Home / server / Questions / 577553
Accepted
stighy
Asked: 2014-02-23 02:46:15 +0800 CST

Configuring a route table to route only one (or range of ip) via a VPN connection

  • 772

This is my home network configuration:

Devices/Pc/Smartphone ---> DD-WRT Router ---> Internet Router ---> Internet/World

  • DD WRT router ip: 192.168.1.1 (default gw is 192.168.1.254)

  • Internet Router ip: 192.168.1.254

  • Devices ip going from 192.168.1.2 to 192.168.1.253

I would like to configure the DD WRT flashed router with a PPTP VPN client running. The PPTP VPN virtual device is called ppp0.

then :

  • All ip ranging from 192.168.1.40 to 192.168.1.50 pass through Vpn (so, pass through ppp0 inteface and ppp0 gateway)
  • All others ip uses default lan gateway (so, not uses vpn)

When i start VPN client on DD WRT, my route table is

0.0.0.0 via 192.168.1.254 dev eth0 
default via 192.168.120.10 dev ppp0  scope link 
8.8.8.8 via 192.168.1.254 dev eth0 
62.101.93.101 via 192.168.1.254 dev eth0 
127.0.0.0/8 dev lo  scope link 
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1 
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1 
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.132 
192.168.1.254 via 192.168.1.254 dev eth0 
192.168.120.10 dev ppp0  scope link

Now, i think i've to replace

  • default via 192.168.120.10 dev ppp0

with

  • default via 192.168.1.254 dev eth0

so ALL ip go through standard internet gateway (no PPTP vpn)... then add a rule like

  • 192.168.1.40 via 192.168.120.10 dev ppp0

to allow ONLY ip 192.168.1.40 to exit using PPTP.

But..it isn't working!

So my final question is:

  • How to configure my router route all IP through default internet gateway (192.168.1.254) AND only One Ip (or a range of ip) to exit using pptp vpn connection ?

Thanks a lot!

routing

1 Answers

  1. Best Answer

    A network route does not take into account the source ip address, only the destination ip address. This is like saying "if someone wants to go to network 1.2.3.4, use the 192.168.1.xx as the gateway".

    What you want to do is saying: " Traffic coming from this ip address goes to internet via this specific gateway ".

    This is slightly more complicated. The standard solution for this in Linux is to use the features of the iproute2 package.

    1. Create a new default route on an alternative table ip route add table 55 default via 192.168.20.10 dev ppp0
    2. Mark traffic you want to route iptables -t mangle -I PREROUTING 1 -s 192.168.1.40 -j MARK --set-mark 55
    3. Create a rule so that traffic marked as 55 is routed via table 55 ip rule add fwmark 55 table 55

    At this point if you run a tcpdump on interface ppp0 and send some traffic from your 192.168.1.40 device you should see some traffic.

    Now you will probably have 2 problems:

    1. NAT : it is likely that you have to add a nat rule so that traffic going out via the ppp0 interface is natted with the interface ip address
    2. fragmentation : your ppp0 interface has probably a MTU which is smaller than the mtu of your eth0 interface, so you have to install a TCPMSS rule to clamp the traffic to something between 1300 and 1400
    • 2