Xentrk
The way this script works, any IP addresses not in OVPNC1 will default to the WAN. There is no need to specify devices in the VPN GUI table using this method. You list them in OVPNC1.

What should I still have for the Policy Rules? Should I have 0.0.0.0 set for the Apple TV IP? Or should the policy rules fields be blank?
Either way it isn't working properly. With 0.0.0.0 everything goes through the VPN as you'd expect, as if the script doesn't exist, and if the Policy Rules are blank, nothing goes through the VPN, as if the script doesn't exist.
I am not sure why you are getting the error message with iptables. The only thing I can suggest is to create a new copy of the script and delete everything after this line:
Code:
ip route flush cache
Then run the script. First, verify the ipset lists got created (e.g. ipset -L LAN_GW). Then, type the iptables command directly on the command line. First time running, you should get the error message for the -D line but not for the -A line.
WAN
Code:
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
Code:
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
Output should appear like this:
Code:
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
What is your router model and firmware version?
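The delete-then-add pattern above is what produces the "No chain/target/match by that name" line on a first run. Below is an added example (not from the thread or the original script) of installing the same two mangle rules idempotently: it checks that the ipset exists first, removes every stale copy of the rule quietly, then appends exactly one copy. It assumes the names used in the post (br0, LAN_GW, OVPNC1, marks 0x7000 and 0x1000).

```sh
#!/bin/sh
# Added example: idempotent install of the PREROUTING mark rules from the post.
# Assumptions (taken from the post, not verified on any router): LAN bridge br0,
# ipset lists LAN_GW (WAN) and OVPNC1 (VPN client 1), marks 0x7000 and 0x1000.

LAN_IF=br0

# Print the rule specification shared by the -D and -A commands.
mark_rule() {
    set_name=$1
    mark=$2
    printf 'PREROUTING -i %s -p tcp -m set --match-set %s src,dst -j MARK --set-mark %s/%s\n' \
        "$LAN_IF" "$set_name" "$mark" "$mark"
}

# ensure_mark_rule SET MARK
#  1. stop if the ipset is missing (the post's first check: ipset -L SET)
#  2. delete every existing copy of the rule, discarding the error on a miss
#  3. append exactly one copy
ensure_mark_rule() {
    set_name=$1
    mark=$2
    if ! ipset -L "$set_name" >/dev/null 2>&1; then
        echo "ipset $set_name does not exist; create the lists first" >&2
        return 1
    fi
    rule=$(mark_rule "$set_name" "$mark")
    # word splitting of $rule is intended: each token is a separate argument
    while iptables -t mangle -D $rule 2>/dev/null; do :; done
    iptables -t mangle -A $rule
}

main() {
    ensure_mark_rule LAN_GW 0x7000
    ensure_mark_rule OVPNC1 0x1000
    ip route flush cache
}

# Touch the live tables only when invoked as: sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run as root on the router with `--run`; a second run adds no duplicate rules and prints no iptables error.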