TomatoUSB policy based routing howto

Instructions were tested on TomatoUSB Version 1.28 by shibby.
We always recommend Tomato Advance, if your router is compatible. It includes a policy based routing setup page in the web interface.

Scenario: Excluding a single LAN IP from using the VPN

In this scenario we will exclude a single LAN IP address from using the OpenVPN tunnel established on the TomatoUSB router. This is useful if you want some device on your network (smart TV, gaming console etc.) NOT to use the VPN and instead access the Internet directly through your ISP. Below are the rules to achieve this. You can either enter them from the SSH console on the TomatoUSB router or add them as a WAN Up script under Administration > Scripts > WAN Up.

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -F PREROUTING
ip route add default table 200 via 1.2.3.4
ip rule add fwmark 1 table 200
ip route flush cache
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.115/32 -j MARK --set-mark 1

In the example above, the router's WAN (ISP) gateway is 1.2.3.4 and the LAN IP that should bypass the VPN tunnel (use the ISP connection) is 192.168.0.115.
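The same six lines as a parameterised WAN Up script, written here as an added example (it is not part of the original howto). Tomato runs the WAN Up script every time the WAN link comes up, so the script removes any fwmark rule left over from the previous run before adding exactly one, and uses "ip route replace" so the table 200 route can be set whether or not it already exists. It assumes the ISP gateway can be read with "nvram get wan_gateway" (an assumption about Tomato's nvram layout; set ISP_GW by hand if that key differs). By default it only prints the commands; run it with DRY_RUN=0 on the router to apply them.

```shell
#!/bin/sh
# Added example (not from the original howto): the bypass rules as a
# parameterised WAN Up script that can safely run every time the WAN comes up.
# Assumption: the ISP gateway is readable with "nvram get wan_gateway";
# otherwise set ISP_GW in the environment.

BYPASS_IPS="${BYPASS_IPS:-192.168.0.115/32}"   # LAN IPs or CIDRs to send via the ISP
ISP_GW="${ISP_GW:-}"                           # ISP gateway; read from nvram when empty
LAN_IF="${LAN_IF:-br0}"
MARK=1                                          # fwmark used by the howto
TABLE=200                                       # routing table used by the howto
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands only, 0 = execute them

# run: execute a command, or just print it in dry-run mode
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# gateway: ISP_GW if set, else nvram; a labelled placeholder when neither
# is available (dry runs on a workstation)
gateway() {
    if [ -n "$ISP_GW" ]; then
        echo "$ISP_GW"
    elif command -v nvram >/dev/null 2>&1; then
        nvram get wan_gateway      # assumption: Tomato's nvram key for the WAN gateway
    else
        echo "GATEWAY_UNKNOWN"
    fi
}

# apply_bypass: the six lines of the howto, generalised to a list of sources
apply_bypass() {
    gw="$(gateway)"
    if [ "$gw" = "GATEWAY_UNKNOWN" ] && [ "$DRY_RUN" != "1" ]; then
        echo "no ISP gateway known, refusing to apply" >&2
        return 1
    fi
    # reverse-path filtering would drop replies that come back on another interface
    run sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter"
    # -F wipes every rule in mangle PREROUTING, exactly as the howto does,
    # so this script must be the only thing that writes to that chain
    run iptables -t mangle -F PREROUTING
    # "replace" rather than "add": works whether or not the route already exists
    run ip route replace default via "$gw" table "$TABLE"
    # remove rules left by a previous WAN up, then add exactly one
    if [ "$DRY_RUN" = "1" ]; then
        echo "ip rule del fwmark $MARK table $TABLE   (repeated until none is left)"
    else
        while ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null; do :; done
    fi
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache
    for src in $BYPASS_IPS; do     # unquoted on purpose: split the space-separated list
        run iptables -t mangle -I PREROUTING -i "$LAN_IF" -s "$src" -j MARK --set-mark "$MARK"
    done
}

# count_mark_rules: how many MARK rules a dry run would install
count_mark_rules() {
    (DRY_RUN=1; apply_bypass) | grep -c -- "--set-mark $MARK"
}

apply_bypass
```

To exclude more than one device, set BYPASS_IPS to a space-separated list ("192.168.0.115/32 192.168.0.96/29"); each entry becomes its own MARK rule. Because the script still flushes the whole mangle PREROUTING chain, as the original rules do, keep any other mangle PREROUTING rules you need inside this same script.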

**Please note that in the examples below we only add the firewall (iptables) rule; the routing rules (the first five lines) are unchanged and should be taken from the example above.**

Scenario: Excluding several LAN IPs from using the VPN

The routing rules are the same as in the first example; only the iptables line is different:

iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.100/29 -j MARK --set-mark 1

Notice the /29 network mask (6 usable host addresses) instead of /32 (a single IP). In this example, 6 IPs from the LAN will bypass the VPN tunnel: from 192.168.0.97 to 192.168.0.102. Use a network mask calculator for this, like subnet-calculator.com or jodies.de/ipcalc. Google "network mask calculator" for more.
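A network mask calculator that runs on the router itself, as an added example (not from the original howto), in plain POSIX sh with no tools beyond the shell's own arithmetic. One caveat it makes visible: an iptables "-s" match covers the whole block the address belongs to, first and last address included, so "-s 192.168.0.100/29" is the block 192.168.0.96 to 192.168.0.103 (8 addresses), of which .97 to .102 are the usable hosts the text counts. The function names (cidr_range, cidr_contains) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original howto): a network-mask calculator in
# plain POSIX sh, so the range an "-s a.b.c.d/N" match covers can be checked
# on the router itself. No tools beyond the shell's own arithmetic are needed.

# ip_to_int: dotted quad -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip: 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_bounds: print "<first> <last> <size>" as integers for the block a CIDR belongs to
cidr_bounds() {
    ip=${1%/*}
    prefix=${1#*/}
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || { echo "bad prefix: $1" >&2; return 1; }
    size=$(( 1 << (32 - prefix) ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    first=$(( $(ip_to_int "$ip") & mask ))
    echo "$first $(( first + size - 1 )) $size"
}

# cidr_range: human-readable range, e.g. "192.168.0.96-192.168.0.103 size=8".
# iptables -s matches every address in the block, first and last included.
cidr_range() {
    bounds=$(cidr_bounds "$1") || return 1
    set -- $bounds
    echo "$(int_to_ip "$1")-$(int_to_ip "$2") size=$3"
}

# cidr_contains CIDR IP: exit 0 when the -s match would cover IP, 1 otherwise
cidr_contains() {
    bounds=$(cidr_bounds "$1") || return 1
    set -- $bounds "$(ip_to_int "$2")"
    [ "$4" -ge "$1" ] && [ "$4" -le "$2" ]
}

cidr_range "${1:-192.168.0.100/29}"       # with no argument, the howto's example
```

Run it as "sh ipcalc.sh 192.168.0.100/29" to see the block a mask really selects, and use cidr_contains to check whether a particular LAN device would be caught by the rule before you install it.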

Scenario: Excluding LAN IPs based on external destination port/protocol

In this example we will exclude a single IP address from using the VPN for a single destination port. We will use port 80/HTTP, which means that all browsing on port 80 will go via the ISP and all other traffic via the VPN:

iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.115/32 -p tcp --dport 80 -j MARK --set-mark 1

We can use multiple ports, for example port 80 and 443 (HTTPS):

iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.115/32 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1

Or we can invert the rule: all traffic via the ISP and only ports 80 and 443 via the VPN:

iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.115/32 -p tcp -m multiport --dport ! 80,443 -j MARK --set-mark 1

Scenario: Excluding LAN IPs from using the VPN when accessed from the Internet

In this scenario, we want to reach a PC on the LAN from the Internet on a service such as VNC.

When the router is connected to the VPN and we port-forward an inbound connection to a LAN PC, like FTP or VNC, the connection can't be established because the LAN PC will reply through the VPN tunnel. So we have to bypass the tunnel based on the source port in order to be able to connect to that service.

iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.115 -p tcp --sport 5900 -j MARK --set-mark 1

In the above example we marked the packets from VNC to be excluded from the VPN tunnel. Change the port from 5900 to whichever port you want to reach from the Internet, such as 21 for FTP or 80 for HTTP if you run a web site on the LAN PC.
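Whichever of the scenarios above you use, the way to confirm the rule is doing anything is to look at its packet counter: generate some traffic from the excluded PC (or connect to the forwarded service from outside), then read "iptables -t mangle -L PREROUTING -v -n -x" and check that the counter of the matching MARK rule has moved. A counter stuck at 0 means the packets never hit the rule (wrong source IP, wrong interface, or the chain was flushed). The helper below, an added example that is not part of the original howto, parses that listing and flags unhit rules; the sample listing it runs on is constructed, not captured from a real router, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original howto): check that the MARK rules are
# actually being hit. On the router run:
#   iptables -t mangle -L PREROUTING -v -n -x | mark_rule_hits
# Below it is fed a constructed sample of that output so it runs anywhere.

# mark_rule_hits: read "iptables -t mangle -L PREROUTING -v -n -x" output on
# stdin and print one line per MARK rule: "<source> <match> <packets> hit|NO-HITS"
mark_rule_hits() {
    awk '$3 == "MARK" {
        # columns: pkts bytes target prot opt in out source destination [match...] MARK set 0xN
        match_spec = ""
        for (i = 10; i <= NF; i++) {
            if ($i == "MARK") break
            match_spec = match_spec (match_spec == "" ? "" : " ") $i
        }
        if (match_spec == "") match_spec = "any"
        printf "%s %s %s %s\n", $8, match_spec, $1, ($1 > 0 ? "hit" : "NO-HITS")
    }'
}

# unhit_rules: number of MARK rules in the listing on stdin whose counter is 0
unhit_rules() {
    mark_rule_hits | awk '/ NO-HITS$/ { n++ } END { print n + 0 }'
}

# Constructed sample listing (not from a real router): the VNC rule of the
# howto has matched traffic, a second catch-all rule for another host has not.
SAMPLE='Chain PREROUTING (policy ACCEPT 4021 packets, 512300 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     812    61234 MARK       tcp  --  br0    *       192.168.0.115        0.0.0.0/0            tcp spt:5900 MARK set 0x1
       0        0 MARK       all  --  br0    *       192.168.0.120        0.0.0.0/0            MARK set 0x1'

echo "$SAMPLE" | mark_rule_hits
```

Alongside the counters, "ip rule show" should list exactly one "fwmark 0x1 lookup 200" entry and "ip route show table 200" should show the default route via the ISP gateway; a missing table 200 route with a hit MARK rule means the marked packets are being routed nowhere useful.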
