DD-WRT iptables question

Hi everyone,

My first post. Hope I've picked the correct forum.

First off, I'm not very tech savvy - getting my router (Netgear WNDR4000) working with DD-WRT and AirVPN is the result of much searching, copying and pasting......not my ability.

Anyway, here's my issue. First, here's the setup:

I have three devices that I want to bypass the VPN. This is how I've done it.

nvram set no_vpn_lst="192.168.1.51 192.168.1.50 192.168.1.110 "
nvram commit

Then this is my startup script:
#!/bin/sh
sleep 30
NO_VPN_LST=`nvram get no_vpn_lst`
[ -z $NO_VPN_LST ] && exit 0
WAN_GWAY="0.0.0.0"
while [ $WAN_GWAY == "0.0.0.0" ]; do
sleep 3
WAN_GWAY=`nvram get wan_gateway`
done
ip route add default via $WAN_GWAY table 10
for ipa in $NO_VPN_LST; do
ip rule add from $ipa table 10
done
ip route flush cache
exit 0

That all works fine. Those three IP's bypass the VPN. Great.

Here is what's in my firewall:

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 2076 -j DNAT --to-destination 192.168.1.111
iptables -t nat -I PREROUTING -i tun1 -p udp --dport 2076 -j DNAT --to-destination 192.168.1.111

This line: "iptables -I FORWARD -i br0 -o vlan2 -j DROP" is what stops all traffic if the VPN goes down. I've tested it and it works great. However, it also stops the three IP's mentioned above from accessing the Internet as well. If I remove that line, those three IP's are outside of the VPN and work fine. But then the rest of my network which is going through the VPN will continue to access the Internet even if the VPN goes down.

My question is, how do I allow those three IP's to bypass the VPN and always have access even if the VPN drops, while stopping everything else (which is going through the VPN) if the VPN drops?

I hope that all makes sense. I'd appreciate any help, and I apologize if I've posted this in the wrong forum.

Thanks
Guy

 

I just looked up DD-WRT. I don't really understand it. But is it suppose to make VPN's more secure?

 

It's a Linux-based operating system that can replace the firmware on many different consumer routers, like mine. It allows me to run OpenVPN on my router and protect my entire network as opposed to installing VPN client software on every device.

 

I don't know DD-WRT, but I do see vlan2 in your firewall rules. Does DD-WRT do vLANs? If so, maybe you could route VPN and non-VPN traffic through separate vLANs, and use a smart switch. You wouldn't need to use static IPs on everything, and modify your DD-WRT setup whenever devices change.

 

Yes, DD-WRT does vlans, but that's about as much as I know. Like I said, lots of copying and pasting.

If anyone is familiar with DD-WRT and iptables, and could walk me through configuring it for what I'm trying to accomplish, I'd really appreciate it!

 

Thanks for explaining.