Domain-based VPN Routing Script

I would only add the domains specific to sainsburysbank.co.uk (including the root domain, which you are missing); I wouldn't add amazonaws.com domains, google domains, etc.
Sorry, done bashing my head tonight.

Script non-functional with some sort of combination of addons/firmware WireGuard - IMHO, on my side at least. But I have no idea what I'm talking about.
 
***v2.1.2-beta1 Release***
Enhancements:
- The wgclient-start start-up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.

Fixes:
- Fixed integration with WireGuard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.
 
Hi @Ranger802004

Thanks again, one last question about the following:

- DNSMasq log is now utilized if enabled to query for domain records to route. The log path will be captured from the DNSMasq Configuration

Does it mean it does automatically? Capture the records and add them to an existing policy?

Thanks,
 
***v2.1.2-beta1 Release***
Enhancements:
- The wgclient-start start-up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.

Fixes:
- Fixed integration with WireGuard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.
Installed this update this morning hoping for something different - unfortunately I am effectively blocked out completely from any domains I add to this script. I can't understand why and don't know where to look.

If I were to hazard a guess it'd be because of how Adguard Home addon "takes over" for dnsmasq. Please advise.

EDIT: script now frozen and spamming in log - I leave my WGC1 DNS blank as it overwrites what Adguard is doing. Specifying router as DNS server seems to fix this.
Oct 11 10:09:27 RT-AX58U-5468 domain_vpn_routing: Debug - failed to set WGC1DNS
Oct 11 10:09:28 RT-AX58U-5468 domain_vpn_routing: Debug - failed to set WGC1DNS
Oct 11 10:09:30 RT-AX58U-5468 domain_vpn_routing: Debug - failed to set WGC1DNS
Oct 11 10:09:31 RT-AX58U-5468 domain_vpn_routing: Debug - failed to set WGC1DNS
 
Fix found from this writeup: https://github.com/ZebMcKayhan/WireguardManager#managesetup-ipsets-for-policy-based-routing
The final thing we can do in wgm is to disable the rp_filter for the WAN interface. Whenever we use IPSET to force packets to a different route we will need to disable this.
"Reverse path filter" is a very simple protection that many nowadays consider obsolete. Whenever a packet comes in on, i.e., WAN, it will swap Destination and Source and run it through the routing table to see if a reply to this packet would be routed out the same way. It understands most rules, but it will not understand that some packets will receive a mark and be routed differently. So in this case we need to disable the rp_filter on WAN, otherwise answers from WAN will not be accepted. There are 3 values for rp_filter: 0 means "Disabled", 1 means "Enabled, strict", 2 means "Enabled, loose". Loose means that it does not check routing explicitly, but will accept if there is any route back via this interface. 2 is sufficient for us.
Somewhere in the code you need to add this for WireGuard to work properly at least.
echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter
replace "eth0" with whatever your WAN interface is called.
 
***v2.1.2-beta3***
Enhancements:
- The wgclient-start start-up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.
- The WAN Reverse Path Filter will now be set to loose filtering if enabled and FWMarks are being used for a policy.

Fixes:
- Fixed integration with WireGuard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.
- Fixed an issue that caused Domain VPN Routing to be stuck in a loop if a WireGuard Client DNS Option was null.
- Fixed integration issues with amtm.
 
***v2.1.2-beta2***
Enhancements:
- The wgclient-start start-up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.
- The WAN Reverse Path Filter will now be set to loose filtering if enabled and FWMarks are being used for a policy.

Fixes:
- Fixed integration with WireGuard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.
- Fixed an issue that caused Domain VPN Routing to be stuck in a loop if a WireGuard Client DNS Option was null.
New update broke other stuff

Error: argument "0x8000}" is wrong: fwmark value is invalid
Error: argument "0x8000}" is wrong: fwmark value is invalid
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPv4 Rule for Interface: wan using FWMark: 0x8000}/0xf000
Error: argument "0x8000}" is wrong: fwmark value is invalid
iptables v1.4.15: MARK: trailing garbage after value for option "--set-xmark".
Try `iptables -h' or 'iptables --help' for more information.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables OUTPUT rule for IPSET: DomainVPNRouting-1-ipv4 FWMark: 0x8000}
iptables v1.4.15: MARK: trailing garbage after value for option "--set-xmark".
Try `iptables -h' or 'iptables --help' for more information.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables PREROUTING rule for IPSET: DomainVPNRouting-1-ipv4 FWMark: 0x8000}
iptables v1.4.15: MARK: trailing garbage after value for option "--set-xmark".
Try `iptables -h' or 'iptables --help' for more information.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables rule for IPSET: DomainVPNRouting-1-ipv4 Interface: eth4 FWMark: 0x8000}
Error: argument "0x8000}" is wrong: fwmark value is invalid
Error: argument "0x8000}" is wrong: fwmark value is invalid
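As an added example (not code from Domain VPN Routing or WireguardManager), this ties together the rp_filter note earlier in the thread and the malformed-FWMark errors just above: a POSIX sh helper that rejects a mark such as `0x8000}` before it can reach `ip rule` or `iptables --set-xmark`, and relaxes the WAN reverse path filter from strict (1) to loose (2) only when a well-formed mark is actually in use. `SYSCTL_ROOT` is an assumed override of `/proc/sys/net/ipv4/conf` so the logic can be exercised against a scratch directory; the WAN interface name (eth0 in the quoted writeup) is whatever your router uses.

```shell
#!/bin/sh
# Added example, not part of the Domain VPN Routing script.
# SYSCTL_ROOT is an assumed override so the functions can be run against a
# scratch directory instead of the live /proc tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4/conf}"

# valid_fwmark MARK[/MASK]: accept only hex mark (optionally /hex mask), e.g.
# 0x8000 or 0x8000/0xf000. Anything with trailing characters, such as the
# "0x8000}" from the errors above, is rejected before any rule is built.
valid_fwmark() {
  printf '%s\n' "$1" | grep -Eq '^0x[0-9a-fA-F]{1,8}(/0x[0-9a-fA-F]{1,8})?$'
}

# rp_filter_name VALUE: meaning of the three kernel rp_filter settings.
rp_filter_name() {
  case "$1" in
    0) echo "disabled" ;;
    1) echo "strict" ;;
    2) echo "loose" ;;
    *) echo "unknown" ;;
  esac
}

# relax_wan_rp_filter WANIF FWMARK: when a well-formed FWMark policy is in use,
# move rp_filter on WANIF from strict (1) to loose (2) so replies to marked,
# policy-routed traffic are still accepted. Disabled (0) is left alone, since it
# already accepts them; loose (2) is left alone as already correct.
# Returns 0 when the filter ends up loose or disabled, 1 otherwise.
relax_wan_rp_filter() {
  wanif="$1"; mark="$2"
  knob="$SYSCTL_ROOT/$wanif/rp_filter"
  if ! valid_fwmark "$mark"; then
    echo "refusing to touch rp_filter: invalid FWMark '$mark'" >&2
    return 1
  fi
  [ -r "$knob" ] || { echo "no rp_filter knob for interface $wanif" >&2; return 1; }
  current=$(cat "$knob")
  case "$current" in
    1) echo 2 > "$knob"; echo "rp_filter on $wanif: strict -> loose" ;;
    0|2) echo "rp_filter on $wanif already $(rp_filter_name "$current")" ;;
    *) echo "unexpected rp_filter value '$current' on $wanif" >&2; return 1 ;;
  esac
}

# Usage on the router (interface name varies per model):
#   relax_wan_rp_filter eth0 0x8000/0xf000
```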
 
New update broke other stuff
I fixed this as a quick fix, check for an update again (may take a minute) and when you get an invalid checksum error let it reinstall.

 
Update offered. Reinstalled and same error when querying policy
Also restart the domain_vpn_routing in your current session after update so it reloads the new code.
 
Had to use option 9 to kill - perhaps could be automated. :)
Update will do this after the update completes except for the same process performing the update, so if you were in the menu you need to Ctrl + C out and reload it.
 
I just tested this and it's working fine, did you uninstall and try to load that option?
No uninstall, just updated a couple of times and used that kill option to sort out the previous bug.

There's chat over here on patching amtm to handle the vr command differently; I didn't think it needed changing at all.
