Selective Routing with Asuswrt-Merlin

[Rappy]

The tuning part can take some time. For my routing, It would work most of the time. But sometimes, it would default back to another Openvpn tunnel. If I rebooted the Roku, that would fix it sometimes. I did some more mining and editing of the domain names before it was consistent. I would focus on using the domain names until you finish tuning it. Then, try the conversion to ip addresses.

For example, try removing domain names that don't have the iplayer or uk reference in them to see if that solves the problem with getting other streaming to work after you have finished watching iplayer:

guzzoni.apple.com
itunes.apple.com.edgekey.net
sylvan.apple.com

Or, try to see if the above domains are logged when navigating or watching other streaming media on the Apple TV. If you see them, then these are probably candidates for removal from selective routing and may fix your issue.

nat-start works for me. If you have to bounce a VPN client or do something other changes in the gui, then you may probably will need to rerun the script.

Hi Xentrk. I have tried to simplify my script since there wasn't really any need for the parts that showed errors consistently anyway, and only one ip was in OVPNC1

Here is my new script and it works fine, but with some issues that I will go into.
https://pastebin.com/raw/MGNdb4N0

Basically, when I load up the script it will only show about 107 lines when I test the iptables with "iptables -nvL PREROUTING --line -t mangle"
There are a few domains that return the no match/chain error. But if I run it again and again, it will eventually fill up to about 151 lines and then the script will work perfectly as all domains are covered.
What the heck could be causing this? Is it tripping over itself? Could there be a need for some delay in the script?

Also, I can't find the answer to when exactly the nat-start script is started. I thought it was only at bootup, but you seem to be saying it loads up when your VPN client connects or reconnects too.

Another also: Do you know how to wipe the iptables lines clean again without me toggling the firewall in the gui? That is slowing me down. Thanks.

 

[Xentrk]

Hi Xentrk. I have tried to simplify my script since there wasn't really any need for the parts that showed errors consistently anyway, and only one ip was in OVPNC1

Here is my new script and it works fine, but with some issues that I will go into.
https://pastebin.com/raw/MGNdb4N0

Basically, when I load up the script it will only show about 107 lines when I test the iptables with "iptables -nvL PREROUTING --line -t mangle"
There are a few domains that return the no match/chain error. But if I run it again and again, it will eventually fill up to about 151 lines and then the script will work perfectly as all domains are covered.
What the heck could be causing this? Is it tripping over itself? Could there be a need for some delay in the script?

Also, I can't find the answer to when exactly the nat-start script is started. I thought it was only at bootup, but you seem to be saying it loads up when your VPN client connects or reconnects too.

Another also: Do you know how to wipe the iptables lines clean again without me toggling the firewall in the gui? That is slowing me down. Thanks.

My suggestion to use nat-start was based on a recommendation I saw on the forum. However, I am having issues with nat-start myself. Today, I rebooted. When I did the ip rule command, I saw duplicate table entries.

I saw this in my log.

Aug  1 07:00:32 custom_script: Running /jffs/scripts/nat-start
Aug  1 07:00:32 start_nat_rules: apply the nat_rules(/tmp/nat_rules_ppp0_eth0)!
Aug  1 07:00:32 custom_script: Running /jffs/scripts/nat-start
Aug  1 07:00:32 (IPSET_VPN_Routing.sh): 1016 Starting IPSET_VPN_Routing.sh... /jffs/scripts/IPSET_VPN_Routing.sh.
Aug  1 07:00:32 (IPSET_VPN_Routing.sh): 1012 Starting IPSET_VPN_Routing.sh... /jffs/scripts/IPSET_VPN_Routing.sh.

I need to analyze why this is occurring.

I am thinking about putting it in services-start with a two or three minute sleep time to prevent it from executing too soon. It looks like the script ran before all of the openvpn clients were up and running which I dont want to happen.

Not sure about iptables question. Here is another status command you can try.

iptables --verbose -t mangle -nvL PREROUTING

The -L option lists all rules in the selected chain.

