
I have set up an OpenVPN client on an Asus router; it is running Padavan firmware, which is similar to Tomato and others.

The VPN client works, but I would like to limit its use to one or two IPs on my LAN (i.e. the Apple TV) and have all other clients bypass the VPN connection.

The Padavan VPN client has a custom script that is executed when the interface goes up and down on tun0, which is the interface.

I have attempted to route the IP address of the client that I want to use, but it does not prevent access via all of the other clients:

#!/bin/sh

### Custom user script
### Called after internal VPN client connected/disconnected to remote VPN server
### $1        - action (up/down)
### $IFNAME   - tunnel interface name (e.g. ppp5 or tun0)
### $IPLOCAL  - tunnel local IP address
### $IPREMOTE - tunnel remote IP address
### $DNS1     - peer DNS1
### $DNS2     - peer DNS2

# LAN host that should use the VPN (a single host, so a /32 mask)
peer_lan="192.168.0.130"
peer_msk="255.255.255.255"

# policy-routing table used for the VPN-only host
vpn_table="200"

### example: add static route to private LAN subnet behind a remote server

func_ipup()
{
#   route add -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
#   route add -net $peer_lan gw $IPREMOTE dev $IFNAME
    # "route" knows nothing about routing tables and "rule" is not a command;
    # policy routing needs the iproute2 tools ("ip route" / "ip rule").
    ip route replace default dev "$IFNAME" table "$vpn_table"
    # delete any stale copy first so reconnects don't stack duplicate rules
    ip rule del from "$peer_lan" table "$vpn_table" 2>/dev/null
    ip rule add from "$peer_lan" table "$vpn_table"
    ip route flush cache

    return 0
}

func_ipdown()
{
#  route del -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
   # undo the policy rule and empty the table when the tunnel goes away
   ip rule del from "$peer_lan" table "$vpn_table" 2>/dev/null
   ip route flush table "$vpn_table" 2>/dev/null
   ip route flush cache
   return 0
}

logger -t vpnc-script "$IFNAME $1"

case "$1" in
up)
  func_ipup
  ;;
down)
  func_ipdown
  ;;
esac

I realise that this is very specific to the Padavan firmware, but I think that the commands that are executed when it goes up should be universal, and my routing skills are very limited!

Maybe I need to block/allow using iptables instead?

Any suggestions or help gratefully appreciated!
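Added example, not the original post's script: the policy-routing approach the question is after, generalised to a list of LAN hosts and made to fail closed when the tunnel drops. It assumes the LAN is 192.168.0.0/24, that table 200 is otherwise unused, and that the VPN client is not allowed to replace the router's main default route (otherwise every LAN client still goes through the tunnel; OpenVPN's route-nopull option ignores the pushed redirect-gateway). Set DRY_RUN=1 to preview the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the original post's script: send only the listed LAN
# hosts through the tunnel and fail closed (no WAN leak) when it is down.
# Assumptions: LAN is 192.168.0.0/24, table 200 is otherwise unused, and
# the VPN client leaves the main routing table alone (OpenVPN: route-nopull).
VPN_IF="${IFNAME:-tun0}"        # padavan exports IFNAME to this script
VPN_TABLE=200
LAN_NET="192.168.0.0/24"
VPN_CLIENTS="192.168.0.130 192.168.0.131"   # hosts that must use the VPN

# Print each command, then run it unless DRY_RUN is set (preview mode).
run() { echo "$*"; [ -n "${DRY_RUN:-}" ] || "$@"; }

vpn_rules() {   # $1 = add|del, $2 = LAN host
    # LAN-bound traffic from the host keeps using the normal table...
    run ip rule "$1" from "$2" to "$LAN_NET" lookup main priority 99
    # ...everything else from it is looked up in the VPN table only.
    run ip rule "$1" from "$2" lookup "$VPN_TABLE" priority 100
}

vpn_policy() {  # $1 = up|down, as padavan passes it
    case "$1" in
    up)
        # Low-metric default via the tunnel wins while tun0 exists...
        run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
        # ...and this one survives when the kernel drops tun0's routes, so
        # the hosts get "network unreachable" instead of leaking via WAN.
        run ip route replace unreachable default metric 1000 table "$VPN_TABLE"
        for ip in $VPN_CLIENTS; do
            vpn_rules del "$ip" 2>/dev/null || true   # no duplicates on reconnect
            vpn_rules add "$ip"
        done
        ;;
    down)
        # Rules and the unreachable route stay: fail closed, not open.
        run ip route del default dev "$VPN_IF" table "$VPN_TABLE" 2>/dev/null || true
        ;;
    esac
    run ip route flush cache
}

case "${1:-}" in up|down) vpn_policy "$1" ;; esac
```

To confirm on the router, run `ip route get <public IP> from 192.168.0.130 iif <LAN interface>`: it should show dev tun0 while the tunnel is up and "unreachable" after it drops.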

jww
crankshaft