openvpn client policy routing question

Tubby

New Around Here
Hey folks, just set up a PIA VPN on my AC68U router running Merlin 380.65_2
And have been trying to get a few services whitelisted to go through my WAN rather than the VPN. The three big ones I'm concerned about are Plex, Netflix and Amazon Prime Video.

The client policy routing feature seems to be pretty great but I'm struggling to get it to do everything I need it to do within the 100 rule limits that it provides.

Would it be possible to use a domain address rather than a destination IP? For instance, the domain "plex.tv" includes 7 IP addresses that I'd like to whitelist. If I could just set one rule for that domain it would save me 6 rule entries and keep me covered in case Plex changed the IPs later. I had kind of hoped I'd be able to do something similar with Netflix, which as I understand it has 100s of IP addresses that I'd need to whitelist.

Should this be a feature request? Is it even feasible? Can anyone point me in the right direction to get those services up and running properly while using the VPN for everything else?
 
The client policy routing feature seems to be pretty great but I'm struggling to get it to do everything I need it to do within the 100 rule limits that it provides.

You can specify a range of target addresses in CIDR format (assuming you can identify ALL of the subnets for your region) to significantly reduce the number of entries in the table.

e.g. These 4 rules for Netflix cover over a thousand addresses
Code:
Netblock                Description                Num IPs
45.57.40.0/24   Netflix Streaming Services Inc.      256
45.57.8.0/23    Netflix Streaming Services Inc.      512
45.57.8.0/24    Netflix Streaming Services Inc.      256
45.57.9.0/24    Netflix Streaming Services Inc.      256
etc.

Would it be possible to use a domain address rather than a destination IP? ... and keep me covered in case Plex changed the IPs later.

No, you cannot directly specify a domain name as a target for the Selective Routing Policy rules (RPDB 'ip rule' command will only accept I/P addresses/CIDR ranges.)

However, you can use the IPSETs method which can dynamically maintain a valid list of current I/P addresses, rather than rely on a static list.

https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-25#post-289515
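
An added example, not part of the original posts: a Python sketch that collapses a list of destination addresses and netblocks into the fewest CIDR entries and checks the result against the 100-rule limit mentioned in the thread. The four Netflix netblocks are the ones listed above; the 192.0.2.x hosts and all function names are constructed for illustration.

```python
import ipaddress

RULE_LIMIT = 100  # policy routing rule limit mentioned in the thread

def minimise_rules(entries):
    """Return (collapsed networks, input entries already covered by a wider entry)."""
    nets = [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]
    # collapse_addresses merges adjacent blocks and drops contained ones
    collapsed = list(ipaddress.collapse_addresses(nets))
    redundant = sorted({n for n in nets for o in nets
                        if n != o and n.subnet_of(o)})
    return collapsed, redundant

def summarise(entries):
    """Summary a router admin can act on before filling in the rule table."""
    collapsed, redundant = minimise_rules(entries)
    return {
        "rules": [str(n) for n in collapsed],
        "redundant": [str(n) for n in redundant],
        "addresses": sum(n.num_addresses for n in collapsed),
        "fits": len(collapsed) <= RULE_LIMIT,
    }

# Netblocks from the post above, plus constructed single-host entries
SAMPLE = [
    "45.57.40.0/24", "45.57.8.0/23", "45.57.8.0/24", "45.57.9.0/24",
    "192.0.2.8", "192.0.2.9", "192.0.2.10", "192.0.2.11",  # constructed
]

if __name__ == "__main__":
    result = summarise(SAMPLE)
    for rule in result["rules"]:
        print("destination:", rule)
    print("already covered by a wider entry:", result["redundant"])
    print("unique addresses:", result["addresses"],
          "| fits rule limit:", result["fits"])
```

Entries reported as already covered can be left out of the rule table without changing which traffic matches.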
 
Oh my god....

I feel as though I'm in waaaaaaaaaaay over my head. I don't know anything about scripting. I don't even know how I'd add said scripts even if I was able to put them together. I had hoped this whole process would be much simpler...
 
Are you using dedicated devices to access those services or are you using a computer? I use Roku and Fire TV devices as well as two Dish Network receivers. I just assign those static IP addresses and send them straight through the WAN with everything else going through the VPN. If you're using a computer and have to specify it by service address, well, never mind.
 
