eibgrad

ddwrt-ovpn-redirect-vpn-to-wan-v2.sh
  1. #!/bin/sh
  2. export DEBUG= # uncomment/comment to enable/disable debug mode
  3.  
#         name: ddwrt-ovpn-redirect-vpn-to-wan-v2.sh
#      version: 1.2.0, 22-mar-2017, by eibgrad
#      purpose: redirect specific VPN traffic back to WAN
#  script type: firewall
# installation:
#   1. define router specific rules (if any)
#   2. define LAN specific rules (if any)
#   3. compress script (optional, see http://pastebin.com/vXfWLnPe)
#   4. install modified script in the router's firewall script
#   5. enable syslogd service (required for debug mode)
#   6. reboot
#
# caveat: every packet that matches a rule below leaves through the WAN,
#   outside the VPN; keep the rule set as narrow as possible and re-check it
#   after each edit.

# debug/dump options (syslog must be enabled)
#   using Administration->Commands->Run Commands:
#     grep ovpn_split /var/log/messages
#   using telnet/ssh (cli):
#     grep ovpn_split /var/log/messages | less
  21.  
  22. (
  23. [ "${DEBUG+x}" ] && set -x
  24.  
# User-editable rule table. Each add_rule_* line below is turned (by the
# helpers further down) into a MARK entry plus a RETURN entry in a mangle
# chain, so a packet walks the chain until the first rule that matches it,
# gets the fwmark, and is then routed out the WAN instead of the VPN.
# Called once, after the chains, routing table and modules are in place.
add_rules() {

# ----------------------------------- FYI ------------------------------------ #
# * every packet is checked against these rules until one matches; the first
#   match marks the packet and stops the walk (later rules are not reached)
# * the order of rules doesn't matter (every rule has the same effect)
# * if any rule matches, that packet is redirected from the VPN to the WAN -
#   i.e. it leaves the router in the clear, outside the tunnel
# * for port forwards, always specify *internal* port, not *external* port
# ---------------------------------------------------------------------------- #

# bypass VPN (router only)
# These go into the chain hooked from mangle OUTPUT, so they match packets the
# router itself sends. "--sport N" therefore matches the *replies* of a local
# service listening on N, which keeps remote ssh/GUI/VPN-server sessions that
# arrive over the WAN answered over the WAN.
# --------------------------- BEGIN FIREWALL RULES --------------------------- #
add_rule_rtr -p tcp --sport 22 # ssh (replies from the router's sshd)
add_rule_rtr -p udp --sport 1194 # openvpn server replies (may require multihome directive)
add_rule_rtr -p tcp --sport 1194 # openvpn server replies (tcp)
add_rule_rtr -p tcp --sport 1723 # pptp server replies
add_rule_rtr -p 47 # gre, protocol 47 (required by pptp); numeric on purpose
add_rule_rtr -p tcp --sport 8080 # gui replies (only exposed if remote admin is enabled)
# ---------------------------- END FIREWALL RULES ---------------------------- #

# bypass VPN (lan only)
# These go into the chain hooked from mangle PREROUTING, so they match packets
# arriving from the LAN before routing.
# --------------------------- BEGIN FIREWALL RULES --------------------------- #
add_rule_lan -s 192.168.2.0/24 # guest network: everything from it stays out of the VPN
add_rule_lan -p tcp --sport 3389 # rdp (port forward) - NOTE(review): not pinned to a host; any LAN packet with source port 3389 matches, consider adding -s <host> as the vnc rule does
add_rule_lan -p tcp -s 192.168.1.110 --sport 5900 # vnc (port forward), limited to the one host that serves it
add_rule_lan -m iprange --src-range 192.168.1.200-192.168.1.209 # a block of hosts, all traffic
add_rule_lan -d 104.25.112.26 # ipchicken.com (shows the WAN address, handy for checking the bypass)
add_rule_lan -d 104.25.113.26 # ipchicken.com
add_rule_lan -d google.com # resolved by iptables once, when this script runs; unreliable w/ some forms of dns load-balancing
add_rule_lan -d amazon.com # same caveat; if the lookup fails at boot the rule is skipped (traffic stays in the VPN) and the error lands in syslog
#add_rule_lan -p tcp --dport 443 # ssl/tls - disabled; enabling it would send ALL https from the LAN around the VPN
add_rule_lan -p tcp -s 192.168.1.200 -m multiport --dports 2000:3000,3100 # one host, a port range plus one extra port
add_rule_lan -m mac --mac-source 00:11:22:33:44:55 # by source MAC (needs the mac module loaded below); example address, replace before use
# ---------------------------- END FIREWALL RULES ---------------------------- #
:;}
  59.  
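# ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #

# convenience functions for adding firewall rules
#
# Every user rule becomes two entries in a mangle-table user chain: a MARK rule
# that stamps matching packets with $FW_MRK, followed by the identical match
# with a RETURN target so the rest of the chain is skipped. The RETURN entry is
# only appended once the MARK entry went in, so a rejected match (for instance
# a -d hostname that does not resolve while the firewall script runs) fails as
# a unit: the iptables error reaches the log and no orphaned RETURN entry is
# left behind in the chain.
#
# Globals read: IPT_MAN, IPT_MRK, IPT_RTN, FW_CHN_RTR, FW_CHN_LAN (assigned
# below this point, before add_rules() is called). $IPT_MAN, $IPT_MRK and
# $IPT_RTN are expanded unquoted on purpose - each holds several words.
#
# Arguments: an iptables match specification, e.g. "-p tcp --sport 22".
# Returns:   0 when both entries were appended, otherwise the exit status of
#            the iptables call that failed.

# add a MARK/RETURN pair to the router chain (hooked from mangle OUTPUT)
add_rule_rtr() {
    $IPT_MAN -A "$FW_CHN_RTR" "$@" $IPT_MRK &&
    $IPT_MAN -A "$FW_CHN_RTR" "$@" $IPT_RTN
}

# add a MARK/RETURN pair to the LAN chain (hooked from mangle PREROUTING)
add_rule_lan() {
    $IPT_MAN -A "$FW_CHN_LAN" "$@" $IPT_MRK &&
    $IPT_MAN -A "$FW_CHN_LAN" "$@" $IPT_RTN
}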
  71.  
  72. TID="200" # alternate routing table ID
  73. WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
  74.  
  75. # firewall structures
  76. FW_MRK="$TID"
  77. FW_PFX="ovpn_split"
  78. FW_CHN_RTR="$FW_PFX.rtr"
  79. FW_CHN_LAN="$FW_PFX.lan"
  80.  
  81. # useful abbreviations
  82. IPT_MAN="iptables -t mangle"
  83. IPT_MRK="-j MARK --set-mark $FW_MRK"
  84. IPT_RTN="-j RETURN"
  85.  
# ---- tear down whatever a previous run left behind ---------------------------
# Best-effort throughout: on a fresh boot none of this exists yet, so every
# command is expected to fail and all output is discarded. The order is kept
# deliberately (policy rule first, chains next, routing table last).
(
    # Stop steering marked packets before their chains and table disappear.
    ip rule del fwmark "$FW_MRK" table "$TID"

    # Detach, empty and remove the router chain (hooked from OUTPUT).
    # $IPT_MAN is unquoted on purpose: it expands to "iptables -t mangle".
    $IPT_MAN -D OUTPUT -j "$FW_CHN_RTR"
    $IPT_MAN -F "$FW_CHN_RTR"
    $IPT_MAN -X "$FW_CHN_RTR"

    # Same for the LAN chain (hooked from PREROUTING).
    $IPT_MAN -D PREROUTING -j "$FW_CHN_LAN"
    $IPT_MAN -F "$FW_CHN_LAN"
    $IPT_MAN -X "$FW_CHN_LAN"

    # Empty the alternate table and make the kernel forget cached decisions.
    ip route flush table "$TID"
    ip route flush cache

    # Back to strict reverse-path filtering on every interface; the split
    # tunnel relaxes it again further down once it is actually needed.
    for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$rpf"
    done

    # Pause carried over from the original; its purpose is not documented
    # (presumably lets the routing/netfilter changes settle before rebuilding).
    sleep 3
) >/dev/null 2>&1
  114.  
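# ---- build the split tunnel --------------------------------------------------

# Nothing to do when the OpenVPN client is switched off in the GUI.
# (POSIX "[" only knows "="; "==" is a bash extension and this is #!/bin/sh.)
[ "$(nvram get openvpncl_enable)" = "0" ] && exit

# The WAN gateway is the whole point of table $TID. Without it the table has no
# default route, marked packets would fall through to the main table (i.e. into
# the VPN) after rp_filter had already been relaxed, and the only trace would be
# an "ip route add" error. Stop here instead and log the reason; the message
# reaches syslog through the logger pipe at the end of the script.
WAN_GW=$(nvram get wan_gateway)
if [ -z "$WAN_GW" ]; then
    echo "wan_gateway is empty, cannot build table $TID - split tunnel not started"
    exit 1
fi

# Seed table $TID with a copy of the main table minus every default route:
# "default" is the WAN's own, and 0.0.0.0/1 + 128.0.0.0/1 is the pair OpenVPN's
# redirect-gateway def1 presumably installed. $route is word-split on purpose.
ip route show | grep -Ev '^default|^0.0.0.0/1|^128.0.0.0/1' \
  | while read -r route; do
        ip route add $route table "$TID"
    done

# Marked traffic leaves through the WAN gateway instead of the tunnel.
ip route add default via "$WAN_GW" table "$TID"

# Make the kernel forget cached routing decisions.
ip route flush cache

# Policy routing sends replies out an interface the kernel would not have
# chosen on its own, so strict reverse-path filtering would drop them.
# NOTE(review): 0 switches the anti-spoofing check off on *every* interface,
# WAN included. Kernels that support loose mode (value 2) keep some protection;
# confirm the router's kernel handles 2 before changing this value.
for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 0 > "$rpf"
done

# Router-originated packets (OUTPUT) and LAN packets (PREROUTING) each get their
# own mangle chain; add_rules() appends the user rules to these.
$IPT_MAN -N "$FW_CHN_RTR"
$IPT_MAN -A OUTPUT -j "$FW_CHN_RTR"

$IPT_MAN -N "$FW_CHN_LAN"
$IPT_MAN -A PREROUTING -j "$FW_CHN_LAN"

# The "-m mac" match used by user rules needs the mac module; both known names
# are tried, so one "already loaded"/"not found" error in the log is expected.
insmod xt_mac; insmod ipt_mac

# Install the user-defined MARK/RETURN pairs (see add_rules above).
add_rules

# Last step: only now are marked packets looked up in table $TID.
ip rule add fwmark "$FW_MRK" table "$TID"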
  151.  
  152. ) 2>&1 | logger -t "ovpn_split[$$]"