 

[Rappy]

In trying to simplify things more and more I have gone back to the original technique. I have taken the IP ranges that have data packets in the iptables status report, whenever the script is working and have entered them as IP ranges in the GUI policy rules. Much simpler and it works. The domain list and script doesn't fundamentally work unless repeated every few hours, because the IP's that it trawls from those domains changes morning noon and night depending. So you have to keep watching the status and then back checking what are the essential IPs. So far I have 17 rules that cover. I will gradually eliminate them until I only have the necessary ranges. Another plus is that you can use whatever protocol VPN config that you want.

 

[Rappy]

Yikes. As always with this, I spoke too soon. The ranges have changed AGAIN. I think this is going to be prohibitively difficult since it seems that iPlayer accesses Akamai CDN servers across such a broad range of IP's for different videos and at different times of the day that the only way to make this work is to send the entire Akamai network through the VPN tunnel. This would likely break other streaming apps however.

I have thought about another technique but not sure it would be possible. It would involve some kind of script that watched out for the opening of the iPlayer app (checking for access of iPlayer domains) and then switches on the VPN. However it would complicated how to then figure out when to turn off the VPN again.

 

[Rappy]

Alternatively, how would I set the routing script that uses the BBCdns list, to execute every hour (updating the list of IPs in the iptables)? I would need it to execute about 5 times consecutively and then wait an hour or so, then repeat. This repeated execution of the script seems to be the only thing that gets it working consistently.

 

[Xentrk]

Alternatively, how would I set the routing script that uses the BBCdns list, to execute every hour (updating the list of IPs in the iptables)? I would need it to execute about 5 times consecutively and then wait an hour or so, then repeat. This repeated execution of the script seems to be the only thing that gets it working consistently.

This is an example of adding a cronjob to a schedule. You can put the line in services-start so it creates the job at boot up time. The a after the cru is to append.

cru a IPSET_SAVE   "0 * * * * /jffs/scripts/IPSET_Block.sh save"    #Every hour

A cru -L will list the cron jobs.
https://github.com/RMerl/asuswrt-merlin/wiki/Scheduled-Reboot
https://github.com/RMerl/asuswrt-merlin/wiki/Scheduled-tasks-(cron-jobs)

I also had issues after awhile with my selective routing not working. Sometimes, I power cycle of the Roku would fix the issue. Or, rerunning the script. I did some more data mining and found a new domain name being called. Once I added that one in, it works most of the time. I do see signs of what I might call a stale connection or routing. And rerunning the script usually fixes it. So an hourly job might not hurt. But keep monitoring the domains some more as well.

 

[Rappy]

This is an example of adding a cronjob to a schedule. You can put the line in services-start so it creates the job at boot up time. The a after the cru is to append.

cru a IPSET_SAVE   "0 * * * * /jffs/scripts/IPSET_Block.sh save"    #Every hour

A cru -L will list the cron jobs.
https://github.com/RMerl/asuswrt-merlin/wiki/Scheduled-Reboot
https://github.com/RMerl/asuswrt-merlin/wiki/Scheduled-tasks-(cron-jobs)

I also had issues after awhile with my selective routing not working. Sometimes, I power cycle of the Roku would fix the issue. Or, rerunning the script. I did some more data mining and found a new domain name being called. Once I added that one in, it works most of the time. I do see signs of what I might call a stale connection or routing. And rerunning the script usually fixes it. So an hourly job might not hurt. But keep monitoring the domains some more as well.

Thanks.
Is there any harm in having this script execute every minute? The IP's from akamai seem to literally change on the fly.
For example, I just started up my new script which repeats the old script 5 times consecutively. It seemed to have found all the iptable rules it was going to find. So I started iPlayer but it still said you aren't in the UK. I ran the original script 1 more time and it seemed to find 10 more rules to add to iptables. Then it works. But with live broadcasts it stops mid stream as I think it cycles to a different server. So frustrating. I know this must be possible, since my VPN provider allows viewing iPlayer from any of their worldwide servers as they tunnel all iPlayer traffic through a specific node, no matter what countries servers you are using. So I know that it must be possible to find the exact list of IPs that only iPlayer uses. However it is proving to be ridiculously confusing.

I can't understand how when I do a manual scan of IP's for those BBCdns domains, it comes up with a very different list of IP ranges than what the PREROUTING script seems to add to iptables. And the fact that iptables seems to find new ones every time I run the script is bizarre, is it not?

