
Any way to bypass VPN selectively?

Discussion in 'Tomato Firmware' started by david3, Dec 26, 2010.

  1. windozer

    windozer Networkin' Nut Member

    @ ds408User: It might be worthwhile to (in WinSCP) delete the vpn_route.sh file, create a new file (or edit the existing one), paste the contents (using its built-in editor), save, set the permission, and do the nvram setfile and nvram commit, and restart (of course). I fixed my "could not execute external.." issue once like that.
     
  2. ds408User

    ds408User Serious Server Member

     
  3. ds408User

    ds408User Serious Server Member

    Finally solved it, following the instructions in post #43 works (as everyone says :)), now I have one PC on the VPN, the rest directly connecting through my ISP, and if the VPN is dropped my PC that should only use the VPN loses internet connectivity until the VPN is back.

    The reason I was getting a script failed error was because I cut and pasted the script from this thread into Notepad and then copied that file using WinSCP to my router. Doing this means it has invalid end-of-line characters, causing the script to fail. Cutting and pasting it straight into the WinSCP editor and saving it worked!

    Thanks to everyone and especially thanks to the poster of post #43, I've been looking for how to do this for weeks.
     
  4. ds408User

    ds408User Serious Server Member

    Thanks, I just did that before seeing your idea (what a coincidence) and it worked, so you were right if a few minutes too late :)
     
  5. bmupton

    bmupton Serious Server Member

    If you have vpn client 1 set up, but connect to vpn client 2, the if statement in your script still grabs the client ip list for client 1.

    Rather than try to solve this within the script, I just created two scripts with different stuff for this part:

    Code:
    if [ "$route_gateway_1" != "" ]
    then
        VPN_IP_LIST=$(nvram get vpn_client1_ip_list)
        VPN_TBL=$(nvram get vpn_tbl_1)
        if [ "$VPN_TBL" == "" ]
        then
            VPN_TBL=101
        fi
    elif [ "$route_gateway_2" != "" ]
    then
        VPN_IP_LIST=$(nvram get vpn_client2_ip_list)
        VPN_TBL=$(nvram get vpn_tbl_2)
        if [ "$VPN_TBL" == "" ]
        then
            VPN_TBL=102
        fi
    fi
    And in the advanced config for each vpn client, call the appropriate script.
     
  6. bmupton

    bmupton Serious Server Member

    Another question:

    I have created a VLAN on br3 and assigned port 4 on the router to that VLAN. It's on a different subnet than br0 (obviously). br3 is set to 192.168.4.1 and its DHCP server is set to hand out only a single IP address of 192.168.4.2. So, the moment a device is plugged in to port 4 of the router, it's assigned that IP address. The idea was to have a single port on the router that's always routed through the VPN (if it's connected).

    I tried adding that IP to the vpn_client1_ip_list and firing up the VPN client, but that client can't connect to the internet when the VPN is connected.

    The question is: what do I need to add and where in order to route the client on br3 through the VPN?
     
  7. nldeluxe

    nldeluxe Serious Server Member

    After struggling to get everything working, this is my home setup:
    ISP modem ==> Linksys E4200 v1 TomatoUSB version 1.28 by Shibby
    I wanted two wifi networks; one ISP and one VPN, both on 2.4 and 5 GHz

    Basic setting
    WAN/Internet
    I route my modem ip to 192.168.1.1

    LAN
    br0, STP disabled, 192.168.0.1 255.255.255.0, DHCP, 192.168.0.10 - 254, leasetime 1440
    br1, STP disabled, 10.0.0.1 255.255.255.0, DHCP, 10.0.0.2 - 254, leasetime 1440

    Wireless eth1
    2.4 GHz
    VPN

    Wireless eth2
    5GHZ
    VPN

    Advanced - Virtual Wireless
    eth1 (wl0), enabled, VPN, Access Point, LAN (br0)
    eth1 (wl1), enabled, VPN, Access Point, LAN (br0)
    wl0.1, enabled, open, Access Point, LAN (br1)
    wl0.2, enabled, open, Access Point, LAN (br1)

    VPN client 1
    Basic
    Start with WAN
    Create NAT on tunnel

    Advanced
    Redirect Internet Traffic
    DNS - Exclusive
    Connection retry -1
    Custom config
    ns-cert-type server (depending on the version of openvpn your vpn provider uses)
    keepalive 10 60 (otherwise my VPN connection drops after some time...)

    Administration
    Scripts
    INIT (script from the previous page..., with my br1 routes)
    Code:
    service vpnclient1 start
    ping -c4 localhost

    # Clean up by flushing table 4 and deleting all ip rules
    ip route flush table 4
    ip route flush cache

    # Create backup of default route table
    ip route show table main > /root/route.isp

    # Add rules for all DHCP routes (10.0.0.1 -> 10.0.0.255)
    ip rule add from 10.0.0.1/32 lookup 4
    ip rule add from 10.0.0.2/31 lookup 4
    ip rule add from 10.0.0.4/30 lookup 4
    ip rule add from 10.0.0.8/29 lookup 4
    ip rule add from 10.0.0.16/28 lookup 4
    ip rule add from 10.0.0.32/27 lookup 4
    ip rule add from 10.0.0.64/26 lookup 4
    ip rule add from 10.0.0.128/26 lookup 4
    ip rule add from 10.0.0.192/27 lookup 4
    ip rule add from 10.0.0.224/28 lookup 4
    ip rule add from 10.0.0.240/29 lookup 4
    ip rule add from 10.0.0.248/30 lookup 4
    ip rule add from 10.0.0.252/31 lookup 4

    # Flush route cache
    ip route flush cache

    # Use original (pre-openvpn) route for table 4
    cat /root/route.isp | while read ROUTE; do ip route add table 4 $ROUTE; done

    That's it..., any tips are welcome.
     
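    The thirteen ip rule lines above are the minimal set of CIDR blocks that cover 10.0.0.1 through 10.0.0.253, split by hand. The sh script below is an added example (mine, not from anyone in this thread) that computes that cover for any start and end address and prints the matching ip rule lines for a chosen table; it only prints commands and never calls ip, so the output can be checked before it goes into the INIT script. Table 4 and the 10.0.0.x addresses are the ones from the post above.

```shell
#!/bin/sh
# Added example: turn an IP range into the minimal list of CIDR blocks and
# print "ip rule add from <cidr> lookup <table>" lines for a policy-routing
# table (table 4 in the thread). Pure text generation: nothing here calls ip
# or touches the router, so the output can be reviewed first.

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the minimal CIDR cover of [start_ip, end_ip], one block per line.
# At each step take the largest block that is aligned at 'start' and still
# fits inside the range, then advance past it.
range_to_cidr() {
    start=$(ip2int "$1")
    end=$(ip2int "$2")
    [ "$start" -le "$end" ] || { echo "range_to_cidr: start is after end" >&2; return 1; }
    while [ "$start" -le "$end" ]; do
        prefix=32
        # try to widen the block one bit at a time (prefix - 1)
        while [ "$prefix" -gt 0 ]; do
            size=$(( 1 << (33 - prefix) ))      # size of a (prefix-1) block
            if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break
            fi
            prefix=$(( prefix - 1 ))
        done
        echo "$(int2ip "$start")/$prefix"
        start=$(( start + (1 << (32 - prefix)) ))
    done
}

# Print the ip rule commands for a range and a routing table number.
emit_rules() {
    range_to_cidr "$1" "$2" | while read -r cidr; do
        echo "ip rule add from $cidr lookup $3"
    done
}

# Usage: sh cidr_rules.sh <start_ip> <end_ip> [table]   (table defaults to 4)
if [ $# -ge 2 ]; then
    emit_rules "$1" "$2" "${3:-4}"
fi
```

Running it for 10.0.0.1 10.0.0.253 reproduces the thirteen lines of the post exactly, while 10.0.0.0 10.0.0.255 collapses to a single 10.0.0.0/24 rule.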
  8. bmupton

    bmupton Serious Server Member

    That's close to what I want, but I don't want all of my main LAN through the VPN (only one client, the rest of it goes through ISP as normal). This is why I'm using the method in post #43. The other thing is, this method allows me to still access my router remotely via my ISP, which is a must for my configuration. If I don't use the method from post #43, I lose access to my router externally.

    All I want, at this point, is to be able to route br3 through the VPN. Everything else is set up and working exactly how I'd like.
     
  9. nldeluxe

    nldeluxe Serious Server Member

    I have a DDNS (IP address: use WAN IP) running and can connect externally to my router with the previous setup.
    When you use bridge 0 for your VPN connection (as I do), and in the VLAN settings only add port 4 to that VLAN, make another VLAN for your main LAN with the rest of the ports?


    Just trying to help...
     
  10. nldeluxe

    nldeluxe Serious Server Member

    Correction: DDNS uses "use external IP address checker"
    Now I can connect externally using my ddns name...
     
  11. bmupton

    bmupton Serious Server Member

    I should have been more clear with what I meant when I said I cannot access the router externally. I *can* access it externally, via the VPN, but the location I'm connecting from allows very few ports, SSH is only allowed on port 22 for example. When connected to the VPN, I cannot use port 22 for SSH any longer (My VPN provider allows port forwarding, but only on ports >2048, so I can't use port 22 for SSH) and I can't access my router remotely from this location.

    Hence my problem.

    I need my router to be accessible via my ISP, not the VPN, which is what you're describing.

    Thanks for the added info though, it is appreciated.
     
  12. bmupton

    bmupton Serious Server Member

    I'm one step closer. DNS now resolves on my VLAN that I want to route through the tunnel. I think that's because I'm using dnsmasq as a local DNS server and I have "Accept DNS Configuration" set to disabled.

    I've also added:
    Code:
    iptables -t nat -I POSTROUTING -s 192.168.4.0/255.255.255.0 -o tun11 -j MASQUERADE
    To my firewall, as I read somewhere (I can't remember where now...soooo many resources and soooo much reading) that the VPN client doesn't add the required rules for NATing bridges other than br0.

    I still don't have internet access on my VLAN though, so I'm pretty much lost as to what to do.
     
  13. bmupton

    bmupton Serious Server Member

    Solved it!

    Following the instructions in post #43 to get it selectively routing works perfectly for br0. In order to also send other bridge traffic, you need to add:

    Code:
    iptables -I FORWARD -i br1 -o tun11 -j ACCEPT
    iptables -I FORWARD -i tun11 -o br1 -j ACCEPT
    iptables -I INPUT -i tun11 -j REJECT
    iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE
    
    to the firewall. Use whatever bridge interface you have clients on that you want routed through the VPN. So, now I have my main LAN with a single client routed through the VPN, and a VLAN, to which I've assigned port 4 on the router, where all DHCP clients are routed through the VPN as well.
    Awesome.
     
  14. bmupton

    bmupton Serious Server Member

    Read post #43 again
     
  15. Mowax

    Mowax Serious Server Member

    Quite an interesting thread, as I've been looking at this for a Vodafone Sure Signal that won't run behind a VPN. Is there any way that this can be done using the GUI on Tomato?
     
  16. bmupton

    bmupton Serious Server Member

    You could echo the script into that file using the init script instead of uploading it and saving to nvram. I haven't tried it, but it should work.

    Then on the tools tab you can set up the vpn_client1_ip_list variable (just type the two commands in there and hit save, they'll run)

    You could even echo the contents of the vpn_route.sh on there and save it to nvram as well if you wanted.

    Let us know if that works out!
     
  17. Mowax

    Mowax Serious Server Member

    Thanks mate, n00b here....I'll have a whole read of the thread again over a cup of coffee and see what's what with it... I might be back for some more help... I defo need an upgrade to a RTN16 or a RTN66U......
     
  18. Mowax

    Mowax Serious Server Member

    all sorted, thanks "quidagis" had a re-read and sorted it thanks again for the useful post. :)

    all my network except one of them goes out via the VPN and the suresignal out via my normal isp...cheers
     
  19. theboyk

    theboyk Serious Server Member

    Hey guys,


    I'm going to be implementing lfjeff's solution (post #43) on my Asus RT-N16 this coming weekend (currently I have something similar working, but more the opposite where I have all traffic going through the VPN and I selectively send traffic, based on IP, to the regular WAN connection—but, since I only want a handful of devices to use VPN and the rest of the network to function as normal, lfjeff's solution will be a lot better/easier to maintain as I add new devices).

    I'm going to reset my RT-N16 (running the latest TomatoUSB/VPN build for the RT-N16) back to factory/wipe the NVRAM and start fresh. That said, I have a couple questions I'm hoping someone could answers:

    1. What does the WAN connection have to be? Currently, my modem is in bridged mode and so Tomato is handling my PPPoE connection (giving Tomato a dynamic public WAN IP). Is this OK? Or, would I be better off having the modem handle the PPPoE connection, DMZ everything to the Tomato router and have it set with a static WAN IP?

    2. Does this solution selectively use DNS based on the route? What I mean is, will VPN traffic use the VPN server's DNS servers and regular WAN traffic use the DNS I specify? With my current solution, no matter what I do, DNS goes through the VPN provider.

    3. Is it possible to have the device(s) connected to the VPN connection fall back to the regular connection if VPN goes down? Since I'm basically doing this to access Hulu Plus and Netflix on my Apple TV (I'm in Canada but want to "appear" as though I'm in the USA), if VPN goes down I'd like it to just fall back to my regular internet connection (ie. Hulu Plus won't work, Netflix will access the Canadian library). This isn't a huge deal though, as I could just change the IP of the Apple TV if the VPN goes down (thus, sending traffic through the regular WAN connection), then set it back to the VPN-based IP when VPN is back up again.

    Any advice, etc. much appreciated!

    Thanks!
    Kristin.
     
  20. theboyk

    theboyk Serious Server Member

    As a follow up to my question #3 (above), if I changed...

    Code:
    if [ "$script_type" == "route-up" ]
    then
        VPN_GW=$route_vpn_gateway
    else
        VPN_GW=127.0.0.1  # if VPN down, block VPN IPs from WAN
    fi
    to...

    Code:
    if [ "$script_type" == "route-up" ]
    then
        VPN_GW=$route_vpn_gateway
    else
        VPN_GW=$route_net_gateway  # if VPN down, fallback to WAN
    fi
    ...would this work (i.e. would it provide a fallback to the WAN in the event the VPN connection goes down)?

    Thanks,
    Kristin.
     
  21. theboyk

    theboyk Serious Server Member

    And one final question (for now) for those who got lfjeff's solution (post #43) working—in your OpenVPN client settings > Advanced, do you have Accept DNS Configuration enabled or disabled? My VPN provider requires this setting to be enabled, but from what I gather, doing this also negates any other "up" scripts. Would this cause a problem?
     
  22. theboyk

    theboyk Serious Server Member

    Just a quick update, applied lfjeff's solution (post #43) to a fresh Tomato USB-VPN (Tomato Firmware v1.28.9054 MIPSR2-beta K26 USB vpn3.6) tonight on my Asus RT-N16 and it's working like a charm!

    Just an FYI for anyone getting a "Route script failed: could not execute external program" error in their logs (which I got initially)—I fixed this by copying/pasting the script from these forums directly onto the router (via vi using telnet) and editing it there. Previously, I was first saving the script to my Mac and it just didn't like it.

    Anyway, thanks again to everyone on this thread—this is exactly what I was looking for!
     
  23. richardvoyageur

    richardvoyageur Serious Server Member

    I'm really hoping someone can help me with this, I've been trying to get this going for 2 days now. I've followed #43 to the best of my abilities, I logged into the router with WinSCP and created the vpn_route.sh file and tried to put it in /root but it gives me a read-only error so it won't let me. In WinSCP I see /<root> as the top level of the tree with 20 subfolders underneath (bin, cifs, cifs2, dev, etc, home, jffs, lib, mmc, mnt, opt, proc, rom, root, sbin, sys, tmp, usr, var, www) and I've tried putting it in various other folders and applying it to nvram with jeff's script. When I do the "check" that David3 provided "ls -al vpn_route.sh" it never shows up as being under root.

    I'm really really bad with linux, so this is very tough for me. I asked a guy at work and he said I might have to go with the jffs to do it. I did a bit of looking around and enabled that, cleared my jffs flash and then was able to put it in that folder, with the same results (nothing). This is killing me because I think I'm close. The OpenVPN works great with my PIA VPN service but of course it sends everything through there. I only want my new smart TV to go through the tunnel at all times.

    I'm using the following firmware: Tomato Firmware v1.28.7501 MIPSR2Toastman-RT K26 USB VPN and an Asus RT n16 router.

    When I do David's check script for "nvram get vpn_client1_ip_list" it shows up with 192.168.1.5, which is the static DHCP binding that I gave my TV, so that's all good.

    PLEASE can someone tell me how to get that .sh script into root? I would be very grateful at this point.
     
  24. theboyk

    theboyk Serious Server Member


    You're trying to put it in the root of your router, which isn't where you want to put it. You want to create/put the .sh file in root's home. So, in WinSCP, put it in /tmp/home/root or /root (they're the same place—one is an alias of the other I think) and that should work.

    Also, make sure you make it executable before sending to/committing to nvram:

    Code:
    chmod 755 /tmp/home/root/vpn_route.sh
    Then you should be good to go! I've done this process to two RT-N16 routers in the past month and a half and both worked perfectly!
    k.
     
  25. Mowax

    Mowax Serious Server Member

    does that command show you what IP addresses are listed as an exception? nvram get vpn_client1_ip_list
     
  26. quidagis

    quidagis Networkin' Nut Member

    @richardvoyageur

    I never managed to make lfjeff's script work on my Cisco Linksys E4200; however, I was lucky enough to find another solution based on iptables rules.

    Below you will find a little script. Edit as you need ( The IP address you gave your TV is already in place - ip_address1="192.168.1.5"), paste the code to ADMINISTRATION - SCRIPTS - WAN Up, reboot the router and you should be all set. Since you're not Linux skilled you don't have to fiddle with command lines, nvram or any other stuff like that.

    Good luck!

    Code:
    ## CUSTOMIZE YOUR SCRIPT VARIABLES
    #
    ## Uncomment and assign/change value(s) as needed to customize your rules
    #
    # ip_range1="192.168.1.200-192.168.1.203"
    # ip_range2="192.168.1.8/29"
    # ip_range3=""
    #
    # If your IP addresses don't fall in a contiguous range, you'll need separate rules instead.
    ip_address1="192.168.1.5"
    # ip_address2="192.168.1.115"
    # ip_address3=""
    #
    # Spotify
    # website_dst_range1="78.31.8.1-78.31.15.254"
    # website_dst_range2="193.182.8.1-193.182.15.254"
    #
    # Another website
    # website_dst_range3=""
    ##
    # SHELL COMMANDS FOR MAINTENANCE.
    # DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
    #
    #  List Contents by line number
    #iptables -L PREROUTING -t mangle -n --line-numbers
    #
    #  Delete rules from mangle by line number
    #iptables -D PREROUTING type-line-number-here -t mangle
    #
    #  To list the current rules on the router, issue the command:
    #        iptables -t mangle -L PREROUTING
    #
    #  Flush/reset all the rules to default by issuing the command:
    #        iptables -t mangle -F PREROUTING
    # */* #
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
     
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
     
    #
    # Delete table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
     
    #
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    #
    # NOTE: Here I assume the OpenVPN tunnel is named "tun11".
    #
    #
     
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
      | while read ROUTE ; do
              ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
     
     
    # EXAMPLES:
    #
    #  All LAN traffic will bypass the VPN (Useful to put this rule first,
    #  so all traffic bypasses the VPN and you can configure exceptions afterwards)
    #      iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    #
    #  Ports 80 and 443 will bypass the VPN
    #      iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    #
    #  All traffic from a particular computer on the LAN will use the VPN
    #      iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
    #
    #  All traffic to a specific Internet IP address will use the VPN
    #      iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    #
    #  All UDP and ICMP traffic will bypass the VPN
    #      iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    #      iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
     
     
    # By default all traffic bypasses the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    # IP_RANGES - Uncomment as necessary
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range1 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range2 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range3 -j MARK --set-mark 0
    # IP_ADDRESSES - Uncomment as necessary
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address1 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address2 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address3 -j MARK --set-mark 0
     
    # Spotify explicitly uses the VPN
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range1 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range2 -j MARK --set-mark 0
     
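    The order of the rules at the end of the script matters because MARK is a non-terminating target: every matching rule fires and the mark left by the last one is what ip rule sees, so the catch-all "--set-mark 1" (bypass the VPN) must come before the "--set-mark 0" exceptions (use the VPN), and the scheme fails open, because a host whose exception line was rejected by iptables (for example with a "$" left off a variable name) is silently marked 1 and goes out through the ISP. The sh script below is an added example (mine, not from the thread or the script's original author) that replays a PREROUTING mangle listing against a source address and reports the resulting mark. The rule listings in it are constructed in iptables-save syntax, not captured from a router, and 192.168.1.5 is the TV address from the post above.

```shell
#!/bin/sh
# Added example (not from the thread): replay PREROUTING mangle rules against a
# source IP and report the fwmark the packet ends up with. MARK does not stop
# rule evaluation, so every matching rule fires and the LAST match wins.
# In the script above, mark 1 -> table 100 (WAN); unmarked -> main table (VPN).

# Constructed rule listings in iptables-save syntax, NOT captured from a router.
# 1) catch-all first, then the exception for the TV (the order the script uses)
RULES_OK='-A PREROUTING -i br0 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i br0 -m iprange --src-range 192.168.1.5-192.168.1.5 -j MARK --set-xmark 0x0/0xffffffff'
# 2) same two rules reversed: the catch-all re-marks the TV's packets afterwards
RULES_REVERSED='-A PREROUTING -i br0 -m iprange --src-range 192.168.1.5-192.168.1.5 -j MARK --set-xmark 0x0/0xffffffff
-A PREROUTING -i br0 -j MARK --set-xmark 0x1/0xffffffff'
# 3) the exception line was rejected by iptables, so only the catch-all loaded
RULES_BROKEN='-A PREROUTING -i br0 -j MARK --set-xmark 0x1/0xffffffff'

# dotted quad -> integer, for range comparisons
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_range IP RANGE: RANGE is "a-b" or a single address (iptables iprange syntax)
in_range() {
    ip=$(ip2int "$1")
    lo=$(ip2int "${2%-*}")
    hi=$(ip2int "${2#*-}")
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# final_mark RULES SRC_IP [IN_IFACE]: print the mark (0 or 1) left on the packet
final_mark() {
    rules=$1; src=$2; iface=${3:-br0}; mark=0
    while read -r line; do
        [ -n "$line" ] || continue
        set -- $line
        match=1; newmark=""
        while [ $# -gt 0 ]; do
            case $1 in
                -i)          [ "$2" = "$iface" ] || match=0; shift 2 ;;
                --src-range) in_range "$src" "$2" || match=0; shift 2 ;;
                --set-mark|--set-xmark) newmark=$(( ${2%%/*} )); shift 2 ;;
                *)           shift ;;
            esac
        done
        # non-terminating target: a later matching MARK overrides an earlier one
        if [ "$match" -eq 1 ] && [ -n "$newmark" ]; then mark=$newmark; fi
    done <<EOF
$rules
EOF
    echo "$mark"
}

# uses_vpn RULES SRC_IP: succeed only if the host stays unmarked (routed via VPN)
uses_vpn() {
    [ "$(final_mark "$1" "$2")" -eq 0 ]
}

# Stand-alone demo: the TV (192.168.1.5) and another LAN host (192.168.1.50)
for set_name in RULES_OK RULES_REVERSED RULES_BROKEN; do
    eval "r=\$$set_name"
    echo "$set_name: 192.168.1.5 mark=$(final_mark "$r" 192.168.1.5), 192.168.1.50 mark=$(final_mark "$r" 192.168.1.50)"
done
```

Only RULES_OK leaves the TV unmarked; in the reversed and broken listings it ends up with mark 1 and would leave through the ISP, which is what to look for in iptables -t mangle -L PREROUTING -n --line-numbers after the script runs.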
  27. jbesclapez

    jbesclapez Serious Server Member

    Quidagis, you are THE man! Thanks a lot for this info. I am going to try it as we speak... I had the same kind of question (even if this post was with a different question originally). I presume many people like me would like the routing selected according to the DESTINATION of the IP. Basically you did it (in theory). Now I am going to try to implement that today!:cool:
    My first task will be to reformat the iptables in my previous post to match this script... then i will post the result here as some others could be interested
    Keep in touch please.
     
  28. jbesclapez

    jbesclapez Serious Server Member

    Quidagis, I cleaned up the code a bit to make it simpler for a simple test. I will make it more complicated later, as my rules are already ready!
    I added the website whatismyip.org for test purposes, as it is cool to have a website that confirms whether the VPN is running OK... needs testing now :)
    Please could you confirm the code below:
    The only thing left to do with this code is (and I quote) to paste the code to ADMINISTRATION - SCRIPTS - WAN Up and reboot the router?

    Code:
    ## CUSTOMIZE YOUR SCRIPT VARIABLES
    #
    ## Uncomment and assign/change value(s) as needed to customize your rules
    #
    ip_range1="192.168.1.100-192.168.1.199"
     
    # whatismyip.org
    website_dst_range1="98.207.0.1-98.207.255.254"
    # Spotify
    website_dst_range2="78.31.8.1-78.31.15.254"
    website_dst_range3="193.182.8.1-193.182.15.254"
     
     
    # SHELL COMMANDS FOR MAINTENANCE.
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
    #
    # Delete table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
     
    #Here I assume the OpenVPN tunnel is named "tun11".
     
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
      | while read ROUTE ; do
              ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
     
     
    # By default all traffic bypasses the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
     
    # whatismyip.org and Spotify explicitly use the VPN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range1 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range2 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range3 -j MARK --set-mark 0
     
  29. jbesclapez

    jbesclapez Serious Server Member

    @Quidagis

    I just tried the code below, which is the one you sent, but I cleaned it up again!
    The goal of this one is to have all computers bypass the VPN except the one with the IP 192.168.1.196.
    But when I put that in, nobody has internet except 192.168.1.196.
    What am I doing wrong?

    Code:
    ## CUSTOMIZE YOUR SCRIPT VARIABLES
    ip_address1="192.168.1.196"
     
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
     
    #
    # Delete table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
     
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
     
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
      | while read ROUTE ; do
              ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
     
    # By default all traffic bypasses the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
     
    # IP_ADDRESSES - that go through the VPN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address1 -j MARK --set-mark 0
     
  30. Mowax

    Mowax Serious Server Member

    @ quidagis - mate thanks so much for your script, (From post no. #90) it works a treat, I have 3 devices that are using my normal ISP and the rest of my devices all going out via the VPN, great work man, and thanks for the script. I just have one question, I would now like to be able to find out what IP addresses are listed, Can i FTP into the router and find an ip table somewhere or is there a command that I can issue into the router?

    Thanks and sorry to hijack this thread.
     
  31. quidagis

    quidagis Networkin' Nut Member

    @Mowax

    Wanna find out what IP addresses are listed?

    You go to TOOLS -SYSTEM and execute: "nvram get no_vpn_lst" --- no quotes, OK?


    OR...

    you can edit the script and avoid fiddling with nvram and the command line:
    Code:
    #!/bin/sh
    sleep 30
    #NO_VPN_LST=`nvram get no_vpn_lst`
    NO_VPN_LST="192.168.1.1 192.168.1.2 192.168.1.10 "
    # quoted, so a list of several addresses does not break the test
    [ -z "$NO_VPN_LST" ] && exit 0
    WAN_GWAY="0.0.0.0"
    # wait until the WAN gateway is actually known
    while [ -z "$WAN_GWAY" ] || [ "$WAN_GWAY" = "0.0.0.0" ]; do
        sleep 3
        WAN_GWAY=`nvram get wan_gateway`
    done
    ip route add default via $WAN_GWAY table 10
    for ipa in $NO_VPN_LST; do
        ip rule add from $ipa table 10
    done
    ip route flush cache
    exit 0


    Just use your custom IPAs and you should be all set.
     
  32. quidagis

    quidagis Networkin' Nut Member

    @jbesclapez

    Good morning J.

    I'm running your custom script (all I changed is ip_address1 to match my subnet) everything works as expected. Check your DNS settings in BASIC - NETWORK - STATIC DNS. Mine looks like this :

     
  33. jbesclapez

    jbesclapez Serious Server Member

    @quidagis
    Good evening Q. :)
    When you say my custom script, you mean the one from post 129?
    The funny thing is that your Static DNS are the same as mine. I use both from OpenDNS and one from google!
    Also, when I am working on my router, I also always have an ongoing ping on:
    192.168.1.1
    google.com
    8.8.8.8
    Then i know if i have a local network problem, an internet problem or a DNS problem, just from my command prompt...;)

    However, my script, is only giving me VPN on 192.168.1.196 and no internet on the other machines.
    Here is my routing table below:
    (honestly I would love to understand this blabla... I am no Champollion here :D )
    Can you see something weird?
     
  34. quidagis

    quidagis Networkin' Nut Member

    Hey J!

    Yes, your custom script from post 129.

    The only difference worth mentioning: I have four (4) WAN interfaces.
    The other difference, my internet connection is via Cable-DHCP, yours is PPPoE. That should not pose a problem as far as I know. Maybe my WAN type being Cable-DHCP creates that extra WAN interface.

     
  35. richardvoyageur

    richardvoyageur Serious Server Member

    You're a lifesaver and a friend for life! This worked brilliantly, could never get jeff's code to work, even with the other hints and help from the rest of the thread. this way is MUCH easier to do, first try success. whatismyip.com is showing proper proxied IP for the TV and normal ISP for everything else. SWEET dude. thanks so much. anyone wanting to do this should use this method unless proficient with Linux. Actually, just do this one, it's still easier. One cut and paste basically, along with your normal VPN setup from your VPN service. Reboot the router and it comes up golden.
     
  36. quidagis

    quidagis Networkin' Nut Member

    Good morning, Richard!

    Good to know it's worked out for you.

    Yes, this method is easier than lfjeff's. Besides, you can filter not just IPAs but ports, protocols and websites too. And the added bonus is that it's all GUI, no command lines to type and no messing around with routing tables / nvram variables.

    Have a nice day, amigo.


    P. S.

    I don't want to take credit for something that is not mine. I forgot to mention it when I first posted the script. My apologies for that. So, to give credit where credit is due, I found it here:

    http://linksysinfo.org/index.php?th...-ports-through-vpn-openvpn.37240/#post-205781
     
  37. lsi235e

    lsi235e Networkin' Nut Member

    Is it possible to specify a list of domain names that go through the VPN?

    If you can't specify a domain how do you convert from a domain to a list of IP addresses and keep this list updated?

    Thanks
     
  38. quidagis

    quidagis Networkin' Nut Member

    I just added a few lines of code to find out what tunnel interface the script will use (tun11 or tun12), here is the whole new script:

    Code:
    ## CUSTOMIZE YOUR SCRIPT VARIABLES
    #
    ## Uncomment and assign/change value(s) as needed to customize your rules
    #
    # ip_range1="192.168.10.200-192.168.10.203"
    # ip_range2="192.168.10.8/29"
    # ip_range3=""
    #
    # If your IP addresses don't fall in a contiguous range, you'll need separate rules instead.
    # ip_address1="192.168.10.100"
    # ip_address2="192.168.10.115"
    # ip_address3=""
    #
    # Spotify
    # website_dst_range1="78.31.8.1-78.31.15.254"
    # website_dst_range2="193.182.8.1-193.182.15.254"
    # Another website
    #
    # website_dst_range3=""
    ##
     
    # SHELL COMMANDS FOR MAINTENANCE.
    # DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
    #
    #  List Contents by line number
    #iptables -L PREROUTING -t mangle -n --line-numbers
    #
    #  Delete rules from mangle by line number
    #iptables -D PREROUTING type-line-number-here -t mangle
    #
    #  To list the current rules on the router, issue the command:
    #      iptables -t mangle -L PREROUTING
    #
    #  Flush/reset all the rules to default by issuing the command:
    #      iptables -t mangle -F PREROUTING
     
    # */* #
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
     
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
     
    #
    # Delete table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
     
    #
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    #
     
    # Find which OpenVPN client interface is up (tun11 or tun12) and leave its
    # name in $tun_if. 'break' stops the loop at the first match; an 'exit' here
    # would abort the whole script before any route or rule is created.
    iface_lst=`route | awk ' {print $8}'`
    for tun_if in $iface_lst; do
      if [ "$tun_if" = "tun11" ]; then
        break
      elif [ "$tun_if" = "tun12" ]; then
        break
      fi
    done
     
    ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
     
     
    # EXAMPLES:
    #
    #  All LAN traffic will bypass the VPN (Useful to put this rule first,
    #  so all traffic bypasses the VPN and you can configure exceptions afterwards)
    #    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    #
    #  Ports 80 and 443 will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    #
    #  All traffic from a particular computer on the LAN will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
    #
    #  All traffic to a specific Internet IP address will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    #
    #  All UDP and ICMP traffic will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    #    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
     
     
    # By default all traffic bypasses the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
     
    # IP_RANGES - Uncomment as necessary
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range1 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range2 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range3 -j MARK --set-mark 0
     
    # IP_ADDRESSES - Uncomment as necessary
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address1 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address2 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address3 -j MARK --set-mark 0
     
    # Spotify explicitly uses the VPN
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range1 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range2 -j MARK --set-mark 0
     
  39. Mowax

    Mowax Serious Server Member

    @ quidagis, good work, thanks for sharing. I only found your post by searching for ages on Google, so thanks for posting, and yeah, credit to the OP. :)

    I run that command and can see that I have 2 devices running via the normal ISP and the rest out via the tunnel. :)

    I was just wondering, since I ran that command and have those two IP addresses, how would I go about "un-committing" them from nvram so I can paste them into the script that you posted? I don't mind using ftp or telnet to get into the router if there's a way to do iptables.

    However, it's cool, I have the 2 devices that I want with static IP addresses doing what I wanted. :) Normal ISP.

    Thanks again for posting and taking the time to reply bud.

    Mowax
     
  40. quidagis

    quidagis Networkin' Nut Member

    @Mowax

    You want to remove no_vpn_lst from nvram? Do this...

    Go to TOOLS -SYSTEM and execute the two nvram commands below, edit your script to customize your IPAs, save and reboot:

    "nvram unset no_vpn_lst" --- no quotes
    "nvram commit" --- no quotes

    That's all, enjoy!
     
  41. occamsrazor

    occamsrazor Network Guru Member

    Hi,

    I followed Quidagis' script in post#90 and it works great. Awesome work. My setup is as follows:

    ISP Modem 192.168.1.1 > DMZ > Tomato Router 192.168.1.2 (modem does not have bridge mode, so had to go down the DMZ route)

    Tomato router runs OpenVPN client to commercial VPN provider
    Tomato router runs OpenVPN server for remote access purposes (for the purpose of my testing the Client I currently have the server switched off)

    At first I wanted all my traffic going over the VPN. But my VPN provider doesn't allow incoming ports, and I quickly realized that my SIP VOIP box wouldn't register properly. So I then used Quidagis' script in post#90 to force traffic from the IP of the VOIP box to bypass the VPN and go directly to the ISP. Now the box registers and all is working nicely, thanks! Except two things:

    1. I want to be able to remote access my home network from outside, specifically: The remote web admin of the router, a remote web admin of Transmission running on a machine on the LAN, other services running on LAN machines using specific ports etc - all of which have port-forwards set in the router. I would also like to be able to remotely OpenVPN in to the OpenVPN server running on my Tomato router. But as my VPN provider doesn't allow incoming ports I can't "come in" through the VPN tunnel, so it requires my DYNDNS address to resolve to the ISP IP and not the VPN IP. I read bmupton's post#113 which seems to be a solution to a similar issue, but frankly I don't understand it.

    2. This is REALLY WEIRD but I swear it's true. All web traffic is going out via the VPN, have checked IP geolocation etc, and all websites work fine. Except one - www.linksysinfo.org ! This clearly doesn't make any sense at all, all other websites work fine, have flushed DNS on my computers, but on every machine if I go to www.linksysinfo.org with the VPN connected it never loads, and as soon as I disconnect the VPN, it loads straight away. Any ideas at all?
    EDIT - Ignore that - this turned out to be an issue with one particular node of the VPN provider and nothing to do with my router.

    Thanks
     
  42. jbesclapez

    jbesclapez Serious Server Member

    @Everyone using Quidagis script.
    Please inform us if it is working on your firmware (version) and router (model). Thanks.
     
  43. jbesclapez

    jbesclapez Serious Server Member

    I collected some IPs to bypass and I re-ordered them to use them in the script above.
    However, you will notice that it is a long list.
    Netflix for example, uses amazon EC2 servers... that is why you have many servers.
    I updated them with the latest info coming directly from amazon...
    Please note that I am not 100% sure they are all working... have a try and give us feedback please.
    Hope it will be useful for some of you :)

    Code:
    #AMAZON EC2 LIST UPDATED Dec21, 2012
    #Source:https://forums.aws.amazon.com/ann.jspa?annID=1701
    # US East (Northern Virginia):
    website_dst_range1="72.44.32.1-72.44.63.254"
    website_dst_range2="67.202.0.1-67.202.63.254"
    website_dst_range3="75.101.128.1-75.101.255.254"
    website_dst_range4="174.129.0.1-174.129.255.254"
    website_dst_range5="204.236.192.1-204.236.255.254"
    website_dst_range6="184.73.0.1-184.73.255.254"
    website_dst_range7="184.72.128.1-184.72.255.254"
    website_dst_range8="184.72.64.1-184.72.127.254"
    website_dst_range9="50.16.0.1-50.17.255.254"
    website_dst_range10="50.19.0.1-50.19.255.254"
    website_dst_range11="107.20.0.1-107.23.255.254"
    website_dst_range12="23.20.0.1-23.23.255.254"
    website_dst_range13="54.242.0.1-54.243.255.254"
    website_dst_range14="54.234.0.1-54.235.255.254"
    website_dst_range15="54.236.0.1-54.237.255.254"
    website_dst_range16="54.224.0.1-54.225.255.254"
    website_dst_range17="54.226.0.1-54.227.255.254"
    # US West (Oregon):
    website_dst_range18="50.112.0.1-50.112.255.254"
    website_dst_range19="54.245.0.1-54.245.255.254"
    website_dst_range20="54.244.0.1-54.244.255.254"
    # US West (Northern California):
    website_dst_range21="204.236.128.1-204.236.191.254"
    website_dst_range22="184.72.0.1-184.72.63.254"
    website_dst_range23="50.18.0.1-50.18.255.254"
    website_dst_range24="184.169.128.1-184.169.255.254"
    website_dst_range25="54.241.0.1-54.241.255.254"
    # EU (Ireland):
    website_dst_range26="79.125.0.1-79.125.127.254"
    website_dst_range27="46.51.128.1-46.51.191.254"
    website_dst_range28="46.51.192.1-46.51.207.254"
    website_dst_range29="46.137.0.1-46.137.127.254"
    website_dst_range30="46.137.128.1-46.137.191.254"
    website_dst_range31="176.34.128.1-176.34.255.254"
    website_dst_range32="176.34.64.1-176.34.127.254"
    website_dst_range33="54.247.0.1-54.247.255.254"
    website_dst_range34="54.246.0.1-54.246.255.254"
    website_dst_range35="54.228.0.1-54.228.255.254"
    # Asia Pacific (Singapore)
    website_dst_range36="175.41.128.1-175.41.191.254"
    website_dst_range37="122.248.192.1-122.248.255.254"
    website_dst_range38="46.137.192.1-46.137.255.254"
    website_dst_range39="46.51.216.1-46.51.223.254"
    website_dst_range40="54.251.0.1-54.251.255.254"
    # Asia Pacific (Sydney)
    website_dst_range41="54.252.0.1-54.252.255.254"
    # Asia Pacific (Tokyo)
    website_dst_range42="175.41.192.1-175.41.255.254"
    website_dst_range43="46.51.224.1-46.51.255.254"
    website_dst_range44="176.32.64.1-176.32.95.254"
    website_dst_range45="103.4.8.1-103.4.15.254"
    website_dst_range46="176.34.0.1-176.34.63.254"
    website_dst_range47="54.248.0.1-54.249.255.254"
    # South America (Sao Paulo)
    website_dst_range48="177.71.128.1-177.71.255.254"
    website_dst_range49="54.232.0.1-54.232.255.254"
     
    # netflix
    website_dst_range50="108.175.32.1-108.175.47.254"
    website_dst_range51="208.75.76.1-208.75.79.254"
    website_dst_range52="64.212.0.1-64.215.255.254"
    website_dst_range53="199.92.0.1-199.95.255.254"
    website_dst_range54="206.32.0.1-206.35.255.254"
    website_dst_range55="209.244.0.1-209.247.255.254"
    website_dst_range56="68.142.64.1-68.142.127.254"
    website_dst_range57="69.28.128.1-69.28.191.254"
    website_dst_range58="69.164.0.1-69.164.63.254"
    website_dst_range59="208.111.128.1-208.111.191.254"
    website_dst_range60="128.242.0.1-128.242.255.254"
    website_dst_range61="204.0.0.1-204.3.255.254"
    website_dst_range62="204.141.0.1-204.141.255.254"
    website_dst_range63="204.200.0.1-204.203.255.254"
    website_dst_range64="208.44.0.1-208.47.255.254"
     
    # hulu
    website_dst_range65="23.32.0.1-23.63.255.254"
    website_dst_range66="23.64.0.1-23.67.255.254"
    website_dst_range67="64.221.0.1-64.221.127.254"
    website_dst_range68="64.221.128.1-64.221.191.254"
    website_dst_range69="64.221.192.1-64.221.223.254"
    website_dst_range70="77.109.170.1-77.109.170.254"
    website_dst_range71="80.239.221.1-80.239.221.254"
    website_dst_range72="92.122.0.1-92.123.255.254"
    website_dst_range73="195.27.0.1-195.27.255.254"
    website_dst_range74="199.127.192.1-199.127.195.254"
    website_dst_range75="208.91.156.1-208.91.159.254"
    website_dst_range76="217.156.128.1-217.156.255.254"
     
    # mysqueezebox
    website_dst_range77="192.221.0.1-192.221.255.254"
    website_dst_range78="204.160.0.1-204.163.255.254"
    website_dst_range79="205.128.0.1-205.131.255.254"
    website_dst_range80="207.120.0.1-207.123.255.254"
    website_dst_range81="209.84.0.1-209.84.255.254"
     
    # disney.go.com - WORKS
    website_dst_range82="68.71.208.1-68.71.223.254"
     
    # Viacom i.e. nick.com and all that crap - WORKS
    website_dst_range83="129.228.0.1-129.228.127.254"
    website_dst_range84="166.77.0.1-166.77.255.254"
    website_dst_range85="206.220.40.1-206.220.43.254"
    website_dst_range86="69.31.132.1-69.31.133.254"
    website_dst_range87="72.246.0.1-72.247.255.254"
     
    # CBS - WORKS
    website_dst_range88="198.99.118.1-198.99.119.254"
    website_dst_range89="198.99.120.1-198.99.121.254"
    website_dst_range90="198.99.122.1-198.99.122.254"
     
    # NBC WORKS
    website_dst_range91="66.77.124.1-66.77.124.254"
     
    # ABC & general Disney range works
    website_dst_range92="199.181.129.1-199.181.129.254"
    website_dst_range93="199.181.130.1-199.181.131.254"
    website_dst_range94="199.181.132.1-199.181.135.254"
     
    # Disney (ESPN) STILL NOT WORKING!!
    website_dst_range95="68.71.208.1-68.71.223.254"
    website_dst_range96="192.147.170.1-192.147.170.254"
    website_dst_range97="198.105.192.1-198.105.199.254"
    website_dst_range98="69.31.132.1-69.31.133.254"
    website_dst_range99="107.8.0.1-107.15.255.254"
     
    # FOX NOT WORKING YET!
    website_dst_range100="88.221.94.1-88.221.95.254"
    website_dst_range101="192.204.0.1-192.204.255.254"
     
    #COMCAST Just got this off the ESPN connection so far
    website_dst_range102="207.223.0.1-207.223.15.254"
     
    # whatismyip.org
    website_dst_range103="98.207.0.1-98.207.255.254"
     
    # pandora.com
    website_dst_range104="208.85.40.1-208.85.47.254"
    
     
  44. jbesclapez

    jbesclapez Serious Server Member

    :confused: Oooops forgot to add :
    It would be cool if we could have this in another file that would call the script... I don't know if I am clear... but otherwise the script is going to be too long, right?
    Unfortunately I don't know how to do this :(...
    Let the challenge begin ::D
     
  45. quidagis

    quidagis Networkin' Nut Member

    @jbesclapez

    You don't need to call the WAN-up script. You need another script you run from TOOLS - SYSTEM - EXECUTE SYSTEM COMMANDS to add the new rules.

    Something like this...

    Code:
    #!/bin/sh
    clear
    IPA_list="72.44.32.1-72.44.63.254
    67.202.0.1-67.202.63.254
    75.101.128.1-75.101.255.254
    174.129.0.1-174.129.255.254
    204.236.192.1-204.236.255.254
    184.73.0.1-184.73.255.254
    184.72.128.1-184.72.255.254
    184.72.64.1-184.72.127.254
    50.16.0.1-50.17.255.254
    50.19.0.1-50.19.255.254
    107.20.0.1-107.23.255.254
    23.20.0.1-23.23.255.254
    54.242.0.1-54.243.255.254
    54.234.0.1-54.235.255.254
    54.236.0.1-54.237.255.254
    54.224.0.1-54.225.255.254
    54.226.0.1-54.227.255.254
    50.112.0.1-50.112.255.254
    54.245.0.1-54.245.255.254
    54.244.0.1-54.244.255.254
    204.236.128.1-204.236.191.254
    184.72.0.1-184.72.63.254
    50.18.0.1-50.18.255.254
    184.169.128.1-184.169.255.254
    54.241.0.1-54.241.255.254
    79.125.0.1-79.125.127.254
    46.51.128.1-46.51.191.254
    46.51.192.1-46.51.207.254
    46.137.0.1-46.137.127.254
    46.137.128.1-46.137.191.254
    176.34.128.1-176.34.255.254
    176.34.64.1-176.34.127.254
    54.247.0.1-54.247.255.254
    54.246.0.1-54.246.255.254
    54.228.0.1-54.228.255.254
    175.41.128.1-175.41.191.254
    122.248.192.1-122.248.255.254
    46.137.192.1-46.137.255.254
    46.51.216.1-46.51.223.254
    54.251.0.1-54.251.255.254
    54.252.0.1-54.252.255.254
    175.41.192.1-175.41.255.254
    46.51.224.1-46.51.255.254
    176.32.64.1-176.32.95.254
    103.4.8.1-103.4.15.254
    176.34.0.1-176.34.63.254
    54.248.0.1-54.249.255.254
    177.71.128.1-177.71.255.254
    54.232.0.1-54.232.255.254
    108.175.32.1-108.175.47.254
    208.75.76.1-208.75.79.254
    64.212.0.1-64.215.255.254
    199.92.0.1-199.95.255.254
    206.32.0.1-206.35.255.254
    209.244.0.1-209.247.255.254
    68.142.64.1-68.142.127.254
    69.28.128.1-69.28.191.254
    69.164.0.1-69.164.63.254
    208.111.128.1-208.111.191.254
    128.242.0.1-128.242.255.254
    204.0.0.1-204.3.255.254
    204.141.0.1-204.141.255.254
    204.200.0.1-204.203.255.254
    208.44.0.1-208.47.255.254
    23.32.0.1-23.63.255.254
    23.64.0.1-23.67.255.254
    64.221.0.1-64.221.127.254
    64.221.128.1-64.221.191.254
    64.221.192.1-64.221.223.254
    77.109.170.1-77.109.170.254
    80.239.221.1-80.239.221.254
    92.122.0.1-92.123.255.254
    195.27.0.1-195.27.255.254
    199.127.192.1-199.127.195.254
    208.91.156.1-208.91.159.254
    217.156.128.1-217.156.255.254
    192.221.0.1-192.221.255.254
    204.160.0.1-204.163.255.254
    205.128.0.1-205.131.255.254
    207.120.0.1-207.123.255.254
    209.84.0.1-209.84.255.254
    68.71.208.1-68.71.223.254
    129.228.0.1-129.228.127.254
    166.77.0.1-166.77.255.254
    206.220.40.1-206.220.43.254
    69.31.132.1-69.31.133.254
    72.246.0.1-72.247.255.254
    198.99.118.1-198.99.119.254
    198.99.120.1-198.99.121.254
    198.99.122.1-198.99.122.254
    66.77.124.1-66.77.124.254
    199.181.129.1-199.181.129.254
    199.181.130.1-199.181.131.254
    199.181.132.1-199.181.135.254
    68.71.208.1-68.71.223.254
    192.147.170.1-192.147.170.254
    198.105.192.1-198.105.199.254
    69.31.132.1-69.31.133.254
    107.8.0.1-107.15.255.254
    88.221.94.1-88.221.95.254
    192.204.0.1-192.204.255.254
    207.223.0.1-207.223.15.254
    98.207.0.1-98.207.255.254
    208.85.40.1-208.85.47.254"
     
    for web_dst_range in $IPA_list ; do
      iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $web_dst_range -j MARK --set-mark 0
    done
     
    iptables -L PREROUTING -t mangle -n --line-numbers
     
    echo Done!
    
    BTW, something I forgot to mention. Every time you add / delete a rule it takes effect immediately, NO NEED TO REBOOT. That's the beauty of this approach, no messing around with routes / nvram. Simple and elegant.
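    An added, offline check for the two scripts above (the WAN-up script in post 38 and the rule-adding loop in post 45); this is example code written for this page, not quidagis' script and not anything shipped with Tomato. It reproduces the two steps that trip people up in this thread: finding the tunnel interface in `route` output (the loop must `break`, not `exit`, once it sees tun11 or tun12), and feeding a pasted range list to iptables, where Windows CR line endings or a bad octet otherwise fail in a confusing way. Instead of calling `ip` and `iptables` it prints the commands it would run, so it can be checked on any machine with `sh`, `awk` and `tr` (busybox has all three). The routing-table dump and the range list are constructed samples (the two Netflix ranges come from post 43), and the mark convention (0 = through the VPN, 1 = bypass to the WAN) is the one the post 38 script uses.

```shell
#!/bin/sh
# Added example for this thread (not quidagis' script, not Tomato code):
# dry-run checker for the fwmark rules built by the WAN-up script.

# Print the first OpenVPN client interface (tun11 or tun12) found in
# `route` / `route -n` output read from stdin. Column 8 is "Iface".
# Prints nothing if no tunnel is up.
find_tun_if() {
    awk '$8 ~ /^tun1[12]$/ { print $8; exit }'
}

# Check that $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ip() {
    ip=$1
    # Split on dots; -f stops any '*' in the input from globbing.
    set -f; IFS=.; set -- $ip; unset IFS; set +f
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Check one iprange argument: "A.B.C.D" or "A.B.C.D-E.F.G.H".
valid_range() {
    r=$1
    case $r in
        *-*) lo=${r%-*}; hi=${r#*-} ;;
        *)   lo=$r;      hi=$r ;;
    esac
    valid_ip "$lo" && valid_ip "$hi"
}

# Read a range list from stdin (one range per line, '#' comments allowed,
# CRLF tolerated) and print one iptables command per valid range.
# $1 is the mark: 0 sends the destination through the VPN, 1 bypasses it.
# Invalid lines are reported on stderr and skipped rather than passed on.
gen_rules() {
    mark=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # strip Notepad's CR
        case $line in ''|\#*) continue ;; esac
        if valid_range "$line"; then
            printf 'iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range %s -j MARK --set-mark %s\n' "$line" "$mark"
        else
            printf 'skipping invalid range: %s\n' "$line" >&2
        fi
    done
}

# Constructed sample data so the example runs without a router.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    0      0        0 tun11
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun11
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2'

# Two Netflix ranges from post 43, one single host, one range with a bad
# octet, all with CRLF endings as they arrive when pasted from Windows Notepad.
SAMPLE_RANGES=$(printf '# constructed list\r\n108.175.32.1-108.175.47.254\r\n208.75.76.1-208.75.79.254\r\n10.0.0.300-10.0.0.310\r\n192.168.10.100\r\n')

tun_if=$(printf '%s\n' "$SAMPLE_ROUTE" | find_tun_if)
echo "# tunnel interface: ${tun_if:-none (VPN not up, the rules would have no effect)}"
printf '%s\n' "$SAMPLE_RANGES" | gen_rules 0
```

Once the printed commands look right, the same list can be piped through `gen_rules 0 | sh` on the router from TOOLS - SYSTEM; passing `1` instead builds bypass rules for the WAN, which is the post 63 variant.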
     
  46. quidagis

    quidagis Networkin' Nut Member

  47. jbesclapez

    jbesclapez Serious Server Member

    The never-ending work from Quidagis :D

    Just kidding mate... Thanks
     
  48. jbesclapez

    jbesclapez Serious Server Member

    Dear All,

    I still did not manage to successfully run the script to bypass some addresses! I have been working on it for a while now and I don't know what is wrong!
    I tried the latest Shibby firmware and now I am testing this on the latest Toastman firmware for my Asus RT-N66U.
    I am using HMA VPN. It connects OK but the script above is not running...

    Facts :
    Running Tomato Firmware v1.28.0501 MIPSR2Toastman-RT-N K26 USB VP
    I installed HMA VPN using this tutorial : http://wiki.hidemyass.com/Tomato_OpenVPN_Setup_no._2
    so I have in Script init.d
    Code:
    echo -e "YOUR_HMA_ACCOUNT_USRNAME\nYOUR_HMA_ACCOUNT_PASSWORD" > /tmp/userpass.conf
    chmod 600 /tmp/userpass.conf
    In the VPN client I have what is in the tutorial.
    Basically it is working with those settings. VPN is running OK.
    My basic settings are these:
    [IMG]


    AND
    the routing table ends up like that :
    [IMG]

    However, I cannot run even the basic script from Quidagis! It is sooo frustrating.

    Please could one of you guide me step by step... just to try a simple script? I am curious what I am doing wrong...

     
  49. quidagis

    quidagis Networkin' Nut Member

    Hey J!

    Here, take a look at my personal Tomato setup. Some config you can skip (e. g. wireless filter )

    http://s373.photobucket.com/albums/oo179/quidagis/woodyf/

    The most recent Shibby's mod allows you to type your credentials in OpenVPN client configuration by ticking Username/Password Authentication, so, forget about:
    echo -e "YOUR_HMA_ACCOUNT_USRNAME\nYOUR_HMA_ACCOUNT_PASSWORD" > /tmp/userpass.conf
    chmod 600 /tmp/userpass.conf

    and remember you have to remove or comment out "auth-user-pass /tmp/userpass.conf" from / in Custom Configuration.

    Any questions... just ask.

    Latest WAN-Up script: http://pastebin.com/download.php?i=sxzipj0v
     
  50. jbesclapez

    jbesclapez Serious Server Member

    Quidagis, thanks a lot... really!
    I do not have time to test that tonight but I will give you feedback tomorrow for sure...
    Keep in touch. :cool:
     
  51. jbesclapez

    jbesclapez Serious Server Member

    @Quidagis

    I tried tonight... still the same problem. I spent 2 hours on it again!! I don't know what I am missing as it should be simple...
    Quidagis, I would like to ask you a big favor please, but it is the only option I have now...
    Please could you give me the script, then I would only copy and paste it.
    Basically, my DHCP is between 192.168.1.100 to 192.168.1.199
    And I would like all traffic to Netflix to use the VPN (on any computer).
    All the other traffic to use the ISP settings.
    It would really help me if you could do that... I know you did a lot already and I am grateful for that... but I am so frustrated still... I hope you understand.
    Thanks in advance!
     
  52. quidagis

    quidagis Networkin' Nut Member

    So, all you need is to let all traffic go ISP except one destination website (Netflix).

    Download your Netflix customized script from: http://pastebin.com/download.php?i=kas04Q9S

    I removed almost all comments and examples, and copied and pasted the Netflix IP ranges you posted above (143).

    Good luck!
     
  53. jbesclapez

    jbesclapez Serious Server Member

    :D Happy me :D
    It is now working...
    I totally reviewed my network. Here is how it was before and after...

    BEFORE:
    Modem bridged -> Router RT-N66U with VPN
    The router was set with PPPOE and VPN. It was working in a "normal" way.
    IP : 192.168.1.1
    DHCP ON for LAN
    PPPOE for WAN
    All PCs connect to the RT-N66U.


    AFTER:
    Modem bridged -> Router WRT54G v2.2 -> Router RT-N66U with VPN
    Settings of WRT54G:
    WAN : PPPOE
    LAN: 192.168.1.1/24
    NO VPN
    Settings of RT-N66U:
    WAN: DHCP
    LAN: 192.168.2.1/24
    VPN ON
    All PCs connect to the RT-N66U.

    I tested your scripts and they are working OK now.
    Thanks QUIDAGIS.

    However (there is always a however with me ;)), I am disappointed that I need to use a second router for that!! I don't understand why it is not working.... anyone has an explanation?

    Thanks
     
  54. occamsrazor

    occamsrazor Network Guru Member

    No-one else using Quidagis' script from post#90? The one that forces all traffic over VPN EXCEPT certain IPs? It's working fine as per my previous post, but now I can't access anything remotely. Any ideas? Thanks!

     
  55. quidagis

    quidagis Networkin' Nut Member


    I don't understand why you need a second router. What do you want to do exactly?
     
  56. maupicc

    maupicc Serious Server Member

    Hi Quidagis,

    I would like to try your script as I'm interested in bypassing the VPN with some of my devices, but I'm running Merlin firmware ver. 3.0.0.4.270.24 on an ASUS RT-N66U router and I couldn't find where to run the script.

    Do you have any idea?

    Thanks,

    Mau
     
  57. quidagis

    quidagis Networkin' Nut Member

  58. maupicc

    maupicc Serious Server Member

    Hi Quidagis,

    Thanks for your advice, but I tried the Tomato mod several times and was unable to get OpenVPN connected, but with the Merlin firmware I did.
    Last night I was able to load the script via WinSCP, but bypassing is not working at all. I was making a test with only 1 IP address, but no luck.

    Do you think it can be the firmware? Even if the Merlin one is based on Tomato?

    I can also try to flash it again with tomato mod.

    Regards,
     
  59. quidagis

    quidagis Networkin' Nut Member

  60. maupicc

    maupicc Serious Server Member

    Hi Quidagis,

    I successfully installed Tomato's firmware and the script is running perfectly. Thanks for all!!

    I have another question that maybe you can guide me:

    - Is there a way to have e.g. an iPad connected through the VPN for watching Hulu Plus or Netflix and, when finished, change the connection to go through the ISP instead? I know that changing the IP address is one way to do it, but is there any other "less disturbing" way?

    Thanks again,

    Mau
     
  61. quidagis

    quidagis Networkin' Nut Member

    @Mau

    If all you want is watch Netflix or surf any other specific website:

    You don't have to worry about changing anything. Just build the rules for that specific website by typing the WEBSITES_IP_RANGES list. The script will do the rest for you. Any device connected to the VPNed router will be able to surf websites on that list.

    On the other hand if you built a specific rule for your iPad, that's another story. If you did build a rule for the iPad (IP_ADDRS_LST), forget about building that rule, delete it and you're done. You'll still be able to surf the listed websites.

    Here is the link to download the latest script version: http://pastebin.com/download.php?i=sxzipj0v
     
    windozer likes this.
  62. occamsrazor

    occamsrazor Network Guru Member

    Further to my post #141 above, it seems that the script in Quidagis' post #90 probably can't do what I want and I should maybe try the latest one, e.g. in the post above. But I can't understand what needs to be modified. Can anyone tell me how I can do the following:

    1. Have one LAN device 192.168.0.X route OUTSIDE of the VPN on normal WAN
    2. Receive incoming connections on specified ports e.g. Port 1234 through the normal WAN
    3. Have the Dynamic DNS client report the WAN address, not the address of the VPN endpoint

    Anyone? Thanks
     
  63. quidagis

    quidagis Networkin' Nut Member

    1. "Have one LAN device 192.168.0.X route OUTSIDE of the VPN on normal WAN"

    Code:
    ## CUSTOMIZE YOUR SCRIPT VARIABLES
    #
    ## Uncomment and set value(s) as needed to customize your rules
    #
    # IP addresses, contiguous range AND/OR individual.
    #
    ip_addrs_lst="192.168.0.X"
    #
     
    ########################################
    # NO NEED TO CHANGE BELOW THIS LINE    #
    ########################################
     
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
     
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
     
    iface_lst=`route | awk ' {print $8}'`
    for tun_if in $iface_lst; do
      if [ "$tun_if" = "tun11" ] || [ "$tun_if" = "tun12" ]; then
        break
      fi
    done
     
    ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
     
    # I've changed the script default mark from 0 to 1 - you could delete (comment out) this rule too, the result would be the same
    # By default ALL TRAFFIC GOES THROUGH VPN - same functionality you get in post # 90
     
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0
     
    # IP_ADDRESSES - RANGE(S) AND/OR INDIVIDUAL(S) - $ip_addrs will bypass VPN tunnel - "NORMAL WAN"
     
    for ip_addrs in $ip_addrs_lst ; do
      iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_addrs -j MARK --set-mark 1
    done
     
    
    2- "Receive incoming connections on specified ports e.g. Port 1234 through the normal WAN"

    You can find lots of documentation on PORT FORWARDING which is what you need to accomplish what you want.

    http://www.fclose.com/b/linux/816/port-forwarding-using-iptables/

    3- "Have the Dynamic DNS client report the WAN address, not the address of the VPN endpoint"

    Go to Basic - DDNS - Dynamic DNS - IP address and Set Dynamic DNS to:

    "Use WAN IP Address aa.bb.cc.dd (recommended)"

    Set Dynamic DNS 1 to match service of choice.


    BTW - My Firmware, Shibby's: Tomato Firmware 1.28.0000 MIPSR2-105 K26 USB AIO
     
  64. occamsrazor

    occamsrazor Network Guru Member

    Hi, thanks a lot for your reply. The problem is that I am using the Tomato router connected to a fiber modem. The modem does the connection to the ISP then forwards all ports to the Tomato router as DMZ (the modem does not have bridge mode). So in my case the fiber modem gets the public IP from the ISP, the fiber modem has LAN address of 192.168.1.1, the Tomato router has LAN address from the modem of 192.168.1.2 to which all traffic is DMZed, and the Tomato router gives out client addresses of 192.168.0.x to my devices.

    So when I am connected to VPN, if I "use external address checker" I get the public IP of the VPN endpoint, and if I "use WAN IP" that just gives me the 192.168.1.1 address of the fiber modem.

    I know how to do port-forwarding in standard use. But my VPN provider doesn't forward incoming ports on the tunnel, and (as above) I can only get my DDNS to obtain the VPN endpoint public IP, not the public IP of the fiber modem. IF... I could find some way for the DDNS to use the fiber modem public IP, then I would need some way for certain incoming and outgoing ports to bypass the VPN.

    Does that make sense? Sorry if I'm not describing it well.
     
  65. quidagis

    quidagis Networkin' Nut Member

    The public IP address you get from the ISP... is it dynamic or static? If a static one... no problem, set Dynamic DNS to CUSTOM IP ADDRESS.
     
  66. naitsuga

    naitsuga Serious Server Member

    Quidagis,
    Good Day..
    I am really happy I found this thread. Thank you for following it. I have zero knowledge of Unix and was just wondering if your script works with VPN tunneling PPTP?
    I'm using an E4200 with tomato-E4200-NVRAM60K-1.28.0501.2MIPSR2Toastman-RT-N-VPN.bin and connect with Astrill VPN via the VPN tunnelling PPTP client, and it's working.
    They have their own OpenVPN application I can load to my router with a GUI to work like your script, and it's working too for me.

    But somehow for my requirement I need PPTP tunneling for faster speed compared to OpenVPN.
    Thanking you in advance.
     
  67. quidagis

    quidagis Networkin' Nut Member

    @Naitsuga

    Yes, it should work. I've run a few tests and the script works as expected. However, when I set the PPTP client to START WITH WAN it just sits there and the router freezes; I had to reset 30/30/30 several times. (Maybe it's my firmware version, IDK for sure.)

    The solution to stay away from freezes: DON'T START THE PPTP CLIENT WITH WAN, and run the script (http://pastebin.com/download.php?i=m1rrG3tj) from TOOLS - SYSTEM - EXECUTE SYSTEM COMMANDS after starting the PPTP client manually.

    Good luck!

    P. S.

    Don't forget to customize ip_addrs_lst

    http://imgur.com/GC6wjDa
     
  68. naitsuga

    naitsuga Serious Server Member

    Hello Q, I admire you taking your time and helping other people in this forum.
    Thank you again, I will try the script you gave me in a couple of hours.
    BTW I have never turned on Start With WAN; it seems to never work with my PPTP either, even without any script (I don't know if it's related to the WAN UP script?)
    I will report to you ASAP
     
  69. quidagis

    quidagis Networkin' Nut Member

  70. naitsuga

    naitsuga Serious Server Member

    Morning Q
    What I meant: in the existing setup, Start With WAN is always disabled, and it connected to Astrill and worked. If I enable it, it didn't work.
    And with tomato-E4200-NVRAM60K-1.28.0501.2MIPSR2Toastman-RT-N-VPN.bin it didn't work. If I run your script, I get an error, but I forgot to note the error.

    I searched through your posts for what firmware was working in #90 and got Firmware 1.28.0000 MIPSR2-085V K26 USB AIO, but couldn't find the PPTP client under VPN Tunnelling, so
    I applied the Mega VPN build; I was guessing the AIO build lacks the PPTP client submenu under VPN Tunneling. So I applied
    http://tomato.groov.pl/download/K26RT-N/build5x-105-EN/Linksys E-series/tomato-E4200USB-NVRAM60K-1.28.RT-N5x-MIPSR2-105-Mega-VPN.bin

    It was working beautifully per your instructions, even though I saw the note:
    Nothing to flush.
    RTNETLINK answers: No such process
    RTNETLINK answers: No such file or directory

    I tried reboot / plug out / erase NVRAM and your script is still there!
    Your script is Champion !!!! The only thing is, if I reboot the router, I need to connect via the PPTP client again and execute your script,
    and if the router goes down/reboots (without you being aware of it), the IP will be exposed.

    What I do now: I don't connect the PPTP client via VPN Tunneling but from Basic WAN Setup,
    in TYPE ---> PPTP with keep alive connection, and run your script from Execute System Commands, and it WORKS!!!!
    Thank you Q, you made my day today.. So I'm not worried about my IP being exposed if the router goes down or reboots; it's always protected.
    Thank you to all firmware developers too, certainly.

    So for this solution I think ALL Tomato firmware will work and execute QUIDAGIS' script as simple as 123...

    I have a question for you
    Can I just edit the IP range at the system command and execute it again?
    How can I erase the script without factory default?
    Is it possible to run your script automatically, after the PPTP connection in Basic WAN Setup has been established..? ;) :D

    Thank you, thank you again all, especially you Q,
    Good Day..
     
  71. quidagis

    quidagis Networkin' Nut Member

    Hey N!

    "Nothing to flush.
    RTNETLINK answers: No such process
    RTNETLINK answers: No such file or directory"

    No worries about these messages.

    Since you're connecting from "Basic WAN Setup" try running the script from "WAN Up" so that you don't have to run it manually. It should work with no problem.

    - Sure you can edit the IP range and add or delete rules as well. No need to execute the script again; everything is in place once the script runs for the first time. No need to reboot either. The original script has these comment lines you can run from System Commands for maintenance:

    # SHELL COMMANDS FOR MAINTENANCE.
    # DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
    #
    # List contents by line number
    #iptables -L PREROUTING -t mangle -n --line-numbers
    #
    # Delete a rule from mangle by line number
    #iptables -D PREROUTING type-line-number-here -t mangle
    #
    # To list the current rules on the router, issue the command:
    # iptables -t mangle -L PREROUTING
    #
    # Flush/reset all the rules to default by issuing the command:
    # iptables -t mangle -F PREROUTING

    You're free to do whatever you need / want.

    "How can I erase the script without factory default?"

    What you type at System Commands is transient (unless committed to nvram, which is not the case), so there's no need to delete anything. On the other hand, if you typed/pasted the script into WAN Up, just delete it, save it blank and reboot.

    Enjoy!

    http://pastebin.com/download.php?i=sxzipj0v
     
  72. naitsuga

    naitsuga Serious Server Member

    Good Evening Q

    You are the Champ, it WORKS!!!!
    After specifying the IPs for VPN only, I ran all of your script at WAN Up and saved.

    The thing is, every time I make a change at Basic Setup the router freezes (can't access the router, need a power cycle), and after that your script works flawlessly. I suspect the firmware is not stable yet.
    It is also the same thing if I save the script after editing.
    But if I reboot on purpose the router works but loses DNS, so I just go to Status and do Disconnect and Connect => and your script works after the WAN PPTP is connected.
    I will try to change my firmware per your link above. Do you know what Shibby AIO is specified for? I want to activate the Samba server later.

    Do you think your script will work with DD-WRT?

    So the solution for the PPTP client setup where only selected devices/IPs go to the VPN is:
    - Set up the PPTP client via Basic WAN Setup (make sure it is working and connected to our VPN provider)
    - Edit the necessary IPs or IP ranges of the devices we want to pass via VPN in Quidagis's script http://pastebin.com/download.php?i=sxzipj0v
    - Run the script by cutting and pasting it into ADMIN==>Scripts==>WAN UP and Save, and the script will run automatically, or reboot (in my case).
    - We need not worry about exposing the IP of a device that is meant for the VPN but goes through the regular ISP: if the VPN goes down or the router reboots by itself, the script will run automatically after the WAN is connected (sometimes we are not aware that our device is actually connected through the regular ISP instead of the VPN tunnel).

    This solution would not have happened without Quidagis; all the credit goes to him.

    Thank you again, Q
     
  73. quidagis

    quidagis Networkin' Nut Member

    Good morning N.

    I've come to the conclusion that freezes are the result of PPTP taking long to connect. Changing firmware might not solve that issue, give it a shot though, maybe you're lucky. Shibby's All_In_One has all Tomato bells and whistles, Samba included.

    I haven't tried on DD-WRT yet. If you can get a K26 firmware it might work. IDK for sure. lfjeff on post # 31 says "..., as the K24 version does not implement the "ip rule" commands correctly. "

    http://www.linksysinfo.org/index.php?threads/any-way-to-bypass-vpn-selectively.33468/#post-164681

    BTW, the credit for the script is not mine. I just changed/added a few lines here and there, that's all.

    http://linksysinfo.org/index.php?th...-ports-through-vpn-openvpn.37240/#post-205781
     
  74. sayBubba

    sayBubba Serious Server Member

    I have a related question. I want to route the internet traffic of one machine on my server lan through the VPN to a client lan. I have multiple site-to-site clients connecting to the server. How would I go about doing that. I have been mucking around with the scripts in this thread but not been able to make it work. Thanks!
     
  75. occamsrazor

    occamsrazor Network Guru Member

    Sorry for the delay in replying, been away a few days. My public IP from the ISP is dynamic...
     
  76. JoeKamel

    JoeKamel Serious Server Member

  77. jbesclapez

    jbesclapez Serious Server Member

    Q, when I read your post, I had to think about all that... it took me another half a day to redo all that!!
    Thanks Q. I don't know why I was even installing the other router... it made the whole thing more complicated.

    I have now connected my modem directly to the router. Should I activate the firewall on the modem? It is on a different subdomain, like the modem is 192.168.0.1 and the router is 192.168.1.2. Is that OK? I mean... it works, but I want to be sure in terms of security!
     
  78. bmupton

    bmupton Serious Server Member

    The part that tells it what tunnel device to use (near the top of the script) will ALWAYS return tun11 if vpn_client1_ip_list is set, so what I did was create two scripts, identical except for that bit, and call them individually in the clients.

    I have not tried running both tunnels simultaneously, though. I imagine that firing up the second tunnel will destroy the routing for the first tunnel, but maybe not. I only have one VPN provider and can only make a single connection, so I cannot test.
     
  79. quidagis

    quidagis Networkin' Nut Member

    Hey J!

    Sure, activate the FW. In terms of security it's the best you can do.
     
  80. Toastman

    Toastman Super Moderator Staff Member Member

    If your modem is in bridge mode, then it is passing all data straight through to the router. The only firewall in operation will be Tomato's.
     
  81. jbesclapez

    jbesclapez Serious Server Member

    Hi T and Q!
    The modem is not in bridge mode. It seems not to work with the VPN otherwise...
    So I will set the firewall on the modem.
    The strange thing is that then there are 2 firewalls: one on the modem and one on the router (I exclude the ones on the PCs...). It seems strange to me... that's all I wanted to say.
     
  82. JoeKamel

    JoeKamel Serious Server Member

    Luckily enough my VPN provider allows multiple concurrent logins under a single account, so I can have a US exit for the PCs and occasionally put the xbox on a European exit node for NHL Gamecenter at the same time (ergo needing two clients open). But, on to the good news.....I got it! Haven't coded in about 10 years, and near zero experience with linux/netfilter/iptables, but it works.

    As you said, it requires two different scripts. I inserted some logging and it turns out that even with both VPN clients up, whichever client is started second still returns $route_gateway_1 as its gateway even if the first client is connected. Please keep in mind the scripts are large (about 4k each, though could be trimmed since they include the logging commands) so I had to save them in jffs. Please note that I do not feel anywhere competent enough to answer any questions regarding debugging and such, but I wanted to include them here in case anyone is looking for a similar solution to mine.

    I've included the two scripts as well as the logfile outputs for each below; hopefully people can put them to use. In order to help, the start/stop order was start client 1, start client 2, stop client 1, stop client 2. The scripts should be used in the same way as lfjeff said in post 43; you just wind up with one script specific to VPN client 1, and one specific to VPN client 2.

    VPN Client 1 script:
    http://pastebin.com/NvAtmAb9

    VPN Client 2 script:
    http://pastebin.com/SG7asKMw

    VPN Client 1 log output:
    http://pastebin.com/iv9swxAH

    VPN Client 2 log output:
    http://pastebin.com/dcUQC41q

    I would have loved to include everything as inline code, unfortunately I was WAY over the 15k post limit. Anyway, good luck to everyone else!
     
  83. ArmoredDragoon

    ArmoredDragoon Serious Server Member

    On Cisco routers/switches you can define "interesting traffic" using ACLs, and that traffic goes through the VPN.

    For example, 172.16.0.1/24 to 192.168.0.1/24 could be defined as interesting traffic and would be sent over the VPN, whereas 172.16.0.1/24 to anywhere else would go to the open internet rather than through the VPN tunnel. This allows you to truly bridge two private networks.

    Any idea if this kind of functionality already exists or could be integrated into tomato? I'm not a programmer, otherwise I'd work on it myself.
     
  84. koitsu

    koitsu Network Guru Member

    You mean like exactly what's being done here?

    http://www.linksysinfo.org/index.ph...-ports-through-vpn-openvpn.37240/#post-223922
    http://www.linksysinfo.org/index.ph...-ports-through-vpn-openvpn.37240/#post-223956

    Read some of the other comments in that thread as well. You can "mark" traffic based on criteria (source/destination), then do something based on those marks. Linux iptables already has this capability.
     
  85. JoeKamel

    JoeKamel Serious Server Member

    Well, I'm trying to refine my vpn rules and went with quidagis' script as I am really looking more to only put BitTorrent and traffic to Socks5 proxies (receiving on port 1080) onto the VPN.

    So my setup is as follows (four PCs total):

    192.168.1.100: BitTorrent only on VPN (set to send traffic only on ports 53500-53524) - will need both TCP and UDP traffic
    192.168.1.210: BitTorrent only on VPN (set to send traffic only on ports 53525-53549) - will need both TCP and UDP traffic
    192.168.1.220: BitTorrent only on VPN (set to send traffic only on ports 53550-53574) - will need both TCP and UDP traffic
    192.168.1.250: All traffic on VPN

    So with quidagis' script, it looks as if my iptables rules should be:

    Code:
    # Traffic to SOCKS5 proxy:
     
    iptables -t mangle -A PREROUTING -i br0 --dport 1080 -j MARK --set-mark 0
     
    # Outgoing BitTorrent traffic (ports 53500-53574)
     
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport 53500:53574 -j MARK --set-mark 0
     
    #Traffic from PC 192.168.1.250
     
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.250 -j MARK --set-mark 0
    Is this correct?
     
  86. koitsu

    koitsu Network Guru Member

    No, it doesn't look correct. I believe if you tried that you'd get an error from the iprange module stating that you're not giving it correct syntax.

    See subsequent posts in that thread, specifically these:

    http://www.linksysinfo.org/index.ph...-ports-through-vpn-openvpn.37240/#post-223966
    http://www.linksysinfo.org/index.ph...-ports-through-vpn-openvpn.37240/#post-223972

    Basically, there's no point in using the iprange module in 99% of cases out there. Get rid of it and just use -s (--src) or -d (--dst) for matching against source or destination addresses or network ranges in CIDR format.

    Also, I don't know if you can accomplish what you're doing based on source address given how the NAT layer works. You'd have to experiment/try.
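An added example, not the script from any post in this thread, that puts koitsu's two points together (post 84: mark packets by source or destination, then route on the mark; post 86: match addresses with -s/-d in CIDR form rather than the iprange module) for the host and port layout JoeKamel lists in post 85. The assumptions are mine, not the thread's: the OpenVPN client is up as tun11, the LAN bridge is br0, routing table 100 and fwmark 1 are free, and the file lives at /jffs/vpnmark.sh. It also goes one step beyond the posts: marked traffic is rejected if it would leave by anything but the tunnel, so a dropped VPN does not quietly send the BitTorrent hosts out via the ISP.

```shell
#!/bin/sh
# Added example (not the script from any post in this thread): select traffic for
# the VPN with a firewall mark in mangle/PREROUTING, then route by that mark.
# Assumptions: OpenVPN client 1 is up as tun11, the LAN bridge is br0, routing
# table 100 and fwmark 1 are otherwise unused. Host/port layout is JoeKamel's (post 85).
# Usage:  sh /jffs/vpnmark.sh preview   - print the commands without running them
#         sh /jffs/vpnmark.sh apply     - run them (from WAN Up, after the tunnel is up)

VPN_IF=tun11
VPN_TABLE=100
VPN_MARK=1
LAN_IF=br0
CHAIN=VPNMARK

# Print, one per line, every command needed. Keeping this a pure generator lets you
# review the rule set (preview) and re-apply it without stacking duplicates.
rules() {
    # a chain of our own, flushed on each run, so Tomato's other mangle rules stay intact
    echo "iptables -t mangle -N $CHAIN 2>/dev/null"
    echo "iptables -t mangle -F $CHAIN"
    echo "iptables -t mangle -D PREROUTING -i $LAN_IF -j $CHAIN 2>/dev/null"
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -j $CHAIN"

    # 192.168.1.250: everything goes via the VPN. Plain -s with a CIDR, no iprange module.
    echo "iptables -t mangle -A $CHAIN -s 192.168.1.250/32 -j MARK --set-mark $VPN_MARK"

    # BitTorrent hosts: only their own listening-port range, TCP and UDP alike
    for spec in 192.168.1.100:53500:53524 192.168.1.210:53525:53549 192.168.1.220:53550:53574; do
        host=${spec%%:*}; ports=${spec#*:}; lo=${ports%:*}; hi=${ports#*:}
        for proto in tcp udp; do
            echo "iptables -t mangle -A $CHAIN -s $host/32 -p $proto --sport $lo:$hi -j MARK --set-mark $VPN_MARK"
        done
    done

    # any LAN host talking to a SOCKS5 proxy (TCP 1080) anywhere
    echo "iptables -t mangle -A $CHAIN -p tcp --dport 1080 -j MARK --set-mark $VPN_MARK"

    # policy routing: marked packets use table 100, whose only default route is the tunnel
    echo "ip rule del fwmark $VPN_MARK table $VPN_TABLE 2>/dev/null"
    echo "ip route flush table $VPN_TABLE"
    echo "ip route add default dev $VPN_IF table $VPN_TABLE"
    echo "ip rule add fwmark $VPN_MARK table $VPN_TABLE"
    echo "ip route flush cache"

    # NAT VPN-bound traffic to the tunnel address (redundant if the client's
    # "Create NAT on tunnel" option is already on; the -D keeps it from doubling up)
    echo "iptables -t nat -D POSTROUTING -o $VPN_IF -j MASQUERADE 2>/dev/null"
    echo "iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE"

    # leak guard: marked traffic about to leave by any interface other than the
    # tunnel (tunnel down, route gone) is rejected instead of going out via the ISP.
    # Older iptables builds only accept the "-o ! iface" spelling of the negation.
    echo "iptables -D FORWARD -m mark --mark $VPN_MARK -o ! $VPN_IF -j REJECT 2>/dev/null"
    echo "iptables -I FORWARD -m mark --mark $VPN_MARK -o ! $VPN_IF -j REJECT"
}

case "${1:-}" in
    preview) rules ;;
    apply)   rules | sh ;;
    *)       echo "usage: $0 preview|apply" >&2 ;;
esac
```

Run `sh /jffs/vpnmark.sh preview` in Tools > System Commands to see the rule set, then put `sh /jffs/vpnmark.sh apply` in WAN Up after the delay the other scripts here use, or in the client's route-up hook, since the table 100 default route needs tun11 to exist. Re-running is safe: the script only touches its own chain, rule, table and the two rules it inserts. Two things to check on a real Tomato box: QoS also uses fwmark, so pick a mark value it does not use, and if replies arriving on tun11 are dropped, look at rp_filter on that interface.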
     
  87. saarta

    saarta Reformed Router Member

    I have been following the discussions and my thanks to Quidagis for some excellent work.
    I am facing a similar issue that was raised above without any solution. I need to access the SSH Daemon on Tomato remotely for two reasons: 1) Remote Admin and 2) I use it as a SSH proxy for internet access.
    I had the need to selectively bypass the VPN and Quidagis' script in post 90 and 130 addressed this need. I still cannot access the ssh daemon remotely. I was wondering whether adding the router address of 192.168.1.1 to the script in posting 90 and 131 would solve my issue but I am not sure what else it may do.

    Any suggestions?
     
  88. JunJun

    JunJun Reformed Router Member

    Quidagis;
    hey, I was wondering if you can help me out... I have an E4200, and am pretty much new with third-party firmware... I have used DD-WRT so I can use my HMA account for OpenVPN.. unfortunately, after so much tech support by email and TeamViewer from HMA tech support, none of the firmware really works with OpenVPN.. I was searching online and mostly it mentions Tomato firmware instead....

    After changing back from the stock Linksys firmware, I now have this on my router >>>
    >>>>>>>>> tomato-E4200USB-NVRAM60K-1.28.0502.1MIPSR2Toastman-RT-N-VLAN-VPN.bin

    I tried following the tutorial on the HMA website >>>
    http://wiki.hidemyass.com/Tomato_OpenVPN_Setup ...... Unfortunately I must have done something wrong with the setup, esp. on the VPN client config...

    Is there a firmware and configuration you can suggest that would help me set up my router? I just want to use my HMA account for OpenVPN to work on my router and the 5GHz (if possible)

    thank you
    Jerry
     
  89. thisisgil

    thisisgil Reformed Router Member

    I am experimenting with this issue on shibby's tomato firmware. So far, the only script that has worked for me was Tunde Oloworaran's script - this is because I am assigning all known devices a static IP address.

    So whilst I can selectively bypass the VPN using IP address, I am now at the stage where I'd also like to *always* bypass VPN for specific destination IP addresses. I thought it would be as simple as tweaking the code I'm already using (quoted below for reference), using the command
    Code:
    ip rule add to xx.xx.xx.xx lookup 4
    but sadly, that doesn't work for me at all.

    Can anybody suggest an addition to the script I'm using below that will allow me to completely bypass VPN based on destination IP Address?

    Code:
    service vpnclient1 start
    ping -c4 localhost

    # Clean up by flushing table 4 and deleting all ip rules that point at it
    # (otherwise every run of this script stacks another copy of each rule)
    ip route flush table 4
    while ip rule del lookup 4 2>/dev/null; do :; done
    ip route flush cache

    # Create backup of default route table
    ip route show table main > /root/route.isp

    # Add rules for all DHCP addresses (192.168.1.100 -> 192.168.1.255):
    # sources in these ranges consult table 4 and so bypass the VPN
    ip rule add from 192.168.1.100/30 lookup 4
    ip rule add from 192.168.1.104/29 lookup 4
    ip rule add from 192.168.1.112/28 lookup 4
    ip rule add from 192.168.1.128/25 lookup 4

    # Flush route cache
    ip route flush cache

    # Use original (pre-openvpn) routes for table 4
    cat /root/route.isp | while read ROUTE; do ip route add table 4 $ROUTE; done
     
  90. dboyd13

    dboyd13 Reformed Router Member

    Maybe not quiet what you're looking for.... but...

    I've recently released code and instructions on GitHub on how to build a Domain-Specific VPN router based on a Raspberry Pi.

    This solution allows for a plug-n-play appliance that you install between your provider modem and your router that allows for multiple outbound VPN connections (PPTP only for now), for each VPN connection you can specify a wildcard domain to route down it. This way "normal" internet connectivity remains on your native connection, but domains you specify as "interesting" route down the VPN connection you specify.

    Hope this is of use to someone.

    https://github.com/dboyd13/DSVR.git
     
  91. windozer

    windozer Networkin' Nut Member

    Thanks for sharing your result. Now I have Tunde's script working as well. What a joy!

    In 2012 and early 2013 I had lfjeff's script working perfectly, but I don't know what happened now; I have flashed numerous builds and red-button cleared NVRAM numerous times but it won't work. As soon as I set the vpn_clientlist1 variable in nvram, those IPs have no internet at all. Secondly, after adding vpnroute.sh to the custom config, all the other IPs successfully bypass the VPN.

    quidagis' method left me with a perpetually rebooting router because the script is in WAN Up. Never worked.

    To make Tunde Oloworaran's script work for me (exclude/bypass the VPN for IPs 192.168.1.0 to 192.168.1.127), I replaced all the "ip rule add" lines with my line. I put my DHCP range from 1 to 127... and I manually configure my device with an IP from 128 to 255 to access via VPN.
    Code:
    ip rule add from 192.168.1.0/25 lookup 4
    PS: 192.168.1.0/25 means 192.168.1.0 - 192.168.1.127. To make your own you can use Online IP CIDR / VLSM Supernet Calculator
     
    Last edited: Sep 6, 2013
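windozer's note that 192.168.1.0/25 is .0 to .127 (post 91) and thisisgil's four prefixes (post 89) are exactly the kind of thing worth checking with a script rather than by eye: a prefix that is one bit off silently puts hosts on the wrong side of the VPN, and nothing in the router's output tells you. The check below is added here and is not part of either post; it assumes nothing about the router beyond a POSIX shell with 64-bit arithmetic, so it runs on a PC, in Tools > System Commands, or on the router's BusyBox shell.

```shell
#!/bin/sh
# Added example, not from any post in this thread: work out what a CIDR in an
# "ip rule add from <CIDR> lookup 4" line actually covers, and which hosts will
# therefore bypass the VPN, before the line goes into a WAN Up script.
# Pure POSIX sh; needs 64-bit shell arithmetic (dash, bash, BusyBox ash built with 64-bit math).

# dotted quad -> integer (subshell body so the IFS change stays local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network mask for a prefix length (0..32) as an integer
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# "first last" addresses of a CIDR; a bare address is treated as /32
cidr_range() {
    case $1 in */*) ;; *) set -- "$1/32" ;; esac
    mask=$(prefix_mask "${1#*/}")
    first=$(( $(ip2int "${1%/*}") & mask ))
    last=$(( first + (4294967295 - mask) ))
    echo "$(int2ip "$first") $(int2ip "$last")"
}

# exit status 0 if address $1 lies inside CIDR $2
in_cidr() {
    mask=$(prefix_mask "${2#*/}")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Given a host and the CIDRs used in "ip rule add from ... lookup 4" lines, print
# "isp" (a rule matches, so table 4 = pre-VPN routes is used) or "vpn" (no rule matches).
route_for() {
    h=$1; shift
    for c in "$@"; do
        if in_cidr "$h" "$c"; then echo isp; return 0; fi
    done
    echo vpn
}

# Worked check against the two rule sets quoted in this thread.
GIL="192.168.1.100/30 192.168.1.104/29 192.168.1.112/28 192.168.1.128/25"
for c in $GIL 192.168.1.0/25; do
    echo "$c covers $(cidr_range "$c")"
done
for h in 192.168.1.2 192.168.1.99 192.168.1.100 192.168.1.127 192.168.1.128 192.168.1.254; do
    echo "$h: thisisgil's rules -> $(route_for "$h" $GIL), windozer's rule -> $(route_for "$h" 192.168.1.0/25)"
done
```

The worked check shows that thisisgil's four prefixes tile .100 to .255 with no gap or overlap, and that under windozer's single /25 a host at .127 bypasses the VPN while .128 does not. The same in_cidr test works on a destination prefix such as the 23.32.0.0/11 that the WHOIS lookup later in this thread returns, so you can confirm which addresses a destination-based rule would catch before adding it.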
  92. windozer

    windozer Networkin' Nut Member

    @thisisgil
    I suppose you'd need to add a CIDR range instead of a single IP address? I don't know; I haven't tried it.

    To get the CIDR range for your 'destination' whether it be an ip or domain, you can use WhosIP: Get IP address information from command-line. You'd need to execute whosip with -r switch - then you can see the CIDR to add. Example - Hulu has two sets of CIDR ranges (23.64.0.0/14 & 23.32.0.0/11) shown below.
    Code:
    C:\>whosip -r hulu.com
    
    WHOIS Source: ARIN
    IP Address:  23.62.98.106
    Country:      USA - Massachusetts
    Network Name: AKAMAI
    Owner Name:  Akamai Technologies, Inc.
    From IP:      23.32.0.0
    To IP:        23.67.255.255
    Allocated:    Yes
    Contact Name: Akamai Technologies, Inc.
    Address:      8 Cambridge Center, Cambridge
    Email:        ip-admin@akamai.com
    Abuse Email:  ip-admin@akamai.com
    Phone:        +1-617-444-2535
    Fax:
    
    
    WHOIS Record:
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    
    
    #
    # The following results may also be obtained via:
    # http://whois.arin.net/rest/nets;q=23.62.98.106?showDetails=true&showARIN=fal
    &ext=netref2
    #
    
    NetRange:      23.32.0.0 - 23.67.255.255
    CIDR:          23.64.0.0/14, 23.32.0.0/11
    OriginAS:
    NetName:        AKAMAI
    NetHandle:      NET-23-32-0-0-1
    Parent:        NET-23-0-0-0-0
    NetType:        Direct Allocation
    RegDate:        2011-05-16
    Updated:        2012-03-02
    Ref:            http://whois.arin.net/rest/net/NET-23-32-0-0-1
    
    
    OrgName:        Akamai Technologies, Inc.
    OrgId:          AKAMAI
    Address:        8 Cambridge Center
    City:          Cambridge
    StateProv:      MA
    PostalCode:    02142
    Country:        US
    RegDate:        1999-01-21
    Updated:        2011-09-24
    Ref:            http://whois.arin.net/rest/org/AKAMAI
    
    OrgAbuseHandle: MHA379-ARIN
    OrgAbuseName:  Hannigan, Martin
    OrgAbusePhone:  +1-617-444-2535
    OrgAbuseEmail:  ip-admin@akamai.com
    OrgAbuseRef:    http://whois.arin.net/rest/poc/MHA379-ARIN
    
    OrgTechHandle: MHA379-ARIN
    OrgTechName:  Hannigan, Martin
    OrgTechPhone:  +1-617-444-2535
    OrgTechEmail:  ip-admin@akamai.com
    OrgTechRef:    http://whois.arin.net/rest/poc/MHA379-ARIN
    
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
     
  93. koitsu

    koitsu Network Guru Member

    Using WHOIS (to query ARIN, RIPE, etc.) is not the only step you need to do to determine a network block for a company. It's a proper start, but you need to look at actual routes being advertised on the Internet to determine what the proper network size (re: CIDR) is.

    Use a public looking glass like route-views.routeviews.org. If you want to know how to do this, I can tell you.

    And quite often companies have multiple AS numbers making this a very tedious, very painful process. Welcome to Networking 101. :)
     
  94. windozer

    windozer Networkin' Nut Member

    Tunde Oloworaran's script works perfectly for bypassing. But it breaks my tunnelbroker IPv6; without the script, tunnelbroker IPv6 works perfectly.
     
  95. Sean Rhodes

    Sean Rhodes Networkin' Nut Member

    Did anyone ever find out why lfjeff's solution only works selectively? I could never get it to work on my E4200 with shibby 110 or 112 firmware builds.

    I can get Quidagis's first script to work fine, but I like lfjeff's better since it uses the IPs you want to pass through the VPN as opposed to listing all the IPs that you don't want to go through.

    Hopefully someone can help
     
  96. Sean Rhodes

    Sean Rhodes Networkin' Nut Member

    Another thing I noticed is that it breaks port forwarding on ip's supposedly outside of the vpn.

    Has anyone else seen that?
     
  97. bimmerm3m5

    bimmerm3m5 Network Guru Member

    I have successfully been able to use lfjeff's post to setup VPN-specific clients. The one thing that doesn't work anymore is the connection to my cable modem interface. I can ping it, but can't access through a browser. Any ideas?

    This is what I used to be able to access my cable modem interface:

    FIREWALL script:
    # masquerade LAN traffic headed for the modem's own subnet as it leaves the WAN
    # interface, so the modem (which knows nothing about the LAN) can answer.
    # The destination must be the modem's subnet, 192.168.100.0/24 here, not the LAN subnet.
    iptables -I POSTROUTING -t nat -o $(nvram get wan_ifname) -d 192.168.100.0/24 -j MASQUERADE

    WAN Up script:
    # give the WAN interface a second address inside the modem's subnet; it must not
    # collide with the modem's own address (assumed to be 192.168.100.1, the usual
    # cable-modem default), or pings answer from the router itself and the web UI never loads
    sleep 5
    ip addr add 192.168.100.2/24 dev $(nvram get wan_ifname) brd +
     
  98. Sean Rhodes

    Sean Rhodes Networkin' Nut Member

    Thanks bimmerm3m5, I will try that with my IP 10.0.1.1/24.

    I assume I need to add
    #!/bin/sh
    before the start of each script yes?

    TIA
     
  99. koitsu

    koitsu Network Guru Member

    If inserted into the relevant Administration -> Scripts section as bimmerm3m5 states, then no, the hashbang (#!/bin/sh) line is not needed.
     
  100. Sean Rhodes

    Sean Rhodes Networkin' Nut Member

    Excellent!

    Thanks for the help guys.
     
