Domain-based VPN Routing Script

[Ranger802004]

What exactly to test Domain-based VPN Routing or Dual WAN Failover?

Domain-based VPN Routing, your testing on WAN Failover has been great and I think the script is now ready for a production update.

 

[lbtboy]

Domain-based VPN Routing, your testing on WAN Failover has been great and I think the script is now ready for a production update.

Tested, does not work according to the principle of VPN Director (higher-level rule). Traffic for the desired site also goes through a VPN where a local device is added via tun12. Well then I will use VPN Director by recognizing IP by domain name and adding one by one or ranges

 

[Ranger802004]

Tested, does not work according to the principle of VPN Director (higher-level rule). Traffic for the desired site also goes through a VPN where a local device is added via tun12. Well then I will use VPN Director by recognizing IP by domain name and adding one by one or ranges

Alright, thank you for testing this! Once I’m finished with v1.5.5 for WAN Failover I will begin improving this tool.

 

[JAX1337]

What was the issue?

It had to do with the way I was using pihole's DNS
basically, it was supposed to work like Router > Pihole > VPN Director > Nord VPN
but since I had configured the DNS in DHCP server, it was going like Router >Pihole > Router in a loop
and my router was literally hitting pihole with, 10000+ queries per sec with no DNS resolution when I tried to do policy routing in VPN DIrector

so what I did was

Added Pihole DNS  to DHCP server on both fields

Added Pihole DNS to Wan (for DOT purposes only)

Set DNS Filter to router

Modified Unbound DNS config to use stubby for DNSSEC

Added a DNS Filter entry for Pihole and set it to no filtering

Added VPN director entry

And everything seem to work flawlessly now, checked DNSSEC as well everything looks secure.

 

[Ranger802004]

I will begin revising this script later this week for a beta.

 

[Ranger802004]

v1.3-beta Release: To use the beta use the following command to replace your production version of the script.

/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing_v1.3-beta.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh

To revert back to production release:

/jffs/scripts/domain_vpn_routing.sh update

To use new functions:
Use parameter "deleteip" for new Delete IP Function. Example: /jffs/scripts/domain_vpn_routing.sh deleteip 192.168.1.1
To configure new Private IP Address exclusion/inclusion setting for a policy, use the Edit Policy parameter "editpolicy". ***NOTE: Default behavior will include Private IPs***

Release Notes:
v1.3-beta
- Added Delete IP Function, this is to delete IPs not desired to be routed by the script. ***This will not prevent the IP from being queried again***
- Created routingdirector function to handle all functions determination of creating routes / IP rules for queried IPs.
- Added configuration option for including or excluding Private IP Addresses per Policy.
- If VPN Director is enabled for an OpenVPN Interface, IP Rules will be created for queried IPv4 Addresses.
- Corrected spelling error for "adddomain" in script menu.
- Decreased Cron Job frequency to every 15 minutes.

 

[lbtboy]

v1.3-beta Release: To use the beta use the following command to replace your production version of the script.

/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing_v1.3-beta.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh

To revert back to production release:

/jffs/scripts/domain_vpn_routing.sh update

To use new functions:
Use parameter "deleteip" for new Delete IP Function. Example: /jffs/scripts/domain_vpn_routing.sh deleteip 192.168.1.1
To configure new Private IP Address exclusion/inclusion setting for a policy, use the Edit Policy parameter "editpolicy". ***NOTE: Default behavior will include Private IPs***

Release Notes:
v1.3-beta
- Added Delete IP Function, this is to delete IPs not desired to be routed by the script. ***This will not prevent the IP from being queried again***
- Created routingdirector function to handle all functions determination of creating routes / IP rules for queried IPs.
- Added configuration option for including or excluding Private IP Addresses per Policy.
- If VPN Director is enabled for an OpenVPN Interface, IP Rules will be created for queried IPv4 Addresses.
- Corrected spelling error for "adddomain" in script menu.
- Decreased Cron Job frequency to every 15 minutes.

It now works perfectly according to the VPN Director principle (a higher-level rule) if two VPN tunnels are used. Even if the device is completely instructed to go through one tunnel, but at the same time it is necessary for a certain site to go through another in beta 1.3 this works. Great job, keep it up.

 

[ugandy]

thanks for the script! working well on my router.
are the rules supposed to show on the router gui vpn director page?

 

[Ranger802004]

thanks for the script! working well on my router.
are the rules supposed to show on the router gui vpn director page?

Negative, it doesn’t utilize the vpn director but it shares concept. You can view policies you created using the showpolicy command, review the readme for full instructions.

 

[ugandy]

Negative, it doesn’t utilize the vpn director but it shares concept. You can view policies you created using the showpolicy command, review the readme for full instructions.

thanks.
what is the "Private IP" option? i didn't see it covered on the readme notes

 

[Ranger802004]

thanks.
what is the "Private IP" option? i didn't see it covered on the readme notes

That is because it only exists in the beta release at this time but it keeps a policy from querying Private IP addresses

 

[Ranger802004]

v1.3 has been published, refer to original post for updating and release notes!

@ugandy readme has been updated as well.

 

[VIper_Rus]

v1.3 has been published, refer to original post for updating and release notes!

@ugandy readme has been updated as well.

Is it possible to make it so that you can configure how often Cron Job frequency?

 

[Ranger802004]

Is it possible to make it so that you can configure how often Cron Job frequency?

I have considered doing this but had more important issues to resolve first so possibly down the road.

 

[VIper_Rus]

Another question.
Found an addon, scMerlin.
https://www.snbforums.com/threads/s...-script-control-menu-for-asuswrt-merlin.67481 /

So, when you install it, it appears in the web interface in the addons section. Maybe it will be possible in the future to make your addons (this and dual wan) also appear in the web interface so that they can be configured and see statistics? It would be very convenient

 

[lbtboy]

@Ranger802004 It would be nice to add WAN by analogy with VPN Director. Then it would be absolutely fine.

 

[Ranger802004]

@Ranger802004 It would be nice to add WAN by analogy with VPN Director. Then it would be absolutely fine.

Are you saying the options to route to specific WAN interfaces?

 

[lbtboy]

Are you saying the options to route to specific WAN interfaces?

I speak simply and directly by analogy with VPN Director as in the screenshot. And how it works, I honestly don't know, separately WAN0 and WAN1 or only WAN0. I think VPN Director works on the principle of an active WAN.

 

[Ranger802004]

I speak simply and directly by analogy with VPN Director as in the screenshot. And how it works, I honestly don't know, separately WAN0 and WAN1 or only WAN0. I think VPN Director works on the principle of an active WAN.

Yea I get the purpose, if you are redirecting all traffic over VPN but want to make exceptions, I'll look into it on a later iteration. I'm sure I can make it happen.

 

[lbtboy]

Yea I get the purpose, if you are redirecting all traffic over VPN but want to make exceptions, I'll look into it on a later iteration. I'm sure I can make it happen.

Yes. As you did last time with a VPN about what I asked. For example, all traffic for the device 192.168.1.33 goes through ovpn2, but traffic for the google,com site needs to be sent through ovpn1 (you've done this, it works fine), and traffic for the site www.amazon.com we need to let it through the wan. That's how you need it and it will be a complete analogy of VPN Director, but according to domain names, I think there will be an ideal script.