
I am using a DD-WRT 3.0 router to connect via OpenVPN. In the LAN, 192.168.1.50 is a device which should not go through the VPN.

(How do I set the firewall so that 192.168.1.50 does not go through the VPN, and how do I make all other IPs lose their WAN connection when the VPN disconnects/drops?)

OR

(Create two subnets, one through the VPN (Wi-Fi devices) and the other direct (wired devices), and have the VPN subnet lose WAN connectivity when the VPN drops)

I have no preference for either setup. Whatever is easier.

This rule didn't work (for the 1st scenario):

iptables -I FORWARD ! -o tun1 -s 192.168.1.50 -j DROP

Here's the route table in use, with the router in gateway mode:

(screenshot of the routing table; image not reproduced here)

Gaia
    I haven't tried it on DD-WRT, but can you add some variant of `iptables -I OUTPUT -o eth0 -s 192.168.1.0/24 -j DROP` to forbid all IPs from using the internet directly, add an allow rule before it to allow .50 out to the internet. Then configure the tunnel routing so 1.50 isn't included - e.g. break it into two ranges .1-.49 and .51 - .254. – TessellatingHeckler Oct 29 '15 at 22:30
  • Thank you for the input, but I need a complete answer. – Gaia Oct 29 '15 at 22:31

2 Answers


To block all outbound traffic for clients on the normal WAN, you can use the nvram variable wan_iface (read with `nvram get wan_iface`):

IPV4_WAN=$(nvram get wan_iface)
iptables -I FORWARD -s 192.168.x.x/24 -o "$IPV4_WAN" -j DROP

You'll want to define your specific IPv4 subnet; be careful not to block your entire LAN range!

This will block any outbound traffic going beyond your router when it is not on the VPN interface. You can confirm this by doing a traceroute to any external IPv4 address; you'll find that after the first hop the traffic drops.

For your specific IPv4 client, I'm a little confused. Can't you create an IPv4 subnet for the clients you want going to the VPN and then, based on the range, make sure that the 192.168.1.50 client is not within it? Then just add an ACCEPT rule to allow it to use the WAN as normal:

iptables -I FORWARD -s 192.168.1.50 -o "$IPV4_WAN" -j ACCEPT
James White
  • That's great help, I will test it. Do I save both lines under firewall commands? I assume you don't know how to make .50 bypass the VPN? – Gaia Oct 29 '15 at 22:32
  • @Gaia Yes add to firewall within the DD-WRT webif, variables are parsed like a shell script, see my edit for the bypass. You can always apply the rules directly via telnet/SSH and test. If anything bad happens you can flush the firewall with `stopservice firewall` and `startservice firewall` before actually applying them in nvram – James White Oct 29 '15 at 22:46
  • I have SSH access enabled. I can vi the proper file; which one should I add the rules to? – Gaia Oct 29 '15 at 23:39
  • And yes I can place the .50 device on another subnet. That sounds like an even simpler solution. How do I apply the VPN to only 192.168.1.1 and leave 192.181.2.1 out (I know the notation is not proper but you get the pic) – Gaia Oct 29 '15 at 23:40
  • Don't edit rc.firewall directly, it won't be committed to nvram. You can literally just run the commands in SSH. Just make sure the `-s` isn't within the subnet you're applying the `DROP` rule on and it won't be tagged in the rule. – James White Oct 30 '15 at 10:26

Someone in the DD-WRT forum helped me solve this in the best possible (simplest) way.

Policy based routing is the proper way to accomplish the selective VPN tunneling part of the problem. It is one of the fields where you specify details for the OpenVPN connection. You have to enter here the devices which you DO want to go through the VPN. Note that due to a bug in DD-WRT the IP of the router itself cannot be on this list.

So I set up the following:

  • DHCP dishes out 1 thru 127.
  • All devices I want on the VPN are assigned static IPs >127
  • The devices that should not go thru the VPN should get a static IP <128 or just receive a DHCP IP, which will be <128
  • The policy based routing CIDR is 192.168.1.128/25 (which means put all devices with IP > 127 through the VPN)

Now for the second part of the problem: denying WAN access to devices that should be on the VPN when the VPN is off or fails. This can be done by entering the following commands in the Save Firewall section:

iptables -I FORWARD -s 192.168.1.128/25 -o $(nvram get wan_iface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -p tcp -s 192.168.1.128/25 -o $(nvram get wan_iface) -m state --state NEW -j REJECT --reject-with tcp-reset

Two notes regarding the above commands:

  1. It uses REJECT instead of DROP since the former is a bit friendlier than the latter. DROP doesn't respond and requires the client to time out, which can be annoying for users. In contrast, REJECT causes the client to quit IMMEDIATELY.
  2. The state of the connection checked for is NEW. By checking for NEW, we're preventing those devices from initiating outbound connections, but not preventing them from being accessed remotely and sending replies through the WAN (at least when the VPN is down). If you want to prevent remote access as well, remove --state NEW from those rules.
Gaia
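The following POSIX shell snippet is an added example, not code from this thread or from DD-WRT, that ties both answers together: it decides which side of the 192.168.1.128/25 policy-routing boundary a LAN host falls on (the split the second answer relies on), prints the second answer's two REJECT kill-switch rules with and without the NEW state match, and prints the first answer's DROP/ACCEPT pair for a single bypass host in the order that `-I` requires. The WAN interface name `vlan2` and the sample addresses are constructed values; on a real router the interface comes from `nvram get wan_iface`. The functions only print iptables commands and never touch a live firewall, so the script can be run on any machine to check the rule text before pasting it into the Save Firewall box.

```shell
#!/bin/sh
# Added example, not code from the Super User thread or from DD-WRT.
# It only prints iptables commands and classifies addresses; nothing here
# modifies a firewall. Assumed values: WAN interface name (vlan2), sample hosts.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
# ipv4_to_int 192.168.1.130 -> 3232235906
ipv4_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Return 0 when IP ($1) lies inside CIDR ($2), e.g. 192.168.1.128/25.
in_subnet() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ipv4_to_int "$1") & mask )) -eq $(( $(ipv4_to_int "$net") & mask )) ]
}

# route_for IP VPN_CIDR -> "vpn" when the policy based routing field holding
# VPN_CIDR would send the host through the tunnel, otherwise "wan".
route_for() {
    if in_subnet "$1" "$2"; then echo vpn; else echo wan; fi
}

# kill_switch_rules WAN_IFACE VPN_CIDR [yes|no]
# Prints the two REJECT rules from the second answer. The third argument keeps
# (yes, the default) or drops (no) the "-m state --state NEW" match; dropping
# it also rejects replies to connections that were initiated from the WAN.
kill_switch_rules() {
    wan=$1
    subnet=$2
    state=""
    if [ "${3:-yes}" = yes ]; then
        state="-m state --state NEW "
    fi
    echo "iptables -I FORWARD -s $subnet -o $wan ${state}-j REJECT --reject-with icmp-host-prohibited"
    echo "iptables -I FORWARD -p tcp -s $subnet -o $wan ${state}-j REJECT --reject-with tcp-reset"
}

# bypass_rules WAN_IFACE LAN_CIDR HOST
# First answer's approach: DROP the whole LAN on the WAN, then ACCEPT one host.
# "-I" inserts at the top of the chain, so the ACCEPT must be issued second to
# land above the DROP; the lines are printed in the order they must be run.
bypass_rules() {
    echo "iptables -I FORWARD -s $2 -o $1 -j DROP"
    echo "iptables -I FORWARD -s $3 -o $1 -j ACCEPT"
}

# Stand-alone demo with constructed addresses.
for host in 192.168.1.50 192.168.1.127 192.168.1.128 192.168.1.200; do
    echo "$host -> $(route_for "$host" 192.168.1.128/25)"
done
echo "# kill switch (second answer), NEW connections only:"
kill_switch_rules vlan2 192.168.1.128/25
echo "# kill switch without the state match:"
kill_switch_rules vlan2 192.168.1.128/25 no
echo "# single-host bypass (first answer):"
bypass_rules vlan2 192.168.1.0/24 192.168.1.50
```

Running the script shows that .50 and .127 resolve to "wan" while .128 and .200 resolve to "vpn", which matches the answer's "DHCP hands out 1 through 127, VPN clients are static above 127" layout; changing the CIDR argument lets you verify a different split before committing to it in the OpenVPN settings.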