There has to be a solution. I've got this far, I can't give up!!!

 

[Xentrk]

Thanks.
Is there any harm in having this script execute every minute? The IP's from akamai seem to literally change on the fly.
For example, I just started up my new script which repeats the old script 5 times consecutively. It seemed to have found all the iptable rules it was going to find. So I started iPlayer but it still said you aren't in the UK. I ran the original script 1 more time and it seemed to find 10 more rules to add to iptables. Then it works. But with live broadcasts it stops mid stream as I think it cycles to a different server. So frustrating. I know this must be possible, since my VPN provider allows viewing iPlayer from any of their worldwide servers as they tunnel all iPlayer traffic through a specific node, no matter what countries servers you are using. So I know that it must be possible to find the exact list of IPs that only iPlayer uses. However it is proving to be ridiculously confusing.

I can't understand how when I do a manual scan of IP's for those BBCdns domains, it comes up with a very different list of IP ranges than what the PREROUTING script seems to add to iptables. And the fact that iptables seems to find new ones every time I run the script is bizarre, is it not?

There has to be a solution. I've got this far, I can't give up!!!

You will have to test running the script with that frequency to understand impact. I've never had to do this so I can't speak to the impact.

If it was me, I would spend a day or two hitting iPlayer hard when you have the Apple TV routed to UK tunnel and tail the log file when you do. Then run the getdomainnames.sh script again just to see if you can capture all domains. I wonder if what your VPN provider is doing is causing the issue.

 

[Rappy]

You will have to test running the script with that frequency to understand impact. I've never had to do this so I can't speak to the impact.

If it was me, I would spend a day or two hitting iPlayer hard when you have the Apple TV routed to UK tunnel and tail the log file when you do. Then run the getdomainnames.sh script again just to see if you can capture all domains. I wonder if what your VPN provider is doing is causing the issue.

I have been tailing the iPlayer for a while now and something is apparent. Almost all the domains stay constant, however there is one CDN server who constantly produces new domains. If I start tailing the AppleTV log again it will always throw up new versions of these domains (Here is an example of 7 of them):

bbcfmt-ic-5896f100-0b8129-vodhlsuklive.s.loris.llnwd.net
bbcfmt-ic-5896f100-071d05-vodhlsuklive.s.loris.llnwd.net
bbcfmt-ic-5896f100-07dd83-vodhlsuklive.s.loris.llnwd.net
bbcfmt-ic-5896f100-090aa9-vodhlsuklive.s.loris.llnwd.net
bbcfmt-ic-5896f100-0e21bb-vodhlsuklive.s.loris.llnwd.net
bbcfmt-ic-5896f100-0fb20b-vodhlsuklive.s.loris.llnwd.net
bbcfmt-ic-5896f100-1353c2-vodhlsuklive.s.loris.llnwd.net

As you can see the only bit that changes is the 6 hex digits.
My question is, how do I put a general catchall term in for these domains? Could I somehow have anything with the bbcfmt-ic bit? or would I have to do it like a *.llnwd.net?

This is just the domainchecking though. There are a whole bunch of akamai IPs that change dynamically during the second part. But gotta sort this out first as you said.

 

[Rappy]

Do any other VPN wizards visit this site? It seems like you are the only one here or at least the only one who wants to help.

 

[Xentrk]

I have been tailing the iPlayer for a while now and something is apparent. Almost all the domains stay constant, however there is one CDN server who constantly produces new domains. If I start tailing the AppleTV log again it will always throw up new versions of these domains (Here is an example of 7 of them):

bbcfmt-ic-5896f100-0b8129-vodhlsuklive.s.loris.llnwd.net
bbcfmt-ic-5896f100-071d05-vodhlsuklive.s.loris.llnwd.net
bbcfmt-ic-5896f100-07dd83-vodhlsuklive.s.loris.llnwd.net
bbcfmt-ic-5896f100-090aa9-vodhlsuklive.s.loris.llnwd.net
bbcfmt-ic-5896f100-0e21bb-vodhlsuklive.s.loris.llnwd.net
bbcfmt-ic-5896f100-0fb20b-vodhlsuklive.s.loris.llnwd.net
bbcfmt-ic-5896f100-1353c2-vodhlsuklive.s.loris.llnwd.net

As you can see the only bit that changes is the 6 hex digits.
My question is, how do I put a general catchall term in for these domains? Could I somehow have anything with the bbcfmt-ic bit? or would I have to do it like a *.llnwd.net?

