Routing certain IPs over VPN with DD-WRT without IPTables

I decided I wanted to be able to route certain devices on my network over a VPN connection, for reasons you can probably imagine (geo-restrictions, etc.). I didn’t want everything to go through the VPN because that would slow down my connection for things that didn’t need it.

It’s worth noting that before this year you could just use some fancy DNS tricks to route only traffic for a certain domain over your VPN, but I found this failed on devices with hard-coded DNS (like the Chromecast or the Android Netflix app).

Media devices like Smart TVs and Chromecasts can’t run OpenVPN, so it has to be done on the router. If you want to do this, make sure your router is up to scratch: encryption uses processing power, which most routers lack. You want to be getting a minimum of 5Mbps, with 10 recommended, for this to be usable. I forked out for an R7000, which is probably overkill. Another option is choosing a VPN provider (or setting up your own) that lets you use weaker encryption – the idea being that it doesn’t really matter if the NSA can snoop on your Netflix. That’s up to you.

My first idea was to have a separate WLAN (Wireless LAN) with its own subnet and DHCP, and to route all of its connections through the VPN. That way you could choose to go over the VPN just by switching networks. I’m sure there is a way to do this, but I couldn’t get it working with my limited knowledge of dd-wrt, iptables and the like. The issues I ran into ranged from not being able to access the other local subnets (which I wanted to for things like Plex) to just generally getting it to play nice.

So I scrapped that idea and moved on to the next one: give every device you want to route over the VPN a static DHCP lease (i.e. its IP doesn’t change) and then use the Policy Based Routing field to tell the router to route that device’s internet traffic over OpenVPN. This worked perfectly. The only catch is that with Chromecast your mobile device also has to be on the VPN or you won’t be able to see the geo-restricted content. If you don’t always want your phone to go over the VPN on wifi, you could use a cheap tablet as a Chromecast remote, OR install OpenVPN on your phone and only connect when you want to access geo-restricted content.

OK so here is how you do it. These instructions assume that you have set up your router to the point of having an internet connection and a single subnet with DHCP turned on.

  1. Put your devices on a Static Lease
    Go to Services > DHCP Server > Static Leases.
    Add each device one at a time, pressing Save and Apply after each one. Note that the hostname doesn’t really matter here, MAC addresses do. I found some hostnames made nothing resolve, so if there are any special characters in your hostname just name it something else.
  2. Set up OpenVPN
    Instructions will be different for each provider. OpenVPN is under Services > VPN > OpenVPN Client.
    The only deviation is that you don’t want to redirect your gateway, so remove redirect-gateway from the additional commands.
  3. Add your IPs to the OpenVPN Client config
    Under Services > VPN > OpenVPN Client > Policy based Routing, add each IP in the form X.X.X.X/32, one per line. I put both my Chromecasts and my TV on it, as well as my cheapo tablet that I use solely for Plex/Netflix.
  4. Bingo. You’re done. No telnetting, no iptables, no messing around.
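The three steps above are typed into the DD-WRT web UI, so the mistakes that bite are clerical: a lease IP outside the LAN subnet, a hostname with characters that stop resolution, an IP listed twice, or a leftover redirect-gateway line that pulls the whole LAN into the tunnel. The following script is an added example, not part of the original post or of DD-WRT itself, and it assumes a constructed LAN (192.168.1.0/24), constructed MAC addresses and hostnames, and a constructed Additional Config block. It checks a list of static leases against those rules, emits the Policy Based Routing field exactly as step 3 wants it, and strips redirect-gateway as step 2 describes.

```python
import ipaddress
import re

# Constructed LAN for illustration; substitute your own subnet.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed static leases as they would be entered under
# Services > DHCP Server > Static Leases: (MAC, IPv4, hostname).
STATIC_LEASES = [
    ("AA:BB:CC:00:00:01", "192.168.1.50", "chromecast-lounge"),
    ("AA:BB:CC:00:00:02", "192.168.1.51", "chromecast-bedroom"),
    ("AA:BB:CC:00:00:03", "192.168.1.52", "smart-tv"),
    # A hostname with a space and '!' - the post notes such names broke resolution.
    ("AA:BB:CC:00:00:04", "192.168.1.53", "plex tablet!"),
]

# Constructed provider "Additional Config" block, including the line step 2 says to remove.
ADDITIONAL_CONFIG = """persist-key
persist-tun
redirect-gateway def1
tls-client
remote-cert-tls server
"""

# Letters, digits and hyphens only, no leading/trailing hyphen, at most 63 characters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hostname_ok(name):
    """True if the lease hostname uses only characters safe for DHCP/DNS."""
    return bool(HOSTNAME_RE.match(name))


def policy_routing_lines(leases, lan):
    """Return the Policy Based Routing field contents: one X.X.X.X/32 per lease.

    Raises ValueError if an IP lies outside the LAN (the lease would never be
    handed out) or appears twice (a copy/paste slip that hides a missing device).
    """
    seen = set()
    lines = []
    for _mac, ip, host in leases:
        addr = ipaddress.ip_address(ip)
        if addr not in lan:
            raise ValueError(f"{ip} ({host}) is outside the LAN {lan}")
        if addr in seen:
            raise ValueError(f"{ip} appears twice in the static leases")
        seen.add(addr)
        lines.append(f"{addr}/32")
    return lines


def strip_redirect_gateway(config):
    """Drop every redirect-gateway line so only the policy-routed hosts use the tunnel."""
    kept = [ln for ln in config.splitlines()
            if not ln.strip().startswith("redirect-gateway")]
    return "\n".join(kept) + "\n"


def main():
    for _mac, _ip, host in STATIC_LEASES:
        if not hostname_ok(host):
            print(f"rename lease hostname {host!r}: use letters, digits and hyphens only")
    print("Policy Based Routing field:")
    print("\n".join(policy_routing_lines(STATIC_LEASES, LAN)))
    print("Additional Config without redirect-gateway:")
    print(strip_redirect_gateway(ADDITIONAL_CONFIG), end="")


if __name__ == "__main__":
    main()
```

Run it before pasting into the router: the printed block goes straight into the Policy based Routing field, and the cleaned Additional Config replaces the provider's block. Because the check is done off-router, nothing here needs telnet or iptables, which matches the point of the post.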

I wish I had found this earlier and maybe I would have saved myself some messing around.

4 thoughts on “Routing certain IPs over VPN with DD-WRT without IPTables”

  1. Good write up, however as soon as I enter my computer’s IP in the policy-based routing field I lose my ability to do DNS lookups – it’s trying my router with OpenVPN client configured on it. My goal is to allow LAN (172.20.30.1/24) to access other LAN devices and all Internet bound traffic is routed over the VPN.

    Router Model: Linksys WRT1900ACS
    Firmware Version: DD-WRT v3.0-r30796 std (10/25/16)
    I’m using Private Internet Access for my VPN provider and the only additional config options they have me set are below
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server

    https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn

    I’m thinking it’s something related to DNSMasq settings but am not sure which to change. Any ideas?
    Thanks in advance
    Jersey

    1. Hey

      Weird. The settings I have are
      Under DHCP settings
      Use DNSMasq for DHCP ON
      Use DNSMasq for DNS OFF
      Recursive DNS Resolving OFF
      Forced DNS Redirection OFF

      Also under Local DNS under router IP I just have it empty (0.0.0.0)

      And under Static DNS 1, 2 and 3 I have the two Google DNS servers (8.8.8.8, 8.8.4.4) then my ISP’s. Under DNSMasq everything is disabled except for DNSMasq itself. If you’re actually using dnsmasq as a DNS server then you’re on your own cos I could never get it to work properly.

      Hope this helps.
      Jason

      1. I have different SSIDs for different subnets, one main, one guest, one without VPN. After setting policy based routing so that only the main and guest subnets/SSIDs would go through the VPN, DNS stopped working and I couldn’t ping the gateway (on the main and guest). Disabling DNSMasq did the trick and everything is working now.
        I followed the instructions for NordVPN exactly, except the DNSMasq setting. https://nordvpn.com/tutorials/dd-wrt/
        Thank you for sharing your solution.

  2. Thank you so much for this blogpost! Helped me a lot, because I was initially thinking that I have to fiddle with Iptable rules as well to implement some policy based routing. But works like a charm and so easy. Really love dd-wrt today! 🙂 BIG BIG THX
