Please correct my script for VPN

Discussion in 'Tomato Firmware' started by jbesclapez, Jan 18, 2014.

  1. jbesclapez

    jbesclapez Serious Server Member

    Hi there!

    I am using a script (see below) to have all IPs from a certain range go through a VPN. The rest, which use DHCP, do not use the VPN.
    The problem is that my PC, which is not in the VPN range, is also in the VPN!! It is unstable because sometimes the router is putting me in the VPN and sometimes I am not using the VPN... really weird!!
    I am using Shibby 115 on an RT-N66U...

    I rebooted my router and my PC, but it comes back in the VPN... (the IP of my PC is 192.168.1.196)

    Please help

    Thanks

    PHP:
    ip_range1="192.168.1.50-192.168.1.99"

    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done

    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING


    iface_lst=`route | awk ' {print $8}'`
    for tun_if in $iface_lst; do
      if [ "$tun_if" = "tun11" ]; then
        exit 0
      elif [ "$tun_if" = "tun12" ]; then
        exit 0
      fi
    done

    ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache


    # By default all traffic bypasses the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

    # IP_RANGES - Uncomment as necessary
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range1 -j MARK --set-mark 0

     
  2. kthaddock

    kthaddock Network Guru Member

    Set static IPs on your PCs in the "192.168.1.50-192.168.1.99" range and make sure that range is outside your DHCP range.
     
  3. jbesclapez

    jbesclapez Serious Server Member

    I was digging a bit into that and found 2 differences in a script (made by qudgis).

    My line is:
    ip route show table main | grep -Ev ^default | grep -Ev $tun_if \

    As you can see there is a tun_if at the end, but I found another script using
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \

    The routing table is showing a tun11...
    What should I do?
     
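An added example, not code from any post in this thread: the posted script loops `for tun_if in $iface_lst` and exits the whole script when it finds tun11 or tun12, so by the time `grep -Ev $tun_if` runs, `$tun_if` holds whatever the last word from the `route` listing was (often `lo`), not the tunnel. The two functions below do the same two jobs explicitly and can be dry-run offline: `find_tun_if` picks the tunnel interface that is actually present from a list of interface names, and `filter_routes` drops the default route and every route on that tunnel before the remaining routes would be copied into table 100. The interface list and routing table are constructed samples standing in for `route | awk '{print $8}'` and `ip route show table main`; the tunnel names tun11/tun12 and the device names vlan2/br0 are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes a BusyBox-style sh as on Tomato
# and that the OpenVPN client tunnel is named tun11 or tun12.

# Read interface names on stdin (one per line) and print the first VPN tunnel
# found. Header words such as "Iface" from `route` output are skipped because
# they match neither name. Prints nothing and returns 1 when no tunnel is up.
find_tun_if() {
  while read -r ifname; do
    case "$ifname" in
      tun11|tun12) printf '%s\n' "$ifname"; return 0 ;;
    esac
  done
  return 1
}

# Read `ip route show table main` output on stdin and print only the routes
# that belong in the policy table: skip the default route and any route whose
# device is the tunnel named in $1. An empty $1 means "no tunnel, copy all
# non-default routes" (the VPN is not up yet, e.g. when run from WAN Up).
filter_routes() {
  tun="$1"
  while read -r route; do
    case "$route" in
      default*) continue ;;
    esac
    if [ -n "$tun" ]; then
      # Match "dev tun11" as a whole word so tun11 does not also hit tun110.
      case "$route" in
        *" dev $tun"|*" dev $tun "*) continue ;;
      esac
    fi
    printf '%s\n' "$route"
  done
}

# Constructed sample data: what `route | awk '{print $8}'` and
# `ip route show table main` might print on a router with the VPN up.
SAMPLE_IFACES='Iface
vlan2
br0
tun11
lo'
SAMPLE_ROUTES='default via 10.0.0.1 dev vlan2
10.0.0.0/24 dev vlan2  proto kernel  scope link  src 10.0.0.2
10.8.0.1 via 10.8.0.5 dev tun11
10.8.0.5 dev tun11  proto kernel  scope link  src 10.8.0.6
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1'

# Dry run over the samples: the routes that would be added to table 100.
table100_routes() {
  tun=$(printf '%s\n' "$SAMPLE_IFACES" | find_tun_if)
  printf '%s\n' "$SAMPLE_ROUTES" | filter_routes "$tun"
}

table100_routes
```

On the router the same two functions would be fed the live listings (`route | awk '{print $8}' | find_tun_if` and `ip route show table main | filter_routes "$tun"`), and each printed route would go through `ip route add table 100 $ROUTE` as in the posted script; the dry run here shows that only the vlan2 and br0 networks survive the filter while both tun11 routes and the default route are excluded, which is the behaviour the `grep -Ev tun11` variant mentioned above gets and the `$tun_if` variant does not.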
  4. jbesclapez

    jbesclapez Serious Server Member

    Hello Haddock!!
    The static IPs are going to the VPN but not the DHCP ones... And sure, I did not forget to start the DHCP from 192.168.1.100 onward!!!
     
  5. jbesclapez

    jbesclapez Serious Server Member

    OK, I think I found the solution. I did some tests and it seems that the problem was coming from the tun_if mentioned above...
    Hope it will also help someone!

    Have a great week end all (you included Captain!!) ;)
     
  6. kthaddock

    kthaddock Network Guru Member

    You should use this:
    ip_range1="192.168.1.50-192.168.1.99"

    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done

    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING


    iface_lst=`route | awk ' {print $8}'`
    for tun_if in $iface_lst; do
      if [ "$tun_if" = "tun11" ]; then
        exit 0
      elif [ "$tun_if" = "tun12" ]; then
        exit 0
      fi
    done

    ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache


    # By default all traffic bypasses the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

    # IP_RANGES - Uncomment as necessary
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range1 -j MARK --set-mark 0
     
  7. jbesclapez

    jbesclapez Serious Server Member

    Haddock, I am happy to see your message.
    Just after posting my previous message, the problem came back... :mad:

    I will now test your script.
    Did you put it in the WanUP section or in the Init?
     
  8. kthaddock

    kthaddock Network Guru Member

    Well, it's your script, with an explanation of which row you must use. I had put it under Firewall.
     
  9. jbesclapez

    jbesclapez Serious Server Member

    Haddock, I tried that but no luck... I did another post with more print screens, as I now doubt that the script is the problem. Could it be because the router is managing WAN and VPN at the same time?? I am lost now!!
     
  10. kthaddock

    kthaddock Network Guru Member

    This script should work, so it must be some other setting that affects this.
    Test with "route-nopull" at the top of your script.
    What connection do you have, DSL, fiber?
    What IP address do you have under Overview, WAN?
     
    Last edited: Jan 21, 2014
  11. jbesclapez

    jbesclapez Serious Server Member
