Selective routing script

#!/bin/sh

# (Credit to SmallNetBuilder member DJR747 and Jobongo's Wiki - Howto Set SSID VPN)

# This script 'VPN_Select.sh' allows selective VPN routing:
#
#   A single device, or
#   A range of devices, or
#   A subnet
#   A Guest WiFi SSID
#
#	The optional args passed to this script is a list of Guest SSID interfaces:
#   e.g.
#		wl1.3					# 5GHz Guest #3 will use this VPN (if defined in /etc/dnsmasq.conf)
#		wl0.1 wl1.3				# 2.4GHz Guest #1 and 5GHz Guest #3 will use this VPN (if defined in /etc/dnsmasq.conf)
#		*"						# All Guests defined in /etc/dnsmasq.conf will use this VPN.

# The following two custom variables are used:
#
#  e.g. Table 100 will be used and any device tagged with 'fwmark 1' (ON/OFF) will use this VPN Client

#MY_VPNTAB=100				# Now read from /jffs/configs/VPNSelect
#TAG_MARK=1					# Now read from /jffs/configs/VPNSelect


# To overcome timing issues, this method relies on the VPN Client custom configuration to call this script.

#    The following VPN client custom configuration directives MUST be defined:
#    *************************************************************************
#        route-nopull
#        script-security 2
#        route-up "/jffs/scripts/VPN_Select.sh  [Guest_SSID_interfaces]"
#   **************************************************************************

# These optional VPN client custom configuration directives help to keep the VPN connection alive,
#       although the Host VPN server can terminate the connection based on their lease renewal policy

#inactive 0
#keepalive 5 60


# Also /jffs/configs/dnsmasq.conf must also define the Guest WiFi interface to be used by this VPN
#       So include the following three directives in /jffs/configs/dnsmasq.config.add
#
#       e.g. wl0.1 represents 2.4GHz Guest #1 aka '241' octet
#            so
#            wl1.3 5GHz Guest #3 would use '53' octet ...to aid debugging! connection by I/P
#
#			interface=wl0.1
#			dhcp-range=wl0.1,192.168.241.2,192.168.241.20,255.255.255.0,21600s
#			dhcp-option=wl0.1,3,192.168.241.1


# NOTE: These commands may be specified in wan-start to block ALL WAN access except http/https until the VPN Client is UP
#       i.e. when this script runs.

#       iptables -I FORWARD -i br0 -s xxx.xxx.xxx.0/24 -o `nvram get wan0_ifname` -j DROP
#       iptables -I FORWARD -s xxx.xxx.xxx.0/24 -o ! $dev -p tcp --dport 80 -j ACCEPT
#       iptables -I FORWARD -s xxx.xxx.xxx.0/24 -o ! $dev -p tcp --dport 443 -j ACCEPT

#       iptables -I FORWARD -s xxx.xxx.xxx.0/24 -o ! $dev -p tcp -m multiport --dport 80,443,25,110,143,8888 -j ACCEPT


logger -s -t "($(basename $0))" $$ OpenVPN Client`echo -n $dev | tail -c -1` Selective routing starting.... " $0${*:+ $*}"

MYROUTER=$(nvram get computer_name)
USEPATH="/tmp/mnt/$MYROUTER"


# Get the values from /jffs/scripts/configs/VPNSelect
VPN_ID=`echo -n $dev | tail -c -1`
MY_VPNTAB=`grep -i "VPN$VPN_ID" /jffs/configs/VPNSelect  | awk '{print $2}'`
TAG_MARK=`grep -i "VPN$VPN_ID" /jffs/configs/VPNSelect  | awk '{print $3}'`
#MY_VPNTAB=100				# Now read from /jffs/configs/VPNSelect
#TAG_MARK=1					# Now read from /jffs/configs/VPNSelect

# Use the OpenVPN environment variables
if [ "X$dev" = "X" ]; then
   logger -s -t "($(basename $0))" $$ "*** ERROR not called by VPN Client route-up?...ABORTing!"
   exit
fi
# Create new table to route VPN traffic when tagged with MARK. (Credit to SmallNetBuilder member DJR747)
#        or to be associated with a WiFi Guest SSID.
ip route flush table $MY_VPNTAB
ip rule del fwmark $TAG_MARK $MY_VPNTAB
ip rule del table $MY_VPNTAB

ip route flush cache
iptables -t mangle -F PREROUTING


# Disable Reverse Path Filtering on current VPN network interface:
echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter

logger -s -t "($(basename $0))" $$ "CMD: ip route add default via $ifconfig_local dev $dev table $MY_VPNTAB"
ip route add default via $ifconfig_local dev $dev table $MY_VPNTAB
logger -s -t "($(basename $0))" $$ "CMD: ip rule add fwmark $TAG_MARK table $MY_VPNTAB"
ip rule add fwmark $TAG_MARK table $MY_VPNTAB

