
Bypassing VPN for certain ip addresses

Discussion in 'Networking Issues' started by N3vrN3vr, Nov 30, 2017.

  1. N3vrN3vr (New Member)

    Hi everyone

    I have spent hours reading the forums, but most of the threads are about setups where the VPN router is a client or only allowing the VPN to run on specific IPs.

    I have tried adding this script to the WAN up tab under admin/scripts:

    # disable reverse-path filtering so replies arriving on the WAN are not dropped
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    # start from an empty mangle PREROUTING chain
    iptables -t mangle -F PREROUTING
    # table 200: default route via the WAN gateway, used for marked packets
    ip route add default table 200 via 192.168.1.1
    ip rule add fwmark 1 table 200
    ip route flush cache
    # mark everything coming from the excluded LAN host
    iptables -t mangle -I PREROUTING -i br0 -s 192.168.1.122/32 -j MARK --set-mark 1

    When I use this script and check my external IP it still shows the VPN.

    When I use this one my vpn shows connected but the excluded device will not connect to the internet:

    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    iptables -t mangle -F PREROUTING
    ip route add default table 200 via 192.168.1.1
    ip rule add fwmark 1 table 200
    ip route flush cache
    iptables -t mangle -I PREROUTING -i br0 -s 192.168.1.11/32 -j MARK --set-mark 1


    I have tried other settings but I didn't get anywhere.
  2. Bunsen (New Member)

    So table 200 only has a default route and nothing else?
    Are you using the "route-noexec" directive in your VPN additional config?
    This setting in the config changes whether the WAN interface or the VPN interface is used by devices by default.
    When the VPN connects it will configure its routes:
    - Including the "route-noexec" will prevent it from altering the routes, meaning that the connected devices will continue to use the WAN-interface [public ip]. You can then use the iptables rules to mark the traffic to/from specific devices/ips/ports/etc indicating that it should use the VPN-interface.
    - NOT including the "route-noexec" will allow the VPN to make its routing changes, meaning that connected devices will use the VPN-interface [vpn ip]. You can then use the iptables rules to mark the traffic to/from specific devices/ips/ports/etc indicating that it should use the WAN-interface.
    I'd like to point you to a couple of great scripts that have already been created by another member of the forum, Eibgrad:
    - For DD-WRT:
    https://pastebin.com/W2P3TDZT (basic script)
    https://pastebin.com/nC27ETsp (advanced script)
    - For Tomato:
    https://pastebin.com/xEziw8Pq (basic script)
    https://pastebin.com/GMUbEtGj (advanced script)
    I'd recommend starting with those.
    Hope this helps.
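A complete WAN-up script for the second approach Bunsen describes (the VPN installs its routes, marked hosts are steered out the WAN), added here as an example and not the poster's, Eibgrad's or the forum's code; the interface names, LAN subnet and WAN next hop are assumptions you must adjust for your router. Set DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's or Eibgrad's script. Assumptions (constructed):
# LAN bridge br0 on 192.168.1.0/24, WAN device and next hop as set below, and the
# VPN left to install its routes (no "route-noexec"), so marked hosts go out the
# WAN while every other device stays on the VPN.
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-vlan2}"       # assumed name; check `ip route` on your router
WAN_GW="${WAN_GW:-192.168.1.1}" # must be the upstream gateway on the WAN side,
                                # not the router's own LAN address
TABLE=200
MARK=1

# run CMD...: print the command when DRY_RUN=1, otherwise execute it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# setup_bypass IP...: route traffic from the listed LAN hosts around the VPN.
setup_bypass() {
  # The kernel applies the larger of conf/all and conf/<dev>, so setting only
  # "all" to 0 (as in the question) does not relax a per-interface value of 1.
  # Loose mode (2) is enough for replies arriving on the WAN interface.
  run sysctl -w net.ipv4.conf.all.rp_filter=2
  run sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=2"
  # Table 200 holds a single default route via the WAN next hop. "replace" keeps
  # the script re-runnable from a WAN-up hook without "File exists" errors.
  run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
  # Marked packets consult table 200 before the main table (which the VPN edits).
  run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null
  run ip rule add fwmark "$MARK" table "$TABLE"
  # Mark traffic from each excluded host as it enters from the LAN, but leave
  # LAN-to-LAN traffic alone so it is not pushed onto the WAN default route.
  for ip in "$@"; do
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$ip/32" \
        ! -d "$LAN_NET" -j MARK --set-mark "$MARK"
  done
  run ip route flush cache
}

# show_bypass: what to inspect when an excluded host still shows the VPN address.
show_bypass() {
  run ip rule show
  run ip route show table "$TABLE"
  run iptables -t mangle -L PREROUTING -v -n
}
```

Run `setup_bypass 192.168.1.122` from the WAN-up hook, then `show_bypass` to confirm the rule, the table 200 route and the packet counters on the MARK rule are all present.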
