Domain-based VPN Routing Script

[privacyguy123]

I would only add the domains specific to sainsburysbank.co.uk (including the root domain which you are missing), I wouldn't add amazonaws.com domains and google domains, etc.

Sorry, done bashing my head tonight.

Script non-functional with some sort of combination of addons/firmware WireGuard - IMHO, on my side at least. But I have no idea what I'm talking about.

 

[Ranger802004]

***v2.1.2-beta1 Release***
Enhancements:
- The wgclient-start start up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.

Fixes:
- Fixed integration with Wireguard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.

 

[i5Js]

Hi @Ranger802004

Thanks again, one last question about the following:

- DNSMasq log is now utilized if enabled to query for domain records to route. The log path will be captured from the DNSMasq Configuration

Does it mean it does automatically? Capture the records and add them to an existing policy?

Thanks,

 

[privacyguy123]

***v2.1.2-beta1 Release***
Enhancements:
- The wgclient-start start up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.

Fixes:
- Fixed integration with Wireguard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.

Installed this update this morning hoping for something different - unfortunately any domains I add to this script I am effectively blocked out from completely. I can't understand why and don't know where to look.

If I were to hazard a guess it'd be because of how Adguard Home addon "takes over" for dnsmasq. Please advise.

EDIT: script now frozen and spamming in log - I leave my WGC1 DNS blank as it overwrites what Adguard is doing. Specifying router as DNS server seems to fix this.

Oct 11 10:09:27 RT-AX58U-5468 domain_vpn_routing: Debug - failed to set WGC1DNS
Oct 11 10:09:28 RT-AX58U-5468 domain_vpn_routing: Debug - failed to set WGC1DNS
Oct 11 10:09:30 RT-AX58U-5468 domain_vpn_routing: Debug - failed to set WGC1DNS
Oct 11 10:09:31 RT-AX58U-5468 domain_vpn_routing: Debug - failed to set WGC1DNS

 

[privacyguy123]

Fix found from this writeup: https://github.com/ZebMcKayhan/WireguardManager#managesetup-ipsets-for-policy-based-routing

the final thing we can do in wgm is to disable the rp_filter for the WAN interface. whenever we use IPSET to force packets to different route we will need to disable this.
"reverse path filter" is a very simple protection that many now days consider obsolete. whenever a packets comes in on i.e. WAN it will change place on Destination and Source and run it trough the routing table to see if a reply to this packet would be routed out the same way. it understands most rules but it will not understand that some packets will recieve a mark and be routed differently. so in this case we need to disable the rp_filter on WAN, otherwise answers from WAN will not be accepted. there are 3 values for rp_filter. 0 means "Disabled", 1 means "Enabled, strict", 2 means "Enabled loose". loose means that it does not check routing explicitly, but will accept if there are any routing ways back this interface. 2 is sufficient for us.

Somewhere in the code you need to add this for WireGuard to work properly at least.

echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter

replace "eth0" with whatever your WAN interface is called.

 

[Ranger802004]

Fix found from this writeup: https://github.com/ZebMcKayhan/WireguardManager#managesetup-ipsets-for-policy-based-routing

Somewhere in the code you need to add this for WireGuard to work properly at least.

replace "eth0" with whatever your WAN interface is called.

I will look into adding this, good find.

 

[Ranger802004]

***v2.1.2-beta3***
Enhancements:
- The wgclient-start start up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.
- The WAN Reverse Path Filter will now be set to loose filtering if enabled and FWMarks are being used for a policy.

Fixes:
- Fixed integration with Wireguard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.
- Fixed an issue that caused Domain VPN Routing to be stuck in a loop if a WireGuard Client DNS Option was null.
- Fixed integration issues with amtm.

 

[privacyguy123]

***v2.1.2-beta2***
Enhancements:
- The wgclient-start start up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.
- The WAN Reverse Path Filter will now be set to loose filtering if enabled and FWMarks are being used for a policy.

Fixes:
- Fixed integration with Wireguard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.
- Fixed an issue that caused Domain VPN Routing to be stuck in a loop if a WireGuard Client DNS Option was null.

New update broke other stuff

Error: argument "0x8000}" is wrong: fwmark value is invalid

Error: argument "0x8000}" is wrong: fwmark value is invalid

domain_vpn_routing: Query Policy - ***Error*** Failed to add IPv4 Rule for Interface: wan using FWMark: 0x8000}/0xf000
Error: argument "0x8000}" is wrong: fwmark value is invalid

iptables v1.4.15: MARK: trailing garbage after value for option "--set-xmark".

Try `iptables -h' or 'iptables --help' for more information.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables OUTPUT rule for IPSET: DomainVPNRouting-1-ipv4 FWMark: 0x8000}
iptables v1.4.15: MARK: trailing garbage after value for option "--set-xmark".

Try `iptables -h' or 'iptables --help' for more information.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables PREROUTING rule for IPSET: DomainVPNRouting-1-ipv4 FWMark: 0x8000}
iptables v1.4.15: MARK: trailing garbage after value for option "--set-xmark".

Try `iptables -h' or 'iptables --help' for more information.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables rule for IPSET: DomainVPNRouting-1-ipv4 Interface: eth4 FWMark: 0x8000}
Error: argument "0x8000}" is wrong: fwmark value is invalid

Error: argument "0x8000}" is wrong: fwmark value is invalid

 

[Ranger802004]

New update broke other stuff

I fixed this as a quick fix, check for an update again (may take a minute) and when you get an invalid checksum error let it reinstall.

 

[privacyguy123]

I fixed this as a quick fix, check for an update again (may take a minute) and when you get an invalid checksum error let it reinstall.

View attachment 53568

Update offered. Reinstalled and same error when querying policy

 

[Ranger802004]

Update offered. Reinstalled and same error when querying policy

Did you get a checksum error?

 

[Ranger802004]

Update offered. Reinstalled and same error when querying policy

Also restart the domain_vpn_routing in your current session after update so it reloads the new code.

 

[privacyguy123]

Did you get a checksum error?

Yes. I can't even find the double }} anywhere in the code to be honest

 

[privacyguy123]

Also restart the domain_vpn_routing in your current session after update so it reloads the new code.

Had to use option 9 to kill - perhaps could be automated.

 

[Ranger802004]

Had to use option 9 to kill - perhaps could be automated.

Update will do this after the update completes except for the same process performing the update, so if you were in the menu you need to Ctrl + C out and reload it.

 

[privacyguy123]

Excellent - keep up the good work!

 

[Ranger802004]

Excellent - keep up the good work!

FYI You can check the RP FIlter status under System Information in the config menu.

 

[privacyguy123]

Opening via amtm vr is now saying:

 

[Ranger802004]

Opening via amtm vr is now saying:

View attachment 53571

I just tested this and it's working fine, did you uninstall and try to load that option?

 

[privacyguy123]

I just tested this and it's working fine, did you uninstall and try to load that option?

No uninstall, just updated a couple of times and used that kill option to sort out the previous bug.

There's chat over here on patching amtm to handle the vr command differently, I didn't think it needed changed at all.

amtm - amtm 4.0 - the Asuswrt-Merlin Terminal Menu, released October 09 2023

Even I can‘t wait for 5.0 to see the light and get that burden off of me :mad: There are major changes to the code - so profound that this amtm 4.0 release seems like a minor update. just code changes, or are there things we should think about and prepare for, functionality- and option-wise...

www.snbforums.com