How to bypass VPN for 1 device & drop connection for oth

DD-WRT Forum Index -> Advanced Networking
Author Message
outernational
DD-WRT Novice


Joined: 23 Oct 2015
Posts: 28

PostPosted: Thu Oct 29, 2015 22:23    Post subject: How to bypass VPN for 1 device & drop connection for oth
I am using a DD-WRT 3.0 (r27775M kongac) router to connect to the VPN. In the LAN, 192.168.1.50 is a device which should not go thru the VPN.

How do I set the firewall so that 192.168.1.50 does not go thru the VPN, or set up another subnet for wired devices which does not go thru the VPN,

and

How to make all other IPs (or the VPN subnet) lose WAN connection when the VPN disconnects/drops?

This rule didn't work:

Code:
iptables -I FORWARD ! -o tun1 -s 192.168.1.50 -j DROP


borrowed from here.

If you are inclined to gain some ServerFault points, this question is also there.

Last edited by outernational on Fri Oct 30, 2015 0:29; edited 1 time in total
outernational
DD-WRT Novice


Joined: 23 Oct 2015
Posts: 28

PostPosted: Fri Oct 30, 2015 0:26
eibgrad wrote:
PPTP or OpenVPN?


OpenVPN

Here's the routing:

http://i.stack.imgur.com/XeEbR.png
outernational
DD-WRT Novice


Joined: 23 Oct 2015
Posts: 28

PostPosted: Fri Oct 30, 2015 14:22
Thank you. When you know you KNOW.

It's a bit simpler.

    DHCP dishes out 1 thru 127.

    All devices I want on the VPN are assigned static IPs >127

    The policy based routing mask is 192.168.1.128/25


In this way I get the .50 off the VPN, and I still can place my network guests on the VPN by assigning them a static IP > .127 or I can just change the DHCP range to start at .128.

Voilà!

Now for the 2nd part, REJECT does work better for me. Is this what I need now?

Code:
iptables -I FORWARD ! -s 192.168.1.1/25 -o $(nvram get wan_iface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -p tcp ! -s 192.168.1.1/25 -o $(nvram get wan_iface) -m state --state NEW -j REJECT --reject-with tcp-reset


Thanks again!

eibgrad wrote:
The proper way to control what does and doesn't use the VPN is via the policy based routing field of the GUI. As soon as you specify at least one IP, that stops the VPN server from changing the default gateway to the VPN. And now only those IPs listed will use the VPN.

Now granted, in this case, since all but one IP will use the WAN, it may seem a bit of a hassle. But you can cut down the IP list considerably by using an “ip range to CIDR calculator”.

http://www.ipaddressguide.com/cidr

So in this case, you could use (note, you must exclude the router’s IP from the list due to a bug in dd-wrt):

Code:
192.168.1.2/31
192.168.1.4/30
192.168.1.8/29
192.168.1.16/28
192.168.1.32/28
192.168.1.48/31
192.168.1.51/32
192.168.1.52/30
192.168.1.56/29
192.168.1.64/26
192.168.1.128/25


As far as blocking these same IPs from the WAN, I would reference the WAN specifically instead of NOT’ing the tunnel (are you even sure that’s the tunnel name, tun1?):

Code:
iptables -I FORWARD ! -s 192.168.1.50 -o $(nvram get wan_iface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -p tcp ! -s 192.168.1.50 -o $(nvram get wan_iface) -m state --state NEW -j REJECT --reject-with tcp-reset


Notice I’m checking the state of the connection for “NEW” as well. By checking for NEW, we’re preventing those devices from initiating outbound connections, but not preventing them from being accessed remotely and sending replies through the WAN (at least when the VPN is down). But if you want to prevent remote access as well, you could remove state from those rules.

I also use REJECT since it’s a bit friendlier than DROP. DROP doesn’t respond and requires the client to timeout, which can be annoying for users. In contrast, REJECT causes the client to quit IMMEDIATELY.
outernational
DD-WRT Novice


Joined: 23 Oct 2015
Posts: 28

PostPosted: Fri Oct 30, 2015 15:52
Sorry, I am confused. Do I no longer need to set policy based routing and just apply the revised rules to the firewall?
Or do I apply the rules in conjunction with policy based routing?

eibgrad wrote:
Since your VPN list is based on a single line CIDR, you could just as easily specify that in your firewall rules (rather than the negation of everything else):

Code:
iptables -I FORWARD -s 192.168.1.128/25 -o $(nvram get wan_iface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -p tcp -s 192.168.1.128/25 -o $(nvram get wan_iface) -m state --state NEW -j REJECT --reject-with tcp-reset


IOW, anyone using the VPN is not allowed to use the WAN. Everyone else can use the WAN.

Note, I had a syntax error in my original rules. I left off the REJECT target in the first rule, which I've since corrected above and here.
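Editor's added example (not code from anyone in this thread): the Python script below reproduces the range-to-CIDR computation behind the policy-based-routing list quoted earlier, and audits whether a kill-switch rule set matches the PBR list. A host routed via the VPN but not REJECTed on the WAN interface leaks to the WAN the moment the tunnel drops, while a host REJECTed but never routed via the VPN has no connectivity at all. The LAN 192.168.1.0/24, router .1 and bypass device .50 come from the thread; the function names and the /26 mistake case are my own.

```python
"""Audit a DD-WRT policy-based-routing (PBR) list against an iptables
kill switch on the FORWARD chain.  Added example, not the thread's code."""
import ipaddress

# LAN, router and bypass device as described in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = "192.168.1.1"
BYPASS = "192.168.1.50"


def range_to_cidrs(first, last):
    """Same job as the 'ip range to CIDR calculator' linked in the thread."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def pbr_list(exclude):
    """CIDR list covering every LAN address except the excluded ones,
    i.e. what goes into the policy-based-routing field."""
    cidrs = []
    start = LAN.network_address + 1          # .0 is never a host
    end_marker = LAN.broadcast_address + 1   # one past the last address
    for addr in sorted(ipaddress.ip_address(e) for e in exclude) + [end_marker]:
        if addr > start:
            cidrs += range_to_cidrs(start, addr - 1)
        start = addr + 1
    return cidrs


def kill_switch_audit(vpn_cidrs, blocked_cidrs, negate_blocked=False, router=ROUTER):
    """Compare hosts routed via the VPN with hosts whose WAN-bound NEW
    connections the firewall REJECTs.  negate_blocked models a '! -s' match.
    Returns (leak, lockout): leak = routed via VPN but still reaches the WAN
    when the tunnel drops; lockout = blocked from WAN yet never routed via VPN."""
    # Only forwarded LAN hosts matter: the router's own traffic is OUTPUT, not FORWARD.
    forwarded = set(LAN.hosts()) - {ipaddress.ip_address(router)}
    vpn = {h for c in vpn_cidrs for h in ipaddress.ip_network(c)} & forwarded
    blocked = {h for c in blocked_cidrs for h in ipaddress.ip_network(c)} & forwarded
    if negate_blocked:
        blocked = forwarded - blocked
    leak = [str(h) for h in sorted(vpn - blocked)]
    lockout = [str(h) for h in sorted(blocked - vpn)]
    return leak, lockout


if __name__ == "__main__":
    print("PBR list:", pbr_list([ROUTER, BYPASS]))
    # Thread's final setup: VPN subnet 192.168.1.128/25, same CIDR in the firewall.
    print(kill_switch_audit(["192.168.1.128/25"], ["192.168.1.128/25"]))
    # Constructed mistake: firewall written for /26 instead of /25 -> .192-.254 leak.
    print(kill_switch_audit(["192.168.1.128/25"], ["192.168.1.128/26"]))
```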
outernational
DD-WRT Novice


Joined: 23 Oct 2015
Posts: 28

PostPosted: Fri Oct 30, 2015 15:54
Wait, I get it. You took out the ! from the rules. I will apply them in conjunction with the PBR.
outernational
DD-WRT Novice


Joined: 23 Oct 2015
Posts: 28

PostPosted: Fri Oct 30, 2015 16:49
GREAT solution, thank you!
ta2ta2
DD-WRT Novice


Joined: 22 May 2018
Posts: 23

PostPosted: Thu Jun 07, 2018 5:02
eibgrad wrote:
PPTP or OpenVPN?


In case of using PPTP, how can I achieve a similar result?

Excluding a destination IP/website and excluding local IP addresses from the VPN...

PS. I'm using PPTP because my ISP blocked all OpenVPN ports..
ta2ta2
DD-WRT Novice


Joined: 22 May 2018
Posts: 23

PostPosted: Thu Jun 07, 2018 5:35
eibgrad wrote:

The only way I can see OpenVPN being blocked across the board, irrespective of port, is if the OpenVPN connection was under traffic analysis by the ISP, and perhaps then it might provide some hints that it was an OpenVPN connection. Is that what we're talking about here?

Exactly this! Regardless of which VPN provider / ports I use, the OpenVPN status shows connected successfully; however, I never get internet, and when I try to ping any website... always very high packet loss..

eibgrad wrote:

So something doesn't seem quite right here about your analysis of the situation.


Working with the SmartyDNS and NordVPN technical teams, they confirmed the same to me.. my ISP is blocking the OpenVPN connection..
ta2ta2
DD-WRT Novice


Joined: 22 May 2018
Posts: 23

PostPosted: Thu Jun 07, 2018 5:41
This is my post regarding the same issue... you can check all the trials we did together..

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=315200
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Thu Jun 07, 2018 7:58
Security is maybe so weak for PPTP that they allow it as they (government) can easily break and read it?
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
ta2ta2
DD-WRT Novice


Joined: 22 May 2018
Posts: 23

PostPosted: Sat Jun 09, 2018 10:56
Thanks a million for the efforts. I have managed to get the script installed. However, the IP addresses/destinations specified in the script no longer have internet access... other devices connect successfully through the PPTP.. Below is my script

EDIT: code removed.


Last edited by ta2ta2 on Sat Jun 09, 2018 17:57; edited 1 time in total
ta2ta2
DD-WRT Novice


Joined: 22 May 2018
Posts: 23

PostPosted: Sat Jun 09, 2018 18:11
Apologies for pasting the code. Excuse my limited knowledge... I checked and there is no kill switch; in fact I have the firewall disabled..

I have also checked the logs you mentioned earlier, nothing is there.. just empty?

When I ran the watch command, this is what I got:

Code:
default via 10.**.**.** dev ppp0 scope link
8.8.4.4 via 94.**.**.** dev vlan2
8.8.8.8 via 94.**.**.** dev vlan2
10.**.**.** dev ppp0 scope link
80.227.101.19 via 94.**.**.** dev vlan2 <-- 80.227... is the destination IP address
91.74.74.74 via 94.**.**.** dev vlan2
94.200.200.200 via 94.**.**.** dev vlan2
94.206.24.0/22 dev vlan2 scope link  src 94.206.25.9
111.111.111.111 via 94.**.**.** dev vlan2
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 scope link  src 169.254.255.1
192.168.1.0/24 dev br0 scope link  src 192.168.1.1
199.115.116.83 via 94.**.**.** dev vlan2  src 94.206.25.9
222.222.222.0/24 via 94.**.**.** dev vlan2

default via 94.**.**.** dev vlan2
8.8.4.4 via 94.**.**.** dev vlan2
8.8.8.8 via 94.**.**.** dev vlan2
10.**.**.** dev ppp0 scope link
91.74.74.74 via 94.**.**.** dev vlan2
94.200.200.200 via 94.**.**.** dev vlan2
94.206.24.0/22 dev vlan2 scope link  src 94.206.25.9
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 scope link  src 169.254.255.1
192.168.1.0/24 dev br0 scope link  src 192.168.1.1
199.115.116.83 via 94.**.**.** dev vlan2  src 94.206.25.9

0:      from all lookup local
32763:  from all iif br1 lookup 200
32764:  from 192.168.1.91 lookup 200 <-- static IP address to be routed through WAN
32765:  from 192.168.1.90 lookup 200 <-- static IP address to be routed through WAN
32766:  from all lookup main
32767:  from all lookup default
ta2ta2
DD-WRT Novice


Joined: 22 May 2018
Posts: 23

PostPosted: Sat Jun 09, 2018 18:54
UPDATE: I have restarted the router a couple of times and voilà, the static IP addresses are excluded from the VPN..

Only the destination (osn.com) is not excluded from the VPN for some reason... any help?
ta2ta2
DD-WRT Novice


Joined: 22 May 2018
Posts: 23

PostPosted: Sat Jun 09, 2018 20:54
Thanks a million for your support! Now I'm all set and good to go :)