Network VPN except 1 client

av2zeal · 06-15-2018, 12:47 AM

I'll try to keep this as simple as possible...

I recently subscribed to a vpn service provider and I configured my router (dd-wrt) to connect (openvpn client) and everything is working great. However, I would like to be able to access a server on my network to get to my files when I am away, but this service does not allow port forwarding as any number of users could be connected to a node at any given time. Is there a way to have the vpn as the default connection method for any given client, but specify one computer on my network to NOT use vpn? I've been searching on the internet and think that iptables for the router may be the answer?

nini09 · 06-18-2018, 04:41 PM

The iptables can help this.

av2zeal · 06-26-2018, 02:51 AM

After a bunch of digging, and trying to learn iptables, this is what I came up with:

echo 200 novpn >> /etc/iproute2/rt_tables
echo 201 yesvpn >> /etc/iproute2/rt_tables
ip rule add from <ip_i_don't_want_to_use_vpn> dev wan0 table novpn
ip rule add from default dev tun1 table yesvpn
ip route add <ip_i_don't_want_to_use_vpn> via <isp_gateway> dev wan0 table novpn
ip route add default via <vpn_server> dev tun1 table yesvpn

...but it doesn't seem to work, <ip_i_don't_want_to_use_vpn> is still behind the vpn and I cannot access it remotely. vpn provider does not offer port forwarding, nor do i want to go that route. Any help is much appreciated. Thank you!

av2zeal · 06-28-2018, 08:49 PM

I was able to go into Services -> VPN and under the VPN Client settings, there is a box called "Policy Based Routing" I added 192.168.1.201/32 and it seems to work for my main system.
However, if i remove this line and I try to add blocks of addresses (to protect a range of ips on my network), i.e.:

192.168.1.200/30
192.168.1.205/27
192.168.1.237/28
192.168.1.253/31

it places 192.168.1.204 behind the vpn (which is the one I want to leave exposed).
Am I misunderstanding CIDR? I even had this corrupt the settings on my router and I had to do a 30/30/30 reset to clear my settings.

Any help is much appreciated.

nini09 · 07-05-2018, 03:45 PM

Describe network topology. Where is 192.168.1.200/30? Is it IPSec inside network or IPSec network?