# Mark the Guest SSID(s) to use this VPN Client

GUEST_IFS=${*:+ $*}			# List of Guest WiFi interfaces to use this VPN

if [ "$GUEST_IFS" != "" ];then
   for GUEST_IF in $GUEST_IFS
   do
	  SSID=$(nvram get $GUEST_IF"_ssid")
      logger -s -t "($(basename $0))" $$ "SSID $SSID is being configured to use OpenVPN Client`echo -n $dev | tail -c -1`....."
	  # Validate the Guest SSID(s) to be forced to use this VPN
	  GUEST_IF_IP=`grep -i "dhcp-option=$GUEST_IF,3" /etc/dnsmasq.conf  | awk 'BEGIN { FS = "," } {print $3}'`		# Extract I/P from 'dhcp-option=$GUEST_IF,3,10.88.241.1'
	  GUEST_SUBNET_PREFIX=`echo $GUEST_IF_IP | awk 'BEGIN { FS = "." } {print $1"."$2"."$3}'`						# Extract first three octets of I/P
	  logger -s -t "($(basename $0))" $$ "     Lookup '$GUEST_IF' in DNSMASQ returned:>$GUEST_IF_IP< and Subnet Prefix >$GUEST_SUBNET_PREFIX<"
	  if [ "$GUEST_IF_IP" != "" ];then
         logger -s -t "($(basename $0))" $$ "     CMD: ip rule add dev $GUEST_IF table $MY_VPNTAB"
		 ip rule del dev $GUEST_IF
         ip rule add dev $GUEST_IF table $MY_VPNTAB
	     logger -s -t "($(basename $0))" $$ "SSID $SSID is configured to use OpenVPN Client`echo -n $dev | tail -c -1`."
	  else
	     logger -s -t "($(basename $0))" $$ "*** ERROR SSID $SSID cannot be configured to use OpenVPN Client`echo -n $dev | tail -c -1`."
	  fi
   done
fi

# To list if custom MARK tables exist use
#
# ip rule
logger -s -t "($(basename $0))" $$ "CMD: ip rule"
logger -s -t "($(basename $0))" $$ "     `ip rule`"

# To list if custom route tables exist use
#
# ip route show table $MY_VPNTAB
logger -s -t "($(basename $0))" $$ "CMD: ip route show table $MY_VPNTAB"
logger -s -t "($(basename $0))" $$ "     `ip route show table $MY_VPNTAB`"

# If the VPN isn't firewalled by the ISP, then this rule should protect inbound access to the router
#iptables -I INPUT -i $dev -p tcp --dport 0:1023 -m state --state NEW -j DROP

# Select the I/P devices to be routed.
# ====================================


if [ -e "/jffs/scripts/VPN_Select_ON_OFF.sh" ]; then
   # Call VPN_select_ON_OFF [host.dnsmasq | ip_address | KEY_tag] [ON | OFF] {FORCE}
   #
   #
   #      where  Host.dnsmasq will be matched against /etc/hosts.dnsmasq contents
   #
   #             Key_tag      will be matched against /mnt/$MYROUTER/VPN_MASKS.txt
   #
   #             FORCE        will ensure designated target will ONLY use the VPN.
   #
   # Use HOSTS.DNSMASQ lookup to resolve PS3-Bedroom and ensure it ONLY uses the VPN
   if [ -e "/jffs/scripts/VPN_Select_ON_OFF.sh" ]; then
      /jffs/scripts/VPN_Select_ON_OFF.sh PS3-Bedroom ON FORCE
      # Others that are not individual I/P addresses.......
      #/jffs/scripts/VPN_Select_ON_OFF.sh ALL ON
      #/jffs/scripts/VPN_Select_ON_OFF.sh ANDROID ON
   fi
else
   # Explicitly select the I/P devices to be routed.

   logger -s -t "($(basename $0))" $$ "Manually issue iptables -t mangle -A PREROUTING -i br0 commands"
   # Examples for routing a specific device, all devices on the subnet or a range of devices via VPN
   #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.xxx -j MARK --set-mark $TAG_MARK
   #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.0/24 -j MARK --set-mark $TAG_MARK
   #iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.nnn-xxx.xxx.xxx.nnn+y -j MARK --set-mark $TAG_MARK

   # Example for routing a specific port via VPN
   # iptables -t mangle -A PREROUTING -i br0 -s xxx.xxx.xxx.xxx -p tcp --dport ppppp -j MARK --set-mark $TAG_MARK
fi


# Debug the routing tables
if [ -e "/jffs/scripts/IPTablesDump.sh" ]; then
   /jffs/scripts/IPTablesDump.sh "VPN_Client_Select"`echo -n $dev | tail -c -1`
fi

logger -s -t "($(basename $0))" $$ OpenVPN Client`echo -n $dev | tail -c -1` Selective routing completed....