OpenWrt Forum Archive

Topic: how to determine the wan gateway from command line/script? [SOLVED]

The content of this topic has been archived on 1 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Please, how does one determine the wan gateway from command line/shell script in OpenWrt using uci or some other command?

Some context:
I'd like to try my luck with using a shell script as an alternative to the vpnbypass package. I want to learn about this stuff and think I'd have a better chance of understanding what's going on if I were to use something like this.

Trouble is I need an alternative to the "nvram get wan0_gateway" expression that occurs near the middle of the script I found.

I figured out that OpenWrt uses uci instead of nvram, but it doesn't seem that uci can find the wan gateway on my router. The OpenWrt documentation mentions the existence of a network.wan.gateway variable, but my router doesn't seem to have it:

# uci get network.wan.gateway
uci: Entry not found

# uci -P/var/state show network.wan
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.up='1'
network.wan.device='eth1'

Here's the script I'd like to try. The "nvram get wan0_gateway" in the command substitution near the middle of the script is mucking things up because my router doesn't have the nvram command:

#!/bin/sh

## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and set value(s) as needed to customize your rules
#
# IP addresses, contiguous range AND/OR individual.
#
ip_addrs_lst="192.168.10.60-192.168.10.69"

##Server ports to bypass VPN
server_ports="5500,22"

#
# Specific destination websites ip range - Spotify , Netflix...
#
#web_range_lst="72.44.32.1-72.44.63.254
#67.202.0.1-67.202.63.254
#207.223.0.1-207.223.15.254
#98.207.0.1-98.207.255.254
#208.85.40.1-208.85.47.254
#78.31.8.1-78.31.15.254
#193.182.8.1-193.182.15.254"

########################################
# NO NEED TO CHANGE BELOW THIS LINE #
########################################

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
#  List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
#  Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
#  To list the current rules on the router, issue the command:
#     iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#     iptables -t mangle -F PREROUTING
sleep 1
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Let's find out the tunnel interface
#
iface_lst=`route | awk '{print $8}'`
tun_if=""
for candidate in $iface_lst; do
  if [ "$candidate" = "tun11" ] || [ "$candidate" = "tun12" ] || [ "$candidate" = "ppp0" ]; then
    tun_if="$candidate"
    break
  fi
done
# Stop here if no tunnel interface exists: an empty $tun_if would make the
# "grep -Ev" below discard every route.
[ -n "$tun_if" ] || { echo "no VPN tunnel interface found" >&2; exit 1; }

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
ip route show table main | grep -Ev "^default" | grep -Ev "$tun_if" \
  | while read ROUTE ; do
     ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first,
#  so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0

# IP_ADDRESSES - RANGE(S) AND/OR INDIVIDUAL(S)
for ip_addrs in $ip_addrs_lst ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_addrs -j MARK --set-mark 1
done

######   Ports that bypass VPN    ######
###### Normal portforwarding will ######
######    need to be applied      ######

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport $server_ports -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport $server_ports -j MARK --set-mark 1

# WEBSITES_IP_RANGES -
#for web_dst_range in $web_range_lst ; do
#  iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $web_dst_range -j MARK --set-mark 0
#done

(Last edited by GNUser on 22 Sep 2017, 03:55)

I thought I'd try getting my wan gateway like this:

# route | grep eth1 | grep default | awk '{print $2}'
c-73-226-68-1.h

But that output doesn't look like an IP address. What the heck is that? I thought the second column in the output of the "route" command was for IP addresses.

# ifstatus wan | grep nexthop | awk '{print $2}' | sed 's/^.\(.*\)..$/\1/'

(Last edited by angelos on 22 Sep 2017, 03:45)

Beautiful, angelos. Thank you. I just added one more command at the end to get just the gateway's ip address:

# ifstatus wan | grep nexthop | awk '{print $2}' | sed 's/^.\(.*\)..$/\1/' | grep -v '0.0.0.0'

I'll mark as solved.

P.S. Unfortunately, now that this part works, my router complains of several other things in the script. I think I'm giving up on an alternative to vpnbypass for now--will just try to understand vpnbypass itself to the best of my ability.
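An added example, not code from this thread or from the vpnbypass package: it extracts the gateway from a constructed `ifstatus wan` sample the way the one-liner above does, validates that the result is a dotted-quad address, and builds the `ip route add default table 100 via ...` line that the posted script needed in place of `nvram get wan0_gateway`. The function names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Constructed sample of the JSON that `ifstatus wan` prints on OpenWrt;
# the layout mirrors a real DHCP WAN, the addresses are made up.
SAMPLE_IFSTATUS='{
	"proto": "dhcp",
	"route": [
		{
			"target": "0.0.0.0",
			"mask": 0,
			"nexthop": "73.226.68.1",
			"source": "73.226.68.100/32"
		},
		{
			"target": "73.226.68.1",
			"mask": 32,
			"nexthop": "0.0.0.0",
			"source": "73.226.68.100/32"
		}
	]
}'

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0..255,
# so whatever reaches `ip route add ... via` is an address and not junk.
is_ipv4() {
	printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
		{ for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# wan_gateway_from_json: read ifstatus-style JSON on stdin and print the
# first "nexthop" that is not 0.0.0.0 (the 0.0.0.0 entry is the on-link
# route the one-liner drops with grep -v). Fails when nothing valid is
# found, so a caller never continues with an empty gateway.
wan_gateway_from_json() {
	gw=$(awk -F'"' '/"nexthop"/ && $4 != "0.0.0.0" { print $4; exit }')
	is_ipv4 "$gw" || return 1
	printf '%s\n' "$gw"
}

# default_route_cmd JSON: build the replacement for the script's
# `ip route add default table 100 via $(nvram get wan0_gateway)` line.
# It is printed rather than executed so the example runs anywhere; on the
# router pass "$(ifstatus wan)" and run the printed command.
default_route_cmd() {
	gw=$(printf '%s\n' "$1" | wan_gateway_from_json) || return 1
	printf 'ip route add default table 100 via %s\n' "$gw"
}

default_route_cmd "$SAMPLE_IFSTATUS"
```

On OpenWrt itself the shipped helper `network_get_gateway` in /lib/functions/network.sh returns the same value through ubus, which avoids the text parsing entirely.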

What kind of environment does the script need in order to be "runnable"?
A typical linux distro maybe?

Anyway... this one-liner is useful, I'll keep it in a text for future use!
Cheers!

(Last edited by angelos on 22 Sep 2017, 04:09)

It seems the script is for routers and was meant to be distro-agnostic. I found it here:
https://torguard.net/forums/index.php?/ … d-the-vpn/

Alas, even after replacing the nvram command with your offering, it seems there are other things about this script that make it unusable on OpenWrt as-is.

Yes, it is better to figure out how vpnbypass works. nvram is used in Padavan firmware. So what is your error message when running the compound command above?

Thank you, ulmwind. I definitely want to make this script work, but given all the time I've spent looking for, installing, and now troubleshooting vpnbypass, my wife calls the router my "girlfriend". As much as I would like to, I don't want to make matters worse by working on two projects simultaneously.

May I suggest that once vpnbypass is squared away I open a new thread so that we can attack this script? The script does look simpler than the contents of the vpnbypass package, so it would be a good learning exercise.

Let's do it step by step. After solving the vpnbypass issue, please see my request in the topic.

The discussion might have continued from here.