Routing certain IPs over VPN with DD-WRT without IPTables

I decided I wanted to be able to route certain devices on my network over a VPN connection for reasons that I am sure you can use your imagination (geo-restrictions etc). I didn’t want everything to go through the VPN because that would slow down my connection for things I didn’t need it for.

It’s worth noting that before this year you could just use some fancy DNS tricks to route only traffic from a certain domain over your VPN, but I found this failed on devices with hard-coded DNS (like the Chromecast or the Android Netflix app).

Media devices like Smart TVs and Chromecasts can’t run OpenVPN so it has to be done on the router. If you want to do this, make sure your router is up to scratch. Encryption uses processing power which most routers lack. You want to be getting minimum 5Mbps with a recommended 10 for this to be usable. I forked out for an R7000 which is probably overkill. Another option is choosing a VPN provider (or setting up your own) that enables you to use weaker encryption – the idea being that it doesn’t really matter that the NSA can snoop on your netflix, it’s up to you.

My first idea was to have a separate WLAN (Wireless LAN) with its own subnet and DHCP and route all connections through the VPN. That way you could choose to go over the VPN just by switching networks. I’m sure there is a way to do this, but I couldn’t get it working with my limited knowledge of dd-wrt and iptables and the like. Issues I ran into ranged from not being able to access the other local subnets (which I wanted to for things like Plex) to just generally getting it to play nice.

So I scrapped that idea and moved onto the next. Give every device you want to route over the VPN a static DHCP lease (i.e. their IP doesn’t change) and then use the Policy Based Routing field to tell the router to route internet traffic over OpenVPN. This worked perfectly. The only catch is with Chromecast your mobile device also has to be over the VPN or you won’t be able to see the geo-restricted content. If you don’t always want your phone to go over the VPN for wifi then you could use a cheap tablet as a Chromecast remote OR install OpenVPN on your phone and only connect when you want to access geo-restricted content.

OK so here is how you do it. These instructions assume that you have set up your router to the point of having an internet connection and a single subnet with DHCP turned on.

  1. Put your devices on a Static Lease
    Go to Services > DHCP Server > Static Leases
    Add each device one at a time, pressing save and apply after each time. Note that the hostname doesn’t really matter here, MAC Addresses do and I found some of the hostnames made nothing resolve so if there are any special characters in your hostname just name it something else.
  2. Set up OpenVPN
    Instructions will be different for each provider. OpenVPN is under Services > VPN > OpenVPN Client.
    The only deviation will be that you don’t want to redirect your gateway, so remove redirect-gateway from the additional commands.
  3. Add your IPs to OpenVPN Client config
    Under Services > VPN > OpenVPN Client > Policy based Routing add each IP in the form of X.X.X.X/32 with one per line. I put both my Chromecasts and my TV on it as well as my cheapo tablet that I use solely for Plex/Netflix.
  4. Bingo. You’re done. No telnetting, no iptables, no messing around.
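
The thing that silently breaks this setup is a mismatch between steps 1 and 3: a device whose address isn’t pinned by a static lease can pick up a new IP and quietly drop back onto the plain WAN, and an entry that isn’t a single-host /32 doesn’t do what you meant. The sanity check below is an added example, not part of the original post or of dd-wrt itself. It assumes (my assumption, not something the post states) that the static lease table is a space-separated list of MAC=hostname=IP=lease entries and the policy-based routing box is one CIDR per line; the MACs and addresses are constructed sample data, so swap in your own lists.

```shell
#!/bin/sh
# Constructed sample data in the assumed dd-wrt shapes:
#   static leases: "MAC=hostname=IP=lease_minutes" entries separated by spaces
#   policy-based routing: one CIDR per line, as typed into the GUI box
STATIC_LEASES='AA:BB:CC:00:00:01=chromecast-lounge=192.168.1.50=1440 AA:BB:CC:00:00:02=smart-tv=192.168.1.51=1440 AA:BB:CC:00:00:03=plex-tablet=192.168.1.52=1440 '
PBR_LIST='192.168.1.50/32
192.168.1.51/32
192.168.1.99/32
192.168.1.0/24'

# lease_ips: print the IP of every static lease, one per line
lease_ips() {
  for entry in $1; do
    printf '%s\n' "$entry" | cut -d= -f3
  done
}

# check_pbr: report every policy-based-routing entry that is not a
# single-host /32, or whose address has no static lease behind it.
# Returns 0 when every entry lines up, 1 when anything was flagged.
check_pbr() {
  leases=$1
  pbr=$2
  bad=0
  ips=$(lease_ips "$leases")
  for cidr in $pbr; do
    ip=${cidr%/*}
    mask=${cidr#*/}
    if [ "$mask" != "32" ]; then
      echo "not a single-host /32 entry: $cidr"
      bad=1
    fi
    if ! printf '%s\n' "$ips" | grep -qxF "$ip"; then
      echo "no static lease for $ip (its address can change and fall off the VPN)"
      bad=1
    fi
  done
  return $bad
}

# Run the check against the constructed lists; two of the four entries are wrong on purpose.
check_pbr "$STATIC_LEASES" "$PBR_LIST" || echo "fix the entries above before relying on the VPN"
```

Run it once after saving both pages in the GUI; a clean run prints nothing and exits 0, and every flagged line names the entry to fix. The check is deliberately offline so it only compares the two lists you typed; it says nothing about whether the tunnel itself is up.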

I wish I had found this earlier and maybe I would have saved myself some messing around.