Block VPN devices when VPN is down, but still allow non-VPN

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> X86 based Hardware
Author Message
fawkesguy
DD-WRT Novice


Joined: 22 Jan 2013
Posts: 3

PostPosted: Fri Sep 27, 2013 0:19    Post subject: Block VPN devices when VPN is down, but still allow non-VPN Reply with quote
Hello everyone,



I'm running DD-WRT on x86 hardware (v24-sp2 (03/19/12) std (SVN revision 18777). OpenVPN is configured and connects to my VPN provider without issue. Here's what I'm trying to achieve:



All devices on my network go through my DD-WRT router. Let's say I want one device on my network to bypass the VPN. If I put 192.168.1.100 in the "Policy Based Routing" box on the OpenVPN configuration screen, that IP bypasses the VPN, as it should.



What I would like to do is set it up so if the VPN goes down, all VPN traffic will stop, while still allowing the non-VPN traffic through the router. Here is what I have in my firewall:



iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE


Now, if I add the rule " iptables -I FORWARD -i br0 -o eth0 -j DROP" that will stop all traffic that is non-VPN. That would be fine if I didn't want a few devices to bypass the VPN. If I use that rule, the IP address I add in the "Policy Based Routing" box is blocked.

What rules do I need to set to allow traffic to bypass the VPN and stay up if the VPN drops, but that will also block the other clients on my network if the VPN drops?



I hope that makes sense. Any help would be greatly appreciated.



Thank you!
Sponsor
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17627
Location: Hesse/Germany

PostPosted: Sat Oct 05, 2013 9:58    Post subject: Reply with quote
upgrade 1st.
2nd wiki: openvpn for general info

and u want to do something like

Code:
iptables -I FORWARD ! -o tun1 -s IP -j DROP
while -s filter the devices ip
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
fawkesguy
DD-WRT Novice


Joined: 22 Jan 2013
Posts: 3

PostPosted: Sat Oct 12, 2013 23:02    Post subject: Reply with quote
Sash,

"iptables -I FORWARD ! -o tun1 -s IP -j DROP"

That was very helpful, thank you. Smile
luba
DD-WRT Novice


Joined: 11 Jan 2015
Posts: 5

PostPosted: Thu Mar 12, 2015 13:58    Post subject: Reply with quote
Sash wrote:
upgrade 1st.
2nd wiki: openvpn for general info

and u want to do something like

Code:
iptables -I FORWARD ! -o tun1 -s IP -j DROP
while -s filter the devices ip


Hi thank you very much its working Very Happy

I have big question on you.
I have in vpn settings route smtp ips server that is routed by the openvpn.
The additional options is:
Code:
route xx.xx.xx.xx 255.255.255.255 net_gateway
so my smtp goes around OpenVPN.

Is there any way to add this ip to the exceptions?
I have tried
Code:
iptables -I FORWARD ! -o tun1 -s 192.168.1.1/25 xx.xx.xx.xx/25  -j DROP

But its not working .
Thank you for help.

Best Regards
netguru76
DD-WRT User


Joined: 14 Sep 2014
Posts: 52

PostPosted: Fri Jun 05, 2015 11:30    Post subject: Reply with quote
Hi,

pls help, because i think i made a big mistake.

To block all NON - VPN (tun0) traffic i should use

"iptables -I FORWARD ! -o tun0 -j DROP"

, right ?

I used this line (network range LAN):

"iptables -I FORWARD ! -o tun0 -s 192.168.178.0/24 -j DROP"

thinking this should be the right command to say that my complete network should only use tun0 or nothing.

reading this thread again lets me know, that this is a big mistake? so my complete network is filterd and able to use other routes than tun0???

Is that right?
mirazmac
DD-WRT Novice


Joined: 11 Jun 2015
Posts: 1
Location: Narail

PostPosted: Thu Jun 11, 2015 3:04    Post subject: Reply with quote
I also faced the same problem. But neer got any solution Sad
_________________
Writing about Wapka SEO & Tips & Tricks in MirazMac.Info
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17627
Location: Hesse/Germany

PostPosted: Tue Jun 30, 2015 18:59    Post subject: Reply with quote
ddwrt always listens on the emergency ip
Code:
169.254.255.1
wih web gui and telnet
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
Matlock
DD-WRT Novice


Joined: 23 Nov 2010
Posts: 5

PostPosted: Tue Jul 21, 2015 0:33    Post subject: Reply with quote
Hey everyone- found this thread and it's certainly helpful but my setup is slighlty different in that I am leveraging policy based routing to forward only certain devices/ip addresses through the vpn tunnel and the rest of my network bypasses the vpn using my isp.

What would the command look like for this setup?

Thanks for the help
Matlock
outernational
DD-WRT Novice


Joined: 23 Oct 2015
Posts: 28

PostPosted: Fri Oct 23, 2015 16:24    Post subject: Reply with quote
192.168.1.50 is a device which I don't care if it goes thru the VPN or not. In fact I'd rather have it not go thru the VPN at all (reducing the processing load on the router), so whatever is easier:

A) 192.168.1.50 doesn't go thru VPN & all other IPs lose WAN connection when the VPN disconnects/drops*

OR

B) 192.168.1.50 goes thru VPN but remains connected when the VPN disconnects/drops* & all other IPs lose WAN connection when the VPN disconnects/drops*

*for whatever reason

I tried to save this as a firewall command

Code:
iptables -I FORWARD ! -o tun1 -s 192.168.1.50 -j DROP


Then I disconnected the firewall manually and the other IPs remained connected (with the ISP IP).

What should I try next?
jeanericblass
DD-WRT Novice


Joined: 01 Mar 2016
Posts: 11

PostPosted: Thu Mar 24, 2016 10:55    Post subject: Reply with quote
However i got the solution after reading your problem from vpnranks articles.
cbarrett
DD-WRT Novice


Joined: 12 Jul 2016
Posts: 4

PostPosted: Thu Aug 11, 2016 0:05    Post subject: Allow ntp to get around VPN Reply with quote
I am using the iptables rule suggested in this thread as follows to block traffic not traveling through the VPN.

Code:
iptables -I FORWARD -i br0 -o vlan2 -j DROP


However, in the case of a power outage or a manual power reset, the time on the router is reset. The VPN cannot connect without the proper time (tls requires the proper time).

Is there a way I can whitelist the call to a ntp.org server so that the timesync on bootup passes successfully? All other non-vpn traffic should remain blocked.

Thanks!
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> X86 based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum