@ ds408User: It might be worthwhile to (in WinSCP) delete the vpn_route.sh file, create a new file (or edit the existing one), paste the contents (using its built-in editor), save, set permissions, do the nvram setfile and nvram commit, and restart (of course). I fixed my "could not execute external.." issue once like that.
Finally solved it, following the instructions in post #43 works (as everyone says), now I have one PC on the VPN, the rest directly connecting through my ISP, and if the VPN is dropped my PC that should only use the VPN loses internet connectivity until the VPN is back. The reason I was getting a script failed error was because I cut and pasted the script from this thread into Notepad and then copied that file using WinSCP to my router. Doing this means it has invalid end of line characters, causing the script to fail. Cutting and pasting it straight into the WinSCP editor and saving it worked! Thanks to everyone and especially thanks to the poster of post #43, I've been looking for how to do this for weeks.
Thanks, I just did that before seeing your idea (what a coincidence) and it worked, so you were right if a few minutes too late
If you have vpn client 1 set up, but connect to vpn client 2, the if statement in your script still grabs the client ip list for client 1. Rather than try to solve this within the script, I just created two scripts with different stuff for this part:

Code:
if [ "$route_gateway_1" != "" ]
then
    VPN_IP_LIST=$(nvram get vpn_client1_ip_list)
    VPN_TBL=$(nvram get vpn_tbl_1)
    if [ "$VPN_TBL" == "" ]
    then
        VPN_TBL=101
    fi
elif [ "$route_gateway_2" != "" ]
then
    VPN_IP_LIST=$(nvram get vpn_client2_ip_list)
    VPN_TBL=$(nvram get vpn_tbl_2)
    if [ "$VPN_TBL" == "" ]
    then
        VPN_TBL=102
    fi
fi

And in the advanced config for each vpn client, call the appropriate script.
Another question: I have created a VLAN on br3 and assigned port 4 on the router to that VLAN. It's on a different subnet than br0 (obviously). br3 is set to 192.168.4.1 and its DHCP server is set to hand out only a single IP address of 192.168.4.2. So, the moment a device is plugged in to port 4 of the router, it's assigned that IP address. The idea was to have a single port on the router that's always routed through the VPN (if it's connected). I tried adding that IP to the vpn_client1_ip_list and firing up the vpn client, but that client can't connect to the internet when the vpn is connected. The question is: what do I need to add, and where, in order to route the client on br3 through the VPN?
After struggling to get everything working, this is my home setup:

ISP modem ==> Linksys E4200 v1 TomatoUSB version 1.28 by Shibby

I wanted two wifi networks; one ISP and one VPN, both on 2.4 and 5 GHz.

Basic settings
WAN/Internet: I route my modem IP to 192.168.1.1
LAN:
br0, STP disabled, 192.168.0.1 255.255.255.0, DHCP, 192.168.0.10 - 254, leasetime 1440
br1, STP disabled, 10.0.0.1 255.255.255.0, DHCP, 10.0.0.2 - 254, leasetime 1440
Wireless eth1 2.4 GHz VPN
Wireless eth2 5 GHz VPN

Advanced - Virtual Wireless
eth1 (wl0), enabled, VPN, Access Point, LAN (br0)
eth1 (wl1), enabled, VPN, Access Point, LAN (br0)
wl0.1, enabled, open, Access Point, LAN (br1)
wl0.2, enabled, open, Access Point, LAN (br1)

VPN client 1
Basic: Start with WAN, Create NAT on tunnel
Advanced: Redirect Internet Traffic, DNS - Exclusive, Connection retry -1
Custom config:
ns-cert-type server (depending on the version of openvpn your vpn provider uses)
keepalive 10 60 (otherwise my vpn connection drops after some time...)

Administration - Scripts - INIT (script from the previous page..., with my br1 routes):

service vpnclient1 start
ping -c4 localhost
# Clean up by flushing table 4 and deleting all ip rules
ip route flush table 4
ip route flush cache
# Create backup of default route table
ip route show table main > /root/route.isp
# Add rules for all DHCP routes (10.0.0.1 -> 10.0.0.255)
ip rule add from 10.0.0.1/32 lookup 4
ip rule add from 10.0.0.2/31 lookup 4
ip rule add from 10.0.0.4/30 lookup 4
ip rule add from 10.0.0.8/29 lookup 4
ip rule add from 10.0.0.16/28 lookup 4
ip rule add from 10.0.0.32/27 lookup 4
ip rule add from 10.0.0.64/26 lookup 4
ip rule add from 10.0.0.128/26 lookup 4
ip rule add from 10.0.0.192/27 lookup 4
ip rule add from 10.0.0.224/28 lookup 4
ip rule add from 10.0.0.240/29 lookup 4
ip rule add from 10.0.0.248/30 lookup 4
ip rule add from 10.0.0.252/31 lookup 4
# Flush route cache
ip route flush cache
# Use original (pre-openvpn) route for table 4
cat /root/route.isp | while read ROUTE; do ip route add table 4 $ROUTE; done

That's it..., any tips are welcome.
That's close to what I want, but I don't want all of my main LAN through the VPN (only one client, the rest of it goes through the ISP as normal). This is why I'm using the method in post #43. The other thing is, this method allows me to still access my router remotely via my ISP, which is a must for my configuration. If I don't use the method from post #43, I lose access to my router externally. All I want, at this point, is to be able to route br3 through the VPN. Everything else is set up and working exactly how I'd like.
I have a DDNS (IP address: use WAN IP) running and can connect externally to my router with the previous setup. When you use bridge 0 for your VPN connection (as I do), and in the VLAN settings only add port 4 to that VLAN, make another VLAN for your main LAN with the rest of the ports? Just trying to help...
Correction: DDNS uses "use external IP address checker". Now I can connect externally using my DDNS name...
I should have been more clear with what I meant when I said I cannot access the router externally. I *can* access it externally, via the VPN, but the location I'm connecting from allows very few ports, SSH is only allowed on port 22 for example. When connected to the VPN, I cannot use port 22 for SSH any longer (My VPN provider allows port forwarding, but only on ports >2048, so I can't use port 22 for SSH) and I can't access my router remotely from this location. Hence my problem. I need my router to be accessible via my ISP, not the VPN, which is what you're describing. Thanks for the added info though, it is appreciated.
I'm one step closer. DNS now resolves on my VLAN that I want to route through the tunnel. I think that's because I'm using dnsmasq as a local DNS server and I have "Accept DNS Configuration" set to disabled. I've also added:

Code:
iptables -t nat -I POSTROUTING -s 192.168.4.0/255.255.255.0 -o tun11 -j MASQUERADE

to my firewall, as I read somewhere (I can't remember where now...soooo many resources and soooo much reading) that the VPN client doesn't add the required rules for NATing bridges other than br0. I still don't have internet access on my VLAN though, so I'm pretty much lost as to what to do.
Solved it! Following the instructions in post #43 to get it selectively routing works perfectly for br0. In order to also send other bridge traffic, you need to add:

Code:
iptables -I FORWARD -i br1 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br1 -j ACCEPT
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

to the firewall. Use whatever bridge interface you have clients on that you want routed through the VPN. So, now I have my main LAN with a single client routed through the VPN, and a VLAN (which I've assigned port 4 on the router to) on which all DHCP clients are routed through the VPN as well. Awesome.
Quite an interesting thread, as I've been looking at this for a Vodafone Sure Signal that won't run behind a VPN. Is there any way that this can be done using the GUI on Tomato?
You could echo the script into that file using the init script instead of uploading it and saving to nvram. I haven't tried it, but it should work. Then on the tools tab you can set up the vpn_client1_ip_list variable (just type the two commands in there and hit save, they'll run) You could even echo the contents of the vpn_route.sh on there and save it to nvram as well if you wanted. Let us know if that works out!
Thanks mate, n00b here....I'll have a whole read of the thread again over a cup of coffee and see what's what with it... I might be back for some more help... I defo need an upgrade to a RTN16 or a RTN66U......
All sorted, thanks "quidagis", had a re-read and sorted it, thanks again for the useful post. All my network except one device goes out via the VPN and the Sure Signal goes out via my normal ISP...cheers
Hey guys, I'm going to be implementing lfjeff's solution (post #43) on my Asus RT-N16 this coming weekend (currently I have something similar working, but more the opposite where I have all traffic going through the VPN and I selectively send traffic, based on IP, to the regular WAN connection—but, since I only want a handful of devices to use VPN and the rest of the network to function as normal, lfjeff's solution will be a lot better/easier to maintain as I add new devices). I'm going to reset my RT-N16 (running the latest TomatoUSB/VPN build for the RT-N16) back to factory/wipe the NVRAM and start fresh. That said, I have a couple of questions I'm hoping someone could answer:

1. What does the WAN connection have to be? Currently, my modem is in bridged mode and so Tomato is handling my PPPoE connection (giving Tomato a dynamic public WAN IP). Is this OK? Or, would I be better off having the modem handle the PPPoE connection, DMZ everything to the Tomato router and have it set with a static WAN IP?

2. Does this solution selectively use DNS based on the route? What I mean is, will VPN traffic use the VPN server's DNS servers and regular WAN traffic use the DNS I specify? With my current solution, no matter what I do, DNS goes through the VPN provider.

3. Is it possible to have the device(s) connected to the VPN connection fall back to the regular connection if VPN goes down? Since I'm basically doing this to access Hulu Plus and Netflix on my Apple TV (I'm in Canada but want to "appear" as though I'm in the USA), if VPN goes down I'd like it to just fall back to my regular internet connection (i.e. Hulu Plus won't work, Netflix will access the Canadian library). This isn't a huge deal though, as I could just change the IP of the Apple TV if the VPN goes down (thus, sending traffic through the regular WAN connection), then set it back to the VPN-based IP when VPN is back up again.

Any advice, etc. much appreciated! Thanks! Kristin.
As a follow up to my question #3 (above), if I changed...

Code:
if [ "$script_type" == "route-up" ]
then
    VPN_GW=$route_vpn_gateway
else
    VPN_GW=127.0.0.1 # if VPN down, block VPN IPs from WAN
fi

to...

Code:
if [ "$script_type" == "route-up" ]
then
    VPN_GW=$route_vpn_gateway
else
    VPN_GW=$route_net_gateway # if VPN down, fallback to WAN
fi

...would this work (i.e. would it provide a fallback to the WAN in the event the VPN connection goes down)? Thanks, Kristin.
And one final question (for now) for those who got lfjeff's solution (post #43) working—in your OpenVPN client settings > Advanced, do you have Accept DNS Configuration enabled or disabled? My VPN provider requires this setting to be enabled, but from what I gather, doing this also negates any other "up" scripts. Would this cause a problem?
Just a quick update, applied lfjeff's solution (post #43) to a fresh Tomato USB-VPN (Tomato Firmware v1.28.9054 MIPSR2-beta K26 USB vpn3.6) tonight on my Asus RT-N16 and it's working like a charm! Just an FYI for anyone getting a "Route script failed: could not execute external program" error in their logs (which I got initially)—I fixed this by copying/pasting the script from these forums directly onto the router (via vi using telnet) and editing it there. Previously, I was first saving the script to my Mac and it just didn't like it. Anyway, thanks again to everyone on this thread—this is exactly what I was looking for!
I'm really hoping someone can help me with this, I've been trying to get this going for 2 days now. I've followed #43 to the best of my abilities, I logged into the router with WinSCP and created the vpn_route.sh file and tried to put it in /root but it gives me a read-only error so it won't let me. In WinSCP I see /<root> as the top level of the tree with 20 subfolders underneath (bin, cifs, cifs2, dev, etc, home, jffs, lib, mmc, mnt, opt, proc, rom, root, sbin, sys, tmp, usr, var, www) and I've tried putting it in various other folders and applying it to nvram with jeff's script. When I do the "check" that David3 provided ("ls -al vpn_route.sh") it never shows up as being under root. I'm really really bad with Linux, so this is very tough for me. I asked a guy at work and he said I might have to go with the jffs to do it. I did a bit of looking around and enabled that, cleared my jffs flash and then was able to put it in that folder, with the same results (nothing). This is killing me because I think I'm close. The OpenVPN works great with my PIA VPN service but of course it sends everything through there. I only want my new smart TV to go through the tunnel at all times. I'm using the following firmware: Tomato Firmware v1.28.7501 MIPSR2Toastman-RT K26 USB VPN and an Asus RT-N16 router. When I do David's check script for "nvram get vpn_client1_ip_list" it shows up with 192.168.1.5, which is the static DHCP binding that I gave my TV, so that's all good. PLEASE can someone tell me how to get that .sh script into root? I would be very grateful at this point.
You're trying to put it in the root of your router, which isn't where you want to put it. You want to create/put the .sh file in root's home. So, in WinSCP, put it in /tmp/home/root or /root (they're the same place—one is an alias of the other I think) and that should work. Also, make sure you make it executable before sending to/committing to nvram:

Code:
chmod 755 /tmp/home/root/vpn_route.sh

Then you should be good to go! I've done this process to two RT-N16 routers in the past month and a half and both worked perfectly! k.
does that command show you what IP addresses are listed as an exception? nvram get vpn_client1_ip_list
@richardvoyageur I never managed to make lfjeff's script work on my Cisco Linksys E4200, however I was lucky enough to find another solution based on iptables rules. Below you will find a little script. Edit as you need (the IP address you gave your TV is already in place - ip_address1="192.168.1.5"), paste the code into ADMINISTRATION - SCRIPTS - WAN Up, reboot the router and you should be all set. Since you're not Linux skilled, you don't have to fiddle with command lines, nvram or any other stuff like that. Good luck!

Code:
## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and assign/change value(s) as needed to customize your rules
#
# ip_range1="192.168.1.200-192.168.1.203"
# ip_range2="192.168.1.8/29"
# ip_range3=""
#
# If your IP addresses don't fall in a contiguous range, you'll need separate rules instead.
ip_address1="192.168.1.5"
# ip_address2="192.168.1.115"
# ip_address3=""
#
# Spotify
# website_dst_range1="78.31.8.1-78.31.15.254"
# website_dst_range2="193.182.8.1-193.182.15.254"
#
# Another website
# website_dst_range3=""
##
# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
# List Contents by line number
#iptables -L PREROUTING -t mangle -n --line-numbers
#
# Delete rules from mangle by line number
#iptables -D PREROUTING type-line-number-here -t mangle
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
# */*
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done
#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
    ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first,
# so all traffic bypasses the VPN and you can configure exceptions afterwards)
# iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# IP_RANGES - Uncomment as necessary
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range2 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range3 -j MARK --set-mark 0

# IP_ADDRESSES - Uncomment as necessary
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address2 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address3 -j MARK --set-mark 0

# Spotify explicitly uses the VPN (note the "$": the variable must be expanded)
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range2 -j MARK --set-mark 0
Quidagis, you are THE man! Thanks a lot for this info. I am going to try it as we speak... I had the same kind of question (even if this post was with a different question originally). I presume many people like me would like the routing selected according to the DESTINATION of the IP. Basically you did it (in theory). Now I am going to try to implement that today! My first task will be to reformat the iptables in my previous post to match this script... then I will post the result here as some others could be interested. Keep in touch please.
Quidagis, I cleaned the code up a bit to make it simpler for a simple test. I will make it more complicated later as my rules are already ready! I added the website whatismyip.org for test purposes as it is cool to have a website that confirms if the VPN is running OK... needs testing now. Please could you confirm this code below: the only thing left to do with this code is (and I quote) to paste the code into ADMINISTRATION - SCRIPTS - WAN Up, reboot the router?

Code:
## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and assign/change value(s) as needed to customize your rules
#
ip_range1="192.168.1.100-192.168.1.199"
# whatismyip.org
website_dst_range1="98.207.0.1-98.207.255.254"
# Spotify
website_dst_range2="78.31.8.1-78.31.15.254"
website_dst_range3="193.182.8.1-193.182.15.254"
# SHELL COMMANDS FOR MAINTENANCE.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done
#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
# Here I assume the OpenVPN tunnel is named "tun11".
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
    ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# whatismyip.org and Spotify explicitly use the VPN
# (the variables need a leading "$", otherwise iptables is handed the literal name)
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range1 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range2 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range3 -j MARK --set-mark 0
@Quidagis I just tried the code below, which is the one you sent, but I cleaned it again! The goal of this one is to have all computers bypass the VPN except the one with the IP 192.168.1.196. But when I put that in, nobody has internet except 192.168.1.196. What am I doing wrong?

Code:
## CUSTOMIZE YOUR SCRIPT VARIABLES
ip_address1="192.168.1.196"
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done
#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
    ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# IP_ADDRESSES - that go in the vpn
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address1 -j MARK --set-mark 0
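The WAN Up scripts in this thread build the same rule set by hand, so a typo (an entry that is not an address, a variable name without its "$") silently becomes a broken iptables line. The script below is an added example, not quidagis's or lfjeff's code, that builds the "mark 1 = bypass VPN, mark 0 = use VPN" rules with input checks and a DRY_RUN mode; it assumes tunnel tun11, LAN bridge br0, table 100 and fwmark 1, and also covers the extra-bridge FORWARD/MASQUERADE rules posted for the VLAN case.

```shell
#!/bin/sh
# Added example (not quidagis's or lfjeff's script): a dry-run-capable builder for the
# "mark 1 = bypass VPN, mark 0 = use VPN" policy routing used in this thread.
# Assumptions (adjust for your router): tunnel tun11, LAN bridge br0, policy table 100,
# fwmark 1. With DRY_RUN=1 the commands are printed instead of executed.

TUN_IF="${TUN_IF:-tun11}"
LAN_IF="${LAN_IF:-br0}"
BYPASS_TBL=100
BYPASS_MARK=1

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if $1 is a dotted-quad IPv4 address (four octets, each 0-255), else 1.
# Anything else (a bare variable name, an empty variable) must not reach iptables.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a single address or an "a.b.c.d-e.f.g.h" range (iptables iprange syntax).
is_ipv4_or_range() {
    case $1 in
        *-*) is_ipv4 "${1%%-*}" && is_ipv4 "${1#*-}" ;;
        *)   is_ipv4 "$1" ;;
    esac
}

# Table 100 = the pre-VPN routes plus a default via the WAN gateway; fwmark 1 selects it.
setup_bypass_table() {
    wan_gw=$1
    is_ipv4 "$wan_gw" || { echo "refusing to use WAN gateway '$wan_gw'" >&2; return 1; }
    run ip route flush table "$BYPASS_TBL"
    run ip rule del fwmark "$BYPASS_MARK" table "$BYPASS_TBL"
    # Copy the non-default, non-tunnel routes from the main table (as the thread's
    # script does); skipped under DRY_RUN because it needs the live kernel table.
    [ -n "$DRY_RUN" ] || ip route show table main | grep -Ev '^default' | grep -Fv "$TUN_IF" \
        | while read -r ROUTE; do ip route add table "$BYPASS_TBL" $ROUTE; done
    run ip route add default table "$BYPASS_TBL" via "$wan_gw"
    run ip rule add fwmark "$BYPASS_MARK" table "$BYPASS_TBL"
    run ip route flush cache
}

# Mangle rules: everything from the LAN bypasses the VPN (mark 1) unless its source is in
# VPN_SRC or its destination is in VPN_DST (space-separated lists; mark 0 = use the VPN).
# Invalid entries are reported and skipped rather than turned into a broken iptables line.
setup_marks() {
    run iptables -t mangle -F PREROUTING
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j MARK --set-mark "$BYPASS_MARK"
    for src in $VPN_SRC; do
        is_ipv4_or_range "$src" || { echo "skipping invalid VPN source '$src'" >&2; continue; }
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m iprange --src-range "$src" -j MARK --set-mark 0
    done
    for dst in $VPN_DST; do
        is_ipv4_or_range "$dst" || { echo "skipping invalid VPN destination '$dst'" >&2; continue; }
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m iprange --dst-range "$dst" -j MARK --set-mark 0
    done
    return 0
}

# A second bridge (e.g. a VLAN on br1) only reaches the tunnel with the FORWARD and
# MASQUERADE rules posted earlier in the thread; the VPN client adds them for br0 only.
allow_bridge_via_tun() {
    run iptables -I FORWARD -i "$1" -o "$TUN_IF" -j ACCEPT
    run iptables -I FORWARD -i "$TUN_IF" -o "$1" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$TUN_IF" -j MASQUERADE
}

# On the router (Administration - Scripts - WAN Up), something like:
#   VPN_SRC="192.168.1.5" VPN_DST="78.31.8.1-78.31.15.254" sh /jffs/selective.sh apply
if [ "$1" = "apply" ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$f"; done
    setup_bypass_table "$(nvram get wan_gateway)" && setup_marks
fi
```

Run it once with DRY_RUN=1 and your own VPN_SRC/VPN_DST to eyeball the rules before letting it touch the router.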
@ quidagis - mate thanks so much for your script (from post no. #90), it works a treat. I have 3 devices that are using my normal ISP and the rest of my devices all going out via the VPN, great work man, and thanks for the script. I just have one question, I would now like to be able to find out what IP addresses are listed. Can I FTP into the router and find an ip table somewhere or is there a command that I can issue on the router? Thanks and sorry to hijack this thread.
@Mowax Wanna find out what IP addresses are listed? You go to TOOLS - SYSTEM and execute: "nvram get no_vpn_lst" --- no quotes, OK? OR... you can edit the script and avoid fiddling with nvram and command lines:

#!/bin/sh
sleep 30
#NO_VPN_LST=`nvram get no_vpn_lst`
NO_VPN_LST="192.168.1.1 192.168.1.2 192.168.1.10 "
# the list must be quoted here, otherwise several addresses make [ -z ... ] fail with "too many arguments"
[ -z "$NO_VPN_LST" ] && exit 0
WAN_GWAY="0.0.0.0"
while [ "$WAN_GWAY" = "0.0.0.0" ]; do
    sleep 3
    WAN_GWAY=`nvram get wan_gateway`
done
ip route add default via $WAN_GWAY table 10
for ipa in $NO_VPN_LST; do
    ip rule add from $ipa table 10
done
ip route flush cache
exit 0

Just use your custom IPAs and you should be all set.
@jbesclapez Good morning J. I'm running your custom script (all I changed is ip_address1 to match my subnet) and everything works as expected. Check your DNS settings in BASIC - NETWORK - STATIC DNS. Mine looks like this:
@quidagis Good evening Q. When you say my custom script, you mean the one from post 129? The funny thing is that your Static DNS are the same as mine. I use both from OpenDNS and one from Google! Also, when I am working on my router I always have an ongoing ping on: 192.168.1.1, google.com, 8.8.8.8. Then I know if I have a local network problem, an internet problem or a DNS problem, just from my command prompt... However, my script is only giving me VPN on 192.168.1.196 and no internet on the other machines. Here is my routing table below (honestly I would love to understand this blabla... I am not Champollion here). Can you see something weird?
Hey J! Yes, your custom script from post 129. The only difference worth mentioning: I have four (4) WAN interfaces. The other difference, my internet connection is via Cable-DHCP, yours is PPPoE. That should not pose a problem as far as I know. Maybe my WAN type being Cable-DHCP creates that extra WAN interface.
You're a lifesaver and a friend for life! This worked brilliantly, could never get jeff's code to work, even with the other hints and help from the rest of the thread. This way is MUCH easier to do, first try success. whatismyip.com is showing the proper proxied IP for the TV and the normal ISP for everything else. SWEET dude. Thanks so much. Anyone wanting to do this should use this method unless proficient with Linux. Actually, just do this one, it's still easier. One cut and paste basically, along with your normal VPN setup from your VPN service. Reboot the router and it comes up golden.
Good morning, Richard! Good to know it's worked out for you. Yes, this method is easier than lfjeff's. Besides, you can filter not just IPAs but ports, protocols and websites too. And the added bonus is that it's all GUI, no command lines to type and no messing around with routing tables / nvram variables. Have a nice day, amigo. P. S. I don't want to take credit for something that is not mine. I forgot to mention it when I first posted the script. My apologies for that. So, give credit where credit is due, I found it here: http://linksysinfo.org/index.php?th...-ports-through-vpn-openvpn.37240/#post-205781
Is it possible to specify a list of domain names that go through the VPN? If you can't specify a domain how do you convert from a domain to a list of IP addresses and keep this list updated? Thanks
I just added a few lines of code to find out what tunnel interface the script will use (tun11 or tun12), here is the whole new script:

Code:
## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and assign/change value(s) as needed to customize your rules
#
# ip_range1="192.168.10.200-192.168.10.203"
# ip_range2="192.168.10.8/29"
# ip_range3=""
#
# If your IP addresses don't fall in a contiguous range, you'll need separate rules instead.
# ip_address1="192.168.10.100"
# ip_address2="192.168.10.115"
# ip_address3=""
#
# Spotify
# website_dst_range1="78.31.8.1-78.31.15.254"
# website_dst_range2="193.182.8.1-193.182.15.254"
# Another website
#
# website_dst_range3=""
##
# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
# List Contents by line number
#iptables -L PREROUTING -t mangle -n --line-numbers
#
# Delete rules from mangle by line number
#iptables -D PREROUTING type-line-number-here -t mangle
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
# */*
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done
#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# Find the tunnel interface (tun11 or tun12) from the routing table.
# "break" keeps the matching name in $tun_if; "exit 0" here would end the
# whole script before any rule is installed.
iface_lst=`route | awk ' {print $8}'`
for tun_if in $iface_lst; do
    if [ "$tun_if" = "tun11" ]; then
        break
    elif [ "$tun_if" = "tun12" ]; then
        break
    fi
done
ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
  | while read ROUTE ; do
    ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first,
# so all traffic bypasses the VPN and you can configure exceptions afterwards)
# iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# IP_RANGES - Uncomment as necessary
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range2 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range3 -j MARK --set-mark 0

# IP_ADDRESSES - Uncomment as necessary
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address2 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address3 -j MARK --set-mark 0

# Spotify explicitly uses the VPN (note the "$": the variable must be expanded)
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range2 -j MARK --set-mark 0
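The tunnel-detection loop above leaves $tun_if holding the last interface in the list whenever neither tun11 nor tun12 is up, and the rest of the script then runs against that wrong name. The function below is an added example, not quidagis's code: it picks the active tunnel from `route -n` output (or from text passed in, so it can be tested offline) and fails with a non-zero status when no tunnel is up; the sample routing tables are constructed.

```shell
#!/bin/sh
# Added example (not quidagis's code): pick the active OpenVPN tunnel interface from
# `route -n` output. Returns non-zero when neither tun11 nor tun12 is up so a WAN-up
# script can stop instead of building rules for the wrong interface.
# $1 is optional routing-table text (used for offline testing); default is live `route -n`.
find_tun_if() {
    routes=${1:-$(route -n 2>/dev/null)}
    for tun in tun11 tun12; do
        # The interface name is the last column of `route -n`; awk exits 0 only if it was seen.
        if printf '%s\n' "$routes" | awk -v want="$tun" '$NF == want { seen = 1 } END { exit seen ? 0 : 1 }'; then
            echo "$tun"
            return 0
        fi
    done
    echo "no OpenVPN tunnel interface (tun11/tun12) is up" >&2
    return 1
}

# Constructed sample of `route -n` on a Tomato router with client 1 (tun11) connected
# and redirect-gateway in effect (the two /1 routes via the tunnel).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun11
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun11
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun11
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0'

# Same table with the tunnel down (constructed).
SAMPLE_NO_TUN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0'

# In the WAN-up script: tun_if=$(find_tun_if) || exit 1, then "grep -Ev $tun_if" as before.
```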
@ quidagis, good work, thanks for sharing. I only found your post by searching for ages on Google, so thanks for posting, and yeah, credit to the OP. I ran that command and can see that I have 2 devices running via the normal ISP and the rest out via the tunnel. I was just wondering, since I ran that command and have those two IP addresses, how would I go about "un-committing" them to nvram so that I can paste them into the script that you posted? I don't mind using FTP or telnet to get into the router if there's a way to do iptables. However, it's cool, I have the 2 devices that I want with static IP addresses doing what I wanted: normal ISP. Thanks again for posting and taking the time to reply bud. Mowax
@Mowax You want to remove no_vpn_lst from nvram? Do this... Go to TOOLS -SYSTEM and execute the two nvram commands below, edit your script to customize your IPAs, save and reboot: "nvram unset no_vpn_lst" --- no quotes "nvram commit" --- no quotes That's all, enjoy!
Hi, I followed Quidagis' script in post #90 and it works great. Awesome work. My setup is as follows:

ISP Modem 192.168.1.1 > DMZ > Tomato Router 192.168.1.2 (modem does not have bridge mode, so had to go down the DMZ route)
Tomato router runs OpenVPN client to commercial VPN provider
Tomato router runs OpenVPN server for remote access purposes (for the purpose of my testing the client I currently have the server switched off)

At first I wanted all my traffic going over the VPN. But my VPN provider doesn't allow incoming ports, and I quickly realized that my SIP VOIP box wouldn't register properly. So I then used Quidagis' script in post #90 to force traffic from the IP of the VOIP box to bypass the VPN and go directly to the ISP. Now the box registers and all is working nicely, thanks! Except two things:

1. I want to be able to remote access my home network from outside, specifically: the remote web admin of the router, a remote web admin of Transmission running on a machine on the LAN, other services running on LAN machines using specific ports etc - all of which have port-forwards set in the router. I would also like to be able to remotely OpenVPN in to the OpenVPN server running on my Tomato router. But as my VPN provider doesn't allow incoming ports I can't "come in" through the VPN tunnel, so it requires my DYNDNS address to resolve to the ISP IP and not the VPN IP. I read bmupton's post #113 which seems to be a solution to a similar issue, but frankly I don't understand it.

2. This is REALLY WEIRD but I swear it's true. All web traffic is going out via the VPN, have checked IP geolocation etc, and all websites work fine. Except one - www.linksysinfo.org! This clearly doesn't make any sense at all, all other websites work fine, have flushed DNS on my computers, but on every machine if I go to www.linksysinfo.org with the VPN connected it never loads, and as soon as I disconnect the VPN, it loads straight away. Any ideas at all?
EDIT - Ignore that - this turned out to be an issue with one particular node of the VPN provider and nothing to do with my router. Thanks
@Everyone using Quidagis' script: please inform us if it is working on your firmware (version) and router (model). Thanks.
I collected some IPs to bypass and I re-ordered them to use them in the script above. However, you will notice that it is a long list. Netflix, for example, uses Amazon EC2 servers... that is why you have many servers. I updated them with the latest info coming directly from Amazon... Please note that I am not 100% sure they are all working... have a try and give us feedback please. Hope it will be useful for some of you.

Code:
    #AMAZON EC2 LIST UPDATED Dec21, 2012
    #Source:https://forums.aws.amazon.com/ann.jspa?annID=1701
    # US East (Northern Virginia):
    website_dst_range1="72.44.32.1-72.44.63.254"
    website_dst_range2="67.202.0.1-67.202.63.254"
    website_dst_range3="75.101.128.1-75.101.255.254"
    website_dst_range4="174.129.0.1-174.129.255.254"
    website_dst_range5="204.236.192.1-204.236.255.254"
    website_dst_range6="184.73.0.1-184.73.255.254"
    website_dst_range7="184.72.128.1-184.72.255.254"
    website_dst_range8="184.72.64.1-184.72.127.254"
    website_dst_range9="50.16.0.1-50.17.255.254"
    website_dst_range10="50.19.0.1-50.19.255.254"
    website_dst_range11="107.20.0.1-107.23.255.254"
    website_dst_range12="23.20.0.1-23.23.255.254"
    website_dst_range13="54.242.0.1-54.243.255.254"
    website_dst_range14="54.234.0.1-54.235.255.254"
    website_dst_range15="54.236.0.1-54.237.255.254"
    website_dst_range16="54.224.0.1-54.225.255.254"
    website_dst_range17="54.226.0.1-54.227.255.254"
    # US West (Oregon):
    website_dst_range18="50.112.0.1-50.112.255.254"
    website_dst_range19="54.245.0.1-54.245.255.254"
    website_dst_range20="54.244.0.1-54.244.255.254"
    # US West (Northern California):
    website_dst_range21="204.236.128.1-204.236.191.254"
    website_dst_range22="184.72.0.1-184.72.63.254"
    website_dst_range23="50.18.0.1-50.18.255.254"
    website_dst_range24="184.169.128.1-184.169.255.254"
    website_dst_range25="54.241.0.1-54.241.255.254"
    # EU (Ireland):
    website_dst_range26="79.125.0.1-79.125.127.254"
    website_dst_range27="46.51.128.1-46.51.191.254"
    website_dst_range28="46.51.192.1-46.51.207.254"
    website_dst_range29="46.137.0.1-46.137.127.254"
    website_dst_range30="46.137.128.1-46.137.191.254"
    website_dst_range31="176.34.128.1-176.34.255.254"
    website_dst_range32="176.34.64.1-176.34.127.254"
    website_dst_range33="54.247.0.1-54.247.255.254"
    website_dst_range34="54.246.0.1-54.246.255.254"
    website_dst_range35="54.228.0.1-54.228.255.254"
    # Asia Pacific (Singapore)
    website_dst_range36="175.41.128.1-175.41.191.254"
    website_dst_range37="122.248.192.1-122.248.255.254"
    website_dst_range38="46.137.192.1-46.137.255.254"
    website_dst_range39="46.51.216.1-46.51.223.254"
    website_dst_range40="54.251.0.1-54.251.255.254"
    # Asia Pacific (Sydney)
    website_dst_range41="54.252.0.1-54.252.255.254"
    # Asia Pacific (Tokyo)
    website_dst_range42="175.41.192.1-175.41.255.254"
    website_dst_range43="46.51.224.1-46.51.255.254"
    website_dst_range44="176.32.64.1-176.32.95.254"
    website_dst_range45="103.4.8.1-103.4.15.254"
    website_dst_range46="176.34.0.1-176.34.63.254"
    website_dst_range47="54.248.0.1-54.249.255.254"
    # South America (Sao Paulo)
    website_dst_range48="177.71.128.1-177.71.255.254"
    website_dst_range49="54.232.0.1-54.232.255.254"
    # netflix
    website_dst_range50="108.175.32.1-108.175.47.254"
    website_dst_range51="208.75.76.1-208.75.79.254"
    website_dst_range52="64.212.0.1-64.215.255.254"
    website_dst_range53="199.92.0.1-199.95.255.254"
    website_dst_range54="206.32.0.1-206.35.255.254"
    website_dst_range55="209.244.0.1-209.247.255.254"
    website_dst_range56="68.142.64.1-68.142.127.254"
    website_dst_range57="69.28.128.1-69.28.191.254"
    website_dst_range58="69.164.0.1-69.164.63.254"
    website_dst_range59="208.111.128.1-208.111.191.254"
    website_dst_range60="128.242.0.1-128.242.255.254"
    website_dst_range61="204.0.0.1-204.3.255.254"
    website_dst_range62="204.141.0.1-204.141.255.254"
    website_dst_range63="204.200.0.1-204.203.255.254"
    website_dst_range64="208.44.0.1-208.47.255.254"
    # hulu
    website_dst_range65="23.32.0.1-23.63.255.254"
    website_dst_range66="23.64.0.1-23.67.255.254"
    website_dst_range67="64.221.0.1-64.221.127.254"
    website_dst_range68="64.221.128.1-64.221.191.254"
    website_dst_range69="64.221.192.1-64.221.223.254"
    website_dst_range70="77.109.170.1-77.109.170.254"
    website_dst_range71="80.239.221.1-80.239.221.254"
    website_dst_range72="92.122.0.1-92.123.255.254"
    website_dst_range73="195.27.0.1-195.27.255.254"
    website_dst_range74="199.127.192.1-199.127.195.254"
    website_dst_range75="208.91.156.1-208.91.159.254"
    website_dst_range76="217.156.128.1-217.156.255.254"
    # mysqueezebox
    website_dst_range77="192.221.0.1-192.221.255.254"
    website_dst_range78="204.160.0.1-204.163.255.254"
    website_dst_range79="205.128.0.1-205.131.255.254"
    website_dst_range80="207.120.0.1-207.123.255.254"
    website_dst_range81="209.84.0.1-209.84.255.254"
    # disney.go.com - WORKS
    website_dst_range82="68.71.208.1-68.71.223.254"
    # Viacom i.e. nick.com and all that crap - WORKS
    website_dst_range83="129.228.0.1-129.228.127.254"
    website_dst_range84="166.77.0.1-166.77.255.254"
    website_dst_range85="206.220.40.1-206.220.43.254"
    website_dst_range86="69.31.132.1-69.31.133.254"
    website_dst_range87="72.246.0.1-72.247.255.254"
    # CBS - WORKS
    website_dst_range88="198.99.118.1-198.99.119.254"
    website_dst_range89="198.99.120.1-198.99.121.254"
    website_dst_range90="198.99.122.1-198.99.122.254"
    # NBC WORKS
    website_dst_range91="66.77.124.1-66.77.124.254"
    # ABC & general Disney range works
    website_dst_range92="199.181.129.1-199.181.129.254"
    website_dst_range93="199.181.130.1-199.181.131.254"
    website_dst_range94="199.181.132.1-199.181.135.254"
    # Disney (ESPN) STILL NOT WORKING!!
    website_dst_range95="68.71.208.1-68.71.223.254"
    website_dst_range96="192.147.170.1-192.147.170.254"
    website_dst_range97="198.105.192.1-198.105.199.254"
    website_dst_range98="69.31.132.1-69.31.133.254"
    website_dst_range99="107.8.0.1-107.15.255.254"
    # FOX NOT WORKING YET!
    website_dst_range100="88.221.94.1-88.221.95.254"
    website_dst_range101="192.204.0.1-192.204.255.254"
    #COMCAST Just got this off the ESPN connection so far
    website_dst_range102="207.223.0.1-207.223.15.254"
    # whatismyip.org
    website_dst_range103="98.207.0.1-98.207.255.254"
    # pandora.com
    website_dst_range104="208.85.40.1-208.85.47.254"
Oops, forgot to add: it would be cool if we could have this in another file that would call the script... I don't know if I am clear... but otherwise the script is going to be too long, right? Unfortunately I don't know how to do this... Let the challenge begin!
@jbesclapez You don't need to call the WAN-up script. You need another script you run from TOOLS - SYSTEM - EXECUTE SYSTEM COMMANDS to add the new rules. Something like this...

Code:
    #!/bin/sh
    clear
    # Destination ranges that must bypass the tunnel (mark 0). The string is
    # word-split by the for loop, so whitespace and newlines both separate entries.
    IPA_list="72.44.32.1-72.44.63.254 67.202.0.1-67.202.63.254 75.101.128.1-75.101.255.254 174.129.0.1-174.129.255.254
    204.236.192.1-204.236.255.254 184.73.0.1-184.73.255.254 184.72.128.1-184.72.255.254 184.72.64.1-184.72.127.254
    50.16.0.1-50.17.255.254 50.19.0.1-50.19.255.254 107.20.0.1-107.23.255.254 23.20.0.1-23.23.255.254
    54.242.0.1-54.243.255.254 54.234.0.1-54.235.255.254 54.236.0.1-54.237.255.254 54.224.0.1-54.225.255.254
    54.226.0.1-54.227.255.254 50.112.0.1-50.112.255.254 54.245.0.1-54.245.255.254 54.244.0.1-54.244.255.254
    204.236.128.1-204.236.191.254 184.72.0.1-184.72.63.254 50.18.0.1-50.18.255.254 184.169.128.1-184.169.255.254
    54.241.0.1-54.241.255.254 79.125.0.1-79.125.127.254 46.51.128.1-46.51.191.254 46.51.192.1-46.51.207.254
    46.137.0.1-46.137.127.254 46.137.128.1-46.137.191.254 176.34.128.1-176.34.255.254 176.34.64.1-176.34.127.254
    54.247.0.1-54.247.255.254 54.246.0.1-54.246.255.254 54.228.0.1-54.228.255.254 175.41.128.1-175.41.191.254
    122.248.192.1-122.248.255.254 46.137.192.1-46.137.255.254 46.51.216.1-46.51.223.254 54.251.0.1-54.251.255.254
    54.252.0.1-54.252.255.254 175.41.192.1-175.41.255.254 46.51.224.1-46.51.255.254 176.32.64.1-176.32.95.254
    103.4.8.1-103.4.15.254 176.34.0.1-176.34.63.254 54.248.0.1-54.249.255.254 177.71.128.1-177.71.255.254
    54.232.0.1-54.232.255.254 108.175.32.1-108.175.47.254 208.75.76.1-208.75.79.254 64.212.0.1-64.215.255.254
    199.92.0.1-199.95.255.254 206.32.0.1-206.35.255.254 209.244.0.1-209.247.255.254 68.142.64.1-68.142.127.254
    69.28.128.1-69.28.191.254 69.164.0.1-69.164.63.254 208.111.128.1-208.111.191.254 128.242.0.1-128.242.255.254
    204.0.0.1-204.3.255.254 204.141.0.1-204.141.255.254 204.200.0.1-204.203.255.254 208.44.0.1-208.47.255.254
    23.32.0.1-23.63.255.254 23.64.0.1-23.67.255.254 64.221.0.1-64.221.127.254 64.221.128.1-64.221.191.254
    64.221.192.1-64.221.223.254 77.109.170.1-77.109.170.254 80.239.221.1-80.239.221.254 92.122.0.1-92.123.255.254
    195.27.0.1-195.27.255.254 199.127.192.1-199.127.195.254 208.91.156.1-208.91.159.254 217.156.128.1-217.156.255.254
    192.221.0.1-192.221.255.254 204.160.0.1-204.163.255.254 205.128.0.1-205.131.255.254 207.120.0.1-207.123.255.254
    209.84.0.1-209.84.255.254 68.71.208.1-68.71.223.254 129.228.0.1-129.228.127.254 166.77.0.1-166.77.255.254
    206.220.40.1-206.220.43.254 69.31.132.1-69.31.133.254 72.246.0.1-72.247.255.254 198.99.118.1-198.99.119.254
    198.99.120.1-198.99.121.254 198.99.122.1-198.99.122.254 66.77.124.1-66.77.124.254 199.181.129.1-199.181.129.254
    199.181.130.1-199.181.131.254 199.181.132.1-199.181.135.254 68.71.208.1-68.71.223.254 192.147.170.1-192.147.170.254
    198.105.192.1-198.105.199.254 69.31.132.1-69.31.133.254 107.8.0.1-107.15.255.254 88.221.94.1-88.221.95.254
    192.204.0.1-192.204.255.254 207.223.0.1-207.223.15.254 98.207.0.1-98.207.255.254 208.85.40.1-208.85.47.254"

    # One mangle rule per range: LAN traffic to that destination gets mark 0
    for web_dst_range in $IPA_list ; do
        iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $web_dst_range -j MARK --set-mark 0
    done

    # Show the resulting chain with line numbers (handy for deleting single rules later)
    iptables -L PREROUTING -t mangle -n --line-numbers
    echo Done!

BTW, something I forgot to mention. Every time you add / delete a rule it takes effect immediately, NO NEED TO REBOOT. That's the beauty of this approach, no messing around with routes / nvram. Simple and elegant.
To make the WAN Up script more flexible, shorter and easier to customize I've added three (3) for loops to build the iptables rules. Link to download below: http://pastebin.com/download.php?i=DasyaL0w
Dear All, I still did not manage to successfully run the script to bypass some addresses! I have been working on it for a while now and I don't know what is wrong! I tried the latest Shibby firmware and now I am testing this on the latest Toastman firmware for my Asus RT-N66U. I am using HMA VPN. It connects OK but the script above is not running... Facts: Running Tomato Firmware v1.28.0501 MIPSR2Toastman-RT-N K26 USB VP. I installed HMA VPN using this tutorial: http://wiki.hidemyass.com/Tomato_OpenVPN_Setup_no._2 so I have in Script init.d:

Code:
    echo -e "YOUR_HMA_ACCOUNT_USRNAME\nYOUR_HMA_ACCOUNT_PASSWORD" > /tmp/userpass.conf
    chmod 600 /tmp/userpass.conf

In the VPN client I have what is in the tutorial. Basically it is working with those settings. VPN is running OK. My basic settings are these: AND the routing table ends up like that: However, I can not run even the basic script from Quidagis! It is sooo frustrating. Please could one of you guide me step by step... just to try a simple script? I am curious what I am doing wrong...
Hey J! Here, take a look at my personal Tomato setup. Some config you can skip (e.g. wireless filter) http://s373.photobucket.com/albums/oo179/quidagis/woodyf/ The most recent Shibby's mod allows you to type your credentials in OpenVPN client configuration by ticking Username/Password Authentication, so, forget about:

Code:
    echo -e "YOUR_HMA_ACCOUNT_USRNAME\nYOUR_HMA_ACCOUNT_PASSWORD" > /tmp/userpass.conf
    chmod 600 /tmp/userpass.conf

and remember you have to remove or comment out "auth-user-pass /tmp/userpass.conf" from / in Custom Configuration. Any questions... just ask. Latest WAN-Up script: http://pastebin.com/download.php?i=sxzipj0v
Quidagis, thanks a lot... really! I do not have time to test that tonight but I will give you feedback tomorrow for sure... Keep in touch.
@Quidagis I tried tonight... still the same problem. I spent 2 hours on it again!! I don't know what I am missing as it should be simple... Quidagis, I would like to ask you a big favor please, but it is the only option I have now... Please could you give me the script, then I would only copy and paste it. Basically, my DHCP is between 192.168.1.100 and 192.168.1.199, and I would like all traffic to Netflix to use the VPN (on any computer). All the other traffic to use the ISP settings. It would really help me if you could do that... I know you did a lot already and I am grateful for that... but I am so frustrated still... I hope you understand. Thanks in advance!
So, all you need is to let all traffic go ISP except one destination website (Netflix). Download your Netflix customized script from: http://pastebin.com/download.php?i=kas04Q9S I removed almost all comments and examples, and copied-pasted the Netflix IPA ranges you posted above (143). Good luck!
Happy me! It is now working... I totally reviewed my network. Here is how it was before and after...

BEFORE: Modem bridged -> Router RT-N66U with VPN
The router was set with PPPoE and VPN. It was working in a "normal" way.
IP: 192.168.1.1
DHCP ON for LAN
PPPoE for WAN
All PCs connect to the RT-N66U.

AFTER: Modem bridged -> Router WRT54G v2.2 -> Router RT-N66U with VPN
Settings of WRT54G:
WAN: PPPoE
LAN: 192.168.1.1/24
NO VPN
Settings of RT-N66U:
WAN: DHCP
LAN: 192.168.2.1/24
VPN ON
All PCs connect to the RT-N66U.

I tested your scripts and they are working OK now. Thanks QUIDAGIS. However (there is always a however with me), I am disappointed that I need to use a second router for that!! I don't understand why it is not working otherwise.... anyone has an explanation? Thanks
No-one else using Quidagis script from post#90? The one that forces all traffic over VPN EXCEPT certain IPs? It's working fine as per my previous post but now can't access anything remotely. Any ideas? Thanks!
Hi Quidagis, I would like to try your script as I'm interested in bypassing the VPN with some of my devices, but I'm running Merlin firmware ver. 3.0.0.4.270.24 on an ASUS RT-N66U router and I couldn't find where to run the script. Do you have any idea? Thanks, Mau
@ Mau Merlin firmware is Tomato-RT based. My piece of advice... flash a full Tomato mod so that you can get OpenVPN. Read as many guides as you can to flash your router and avoid a possible brick. Shibby's mod would be my choice. http://www.shadowandy.net/2012/03/asus-rt-n66u-tomatousb-firmware-flashing-guide.htm http://tomatousb.org/forum/t-513938
Hi Quidagis, Thanks for your advice, but I tried Tomato mod several times and was unable to get OpenVPN connected, but with Merlin firmware I did. Last night I was able to load the script via WinSCP, but bypassing is not working at all. I was making a test with only 1 IP address, but no luck. Do you think it can be the firmware? Even if the Merlin one is Tomato based? I can also try to flash it again with Tomato mod. Regards,
Good morning, M. Maybe it's the software, I can't say for sure. Try to flash again. Besides, Tomato has more options than factory firmware. (Shibby's AIO is the one I flashed. http://tomato.groov.pl/download/K26...ato-K26USB-1.28.RT-N5x-MIPSR2-105-AIO-64K.trx)
Hi Quidagis, I successfully installed Tomato's firmware and the script is running perfectly. Thanks for all!! I have another question that maybe you can guide me on: - Is there a way to have e.g. an iPad connected through the VPN for watching Hulu Plus or Netflix and, when finished, change the connection to go through the ISP instead? I know that changing the IP address is one way to do it, but is there any other "less disturbing" way? Thanks again, Mau
@Mau If all you want is watch Netflix or surf any other specific website: You don't have to worry about changing anything. Just build the rules for that specific website by typing the WEBSITES_IP_RANGES list. The script will do the rest for you. Any device connected to the VPNed router will be able to surf websites on that list. On the other hand if you built a specific rule for your iPad, that's another story. If you did build a rule for the iPad (IP_ADDRS_LST), forget about building that rule, delete it and you're done. You'll still be able to surf the listed websites. Here is the link to download the latest script version: http://pastebin.com/download.php?i=sxzipj0v
Further to my post #141 above, it seems that the script in Quidagis post #90 probably can't do what I want and I should maybe try the latest one eg in the post above. But I can't understand what needs to be modified. Can anyone tell me how I can do the following: 1. Have one LAN device 192.168.0.X route OUTSIDE of the VPN on normal WAN 2. Receive incoming connections on specified ports e.g. Port 1234 through the normal WAN 3. Have the Dynamic DNS client report the WAN address, not the address of the VPN endpoint Anyone? Thanks
1. "Have one LAN device 192.168.0.X route OUTSIDE of the VPN on normal WAN"

Code:
    ## CUSTOMIZE YOUR SCRIPT VARIABLES
    #
    ## Uncomment and set value(s) as needed to customize your rules
    #
    # IP addresses, contiguous range AND/OR individual.
    #
    ip_addrs_lst="192.168.0.X"
    #
    ########################################
    # NO NEED TO CHANGE BELOW THIS LINE
    ########################################

    # Disable reverse-path filtering so marked packets are not dropped when
    # their reply path differs from the main table's default route
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
        echo 0 > $i
    done

    # Start from a clean table 100 and a clean mangle PREROUTING chain
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING

    # Find the OpenVPN tunnel interface (client 1 = tun11, client 2 = tun12)
    iface_lst=`route | awk ' {print $8}'`
    for tun_if in $iface_lst; do
        if [ $tun_if == "tun11" ] || [ $tun_if == "tun12" ]; then
            break
        fi
    done

    # Copy every non-default, non-tunnel route from main into table 100,
    # then give table 100 the ISP gateway as its default route
    ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
        | while read ROUTE ; do
            ip route add table 100 $ROUTE
        done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache

    # I've changed the script's default mark from 0 to 1 - you could delete
    # (comment out) this rule too, the result would be the same.
    # By default ALL TRAFFIC GOES THROUGH VPN (same functionality you get in post #90)
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0

    # IP_ADDRESSES - RANGE(S) AND/OR INDIVIDUAL(S) - $ip_addrs will bypass
    # the VPN tunnel - "NORMAL WAN"
    for ip_addrs in $ip_addrs_lst ; do
        iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_addrs -j MARK --set-mark 1
    done

2. "Receive incoming connections on specified ports e.g. Port 1234 through the normal WAN" You can find lots of documentation on PORT FORWARDING, which is what you need to accomplish what you want. http://www.fclose.com/b/linux/816/port-forwarding-using-iptables/

3. "Have the Dynamic DNS client report the WAN address, not the address of the VPN endpoint" Go to Basic - DDNS - Dynamic DNS - IP address and set Dynamic DNS to: "Use WAN IP Address aa.bb.cc.dd (recommended)". Set Dynamic DNS 1 to match the service of choice.
BTW - My Firmware, Shibby's: Tomato Firmware 1.28.0000 MIPSR2-105 K26 USB AIO
Hi, thanks a lot for your reply. The problem is that I am using the Tomato router connected to a fiber modem. The modem does the connection to the ISP then forwards all ports to the Tomato router as DMZ (the modem does not have bridge mode). So in my case the fiber modem gets the public IP from the ISP, the fiber modem has LAN address of 192.168.1.1, the Tomato router has LAN address from the modem of 192.168.1.2 to which all traffic is DMZed, and the Tomato router gives out client addresses of 192.168.0.x to my devices. So when I am connected to VPN, if I "use external address checker" I get the public IP of the VPN endpoint, and if I "use WAN IP" that just gives me the 192.168.1.1 address of the fiber modem. I know how to do port-forwarding in standard use. But my VPN provider doesn't forward incoming ports on the tunnel, and (as above) I can only get my DDNS to obtain the VPN endpoint public IP, not the public IP of the fiber modem. IF... I could find some way for the DDNS to use the fiber modem public IP, then I would need some way for certain incoming and outgoing ports to bypass the VPN. Does that make sense? Sorry if I'm not describing it well.
The public IP address you get from the ISP... is it dynamic or static? If a static one... no problem, set Dynamic DNS to CUSTOM IP ADDRESS.
Quidagis, Good Day.. I am really happy I found this thread. Thank you for following it. I have zero knowledge of Unix and am just wondering if your script works with VPN Tunneling PPTP? I'm using an E4200 with tomato-E4200-NVRAM60K-1.28.0501.2MIPSR2Toastman-RT-N-VPN.bin and connect with Astrill VPN via the VPN Tunnelling PPTP client, and it's working. They have their own OpenVPN application I can load onto my router with a GUI to work like your script, and that's working too for me. But somehow for my requirement I need PPTP tunneling for faster speed compared to OpenVPN. Thanking you in advance.
@Naitsuga Yes, it should work. I've run a few tests and the script works as expected. However, when I set the PPTP client to START WITH WAN it just sits there and the router freezes, I had to reset 30/30/30 several times.(Maybe it's my firmware version, IDK for sure.) The solution to stay away from freezes, DON'T START PPTP CLIENT WITH WAN and run the script (http://pastebin.com/download.php?i=m1rrG3tj) from TOOLS -SYSTEM - EXECUTE SYSTEM COMMANDS after starting PPTP client manually. Good luck! P. S. Don't forget to customize ip_addrs_lst http://imgur.com/GC6wjDa
Hello Q, I admire you taking your time and helping other people in this forum. Thank you again. I will try the script you gave me in a couple of hours. BTW I have never turned on Start With WAN; it seems to never work with my PPTP either, even without any script (I don't know if it's related to the WAN UP script?). I will report to you ASAP.
Good morning. Are you telling me, PPTP CLIENT is not working? Maybe you should try flashing another firmware version. I'm using Shibby's most recent... http://tomato.groov.pl/download/K26...00USB-NVRAM60K-1.28.RT-N5x-MIPSR2-105-AIO.bin Remember not to run the script in Wan UP - leave it blank, OK? PPTP won't work, at least not on my router. Good day!
Morning Q. What I meant: in the existing setup, Start With WAN was always disabled and Astrill connected and worked. If I enabled it, it didn't work. And with tomato-E4200-NVRAM60K-1.28.0501.2MIPSR2Toastman-RT-N-VPN.bin it didn't work: if I ran your script I got an error, but I forgot to note the error. I searched through your posts for which firmware was working on #90 and got Firmware 1.28.0000 MIPSR2-085V K26 USB AIO, but couldn't find the PPTP client under VPN Tunnelling, so I applied the Mega VPN; I was guessing the AIO lacks the PPTP client sub-menu under VPN Tunneling. So I applied http://tomato.groov.pl/download/K26RT-N/build5x-105-EN/Linksys E-series/tomato-E4200USB-NVRAM60K-1.28.RT-N5x-MIPSR2-105-Mega-VPN.bin and it was working beautifully per your instructions, even though I saw the note:

Nothing to flush. RTNETLINK answers: No such process RTNETLINK answers: No such file or directory

I tried reboot / plug out / erase NVRAM and your script is still there! Your script is a champion!!!! The only thing is, if I reboot the router I need to connect via the PPTP client again and execute your script, and if the router goes down/reboots (without you being aware of it) the IP will be exposed. What I do now: I don't connect the PPTP client via VPN Tunneling but from Basic WAN Setup with TYPE ---> PPTP and keep alive connection, and run your script from Execute System Commands, and it WORKS!!!! Thank you Q, you made my day today.. So I'm not worried about my IP being exposed if the router goes down or reboots; it is always protected. Thank you to all firmware developers too, certainly. So for this solution I think ALL Tomato firmware will work and execute QUIDAGIS' script as simple as 123... I have questions for you: Can I just edit the IP range at the system command and execute again? How can I erase the script without a factory default? Is it possible to run your script automatically after the PPTP connection in Basic WAN Setup has been established..? Thank you, thank you again all, especially you Q. Good Day..
Hey N! "Nothing to flush. RTNETLINK answers: No such process RTNETLINK answers: No such file or directory" No worries about these messages. Since you're connecting from "Basic WAN Setup" try running the script from "WAN Up" so that you don't have to run it manually. It should work with no problem. - Sure you can edit the IP Range and add, delete new rules also. No need to execute the script again, everything is in place when the script runs for the first time. No need to reboot either. The original script has these comment lines you can run from System Command for maintenance:

Code:
    # SHELL COMMANDS FOR MAINTENANCE.
    # DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
    #
    # List Contents by line number
    #iptables -L PREROUTING -t mangle -n --line-numbers
    #
    # Delete rules from mangle by line number
    #iptables -D PREROUTING type-line-number-here -t mangle
    #
    # To list the current rules on the router, issue the command:
    # iptables -t mangle -L PREROUTING
    #
    # Flush/reset all the rules to default by issuing the command:
    # iptables -t mangle -F PREROUTING

You're free to do whatever you need / want. "How can I erase the script without factory default?" What you type at System Command is transient (unless committed to nvram, which is not the case), no need to delete anything. On the other hand, if you type/paste the script to WAN Up, just delete, save blank and reboot. Enjoy! http://pastebin.com/download.php?i=sxzipj0v
Good Evening Q. You are the Champ, it WORKS!!!! After specifying the IPA for VPN only, I ran all your script at WAN UP and saved. The thing is, every time I make a change at Basic setup the router freezes (can't access the router, need a power cycle), and after that your script works flawlessly; I suspect the firmware is not stable yet. It is also the same thing if I save the script after editing. But if I reboot the router on purpose it works, but will lose DNS, so just go to Status and do Disconnect and Connect => and your script is working after WAN PPTP is connected. I will try to change my firmware per your link above. Do you know what Shibby AIO is specified for? I want to activate a Samba server later. Do you think your script will work with DD-WRT?

So the solution for a PPTP Client Setup where only selected devices/IPs go to the VPN is:
- Set the PPTP client via Basic WAN Setup (make sure it is working and connected to our VPN provider)
- Edit the necessary IP or IP range of the devices we want to pass via VPN in Quidagis's script http://pastebin.com/download.php?i=sxzipj0v
- Run the script by cut and paste from ADMIN ==> Scripts ==> WAN UP and Save, and the script will run automatically, or reboot (in my case).
- We don't need to worry about exposing an IP which is specified for VPN but goes through the regular ISP: if the VPN goes down or the router reboots by itself, the script will run automatically after WAN is connected (sometimes we are not aware that our device is actually connected through the regular ISP instead of the VPN tunnel).

This solution would not have happened without Quidagis; the credit all goes to him. Thank you again, Q
Good morning N. I've come to the conclusion that freezes are the result of PPTP taking long to connect. Changing firmware might not solve that issue, give it a shot though, maybe you're lucky. Shibby's All_In_One has all Tomato bells and whistles, Samba included. I haven't tried on DD-WRT yet. If you can get a K26 firmware it might work. IDK for sure. lfjeff on post # 31 says "..., as the K24 version does not implement the "ip rule" commands correctly. " http://www.linksysinfo.org/index.php?threads/any-way-to-bypass-vpn-selectively.33468/#post-164681 BTW, the credit for the script is not mine. I just changed/added a few lines here and there, that's all. http://linksysinfo.org/index.php?th...-ports-through-vpn-openvpn.37240/#post-205781
I have a related question. I want to route the internet traffic of one machine on my server lan through the VPN to a client lan. I have multiple site-to-site clients connecting to the server. How would I go about doing that. I have been mucking around with the scripts in this thread but not been able to make it work. Thanks!
Out of curiosity, has anyone been able to get ljeff's script from post 43 (http://www.linksysinfo.org/index.php?threads/any-way-to-bypass-vpn-selectively.33468/#post-164693) to work with multiple VPN tunnels? ie) some devices on tun11, some on tun12, everything else on WAN?
Q, when i did read your post, i had to think of all that... it took me another half a day to redo all that!! Thanks Q. I dont know why i was even installing the other routeur... it made the overall more complicated. I now connected my Modem directly to the routeur. Should i activate the Firewall on the modem? It is on a different subdomain, like modem is 192.168.0.1 and the routeur is 192.168.1.2 Is that OK.? I mean... it works, but i want to be sure in terms of security!
The part that tells it which tunnel device to use (near the top of the script) will ALWAYS return tun11 if vpn_client1_ip_list is set, so what I did was create two scripts, identical except for that bit, and call them individually in the clients. I have not tried running both tunnels simultaneously, though. I imagine that firing up the second tunnel will destroy the routing for the first tunnel, but maybe not. I only have one VPN provider and can only make a single connection, so I cannot test.
If your modem is in bridge mode, then it is passing all data straight through to the router. The only firewall in operation will be Tomato's.
Hi T and Q! The modem is not in bridge mode. It seems not to work with the VPN otherwise... So I will set the firewall on the modem. The strange thing is that then there are 2 firewalls: one on the modem and one on the router (I exclude the ones on the PCs...). It seems strange to me... that's all I wanted to say.
Luckily enough my VPN provider allows multiple concurrent logins under a single account, so I can have a US exit for the PCs and occasionally put the Xbox on a European exit node for NHL GameCenter at the same time (ergo needing two clients open). But, on to the good news..... I got it! Haven't coded in about 10 years, and have near zero experience with Linux/netfilter/iptables, but it works. As you said, it requires two different scripts. I inserted some logging and it turns out that even with both VPN clients up, whichever client is started second still returns $route_gateway_1 as its gateway even if the first client is connected. Please keep in mind the scripts are large (about 4k each, though they could be trimmed since they include the logging commands) so I had to save them in jffs. Please note that I do not feel anywhere near competent enough to answer any questions regarding debugging and such, but I wanted to include them here in case anyone is looking for a similar solution to mine. I've included the two scripts as well as the logfile outputs for each below; hopefully people can put them to use. In order to help, the start/stop order was: start client 1, start client 2, stop client 1, stop client 2. The scripts should be used in the same way as ljeff said in post 43, you just wind up with one script specific to VPN client 1, and one specific to VPN client 2.

VPN Client 1 script: http://pastebin.com/NvAtmAb9
VPN Client 2 script: http://pastebin.com/SG7asKMw
VPN Client 1 log output: http://pastebin.com/iv9swxAH
VPN Client 2 log output: http://pastebin.com/dcUQC41q

I would have loved to include everything as inline code; unfortunately I was WAY over the 15k post limit. Anyway, good luck to everyone else!
On Cisco routers/switches you can define "interesting traffic" using ACLs, and that traffic goes through the VPN. For example, 172.16.0.1/24 to 192.168.0.1/24 could be defined as interesting traffic and would be sent over the VPN, whereas 172.16.0.1/24 to anywhere else would go to the open internet rather than through the VPN tunnel. This allows you to truly bridge two private networks. Any idea if this kind of functionality already exists or could be integrated into Tomato? I'm not a programmer, otherwise I'd work on it myself.
You mean like exactly what's being done here?
http://www.linksysinfo.org/index.ph...-ports-through-vpn-openvpn.37240/#post-223922
http://www.linksysinfo.org/index.ph...-ports-through-vpn-openvpn.37240/#post-223956
Read some of the other comments in that thread as well. You can "mark" traffic based on criteria (source/destination), then do something based on those marks. Linux iptables already has this capability.
Well, I'm trying to refine my VPN rules and went with quidagis' script, as I am really looking more to only put BitTorrent and traffic to SOCKS5 proxies (receiving on port 1080) onto the VPN. So my setup is as follows (four PCs total):
192.168.1.100: BitTorrent only on VPN (set to send traffic only on ports 53500-53524) - will need both TCP and UDP traffic
192.168.1.210: BitTorrent only on VPN (set to send traffic only on ports 53525-53549) - will need both TCP and UDP traffic
192.168.1.220: BitTorrent only on VPN (set to send traffic only on ports 53550-53574) - will need both TCP and UDP traffic
192.168.1.250: All traffic on VPN
So with quidagis' script, it looks as if my iptables rules should be:
Code:
    # Traffic to SOCKS5 proxy:
    iptables -t mangle -A PREROUTING -i br0 --dport 1080 -j MARK --set-mark 0
    # Outgoing BitTorrent traffic (ports 53500-53574)
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport 53500:53574 -j MARK --set-mark 0
    # Traffic from PC 192.168.1.250
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.250 -j MARK --set-mark 0
Is this correct?
No, it doesn't look correct. I believe if you tried that you'd get an error from the iprange module stating that you're not giving it correct syntax. See subsequent posts in that thread, specifically these:
http://www.linksysinfo.org/index.ph...-ports-through-vpn-openvpn.37240/#post-223966
http://www.linksysinfo.org/index.ph...-ports-through-vpn-openvpn.37240/#post-223972
Basically, there's no point in using the iprange module in 99% of cases out there. Get rid of it and just use -s (--src) or -d (--dst) for matching against source or destination addresses or network ranges in CIDR format. Also, I don't know if you can accomplish what you're doing based on source address given how the NAT layer works. You'd have to experiment/try.
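As an added example (not from this thread or from quidagis' script), here is the "mark, then route on the mark" approach from the two posts above written as shell functions: the mangle rules use -s with a CIDR and -p with multiport instead of iprange, and a fwmark ip rule sends marked packets to a VPN routing table. The fwmark value (1), table number (101), VPN interface (tun11) and the DRYRUN switch are assumptions; they must agree with whatever the router's own VPN script uses.

```shell
#!/bin/sh
# Added example: policy routing by fwmark. Assumed values below; DRYRUN=1
# (the default) only prints the commands, DRYRUN=0 executes them as root.
FWMARK=1        # assumed mark value for "send via VPN"
VPN_TBL=101     # assumed routing table (vpn_tbl_1 style)
VPN_IF=tun11    # assumed OpenVPN client interface
DRYRUN=${DRYRUN:-1}

run() { if [ "$DRYRUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# mark_by_src <host-or-cidr>: all traffic from this LAN address/network.
# A bare host is normalised to /32 so the rule is always in CIDR form.
mark_by_src() {
    case "$1" in */*) net=$1 ;; *) net="$1/32" ;; esac
    run iptables -t mangle -A PREROUTING -i br0 -s "$net" -j MARK --set-mark "$FWMARK"
}

# mark_by_sport <proto> <from:to>: traffic leaving from a source-port range
# (e.g. BitTorrent); call once for tcp and once for udp.
mark_by_sport() {
    run iptables -t mangle -A PREROUTING -i br0 -p "$1" -m multiport --sports "$2" -j MARK --set-mark "$FWMARK"
}

# mark_by_dport <proto> <port>: traffic to one remote service (e.g. SOCKS5).
mark_by_dport() {
    run iptables -t mangle -A PREROUTING -i br0 -p "$1" --dport "$2" -j MARK --set-mark "$FWMARK"
}

# route_marked: marked packets consult VPN_TBL, whose default route is the tunnel.
route_marked() {
    run ip rule add fwmark "$FWMARK" table "$VPN_TBL"
    run ip route add default dev "$VPN_IF" table "$VPN_TBL"
    run ip route flush cache
}

# apply_policy: the four-PC setup from the post above, in the corrected syntax.
apply_policy() {
    mark_by_dport tcp 1080            # SOCKS5 proxy traffic
    mark_by_sport tcp 53500:53574     # BitTorrent, TCP
    mark_by_sport udp 53500:53574     # BitTorrent, UDP
    mark_by_src 192.168.1.250         # whole host on the VPN
    route_marked
}

apply_policy
```

Rules added in mangle PREROUTING still see the LAN source address, which is why the -s match works there; whether a given router build honours the mark for NAT'd traffic is the open question the reply above raises.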