This is just the domainchecking though. There are a whole bunch of akamai IPs that change dynamically during the second part. But gotta sort this out first as you said.

Perhaps you can do nslookup on the domains and see if you can spot a pattern with the ip addresses. If so, you can use CIDR notation to address this issue. I did the first three and see a pattern with the second and third in that they both start with 68.142.105.

nslookup bbcfmt-ic-5896f100-071d05-vodhlsuklive.s.loris.llnwd.net
Server:  UnKnown
Address:  fe80::e695:6eff:fe42:448

Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    bbcfmt-ic-5896f100-071d05-vodhlsuklive.s.loris.llnwd.net
Address:  68.142.105.34


nslookup bbcfmt-ic-5896f100-07dd83-vodhlsuklive.s.loris.llnwd.net
Server:  UnKnown
Address:  fe80::e695:6eff:fe42:448

Non-authoritative answer:
Name:    bbcfmt-ic-5896f100-07dd83-vodhlsuklive.s.loris.llnwd.net
Address:  68.142.105.22

One of the earlier script examples mined the ip addresses of the domains and determined the CIDR range to use. Then, put the values in an ipset. Perhaps you can do this with the domains that you have captured so far. And keep your fingers crossed that you mined enough to get the IP addresses and subnets to solve the issue!

 

[Xentrk]

Do any other VPN wizards visit this site? It seems like you are the only one here or at least the only one who wants to help.

I wondered that too. I know they are around. Probably lurking.

 

[Xentrk]

@Rappy
Another forum member posted some more BBC domains. I think they are in the UK. I will try on my end with kodi to see if I can get that to work. The iPlayer website selective routing has been working great. See this post for the list:

https://www.snbforums.com/threads/a...ing-solution-v3-9-2.37511/page-88#post-356712

The domains with an asterik are domains I already had identified. The domains with no asterik are new ones.

I block sb.scorecardresearch.com since it serves up advertisements!

Spoiler: bbc domains

bbc01.sitestat.com
*cd-megavolt.90fe2324ce3eb149.xhst.bbci.co.uk
*e3891.dscf.akamaiedge.net
edigitalsurvey.com
*ichef.bbci.co.uk
*iplayer-web.files.bbci.co.uk
*mvt.api.bbc.com
*mybbc.files.bbci.co.uk
*nav.files.bbci.co.uk
*polling.bbc.co.uk
*sa.bbc.co.uk
*sb.scorecardresearch.com
*search.files.bbci.co.uk
*ssl.bbc.co.uk
*ssl.bbc.net.uk
static.bbc.co.uk
static.bbci.co.uk

 

[DrakeRGS]

Hello guys!

I tried a lot of different options that was posted here without success, and believe me, I really tried.

I want a simple script to set only torrent range ports to use VPN, someone can help me? I have the latest asus-merlin firmware in my Asus AC66U B1.

The thing is that I don't want to specify a machine/IP, but if it's the only way then I want to set the router.

Thanks

 

[Martineau]

I want a simple script to set only torrent range ports to use VPN, someone can help me? I have the latest asus-merlin firmware in my Asus AC66U B1.

The thing is that I don't want to specify a machine/IP, but if it's the only way then I want to set the route

I wrote this script to Selectively route ports via the VPN (usually) from a specific device but I have tweaked the script to meet your requirement.

Whilst I have not used Torrenting, if you are willing to be a beta tester, you may try to see if my 'simple' script achieves your requirements.

