Asus AC66U - Policy Based Routing/OpenVPN

stosh2k

New Around Here
I am running Merlin 3.0.0.4.374.40 and have a working OpenVPN client set up back to my work. As by design, whenever I fire up the OVPN client, all traffic behind my router traverses the VPN. My goal is to only route traffic from specific devices (work laptop via dock, wifi, and tablet) to the work VPN.

I used a script that I found here, as below, and stuck it in /jffs/scripts as openvpn-event. Script:

----------------------
#!/bin/sh

# Give the WAN/tunnel a moment to settle before touching routes.
sleep 10
touch /tmp/000wanstarted

# Disable reverse-path filtering on all interfaces so replies coming back
# over a different interface than the one selected by the main table are not dropped.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

# Delete table 100 and flush any existing rules if they exist.
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1".
# NOTE: Here I assume the OpenVPN tunnel is named "tun11" (the original grep excluded
# "tun12", which did not match the tunnel named in this comment).
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
    ip route add table 100 $ROUTE
done

# Table 100 sends everything out the WAN gateway; packets marked "1" are looked up there.
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.

# All LAN traffic will bypass the VPN (useful to put this rule first, so all traffic bypasses
# the VPN and you can configure exceptions afterwards).
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# Exceptions: these hosts keep mark "0" and therefore use the VPN.
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.0.50 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.0.51 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.0.52 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.0.55 -j MARK --set-mark 0

exit 0

--------------------
The script executes when I turn on the OVPN tunnel, and allows the devices I have defined above access to the VPN. However, no other devices behind the router can access the internet. Even worse, when I shut down the tunnel, there is no internet access at all for any of the devices. I can, however, ping outbound (yahoo.com was the test) from the router. Rebooting the router does not rectify the problem. It's as if the script left something persistent, yet I do not know what that would be.

So, I'm looking for help with two things: 1. Getting the script to route as per above, and 2. Ultimately route only the traffic destined for the remote VPN for these specific devices over the OVPN connection (i.e. general internet traffic routes over the standard WAN connection).

Any tips/pointers? This one has stumped me something fierce.

Thanks.
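The post's script only ever sets up the mark rule and table 100 and never tears them down, which is the kind of leftover state that survives a tunnel stop. The script below is an added example, not the poster's script or anything shipped with Merlin firmware: it splits the openvpn-event handler into an "up" path and a "down" path using the `script_type` and `dev` environment variables that OpenVPN exports to event scripts, and it supports a `DRY_RUN=1` mode that prints the `ip`/`iptables` commands instead of executing them so the generated rule set can be reviewed on any machine. The tunnel name `tun11`, table number 100, mark value 1 and the host list are assumptions taken from the post; `-s host` replaces the single-address `--src-range` match.

```shell
#!/bin/sh
# Added example openvpn-event handler (hypothetical; not the forum poster's script).
# Policy: mark 1 = bypass VPN via table 100 (WAN only), mark 0 = follow the main table (VPN).

VPN_DEV="${dev:-tun11}"     # OpenVPN exports $dev; tun11 is the assumed default
TABLE=100
BYPASS_MARK=1
LAN_IF=br0
# Constructed host list: LAN addresses that should use the VPN.
VPN_HOSTS="192.168.0.50 192.168.0.51 192.168.0.52 192.168.0.55"

# With DRY_RUN=1 the command is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Read `ip route show table main` output on stdin and print only the routes that
# belong in the WAN-only table: the default route and any route whose "dev" is the
# tunnel device are dropped (a whole-word match, so tun11 does not also hit tun110).
filter_routes() {
    awk -v dev="$1" '
        $1 == "default" { next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) next
            print
        }'
}

# Mark everything arriving from the LAN as "bypass" first, then clear the mark for
# the hosts that should use the VPN. Order matters: the later, more specific rules win.
mark_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j MARK --set-mark "$BYPASS_MARK"
    for h in $VPN_HOSTS; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$h" -j MARK --set-mark 0
    done
}

vpn_up() {
    # Start from a clean slate so a re-run does not stack duplicate rules.
    run iptables -t mangle -F PREROUTING
    run ip rule del fwmark "$BYPASS_MARK" table "$TABLE" 2>/dev/null || true
    run ip route flush table "$TABLE"

    # Copy the LAN/WAN routes so marked traffic can still reach local subnets.
    ip route show table main | filter_routes "$VPN_DEV" | while read -r route; do
        run ip route add table "$TABLE" $route
    done
    run ip route add default table "$TABLE" via "$(nvram get wan_gateway)"
    run ip rule add fwmark "$BYPASS_MARK" table "$TABLE"
    mark_rules
    run ip route flush cache
}

vpn_down() {
    # Undo everything vpn_up added so the router returns to plain WAN routing.
    run iptables -t mangle -F PREROUTING
    run ip rule del fwmark "$BYPASS_MARK" table "$TABLE" 2>/dev/null || true
    run ip route flush table "$TABLE"
    run ip route flush cache
}

# OpenVPN sets script_type to "up" or "down" when it invokes the event script;
# when run by hand without it, nothing happens (use DRY_RUN=1 and call a function).
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

To preview what the up path would do on the router without changing anything, source the file and run `DRY_RUN=1 vpn_up`; the printed commands can then be compared against `ip rule show`, `ip route show table 100` and `iptables -t mangle -L PREROUTING -n` after a real run, and the same three commands are the first thing to check when connectivity is lost after the tunnel is stopped.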