Domain-based VPN Routing Script


This is exactly what I was looking for. I also vastly prefer not having to log in to the console every time I want to make any router changes, lol; I would LOVE it if there were a GUI for this. Has @Jack Yaz seen this yet? He's the resident (beloved ;) ) GUI arteest. (I didn't read through all 8 pages.)
Unfortunately my skills are not vast in the Web GUI side of the house.
 
I am having weird behavior. I suspect that the web content is region locked but served through a CDN, e.g. CloudFront.
The IP collected without the VPN belongs to my home region, and after adding the domain, it initially routes through the VPN but is redirected back to the home-region IP and thus is blocked again.
The traceroute looks something like this when visiting a Japanese domain:

1 10.33.27.33 (10.33.27.33) 59.319 ms 59.228 ms 59.084 ms <-- vpn interface
2 45.250.255.2 (45.250.255.2) 60.535 ms 59.967 ms 45.250.255.3 (45.250.255.3) 60.303 ms <--- vpn IP address (Japan)
3 10.10.200.4 (10.10.200.4) 86.286 ms 10.10.200.6 (10.10.200.6) 61.062 ms 60.235 ms
4 * 10.10.200.2 (10.10.200.2) 60.419 ms *
5 be3000.ccr71.tyo01.atlas.cogentco.com (154.54.89.185) 61.565 ms * 61.066 ms <-- still in Japan
6 be3011.ccr21.hkg02.atlas.cogentco.com (154.54.89.202) 113.724 ms 113.092 ms be3000.ccr71.tyo01.atlas.cogentco.com (154.54.89.185) 61.204 ms <-- back to Hong Kong (home region)
7 be3011.ccr21.hkg02.atlas.cogentco.com (154.54.89.202) 113.731 ms be2414.rcr51.hkg01.atlas.cogentco.com (154.54.88.50) 115.241 ms 116.352 ms
8 amazon.demarc.cogentco.com (154.18.7.2) 118.965 ms 112.754 ms be2414.rcr51.hkg01.atlas.cogentco.com (154.54.88.50) 116.961 ms
9 54.240.241.36 (54.240.241.36) 114.123 ms * *
10 54.240.241.72 (54.240.241.72) 110.968 ms 54.240.241.48 (54.240.241.48) 119.142 ms 54.240.241.101 (54.240.241.101) 115.543 ms
11 52.93.156.191 (52.93.156.191) 111.574 ms 54.240.241.33 (54.240.241.33) 114.614 ms 54.240.241.239 (54.240.241.239) 114.923 ms
12 52.93.35.140 (52.93.35.140) 115.603 ms 52.93.35.60 (52.93.35.60) 117.228 ms 52.93.35.144 (52.93.35.144) 112.731 ms
 
Sounds like you may want to make a DNSMasq rule to specify which IP is queried for the specific hostname you are trying to access so it doesn't go to your home region.
 
I am thinking that domain_vpn_routing.sh querypolicy all, which collects the IP addresses, should be querying through the corresponding VPN. Then the CDN would return the VPN region's IP instead of the local one.
 
That would be determined by your DNS configuration and how your router resolves addresses. The issue you are having is a DNS resolution issue that needs to be resolved in your DNSMasq rules. You need to assign a custom DNS server for the problem domain.
 
@Ranger802004 Question. Is there any way to automate this when changing VPN tunnels? I'm using VPNMngr, and when I change VPN the tun # naturally changes and produces an error when running query all. All 5 VPNs are set up; the initial setup routes through tun11, so when VPN Client 1 stops and VPN Client 2 launches, it changes to tun12 and there is an error in the logs.

GT-AX11000-25C0 domain_vpn_routing.sh: Query Policy - ***Error*** Unable to add route for xxxx:xxxx:xxxx:xxxx:x:xxxx:xxx:xxxx dev tun11

Hope to explain properly.
 
When this happens does the device for client 1 actually change from tun11 to tun12 in your example?
 
Yes, all devices behind VPN use tun12, so tunnel is up and working fine. I will double check tracert to said domains and will get back to you.
 
I don’t have an automated way for this right now but what you can do is go to edit policy and change the interface and it should recreate all of the routes on the new interface.
 
Manual... sure. It sucks :( Let me share some thoughts... the script calls upon the domain_vpn_routing.conf file, and I see that the policy and tun are "hard coded", if you will, in that file.
router|/jffs/configs/domain_vpn_routing/policy_router_domainlist|/jffs/configs/domain_vpn_routing/policy_router_domaintoIP|tun11|VERBOSELOGGING=1|PRIVATEIPS=0

Wondering if tun11 could be changed to a variable that reads the current tunXX instead in the default.vpn_conf file?

OR, OpenVPN allows scripts to run after tun up/down... thoughts?

One could create multiple domain_vpn_routing.conf files, 1 for each VPN interface, each executed after tun up from its own .ovpn config file.

client1:
up /jffs/scripts/domain_based_routing.sh -conf domain_vpn_routing.conf1.conf

client2:
up /jffs/scripts/domain_based_routing.sh -conf domain_vpn_routing.conf2.conf

client3:
up /jffs/scripts/domain_based_routing.sh -conf domain_vpn_routing.conf3.conf

default_vpn_conf1.conf would have: router|/jffs/configs/domain_vpn_routing/policy_router_domainlist|/jffs/configs/domain_vpn_routing/policy_router_domaintoIP|tun11|VERBOSELOGGING=1|PRIVATEIPS=0

default_vpn_conf2.conf would have: router|/jffs/configs/domain_vpn_routing/policy_router_domainlist|/jffs/configs/domain_vpn_routing/policy_router_domaintoIP|tun12|VERBOSELOGGING=1|PRIVATEIPS=0

default_vpn_conf3.conf would have: router|/jffs/configs/domain_vpn_routing/policy_router_domainlist|/jffs/configs/domain_vpn_routing/policy_router_domaintoIP|tun13|VERBOSELOGGING=1|PRIVATEIPS=0


Catch my drift? I'm no coder, so I would not know how to modify your script.
Thank you for your patience with the annoyance.


--script-security level [method]
This directive offers policy-level control over OpenVPN’s usage
of external programs and scripts. Lower level values are more
restrictive, higher values are more permissive. Settings for
level:

0 -- Strictly no calling of external programs.
1 -- (Default) Only call built-in executables such as ifconfig,
ip, route, or netsh.
2 -- Allow calling of built-in executables and user-defined
scripts.

3 -- Allow passwords to be passed to scripts via environmental
variables (potentially unsafe).
--up cmd
Shell command to run after successful TUN/TAP device open (pre
--user UID change). The up script is useful for specifying
route commands which route IP traffic destined for private
subnets which exist at the other end of the VPN connection into
the tunnel.
Script Order of Execution
--up Executed after TCP/UDP socket bind and TUN/TAP open.
--down Executed after TCP/UDP and TUN/TAP close.
 
Do you have any issue with CPU load when using this script?
My AC5300 occasionally has CPU usage go up to 1000%, and ping times go up to a few seconds, or there is no response at all. I have only one config, routing about 10 domains to a single VPN client connection.
 
It seems that entries are appended every time it runs updates, regardless of whether it is the same entry, so the routing entries duplicate a lot over time.
 
I plan on overhauling this script when I'm done working on my WAN Failover script, so keep the suggestions coming and I will use them. I'm aware of this particular one and already plan on cleaning it up.
 
Is it possible to use this script to force specific domains to only use the WAN? For example, nearly all my traffic goes through a VPN, but I would like to exclude *.zoom.us from using the VPN. If I use VPN Director, I must add all IP addresses here to the WAN routing. Using one wildcard DNS would be much easier to work with.
 
It looks like this might have just been added recently.

Release Notes:
v1.4 - 03/13/2023
Enhancements:
- General optimization
- Added the ability to select WAN0 or WAN1 interfaces for a policy
- Added Alias as domain_vpn_routing (For initial load on terminals open during upgrade, execute ". /jffs/configs/profile.add" to load new alias)
- Query Policy Mode is run at low priority
 
I ran into two issues:
  1. Wildcard domains are not supported by nslookup. (screenshot attached)
  2. I got an error when I added the base domain. (screenshot attached)
I have the following in policy_Zoom_domaintoIP: (screenshot attached)

I don't understand how to edit this file properly. It seems that I could add everything in this list, but I want to make sure of the proper formatting if there are multiple IPs for a single domain. Do I use one per line, or comma-separate them?

Example:
Is this correct: zoom.us>>3.7.35.0/25,3.21.137.128/25, etc.
Or is this correct:
zoom.us>>3.7.35.0/25
zoom.us>>3.21.137.128/25
zoom.us>>etc.?
 
Yes, no wildcards supported and one IP per line.
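The domaintoIP format confirmed above (one domain>>address per line) and the duplicate-route build-up reported earlier in the thread can be handled together in a small helper. This is an added example, not code from domain_vpn_routing.sh; it assumes the file format shown in this thread, that routes are installed as "ip route ... dev tunXX" as the error log suggests, and takes the tunnel interface as an argument so a tunnel change does not require editing the file.

```shell
#!/bin/sh
# Added example: turn a policy_*_domaintoIP file into idempotent route commands.
# "ip route replace" instead of "ip route add" means re-running the query policy
# cannot stack duplicate routes for the same prefix.

# Constructed sample file: the zoom.us entries from the thread plus a duplicate,
# an IPv6 documentation prefix, and a malformed line that must be skipped.
make_sample() {
  cat > "$1" <<'EOF'
zoom.us>>3.7.35.0/25
zoom.us>>3.21.137.128/25
zoom.us>>3.7.35.0/25
zoom.us>>2001:db8::/32
zoom.us>>not-an-address
EOF
}

# route_cmds FILE IFACE: print one route command per unique, well-formed address.
# IPv4 (optionally with /prefix) and IPv6 (contains a colon) are accepted; anything
# else is ignored, and seen[] drops repeats so the output is the same on every run.
route_cmds() {
  awk -F'>>' -v dev="$2" '
    NF == 2 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ && !seen[$2]++ {
      print "ip route replace " $2 " dev " dev; next }
    NF == 2 && $2 ~ /:/ && $2 ~ /^[0-9A-Fa-f:]+(\/[0-9]+)?$/ && !seen[$2]++ {
      print "ip -6 route replace " $2 " dev " dev }
  ' "$1"
}

# Dry run on the router (assumed path from this thread):
#   route_cmds /jffs/configs/domain_vpn_routing/policy_Zoom_domaintoIP tun12
# Pipe the output to sh to apply it; a later tunnel change only needs a new argument.
```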
 
Hi all, hope this is OK...
My use case is that I have an RT-AC86U running Merlin.

I have an OpenVPN client set up, and all traffic goes out through the VPN.

When attempting to go to a sports streaming site, KayoSports, I'm blocked because they don't allow VPNs, even when I'm connected to an Australian server while I'm in Australia.

What I'm trying to find out is: will this script work for me? I'd like to somehow whitelist all traffic going to KayoSports domain names so it goes directly to the WAN.
 
Create a policy and target your WAN interface for that policy.
 
