OpenWrt VPN routing
Required packages:
- openvpn-openssl
- iptables-mod-iprange
- ip
Create your VPN client connection using any of the many howtos available online.
Make sure to check the box for route_noexec so you don't route all your traffic through your VPN.
Here's a copy of a working VPN config from my LEDE router. Note the option up script and the option script_security lines.
vi /etc/config/openvpn
config openvpn 'USCAPIA'
option dev 'tun'
option script_security '2'
option up '/etc/openvpn/up.sh'
option nobind '1'
option verb '3'
option fast_io '1'
option persist_tun '1'
option persist_key '1'
option client '1'
option proto 'udp'
option tls_client '1'
option remote_cert_tls 'server'
option cipher 'aes-256-cbc'
option auth 'sha256'
option ca '/etc/config/ca.rsa.4096.crt'
option keepalive '10 120'
list remote 'us-california.privateinternetaccess.com'
option comp_lzo 'adaptive'
option auth_user_pass '/etc/openvpn/authuser'
option resolv_retry 'infinite'
option reneg_sec '0'
option disable_occ '1'
option crl_verify '/etc/config/crl.rsa.4096.pem'
option port '1197'
option enabled '1'
option float '1'
option route_noexec '1'
Create a script to run when OpenVPN connects. This script adds a routing policy rule that sends marked packets to table vpn, sets that table's default route to the VPN tunnel, and flushes the existing route cache.
vi /etc/openvpn/up.sh
Add the following:
#!/bin/sh
# Packets carrying fwmark 1 are looked up in routing table "vpn"
ip rule add fwmark 1 table vpn
# Table "vpn" sends everything out of the tunnel interface
ip route add default dev tun0 table vpn
ip route flush cache
In the custom rules tab of the firewall settings, create mangle-table rules in the PREROUTING chain to mark whatever packets you want routed through your VPN. In this example the IP range 192.168.1.100-192.168.1.199 will be marked.
iptables -A PREROUTING -i br-lan -t mangle -m iprange --src-range 192.168.1.100-192.168.1.199 -j MARK --set-mark 1
Make sure everything works by checking the policy rule, the vpn table and the mangle rule counters:
ip rule show
ip route show table vpn
iptables -L -vt mangle
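The three checks above can be scripted so a reconnect or firewall reload is verified automatically. The script below is an added example, not part of the original howto: it parses the output of the same three commands, runs against constructed sample output by default, and with --live queries the router itself. It assumes the mark, interface and table names used above, and that the named table exists in /etc/iproute2/rt_tables (e.g. a line "100 vpn", id chosen here), without which ip rejects "table vpn".

```shell
#!/bin/sh
# Verify the policy-routing pieces of the howto: the fwmark rule, the default
# route in table "vpn", and the MARK rule in the mangle PREROUTING chain.
# The sample output below is constructed to resemble the router's output.

SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup vpn
32766: from all lookup main
32767: from all lookup default'
SAMPLE_VPN_TABLE='default dev tun0 scope link'
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 1234 packets, 98K bytes)
 pkts bytes target  prot opt in     out  source     destination
   42  3100 MARK    all  --  br-lan *    0.0.0.0/0  0.0.0.0/0  source IP range 192.168.1.100-192.168.1.199 MARK set 0x1'

# Each check takes one command's output as $1 and returns 0 if the expected line is present.
# ip prints marks in hex, so "--set-mark 1" appears as "fwmark 0x1".
check_rule()  { printf '%s\n' "$1" | grep -q 'fwmark 0x1 lookup vpn'; }
# Table vpn must carry a default route over the tunnel, not just a subnet route.
check_route() { printf '%s\n' "$1" | grep -q '^default dev tun0'; }
# The MARK rule must match LAN ingress (br-lan) and set mark 1.
check_mark()  { printf '%s\n' "$1" | grep -q 'MARK .*br-lan.*MARK set 0x1'; }

# verify_all RULES ROUTES MANGLE: report each check, return 0 only if all pass.
verify_all() {
  rc=0
  check_rule  "$1" && echo "ok   fwmark 1 -> table vpn" || { echo "FAIL no 'fwmark 0x1 lookup vpn' in ip rule"; rc=1; }
  check_route "$2" && echo "ok   default route via tun0" || { echo "FAIL no default route in table vpn"; rc=1; }
  check_mark  "$3" && echo "ok   mangle PREROUTING marks br-lan traffic" || { echo "FAIL no MARK rule in mangle PREROUTING"; rc=1; }
  return $rc
}

# Live mode queries the router. The named table only resolves if rt_tables defines it
# (assumed line: "100 vpn"); without it the up script fails before adding any route.
verify_live() {
  grep -q '[[:space:]]vpn$' /etc/iproute2/rt_tables 2>/dev/null \
    || { echo "FAIL table 'vpn' not defined in /etc/iproute2/rt_tables"; return 1; }
  verify_all "$(ip rule show)" "$(ip route show table vpn)" "$(iptables -t mangle -L PREROUTING -vn)"
}

if [ "${1:-}" = "--live" ]; then verify_live; else verify_all "$SAMPLE_RULES" "$SAMPLE_VPN_TABLE" "$SAMPLE_MANGLE"; fi
```

Run it from the up script's log or a cron job with --live; a non-zero exit means marked LAN hosts are currently leaving via the normal WAN route rather than the tunnel.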