Selective Routing with Asuswrt-Merlin

[alexandro]

How I can route by VPN only abroad traffic, except home country traffic?

 

[Martineau]

How I can route by VPN only abroad traffic, except home country traffic?

It is trivial to selectively route countries as you can use the same IPSET technique used for selectively routing specific domains such as Netflix.
i.e. Create the IPSET for the WAN

IPSET ViaWAN                 <- this IPSET group contains separate IPSETs e.g.
      IPSET Bermuda          <- this IPSET contains ALL of the Bermuda CIDR ranges
      IPSET Bahamas          <- this IPSET contains ALL of the Bahamas CIDR ranges

then if the target I/P is in any of the IPSETs ViaWAN then it can be tagged to use the WAN interface otherwise everything else would be routed via say VPN Client 1 etc.

NOTE: You could also create explicit country VPN IPSETs and explicitly tag them as required:

IPSET ViaVPN1                <- this IPSET group contains separate IPSETs e.g.
      IPSET Japan            <- this IPSET contains ALL of the Japan CIDR ranges
IPSET ViaVPN2                <- this IPSET group contains separate IPSETs e.g.
      IPSET Australia        <- this IPSET contains ALL of the Australia CIDR ranges

The main problem would be to correctly populate the IPSETs.
You could use the Country CIDR ranges provided by http://www.ipdeny.com/ as a starting point to initially setup the IPSET(s) and then fine-tune the entries by hand.

e.g. Suppose in this silly example I want to ensure I always use the Sony site in Japan...is the following correct? (I'm in the UK)

nslookup www.sony.co.jp

Name:      www.sony.co.jp
Address 1: 2a02:26f0:ec:48b::2542 g2a02-26f0-00ec-048b-0000-0000-0000-2542.deploy.static.akamaitechnologies.com
Address 2: 184.87.184.111 a184-87-184-111.deploy.static.akamaitechnologies.com

wget  -q -O - 'https://api.ipdata.co/184.87.184.111' | grep -E "country"
    "country_name": "Netherlands",
    "country_code": "NL",

Clearly whilst the URL may imply Japan, actually it is hosted in Europe!

So whilst the country routing RPDB/iptables rules are simple, ensuring that the country IPSET is correctly populated isn't quite so simple.

 

[Xentrk]

@Martineau brings up a good point about list accuracy. From https://iplists.firehol.org/

Each time an ipset is updated we check it against the MaxMind GeoLite2 country, the IPDeny.com country, the IP2Location.com Lite country and the IPIP.net country databases, to find the list's unique IPs per country.

If you are going to install this IP list as a blocklist / blacklist at a firewall, it is important to know which countries will be mainly affected, since you are going to block access from/to these IPs.

All lists suffer from false positives to some degree, so using this IP list at your firewall might block some of your users or customers.

@Adamm is using the ipdeny.com list for country blocking in Skynet, the Asus Firewall Addition.

 

[Adamm]

@Martineau brings up a good point about list accuracy. From https://iplists.firehol.org/


@Adamm is using the ipdeny.com list for country blocking in Skynet, the Asus Firewall Addition.

Fwiw while Martineau has a valid point, it was probably a bad example as the host isn't static (or maybe that makes it a great example ). The website he listed is hosted on a CDN so he is being served content from a local server. But yes, just because a domain has a specific countries TLD, it doesn't mean the content is hosted there.

 

[frustin]

RTFM ?
Finally, you should save the IPSETs at regular intervals (using a cru aka cron schedule), then you can restore the populated IPSETs from say firewall-start when the router is rebooted.

Please can you tell me how this would look?

 

[Xentrk]

Please can you tell me how this would look?

Some references

https://github.com/RMerl/asuswrt-merlin/wiki/Scheduled-Reboot

https://www.cyberciti.biz/faq/how-to-add-cron-job-on-asuswrt-merlin-wifi-router/

http://ipset.netfilter.org/ipset.man.html

 

[frustin]

Some references

https://github.com/RMerl/asuswrt-merlin/wiki/Scheduled-Reboot

https://www.cyberciti.biz/faq/how-to-add-cron-job-on-asuswrt-merlin-wifi-router/

http://ipset.netfilter.org/ipset.man.html

ah ok so i can put a ipset create and ipset save in the cron. I was wondering how to make the ipset persistent after reboot.

what are you doing to ensure that old IPs are being cleaned up?

 

[Xentrk]

I also have some ipset scripts that I need to update to make them more efficient, such as restoring at boot rather than performing a lookup on the domain names and loading into the ipset list at boot time.