./VPN_PortSelect.sh -h

#======================================================================================================= © 2016-2017 Martineau, v01.01
# Selective PORT routing to VPN (will use VPN DNS if VPN Client is in DNS 'Exclusive' mode)
#                        or WAN if say a NAS is forced out via the VPN
#
#   e.g.   VPN_PortSelect   [status|status full] | [help|-h] |
#                           { 0 | 1 | 2 | 3 | 4 | 5 | 9} { IP_Address_list | host_name_list | all | mac_address} { [!]port1[,port2] [logfwmark]} [src|dst] [del|test|nodns]
#
#          VPN_PortSelect   2 hp-envy14 80,443
#                           Ports 80 and 443 for the HP-Envy14 device will be routed via VPN Client 2 and HP-Envy14 device will now use VPN DNS
#                           Check using https://ipleak.net/ or http://whatismyipaddress.com/ or issue 'curl "http://ipecho.net/plain";echo'
#          VPN_PortSelect   2 hp-envy14 80,443 del
#                           Ports 80 and 443 for the HP-Envy14 device will be no longer be routed via VPN Client 2
#          VPN_PortSelect   2 hp-envy14 80,443 nodns
#                           Ports 80 and 443 for the HP-Envy14 device will be routed via VPN Client 2 and HP-Envy14 device will continue to use WAN DNS
#          VPN_PortSelect   1 12:34:de:ad 80,443
#                           Ports 80 and 443 for the device with MAC address 12:34:de:ad will be routed via VPN Client 1
#          VPN_PortSelect   1 12:34:de:ad 80,443 logfwmark
#                           Ports 80 and 443 for the device with MAC address 12:34:de:ad will be routed via VPN Client 1 and iptable LOG messages sent to Syslog
#          VPN_PortSelect   2 hp-envy13,hpenvy14 !80,443
#                           ALL Ports except ports 80 and 443 for both the HP-Envy13 and HP-Envy14 devices will be routed via VPN Client 2
#          VPN_PortSelect   2 10.88.8.66 22,9001:9005
#                           Ports 22 and 9001 thru 9005 for the 10.88.8.66 device will be routed via VPN Client 2
#          VPN_PortSelect   0 all 80,443
#                           Ports 80 and 443 for all devices will be routed via WAN
#                           (Assumes that ALL traffic is via the VPN!!!)
#          VPN_PortSelect   0 all 5000,5001 src
#                           Ports 5000 and 5001 will be routed IN via WAN assuming Port Forwarding is also configured!
#                           (Assumes that ALL outbound traffic from the NAS is via the VPN!!!)
#          VPN_PortSelect   1 cameras 80,8080
#                           Ports 80 and 8080 for the 'cameras' device group will be routed via VPN Client 1
#                           (Assumes /jffs/configs/IPGroups exists with valid pair entry - Uppercase text!)
#                                    e.g. CAMERAS  10.88.8.11:10.88.8.13
#                                         or
#                                         PHONES   10.88.8.156,10.88.8.172
#
#

 

[DrakeRGS]

I wrote this script to Selectively route ports via the VPN (usually) from a specific device.

Whilst I have not used Torrenting, if you are willing to be a beta tester, you may try to see if my 'simple' script achieves your requirements.

That is awesome! And of course doesn't look like 'simple'.

I'll try later today and let you know the results.

Thank you!

 

[DrakeRGS]

Hi @Martineau

I've done some tests without success.

A little explanation of my environment:

I'm running my router Asus RT-AC66U_B1 with double-NAT because I'm not able to put my modem into bridge mode. I managed to have a DDNS working with this way:

https://imgur.com/hTo5ifo

Anyway, I put your script in my '/jffs/scripts' folder and run it, then I got this:

https://imgur.com/xITkH60

As you can see, I tried to set my router IP through VPN only in a specific port range (torrent). I do some torrent tests with ipleak.net but I got my modem IP instead of VPN.

Here is my current VPN configuration:

https://imgur.com/DiHpzY9

Am I doing something wrong?

Thanks

 

[Martineau]

​

Hi @Martineau

I've done some tests without success.

A little explanation of my environment:

I'm running my router Asus RT-AC66U_B1 with double-NAT because I'm not able to put my modem into bridge mode. I managed to have a DDNS working with this way:

https://imgur.com/hTo5ifo

Anyway, I put your script in my '/jffs/scripts' folder and run it, then I got this:

https://imgur.com/xITkH60

As you can see, I tried to set my router IP through VPN only in a specific port range (torrent). I do some torrent tests with ipleak.net but I got my modem IP instead of VPN.

