What's new

Domain-based VPN Routing Script

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Ok try adding this IP Rule:
Code:
ip rule add from 192.168.1.3 to 103.86.96.100 table ovpnc3

If that works, add this to a startup script somewhere so it will add every time a service restart or reboot occurs.
Code:
if [ -z "$(ip rule list from 192.168.1.3 to 103.86.96.100 table ovpnc3)" ] >/dev/null;then
   ip rule add from 192.168.1.3 to 103.86.96.100 table ovpnc3
fi
If it doesn't work, how do I remove it ? And do I need to run this after enabling vpn director routing
since my network would go down, thought I would clarify this first :)
 
If it doesn't work, how do I remove it ? And do I need to run this after enableing vpn director routing
Yes, I am using the IP Rule because you have VPN Director enabled for that interface currently so leave that the same.

To delete:
Code:
ip rule del from 192.168.1.3 to 103.86.96.100 table ovpnc3
 
Yes, I am using the IP Rule because you have VPN Director enabled for that interface currently so leave that the same.

To delete:
Code:
ip rule del from 192.168.1.3 to 103.86.96.100 table ovpnc3
wow! it worked.

Now 2 things,
1. I am running vpnmon r2, so the vpn will keep switching, so can we do anything to reroute the same according to the currently running VPN
2. can I add this code to "services-start"


Edit:

it looks like only cached sites are resolving
 
wow! it worked.

Now 2 things,
1. I am running vpnmon r2, so the vpn will keep switching, so can we do anything to reroute the same according to the currently running VPN
2. can I add this code to "services-start"


Edit:

it looks like only cached sites are resolving
Is there some kind of variable or setting that can be used to monitor the "active" VPN you need? I'd recommend adding to wan-event or firewall-start maybe.
 
Is there some kind of variable or setting that can be used to monitor the "active" VPN you need? I'd recommend adding to wan-event or firewall-start maybe.
1656696811357.png


I tv'ed into the Raspi and inside it all sites work
 

Attachments

  • 1656696785019.png
    1656696785019.png
    54.8 KB · Views: 97
wow! it worked.

Now 2 things,
1. I am running vpnmon r2, so the vpn will keep switching, so can we do anything to reroute the same according to the currently running VPN
2. can I add this code to "services-start"


Edit:

it looks like only cached sites are resolving
Allow it time to continue querying the domains to collect all of the resolvable addresses, also sometimes you may have to add subdomains as well to a policy.

Does your VPN Tunnel have IPV6 enabled?
 
Allow it time to continue querying the domains to collect all of the resolvable addresses, also sometimes you may have to add subdomains as well to a policy.

Does your VPN Tunnel have IPV6 enabled?
I think so, it's not disabled in custom configuration
 

Attachments

  • 1656697242114.png
    1656697242114.png
    98.8 KB · Views: 104
Allow it time to continue querying the domains to collect all of the resolvable addresses, also sometimes you may have to add subdomains as well to a policy.

Does your VPN Tunnel have IPV6 enabled?
The website resolves inside the pi but not outside

I don't have ip6 enabled in pihole and unbound
 
The website resolves inside the pi but not outside

I don't have ip6 enabled in pihole and unbound
That may be something going on within the pihole set up? Double check your set up.
 
That may be something going on within the pihole set up? Double check your set up.

Everything looks fine, I tried switching up the interface but no good,
could this have anything to do with unbound ?

Screenshot 2022-07-01 233016.jpg
 
v1.2-beta Release: To use the beta use the following command to replace your production version of the script.
Code:
/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing_v1.2-beta.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh

To revert back to production release:
Code:
/jffs/scripts/domain_vpn_routing.sh update

To use new functions:
Use parameter "deleteip" for new Delete IP Function. Example: /jffs/scripts/domain_vpn_routing.sh deleteip 192.168.1.1
To configure new Private IP Address exclusion/inclusion setting for a policy, use the Edit Policy parameter "editpolicy". ***NOTE: Default behavior will include Private IPs***

Release Notes:
v1.2-beta
- Added Delete IP Function, this is to delete IPs not desired to be routed by the script. ***This will not prevent the IP from being queried again***
- Created routingdirector function to handle all functions determination of creating routes for queried IPs.
- Added configuration option for including or excluding Private IP Addresses per Policy.
 
Last edited:
Hi @Ranger802004 you do great things here. Many Thanks.

Can you extend the functionality of your script by adding ASNs as a policy routing parameter (in parallel to the domains)

For ASN to IP conversion I use regular https://github.com/ipverse/asn-ip

You may give a thought about it.

Thanks!
 
Thanks for your feedback @Ranger802004

Another, maybe more easier (interims) option might be, if external files e.g. /tmp/mnt/usbstick/ipv4-aggregated.txt can be included to an specific policy route.

Code:
170.10.143.0/24
170.10.222.0/24
170.176.240.0/21
172.102.8.0/21
172.110.32.0/21
172.217.0.0/16
172.253.0.0/16
173.194.0.0/16
173.255.112.0/20
176.126.58.0/24
179.61.76.0/24
223.29.216.0/22

That would be an idea as the automatically generated file has about 300 networks in the list.
 
Hello. The task is this: there are two tunnels tun 11 and tun12. The traffic of a local network device with the address 192.168.1.33 via VPN Director goes completely through tun12, but for example the site google.com I need to let through tun11. The question is whether the traffic of the 192.168.1.33 c device will be your script to google.com go through tun11 or will continue to go through tun12?

Does your script work according to the VPN Director principle?

VPN Director allows you to direct LAN traffic through specific OpenVPN tunnels.
  • OpenVPN clients set to redirect all traffic have the highest priority
  • WAN rules will have priority over OpenVPN rules
  • OpenVPN 1 rules have higher priority than OpenVPN 5 rules
  • Rules can be individually enabled or disabled by clicking on the first column
 
Hello. The task is this: there are two tunnels tun 11 and tun12. The traffic of a local network device with the address 192.168.1.33 via VPN Director goes completely through tun12, but for example the site google.com I need to let through tun11. The question is whether the traffic of the 192.168.1.33 c device will be your script to google.com go through tun11 or will continue to go through tun12?

Does your script work according to the VPN Director principle?

VPN Director allows you to direct LAN traffic through specific OpenVPN tunnels.
  • OpenVPN clients set to redirect all traffic have the highest priority
  • WAN rules will have priority over OpenVPN rules
  • OpenVPN 1 rules have higher priority than OpenVPN 5 rules
  • Rules can be individually enabled or disabled by clicking on the first column
I am going to retool some of the backend of this tool after I finish working on WAN Failover script and getting the latest update to full release but test it out and give me some feedback if you have time, please?
 
I am going to retool some of the backend of this tool after I finish working on WAN Failover script and getting the latest update to full release but test it out and give me some feedback if you have time, please?
What exactly to test Domain-based VPN Routing or Dual WAN Failover?
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top