Prevent leaks and selectively route clients using TomatoUSB

If you are a TomatoUSB user, and your version has the OpenVPN client and GUI, the following will allow you to prevent leaks and selectively route shich clients on your LAN you'd like sent through the VPN. I cannot take credit for this method, I'm re-posting here from the linksysinfo.org forums from this thread: http://linksysinfo.org/index.php?threads/any-way-to-bypass-vpn-selectively.33468/#post-164693

First, get the VPN client set up so it will connect to AirVPN. Once you have it connecting, and ALL traffic is routed through the VPN by default, continue on.

Then, create a file at /root/vpn_route.sh

Paste this into it:

#!/bin/sh

if [ "$script_type" == "up" -o "$script_type" == "down" ]
then
	/rom/openvpn/updown.sh
fi

if [ "$route_gateway_1" != "" ]
then
	VPN_IP_LIST=$(nvram get vpn_client1_ip_list)
	VPN_TBL=$(nvram get vpn_tbl_1)
	if [ "$VPN_TBL" == "" ]
	then
		VPN_TBL=101
	fi
elif [ "$route_gateway_2" != "" ]
then
	VPN_IP_LIST=$(nvram get vpn_client2_ip_list)
	VPN_TBL=$(nvram get vpn_tbl_2)
	if [ "$VPN_TBL" == "" ]
	then
		VPN_TBL=102
	fi
fi

export VPN_GW VPN_IP VPN_TBL

# delete rules for IPs not on list
IP_LIST=`ip rule show|awk '$2 == "from" && $4=="lookup" && $5==ENVIRON["VPN_TBL"] {print $3}'`
for IP in $IP_LIST
do
	DEL_IP="y"
	for VPN_IP in $VPN_IP_LIST
	do
		if [ "$IP" == "$VPN_IP" ]
		then
			DEL_IP=
		fi
	done

	if [ "$DEL_IP" == "y" ]
	then
		ip rule del from $IP table $VPN_TBL
	fi
done

# add rules for any new IPs
for VPN_IP in $VPN_IP_LIST
do
	IP_LIST=`ip rule show|awk '$2=="from" && $3==ENVIRON["VPN_IP"] && $4=="lookup" && $5==ENVIRON["VPN_TBL"] {print $3}'`
	if [ "$IP_LIST" == "" ]
	then
		ip rule add from $VPN_IP table $VPN_TBL
	fi
done

if [ "$script_type" == "route-up" ]
then
	VPN_GW=$route_vpn_gateway
else
	VPN_GW=127.0.0.1  # if VPN down, block VPN IPs from WAN
fi

# delete VPN routes
NET_LIST=`ip route show|awk '$2=="via" && $3==ENVIRON["VPN_GW"] && $4=="dev" && $5==ENVIRON["dev"] {print $1}'`
for NET in $NET_LIST
do
	ip route del $NET dev $dev 
done

# route VPN IPs thru VPN gateway
if [ "$VPN_IP_LIST" != "" ]
then
	ip route del default table $VPN_TBL
	ip route add default via $VPN_GW table $VPN_TBL
	logger "Routing $VPN_IP_LIST via VPN gateway $VPN_GW"
fi

# route other IPs thru WAN gateway
if [ "$route_net_gateway" != "" ]
then
	ip route del default
	ip route add default via $route_net_gateway
fi

ip route flush cache

exit 0

Now make the file executable and save it to nvram:

chmod 755 /root/vpn_route.sh
nvram setfile2nvram /root/vpn_route.sh
nvram commit

Now, in the advanced configuration of the VPN client put:

script-security 2
route-up /root/vpn_route.sh
down /root/vpn_route.sh

What this will do is get rid of all the routes that are pushed to you from AirVPN and everything will use your ISP. To add which hosts you would like to route through the VPN do the following:

nvram set vpn_client1_ip_list="192.168.1.10 192.168.1.11 192.168.1.12"
nvram commit

If you also set up VPN client 2, change vpn_client1_ip_list above to vpn_client2_ip_list. Each IP address listed will automatically get sent through the tunnel. Once the VPN tunnel is established for the first time, if it drops the listed clients will no longer have internet access until the VPN tunnel is re-established or you reboot the router. I have tested this with Shibby's Tomato 102 on a Linksys E3000, and it works flawlessly.

Please use caution, however. Until you connect to the VPN for the first time, NO LEAKS will be prevented.

EDIT: I forgot to mention that if you want to change which IP's get routed through the VPN, you have to edit the vpn_client1<2>_ip_list variable, commit it to NVRAM, and restart the VPN client. I have not tested this at all, as once I had mine set up I haven't changed it. A router reboot *may* be required to get everything routing properly agian.