To save ipset rules to other file
ipset save > /jffs/config/ipset.list

To restore ipset rules
ipset restore -! < /jffs/config/ipset.list

To clean up IPs, you could have a script that runs daily during off hours. The script will destroy the current list, then update the list by performing nslookup on the domain names. There are some code samples buried in this thread on looping thru the IPv4 addresses returned from an nslookup and loading into the list.

Here is some sample code that performs a restore of the ipset lists.
https://www.centos.org/forums/viewtopic.php?t=47247

ipset performance
https://blog.n0dy.radio/2013/05/19/faster-ipset-loading/

 

[frustin]

I also have some ipset scripts that I need to update to make them more efficient, such as restoring at boot rather than performing a lookup on the domain names and loading into the ipset list at boot time.

To save ipset rules to other file
ipset save > /jffs/config/ipset.list

To restore ipset rules
ipset restore -! < /jffs/config/ipset.list

To clean up IPs, you could have a script that runs daily during off hours. The script will destroy the current list, then update the list by performing nslookup on the domain names. There are some code samples buried in this thread on looping thru the IPv4 addresses returned from an nslookup and loading into the list.

Here is some sample code that performs a restore of the ipset lists.
https://www.centos.org/forums/viewtopic.php?t=47247

ipset performance
https://blog.n0dy.radio/2013/05/19/faster-ipset-loading/

thanks!

i've bought a usb flash drive to store the ipset.list, to avoid the constant writes to the router's flash.

what does the -! do in the restore?

did you have any issue with using the VPN's DNS servers with netflix? I read that adding server=/netflix.com/<your dns e.g. google> would be solve this? i tried with my Dyn DNS server but it didnt work.

 

[Xentrk]

thanks!

i've bought a usb flash drive to store the ipset.list, to avoid the constant writes to the router's flash.

what does the -! do in the restore?

did you have any issue with using the VPN's DNS servers with netflix? I read that adding server=/netflix.com/<your dns e.g. google> would be solve this? i tried with my Dyn DNS server but it didnt work.

You can use the -! or -exist flag. From the ipset man page:
-!, -exist
Ignore errors when exactly the same set is to be created or already added entry is added or missing entry is deleted.
Netflix does not care what DNS you use. They do block known VPN providers by detecting connections from the same source IP address. This flags the IP as a shared proxy or VPN server. You then get the proxy error in NF.

A service that offers a private streaming IP is the workaround. Please see my post here for more explanation. https://x3mtek.com/why-i-use-torguard-as-my-vpn-provider/

 

[frustin]

You can use the -! or -exist flag. From the ipset man page:
-!, -exist
Ignore errors when exactly the same set is to be created or already added entry is added or missing entry is deleted.
Netflix does not care what DNS you use. They do block known VPN providers by detecting connections from the same source IP address. This flags the IP as a shared proxy or VPN server. You then get the proxy error in NF.

A service that offers a private streaming IP is the workaround. Please see my post here for more explanation. https://x3mtek.com/why-i-use-torguard-as-my-vpn-provider/

NordVPN offers private IPs as a service, i might look at that if all else fails but it turns out that i have:

ip rule del prio 9990
ip rule add fwmark $TAG_MARK table main prio 9990

which is wrong. I need a routing table that points to the WAN/ISP as the default gateway.

i thought the reason i couldnt connect to netflix and was because my i was using my vpn's dns.

 

[Martineau]

.....it turns out that i have:

ip rule del prio 9990
ip rule add fwmark $TAG_MARK table main prio 9990

which is wrong. I need a routing table that points to the WAN/ISP as the default gateway

The title of the thread is Selective Routing !!!

So if you enable Selective Routing....

(adjusting for your LAN subnet if it isn't 192.168.1.1) then hit Apply.

The firmware will create separate routing tables for the appropriate VPN Client connection, and will leave table 'main (254)' untouched to allow the 0x7000 fwmark tagging via the WAN to work correctly:
e.g.

0x7000 - WAN
0x1000 - VPN Client #1
0x2000 - VPN Client #2
0x3000 - VPN Client #3
0x4000 - VPN Client #4
0x5000 - VPN Client #5

 

[frustin]

thank you for the explanation!

i wasnt joining up the selective routing with the policy rules, on the router.

My i ask how you know that the fwmark's are correct? e.g. 0x7000 == wan etc. is it written somewhere?

 

[Martineau]

thank you for the explanation!

i wasnt joining up the selective routing with the policy rules, on the router.

No problem.

99% of users want to route either ALL LAN traffic via the VPN, or selectively route LAN devices/subnets to target IPs/subnets via the VPN (with ALL LAN traffic via the WAN by default).

You are in the 1% that wants a non-intuitive reverse solution - hence the need for the two explicit rules.

