DD-WRT iptables question

Discussion in 'privacy technology' started by Fawkesguy, Jan 29, 2013.

Thread Status:
Not open for further replies.
  1. Fawkesguy

    Fawkesguy Registered Member

    Hi everyone,

    My first post. Hope I've picked the correct forum. :)

    First off, I'm not very tech savvy - getting my router (Netgear WNDR4000) working with DD-WRT and AirVPN is the result of much searching, copying and pasting... not my ability. :D

    Anyway, here's my issue. First, here's the setup:

    I have three devices that I want to bypass the VPN. This is how I've done it.

    nvram set no_vpn_lst="192.168.1.51 192.168.1.50 192.168.1.110 "
    nvram commit

    Then this is my startup script:
    #!/bin/sh
    # Give the router time to bring up the WAN before reading nvram.
    sleep 30
    NO_VPN_LST=$(nvram get no_vpn_lst)
    # Quote the list: unquoted, a multi-address value turns [ -z ] into
    # "too many arguments" instead of an empty-list test.
    [ -z "$NO_VPN_LST" ] && exit 0
    # Wait until DD-WRT has learned the real WAN gateway.
    WAN_GWAY="0.0.0.0"
    while [ -z "$WAN_GWAY" ] || [ "$WAN_GWAY" = "0.0.0.0" ]; do
        sleep 3
        WAN_GWAY=$(nvram get wan_gateway)
    done
    # Table 10 sends traffic straight to the WAN gateway, never into tun1.
    ip route add default via "$WAN_GWAY" table 10
    # Policy rule: packets sourced from a bypass address are looked up in table 10.
    for ipa in $NO_VPN_LST; do
        ip rule add from "$ipa" table 10
    done
    ip route flush cache
    exit 0

    That all works fine. Those three IPs bypass the VPN. Great.

    Here is what's in my firewall:

    # LAN (br0) <-> VPN tunnel (tun1) is allowed in both directions
    iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
    iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
    # Kill switch: nothing from the LAN may leave via the WAN (vlan2) directly
    iptables -I FORWARD -i br0 -o vlan2 -j DROP
    # The router itself does not accept connections arriving over the tunnel
    iptables -I INPUT -i tun1 -j REJECT
    # NAT LAN traffic onto the tunnel address
    iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
    # Port forward 2076 (TCP and UDP) arriving over the tunnel to 192.168.1.111
    iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 2076 -j DNAT --to-destination 192.168.1.111
    iptables -t nat -I PREROUTING -i tun1 -p udp --dport 2076 -j DNAT --to-destination 192.168.1.111

    This line: "iptables -I FORWARD -i br0 -o vlan2 -j DROP" is what stops all traffic if the VPN goes down. I've tested it and it works great. However, it also stops the three IPs mentioned above from accessing the Internet as well. If I remove that line, those three IPs are outside of the VPN and work fine. But then the rest of my network, which is going through the VPN, will continue to access the Internet even if the VPN goes down.

    My question is, how do I allow those three IPs to bypass the VPN and always have access even if the VPN drops, while stopping everything else (which is going through the VPN) if the VPN drops?

    I hope that all makes sense. I'd appreciate any help, and I apologize if I've posted this in the wrong forum.

    Thanks
    Guy
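One way to get the behaviour asked for above, as an added example that is not from the thread or from DD-WRT itself: keep the catch-all DROP for LAN-to-WAN traffic, but insert one ACCEPT per bypass address in front of it. Because `iptables -I` puts each new rule at the top of the chain, the DROP is issued first and the ACCEPTs afterwards, so the bypass hosts are matched before the DROP and everything else on the LAN still loses Internet access the moment tun1 goes away. The interface names (br0 for the LAN, vlan2 for the WAN) are taken from the post; the function names `valid_ipv4`, `killswitch_rules` and `apply_killswitch`, and the `IPT` variable, are chosen here and are not DD-WRT conventions.

```shell
#!/bin/sh
# Added example (not from the thread): VPN kill switch with a bypass allowlist.
# IPT can be overridden (IPT=echo) to preview the rules without touching the firewall.
IPT="${IPT:-iptables}"

# Accept only dotted quads with four numeric octets in 0-255, so a typo in
# no_vpn_lst cannot silently produce an iptables rule that matches nothing.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    # Split on dots in a subshell so the caller's IFS is left untouched.
    (
        IFS=.
        n=0
        for o in $1; do
            [ "$o" -le 255 ] || exit 1
            n=$((n + 1))
        done
        [ "$n" -eq 4 ]
    )
}

# Emit the FORWARD rules, one per line, in the order they must be issued:
# the DROP first, then one ACCEPT per bypass host. With -I each later line
# lands above the earlier ones, so the ACCEPTs end up above the DROP.
# Arguments: "<space-separated LAN IPs>" [lan-iface] [wan-iface]
killswitch_rules() {
    lst="$1"; lan="${2:-br0}"; wan="${3:-vlan2}"
    for ipa in $lst; do
        valid_ipv4 "$ipa" || { echo "bad entry in bypass list: $ipa" >&2; return 1; }
    done
    echo "-I FORWARD -i $lan -o $wan -j DROP"
    for ipa in $lst; do
        echo "-I FORWARD -s $ipa -i $lan -o $wan -j ACCEPT"
    done
}

# Apply the rules with $IPT. With no argument the list is read from the same
# nvram variable the startup script uses (no_vpn_lst).
apply_killswitch() {
    lst="${1:-$(nvram get no_vpn_lst)}"
    rules=$(killswitch_rules "$lst") || return 1
    echo "$rules" | while read -r rule; do
        # word-splitting $rule into separate arguments is intended
        $IPT $rule
    done
}

# On the router, call apply_killswitch from the firewall script in place of the
# single "iptables -I FORWARD -i br0 -o vlan2 -j DROP" line.
```

Set `IPT=echo` before calling `apply_killswitch "192.168.1.51 192.168.1.50 192.168.1.110"` to see the three rules it would issue. The existing tun1 and NAT rules stay as they are; since the post says the three hosts already reach the Internet once the DROP line is removed, the router's normal WAN masquerade is in place and nothing extra is needed for them. The allowlist is only as reliable as the addresses themselves, so the bypass hosts should keep fixed addresses (static or DHCP reservations), which is also what the `ip rule add from` lines in the startup script depend on.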
  2. caspian

    caspian Registered Member

    I just looked up DD-WRT. I don't really understand it. But is it supposed to make VPNs more secure?
  3. Fawkesguy

    Fawkesguy Registered Member

    It's a Linux-based operating system that can replace the firmware on many different consumer routers, like mine. It allows me to run OpenVPN on my router and protect my entire network as opposed to installing VPN client software on every device.
  4. mirimir

    mirimir Registered Member

    I don't know DD-WRT, but I do see vlan2 in your firewall rules. Does DD-WRT do VLANs? If so, maybe you could route VPN and non-VPN traffic through separate VLANs, and use a smart switch. You wouldn't need to use static IPs on everything, and modify your DD-WRT setup whenever devices change.
  5. Fawkesguy

    Fawkesguy Registered Member

    Yes, DD-WRT does VLANs, but that's about as much as I know. Like I said, lots of copying and pasting. :)

    If anyone is familiar with DD-WRT and iptables, and could walk me through configuring it for what I'm trying to accomplish, I'd really appreciate it!
  6. caspian

    caspian Registered Member

    Thanks for explaining.