Really!
Really!
What about us others? Are we not worthy your trick(s)? :'(
Please Mr Gerrits!
chmod -x /usr/bin/addon_bypassvpnip.sh#!/bin/sh
iptables -t mangle -N MARKFORCEVPN
iptables -t mangle -A MARKFORCEVPN -j MARK --set-mark 0x32
iptables -t mangle -A MARKFORCEVPN -j CONNMARK --save-mark
##if you want some logging in dmesg, uncomment next line
#iptables -t mangle -A MARKFORCEVPN -j LOG --log-prefix "[MARKFORCEVPN] "
iptables -t mangle -N MARKNOVPN
iptables -t mangle -A MARKNOVPN -j MARK --set-mark 0x64
iptables -t mangle -A MARKNOVPN -j CONNMARK --save-mark
##if you want some logging in dmesg, uncomment next line
#iptables -t mangle -A MARKNOVPN -j LOG --log-prefix "[MARKNOVPN] "
# get the mark on the packet that belongs to an existing connection (outbound from lan)
iptables -t mangle -A PREROUTING -i br0 -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
# get the mark on the packet that belongs to an existing connection (outbound from router)
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
######## ONLY MAKE CHANGES BENEATH HERE ###########################
#below this line, add rules for traffic that you want to push to a different route.
#Should mainly be used to make exceptions on process level (uid-owner or gid-owner; only for processes on the router itself) or port / ipaddress level (also for traffic from or to other devices)
#i.e. if you have an ip rule that routes all traffic from a host via the VPN tunnel, then you can override this for a specific port, or destination IP the traffic must go directly
##if you have a configured a process on the router to run with gid vpnroute, then you can route its traffic to go via VPN by:
# iptables -t mangle -A OUTPUT -m owner --gid-owner vpnroute -m state --state NEW -j MARKFORCEVPN
##if you have port-forwarding enabled (for example 80 & 443) and use a static public IP address with static DNS name, you can route traffic of those ports to always go directly via wan interface via:
#iptables -t mangle -A PREROUTING -d <public-ip> -p tcp -m multiport --dports 80,443 -m state --state NEW -j MARKNOVPN
##or for allowing access to the OpenVPN server:
#iptables -t mangle -A PREROUTING -d <public-ip> -p tcp -m multiport --dports 12973,12974 -m state --state NEW -j MARKNOVPN
##or
#iptables -t mangle -A PREROUTING -d <public-ip> -p udp -m multiport --dports 12973,12974 -m state --state NEW -j MARKNOVPN
##if you'd want to force usenet traffic of a specific internal client to go via VPN then you could use:
#iptables -t mangle -A PREROUTING -s <ip.of.internal.client> -p tcp --dport 119 -m state --state NEW -j MARKFORCEVPN
#iptables -t mangle -A PREROUTING -s <ip.of.internal.client> -p tcp --dport 565 -m state --state NEW -j MARKFORCEVPN
## below this line put commands to prevent some traffic from falling back to regular internet connection
##if you have a configured a process on the router to run with gid vpnroute then this would prevent the process from communicating if the VPN is down. (tun21 for OpenVPN; replace with wg0 for WireGuard
#iptables -I OUTPUT 1 -m owner --gid-owner vpnroute ! -o tun21 -m state --state NEW -j REJECT
## and this would block usenet traffic from internal client if VPN is down:
#iptables -t filter -I FORWARD 1 ! -o tun21 -m state --state NEW -j REJECT#!/bin/sh
TID="213"
NOVPN_TABLE="novpn"
[ "$(grep -c "novpn$" /etc/iproute2/rt_tables)" -eq "0" ] && [ "$(grep -c "^$TID" /etc/iproute2/rt_tables)" -eq "0" ] && echo "$TID $NOVPN_TABLE" >> /etc/iproute2/rt_tables
# cleanup if script ran before
while [ "$(ip rule list | grep -cF "lookup $NOVPN_TABLE" )" != "0" ]; do ip rule del table $NOVPN_TABLE 2>/dev/null; done
while [ "$(ip rule list | grep -vF "from all lookup main" | grep -cF "lookup main")" != "0" ]; do ip rule del lookup main 2>/dev/null; done
[ "$(ip rule list | grep -cF "from all lookup main")" = "0" ] && ip rule add table main priority 32766
