Domain-based VPN Routing Script

[Ranger802004]

Sorry in advance for the nooby questions:

1. I wonder is it possible to use this script the other way around, to "whitelist" a domain to go through WAN interface rather than WireGuard, as I route all my traffic through WG1 in VPN Director? I notice that my credit card provider login portal is blackisted on the VPN I use as it's a shared IP.

2. Does this script play nice with FlexQoS with regards to "marking" packets in iptables and such, I know that Flex does this to differentiate traffic type.

1. Yes, this is the purpose of having WAN interfaces available for policies.
2. The default FWMarks / Masks only mark for the 17th - 20th bit for determining the WAN / VPN Interface, however for custom solutions it is possible to change the default FWMark / Mask for each interface in the configuration menu.

 

[privacyguy123]

1. Yes, this is the purpose of having WAN interfaces available for policies.
2. The default FWMarks / Masks only mark for the 17th - 20th bit for determining the WAN / VPN Interface, however for custom solutions it is possible to change the default FWMark / Mask for each interface in the configuration menu.

1. Perhaps you could point to the documentation where I can add a website to go through WAN specifically? With no VPN IP.
2. Does this mean you think your script will play nice with FlexQoS and their scripts? Or QoS in general?

 

[Ranger802004]

What a job!!

How can I enable the dnmasq log?

Thanks,

You would add the following lines to the file /jffs/configs/dnsmasq.conf.add and then restart the dnsmasq service.

log-queries
log-facility=/var/log/dnsmasq.log

 

[Ranger802004]

1. Perhaps you could point to the documentation where I can add a website to go through WAN specifically? With no VPN IP.
2. Does this mean you think your script will play nice with FlexQoS and their scripts? Or QoS in general?

1. Readme for Domain VPN Routing in the original post.
2. I'm not sure which bits FlexQoS uses to mark packets but if they are different than there shouldn't be an issue and if they overlap you can change the FWMark for Domain VPN Routing interfaces.

EDIT: I just looked at the FlexQoS script and it looks like it doesn't mark / mask the same bits for interfaces and marks around it so I don't think there will be a conflict. All of the rules use a mask of 0xC03F0FFF which as you can see here don't mask the bits being used by default for Domain VPN Routing.

 

[privacyguy123]

1. Readme for Domain VPN Routing in the original post.
2. I'm not sure which bits FlexQoS uses to mark packets but if they are different than there shouldn't be an issue and if they overlap you can change the FWMark for Domain VPN Routing interfaces.

EDIT: I just looked at the FlexQoS script and it looks like it doesn't mark / mask the same bits for interfaces and marks around it so I don't think there will be a conflict. All of the rules use a mask of 0xC03F0FFF which as you can see here don't mask the bits being used by default for Domain VPN Routing.

View attachment 53557

Awesome, thanks for that explanation.

My first (very poor) attempt in whitelisting a domain through WAN - shows this SSL error in FireFox (I have no idea what I'm doing.)

EDIT: trying multiple sites, including an IP checker one to try and see if it's working at all, results in this error in both Chrome and FireFox. Too stupid to understand why or how to fix it.

EDIT2: On second thought, would it not have to be going through br0?

 

[Ranger802004]

Awesome, thanks for that explanation.

My first (very poor) attempt in whitelisting a domain through WAN - shows this SSL error in FireFox (I have no idea what I'm doing.)
View attachment 53558

EDIT: trying multiple sites, including an IP checker one to try and see if it's working at all, results in this error in both Chrome and FireFox. Too stupid to understand why or how to fix it.

EDIT2: On second thought, would it not have to be going through br0?

No br0 is your lan interface and you would not be routing web traffic out to that interface. You may need to let the policy sit for awhile to continue to collect IPs for the ipsets and also there may be additional domains that are needed to support the site (CDN, etc).

 

[privacyguy123]

No br0 is your lan interface and you would not be routing web traffic out to that interface. You may need to let the policy sit for awhile to continue to collect IPs for the ipsets and also there may be additional domains that are needed to support the site (CDN, etc).

As far as I can see it's not working as expected. I'm using your recommended Chrome/FireFox addon to pick up all IPs the site connects to.

Is this because I have VPN Director set up to already route all traffic through WGC1? This is what I want + a way to whitelist a certain website that I'm blocked out from.
Or perhaps Adguard Home changes to dnsmasq interfere with it? Would this mean Diversion also is not compatible?

