Domain-based VPN Routing Script


v1.4-beta1 Release: To use the beta, use the following command to replace your production version of the script.
Code:
/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing_v1.4-beta1.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh

To revert back to production release:
Code:
/jffs/scripts/domain_vpn_routing.sh update

Release Notes:
v1.4-beta1
Enhancements:
- General optimization
- Added the ability to select WAN0 or WAN1 interfaces for a policy
- Added Alias as domain_vpn_routing (For initial load on terminals open during upgrade, execute ". /jffs/configs/profile.add" to load new alias)
 
Hello,

First, thanks for this script...

Secondly, I followed the instructions, but I am not having success... Hulu, Sling, etc. are detecting the VPN... Can anyone help me solve this issue?

I have Nord VPN; when it is used with VPN Director (exclusive) and a device like Apple TV, those streaming services work with no problem.

Any help would be appreciated...
 
Try getting the underlying domains/addresses for the service and adding those to your policy. You’ll need things like CDN networks routed as well not just the base domain for the service.
 
Can you point me to a guide, so I can learn how to get the domains/addresses, etc.? I am a novice in this stuff... Any help will be appreciated...
 
Hey @Ranger802004
I've built something very similar myself and found a limitation that I think your excellent script also suffers from and so I thought I would share.

Basically, it stems from the limitation of using nslookup to get a list of IPs from a domain name. Some big sites (like netflix.com) use DNS-level load balancing and so nslookup WILL return a different set of IPs within minutes or even seconds.

Here's an example using the command copied directly from your script:
Code:
nslookup netflix.com | awk '(NR>2) && /^Address/ {print $3}' | sort
18.200.8.190
2a05:d018:76c:b683:e1fe:9fbf:c403:57f1
2a05:d018:76c:b684:b233:ac1f:be1f:7
2a05:d018:76c:b685:c898:aa3a:42c7:9d21
54.155.246.232
54.73.148.110

nslookup netflix.com | awk '(NR>2) && /^Address/ {print $3}' | sort
2a05:d018:76c:b683:e1fe:9fbf:c403:57f1
2a05:d018:76c:b684:b233:ac1f:be1f:7
2a05:d018:76c:b685:c898:aa3a:42c7:9d21
3.251.50.149
54.155.178.5
54.74.73.31
The command was executed twice, only a few seconds apart in this case. You can see that nslookup has returned different results in each case.

This issue has some pretty big implications since the IPs in the policy are extremely unlikely to be the same as the ones currently in use by LAN clients (depending on TTLs). I personally can't think of any way around this issue and so have concluded that my script (and I suspect yours too) is only useful for rules where the domain has a small set of IPs that don't change very often.

If you want to see my effort (not quite as slick as yours) you can find it here: https://github.com/kabadisha/host-based-vpn-routing

Charlie
 
I was aware of that issue from the beginning and that's why the policies build a permanent list of queried IPs for retention and building the IP rules with them. Over time it collects all of the IP addresses and begins to resolve that problem. That is the purpose of my cron job to continue to query and collect addresses. I have personal use cases this applies to and it works perfectly.
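Charlie's two lookups above and the author's reply describe the same mechanism from both sides: a single nslookup answer is only a snapshot, so the policy has to retain every address it has ever seen and keep querying. The script below is an added example written for this thread, not code from the domain_vpn_routing script or from Charlie's repository. It parses BusyBox-style nslookup output with the same awk filter quoted in the thread (assumed "Address N: <ip>" layout), merges each run's answers into a retained per-policy list without dropping earlier ones, separates IPv4 from IPv6, and prints (rather than applies) the ip rules those addresses would produce. The two sample answers are constructed from the outputs quoted above; the routing table name ovpnc1 is an assumption.

```shell
#!/bin/sh
# Added example, not code from the domain_vpn_routing script: accumulate the
# addresses a domain resolves to across repeated lookups into a retained
# per-policy list, the way a cron-driven collector would, so that DNS
# load balancing (different answers seconds apart) does not leave LAN
# clients on addresses the policy has never seen. Runs offline on
# constructed nslookup output; nothing touches the routing table.

# Extract one IP per line from BusyBox-style nslookup output ("Address N: <ip>").
# Same awk filter as the command quoted in the thread; assumes that format.
parse_nslookup() {
    awk '(NR>2) && /^Address/ {print $3}' | sort -u
}

# Merge freshly resolved IPs (stdin = nslookup output) into the retained list
# file $1, never dropping an address already learned. Prints how many were new.
merge_resolved() {
    listfile="$1"
    [ -f "$listfile" ] || : > "$listfile"
    tmp="${listfile}.new"
    parse_nslookup | awk -v list="$listfile" '
        BEGIN { while ((getline line < list) > 0) seen[line] = 1 }
        !($0 in seen) { print; seen[$0] = 1 }' > "$tmp"
    added=$(awk 'END { print NR }' "$tmp")
    cat "$tmp" >> "$listfile"
    rm -f "$tmp"
    echo "$added"
}

# Count IPv4 (family 4) or IPv6 (family 6) entries in list file $1; an IPv6
# address is recognised by the presence of ':'.
count_family() {
    awk -v fam="$2" '
        (fam == 6 && index($0, ":") > 0) || (fam == 4 && index($0, ":") == 0) { n++ }
        END { print n + 0 }' "$1"
}

# Dry run: print the ip rule each retained address in $1 would produce for
# routing table $2 (assumed OpenVPN client table name). Review before applying.
build_rules() {
    while IFS= read -r ip; do
        case "$ip" in
            *:*) echo "ip -6 rule add to $ip lookup $2" ;;
            *)   echo "ip -4 rule add to $ip lookup $2" ;;
        esac
    done < "$1"
}

# Constructed nslookup output reproducing the two answers quoted in the thread
# (BusyBox header lines added so the NR>2 filter applies as on the router).
LOOKUP_1='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      netflix.com
Address 1: 18.200.8.190
Address 2: 2a05:d018:76c:b683:e1fe:9fbf:c403:57f1
Address 3: 2a05:d018:76c:b684:b233:ac1f:be1f:7
Address 4: 2a05:d018:76c:b685:c898:aa3a:42c7:9d21
Address 5: 54.155.246.232
Address 6: 54.73.148.110'

LOOKUP_2='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      netflix.com
Address 1: 2a05:d018:76c:b683:e1fe:9fbf:c403:57f1
Address 2: 2a05:d018:76c:b684:b233:ac1f:be1f:7
Address 3: 2a05:d018:76c:b685:c898:aa3a:42c7:9d21
Address 4: 3.251.50.149
Address 5: 54.155.178.5
Address 6: 54.74.73.31'

# Stand-alone demo: two "cron runs" against a temporary list file.
demo_list=$(mktemp)
echo "run 1 added: $(printf '%s\n' "$LOOKUP_1" | merge_resolved "$demo_list")"
echo "run 2 added: $(printf '%s\n' "$LOOKUP_2" | merge_resolved "$demo_list")"
echo "retained: $(count_family "$demo_list" 4) IPv4, $(count_family "$demo_list" 6) IPv6"
build_rules "$demo_list" ovpnc1
rm -f "$demo_list"
```

The second run adds only the three new IPv4 addresses, because the three IPv6 ones were already retained, and the list ends up with nine entries from answers that individually never contained more than six. That is also why the list only grows: without a TTL or aging step, the count the author quotes (1400+ addresses for about 30 domains) is the expected outcome, and the trade-off is a larger rule set rather than a client landing on an address the policy has never seen.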
 
Ah, that makes sense. Apologies, I couldn't follow the whole flow of your approach from reading the code for only an hour or so, so wasn't sure how you were handling the IPs once collected.

I considered doing something similar, but since my approach creates VPN Director rules, I have a hard limit on number of IPs supported and even if I didn't it would get pretty ungainly very quickly.

How many IPs are you collecting after some time? I would imagine the list could get really rather large quite quickly...
Does your script ever disassociate an IP from a domain once it has been captured? Do you have a TTL or anything like that?
 
I think one of my policies that has about 30 domains has collected 1400+ IPs but that is IPv6 and IPv4. No TTL I’m just building IP policy rules directly.
 
Can you point me to a guide, so i can learn how to get the domains/adresses, etc? I am a novice in these stuff...Any help will be appreciated...
You can install the browser add-on for Chrome called IPvFoo and connect to your streaming service and start streaming and it will show all of the web domains being used at that given moment.
 
Done, in this case for YouTube, I should add all domains I see in the screenshot, right?
 
Attachment: Captura de ecrã 2022-09-04, às 10.06.56.png (screenshot)
So after playing around with the dual WAN script, I thought to try this one. All seems to work. But DNS is leaking as far as I can tell. If I add something like dnsleaktest to the site I get different DNS servers.
So am I being an idiot or do you guys see the same?
 
Done, in this case for Youtube, i should add all domains i see in the screenshot, right?
Not necessarily all of them, some of those are for ads so not necessary.
 
So after playing around with the dual WAN script, I thought to try this one. All seems to work. But DNS is leaking as far as I can tell. If I add something like dnsleaktest to the site I get different DNS servers.
So am I being an idiot or do you guys see the same?
Depending on the service you may have to allow time for the script to query all of the IPs to be rerouted.
 
I hope so, but I don't think so; if you tell it to use the domain IP so it should use VPN XX, then it should use its DNS as well, right?
Ah wait, I think I know what you are saying, you may need to set up some DNSMasq rules for those domains to use a specific DNS Server and then create a route/IP Rule for that DNS Server to go over your VPN.
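The two-part fix described in this reply (point the policy's domains at a resolver reachable through the VPN, then route that resolver over the VPN) can be generated from the same one-domain-per-line list the script keeps. The script below is an added example written for this thread, not part of the domain_vpn_routing script; it validates each domain before emitting a dnsmasq "server=/domain/resolver" directive, because one malformed line in dnsmasq's configuration stops dnsmasq from starting, and prints the ip rule for the resolver itself. The resolver address 10.8.0.1, the table name ovpnc1 and the domain list are constructed values; nothing is written to the router's configuration.

```shell
#!/bin/sh
# Added example, not the script's own code: turn a policy's domain list into
# dnsmasq 'server=' directives that send DNS queries for those domains to a
# resolver reachable through the VPN, plus the ip rule that steers traffic to
# that resolver into the VPN's routing table. Everything is printed for review;
# the resolver address, table name and domain list below are constructed.

# Accept only syntactically valid hostnames: one malformed line in the dnsmasq
# configuration stops dnsmasq from starting, which takes LAN DNS down.
valid_domain() {
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Print one 'server=/<domain>/<resolver>' line per valid domain in list file $1,
# with resolver $2; blank lines and '#' comments are ignored, invalid lines are
# reported on stderr and skipped.
dnsmasq_server_lines() {
    while IFS= read -r d; do
        # strip CR and leading/trailing whitespace
        d=$(printf '%s' "$d" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$d" in ''|\#*) continue ;; esac
        if valid_domain "$d"; then
            echo "server=/$d/$2"
        else
            echo "skipping invalid domain: $d" >&2
        fi
    done < "$1"
}

# The resolver itself must be sent into the VPN table, otherwise the query
# still leaves via the WAN and the leak test shows the ISP's servers.
resolver_rule() {
    case "$1" in
        *:*) echo "ip -6 rule add to $1 lookup $2" ;;
        *)   echo "ip -4 rule add to $1 lookup $2" ;;
    esac
}

# Constructed domain list in the one-domain-per-line layout the thread describes.
DOMAINS=$(mktemp)
cat > "$DOMAINS" <<'EOF'
# streaming policy
hulu.com
sling.com
not a domain
EOF

# Constructed values: the VPN provider's resolver and the OpenVPN client table.
dnsmasq_server_lines "$DOMAINS" 10.8.0.1
resolver_rule 10.8.0.1 ovpnc1
rm -f "$DOMAINS"
```

On Asuswrt-Merlin the directive lines belong in /jffs/configs/dnsmasq.conf.add followed by a dnsmasq restart (service restart_dnsmasq); that path and command are the firmware's documented custom-config convention, not something the thread states. The rule for the resolver can then be managed like any other policy address, and a second run of dnsleaktest from a client that uses the policy's domains should show only the VPN-side resolver.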
 
Quick question, would this work with the astrill vpn applet?
Negative, it only works with OpenVPN and WAN interfaces at this time.
 
Is it possible to use a file containing a domain list, one per line, for this script instead of entering them one by one?

Edit: manually editing policy_{name}_domainlist file works
 
I see you answered this already, yea there's a generated domain list file you can manually edit and it's called out in the readme for doing so.
 
