)
        if [ "$VPN_TBL" == "" ]
        then
            VPN_TBL=101
        fi
    elif [ "$route_gateway_2" != "" ]
    then
        VPN_IP_LIST=$(nvram get vpn_client2_ip_list)
        VPN_TBL=$(nvram get vpn_tbl_2)
        if [ "$VPN_TBL" == "" ]
        then
            VPN_TBL=102
        fi
    fi
    
    export VPN_GW VPN_IP VPN_TBL
    
    # delete rules for IPs not on list
    IP_LIST=`ip rule show|awk '$2 == "from" && $4=="lookup" && $5==ENVIRON["VPN_TBL"] {print $3}'`
    for IP in $IP_LIST
    do
        DEL_IP="y"
        for VPN_IP in $VPN_IP_LIST
        do
            if [ "$IP" == "$VPN_IP" ]
            then
                DEL_IP=
            fi
        done
    
        if [ "$DEL_IP" == "y" ]
        then
            ip rule del from $IP table $VPN_TBL
        fi
    done
    
    # add rules for any new IPs
    for VPN_IP in $VPN_IP_LIST
    do
        IP_LIST=`ip rule show|awk '$2=="from" && $3==ENVIRON["VPN_IP"] && $4=="lookup" && $5==ENVIRON["VPN_TBL"] {print $3}'`
        if [ "$IP_LIST" == "" ]
        then
            ip rule add from $VPN_IP table $VPN_TBL
        fi
    done
    
    if [ "$script_type" == "route-up" ]
    then
        VPN_GW=$route_vpn_gateway
    else
        VPN_GW=127.0.0.1  # if VPN down, block VPN IPs from WAN
    fi
    
    # delete VPN routes
    NET_LIST=`ip route show|awk '$2=="via" && $3==ENVIRON["VPN_GW"] && $4=="dev" && $5==ENVIRON["dev"] {print $1}'`
    for NET in $NET_LIST
    do
        ip route del $NET dev $dev 
    done
    
    # route VPN IPs thru VPN gateway
    if [ "$VPN_IP_LIST" != "" ]
    then
        ip route del default table $VPN_TBL
        ip route add default via $VPN_GW table $VPN_TBL
        logger "Routing $VPN_IP_LIST via VPN gateway $VPN_GW"
    fi
    
    # route other IPs thru WAN gateway
    if [ "$route_net_gateway" != "" ]
    then
        ip route del default
        ip route add default via $route_net_gateway
    fi
    
    ip route flush cache
    
    exit 0
    
    NOTE: When I paste that in, it turns the tabs into spaces, but there are tabs for the indentation on the version that's saved on my router. Not sure if that makes a difference.

    I'm using an Asus N16 router with this version of TomatoUSB:


    I suspect a newer version should still work fine, too. That's just the last time I upgraded the firmware.

    Here's the VPN Client Configuration screens for my setup:


    You might double check to make sure that you've got "vpn_client1_ip_list" set in nvram.

    You can check from the shell:

    nvram get vpn_client1_ip_list

    That should return the list of local client IPs that will be routed through the VPN.

    If it's not set yet, you'd set it like this (replace with the IPs you're using):

    nvram set vpn_client1_ip_list="192.168.1.5 192.168.1.6 192.168.1.7"
    nvram commit

    vpn_route.sh is saved to nvram and permissions are set correctly, too, right?

    Code:
    # ls -al vpn_route.sh
    -rwxr-xr-x    1 root    root          1769 Jan  1  1970 vpn_route.sh
    
    Hope that helps. Everything's still working great for me.
  78. quidagis

    quidagis Reformed Router Member

    @David3

    Hey David.

    Thank you for your detailed reply.

    I have not managed to make it work. Except for a couple options (Redirect internet traffic and Accept DNS configuration) my setup looks much like yours.
    Just in case you can give me a hand, I'm uploading my routing table before and after running the vpn_route script:

    Attached: BEFORE.png and AFTER.png
  79. david3

    david3 Networkin' Nut Member

    You might try unchecking "Redirect Internet traffic" to see if that helps.
  80. quidagis

    quidagis Reformed Router Member

    I tried that already, but no cigar.

    Thank you anyway.
  81. david3

    david3 Networkin' Nut Member

    For what it's worth, I just upgraded the firmware in my N16 to the latest Toastman build (including clearing the NVRAM):

    tomato-K26USB-1.28.7495.1MIPSR2-Toastman-RT-VPN

    And re-input all my settings, and set up this selective VPN again from scratch. It all still works fine for me.
  82. quidagis

    quidagis Reformed Router Member

    Thank you David. I think I'll tweak the script code and see what I get. My guess is the routing table is the issue.
  83. Tunde Oloworaran

    Tunde Oloworaran Network Newbie Member

    I used the script here and it served me well for a little while, until I wanted to add some static routes that didn't work because the script wasn't referencing the main routing tables. I have been able to find a simpler way to do this, including adding IP ranges! The only catch is that the range you specify is the range that doesn't go through your VPN connection. Here's what I did...

    I copied the code below into Administration > Scripts > Init (Tab)

    Code:
    service vpnclient1 start
    ping -c4 localhost
    
    # Clean up by flushing table 4 and deleting all ip rules
    ip route flush table 4
    ip route flush cache
    
    # Create backup of default route table
    ip route show table main > /root/route.isp
    
    # Add rules for all DHCP routes (192.168.1.100 -> 192.168.1.255)
    ip rule add from 192.168.1.100/30 lookup 4
    ip rule add from 192.168.1.104/29 lookup 4
    ip rule add from 192.168.1.112/28 lookup 4
    ip rule add from 192.168.1.128/25 lookup 4
    
    # Flush route cache
    ip route flush cache
    
    # Use original (pre-openvpn) route for table 4
    cat /root/route.isp | while read ROUTE; do ip route add table 4 $ROUTE; done
    
    For a different IP range you would need to update as required.

    The script essentially starts vpn connection on boot and creates a routing table 4 that is used by ip ranges that you don't want to go via vpn gateway.

    It's as simple as that! Remember to remove or comment out "route-up" and "down" in your vpn custom configuration entry.

    Please post back if you have issues with this method.
  84. windozer

    windozer Networkin' Nut Member

    @Tunde Oloworaran, I have "Start with WAN" checked in the Openvpn Client setting. Should I uncheck that option if I had to use the above init-script?

    Edit: lfjeff's script in post #43 is the best for a Tomato user (I mean myself) because you can 'bypass' the OpenVPN client 1 or 2.
    I am still using it with latest (as of today) toastman VPN build.

  85. windozer

    windozer Networkin' Nut Member

    I pasted the script into Notepad2, saved it on my PC as vpn_route.sh, then transferred it to /root. Then I had trouble with the script not running, and as a result all IPs were using the VPN connection. My log showed:
    Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: TUN/TAP device tun11 opened
    Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: TUN/TAP TX queue length set to 100
    Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: /sbin/ifconfig tun11 10.8.0.14 pointopoint 10.8.0.13 mtu 1500
    Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: /sbin/route add -net 69.64.49.238 netmask 255.255.255.255 gw 195.229.244.26
    Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.13
    Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.13
    Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.13
    Feb 27 18:26:24 unknown daemon.warn openvpn[1155]: Route script failed: could not execute external program
    Feb 27 18:26:24 unknown daemon.notice openvpn[1155]: Initialization Sequence Completed

    Then I used WinSCP, created a file in /root with its built-in editor, pasted the script code from lfjeff's post #43 and saved it as vpn_route.sh, and it worked! (Remember to run the nvram setfile2nvram and commit commands again if you edited the existing script like I did.) WinSCP is a fool-proof way if you want to do it right. : D
  86. Tunde Oloworaran

    Tunde Oloworaran Network Newbie Member


    To answer your question: You don't necessarily need to enable "start with wan" as the init scripts run as soon as router is done with background tasks.

    On your comment about bypassing both clients 1 and 2: if the original script works better for you, then stick with it. As I said, it wasn't perfect for me, hence the need for change.

    My situation is that:
    1. I wanted certain devices, e.g. Sonos & WD TV Live streamer, to be always routed through the VPN
    2. I wanted some computers always routed through my ISP
    3. I wanted my laptop routed through the VPN for Hulu, Netflix etc., but I also wanted some local traffic from this laptop routed through my ISP (hence the need to create a static routing table)

    What I found with lfjeff's script is that static routing is always ignored. With my solution I can easily address all my needs, and it is a very simple single-step process.
  87. reddwarf

    reddwarf Network Newbie Member

    Somewhat of a different question, but is there a way to except local servers from the site to site VPN. I tried entering things in the route table, but that doesn't seem to work once the site to site vpn comes up.
  88. paulies

    paulies Network Newbie Member

    Hi,

    I have followed this thread with interest, one question

    Instead of having selected machines' IPs routed through the VPN etc., is it possible to have a single IP go straight through the WAN? My bank does not like VPNs and keeps locking me out, so I need that IP to bypass the VPN. I know this is possible on DD-WRT; I had it working, but since changing to Tomato I can't get this working.

    Can anybody help?

    Thanks Paul
  89. Daniel P.

    Daniel P. Network Newbie Member

    @Tunde Oloworaran
    Works great for my Tomato Firmware v1.28.7500 MIPSR2Toastman-VLAN-RT K26 USB VPN-NOCAT on Netgear WNR3500L/U/v2. Thank you very much. This script takes a lot of the work out of something I'm trying to accomplish.

    Use this website if you have never encountered CIDR before: https://www.countryipblocks.net/create_network_cidr.php

    It will make those 192.168.1.100/30 etc. numbers for you (a.k.a. CIDR).
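The CIDR blocks that Tunde Oloworaran's Init script needs (the four lines covering 192.168.1.100 to 192.168.1.255) and the /31 and /30 pairs Daniel P. got from the CIDR tool can be generated on the router itself. The script below is an added example, not code from either post; it uses only POSIX sh arithmetic (so it also runs in the BusyBox shell on Tomato) and only prints the `ip rule add ... lookup TABLE` lines for review, so nothing is applied to the routing table when you run it.

```shell
#!/bin/sh
# Added example: compute the smallest set of CIDR blocks that exactly covers an
# IPv4 range and print the matching "ip rule add FROM lookup TABLE" lines for
# the Init script above. Pure POSIX sh, no external tools needed.

# Dotted quad -> 32-bit integer. Runs in a subshell so changing IFS stays local.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_cover FIRST LAST: one CIDR block per line covering FIRST..LAST inclusive.
# At each step take the largest block that starts at the current address
# (alignment) and does not run past LAST, then continue after it.
cidr_cover() {
    cur=$(ip2int "$1")
    last=$(ip2int "$2")
    while [ "$cur" -le "$last" ]; do
        prefix=32
        while [ "$prefix" -gt 0 ]; do
            # size of the next-larger block, i.e. prefix length (prefix - 1)
            size=$(( 1 << (33 - prefix) ))
            if [ $(( cur % size )) -ne 0 ] || [ $(( cur + size - 1 )) -gt "$last" ]; then
                break   # not aligned at cur, or would overshoot LAST
            fi
            prefix=$(( prefix - 1 ))
        done
        echo "$(int2ip "$cur")/$prefix"
        cur=$(( cur + (1 << (32 - prefix)) ))
    done
}

# bypass_rules FIRST LAST TABLE: the policy-routing rules for the Init script,
# one per block. Only printed, never executed, so it is safe to run anywhere.
bypass_rules() {
    for cidr in $(cidr_cover "$1" "$2"); do
        echo "ip rule add from $cidr lookup $3"
    done
}

# Usage: sh cidr_rules.sh 192.168.1.100 192.168.1.255 4
if [ $# -eq 3 ]; then
    bypass_rules "$@"
fi
```

Compare the printed lines with what is already in the Init script before pasting them; a range that does not start on a block boundary will be split into several smaller blocks, which is expected.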
  90. quidagis

    quidagis Reformed Router Member

    After struggling to no avail with lfjeff's script, I (finally) managed to figure out a similar procedure to selectively bypass VPN on a Linksys E4200 - Shibby's Tomato Firmware 1.28.0000 MIPSR2-085V K26 USB AIO:

    By default, once a router is running a VPN client, every device using that connection goes through the tunnel. If you want to filter devices to connect via the ISP's IP address, bypassing the VPN, do this:

    Transient solution

    A- Go to TOOLS - SYSTEM - EXECUTE SYSTEM COMMANDS and get the value of wan_gateway by running this command: nvram get wan_gateway
    B- Run a couple more commands:
    ip route add default via (what you got in A) table 10, e.g. ip route add default via 173.234.216.1 table 10
    ip rule add from (IP address you want to filter) table 10, e.g. ip rule add from 192.168.1.10 table 10
    ip route flush cache

    Permanent solution that survives reboots

    1. Go to TOOLS - SYSTEM - EXECUTE SYSTEM COMMANDS and create an nvram variable which will contain a list of the IP addresses you want to filter, like this:

    nvram set no_vpn_lst="192.168.1.11 192.168.1.12 192.168.1.13"
    nvram commit

    2. Download this script from http://pastebin.com/....php?i=nttcdVX3

    3. Copy the script contents and paste to ADMINISTRATION - SCRIPTS - WAN UP, click Save

    4. Reboot

    5. That's it. Now the devices on your NO_VPN_LST list will be routed outside the VPN tunnel.

  91. windozer

    windozer Networkin' Nut Member

    @ quidagis
    Not sure of syntax; I was wondering if it would work like this
    for ipa not in $NO_VPN_LST; do
  92. quidagis

    quidagis Reformed Router Member

    No windozer, it wouldn't work. What the for loop does is populate the table with values that will bypass the VPN tunnel. BTW, the not is not part of the for loop syntax.
  93. shadowken

    shadowken Serious Server Member

    But it's working for me like a charm.
  94. Daniel P.

    Daniel P. Network Newbie Member

    Hey Tunde Oloworaran, reporting back with one issue.

    I created a separate VLAN and SSID using essentially this guide: https://code.google.com/p/tomato-sdhc-vlan/wiki/ExperimentalMultiSSID.

    Upon creation, the new second SSID / VLAN / Bridge would not connect to the WAN. So, I added the new second ip range to the script thus excluding it from the VPN. This seems to have fixed it, however, I thought you might like to know.

    Here is what it looks like:
    # Add rules for all DHCP routes (192.168.29.100 -> 192.168.29.255)
    ip rule add from 192.168.1.90/31 lookup 4
    ip rule add from 192.168.1.92/30 lookup 4
    ip rule add from 192.168.2.96/30 lookup 4
    ip rule add from 192.168.2.2/31 lookup 4
    ip rule add from 192.168.2.4/31 lookup 4

    The 192.168.2.x is the second SSID that I had to add in order to get it to connect to the WAN.

    Like I said, it isn't a big deal for me but others might profit if both VLANs connected through the VPN automatically.
  95. edward3h

    edward3h Network Newbie Member

    I'm trying to do like in post #48 - I want to send certain destination IPs through the VPN, but have other traffic go through the normal ISP connection.

    I understand that I need to add
    Code:
    route-nopull
    route a.b.c.d x.x.x.x
    
    lines in my custom config. However, the list of route IP addresses I have is over 400 lines long, and when I naively pasted it in the box it caused issues which I am guessing were because it was too big for NVRAM. (I have a script which tries to discover all IP ranges for a given list of domains)

    Is the best workaround for this to set up a CIFS mount and read a script from there? I have a fileserver so I can easily add a mount, but how would I tell OpenVPN to use a file there instead of wherever it is currently getting the client configuration?
  96. edward3h

    edward3h Network Newbie Member

    I answered my own question in the end, after doing some research. The config file for openvpn can include a 'config' directive which refers to another file to load.

    So I set up a CIFS mount and I put the file with my routes there. Then in the VPN client 'Custom Configuration' settings on Tomato I add in:
    Code:
    route-nopull
    config /cifs1/openvpn/routes.conf
    
    The routes file I'm using now is actually smaller than the 400 line one, because I decided I didn't need every domain I had put in, so I haven't entirely tested what I was trying to do. But I have a setup which seems to work.
  97. ds408User

    ds408User Network Newbie Member

    I'm hoping someone can help me here. I have a new Asus RT-N66U router with the latest Shibby Tomato on it, and I want to get the script that makes certain internal IPs go over the VPN, as posted above, to work. I have the VPN working, but I can't get the script to work; when I set it up as above, all my computers are still on the VPN even though I only added one to the vpn_client1_ip_list.

    My questions are:

    1. Should I turn on Create NAT on tunnel?
    2. Is the Accept DNS configuration setting important? I currently have it set to disable with a static DNS of 8.8.8.8 and 8.8.4.4.
    3. As you can see from my log below, I am getting a few messages that so far I haven't been able to get rid of. I think they may have something to do with my problem:


    Thanks for any help, I'd love to get this working!
  98. windozer

    windozer Networkin' Nut Member

    @ ds408User: You have to set the file permission of /root/vpn_route.sh to executable. Use the WinSCP program to set the file permission.
  99. ds408User

    ds408User Network Newbie Member

    Thanks for the reply. I logged on with WinSCP and checked the permissions; they are set to 775 as specified in the instructions in post #43, and therefore, as far as I can tell, the script is marked as executable. I have followed all the instructions in post #43 but just can't get it to work properly. Any other ideas? And thanks again for your time.

    chmod 755 /root/vpn_route.sh
    nvram setfile2nvram /root/vpn_route.sh
    nvram commit
  100. bmupton

    bmupton Reformed Router Member

    You should be able to use an ip/subnet in your client ip list, as the route add bit accepts that. So if you wanted to do an IP range, you could do it with something like: 192.168.1.1/25 (that'd give you from IP .1 to .128 as a range).

    (I haven't tested that, of course, but it should work).

    Also, I have a question: if I use this method, will the clients that are set to go through the VPN be able to connect to the Internet if the VPN drops? I want to prevent their access if the VPN drops.

    Another question: I have a couple of virtual wireless interfaces (on br1 (192.168.2.0/24) and br2 (192.168.3.0/24)), and when the VPN connects, those interfaces cannot access the Internet. Is there a way to get them routed through the VPN as well? If I added them to the VPN client list, would they route through the VPN properly? It seems that the VPN client only automatically routes br0 through the VPN, and kills the routes for everything else.

    Ideally I'd like my VPN connected *always* and if it drops those clients that should be routed through it have no access.
