I recently switched from DD-WRT to TomatoUSB and couldn’t be happier! It’s fast, stable and offers an immense amount of features, not to mention the support community is great! If you’re like me and use a VPN service to access certain video streaming resources not available in Canada (I won’t mention any names here! ;)), you’ll probably find that once you enable the OpenVPN client on your TomatoUSB router, your port forwards from the outside stop working. This can be quite an inconvenience if you have an FTP or web server you need to access from the outside.

Today I will show you how to configure selective routing on a TomatoUSB router that is connected to an OpenVPN client. The script is designed so that, by default, ALL traffic from hosts on your network flows through the VPN EXCEPT traffic from the IP addresses you define, which goes out the regular WAN instead.

Log in to your router, click VPN Tunneling and then Client. Verify that “Start with WAN” and “Create NAT on Tunnel” are both checked.


Then click the “Advanced” tab and verify that “Redirect Internet Traffic” is checked.


Now we will configure the WAN Up script. Click “Administration” and then “WAN Up”.


Now paste the following script into your WAN Up script:

# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#  To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces (otherwise the kernel drops
# replies that arrive on an interface it would not have used to send):
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

# Delete routing table 100 and flush any existing rules, if they exist,
# so the script is safe to run more than once (e.g. on every WAN up).
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1".
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
    done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# By default all traffic flows through the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0

#  All traffic from particular computers on the LAN will use the WAN.
#  Replace <START_IP>-<END_IP> with the LAN address range that should bypass the VPN,
#  e.g. a single host is written as the same address twice.
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range <START_IP>-<END_IP> -j MARK --set-mark 1

The script above gives you basic selective routing: you pick which hosts on your network go out the VPN and which go out the WAN. Because the MARK target does not stop rule processing, the PREROUTING rules are evaluated in order and the last matching rule decides the final mark, so keep the catch-all “set-mark 0” rule first and add the exceptions after it. If you want to get a bit more advanced, take a look at some of the examples below:

# Ports 80 and 443 will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1

# All traffic to a specific Internet IP address will use the VPN
# (replace <START_IP>-<END_IP> with the destination address or range)
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range <START_IP>-<END_IP> -j MARK --set-mark 0

# All UDP and ICMP traffic will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# Spotify explicitly uses the VPN (mark 0), whatever the rules above decided
# (replace <START_IP>-<END_IP> with the address range Spotify uses)
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range <START_IP>-<END_IP> -j MARK --set-mark 0
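Before trusting a rule set like the one above on the router, it helps to know exactly which flows will still leave via the WAN. The following is an added example, not code from the original post: it models the mangle PREROUTING chain the way the kernel evaluates it (MARK is non-terminating, so the last matching rule wins) using the page's own rule syntax. The address ranges in RULES are constructed sample values, not the author's.

```python
import ipaddress
import shlex

# The page's mangle rules in the order the WAN Up script adds them.
# The address ranges are constructed sample values (not the author's).
RULES = """
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.50-192.168.1.59 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 203.0.113.0-203.0.113.255 -j MARK --set-mark 0
"""

def parse_rule(line):
    """Extract the matches (-p, iprange, multiport --dport) and the mark from one rule line."""
    tok, rule, i = shlex.split(line), {}, 0
    while i < len(tok):
        t, v = tok[i], tok[i + 1] if i + 1 < len(tok) else None
        if t == "-p":
            rule["proto"] = v
        elif t in ("--src-range", "--dst-range"):
            lo, hi = v.split("-")
            rule[t[2:]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t == "--dport":
            rule["dport"] = {int(p) for p in v.split(",")}
        elif t == "--set-mark":
            rule["mark"] = int(v)
        i += 2 if t.startswith("-") else 1  # every flag used here takes one value
    return rule

def load_rules(text):
    return [parse_rule(l) for l in text.strip().splitlines()]

def in_range(rng, addr):
    return rng[0] <= ipaddress.ip_address(addr) <= rng[1]

def matches(rule, pkt):
    """pkt is a dict with src, dst, proto and (for tcp/udp) dport."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "src-range" in rule and not in_range(rule["src-range"], pkt["src"]):
        return False
    if "dst-range" in rule and not in_range(rule["dst-range"], pkt["dst"]):
        return False
    return "dport" not in rule or pkt.get("dport") in rule["dport"]

def egress(rules, pkt):
    """MARK does not terminate: each matching rule overwrites the mark and the last one wins.
    Mark 1 is policy-routed to table 100 (WAN); everything else takes the VPN default route."""
    mark = 0
    for r in rules:
        if matches(r, pkt):
            mark = r["mark"]
    return "WAN" if mark == 1 else "VPN"
```

Run `egress(load_rules(RULES), {"src": "192.168.1.10", "dst": "198.51.100.1", "proto": "udp", "dport": 53})` and it returns "WAN": the UDP bypass rule also sends DNS from a VPN-only host out the WAN, which is the kind of leak worth knowing about before relying on the tunnel.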

Written By: Amardeep Juneja
