icsy7788

DD-WRT/Tomato/OpenWRT/Padavan route specific traffic around the VPN


I found the need to route specific machines and ports around the VPN.  Since I run the VPN client in my router, all my traffic by default goes through the VPN.  But if you have FTP, trackers that don't allow VPN/Proxy, RDP, SSH or other ports that you would like to go through your ISP's IP address, there is a way to do this!

 

I found the answer on another VPN forum.  I can post the link, but I am unsure if that will be breaking TorGuard's rules.

 

In a nutshell... what this script does is make all of your IP addresses bypass the VPN, and then it adds rules using
ip_addrs_lst="192.168.1.1-192.168.1.50"

that make them use the VPN.  So in this example, IP addresses 192.168.1.1-50 will go through the VPN. 

 

Also, I could not get the specific port section to work at first, but once I added an --sport line it worked great.  You can also add specific websites.  If you want Netflix to load at the same speeds and go through your ISP, you can achieve this as well.

 

A quick note though:

nvram get wan0_gateway may be router-specific.  When I found this script it was "nvram get wan_gateway".  If you SSH into your router and run:

nvram show | grep wan

you should be able to find the correct name.  Just make sure you do, and change the line below!

 

And as an additional little nugget: if you run the VPN in your router and you get TorGuard to open a port for you, you will need to do some port forwarding.  Your router will receive packets through port XXXXX, but it won't know what to do with them.  While normal port forwarding tells your WAN where to send specific packets to your LAN, you need a line to tell your router where to send packets from tun0 (tun0 may change depending on your router!)

###########################
VPN Port Forwarding
###########################

iptables -t nat -A PREROUTING -p tcp -i tun0 --dport 50005 -j DNAT --to 17.181.30.100:50005
iptables -t nat -A PREROUTING -p udp -i tun0 --dport 50005 -j DNAT --to 17.181.30.100:50005

Now here is the actual script!

#!/bin/sh
## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and set value(s) as needed to customize your rules
#
# IP addresses, contiguous range AND/OR individual.
# Several entries may be separated by spaces, newlines or commas.
#
ip_addrs_lst="192.168.1.1-192.168.1.50"

## Server ports to bypass VPN (comma-separated, as iptables multiport expects)
server_ports="3389,27,23045"

#
# Specific destination websites ip range - Spotify , Netflix...
#
#web_range_lst="72.44.32.1-72.44.63.254
#67.202.0.1-67.202.63.254
#207.223.0.1-207.223.15.254
#98.207.0.1-98.207.255.254
#208.85.40.1-208.85.47.254
#78.31.8.1-78.31.15.254
#193.182.8.1-193.182.15.254"

########################################
# NO NEED TO CHANGE BELOW THIS LINE #
########################################

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
#  List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
#  Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
#  To list the current rules on the router, issue the command:
#     iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#     iptables -t mangle -F PREROUTING
sleep 1
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces: with strict rp_filter the kernel
# would drop replies that come back in on the WAN while the main table
# says the source should be reached through the tunnel.
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > "$i"
done

#
# Delete table 100 and flush any existing rules if they exist.
# On the first run there is nothing to delete yet, so these print RTNETLINK
# errors such as "No such process"; that is harmless, so the messages are hidden.
#
ip route flush table 100 2>/dev/null
ip route del default table 100 2>/dev/null
ip rule del fwmark 1 table 100 2>/dev/null
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Let's find out the tunnel interface. Add your router's name to the list
# if it is not here (the VPN client's log shows it, e.g. tun0 or tun1).
#
tun_if=""
for iface in $(route -n | awk 'NR > 2 {print $8}'); do
  case "$iface" in
    tun11|tun12|ppp0) tun_if="$iface"; break ;;
  esac
done
if [ -z "$tun_if" ]; then
  echo "No tunnel interface found in the routing table; is the VPN client connected?" >&2
fi

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
# (the "dev" match only excludes the tunnel's own routes; if no tunnel was found,
# nothing is excluded).
#
ip route show table main | grep -Ev '^default' | grep -Ev "dev ${tun_if:-NO_TUNNEL}( |$)" \
  | while read -r ROUTE ; do
     ip route add table 100 $ROUTE
done
wan_gw=$(nvram get wan0_gateway)   # router-specific, see the note above
if [ -z "$wan_gw" ]; then
  echo "nvram get wan0_gateway returned nothing; run 'nvram show | grep wan' to find the right variable" >&2
fi
ip route add default table 100 via "$wan_gw"
ip rule add fwmark 1 table 100
ip route flush cache

# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first,
#  so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# IP_ADDRESSES - RANGE(S) AND/OR INDIVIDUAL(S)
# (commas are turned into spaces so "a,b-c" style lists work as well)
for ip_addrs in $(printf '%s\n' "$ip_addrs_lst" | tr ',' ' ') ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range "$ip_addrs" -j MARK --set-mark 0
done

######   Ports that bypass VPN    ######
###### Normal portforwarding will ######
######    need to be applied      ######

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport "$server_ports" -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport "$server_ports" -j MARK --set-mark 1

# WEBSITES_IP_RANGES -
for web_dst_range in $(printf '%s\n' "$web_range_lst" | tr ',' ' ') ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range "$web_dst_range" -j MARK --set-mark 0
done
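The script above leaves three things behind that the "bypass the VPN" path depends on: the fwmark rule pointing at table 100, a default route in table 100 via the WAN gateway (and no tunnel routes copied into it), and the catch-all MARK 1 rule sitting before the exceptions. As an added check, written for this page and not part of icsy7788's script or any other post in the thread, the functions below parse the output of "ip rule show", "ip route show table 100" and "iptables -t mangle -S PREROUTING" and report which of those pieces is missing or out of order. The three outputs at the bottom are constructed samples (RFC 5737 addresses, a DD-WRT style vlan2 WAN and br0 LAN, tun0 as the tunnel) showing one healthy and one broken state; on a real router, capture the three commands into variables and pass those instead.

```shell
#!/bin/sh
# Added example, not part of the thread's script: verify the policy-routing
# state the script is supposed to produce. Inputs are the text output of
#   ip rule show ; ip route show table 100 ; iptables -t mangle -S PREROUTING
# All sample data below is constructed for this example.

# "ip rule show" prints the mark in hex: "32765: from all fwmark 0x1 lookup 100"
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq 'fwmark 0x1(/0xffffffff)? lookup 100'
}

# Print the gateway of the default route in table 100 (nothing if there is none)
table_default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "via") print $(i + 1) }'
}

# True if any route in table 100 leaves through the tunnel device
table_uses_tunnel() {
    printf '%s\n' "$1" | grep -Eq "dev $2( |$)"
}

# True if the first MARK rule on br0 is the catch-all "set mark 1".
# "iptables -S" shows --set-mark 1 as "--set-xmark 0x1/0xffffffff" on current
# builds and as "--set-mark 0x1" on some older ones; accept both forms.
mark_default_first() {
    first=$(printf '%s\n' "$1" | grep -E '^-A PREROUTING -i br0 .*-j MARK ' | head -n 1)
    case "$first" in
        *"--set-xmark 0x1/0xffffffff"*|*"--set-mark 0x1"*|*"--set-mark 1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: check_policy_routing "<ip rule show>" "<ip route show table 100>" \
#                             "<iptables -t mangle -S PREROUTING>" <tunnel interface>
# Prints one line per problem; returns 0 only when every check passes.
check_policy_routing() {
    rules="$1"; table="$2"; mangle="$3"; tun="$4"; status=0
    if ! has_fwmark_rule "$rules"; then
        echo "MISSING: 'ip rule add fwmark 1 table 100' is not in effect"; status=1
    fi
    gw=$(table_default_gw "$table")
    if [ -z "$gw" ]; then
        echo "MISSING: no default route in table 100 (did the nvram gateway lookup return anything?)"; status=1
    fi
    if table_uses_tunnel "$table" "$tun"; then
        echo "WRONG: table 100 contains a route over $tun, so 'bypass' traffic can still enter the VPN"; status=1
    fi
    if ! mark_default_first "$mangle"; then
        echo "WRONG: the catch-all 'MARK --set-mark 1' on br0 is missing or is not the first MARK rule"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: bypass path complete, default via $gw"
    return "$status"
}

# Constructed sample output, as a healthy router would show it
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'

SAMPLE_TABLE_OK='default via 203.0.113.1 dev vlan2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
203.0.113.0/24 dev vlan2 proto kernel scope link src 203.0.113.42'

# Constructed broken state: the gateway lookup returned nothing (so no default
# route was added) and the tunnel's own route was copied into table 100
SAMPLE_TABLE_BAD='192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6'

SAMPLE_MANGLE='-P PREROUTING ACCEPT
-A PREROUTING -i br0 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i br0 -m iprange --src-range 192.168.1.1-192.168.1.50 -j MARK --set-xmark 0x0/0xffffffff
-A PREROUTING -i br0 -p tcp -m multiport --dports 3389,27,23045 -j MARK --set-xmark 0x1/0xffffffff'

echo "--- healthy router ---"
check_policy_routing "$SAMPLE_RULES" "$SAMPLE_TABLE_OK" "$SAMPLE_MANGLE" tun0
echo "--- broken router ---"
check_policy_routing "$SAMPLE_RULES" "$SAMPLE_TABLE_BAD" "$SAMPLE_MANGLE" tun0 || true
```

The second sample is the state you end up in when the nvram variable name is wrong for your firmware: "ip route add default table 100 via" gets an empty gateway and fails, so marked traffic has no route out and nothing loads in "bypass mode" even though the mangle rules look right.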


Thank you very much.

 

I have some considerations for dd-wrt using OpenVPN.

First of all, don't use any "Policy based Routing" on OpenVPN client.

For my router I had to come back to "nvram get wan_gateway".

Besides that, I had to change the tunnel interface to find my "tun1".

After all that, on my router I had to comment out or put some value in the "web_range_lst" variable.

 

My final working script:

 

#!/bin/sh
# Several entries may be separated by commas (as here) or spaces.
ip_addrs_lst="192.168.0.148,192.168.0.21-192.168.0.25"
server_ports="80,443,7004"
web_range_lst="216.58.216.110"

########################################
# NO NEED TO CHANGE BELOW THIS LINE #
########################################

sleep 1

# Disable reverse path filtering so replies arriving on the WAN are not dropped
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > "$i"
done

# Clean up from a previous run (the RTNETLINK errors on a first run are harmless)
ip route flush table 100 2>/dev/null
ip route del default table 100 2>/dev/null
ip rule del fwmark 1 table 100 2>/dev/null
ip route flush cache
iptables -t mangle -F PREROUTING

# Find the tunnel interface; on this dd-wrt router the OpenVPN client is tun1
tun_if=""
for iface in $(route -n | awk 'NR > 2 {print $8}'); do
  case "$iface" in
    tun11|tun12|tun1|tun2|ppp0) tun_if="$iface"; break ;;
  esac
done

# Copy every route except the default and the tunnel's own into table 100
ip route show table main | grep -Ev '^default' | grep -Ev "dev ${tun_if:-NO_TUNNEL}( |$)" \
  | while read -r ROUTE ; do
     ip route add table 100 $ROUTE
done

ip route add default table 100 via "$(nvram get wan_gateway)"
ip rule add fwmark 1 table 100
ip route flush cache

# No catch-all "MARK --set-mark 1" rule here: unlisted LAN traffic keeps mark 0
# and stays on the VPN; only the ports below bypass it.

# IP_ADDRESSES - RANGE(S) AND/OR INDIVIDUAL(S)
# (commas are turned into spaces so the comma-separated list above is split correctly)
for ip_addrs in $(printf '%s\n' "$ip_addrs_lst" | tr ',' ' ') ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range "$ip_addrs" -j MARK --set-mark 0
done

######   Ports that bypass VPN    ######
###### Normal portforwarding will ######
######    need to be applied      ######
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport "$server_ports" -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport "$server_ports" -j MARK --set-mark 1

# WEBSITES_IP_RANGES -
for web_dst_range in $(printf '%s\n' "$web_range_lst" | tr ',' ' ') ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range "$web_dst_range" -j MARK --set-mark 0
done

 


Hi,

 

I would like to run only the VPN DNS traffic through my PS4 local LAN IP (192.168.0.229), so I think this guide could be helpful for me. Just for the record, I want to do it to watch Netflix from the USA on my PS4 (instead of Netflix from the UK).

 

However I think I will need some big help:
 

1-Run Torguard VPN using openwrt router as client

I need to find out how to run TorGuard VPN using my openwrt router as the client (I only found guides for DD-WRT).

Once the above is done, I will move to this guide; however, I will need more guidance to get it working, as I mention below:

 

2- Creating the tun interface
I'm guessing that I will need to create a tun interface, because my openwrt router has lan, wan and wan6; it doesn't have any interface called tun or tun0.
 

2.1- Protocol to be used in the interface that is created?

DHCP Client, Unmanaged, DHCPv6 Client, PPP or PPPoE

 

2.2- Which Physical settings should I use for that interface (cover of the interface)?

Bridge interfaces (check or uncheck??)
creates a bridge over specified interface(s)
Interface
  •    Ethernet Adapter: "eth0" (tun0, wan, wan6)
  •    VLAN Interface: "eth0.1"
  •    VLAN Interface: "eth0.2"
  •    Ethernet Adapter: "eth1" (lan)
  •    Wireless Network: Master "OpenWrt" (lan)
  •    Wireless Network: Master "TP-LINK_23FE" (lan)
  •    Custom Interface:

 

 

2.2- I don't know what to do with the Firewall Settings (should I leave it blank because we will add some rules later???)

Create / Assign firewall-zone

  •   lan: lan
  •   wan: wan, wan6
  •   unspecified -or- create: 

3- My openwrt router doesn't have nvram, it has uci.

I'm guessing that wouldn't be a problem, but should I also run it to look for wan and not wan6 or lan?
The command "nvram uci | grep wan" shows the following:

dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
[email protected][1].name='wan'
[email protected][1].network='wan' 'wan6'
[email protected][0].dest='wan'
[email protected][0].src='wan'
[email protected][1].src='wan'
[email protected][2].src='wan'
[email protected][3].src='wan'
[email protected][4].src='wan'
[email protected][5].src='wan'
[email protected][6].src='wan'
[email protected][7].src='wan'
[email protected][8].src='wan'
[email protected][0].src='wan'
[email protected][1].src='wan'
[email protected][2].src='wan'
[email protected][3].src='wan'
[email protected][4].src='wan'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0'
network.wan6.proto='dhcpv6'

4- Should I also run the lines that are mentioned as "VPN Port Forwarding"?
If the answer is yes, should I replace the IP 17.181.30.100:50005??

Hope all that helps to get helped :)

 

Thank you!
 

I'm trying to do this with an openwrt router, as what I want to do is run my PS4 traffic through the VPS.
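The gateway lookup is the one firmware-specific line in the script: the first post notes that the nvram variable name differs between routers, and the poster above has no nvram at all. As an added example, written for this page and not code from any post in the thread, the functions below derive the ISP gateway and the routes for table 100 from the text output of "ip route show table main" instead, so the same lines work on DD-WRT, Tomato, Padavan and OpenWrt. They generalize the script's grep pipeline slightly by matching the "dev" field rather than a substring, so a tunnel called tun1 does not also exclude tun11 and tun12. The two routing tables at the bottom are constructed samples (RFC 5737 addresses, a vlan2 WAN, tun1 as the tunnel); on a real router pass the actual output in, and pipe the printed commands to sh once they look right.

```shell
#!/bin/sh
# Added example, not from any post in this thread: derive the WAN gateway and
# the routes for table 100 from the main routing table instead of from a
# firmware-specific "nvram get ..." variable (OpenWrt has uci and no nvram).
#
# With OpenVPN's usual "redirect-gateway def1" the main table keeps the ISP
# default route and adds 0.0.0.0/1 and 128.0.0.0/1 over the tunnel, so the ISP
# gateway is the "via" of the default route whose device is not the tunnel.
# All sample data below is constructed for this example.

# Usage: wan_gateway "<output of ip route show table main>" <tunnel interface>
# Prints the ISP gateway, or nothing if the VPN replaced the default route outright.
wan_gateway() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        $1 == "default" {
            gw = ""; dev = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            if (gw != "" && dev != tun) { print gw; exit }
        }'
}

# Usage: table100_routes "<output of ip route show table main>" <tunnel interface>
# Prints the routes to copy into table 100: everything except default routes
# and routes whose device is the tunnel (matched on the "dev" field).
table100_routes() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        $1 == "default" { next }
        {
            for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == tun) next
            print
        }'
}

# Usage: table100_commands "<ip route show table main>" <tunnel interface> [nvram variable]
# Prints the "ip route add table 100 ..." lines to run. Falls back to the nvram
# variable the original script used when no ISP default route is visible.
table100_commands() {
    routes="$1"; tun="$2"; nvvar="${3:-wan0_gateway}"
    table100_routes "$routes" "$tun" | while read -r route; do
        echo "ip route add table 100 $route"
    done
    gw=$(wan_gateway "$routes" "$tun")
    if [ -n "$gw" ]; then
        echo "ip route add default table 100 via $gw"
    else
        echo "ip route add default table 100 via \$(nvram get $nvvar)"
    fi
}

# Constructed sample: WAN on vlan2, OpenVPN up with redirect-gateway def1.
# 198.51.100.7 stands for the host route OpenVPN adds towards the VPN server.
SAMPLE_DEF1='0.0.0.0/1 via 10.8.0.5 dev tun1
default via 203.0.113.1 dev vlan2
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
198.51.100.7 via 203.0.113.1 dev vlan2
203.0.113.0/24 dev vlan2 proto kernel scope link src 203.0.113.42'

# Constructed sample: the VPN replaced the default route, so no ISP default is left
SAMPLE_REPLACED='default via 10.8.0.5 dev tun1
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
203.0.113.0/24 dev vlan2 proto kernel scope link src 203.0.113.42'

echo "--- def1 routing table: ISP gateway $(wan_gateway "$SAMPLE_DEF1" tun1) ---"
table100_commands "$SAMPLE_DEF1" tun1
echo "--- default replaced by the VPN: no ISP gateway visible, falling back to nvram ---"
table100_commands "$SAMPLE_REPLACED" tun1 wan_gateway
```

Run the script's route-table copy before the VPN client starts, or read the gateway while the client is down, and the fallback is never needed; the fallback exists for the case where the VPN has already taken over the default route and the only record of the ISP gateway is whatever the firmware stored.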


I have a question about this. 

 

My Windows 10 box is connecting to OpenVPN as a client, NOT on the DD-WRT. So can this be accomplished with a second NIC (one for LAN traffic and one for VPN traffic)?

Is this possible? Is this a router issue or Windows?


Ok, I tried the script on my router with dd-wrt (the modified version in the 3rd post) but I can't get it to work.

I always get this: RTNETLINK answers: No such process 

 

Any ideas?

 

Also I don't know what this means:

....Besides that, I had to change the tunnel interface to find my "tun1".....


 


It's an old thread, but I'm looking for the same solution myself for my Asus RT-N11P with Padavan firmware. I tried the above, but I'm still having problems getting this working.

Where did you get the IPs used in the VPN port forwarding, 17.181.30.100? Is it the VPN IP?

In ip_addrs_lst="192.168.1.1-192.168.1.50" I tried to set it up for my DHCP-assigned static IP 192.168.0.104.

And what about this line: if [ $tun_if == "tun11" ] || [ $tun_if == "tun12" ] || [ $tun_if == "ppp0" ]; ?

I see in my log that my VPN uses tun0, so do I need to edit the lines above to tun0?  I want only 192.168.0.101-192.168.0.104 to work with the VPN, and other traffic without the VPN.

 

 

On 16/3/2015 at 8:38 AM, icsy7788 said:

I found the need to route specific machines and ports around the VPN.  Since I run the VPN client in my router, all my traffic by default goes through the VPN.  But if you have FTP, trackers that don't allow VPN/Proxy, RDP, SSH or other ports that you would like to go through your ISP's IP address, there is a way to do this!

Hello, thanks for the info. I've been trying to set up my Linksys + DD-WRT router with this script but have some questions. 
   - Should this script go in the startup or the firewall section?
   - Testing through telnet line by line, I can confirm my traffic is going through and bypassing the VPN according to the MARK 1/0 I enter, but when trying to browse the internet, I don't seem to get any web page when in "bypass mode", only through the VPN. Any ideas on what I'm doing wrong?
