DD-WRT Configuration with Selective VPN Tunneling and Port Forwarding

Question

Greybox

I use my DD-WRT equipped router, with the built in OpenVPN Client, to open a VPN tunnel, but I only wanted one specific machine to use the tunnel. That machine doesn't have the processing power to handle a high speed VPN connection, so the tunnel had to come from the router. I wanted to create this connection with 3 guidelines:

1) Only one specific machine would connect through the VPN tunnel

2) That machine would connect only to the VPN tunnel, never to the public traffic

3) I want 2 specific ports forwarded, through the VPN and through the router, to that machine

With a combination of TorGuard support and learning a lot on the dd-wrt forums, I was able to accomplish all 3 goals.

First, to connect one or more specific machines to the VPN, this functionality is already built into DD-WRT. In DD-WRT, go to the Services tab, and then the VPN sub-tab. Fill out the fields based on this guide, but skip the 'Save Firewall' section at the beginning, as well as the UsernamePassword file generation, since Username and Password fields are now a standard part of later DD-WRT builds. On the same VPN page, in the 'Policy Based Routing' field, include the IP address of each machine you want to use the VPN followed by '/32' then hit 'Apply Settings'. As an example:

192.168.1.20/32

Second, go to the Administration tab and then the Commands sub-tab. There, enter this command, replacing IPADDRESS with each IP address you want to be blocked from the WAN, and click Save Firewall

iptables -I FORWARD -s IPADDRESS -o $(nvram get wan_iface) -j DROP

Again, as an example

iptables -I FORWARD -s 192.168.1.20 -o $(nvram get wan_iface) -j DROP

This will allow that machine to only use the VPN, when both the first and second steps are completed successfully.

Third, on the same command page, edit the Firewall script, and add the following lines, replacing IPADDRESS and PORT appropriately, followed by clicking Save Firewall

iptables -I FORWARD -i tun1 -p udp -d IPADDRESS --dport PORT -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d IPADDRESS --dport PORT -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport PORT -j DNAT --to-destination IPADDRESS
iptables -t nat -I PREROUTING -i tun1 -p udp --dport PORT -j DNAT --to-destination IPADDRESS

This example will forward port 8080 to IP address 192.168.1.20 from the VPN tunnel

iptables -I FORWARD -i tun1 -p udp -d 192.168.1.20 --dport 8080 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.20 --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.20
iptables -t nat -I PREROUTING -i tun1 -p udp --dport 8080 -j DNAT --to-destination 192.168.1.20

Once all 3 steps are completed and saved, everything should work as designed

6 answers to this question

  • 0
Support

thanks for sharing here - much appreciated :)

  • 0
tortor

Hi there,
Thank you for this post. It was helpful to me because I am trying to accomplish the same end. 
I was not however successful in setting up the openvpn using this method. I am wondering what I did wrong or if I did not understand the instructions correctly. I understand you skipped a few steps in the link to the guide from Torguard. Maybe you could clarify this part?
Also what did you use for IP address for TorGuard. I am using "fl.east.usa.torguardvpnaccess.com" for example and I am wondering if this is incorrect.
Thank you for your help and time!

  • 0
icsy7788

I actually posted a similar thing in the tutorial section! I would not if I saw this here!
http://torguard.net/forums/index.php?/topic/499-dd-wrttomatoopenwrtpadavan-route-specific-traffic-around-the-vpn/
Basically you can just plop the script into your router.  Preferably one that runs after VPN connects, assign the IP address you want to use the VPN, and ports you don't want to use the VPN.  You can even make it so web pages, such as netflix, hulu, etc, bypass your VPN if you want it to load at full speeds!
Also, as a note, you must have IPROUTE2 installed on your router.  I believe most custom firmwares would have this.  I am on Padavan's firmware on my asus router.
ALSO:

(nvram get wan_iface)  Also this may not be correct on other firmwares.  If you SSH into your router you can run "nvram show" or "nvram show | grep wan" and find out what your interface is.  Mine was wan0_iface.

  • 0
z3ro3x

I have the newer build so I used these directions.  https://torguard.net/knowledgebase.php?action=displayarticle&id=192&useful=vote

Initially I had it setup to route all devices through the VPN.  It didn't become an issue until I wanted to get Xbox Live to work properly.  Then I figured there was no point in routing EVERYTHING through the vpn.  lol

In the article I linked I stopped at the point it said "If you want to route only certain devices through VPN you can do that by doing the following, add this additional line in the Additional Config box:".

This time around I went back to the article and followed the rest of the directions.  Initially it seemed to work.  That's until I noticed all other devices NOT going through the VPN could no longer access the Internet.  I figured it was probably an issue with the firewall.  I wasn't that familiar with iptables to fix it myself.  That's when I found this post.

Before reading this post this was my firewall config.  Note:  I removed ip's and ports specific to my config for privacy purposes.
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -I FORWARD -i tun1 -p udp -d IPADDRESS --dport PORT -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d IPADDRESS --dport PORT -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport PORT -j DNAT --to-destination IPADDRESS
iptables -t nat -I PREROUTING -i tun1 -p udp --dport PORT -j DNAT --to-destination IPADDRESS

This is my Firewall now after reading your post.

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -s IPADDRESS-1 -o vlan2 -j DROP
iptables -I FORWARD -s IPADDRESS-2 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
iptables -I FORWARD -i tun1 -p udp -d IPADDRESS --dport PORT -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d IPADDRESS --dport PORT -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport PORT -j DNAT --to-destination IPADDRESS
iptables -t nat -I PREROUTING -i tun1 -p udp --dport PORT -j DNAT --to-destination IPADDRESS

My question is, will this new firewall config stop IP leakage (from VPNed devices) if the VPN disconnects/goes down?

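An added audit script, written for this thread and not posted by anyone in it, that parses a DD-WRT firewall script like the two above and flags the three things the thread ran into: the blanket br0-to-WAN DROP that cut off the non-VPN devices, the MASQUERADE on tun0 while the forwards arrive on tun1, and a forwarded host that lacks the per-host WAN DROP from Greybox's second step, which is what keeps that host off the WAN when the tunnel is down. The sample scripts are constructed from z3ro3x's before/after with Greybox's example values, and the WAN interface name (vlan2 here) is passed in as a literal rather than resolved with nvram.

```python
import shlex

# Constructed sample: z3ro3x's "before" script with PORT/IPADDRESS filled from Greybox's example
BEFORE = """
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.20 --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.20
"""
# The same script after the thread's fix: per-host WAN DROP, MASQUERADE on the tunnel actually used
AFTER = (BEFORE.replace("-i br0 -o vlan2 -j DROP", "-s 192.168.1.20 -o vlan2 -j DROP")
               .replace("-o tun0 -j MASQUERADE", "-o tun1 -j MASQUERADE"))

def parse_rules(script):
    """Map each iptables line to {option: value}; -t and -I/-A become 'table' and 'chain'."""
    rules = []
    for line in script.splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "iptables":
            continue
        rule, i = {"table": "filter"}, 1
        while i < len(toks):
            has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            key = {"-t": "table", "-I": "chain", "-A": "chain"}.get(toks[i], toks[i])
            rule[key] = toks[i + 1] if has_arg else True
            i += 2 if has_arg else 1
        rules.append(rule)
    return rules

def audit(script, wan_iface):
    """Return the lockout/leak problems this thread ran into; an empty list means none were found."""
    rules, findings = parse_rules(script), []
    wan_drops = [r for r in rules if r.get("-j") == "DROP" and r.get("-o") == wan_iface]
    # A WAN DROP without -s matches every LAN host, which is why the non-VPN devices lost Internet
    if any("-s" not in r for r in wan_drops):
        findings.append("blanket WAN DROP: restrict it with -s <vpn-only host>")
    # Forwards arrive on one tun device, so the MASQUERADE must be on that same device
    dnat = [r for r in rules if r.get("-j") == "DNAT"]
    masq = {r.get("-o") for r in rules if r.get("-j") == "MASQUERADE"}
    if dnat and masq and not ({r.get("-i") for r in dnat} & masq):
        findings.append(f"MASQUERADE on {sorted(masq)} but forwards arrive on {sorted({r['-i'] for r in dnat})}")
    # Kill switch: a forwarded host with no WAN DROP of its own can still reach the WAN if the tunnel drops
    covered = {r["-s"].split("/")[0] for r in wan_drops if "-s" in r}
    for host in sorted({r["--to-destination"] for r in dnat} - covered):
        findings.append(f"{host} has no WAN DROP rule: its traffic can leak to the WAN when the VPN is down")
    return findings
```

Running audit(BEFORE, "vlan2") reports all three problems, while audit(AFTER, "vlan2") returns an empty list.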
  • 0
Majd

Hey guys,

this post is really helpful, thanks a lot for it, but I was wondering the following:

- I have a main router, which all my devices are connected to, then a dd-wrt router connected to this router, with 1 device connected to this dd-wrt.

- if I want to disable the DHCP feature from my dd-wrt router so the device connected to it can have a similar IP to the other devices on the network, and I managed to setup OpenVPN successfully, can I still have this device go through VPN or must it have an IP assigned from the dd-wrt router?

  • 0
Milan

Thank you so much for this tutorial, it works like a charm.
