I found the need to route specific machines and ports around the VPN. Since I run the VPN client in my router, all my traffic by default goes through the VPN. But if you have FTP, trackers that don't allow VPN/proxy, RDP, SSH or other ports that you would like to go through your ISP's IP address, there is a way to do this!
I found the answer on another VPN forum. I can post the link, but I am unsure if that will be breaking TorGuard's rules.
In a nutshell, what this script does is make all of your LAN IP addresses bypass the VPN, and then add rules using
ip_addrs_lst="192.168.1.1-192.168.1.50"
that make the listed addresses use the VPN. So in this example, IP addresses 192.168.1.1 through 192.168.1.50 will go through the VPN.
Also, I could not get the specific port section to work at first, but once I added an --sport line it worked great. You can also add specific websites. If you want Netflix to load at the same speeds and go through your ISP, you can achieve this as well.
A quick note though:
nvram get wan0_gateway may be router specific. When I found this script it was "nvram get wan_gateway". If you SSH into your router and run:
nvram show | grep wan
you should be able to find the correct name. Just make sure you check, and change the corresponding line in the script below!
And as an additional little nugget: if you run the VPN in your router and you get TorGuard to open a port for you, you will need to do some port forwarding. Your router will receive packets through port XXXXX, but it won't know what to do with them. While normal port forwarding tells your WAN where to send specific packets on your LAN, you need a line to tell your router where to send packets arriving from tun0 (tun0 may change depending on your router!)
###########################
VPN Port Forwarding
###########################
iptables -t nat -A PREROUTING -p tcp -i tun0 --dport 50005 -j DNAT --to 17.181.30.100:50005
iptables -t nat -A PREROUTING -p udp -i tun0 --dport 50005 -j DNAT --to 17.181.30.100:50005
Now here is the actual script!
## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and set value(s) as needed to customize your rules
#
# IP addresses, contiguous range AND/OR individual.
#
ip_addrs_lst="192.168.1.1-192.168.1.50"
##Server ports to bypass VPN
server_ports="3389,27,23045"
#
# Specific destination websites ip range - Spotify , Netflix...
#
#web_range_lst="72.44.32.1-72.44.63.254
#67.202.0.1-67.202.63.254
#207.223.0.1-207.223.15.254
#98.207.0.1-98.207.255.254
#208.85.40.1-208.85.47.254
#78.31.8.1-78.31.15.254
#193.182.8.1-193.182.15.254"
########################################
# NO NEED TO CHANGE BELOW THIS LINE #
########################################
# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
# List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
# Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
sleep 1
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > "$i"
done
#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Let's find out the tunnel interface
#
iface_lst=$(route | awk '{print $8}')
for tun_if in $iface_lst; do
    if [ "$tun_if" = "tun11" ] || [ "$tun_if" = "tun12" ] || [ "$tun_if" = "ppp0" ]; then
        break
    fi
done
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
ip route show table main | grep -Ev '^default' | grep -Ev "$tun_if" \
| while read -r ROUTE ; do
    # $ROUTE is intentionally unquoted: the route line must split into arguments
    ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first,
# so all traffic bypasses the VPN and you can configure exceptions afterwards)
# iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
# Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# IP_ADDRESSES - RANGE(S) AND/OR INDIVIDUAL(S)
for ip_addrs in $ip_addrs_lst ; do
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range "$ip_addrs" -j MARK --set-mark 0
done
###### Ports that bypass VPN ######
###### Normal portforwarding will ######
###### need to be applied ######
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport $server_ports -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport $server_ports -j MARK --set-mark 1
# WEBSITES_IP_RANGES -
for web_dst_range in $web_range_lst ; do
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range "$web_dst_range" -j MARK --set-mark 0
done
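Because MARK does not stop chain traversal, the rules the script appends interact: the last matching rule sets the final mark, which is why a VPN host's RDP traffic still bypasses the VPN while its UDP traffic does not. The following Python model of that mangle PREROUTING chain is an added example, not part of the gist; the rule order mirrors the script, and the sample config and packet addresses are constructed from the script's defaults.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPRange = Tuple[int, int]

def parse_range(spec: str) -> IPRange:
    """'a-b' or a single address, the two forms iptables -m iprange accepts."""
    lo, _, hi = spec.partition("-")
    return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))

@dataclass
class Rule:
    mark: int                          # -j MARK --set-mark value
    src: Optional[IPRange] = None      # -m iprange --src-range
    dst: Optional[IPRange] = None      # -m iprange --dst-range
    proto: Optional[str] = None        # -p tcp / -p udp
    dports: frozenset = frozenset()    # -m multiport --dport
    sports: frozenset = frozenset()    # -m multiport --sport

    def matches(self, pkt: dict) -> bool:
        src, dst = (int(ipaddress.ip_address(pkt[k])) for k in ("src", "dst"))
        return ((self.src is None or self.src[0] <= src <= self.src[1])
                and (self.dst is None or self.dst[0] <= dst <= self.dst[1])
                and (self.proto is None or self.proto == pkt["proto"])
                and (not self.dports or pkt.get("dport") in self.dports)
                and (not self.sports or pkt.get("sport") in self.sports))

def build_rules(ip_addrs_lst: str, server_ports: str, web_range_lst: str = "") -> list:
    """Append rules in the same order the script adds them to mangle PREROUTING."""
    ports = frozenset(int(p) for p in server_ports.split(","))
    rules = [Rule(mark=1)]                                       # default: bypass VPN
    rules += [Rule(mark=0, src=parse_range(r)) for r in ip_addrs_lst.split()]
    rules += [Rule(mark=1, proto="tcp", dports=ports),           # server ports bypass,
              Rule(mark=1, proto="tcp", sports=ports)]           # both directions
    rules += [Rule(mark=0, dst=parse_range(r)) for r in web_range_lst.split()]
    return rules

def final_mark(rules: list, pkt: dict) -> int:
    """MARK does not end chain traversal, so every matching rule overwrites the
    mark and the LAST match wins: 1 -> table 100 (WAN), 0 -> main table (VPN)."""
    mark = 0                          # packets enter PREROUTING unmarked
    for rule in rules:
        if rule.matches(pkt):
            mark = rule.mark
    return mark

# Constructed sample config: the script's defaults plus one destination range.
RULES = build_rules("192.168.1.1-192.168.1.50", "3389,27,23045", "72.44.32.1-72.44.63.254")
```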