HOW TO: Open VPN for specific internal IP's only


wizin

Regular Contributor
Asus N-66U
Merlin f/w
Ace VPN Service and works great with Open VPN

But I need to configure it in such a way that only certain IPs use that VPN and the rest work at the natural internet speed.
Is this possible?
 
Hello,

The information is slightly scattered still, however.
Here is the basic script:
http://forums.smallnetbuilder.com/showpost.php?p=59839&postcount=5


You need to enable JFFS, then you need to figure out WinSCP and use an SCP connection to your router.

Modify the script above and copy it to /jffs/scripts/openvpn-event

Then chmod 700 openvpn-event to make it executable.


If you run into trouble, there are forum posts here:
http://forums.smallnetbuilder.com/showthread.php?t=9311
http://forums.smallnetbuilder.com/showthread.php?t=10263
 
I am trying to grasp a lot of info; however, I am stuck at "Enable JFFS". I used WinSCP and can see the jffs folder, but cannot make a directory inside it since I don't have permission. I tried to change the permissions but can't do that either.

Any help there?
 
So I have the JFFS partition enabled
> SCP into Router
> Went to JFFS/Scripts

Saved the script in that link called wan-start.sh

Moved it under script folder
Changed it to permission 0777

Executed it and get

Command '"./wan-start.sh"'
failed with return code 127 and error message
-sh: ./wan-start.sh: not found.
========

Where did I screw up?
 
... it would be totally AWESOME if Merlin could find some time to implement this functionality in his firmware as a feature with UI :)

I think a lot of people would totally want this feature - esp AC/N66 owners...
 
First, don't put .sh

second, please post your script.

#!/bin/sh

touch /tmp/000wanstarted

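# Disable reverse-path filtering on every interface so that packets routed
# by mark through a different table are not dropped.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > "$i"
done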



#US VPN

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING



#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
#ip route show table main | grep -Ev ^default | grep -Ev tun11 \
# | while read ROUTE ; do
# ip route add table 100 $ROUTE
# done



ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache



#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#



# All LAN traffic will bypass the VPN (useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1



# All traffic from Nexus 10 will use the UK VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.184 -j MARK --set-mark 0






exit 0
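
The marking scheme in the script above, as an added example that is not part of the original post: it validates a list of LAN addresses and prints the rules in the order the scheme depends on (catch-all bypass first, per-host VPN exceptions last). The helper names `is_ipv4` and `gen_rules` and the file name `vpn-rules.sh` are hypothetical, and `-s` is used here in place of `-m iprange` for single hosts.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not run) the commands that
# send only the listed LAN hosts through the VPN. Taken from the script above:
# bridge br0, table 100, mark 1 = bypass via WAN gateway, mark 0 = VPN.
# is_ipv4 and gen_rules are hypothetical helper names.

# Succeed only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_rules WAN_GATEWAY VPN_HOST...
# Validates every address first, so a typo never yields a partial rule set.
gen_rules() {
    [ "$#" -ge 1 ] || { echo "usage: gen_rules GATEWAY [HOST...]" >&2; return 1; }
    gw=$1; shift
    is_ipv4 "$gw" || { echo "bad gateway: $gw" >&2; return 1; }
    for host in "$@"; do
        is_ipv4 "$host" || { echo "bad host: $host" >&2; return 1; }
    done
    echo "ip route add default table 100 via $gw"
    echo "ip rule add fwmark 1 table 100"
    echo "ip route flush cache"
    # Catch-all first: every packet entering from the LAN gets mark 1.
    echo "iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1"
    # Exceptions last: MARK does not stop traversal, so these overwrite it.
    for host in "$@"; do
        echo "iptables -t mangle -A PREROUTING -i br0 -s $host -j MARK --set-mark 0"
    done
}

# Usage on the router: sh vpn-rules.sh "$(nvram get wan_gateway)" 192.168.1.184
if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

Hosts marked 0 simply follow the main routing table, so they use the tunnel only while OpenVPN has installed its routes there.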
 
... it would be totally AWESOME if Merlin could find some time to implement this functionality in his firmware as a feature with UI :)

I think a lot of people would totally want this feature - esp AC/N66 owners...

Would be sweet
 
