Script to route traffic from home network through VPN selectively. Based off the discussion at http://www.smallnetbuilder.com/forums/showthread.php?t=9311 The setup is a Macbook, Apple Tv and a Raspberry Pi. The aim is to have all traffic from those 3 go through the VPN, all traffic from all other devices should bypassing the VPN.

gistfile1.sh

#!/bin/sh

# Original script: https://gist.github.com/Wysie/7487571
#
# Script to route traffic from home network through VPN selectively.
# Based off the discussion at http://www.smallnetbuilder.com/forums/showthread.php?t=9311
# The setup is a Macbook, Apple Tv and a Raspberry Pi.
# The aim is to have all traffic from those 3 go through the VPN, all traffic from all other devices should bypassing the VPN.
#
# Requirements: Asuswrt-Merlin with OpenVPN already set up

logger -t "($(basename $0))" $$ ExpressVPN Selective Customization Starting... " $0${*:+ $*}."

raspberry="192.168.1.105"
appletv="192.168.1.104"
macbook="192.168.1.100"

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
# List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
# Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING

#
# Disable Reverse Path Filtering on all current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
tun_if="ppp5"

ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
| while read ROUTE ; do
ip route add table 100 $ROUTE
logger -t "($(basename $0))" $$ ExpressVPN Table 100 added entry: $ROUTE
done

ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ Selective customisation for: "$"appletv $appletv
# By default appletv uses the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $appletv -j MARK --set-mark 0

logger -t "($(basename $0))" $$ Selective customisation for: "$"raspberry $raspberry
# By default Synology uses the VPN, and FORCES the use of the VPN tunnel except for port 9091
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $raspberry -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $macbook -j MARK --set-mark 0
# iptables -I FORWARD -i br0 -s $raspberry -o eth0 -j DROP
# iptables -I FORWARD -i br0 -s $raspberry -o eth0 -p tcp -m multiport --port 9091 -j ACCEPT

# Ports 22 (SSH), 9091 (Torrent RPC/WebUI) and 32400 (Plex) will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --port 22,9091,32400 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ ExpressVPN Selective Customization completed.