DomainVPNRouting Domain VPN Routing Question

Hello,

Please help me figure out why when using the rule in VPN Director, all traffic including routing domain goes via VPN on the specified interface. At the same time, on other devices with other IPs, the specified domain vpn routing policy also works, although it should not.

Configuration.

=================

Rule in VPN Director:
Enable - true
Description - Test
Local IP - 192.168.1.202
Remote IP - blank
Iface - OVPN2

OpenVPN Client Settings:
Accept DNS Configuration - Exclusive
Redirect internet traffic through tunnel - VPN Director (policy rules)

# Domain VPN Routing for ASUS Routers using Merlin Firmware v386.7 or newer
# Author: Ranger802004 - https://github.com/Ranger802004/asusmerlin/
# Date: 02/26/2024
# Version: v2.1.3


Select the Policy You Want to View: 3

Policy Name: Test
Interface: ovpnc2
Verbose Logging: Disabled
Private IP Addresses: Disabled
Domains:
ip.me

=================

Testing.

Current results:
From device with IP 192.168.1.202:

ip.me - VPN (Amsterdam)
other domains - VPN (Amsterdam)

From other devices:
ip.me - VPN (Amsterdam)
other domains - without VPN

Expected results:

From device with IP 192.168.1.202:

ip.me - VPN (Amsterdam)
other domains - without VPN

From other devices:
ip.me - without VPN
other domains - without VPN

Thank you for the help.
 
As far as I understand, your results show that everything works as intended. What you expect does not correspond to the functionality of the Domain VPN Routing script. Domain VPN Routing filters by domains before the traffic enters the VPN interface. If the device traffic is sent directly to the VPN interface using a rule in the VPN Director, then Domain VPN Routing will no longer be able to affect it.
 
@Kyjiep,
Thank you very much for the explanation.
From the beginning I didn't catch how Domain VPN Routing works.
I missed that Domain VPN Routing filters by domains before the traffic enters the interface.
It seemed to me that filtering should happen after the traffic enters the interface.
Thanks for your time, I really appreciate it.
 
If you are using Domain VPN Routing, the purpose is to capture the traffic from the domains in your policies to redirect them to the configured interface(s). "Filtering" probably isn't the best word here, but it's essentially just creating domain-based policy routing and creating the routing logic to perform that function.
 
@Ranger802004,
Now it's much clearer, I'll keep that in mind.
Thanks a lot.
 
@Kyjiep, @Ranger802004,

Sorry for another stupid question.
I can't understand why some domains are not resolved by Domain VPN Routing. Possibly the problem is in DNS, but I don't understand how to fix it. Could you please give me more information about this?

Steps:
(1) I create Domain VPN Routing policy (KinoPub) with domain (kino.pub), (2) send traffic to vpn interface, (3) manually query policy.
Results:
Domain VPN Routing can't detect new IP address for policy.
Additional info: initially kino.pub domain is not available via wan interface.

Domain VPN Routing policy:
Policy Name: KinoPub
Interface: ovpnc2
Verbose Logging: Disabled
Private IP Addresses: Disabled
Domains:
kino.pub

OpenVPN Client Settings:
Accept DNS Configuration - Exclusive
Redirect internet traffic through tunnel - VPN Director (policy rules)

Thank you in advance.
 
Make sure you get all of the domains for that particular website (Use IpFoo browser add on to help). Allow time for the policy to run and query the domains to capture all possible IPs for it.
 
IpFoo showed only one domain for the needed site (kino.pub). I waited long enough but nothing happened automatically.
I found a workaround - manually add the following strings to the configs:
1) /jffs/configs/domain_vpn_routing/policy_KinoPub-ipv4.ipset
add DomainVPNRouting-KinoPub-ipv4 5.188.189.95 comment "kino.pub"
2) /jffs/configs/domain_vpn_routing/policy_KinoPub_domaintoIP
kino.pub>>5.188.189.95

After that everything worked as it should.
However, I still don't understand why the IP address wasn't added automatically.
@Ranger802004, thanks for your time.
 
Do you have issues with DNS queries in general? What happens if you do an nslookup of that domain from CLI of your router?
 
@Ranger802004 ,

It looks like you're right, my provider's DNS doesn't resolve the domain name kino.pub.

admin@RT-AC86U-7D68:/tmp/home/root# nslookup kino.pub
Server: 212.1.224.6
Address 1: 212.1.224.6 dns1

nslookup: can't resolve 'kino.pub'

If I specify a DNS server, for example Google, the address will be determined correctly.

admin@RT-AC86U-7D68:/tmp/home/root# nslookup kino.pub 8.8.8.8
Server: 8.8.8.8
Address 1: 8.8.8.8 dns.google

Name: kino.pub
Address 1: 5.188.189.95

It seems like it would be great if you could add DNS server selection functionality (use provider DNS, or specify manually) in one of the next releases of Domain VPN Routing. :)

Thanks again.
 
Open up a GitHub issue as a feature request.
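
Added example (not part of any post in this thread, and not code from the Domain VPN Routing project): a shell sketch that parses BusyBox-style `nslookup` output like the two sessions quoted above and prints entries in the two file formats shown in the manual workaround, returning failure when the chosen resolver gives no answer. The function names `answers_from_nslookup` and `policy_entries` are hypothetical, and the script only prints lines; it does not write to the policy files.

```shell
#!/bin/sh
# Added example, not part of Domain VPN Routing. Function names are hypothetical.

# Sample inputs: the two nslookup sessions quoted in the thread.
SAMPLE_OK='Server: 8.8.8.8
Address 1: 8.8.8.8 dns.google

Name: kino.pub
Address 1: 5.188.189.95'

SAMPLE_FAIL="Server: 212.1.224.6
Address 1: 212.1.224.6 dns1

nslookup: can't resolve 'kino.pub'"

# Read BusyBox-style nslookup output on stdin, print one IPv4 answer per line.
# "Address" lines above "Name:" describe the resolver itself and are skipped.
answers_from_nslookup() {
    awk '
        /^Name:/ { in_answer = 1; next }
        in_answer && /^Address/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; break }
        }'
}

# policy_entries MODE POLICY DOMAIN NSLOOKUP_OUTPUT
#   MODE=ipset -> lines in the format of policy_<POLICY>-ipv4.ipset
#   MODE=map   -> lines in the format of policy_<POLICY>_domaintoIP
# Returns 1 (and prints nothing on stdout) when the resolver gave no answer.
policy_entries() {
    ips=$(printf '%s\n' "$4" | answers_from_nslookup)
    [ -n "$ips" ] || { echo "no answer for $3 from this resolver" >&2; return 1; }
    for ip in $ips; do
        case $1 in
            ipset) printf 'add DomainVPNRouting-%s-ipv4 %s comment "%s"\n' "$2" "$ip" "$3" ;;
            map)   printf '%s>>%s\n' "$3" "$ip" ;;
        esac
    done
}

policy_entries ipset KinoPub kino.pub "$SAMPLE_OK"
policy_entries map   KinoPub kino.pub "$SAMPLE_OK"
policy_entries ipset KinoPub kino.pub "$SAMPLE_FAIL" || echo "provider DNS: nothing to add"
```

On the router, the fourth argument can be live output such as `"$(nslookup kino.pub 8.8.8.8)"`. Addresses pinned by hand are not refreshed, so they need rechecking when the site changes IP.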
 
Hi,
This is a great script. Thank you @Ranger802004 for your work.

Would you guys please help a noob in setting this up for an app on an Android TV?

I am trying to add www.digionline.ro through an OpenVpn client that runs in Romania, but it has a limited functionality for me.
What I have done so far:
1. I have created the rule and added the domain to it - it didn't work at first.
2. Installed IPVFoo in my Chrome browser and this is what I get:
www.digionline.ro
edge70.rcs-rds.ro
s.iw.ro
apis.google.com
fonts.googleapis.com
www.gstatic.com
3. This only works on my computer browser, but not always, as the number after edge.rcs-rds.ro keeps changing and it only works if I add that to the rule.

I think the Android app uses a different set of IP addresses but I don't know how to trace that.
Is there a workaround for this?
If I create a VPN Director rule where I point my Android TV to it, then it works, but I would like to be able to access that content from multiple Android TVs without redirecting the whole device through the VPN.

Hope it makes sense what I was trying to describe above :).

Thank you.
 
Open a GitHub issue please.
 
