
Single PC out via VPN

Discussion in 'Tomato Firmware' started by Miramyn, Nov 21, 2013.

  1. Miramyn

    Miramyn Reformed Router Member

    Greetings all,

    I have an ASUS RT-N66U and I am at a loss of how to route a single PC out a VPN while having all other PCs go out the normal internet connection.

    Is this possible? Which firmware should I be using and how would I set this up?

    Any assistance would be greatly appreciated.
    Thanks in advance
     
  2. JoeDirte

    JoeDirte Serious Server Member

    You could run the VPN client on the single PC and not have to deal with configuring it on the router.
     
  3. Sean Rhodes

    Sean Rhodes Networkin' Nut Member

    I use a script from Quidagis which basically goes in the Wan Up section of the admin scripts:

    Code:
    ## CUSTOMIZE YOUR SCRIPT VARIABLES
    #
    ## Uncomment and set value(s) as needed to customize your rules
    #
    # IP ADDRESS RANGE OR SINGLE IP ADDRESS
    ip_src_lst="192.168.1.104-192.168.1.106 192.168.1.15"
    #ip_dst_lst=""
    ## CIDR NOTATION or SINGLE IP ADDRESS - E. G. "98.207.0.0/16 74.125.229.0/24 80.130.125.163"
    #cidr_src_rnge=""
    #cidr_dst_rnge=""
    
    #################################################################
    # CHANGE MARK VALUE(S) (0 or 1) IN FOR LOOPS BELOW IF NECESSARY #
    #################################################################
    
    # SHELL COMMANDS FOR MAINTENANCE.
    # DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
    #
    #  List Contents by line number
    # iptables -L PREROUTING -t mangle -n --line-numbers
    #
    #  Delete rules from mangle by line number
    # iptables -D PREROUTING type-line-number-here -t mangle
    #
    #  To list the current rules on the router, issue the command:
    #      iptables -t mangle -L PREROUTING
    #
    #  Flush/reset all the rules to default by issuing the command:
    #      iptables -t mangle -F PREROUTING
    #
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
    #
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
    #
    # Delete table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    
    #
    # Let's find out the tunnel interface
    #
    iface_lst=`route | awk ' {print $8}'`
    tun_if=""
    for cand_if in $iface_lst; do
      if [ "$cand_if" = "tun11" ] || [ "$cand_if" = "tun12" ] || [ "$cand_if" = "ppp0" ]; then
        tun_if="$cand_if"
        break
      fi
    done
    # If no tunnel is up yet, use a name that matches no route so the grep below
    # excludes nothing instead of whatever interface happened to be last in the list
    [ -n "$tun_if" ] || tun_if="no-tunnel-up"
    
    #
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    #
    ip route show table main | grep -Ev "^default" | grep -Ev "$tun_if" \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
    # EXAMPLES:
    #
    #  All LAN traffic will bypass the VPN (Useful to put this rule first,
    #  so all traffic bypasses the VPN and you can configure exceptions afterwards)
    #    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    #
    #  Ports 80 and 443 will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    #
    #  All traffic from a particular computer on the LAN will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
    #
    #  All traffic to a specific Internet IP address will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    #
    #  All traffic from a specific Internet IP address range USING CIDR NOTATION will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -s  74.125.229.0/24 -j MARK --set-mark 0
    #
    #  All traffic to a specific Internet IP address range USING CIDR NOTATION will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -d  98.207.0.0/16 -j MARK --set-mark 0
    #
    #  All UDP and ICMP traffic will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    #    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
    
    # Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    
    for ip_addrs in $ip_src_lst ; do
      iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range "$ip_addrs" -j MARK --set-mark 1
    done
    
    for ip_addrs in $ip_dst_lst ; do
      iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range "$ip_addrs" -j MARK --set-mark 0
    done
    
    for ip_rnge in $cidr_src_rnge ; do
      iptables -t mangle -A PREROUTING -i br0 -s "$ip_rnge" -j MARK --set-mark 1
    done
    
    for ip_rnge in $cidr_dst_rnge ; do
      iptables -t mangle -A PREROUTING -i br0 -d "$ip_rnge" -j MARK --set-mark 0
    done
    Just place the IPs of the devices you want to go through the VPN at the top and uncomment the rule you want, which would be first the rule that says all traffic to bypass the VPN, followed by a second rule with the IP address of the device you want to force through the VPN.
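Before loading the script it helps to see which mark a given packet actually ends up with, since MARK --set-mark is non-terminating and the last matching PREROUTING rule wins. This added example (mine, not part of Sean Rhodes' post) simulates the posted chain in sh using the same variable names; the config values, the extra cidr_dst_rnge entry and the src_mark knob are constructed to show the effect of the header's "change mark values" note.

```shell
#!/bin/sh
# Added example, not from the thread: simulate the mark a LAN packet gets under
# the posted PREROUTING chain. MARK --set-mark does not stop chain traversal, so
# the LAST matching rule wins; that is why the "bypass everything" rule goes
# first and the per-host exceptions come after it.

# Constructed config, mirroring the posted defaults plus one CIDR destination
ip_src_lst="192.168.1.104-192.168.1.106 192.168.1.15"
ip_dst_lst=""
cidr_src_rnge=""
cidr_dst_rnge="98.207.0.0/16"
src_mark=1   # mark set by the src-list loop: 1 = bypass VPN (as posted), 0 = force VPN

# dotted quad -> integer (assumes a well-formed IPv4 address)
ip2int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_range IP RANGE, RANGE being "a.b.c.d" or "a.b.c.d-w.x.y.z" (iprange semantics)
in_range() {
  lo=$(ip2int "${2%-*}"); hi=$(ip2int "${2#*-}"); ip=$(ip2int "$1")
  [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# in_cidr IP NET, NET being "a.b.c.d/N" or a bare address (-s/-d semantics)
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  [ "$net" = "$2" ] && bits=32
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# mark_for SRC DST -> final fwmark: 1 = bypass VPN (table 100), 0 = use the VPN
mark_for() {
  mark=1                                                  # default rule, first in chain
  for r in $ip_src_lst;    do in_range "$1" "$r" && mark=$src_mark; done
  for r in $ip_dst_lst;    do in_range "$2" "$r" && mark=0; done
  for r in $cidr_src_rnge; do in_cidr  "$1" "$r" && mark=1; done
  for r in $cidr_dst_rnge; do in_cidr  "$2" "$r" && mark=0; done
  echo "$mark"
}

# As posted (src_mark=1) the listed hosts still bypass the VPN; set src_mark=0,
# as the script header suggests, to force them through the tunnel instead.
mark_for 192.168.1.105 8.8.8.8
```

Run it with src_mark=1 and then src_mark=0 to confirm the listed hosts only take the tunnel once the src-list loop sets mark 0.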
     
