ANSWERED ASUSWRT bypass VPN for 1 IP.

[omgitslurch 0]

Hi,

 

Have given my SmartTV which runs Amazon Prime, BBC iPlayer, etc a static IP, and want to bypass the VPN which I run on my DSL-AC68U. As its the DSL model I can't run the Merlin firmware, just the official Asus firmware. After Googling have tried configuring via SSH (have done similar for port forwarding previously) I have a script, but its not working as expected, when applied lose connectivity for the TV, but works for everything else. Did try 1 script I found which gave the TV access by bypassing the TV but killed the internet for everything else, however have since lost the link.

 

As someone on here last time I got stuck spotted where I had gone wrong, I am hoping someone can see again! The current script for the config I am running is as follows.

 

 

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter  
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
ip route show table main | grep -Ev ^default | grep -Ev tun15 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.11 -j MARK --set-mark 1
 

output of ip route show is below which may help.

 

lurch@(none):/tmp/mnt/LABEL/asusware.arm# ip route show
89.243.144.1 dev vlan3880  proto kernel  scope link 
217.151.98.167 via <GW-HIDDEN> dev vlan3880 
169.254.0.1 dev vlan2  scope link 
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.254 
<IP-HIDDDEN>/20 dev vlan3880  proto kernel  scope link  src <IP-HIDDEN> 
10.4.0.0/16 dev tun15  proto kernel  scope link  src 10.4.18.0 
169.254.0.0/16 dev vlan2  proto kernel  scope link  src 169.254.70.103 
127.0.0.0/8 dev lo  scope link 
0.0.0.0/1 via 10.4.0.1 dev tun15 
128.0.0.0/1 via 10.4.0.1 dev tun15 
default via 89.243.144.1 dev vlan3880 
 

 

[omgitslurch 0]

Hi,

 

Just thought would update that after finding a couple of similar scripts and mashing the 2 together that have a working script I've got saved on my router which achieves the goal of my TV now bypassing the VPN running on my router. For those who are stuck using ASUS own ASUSWRT firmware the script I am using is below. I have it saved on memory stick so that can run it directly on the router via SSH.

 

  echo #!/bin/sh
nvram set no_vpn_lst="192.168.1.11"
nvram commit


sleep 30
NO_VPN_LST=`nvram get no_vpn_lst`
[ -z "$NO_VPN_LST" ] && exit 0
WAN_GWAY="0.0.0.0"
while [ $WAN_GWAY == "0.0.0.0" ]; do
sleep 3
WAN_GWAY=`nvram get wan0_gateway`
done
ip route add default via $WAN_GWAY table 10
for ipa in $NO_VPN_LST; do
ip rule add from $ipa table 10
done
ip route flush cache
exit 0
 

 

If you want more than 1 IP to bypass then you add additional IPs to the no_vpn_lst section just leaving a space between the IPs. Script needs running after each reboot and possibly if your DSL or VPN connection drops out and reconnects. 

[thomasl78 0]

Just tried the script, but does not seem to be working with my 4g-ac53u with the latest Asus firmware version 3.0.0.4.384_81975-g4290df7. Can you please confirm if it still works? 

Edited ... by thomasl78
updates

[OpenSourcerer 1435]

3 hours ago, thomasl78 said:

Just tried the script, but does not seem to be working with my 4g-ac53u with the latest Asus firmware version 3.0.0.4.384_81975-g4290df7. Can you please confirm if it still works? 

Some logs would help, at least post the errors you get, if any. Or at the very least outline what doesn't work. The question at the end is of little use to anyone but you…

[thomasl78 0]

On 7/1/2021 at 3:54 AM, OpenSourcerer said:

Some logs would help, at least post the errors you get, if any. Or at the very least outline what doesn't work. The question at the end is of little use to anyone but you…

HI, thanks for replying. 
Here's some more info with this script on this 4g-ac53u router. 
I can run the script without error. However, I can not surf Internet and traceroute command fails after the script run. 

Ping command works fine on the workstation 192.168.1.11 and I do notice a response time difference before and after the script run. So I believe routing may have been updated. 

screen shot as below. Thanks. 

Edited ... by thomasl78

[Similiar 0]

I tried a similar dsl model with the AsusWRT firmware. I remember that i could specify which devices traffic get routed through the vpn and which not. Isnt this the case in your router?
Btw in the case you use your DSL Router not as the DSL receiver but as a WAN Router then you can deploy Merlin on it.

Maybe this helps