How do I split traffic between PPTP VPN and WAN interface

tomsk

Very Senior Member
Hi there. This question has resulted from my attempting to make a DDNS script work through double NAT while I have a VPN client running: http://www.snbforums.com/threads/double-nat-custom-ddns-script.34431/
I thought I could route the traffic to the websites where the curl command is grabbing the IP addresses through the WAN and leave the rest of the traffic going through the VPN.
I have very little knowledge of iptables and found this script for Tomato. I think I could make it work for my Asus-Merlin setup.
However, I am a little concerned about turning off reverse path filtering.... reading up a little on it, it seems to be something you would want to have.

Code:
# This code goes in the WAN UP section of the Tomato GUI.
# This code based on the contributions from this thread:
#  http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
#  http://linux-ip.net/html/adv-multi-internet.html
#  http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
#  To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING
#
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done
#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Spotify explicitly uses the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 78.31.8.1-78.31.15.254 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 193.182.8.1-193.182.15.254 -j MARK --set-mark 0
Anyone know a way to do this without turning off the reverse path filtering... or an alternative?

Thanks
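The following is an added example written for this thread; it is not the Tomato script quoted above and not anything tomsk or the other posters provided. It reworks the same fwmark/table-100 idea with three changes a practitioner would want: rp_filter is set to loose mode (2) on the WAN interface only rather than disabled (0) on every interface; the VPN stays the default and only the listed IP-check hosts are marked for WAN bypass; and the hosts are also marked in the mangle OUTPUT chain, because the curl in a DDNS script runs on the router itself and router-originated packets never traverse PREROUTING. It also includes the simplest alternative to the whole marking scheme: a /32 route per bypass host in the main table, which needs no rp_filter change at all. Interface names (ppp0 for the PPTP client, eth0 for WAN), the gateway 192.0.2.1 and the bypass addresses 203.0.113.10/11 are assumptions and constructed values; on the router the gateway comes from `nvram get wan_gateway`. With DRY_RUN=1 (the default) the script prints the commands instead of executing them, so the plan can be reviewed before it touches anything.

```shell
#!/bin/sh
# Added example for the SNBForums thread, not the posted Tomato script.
# Selective WAN bypass for a few hosts while everything else keeps using the VPN.
# Assumptions (hypothetical, adjust for your firmware): VPN_IF and WAN_IF are the interface
# names, WAN_GW is the WAN gateway (constructed here; use "$(nvram get wan_gateway)" on the
# router), BYPASS_HOSTS are constructed IP-check addresses used by the DDNS script.
# DRY_RUN=1 prints every command instead of running it.

DRY_RUN="${DRY_RUN:-1}"
VPN_IF="${VPN_IF:-ppp0}"        # assumption: PPTP client interface; OpenVPN on Merlin is tun11
WAN_IF="${WAN_IF:-eth0}"        # assumption: WAN interface name
WAN_GW="${WAN_GW:-192.0.2.1}"   # constructed; use $(nvram get wan_gateway) on the router
BYPASS_HOSTS="${BYPASS_HOSTS:-203.0.113.10 203.0.113.11}"   # constructed IP-check servers
TABLE=100
MARK=1

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Loose mode (2) still drops packets whose source address is reachable through no interface
# at all, which is what the posted script gives up by writing 0 everywhere. The effective
# value is max(conf.all, conf.<if>), so raising only the WAN interface to 2 is sufficient.
relax_rp_filter() {
  run sh -c "echo 2 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter"
}

# Reads the main routing table from stdin and emits the commands that rebuild table $TABLE:
# every non-default route that does not point into the VPN, then a default via the WAN.
build_bypass_table() {
  run ip route flush table "$TABLE"
  while read -r route; do
    case "$route" in
      default*|*"dev $VPN_IF"*|"") continue ;;
    esac
    run ip route add table "$TABLE" $route
  done
  run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true   # avoid duplicate rules on re-run
  run ip route add default table "$TABLE" via "$WAN_GW" dev "$WAN_IF"
  run ip rule add fwmark "$MARK" table "$TABLE"
  run ip route flush cache
}

# Marks only the bypass hosts; everything unmarked keeps the VPN default route.
# PREROUTING covers LAN clients, OUTPUT covers packets generated by the router itself.
mark_bypass_hosts() {
  run iptables -t mangle -F PREROUTING
  run iptables -t mangle -F OUTPUT
  for h in $BYPASS_HOSTS; do
    run iptables -t mangle -A PREROUTING -i br0 -d "$h" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -d "$h" -j MARK --set-mark "$MARK"
  done
}

# Alternative needing neither fwmark nor any rp_filter change: one /32 route per bypass host
# in the main table. The reverse-path check for replies then finds that WAN route itself.
host_routes_only() {
  for h in $BYPASS_HOSTS; do
    run ip route replace "$h/32" via "$WAN_GW" dev "$WAN_IF"
  done
}

# Live run on the router (DRY_RUN=0): read the real main table.
apply_all() {
  relax_rp_filter
  ip route show table main | build_bypass_table
  mark_bypass_hosts
}

# In dry-run mode there is no router, so a constructed main table stands in for `ip route show`.
if [ "$DRY_RUN" = "1" ]; then
  printf '%s\n' \
    "default dev $VPN_IF scope link" \
    "10.8.0.1 dev $VPN_IF proto kernel scope link src 10.8.0.2" \
    "192.0.2.0/24 dev $WAN_IF proto kernel scope link src 192.0.2.50" \
    "192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1" \
  | build_bypass_table
  relax_rp_filter
  mark_bypass_hosts
else
  apply_all
fi
```

Run it once with the default DRY_RUN=1 and read the printed plan; for the DDNS use case alone, `host_routes_only` is the smaller change and directly answers the question of avoiding rp_filter=0. Packets that leave by the WAN under either approach rely on the NAT (MASQUERADE) rule the firmware already keeps on the WAN interface to rewrite their source address. After a live run, `ip rule show` and `ip route show table 100` are the checks that the rule and the table look as planned.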
 
Why don't you save yourself all the problems and just switch over to OpenVPN?
If it were only that simple.... I had an OpenVPN setup running beautifully; however, due to the machinations of my ISP with DPI or some such techniques, now I can't even get a connection using TCP on port 443. L2TP is blocked too, so I'm left with PPTP .... I guess that's so easy to crack they can see what I'm up to anytime.

So unfortunately the search goes on for a solution....
 
I will give you a quick solution. Dump your present VPN provider and go with PIA or someone else. Why suffer because of crappy service?
 
I think it's the ISP blocking the OpenVPN protocol rather than the VPN provider that is the problem.... I think the only alternative if I want to use the OpenVPN protocol is to go with a provider that uses "stealth" techniques to camouflage it. Not many of those run on routers without some mucking about (router pro, stunnel, XOR, etc.). There must be a way to work around my problems splitting traffic on PPTP with iptables.
At least this provider is still in the fight with netflix where a lot of others have faded out. :)
 