Also, I think that if you want to route the entire subnet through the VPN, instead of something like:

nvram set vpn_client1_ip_list="192.168.1.10 192.168.1.11 192.168.1.12"
nvram commit

You could use:

nvram set vpn_client1_ip_list="192.168.1.1/24"
nvram commit

I have not tested this, but the relevant bits in the script that add the clients to the route you want through the VPN accepts that as a valid IP address, so it *should* work. If someone tests that please respond here to let us know. If it does completely and you lose all access, simply reboot the router and it will restore to defaults.

This part:

if [ "$route_gateway_1" != "" ]
then
	VPN_IP_LIST=$(nvram get vpn_client1_ip_list)
	VPN_TBL=$(nvram get vpn_tbl_1)
	if [ "$VPN_TBL" == "" ]
	then
		VPN_TBL=101
	fi
elif [ "$route_gateway_2" != "" ]
then
	VPN_IP_LIST=$(nvram get vpn_client2_ip_list)
	VPN_TBL=$(nvram get vpn_tbl_2)
	if [ "$VPN_TBL" == "" ]
	then
		VPN_TBL=102
	fi
fi

Does NOT work for VPN Client 2 in Tomato.

In order to get this to work, I created TWO scripts instead, and replaced the above with:

VPN_IP_LIST=$(nvram get vpn_client1_ip_list)
VPN_TBL=$(nvram get vpn_tbl_1)
if [ "$VPN_TBL" == "" ]
then
	VPN_TBL=101
fi

For VPN client 1 and:

VPN_IP_LIST=$(nvram get vpn_client2_ip_list)
VPN_TBL=$(nvram get vpn_tbl_2)
if [ "$VPN_TBL" == "" ]
then
	VPN_TBL=102
fi

For VPN client 2.

Then saved both those scripts to nvram so I have two:

/root/vpn_route.sh

/root/vpn_route2.sh

Then in the advanced config for VPN client 2, I changed it to use vpn_route2.sh instead of vpn_route.sh.

There's likely a way to build that in to the script so you only need one, but I have never actually written a bash script, so I don't know how it would work.

Also, this part:

Also, I think that if you want to route the entire subnet through the VPN, instead of something like:

nvram set vpn_client1_ip_list="192.168.1.10 192.168.1.11 192.168.1.12"
nvram commit

You could use:

nvram set vpn_client1_ip_list="192.168.1.1/24"
nvram commit

I have not tested this, but the relevant bits in the script that add the clients to the route you want through the VPN accepts that as a valid IP address, so it *should* work. If someone tests that please respond here to let us know. If it does completely and you lose all access, simply reboot the router and it will restore to defaults.

does NOT work. the vpn_client1_ip_list and vpn_client2_ip_list variables must just be a list of ip addresses you want routed over the VPN. I tested this thoroughly, and as soon as you include the subnet things stop working. I should also mention that I've had trouble if I include my router's LAN IP in the list of IP's to route. It seems to break DNS in some cases if you add it. So, don't add your router's IP to the list and you'll be fine. Using the subnet in the list of ip's may be related to this, as when you do so the router's IP would be part of the list. This has the benefit that your router will still be accessible externally via your ISP connection, so any clients inside your LAN that aren't routed through the VPN can be accessed with port forwards as normal.

Clients that ARE routed through the VPN that you would like port forwards for, you must add a line to the firewall script (Administration -> Scripts -> Firewall) that look like:

iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 12345 -j DNAT --to-destination 192.168.1.10
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 12345 -j DNAT --to-destination 192.168.1.10
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 23456 -j DNAT --to-destination 192.168.1.12:22
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 23456 -j DNAT --to-destination 192.168.1.12:22

The first two forward port 12345 (tcp and udp) internally to 192.168.1.10

The second two forward port 23456 (tcp and udp) internally to 192.168.1.12 on port 22.

Cheers!

I have a wnr3500l v2 router running Tomato Firmware 1.28.0000 MIPSR2-102 K26 USB AIO. I have both vpn clients set up using lfjeff script found here (http://www.linksysinfo.org/index.php?threads/any-way-to-bypass-vpn-selectively.33468/, post #43) and edited using ?PsychoWolf script found here (https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=5540&Itemid=142). What I would like to do know is have certain destination websites bypass the vpn and go thru the wan gateway. For example if someone typed in google.com it would skip the vpn and go thru with my ISP address. Is this possible and if so how do I do it? I have 5 computers connected to my router and everything is routed where I want it to thru the two vpn clients.Thank you for any help.

The second page of the thread I linked to at linksysinfo.org has instructions to help you do what you want, but it's not bulletproof especially in the case of Google, where they have many many IPs.

(I realize your post is over a month old, but I figured I would respond here in case others see this and want to know the same thing)