Block VPN devices when VPN is down, but still allow non-VPN

Fawkesguy

New Around Here
Hello everyone,

I'm running DD-WRT on x86 hardware (v24-sp2 (03/19/12) std (SVN revision 18777)). OpenVPN is configured and connects to my VPN provider without issue. Here's what I'm trying to achieve:

All devices on my network go through my DD-WRT router. Let's say I want one device on my network to bypass the VPN. If I put 192.168.1.100 in the "Policy Based Routing" box on the OpenVPN configuration screen, that IP bypasses the VPN, as it should.

What I would like to do is set it up so if the VPN goes down, all VPN traffic will stop, while still allowing the non-VPN traffic through the router. Here is what I have in my firewall:

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Now, if I add the rule "iptables -I FORWARD -i br0 -o eth0 -j DROP", that will stop all traffic that is non-VPN. That would be fine if I didn't want a few devices to bypass the VPN. If I use that rule, the IP address I add in the "Policy Based Routing" box is blocked.

What rules do I need to set to allow traffic to bypass the VPN and stay up if the VPN drops, but that will also block the other clients on my network if the VPN drops?

I hope that makes sense. Any help would be greatly appreciated.

Thank you!
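One way to get the behaviour the post asks for, as an added example and not code from the thread or from DD-WRT: a dedicated chain on the LAN-to-WAN forwarding path that lets the listed bypass hosts through and drops everyone else, whether or not tun1 is up. The interface names br0, eth0 and tun1 come from the post; the chain name VPN_KILLSWITCH and the script layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): VPN kill switch with a bypass list.
# Assumed interface names match the poster's DD-WRT box: LAN bridge br0,
# WAN eth0, OpenVPN tun1. The chain name VPN_KILLSWITCH is chosen here.
LAN_IF=br0
WAN_IF=eth0
VPN_IF=tun1
CHAIN=VPN_KILLSWITCH

# Print the iptables commands for the given bypass hosts (IP or CIDR, one per
# argument). Every LAN->WAN packet is sent through $CHAIN: bypass hosts RETURN
# to normal forwarding, everything else is dropped. The chain does not depend
# on tun1 existing, so when the tunnel drops and VPN clients' traffic would
# otherwise fall back to the eth0 route, it hits the DROP instead of leaking.
build_rules() {
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    for host in "$@"; do
        echo "iptables -A $CHAIN -s $host -j RETURN"
    done
    echo "iptables -A $CHAIN -j DROP"
    # delete-then-insert keeps the script idempotent across firewall restarts
    echo "iptables -D FORWARD -i $LAN_IF -o $WAN_IF -j $CHAIN 2>/dev/null"
    echo "iptables -I FORWARD -i $LAN_IF -o $WAN_IF -j $CHAIN"
    # the poster's FORWARD/NAT tunnel rules, re-added the same safe way
    # (the poster's INPUT REJECT rule is unaffected and left as is)
    echo "iptables -D FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT 2>/dev/null"
    echo "iptables -I FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT"
    echo "iptables -D FORWARD -i $VPN_IF -o $LAN_IF -j ACCEPT 2>/dev/null"
    echo "iptables -I FORWARD -i $VPN_IF -o $LAN_IF -j ACCEPT"
    echo "iptables -t nat -D POSTROUTING -o $VPN_IF -j MASQUERADE 2>/dev/null"
    echo "iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE"
}

# Usage: sh killswitch.sh [--apply] <bypass-ip-or-cidr>...
# Without --apply the rules are only printed so they can be reviewed first.
if [ "${1:-}" = "--apply" ]; then
    shift
    build_rules "$@" | sh
else
    build_rules "$@"
fi
```

The DROP only governs forwarded LAN traffic; DNS lookups the router's own forwarder makes on behalf of VPN clients leave through the router's OUTPUT chain and are not covered by this chain.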