Active Bypass

## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and set value(s) as needed to customize your rules
#
# IP ADRESS RANGE OR SINGLE IP ADDRESS
#ip_src_lst="192.168.1.104-192.168.1.106 192.168.1.15"
#ip_src_lst="192.168.1.9 192.168.1.29"
#ip_dst_lst=""
## CIDR NOTATION or SINGLE IP ADDRESS - E. G. "98.207.0.0/16 74.125.229.0/24 80.130.125.163"
#cidr_src_rnge=""
#cidr_dst_rnge=""

#################################################################
# CHANGE MARK VALUE(S) (0 or 1) IN FOR LOOPS BELOW IF NECESSARY #
#################################################################

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
#  List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
#  Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
#  To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING

#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Let's find out the tunnel interface
#
iface_lst=`route | awk ' {print $8}'`
for tun_if in $iface_lst; do
    if [ $tun_if == "tun11" ] || [ $tun_if == "tun12" ] || [ $tun_if == "ppp0" ]; then
    break
  fi
done

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first,
#  so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
#  All traffic from a specific Internet IP address range USING CIDR NOTATION will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -s  74.125.229.0/24 -j MARK --set-mark 0
#
#  All traffic to a specific Internet IP address range USING CIDR NOTATION will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -d  98.207.0.0/16 -j MARK --set-mark 0
#
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0

for ip_addrs in $ip_src_lst ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range "$ip_addrs" -j MARK --set-mark 1
done

for ip_addrs in $ip_dst_lst ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range "$ip_addrs" -j MARK --set-mark 0
done

for ip_rnge in $cidr_src_rnge ; do
  iptables -t mangle -A PREROUTING -i br0 -s "$ip_rnge" -j MARK --set-mark 0
done

for ip_rnge in $cidr_dst_rnge ; do
  iptables -t mangle -A PREROUTING -i br0 -d "$ip_rnge" -j MARK --set-mark 0
done