Here is my current VPN configuration:

https://imgur.com/DiHpzY9

Am I doing something wrong?

Thanks

Your OP stated you did not wish to actually associate/restrict the Selective port VPN routing from a particular LAN device?
e.g. rather than issue:

./VPN_PortSelect.sh 1 192.168.50.1 49160:65534

you would issue

./VPN_PortSelect.sh 1 all 49160:65534

which is the code that needs to be beta-tested ... i.e. any LAN device using destination ports in the range 49160:65534 would be redirected via VPN Client 1

However, the warning message:

**Warning VPN Client 1 DNS '-t nat' chain DNSVPN1 does not exist? - 192.168.50.1 potential DNS leak via WAN

​

is 'normal' because of the brain-dead firmware implementation for 'Accept DNS Configuration=Exclusive'

Although you have correctly set 'Accept DNS Configuration=Exclusive', unfortunately, without an entry in the VPN Client list, then '-t nat' DNSVPNx chains are not created!!

So my script is constructively making you aware that 'Exclusive' use of the VPN DNS isn't actually implemented and WAN DNS leaks probably isn't what you actually want!

To fix this exposure, I always create a dummy entry using a non-existent LAN address to ensure the required DNSVPNx chain is always created/available.

e.g. For VPN Client 1 insert the dummy entry

DummyVPN1   172.16.1.1   0.0.0.0   VPN

Now if you issue

./VPN_PortSelect.sh 1 192.168.50.1 49160:65534

​

The warning message should not be issued, and if you check

./VPN_PortSelect.sh status

you should see 192.168.50.1 appears in the '-t nat' DNSVPN1 chain for the VPN Client 1 DNS forcing 192.168.50.1 to 'exclusively' use the VPN DNS.

Having stated all this, I believe you may need to use the alias technique where you assign the router a separate IP address, then bind this alias IP to Transmission etc. rather than explicitly continuing to use 192.168.50.1 (router.asus.com).

​

 

[DrakeRGS]

Your OP stated you did not wish to actually associate/restrict the Selective port VPN routing from a particular LAN device?
e.g. rather than issue:

./VPN_PortSelect.sh 1 192.168.50.1 49160:65534

you would issue

./VPN_PortSelect.sh 1 all 49160:65534

which is the code that needs to be beta-tested ... i.e. any LAN device using destination ports in the range 49160:65534 would be redirected via VPN Client 1

However, the warning message:

**Warning VPN Client 1 DNS '-t nat' chain DNSVPN1 does not exist? - 192.168.50.1 potential DNS leak via WAN

​

is 'normal' because of the brain-dead firmware implementation for 'Accept DNS Configuration=Exclusive'

Although you have correctly set 'Accept DNS Configuration=Exclusive', unfortunately, without an entry in the VPN Client list, then '-t nat' DNSVPNx chains are not created!!

So my script is constructively making you aware that 'Exclusive' use of the VPN DNS isn't actually implemented and WAN DNS leaks probably isn't what you actually want!

To fix this exposure, I always create a dummy entry using a non-existent LAN address to ensure the required DNSVPNx chain is always created/available.

e.g. For VPN Client 1 insert the dummy entry

DummyVPN1   172.16.1.1   0.0.0.0   VPN

Now if you issue

./VPN_PortSelect.sh 1 192.168.50.1 49160:65534

​

The warning message should not be issued, and if you check

./VPN_PortSelect.sh status

you should see 192.168.50.1 appears in the '-t nat' DNSVPN1 chain for the VPN Client 1 DNS forcing 192.168.50.1 to 'exclusively' use the VPN DNS.

Having stated all this, I believe you may need to use the alias technique where you assign the router a separate IP address, then bind this alias IP to Transmission etc. rather than explicitly continuing to use 192.168.50.1 (router.asus.com).

​

I added a dummy entry and the warning message disappears.

I misunderstanding your script and tried again setting to 'all' instead of my router's IP.

