What's new

Domain-based VPN Routing Script

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I would only add the domains specific to sainsburysbank.co.uk (including the root domain which you are missing), I wouldn't add amazonaws.com domains and google domains, etc.
Sorry, done bashing my head tonight.

Script non-functional with some sort of combination of addons/firmware WireGuard - IMHO, on my side at least. But I have no idea what I'm talking about.
 
***v2.1.2-beta1 Release***
Enhancements:
- The wgclient-start start up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.

Fixes:
- Fixed integration with Wireguard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.
 
Hi @Ranger802004

Thanks again, one last question about the following:

- DNSMasq log is now utilized if enabled to query for domain records to route. The log path will be captured from the DNSMasq Configuration

Does it mean it does automatically? Capture the records and add them to an existing policy?

Thanks,
 
***v2.1.2-beta1 Release***
Enhancements:
- The wgclient-start start up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.

Fixes:
- Fixed integration with Wireguard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.
Installed this update this morning hoping for something different - unfortunately any domains I add to this script I am effectively blocked out from completely. I can't understand why and don't know where to look.

If I were to hazard a guess it'd be because of how Adguard Home addon "takes over" for dnsmasq. Please advise.

EDIT: script now frozen and spamming in log - I leave my WGC1 DNS blank as it overwrites what Adguard is doing. Specifying router as DNS server seems to fix this.
Oct 11 10:09:27 RT-AX58U-5468 domain_vpn_routing: Debug - failed to set WGC1DNS
Oct 11 10:09:28 RT-AX58U-5468 domain_vpn_routing: Debug - failed to set WGC1DNS
Oct 11 10:09:30 RT-AX58U-5468 domain_vpn_routing: Debug - failed to set WGC1DNS
Oct 11 10:09:31 RT-AX58U-5468 domain_vpn_routing: Debug - failed to set WGC1DNS
 
Last edited:
Fix found from this writeup: https://github.com/ZebMcKayhan/WireguardManager#managesetup-ipsets-for-policy-based-routing
the final thing we can do in wgm is to disable the rp_filter for the WAN interface. whenever we use IPSET to force packets to different route we will need to disable this.
"reverse path filter" is a very simple protection that many now days consider obsolete. whenever a packets comes in on i.e. WAN it will change place on Destination and Source and run it trough the routing table to see if a reply to this packet would be routed out the same way. it understands most rules but it will not understand that some packets will recieve a mark and be routed differently. so in this case we need to disable the rp_filter on WAN, otherwise answers from WAN will not be accepted. there are 3 values for rp_filter. 0 means "Disabled", 1 means "Enabled, strict", 2 means "Enabled loose". loose means that it does not check routing explicitly, but will accept if there are any routing ways back this interface. 2 is sufficient for us.
Somewhere in the code you need to add this for WireGuard to work properly at least.
echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter
replace "eth0" with whatever your WAN interface is called.
 
Last edited:
***v2.1.2-beta3***
Enhancements:
- The wgclient-start start up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.
- The WAN Reverse Path Filter will now be set to loose filtering if enabled and FWMarks are being used for a policy.

Fixes:
- Fixed integration with Wireguard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.
- Fixed an issue that caused Domain VPN Routing to be stuck in a loop if a WireGuard Client DNS Option was null.
- Fixed integration issues with amtm.
 
Last edited:
***v2.1.2-beta2***
Enhancements:
- The wgclient-start start up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.
- The WAN Reverse Path Filter will now be set to loose filtering if enabled and FWMarks are being used for a policy.

Fixes:
- Fixed integration with Wireguard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.
- Fixed an issue that caused Domain VPN Routing to be stuck in a loop if a WireGuard Client DNS Option was null.
New update broke other stuff

Error: argument "0x8000}" is wrong: fwmark value is invalid

Error: argument "0x8000}" is wrong: fwmark value is invalid

domain_vpn_routing: Query Policy - ***Error*** Failed to add IPv4 Rule for Interface: wan using FWMark: 0x8000}/0xf000
Error: argument "0x8000}" is wrong: fwmark value is invalid

iptables v1.4.15: MARK: trailing garbage after value for option "--set-xmark".

Try `iptables -h' or 'iptables --help' for more information.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables OUTPUT rule for IPSET: DomainVPNRouting-1-ipv4 FWMark: 0x8000}
iptables v1.4.15: MARK: trailing garbage after value for option "--set-xmark".

Try `iptables -h' or 'iptables --help' for more information.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables PREROUTING rule for IPSET: DomainVPNRouting-1-ipv4 FWMark: 0x8000}
iptables v1.4.15: MARK: trailing garbage after value for option "--set-xmark".

Try `iptables -h' or 'iptables --help' for more information.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables rule for IPSET: DomainVPNRouting-1-ipv4 Interface: eth4 FWMark: 0x8000}
Error: argument "0x8000}" is wrong: fwmark value is invalid

Error: argument "0x8000}" is wrong: fwmark value is invalid
 
New update broke other stuff
I fixed this as a quick fix, check for an update again (may take a minute) and when you get an invalid checksum error let it reinstall.

1697044549312.png
 
Update offered. Reinstalled and same error when querying policy
Also restart the domain_vpn_routing in your current session after update so it reloads the new code.
 
Had to use option 9 to kill - perhaps could be automated. :)
Update will do this after the update completes except for the same process performing the update, so if you were in the menu you need to Ctrl + C out and reload it.
 
I just tested this and it's working fine, did you uninstall and try to load that option?
No uninstall, just updated a couple of times and used that kill option to sort out the previous bug.

There's chat over here on patching amtm to handle the vr command differently, I didn't think it needed changed at all.

 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top