DomainVPNRouting Domain VPN Routing v3.1.0 ***Release***

***v3.1.0-beta3 has been released to the beta channel***

Release Notes:
v3.1.0-beta3 - 04/08/2025
Enhancements:
- Added functionality to cache ASN IP Subnets for faster restoration from reboot or service restart. This can be enabled or disabled via the ASNCACHE configuration option. Default: Disabled
- ASN queries will now check existing IPSets for IP Subnets that are no longer applicable to the ASN and remove them.
- New configuration options to enable DNS-over-TLS for an interface if a custom DNS Server is configured for it. The options in the configuration menu will be displayed when a DNS Server is configured. DoT requires dig to be installed to function properly.

Fixes:
- Fixed an issue where Domain VPN Routing was not applying the boot delay timer configuration when getting system parameters.
- Fixed an issue where the dig, jq, and python3 packages were being checked before Entware was mounted. If Entware is detected as being installed, the script will now continue to check whether Entware is mounted until it times out after 30 checks.
 
@Ranger802004 Which policy takes priority over which policy? I just wanted to validate this with you. I added an ASN to the WAN policy (it's a massive amount of IPs), however, a subset of those domains I wanted to route over VPN, so I added those to my "Inside" Policy. I did a tracepath (yes, Entware package, not tracert) to a URL and it went over WAN as expected, then did a tracepath to another known URL under the same ASN, and it behaved correctly to go through VPN. Can you please confirm? I know these update every 15 minutes via cron, but just want to seek your insights on normal behaviour and if there might be any leakage?

Thanks again for all of your work on this!
The priority is interface based with the following hardcoded values. I'm not opposed to adding logic for customizing the priorities, it's just never been requested but the request can be made via GitHub.

WAN (Single WAN): 150
WAN0/WAN1 (Dual WAN): 150
OVPNC1: 1000
OVPNC2: 2000
OVPNC3: 3000
OVPNC4: 4000
OVPNC5: 5000
WGC1: 6000
WGC2: 7000
WGC3: 8000
WGC4: 9000
WGC5: 10000
 
If @js28194 makes the GitHub request, please let us know. I would like to follow the request. I prefer my WireGuard policy have precedence over my OpenVPN policies due to performance.
 
***v3.1.0 has been released to the production channel***

Release Notes:

Enhancements:
- Added functionality to cache ASN IP Subnets for faster restoration from reboot or service restart. This can be enabled or disabled via the ASNCACHE configuration option. Default: Disabled
- ASN queries will now check existing IPSets for IP Subnets that are no longer applicable to the ASN and remove them.
- New configuration options to enable DNS-over-TLS for an interface if a custom DNS Server is configured for it. The options in the configuration menu will be displayed when a DNS Server is configured. DoT requires dig to be installed to function properly.

Fixes:
- Fixed an issue where Domain VPN Routing was not applying the boot delay timer configuration when getting system parameters.
- Fixed an issue where the dig, jq, and python3 packages were being checked before Entware was mounted. If Entware is detected as being installed, the script will now continue to check whether Entware is mounted until it times out after 30 checks.
 
I have the same issue on 3006.102.4_beta1 on AX6000. Does anybody know how to fix it?
 
I added a default route and everything works, thanks, BUT the unreachable rule is still re-added. Is that normal, or do I need to edit something?

- my rules:
ip rule add fwmark 0xa000/0xf000 lookup 101 prio 6000
ip route add default via <vpn_gateway> dev wgc1 table 101
 
***v3.1.1-beta1 has been added to the beta update channel***

Release Notes:

Enhancements:
- If DNS-over-TLS is enabled and servers are configured on the system DNS-over-TLS DNS server list, dig will be configured to use DNS-over-TLS by randomly selecting a DNS-over-TLS DNS server.
- Python3 and dig are required to be installed for this functionality.
- An existing DNS configuration for the interface in Domain VPN Routing will override this functionality.
- Added debug logging for DNS-over-TLS configuration during querypolicy function execution.
 
I added a default route and everything works, thanks, BUT the unreachable rule is still re-added. Is that normal, or do I need to edit something?

- my rules:
ip rule add fwmark 0xa000/0xf000 lookup 101 prio 6000
ip route add default via <vpn_gateway> dev wgc1 table 101
Open a GitHub issue and I can take a look; provide logs (with debug logs enabled). I will say by default I don't think WGC1 uses table 101, but you can verify by looking at this file. Instead of adding the rule by the number, you can use "wgc1" in lieu of the number.

/etc/iproute2/rt_tables

Should look similar to this:
100 wan0
111 ovpnc1
112 ovpnc2
113 ovpnc3
114 ovpnc4
115 ovpnc5
116 wgc1
117 wgc2
118 wgc3
119 wgc4
120 wgc5
200 wan1
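
The check described in the reply above, as an added example (not code from Domain VPN Routing or from either poster): it resolves an interface's table id from an rt_tables file and flags a rule whose lookup target differs. The helper names are hypothetical and the table file is a constructed copy of the values in the post; on the router, pass /etc/iproute2/rt_tables instead.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of Domain VPN Routing.

# Constructed sample of /etc/iproute2/rt_tables using the values from the post.
RT=$(mktemp)
trap 'rm -f "$RT"' EXIT
cat > "$RT" <<'EOF'
# id name
100 wan0
111 ovpnc1
112 ovpnc2
113 ovpnc3
114 ovpnc4
115 ovpnc5
116 wgc1
117 wgc2
118 wgc3
119 wgc4
120 wgc5
200 wan1
EOF

# Print the numeric id registered for a table name; return 1 if it is absent.
table_id_for() {  # $1 = table name, $2 = rt_tables path
    awk -v name="$1" '
        NF < 2 || $1 ~ /^#/ { next }            # skip blank and comment lines
        $2 == name { print $1; found = 1; exit }
        END { exit (found ? 0 : 1) }' "$2"
}

# Print the table an "ip rule" line points at (the word after lookup/table).
rule_table() {  # $1 = rule text
    echo "$1" | awk '{ for (i = 1; i < NF; i++)
        if ($i == "lookup" || $i == "table") { print $(i + 1); exit } }'
}

# Compare a rule's table with the one registered for the interface.
check_rule() {  # $1 = interface name, $2 = rule text, $3 = rt_tables path
    expected=$(table_id_for "$1" "$3") || { echo "unknown-table $1"; return 2; }
    target=$(rule_table "$2")
    case "$target" in
        "$1"|"$expected") echo "ok $1=$expected"; return 0 ;;
        *) echo "mismatch rule=$target expected=$expected($1)"; return 1 ;;
    esac
}

# The rule from the post, then the same rule using the table name instead.
check_rule wgc1 'ip rule add fwmark 0xa000/0xf000 lookup 101 prio 6000' "$RT" || true
check_rule wgc1 'ip rule add fwmark 0xa000/0xf000 lookup wgc1 prio 6000' "$RT" || true
```

A mismatch means the marked traffic is being sent to a table other than the one registered for the tunnel interface, which is worth ruling out before looking for leakage elsewhere.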
 