My i ask how you know that the fwmark's are correct?

I don't

e.g. 0x7000 == wan etc. is it written somewhere?

No
​

Asus reserved fwmarks are not fully documented/disclosed but developers @john9527 / @RMerlin picked their own, so I chose these fwmarks, and although not a formal standard, I see other script writers have adopted my numbering scheme.

Whilst these informal fwmarks have successfully worked for years, clearly Broadcom/Asus may decide to use these fwmarks for their own upurposes in the future, and the Selective Routing of IPSets,Ports and MACs that rely on these unofficial fwmarks will fail.

However you are fee to choose your own, providing they do not conflict with current/future reserved fwmarks.

 

[frustin]

To be clear, I do want to route all traffic to the VPN, and only by exception route via WAN e.g. netflix/amazon.

It's sort of working. When VPN (Client #1) is enabled i can now browse to netflix.com and amazon.co.uk (prime) and can look at the film listings, but i cant play the films. It still says i'm using a proxy for netflix.com while Amazon.co.uk (UK prime) does work.

looks like netflix block for UK NordVPN address ranges

 

[Xentrk]

To be clear, I do want to route all traffic to the VPN, and only by exception route via WAN e.g. netflix/amazon.

It's sort of working. When VPN (Client #1) is enabled i can now browse to netflix.com and amazon.co.uk (prime) and can look at the film listings, but i cant play the films. It still says i'm using a proxy for netflix.com while Amazon.co.uk (UK prime) does work.

looks like netflix block for UK NordVPN address ranges

Change the setting to route all traffic over the tunnel and try NF again. If you get the proxy error, then it will confirm that your provider does not work with NF.

If it does work, then it points to a issue with your selective routing script.

More info about Netflix in this thread that may be of help.

https://www.snbforums.com/threads/selective-routing-for-netflix.42661/

 

[zperetz]

Hi, I've finally lost my hope to solve by myself the issue of my RT-AC68U with 384.7-0 onboard, and can't get ipset routing working.

I'm trying to have selective routing over VPN just on the base of ipset with number of IPs. However, even this simple task has no solution for me for the moment.

I live in 192.168.1.0/24, my VPN Client2 setup:

..and I'm trying to use modified script from this thread:

admin@RT-AC68U:/jffs/scripts# cat vpn-route-nat
#!/bin/sh

sleep 5

logger -t "($(basename $0))" $$ Starting vpn-route-nat..." $0${*:+ $*}."
# Uncomment the line below for debugging

set -xo
ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536

# extract LAN ip addresses
ipset add LAN_GW $(nvram get lan_ipaddr)

# ipset VPNTEST is created outside and checked

# WAN ip rule
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990

# VPN Client 2 ip rule
ip rule del fwmark 0x2000
ip rule add fwmark 0x2000 table ovpnc2 prio 9991

ip route flush cache

###########################################################
# LAN to WAN devices
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000

# LAN to VPN Client 2 ip's
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000

logger -t "($(basename $0))" $$ Ending vpn-route-nat..." $0${*:+ $*}."

OK, let's start from scratch - VPN is down. Check ipset, routing rules and mangle table. Traceroute shows the normal way over my ISP:

ASUSWRT-Merlin RT-AC68U 384.7-0 Sun Oct  7 16:42:19 UTC 2018
admin@RT-AC68U:/jffs/scripts# ipset list VPNTEST
Name: VPNTEST
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 262144
Size in memory: 428
References: 0
Number of entries: 2
Members:
103.216.218.144
195.82.146.214
admin@RT-AC68U:/jffs/scripts# ipset test VPNTEST 103.216.218.144
103.216.218.144 is in set VPNTEST.
admin@RT-AC68U:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  6.324 ms  4.531 ms  13.241 ms
 2^C
admin@RT-AC68U:/jffs/scripts# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC68U:/jffs/scripts# ip route show table ovpnc2
admin@RT-AC68U:/jffs/scripts# iptables -t mangle -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 4651K packets, 3407M bytes)
 pkts bytes target     prot opt in     out     source               destination
admin@RT-AC68U:/jffs/scripts#

