The point of this is to route traffic for specific LAN IP addresses (my NAS) through an openVPN connection on a router running OpenWRT/Tomato firmware. I'm also running “tinyproxy” on the NAS so I can have an individual browser configured on my own station to route through the VPN as well.
I've never used awk before and didn't devote a lot of time to these scripts, so save your judgement please.
Get optware installed and mounting automatically on boot.
Set your USB support with the option "Automatically mount all partitions to sub-directories in /mnt". Set the USB "Run after mounting" script:

```sh
# Bind the optware partition (mounted under /mnt by the USB support) onto /opt
if [ -d /mnt/optware ]; then
    mount -o bind /mnt/optware /opt
fi
```
Contents of Administration→Scripts→Init:
```sh
# Mount optware: add the labelled partition to fstab, then mount it on /opt
echo "LABEL=optware /opt ext3 defaults 1 1" >> /etc/fstab
/bin/mount /opt
```
These are the packages I have installed:
ipkg-opt - 0.99.163-10 - The Itsy Package Manager
libcurl - 7.24.0-1 - Curl is a command line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FI
libidn - 1.25-1 - GNU Libidn is an implementation of the Stringprep, Punycode and IDNA specifications defined by the IETF Internationalized Domai
netcat - 1.10pl32-5 - TCP/IP swiss army knife.
openssl - 0.9.7m-6 - Openssl provides the ssl implementation in libraries libcrypto and libssl, and is needed by many other applications and librari
uclibc-opt - 0.9.28-13 - micro C library for embedded Linux systems
wget-ssl - 1.12-2 - A network utility to retrieve files from the Web
zlib - 1.2.5-1 - zlib is a library implementing the 'deflate' compression system.

The relevant lines of the OpenVPN client configuration:

```
persist-key
persist-tun
tls-client
auth-user-pass /opt/etc/pia/pia.txt
comp-lzo
verb 1
reneg-sec 0
route-noexec
route-up /opt/etc/scripts/vpnrouteup.sh
down /opt/etc/scripts/vpnroutedown.sh
```
The contents of pia.txt are the VPN username on the first line and the password on the second line.
The vpnrouteup.sh script sets up a second routing table with ip route to direct traffic for the IPs listed in "vpndhosts" (space delimited) through the VPN connection. It then calls a script to get a forwarding port from my VPN provider, and then a script to update the transmission client config that's running on the NAS.
I don't remember why I needed to use my ISP's DNS servers over the VPN's DNS servers, but there must be a good reason. Maybe it was because I couldn't figure out how to dynamically update the /etc/resolv.conf file on my NAS. If you don't need to use your ISP's DNS, comment out the third for loop.
Contents of vpnrouteup.sh:
```sh
#!/bin/sh
# Resolve the VPN provider's address (last "Address" line of the nslookup output)
privateinternetaccess=$(nslookup www.privateinternetaccess.com |grep ^A |tail -1 |awk -F ' ' '{ print $3 }')
# LAN hosts to send through the VPN (space delimited) and the ISP DNS servers to exempt
vpndhosts="192.168.xxx.xxx"
dnsservers="89.xxx.xxx.xxx 89.xxx.xxx.xxx"
# Tunnel interface, its local and peer (P-t-P) addresses, and the assumed /24 gateway and network
tun_iface=$(ifconfig|grep tun|awk '{ print $1 }')
tun_inet=$(ifconfig $tun_iface|grep P-t-P|awk -F ':' '{ print $2 }'|awk -F ' ' '{ print $1 }')
tun_ptp=$(ifconfig $tun_iface|grep P-t-P|awk -F ':' '{ print $3 }'|awk -F ' ' '{ print $1 }')
tun_gw=$(echo $tun_inet |awk -F '.' '{print $1"."$2"."$3".1"}')
tun_net=$(echo $tun_inet |awk -F '.' '{print $1"."$2"."$3".0/24"}')
# Table 10: the two /1 routes together cover all of IPv4 through the tunnel
ip route add 0.0.0.0/1 via $tun_ptp dev $tun_iface table 10
ip route add 128.0.0.0/1 via $tun_ptp dev $tun_iface table 10
ip route add $tun_gw via $tun_ptp dev $tun_iface metric 1 table 10
ip rule add from $tun_net table 10
ip rule add to $tun_net table 10
# Traffic to and from the VPN provider's address also uses table 10
for host in $privateinternetaccess;do ip rule add from $host table 10;ip rule add to $host table 10;done
# Traffic from the selected LAN hosts uses table 10
for host in $vpndhosts;do ip rule add from $host table 10;done
# Exception: traffic between those hosts and the ISP's DNS servers stays in the main table
for host in $vpndhosts;do for server in $dnsservers;do ip rule add from $host to $server lookup main;ip rule add from $server to $host lookup main;done;done
# Fetch a forwarded port from the provider and push it into the transmission config
/opt/etc/scripts/port_forward_update.sh
/opt/etc/scripts/transmission_port_update.sh
```
Contents of vpnroutedown.sh:
```sh
#!/bin/sh
# Delete every rule except the default "from all lookup local/main/default" ones
for rule in $(ip rule list |grep -v "all lookup"|awk -F ":" '{ print $1 }');do ip rule delete pref $rule;done
```
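Assuming the same table 10 and host list as vpnrouteup.sh above, here is an added example (not the page's scripts) that numbers the rules so the down script can delete exactly its own, and adds a kill-switch table so a VPN-only host is cut off rather than leaked over the ISP link when the tunnel drops. Table 11, the preference numbers and the IP variable are assumptions, and the tunnel-network, provider and DNS-exception rules of the original are left out.

```shell
#!/bin/sh
# Added example, not from the original page: the host part of the
# route-up/route-down logic with two changes. Every rule gets an explicit
# preference, so the down script deletes exactly these rules instead of
# grepping for "all lookup"; and a lower-priority table blackholes the
# VPN-only hosts, so their traffic cannot fall back to the ISP link while
# the tunnel is down. Table 11 and the preference numbers are assumptions.
IP=${IP:-ip}       # set IP=echo to dry-run and only print the commands
VPN_TABLE=10       # table used by the original vpnrouteup.sh
KILL_TABLE=11      # assumed: consulted only when the VPN rules are gone
PREF_BASE=1000     # assumed: VPN rules 1000-1499, kill-switch rules 1500+

# One-time setup: a VPN-only host not matched by a higher-priority rule
# ends up in a table whose only route is "unreachable".
killswitch_setup() {              # $1 = space-separated VPN-only hosts
    $IP route replace unreachable default table $KILL_TABLE
    pref=$((PREF_BASE + 500))
    for host in $1; do
        $IP rule add pref $pref from $host table $KILL_TABLE
        pref=$((pref + 1))
    done
}

# route-up: the original's two /1 routes plus numbered per-host rules.
vpn_up() {                        # $1 = tun iface, $2 = peer, $3 = hosts
    $IP route add 0.0.0.0/1   via $2 dev $1 table $VPN_TABLE
    $IP route add 128.0.0.0/1 via $2 dev $1 table $VPN_TABLE
    pref=$PREF_BASE
    for host in $3; do
        $IP rule add pref $pref from $host table $VPN_TABLE
        pref=$((pref + 1))
    done
}

# stdin: "ip rule list" output; prints only the prefs in the VPN range.
own_rule_prefs() {
    awk -F: -v lo=$PREF_BASE -v hi=$((PREF_BASE + 499)) \
        '$1 + 0 >= lo && $1 + 0 <= hi { print $1 + 0 }'
}

# route-down: delete these VPN rules only; the kill-switch rules stay,
# so the hosts are cut off rather than leaked while the tunnel is down.
vpn_down() {
    for pref in $($IP rule list | own_rule_prefs); do
        $IP rule delete pref $pref
    done
}
```

Run killswitch_setup once from the init script and call vpn_up/vpn_down from route-up/down; with IP=echo you can review the exact ip commands before they touch the router.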