DomainVPNRouting Domain VPN Routing v3.0.6 ***Release***

***v3.0.6-beta1 has been released***

Release Notes:

Fixes:
- Fixed an issue causing errors during installation when the firewall-start script does not exist and the Firewall Restore setting is disabled.
 
Hello @Ranger802004, I have added AS8075 to route out of WAN all the time, but I keep getting this "Mar 27 12:03:45 domain_vpn_routing: Query ASN - ***Error*** Failed to query ASN: AS8075" Everything seems to work fine as I am now able to login to live email (which previously would not work through VPN). Is there anything I can check? A simple tracert to microsoft.com on a machine that is behind VPN, routes traffic properly through WAN also.
 
I think I finally found the ASNs and domains for all the streaming services that I use which I am able to then enter into this script. The problem I'm having is that I think it takes longer to run all the queries than the time between cron jobs. Could you add a log file that has the total time it takes for the updates to run (similar to what we see when we run a query manually) so that I can figure out what I need to change the cron job to?
 
> I think I finally found the ASNs and domains for all the streaming services that I use which I am able to then enter into this script. The problem I'm having is that I think it takes longer to run all the queries than the time between cron jobs. Could you add a log file that has the total time it takes for the updates to run (similar to what we see when we run a query manually) so that I can figure out what I need to change the cron job to?
The domains should be cached and restore automatically after a reboot or service restart of firewall if enabled. If you are referring to ASNs they are actively queried so larger sets may take longer to process. The UI prompts the time it takes to process but to add a log feature you can submit a request via GitHub and I can take a look.
 
> Hello @Ranger802004, I have added AS8075 to route out of WAN all the time, but I keep getting this "Mar 27 12:03:45 domain_vpn_routing: Query ASN - ***Error*** Failed to query ASN: AS8075" Everything seems to work fine as I am now able to login to live email (which previously would not work through VPN). Is there anything I can check? A simple tracert to microsoft.com on a machine that is behind VPN, routes traffic properly through WAN also.
Submit an issue via GitHub.
 
> The domains should be cached and restore automatically after a reboot or service restart of firewall if enabled. If you are referring to ASNs they are actively queried so larger sets may take longer to process. The UI prompts the time it takes to process but to add a log feature you can submit a request via GitHub and I can take a look.
I'm referring to this (screenshots attached):

I always get this message now because the check interval is set to 15 minutes.

Rather than blindly pick numbers until I find something that works, I would like to see a log (similar to what you see when you can run a manual query) that says how long the queries took. Then, I can adjust (4) in the config to a more appropriate amount of time.
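Until the script grows a timing log, the measurement the poster is asking for can be taken from the outside. The wrapper below is an added example (not code from Domain VPN Routing or from anyone in this thread): it times one cron run, appends a syslog-style line with the elapsed seconds, flags a run that took longer than the cron interval, and reports the longest run seen so far so the interval can be set above it. The log path and the command being timed (`sleep` stands in here) are assumptions; on Asuswrt-Merlin, `cru l` shows the actual command the script's cron entry runs.

```shell
#!/bin/sh
# Added example, not part of Domain VPN Routing: time a policy update run and
# record whether it finished inside the cron interval.
#
# timed_update INTERVAL_SECONDS LOGFILE COMMAND [ARGS...]
#   runs COMMAND, appends one log line, prints the elapsed seconds on stdout
#   and returns COMMAND's exit status. 900 is the 15-minute interval from the thread.
timed_update() {
    interval="$1"; logfile="$2"; shift 2
    start=$(date +%s)
    "$@" && rc=0 || rc=$?          # keep the command's status without tripping set -e
    end=$(date +%s)
    elapsed=$((end - start))
    if [ "$elapsed" -ge "$interval" ]; then
        status="OVERRUN"            # the next cron run would start before this one ended
    else
        status="ok"
    fi
    printf '%s domain_vpn_routing-timer: cmd="%s" elapsed=%ss interval=%ss rc=%s status=%s\n' \
        "$(date '+%b %d %H:%M:%S')" "$*" "$elapsed" "$interval" "$rc" "$status" >> "$logfile"
    echo "$elapsed"
    return "$rc"
}

# overruns LOGFILE: number of logged runs that exceeded the interval
overruns() {
    grep -c 'status=OVERRUN' "$1" 2>/dev/null || true
}

# max_elapsed LOGFILE: the longest run seen, i.e. the floor for a safe cron interval
max_elapsed() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^elapsed=/) {
                sub(/^elapsed=/, "", $i); sub(/s$/, "", $i)
                if ($i + 0 > m) m = $i + 0
            }
    } END { print m + 0 }' "$1"
}

# stand-alone demonstration with a placeholder command (assumed log path)
LOG=/tmp/dvr-timing.log
timed_update 900 "$LOG" sleep 1 >/dev/null
echo "longest run so far: $(max_elapsed "$LOG")s, overruns: $(overruns "$LOG")"
```

Put the real update command in place of `sleep 1`, point `LOG` somewhere that survives a reboot if you want history across restarts, and once `max_elapsed` stabilises, set the script's check interval comfortably above that value rather than guessing.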
 
> I think I finally found the ASNs and domains for all the streaming services that I use which I am able to then enter into this script
May I ask how you went about doing this?
 
> May I ask how you went about doing this?
Mostly, time. I spent a lot of time looking up ASNs and following the dnsmasq.log file.

Here is what I found for what I use:
AS40027   Netflix
AS2906    Netflix
AS23286   Hulu
AS22604   Disney
AS11251   Disney
AS398849  Disney
AS14618   Amazon
AS16509   Amazon

For ASN lookups, I used the following websites: https://bgp.tools/, https://netify.ai, https://asnlookup.com, and https://dnschecker.org/asn-whois-lookup.php.

Here is my streaming domain list (I do have CNAME lookup enabled):
Code:
auth.hulu.com                              
www.hulu.com                                
assetshuluimcom-a.akamaihd.net              
assetshuluimcom-a.akamaihd.net.edgesuite.net
geolocation.onetrust.com                    
a1355.dscd.akamai.net                      
*.hulu.com                                  
emu.hulu.com                                
play.hulu.com                              
player.hulu.com                              
ariel.hulu.com                              
vortex.hulu.com                            
img2.hulu.com                              
home.hulu.com                              
discover.hulu.com                          
img4.hulu.com                              
img3.hulu.com                              
img.hulu.com                                
img1.hulu.com                                
engage.hulu.com                            
dynamic-manifest.hulustream.com            
doppler.hulu.com                            
wildcard-dual.hulu.com.edgekey.net          
views.hulu.com                              
e91869.dsca.akamaiedge.net                  
views.hulu.com.akadns.net                  
views.ava.hulu.com                          
diproton-play-prod-us-east-1.hulu.com.akadns.net
auth.huluipv6.com.akadns.net                  
wildcard.hulu.com.edgekey.net                  
web.hulu.map.fastly.net                        
ariel.hulu.com.akadns.net                      
vortex.hulu.com.akadns.net                    
dualstack.web.hulu.map.fastly.net              
e91869.a.akamaiedge.net
a1355.dscd.akamai.net
wildcard-dual.hulu.com.edgekey.net
e91869.dsca.akamaiedge.net
views.hulu.com.akadns.net
dualstack.web.hulu.map.fastly.net
atv-ps.amazon.com
auth.huluipv6.com.akadns.net
wildcard.hulu.com.edgekey.net
web.hulu.map.fastly.net
ariel.hulu.com.akadns.net
vortex.hulu.com.akadns.net
f4200d648f.na.api.amazonvideo.com
player.hulu.com.akadns.net
d001.na.prod.t300.ter.int.amazonvideo.com
q419zmlyfb4fa0.na.api.amazonvideo.com
m.media-amazon.com
images-na.ssl-images-amazon.com
*.na.api.amazonvideo.com
mtalk.google.com
fastly-weighted.na-f.prod.ter.int.amazonvideo.com
ab5tfw7p9728.na.api.amazonvideo.com
fastly-failover-l1-05.na-f.prod.ter.int.amazonvideo.com
d001.na.prod.t100.ter.int.amazonvideo.com
fastly-failover-l1-14.na-f.prod.ter.int.amazonvideo.com
g6h0n6c3n5.map.fastly.net
fastly-failover-l1-17.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-08.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-03.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-10.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-13.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-18.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-20.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-15.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-19.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-11.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-06.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-04.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-02.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-09.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-16.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-12.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-07.na-f.prod.ter.int.amazonvideo.com
fastly-failover-l1-01.na-f.prod.ter.int.amazonvideo.com

I still need to figure out Peacock next.

EDIT: I also used IPvFoo as a browser extension to help me curate this list and check IPs to see if I could find ASNs for them.
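The dnsmasq.log reading described above is mechanical enough to script. What follows is an added example, not code from the poster or from Domain VPN Routing: with `log-queries` on, dnsmasq logs an answer as consecutive `reply NAME is <CNAME>` lines followed by `reply NAME is ADDRESS`, so a small awk state machine can print, per query, the CNAME chain and the final address, and then list every name a domain policy would need when CNAME lookup is in play. The log lines are constructed for the example (hostnames borrowed from the list above purely as illustration, addresses from documentation ranges); interleaved queries from a busy network would need the parser to key its state by query name, which this version does not do.

```shell
#!/bin/sh
# Added example, not part of Domain VPN Routing: follow lookups in dnsmasq.log
# and print the CNAME chain and address each query resolved to.
# Constructed log lines (not captured traffic), in dnsmasq's log-queries format.
SAMPLE_LOG='Mar 27 12:03:45 dnsmasq[1234]: query[A] play.hulu.com from 192.168.50.20
Mar 27 12:03:45 dnsmasq[1234]: forwarded play.hulu.com to 1.1.1.1
Mar 27 12:03:45 dnsmasq[1234]: reply play.hulu.com is <CNAME>
Mar 27 12:03:45 dnsmasq[1234]: reply wildcard.hulu.com.edgekey.net is <CNAME>
Mar 27 12:03:45 dnsmasq[1234]: reply e91869.dsca.akamaiedge.net is 203.0.113.10
Mar 27 12:03:45 dnsmasq[1234]: reply e91869.dsca.akamaiedge.net is 203.0.113.11
Mar 27 12:03:46 dnsmasq[1234]: query[A] www.example.com from 192.168.50.20
Mar 27 12:03:46 dnsmasq[1234]: cached www.example.com is 198.51.100.5
Mar 27 12:03:47 dnsmasq[1234]: query[A] atv-ps.amazon.com from 192.168.50.31
Mar 27 12:03:47 dnsmasq[1234]: reply atv-ps.amazon.com is 192.0.2.44'

# dns_chain [CLIENT]   (log on stdin; CLIENT omitted = all clients)
# prints: client query chain final_name address   ("-" when there was no CNAME)
dns_chain() {
    awk -v client="$1" '
    /: query\[A+\] / {                 # query[A] or query[AAAA]: start a new chain
        q = $6; c = $8; chain = ""
        want = (client == "" || c == client)
        next
    }
    want && /: (reply|cached) / && $NF == "<CNAME>" {
        if ($6 != q) chain = chain (chain == "" ? "" : ">") $6
        next
    }
    want && /: (reply|cached) / && $NF ~ /^[0-9a-f.:]+$/ {   # an IPv4/IPv6 answer
        print c, q, (chain == "" ? "-" : chain), $6, $NF
    }'
}

# policy_names [CLIENT]: every name seen on the way to an address, deduplicated.
# This is what a domain policy has to cover when a service sits behind CDN CNAMEs.
policy_names() {
    dns_chain "$1" | awk '{
        print $2
        n = split($3, part, ">")
        for (i = 1; i <= n; i++) if (part[i] != "-") print part[i]
        print $4
    }' | sort -u
}

# stand-alone run against the constructed log, for one client
printf '%s\n' "$SAMPLE_LOG" | dns_chain 192.168.50.20
```

Feed it the real file (`dns_chain 192.168.50.20 < /opt/var/log/dnsmasq.log`, or wherever your logging is pointed) while the streaming client plays something, and the `policy_names` output is the candidate domain list; the final names tell you which CDN each service actually lands on, which is the information needed to decide between a domain entry and an ASN entry.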
 
When you enable ASN, do you still need name based routing?

I found it almost impossible to figure out all domain names used by a website, or app.
 
> When you enable ASN, do you still need name based routing?
>
> I found it almost impossible to figure out all domain names used by a website, or app.
If that is directed to me, yes. Many of the URLs used by streaming services are handled by Fastly and I didn't want to allow the entire ASN, just the specific domains/IPs used by the specific streaming services I use.
 
I have a strange issue lately where the script says that one of my OpenVPN clients is down when I can see that it is up. What can I do to troubleshoot why it is returning this message and force the script to update?

[screenshots attached]
 
***v3.0.6 has been released***

Release Notes:

Fixes:
- Fixed an issue causing errors during installation when the firewall-start script does not exist and the Firewall Restore setting is disabled.
 
***v3.1.0-beta1 has been released to the beta channel***

Release Notes:

v3.1.0-beta1 - 04/02/2025
Enhancements:
- Added functionality to cache ASN IP Subnets for faster restoration from reboot or service restart. This can be enabled or disabled via the ASNCACHE configuration option. Default: Disabled
- ASN queries will now check existing IPSets for IP Subnets that are no longer applicable to the ASN and remove them.
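To make the second enhancement concrete, here is an added example of what reconciling an IPSet against a fresh ASN query looks like; it is not the project's code and says nothing about how the script implements the step. The old and new prefix lists are constructed from documentation ranges, the set name is invented, and the `-v6` suffix for the IPv6 set is an assumed naming convention (a `hash:net` set holds one address family). The `ipset` commands are printed rather than executed, so the output can be reviewed before it is piped to `sh`.

```shell
#!/bin/sh
# Added example, not part of Domain VPN Routing: compute which prefixes to delete
# from and add to an IPSet after a new ASN query, without touching the rest.

# contents of the set before the query (constructed)
OLD_SET='203.0.113.0/24
198.51.100.0/25
192.0.2.0/24'

# prefixes returned by the new query (constructed)
NEW_SET='203.0.113.0/24
198.51.100.0/24
192.0.2.0/24
2001:db8::/32'

# normalise so comm(1) gets identically sorted input: lowercase, no blanks, unique
norm() { tr 'A-Z' 'a-z' | sed 's/[[:space:]]//g' | grep -v '^$' | LC_ALL=C sort -u; }

# reconcile SETNAME OLD_LIST NEW_LIST
# prints "ipset -exist del|add SET ENTRY" lines; -exist makes a re-run harmless
reconcile() {
    old=$(mktemp); new=$(mktemp)
    printf '%s\n' "$2" | norm > "$old"
    printf '%s\n' "$3" | norm > "$new"
    # stale: in the set, no longer announced by the ASN
    LC_ALL=C comm -23 "$old" "$new" | awk -v s="$1" \
        '{ print "ipset -exist del", (index($1, ":") ? s "-v6" : s), $1 }'
    # new: announced now, not yet in the set
    LC_ALL=C comm -13 "$old" "$new" | awk -v s="$1" \
        '{ print "ipset -exist add", (index($1, ":") ? s "-v6" : s), $1 }'
    rm -f "$old" "$new"
}

# stand-alone dry run: one deletion (the old /25) and two additions
reconcile ASN64496 "$OLD_SET" "$NEW_SET"
```

Note what the dry run shows for 198.51.100.0: the announcement changed from a /25 to a /24, so the entry is deleted and re-added rather than edited, which is exactly the case where a set that only ever grows would keep a stale, narrower member around.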
 
> Open a GitHub issue
At some point it just resolved itself. I was looking more to see how it does the check so that I could troubleshoot it on the fly.
 
@Ranger802004 My issue with ASN is that the log states, "jq package is not installed from entware" however it is in fact installed.

admin@GT-AX11000-25C0:/tmp/home/root# opkg install jq
Package jq (1.7.1-1) installed in root is up to date.

Any thoughts?
 
> @Ranger802004 My issue with ASN is that the log states, "jq package is not installed from entware" however it is in fact installed.
>
> admin@GT-AX11000-25C0:/tmp/home/root# opkg install jq
> Package jq (1.7.1-1) installed in root is up to date.
>
> Any thoughts?
Open a GitHub issue so I can investigate.
 
***v3.1.0-beta2 has been released to the update channel***

Release Notes:

v3.1.0-beta2 - 04/05/2025
Enhancements:
- Added functionality to cache ASN IP Subnets for faster restoration from reboot or service restart. This can be enabled or disabled via the ASNCACHE configuration option. Default: Disabled
- ASN queries will now check existing IPSets for IP Subnets that are no longer applicable to the ASN and remove them.
- New configuration options to enable DNS-over-TLS for an interface when a custom DNS server is configured for it; the options appear in the configuration menu once a DNS server is configured. DoT requires dig to be installed to function properly.
 
@Ranger802004 Which policy takes priority over which policy? I just wanted to validate this with you. I added an ASN to the WAN policy (it's a massive amount of IPs), however, a subset of those domains I wanted to route over VPN, so added those to my "Inside" Policy. I did a tracepath (yes, entware package, not tracert) to a URL and it went over WAN as expected, then did a tracepath to another known URL under the same ASN, and it behaved correctly to go through VPN. Can you please confirm? I know these update every 15 minutes via cron, but just want to seek your insights on normal behaviour and if there might be any leakage?

Thanks again for all of your work on this!
 
> @Ranger802004 Which policy takes priority over which policy? I just wanted to validate this with you. I added an ASN to the WAN policy (it's a massive amount of IPs), however, a subset of those domains I wanted to route over VPN, so added those to my "Inside" Policy. I did a tracepath (yes, entware package, not tracert) to a URL and it went over WAN as expected, then did a tracepath to another known URL under the same ASN, and it behaved correctly to go through VPN. Can you please confirm? I know these update every 15 minutes via cron, but just want to seek your insights on normal behaviour and if there might be any leakage?
>
> Thanks again for all of your work on this!
Ok, I did some testing and there is indeed some leakage. When I queried my Inside policy first, everything worked as expected; however, immediately after I queried my ASN which goes over WAN, URLs which are explicitly added to the Inside Policy tracepathed over WAN. Any appetite for you to give us some control over policy hierarchy? Is that even possible?
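The overlap the poster is describing can be measured instead of inferred from tracepath one host at a time. The audit below is an added example, not part of the script, and assumes nothing about how Domain VPN Routing orders its rules; it only reports which addresses the VPN domain policy resolved fall inside the WAN ASN's prefixes. On Linux policy routing, `ip rule` entries are consulted in ascending priority and the first match selects the routing table, so for exactly those overlapping destinations the rule order, not the policy they were "meant" for, decides the exit interface; the overlap list is therefore the set to compare against `ip rule` and against what tracepath shows. Prefixes and addresses are constructed from documentation ranges; on a real router the prefix list would come from `ipset list <setname>` and the address list from the domain policy's own entries.

```shell
#!/bin/sh
# Added example, not part of Domain VPN Routing: report destinations that are
# in both a WAN ASN prefix set and a VPN domain policy (IPv4 only).

# prefixes in the WAN ASN set (constructed, documentation ranges)
WAN_ASN_PREFIXES='203.0.113.0/24
198.51.100.128/25
192.0.2.0/26'

# "domain address" pairs the VPN ("Inside") domain policy resolved (constructed)
VPN_DOMAIN_IPS='media.example.net 203.0.113.40
media.example.net 203.0.113.41
api.example.net 198.51.100.7
login.example.net 192.0.2.200'

# overlap PREFIX_LIST DOMAIN_ADDRESS_LIST
# prints "domain address overlaps prefix" for every hit; pure arithmetic prefix
# matching because POSIX awk has no bit operators
overlap() {
    pf=$(mktemp)
    printf '%s\n' "$1" > "$pf"
    printf '%s\n' "$2" | awk -v pf="$pf" '
    function ip2n(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    BEGIN {
        # load IPv4 prefixes; IPv6 entries skipped (they live in a separate set anyway)
        while ((getline line < pf) > 0) {
            if (line == "" || index(line, ":")) continue
            split(line, q, "/"); len = (q[2] == "" ? 32 : q[2])
            n++; pfx[n] = line; size[n] = 2 ^ (32 - len)
            b = ip2n(q[1]); base[n] = b - (b % size[n])   # align a sloppy base address
        }
    }
    NF >= 2 && index($2, ":") == 0 {
        v = ip2n($2)
        for (j = 1; j <= n; j++)
            if (v >= base[j] && v < base[j] + size[j]) print $1, $2, "overlaps", pfx[j]
    }'
    rm -f "$pf"
}

# stand-alone run: two of the four VPN-policy addresses sit inside the WAN ASN set
overlap "$WAN_ASN_PREFIXES" "$VPN_DOMAIN_IPS"
```

An empty result means the two policies cannot contend and whatever tracepath shows is not a precedence problem; a non-empty one names the exact destinations whose path depends on rule order, which is the list to hand over when asking for a policy hierarchy feature.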
 
