Domain-based VPN Routing Script

So there is currently in beta 5
That’s because you are using Dual WAN, WAN0 will stay mapped to WAN0, vice versa for WAN1, and WAN would stay mapped to your active WAN.
 
Hi! I've been watching your work for some months, awaiting WG support; thank you for adding it. Now the question is, how to add a bunch of IPs (a lot) to a route policy without a domain, because in my country the government is blocking access to sites and services via IP. And the most serious problem is with CDNs.
I have not added this functionality, as this can be achieved with the built-in VPN Director.
 
It would indeed be good to add an ipset feature to your script.
I thought about it, but since ipset is for iptables and creating firewall / mangle rules, it would add more complications that don't necessarily affect routing. The only use case for this would be to have the ipset get flagged with an fwmark by mangle rules and then have that fwmark routed via ip rules, but as of now the script is just creating rules directly in ip rules, so I don't see a huge advantage in implementing ipsets. I use ipsets for other personal use cases, but that is for firewall rules.
Yes, but with the current iteration of the script I can't seem to get streaming services such as Netflix or Peacock to bypass the VPN. With x3mrouting all I have to do is create a rule using dnsmasq and it starts adding IPs to it based on just peacocktv.com or netflix.com. I originally thought I could do that with this script, but it doesn't seem to work =(
I did some digging into this script and I see how it works, grabbing the IPs it needs, and that works. But I also see some disadvantages, which I'm not going to dive into, other than that this tool does not require turning on dnsmasq logging, which may not be desired by everyone. I can look into adding some optional enhancements to utilize that if it is available, but for now I would suggest researching the service you are trying to route: you can use the IPFoo browser extension to figure out all of the domains you need to add to your policy, and then allow the tool to run for a while collecting all of the necessary IP addresses to properly route the service over the desired interface.
I've tried that. I let it run for like 2 days and still the same thing that was working on x3mrouting wasn't working with this script! I even tried adding additional domains; the VPN was still detected and not bypassed.
What service are you specifically trying to route? What domains have you added so far for it? You can DM if preferred.
 
I’ve tried to route directv on an osprey box. The domains needed are att.com,att.net,att.tv,dtvce.com,imrworldwide.com,footprint.net,akamaized.net,llnwi.net,bugsnag.com,rollout.io,ueiwsp.com,newrelic.com,braze.com,omtrdc.net -- those are the same domains I use in x3mrouting and it works fine !
Ok, again, with this you'll need to do some more investigative work on figuring out which subdomains these services use, like CDN network domains etc., and also add those to your policy. I will research for a later release to see if I can help alleviate that somewhat by utilizing dnsmasq logging if it is enabled.
 
This is absolutely amazing and deals with an issue I've just figured out I had now.
Just a quick question though:

What about domains with rotating IPs? How are they handled?
It will continue to query the domains for new IPs and add them to the policy files to be routed.
 
Hello, I have written a domain-based VPN routing script. This is a beta release and will need testers and feedback! Please try this out and let me know of any issues or suggestions you find, thank you very much! All of the instructions are in the readme file!

Readme - https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/readme.txt

Script - https://raw.githubusercontent.com/R...main/domain_vpn_routing/domain_vpn_routing.sh

Install Command:
Code:
/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh && sh /jffs/scripts/domain_vpn_routing.sh install

Release Notes:
v1.4 - 03/13/2023
Enhancements:
- General optimization
- Added the ability to select WAN0 or WAN1 interfaces for a policy
- Added Alias as domain_vpn_routing (For initial load on terminals open during upgrade, execute ". /jffs/configs/profile.add" to load new alias)

Fixes:
- Corrected issue where WAN Interface wouldn't show up if not using Dual WAN Mode

***v2.0.0-beta5 Release****
This is the release information regarding v2.0.0-beta5, please read the notes carefully prior to installing.

Considerations ***READ CAREFULLY***:
- Due to the configuration differences between v1.x and v2.x.x there are configuration changes made during the upgrade that will not allow the script to automatically be reverted back to v1.x, a back up of the original configuration is created under /jffs/configs/domain_vpn_routing/domain_vpn_routing.conf-<Datestamp>.bak and would have to be restored to be used if Domain VPN Routing is reverted back to v1.x.
- Domain VPN Routing will now use interface friendly names instead of actual interface names. Example: tun11 will be replaced by ovpnc1, eth0 will be replaced by wan0
- There is an option to select "wan" when using Dual WAN mode, this will essentially keep the domain routing tied to the primary WAN at any given time as opposed to wan0 / wan1 keeping the traffic bound to the specific interface.
- A new global configuration will be created during the upgrade, by default Dev Mode is Disabled during the creation. To enable you can use the new SSH UI Menu to enable in the Global Configuration Menu.
- Domain VPN Routing will now be called by wan-event script in addition to openvpn-event.

Readme - https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/readme-beta.txt

Script - https://raw.githubusercontent.com/R...domain_vpn_routing/domain_vpn_routing-beta.sh

Install Command:
Code:
/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing-beta.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh && sh /jffs/scripts/domain_vpn_routing.sh install

Upgrade from v1.x Command:
Code:
/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing-beta.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh && sh /jffs/scripts/domain_vpn_routing.sh

SSH UI Menu Example:
View attachment 49655

Release Notes:
v2.0.0-beta5 - 06/04/2023
Enhancements:
- SSH UI
- Interfaces will now list the friendly name of the interface instead of the tunnel / physical interface name.
- Querying policies will take low CPU priority automatically.
- Cron Jobs will now be added to wan-event.
- NVRAM Checks have been integrated to prevent lock ups.
- Domain VPN Routing will now be called from wan-event in addition to openvpn-event.
- Global Configuration Menu.
- Developer Mode available for testing beta releases.
- Enhanced update function.
- If the IPV6 Service is disabled, IPV6 IP Addresses will not be queried or added to policies. In addition, existing IPv6 IP Addresses in policy files will be removed for optimization.
- Added WireGuard VPN Clients for support
- Changed dark blue text prompts to light cyan for easier reading.
- NVRAM variables are now synchronized with error checking during initial load of Domain VPN Routing in order to reduce nvram calls and reduce potential failures during operation.
- General optimization.

Fixes:
- Visual errors when domain fails to perform DNS lookup.
- Visual bugs when Query Policy was executing domain queries.
- Fixed bug introduced in an earlier beta for deleting old routes when the WAN interface was selected.
- False positive errors stating IP routes failed to create.
- Fixed issue with Edit Policy Mode erroring out due to unset parameters.
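The install and upgrade commands above fetch the script straight from GitHub and run it as root on the router. The example below is added here and is not part of the thread or of the Domain VPN Routing project: it installs the same file only when its SHA-256 matches a hash you recorded after reading the script yourself. The thread publishes no checksum, so EXPECTED is a placeholder you fill in; URL and DEST are the values from the beta install command, and `-f`/`-S` are standard curl flags (fail on HTTP errors rather than saving an error page, and still report errors while silent).

```shell
#!/bin/sh
# Added example (not the project's own installer): pin the downloaded script
# to a SHA-256 you recorded after reviewing it, then run its installer.
URL="https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing-beta.sh"
DEST="/jffs/scripts/domain_vpn_routing.sh"
EXPECTED="${EXPECTED:-}"   # placeholder: sha256 of the version you reviewed

# sha256_of FILE: print only the hex digest. busybox and coreutils sha256sum
# both print "<hash>  <file>", so the first field is the digest on either.
sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# check_hash FILE EXPECTED: 0 on match; on mismatch print both digests and fail.
check_hash() {
  got=$(sha256_of "$1")
  [ "$got" = "$2" ] && return 0
  printf 'hash mismatch for %s\n  got      %s\n  expected %s\n' "$1" "$got" "$2" >&2
  return 1
}

# install_verified: download to a temp file, verify, and only then move it
# into place and run the script's own "install" action.
install_verified() {
  [ -n "$EXPECTED" ] || { echo "set EXPECTED to the sha256 of the reviewed script first" >&2; return 2; }
  tmp=$(mktemp /tmp/dvr.XXXXXX) || return 1
  curl -fsSL "$URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
  check_hash "$tmp" "$EXPECTED" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$DEST" && chmod 755 "$DEST" && sh "$DEST" install
}
```

Usage: read the script once, run `sha256sum` on it, export that digest as EXPECTED, then call `install_verified`. When the author ships a new version the hash check fails by design; re-read the diff, record the new digest, and run it again. This does not make the script trustworthy, it only guarantees that what runs as root is the file you looked at.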
Hi Ranger. Just installed and I am getting an Error when running #8
domain_vpn_routing: Query Policy - ***Error*** Unable to add IP Rule for 142.251.37.78 table wgc2 priority 7000

Also, how do I test it to see that it’s working? Thx
A lot of these are false positives in the current version, I’m working on a fix.
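The answer earlier in the thread about rotating IPs (the script keeps re-querying the domains and adding any new addresses) and the "Unable to add IP Rule for 142.251.37.78 table wgc2 priority 7000" errors just above both come down to the same loop: resolve, compare with what is installed, add only what is missing. The script below is an added example, not Domain VPN Routing's own code, showing that loop in a form that is safe to re-run from cron. It assumes `ip rule show` output of the form `7000:  from all to 142.251.37.78 lookup wgc2` (iproute2 and busybox both print "lookup") and either GNU or busybox `nslookup` output; the table name wgc2 and priority 7000 are taken from the error message in the thread, and the rule-exists cause of the false positives is an assumption, not something the author confirmed.

```shell
#!/bin/sh
# Added example (not the Domain VPN Routing script): keep "to <ip> table <t>"
# policy rules in sync with what DNS currently returns for a domain, adding a
# rule only when an identical one is not already installed.
TABLE="${TABLE:-wgc2}"        # assumed table name (wgc2 appears in the thread)
PRIORITY="${PRIORITY:-7000}"  # assumed rule priority (7000 appears in the thread)
DRY_RUN="${DRY_RUN:-1}"       # 1: print the commands, 0: execute them

# parse_ips: read nslookup output on stdin, emit unique IPv4 answers.
# Lines before the first "Name:" describe the resolver itself and are skipped;
# "Address:" (GNU) and "Address 1:" (busybox) are both accepted; IPv6 is dropped.
parse_ips() {
  awk '/^Name:/ { seen = 1; next }
       seen && /^Address/ { sub(/^Address[ 0-9]*:[ \t]*/, ""); print $1 }' |
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u
}

# rule_present IP LISTING: succeed if LISTING (the text of "ip rule show")
# already contains exactly the rule this script would add for IP.
rule_present() {
  ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  printf '%s\n' "$2" |
    grep -qE "^$PRIORITY:[[:space:]]+from all to $ip_re[[:space:]]+lookup $TABLE([[:space:]]|$)"
}

# plan_rules IPS LISTING: print one "ip rule add" per IP not yet present.
# After DNS rotates, only the new answers are added; the old ones are not
# re-added, so the kernel never answers "File exists" for them.
plan_rules() {
  printf '%s\n' "$1" | while read -r ip; do
    [ -n "$ip" ] || continue
    if rule_present "$ip" "$2"; then continue; fi
    printf 'ip rule add from all to %s table %s priority %s\n' "$ip" "$TABLE" "$PRIORITY"
  done
}

# sync_domain DOMAIN: resolve it now and install whatever rules are missing.
# Idempotent, so it can run from cron every few minutes.
sync_domain() {
  ips=$(nslookup "$1" 2>/dev/null | parse_ips)
  existing=$(ip rule show 2>/dev/null)
  plan_rules "$ips" "$existing" | while read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then
      printf '%s\n' "$cmd"
    else
      eval "$cmd" || echo "failed: $cmd" >&2
    fi
  done
}
```

Usage on the router: `DRY_RUN=1 sh sync.sh` style first (`sync_domain youtube.com` prints the rules it would add), then `DRY_RUN=0` once the output looks right. Two things the loop does not do, by design: it never deletes rules for addresses a domain stopped returning (stale entries are harmless for routing but accumulate, so prune them separately), and it routes only the addresses that resolve from the router, which is exactly why CDN-fronted services need every hostname the client actually contacts in the policy.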
Understood. However, for the time being, how do I know if I am up and running?
I made a routing policy for YouTube.com to go through my WireGuard, and it doesn't seem like it does anything. Thx
That's what I noticed. If you want that type of bypass I would recommend x3mrouting, though it doesn't work with WireGuard. Plus it seems to be dead, meaning out of active development =(
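The "how do I know if I am up and running" question above has a kernel-level answer that does not depend on the script's own log messages: `ip route get <ip>` performs the same policy-rule and table lookup a forwarded packet would, and prints the device it chose. The check below is an added example, not part of the script or the thread. It assumes iproute2/busybox output such as `142.251.37.78 dev wgc2 table wgc2 src 10.6.0.2 uid 0` (a `table` word appears only when a policy rule redirected the lookup away from the main table) and that you pass in the interface name the policy should use, e.g. wgc2 from the error message earlier in the thread.

```shell
#!/bin/sh
# Added example (not the Domain VPN Routing script): confirm that the IPs a
# policy is supposed to steer really egress via the VPN interface.

# parse_route_dev: read "ip route get" output on stdin, print the egress device.
parse_route_dev() {
  awk 'NR == 1 { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# parse_route_table: print the table the lookup ended in; "main" when no
# policy rule matched, which is what an un-routed IP looks like.
parse_route_table() {
  awk 'NR == 1 { t = "main"; for (i = 1; i < NF; i++) if ($i == "table") t = $(i + 1); print t }'
}

# route_matches ROUTE_TEXT WANT_DEV: 0 if the lookup chose WANT_DEV.
route_matches() {
  [ "$(printf '%s\n' "$1" | parse_route_dev)" = "$2" ]
}

# verify_ip IP WANT_DEV: query the kernel and report; 1 on a leak or lookup error.
verify_ip() {
  out=$(ip route get "$1" 2>&1) || { echo "$1: lookup failed: $out"; return 1; }
  if route_matches "$out" "$2"; then
    echo "$1: ok via $2 (table $(printf '%s\n' "$out" | parse_route_table))"
  else
    echo "$1: NOT via $2: dev=$(printf '%s\n' "$out" | parse_route_dev) table=$(printf '%s\n' "$out" | parse_route_table)"
    return 1
  fi
}

# verify_ips WANT_DEV IP...: check a whole list, e.g. the addresses from the
# script's policy file or from nslookup. One miss is enough to fail, because a
# client that lands on that one address connects outside the VPN.
verify_ips() {
  want=$1; shift; rc=0
  for ip in "$@"; do verify_ip "$ip" "$want" || rc=1; done
  return $rc
}
```

Usage: `verify_ips wgc2 142.251.37.78 142.250.200.14` on the router. Because the rules the script creates are "from all to <ip>", the router's own lookup is representative of a LAN client's; if every address reports "ok via wgc2" yet the service still detects the VPN, the missing piece is a hostname that was never resolved into the policy, not the rule mechanism.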