Selective Routing with Asuswrt-Merlin

Selective bypass not working for RT-AC68U

Hi guys, can someone please help me out. I've read every message in this entire thread and I can't get the script working for my RT-AC68U.

I enabled and formatted JFFS
I enabled SSH
I placed it in file wan-start
I applied permissions on the file and I can execute it.
I tried using ip route add default table 100 via $(nvram get wan0_gateway) as suggested in this thread.

I manually executed every line in the script and found this error on:
ip route del default table 100
RTNETLINK answers: No such process

The entire script is here, I would appreciate help please.


#!/bin/sh

touch /tmp/000wanstarted

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done



#US VPN

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING



#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
#ip route show table main | grep -Ev ^default | grep -Ev tun11 \
# | while read ROUTE ; do
# ip route add table 100 $ROUTE
# done



ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache



#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#



# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can
# configure exceptions afterwards)

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1




# All traffic from Laptop will use US VPN
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 0


# All traffic from PS3 will use the US VPN
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 0


# All traffic from Nexus 10 will use the US VPN
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0



# All traffic from VOIP will use the WAN
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1



exit 0
 
Code:
#!/bin/sh

touch /tmp/000wanstarted

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done



#US VPN

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING



#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
 | while read ROUTE ; do
 ip route add table 100 $ROUTE
done



ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache



#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#



# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can
# configure exceptions afterwards)

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1




# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 0


# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 0


# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0



# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1
First, you have the iptables etc. entries commented out (#), so the script is never going to work.
Use the one I have edited.
Then you have to add the following lines to the VPN client custom configuration box:
Code:
script-security 2
route-up /jffs/scripts/name-of-your-file.sh
 
Thanks a lot, sorry I didn't realize I pasted the commented code. I had been playing around with the code and left it in by accident.

This did the trick

script-security 2
route-up /jffs/scripts/wan-start

I also changed it so that VPN is default and I specify what bypasses it, I prefer that since I have no idea what guests will surf when they come over, so I prefer they hit the VPN.

If I enable my guest wireless, will the code still work or does it have to be altered? Are there any examples of people who have done it?

Or any Leak protection for the connections hitting the VPN, so if the VPN goes down, those connections won't get an outside connection?
 
If you changed the script for all traffic to go via the VPN, then the guest network will also go via the VPN unless specified otherwise. As for your last question, there is a way of dropping the traffic if the VPN is down. I have seen it here in this thread but I can't point you to it; I'm afraid you will have to look for it.
 
Hi all,
Started using this a couple of days ago and it's working great so thanks to everyone for really useful info, the only difference in my setup is a small change to bypass L2TP VPN instead of OpenVPN (For some reason it is faster and more stable with my provider).
Was wondering if anyone could please help out with a few questions:

- Is there an equivalent to 'openvpn-event' for L2TP (start/stop)? What would be a good way to do this? I thought of using 'wan-start' but that doesn't help when I manually change it to another country.
- How/can you stop/start a selected L2TP VPN from the command line(ssh)?
- Any way to trigger an event (e.g. update a file with some text) when the VPN fails?

Thanks in advance
 
Hello. New user here. I've read through all of the posts in this thread, and most of it seems to be over my head, I've never done any kind of scripting or ever really used Linux before. I'm hoping someone can help me with this. I have an OpenVPN connection on my Asus RT-AC87U with AsusWRT-Merlin, and that works well. But I only want 1 machine to use the VPN. It has an IP address of 192.168.0.50. I want everything else to bypass the VPN. But, importantly, if the VPN loses connection, I don't want that one machine to go public, I just want it cut off until the VPN connection is restored. Can someone walk me through how to accomplish that? Thanks.
 
Hello. I have been trying to do selective routing through OpenVPN on my RT-AC68U router, but for a long time I have not been able to get it working. Generally I need to redirect one outgoing service through the VPN (the SMTP server running on the router, 10.0.0.1) and channel the other traffic through the WAN.

I followed the script by "Janosek" and changed it to my needs. Sorry, but in my case all traffic is routed through the VPN.

jffs/scripts/wan-start

#!/bin/sh
touch /tmp/000wanstarted
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

#VPN
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#WAN
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#WAN ROUTE
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

#VPN ROUTE
iptables -t mangle -A PREROUTING -s 10.0.0.1 -p tcp -m multiport --port 25 -j MARK --set-mark 0

exit 0



It creates the file /tmp/000wanstarted,
but unfortunately it is empty.

Can anyone help me and suggest something?
 
I've been having issues with trying to get selective forwarding working for a week now with limited success.

Code:
Interface Type: TUN
Protocol: UDP
Firewall: Automatic
Authorization Mode: TLS
Username/ Password Auth: No
Extra HMAC auth: Outgoing (1)
Create NAT on tunnel: Yes
Redirect Internet traffic: No
Accept DNS configuration: Relaxed
Encryption cipher: Default
Compression: Adaptive
Custom configuration:
ns-cert-type server
comp-lzo
mute 20
script-security 2
route-up /jffs/scripts/openvpn-event.sh

With the below script I get everything going out the WAN and 192.168.0.90 going through the VPN.

Code:
PC_Home="192.168.0.90"

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"

ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# By default PC_Home uses the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $PC_Home -j MARK --set-mark 0

Selective routing, in this case, does work for testing but my ultimate goal is to have a port, for torrenting, forwarded over VPN and that's it.

I tried adding

Code:
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 57677 -j MARK --set-mark 0

but the port doesn't seem to be forwarding properly.

I'm also confused about adding "route-nopull" to my configuration as I can't get that to work period when I see other users mention you must have it.

I do have my ISP router in bridged mode but not sure if that would cause any issues with what's going on here.

This code looked to be the easiest to setup and get working and exactly what I needed yet it doesn't work properly and forwards everything out the VPN probably because I can't use the "route-nopull" option with it?

Code:
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"  
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 57677 -j MARK --set-mark 10
 
little success

After long efforts I was able to reach my goal.
The script that I gave above is correct and works:

jffs/scripts/wan-start:

#!/bin/sh
touch /tmp/000wanstarted
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# WAN ROUTE
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# VPN ROUTE
iptables -t mangle -A PREROUTING -s 10.0.0.1 -p tcp -m multiport --port 25 -j MARK --set-mark 0

exit 0


I had not read everything with understanding, and I put the additional configuration in the VPN client custom configuration box:

script-security 2
route-up /jffs/scripts/wan-start

With this configuration all network traffic is carried out by WAN and mail server on the router sends messages via VPN.

Sorry, but when I type:
script-security 2
route-up /JFFS/scripts/wan-start

the other scripts located at /JFFS/scripts cease to operate.

jffs/scripts/nat-start:

#!/bin/sh
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

iptables -I FORWARD -i tun11 -p tcp -d 10.0.0.13 --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.13:8080

jffs/scripts/firewall-start:

#!/bin/sh
iptables -I INPUT -p tcp --destination-port 80 -j ACCEPT
iptables -I INPUT -p tcp --destination-port 25 -j ACCEPT

I can also connect to the OpenVPN server running on port 443. As for all the open ports, they are closed.

Any ideas on how to tweak?
 
Hey guys, just a quick update. I couldn't figure out how to script the selective routing, so I put DD-WRT on my RT-AC87U instead, which has a 'Policy Based Routing' field right on the OpenVPN client configuration screen. All I had to do was put the machines IP in there followed by /32 and now just that computer goes through the VPN, exactly like I wanted. It was incredibly easy.
 
RT-AC68P both VPN running and networks avail

So I'm running an RT-AC68P with Merlin 376.49 5. My goal was to have all DHCP traffic go out over the router-based client VPN (PIA), then be able to run an OpenVPN server to come back to the network and be able to sync PLEX or RDP to local PCs for whatever reason. The scripts below, patched together from reading this thread 400 times, are what I'm using and it seems to be working OK. Does anything look crazy in the below? Does it work for anyone else?

#!/bin/sh
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2-192.168.1.55 -j MARK --set-mark 10

exit
 
Crap, I fooled myself.... So with the above script running I can now run a VPN server to access my network from WAN but cannot access LAN IP's that are in 192.168.1.X to sync PLEX or RDP. If I simply turn off the client VPN to PIA everything works... how can I bridge the two tunnels?
 
Thanks

Just wanted to say a big thanks to Martineau for compiling and posting the selective routing code.

Works perfectly
 
Can someone explain this error to me?

Jan 21 15:41:48 (openvpn-event): 26825 ExpressVPN Selective Customization Starting... /jffs/scripts/openvpn-event tun11 1500 1542 10.173.1.10 10.173.1.9 init.^M
Jan 21 15:41:48 openvpn[26783]: WARNING: Failed running command (--route-up): could not execute external program
Jan 21 15:41:48 openvpn[26783]: Initialization Sequence Completed

I just copied a script from this thread to test out and changed the port numbers to what I need open.

Thanks,
Chris
 
The ^M is a sign that you used a Windows/DOS editor to edit the file instead of a Linux compatible editor. (The ^M is a representation of a carriage return).

The editor in WinSCP and NotePad++ both can correctly handle Linux format.
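
The carriage returns described in the reply above can be caught on the router before OpenVPN tries to run the script. The check below is an added example, not code from the thread; check_script and fix_crlf are hypothetical helper names, and it also flags a missing #! line and a missing execute bit, since route-up executes the file directly.

```shell
#!/bin/sh
# Added example (not from the thread). check_script and fix_crlf are
# hypothetical helper names.

# check_script FILE
# Prints one line per problem and returns the number of problems found.
check_script() {
    f="$1"
    problems=0
    cr=$(printf '\r')

    if [ ! -f "$f" ]; then
        echo "$f: no such file"
        return 1
    fi
    # DOS line endings: every line, including the "#!/bin/sh" line, ends in a
    # CR, so the kernel is asked for an interpreter named "/bin/sh<CR>".
    if grep -q "$cr" "$f"; then
        echo "$f: contains carriage returns (DOS line endings)"
        problems=$((problems + 1))
    fi
    # The file is executed directly, so it needs an interpreter line ...
    case "$(head -n 1 "$f")" in
        '#!'*) ;;
        *) echo "$f: first line is not a #! interpreter line"
           problems=$((problems + 1)) ;;
    esac
    # ... and the execute bit.
    if [ ! -x "$f" ]; then
        echo "$f: not executable (chmod +x)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# fix_crlf FILE
# Strips every CR in place. Writing back with cat keeps the file's
# existing permissions.
fix_crlf() {
    tmp="$1.$$.tmp"
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Check every script in the directory used throughout this thread.
for s in /jffs/scripts/*; do
    if [ -f "$s" ]; then check_script "$s" || true; fi
done
```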
 
Gentlemen, maybe there is someone who can give me a hint that will solve my problem. I have read this thread but unfortunately have not yet managed to fully resolve my problem. I want all traffic to go through the WAN and particular services (for example, outgoing mail) through the VPN. The first script, by "Janosek", works in my version, but as you know, all the services running on the router (VPN server, web server, etc.) cease to operate.

My version of the script by Janosek:

#!/bin/sh
touch /tmp/000wanstarted
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#WAN ROUTE
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

#VPN ROUTE
iptables -t mangle -A PREROUTING -s 10.0.0.1 -p tcp -m multiport --port 25 -j MARK --set-mark 0

exit 0

Currently I'm trying to use the script proposed by "DJR747", but unfortunately without results. I have already tried all possible ways, but unfortunately the outgoing mail server traffic does not pass through the VPN.

My version of the script by DJR747:
#!/bin/sh

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -s 10.0.0.1 -p tcp -m multiport --port 25 -j MARK --set-mark 10

exit

Below my vpn client configuration:

client
dev tun
proto udp
remote 91.232.54.54 1194
nobind
persist-key
persist-tun
ns-cert-type server
cipher AES-128-CBC # AES
comp-lzo
verb 3

# vpn client custom configuration box:
script-security 2
route-up /jffs/scripts/vpn-route.sh
"redirect Internet traffic," I have set to "no"

I also tried the "route-nopull" option, but unfortunately in this case nothing works online at all.

I checked the routing tables:

/jffs/scripts# ip rule
0: from all lookup local
32763: from all fwmark 0xa lookup 10
32764: from all fwmark 0xc lookup 12
32766: from all lookup main
32767: from all lookup default
/jffs/scripts# ip route show table 10
default via 10.8.0.6 dev tun11
/jffs/scripts# ip route show table 12
default via 89.51.83.1 dev eth0

It seems to be OK, but unfortunately the mail server running on the router sends mail through the WAN and not the VPN.

Is there someone more familiar with the topic who could give me a hint? Unfortunately I have run out of ideas.
 
Hi,

Try changing the first script using: wan0_gateway.

Good luck
 
Hey, but where do I have to change it? In the script there is no entry for the default array.
Command: "nvram get wan_gateway" and "nvram get wan0_gateway" return the same address: 89.51.83.1
"wan_gateway" is present in the first script and it works.
So I do not think that this was a problem.

Thank you very much for your interest, but that is probably not the way to go.
 
Adding the default route in table 100 via WAN? Of course all traffic will go to the WAN; instead you should use the VPN gateway.

replace: ip route add default table 100 via $(nvram get wan_gateway)

with:
tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
ip route add default table 100 via $tun_ip


For the above to work you need the VPN client to:

- "redirect Internet traffic," set to "no"
- Enable “route-nopull” in custom configuration before calling the "route-up" command.
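
The layout from this last reply (table 100 pointing at the tunnel, with route-nopull so the main table keeps the WAN default) can be combined with the leak protection asked about earlier in the thread. The script below is an added example, not code from any poster; it assumes fwmark 1, the LAN bridge br0, an ip binary that supports the prohibit route type, and the hypothetical helper names run, try and vpn_policy_up. It goes beyond the reply by adding a high-metric prohibit route, so marked hosts are cut off rather than falling through to the main table when the tunnel route disappears.

```shell
#!/bin/sh
# Added example (not from the thread): send selected LAN hosts through the
# OpenVPN client and fail closed when the tunnel is down.
# Assumptions: table 100 and fwmark 1, LAN bridge br0, "route-nopull" set in
# the client, and an "ip" binary that supports the "prohibit" route type.

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them
TABLE=100
MARK=1

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Cleanup step: the object may already be gone (for example
# "RTNETLINK answers: No such process" after a flush), which is not an error.
try() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@" 2>/dev/null || true; fi
}

# vpn_policy_up TUN_IF HOST...
vpn_policy_up() {
    tun_if="$1"; shift

    try ip rule del fwmark "$MARK" table "$TABLE"
    try ip route flush table "$TABLE"

    # Marked traffic leaves through the tunnel ...
    run ip route add default dev "$tun_if" table "$TABLE"
    # ... and is rejected once that route vanishes with the tunnel, instead of
    # falling through to the main table and out the WAN.
    run ip route add prohibit default table "$TABLE" metric 1000
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache

    # Same reverse-path setting the scripts in this thread apply.
    run sh -c "echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter"

    # Delete-then-append keeps repeated route-up runs from stacking duplicate
    # rules, without flushing rules other scripts put in PREROUTING.
    for host in "$@"; do
        try iptables -t mangle -D PREROUTING -i br0 -s "$host" -j MARK --set-mark "$MARK"
        run iptables -t mangle -A PREROUTING -i br0 -s "$host" -j MARK --set-mark "$MARK"
    done
}

# Sample call with values taken from posts in this thread; in dry-run mode
# this only prints the commands.
vpn_policy_up tun11 192.168.0.50
```

Unmarked hosts never consult table 100 and keep using the WAN default in the main table.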
 
