VPN help with whitelisting IP ranges

Timmeh

New Around Here
Hi guys

I have been searching the web for a way to have all traffic go via the VPN except for certain IP ranges. The example here https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing-(manual-method) talks about specifying devices to go via the VPN and use WAN by default but I need the opposite. It's not clear to me by that example how I would implement the other way round.

Alternatively I would be fine if I could just use the policy rules (https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing) to exclude one device from the VPN but when I do that ALL traffic goes via the WAN. Very weird. I literally have one policy rule for one device and that goes to WAN. Everything else should use the VPN but it doesn't. If someone could help me solve either one of these problems I would be most appreciative!
 
adjust code below to your needs

/jffs/scripts/vpn-route-1.sh


Code:
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-1.sh
# Add the following 2 lines to the VPN - OpenVPN Client n - Custom Configuration box
# route-nopull
# route-up /jffs/scripts/vpn-route-1.sh
#
# OpenVPN runs route-up on every (re)connect, so each rule below is deleted
# before it is added; otherwise every reconnect would stack another copy of it.

# clear tun11 (VPN client 1) table, if exists
ip route flush table 11
ip route del default table 11 2>/dev/null

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip (busybox ifconfig prints "inet addr:10.x.x.x")
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
[ -n "$tun11_ip" ] || { echo "tun11 has no address, aborting" >&2; exit 1; }

# routing VPN IP range from other side of the tunnel via tun11_ip
# ip route add 192.168.X.Y/24 via $tun11_ip

# routing table for tun11 with divert rule (delete first so re-runs do not duplicate it)
ip route add default via $tun11_ip dev tun11 table 11
ip rule del dev wl1.1 table 11 2>/dev/null
ip rule add dev wl1.1 table 11
#ip rule del from 192.168.xxx.yyy table 11 2>/dev/null
#ip rule add from 192.168.xxx.yyy table 11
#ip rule del from 192.168.xxx.zzz table 11 2>/dev/null
#ip rule add from 192.168.xxx.zzz table 11

# not strictly necessary
ip route flush cache

# force VPN to default to Google Public DNS, you can use DNS from VPN provider if you setup routing VPN IP range
# DNAT runs before routing, so the rewritten queries still match the ip rules above and leave via tun11
DNS_SERVER="8.8.8.8 8.8.4.4"
for ip in $DNS_SERVER
do
iptables -t nat -D PREROUTING -i wl1.1 -p udp --dport 53 -j DNAT --to $ip 2>/dev/null
iptables -t nat -A PREROUTING -i wl1.1 -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -D PREROUTING -i wl1.1 -p tcp --dport 53 -j DNAT --to $ip 2>/dev/null
iptables -t nat -A PREROUTING -i wl1.1 -p tcp --dport 53 -j DNAT --to $ip
#iptables -t nat -D PREROUTING -s 192.168.xxx.yyy -p udp --dport 53 -j DNAT --to $ip 2>/dev/null
#iptables -t nat -A PREROUTING -s 192.168.xxx.yyy -p udp --dport 53 -j DNAT --to $ip
#iptables -t nat -D PREROUTING -s 192.168.xxx.yyy -p tcp --dport 53 -j DNAT --to $ip 2>/dev/null
#iptables -t nat -A PREROUTING -s 192.168.xxx.yyy -p tcp --dport 53 -j DNAT --to $ip
#iptables -t nat -D PREROUTING -s 192.168.xxx.zzz -p udp --dport 53 -j DNAT --to $ip 2>/dev/null
#iptables -t nat -A PREROUTING -s 192.168.xxx.zzz -p udp --dport 53 -j DNAT --to $ip
#iptables -t nat -D PREROUTING -s 192.168.xxx.zzz -p tcp --dport 53 -j DNAT --to $ip 2>/dev/null
#iptables -t nat -A PREROUTING -s 192.168.xxx.zzz -p tcp --dport 53 -j DNAT --to $ip
done

# VPN kill switch for desired IPs: drop anything from them that is not leaving via tun11
#iptables -D FORWARD ! -o tun11 -s 192.168.xxx.yyy -j DROP 2>/dev/null
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.yyy -j DROP
#iptables -D FORWARD ! -o tun11 -s 192.168.xxx.zzz -j DROP 2>/dev/null
#iptables -I FORWARD ! -o tun11 -s 192.168.xxx.zzz -j DROP

exit 0

if you want to read more:
http://www.snbforums.com/threads/de...-usual-with-asuswrt-merlin.31415/#post-253228
 
Alternatively I would be fine if I could just use the policy rules (https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing) to exclude one device from the VPN but when I do that ALL traffic goes via the wan. Very weird.
By default, everything goes through the WAN. So, to do what you want, first direct everything to go through the VPN. Assuming your router subnet is 192.168.1.1, mask 255.255.255.0 (default), make the first rule

Description = All-Clients, Source IP = 192.168.1.0/24, Dest IP = 0.0.0.0, Iface = VPN

Now exclude the one device

Description = Client_Name, Source IP = ip you want to go around the VPN, Dest IP = 0.0.0.0, Iface = WAN

This should do what you want. Is this how you are setting it up?
 
This should do what you want. Is this how you are setting it up?

@john9527 you are a legend! That was almost how I had it set up except I had the source IP of All-Clients set to 0.0.0.0 instead of the CIDR subnet. Stupid me!

Works perfectly now :D

adjust code below to your needs

/jffs/scripts/vpn-route-1.sh

...

@peraburek

Thanks for your quick response. I was not able to infer how I can adjust this script to my needs and the post you linked me to seems to be solving a slightly different problem to my own.

As far as I can understand it routes all traffic through the VPN, NATs the DNS requests for some reason then optionally drops all traffic coming from certain IPs on the internal subnet. I'm still not quite sure how to convert that into something that is useful for me.
 
@Timmeh - this script is doing it the other way around

everything is going through normal Internet connection
certain IP range is FORCED through VPN connection
in case VPN connection is down, no traffic will be allowed (kill-switch)

let's say you have default 192.168.1.1 IP range with /24 subnet 255.255.255.0

here is a sample script to force IP addresses 192.168.1.201 and 192.168.1.202 through the VPN connection

create this script /jffs/scripts/vpn-route-1.sh

telnet or ssh to your router:
vi /jffs/scripts/vpn-route-1.sh

paste code below to this script
Code:
#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-1.sh
# Add the following 2 lines to the VPN - OpenVPN Client 1 - Custom Configuration box
# route-nopull
# route-up /jffs/scripts/vpn-route-1.sh
#
# OpenVPN runs route-up on every (re)connect, so each rule below is deleted
# before it is added; otherwise every reconnect would stack another copy of it.

# clear tun11 (VPN client 1) table, if exists
ip route flush table 11
ip route del default table 11 2>/dev/null

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip (busybox ifconfig prints "inet addr:10.x.x.x")
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
[ -n "$tun11_ip" ] || { echo "tun11 has no address, aborting" >&2; exit 1; }

# routing VPN IP range from other side of the tunnel via tun11_ip
# ip route add 192.168.X.Y/24 via $tun11_ip

# routing table for tun11 with divert rules: only 192.168.1.201 and .202 are sent to it
ip route add default via $tun11_ip dev tun11 table 11
# ip rule add dev wl1.1 table 11
ip rule del from 192.168.1.201 table 11 2>/dev/null
ip rule add from 192.168.1.201 table 11
ip rule del from 192.168.1.202 table 11 2>/dev/null
ip rule add from 192.168.1.202 table 11

# not strictly necessary
ip route flush cache

# force VPN to default to Google Public DNS, you can use DNS from VPN provider if you setup routing VPN IP range
# DNAT runs before routing, so the rewritten queries from .201/.202 still match the ip rules
# above and leave via tun11. The two "-i wl1.1" lines also redirect DNS for the guest
# network, although wl1.1 is not routed via the VPN here; remove them if you do not want that.
DNS_SERVER="8.8.8.8 8.8.4.4"
for ip in $DNS_SERVER
do
iptables -t nat -D PREROUTING -i wl1.1 -p udp --dport 53 -j DNAT --to $ip 2>/dev/null
iptables -t nat -A PREROUTING -i wl1.1 -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -D PREROUTING -i wl1.1 -p tcp --dport 53 -j DNAT --to $ip 2>/dev/null
iptables -t nat -A PREROUTING -i wl1.1 -p tcp --dport 53 -j DNAT --to $ip
iptables -t nat -D PREROUTING -s 192.168.1.201 -p udp --dport 53 -j DNAT --to $ip 2>/dev/null
iptables -t nat -A PREROUTING -s 192.168.1.201 -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -D PREROUTING -s 192.168.1.201 -p tcp --dport 53 -j DNAT --to $ip 2>/dev/null
iptables -t nat -A PREROUTING -s 192.168.1.201 -p tcp --dport 53 -j DNAT --to $ip
iptables -t nat -D PREROUTING -s 192.168.1.202 -p udp --dport 53 -j DNAT --to $ip 2>/dev/null
iptables -t nat -A PREROUTING -s 192.168.1.202 -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -D PREROUTING -s 192.168.1.202 -p tcp --dport 53 -j DNAT --to $ip 2>/dev/null
iptables -t nat -A PREROUTING -s 192.168.1.202 -p tcp --dport 53 -j DNAT --to $ip
done

# VPN kill switch for desired IPs: drop anything from them that is not leaving via tun11
iptables -D FORWARD ! -o tun11 -s 192.168.1.201 -j DROP 2>/dev/null
iptables -I FORWARD ! -o tun11 -s 192.168.1.201 -j DROP
iptables -D FORWARD ! -o tun11 -s 192.168.1.202 -j DROP 2>/dev/null
iptables -I FORWARD ! -o tun11 -s 192.168.1.202 -j DROP

exit 0

:wq
chmod 755 /jffs/scripts/vpn-route-1.sh

Add the following 2 lines to the VPN - OpenVPN Client 1 - Custom Configuration box
Code:
route-nopull
route-up /jffs/scripts/vpn-route-1.sh

Apply

reboot and test by manually assigning IPs 192.168.1.201 and 192.168.1.202 to your devices
compare results on https://www.dnsleaktest.com/ (extended test) both before and after IP change
it should be working, if not report back

you can adjust script, so you pass certain IP range through VPN, not only specific IP addresses
hope that helps
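Both answers in this thread come down to the same mechanism: a second routing table whose only default route points into the tunnel, and ip rules that decide which source addresses consult that table. john9527's two GUI rules express "everything via the VPN except one host", while the script above expresses "only these hosts via the VPN". The following script is an added example, not code from this thread or from Asuswrt-Merlin, that does either direction from the command line and can be re-run on every reconnect without stacking duplicate rules. It keeps tun11 and table 11 from the thread; the LAN 192.168.1.0/24, the excluded host 192.168.1.50, the chain name VPN_KILL, the rule priorities 100/200 and the path /jffs/scripts/vpn-policy.sh are assumptions made for this example and should be adjusted.

```shell
#!/bin/sh
# Added example (not code from the thread): idempotent policy routing for an
# Asuswrt-Merlin OpenVPN client, covering both directions discussed above.
# Assumed defaults, all hypothetical and overridable from the environment:
#   TUN/TABLE   VPN client 1 is tun11 with routing table 11, as in the thread
#   LAN         192.168.1.0/24; CHAIN and priorities 100/200 are choices made here
#   MODE=except everything via the VPN except EXCEPT_HOSTS (the original question)
#   MODE=only   only VPN_HOSTS via the VPN, everything else via the WAN (the posted script)
#   DRY_RUN=1   print the commands instead of executing them
TUN=${TUN:-tun11}
TABLE=${TABLE:-11}
LAN=${LAN:-192.168.1.0/24}
CHAIN=${CHAIN:-VPN_KILL}
MODE=${MODE:-except}
EXCEPT_HOSTS=${EXCEPT_HOSTS:-192.168.1.50}
VPN_HOSTS=${VPN_HOSTS:-192.168.1.201 192.168.1.202}
PRIO_EXCEPT=100   # lower number is consulted first
PRIO_VPN=200

run() {
    # execute a command, or only print it when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

tun_ip() {
    # tunnel address from busybox ifconfig ("inet addr:10.8.0.6"); TUN_IP overrides it
    if [ -n "${TUN_IP:-}" ]; then echo "$TUN_IP"; return 0; fi
    ifconfig "$TUN" 2>/dev/null | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

clear_prio() {
    # ip rule del removes one matching rule per call, so loop until none is left;
    # this is what keeps re-runs on every reconnect from stacking duplicate rules
    if [ -n "${DRY_RUN:-}" ]; then echo "ip rule del prio $1 (repeated until it fails)"; return 0; fi
    while ip rule del prio "$1" 2>/dev/null; do :; done
}

setup_table() {
    gw=$(tun_ip)
    [ -n "$gw" ] || { echo "$TUN has no address; is the VPN up?" >&2; return 1; }
    run ip route flush table "$TABLE" 2>/dev/null || true
    run ip route add default via "$gw" dev "$TUN" table "$TABLE"
    # when $TUN goes down the kernel drops the route above; this fallback then makes
    # lookups in the table end in "unreachable" instead of falling through to main (WAN)
    run ip route add unreachable default metric 1000 table "$TABLE"
}

apply_rules() {
    clear_prio "$PRIO_EXCEPT"
    clear_prio "$PRIO_VPN"
    case "$MODE" in
    except)
        # excluded hosts are sent to the main table (WAN default) before the LAN-wide rule
        for h in $EXCEPT_HOSTS; do run ip rule add from "$h" lookup main prio "$PRIO_EXCEPT"; done
        run ip rule add from "$LAN" table "$TABLE" prio "$PRIO_VPN" ;;
    only)
        for h in $VPN_HOSTS; do run ip rule add from "$h" table "$TABLE" prio "$PRIO_VPN"; done ;;
    *)
        echo "MODE must be 'except' or 'only'" >&2; return 2 ;;
    esac
    run ip route flush cache
}

kill_switch() {
    # a private chain can be flushed and rebuilt on every run, with exactly one jump
    # from FORWARD. Excluded hosts RETURN to the normal FORWARD rules rather than being
    # ACCEPTed outright, which would bypass everything else the firewall does there.
    run iptables -N "$CHAIN" 2>/dev/null || true
    run iptables -F "$CHAIN"
    if [ -z "${DRY_RUN:-}" ]; then
        while iptables -D FORWARD -j "$CHAIN" 2>/dev/null; do :; done
    fi
    run iptables -I FORWARD -j "$CHAIN"
    case "$MODE" in
    except)
        for h in $EXCEPT_HOSTS; do run iptables -A "$CHAIN" -s "$h" -j RETURN; done
        run iptables -A "$CHAIN" -s "$LAN" ! -o "$TUN" -j DROP ;;
    only)
        for h in $VPN_HOSTS; do run iptables -A "$CHAIN" -s "$h" ! -o "$TUN" -j DROP; done ;;
    esac
}

main() { setup_table && apply_rules && kill_switch; }

# Custom Configuration for the client:  route-nopull  and  route-up "/jffs/scripts/vpn-policy.sh apply"
# Without the "apply" argument the file only defines the functions above.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it once with DRY_RUN=1 to see the exact commands before letting route-up call it. A few points worth knowing before relying on it: in "except" mode the LAN-wide DROP also blocks LAN traffic forwarded out of any other interface, for example a second tunnel, so excluded hosts need to be listed rather than relying on routing alone; DNS is not covered, because dnsmasq on the router forwards upstream queries from the router's own address over the WAN, which is exactly why the posted script DNATs client queries to a resolver that is then reached through the tunnel, and those rules (or a resolver supplied by the VPN provider) are still needed here; and on Asuswrt-Merlin iptables rules added this way are lost when the firewall is restarted, so the kill_switch part should also be called from the firewall-start hook. Check the result with `ip rule show`, `ip route show table 11` and `iptables -vnL VPN_KILL`, then with the extended dnsleaktest run the thread recommends.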
 
