Openvpn and selective traffic

Discussion in 'DD-WRT Firmware' started by slugshell, Jun 9, 2013.

  slugshell (Reformed Router Member)

    Hello,

    I am running a router with DD-WRT v24 preSP2 (Build 21061) firmware.
    I have set up OpenVPN with blackVPN and used this script to selectively route my HTTP and HTTPS traffic through the VPN connection.

    Here is the script:

    Code:
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:

    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/vlan1/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/vlan2/rp_filter

    # Delete table 100 and flush any existing rules if they exist
    # (errors are silenced so the script also runs cleanly the first time).

    ip route flush table 100
    ip route del default table 100 2>/dev/null
    ip rule del fwmark 1 table 100 2>/dev/null
    ip route flush cache
    iptables -t mangle -F PREROUTING

    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1".
    # (iproute2's "ip route add" understands "table"; the net-tools "route" command does not.)

    ip route show table main | grep -Ev '^default' | grep -Ev tun0 | while read ROUTE ; do
        ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache

    # Define the routing policies for the traffic. The rules will be applied in the order that they
    # are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
    # to "1" it will bypass the VPN.
    # MARK is not a terminating target: a packet matched by several rules keeps the mark of the
    # last matching rule, so later rules override earlier ones.

    # EXAMPLES:
    #
    #  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
    #    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    #  Ports 80 and 443 will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    #  All traffic from a particular computer on the LAN will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
    #  All traffic to a specific Internet IP address will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    #  All UDP and ICMP traffic will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    #    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0

    # Reject connections arriving from the VPN side; NAT LAN traffic that leaves through the tunnel.
    iptables -I INPUT -i tun0 -j REJECT
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    
    This all works just fine, but if I try to set up the opposite, so that all traffic runs through the VPN and only a certain IP address, let's say 192.168.1.123, should bypass the VPN and use the WAN, it just sends the selected IP range through the VPN anyway.

    Here is what I am trying:


    Code:
    ...

    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0 # all goes through the VPN

    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.123 -j MARK --set-mark 1 # server with IP 192.168.1.123 should bypass the VPN

    ...


    But like I mentioned further up, the server still goes through the VPN.
    I would be very thankful if someone could help me out here.

    Thanks in advance,

    slugshell
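The following is an added example, not code from the post or from DD-WRT: a small Python model of the decision the script implements, so the effect of rule order can be checked offline before touching a router. It assumes what the script sets up (the main table's default route points at tun0 once OpenVPN is connected, table 100's default route points at the WAN gateway, and the only policy rule is "fwmark 1 lookup 100"); the Packet and MarkRule classes, the helper names and the sample addresses are constructed for the model. It reproduces what the posted rules should select; it does not reproduce the behaviour the post reports.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class Packet:
    """A LAN packet as seen by the mangle PREROUTING chain (constructed input)."""
    in_iface: str
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # only meaningful for tcp/udp


@dataclass(frozen=True)
class MarkRule:
    """One 'iptables -t mangle -A PREROUTING ... -j MARK --set-mark N' rule.
    Each optional field mirrors one match used in the script: -i, -p,
    -m multiport --dport, -m iprange --src-range / --dst-range."""
    set_mark: int
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    dports: Tuple[int, ...] = ()
    src_range: Optional[Tuple[str, str]] = None   # inclusive first/last address
    dst_range: Optional[Tuple[str, str]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.src_range is not None and not _in_range(pkt.src, self.src_range):
            return False
        if self.dst_range is not None and not _in_range(pkt.dst, self.dst_range):
            return False
        return True


def _in_range(addr: str, rng: Tuple[str, str]) -> bool:
    return IPv4Address(rng[0]) <= IPv4Address(addr) <= IPv4Address(rng[1])


def final_mark(rules: List[MarkRule], pkt: Packet) -> int:
    """MARK is a non-terminating target: the chain keeps running after a match,
    so every matching rule sets the mark in turn and the last match wins."""
    mark = 0                      # packets start with no mark (0)
    for rule in rules:
        if rule.matches(pkt):
            mark = rule.set_mark
    return mark


def egress_for(rules: List[MarkRule], pkt: Packet) -> str:
    """Policy-routing step from the script: 'ip rule add fwmark 1 table 100'.
    Mark 1 -> table 100, whose default route is the WAN gateway; any other
    mark -> main table, whose default route OpenVPN has pointed at tun0."""
    return "wan" if final_mark(rules, pkt) == 1 else "vpn"


def bypass_vpn_except_web() -> List[MarkRule]:
    """The working configuration from the post: everything bypasses the VPN,
    then TCP 80/443 is re-marked 0 so web traffic goes through the tunnel."""
    return [
        MarkRule(set_mark=1, in_iface="br0"),
        MarkRule(set_mark=0, in_iface="br0", proto="tcp", dports=(80, 443)),
    ]


def vpn_except_host(host: str = "192.168.1.123") -> List[MarkRule]:
    """The opposite configuration the post is trying: everything goes through
    the VPN, then one LAN host is re-marked 1 so it bypasses the tunnel."""
    return [
        MarkRule(set_mark=0, in_iface="br0"),
        MarkRule(set_mark=1, in_iface="br0", src_range=(host, host)),
    ]


if __name__ == "__main__":
    # Constructed sample traffic (TEST-NET addresses as destinations).
    web = Packet("br0", "192.168.1.50", "203.0.113.10", "tcp", 443)
    dns = Packet("br0", "192.168.1.50", "203.0.113.53", "udp", 53)
    srv = Packet("br0", "192.168.1.123", "203.0.113.10", "tcp", 443)
    for name, rules in (("bypass except web", bypass_vpn_except_web()),
                        ("vpn except host", vpn_except_host())):
        print(name)
        for pkt in (web, dns, srv):
            print(f"  {pkt.src} {pkt.proto}/{pkt.dport} -> mark "
                  f"{final_mark(rules, pkt)} -> {egress_for(rules, pkt)}")
    # Reversing the two rules shows why order matters: the catch-all runs last
    # and overwrites the host's mark back to 0.
    print("reversed:", egress_for(list(reversed(vpn_except_host())), srv))
```

On the router itself the equivalent state is visible with `ip rule show`, `ip route show table 100` and `iptables -t mangle -L PREROUTING -v -n` (the packet counters on the last one show which MARK rules traffic from the host actually hits). Where the iproute2 build supports it, `ip route get <dst> from <lan-ip> iif br0 mark 1` asks the kernel which table and gateway a marked packet would use.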
     