 

[Ranger802004]

As far as I can see it's not working as expected. I'm using your recommended Chrome/FireFox addon to pick up all IPs the site connects to.

Is this because I have VPN Director set up to already route all traffic through WGC1? This is what I want + a way to whitelist a certain website that I'm blocked out from.
Or perhaps Adguard Home changes to dnsmasq interfere with it? Would this mean Diversion also is not compatible?

Send me an output of your these commands? No it shouldn't interfere but again you need to allow time for the query policy function to collect the correct IP Addresses for your policy.

ip rule list
ip -6 rule list

 

[privacyguy123]

Send me an output of your these commands? No it shouldn't interfere but again you need to allow time for the query policy function to collect the correct IP Addresses for your policy.

ip rule list
ip -6 rule list

ip rule list

0: from all lookup local
150: from all fwmark 0x8000/0xf000 lookup main
10010: from all to 10.6.0.0/24 lookup main
11210: from 192.168.50.0/24 lookup wgc1
11211: from all to 10.2.0.0/24 lookup wgc1
11212: from 10.6.0.0/24 lookup wgc1
32766: from all lookup main
32767: from all lookup default

ipv6 is off

By "time" do you mean longer than 15 minutes? The websites I add to the policy become completely non-functional within the browser - they will respond to pings though.

EDIT: eventually sites will load and complain about "Secure Site Not Available" in FireFox and ask me to connect via http - this fails also. Seems SSL cert related.

 

[Ranger802004]

ip rule list


ipv6 is off

By "time" do you mean longer than 15 minutes? The websites I add to the policy become completely non-functional within the browser - they will respond to pings though.

EDIT: eventually sites will load and complain about "Secure Site Not Available" in FireFox and ask me to connect via http - this fails also. Seems SSL cert related.

Have you verified there are no other additional domains you need to add to your policy? What is the website?

 

[privacyguy123]

Have you verified there are no other additional domains you need to add to your policy? What is the website?

sainsburysbank.co.uk - I added everything I see in IPvFoo. The domain does not work whatsoever in any browser, addons on/off, fresh profile/private session/whatever you can think of. Adding a policy effectively blocks me from the site completely. Perhaps some deeper issue in the router settings or how this script interacts with WireGuard?

 

[Ranger802004]

I see a few and make sure you're adding the www. subdomain to your policy. I have 3 WireGuard clients and routing domains to all of them without issues.

 

[privacyguy123]

I see a few and make sure you're adding the www. subdomain to your policy. I have 3 WireGuard clients and routing domains to all of them without issues.

View attachment 53559

Why is my list 3 sites long and you see all that?

 

[privacyguy123]

Here's the log in page I am specifically blacklisted from using VPN IP. There is NO WAY this script is working as intended ... when I turn WGC1 off in ASUS admin page I can access it fine.

https://online.sainsburysbank.co.uk/servicing/signin

 

[Ranger802004]

Here's the log in page I am specifically blacklisted from using VPN IP. There is NO WAY this script is working as intended ... when I turn WGC1 off in ASUS admin page I can access it fine.

https://online.sainsburysbank.co.uk/servicing/signin

I would route all of the domains for that site and treat it as a single service.

 

[privacyguy123]

I would route all of the domains for that site and treat it as a single service.

When I connect my IPvFoo addon shows 15 less entries than yours - how do I set it up right?

 

[Ranger802004]

When I connect my IPvFoo addon shows 15 less entries than yours - how do I set it up right?

Remove it from your policy and load it without any policy and see what you get.

 

[privacyguy123]

Remove it from your policy and load it without any policy and see what you get.

For the record, here's what I have and it's non functioning.

Policy Name: 2
Interface: wan
Verbose Logging: Enabled
Private IP Addresses: Enabled
Domains:
corvidae.sainsburysbank.co.uk
sbmm.s3-eu-west-1.amazonaws.com
smetrics.sainsburysbank.co.uk
tags.tiqcdn.com
www.sainsburysbank.co.uk

 

[privacyguy123]

Seeing totally different things on my side all around.

 

[Ranger802004]

For the record, here's what I have and it's non functioning.

I would only add the domains specific to sainsburysbank.co.uk (including the root domain which you are missing), I wouldn't add amazonaws.com domains and google domains, etc.