Untitled

a guest
Sep 13th, 2017
Selective routing, a.k.a. split tunneling, is required if one wants to route a number of LAN devices through the VPN tunnel while the remaining devices keep going through the ISP as they did before.

In order to introduce selective routing on DD-WRT, some changes have to be made to our script.

Initially our script looks like this:

#!/bin/sh
USERNAME="YourNordVPNusername"
PASSWORD="YourNordVPNpassword"

PROTO="udp"
TUN="tun1"
REMOTE="remote 85.159.233.233 1194"

CA_CRT='-----BEGIN CERTIFICATE-----
MIIExzCCA6+gAwIBAgIJAIQgKiQRmISyMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEZMBcGA1UEAxMQbmw0Ny5ub3JkdnBu
LmNvbTEQMA4GA1UEKRMHTm9yZFZQTjEfMB0GCSqGSIb3DQEJARYQY2VydEBub3Jk
dnBuLmNvbTAeFw0xNjEyMTUxMzI5MTlaFw0yNjEyMTMxMzI5MTlaMIGdMQswCQYD
VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEZMBcGA1UEAxMQbmw0Ny5ub3JkdnBu
LmNvbTEQMA4GA1UEKRMHTm9yZFZQTjEfMB0GCSqGSIb3DQEJARYQY2VydEBub3Jk
dnBuLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANKnDD7yArdF
sGmfK1wHeGMQYhLCJKQkmHKp+DpyMrhqJFNWlkl1LbZu+qRuc1eyOuFBqOdAUCKY
1B8URdhfHVMcs+IlLNG50tfCgCXmWGLdQ3gOk5k2mA8ZBloJyIVnC26+Cj0Aki0j
/N/E5ond6/2VKkG2AR7k9TB2qPyMKlExga3o9nGxj/TYA/JNNMU3f6Izcsx3/Biq
oYpy/h7Ckqrlg6dccBGx6QdPEIYAlCZHWddkNrWA8r0h1HzdNuOO5wfCYLrRjECb
NoWAjSTG2EU12BNtsYu0G/EGxx2fF4F27HLN7Hh0EEx6Zh7VKotnozPzwuEAkABA
1l92wCAWM+0CAwEAAaOCAQYwggECMB0GA1UdDgQWBBTAMsO6FHhsL2alA5uzQxem
SR4CsjCB0gYDVR0jBIHKMIHHgBTAMsO6FHhsL2alA5uzQxemSR4CsqGBo6SBoDCB
nTELMAkGA1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAO
BgNVBAoTB05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGTAXBgNVBAMTEG5sNDcu
bm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNl
cnRAbm9yZHZwbi5jb22CCQCEICokEZiEsjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4IBAQBx7T8RQe5+MqjLwCvpmKD4II130cpWejO8GNFamjRHTLto8Fys
bKZHVX0JqmG2ps/7ypbpNvtVcYRwRNOfms7wDr1tmygrRg8Kydnp5kvNDyYzGWjJ
Tfuax9jcht4Uqxx1hDWlY/DF/+i6+Rn4+0OtHSbbls3RamtOUR/rvVLk9N8LO8J5
yNFQH2F4SD6EqbMV1R69dDKe/9TCFG1CbcZg6slD2cwbaMO7WTmzYpVtkFP1rOX7
BWL0aAT4/q0jwjoaq31Lnm2d1Cu7zOgrvLi39Lt0sRZ6Sqj5evnJ2SMruoBeqUiC
260tamxTFnA0NrCo578JAZC1k9UF3/GWwVKZ
-----END CERTIFICATE-----'

TLS_AUTH='-----BEGIN OpenVPN Static key V1-----
7ebced42abcaa86981fae997026bf1b8
934a6a01f0b679dc23b890717a508a6c
263fe6663e33edf987d4ba5ed8146701
a35e71213fd9fd7ba02caf64bb1527d6
182ea79158b809c2016b83652e473c26
895a581a4aff4a63b7069228d28d5c5b
d827ec675dad94dae2ac7066ffdff1fe
143f3494dfa4473aaca055af86ef3028
123c247eb0bb9fc72d34a794dcce2db4
4906dfdba554d79423ca1e8f86d35e8e
449fe28e8898064cc91ddec802e526bb
ea49f64973f8c61ee36f45a2315baac8
b52bea5f9a760ac8215fdce272c14743
d4ab8dd5a4826818dc2093c0d9db2f64
5aaccd9ed6d8f1e078f9e435b45ea373
5ced080d87ac70d9555e2fd95ae452ed
-----END OpenVPN Static key V1-----'

#### Don't modify below here ####

#### Ensure gui client disabled ####
if [ "$(nvram get openvpncl_enable)" != 0 ]; then
    nvram set openvpncl_enable=0
    nvram commit
    sleep 10
fi

# Abort if the working directory cannot be entered, so the credentials are
# never written into whatever directory the script happened to start in.
mkdir -p /tmp/vpncl; cd /tmp/vpncl || exit 1

# Create all files readable by root only; the chmod below sets the final modes.
umask 077

echo -e "$USERNAME\n$PASSWORD" > userpass.txt

# Hook scripts that OpenVPN runs when the tunnel comes up (--route-up)
# and just before it goes down (--down-pre).
echo "#!/bin/sh
iptables -t nat -I POSTROUTING -o $TUN -j MASQUERADE" > route-up.sh

echo "#!/bin/sh
iptables -t nat -D POSTROUTING -o $TUN -j MASQUERADE" > route-down.sh

echo "$CA_CRT" > ca.crt
echo "$TLS_AUTH" > tls-auth.key
sleep 10

echo "client
dev $TUN
proto $PROTO

$REMOTE
resolv-retry infinite
nobind

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

persist-key
persist-tun
keepalive 5 30

comp-lzo
mute 20
verb 3
log-append vpn.log
fast-io

auth-user-pass userpass.txt
script-security 2
remote-cert-tls server
cipher AES-256-CBC

ca ca.crt
tls-auth tls-auth.key 1

daemon" > openvpn.conf

chmod 600 ca.crt tls-auth.key userpass.txt openvpn.conf; chmod 700 route-up.sh route-down.sh

# Replace any running OpenVPN instance with one using this configuration.
(killall openvpn ; openvpn --config openvpn.conf --route-up /tmp/vpncl/route-up.sh --down-pre /tmp/vpncl/route-down.sh) &

exit 0

The main focus is on these lines:

echo "#!/bin/sh
iptables -t nat -I POSTROUTING -o $TUN -j MASQUERADE" > route-up.sh

echo "#!/bin/sh
iptables -t nat -D POSTROUTING -o $TUN -j MASQUERADE" > route-down.sh

because OpenVPN runs them when the tunnel comes up and goes down, so they determine how traffic is routed while connected to the VPN and after disconnecting from it.

In order to route only a few IP addresses through the VPN connection we can change these lines into the following:

echo "#!/bin/sh
iptables -t nat -I POSTROUTING -o $TUN -j MASQUERADE
ip route add default dev $TUN table 200
ip rule add from 192.168.2.198 table 200
ip route flush cache
iptables -I FORWARD -s 192.168.2.198 -o wl0 -j DROP" > route-up.sh

echo "#!/bin/sh
iptables -t nat -D POSTROUTING -o $TUN -j MASQUERADE
ip route del default dev $TUN table 200
ip rule del from 192.168.2.198 table 200
ip route flush cache
iptables -D FORWARD -s 192.168.2.198 -o wl0 -j DROP" > route-down.sh

The changes made to route-up.sh are as follows:

ip route add default dev $TUN table 200 - sets the default route of routing table 200 to $TUN, i.e. the "tun1" interface (our VPN).
ip rule add from 192.168.2.198 table 200 - adds a policy rule so that packets sourced from 192.168.2.198 are looked up in table 200.
iptables -I FORWARD -s 192.168.2.198 -o wl0 -j DROP - drops every packet that would be forwarded directly from 192.168.2.198 out of the wl0 interface (Wi-Fi), bypassing the tunnel.

The lines in route-down.sh undo the previously issued instructions.

Also, this line:

chmod 600 ca.crt tls-auth.key userpass.txt openvpn.conf; chmod 700 route-up.sh route-down.sh

has to be changed into:

chmod 600 ca.crt tls-auth.key userpass.txt openvpn.conf; chmod 777 route-up.sh route-down.sh

because in some cases mode 700 is not enough.
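The following generator, an added example and not code from the original paste, builds route-up.sh and route-down.sh for several split-tunneled LAN hosts at once, generalising the single-address version above, and writes them with mode 755 rather than 777. It runs anywhere a POSIX shell is available; only the generated scripts need to run as root on the router. Assumed values: TUN, TABLE, the constructed HOSTS list, and WAN_IF, set here to vlan2 as the interface a kill-switch rule should block (the script above uses wl0).

```shell
#!/bin/sh
# Added example, not part of the original paste: build route-up.sh and
# route-down.sh for several split-tunneled LAN hosts instead of one.
# Assumed/constructed values: TUN, TABLE, WAN_IF and the HOSTS list.
TUN="tun1"
TABLE="200"
WAN_IF="vlan2"                        # assumed WAN interface; the script above used wl0
HOSTS="192.168.2.198 192.168.2.199"   # constructed sample addresses

# Print the script body for mode "up" (add rules) or "down" (remove the same rules).
gen_routing_script() {
    mode="$1"
    if [ "$mode" = "up" ]; then
        ip_op="add"; ipt_op="-I"
    elif [ "$mode" = "down" ]; then
        ip_op="del"; ipt_op="-D"
    else
        echo "usage: gen_routing_script up|down" >&2; return 1
    fi
    echo "#!/bin/sh"
    echo "iptables -t nat $ipt_op POSTROUTING -o $TUN -j MASQUERADE"
    # One default route in the side table, pointing at the tunnel.
    echo "ip route $ip_op default dev $TUN table $TABLE"
    for h in $HOSTS; do
        # Policy rule: packets sourced from this host are looked up in the side table.
        echo "ip rule $ip_op from $h table $TABLE"
        # Kill switch for this host: never forward its traffic straight to the WAN.
        # As in the script above it is removed on "down", so the host regains direct
        # WAN access while the tunnel is down; keep a permanent DROP if that is unwanted.
        echo "iptables $ipt_op FORWARD -s $h -o $WAN_IF -j DROP"
    done
    echo "ip route flush cache"
}

# Write both scripts into DIR. Mode 755 keeps them executable for every user
# without making them world-writable, which 777 would.
write_scripts() {
    dir="$1"
    gen_routing_script up > "$dir/route-up.sh" || return 1
    gen_routing_script down > "$dir/route-down.sh" || return 1
    chmod 755 "$dir/route-up.sh" "$dir/route-down.sh"
}
```

Call write_scripts /tmp/vpncl from the main script in place of the two echo blocks, then keep the same --route-up and --down-pre arguments.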