I have a wanup script to set up split tunneling on my VPN and I'm not quite sure what's happening, as recently (after upgrading to Tomato Firmware 1.28.0000 MIPSR2-116 K26 USB AIO) I find that PCs on my network are all running through the VPN when the script should have them bypassing the VPN. This does cause some issues for some apps, as port forwarding from the VPN IP to a connected machine is not in place; port forwarding (manual or triggered) only does the WAN IP to machine.
Maybe a race condition, as although the WAN is up and tries running the script, the VPN isn't up yet and so the script doesn't run properly?
I'd like to be able to run the script manually but have no clue and can't find any pointers to where the script is stored when I access my router through SSH.
Is there a line I can add to my script which will log everything?
Sorry, bit of a n00b with Linux, but I do read a lot :)
Here's the wanup script in case you're interested:
#!/bin/sh
# This code goes in the WAN UP section of the Tomato GUI.
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
#
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done
#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1".
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 | while read ROUTE ; do
  ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
# All LAN traffic will bypass the VPN (useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
# iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
# Spotify explicitly uses the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 78.31.8.1-78.31.15.254 -j MARK --set-mark 0
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 193.182.8.1-193.182.15.254 -j MARK --set-mark 0
# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Kitchen PC routes ALL traffic through the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.3 -j MARK --set-mark 0
# Lounge HTPC runs through the VPN because of the torrent plugin
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.12 -j MARK --set-mark 0
# Cameron's PC running uTorrent on port 59905 (UDP and TCP) runs through the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.26 -p tcp --dport 59905 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.26 -p udp --dport 59905 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.26 -p tcp --sport 59905 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.26 -p udp --sport 59905 -j MARK --set-mark 0
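The three things the post asks for (logging every step, not racing the VPN, and running the script by hand) can all be handled in the script itself. The following is an added example, not the poster's script and not Tomato's own code: it wraps the same table-100 / fwmark setup so that every command and its exit status goes to syslog (readable with `logread` on Tomato) and to a file, waits for the tunnel interface to exist before touching the routing tables, and takes an `apply` or `dry-run` argument so it can be run from an SSH session. Interface names (`tun11`, `br0`), the `wan_gateway` nvram key, the `/tmp/wanup.log` path and the two policy rules at the end are assumptions taken from the script above; adjust them to your router.

```sh
#!/bin/sh
# Added example (not the original poster's script): split-tunnel setup with
# logging, a wait for the OpenVPN interface, and a manual dry-run mode.
# Assumed names: tunnel tun11, LAN bridge br0, nvram key wan_gateway,
# log file /tmp/wanup.log.

VPN_IF="${VPN_IF:-tun11}"
LAN_IF="${LAN_IF:-br0}"
VPN_WAIT="${VPN_WAIT:-60}"            # seconds to wait for the tunnel
LOGFILE="${LOGFILE:-/tmp/wanup.log}"
NET_DIR="${NET_DIR:-/sys/class/net}"  # kernel's list of interfaces
DRYRUN="${DRYRUN:-0}"                 # 1 = only log what would be run

# Log one line to syslog (`logread`), to the log file and to stderr.
log() {
    logger -t wanup "$*" 2>/dev/null || true
    echo "$(date '+%Y-%m-%d %H:%M:%S') wanup: $*" >> "$LOGFILE" 2>/dev/null || true
    echo "wanup: $*" >&2
}

# Run a command, logging it and any non-zero exit status; skip it in dry-run mode.
run() {
    log "+ $*"
    [ "$DRYRUN" = 1 ] && return 0
    "$@"
    rc=$?
    [ "$rc" -eq 0 ] || log "FAILED (rc=$rc): $*"
    return "$rc"
}

# Wait up to $2 seconds for interface $1 to exist; 0 when it does, 1 on timeout.
wait_for_iface() {
    iface=$1; waited=0
    while [ ! -d "$NET_DIR/$iface" ]; do
        [ "$waited" -ge "$2" ] && return 1
        sleep 1; waited=$((waited + 1))
    done
    log "$iface present after ${waited}s"
    return 0
}

# Filter an `ip route show table main` listing on stdin: drop the default route
# and every route via the tunnel, leaving the routes that belong in table 100.
routes_for_table100() {
    grep -Ev "^default |dev $VPN_IF( |$)"
}

main() {
    if ! wait_for_iface "$VPN_IF" "$VPN_WAIT"; then
        log "$VPN_IF not up after ${VPN_WAIT}s; leaving routing alone"
        return 1
    fi
    wan_gw=$(nvram get wan_gateway 2>/dev/null)
    if [ -z "$wan_gw" ]; then
        log "nvram wan_gateway is empty; cannot build table 100"
        return 1
    fi

    # rp_filter off on every interface, otherwise replies via the other path are dropped.
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        run sh -c "echo 0 > $f"
    done

    run ip rule del fwmark 1 table 100     # fails harmlessly on the first run
    run ip route flush table 100
    run iptables -t mangle -F PREROUTING

    ip route show table main | routes_for_table100 | while read -r route; do
        run ip route add table 100 $route  # word splitting of $route is intended
    done
    run ip route add default table 100 via "$wan_gw"
    run ip rule add fwmark 1 table 100
    run ip route flush cache

    # Policy: LAN traffic bypasses the VPN (mark 1) unless a later rule marks it 0.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s 192.168.1.3 -j MARK --set-mark 0
    log "done"
}

# Entry point: `wanup.sh apply` does the work (put that line in the WAN Up box),
# `wanup.sh dry-run` only logs what it would do; no argument just defines functions.
case "${1:-}" in
    apply)   main ;;
    dry-run) DRYRUN=1 main ;;
esac
```

Save this to persistent storage (for example a JFFS or USB path), put `sh /path/to/wanup.sh apply` in the WAN Up box, and run `sh /path/to/wanup.sh dry-run` over SSH to see exactly what it would do; `logread | grep wanup` then shows each command and any failure. On Tomato the contents of the WAN Up box themselves are kept in nvram, so `nvram show | grep script_` should locate them (the key name is an assumption here; check the listing). Two checks worth doing after the VPN has connected: `ip rule` should list the `fwmark 0x1 lookup 100` rule, and `iptables -t mangle -L PREROUTING -nv` should still show the MARK rules. If the marks are missing while the rule is present, something restarted the firewall after WAN Up ran, and the iptables part belongs in the Firewall script instead. Note also that `iptables -t mangle -F PREROUTING` removes every rule in that chain, not only yours, and that turning rp_filter off on all interfaces disables the kernel's source-address spoofing check, which is the price of this asymmetric routing.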