
Openvpn and selective traffic

Discussion in 'DD-WRT Firmware' started by slugshell, Jun 9, 2013.

  slugshell (Reformed Router Member)

    Hello,

    I am running a router with DD-WRT v24 preSP2 (build 21061) firmware.
    I have set up OpenVPN with blackvpn and used this script to selectively route my HTTP and HTTPS traffic through the VPN connection.

    Here is the script:

    Code:
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:

    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/vlan1/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/vlan2/rp_filter


    # Delete table 100 and flush any existing rules if they exist.

    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING

    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1".
    # Note: this must be `ip route add`, not `route add`; the busybox/net-tools `route`
    # command has no "table" option, so the copied routes would never reach table 100.

    ip route show table main | grep -Ev ^default | grep -Ev tun0 | while read ROUTE ; do
        ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache

    # Define the routing policies for the traffic. The rules will be applied in the order that they
    # are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
    # to "1" it will bypass the VPN. MARK is a non-terminating target, so when several rules match
    # the same packet the last matching rule decides the final mark.

    # EXAMPLES:
    #
    #  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
    #    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    #  Ports 80 and 443 will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    #  All traffic from a particular computer on the LAN will use the VPN (a single address is a valid iprange)
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
    #  All traffic to a specific Internet IP address will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    #  All UDP and ICMP traffic will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    #    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

    # Everything from the LAN bypasses the VPN, then TCP 80/443 is re-marked so it goes through the VPN.
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0

    # Drop unsolicited inbound connections arriving over the tunnel and NAT LAN traffic leaving via tun0.
    iptables -I INPUT -i tun0 -j REJECT
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    
    This all works just fine, but if I try to set up the opposite, so that all traffic runs through the VPN and only a certain IP address, let's say 192.168.1.123, should bypass the VPN and use the WAN, it just sends the selected IP range through the VPN anyway.

    Here is what I am trying:


    Code:
    ...

    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0 # all goes through the VPN

    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.123 -j MARK --set-mark 1 # server with IP 192.168.1.123 should bypass the VPN

    ...


    But as I mentioned further up, the server still goes through the VPN.
    I would be very thankful if someone could help me out here.

    Thanks in advance,

    slugshell
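
The post's script combines two mechanisms: the mangle PREROUTING chain assigns a firewall mark (MARK is non-terminating, so every matching rule runs and the last match wins), and `ip rule add fwmark 1 table 100` then routes marked packets via the WAN table while unmarked ones follow the main table, whose default route is the tunnel. The following is an added example, not the DD-WRT wiki script and not anything from the poster's router: a small Python model of exactly that decision logic, so it runs offline without `iptables` or `ip`. Interface and table names are taken from the post; the sample packets and the hypothetical destination 203.0.113.10 are constructed. It evaluates the poster's working rule set, the "everything via VPN, one host bypasses" rule set in the order shown in the post, and the same two rules with the catch-all evaluated last, which re-marks the host to 0 and is one way to reproduce the symptom described.

```python
"""Model of netfilter MARK rules plus Linux policy routing, as used by the
DD-WRT selective-VPN script above.

Added, constructed example: it reproduces only the decision logic of the
script (mangle PREROUTING marks, `ip rule add fwmark 1 table 100`), so it
runs offline. Interface/table names follow the post; packets are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    in_iface: str = "br0"      # LAN bridge, as in the post


Match = Callable[[Packet], bool]


def in_iface(name: str) -> Match:                    # -i br0
    return lambda p: p.in_iface == name


def tcp_dports(ports: set) -> Match:                 # -p tcp -m multiport --dport a,b
    return lambda p: p.proto == "tcp" and p.dport in ports


def src_range(spec: str) -> Match:                   # -m iprange --src-range a[-b]
    lo, _, hi = spec.partition("-")
    lo_i = int(ipaddress.ip_address(lo))
    hi_i = int(ipaddress.ip_address(hi or lo))       # single address: hi == lo
    return lambda p: lo_i <= int(ipaddress.ip_address(p.src)) <= hi_i


def all_of(*ms: Match) -> Match:
    return lambda p: all(m(p) for m in ms)


@dataclass(frozen=True)
class MarkRule:
    match: Match
    mark: int                  # -j MARK --set-mark <mark>


class MangleChain:
    """The mangle PREROUTING chain. MARK does not stop traversal, so every
    matching rule is applied and the LAST match decides the final mark."""

    def __init__(self) -> None:
        self.rules: List[MarkRule] = []

    def append(self, rule: MarkRule) -> "MangleChain":   # iptables -A
        self.rules.append(rule)
        return self

    def mark_for(self, pkt: Packet) -> int:
        mark = 0                                         # default nfmark
        for r in self.rules:
            if r.match(pkt):
                mark = r.mark
        return mark


# Policy routing from the script: fwmark 1 -> table 100 (default via the WAN
# gateway); everything else -> main table (default via tun0, the VPN).
RULES: List[Tuple[Optional[int], str]] = [(1, "table100"), (None, "main")]
DEFAULT_VIA = {"table100": "WAN", "main": "VPN"}


def route(mark: int) -> str:
    for fwmark, table in RULES:                          # lowest priority first
        if fwmark is None or fwmark == mark:
            return DEFAULT_VIA[table]
    raise RuntimeError("unreachable: the main table always matches")


def decide(chain: MangleChain, pkt: Packet) -> str:
    return route(chain.mark_for(pkt))


def script_http_via_vpn() -> MangleChain:
    """Poster's working rules: all LAN traffic bypasses, then 80/443 re-marked 0."""
    return (MangleChain()
            .append(MarkRule(in_iface("br0"), 1))
            .append(MarkRule(all_of(in_iface("br0"), tcp_dports({80, 443})), 0)))


def script_host_bypass() -> MangleChain:
    """Poster's second attempt, in the order shown (both rules appended)."""
    return (MangleChain()
            .append(MarkRule(in_iface("br0"), 0))
            .append(MarkRule(all_of(in_iface("br0"), src_range("192.168.1.123")), 1)))


def script_host_bypass_catchall_last() -> MangleChain:
    """Same two rules with the catch-all evaluated last: the host is re-marked 0."""
    return (MangleChain()
            .append(MarkRule(all_of(in_iface("br0"), src_range("192.168.1.123")), 1))
            .append(MarkRule(in_iface("br0"), 0)))


if __name__ == "__main__":
    web = Packet("192.168.1.123", "203.0.113.10", "tcp", 443)   # constructed
    ssh = Packet("192.168.1.50", "203.0.113.10", "tcp", 22)     # constructed
    for name, chain in [("http-via-vpn", script_http_via_vpn()),
                        ("host-bypass (post order)", script_host_bypass()),
                        ("host-bypass, catch-all last", script_host_bypass_catchall_last())]:
        print(f"{name:30s} .123:443 -> {decide(chain, web):3s}  .50:22 -> {decide(chain, ssh)}")
```

In this model the two appended rules from the second post, in the order shown, give 192.168.1.123 mark 1 and therefore the WAN path, so if the live router still sends that host through tun0 the cause is not in those two lines as written. The things worth checking on the box are the order and hit counters of the chain that is actually loaded (`iptables -t mangle -L PREROUTING -v -n`), that the rule and table exist (`ip rule show`, `ip route show table 100`), and that the script's `ip route add table 100 ...` loop was really `ip route` and not `route`, since the latter silently leaves table 100 without the copied routes. The post does not show the full second script, so which of these applies cannot be decided from it.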
     
