:)
I have added this rule
Code:
ip rule add from 192.168.1.8/29 to 198.18.0.1 table ovpnc1 prio 8001
in nat-start
I suggest you don't hardcode the RPDB rule in nat-start; perhaps you should consider

/jffs/scripts/vpnclient1-route-up
Code:
#!/bin/sh

# OpenVPN exports the tunnel device as $dev (tun11..tun15), so the 5th character is the client number
VPN_ID=${dev:4:1}

# The DNS server the firmware's DNSVPNx chain redirects to when Accept DNS Configuration = Exclusive
VPNDNS="$(iptables -t nat -L DNSVPN${VPN_ID}  2>/dev/null | grep -E -m 1 "^DNAT" | awk 'BEGIN { FS = ":" } {print $2}')"
if [ -n "$VPNDNS" ];then
   # Source(s) tagged 'UseDNSOnly' in the GUI client list
   DNSONLY_IPS="$(nvram get vpn_client${VPN_ID}_clientlist | sed -n 's/^.*UseDNSOnly\>//p' | tr '>' ' ' | awk '{print $1}')"
   # Delete any stale rule at this priority first so repeated route-up events don't create duplicates
   ip rule del prio 800$VPN_ID
   ip rule add from $DNSONLY_IPS to $VPNDNS table 11$VPN_ID prio 800$VPN_ID
   logger -st "($(basename $0))" "Forcing DNS Server $VPNDNS requests via VPN Client $VPN_ID tunnel"
fi
Also don't hard-code the VPN DNS using
Code:
dhcp-option 'xxx.xxx.xxx.xxx'
as the 'UseDNSOnly' GUI entry as shown in post #17 will correctly build the DNSVPNx chain and the forced Exclusive DNS will be applied.

Furthermore, if the VPN ISP changes their DNS servers, then you wouldn't know until the VPN connection acted "weird", so this method ensures the Exclusive DNS configuration is always correct.

Additionally, in nat-start you should prevent the creation of duplicate RPDB rules...
Code:
# Ensure duplicate rules are not created as nat-start can be called several times.
for VPN_ID in 0 1 2 3 4 5
   do
      ip rule del prio 999$VPN_ID  2>/dev/null
   done

Regarding the DNS Leak test, do both the ipleak.net and dnsleaktest.com tests also indicate a DNS leak?

Anyway glad you finally got it working to your satisfaction.
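To make the derivation in vpnclient1-route-up concrete, here is an added example (not code from the thread or from Asuswrt-Merlin) that runs the same extraction on constructed copies of the DNSVPN1 chain listing and the vpn_client1_clientlist nvram value; the sample text and the function names are assumptions. It goes one step further than the one-liner: because 'ip rule add from' takes a single source, it emits one rule per UseDNSOnly entry and loops the delete so no stale rule at that priority survives.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -L DNSVPN1` (the chain Asuswrt-Merlin builds when
# Accept DNS Configuration is Exclusive); only the 'to:' address of the first DNAT line matters.
SAMPLE_DNSVPN1='Chain DNSVPN1 (2 references)
target     prot opt source               destination
DNAT       all  --  192.168.1.8/29       anywhere             to:198.18.0.1'

# Constructed sample of `nvram get vpn_client1_clientlist`: <description>source>destination>iface
# entries; two UseDNSOnly entries are included deliberately to exercise the multi-source case.
SAMPLE_CLIENTLIST='<UseDNSOnly>192.168.1.8/29>0.255.255.255>VPN<Laptop>192.168.1.20>0.0.0.0>VPN<UseDNSOnly>192.168.1.30>0.255.255.255>VPN'

# OpenVPN exports the tunnel as $dev (tun11..tun15 for clients 1..5); return the client number.
vpn_id_from_dev() {
    case "$1" in
        tun1[1-5]) printf '%s\n' "${1#tun1}" ;;
        *) return 1 ;;
    esac
}

# The DNS server the DNSVPNx chain redirects to: the text after 'to:' on the first DNAT rule.
vpndns_from_chain() {
    printf '%s\n' "$1" | grep -E -m 1 '^DNAT' | awk -F: '{print $2}' | tr -d ' '
}

# Every source (IP or CIDR) whose GUI description is exactly UseDNSOnly, one per line.
dnsonly_ips_from_clientlist() {
    printf '%s\n' "$1" | tr '<' '\n' | awk -F'>' '$1 == "UseDNSOnly" { print $2 }'
}

# Print the RPDB commands a vpnclient<N>-route-up script would run: remove every rule left at
# prio 800N, then add one rule per UseDNSOnly source into table 11N (the ovpnc<N> table).
build_rpdb_rules() {
    id="$(vpn_id_from_dev "$1")" || return 1
    dns="$(vpndns_from_chain "$2")"
    [ -n "$dns" ] || return 1   # no Exclusive DNS chain: nothing to force through the tunnel
    printf 'while ip rule del prio 800%s 2>/dev/null; do :; done\n' "$id"
    dnsonly_ips_from_clientlist "$3" | while read -r src; do
        printf 'ip rule add from %s to %s table 11%s prio 800%s\n' "$src" "$dns" "$id" "$id"
    done
}

# Demonstration on the constructed samples; a live script would pass "$dev", the real iptables
# listing and the real nvram value instead.
build_rpdb_rules tun11 "$SAMPLE_DNSVPN1" "$SAMPLE_CLIENTLIST"
```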
 
Accept DNS Configuration: Exclusive
Removed custom config "dhcp-option xxx.xxx.xxx.xxx"
Removed in nat-start
Code:
ip rule add from 192.168.1.8/29 to 198.18.0.1 table ovpnc1 prio 8001
Added in nat-start
Code:
for VPN_ID in 0 1 2 3 4 5
   do
      ip rule del prio 999$VPN_ID  2>/dev/null
   done
Now nat-start is
Code:
#!/bin/sh
sleep 10
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000
logger "runned nat-start"
# Ensure duplicate rules are not created as nat-start can be called several times.
for VPN_ID in 0 1 2 3 4 5
        do
                ip rule del prio 999$VPN_ID 2>/dev/null
        done
Also I've created vpnclient1-route-up as follows
Code:
#!/bin/sh
VPN_ID=${dev:4:1}
VPNDNS="$(iptables -t nat -L DNSVPN$VPN_ID 2>/dev/null | grep -E -m 1 "^1" | awk 'BEGIN { FS = "=" } {print $2}')"
if [ -n "$VPNDNS" ];then
        ip rule del prio 800$VPN_ID
        ip rule add from $(echo nvram get vpn_client${VPN_ID}_clientlist) | tr '>' ' ' | grep -E "UseDNSOnly\>.*\>" | awk '{print $2}' to $VPNDNS table ovpnc1 prio 800$VPN_ID
fi
No internet connection for devices in 192.168.1.8/29
 
To prevent duplicates, you delete any existing matching rules before you attempt to create them, not after! :rolleyes:

nat-start should look like this

Code:
#!/bin/sh

sleep 10  # During the boot process nat-start may run multiple times so this is required           

# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
   do
      ip rule del prio 999$VPN_ID  2>/dev/null
   done

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark

# Ensure duplicates are not created
iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000

Also, did you clone /jffs/scripts/openvpn-event from @john9527's openvpn-event script template so you can explicitly choose which openvpn-event trigger code is actually used by each individual Server/Client - in your case vpnclient1-route-up?

EDIT: :oops: There was a typo in the vpnclient1-route-up script in post #21 - so please recreate from the edited code.
 
To prevent duplicates, you delete any existing matching rules before you attempt to create them, not after! :rolleyes:
Sorry :oops:

There was a typo in the vpnclient1-route-up script in post #21 - so please recreate from the edited code.
If you mean UseDNSOnly instead of UseDNSonly, I had already seen it.

Now I have nat-start as follows
Code:
#!/bin/sh

sleep 10  # During the boot process nat-start may run multiple times so this is required         

# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
   do
     ip rule del prio 999$VPN_ID  2>/dev/null
   done

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark

# Ensure duplicates are not created
iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000

I've created openvpn-event as follows
Code:
#!/bin/sh
scr_name="$(basename $0)[$$]"
case "$1" in
        "tun11")
                vpn_name="client1"
                ;;
        "tun12")
                vpn_name="client2"
                ;;
        "tun13")
                vpn_name="client3"
                ;;
        "tun14")
                vpn_name="client4"
                ;;
        "tun15")
                vpn_name="client5"
                ;;
        "tun21")
                vpn_name="server1"
                ;;
        "tun22")
                vpn_name="server2"
                ;;
        *)
                vpn_name=""
                ;;
esac
# Call appropriate script based on script_type
vpn_script_name="vpn$vpn_name-$script_type"
# Check script state/use nvram to save last script run
vpn_script_state=$(nvram get vpn_script_state)
nvram set vpn_script_state="$vpn_script_name"
if [ "$vpn_script_name" = "$vpn_script_state" ]; then
        echo "VPN script" $vpn_script_name "already run" | logger -t "$scr_name"
        exit 0
fi
if [[ -f "/jffs/scripts/$vpn_script_name" ]] ; then
        sh /jffs/scripts/$vpn_script_name $*
else
        echo "Script not defined for event: "$vpn_script_name | logger -t $scr_name
        exit 0
fi

exit 0

and vpnclient1-route-up
Code:
#!/bin/sh

VPN_ID=${dev:4:1}

VPNDNS="$(iptables -t nat -L DNSVPN$VPN_ID  2>/dev/null | grep -E -m 1 "^DNAT" | awk 'BEGIN { FS = ":" } {print $2}')"
if [ -n "$VPNDNS" ];then
        ip rule del prio 800$VPN_ID
        ip rule add from $(echo nvram get vpn_client${VPN_ID}_clientlist) | tr '>' ' ' | grep -E "UseDNSOnly\>.*\>" | awk '{print $2}' to $VPNDNS table ovpnc1 prio 800$VPN_ID
fi
But there is no internet connection.
In the log I have
Code:
May 18 01:02:17 openvpn-updown: Forcing 192.168.1.8/29 to use DNS server 198.18.0.1
...
May 18 01:02:17 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1553 172.21.24.235 255.255.254.0 init)
May 18 01:02:17 openvpn-event[1838]: Script not defined for event: vpnclient1-up
May 18 01:02:19 ovpn-client1[1715]: /bin/ip route add 45.56.137.76/32 via 31.156.227.1
May 18 01:02:19 ovpn-client1[1715]: /bin/ip route add 0.0.0.0/1 via 172.21.24.1
May 18 01:02:19 ovpn-client1[1715]: /bin/ip route add 128.0.0.0/1 via 172.21.24.1
May 18 01:02:19 openvpn-routing: Configuring policy rules for client 1
May 18 01:02:19 openvpn-routing: Creating VPN routing table (mode 2)
May 18 01:02:19 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from main routing table
May 18 01:02:19 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from main routing table
May 18 01:02:19 openvpn-routing: Removing rule 10101 from routing policy
May 18 01:02:19 openvpn-routing: Adding route for 192.168.1.8/29 to 0.255.255.255 through VPN client 1
May 18 01:02:19 openvpn-routing: Tunnel re-established, restoring WAN access to clients
May 18 01:02:19 openvpn-routing: Completed routing policy configuration for client 1
May 18 01:02:19 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1553 172.21.24.235 )
May 18 01:02:19 ovpn-client1[1715]: Initialization Sequence Completed
 
Now I have... no internet connection
vpnclient1-route-up
Code:
#!/bin/sh

VPN_ID=${dev:4:1}

VPNDNS="$(iptables -t nat -L DNSVPN$VPN_ID  2>/dev/null | grep -E -m 1 "^DNAT" | awk 'BEGIN { FS = ":" } {print $2}')"
if [ -n "$VPNDNS" ];then
        ip rule del prio 800$VPN_ID
        ip rule add from $(echo nvram get vpn_client${VPN_ID}_clientlist) | tr '>' ' ' | grep -E "UseDNSOnly\>.*\>" | awk '{print $2}' to $VPNDNS table ovpnc1 prio 800$VPN_ID
fi

Perhaps it might be wise to revert to the previously (non-automated) working state and hardcode both the pushed VPN ISP DNS server and the IP range 192.168.1.8-192.168.1.15 tagging rule in nat-start.
:oops::oops::oops:

However if you have the desire/time to continue with attempting to implement an automated method, I have finally identified and fixed the brain-dead catastrophic typo (why did I leave the 'echo' command embedded? :rolleyes:) and updated the vpnclient1-route-up script
NOTE: I have also now included a confirmation message to Syslog
Code:
(vpnclient1-route-up): Forcing DNS Server 198.18.0.1  requests via VPN Client 1 tunnel
So now it probably makes sense to also move (as alluded to in the Wiki) the Selective Port tagging rule
Code:
iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000
from nat-start to vpnclient1-route-up ?
 
However if you have the desire/time to continue with attempting to implement an automated method, I have finally identified and fixed the brain-dead catastrophic typo (why did I leave the 'echo' command embedded? :rolleyes:) and updated the vpnclient1-route-up script
OK, now it works.
I have both nat-start and vpnclient1-route-up.
So now it probably makes sense to also move (as alluded to in the Wiki) the Selective Port tagging rule
Code:
iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000
from nat-start to vpnclient1-route-up ?
OK, I moved these iptables rules from nat-start to vpnclient1-route-up before "fi" and it seems to work.

The devices not in 192.168.1.8/29 use the DNS defined in the WAN config page (Google's DNS) and all their traffic goes via the WAN.

The devices in 192.168.1.8/29 use the VPN DNS and all their traffic goes via the WAN except port 2300, which goes via the VPN.

Now I ask you, is it technically possible to use VPN DNS only for requests based on the destination port?
 
:):)

Thank you for your time and hopefully you were able to understand how we have automated the process and enhanced your skillset whilst demonstrating for others that 'advanced' Selective Routing using scripting isn't that daunting! :D

P.S. I'm not sure if you still have concerns about the perceived DNS Leak?
 
:):)

Thank you for your time and hopefully you were able to understand how we have automated the process and enhanced your skillset whilst demonstrating for others that 'advanced' Selective Routing using scripting isn't that daunting! :D
Thank you for helping me solve the problem and I hope it can serve other forum users :D

P.S. I'm not sure if you still have concerns about the perceived DNS Leak?
I don't think there are any DNS leaks because the DNS requests come from an IP attributable to the VPN provider.
 
I'm here again! :D
Hi guys, I continue this post because I have a similar problem.
I would like to apply the rule to my torrent client, which uses 47455 as the local port, so I've added the following in vpnclient1-route-up:
Code:
 iptables -t mangle -D PREROUTING -i br0 -m iprange --src 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
 iptables -t mangle -A PREROUTING -i br0 -m iprange --src 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
but it is not working, because in the ipleak.net torrent address detection I see my WAN public IP address.

This is my vpnclient1-route-up:
Code:
#!/bin/sh
VPN_ID=${dev:4:1}
VPNDNS="$(iptables -t nat -L DNSVPN${VPN_ID} 2>/dev/null | grep -E -m 1 "^DNAT" | awk 'BEGIN { FS = ":" } {print $2}')"
if [ -n "$VPNDNS" ];then
        DNSONLY_IPS="$(nvram get vpn_client${VPN_ID}_clientlist | sed -n 's/^.*UseDNSOnly\>//p' | tr '>' ' ' | awk '{print $1}')"
        ip rule del prio 800$VPN_ID
        ip rule add from $DNSONLY_IPS to $VPNDNS table 11$VPN_ID prio 800$VPN_ID

        iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 2300 -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 2300 -j MARK --set-mark 0x1000/0x1000

        #Rule for Torrent
        iptables -t mangle -D PREROUTING -i br0 -m iprange --src 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A PREROUTING -i br0 -m iprange --src 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000

        logger -st "($(basename $0))" "New Forcing DNS Server $VPNDNS requests via VPN Client $VPN_ID tunnel"
fi

Many Thanks!
 
I'd add your new port to the existing rule, 2300,47455, as it's already in the IP range.
 
The torrent port 47455 is a source port, port 2300 is a destination port, so I've created a new rule.
I'm not sure -p all is working; try with tcp and udp rules and test.
 
I'm trying with -p tcp and -p udp but it's not working.

Since there is no IP range, try removing the -m iprange directive. Optionally, you can specify -s rather than --src. Both will work.
Code:
 #Rule for Torrent
 iptables -t mangle -D PREROUTING -i br0 -s 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
 iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
 
I tried what you suggested, but it doesn't work. I also tried to do the same thing for Transmission installed on the router as described here https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-Port-routing-(manual-method), but I keep seeing my public IP. Here are the iptables rules:

Code:
#!/bin/sh
VPN_ID=${dev:4:1}
VPNDNS="$(iptables -t nat -L DNSVPN${VPN_ID} 2>/dev/null | grep -E -m 1 "^DNAT" | awk 'BEGIN { FS = ":" } {print $2}')"
if [ -n "$VPNDNS" ];then
        DNSONLY_IPS="$(nvram get vpn_client${VPN_ID}_clientlist | sed -n 's/^.*UseDNSOnly\>//p' | tr '>' ' ' | awk '{print $1}')"
        ip rule del prio 800$VPN_ID
        ip rule add from $DNSONLY_IPS to $VPNDNS table 11$VPN_ID prio 800$VPN_ID

        iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p all -m multiport --dport 2300 -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p all -m multiport --dport 2300 -j MARK --set-mark 0x1000/0x1000

        #Rule for Dell Torrent
        iptables -t mangle -D PREROUTING -i br0 -s 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
        
        #Rule for Transmission on Merlin
        iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 51413  -j MARK --set-mark 0x1000/0x1000
        iptables -t nat -A POSTROUTING -s $(nvram get wan0_ipaddr) -o tun11 -j MASQUERADE

        logger -st "($(basename $0))" "New Forcing DNS Server $VPNDNS requests via VPN Client $VPN_ID tunnel"
fi

Thanks for any reply
 
If you want Transmission installed on the router to use a VPN, you can use this method. Works well.
https://www.snbforums.com/threads/transmission-for-asuswrt-merlin.31278/page-3#post-266164
 
I followed this guide; the https://ipleak.net/ torrent address detection shows me the VPN IP address, but Transmission is not downloading, and in the log I have Tracker error: "Connection failed".
I installed Transmission as described here https://github.com/RMerl/asuswrt-merlin/wiki/Installing-Transmission-through-Entware, and I have bound the IPv4 address to 192.168.1.2.
I have added 192.168.1.2 to the VPN Client 1 table to go through the VPN (0.0.0.0 as destination).
This is my firewall-start
Code:
#!/bin/sh
ifconfig br0:0 192.168.1.2 up
iptables -I INPUT -p tcp --destination-port 51413 -j ACCEPT
iptables -I INPUT -p udp --destination-port 51413 -j ACCEPT
This is my services-start
Code:
#wait for VPN
until [ $(nvram get vpn_client1_state) -gt 1 ]
  do
  logger "Waiting 5 seconds for VPN..."
  sleep 5
  done


Many Thanks
 
In services-start you need to start the script with:
Code:
#!/bin/sh
Otherwise the script will not execute.

[Edit]
Then reboot router.
If that does not work, try to stop and start transmission manually through ssh. I had to do that once for some reason (I have transmission through debian though).
 
Need some help...

I just implemented this and it's working fine with some desires.

Using rules without any port specified and working fine.
Code:
iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.12.120-192.168.12.127 -p tcp -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.12.120-192.168.12.127 -p tcp -j MARK --set-mark 0x1000/0x1000

I want to add some exceptions in vpnclient1; I have tried adding them in "Rules for routing client traffic through the tunnel".
But when I use "UseDNSOnly 192.168.12.120/29 0.255.255.255 VPN" and add an exception it won't work and I have a DNS leak.

Example:
exception1 192.168.12.120 123.123.123.123 WAN
@Martineau
 
Rightly or wrongly, my script-generated custom RPDB rules take priority over GUI-generated rules,

i.e.
Code:
     Script: UseDNSOnly                                               <-HIGHEST priority
     Script: Selective Routing IPSET / Port / MAC (fwmark tagging)

     GUI:    Selective Routing Source/Destination (Client 1 WAN)
     GUI:    Selective Routing Source/Destination (Client 1 VPN)
     <snip>
     GUI:    Selective Routing Source/Destination (Client 5 WAN)
     GUI:    Selective Routing Source/Destination (Client 5 VPN)      <-LOWEST priority

NOTE: The crude 'UseDNSOnly' hack was intended to allow a non-VPN Client to use the VPN ISP DNS (via the VPN tunnel), but access the Internet via the WAN.
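The priority list above, as an added example that is not from the thread: a lookup that walks constructed rules written in `ip rule show` form (the 8001 UseDNSOnly rule from vpnclient1-route-up, the 999x fwmark rules from nat-start, a GUI 10101 rule with the 0.255.255.255 dummy destination, and the default 32766) in ascending priority and returns the first matching table, which is how the kernel's RPDB decides. The rule text, packets and function names are constructed; only the ordering principle is the thread's.

```shell
#!/bin/sh
# Constructed rules in `ip rule show` form mirroring the thread's end state; the kernel tries
# them in ascending priority and the first match selects the table (800x script UseDNSOnly,
# 999x script fwmark tagging, 101xx GUI client rule, 32766 the default main table).
SAMPLE_RULES='8001: from 192.168.1.8/29 to 198.18.0.1 lookup ovpnc1
9990: from all fwmark 0x8000/0x8000 lookup main
9993: from all fwmark 0x1000/0x1000 lookup ovpnc1
10101: from 192.168.1.8/29 to 0.255.255.255 lookup ovpnc1
32766: from all lookup main'

# rpdb_lookup SRC DST MARK: print the table chosen for a packet (MARK as hex, 0 if untagged).
rpdb_lookup() {
    printf '%s\n' "$SAMPLE_RULES" | sort -t: -k1,1n | awk -v src="$1" -v dst="$2" -v mark="$3" '
    function ip2n(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # in_cidr(ip, cidr): true when ip and the prefix agree once the host bits are divided away
    function in_cidr(ip, cidr,  p, bits, scale) {
        if (cidr == "all") return 1
        if (split(cidr, p, "/") == 1) bits = 32; else bits = p[2]
        scale = 2 ^ (32 - bits)
        return int(ip2n(ip) / scale) == int(ip2n(p[1]) / scale)
    }
    function hex2n(h,  i, n) {
        h = tolower(h); sub(/^0x/, "", h); n = 0
        for (i = 1; i <= length(h); i++) n = n * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
        return n
    }
    # band(a, b): bitwise AND via repeated halving, since POSIX awk has no and() builtin
    function band(a, b,  r, bit) {
        r = 0; bit = 1
        while (a > 0 && b > 0) {
            if (a % 2 == 1 && b % 2 == 1) r += bit
            a = int(a / 2); b = int(b / 2); bit *= 2
        }
        return r
    }
    # fwmark value/mask matches when (packet mark AND mask) == (value AND mask)
    function mark_match(spec,  m) {
        if (spec == "") return 1
        split(spec, m, "/")
        return band(hex2n(mark), hex2n(m[2])) == band(hex2n(m[1]), hex2n(m[2]))
    }
    {
        from = "all"; to = "all"; fw = ""; tbl = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "from") from = $(++i)
            else if ($i == "to") to = $(++i)
            else if ($i == "fwmark") fw = $(++i)
            else if ($i == "lookup") tbl = $(++i)
        }
        if (in_cidr(src, from) && in_cidr(dst, to) && mark_match(fw)) { print tbl; exit }
    }'
}

# Demonstration for a host inside 192.168.1.8/29: DNS to the VPN DNS, plain web traffic,
# and a port 2300 connection that nat-start tagged with fwmark 0x1000.
for pkt in "192.168.1.9 198.18.0.1 0" "192.168.1.9 8.8.8.8 0" "192.168.1.9 203.0.113.10 0x1000"; do
    set -- $pkt
    printf '%s -> %s mark %s => table %s\n' "$1" "$2" "$3" "$(rpdb_lookup "$1" "$2" "$3")"
done
```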
 