ip route flush table $NOVPN_TABLE
ip route flush cache
sleep 1
# copy all non-VPN routes from table main to table novpn
if [ -e /etc/init.d/openvpn-client ]; then
tun="$(grep "^tun=" /etc/init.d/openvpn-client|head -n1|awk -F'"|=' '{print $NF}')"
[ -z "$tun" ] && tun="$(grep "grep -q tun" /etc/init.d/openvpn-client|head -n1|awk '{print $NF}')"
[ -z "$tun" ] && tun="tun21"
fi
ip route show table main | grep -vE "$tun|wg0" | while read -r route; do
# shellcheck disable=SC2086
ip route add $route table $NOVPN_TABLE
done
if ifconfig | grep -qF 'wg0'; then
# WAN_IF="brwan" only if PPP not used (All other: PPTP, L2TP, PPPoE(gives ppp0 instead) )
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
# Take care of the case when no default route exist, as with Wireguard Client
[ -z "$WAN_IF" ] && ifconfig ppp0 >/dev/null 2>&1 && WAN_IF='ppp0' || WAN_IF=$(nvram get wan_ifname)
# Get wan gateway ip address:
WAN_GWAY="$(ip route | awk '/^default/{print $3}')"
# Take care of the case when no default route exist, as with Wireguard Client
if [ -z "$WAN_GWAY" ]; then WAN_GWAY="$(ip route | awk '/via/ && /dev "$WAN_IF"/ && !/default/{print $3}')";fi
ip route add default via "$WAN_GWAY" dev "$WAN_IF" table "$NOVPN_TABLE"
fi
######## ONLY MAKE CHANGES BENEATH HERE ###########################
# if you want to bypass vpn for clients that connect via OpenVPN server (tun0), uncomment next line
# or again comment it if you want this to go via VPN
#[ "$(ip rule list | grep -c "iif tun0 lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif tun0 table $NOVPN_TABLE
# if you want to bypass vpn for the router itself, uncomment next line
# or again comment it if you want this to go via VPN
# this allows DDNS to register the real wan ip-address and allows port-forwarding to work.
[ "$(ip rule list | grep -c "iif lo lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif lo table $NOVPN_TABLE
# if you want to bypass vpn for all clients on the lan, uncomment next line
# or again comment it if you want this to go via VPN
[ "$(ip rule list | grep -c "iif br0 lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif br0 table $NOVPN_TABLE
# if you want a specific IP address to always go via VPN then use the following: (replace <IPaddress> with real IP in both places)
#[ "$(ip rule list | grep -c "<IPaddress> lookup main")" = "0" ] && ip rule add from <IPaddress> table main
# if you want a specific IP address to always go directly then use the following: (replace <IPaddress> with real IP in both places)
#[ "$(ip rule list | grep -c "<IPaddress> lookup $NOVPN_TABLE")" = "0" ] && ip rule add from <IPaddress> table $NOVPN_TABLE
## the later the rule is inserted, the higher the priority. So first force a big group to go in one direction and then later overrule with more specific rules.
######## ONLY MAKE CHANGES ABOVE HERE ###########################
#allow for exceptions on port level for traffic that is marked with 0x64 (novpn) or 0x32 (forcevpn), via /opt/scripts/firewall-start.sh
#this exception rule must always be added last, so it has the higest priority (= lowest priority number)
[ "$(ip rule list | grep -c "fwmark 0x64 lookup $NOVPN_TABLE")" = "0" ] && ip rule add fwmark 0x64 table $NOVPN_TABLE priority 0
#and this rule allows to force traffic marked with 0x32 through the tunnel
[ "$(ip rule list | grep -c "fwmark 0x32 lookup main")" = "0" ] && ip rule add fwmark 0x32 table main priority 0Because you are asking so nicely
The only issue I have, is that some of the code might be conflicting with the bypassvpnip from your add-on. (because that one also does similar things with ip route and ip rule)
So ppl who have your addon installed, must disable execution of addon_bypassvpnip.sh via
Code:chmod -x /usr/bin/addon_bypassvpnip.sh
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!
