Selective routing, a.k.a. split tunneling, is required if one wants to route a number of LAN devices through the VPN tunnel, while the remaining devices keep going through the ISP as they did before.
In order to introduce selective routing on DD-WRT, some changes have to be made to our script.
Initially our script looks like this:
#!/bin/sh
USERNAME="YourNordVPNusername"
PASSWORD="YourNordVPNpassword"
PROTO="udp"
TUN="tun1"
REMOTE="remote 85.159.233.233 1194"
CA_CRT='-----BEGIN CERTIFICATE-----
MIIExzCCA6+gAwIBAgIJAIQgKiQRmISyMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEZMBcGA1UEAxMQbmw0Ny5ub3JkdnBu
LmNvbTEQMA4GA1UEKRMHTm9yZFZQTjEfMB0GCSqGSIb3DQEJARYQY2VydEBub3Jk
dnBuLmNvbTAeFw0xNjEyMTUxMzI5MTlaFw0yNjEyMTMxMzI5MTlaMIGdMQswCQYD
VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEZMBcGA1UEAxMQbmw0Ny5ub3JkdnBu
LmNvbTEQMA4GA1UEKRMHTm9yZFZQTjEfMB0GCSqGSIb3DQEJARYQY2VydEBub3Jk
dnBuLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANKnDD7yArdF
sGmfK1wHeGMQYhLCJKQkmHKp+DpyMrhqJFNWlkl1LbZu+qRuc1eyOuFBqOdAUCKY
1B8URdhfHVMcs+IlLNG50tfCgCXmWGLdQ3gOk5k2mA8ZBloJyIVnC26+Cj0Aki0j
/N/E5ond6/2VKkG2AR7k9TB2qPyMKlExga3o9nGxj/TYA/JNNMU3f6Izcsx3/Biq
oYpy/h7Ckqrlg6dccBGx6QdPEIYAlCZHWddkNrWA8r0h1HzdNuOO5wfCYLrRjECb
NoWAjSTG2EU12BNtsYu0G/EGxx2fF4F27HLN7Hh0EEx6Zh7VKotnozPzwuEAkABA
1l92wCAWM+0CAwEAAaOCAQYwggECMB0GA1UdDgQWBBTAMsO6FHhsL2alA5uzQxem
SR4CsjCB0gYDVR0jBIHKMIHHgBTAMsO6FHhsL2alA5uzQxemSR4CsqGBo6SBoDCB
nTELMAkGA1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAO
BgNVBAoTB05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGTAXBgNVBAMTEG5sNDcu
bm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNl
cnRAbm9yZHZwbi5jb22CCQCEICokEZiEsjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4IBAQBx7T8RQe5+MqjLwCvpmKD4II130cpWejO8GNFamjRHTLto8Fys
bKZHVX0JqmG2ps/7ypbpNvtVcYRwRNOfms7wDr1tmygrRg8Kydnp5kvNDyYzGWjJ
Tfuax9jcht4Uqxx1hDWlY/DF/+i6+Rn4+0OtHSbbls3RamtOUR/rvVLk9N8LO8J5
yNFQH2F4SD6EqbMV1R69dDKe/9TCFG1CbcZg6slD2cwbaMO7WTmzYpVtkFP1rOX7
BWL0aAT4/q0jwjoaq31Lnm2d1Cu7zOgrvLi39Lt0sRZ6Sqj5evnJ2SMruoBeqUiC
260tamxTFnA0NrCo578JAZC1k9UF3/GWwVKZ
-----END CERTIFICATE-----'
TLS_AUTH='-----BEGIN OpenVPN Static key V1-----
7ebced42abcaa86981fae997026bf1b8
934a6a01f0b679dc23b890717a508a6c
263fe6663e33edf987d4ba5ed8146701
a35e71213fd9fd7ba02caf64bb1527d6
182ea79158b809c2016b83652e473c26
895a581a4aff4a63b7069228d28d5c5b
d827ec675dad94dae2ac7066ffdff1fe
143f3494dfa4473aaca055af86ef3028
123c247eb0bb9fc72d34a794dcce2db4
4906dfdba554d79423ca1e8f86d35e8e
449fe28e8898064cc91ddec802e526bb
ea49f64973f8c61ee36f45a2315baac8
b52bea5f9a760ac8215fdce272c14743
d4ab8dd5a4826818dc2093c0d9db2f64
5aaccd9ed6d8f1e078f9e435b45ea373
5ced080d87ac70d9555e2fd95ae452ed
-----END OpenVPN Static key V1-----'
#### Don't modify below here ####
#### Ensure gui client disabled ####
if [ `nvram get openvpncl_enable` != 0 ]; then
nvram set openvpncl_enable=0
nvram commit
sleep 10
fi
mkdir /tmp/vpncl; cd /tmp/vpncl
echo -e "$USERNAME\n$PASSWORD" > userpass.txt
echo "#!/bin/sh
iptables -t nat -I POSTROUTING -o $TUN -j MASQUERADE" > route-up.sh
echo "#!/bin/sh
iptables -t nat -D POSTROUTING -o $TUN -j MASQUERADE" > route-down.sh
echo "$CA_CRT" > ca.crt
echo "$TLS_AUTH" > tls-auth.key
sleep 10
echo "client
dev $TUN
proto $PROTO
$REMOTE
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
keepalive 5 30
comp-lzo
mute 20
verb 3
log-append vpn.log
fast-io
auth-user-pass userpass.txt
script-security 2
remote-cert-tls server
cipher AES-256-CBC
ca ca.crt
tls-auth tls-auth.key 1
daemon" > openvpn.conf
chmod 600 ca.crt tls-auth.key userpass.txt openvpn.conf; chmod 700 route-up.sh route-down.sh
(killall openvpn ; openvpn --config openvpn.conf --route-up /tmp/vpncl/route-up.sh --down-pre /tmp/vpncl/route-down.sh) &
exit 0
The main focus is on these lines:
echo "#!/bin/sh
iptables -t nat -I POSTROUTING -o $TUN -j MASQUERADE" > route-up.sh
echo "#!/bin/sh
iptables -t nat -D POSTROUTING -o $TUN -j MASQUERADE" > route-down.sh
as they determine what the routing looks like while the router is connected to the VPN and after it disconnects from it.
In order to route only a few IP addresses through the VPN connection, we can change these lines into these ones:
echo "#!/bin/sh
iptables -t nat -I POSTROUTING -o $TUN -j MASQUERADE
ip route add default dev $TUN table 200
ip rule add from 192.168.2.198 table 200
ip route flush cache
iptables -I FORWARD -s 192.168.2.198 -o wl0 -j DROP" > route-up.sh
echo "#!/bin/sh
iptables -t nat -D POSTROUTING -o $TUN -j MASQUERADE
ip route del default dev $TUN table 200
ip rule del from 192.168.2.198 table 200
ip route flush cache
iptables -D FORWARD -s 192.168.2.198 -o wl0 -j DROP" > route-down.sh
The changes made to route-up.sh are as follows:
ip route add default dev $TUN table 200 - sets the default route of routing table 200 to $TUN, i.e. the "tun1" interface (our VPN).
ip rule add from 192.168.2.198 table 200 - adds a policy rule so that packets from 192.168.2.198 are looked up in table 200.
iptables -I FORWARD -s 192.168.2.198 -o wl0 -j DROP - drops every packet which is going directly from 192.168.2.198 to the wl0 interface (Wi-Fi).
The lines in route-down.sh delete the previously issued instructions.
Also, this line:
chmod 600 ca.crt tls-auth.key userpass.txt openvpn.conf; chmod 700 route-up.sh route-down.sh
has to be changed into:
chmod 600 ca.crt tls-auth.key userpass.txt openvpn.conf; chmod 777 route-up.sh route-down.sh
because in some cases permissions 700 are not enough.
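The procedure above covers a single LAN host. As an added example (not part of the original paste), the generator below writes matching route-up.sh and route-down.sh bodies for any number of hosts and adds a small check that the policy rule really landed; it assumes the interface names, table number, host list and a WAN interface called vlan2 (the DD-WRT WAN name varies by model, so it blocks the hosts' forwarded traffic towards the WAN rather than towards wl0).

```shell
#!/bin/sh
# Added example (not from the original paste): generate route-up.sh and
# route-down.sh for several LAN hosts instead of one. Assumptions: the VPN
# interface, the policy table number, the WAN interface name (vlan2 is a
# common DD-WRT name, check yours with `nvram get wan_ifname`) and the hosts.
TUN="tun1"
TABLE="200"
WAN="vlan2"
VPN_HOSTS="192.168.2.198 192.168.2.199"

# emit_rules add|del : print the body of route-up.sh (add) or route-down.sh
# (del). Every line of route-down mirrors a line of route-up, so nothing is
# left behind in the policy table or the FORWARD chain after disconnect.
emit_rules() {
    case "$1" in
        add) ipt="-I" ;;
        del) ipt="-D" ;;
        *) echo "usage: emit_rules add|del" >&2; return 1 ;;
    esac
    echo "#!/bin/sh"
    echo "iptables -t nat $ipt POSTROUTING -o $TUN -j MASQUERADE"
    echo "ip route $1 default dev $TUN table $TABLE"
    for host in $VPN_HOSTS; do
        # send this host's traffic through the policy table (default via tunnel)
        echo "ip rule $1 from $host table $TABLE"
        # and refuse to forward it straight out of the WAN interface, so a
        # routing slip cannot push it through the ISP path while the VPN is up
        echo "iptables $ipt FORWARD -s $host -o $WAN -j DROP"
    done
    echo "ip route flush cache"
}

# rule_present HOST : read `ip rule show` output on stdin and succeed if a
# policy rule for HOST pointing at TABLE exists (a quick post-connect check).
rule_present() {
    grep -q "from $1 lookup $TABLE"
}

# Usage on the router (the files are then passed via --route-up / --down-pre):
#   emit_rules add > /tmp/vpncl/route-up.sh
#   emit_rules del > /tmp/vpncl/route-down.sh
#   ip rule show | rule_present 192.168.2.198 && echo "host is policy-routed"
```

If you write the generated files yourself, mode 755 gives the same executability as 777 without leaving a script that runs as root writable by every user on the router.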