route certain domains through client vpn

Hi,
I just can't get this to work. :(

I have my OpenVPN client running on client 1. Accept DNS Configuration is STRICT.

I installed the script
Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/x3mRouting/master/install_x3mRouting.sh" -o "/jffs/scripts/install_x3mRouting.sh" && chmod 755 /jffs/scripts/install_x3mRouting.sh && sh /jffs/scripts/install_x3mRouting.sh

and ran option 3.

Then I ran the following command, hoping that ifconfig.io loads through my VPN client and not my WAN:

Code:
admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# . load_DNSMASQ_ipset_iface.sh 1 US_vpn1 ifconfig.io
(-sh): 3833 Starting Script Execution
(-sh): 3833 IPSET created: US_vpn1 hash:net family inet hashsize 1024 maxelem 65536
(-sh): 3833 CRON schedule created: #US_vpn1# '0 2 * * * ipset save US_vpn1'
(-sh): 3833 Selective Routing Rule via VPN Client 1 created for US_vpn1 (TAG fwmark 0x1000/0x1000)
(-sh): 3833 Completed Script Execution
admin@RT-AC68U-5358:/jffs/scripts/x3mRouting#

Still, access to ifconfig.io is going through the WAN :(

Some diagnostics, in case you can give me a hand:
Code:
admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 9794 packets, 12M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       0  0       MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set US_vpn1 dst MARK or 0x1000

Don't know why an ovpnc3 shows:
Code:
admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# ip rule
0:      from all lookup local
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC68U-5358:/jffs/scripts/x3mRouting#

admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# ipset -L US_vpn1
Name: US_vpn1
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 316
References: 1
Number of entries: 0
Members:

My dnsmasq.conf.add file:
Code:
strict-order


dhcp-option=lan,42,10.0.0.1 # ntpMerlin
server=/pool.ntp.org/1.1.1.1

ipset=/pandora.com/US_vpn1
ipset=/ifconfig.io/US_vpn1
 
Thanks for using the script. The problem looks like the IPSET list is not getting populated. I used pandora to duplicate your issue:

Code:
sh load_DNSMASQ_ipset_iface.sh 1 US_vpn1 pandora.com

I confirmed the IPSET list exists and there are no entries:
Code:
ipset -L US_vpn1
Name: US_vpn1
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 316
References: 1
Number of entries: 0
Members:

In the past, I could do an nslookup command to populate the ipset list. At least I thought I could. o_O But no IP address appears in the list after running nslookup on pandora.com.

But when I went to a browser and typed in pandora.com, the list gets populated:

Code:
#ipset -L US_vpn1

Name: US_vpn1
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 372
References: 1
Number of entries: 1
Members:
208.85.40.20

I confirmed the restart of dnsmasq is being run after the IPSET list is added to /jffs/configs/dnsmasq.conf.add. But you can also try issuing the restart command.

Code:
service_restart dnsmasq

Or, try a reboot. It shouldn't be necessary though. When I flashed to 384.11x, I had some issues with dnsmasq. It appeared as if the lookups on domain names were not being performed. I uninstalled Diversion and reinstalled to get things working again.

Another option is to add the IP address manually to the IPSET list.

Code:
ipset add US_vpn1 208.85.40.20

But that shouldn't be required. dnsmasq should be taking care of this for you. For example, in /opt/var/log/dnsmasq.log, I see the entry below after going to the website:

Code:
ipset add US_vpn1 208.85.40.20 pandora.com

Once the ipset list is populated, the routing should work.
 
I think I found a setting that may be causing the issue. Go to Tools -> Other Settings and set local caching to yes. Now, when I perform an nslookup on pandora.com, the IPSET is getting populated. Note to @Martineau.

(screenshot: upload_2019-5-26_8-28-55.png)


I will update the installer script to set Wan: Use local caching DNS server as system resolver (default: No) to Yes to prevent issues.
 
I'm probably not understanding this, but I use policy rules under a VPN client to route RTP.PT through the client connected to a Portuguese server, and everything else not through the VPN client. I expected it to be complicated but it wasn't.
 
Policy routing for a handful of domains or websites can be done using the Policy Routing section of the OpenVPN Client Screen and will probably meet the requirements of most people. But for some sites like Netflix, there are many IP addresses:

Code:
ipset -L NETFLIX
Name: NETFLIX
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 7540
References: 1
Number of entries: 138
23.246.14.0/24
45.57.72.0/24
23.246.57.0/24
45.57.19.0/24
45.57.7.0/24
<snip>

Entering all of the IP addresses in the OpenVPN Client screen would be burdensome. Plus, there is a limit on how many IP addresses can be entered in the screen. The IPSET method helps for these use cases.
 
@Xentrk

Hello and thanks!
I checked the Wan: Use local caching DNS server as system resolver (default: Yes) setting and it's been ON all the time.

I have restarted dnsmasq several times and rebooted, with no good results.

The list is now populated, but traffic to pandora.com and ifconfig.io still goes through the WAN and not OpenVPN client 1. I can verify this as Pandora is geoblocked in my country and ipinfo will show my WAN IP address.

Code:
admin@RT-AC68U-5358:/tmp/home/root# ipset -L US_vpn1
Name: US_vpn1
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 484
References: 1
Number of entries: 3
Members:
104.24.123.146
208.85.40.20
104.24.122.146

Here is also the dnsmasq log:
Code:
andresmorago@RT-AC68U-5358:/tmp/home/root# tail -f /opt/var/log/dnsmasq.log | grep ipset
May 25 22:54:59 dnsmasq[19532]: ipset add US_vpn1 208.85.40.20 pandora.com
May 25 22:54:59 dnsmasq[19532]: ipset add US_vpn1 2620:106:e003:f00e::63 pandora.com
May 25 22:55:04 dnsmasq[19532]: ipset add US_vpn1 104.24.122.146 ifconfig.io
May 25 22:55:04 dnsmasq[19532]: ipset add US_vpn1 104.24.123.146 ifconfig.io
May 25 22:55:04 dnsmasq[19532]: ipset add US_vpn1 2606:4700:30::6818:7b92 ifconfig.io
May 25 22:55:04 dnsmasq[19532]: ipset add US_vpn1 2606:4700:30::6818:7a92 ifconfig.io

What else can I do?
An extra question: if I reboot, how can I make sure I don't lose the configuration?

Thanks
 
I ran the script for Pandora and was able to have the traffic routed. I first used my Private IP in US and it worked. I then tested using a shared VPN server in LA. By doing this, I wanted to see if Pandora was blocking known VPN servers.

Make sure Policy Rules (Strict) is enabled on the OpenVPN Client Screen. If you use more than one OpenVPN Client, I strongly suggest adding the router's IP address to the first OpenVPN Client screen and route it to the WAN iface in the Policy Rules section as follows:

(screenshot: upload_2019-5-26_13-43-27.png)


Note the pkts and bytes traversing the rule for pandora in the last entry:
Code:
iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 16463 packets, 4034K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1920 2413K MARK       all  --  tun15  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  tun14  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3        0     0 MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4    17845   14M MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
5     4949 2871K MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
6        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
7        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK or 0x1000
8       30  2200 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set HULU_WEB dst MARK or 0x1000
9        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEB dst MARK or 0x4000
10     901 49186 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set CBS_WEB dst MARK or 0x3000
11       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set MOVETV dst MARK or 0x3000
12      75  7751 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set US_vpn1 dst MARK or 0x2000
 
Currently, the x3mRouting project only supports IPv4 addresses. Adding support for IPv6 is something I had planned to do once the project had gotten some use by the community. I already have done the analysis and the effort shouldn't be that difficult.
 
@Xentrk hello again
Still no luck. :( I have taken into account all your recommendations. Still, traffic to pandora.com and ifconfig.io (my 2 test websites) is going through the WAN and not tun11.
I have restarted dnsmasq and rebooted the router several times.
I only have 1 OpenVPN client running and have tested it on a different device, which confirms that the VPN doesn't block these 2 websites.

I also tried everything again from scratch.

Installing your script:
Code:
admin@RT-AC68U-5358:/tmp/home/root# /usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/x3mRouting/master/install_x3mRouting.sh" -o "/jffs/scripts/install_x3mRouting.sh" && chmod 755 /jffs/scripts/install_x3mRouting.sh && sh /jffs/scripts/install_x3mRouting.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 20846  100 20846    0     0  14837      0  0:00:01  0:00:01 --:--:-- 25863

_______________________________________________________________________
|                                                                     |
|  Welcome to the x3mRouting installation script                      |
|  Version 1.0.0 by Xentrk                                            |
|         ____        _         _                                     |
|        |__  |      | |       | |                                    |
|  __  __  _| |_ _ _ | |_  ___ | | __    ____ ____  _ _ _             |
|  \ \/ / |_  | ` ` \  __|/ _ \| |/ /   /  _//    \| ` ` \            |
|   /  /  __| | | | |  |_ | __/|   <   (  (_ | [] || | | |            |
|  /_/\_\|___ |_|_|_|\___|\___||_|\_\[] \___\\____/|_|_|_|            |
|_____________________________________________________________________|
|                                                                     |
| Requirements: jffs partition and USB drive with entware installed   |
|                                                                     |
| See the project repository at                                       |
| https://github.com/Xentrk/x3mRouting                                |
| for helpful tips.                                                   |
|_____________________________________________________________________|

[1] = Install x3mRouting for LAN Clients
[2] = Install x3mRouting OpenVPN Client GUI & IPSET Shell Scripts
[3] = Install x3mRouting IPSET Shell Scripts
[4] = Check for updates to existing x3mRouting installation
[5] = Force update existing x3mRouting installation
[6] = Remove x3mRouting Repository

[e] = Exit Script

Option ==> 3
Installing jq (1.6-1) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/jq_1.6-1_armv7-2.6.ipk
Configuring jq.
jq successfully installed
Created project directory /jffs/scripts/x3mRouting
load_MANUAL_ipset_iface.sh downloaded successfully
load_ASN_ipset_iface.sh downloaded successfully
load_DNSMASQ_ipset_iface.sh downloaded successfully
load_AMAZON_ipset_iface.sh downloaded successfully

Installation of x3mRouting for IPSET Shell Scripts completed
Press enter to continue

Running load_DNSMASQ_ipset_iface.sh:
Code:
admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# . load_DNSMASQ_ipset_iface.sh 1 US_vpn pandora.com
(-sh): 3248 Starting Script Execution
(-sh): 3248 IPSET created: US_vpn hash:net family inet hashsize 1024 maxelem 65536
(-sh): 3248 CRON schedule created: #US_vpn# '0 2 * * * ipset save US_vpn'
(-sh): 3248 Selective Routing Rule via VPN Client 1 created for US_vpn (TAG fwmark 0x1000/0x1000)
(-sh): 3248 Completed Script Execution

admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# . load_DNSMASQ_ipset_iface.sh 1 US_vpn ifconfig.io
(-sh): 3248 Starting Script Execution
0 2 * * * ipset save US_vpn > /opt/tmp/US_vpn #US_vpn#
(-sh): 3248 Selective Routing Rule via VPN Client 1 created for US_vpn (TAG fwmark 0x1000/0x1000)
(-sh): 3248 Completed Script Execution

Diagnostics:
Code:
admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 2412 packets, 1354K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set US_vpn dst MARK or 0x1000

admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# ip rule
0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# ipset -L US_vpn
Name: US_vpn
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 316
References: 1
Number of entries: 0
Members:

admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# nslookup pandora.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      pandora.com
Address 1: 2620:106:e003:f00e::63
Address 2: 208.85.40.20 www.pandora.com


admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# nslookup ifconfig.io
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      ifconfig.io
Address 1: 2606:4700:30::6818:7a92
Address 2: 104.24.122.146
Address 3: 104.24.123.146

admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# ipset -L US_vpn
Name: US_vpn
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 484
References: 1
Number of entries: 3
Members:
208.85.40.20
104.24.122.146
104.24.123.146

admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 5152 packets, 1984K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       33  3036 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set US_vpn dst MARK or 0x1000

When I run a traceroute from my router to pandora.com, I can clearly see that traffic doesn't go through VPN client 1. Hop #3 is a local ISP router.

Code:
admin@RT-AC68U-5358:/jffs/scripts/x3mRouting# traceroute pandora.com
traceroute to pandora.com (208.85.40.20), 30 hops max, 38 byte packets
 1  *  *  *
 2  172.21.113.198 (172.21.113.198)  12.136 ms  8.582 ms  7.891 ms
 3  190.85.254.145 (190.85.254.145)  10.585 ms  13.329 ms  15.008 ms
 4  10.14.16.18 (10.14.16.18)  39.771 ms  34.652 ms  39.599 ms
 5  10.14.18.41 (10.14.18.41)  32.124 ms  85.490 ms  39.845 ms
 6  ix-et-2-0-2-0.tcore2.a56-atlanta.as6453.net (64.86.8.37)  78.584 ms  70.571 ms  atl-b22-link.telia.net (62.115.145.12)  71.286 ms
 7  if-ae-43-2.tcore1.a56-atlanta.as6453.net (64.86.113.149)  73.825 ms  *  73.541 ms
 8  dls-b21-link.telia.net (80.91.246.75)  92.749 ms  209.58.44.2 (209.58.44.2)  72.557 ms  dls-b21-link.telia.net (80.91.246.75)  94.225 ms
 9  las-b21-link.telia.net (62.115.123.137)  121.568 ms  be-11491-cr02.56marietta.ga.ibone.comcast.net (68.86.83.177)  75.537 ms  las-b21-link.telia.net (62.115.123.137)  123.615 ms
10  be-11423-cr01.houston.tx.ibone.comcast.net (68.86.85.22)  91.553 ms  93.387 ms  sjo-b21-link.telia.net (62.115.116.40)  131.133 ms
11  be-11523-cr02.losangeles.ca.ibone.comcast.net (68.86.87.173)  122.840 ms  pandora-ic-318321-sjo-b21.c.telia.net (213.248.85.255)  129.119 ms  131.700 ms
12  be-11525-cr01.9greatoaks.ca.ibone.comcast.net (68.86.84.150)  129.933 ms  www.pandora.com (208.85.40.20)  133.533 ms  be-11525-cr01.9greatoaks.ca.ibone.comcast.net (68.86.84.150)  130.298 ms
/x3mRouting#

dnsmasq.conf.add:
Code:
#strict-order


dhcp-option=lan,42,10.0.0.1 # ntpMerlin
server=/pool.ntp.org/1.1.1.1

ipset=/pandora.com/US_vpn
ipset=/ifconfig.io/US_vpn

The VPN is working correctly:
* I have full access to the server. Tried to connect from a different client and it works.
* Pings from the router to my VPN server are OK. Also, I can force a traceroute through VPN client 1 and the hops show traffic being routed like I need it to be.
 

The tagging rule is showing that the fwmark is being applied
Code:
iptables -nvL PREROUTING -t mangle --line
 
Chain PREROUTING (policy ACCEPT 5152 packets, 1984K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       33  3036 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set US_vpn dst MARK or 0x1000
Did you confirm that Selective Routing is enabled?
Code:
ip route show table main | grep -E "^0\.|^128.|^default"
ip route show table ovpnc1

nvram get ctf_disable
nvram get ctf_fa_mode
 
hi @Martineau

10.0.0.1 is the router's IP
10.0.0.6 is pixelserv
10.0.2.3 is the router's VPN client IP; the VPN server has IP 10.0.2.1

Code:
ASUSWRT-Merlin RT-AC68U 384.11-0 Wed May  8 22:14:43 UTC 2019
admin@RT-AC68U-5358:/tmp/home/root# ip route show table main | grep -E "^0\.|^128.|^default"
default via 181.56.148.1 dev eth0

admin@RT-AC68U-5358:/tmp/home/root# ip route show table ovpnc1
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.1
10.0.2.0/24 dev tun11  proto kernel  scope link  src 10.0.2.3
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.0.0.6

And the selective routing commands:
Code:
admin@RT-AC68U-5358:/tmp/home/root# nvram get ctf_disable
1

admin@RT-AC68U-5358:/tmp/home/root# nvram get ctf_fa_mode


When I run iptables -nvL PREROUTING -t mangle --line, open pandora.com and then run iptables -nvL PREROUTING -t mangle --line again, I can see the bytes counter increasing. Still, Pandora remains geoblocked.
The same happens with ifconfig.io, as the website shows my WAN IP and not my VPN server's WAN IP.
 
@andresmorago
Did you make sure the router's IP address is entered in the Policy Rules section per the example below and routed to the WAN iface?

upload_2019-5-27_8-47-15.png
 
Hi @Xentrk @Martineau, good news!
Thanks for insisting on this. I had entered it yesterday and made sure it was stored properly, but it didn't work then.
I just deleted it and re-entered it again, and after restarting dnsmasq and the OVPN client, it's now redirecting traffic as I needed. :D

Thanks so so much. I’m gonna do some more testing and let you know anything.

Regards
Andres
 
Hello again
Some minor issues:

I have noticed that when I first call any of the websites, traffic first goes through the WAN. I have to ping the websites from the router first so that they get routed through the VPN.

Code:
admin@RT-AC68U-5358:/tmp/home/root# ipset -L US_vpn
Name: US_vpn
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 428
References: 1
Number of entries: 2
Members:

admin@RT-AC68U-5358:/tmp/home/root# ping pandora.com
PING pandora.com (208.85.40.20): 56 data bytes
64 bytes from 208.85.40.20: seq=0 ttl=239 time=134.389 ms
--- pandora.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 134.381/134.385/134.389 ms

admin@RT-AC68U-5358:/tmp/home/root# ping ifconfig.io
PING ifconfig.io (104.24.122.146): 56 data bytes
64 bytes from 104.24.122.146: seq=0 ttl=54 time=91.313 ms
--- ifconfig.io ping statistics ---
1 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 90.109/90.711/91.313 ms

admin@RT-AC68U-5358:/tmp/home/root# ipset -L US_vpn
Name: US_vpn
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 484
References: 1
Number of entries: 3
Members:
104.24.123.146
208.85.40.20
104.24.122.146
 
I have also noticed that the install script isn't enabling the liststats function. I have restarted PuTTY and get
Code:
admin@RT-AC68U-5358:/tmp/home/root# liststats
-sh: liststats: not found

profile.add
Code:
alias FreshJR_QOS="sh /jffs/scripts/FreshJR_QOS -menu"
alias freshjr="sh /jffs/scripts/FreshJR_QOS -menu"
alias freshjrqos="sh /jffs/scripts/FreshJR_QOS -menu"
alias freshjr_qos="sh /jffs/scripts/FreshJR_QOS -menu"
alias FreshJR_QOS="sh /jffs/scripts/FreshJR_QOS -menu"
 
For liststats, check if the file /jffs/configs/profile.add exists. Type:

Code:
ls -al /jffs/configs | grep profile.add
And show me the output.

Update:

I renamed my existing profile.add to profile.add.bkup and ran the installer. /jffs/configs/profile.add was created and I was able to run the command after opening up a new SSH session.
 
Hi.
Output:
Code:
admin@RT-AC68U-5358:/tmp/home/root# ls -al /jffs/configs | grep profile.add
-rw-rw-rw-    1 admin root           270 Mar 18 15:35 profile.add

Please take into account that my profile.add already has extra lines from the FreshJR QoS script.
 
Every 24 hours at 2:00 am, a backup copy of the current IPSET list is made to /opt/tmp. This will allow the IPSET list to be restored upon system boot. dnsmasq is supposed to auto populate the IPSET list. But as I found with 384.12 alpha release, it wasn't working as expected unless DNS local cache was set to Yes. If you have rebooted before the cron job could run, the backup never got created. After you have the ipset list populated with the three entries, type the following command to save the backup. This should prevent the issue from occurring in the future after a reboot:

Code:
ipset save US_VPN > /opt/tmp/US_VPN
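The backup described above is only useful if it was actually written and names the right set, so here is an added example (not x3mRouting's own code) that validates an "ipset save" file before a boot-time restore. The sample backup content and its path are constructed for the example; the router's real file lives under /opt/tmp.

```shell
#!/bin/sh
# Added example, not x3mRouting's own code: sanity-check an "ipset save"
# backup before restoring it at boot. A backup that was never written (reboot
# before the 02:00 cron job ran) or that belongs to a different set would
# otherwise restore nothing. IPSET names are case sensitive (US_vpn != US_VPN),
# so the set name is matched exactly.

# check_ipset_backup FILE SETNAME
# Prints the number of "add" entries; returns 0 only when FILE exists, its
# first line is "create SETNAME ..." and it holds at least one entry.
check_ipset_backup() {
    file=$1
    setname=$2
    if [ ! -s "$file" ]; then
        echo 0
        return 1
    fi
    if ! head -n 1 "$file" | grep -q "^create $setname "; then
        echo 0
        return 1
    fi
    n=$(grep -c "^add $setname " "$file" || true)
    echo "$n"
    [ "$n" -gt 0 ]
}

# Constructed sample in the format "ipset save" writes; the path is a
# placeholder for this example, not the router's real /opt/tmp backup.
SAMPLE="${TMPDIR:-/tmp}/US_vpn.example"
cat > "$SAMPLE" <<'EOF'
create US_vpn hash:net family inet hashsize 1024 maxelem 65536
add US_vpn 104.24.123.146
add US_vpn 208.85.40.20
add US_vpn 104.24.122.146
EOF

check_ipset_backup "$SAMPLE" US_vpn   # prints 3, exit status 0

# On the router the restore step would only run after the check passes:
# check_ipset_backup /opt/tmp/US_vpn US_vpn >/dev/null && ipset restore -exist < /opt/tmp/US_vpn
```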
 
Thanks for letting me know. I think I see the issue. But I need to wait until tomorrow to fix and test as it's getting late in my time zone and I might make a mistake. For now, copy the code below to /jffs/configs/profile.add:

Code:
# List number of entries in each IPSET list
# Usage: liststats
liststats () {
    GREEN='\033[0;32m'
    RED='\033[0;31m'
    NC='\033[0m' # No Color
    true > /tmp/liststats
    for SETLIST in $(ipset -L -n); do
        printf '%s - %b%s%b\n' "$SETLIST" "$GREEN" "$(($(ipset -L "$SETLIST" | wc -l) - 8))" "$NC" >> /tmp/liststats
    done
    cat /tmp/liststats | sort
    rm /tmp/liststats
}

Sample Output
Code:
/jffs/scripts# liststats

AMAZON_US - 331
BBC_WEB - 135
CBS_WEB - 134
HULU_WEB - 9
MOVETV - 117
NETFLIX - 150
Skynet-Blacklist - 157564
Skynet-BlockedRanges - 1569
Skynet-IOT - 0
Skynet-Master - 2
Skynet-Whitelist - 3512
US_VPN - 1
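The liststats function above gets its count by subtracting a fixed 8 header lines from "ipset -L" output. As an added example (not x3mRouting's code), the helper below counts the lines after "Members:" instead, so it does not depend on the header length; the two listings are constructed, the second assuming an ipset build that omits the "Number of entries" line.

```shell
#!/bin/sh
# Added example, not x3mRouting's own code: count IPSET members from
# "ipset -L" output by counting the lines after "Members:", instead of the
# fixed "wc -l minus 8" header offset used by liststats. The header length
# differs between ipset builds, and the thread's own first listing shows
# "Number of entries: 2" above an empty Members section, so the header
# counter is not relied on either.

# ipset_member_count  (reads one set's "ipset -L" output on stdin)
ipset_member_count() {
    awk '
        /^Members:/  { inside = 1; next }
        inside && NF { cnt++ }
        END          { print cnt + 0 }
    '
}

# Constructed sample modelled on the US_vpn listing shown in the thread
SAMPLE_NEW='Name: US_vpn
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 484
References: 1
Number of entries: 3
Members:
104.24.123.146
208.85.40.20
104.24.122.146'

# Same set with a 7-line header (no "Number of entries"), as assumed for an
# ipset build that does not print it; "wc -l minus 8" would report 2 here.
SAMPLE_OLD='Name: US_vpn
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 484
References: 1
Members:
104.24.123.146
208.85.40.20
104.24.122.146'

count_new() { printf '%s\n' "$SAMPLE_NEW" | ipset_member_count; }
count_old() { printf '%s\n' "$SAMPLE_OLD" | ipset_member_count; }

count_new   # prints 3
count_old   # prints 3

# On the router, a liststats replacement would be:
# for s in $(ipset -L -n); do printf '%s - %s\n' "$s" "$(ipset -L "$s" | ipset_member_count)"; done
```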
 