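#!/bin/sh
export DEBUG= # debug mode is ON while this line is present (DEBUG set, even if empty); comment it out to disable
# name: ddwrt-ovpn-redirect-vpn-to-wan-v2.sh
# version: 1.2.0, 22-mar-2017, by eibgrad
# purpose: redirect specific VPN traffic back to WAN
# script type: firewall
# installation:
#   1. define router specific rules (if any)
#   2. define lan specific rules (if any)
#   3. compress script (optional, see http://pastebin.com/vXfWLnPe)
#   4. install modified script in the router's firewall script
#   5. enable syslogd service (required for debug mode)
#   6. reboot
# debug/dump options (syslog must be enabled)
#   using Administration->Commands->Run Commands:
#     cat /var/log/messages | grep ovpn_split
#   using telnet/ssh (cli):
#     cat /var/log/messages | grep ovpn_split | less
#
# how it works (summary of the steps below):
#   * a copy of the main routing table, minus the VPN's default routes, is
#     built in alternate table $TID with the WAN gateway as its default route
#   * iptables (mangle table) marks matching packets with $FW_MRK, and an
#     "ip rule" sends marked packets to table $TID, i.e. out the WAN
#   * all output (including "set -x" trace output in debug mode) is piped to
#     syslog under the tag ovpn_split[<pid>]
(
  [ "${DEBUG+x}" ] && set -x

  add_rules() {
    # ----------------------------------- FYI ------------------------------------ #
    # * all rules are evaluated for each packet
    # * the order of rules doesn't matter (there is no order of precedence)
    # * if any rule matches, that packet is redirected from the VPN to the WAN
    # * for port forwards, always specify *internal* port, not *external* port
    # * a hostname (e.g. -d google.com) is resolved once, when the rule is
    #   inserted; later DNS changes are not tracked
    # * a MAC-based rule identifies a device by an address the device itself
    #   chooses; treat it as a convenience, not as an access control
    # ---------------------------------------------------------------------------- #
    # bypass VPN (router only)
    # --------------------------- BEGIN FIREWALL RULES --------------------------- #
    add_rule_rtr -p tcp --sport 22   # ssh
    add_rule_rtr -p udp --sport 1194 # openvpn (may require multihome directive)
    add_rule_rtr -p tcp --sport 1194 # openvpn
    add_rule_rtr -p tcp --sport 1723 # pptp
    add_rule_rtr -p 47               # gre (required by pptp)
    add_rule_rtr -p tcp --sport 8080 # gui
    # ---------------------------- END FIREWALL RULES ---------------------------- #
    # bypass VPN (lan only)
    # --------------------------- BEGIN FIREWALL RULES --------------------------- #
    add_rule_lan -s 192.168.2.0/24 # guest network
    add_rule_lan -p tcp --sport 3389 # rdp (port forward)
    add_rule_lan -p tcp -s 192.168.1.110 --sport 5900 # vnc (port forward)
    add_rule_lan -m iprange --src-range 192.168.1.200-192.168.1.209
    add_rule_lan -d 104.25.112.26 # ipchicken.com
    add_rule_lan -d 104.25.113.26 # ipchicken.com
    add_rule_lan -d google.com # unreliable w/ some forms of dns load-balancing
    add_rule_lan -d amazon.com # unreliable w/ some forms of dns load-balancing
    #add_rule_lan -p tcp --dport 443 # ssl/tls
    add_rule_lan -p tcp -s 192.168.1.200 -m multiport --dports 2000:3000,3100
    add_rule_lan -m mac --mac-source 00:11:22:33:44:55
    # ---------------------------- END FIREWALL RULES ---------------------------- #
    # the ":" keeps this function valid even if every rule above is removed
    :;}

  # ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #

  # convenience functions for adding firewall rules. Each match is appended
  # twice: once to MARK the packet and once to RETURN, so a marked packet
  # leaves the user chain without evaluating the remaining rules.
  add_rule_rtr() {
    $IPT_MAN -A $FW_CHN_RTR "$@" $IPT_MRK
    $IPT_MAN -A $FW_CHN_RTR "$@" $IPT_RTN
  }
  add_rule_lan() {
    $IPT_MAN -A $FW_CHN_LAN "$@" $IPT_MRK
    $IPT_MAN -A $FW_CHN_LAN "$@" $IPT_RTN
  }

  TID="200" # alternate routing table ID

  # interface of the last default route; not used by the default rules above
  # but left available to custom rules
  # shellcheck disable=SC2034
  WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"

  # firewall structures
  FW_MRK="$TID"          # packet mark value (same number as the table for convenience)
  FW_PFX="ovpn_split"
  FW_CHN_RTR="$FW_PFX.rtr"   # user chain hooked into OUTPUT (router-originated traffic)
  FW_CHN_LAN="$FW_PFX.lan"   # user chain hooked into PREROUTING (traffic from the LAN)

  # useful abbreviations (deliberately unquoted when expanded: they hold
  # several words that must be split into separate arguments)
  IPT_MAN="iptables -t mangle"
  IPT_MRK="-j MARK --set-mark $FW_MRK"
  IPT_RTN="-j RETURN"

  # cleanup from possible prior execution; every step may legitimately fail
  # (nothing to delete on first run), so the whole group is silenced
  (
    # stop split tunnel
    ip rule del fwmark $FW_MRK table $TID
    # delete firewall rules (router)
    $IPT_MAN -D OUTPUT -j $FW_CHN_RTR
    $IPT_MAN -F $FW_CHN_RTR
    $IPT_MAN -X $FW_CHN_RTR
    # delete firewall rules (lan)
    $IPT_MAN -D PREROUTING -j $FW_CHN_LAN
    $IPT_MAN -F $FW_CHN_LAN
    $IPT_MAN -X $FW_CHN_LAN
    # delete alternate routing table
    ip route flush table $TID
    # force routing system to recognize changes
    ip route flush cache
    # re-enable reverse path filtering (restores the kernel's default
    # anti-spoofing check that the setup below switches off)
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$i"
    done
    sleep 3
  ) >/dev/null 2>&1

  # quit if OpenVPN client has been disabled (this exits the enclosing subshell,
  # i.e. the whole script body)
  [ "$(nvram get openvpncl_enable)" = "0" ] && exit

  # without a WAN gateway the alternate table has no default route and the
  # split tunnel cannot work, so stop here (the message goes to syslog) instead
  # of half-configuring marks and rules
  WAN_GW="$(nvram get wan_gateway)"
  if [ -z "$WAN_GW" ]; then
    echo "error: nvram wan_gateway is empty; split tunnel not configured" >&2
    exit 1
  fi

  # copy main routing table, excluding all default gateway routes
  # (0.0.0.0/1 and 128.0.0.0/1 are the two half-default routes installed by
  # OpenVPN's redirect-gateway)
  ip route show | grep -Ev '^default|^0.0.0.0/1|^128.0.0.0/1' \
    | while read -r route; do
        # shellcheck disable=SC2086 -- $route is deliberately word-split into
        # the arguments of "ip route add"
        ip route add $route table $TID
      done

  # add WAN as default gateway
  ip route add default via "$WAN_GW" table $TID

  # force routing system to recognize changes
  ip route flush cache

  # disable reverse path filtering: with policy routing, replies to redirected
  # traffic can arrive on an interface the strict source check (rp_filter=1)
  # would not expect and be dropped.
  # NOTE: this is applied to *every* interface and removes the kernel's
  # source-address spoofing check. Loose mode (writing 2 instead of 0) is
  # normally enough for policy routing and keeps a weaker check; it is worth
  # verifying in your setup before relying on 0.
  for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 0 > "$i"
  done

  # add user chain for firewall rules (router)
  $IPT_MAN -N $FW_CHN_RTR
  $IPT_MAN -A OUTPUT -j $FW_CHN_RTR

  # add user chain for firewall rules (lan)
  $IPT_MAN -N $FW_CHN_LAN
  $IPT_MAN -A PREROUTING -j $FW_CHN_LAN

  # load additional netfilter modules (needed by "-m mac"); a failure here,
  # e.g. module already loaded or built in, is only reported to syslog
  insmod xt_mac; insmod ipt_mac

  # add user-defined firewall rules
  add_rules

  # start split tunnel
  ip rule add fwmark $FW_MRK table $TID
) 2>&1 | logger -t "ovpn_split[$$]"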