When I tried to set ports range for all devices I got the message:

./VPN_PortSelect.sh 1 all 49160:65534

(VPN_PortSelect.sh): 1361 VPN Client Selective PORT routing.....[1 all 49160:65534]
(VPN_PortSelect.sh): 1361 Adding VPN1 RPDB fwmark rule 0x1000/0x1000 prio 10100
(VPN_PortSelect.sh): 1361 Selective Port 49160:65534 routing (ANY LAN host) via VPN Client 1 using fwmark 0x1000 now enabled
(VPN_PortSelect.sh): 1361 **Manual override: (ANY LAN host) will use WAN DNS rather than use VPN Client 1 DNS (198.18.0.1)

And my wan IP was leaked while testing torrent (port 51121).

After that, I decided to test again using my router's IP so I rebooted my router because I didn't find a way to clear the rules (I was getting error messages saying 'Selective port routing ALREADY exists') then I got this:

./VPN_PortSelect.sh 1 192.168.50.1 49160:65534

(VPN_PortSelect.sh): 1386 VPN Client Selective PORT routing.....[1 192.168.50.1 49160:65534]
(VPN_PortSelect.sh): 1386 Adding VPN1 RPDB fwmark rule 0x1000/0x1000 prio 10100
(VPN_PortSelect.sh): 1386 Selective Port 49160:65534 routing 192.168.50.1 (router.asus.com) via VPN Client 1 using fwmark 0x1000 now enabled
(VPN_PortSelect.sh): 1386 Added 192.168.50.1 to '-t nat' chain DNSVPN1, (router.asus.com) will use VPN Client 1 DNS (198.18.0.1)

And after that, for some reason, I think the port 80 got blocked and any website that I tried to reach my browser got stuck in 'resolving host'.

Anyway, would be great if I can still beta-testing rules for all devices. Specifying my router's IP will be my plan B. About this alias technique, can you show me how to do it? Just in case.

Thanks!

 

[Martineau]

When I tried to set ports range for all devices I got the message:

./VPN_PortSelect.sh 1 all 49160:65534

(VPN_PortSelect.sh): 1361 VPN Client Selective PORT routing.....[1 all 49160:65534]
(VPN_PortSelect.sh): 1361 Adding VPN1 RPDB fwmark rule 0x1000/0x1000 prio 10100
(VPN_PortSelect.sh): 1361 Selective Port 49160:65534 routing (ANY LAN host) via VPN Client 1 using fwmark 0x1000 now enabled
(VPN_PortSelect.sh): 1361 **Manual override: (ANY LAN host) will use WAN DNS rather than use VPN Client 1 DNS (198.18.0.1)

And my wan IP was leaked while testing torrent (port 51121).

Working as designed, (as per the beta) since the script currently deems it silly to arbitrarily force ALL DNS requests via the VPN if no source LAN device is specified.

I rebooted my router because I didn't find a way to clear the rules (I was getting error messages saying 'Selective port routing ALREADY exists')

Err read the help?
e.g. use the 'del' directive to remove the previous matching Selective port routing you implemented:

./VPN_PortSelect.sh 1 all 49160:65534
./VPN_PortSelect.sh 1 all 49160:65534 del

And after that, for some reason, I think the port 80 got blocked and any website that I tried to reach my browser got stuck in 'resolving host'.

(VPN_PortSelect.sh): 1386 Added 192.168.50.1 to '-t nat' chain DNSVPN1, (router.asus.com) will use VPN Client 1 DNS (198.18.0.1)

Port 80 isn't blocked... it's the fact that that you have forced the router to use the VPN's DNS server (198.18.0.1) so (weirdly ) no hostnames can be resolved (you can override this behaviour by using the 'nodns' directive for a true LAN device that isn't the router!). Sometimes 'private' VPN ISP DNS servers can be the issue but you can override the DNS servers pushed by the VPN ISP, and configure the OpenVPN Client to use say a third-party's DNS servers such as FreeDNS,OpenNIC,Comodo Secure DNS etc.

Clearly it really depends on your definition of 'DNS leak' prevention and your required level of obfuscating possibly dubious torrent traffic.

My old-skool script (using multiple iptable rules rather than a single IPSETs based rule) was originally written to allow (non-technical) users to implement advanced Selective routing by enhancing the limited GUI options, so sadly I don't think it will (ever) meet your requirements using the router's IP address rather than the alias torrent IP.