Help with asus RT-AC56R Vpn split tunneling

[Azazel35]

I have asus rt-ac56r router with asus wrt-Merlin v 378.55. Running private Internet access openvpn. I bought me an apple tv and bought a subscription of Hulu. Well Hulu has pia blocked. So I have been trying to figure out how to let Hulu be the only app to see my real IP address without me having to stop the vpn. I have read about ip tables, and scripts but no luck in getting it to work. Can someone share their setup with me.

Thanks

 

[RMerlin]

Upgrade to 378.56_2, determine what's the IP address of Hulu's servers, and configure an exception rule for those IPs through the webui's policy-based routing.

 

[Azazel35]

Upgrade to 378.56_2, determine what's the IP address of Hulu's servers, and configure an exception rule for those IPs through the webui's policy-based routing.

Can you explain a little more. I updated to newest stable build. I changed redirect traffic to policy base routing. I put my Apple TV as source and put 0.0.0.0 in other box. And select wan. But when I do that my Von still connects but my real ip shows when I do a dns leak test.

 

[RMerlin]

Can you explain a little more. I updated to newest stable build. I changed redirect traffic to policy base routing. I put my Apple TV as source and put 0.0.0.0 in other box. And select wan. But when I do that my Von still connects but my real ip shows when I do a dns leak test.

If you still use your ISP's DNS, then a VPN tunnel won't change that. If you want everyone to use the VPN provider's DNS then you must configure the VPN client DNS setting to "Enforce", and define a DNSFilter rule for your Apple TV to force it to use the ISP's DNS.

 

[RMerlin]

Can you explain a little more. I updated to newest stable build. I changed redirect traffic to policy base routing. I put my Apple TV as source and put 0.0.0.0 in other box. And select wan. But when I do that my Von still connects but my real ip shows when I do a dns leak test.

You also need to define a rule to determine which client goes through the VPN. By default, none do.

 

[Azazel35]

You also need to define a rule to determine which client goes through the VPN. By default, none do.

Thank you I got it working now. One other question I have is about ip table.
Do I need make separate scripts for the tunnels?

So if I want change the sleep 11 to sleep 12 for another device, do I need a new script or can I start script from the bottom of the script I'm using already?

Update: looks like that works, now I need work on firewall.

Like this?

#!/bin/sh

Sleep 11

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

ip route show table main | grep -Ev ^default | grep -Ev tun11\
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.x.xxx -j MARK --set-mark 0

Sleep 12

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

ip route show table main | grep -Ev ^default | grep -Ev tun11\
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.x.xxx -j MARK --set-mark 0



exit 1