Selective routing (Netflix, Amazon, etc)

ChrisULM

I have a VPN running on my router and would like to redirect some traffic to the WAN (Netflix, Amazon, etc). I understand that I can input ip addresses in the policy rules section of the "OpenVPN clients" page, but I'm curious if there's an alternative option that would allow me to enter "Netflix.com" rather than entering the many different ip addresses used by Netflix.

Is this possible?
 
When you try to connect to a web site, you're not connecting to only one IP address or only one domain. You can find all the IP addresses of popular services with a Google search, and you can add these with bigger subnets using x.x.x.x/20. Everyone knows each other by their IP addresses on the internet, not their domain names :)
 
I support a router for a family member who wants to have all of their clients use the WAN here in the land of smiles, but the Roku player needs to go through the VPN to access content in the USA (Amazon, Hula Hoops, Netfluckus, etc). Yes, there are still some VPN providers that work with major streaming services. I set OpenVPN to policy rules. I also have static IPs for all of the devices. I then define which devices go to the WAN and which ones to the VPN.

I saw a guy on dd-wrt who wrote a script that searched a web site for the IP addresses of the streaming services and scripted the entire thing. It was amazing. But I think these services change their IP addresses, which then breaks things. Here are the links:

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1014263#1014263

http://www.dd-wrt.com/phpBB2/viewto...start=30&sid=1fdb2bdd179b8d5fd9b014e48788c8cd

So, let's say you watch streaming media on a Roku or other device: you can get the MAC address, assign it a static IP, and route it to the WAN according to the policy rules on the OpenVPN page, thereby bypassing the VPN tunnel. See Yorgi's VPN setup guide in the VPN forum on how to configure it.
 
I think those dd-wrt forum posts are in line with what I'm after. I don't wish to split WAN and VPN by device. I'm looking to have everything on the network covered by the VPN except for when I attempt to access specific websites.

Is there a way to import the very long list of Netflix associated IP addresses into a policy rule that would exclude them from using the VPN (opening Netflix up to WAN)?
 
I believe you would put the rules in the firewall-start file. You can read more here:

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

You need to enable SSH access on your router; use LAN access only. I use MobaXterm for SSH and SFTP access to my router. It has an editor built in. WinSCP is another one, but I have not used it. There was another thread where a person wrote a script to capture all of the IP addresses from a web site. I will look for it tomorrow as it is getting late in my time zone now.
 
Try this solution here:
http://www.snbforums.com/threads/policy-rules-or-selective-routing-question.31326/

You need to use policy-based routing in the VPN client, then enter each line as Yorgi lists in his post. If it works with Netfluckus, then hunt down the Hula Hoops IPs and try.

0.0.0.0 107.20.177.0/24 WAN
0.0.0.0 107.20.154.0/24 WAN
0.0.0.0 174.129.2.0/24 WAN
0.0.0.0 75.101.139.0/24 WAN
0.0.0.0 54.243.253.0/24 WAN
0.0.0.0 50.19.210.0/24 WAN
0.0.0.0 23.23.191.0/24 WAN
0.0.0.0 54.204.2.0/24 WAN
0.0.0.0 54.204.43.0/24 WAN
0.0.0.0 54.225.192.0/24 WAN
0.0.0.0 23.21.190.0/24 WAN
0.0.0.0 107.20.151.0/24 WAN
 
Hello. Related to this, I'd like to route all calls to the BBC iPlayer through the VPN. I've looked up the BBC block, which appears to be:

212.58.224.0/19

And have thus configured source: 0.0.0.0 Destination: 212.58.224.0/19 -> VPN.

However, the iPlayer still refuses to work. It works when all traffic is routed this way.

Any thoughts?
 
https://www.snbforums.com/threads/bbc-iplayer-vpn-policy-based-routing.29403/

I thought BBC blocks VPNs? But I am sure some services can get around it.

Instead of trying to keep up with the IP address blocks, you can also try the method I implemented here, which uses the dnsmasq log to see what domain names the streaming media service is referencing and a script to route that traffic accordingly.

https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-28#post-339141
 
Thanks! The BBC does try and block VPNs but some are ok. I'm using NordVPN, which seems to work, but can be slow from over here in Ecuador. I'll have a look and feedback.
 
Hi Xentrk:

I'm trying to follow your other post, but am struggling!

I've enabled (as far as I can tell) dnsmasq logging (following this: https://www.snbforums.com/threads/how-can-i-log-dns-querries.11608/), but can't find the log file. Perhaps I'm doing something silly?

I have the ad-blocking solution installed written by @thelonelycoder. It has an option to follow the log file where you can watch the domain names as they are being called. It places the log files in the /tmp/mnt/absolution/adblocking/logs/ directory. I did a tail -f dnsmasq.log and piped the output to a file when I was doing it. This allowed me to import the file into Excel, and I was able to sort and clean it up for my purposes.

See this post by @thelonelycoder; it appears you will need to specify the log file location in dnsmasq.conf.add and issue a restart for it to start working:
https://www.snbforums.com/threads/problems-with-dnsmasq-conf-add.23875/#post-177520
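As an added example of the log-mining approach Xentrk describes in the two posts above (this is not Xentrk's script nor code from the thread): a small POSIX sh script that reads a dnsmasq query log, keeps the IPv4 answers for names under the streaming service's domains, and prints the RPDB rules that would send those destinations to the WAN (table main, the same form the thread uses). The log lines, the host names and the RFC 5737 addresses are constructed for illustration; the starting priority 9900 is an assumption (it only needs to sit below the priorities the GUI policy rules use). It assumes dnsmasq was started with log-queries, so each answer appears as a "reply NAME is ADDRESS" line; CNAME placeholders and IPv6 answers are skipped.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xentrk's script.
# Mines a dnsmasq query log (dnsmasq started with "log-queries") for the
# addresses a streaming service actually resolves to, then prints the RPDB
# rules that would send those destinations out the WAN instead of the tunnel.
# Constructed sample log: host names and RFC 5737 addresses are illustrative.
SAMPLE_LOG='Sep  6 12:06:57 dnsmasq[1234]: query[A] ipv4-c001-ix.1.oca.nflxvideo.net from 192.168.1.10
Sep  6 12:06:57 dnsmasq[1234]: forwarded ipv4-c001-ix.1.oca.nflxvideo.net to 203.0.113.53
Sep  6 12:06:57 dnsmasq[1234]: reply ipv4-c001-ix.1.oca.nflxvideo.net is 198.51.100.7
Sep  6 12:06:58 dnsmasq[1234]: query[A] www.netflix.com from 192.168.1.10
Sep  6 12:06:58 dnsmasq[1234]: reply www.netflix.com is <CNAME>
Sep  6 12:06:58 dnsmasq[1234]: reply cdn-1.netflix.com is 198.51.100.9
Sep  6 12:06:58 dnsmasq[1234]: reply cdn-1.netflix.com is 198.51.100.7
Sep  6 12:06:59 dnsmasq[1234]: query[A] www.example.org from 192.168.1.11
Sep  6 12:06:59 dnsmasq[1234]: reply www.example.org is 192.0.2.10
Sep  6 12:07:00 dnsmasq[1234]: query[AAAA] cdn-1.netflix.com from 192.168.1.10
Sep  6 12:07:00 dnsmasq[1234]: reply cdn-1.netflix.com is 2001:db8::9'

# extract_ips SUFFIX...: read a dnsmasq log on stdin and print each unique
# IPv4 address answered for a name equal to, or under, one of the domain
# suffixes given as arguments. "<CNAME>" placeholders and IPv6 answers are
# skipped, and the result is sorted so it diffs cleanly between runs.
extract_ips() {
    awk -v suffixes="$*" '
    BEGIN { n = split(suffixes, s, " ") }
    NF >= 8 && $5 == "reply" {
        name = $(NF-2); ip = $NF
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        for (i = 1; i <= n; i++) {
            if (name == s[i] || substr(name, length(name) - length(s[i])) == "." s[i]) {
                if (!seen[ip]++) print ip
                break
            }
        }
    }' | sort
}

# emit_wan_rules PRIO: turn the IP list on stdin into the "ip rule" commands
# that steer those destinations to the main (WAN) table, one priority each
# starting at PRIO, followed by the cache flush the thread's scripts end with.
# Printed rather than executed so the result can be reviewed; pipe into sh
# (or into firewall-start / vpnclientN-route-up) to apply it on the router.
emit_wan_rules() {
    prio=$1
    while read -r ip; do
        echo "ip rule add to $ip table main prio $prio"
        prio=$((prio + 1))
    done
    echo "ip route flush cache"
}

# Demo on the constructed log; on a router, replace the printf with
# something like: tail -n 5000 /tmp/mnt/absolution/adblocking/logs/dnsmasq.log
printf '%s\n' "$SAMPLE_LOG" | extract_ips nflxvideo.net netflix.com | emit_wan_rules 9900
```

Run against a real log the list will keep changing as the CDN rotates addresses, which is the weakness of any IP-based exclusion; re-running the script from cron and reinstalling the priority range wholesale is the simplest way to keep up.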
 
Hi all, just a follow up to the posts above.

I'm also recently having problems with BBC iPlayer over a router-based VPN connection.

My VPN provider gives configuration files for use with OpenVPN. When I use this from my PC (using the OpenVPN client, obviously), I can connect to the UK fine and view iPlayer.

When I use the SAME configuration file and details via my router, running Merlin, and set a route for ALL traffic from my PC to go via the tunnel, iPlayer recognises this and tells me I'm not in the UK.

BUT... when I go to whatismyip.com it shows my IP as being in the UK, and other UK TV providers also allow me to view their content.

So the question is: what is the difference connecting via VPN to the UK via the router and via an OpenVPN software client, using the same configuration?! I'm at a complete loss... Could it be DNS related? Any ideas, anyone?

Thanks.
 
Go to ipleak.net and dnsleak.com using your PC and again with your router to see if one of the connections is reporting DNS leaks.

Also, the selective routing thread is an interesting read if you have some time. I have a post in there with a script to route traffic over a specific VPN client based on the domain name referenced:
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-28#post-339141
 
Hi Xentrk and thanks for taking the time to respond.

I checked the different scenarios and, without getting into all the details, I can tell clearly that both methods use the same DNS servers (I did a tcpdump on the router each time). So the DNS lookups are the same, but still the problem persists of working via the OpenVPN client but not working when routing all traffic from the PC over the tunnel built via my router (connected to the same VPN server).

Next step - I'll take a look at the link you posted and will report back.
Thanks again.
 
Xentrk - your talk of checking for DNS leaks eventually led me to changing the DNS mode to Exclusive. And... it worked! So, thank you. BUT... this leads me to another problem where you may be able to help or point me in the right direction.

Requirement: From one client in my network I want to route some destination IPs to go via the VPN and other destinations to bypass the VPN and use the 'normal' WAN path. Unfortunately, one of these services insists on using the DNS server of my VPN provider. The others aren't fussy what they use.

With exclusive DNS mode enabled:

192.168.1.10 (my client) ---> destination 1.1.1.1 ---> use VPN
192.168.1.10 (my client) ---> destination 1.1.1.2 ---> use VPN

All works fine. BUT.... when I then set an additional policy like this, for the same client:

192.168.1.10 (my client) ---> destination 2.2.2.2 ---> use WAN
192.168.1.10 (my client) ---> destination 2.2.2.3 ---> use WAN

it breaks the connection to 1.1.1.1/2 above. Why? Because when adding a second set of policies going out of the WAN port, it stops the exclusive DNS usage :-( Extract from log:

<snip>
Sep 6 12:06:57 openvpn-updown: Forcing 192.168.1.10 to use DNS server 198.x.x.x <-- my VPN DNS Server
Sep 6 12:06:57 openvpn-updown: Excluding 192.168.1.10 from forced DNS routing <--- immediately removed when it reads the policy to send certain destinations out of the WAN port, thus killing my service that requires the VPN DNS.
<snip>

Question - would you know is there any way to avoid this disabling of the forced DNS routing in this scenario?

Thanks for any tips or pointers.
 
You will have to add the required selective routing RPDB WAN rules manually:

Issue:
Code:
ip rule add from 192.168.1.10 to 2.2.2.2  table main prio 9998
ip rule add from 192.168.1.10 to 2.2.2.3  table main prio 9999

To have these RPDB rules automatically added when the VPN client connection is established, install @john9527's /jffs/scripts/openvpn-event script:

https://www.snbforums.com/threads/f...lts-releases-v27e5.18914/page-240#post-294825

and create custom script (assuming you are using VPN Client 1):

/jffs/scripts/vpnclient1-route-up
Code:
#!/bin/sh
ip rule del prio 9998 2> /dev/null > /dev/null
ip rule del prio 9999 2> /dev/null > /dev/null

ip rule add from 192.168.1.10 to 2.2.2.2 table main prio 9998
ip rule add from 192.168.1.10 to 2.2.2.3 table main prio 9999

ip route flush cache
and, to be 'tidy', remove the rules when the VPN client connection is terminated, so create the custom script:

/jffs/scripts/vpnclient1-down
Code:
#!/bin/sh
ip rule del prio 9998 2> /dev/null > /dev/null
ip rule del prio 9999 2> /dev/null > /dev/null

ip route flush cache
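Added example, not Martineau's script nor code from the thread: the same route-up/down idea generalised to a rule table, so the WAN exclusions that must be kept out of the GUI (to avoid the "Excluding ... from forced DNS routing" behaviour logged above) are installed from one list, at one contiguous priority range, and torn down as a range. Assumptions: the priority base 9900 sits below whatever the GUI policy rules use; the table name ovpnc1 is what asuswrt-merlin registers for VPN Client 1 (check /etc/iproute2/rt_tables on your build); the file name pbr-rules.sh and the IP_CMD dry-run switch are mine. The rule set uses the placeholder addresses from the post above.

```shell
#!/bin/sh
# Added example (not Martineau's script). Installs/removes a set of RPDB
# selective-routing rules from a "SRC DST TARGET" table, using one priority
# per rule starting at BASE_PRIO, so the whole set can be cleared by range.
# TARGET is WAN (table main) or VPN (table ovpnc1, assumed to be the table
# asuswrt-merlin assigns to VPN Client 1; verify in /etc/iproute2/rt_tables).
# IP_CMD defaults to the real "ip" binary; set IP_CMD=echo to dry-run on a PC.
IP_CMD=${IP_CMD:-ip}
BASE_PRIO=9900   # assumption: below the priorities used by the GUI policy rules

# Rule set built from the placeholder addresses in the post above: one client,
# two destinations via the VPN, two via the WAN. Blank lines are ignored.
RULES='192.168.1.10 1.1.1.1 VPN
192.168.1.10 1.1.1.2 VPN
192.168.1.10 2.2.2.2 WAN
192.168.1.10 2.2.2.3 WAN'

# table_for TARGET: map the friendly target name to an RPDB table name.
table_for() {
    case "$1" in
        WAN) echo main ;;
        VPN) echo ovpnc1 ;;
        *)   echo "unknown target: $1" >&2; return 1 ;;
    esac
}

# rule_count: number of non-empty lines in RULES, i.e. the size of our range.
rule_count() { printf '%s\n' "$RULES" | grep -c . ; }

# clear_range: delete every priority we own; missing rules are not an error,
# which makes rules_up safe to re-run after a reconnect.
clear_range() {
    n=$(rule_count)
    i=0
    while [ "$i" -lt "$n" ]; do
        $IP_CMD rule del prio $((BASE_PRIO + i)) 2>/dev/null || true
        i=$((i + 1))
    done
}

# rules_up: clear the range, then add one rule per line of RULES in order.
# The here-doc (rather than a pipe) keeps the loop in the current shell so a
# bad target aborts the function instead of a subshell.
rules_up() {
    clear_range
    prio=$BASE_PRIO
    while read -r src dst target; do
        [ -z "$src" ] && continue
        tbl=$(table_for "$target") || return 1
        $IP_CMD rule add from "$src" to "$dst" table "$tbl" prio "$prio"
        prio=$((prio + 1))
    done <<EOF
$RULES
EOF
    $IP_CMD route flush cache
}

# rules_down: the "tidy" teardown for the vpnclient1-down hook.
rules_down() {
    clear_range
    $IP_CMD route flush cache
}

# Entry point: "sh pbr-rules.sh up" from vpnclient1-route-up and
# "sh pbr-rules.sh down" from vpnclient1-down (file name is an assumption).
case "${1:-}" in
    up)   rules_up ;;
    down) rules_down ;;
esac
```

Because the rules are installed by this script and not by the GUI, the openvpn-updown handler never sees a WAN policy for 192.168.1.10 and so does not drop it from forced DNS; the VPN lines could equally stay in the GUI, they are in the table here only to show the range handling. Run `IP_CMD=echo sh pbr-rules.sh up` first to see exactly what would be issued.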
 
I bow down to your jedi master vpn script routing mastery.

I need to start documenting your tips in a central location for future reference.
 
Just to add a note of interest regarding DNS. With policy rules, I have to use Accept DNS Configuration = Strict so the AB-Solution ad blocking works over the VPN tunnel. Otherwise, it only works for WAN traffic. In addition, I have to add the following dhcp-option DNS lines to Custom Configuration to avoid routing issues over the VPN tunnel. Without this, I was unable to get updates from the AB-Solution servers. These are the DNS servers for my VPN provider, TorGuard:

Code:
dhcp-option DNS 104.223.91.194
dhcp-option DNS 104.223.91.210

There was a recent discussion about this in the AB-Solution thread, and it has to do with the way Merlin implements OpenVPN and dnsmasq. John9527's fork does it a little differently.
 
Many thanks Martineau - I will take a look at this solution and report back!
 