I recently switched from DD-WRT to TomatoUSB and couldn’t be happier! It’s fast, stable and offers an immense amount of features, not to mention the support community is great! If you’re like me and use a VPN service to access certain video streaming resources not available in Canada (I won’t mention any names here! ;)) you’ll probably find that once you enable the OpenVPN client on your TomatoUSB router, your port forwards from the outside stop working. This can be quite an inconvenience if you have an FTP or Web server you need to access from the outside.
Today I will show you how to configure selective routing on your TomatoUSB enabled router connected to an OpenVPN client. The way this script is designed is by default ALL traffic from hosts on your network flows through the VPN EXCEPT the IP addresses of the hosts you define.
Login to your router and click the VPN Tunneling and then Client. Verifiy that “Start with WAN” and “Create NAT on Tunnel” are both Checked.
Then click the “Advanced” tab and verify that “Redirect Internet Traffic” is Checked
Now we will configure the WAN Up Script. Click “Administration” and then “Wan Up”
Now paste the following script in your WAN Up Script
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
# Delete and table 100 and flush any existing rules if they exist.
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark “1″
# NOTE: Here I assume the OpenVPN tunnel is named “tun11″.
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
# By default all traffic flows through the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK –set-mark 0
# All traffic from particular computers on the LAN will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange –src-range 192.168.1.10 -j MARK –set-mark 1
# Ports 80 and 443 will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport –dport 80,443 -j MARK –set-mark 1
# All traffic to a specific Internet IP address will use the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange –dst-range 18.104.22.168 -j MARK –set-mark 0
# All UDP and ICMP traffic will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK –set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK –set-mark 1
# Spotify explicitly uses the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange –dst-range 22.214.171.124-126.96.36.199 -j MARK –set-mark
Written By: Amardeep Juneja