Jump to content
  • 0

How to set up a VPN only Internet connection

Rate this question



How do I configure DD-WRT/OpenVPN with no Internet access unless the VPN is connected?


I did a quick scan of topics in this forum and didn't see anything that seemed to be a on topic.


Objective Summary:

Configure VPN router (DD-WRT/OpenVPN using LinkSys 2500 re:Firmware: DD-WRT v24-sp2 (03/25/13) mega) so that any machine using it as a gateway to access the internet fails if the VPN connection is down.


By default, this is not what happens. If the VPN connection is off-line then the default behavior is to allow a direct, insecure connection to the Internet, which is somewhat less than desirable . . .


Since I figure I am not the first person wanting to do this, and it is likely that members of your own support team have likely had the same question themselves, before I spend any more time reading other user forums... I thought I would ask the guys who should know... the only stupid question is one you don't ask right?


Now, if there is an easier way to do this than the path I started down, explained below, please enlighten me...



The obvious answer would seem to be to configure the WAN side without a default gateway (not sure how exactly to do that), or using a gw IP that cannot access the Internet. Then configure a static route to the VPN server(s) so that the VPN can be established. I tried this and managed to establish the VPN connection, but something about the routing didn't work right since any packet moving between the networks returned an unroutable message.


FYI Below, I used as the gw which is a valid IP, but not a router or gw. The idea being that anything that goes around the VPN fails... the actual gw is on the WAN side is


Static routes were setup for all VPN server IP's, example:

route add -net netmask gw metric 2


OpenVPN started... and connected... but ...


cert key validation failed, apparently as a result of the router's time being the default of 1970... set time manually and retried...


OpenVPN started... and connected...successfully... sort of...


My guess is that the statement in route-up.sh


iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE


uses the default gateway rather than my static route traffic to the VPN's IP that overrides my static route. These statements seem to be documented in torguard.log file as follows


/sbin/route add -net netmask gw

/sbin/route add -net netmask gw

/sbin/route add -net netmask gw

/sbin/route add -net netmask gw


Now, I managed to get this to work by manually deleting


route del -net netmask gw


thus restoring my static route.


However, this methodology has two big issues:

1) I have no way of automating it

2) Having no actual path the the Internet causes the router's initial ntp lookup to fail. While I can set the time manually, and/or could set static routes to the time servers if I can figure out which it is using, I still have no way of automating it.


So, that said, there must be an easier way of doing this, right?

Link to comment
Share on other sites

4 answers to this question

Recommended Posts

  • 0

I had a small script i wrote to automate this - al post once i find it.


However if connecting via PPTP, you could just use below in the commands section:



sleep 120

PPTPSERVER=$(/usr/sbin/nvram get pptpd_client_srvip)

PPTPGWY=$(/usr/sbin/nvram get wan_gateway)

/sbin/route add -host $PPTPSERVER gw $PPTPGWY dev vlan2

/sbin/route del default

/sbin/route add default dev ppp0

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE


This would block all traffic until you re-established a connection to the VPN.



Link to comment
Share on other sites

  • 0

short answer: SUCCESS!


I am using a modification of the torguard supplied script for the Canadian VPN pool. While not directly useful, the above script posted by Support2 gave me a syntax example I had not seen, resulting in an easy solution.


1.) First command in the router's startup script is now:

/sbin/route del default


This kills Internet access unless there is a specified route. While it is not a perfect solution as it does allow access for few seconds during the router's boot process, it also does allow time for the router's ntp process to fire and set the clock. A fair trade off I think.


2.) I fire a script that creates a static route for each of the VPN servers and few websites, example:

route add -net netmask gw metric 2


Where is my cable modem's LAN side gateway IP. Note that "My" LAN is on the other side of the DD-WRT router using a subnet. So from my workstation's perspective, the cable modem's gateway IP is the start of the WAN.


3.) Modified route-up.sh to include:

/sbin/route add default dev tun0


This sets a default route that makes everything, not specified in the static routes, go through the VPN. If the connection is down, only access to IP addresses specified in step#2 can be accessed until a VPN is re-established.


Note that this methodology causes an error in the torguard.log as follows:

Sun Dec 22 22:57:12 2013 us=738670 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system


This is understandable since no default gateway is present at the time that part of the VPN service is started, but since there is already a static route to the VPN server, this does not create a problem.

Link to comment
Share on other sites

  • 0

Peter - thanks for sharing the info with us, i see what you have done and I'm sure will be handy for anyone else looking to do the same thing.


If you have made a good bit of changes would handy if you could paste it in this thread for future reference.



Link to comment
Share on other sites

  • 0

lol - I was thinking about that as I wrote the previous post...


I plan to, but still have one or two things to work out...


not the least of which is why I am getting these errors


Mon Dec 23 09:30:45 2013 us=179283 Authenticate/Decrypt packet error: packet HMAC authentication failed

Mon Dec 23 09:30:51 2013 us=495379 Authenticate/Decrypt packet error: packet HMAC authentication failed

Mon Dec 23 09:30:52 2013 us=990192 Authenticate/Decrypt packet error: packet HMAC authentication failed

Mon Dec 23 09:30:56 2013 us=771678 Authenticate/Decrypt packet error: packet HMAC authentication failed


but thats a topic for a new thread... ;-)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...