# ip rule
0: from all lookup local
9990: from all fwmark 0x7000/0x7000 lookup main
10001: from 192.168.22.1 lookup main
10101: from 192.168.22.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 4102 packets, 1974K bytes)
num pkts bytes target prot opt in out source destination
1 635 709K MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
2 1 60 MARK all -- tun12 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
3 1 60 MARK all -- tun13 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
4 0 0 MARK all -- tun21 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
5 9612 8025K BWDPI_FILTER udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
6 0 0 MARK tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX dst,dst MARK or 0x7000
7 231 55363 MARK tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZONAWS dst,dst MARK or 0x7000
# ip route show table main | grep -E "^0\.|^128\.|^default|tun1"
10.22.0.13 dev tun11 proto kernel scope link src 10.22.0.14
10.24.0.9 dev tun13 proto kernel scope link src 10.24.0.10
10.9.0.9 dev tun12 proto kernel scope link src 10.9.0.10
default via 84.81.218.1 dev vlan34
Apr 18 09:36:22 (IPSET_Netflix): 666 Starting IPSET_Netflix.sh... /jffs/scripts/IPSET_Netflix.
Apr 18 09:36:23 nat: apply nat rules (/tmp/nat_rules_vlan34_vlan34)
Apr 18 09:36:23 custom_script: Running /jffs/scripts/nat-start
Apr 18 09:36:23 (IPSET_Netflix): 677 Starting IPSET_Netflix.sh... /jffs/scripts/IPSET_Netflix.
# nslookup whatismypublicip.com
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
Name: whatismypublicip.com
Address 1: 108.160.151.39 whatismypublicip.com
This is due to my internet provider (not my VPN provider, which is IPVanish); internet is tagged on vlan 34. My router is an ASUS RT-AC5300.
When comparing the ip route show table command with your output, I notice you have a different output. Not sure if this is due to your router or VPN provider.
default via 84.81.218.1 dev vlan34
My ISP WAN IP address is shown.
Here are some additional debugging tips.
Add a rule to route 108.160.151.3 (whatismypublicip.com) thru the wan in the OpenVPN Client GUI.
# nslookup whatismypublicip.com
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
Name: whatismypublicip.com
Address 1: 108.160.151.39 whatismypublicip.com
Go to whatismypublicip.com. The ip address it reports should be how Netflix sees you, which is your WAN IP address. You can also confirm your WAN address on the web gui.
My VPN IP address is shown.
Go to whatismyipaddress.com. It should report the IP address of your VPN location.
So it appears the Netflix and/or Amazon ASN may not contain all of the IP addresses required to work from your geolocation. Before I learned about using ASN, I would capture the domain names logged in dnsmasq.log file. I use ASN for most of my streaming media services. But for some, I have to use domain names. When I returned from my recent trip, one of the ASN numbers stopped working for SlingTV. I got it to work again by adding the domain names I captured. So, let us try the domain name method rather than ASN numbers.
My ISP WAN IP address is shown.
My VPN IP address is shown.
#!/bin/sh
# script name: getdomainnames.sh
#set -x
# This script will format the output of tail -f dnsmasq.log > logfile
# where logfile is the output of tail -f dnsmasq.log
# 1. extract records whose contents contain the word "query"
#    (only queries from the LAN client 192.168.22.157 are kept)
# 2. output only the domain name
# 3. sort file for unique contents to eliminate duplicates
# 4. save to $1_output
#
# Parameters Passed
# $1 = provide the name of the source file when running the script
# e.g. ./getdomainnames.sh logfile
#
source_file="/tmp/mnt/absolution/adblocking/logs/$1"
output_file="${source_file}_output"
grep query "$source_file" | grep 192.168.22.157 | awk '{ print $6 }' | sort -u > "$output_file"
#!/bin/sh
####################################################################################################
# Written By: Xentrk
# Script Name: netflix_bypass.sh
# Version 1.0
#
# Description:
# Selective Routing Script for WAN and OpenVPN Clients
#
# Grateful:
# Thank you to @Martineau on snbforums.com for sharing his Selective Routing expertise
# and on-going support!
####################################################################################################
logger -t "($(basename $0))" $$ Starting..." $0${*:+ $*}."
# Uncomment the line below for debugging
#set -x
# Prevent script from running twice at boot up
#exec 400>/tmp/vpnroutingcheck.lck
#flock -x 400 || exit 0
#sleep 120
PROGNAME=$(basename "$0")
LOCKFILE_DIR=/tmp
LOCK_FD=200
lock() {
local prefix=$1
local fd=${2:-$LOCK_FD}
local lock_file=$LOCKFILE_DIR/$prefix.lock
# create lock file
eval "exec $fd>$lock_file"
# acquire the lock
flock -n $fd \
&& return 0 \
|| return 1
}
eexit() {
local error_str="$@"
echo $error_str
exit 1
}
main() {
lock $PROGNAME \
|| eexit "Only one instance of $PROGNAME can run at one time."
ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
# WAN
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990
#VPN Client 1
#ip rule del fwmark 0x1000
#ip rule add fwmark 0x1000 table 111 prio 9991
ip route flush cache
# extract LAN ip addresses
ipset add LAN_GW $(nvram get lan_ipaddr)
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
#Pull Netflix Domain Names and route to WAN
for DNS in $(awk '{ print $1 }' /jffs/scripts/NETFLIX)
do
iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x7000/0x7000
done
ip route flush cache
logger -t "($(basename $0))" $$ Ending..." $0${*:+ $*}."
}
main
I will look into the differences and analyze what changes may be required to the script to change the ASN source from ipinfo.io to peeringdb.com. There are some other sources as well. It would be interesting to compare and determine if there are any differences among the providers of ASN information.
I have posted a connection log while watching Netflix on my laptop (post #101), so yes, I can watch Netflix when I turn off the VPN. I do not block routed clients if the tunnel goes down.
Regarding my geo location, checking netflix ip addresses on https://www.peeringdb.com/asn/2906 I see for instance two AMS-IX ip addresses netflix uses (80.249.211.250 and 80.249.210.250) which are not in the NETFLIX ipset your script creates.
#Pull all IPv4s listed for Netflix Streaming Services, Inc - AS40027
netsv4=`curl https://ipinfo.io/AS40027 2>/dev/null | grep -E "a href.*40027\/" | grep -v ":" |sed 's/^.*\">//; s/<.*//; /^\s*$/d'`
for net in $netsv4
do
ipset add NETFLIX $net
done
unset netsv4
Thanks @EduardS, excellent feedback! I have seen the nflxvideo.net domains posted on other forums. Sounds like they will differ by ISP provider.
That last one didn't do the trick either, but I found out where the culprit lies. It lies in the Netflix Open Connect network;
https://www.theregister.co.uk/2016/06/22/boffins_map_netflixs_open_connect_cdn/
https://arxiv.org/abs/1606.05519v3
https://arxiv.org/pdf/1606.05519v3.pdf
https://openconnect.netflix.com/en/
http://oc.nflxvideo.net/docs/OpenConnect-Deployment-Guide.pdf
https://media.netflix.com/en/compan...e-globe-to-deliver-a-great-viewing-experience
Netflix provides video streaming appliances to local ISPs to provide a high-speed video streaming experience for the ISP's customers. These appliances have local ISP network IP addresses. On my laptop I started a Netflix session and with [Shift][Ctrl][Alt][D] I retrieved the DNS names of the Netflix Open Connect streaming appliances of my ISP (KPN); these were c016.rtm.001.kpn.isp.nflxvideo.net and c023.rtm001.kpn.isp.nflxvideo.net. With nslookup I resolved these to the IPv4 addresses 195.121.126.230 and 195.121.126.236, added these to the NETFLIX ipset and voila, Netflix was finally playing with the VPN tunnel enabled. Of course, the next time I played, another ISP Netflix Open Connect streaming appliance was used (c019.ams001.kpn.isp.nflxvideo.net), which was also a 195.121.126.x IP address, so I added 195.121.126.0/24 to the NETFLIX ipset and now Netflix is playing from all my devices without problems so far.
Conclusion: the script is fine, but one has to add the local IP addresses of the ISP's Netflix Open Connect streaming appliances. I can now finally protect my privacy with a router-based VPN and reroute Netflix outside the VPN tunnel.
# list domains for selective routing
for domain in \
"netflix.com" \
"ichnaea.netflix.com" \
"movies.netflix.com" \
"www.netflix.com" \
"nflxext.com" \
"cdn1.nflxext.com" \
"nflximg.com" \
"nflxvideo.net" \
"ipv4_1.cxl0.c145.sjc002.ix.nflxvideo.net" \
"amazonaws.com" \
"whatsmyip.org"
do
    # extract ip addresses
    for ip in $(nslookup $domain | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
        ipset add NETFLIX $ip
    done
done
Correct, every ISP uses its own Netflix Open Connect appliances. Of course some ISPs are just fronts for other ISPs; for example, the Dutch company Telfort is just a front for the Dutch ISP KPN, so Telfort uses the Netflix appliances of KPN. Once the IP addresses of these ISP streaming appliances are known, one can effectively reroute Netflix apart from the VPN thanks to your script.
Thanks @EduardS, excellent feedback! I have seen the nflxvideo.net domains posted on other forums. Sounds like they will differ by ISP provider.
Again a very helpful script addition. Thanks for all your continuing help and support!
You should be able to harvest the domain names over time. Once you collect them, place the domain names in a file and use the script in post #108 to add them to the ipset list.
Following is an alternative method to add the IPv4 addresses to the NETFLIX ipset list. But I prefer the post #108 method. It does return an error message if nslookup returns an IPv6 address, but this does not cause the collection of IPv4 addresses to fail. Some additional coding would be required to capture the IPv6 error and send the message to /dev/null.
# list domains for selective routing
for domain in \
"netflix.com" \
"ichnaea.netflix.com" \
"movies.netflix.com" \
"www.netflix.com" \
"nflxext.com" \
"cdn1.nflxext.com" \
"nflximg.com" \
"nflxvideo.net" \
"ipv4_1.cxl0.c145.sjc002.ix.nflxvideo.net" \
"amazonaws.com" \
"whatsmyip.org"
do
    # extract ip addresses
    for ip in $(nslookup $domain | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
        ipset add NETFLIX $ip
    done
done
I will look at the sed/ipinfo.io syntax again in case something changed.
I used v3.3 but there was an issue with the sed portion. I had to change it to sed 's/^.*<a href="\/AS2906\///; s/" >//' in order to get the IPs from ipinfo.io.
Any suggestions on why the original sed would not work for me?
The IPs got populated in the IPSET but netflix still would not work. I then tried harvesting the domain names (I used PIHole) but I still had no luck when adding them using the code in post #111.
ipset add NETFLIX 108.10.151.39
#Pull CBS Domain Names and route to OVPNC2
for DNS in $(awk '{ print $1 }' /jffs/scripts/CBS_Domains)
do
iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000/0x2000
done
ip route flush cache
#!/bin/sh
# VPNFlix By Adamm - 5/5/18
# Route Netflix Traffic Through VPN Client1
Check_Lock () {
if [ -f "/tmp/vpnflix.lock" ] && [ -d "/proc/$(sed -n '2p' /tmp/vpnflix.lock)" ] && [ "$(sed -n '2p' /tmp/vpnflix.lock)" != "$$" ] ; then
logger -st Netflix "[INFO] Lock File Detected ($(sed -n '1p' /tmp/vpnflix.lock)) (pid=$(sed -n '2p' /tmp/vpnflix.lock)) - Exiting (cpid=$$)"
echo
exit 1
else
echo "$@" > /tmp/vpnflix.lock
echo "$$" >> /tmp/vpnflix.lock
fi
}
case "$1" in
start)
Check_Lock "$@"
if [ -d "/opt/bin" ] && [ ! -f "/opt/bin/vpnflix" ]; then
ln -s /jffs/scripts/vpnflix.sh /opt/bin/vpnflix
fi
if [ -f "/jffs/scripts/netflix.ipset" ]; then ipset restore -! -f "/jffs/scripts/netflix.ipset"; else ipset create NETFLIX hash:net; fi
ip rule del fwmark 0x7000/0x7000
ip rule add fwmark 0x7000/0x7000 table 254 prio 9990
ip rule del fwmark 0x1000/0x7000
ip rule add fwmark 0x1000/0x7000 table 111 prio 9991
iptables -D PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark 0x1000/0x1000
iptables -A PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark 0x1000/0x1000
sed -i '\~#VPNFlix~d' /jffs/configs/dnsmasq.conf.add
echo "ipset=/netflix.com/nflxvideo.net/nflxso.net/nflxext.com/nflximg.net/NETFLIX #VPNFlix" >> /jffs/configs/dnsmasq.conf.add
chmod +x /jffs/configs/dnsmasq.conf.add
cru d Netflix_save
cru a Netflix_save "30 * * * * sh /jffs/scripts/vpnflix.sh save"
;;
save)
Check_Lock "$@"
echo "Saving Netflix Server List..."
if ipset -L -n NETFLIX >/dev/null 2>&1; then ipset save NETFLIX > "/jffs/scripts/netflix.ipset"; fi
echo "Complete! - $(wc -l < /jffs/scripts/netflix.ipset) Entries Total"
;;
disable)
Check_Lock "$@"
echo "Disabling Netflix Policy Routing..."
ip rule del fwmark 0x7000/0x7000
ip rule del fwmark 0x1000/0x7000
iptables -D PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark 0x1000/0x1000
if ipset -L -n NETFLIX >/dev/null 2>&1; then ipset save NETFLIX > "/jffs/scripts/netflix.ipset"; fi
ipset destroy NETFLIX
echo "Complete!"
;;
*)
echo "Command Not Recognized, Please Try Again"
echo "Accepted Commands Are; (sh $0 [start|save|disable])"
echo; exit 2
;;
esac
if [ -f "/tmp/vpnflix.lock" ] && [ "$$" = "$(sed -n '2p' /tmp/vpnflix.lock)" ]; then rm -rf "/tmp/vpnflix.lock"; fi
ipset=/netflix.com/nflxvideo.net/nflxso.net/nflxext.com/nflximg.net/NETFLIX
-A PREROUTING -i tun11 -j MARK --set-xmark 0x1/0x7
@Xentrk
So I decided to dabble in selective routing, but in the opposite direction than posted about here. I want only my Netflix traffic to flow through my Astrill VPN, not vice versa (I'm surprised how limited the information was compared to having Netflix WAN only). I'm not exactly familiar with the ip binary or packet marking, but from the posts I read on the topic I was able to put something together (pointing out any mistakes would be appreciated!).
#!/bin/sh
sh /jffs/scripts/VPN_Routing.sh
sh /jffs/scripts/netflix.sh
sh /jffs/scripts/cbs.sh
sh /jffs/scripts/bbc.sh
#!/bin/sh
####################################################################################################
# Script Name: VPN_Routing.sh
# Written By: Xentrk
# Version 4.0
#
# Grateful:
# Thank you to @Martineau on snbforums.com for sharing his Selective Routing expertise
# and on-going support!
#
# Description:
# Selective Routing Script for LAN Clients using Asus-MerlinWRT firmware.
# Specify the LAN Clients that will use each OpenVPN Client interface in a single file rather
# than the Web GUI page for each OpenVPN Client. See (2) Pre-Staging below for instructions.
#
# Instructions:
# (1) place the line:
# sh /jffs/scripts/VPN_Routing.sh
# inside of /jffs/scripts/nat-start so the script will run automatically at boot.
# Place other selective routing scripts in nat-start after the entry above.
#
# (2) Pre-Staging;
# (a) You must define static-ip address to your lan clients on the DHCP Server page.
# Run the script get_lan_clients.sh to create the initial /jffs/configs/lan_clients configuration
# file. The next step is to assign the iface to each lan client by editing the first column in the
# /jffs/configs/lan_clients file as follows: 0=WAN, 1=OVPNC1, 2=OVPNC2, 3=OVPNC3, 4=OVPNC4, 5=OVPNC5.
# Optionally, you can delete any DHCP clients defined to use the WAN as these will be ignored by the script.
# DHCP
# clients not defined to use a VPN Client will automatically default to the WAN.
# (b) get_lan_clients.sh will create a backup of the /jffs/configs/lan_clients file if one exists. This provides the
# ability to restore a previous version if necessary. If you do create a new version
# of a /jffs/configs/lan_clients file, run /jffs/scripts/purge_lan_clients_sr.sh to purge the old
# routing rules before running VPN_Routing.sh or you may get unexpected results! You have been warned.
#
####################################################################################################
logger -t "($(basename $0))" $$ Starting..." $0${*:+ $*}."
# Uncomment the line below for debugging
#set -x
# Prevent script from running concurrently when called from nat-start
PROGNAME=$(basename "$0")
LOCKFILE_DIR=/tmp
LOCK_FD=200
lock() {
local prefix=$1
local fd=${2:-$LOCK_FD}
local lock_file=$LOCKFILE_DIR/$prefix.lock
# create lock file
eval "exec $fd>$lock_file"
# acquire the lock
flock -n $fd \
&& return 0 \
|| return 1
}
eexit() {
local error_str="$@"
echo $error_str
exit 1
}
main() {
lock $PROGNAME \
|| eexit "Only one instance of $PROGNAME can run at one time."
# check if the /jffs/configs/lan_clients file exists. Exit the script if it does not.
if [ ! -f /jffs/configs/lan_clients ]
then
logger -t "($(basename $0))" $$ Warning: required file /jffs/configs/lan_clients does not exist. Exiting script..." $0${*:+ $*}."
exit
fi
# WAN
ip rule del fwmark 0x7000/0x7000
ip rule add fwmark 0x7000/0x7000 table 254 prio 4000
# Any special overrides for WAN traffic go here. Start with prio 4001 and increment by 1
#ip rule del from 192.168.1.152 table 254
#ip rule add from 192.168.1.152 table 254 prio 4001
# Any special overrides for OVPNC1 traffic go here. Start with prio 4101 and increment by 1
#ip rule del from 192.168.1.152 table 100
#ip rule add from 192.168.1.152 table 100 prior 4101
# Any special overrides for OVPNC2 traffic go here. Start with prio 4201 and increment by 1
# Route whatismypublicip.com to OVPNC2 no matter the iface connected to
ip rule del to 108.160.151.39 table 112
ip rule add to 108.160.151.39 table 112 prio 4201
# Any special overrides for OVPNC3 traffic go here. Start with prio 4301 and increment by 1
# Any special overrides for OVPNC4 traffic go here. Start with prio 4401 and increment by 1
# Any special overrides for OVPNC5 traffic go here. Start with prio 4501 and increment by 1
# Perform routing for lan clients specified in /jffs/configs/lan_clients
old_IFS="$IFS"
IFS=" "
file="/jffs/configs/lan_clients"
while IFS=" " read -r f1 f2
do
case "$f1" in
1) echo "$f2" >> /tmp/ovpnc1.$$ ;;
2) echo "$f2" >> /tmp/ovpnc2.$$ ;;
3) echo "$f2" >> /tmp/ovpnc3.$$ ;;
4) echo "$f2" >> /tmp/ovpnc4.$$ ;;
5) echo "$f2" >> /tmp/ovpnc5.$$ ;;
*) echo "Unexpected value ignored" ;;
esac
# Uncomment the lines below for debugging
#printf 'iface: %s ip: %s desc: %s\n' "$f1" "$f2" "$f3"
#echo "$line"
done < "$file"
IFS=$old_IFS
# route OVPNC1 clients
if [ -f /tmp/ovpnc1.$$ ]
then
count=5100
for ip in $(awk '{ print $1 }' /tmp/ovpnc1.$$); do
ip rule del from $ip table 111 2> /dev/null > /dev/null
ip rule add from $ip table 111 prior $count
count=`expr $count + 1`
done
unset ip
fi
# route OVPNC2 clients
if [ -f /tmp/ovpnc2.$$ ]
then
count=5200
for ip in $(awk '{ print $1 }' /tmp/ovpnc2.$$); do
ip rule del from $ip table 112 2> /dev/null > /dev/null
ip rule add from $ip table 112 prior $count
count=`expr $count + 1`
done
unset ip
fi
# route OVPNC3 clients
if [ -f /tmp/ovpnc3.$$ ]
then
count=5300
for ip in $(awk '{ print $1 }' /tmp/ovpnc3.$$)
do
ip rule del from $ip table 113 2> /dev/null > /dev/null
ip rule add from $ip table 113 prior $count
count=`expr $count + 1`
done
unset ip
fi
# route OVPNC4 clients
if [ -f /tmp/ovpnc4.$$ ]
then
count=5400
for ip in $(awk '{ print $1 }' /tmp/ovpnc4.$$)
do
ip rule del from $ip table 114 2> /dev/null > /dev/null
ip rule add from $ip table 114 prior $count
count=`expr $count + 1`
done
unset ip
fi
# route OVPNC5 clients
if [ -f /tmp/ovpnc5.$$ ]
then
count=5500
for ip in $(awk '{ print $1 }' /tmp/ovpnc5.$$)
do
ip rule del from $ip table 115 2> /dev/null > /dev/null
ip rule add from $ip table 115 prior $count
count=`expr $count + 1`
done
unset ip
fi
# Remove temporary files
rm /tmp/ovpnc*.*
################################################################################################
# Optional Section
# Enable fwmarks for OpenVPN Clients to support selective routing by other scripts
################################################################################################
#VPN Client 1
ip rule del fwmark 0x1000/0x1000
ip rule add fwmark 0x1000/0x1000 table 111 prio 5001
#VPN Client 2
ip rule del fwmark 0x2000/0x2000
ip rule add fwmark 0x2000/0x2000 table 112 prio 5002
#VPN Client 3
ip rule del fwmark 0x3000/0x3000
ip rule add fwmark 0x3000/0x3000 table 113 prio 5003
#VPN Client 4
#ip rule del fwmark 0x4000/0x4000
#ip rule add fwmark 0x4000/0x4000 table 114 prio 5004
#VPN Client 5
#ip rule del fwmark 0x5000/0x5000
#ip rule add fwmark 0x5000/0x5000 table 115 prio 5005
ip route flush cache
# Default non VPN clients to the WAN iface
ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset add LAN_GW $(nvram get lan_ipaddr)
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
logger -t "($(basename $0))" $$ Ending..." $0${*:+ $*}."
}
main
#!/bin/sh
####################################################################################################
# Written By: Xentrk
# Version 2.0
#
# Description:
# Selective Routing Script Netflix
#
# Grateful:
# Thank you to @Martineau on snbforums.com for sharing his Selective Routing expertise
# and on-going support!
# 108.160.151.39
#
####################################################################################################
logger -t "($(basename $0))" $$ Starting netflix.sh..." $0${*:+ $*}."
# Uncomment the line below for debugging
#set -x
# Create IPSET lists
ipset create NETFLIX hash:net family inet hashsize 1024 maxelem 65536
#Pull all IPv4s listed for Netflix USA - AS2906
netsv4=`curl http://ipinfo.io/AS2906 2>/dev/null | grep -E "a href.*2906\/" | grep -v ":" |sed 's/^.*\">//; s/<.*//; /^\s*$/d'`
for net in $netsv4
do
ipset add NETFLIX $net
done
unset netsv4
#Pull all IPv4s listed for Amazon AWS - AS16509
netsv4=`curl http://ipinfo.io/AS16509 2>/dev/null | grep -E "a href.*16509\/" | grep -v ":" | sed 's/^.*\">//; s/<.*//; /^\s*$/d'`
for net in $netsv4
do
ipset add NETFLIX $net
done
unset netsv4
# VPN Client 1
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set NETFLIX dst,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set NETFLIX dst,dst -j MARK --set-mark 0x1000/0x1000
logger -t "($(basename $0))" $$ Ending netflix.sh..." $0${*:+ $*}."
#!/bin/sh
####################################################################################################
# Written By: Xentrk
# Version 2.0
#
# Description:
# Selective Routing Script for CBS
#
# Grateful:
# Thank you to @Martineau on snbforums.com for sharing his Selective Routing expertise
# and on-going support!
####################################################################################################
logger -t "($(basename $0))" $$ Starting cbs.sh..." $0${*:+ $*}."
# Uncomment the line below for debugging
#set -x
#Pull CBS Domain Names and route to OVPNC2
for DNS in $(awk '{ print $1 }' /jffs/scripts/CBS_Domains)
do
iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000/0x2000
done
ip route flush cache
logger -t "($(basename $0))" $$ Ending cbs.sh..." $0${*:+ $*}."
#!/bin/sh
####################################################################################################
# Written By: Xentrk
# Version 2.0
#
# Description:
# Selective Routing Script for BBC
#
# Grateful:
# Thank you to @Martineau on snbforums.com for sharing his Selective Routing expertise
# and on-going support!
####################################################################################################
logger -t "($(basename $0))" $$ Starting bbc.sh..." $0${*:+ $*}."
# Uncomment the line below for debugging
#set -x
# Create IPSET lists
ipset create IPLAYER hash:net family inet hashsize 1024 maxelem 65536
#Pull all IPv4s listed for BBC - AS2818
netsv4=`curl https://ipinfo.io/AS2818 2>/dev/null | grep -E "a href.*2818\/" | grep -v ":" |sed 's/^.*\">//; s/<.*//; /^\s*$/d'`
for net in $netsv4
do
ipset add IPLAYER $net
done
unset netsv4
#Pull all IPv4s listed for BBC - AS31459
netsv4=`curl https://ipinfo.io/AS31459 2>/dev/null | grep -E "a href.*31459\/" | grep -v ":" |sed 's/^.*\">//; s/<.*//; /^\s*$/d'`
for net in $netsv4
do
ipset add IPLAYER $net
done
unset netsv4
#Pull all IPv4s listed for BBC - AS54113
#netsv4=`curl https://ipinfo.io/AS54113 2>/dev/null | grep -E "a href.*54113\/" | grep -v ":" |sed 's/^.*\">//; s/<.*//; /^\s*$/d'`
#for net in $netsv4
#do
# ipset add IPLAYER $net
#done
#unset netsv4
#========================================================================================
# Route BBC Player to VPN Client 3
for DNS in $(awk '{ print $1 }' /jffs/scripts/BBCpfsense); do
iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x3000/0x3000
iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x3000/0x3000
done
#========================================================================================
# VPN Client 3
iptables -t mangle -D PREROUTING -m set --match-set IPLAYER dst,dst -j MARK --set-mark 0x3000/0x3000
iptables -t mangle -A PREROUTING -m set --match-set IPLAYER dst,dst -j MARK --set-mark 0x3000/0x3000
logger -t "($(basename $0))" $$ Ending bbc.sh..." $0${*:+ $*}."
Hi @Adamm, Welcome to the world of Selective Routing. Like you, I prefer to route my Netflix traffic thru one of my OpenVPN tunnels rather than the WAN iface. User testing of the script to route Netflix traffic thru the WAN using the ASN for Amazon AWS and Netflix exposed some information. An unexpected outcome is Amazon and Amazon Prime traffic will also get routed to the WAN. In my use case, I route both to the the same VPN tunnel. @EduardS discovered the Netflix Open Connect domains which using the ASN method does not address. So doing the old fashion method of mining the log file for domains appears to be the best option. Or using the ipset method to collect the domains as you are using. I have experimented with that method previously and wrote some test scripts to help in my learning. They are posted somewhere in this thread.
There are some comments in the thread from @Martineau explaining why the Selective Routing code in the Wiki, which your code appears to use, is flawed. See this post for more information on the reason. This code uses the recommended method.
What I am going to share with you is the next iteration of the VPN_Routing.sh script I last worked on. I still have some work to do. It can replace the selective routing functionality of the Web GUI, or the two can coexist. I am using prio numbers that do not conflict with AsusWrt-Merlin. The first part of the script assigns the LAN clients to the WAN or the appropriate VPN interface. You may not require this part of the code. There is another script I will need to send you to automate creation of rules for LAN clients if you want to use this. The latter portion sets up the fwmarks for each OpenVPN client that are used by the separate scripts I created for each streaming media service. Easier to manage that way. So, nat-start looks like:
ip rule add fwmark 0x7000 table 254 prio 9990
ip rule add fwmark 0x1000 table 111 prio 9991
iptables -A PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark 0x1000/0x1000
awk '{print "add NETFLIX " $1}'
Correct. But, you should also apply a mask when you set the ip rules:
Thanks for pointing me in the right direction, so going by the linked post my rules should look something like this instead?
ip rule add fwmark 0x7000 table 254 prio 9990
ip rule add fwmark 0x1000 table 111 prio 9991
iptables -A PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark 0x1000/0x1000
I think I'm slowly starting to wrap my head around it. I assume any packets marked 0x1000 are sent to client 1 and 0x7000 to WAN, correct? Still no clue what the table and prio values are for.
ip rule add fwmark 0x7000/0x7000 table 254 prio 9970
cat /etc/iproute2/rt_tables
100 wan0
111 ovpnc1
112 ovpnc2
113 ovpnc3
114 ovpnc4
115 ovpnc5
200 wan1
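The mask question above, as an added example that is not code from the thread: it simulates the ip rule walk (lowest prio first) with fwmark value/mask matching, so the difference between 0x1000/0x7000 and a bare 0x1000 can be seen without a router. The rule sets and packet marks are constructed; the table names follow the rt_tables listing, and the low-bit mark comes from a MARK rule like the firmware's own xset 0x1/0x7 shown earlier.

```shell
#!/bin/sh
# Added example, not code from the thread: models how the kernel walks
# "ip rule" entries and why the /mask on fwmark rules matters.

# Constructed rule sets, one rule per line: "<prio> <fwmark> <mask> <table>".
# A mask of 0xffffffff stands for a rule written without "/mask", which the
# kernel treats as an exact match on the whole mark. The last line is the
# catch-all "from all lookup main" rule (mask 0 matches every mark).
RULES_MASKED='9990 0x7000 0x7000 main
9991 0x1000 0x7000 ovpnc1
32766 0x0 0x0 main'

RULES_UNMASKED='9990 0x7000 0xffffffff main
9991 0x1000 0xffffffff ovpnc1
32766 0x0 0x0 main'

# set_mark <current> <value> <mask>: what "MARK --set-mark value/mask" does
# to a packet already carrying <current>: (current & ~mask) | (value & mask).
# A bare "--set-mark value" is the same with mask 0xffffffff and clobbers
# bits that another MARK rule (e.g. "xset 0x1/0x7") already set.
set_mark() {
    printf '0x%x\n' $(( ($1 & ~$3) | ($2 & $3) ))
}

# lookup_table <rules> <mark>: print the table selected for <mark>, i.e. the
# first rule in prio order where (mark & mask) == fwmark.
lookup_table() {
    mark=$2
    printf '%s\n' "$1" | sort -n | while read -r prio fwmark mask table; do
        if [ $(( $mark & $mask )) -eq $(( $fwmark )) ]; then
            printf '%s\n' "$table"
            break
        fi
    done
}

# Stand-alone demo: a packet that already carries 0x1 and is then marked
# 0x1000/0x1000 by the Netflix rule ends up as 0x1001. Only the masked ip
# rules still steer it to ovpnc1; the unmasked ones let it fall through to
# main, i.e. out the WAN default route, which is the leak the mask prevents.
demo() {
    m=$(set_mark 0x1 0x1000 0x1000)
    printf 'mark %s: masked rules -> %s, unmasked rules -> %s\n' "$m" \
        "$(lookup_table "$RULES_MASKED" "$m")" \
        "$(lookup_table "$RULES_UNMASKED" "$m")"
}
demo
```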
Love the suggestions for improvement. I'll incorporate those changes in the next version. Thanks for the tips.
In any case, thanks for the scripts to reference, made my life a bunch easier. May I suggest a few improvements;
For pulling ASN's use the following domain instead, they are plaintext and require no extra processing (besides converting spaces to newlines) - http://asn.blawk.net/2906
"ipset add" in a for loop is slow and inefficient, I suggest using a similar method as I do in Skynet via the restore console. You can add/remove hundreds of thousands of entries in a fraction of a second using a single ipset process.
Print all your IP's to a list (or stdin), add the correct format via awk;
awk '{print "add NETFLIX " $1}'
Then pipe the output to ipset restore -!