Jump to content
Not connected, Your IP: 35.171.146.141
guppy

Route specific IP's/Subnet through VPN only?

Recommended Posts

Hi,

 

What I'm trying to achive;

 

Have NO traffic go through the VPN execpt if it comes from specific IPs or subnet ( in wich case everything should go through VPN )

 

 

What I've done so far;

 

(using TomatoUSB by shibby)

 

In order for normal traffic to not get VPN'ed I had to make a few changes to the install guide;

 

Client -> Basic:

"Create NAT on tunnel" - NOT checked

Client -> Advanced:

"Redirect Internet traffic" - NOT checked

 

The two above doesn't actually work as AirVPN forces routes - to disable this;

 

Client -> Advanced -> Custom Configuration:

(add)

route-nopull
 
 
 
At this point no traffic goes through the VPN
 
Now force specific subnets and IPs to go throught vpn I added these lines to Custom Configuration
 
route 192.168.50.0 255.255.255.0
route 192.168.1.203 255.255.255.255
route 192.168.1.202 255.255.255.255
 
 
 
Testing
 
To test it I added an IP alias ( using linux)
 
ifconfig eth0:0 192.168.1.202
 
And used wget to fetch a page through the alias;
 
wget "http://checkip.dyndns.com/" -O - --bind-address=192.168.1.202

Now before adding the last route line above this quickly returns my ip, after I just get timeouts.
 
 
What am I doing wrong? - the thing with the routes is just something I googled so I may have it entirely wrong.
 
 
 

Share this post


Link to post

Seems the ip in the routes is the TARGET ip not the source.

 

Is there another way for me to achive my goal?

Share this post


Link to post

So after desperately searching I found the answer at a competing vpn provider ( one who is aparently a bit of a joke at that ) but forum rules prevents me from linking to that so I'll reproduce the steps below;

 

Do what I did in the initial post, but stop at "At this point no traffic goes through the VPN" and instead do this;

 

Go to Administration -> Scripts

 

In the "Firewall" tab put

 

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

In the 'WAN UP' tab put

sleep 30
ip route flush table 200
ip route flush cache
ip rule add from 192.168.1.203 lookup 200
VPN_GW=`ifconfig tun11 | awk '/inet addr/ {split ($2,A,":"); print A[2]}'`
ip route add table 200 default via $VPN_GW dev tun11

 

Replace the IP in line 4 with the IP on your lan that you want to force to go through VPN

 

You can repeat this line multiple times if need be, and doing

ip rule add from 192.168.50.0/24 lookup 200

Should work to force that entire network though vpn - meaning you could rout all your phones traffic through VPN just by changing wireless network \o/

 

But all is not well - see that "sleep 30" in line 1 ?

 

I assume it's there for a good reason but it does mean that every time you for what ever reason need to reboot your router there is 30 seconds where those IPs are not being forced through the VPN, which could be disasterous - as with the net connection down those client are properly going to be spamming to get reconnected/loggin in again/ etc.

 

 

If somebody could help me prevent those IP's from getting any access in those 30s that would *really* be appreciated.

 

 

Share this post


Link to post

I guess you would want to replace that sleep with something like:

 

iptables -A OUTPUT -s 192.168.1.203 -j DROP

if [[ $(ifconfig tun11 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}') ]]; then

iptables -D OUTPUT -s 192.168.1.203 -j DROP

fi
exit

 

 

That will drop all traffic from that address before your tunnel interface will be up, and later delete that rule.

Ofcourse you can complicate it as much as you want and add more interfaces, IPs or subnets.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

iptables -A OUTPUT -s 192.168.1.203 -j DROP

 

This doesn't prevent 192.168.1.203 from accessing the internet, isn't that what it's supposed to do?

 

my output chain is empty except for that one rule

# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  192.168.1.203        anywhere 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...