Route specific IP's/Subnet through VPN only?

What I'm trying to achieve;


Have NO traffic go through the VPN except if it comes from specific IPs or a subnet (in which case everything should go through the VPN)



What I've done so far;


(using TomatoUSB by shibby)


In order for normal traffic to not get VPN'ed I had to make a few changes to the install guide;


Client -> Basic:

"Create NAT on tunnel" - NOT checked

Client -> Advanced:

"Redirect Internet traffic" - NOT checked


The two above don't actually work, as AirVPN forces routes - to disable this;


Client -> Advanced -> Custom Configuration:


At this point no traffic goes through the VPN
Now, to force specific subnets and IPs to go through the VPN, I added these lines to Custom Configuration
To test it I added an IP alias ( using linux)
ifconfig eth0:0
And used wget to fetch a page through the alias;
wget "http://checkip.dyndns.com/" -O - --bind-address=

Now, before adding the last route line above, this quickly returns my IP; after, I just get timeouts.
What am I doing wrong? - the thing with the routes is just something I googled so I may have it entirely wrong.


Seems the IP in the routes is the TARGET IP, not the source.


Is there another way for me to achieve my goal?


So after desperately searching I found the answer at a competing VPN provider (one who is apparently a bit of a joke at that), but forum rules prevent me from linking to that so I'll reproduce the steps below;


Do what I did in the initial post, but stop at "At this point no traffic goes through the VPN" and instead do this;


Go to Administration -> Scripts


In the "Firewall" tab put


iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

In the 'WAN UP' tab put

sleep 30
ip route flush table 200
ip route flush cache
ip rule add from lookup 200
VPN_GW=`ifconfig tun11 | awk '/inet addr/ {split ($2,A,":"); print A[2]}'`
ip route add table 200 default via $VPN_GW dev tun11


Replace the IP in line 4 with the IP on your LAN that you want to force to go through the VPN


You can repeat this line multiple times if need be, and doing

ip rule add from lookup 200

should work to force that entire network through the VPN - meaning you could route all your phone's traffic through the VPN just by changing wireless network \o/


But all is not well - see that "sleep 30" in line 1 ?


I assume it's there for a good reason, but it does mean that every time you need to reboot your router for whatever reason there are 30 seconds where those IPs are not being forced through the VPN, which could be disastrous - as with the net connection down those clients are probably going to be spamming to get reconnected/logging in again/etc.



If somebody could help me prevent those IPs from getting any access in those 30s that would *really* be appreciated.




I guess you would want to replace that sleep with something like:


iptables -A OUTPUT -s -j DROP

if [[ $(ifconfig tun11 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}') ]]; then
    iptables -D OUTPUT -s -j DROP
fi



That will drop all traffic from that address before your tunnel interface is up, and later delete that rule.

Of course you can complicate it as much as you want and add more interfaces, IPs or subnets.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


iptables -A OUTPUT -s -j DROP


This doesn't prevent from accessing the internet, isn't that what it's supposed to do?


my output chain is empty except for that one rule

# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --        anywhere 

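The following is an added example, not code posted in this thread and not from AirVPN or TomatoUSB. It pulls together the "Firewall" and "WAN UP" steps from the solution post and addresses the two open points in the thread: the 30 second gap after a reboot, and why the OUTPUT rule in the last reply does not stop the LAN host. It assumes the names used in the thread (LAN bridge br0, OpenVPN interface tun11, routing table 200); the LAN sources 192.168.1.50 and 192.168.2.0/24 are hypothetical placeholders. One script serves both tabs: call it with `firewall` from the Firewall tab and with `wanup` from the WAN UP tab.

```shell
#!/bin/sh
# Added example, not code from the thread: one script that covers both
# Tomato script tabs ("firewall" and "wanup") for routing selected LAN
# sources through the VPN, with the kill switch installed in FORWARD
# before tun11 exists, so there is no "sleep 30" window.
# Assumptions (not stated in the thread): LAN bridge br0, OpenVPN client
# interface tun11, policy table 200, and the hypothetical LAN hosts below.
VPN_IF="${VPN_IF:-tun11}"
LAN_IF="${LAN_IF:-br0}"
TABLE="${TABLE:-200}"
# Hosts and subnets to force through the VPN (hypothetical values).
VPN_SOURCES="${VPN_SOURCES:-192.168.1.50 192.168.2.0/24}"

# With DRY_RUN=1 the commands are printed instead of executed, so the
# rule set can be reviewed (or tested) on a machine without root or tun11.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Firewall tab. The four rules from the thread, plus one DROP per source
# that matches only when the packet is NOT leaving via tun11. The chain is
# FORWARD, not OUTPUT: OUTPUT only sees packets the router itself sends,
# while LAN traffic being routed to the WAN passes through FORWARD.
firewall_rules() {
    run iptables -I FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    run iptables -I FORWARD -i "$VPN_IF" -o "$LAN_IF" -j ACCEPT
    run iptables -I INPUT -i "$VPN_IF" -j REJECT
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    for src in $VPN_SOURCES; do
        # Inserted last, so evaluated first: nothing from these sources
        # is forwarded anywhere except into the tunnel.
        run iptables -I FORWARD -s "$src" ! -o "$VPN_IF" -j DROP
    done
}

# Read the tunnel's own address from `ifconfig tun11` output on stdin.
# Handles busybox "inet addr:10.4.0.6" and net-tools "inet 10.4.0.6".
vpn_gw_from_ifconfig() {
    awk '/inet addr:/ || /inet / { sub(/^.*inet (addr:)?/, ""); print $1; exit }'
}

# Poll for the interface instead of sleeping a fixed 30 s.
wait_for_vpn() {
    i=0
    while ! ip link show "$VPN_IF" >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 60 ] || return 1
        sleep 1
    done
}

# WAN UP tab: table 200 holds a default route into the tunnel and each
# source gets an "ip rule" that sends it to that table. Everything else
# keeps using the main table, i.e. the WAN.
route_sources_via_vpn() {
    gw="$1"
    run ip route flush table "$TABLE"
    run ip route add table "$TABLE" default via "$gw" dev "$VPN_IF"
    for src in $VPN_SOURCES; do
        run ip rule add from "$src" lookup "$TABLE"
    done
    run ip route flush cache
}

main() {
    case "$1" in
        firewall) firewall_rules ;;
        wanup)
            wait_for_vpn || { echo "$VPN_IF did not come up" >&2; exit 1; }
            gw=$(ifconfig "$VPN_IF" | vpn_gw_from_ifconfig)
            [ -n "$gw" ] || { echo "no address on $VPN_IF" >&2; exit 1; }
            route_sources_via_vpn "$gw" ;;
        *) echo "usage: $0 firewall|wanup" >&2; exit 2 ;;
    esac
}

# Only act when invoked with an argument, e.g. "vpnroute.sh firewall".
[ $# -eq 0 ] || main "$@"
```

Two caveats a practitioner should check on the router. First, `ip rule` entries survive a tunnel restart, so on a reconnect delete the old rules (`ip rule del from <src> lookup 200`) before re-adding them, or the list grows. Second, the FORWARD kill switch does not cover requests the selected hosts make to the router itself (INPUT chain), most importantly DNS: if they use the router's dnsmasq, the lookup goes out over the WAN even while their data traffic is blocked, so either point those hosts at a resolver reached through the tunnel or add a matching INPUT rule for UDP/TCP 53.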
