
Any way to bypass VPN selectively?

Discussion in 'Tomato Firmware' started by david3, Dec 26, 2010.

  1. Sean Rhodes

    Sean Rhodes Networkin' Nut Member

    Tried the above scripts but still no luck.

    I pinged my IP address, but it's not seen over the net, so it looks like my router IP is still inside the VPN tunnel. It appears to be trying to connect. If I use RealVNC, I can connect to a PC on my network and then access the router that way.

    Also I set the router to use the external IP address and that basically killed all my connections. I have to wait till I get home now to set the router back to using the WAN address.
     
  2. Sean Rhodes

    Sean Rhodes Networkin' Nut Member

    I finally got it to work with a script by Quidagis in the wanup section:

    Code:
    ## CUSTOMIZE YOUR SCRIPT VARIABLES
    ip_address1="10.0.1.60"
    ip_address2="10.0.1.40"
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
    #
    # Delete table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
      | while read ROUTE ; do
              ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
    # By default all traffic bypasses the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    # IP addresses that go through the VPN (mark 0 = main table = VPN default route)
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address1 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address2 -j MARK --set-mark 0
    Here's the kicker though: I can remote login to my network drives using my DynDNS or No-IP external address, so I know my WAN IP is correct, but I cannot log in to my router itself, except from my LAN.

    It is like the router cannot be seen.

    I tried creating a couple of port forwards for https and ssh (which I shouldn't have to since they are taken care of on the admin page), but no luck with that either.

    Has anyone any ideas why I can't remote login to the router, but I can login to everything the router port forwards?

    BTW, I tried using the external ip address checker (every 10 mins), but that doesn't help at all.
     
    Last edited: Sep 19, 2013
  3. Sean Rhodes

    Sean Rhodes Networkin' Nut Member

    Can anyone help me with this issue:

    I loaded Quidagis's script in my wan up:
    Code:
    ip_src_lst="10.0.1.40 10.0.1.60"    # LAN hosts that should go through the VPN
    
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
    # Pick the tunnel/PPP interface that is present in the routing table
    # (default to tun11 if none is found, instead of whatever interface happened to be last).
    tun_if="tun11"
    for iface in $(route -n | awk 'NR > 2 {print $8}'); do
        if [ "$iface" = "tun11" ] || [ "$iface" = "tun12" ] || [ "$iface" = "ppp0" ]; then
        tun_if="$iface"
        break
      fi
    done
    
    ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
    # Everything from the LAN bypasses the VPN (mark 1 -> table 100 -> WAN gateway) ...
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443,8088,2222 -j MARK --set-mark 1
    # ... except the hosts in ip_src_lst, which are set back to mark 0 and use the
    # VPN default route. MARK is not terminating, so the last matching rule wins.
    for ip_addrs in $ip_src_lst ; do
      iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range "$ip_addrs" -j MARK --set-mark 0
    done
    
    and the VPN tunnel appears to work OK. All my devices except for two Apple TVs are outside the VPN network; all show the normal WAN IP, whilst the Apple TVs show a US IP, so all looks good, until I try a remote login from outside my LAN, i.e. via the WAN.

    I checked my DynDNS IP and it is correct, in that it reports the correct WAN IP address. The problem is that when I ping it, I get zero packets returned and I cannot remote login to my router.

    If I use RealVNC, I can log in to any of my PCs on my LAN, either via HTTPS or by SSH, but I can't log in to my router itself.

    From my Lan all is working great, if I shut down the vpn tunnel, then all is working great.

    I don't understand why I can't login to the router itself when the vpn is up, yet it is obviously working ok otherwise the port forwarding of the realvnc would not be working.

    When I issue an iptables -t mangle -L PREROUTING command, the interfaces all appear correct.

    I'm stumped at this point, can anyone offer any advice?

    btw, my router is E4200 v1 with shibby 112 aio firmware installed.

    Thanks guys!
     
  4. dvbguy

    dvbguy Reformed Router Member

    I am looking for a way that a static internal IP address will not be included in the VPN tunnel from my Tomato router. So I'm looking for the opposite of the line "All traffic from a particular computer on the LAN will use the VPN".

    Is that possible somehow to make??

     
  5. fearz

    fearz Serious Server Member

    I had this working with Shibby 109; since I updated to 112, I can't get it to work. For some reason, after following the steps, the VPN is up, but once I selectively enable a few devices there is no internet for any device... once stopped, the internet is back. Any help please?
     
  6. bimmerm3m5

    bimmerm3m5 Network Guru Member

    I couldn't get any of the solutions working out of this thread, but found this which works fine:

    http://serverfault.com/questions/38...-hosts-route-through-openvpn-client-on-tomato
     
  7. Rockstead

    Rockstead Reformed Router Member

    Hi,

    I Just wanted to thank you because I was able to get your script working perfectly with my Linksys E4200 along with my PIA VPN account and that's saying something because I have zero skill at scripting.

    I just need to bypass a few wireless devices and everything I have is set to DHCP, so I just use Tomato Firmware to map Mac address to Static IP.

    My question for you: I thought that if the VPN was down, the script would prevent any connectivity, but I stopped my OpenVPN script and I was still able to get activity.

    I saw it mentioned in some previous messages in this thread that it would prevent this and that's exactly what I'm looking for, just in case the VPN goes down, I don't want it to fall back to my exposed IP.

    Is something missing from version 3 of the script or am I doing something wrong?

    Thanks again!
     
  8. Rockstead

    Rockstead Reformed Router Member

    The VPN providers refer to it as an Internet Kill Switch.

    I'll provide more details on the Tomato Shibby I'm running.

    tomato-E4200USB-NVRAM60K-1.28.RT-N5x-MIPSR2-112-AIO

    Maybe the Internet Kill Switch feature is there, but it didn't work because I actually stopped the OpenVPN service?
     
  9. Rockstead

    Rockstead Reformed Router Member

    Looks like this thread died off; no one replies anymore, but when you Google "bypass VPN" there are very few solutions out there.

    The perfect scenario would be to have a kill switch for the VPN connections that are not being bypassed, so if the VPN goes down I want those connections to lose Internet connectivity. In addition, if by any chance the OpenVPN service is stopped manually, or let's say the OpenVPN account gets suspended and doesn't get logged in, it would be great if the same fail-safe could still work regardless.

    I'm using Quidagis bypass-vpn-with-iptables-v3.txt
     
  10. noremacyug

    noremacyug Reformed Router Member

    Is this limited to bypass via ip or could traffic be routed on a per port basis?
     
  11. _wb_

    _wb_ Networkin' Nut Member

    When I enable selective VPN using @quidagis's script, my Bandwidth Distribution (Inbound) does not work. There is no traffic showing on that graph. Any idea?

    Update: I am using Shibby's Firmware 1.28.0000 MIPSR2-115 K26AC USB AIO-64K

    Is there anything I could look for @Toastman?
     
    Last edited: Dec 17, 2013
  12. Rockstead

    Rockstead Reformed Router Member

    Hi, this script stopped working for me when I started using PPPoE to connect to the Internet, since I have switched my provider's modem to bridge mode.

    This is the final version of the bypass script I was using. http://pastebin.com/QKKK9jsQ

    What modification do I have to make so that it works with PPPoE?
     
  13. Shamus

    Shamus Reformed Router Member

    I got mine to work with PPPoE by changing the following near the top:

    Code:
    #start_modification here
    # With PPPoE there is no usable wan_gateway in nvram; take the peer (P-t-P) address of ppp0 instead.
    pppoe_gateway=`ifconfig ppp0 | awk '/P-t-P/ {split ($3,A,":"); print A[2]}'`
    
    #ip route add default table 100 via $(nvram get wan_gateway)
    ip route add default table 100 via $pppoe_gateway
    #end modification here
    
    ip rule add fwmark 1 table 100
    ip route flush cache
     
  14. Shamus

    Shamus Reformed Router Member

    I've got my script working as required... thanks! The only thing that has stopped working for me is my OpenVPN server that I was also using on my router. Has anyone got their OpenVPN server working in addition to the OpenVPN client with the VPN by-pass script?
     
  15. Shamus

    Shamus Reformed Router Member

    I had a brief "DOH" moment when I realized that both my client and server were listening on the same port. I changed the server's port to 1193, and now I see that the server sees the connection attempts. However, it doesn't seem able to send the responses back to the potential client. Can anyone help from an iproute/iptables perspective?
     
  16. bimmerm3m5

    bimmerm3m5 Network Guru Member

    Hi, I've tried using Quidagis's script, which was a breeze to set up and works well... but it seems to cause instability with my WAN connection.

    After a day or so, none of the wired or wireless clients can connect to the outside world, and I can't even ping the router. Rebooting doesn't seem to do much either.

    I'm running the latest 1.2v Victek mod on my E4200.

    I'm wondering if this has something to do with my cable provider which has the DHCP timeout of 2 days on the WAN side of the router. Thoughts?
     
  17. Rockstead

    Rockstead Reformed Router Member

    Shamus,

    Thank you so much! finally a reply and solution, I'm sure many will appreciate.

    One problem: I'm using Shibby's Tomato, and after adding your changes, it tells me that I'm using the maximum allowable amount of bytes in my WAN up scripts, which is 4096, and it won't allow me to save the changes.

    Any suggestions?
     
  18. Rockstead

    Rockstead Reformed Router Member

     
  19. Rockstead

    Rockstead Reformed Router Member

    Shamus,

    I finally got it working by removing a ton of comments from the script. I would prefer to keep them but could not make it fit under 4096 bytes. I know the other solution would be to enable the JFFS space, save the script there and then reference the script from WAN up, but I had no idea how to do the saving or referencing part.

    Here is my other issue that you might be able to figure out: prior to the bypass, I was running a kill switch, so if the VPN went down, nothing would be able to get out from my WAN. But the problem with bypass is that I want the devices being bypassed to be able to get to the Internet, and if the VPN went down, I want the devices behind the VPN to be blocked.

    Here is the script that works at doing this but doesn't work as required with bypass:

    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -I FORWARD -i br0 -o vlan2 -j DROP
    iptables -I INPUT -i tun0 -j REJECT
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
     
  20. stick&puck

    stick&puck Network Newbie Member

    I was wondering if anyone has used Jeff's script with multiple VLANs / SSIDs.

    I was thinking of having an SSID/VLAN named "Wifi VPN", and that way when I wanted devices to go through the VPN I would connect to that WiFi network and then all my traffic would go through the VPN. From looking at the script, I would only need to have the IP range of the VLAN placed in the section below and it should still catch and route it correctly.

    # IP range to route thru VPN
    VPN_IP_LIST="192.168.51.151 192.168.51.152"
     
  21. windozer

    windozer Networkin' Nut Member

    Here's an alternate method. I haven't tried it myself.

    Original source - https://forum.vpn.ac/discussion/12/tomatousb-policy-based-routing-bypassing-the-vpn
     
  22. Malakai

    Malakai Serious Server Member

    Hello,

    I was interested in this too, but I did it slightly differently. I wanted only 1 computer to use the OpenVPN connection and only for ports 80 and 443 so on the router I executed:

    Code:
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    
    ip route add table 200 default via 10.0.0.2
    ip rule add fwmark 1 lookup 200
    
    iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.5 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    With 10.0.0.2 being the OpenVPN client IP (10.0.0.1 is the IP of the server) and 192.168.0.5 being the IP I want to go through the VPN connection.

    I think it is simpler than making a default table for the VPN and selecting what shouldn't go through it with another table; with this example you don't touch the default table, so you can't mess anything up.

    But I have one question about the echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter. As I understand it, rp_filter is used to prevent address spoofing; by disabling it, what are the risks to which I am exposed? I mean, what is the worst that could happen?
     
  23. Malakai

    Malakai Serious Server Member

    Hello again,

    I have a little issue regarding routing packets through the VPN. I really use my VPN connection only to access 2 or 3 websites that block access if the visitor is not from that country. Now I just start the routing on ports 80, 443 and 1935 (for RTMP) when I need to access those sites, BUT in this case everything on the web (ports 80 and 443) goes through the VPN, which I don't want.

    The idea is to mark all the packets that are related to the first connection to that site, as a lot of the site's content is hosted on a lot of servers with different IPs.

    So I've read some forums and tutorials on the net, and I think I need to use CONNMARK to mark the entire connection, but I don't really understand how to use this, as I have to restore the mark and then save it, or something like that.

    In short: I want to access domain.com with the IP 1.2.3.4 through the VPN on ports 80, 443 and 1935, but everything else should go to the Internet without the VPN. The problem is that the content is not only on that server with the IP 1.2.3.4; it is on a lot of servers and I can't get a list of those IPs. So could I do this using CONNMARK?

    Now I have something like this that I execute when I need to access the websites through the VPN:

    Code:
    iptables -t mangle -I PREROUTING -i br0 -s 192.168.1.12 -p tcp -m multiport --dport 80,443,1935 -j MARK --set-mark 1
    Could I use something like this to have all the content related to the first connection (1.2.3.4) pass through the VPN:

    Code:
    # CONNMARK and MARK live in the mangle table; without -t mangle iptables rejects these rules
    iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.12 -d 1.2.3.4 -p tcp -m multiport --dport 80,443,1935 -j CONNMARK --restore-mark
    iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.12 -d 1.2.3.4 -p tcp -m multiport --dport 80,443,1935 -m mark --mark 1 -j ACCEPT
    iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.12 -d 1.2.3.4 -p tcp -m multiport --dport 80,443,1935 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.12 -d 1.2.3.4 -p tcp -m multiport --dport 80,443,1935 -j CONNMARK --save-mark
     
  24. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Hi everyone,

    I would like to have all traffic go through VPN except a few devices. I intend to implement
    quidagis's solution as described in post #90. Here are my questions:

    - Is this still the recommended method to achieve the stated goal?
    - When the VPN service is down, does traffic fall back onto WAN? My guess is no. If so, how do I adapt it to do so? I know the method described in post #43 could be adapted to do so, but I'm not sure how this could be achieved in this setting.

    Thanks so much!
     
  25. eibgrad

    eibgrad Addicted to LI Member

    Using the WAN_Up script (or any other router script) is not the proper way to handle this. OpenVPN already has scripting support for this. Please see my posts in response to post #137 in the following thread:

    http://linksysinfo.org/index.php?th...-through-vpn-openvpn.37240/page-2#post-256859

    As far as blocking the WAN when the VPN drops, you need to handle this yourself w/ the following firewall rule:

    Code:
    iptables -I FORWARD -o $(nvram get wan_iface) -j DROP
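
An added example (mine, not code from this thread or from eibgrad's scripts) that builds on the `-o $(nvram get wan_iface) -j DROP` rule above so it also covers the case Rockstead asked about in post #19: clients that are supposed to use the VPN fail closed when the tunnel is down or OpenVPN is stopped, while the bypassed hosts keep their WAN access. The WAN interface `vlan2`, the two bypass addresses and the `0x88` mark (the value eibgrad's route-up.sh uses for its WAN exceptions) are placeholders to be replaced with your own values. The function only prints the rules, in order, so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not code from the thread. A FORWARD-chain kill switch that
# fails closed for VPN clients but leaves the bypassed hosts on the WAN.
# Interface, hosts and mark below are placeholders (assumptions).

WAN_IF="vlan2"                               # on the router: $(nvram get wan_iface)
BYPASS_HOSTS="192.168.1.40 192.168.1.60"     # same hosts as the `ip rule add from` lines
WAN_MARK="0x88"                              # same mark route-up.sh uses for WAN exceptions
CHAIN="vpn_killswitch"

# killswitch_rules WAN_IF "host ..." MARK  -> prints the iptables commands, in order.
# Nothing is executed here; review the output, then pipe it to `sh -e`.
# Ordering is the whole point: every exemption precedes the final DROP, and the
# DROP only matches LAN->WAN, so tunnel traffic (-o tun11) is never touched.
killswitch_rules() {
    wan_if="$1"; hosts="$2"; mark="$3"
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    for h in $hosts; do                               # bypassed hosts may use the WAN
        echo "iptables -A $CHAIN -s $h -j RETURN"
    done
    # Packets the route-up.sh mangle rules already steered into the WAN table
    # (e.g. a port forward's --sport replies) carry the mark and are let out too.
    # Deliberately no ESTABLISHED exemption: when the tunnel drops, flows that
    # were inside it would otherwise continue in the clear over the WAN.
    echo "iptables -A $CHAIN -m mark --mark $mark -j RETURN"
    echo "iptables -A $CHAIN -j DROP"                  # everyone else: no WAN without the VPN
    # (Re)hook the chain at the top of FORWARD for LAN->WAN traffic; the -D
    # keeps a rerun from stacking duplicate jumps.
    echo "iptables -D FORWARD -i br0 -o $wan_if -j $CHAIN 2>/dev/null"
    echo "iptables -I FORWARD -i br0 -o $wan_if -j $CHAIN"
}

# Install from the Firewall script (not from route-up.sh), so the chain exists
# even while OpenVPN is stopped or has never connected.
apply_killswitch() { killswitch_rules "$WAN_IF" "$BYPASS_HOSTS" "$WAN_MARK" | sh -e; }
```

Because the chain is keyed on the source address and on the mark rather than on the tunnel interface, it does not care whether OpenVPN is running, which is the gap Rockstead described when stopping the service by hand. It covers forwarded traffic only: what the router itself originates (dnsmasq forwarding DNS, NTP, the admin replies from post #2) passes through OUTPUT, not FORWARD, and needs an equivalent rule there if it must not leak.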
     
  26. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Thanks eibgrad. I will look at that thread when I get home.

    The behavior I want when the VPN is down is to have everyone access the internet (WAN). I assume that the router will try to re-establish the VPN continuously until the connection is made, which would put the set devices back on the VPN. Basically, I never want my devices to not have Internet access. Should I still follow that thread?
     
  27. eibgrad

    eibgrad Addicted to LI Member

    Oh, I misunderstood. Then just ignore that firewall rule. The reason using OpenVPN scripting is a better solution is because when the VPN is brought down, the route-pre-down.sh script will be called and clean everything up. Everything will return to normal, meaning all your clients will return to using the WAN. But these other solutions that work OUTSIDE the OpenVPN scripting (like WAN_Up) are really hacks. They're not working in coordination w/ the VPN, and so you can run into timing issues, or perhaps routes won't be returned to normal when the VPN comes down (because they don't know when that event has occurred). OpenVPN provides its own event-driven scripting model so you can eliminate all these problems.
     
  28. vinhdizzo

    vinhdizzo Networkin' Nut Member

    eibgrad: the solution you pointed to works. I am able to get the VPN client working with the specified IPs going through the WAN and not the VPN. I don't know when the VPN service will be down, so I'm going to trust that the VPN service will disconnect and the down script will run, making all computers have access to the internet.

    Will Tomato try to log in to the VPN continuously? If not, how will the user know when the VPN is brought down?

    In testing your solution, I noticed that it broke my port forwarding. I searched it, and I believe the requests are going through and the responses are coming back out, but from a different (VPN) IP, which the client is dropping. Per your solution, what is the best way to fix the port forwarding issue?

    Thanks!
     
  29. eibgrad

    eibgrad Addicted to LI Member

    When I say routing will return to the WAN when the VPN comes down, I'm not making any assurances of when the VPN *will* be brought down. Obviously it will be brought down if you stop it. But let's say communication is lost w/ the VPN server for some reason, perhaps for an extended period. It's up to the VPN to decide how long to wait and whether to bring itself down (if ever). In the meantime, presumably users behind the VPN will not have internet access. It's no different than any other situation where you have multiple network interface options and need to decide when to give up and move to another network interface (e.g., dual WAN w/ failover). Perhaps OpenVPN provides some options in this regard, but it's not something I've investigated.

    When it comes to port forwarding, you have three options. You can either 1) access the device over the VPN (provided the VPN provider makes port forwarding available), 2) exempt the device from the VPN (based solely on source IP), or 3) exempt the device based on additional criteria (not just source IP).

    The scripts I posted earlier have been modified below to allow you to mark packets in the mangle table based on other criteria and exempt those packets from the VPN using an ip rule that looks for those marks. In my example, 10.10.1.155 is an ip camera listening on port 80. Like everything else, by default, it will use the VPN. But we exempt it from the VPN when its source port is 80 (we also have to disable rp filtering on the WAN as well). Now access to the camera over the WAN will result in replies being sent back over the WAN, not the VPN.

    route-up.sh:
    Code:
    #!/bin/sh
    TID=200
    MARK="0x88"
    VPN_IF="$dev"  # provided by OpenVPN at runtime
    VPN_DFLT_GTWY='^0.0.0.0/1|^128.0.0.0/1'
    
    # copy main routing table to alternate routing table (ignore VPN routes)
    ip route flush table $TID > /dev/null 2>&1
    ip route show table main | grep -v "$VPN_IF" | grep -Ev $VPN_DFLT_GTWY \
      | while read route; do
            ip route add $route table $TID
        done
    ip route flush cache
    
    # specify source IP(s)/network(s) to be routed over the WAN
    ip rule add from 10.10.1.113 table $TID
    
    # make exceptions based on other criteria (e.g., source/destination port)
    echo 0 > /proc/sys/net/ipv4/conf/$(nvram get wan_iface)/rp_filter
    iptables -t mangle -I PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    ip rule add fwmark $MARK table $TID 
    route-down.sh:
    Code:
    #!/bin/sh
    TID=200
    MARK="0x88"
    ip rule del from 10.10.1.113 table $TID
    echo 1 > /proc/sys/net/ipv4/conf/$(nvram get wan_iface)/rp_filter
    iptables -t mangle -D PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    ip rule del fwmark $MARK table $TID
    ip route flush table $TID
    ip route flush cache 
     
  30. vinhdizzo

    vinhdizzo Networkin' Nut Member

    eibgrad:

    I tried your new scripts, and I'm unable to get the forwarded ports working. The port after --sport should be the internal port, correct? For example, if I'm forwarding 1180 to 80 on an IP, then I should use 80? That's what I did, but it did not work. Re-reading your post, what I did NOT do was: "(we also have to disable rp filtering on the WAN as well)". Not sure how this is done in Tomato, but is this the culprit? Just for completeness, the new parts of your script are:

    MARK="0x88"

    # make exceptions based on other criteria (e.g., source/destination port)
    echo 0 > /proc/sys/net/ipv4/conf/$(nvram get wan_iface)/rp_filter
    iptables -t mangle -I PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    ip rule add fwmark $MARK table $TID

    echo 1 > /proc/sys/net/ipv4/conf/$(nvram get wan_iface)/rp_filter
    iptables -t mangle -D PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    ip rule del fwmark $MARK table $TID

    Thanks!
     
  31. eibgrad

    eibgrad Addicted to LI Member

    The “echo” lines disable and enable rp filtering, so that’s taken care of in the script.

    Start the VPN w/ the scripts. Attempt to use the port forward (so we can at least see if there are any packets hitting the firewall). Then using telnet/ssh, execute the following command and post the output back here.

    Code:
    ip route show
    ip route show table 200
    ip rule list
    iptables -t mangle -vnL PREROUTING
    iptables -t nat -vnL PREROUTING
    echo "wan_iface=$(nvram get wan_iface)"
    sh -c 'for i in $(ls -1 /proc/sys/net/ipv4/conf/*/rp_filter); do echo "$i=$(cat $i)"; done'
     
  32. vinhdizzo

    vinhdizzo Networkin' Nut Member

  33. eibgrad

    eibgrad Addicted to LI Member

    I see you have added a lot of rules besides 192.168.1.12:443. Did you try any others? Would help to know if it's only this rule having a problem vs. all the rules.

    Btw, I forgot that tomato uses the WANPREROUTING table for port forwarding, not just PREROUTING, so dump it as well.

    iptables -t nat -vnL WANPREROUTING
     
  34. eibgrad

    eibgrad Addicted to LI Member

    P.S. Try adding the following command at the very end of the route-up.sh script:

    ip route flush cache
     
  35. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Yes, I did try two rules: 12:443 and 13:80, and both do not work.

    I added the flush to the up script, and I still don't get a response.

    Where do I put the WANPREROUTING? In up or down script? And where? Thanks so much for your help!
     
  36. eibgrad

    eibgrad Addicted to LI Member

    wrt WANPREROUTING, I wasn't suggesting any changes to the scripts. I wanted you to dump that firewall chain as well so I could see if your port forwards were even getting hit w/ packets.

    Btw, there wasn’t any .13:80 port forward in your original dumps, so perhaps you added that later or it’s a typo.

    Not sure what the problem is. Everything else in your dumps looks ok. It works here like a charm.

    What happens if you add .12 to the ip rules directly (i.e., force all traffic back over the WAN), does it now work? IOW, is it a case of it not working ONLY when you try to limit the source port to 443, or does it never work, regardless how you configure it?

    Code:
    ip rule add from 192.168.1.12 table $TID
    ip rule add from 192.168.1.13 table $TID
    I made a few changes to the scripts, some cosmetic, but did fix the issue w/ “ip route flush cache”, and I also changed the creation of the routing table to ONLY remove the VPN as the default gateway rather than removing ALL the VPN routes. I was running into some DNS issues unless I made that change. I suspect your problems won’t be fixed w/ these changes since it worked here w/ the prior script, but just in case, I’ve pasted the updated scripts below (using my own examples, of course).

    route-up.sh:
    Code:
    #!/bin/sh
    TID="200"
    MARK="0x88"
    VPN_IF="$dev"                     # provided by OpenVPN at runtime
    VPN_DFLT_GTWY='^0.0.0.0/1|^128.0.0.0/1'
    WAN_IF="$(nvram get wan_iface)"
    
    # copy default/main routing table (exclude VPN default gateway)
    ip route flush table $TID > /dev/null 2>&1
    ip route show table main | grep -Ev "$VPN_DFLT_GTWY" \
      | while read route; do
            ip route add $route table $TID
        done
    # disable WAN reverse path filtering
    echo 0 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    ip route flush cache
    
    # specify source IP(s)/network(s) to be routed over the WAN
    ip rule add from 10.10.1.113  table $TID
    ip rule add from 10.10.2.0/24 table $TID
    
    # additional exceptions based on other criteria (e.g., source/destination port)
    iptables -t mangle -I PREROUTING -p tcp -s 10.10.1.42 --sport 22 -j MARK --set-mark $MARK
    iptables -t mangle -I PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    iptables -t mangle -I PREROUTING -p tcp --dport 443 -j MARK --set-mark $MARK
    iptables -t mangle -I PREROUTING -s my-ipod -j MARK --set-mark $MARK
    ip rule add fwmark $MARK table $TID
    route-down.sh:
    Code:
    #!/bin/sh
    TID="200"
    MARK="0x88"
    WAN_IF="$(nvram get wan_iface)"
    
    ip rule del from 10.10.1.113  table $TID
    ip rule del from 10.10.2.0/24 table $TID
    
    iptables -t mangle -D PREROUTING -p tcp -s 10.10.1.42 --sport 22 -j MARK --set-mark $MARK
    iptables -t mangle -D PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    iptables -t mangle -D PREROUTING -p tcp --dport 443 -j MARK --set-mark $MARK
    iptables -t mangle -D PREROUTING -s my-ipod -j MARK --set-mark $MARK
    ip rule del fwmark $MARK table $TID
    
    echo 1 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    ip route flush table $TID
    ip route flush cache
    If the problems continue, you may have to dig deeper. For example, when you try to use the port forward and the VPN is running, see if connection tracking shows anything for that target device by going to a telnet/ssh session and issuing the following command:

    Code:
    cat /proc/net/ip_conntrack | grep <ip-address>
    … where you replace <ip-address> w/ the ip address of the target device of the port forward.
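
An added example (mine, not code from the thread or from eibgrad's scripts) that replays the "copy the main table minus the VPN default gateway" step of the route-up.sh scripts above on captured dumps, so the filter can be checked without touching a live routing table. Both dumps are constructed; the interface names (`br0`, `vlan2`, `tun11`, `ppp0`) follow the Tomato naming used in this thread, and the addresses are documentation ranges. The `def1` mode is what the later scripts do (only the two `/1` routes that `redirect-gateway def1` installs are dropped); `notun` reproduces the earlier approach of discarding every route on the tunnel interface, which is what also discards the route to a DNS server pushed by the VPN.

```shell
#!/bin/sh
# Added example, not code from the thread. Filters an `ip route show table main`
# dump the way the route-up.sh scripts above do, printing the `ip route add`
# commands instead of running them. Samples are constructed (assumptions).

# Main table of a Tomato router (LAN br0, WAN vlan2) after the OpenVPN client
# on tun11 applied redirect-gateway def1. The two /1 routes are the VPN default
# gateway; "default via 203.0.113.1" is the real WAN one and stays.
SAMPLE_MAIN='0.0.0.0/1 via 10.8.0.5 dev tun11
default via 203.0.113.1 dev vlan2
10.8.0.1 via 10.8.0.5 dev tun11
10.8.0.5 dev tun11  proto kernel  scope link  src 10.8.0.6
127.0.0.0/8 dev lo  scope link
128.0.0.0/1 via 10.8.0.5 dev tun11
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
198.51.100.7 via 203.0.113.1 dev vlan2
203.0.113.0/24 dev vlan2  proto kernel  scope link  src 203.0.113.50'

# Same router on a PPPoE WAN: the default route has no "via" address at all,
# which is why `nvram get wan_gateway` gave nothing usable in posts #12/#13.
# Copying the existing default route sidesteps that.
SAMPLE_MAIN_PPPOE='0.0.0.0/1 via 10.8.0.5 dev tun11
default dev ppp0  scope link
10.8.0.5 dev tun11  proto kernel  scope link  src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun11
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
198.51.100.7 dev ppp0  scope link'

# wan_table_routes MODE [TID] [VPN_IF]  < main-table-dump
#   def1   drop only 0.0.0.0/1 and 128.0.0.0/1 (eibgrad's later scripts);
#          VPN host routes such as 10.8.0.1 survive, so a DNS server pushed
#          by the VPN stays reachable from the WAN table
#   notun  additionally drop every route on VPN_IF (the earlier scripts)
wan_table_routes() {
    mode="$1"; tid="${2:-200}"; vpn_if="${3:-tun11}"
    case "$mode" in
        def1)  filter='^(0\.0\.0\.0/1|128\.0\.0\.0/1) ' ;;
        notun) filter="^(0\.0\.0\.0/1|128\.0\.0\.0/1) | dev $vpn_if( |\$)" ;;
        *)     echo "usage: wan_table_routes def1|notun [tid] [vpn_if]" >&2; return 1 ;;
    esac
    grep -Ev "$filter" | sed 's/  */ /g; s/ $//' \
      | while read -r route; do
            echo "ip route add $route table $tid"
        done
}

# Helpers for the two dumps (used by the checks).
def1_routes()  { printf '%s\n' "$SAMPLE_MAIN"       | wan_table_routes def1  200; }
notun_routes() { printf '%s\n' "$SAMPLE_MAIN"       | wan_table_routes notun 200 tun11; }
pppoe_routes() { printf '%s\n' "$SAMPLE_MAIN_PPPOE" | wan_table_routes def1  200; }

# Live use inside route-up.sh, after `ip route flush table 200`
# ($dev is the tunnel interface OpenVPN passes to the script):
#   ip route show table main | wan_table_routes def1 200 "$dev" | sh -e
```

Once the alternate table holds the WAN default route, a reply from an exempted host arrives on the WAN although the main table's best route to its source is the tunnel; that is what the strict reverse-path check (`rp_filter=1`) rejects and why the scripts set it to 0 on the WAN and tunnel interfaces. Where the kernel offers loose mode (`rp_filter=2`, which accepts any source reachable through some interface) that keeps a basic anti-spoofing check, but the 2.6.22-based K26 Tomato builds predate it.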
     
  37. vinhdizzo

    vinhdizzo Networkin' Nut Member

    I did not modify the up and down scripts per your response as I wanted to get the requested information to you first.

    I turned on VPN, tried to visit the two destinations, ran the commands to view the traffic, and pasted the results here.

    Let me know if you see anything wrong. If not, let me know what you think I should do next, like apply your latest script. Thanks so much for your help. I really appreciate it.
     
  38. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Hi again,

    I tested allowing the entire source to get through as you suggested, and ports 443 and 22 did work. Thus, the issue is when we specify the port.

    I also updated my script to reflect your script, and still no go on port forwarding.

    Here is the connection tracking as you suggested:

    # cat /proc/net/ip_conntrack | grep 192.168.1.12
    tcp 6 31 TIME_WAIT src=192.168.1.216 dst=45.48.34.12 sport=50081 dport=443 src=192.168.1.12 dst=192.168.1.1 sport=443 dport=50081 [ASSURED] mark=0 use=2
    tcp 6 115 TIME_WAIT src=192.168.1.216 dst=45.48.34.12 sport=50096 dport=443 src=192.168.1.12 dst=192.168.1.1 sport=443 dport=50096 [ASSURED] mark=0 use=2
    tcp 6 1 TIME_WAIT src=192.168.1.216 dst=45.48.34.12 sport=50067 dport=443 src=192.168.1.12 dst=192.168.1.1 sport=443 dport=50067 [ASSURED] mark=0 use=2
    tcp 6 92 TIME_WAIT src=192.168.1.216 dst=45.48.34.12 sport=50095 dport=443 src=192.168.1.12 dst=192.168.1.1 sport=443 dport=50095 [ASSURED] mark=0 use=2

    Does this offer any clue to the port forwarding issue?

    Also, as I was testing, I don't know if the VPN service went down or not, but all of a sudden, I wasn't able to access the internet (my computer is going through vpn via the router). I wanted to log into the router to turn off vpn, but I wasn't able to contact the router either. Was this caused by the VPN dropping?

    Thanks so much!
     
  39. eibgrad

    eibgrad Addicted to LI Member

    I had to look into this a little deeper and make sure what I think is the problem, is the problem.

    If you look closely at your dump of ip_conntrack, you'll notice the destination IP (dst=) is the router (192.168.1.1), NOT the actual internet destination IP. Compare your dump to my dump of ip_conntrack (I'm using ssh (port 22) on a local IP of 10.10.1.42):

    Code:
    tcp      6 1193 ESTABLISHED src=107.28.12.254 dst=70.113.104.44 sport=56322 dport=42424 packets=18 bytes=2336 src=10.10.1.42 dst=107.28.12.254 sport=22 dport=56322 packets=18 bytes=3238 [ASSURED] mark=0 use=1
    Unlike your dump where the destination IP is 192.168.1.1, mine is 107.28.12.254, which is the public IP of the remote SSH client.

    That tells me it’s one of two things. Either you’re using some sort of proxy server, or for some other reason your router is NAT’ing inbound traffic (not just outbound traffic), while mine isn’t. Sometimes routers do this in order to be assured traffic from port forwarding is forced back to the router and not out some other default gateway. But of course, if the router’s default gateway is the VPN, you’re back to the same problem.

    So the question is, if you’re not using a proxy of some kind, why is your router NAT’ing (presumably) the inbound traffic while mine isn’t. I suppose a quick fix (if only to prove this is the problem) would be to include the router itself in the source IPs not to be routed over the VPN. But it still begs the question, why the differences between our routers.
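
An added example (mine, not code from the thread) that automates the reading of `ip_conntrack` entries eibgrad does above. It takes the two dump lines quoted in the posts plus one constructed outbound connection, and reports for each whether the original direction came from outside the LAN. One detail worth noticing in vinhdizzo's line: the original-direction source, 192.168.1.216, is itself a LAN address, which is what a connection from inside the LAN to the router's own public address (NAT loopback) looks like; a test from a genuinely external client shows a public source, as eibgrad's line does. The LAN prefix and router address are parameters; the classification labels are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies ip_conntrack lines for a
# port-forwarded host the way post #39 reads them, with POSIX awk only.

# The first two lines are quoted from the posts above; the third is a
# constructed ordinary outbound connection for contrast.
CT_VINHDIZZO='tcp 6 31 TIME_WAIT src=192.168.1.216 dst=45.48.34.12 sport=50081 dport=443 src=192.168.1.12 dst=192.168.1.1 sport=443 dport=50081 [ASSURED] mark=0 use=2'
CT_EIBGRAD='tcp      6 1193 ESTABLISHED src=107.28.12.254 dst=70.113.104.44 sport=56322 dport=42424 packets=18 bytes=2336 src=10.10.1.42 dst=107.28.12.254 sport=22 dport=56322 packets=18 bytes=3238 [ASSURED] mark=0 use=1'
CT_OUTBOUND='tcp 6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.9 sport=40000 dport=80 src=198.51.100.9 dst=203.0.113.50 sport=80 dport=40000 [ASSURED] mark=0 use=1'

# classify_ct LAN_CIDR ROUTER_LAN_IP  < conntrack-lines
# Prints one word per input line:
#   external  original src is outside the LAN and the reply is addressed back
#             to it: a genuine WAN-side port forward, whose reply has to leave
#             via the WAN (what the --sport mark rule in route-up.sh is for)
#   hairpin   original src is a LAN host and the reply is addressed to the
#             router: NAT loopback. That packet never crossed the WAN, so it
#             proves nothing about the forward as seen from outside
#   other     anything else (plain outbound flows, unparsable lines)
classify_ct() {
    awk -v lan="$1" -v router="$2" '
    function ip2n(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Prefix compare by integer division: avoids the gawk-only and()/rshift().
    function in_lan(ip,    a, shift) {
        split(lan, a, "/")
        shift = 2 ^ (32 - a[2])
        return int(ip2n(ip) / shift) == int(ip2n(a[1]) / shift)
    }
    {
        # First src=/dst= pair is the original direction, the second the reply.
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)      { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        if (n < 2)                                    print "other"
        else if (!in_lan(src[1]) && dst[2] == src[1]) print "external"
        else if (in_lan(src[1]) && dst[2] == router)  print "hairpin"
        else                                          print "other"
    }'
}

# Helpers for the three samples (used by the checks).
check_vinhdizzo() { printf '%s\n' "$CT_VINHDIZZO" | classify_ct 192.168.1.0/24 192.168.1.1; }
check_eibgrad()   { printf '%s\n' "$CT_EIBGRAD"   | classify_ct 10.10.1.0/24   10.10.1.1; }
check_outbound()  { printf '%s\n' "$CT_OUTBOUND"  | classify_ct 192.168.1.0/24 192.168.1.1; }

# On the router (the nf_conntrack format of newer kernels works too, since
# only the src=/dst= tokens are inspected):
#   grep 192.168.1.12 /proc/net/ip_conntrack | classify_ct 192.168.1.0/24 192.168.1.1
```

If every entry for the forwarded host comes back as `hairpin`, the test client was on the LAN and the WAN-side path (and therefore the `--sport` exemption) was never exercised; rerun the test from a host outside the LAN, for example a phone on mobile data, before changing the scripts.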
     
  40. vinhdizzo

    vinhdizzo Networkin' Nut Member

    I'm not using any proxy on my router. If I remember correctly, I did specify a DNS server to use (OpenDNS). Could this have caused it? Only other thing is I also set up an OpenVPN server on my router. Other than that I don't know what's different.

    To confirm, add my router internal ip to the excluded vpn list, right?

    Thanks.
     
  41. eibgrad

    eibgrad Addicted to LI Member

    Yes, if only to see if it confirms my theory.
     
  42. eibgrad

    eibgrad Addicted to LI Member

    P.S. When I say proxy, I'm using that term in the broadest sense. Some things may effectively act as a proxy, even if they aren't typically known as such. A good example is a captive portal. Maybe even Access Restrictions under certain conditions.
     
  43. vinhdizzo

    vinhdizzo Networkin' Nut Member

    OK, tried it again after adding my router IP to the VPN excluded list, and I get these in the connection log. Any thoughts? In terms of results, port forwarding still did not work. Thanks!
     
  44. eibgrad

    eibgrad Addicted to LI Member

    Only other suggestion I can make is that we disable rp (reverse path) filtering on both the WAN and VPN network interfaces. I've updated the scripts below. If this doesn't work, I'm out of ideas.

    route-up.sh:
    Code:
    #!/bin/sh
    TID="200"
    MARK="0x88"
    WAN_IF="$(nvram get wan_iface)"
    VPN_IF="$dev" # provided by OpenVPN at runtime
    
    # copy default/main routing table (exclude VPN default gateway)
    ip route flush table $TID > /dev/null 2>&1
    ip route show table main | grep -Ev '^0.0.0.0/1|^128.0.0.0/1' \
      | while read route; do
            ip route add $route table $TID
        done
    # disable WAN/VPN reverse path filtering
    echo 0 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter
    ip route flush cache
    
    # route over WAN based on source IP(s)/network(s) or network interface
    ip rule add from 10.10.1.113  table $TID
    ip rule add from 10.10.2.0/24 table $TID
    ip rule add iif wl0.1 table $TID
    
    # route over WAN based on other criteria (e.g., protocol, source/destination port)
    iptables -t mangle -A PREROUTING -p tcp -s 10.10.1.42 --sport 22 -j MARK --set-mark $MARK
    iptables -t mangle -A PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark $MARK
    iptables -t mangle -A PREROUTING -s my-ipod -j MARK --set-mark $MARK
    ip rule add fwmark $MARK table $TID
    route-down.sh:
    Code:
    #!/bin/sh
    TID="200"
    MARK="0x88"
    WAN_IF="$(nvram get wan_iface)"
    VPN_IF="$dev" # provided by OpenVPN at runtime
    
    ip rule del from 10.10.1.113  table $TID
    ip rule del from 10.10.2.0/24 table $TID
    ip rule del iif wl0.1 table $TID
    
    iptables -t mangle -D PREROUTING -p tcp -s 10.10.1.42 --sport 22 -j MARK --set-mark $MARK
    iptables -t mangle -D PREROUTING -p tcp -s 10.10.1.155 --sport 80 -j MARK --set-mark $MARK
    iptables -t mangle -D PREROUTING -p tcp --dport 443 -j MARK --set-mark $MARK
    iptables -t mangle -D PREROUTING -s my-ipod -j MARK --set-mark $MARK
    ip rule del fwmark $MARK table $TID
    
    echo 1 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter
    ip route flush table $TID
    ip route flush cache
     
    Last edited: Mar 1, 2015
  45. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Modified my scripts (added the wl0.1 line and the rp VPN line). Left the router ip on the white list. Still no go for port forwarding. I pasted the connections log here in case you're able to catch anything. Thanks so much for your help thus far.
     
  46. eibgrad

    eibgrad Addicted to LI Member

    The line wl0.1 was only an additional example I added to the script. Not necessary in your case.

    Sorry, but I just don't know what the problem is. As I said, it works fine here. Something else must be different about your config, but I have no clue what that might be.
     
  47. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Still bummed that I'm unable to get port forwarding working. I went back and re-pasted your latest script, just in case I made any error. I will note that there are slight differences in the latest version compared to the thread that you referenced before. However, still no go.

    I looked at the connection tracker log again:
    tcp 6 118 TIME_WAIT src=192.168.1.216 dst=45.48.34.12 sport=49935 dport=443 src=192.168.1.12 dst=192.168.1.1 sport=443 dport=49935 [ASSURED] mark=0 use=2

    Question: what is the *.216 and dst=45.* business? 216 is the computer I'm using to access the router (not the phone I'm using to test the 443 port). Why is this 216 showing up? The dst=45.* is my public IP (non-VPN). Any way to force dst= to be my public IP for VPN port forward exceptions?
     
  48. vinhdizzo

    vinhdizzo Networkin' Nut Member

    When VPN is off, I get similar log for the connection tracker:

    tcp 6 48 TIME_WAIT src=192.168.1.216 dst=45.48.34.12 sport=50608 dport=443 src=192.168.1.12 dst=192.168.1.1 sport=443 dport=50608 [ASSURED] mark=0 use=2

    Is it really a dst=router ip issue?
     
  49. vinhdizzo

    vinhdizzo Networkin' Nut Member

    I just ran it again on my phone with vpn off, and I see:
    tcp 6 17 TIME_WAIT src=66.87.65.58 dst=45.48.34.12 sport=5629 dport=443 src=192.168.1.12 dst=66.87.65.58 sport=443 dport=5629 [ASSURED] mark=0 use=2

    66.* is my phone's ip. Now, when vpn is on, I never saw that ip before. Could it be that my phone's request never made it through?
     
  50. david3

    david3 Addicted to LI Member

    I've been using the script here in post #43 for years now:

    Any way to bypass VPN selectively?

    I just recently upgraded from my old Asus RT-N16 to an Asus RT-N66U. I loaded the latest Toastman firmware on it, and setup this selective VPN script again, and it's still working. I use it to route my media players for my TV's through the VPN.

    I also run Asterisk on my router, and I wonder if there's any way I can get this script to route the traffic from the router itself (that includes Asterisk) through the VPN, too. I can't just specify the IP of the router, since it's the gateway (I remember trying that once with bad results). I suspect it will be too difficult to do, but if somebody knows how, that would be great.
     
  51. eibgrad

    eibgrad Addicted to LI Member

    Maybe it has something to do w/ reverse path filtering. Just a shot in the dark, but let’s disable ALL of it.

    Replace the following in route-up.sh:
    Code:
    echo 0 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter
    with
    Code:
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 0 > $i
    done
    Replace the following in route-down.sh:
    Code:
    echo 1 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter
    with
    Code:
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $i
    done
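One thing the loop above touches that the two per-interface writes in route-up.sh cannot is conf/all/rp_filter. The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter) to each interface (Documentation/networking/ip-sysctl.txt), so writing 0 to conf/ppp0/rp_filter changes nothing while conf/all/rp_filter is 1; the glob works because "all" is one of the entries it hits. The helpers below are an added example (editor's own, not code from the thread): they report the value the kernel will actually use, save every current value before zeroing, and put the saved values back on route-down instead of blindly writing 1. The demo runs against a constructed copy of the sysctl tree so it needs no root; on the router set CONF=/proc/sys/net/ipv4/conf before calling the functions.

```shell
#!/bin/sh
# Added example: rp_filter is max(all, iface); save and restore instead of forcing 1.
STATE=${STATE:-/tmp/rp_filter.saved}

fake_conf() {   # constructed sysctl tree for testing: every entry strict (1)
    d=$(mktemp -d)
    for i in all default br0 ppp0 tun11; do
        mkdir -p "$d/$i" && echo 1 > "$d/$i/rp_filter"
    done
    echo "$d"
}

rp_effective() {   # $1 = iface; prints the value the kernel will actually apply
    a=$(cat "$CONF/all/rp_filter") i=$(cat "$CONF/$1/rp_filter")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

rp_disable_all() {   # record every current value, then zero them all, "all" included
    : > "$STATE"
    for f in "$CONF"/*/rp_filter; do
        printf '%s %s\n' "$f" "$(cat "$f")" >> "$STATE"
        echo 0 > "$f"
    done
}

rp_restore() {   # route-down: put back exactly what was there before
    [ -f "$STATE" ] || return 0
    while read -r f v; do echo "$v" > "$f"; done < "$STATE"
    rm -f "$STATE"
}

# Demo on the constructed tree (skipped when CONF points at a real router).
if [ -z "$CONF" ]; then
    CONF=$(fake_conf); STATE=$CONF/saved
    echo 0 > "$CONF/ppp0/rp_filter"
    echo "ppp0 after per-interface write: $(rp_effective ppp0)"   # 1: all=1 still wins
    rp_disable_all
    echo "ppp0 after rp_disable_all:      $(rp_effective ppp0)"   # 0
    rp_restore
    echo "ppp0 after rp_restore:          $(rp_effective ppp0)"   # 1 again
fi
```

In route-up.sh you would source this and call rp_disable_all; in route-down.sh, rp_restore. Keep STATE somewhere that survives between the two scripts (/tmp does on Tomato) but not across a reboot, since the kernel resets the values then anyway.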
     
  52. eibgrad

    eibgrad Addicted to LI Member

    The most likely reason you get into trouble when you include the router is because most script writers only bother to add the VPN as a default route. Instead, they should copy ALL of the main routing table over to the alternate routing table, then add the VPN as a default route.

    It’s one thing for the clients behind the router to only have a default gateway over the VPN. But the router is a special case. It needs access to MANY routes, including the ISP’s default gateway, ISP’s DNS servers, modem, etc. In addition, if the VPN goes down, you need to make sure the router is able to re-establish the VPN over the WAN, which means not only having access to the WAN, but being able to resolve the domain-name used in the OpenVPN client configuration. So you may also need to add the nameservers as static routes that point back to the WAN.

    If it’s consolation, even the dd-wrt policy based routing field in their GUI has the same problem. All they do is add the VPN as a default gateway. And as soon as a naïve user adds the router, or incidentally adds it (e.g., 192.168.1.0/24), boom, the router locks up and you’ll probably have to do a hard reset to recover.

    IOW, you can’t be lazy in building these scripts. Too many people don’t think through all the issues. They take shortcuts. I’ve seen several scripts, for example, that blindly clear the mangle table of the firewall before they add their own PREROUTING rules. That’s pretty risky. For example, many third party firmwares today come preinstalled w/ a fix for DSCP (http://www.dd-wrt.com/wiki/index.php/Comcast_download_speed_fix_for_Linksys_eSeries ). Wipe out that mangle table rule and you may suddenly find your performance has plummeted, and for no apparent reason. I’ve noted other rules in there as well.
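Added example (editor's own, not code from the thread) of the two points made above, written as a generator that prints commands rather than running them, so it can be checked before piping to sh on the router. The "via VPN" table is built from every main-table route except the WAN default and the VPN's 0.0.0.0/1 + 128.0.0.0/1 pair, then gets the tunnel as its default; the ISP nameservers get host routes via the WAN gateway in the main table so the router can still resolve the OpenVPN server when the tunnel is down. The mangle cleanup removes only rules carrying our own fwmark, selected from `iptables -S` output, and leaves anything else (such as the DSCP fix) alone. Assumptions: the client interface is tun11, MARK is the 0x88 used in route-up.sh, and wan_dns is the Tomato nvram variable holding the ISP nameservers; the sample routing table and mangle chain are constructed, not captured.

```shell
#!/bin/sh
# Added example: build an alternate table properly, and delete only our own mangle rules.
TID=${TID:-200}
VPN_IF=${VPN_IF:-tun11}
MARK=${MARK:-0x88}

# $1 = text of `ip route show table main`, $2 = WAN gateway, $3 = nameservers (space separated)
# Prints the commands for a table whose default is the VPN but which keeps every other route.
vpn_table_cmds() {
    printf '%s\n' "$1" | while IFS= read -r route; do
        case $route in
            ''|default\ *|0.0.0.0/1\ *|128.0.0.0/1\ *) continue ;;   # drop WAN default + VPN halves
        esac
        echo "ip route add table $TID $route"
    done
    echo "ip route add table $TID default dev $VPN_IF"
    for ns in $3; do
        echo "ip route add $ns via $2"     # main table: DNS stays reachable over the WAN
    done
    echo "ip route flush cache"
}

# $1 = text of `iptables -t mangle -S PREROUTING`; prints a -D for each rule carrying our mark
# (iptables -S renders --set-mark 0x88 as --set-xmark 0x88/0xffffffff)
own_mark_deletes() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        case $rule in
            -A\ *"--set-xmark $MARK/"*) echo "iptables -t mangle -D ${rule#-A }" ;;
        esac
    done
}

# Constructed sample of the main table with redirect-gateway active (RFC 5737 WAN addresses).
MAIN_TABLE='0.0.0.0/1 via 10.8.0.5 dev tun11
default via 203.0.113.1 dev ppp0
10.8.0.1 via 10.8.0.5 dev tun11
10.8.0.5 dev tun11 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun11
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
203.0.113.1 dev ppp0 proto kernel scope link src 203.0.113.77'

# Constructed mangle chain: a DSCP rule that must survive, plus two rules of ours.
MANGLE='-P PREROUTING ACCEPT
-A PREROUTING -i vlan2 -j DSCP --set-dscp 0x00
-A PREROUTING -s 10.10.1.42/32 -p tcp -m tcp --sport 22 -j MARK --set-xmark 0x88/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x88/0xffffffff'

echo "# route-up:"
vpn_table_cmds "$MAIN_TABLE" 203.0.113.1 "203.0.113.53 203.0.113.54"
echo "# route-down, mangle part:"
own_mark_deletes "$MANGLE"
```

On the router the calls become `vpn_table_cmds "$(ip route show table main)" "$(nvram get wan_gateway)" "$(nvram get wan_dns)" | sh` in route-up.sh and `own_mark_deletes "$(iptables -t mangle -S PREROUTING)" | sh` in route-down.sh. Because the table copy includes the LAN and modem routes, adding the router's own address, or the whole LAN, to the policy rules no longer cuts the router off from anything but the ISP default.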
     
  53. vinhdizzo

    vinhdizzo Networkin' Nut Member

    This fixed the port forwarding issue! Thanks so much! Don't know why it's working now, any explanations?

    Another follow up question: right now everything goes through VPN except the specified IPs. If I wanted it reversed, where only certain IPs go through VPN, how is that accomplished?

    Is there a way to set up a script to check for internet connection through vpn, and if none, force vpn disconnect and reconnect? A little off topic, so let me know if I should start a new thread. Thanks so much again!
     
  54. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Ok, one more issue. I have 4 SSIDs broadcast on my router. Two of those use 192.168.*, and the other two use 192.168.2/3.*. When VPN is on, the latter two can't access the internet. My guess is the assigned IP is something like 192.168.2.100, and somehow the traffic isn't going through VPN? Thanks.
     
  55. eibgrad

    eibgrad Addicted to LI Member

    Most likely you need to NAT those other networks over the VPN. You can either do it individually:
    Code:
    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o $dev -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o $dev -j MASQUERADE
    or just NAT everything (can't see why not):
    Code:
    iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE
    Whichever your choice, add it to the route-up.sh scripts, and the corresponding deletions in the route-down.sh script.
     
  56. vinhdizzo

    vinhdizzo Networkin' Nut Member

    Thanks again. NATing everything works:

    iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE
     
  57. QQQTJ

    QQQTJ Serious Server Member

    This thread is epic. I used to run two Netgear WNR3500 and now I can do *everything* with one Asus RT-AC68U running Shibby 1.28.0000 -127 K26ARM USB VPN-64K.

    I get PPPoE from a DSL modem in bridge mode, so WAN has a public IP and is ppp0. I have a PPTP connection to a VPN server that provides default route for all clients as ppp1.

    I have a couple of hosts that I want to connect to directly via ISP.

    For example to bypass VPN for connections to 4.3.2.1 I went and issued these commands:

    ip route add default dev ppp0 table 200
    ip rule add to 4.3.2.1 table 200

    now when I ping 4.3.2.1 the response is much faster (~65ms), in line with what I would expect from a direct connection via my ISP vs the offshore VPN (~300ms).

    However, traceroute is broken. If I try to traceroute 4.3.2.1 now, nothing past the first hop resolves.

    # traceroute 4.3.2.1
    traceroute to 4.3.2.1 (4.3.2.1), 30 hops max, 60 byte packets
    1 192.168.2.1 (192.168.2.1) 0.335 ms 0.652 ms 0.638 ms
    2 * * *
    [snip]
    30 * * *


    Is there anything I need to do with iptables or other settings to make this work ?
     
  58. eibgrad

    eibgrad Addicted to LI Member

    Traceroute from where? On the router? From a client behind the router? Both?

    For the record, in that particular example, all you really need is to add a static route to 4.3.2.1. Destination IP(s)/network(s) gain no benefit from the techniques discussed in this thread. That can be handled exclusively via simple static routing. The problem addressed in this thread is when you have criteria OTHER THAN a simple destination IP/network. Static routing then becomes inadequate.

    So given the above, I’m just curious what would happen to your traceroute if you eliminated your current technique and simply created a static route. Because if it now works, that suggests there’s something else beyond what you’ve described so far that’s having an impact.
     
  59. QQQTJ

    QQQTJ Serious Server Member

    Yep I am in this thread because I am working towards having some VLANs go through an HK VPN and some via a US VPN and a bunch of destination hosts need to go direct via ISP. I want to achieve this with iproute2.

    I was taking baby steps with just one VPN running and learning how to bypass it for specific destinations before I move on and introduce more complexity.

    Curious to try your suggestion I just cleared all my customizations and rebooted which went back to just having the PPTP connection to the US VPN and it being the default route.

    I have a host sip1.catnextgen.com (202.129.61.102) to bypass. I ping it. I get a high ping which is in line with what I expect to see getting tunneled around the world. I traceroute and all hops resolve, and it confirms that it goes via ppp1, my PPTP connection to the VPN.

    To bypass VPN for connections to this host I then issue this command:

    ip route add 202.129.61.102 dev ppp0

    (ppp0 is my PPPoE to the ISP, default route for all is ppp1 - the PPTP to the VPN).


    I now ping 202.129.61.102 and the ping is very low which indicates to me I am going direct via ISP.

    But now if I traceroute 202.129.61.102 from any machine behind the router only the first hop (router) resolves. Example from Windows:

    Tracing route to sip1.catnextgen.com [202.129.61.102]
    over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms BKK1 [192.168.2.1]
    2 * * * Request timed out.
    [snip]
    12 * * * Request timed out.
    13 25 ms 25 ms 25 ms 202.129.61.102

    Or from the Tomato GUI itself:

    Hop Address Min (ms) Max (ms) Avg (ms) +/- (ms)
    1 *
    [snip]
    11 *
    12 202.129.61.102 24.56 25.33 24.85


    Let me just add that the issue seems purely cosmetic in that the VPN is definitely being bypassed and traffic is flowing correctly. I just want to understand what breaks traceroute here for fear that there may be other unintended consequences I need to know of before I roll this out.
     
  60. eibgrad

    eibgrad Addicted to LI Member

    I guess the question I would ask is whether you’re seeing this problem w/ any ip you trace, or only particular ones. For example, what if it’s something clearly used everywhere by everyone, say the Google DNS server (8.8.8.8)?

    By default, traceroute attempts to do a reverse DNS lookup for every IP. But perhaps this information is not available on every DNS server. Even from here, tracing 202.129.61.102 (no VPN, no routing changes, just normal config) is painfully slow and eventually exceeds the 30 hop max. Even pings reach nearly 300ms.

    So at this point it’s not clear whether this is a symptom of a problem, or something to be expected given certain choices in your routing path.

    Try again, but this time without having it map ip addresses back to hostnames (-n option):

    traceroute -n 202.129.61.102
     
  61. QQQTJ

    QQQTJ Serious Server Member


    Yup I tried with 208.67.222.222 and 8.8.8.8 as well. Same deal. If they route through my VPN default route, be it tun11 or ppp1, traceroute works. If I make a static route to ppp0, traceroute fails.

    traceroute -n 202.129.61.102 - same symptoms. So a lack of reverse lookup ability doesn't seem to be the cause. Very strange indeed.


    Edit: check it out, I can reproduce this any time with any host be it with openvpn or pptp client, any static route to ppp0 means traceroute to that host fails. SSH session from tomato:

    No static route existed for this so it used default ppp1 via VPN and traceroute is OK.
    root@bkk1:/tmp/home/root# traceroute -n 8.8.8.8
    traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
    1 10.242.1.1 247.060 ms 247.157 ms 246.967 ms
    2 50.97.199.217 248.767 ms 248.980 ms 248.542 ms
    3 50.23.118.132 248.505 ms 248.223 ms 50.23.118.130 247.773 ms
    4 50.97.19.164 248.758 ms 248.686 ms 248.498 ms
    5 50.97.16.39 250.827 ms 248.989 ms 248.769 ms
    6 72.14.237.191 248.796 ms 64.233.175.211 248.452 ms 64.233.175.241 248.784 ms
    7 8.8.8.8 248.961 ms 248.964 ms 249.012 ms


    Now I add a static route to tell it to route via ppp1 (so the routing is the same as before, I just want to test if the mere existence of a static routing entry for a host is causing it):
    root@bkk1:/tmp/home/root# ip route add 8.8.8.8 dev ppp1
    root@bkk1:/tmp/home/root# ip route flush cache
    root@bkk1:/tmp/home/root# traceroute -n 8.8.8.8
    traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
    1 10.242.1.1 246.880 ms 247.229 ms 247.242 ms
    2 50.97.199.217 288.716 ms 247.988 ms 247.782 ms
    3 50.23.118.132 247.788 ms 248.709 ms 247.993 ms
    4 173.192.18.248 250.078 ms 248.712 ms 248.713 ms
    5 50.97.16.39 248.747 ms 248.268 ms 248.542 ms
    6 64.233.175.241 249.727 ms 72.14.237.191 249.486 ms 64.233.175.243 248.276 ms
    7 8.8.8.8 248.497 ms 248.225 ms 248.957 ms


    That still worked.

    Now I force it to go direct via the ISP's PPPoE on ppp0:

    root@bkk1:/tmp/home/root# ip route del 8.8.8.8
    root@bkk1:/tmp/home/root# ip route add 8.8.8.8 dev ppp0
    root@bkk1:/tmp/home/root# ip route flush cache
    root@bkk1:/tmp/home/root# traceroute -n 8.8.8.8
    traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
    1 * * *
    2 * * *
    3 * * *
    4 * *^C



    Traffic flow works and reduced latency tells me that it did route through ppp0 as instructed, but traceroute fails.
     
  62. eibgrad

    eibgrad Addicted to LI Member

    Try changing the protocol used by traceroute. The default is UDP, but there's usually an option to change it to icmp or even tcp. On my tomato router, it's the -I option. When I used that, it made a huge difference.
     
  63. QQQTJ

    QQQTJ Serious Server Member

    No dice. Same result. There really is an issue. I can replicate it on another device (WNR3500 with Shibby 124-VPN) as well.
     
  64. eibgrad

    eibgrad Addicted to LI Member

    In all this discussion about traceroute, I don't think it's been established whether this is a problem caused by the VPN, or only incidental to it. IOW, do you have this problem ONLY when the VPN is active, or anytime you're routing through the ISP, even if the VPN isn't running? Because while I understand it's a problem for you, I don't want to take this thread down a path that's not even relevant to the VPN.
     
  65. Malakai

    Malakai Serious Server Member

    I think that it is not vpn related.

    I have the same issue, when I'm using an OpenVPN connection or not. Traceroute through the VPN goes well but almost every traceroute through my ISP fails (even if no vpn connection is active).

    Don't know why traceroute fails, but everything else works as expected (browsing, torrent, ftp, ssh, dns ....), so I think that maybe it is something "implemented" by the ISP, because when I use the VPN connection traceroute works.
     
  66. eibgrad

    eibgrad Addicted to LI Member

    That's my suspicion as well, esp. if it happens irrespective of the VPN. traceroute is a bit of a hack of the routing system, and relies on replies from UDP or ICMP messages. I can imagine that some ISPs might be inclined to block these replies.
     
  67. eibgrad

    eibgrad Addicted to LI Member

    deleted
     
  68. QQQTJ

    QQQTJ Serious Server Member

    But my ISP allows traceroute just fine. It's only when I selectively tell Tomato to policy route some source or destination hosts/networks via the ISP rather than the VPN that it breaks. But it's purely cosmetic. Like Malakai has also observed, everything other than traceroutes seems to work.

    This thread is helping me save electricity because instead of two WNR3500 I now run one Asus AC68U :D
     
  69. eibgrad

    eibgrad Addicted to LI Member

    Try adding the gateway's IP, not just the network interface, in your ip route command:

    Code:
    ip route add 8.8.8.8 via x.x.x.x dev ppp0
    In fact, you can probably leave off the network interface completely, since it can be deduced from the IP address of the default gateway (at least if that's the only path to that network):

    Code:
    ip route add 8.8.8.8 via x.x.x.x
    If you compare the main routing table using your initial ip route command vs. these I just posted, you'll see they don't produce the same results.
     
    Last edited: Mar 17, 2015
  70. QQQTJ

    QQQTJ Serious Server Member

    Same result.

    After a fresh boot where 4.3.2.1 has no custom rule and goes via default gw on ppp1:

    traceroute 4.3.2.1
    traceroute to 4.3.2.1 (4.3.2.1), 30 hops max, 38 byte packets
    1 10.242.1.1 (10.242.1.1) 309.266 ms 309.214 ms 309.185 ms

    [snip]
    traceroute works.

    Then on tomato console I issue

    ip route add 4.3.2.1 via xxx.xxx.xxx.1 (gw of isp)

    then traceroute is broken:

    traceroute 4.3.2.1
    traceroute to 4.3.2.1 (4.3.2.1), 30 hops max, 38 byte packets
    1 * * *
    2 * * *




     
  71. eibgrad

    eibgrad Addicted to LI Member

    Ok, here’s something I’ve discovered after playing around w/ this a little more.

    I can execute the following script and it works perfectly regardless of whether the VPN is up or down (and the traceroute is very fast). However, if I comment out the disabling of reverse path filtering, while it continues to work w/ the VPN down, it won’t work w/ the VPN up! PING mostly fails (one or two pings gets through, but never more than 50%), and traceroute just doesn’t work at all.

    Code:
    #!/bin/sh
    GW_IP="$(nvram get wan_gateway)"
    
    # add route and disable reverse path filtering
    ip route add 8.8.8.8 via $GW_IP
    ip route flush cache
    sh -c 'for i in $(ls -1 /proc/sys/net/ipv4/conf/*/rp_filter); do echo 0 > $i; done'
    
    # test nslookup (tcp), ping (icmp), and traceroute (icmp)
    nslookup www.cnn.com 8.8.8.8
    ping 8.8.8.8 -c 4
    traceroute -n -I 8.8.8.8
    
    # del route and enable reverse path filtering
    ip route del 8.8.8.8 via $GW_IP
    ip route flush cache
    sh -c 'for i in $(ls -1 /proc/sys/net/ipv4/conf/*/rp_filter); do echo 1 > $i; done'
    I believe what’s happening is that when the route gets changed, the source IP of the packets is now out of sync w/ what the rp filter system is expecting, and so it steps in and drops the packets. Why this seems to affect icmp and not TCP (e.g., nslookup) I don’t know. One difference w/ PING and traceroute is they rely on raw sockets. The analysis done by the rp filters isn’t something I’m privy to. For whatever reasons, it’s made this decision. That’s why it’s probably a good idea to ALWAYS disable reverse path filtering whenever you do this type of routing manipulation. It just avoids all these bizarre and unpredictable problems.
     
    Last edited: Mar 20, 2015
    QQQTJ likes this.
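Added model (editor's own, not code from the thread) of the decision the post above attributes to reverse path filtering. In strict mode (rp_filter=1) the kernel looks up a route for the packet's source address and drops the packet unless the best route leads back out the interface it arrived on; loose mode (2) only requires that some route exist. On a table like the one in this thread, with both halves of the default route on the tunnel and a lone host route for 8.8.8.8 out ppp0, a reply from 8.8.8.8 itself passes the check on ppp0, but the ICMP time-exceeded messages traceroute relies on come from intermediate hops whose addresses still route to the tunnel, so strict mode drops them on ppp0. The table and hop addresses are constructed (RFC 5737 ranges); policy rules and fwmarks are left out, which matches the kernel's reverse lookup unless conf/<iface>/src_valid_mark is set.

```shell
#!/bin/sh
# Added example: simulate the rp_filter source check with longest-prefix matching.
# Constructed main table: VPN owns both default halves, 8.8.8.8 pinned to the WAN.
ROUTES='0.0.0.0/1 tun11
128.0.0.0/1 tun11
0.0.0.0/0 ppp0
8.8.8.8/32 ppp0
10.242.1.0/24 tun11
203.0.113.0/24 ppp0'

ip2int() {   # dotted quad -> integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

route_lookup() {   # longest-prefix match on ROUTES; prints the egress iface or "none"
    dst=$(ip2int "$1") best=-1 best_if=none
    while read -r prefix iface; do
        [ -n "$prefix" ] || continue
        net=${prefix%/*} len=${prefix#*/}
        if [ "$len" -eq 0 ]; then mask=0
        else mask=$(( (4294967295 << (32 - len)) & 4294967295 )); fi
        if [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ] && [ "$len" -gt "$best" ]; then
            best=$len best_if=$iface
        fi
    done <<EOF
$ROUTES
EOF
    echo "$best_if"
}

rp_verdict() {   # $1 = rp_filter mode (0 off, 1 strict, 2 loose), $2 = source IP, $3 = ingress iface
    rev=$(route_lookup "$2")
    case $1 in
        0) echo accept ;;
        1) if [ "$rev" = "$3" ]; then echo accept; else echo drop; fi ;;
        2) if [ "$rev" != none ]; then echo accept; else echo drop; fi ;;
    esac
}

# What reaches the router: the final reply from 8.8.8.8, a time-exceeded from an
# intermediate hop (198.51.100.1, constructed) on the WAN, and VPN-side traffic.
for probe in "8.8.8.8 ppp0" "198.51.100.1 ppp0" "10.242.1.1 tun11"; do
    set -- $probe
    printf '%-14s in on %-5s strict=%-6s loose=%s\n' "$1" "$2" \
        "$(rp_verdict 1 "$1" "$2")" "$(rp_verdict 2 "$1" "$2")"
done
```

The same mechanism applies to fwmark-based bypass: the reverse lookup for a reply arriving on ppp0 does not consult the `ip rule add fwmark ... table 200` rule, so the answer still comes from the main table and points at the tunnel. Loose mode (2) is the narrower relaxation if turning the filter off entirely is unwanted; it still rejects sources with no route at all.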
  72. tomatoguy

    tomatoguy Connected Client Member

    I have implemented the WAN up script referenced earlier in the thread, and it seems to work fine. But I see that all of my devices that are set to bypass the VPN are still using the VPN DNS servers (in my case, PIA). Is there any way to get these devices (i.e. the ones which are bypassing the vpn) to use my own ISP's DNS servers? Can someone please take me through the steps to do this? Thanks in advance.

    Edit: for some reason, wired devices are using my ISP DNS servers, but wireless devices are using the VPN DNS server.
     
  73. shibby20

    shibby20 Network Guru Member

    I already have finished Routing Policy by Source ip, destination ip or domain name. It will be implemented in v129-arm for now.
    Best regards.
     
    Ragtag, QQQTJ, quidagis and 1 other person like this.
  74. Goggy

    Goggy Network Guru Member

    @shibby20:
    "Create NAT on tunnel" has to be ticked - even when i want to route only selected domains via routing policy - correct?

    Thx!
     
  75. shibby20

    shibby20 Network Guru Member

    Indeed.
     
    Goggy likes this.
  76. Sparkix

    Sparkix Connected Client Member

    I have been using tomato for at least a decade now and switched to Shibby a couple of years ago. It has been great. I purchased a VPN service a few months ago and upgraded my router to the AC68U for the faster processor. Since I have a server which needs to accept inbound connections, I set up a script to have a range of static addresses bypass the VPN. All other DHCP traffic is sent through the VPN. This was working great until I updated to v129.

    I noticed the addition of the routing policy and decided to try it. Maybe someone could help me with my settings. Here is how my network is laid out.

    I have several devices statically assigned addresses from 192.168.1.2 - 192.168.1.5. The server is 192.168.1.2.
    All other devices are given addresses by DHCP in the range of 192.168.1.32 - 192.168.1.191

    Under OpenVPN Client 1 Configuration, in the Advanced tab, there are 2 check boxes:
    - Redirect Internet Traffic
    - Ignore Redirect Gateway (route-nopull) <- (I have this one checked)
    (If I check one of them, the other disappears.)

    Under OpenVPN Client 1 Configuration, in the Routing Policy tab, I have 3 lines added and enabled.
    From Source IP 192.168.32/27
    From Source IP 192.168.64/26
    From Source IP 192.168.128/26

    As well as the "Redirect through VPN" checkbox is checked.

    Under OpenVPN Client 1 Configuration, in the Basic tab, I have the checkbox for "Create NAT on tunnel" checked.

    This is mostly working.
    The DHCP devices successfully traverse the VPN.
    The static IP devices bypass it.
    Inbound connections are successfully forwarded to the server from outside the network.

    The only problem I am having is that when a DHCP device using the VPN tries to access the server using its external address, nothing! For example:

    Router external non-VPN address is 128.100.102.201 (SomeDomain points here)
    Server internal address is 192.168.1.2 (forwarding is setup correctly)
    DHCP device internal address is 192.168.1.35

    Try to connect to Server from 192.168.1.35 using the address 192.168.1.2 - it works!
    Try to connect to Server from phone on an external LTE network using the address SomeDomain - it works!
    Try to connect to Server from 192.168.1.35 using the address SomeDomain - nothing!

    What may be the problem?

    EDIT: After some digging, I may find my problem is a "NAT Loopback" issue. When I get home, I'll check my Advanced > Firewall settings to see what they are set to.

    EDIT2: Trying all of the "NAT Loopback" settings under firewall did not help. Any Suggestions?
     
    Last edited: May 14, 2015
    kamaaina likes this.
  77. kamaaina

    kamaaina Serious Server Member

    I have to try this. Sounds like I could get rid of the extra gateway router before the VPN router to enable the VoIP SIP boxes. What did you configure for the server in the router to get it exposed? Any magic DMZ settings?
     
  78. Sparkix

    Sparkix Connected Client Member

    No magic DMZ settings. Just port forwarding for the correct ports to the server. Then in the VPN, I used the following lines in the Routing Policy tab:

    From Source IP 192.168.32/27
    From Source IP 192.168.64/26
    From Source IP 192.168.128/26

    And I have DHCP to offer addresses in that range only and the server is given a static address outside that range. The only problem I'm having is reaching the server using the FQDN from a computer on my network.
     
    kamaaina likes this.
  79. kamaaina

    kamaaina Serious Server Member

    Thanks, I will give this a shot next week when I have some time to mess with the settings.
     
  80. kamaaina

    kamaaina Serious Server Member

    On that note: some firmware supports guest networks. Would it be possible to have the main network go through the VPN and the guest network access the Internet directly? I guess yes if you can assign a specific DHCP range to the guest network.
     
  81. Sparkix

    Sparkix Connected Client Member

    You got it.
     
    kamaaina likes this.
  82. zztroyzz

    zztroyzz New Member Member

    Do you have details how you set up the port forwarding? My VPN Provider forwards port 11453 but with the connection managed by the router with the routing policy configured to a specific machine, how do I also forward that port from the router? Does the Routing Policy allow you to configure this in some way or does it need manual setup in the iptables?
     
  83. Sparkix

    Sparkix Connected Client Member

    There is a whole section in the firmware for port forwarding (on the left side under Advanced).

    I am forwarding to internal PCs which are not passing through the firewall. My VPN provider does not forward traffic.
     
  84. zogg45

    zogg45 Network Newbie Member

    I've been trying to use the new VPN routing feature to set up an SSID that is always routed through the VPN, and I've found what I think is a bug. The "Create NAT on Tunnel" option only adds a NAT for the IP range on the first bridge (br0). If you've set up another bridge for the guest SSID, then it does not have a NAT added. You can confirm this in the source code at router/rc/vpn.c line 391.

    I can fix this by manually logging in and using iptables to add the masquerade, but was hoping for a better approach. Any ideas?
     
  85. ipse

    ipse LI Guru Member

    For the life of me, I can't make this work with Shibby 129: I want to tunnel a single IP and I can do that using the Wan Up script method (here: http://serverfault.com/questions/38...-hosts-route-through-openvpn-client-on-tomato ) but it never works using the new "Redirect through VPN" option in Shibby-129.
    No matter if I put in "From source IP" 192.168.5.5 or 192.168.5.5/32 ALL my LAN traffic is tunneled.

    What am I missing?
     
  86. zogg45

    zogg45 Network Newbie Member

    Did you check the box "Ignore Redirect Gateway"?
     
  87. ipse

    ipse LI Guru Member

    No, it was not checked. But I tried to check the option and now all traffic bypasses the VPN.
    BTW- the VPN provider is PIA - if it matters.
     
  88. Sparkix

    Sparkix Connected Client Member

    I have done nothing to the router (as I haven't had time), but it fixed itself as of yesterday. All I can guess is that there was a bug in the VPN service and they have fixed it. Now everything works great.

    EDIT: I was wrong. Unfortunately, the router was reporting that the VPN was started when it actually wasn't. I verified this by using a Geolocation site. I stopped/started the VPN and everything is the same as before. I'm unable to access local servers from the same network using their external IP.
     
    Last edited: Jun 2, 2015
  89. bimmerm3m5

    bimmerm3m5 Network Guru Member

    Can anyone post a working set of up/down OpenVPN scripts based upon the advice of eibgrad?

    My setup is very simple - I want all traffic to default to my regular gateway, and selectively define IP's to go through the VPN.

    I'd like to change from the "WAN Up" method, but haven't had much luck using the above scripts.
     
  90. bimmerm3m5

    bimmerm3m5 Network Guru Member

    I found my issue:

    # add WAN back as default gateway in main/default routing table
    if [ "$REDIRECT_GTWY" == "1" ]; then
        ip route add 0.0.0.0/2 via $WAN_GTWY
        ip route add 64.0.0.0/2 via $WAN_GTWY
        ip route add 128.0.0.0/2 via $WAN_GTWY
        ip route add 192.0.0.0/2 via $WAN_GTWY
    fi

    The REDIRECT_GTWY variable never gets set. I commented out the if statement and kept the 4 lines in the if.

    Anyone know why this is?
     
  91. JMoore8654

    JMoore8654 Connected Client Member

    Hey guys,

    I too am having trouble with this on Shibby v129. The script below was functioning well on previous versions, now however it no longer functions. =(

    Here's the old script. Does anyone have a solution to bypass the VPN?


    ## CUSTOMIZE YOUR SCRIPT VARIABLES
    #
    ## Uncomment and set value(s) as needed to customize your rules
    #
    # IP addresses, contiguous range AND/OR individual.
    #
    #ip_addrs_lst="192.168.10.100
    #192.168.10.115-192.168.10.118
    #192.168.10.120"
    #
    ip_addrs_lst="192.168.11.7"
    # Specific destination websites ip range - Spotify , Netflix...
    #
    #web_range_lst="72.44.32.1-72.44.63.254
    #67.202.0.1-67.202.63.254
    #207.223.0.1-207.223.15.254
    #98.207.0.1-98.207.255.254
    #208.85.40.1-208.85.47.254
    #78.31.8.1-78.31.15.254
    #193.182.8.1-193.182.15.254"

    ########################################
    # NO NEED TO CHANGE BELOW THIS LINE #
    ########################################

    # SHELL COMMANDS FOR MAINTENANCE.
    # DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
    #
    # List Contents by line number
    # iptables -L PREROUTING -t mangle -n --line-numbers
    #
    # Delete rules from mangle by line number
    # iptables -D PREROUTING type-line-number-here -t mangle
    #
    # To list the current rules on the router, issue the command:
    # iptables -t mangle -L PREROUTING
    #
    # Flush/reset all the rules to default by issuing the command:
    # iptables -t mangle -F PREROUTING

    #
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
    #
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
    done

    #
    # Delete table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING

    #
    # Let's find out the tunnel interface
    #
    iface_lst=`route | awk '{print $8}'`
    for tun_if in $iface_lst; do
    if [ "$tun_if" = "tun11" ] || [ "$tun_if" = "tun12" ] || [ "$tun_if" = "ppp0" ]; then
    break
    fi
    done

    #
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    #
    ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
    | while read ROUTE ; do
    ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache

    # EXAMPLES:
    #
    # All LAN traffic will bypass the VPN (Useful to put this rule first,
    # so all traffic bypasses the VPN and you can configure exceptions afterwards)
    # iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    #
    # Ports 80 and 443 will bypass the VPN
    # iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    #
    # All traffic from a particular computer on the LAN will use the VPN
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
    #
    # All traffic to a specific Internet IP address will use the VPN
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    #
    # All UDP and ICMP traffic will bypass the VPN
    # iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    # iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

    # Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0

    # IP_ADDRESSES - RANGE(S) AND/OR INDIVIDUAL(S)
    for ip_addrs in $ip_addrs_lst ; do
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_addrs -j MARK --set-mark 1
    done

    # WEBSITES_IP_RANGES -
    #for web_dst_range in $web_range_lst ; do
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $web_dst_range -j MARK --set-mark 0
    #done
     
  92. JMoore8654

    JMoore8654 Connected Client Member

    Hey guys,

    I was able to get it working again. Thanks to @shibby20 using the new Routing Policy Tab. See below:

    VPN Client > Client 1 > Basic
    Interface Type = TUN

    VPN Client > Client 1 > Advanced
    Ignore Redirect Gateway = Enable

    VPN Client > Client 1 > Routing Policy
    Redirect through VPN = Enable
    Enable = From Source IP = <LAN IP>
     

  93. tommyv

    tommyv Networkin' Nut Member


    Thanks for the info. Have you tried port forwarding through Firewall script, e.g.

    Code:
    iptables -I FORWARD -i tun11 -p udp -d 192.168.1.1 --dport 81 -j ACCEPT
    iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.1 --dport 81 -j ACCEPT
    iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 81 -j DNAT --to-destination 192.168.1.1
    iptables -t nat -I PREROUTING -i tun11 -p udp --dport 81 -j DNAT --to-destination 192.168.1.1
    
    Or could it now be done through the GUI as well?
     
  94. JMoore8654

    JMoore8654 Connected Client Member

    Hey @tommyv

    Scripting was working prior to v.129, but is no longer working in WAN UP - for me at least. The Routing Policy Tab works well for bypassing an entire IP.
     
  95. TomatoUSB

    TomatoUSB New Member Member

    Where do I add this script "iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP"? It is supposed to kill my VPN when it's down.
     
  96. tommyv

    tommyv Networkin' Nut Member

    Hey JMoore8654,

    Thanks for this, I'm worried about iptables in firewall script that I use for port forwarding over to my vpn provider.

    Have you perhaps checked that ?
     
  97. James Wichall

    James Wichall New Member Member

    Hello all,

    I've been playing with my VPN routing WAN up script quite heavily the past couple of weeks so I thought I would share!

    The code is a little bit hard to read, but it's compacted to use less NVRAM. You can wipe out the comments to save a load more.

    At the top you have your variables.
    1. By default all traffic bypasses the VPN
    2. Then ports in $Pts1 sourced from the LAN are routed through VPN1
    3. Ports in $Pts1 destined to IPs in $v2I are routed through VPN2
    4. All traffic destined to local network bypasses VPNs
    5. Traffic destined to IPs in $bI bypasses VPNs
    You can add custom rules at the bottom using my syntax or not, up to you!

    The main improvement in this script is that it seems to manage multiple MARK tables really well and it works with domain names, looking up ALL A records.

    I run a modified version with the ip/domain list split into a separate script (firewall up script) for the purpose of keeping a list of netflix etc IP addresses, happy to share that too if it's of interest or if you also hit your 4kb script limit with the one below.

    Also, with my rule/port configuration this should route everything traced with the new bill coming in the UK next year.

    Please let me know your thoughts

    Code:
    #!/bin/sh
    L="/tmp/.slck"
    if [ ! -f $L ]; then touch $L; vOn=1;
    ####
    # Bypass IP List (Plex and iPlayer IPs)
        bI=""
       #bI="$bI 54.241.0.0/16"
        bD=""
       #bD="$bD domainnamesdotcom"
    #
    ####
    # VPN2 IP List (Netflix and NBC Sports IPs)
        v2I=""
       #v2I="$v2I 23.0.0.0/9"
       #v2I="$v2I 54.192.0.0/10"
       #v2I="$v2I 107.20.128.0/18"
        v2D=""
       #v2D="$v2D domainnamesdotcom"
    #
    ####
    # Ports thru VPN (DNS, WEB(S), NTP, Google/Apple ports)
      Pts1="53,80,123,443,5222,5223,5228,10000"
    
    
      #####################
      ## Don't edit this ##
        Rt="ip route"; RtA="$Rt add"; RtF="$Rt flush"; ff="fwmark"; z0="0.0.0"; Rl="ip rule"; RlM="$Rl add $ff"; RlMD="$Rl del $ff"; T="table"; tu1="tun11"; tu2="tun12"; tu3="ppp0"; nG="nvram get"; gS="grep"; gR="$gS -Ev"; dD () { echo $1 | tr " " "\n" | awk '!x[$0]++'; }
        cl () { awk '{print $'"$1"'}'; }
        dnRul () { for dom in $1; do nslookup $dom | awk '{if(NR>3)print}' | $gS "Address.*\." | cl 3 | while read a; do echo "${a%.*}.0/$2"; done; done; }
        tM () { iptables -t mangle -$1 PREROUTING $2 $3 $4; }
        rA () { mk="-j MARK --set-mark $1"; pts="-m multiport --dport $3"; prt="-p $2 ${3:+$pts}"; ip="-$5 $4"; tM "A" "-i br0 ${4:+$ip}" "${2:+$prt}" "${1:+$mk}"; [[ "$2" == "udp" ]] && rA "$1" "tcp" "$3" "$4" "$5"; }
       # IP Lists #
        bI=`dD "$bI $(dnRul "$bD" "24")"`; v2I=`dD "$v2I $(dnRul "$v2D" "24")"`
      if [ -z "$lOn" ] && [ -n "$vOn" ]; then [[ -z "$2" ]] && sleep 18
       # Rev path fltr, Build tbls
        for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $i; done; $RtF cache; tM "F"
        route | $gR "$z0|255.0" | $gS '\*' | while read RO ; do tu=`echo "$RO" | cl 8`; gw=`echo "$RO" | cl 1`; if [ "$tu" == "vlan2" ]; then tl="$T 100"; tRm="$tu1|$tu2|$tu3"; n="1"; elif [ "$tu" == "$tu1" ]; then tl="$T 200"; tRm="$tu2|$tu3"; n="2"; elif [ "$tu" == "$tu2" ]; then tl="$T 220"; tRm="$tu1|$tu3"; n="3"; else tl=0; fi; if [ "$tl" != 0 ]; then $RtF $tl; $Rt del default $tl; $Rl del $ff $n $tl; $Rl add $ff $n $tl; $Rt show $T main | $gR "^default|$z0/1|$tRm" | while read ROU ; do $RtA $tl $ROU; done; $RtA default $tl via $gw; fi; done
       # Gway , local net, local IPs
        lG=$($nG lan_ipaddr); lN=${lG%.*}; lIP="$lN.0/24"
      ##
      #####################
      #### EDITABLE Rules
      ## All bypass VPN
        rA "1"
      ## LAN Pts1 > VPN1
        for ipR in $lIP ; do rA "2" "udp" "$Pts1" "$ipR" "s"; done
      ## V2 IPs Pts1 > VPN2
       #for ipR in $v2I ; do rA "3" "" "" "$ipR" "d"; done
      ## LAN Local dest bypass
        rA "1" "" "" "$lG/24" "d"
        rA "1" "" "" "239.255.0.0/16" "d"
        rA "1" "" "" "239.$z0/24" "d"
      ## Bypass IPs
       #for ipR in $bI ; do rA "1" "" "" "$ipR" "d"; done
    ###################################
    #### CUSTOM Rules defined here
    #### (LAN Mark = 1, VPN 1 Mark = 2, VPN 2 Mark = 3)
    #### rA $MarkNo $Protocol $IPAddress $SourceOrDestination
    #### e.g. rA "1" "tcp" "80" "8.8.8.8" "d" # Mark port 80 traffic destined to 8.8.8.8 through LAN
    #### e.g. rA "2" "" "" "10.1.2.6" "s" # Mark traffic sourced from 10.1.2.6 through VPN1
    ####################
        iptables-save | awk '!/PREROUTING/ || !x[$0]++' | iptables-restore
      fi
      rm $L
    fi
    
    Edited 11 Dec: Code updated


    And below with minimizing removed:

    Code:
    #!/bin/sh
    L="/tmp/.slck"
    if [ ! -f $L ]; then
        touch $L; vOn=1;
    ####
    # Bypass IP List (Plex and iPlayer IPs)
        bI=""
       #bI="$bI 54.241.0.0/16"
        bD=""
       #bD="$bD domainnamesdotcom"
    #
    ####
    # VPN2 IP List (Netflix and NBC Sports IPs)
        v2I=""
       #v2I="$v2I 23.0.0.0/9"
       #v2I="$v2I 54.192.0.0/10"
       #v2I="$v2I 107.20.128.0/18"
        v2D=""
       #v2D="$v2D domainnamesdotcom"
    #
    ####
    # Ports thru VPN (DNS, WEB(S), NTP, Google/Apple ports)
      Pts1="53,80,123,443,5222,5223,5228,10000"
    
    
    
      #####################
      ## Don't edit this ##
        dD () {
          echo $1 | tr " " "\n" | awk '!x[$0]++';
        }
    
        cl () {
          awk '{print $'"$1"'}';
        }
    
        dnRul () {
          for dom in $1; do
            nslookup $dom | awk '{if(NR>3)print}' | grep "Address.*\." | cl 3 | while read a; do
              echo "${a%.*}.0/$2";
            done;
          done;
        }
    
        tM () {
          iptables -t mangle -$1 PREROUTING $2 $3 $4;
        }
    
        rA () {
          mk="-j MARK --set-mark $1";
          pts="-m multiport --dport $3";
          prt="-p $2 ${3:+$pts}";
          ip="-$5 $4";
          tM "A" "-i br0 ${4:+$ip}" "${2:+$prt}" "${1:+$mk}";
          [[ "$2" == "udp" ]] && rA "$1" "tcp" "$3" "$4" "$5";
        }
    
       # IP Lists #
        bI=`dD "$bI $(dnRul "$bD" "24")"`;
        v2I=`dD "$v2I $(dnRul "$v2D" "24")"`
    
      if [ -z "$lOn" ] && [ -n "$vOn" ]; then
        [[ -z "$2" ]] && sleep 18
    
       # Rev path fltr, Build tbls
    
        for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
          echo 0 > $i;
        done;
    
        ip route flush cache;
        tM "F"
    
        route | grep -Ev "0.0.0|255.0" | grep '\*' | while read RO ; do
          tu=`echo "$RO" | cl 8`; gw=`echo "$RO" | cl 1`;
          if [ "$tu" == "vlan2" ]; then
            tl="table 100";
            tRm="tun11|tun12|ppp0";
            n="1";
          elif [ "$tu" == "tun11" ]; then
            tl="table 200";
            tRm="tun12|ppp0";
            n="2";
          elif [ "$tu" == "tun12" ]; then
            tl="table 220";
            tRm="tun11|ppp0";
            n="3";
          else
            tl=0;
          fi;
          if [ "$tl" != 0 ]; then
            ip route flush $tl;
            ip route del default $tl;
            ip rule del fwmark $n $tl;
            ip rule add fwmark $n $tl;
            ip route show table main | grep -Ev "^default|0.0.0/1|$tRm" | while read ROU ; do
              ip route add $tl $ROU;
            done;
            ip route add default $tl via $gw;
          fi;
        done
       # Gway , local net, local IPs
        lG=$(nvram get lan_ipaddr); lN=${lG%.*}; lIP="$lN.0/24"
      ##
      #####################
      #### EDITABLE Rules
      ## All bypass VPN
        rA "1"
      ## LAN Pts1 > VPN1
        for ipR in $lIP ; do
        rA "2" "udp" "$Pts1" "$ipR" "s";
        done
      ## V2 IPs Pts1 > VPN2
       #for ipR in $v2I ; do
       #rA "3" "" "" "$ipR" "d";
       #done
      ## LAN Local dest bypass
        rA "1" "" "" "$lG/24" "d"
        rA "1" "" "" "239.255.0.0/16" "d"
        rA "1" "" "" "239.0.0.0/24" "d"
      ## Bypass IPs
       #for ipR in $bI ; do
       #rA "1" "" "" "$ipR" "d";
       #done
    ###################################
    #### CUSTOM Rules defined here
    #### (LAN Mark = 1, VPN 1 Mark = 2, VPN 2 Mark = 3)
    #### rA $MarkNo $Protocol $IPAddress $SourceOrDestination
    #### e.g. rA "1" "tcp" "80" "8.8.8.8" "d" # Mark port 80 traffic destined to 8.8.8.8 through LAN
    #### e.g. rA "2" "" "" "10.1.2.6" "s" # Mark traffic sourced from 10.1.2.6 through VPN1
    ####################
        iptables-save | awk '!/PREROUTING/ || !x[$0]++' | iptables-restore
      fi
      rm $L
    fi
    
     
    Last edited: Dec 11, 2015
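    The scripts in posts 91 and 97 both hang on the same mapping: packets get a MARK in mangle PREROUTING, `ip rule` sends marked packets to a separate table whose default route is the WAN gateway, and unmarked (VPN) traffic falls through to the main table, where OpenVPN's pushed 0.0.0.0/1 and 128.0.0.0/1 routes point at the tunnel. If the tunnel routes are missing (the situation in post 88, where the VPN showed as up but wasn't), that traffic silently leaves via the WAN. The audit below is an added example, not code from any poster; it checks the mark -> table -> egress mapping against text in the format of `ip rule show` and `ip route show table N`, so it can be run on saved output. The sample outputs are constructed and assume vlan2 as the WAN interface, tun11 as the tunnel and 203.0.113.1 as the WAN gateway.

```shell
#!/bin/sh
# Added example (not from the thread): audit the fwmark -> table -> egress mapping
# built by the wanup scripts above and flag the fail-open case where unmarked
# (VPN-bound) traffic would exit via the WAN. All sample data below is constructed
# in the format printed by `ip rule show` / `ip route show table N`.
RULES_SAMPLE='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
MAIN_VPN_UP='0.0.0.0/1 via 10.8.0.1 dev tun11
128.0.0.0/1 via 10.8.0.1 dev tun11
default via 203.0.113.1 dev vlan2
192.168.1.0/24 dev br0 scope link'
MAIN_VPN_DOWN='default via 203.0.113.1 dev vlan2
192.168.1.0/24 dev br0 scope link'
TABLE100_SAMPLE='default via 203.0.113.1 dev vlan2
192.168.1.0/24 dev br0 scope link'
# table_for_mark MARK RULES: table a packet with fwmark MARK is looked up in (mark 0 falls through to main).
table_for_mark() {
  t=$(printf '%s\n' "$2" | awk -v m="fwmark $1 " 'index($0, m) { print $NF; exit }')
  printf '%s\n' "${t:-main}"
}
# egress_dev ROUTES: device of the catch-all route in a table; a 0.0.0.0/1 half-route
# (what OpenVPN pushes with redirect-gateway) is more specific than "default" and wins.
egress_dev() {
  printf '%s\n' "$1" | awk '
    function dev(  i) { for (i = 1; i <= NF; i++) if ($i == "dev") return $(i + 1); return "" }
    $1 == "0.0.0.0/1" { half = dev() }
    $1 == "default"   { def = dev() }
    END { print (half != "" ? half : def) }'
}
# egress_for_mark MARK RULES MAIN TABLE100: device that traffic carrying MARK actually leaves on.
egress_for_mark() {
  case "$(table_for_mark "$1" "$2")" in
    main) egress_dev "$3" ;;
    100)  egress_dev "$4" ;;
    *)    printf '\n' ;;
  esac
}
# vpn_leak_check RULES MAIN TABLE100: returns 0 when mark-0 traffic exits via the tunnel
# and mark-1 traffic via the WAN; returns 1 with a message when VPN traffic would leak.
vpn_leak_check() {
  vpn=$(egress_for_mark 0x0 "$1" "$2" "$3")
  byp=$(egress_for_mark 0x1 "$1" "$2" "$3")
  case "$vpn" in tun*) ;; *) echo "LEAK: unmarked traffic exits via ${vpn:-nothing}, not the tunnel"; return 1 ;; esac
  [ "$byp" = "vlan2" ] || { echo "bypass traffic exits via $byp, not the WAN"; return 1; }
  echo "ok: vpn=$vpn bypass=$byp"
}
# Demo on the constructed samples: tunnel up, then tunnel routes gone (fail-open).
vpn_leak_check "$RULES_SAMPLE" "$MAIN_VPN_UP" "$TABLE100_SAMPLE"
vpn_leak_check "$RULES_SAMPLE" "$MAIN_VPN_DOWN" "$TABLE100_SAMPLE" || true
```

On a live router the three inputs are the output of `ip rule show`, `ip route show table main` and `ip route show table 100`; a non-zero exit is the signal to apply the FORWARD DROP rule mentioned in post 95 rather than trust the GUI status.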
  98. James Wichall

    James Wichall New Member Member

    Updated code with better functionality and an alternate version for readability :)

    I'm continuing to work on this script but this thread seems a bit quiet so PM me if you want the latest version/help with your own
     
    Last edited: Dec 2, 2015
  99. boesl_

    boesl_ New Member Member


    Hi guys,

    I'm also playing around with my new Nighthawk R7000 running on Tomato 132. Routing Policy is working as expected, but how can I override the DNS Server? It still uses the DNS Server of my ISP.

    Any help is appreciated.

    regards,
    boesl
     
  100. Sean Rhodes

    Sean Rhodes Networkin' Nut Member

    Re your VPN routing WAN up script: http://www.linksysinfo.org/index.ph...pass-vpn-selectively.33468/page-3#post-268958.

    Can you send me your latest and also your Netflix script?

    I have been using one of the old Quadragis scripts for some time and I'm at the point where I really need to clean up my wanup, init, adblock and fire scripts which have kind of evolved.

    I basically want to clean them all out and redo.

    Thanks,

    PS forum won't let me PM you
     