guppy Posted ...

Hi,

What I'm trying to achieve: have NO traffic go through the VPN except if it comes from specific IPs or a subnet (in which case everything should go through the VPN).

What I've done so far (using TomatoUSB by shibby):

In order for normal traffic to not get VPN'ed I had to make a few changes to the install guide:

    Client -> Basic: "Create NAT on tunnel" - NOT checked
    Client -> Advanced: "Redirect Internet traffic" - NOT checked

The two above don't actually work as AirVPN forces routes. To disable this:

    Client -> Advanced -> Custom Configuration: (add)
    route-nopull

At this point no traffic goes through the VPN.

Now force specific subnets and IPs to go through the VPN. I added these lines to Custom Configuration:

    route 192.168.50.0 255.255.255.0
    route 192.168.1.203 255.255.255.255
    route 192.168.1.202 255.255.255.255

Testing

To test it I added an IP alias (using Linux):

    ifconfig eth0:0 192.168.1.202

And used wget to fetch a page through the alias:

    wget "http://checkip.dyndns.com/" -O - --bind-address=192.168.1.202

Now before adding the last route line above this quickly returns my IP; after, I just get timeouts.

What am I doing wrong? The thing with the routes is just something I googled, so I may have it entirely wrong.
guppy Posted ...

Seems the IP in the routes is the TARGET IP, not the source. Is there another way for me to achieve my goal?
guppy Posted ...

So after desperately searching I found the answer at a competing VPN provider (one who is apparently a bit of a joke at that), but forum rules prevent me from linking to that, so I'll reproduce the steps below.

Do what I did in the initial post, but stop at "At this point no traffic goes through the VPN" and instead do this:

Go to Administration -> Scripts

In the "Firewall" tab put:

    iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
    iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
    iptables -I INPUT -i tun11 -j REJECT
    iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

In the "WAN Up" tab put:

    sleep 30
    ip route flush table 200
    ip route flush cache
    ip rule add from 192.168.1.203 lookup 200
    VPN_GW=$(ifconfig tun11 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
    ip route add table 200 default via $VPN_GW dev tun11

Replace the IP in line 4 with the IP on your LAN that you want to force to go through the VPN. You can repeat this line multiple times if need be, and doing

    ip rule add from 192.168.50.0/24 lookup 200

should work to force that entire network through the VPN, meaning you could route all your phone's traffic through the VPN just by changing wireless network \o/

But all is not well. See that "sleep 30" in line 1? I assume it's there for a good reason, but it does mean that every time you for whatever reason need to reboot your router there are 30 seconds where those IPs are not being forced through the VPN, which could be disastrous, as with the net connection down those clients are probably going to be spamming to get reconnected/logging in again/etc.

If somebody could help me prevent those IPs from getting any access in those 30s that would *really* be appreciated.
zhang888 Posted ...

I guess you would want to replace that sleep with something like:

    iptables -A OUTPUT -s 192.168.1.203 -j DROP
    if [ -n "$(ifconfig tun11 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')" ]; then
        iptables -D OUTPUT -s 192.168.1.203 -j DROP
    fi
    exit

That will drop all traffic from that address before your tunnel interface is up, and later delete that rule. Of course you can complicate it as much as you want and add more interfaces, IPs or subnets.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
guppy Posted ...

    iptables -A OUTPUT -s 192.168.1.203 -j DROP

This doesn't prevent 192.168.1.203 from accessing the internet. Isn't that what it's supposed to do? My OUTPUT chain is empty except for that one rule:

    # iptables -L OUTPUT
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  192.168.1.203        anywhere
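The following is an added example, not code from any poster in this thread or from AirVPN. It puts the procedure from the third post (firewall rules plus a policy-routing table for selected LAN sources) into one WAN Up script that fails closed: the protected sources are dropped in the FORWARD chain before anything else happens, and the script polls for the tunnel address instead of a blind "sleep 30". It uses FORWARD rather than OUTPUT because OUTPUT only matches packets the router itself generates, which is what the last post observes. Assumptions (hypothetical, adjust to your router): LAN bridge br0, OpenVPN client interface tun11, spare routing table 200, invoked from the WAN Up script as "/jffs/vpn-policy.sh apply"; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from AirVPN.
# Fail-closed "VPN only" policy routing for selected LAN sources on a
# TomatoUSB router. Assumptions (hypothetical): LAN bridge br0, OpenVPN client
# interface tun11, spare routing table 200, run from WAN Up as
# "/jffs/vpn-policy.sh apply". DRY_RUN=1 prints commands instead of running them.

LAN_IF=br0
VPN_IF=tun11
TABLE=200
# LAN sources that must only ever reach the Internet through the tunnel.
VPN_SOURCES="192.168.1.203/32 192.168.1.202/32 192.168.50.0/24"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Block first, route later: forwarded traffic from the protected sources that
# would leave by any interface other than the tunnel is dropped. This has to be
# the FORWARD chain; OUTPUT only sees packets generated by the router itself,
# so a DROP there does not stop a LAN client.
add_killswitch() {
    for src in $VPN_SOURCES; do
        run iptables -I FORWARD -s "$src" ! -o "$VPN_IF" -j DROP
    done
}

# Allow LAN -> tunnel, only replies back from the tunnel, NAT on the way out.
tunnel_rules() {
    run iptables -I FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    run iptables -I FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -I INPUT -i "$VPN_IF" -j REJECT
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Poll for the tunnel's local address instead of a fixed "sleep 30". Prints the
# address; returns 1 if the tunnel is still down after $1 seconds.
wait_for_vpn() {
    left=${1:-60}
    while [ "$left" -gt 0 ]; do
        addr=$(ifconfig "$VPN_IF" 2>/dev/null | awk '/inet addr/ {split($2, a, ":"); print a[2]}')
        if [ -n "$addr" ]; then
            printf '%s\n' "$addr"
            return 0
        fi
        sleep 1
        left=$((left - 1))
    done
    return 1
}

# Send the protected sources to table $TABLE, whose only default route is the
# tunnel (on a point-to-point tun the local address works as next hop).
policy_routing() {
    gw=$1
    run ip route flush table "$TABLE"
    for src in $VPN_SOURCES; do
        run ip rule add from "$src" lookup "$TABLE"
    done
    run ip route add table "$TABLE" default via "$gw" dev "$VPN_IF"
    run ip route flush cache
}

main() {
    add_killswitch
    tunnel_rules
    if gw=$(wait_for_vpn 90); then
        policy_routing "$gw"
    else
        echo "$VPN_IF never came up; protected sources stay blocked" >&2
        return 1
    fi
}

if [ "${1:-}" = apply ]; then
    main
fi
```

If the tunnel never comes up the kill-switch rules stay in place, so the protected hosts lose Internet access rather than leaking through the WAN. Running the script twice adds duplicate ip rules; delete them (ip rule del) before re-applying, or reboot.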