Domain-based VPN Routing Script

[JAX1337]

Ok try adding this IP Rule:

ip rule add from 192.168.1.3 to 103.86.96.100 table ovpnc3

If that works, add this to a startup script somewhere so it will add every time a service restart or reboot occurs.

if [ -z "$(ip rule list from 192.168.1.3 to 103.86.96.100 table ovpnc3)" ] >/dev/null;then
   ip rule add from 192.168.1.3 to 103.86.96.100 table ovpnc3
fi

If it doesn't work, how do I remove it ? And do I need to run this after enabling vpn director routing
since my network would go down, thought I would clarify this first

 

[Ranger802004]

If it doesn't work, how do I remove it ? And do I need to run this after enableing vpn director routing

Yes, I am using the IP Rule because you have VPN Director enabled for that interface currently so leave that the same.

To delete:

ip rule del from 192.168.1.3 to 103.86.96.100 table ovpnc3

 

[JAX1337]

Yes, I am using the IP Rule because you have VPN Director enabled for that interface currently so leave that the same.

To delete:

ip rule del from 192.168.1.3 to 103.86.96.100 table ovpnc3

wow! it worked.

Now 2 things,
1. I am running vpnmon r2, so the vpn will keep switching, so can we do anything to reroute the same according to the currently running VPN
2. can I add this code to "services-start"


Edit:

it looks like only cached sites are resolving

 

[Ranger802004]

wow! it worked.

Now 2 things,
1. I am running vpnmon r2, so the vpn will keep switching, so can we do anything to reroute the same according to the currently running VPN
2. can I add this code to "services-start"


Edit:

it looks like only cached sites are resolving

Is there some kind of variable or setting that can be used to monitor the "active" VPN you need? I'd recommend adding to wan-event or firewall-start maybe.

 

[JAX1337]

Is there some kind of variable or setting that can be used to monitor the "active" VPN you need? I'd recommend adding to wan-event or firewall-start maybe.

I tv'ed into the Raspi and inside it all sites work

 

[Ranger802004]

wow! it worked.

Now 2 things,
1. I am running vpnmon r2, so the vpn will keep switching, so can we do anything to reroute the same according to the currently running VPN
2. can I add this code to "services-start"


Edit:

it looks like only cached sites are resolving

Allow it time to continue querying the domains to collect all of the resolvable addresses, also sometimes you may have to add subdomains as well to a policy.

Does your VPN Tunnel have IPV6 enabled?

 

[JAX1337]

Allow it time to continue querying the domains to collect all of the resolvable addresses, also sometimes you may have to add subdomains as well to a policy.

Does your VPN Tunnel have IPV6 enabled?

I think so, it's not disabled in custom configuration

 

[JAX1337]

Allow it time to continue querying the domains to collect all of the resolvable addresses, also sometimes you may have to add subdomains as well to a policy.

Does your VPN Tunnel have IPV6 enabled?

The website resolves inside the pi but not outside

I don't have ip6 enabled in pihole and unbound

 

[Ranger802004]

The website resolves inside the pi but not outside

I don't have ip6 enabled in pihole and unbound

That may be something going on within the pihole set up? Double check your set up.

 

[JAX1337]

That may be something going on within the pihole set up? Double check your set up.

Everything looks fine, I tried switching up the interface but no good,
could this have anything to do with unbound ?

 

[Ranger802004]

Everything looks fine, I tried switching up the interface but no good,
could this have anything to do with unbound ?

View attachment 42351

Possibly (I'm not familiar with Unbound) and maybe DNSSEC as well?

 

[Ranger802004]

v1.2-beta Release: To use the beta use the following command to replace your production version of the script.

/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing_v1.2-beta.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh

To revert back to production release:

/jffs/scripts/domain_vpn_routing.sh update

To use new functions:
Use parameter "deleteip" for new Delete IP Function. Example: /jffs/scripts/domain_vpn_routing.sh deleteip 192.168.1.1
To configure new Private IP Address exclusion/inclusion setting for a policy, use the Edit Policy parameter "editpolicy". ***NOTE: Default behavior will include Private IPs***

Release Notes:
v1.2-beta
- Added Delete IP Function, this is to delete IPs not desired to be routed by the script. ***This will not prevent the IP from being queried again***
- Created routingdirector function to handle all functions determination of creating routes for queried IPs.
- Added configuration option for including or excluding Private IP Addresses per Policy.

 

[Pak Kriss]

Hi @Ranger802004 you do great things here. Many Thanks.

Can you extend the functionality of your script by adding ASNs as a policy routing parameter (in parallel to the domains)

For ASN to IP conversion I use regular https://github.com/ipverse/asn-ip

You may give a thought about it.

Thanks!

 

[Ranger802004]

Hi @Ranger802004 you do great things here. Many Thanks.

Can you extend the functionality of your script by adding ASNs as a policy routing parameter (in parallel to the domains)

For ASN to IP conversion I use regular https://github.com/ipverse/asn-ip

You may give a thought about it.

Thanks!

I will look into this for a later release.

 

[Pak Kriss]

Thanks for your feedback @Ranger802004

Another, maybe more easier (interims) option might be, if external files e.g. /tmp/mnt/usbstick/ipv4-aggregated.txt can be included to an specific policy route.

170.10.143.0/24
170.10.222.0/24
170.176.240.0/21
172.102.8.0/21
172.110.32.0/21
172.217.0.0/16
172.253.0.0/16
173.194.0.0/16
173.255.112.0/20
176.126.58.0/24
179.61.76.0/24
223.29.216.0/22

That would be an idea as the automatically generated file has about 300 networks in the list.

 

[lbtboy]

Hello. The task is this: there are two tunnels tun 11 and tun12. The traffic of a local network device with the address 192.168.1.33 via VPN Director goes completely through tun12, but for example the site google.com I need to let through tun11. The question is whether the traffic of the 192.168.1.33 c device will be your script to google.com go through tun11 or will continue to go through tun12?

Does your script work according to the VPN Director principle?

VPN Director allows you to direct LAN traffic through specific OpenVPN tunnels.

• OpenVPN clients set to redirect all traffic have the highest priority
• WAN rules will have priority over OpenVPN rules
• OpenVPN 1 rules have higher priority than OpenVPN 5 rules
• Rules can be individually enabled or disabled by clicking on the first column

 

[JAX1337]

Possibly (I'm not familiar with Unbound) and maybe DNSSEC as well?

I figured it out. All is well now!
Took some serious brainstorming

 

[Ranger802004]

Hello. The task is this: there are two tunnels tun 11 and tun12. The traffic of a local network device with the address 192.168.1.33 via VPN Director goes completely through tun12, but for example the site google.com I need to let through tun11. The question is whether the traffic of the 192.168.1.33 c device will be your script to google.com go through tun11 or will continue to go through tun12?

Does your script work according to the VPN Director principle?

VPN Director allows you to direct LAN traffic through specific OpenVPN tunnels.

• OpenVPN clients set to redirect all traffic have the highest priority
• WAN rules will have priority over OpenVPN rules
• OpenVPN 1 rules have higher priority than OpenVPN 5 rules
• Rules can be individually enabled or disabled by clicking on the first column

I am going to retool some of the backend of this tool after I finish working on WAN Failover script and getting the latest update to full release but test it out and give me some feedback if you have time, please?

 

[Ranger802004]

I figured it out. All is well now!
Took some serious brainstorming

What was the issue?

 

[lbtboy]

I am going to retool some of the backend of this tool after I finish working on WAN Failover script and getting the latest update to full release but test it out and give me some feedback if you have time, please?

What exactly to test Domain-based VPN Routing or Dual WAN Failover?