Starting VPN on Client 2 and testing if it works (all tests are done with ip from VPNTEST):

admin@RT-AC68U:/jffs/scripts# service start_vpnclient2

Done.
admin@RT-AC68U:/jffs/scripts# ifconfig tun12
tun12     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:213 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:120468 (117.6 KiB)
admin@RT-AC68U:/jffs/scripts# ip route show table ovpnc2
107.173.80.33 via 95.220.192.1 dev eth0
95.220.192.1 dev eth0  proto kernel  scope link
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
10.8.0.0/24 dev tun12  proto kernel  scope link  src 10.8.0.2
95.220.192.0/19 dev eth0  proto kernel  scope link  src 95.220.207.238
127.0.0.0/8 dev lo  scope link
0.0.0.0/1 via 10.8.0.1 dev tun12
128.0.0.0/1 via 10.8.0.1 dev tun12
default via 95.220.192.1 dev eth0
admin@RT-AC68U:/jffs/scripts# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC68U:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  3.062 ms  5.708 ms  19.245 ms
 2  *^C
admin@RT-AC68U:/jffs/scripts# ip route add 103.216.218.144 dev tun12
admin@RT-AC68U:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  10.8.0.1 (10.8.0.1)  138.710 ms  138.701 ms  138.344 ms
 2  107-175-92-130-host.colocrossing.com (107.175.92.130)  138.450 ms  138.589 ms  140.468 ms
 3  10.8.28.85 (10.8.28.85)  139.191 ms  10.8.21.101 (10.8.21.101)  139.137 ms  10.8.28.85 (10.8.28.85)  139.198 ms
 4  10.8.12.33 (10.8.12.33)  138.868 ms  10.8.12.21 (10.8.12.21)  159.795 ms  10.8.12.33 (10.8.12.33)  170.771 ms
 5  10.8.25.141 (10.8.25.141)  138.635 ms  10.8.24.73 (10.8.24.73)  138.914 ms  10.8.25.141 (10.8.25.141)  139.010 ms
 6  78.152.61.30 (78.152.61.30)  138.974 ms^C
admin@RT-AC68U:/jffs/scripts# ip route del 103.216.218.144 dev tun12
admin@RT-AC68U:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  3.062 ms  5.708 ms  19.245 ms
 2  *^C

So, everything is checked and work just fine. Time to apply the script manually (before I tried it in nat-start) and see that ipset based routing is not working:

admin@RT-AC68U:/jffs/scripts# ./vpn-route-nat
errexit         off
noglob          off
ignoreeof       off
interactive     off
monitor         off
noexec          off
stdin           off
xtrace          on
verbose         off
noclobber       off
allexport       off
notify          off
nounset         off
vi              off
pipefail        off
+ ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset v6.32: Set cannot be created: set with the same name already exists
+ nvram get lan_ipaddr
+ ipset add LAN_GW 192.168.1.1
ipset v6.32: Element cannot be added to the set: it's already added
+ ip rule del fwmark 0x7000
RTNETLINK answers: No such file or directory
+ ip rule add fwmark 0x7000 table 254 prio 9990
+ ip rule del fwmark 0x2000
RTNETLINK answers: No such file or directory
+ ip rule add fwmark 0x2000 table ovpnc2 prio 9991
+ ip route flush cache
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
+ basename ./vpn-route-nat
+ logger -t (vpn-route-nat) 25729 Ending vpn-route-nat... ./vpn-route-nat.
admin@RT-AC68U:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  1.185 ms  1.194 ms  1.230 ms
 2^C

Soooo, nothing. No ipset, routing just standard rules are applied.
Few checks to see that script applied the rules:

admin@RT-AC68U:/jffs/scripts# ip rule
0:      from all lookup local
9990:   from all fwmark 0x7000 lookup main
9991:   from all fwmark 0x2000 lookup ovpnc2
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC68U:/jffs/scripts# iptables -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 477K packets, 344M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set LAN_GW src,dst MARK or 0x7000
    0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPNTEST dst,dst MARK or 0x2000

Dear Masters of selective routing on WRT Merlin, any of your ideas would be very welcome. Thank you in advance!

 

[Xentrk]

Hi, I've finally lost my hope to solve by myself the issue of my RT-AC68U with 384.7-0 onboard, and can't get ipset routing working.

Dear Masters of selective routing on WRT Merlin, any of your ideas would be very welcome. Thank you in advance!

From a glance, I see you are missing the bitmask when creating the fwmark. Syntax is fwmark/bitmask e.g. 0x7000/0x7000

I fixed it in the code snip below

# WAN ip rule
ip rule del fwmark 0x7000/0x7000
ip rule add fwmark 0x7000/0x7000 table 254 prio 9990

# VPN Client 2 ip rule
ip rule del fwmark 0x2000/0x2000
ip rule add fwmark 0x2000/0x2000 table ovpnc2 prio 9991

ip route flush cache

###########################################################
# LAN to WAN devices
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000

# LAN to VPN Client 2 ip's
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000

This should be of help to you. Two different selective routing methods are used on the GitHub repo: https://github.com/Xentrk/netflix-vpn-bypass

 

[zperetz]

From a glance, I see you are missing the bitmask when creating the fwmark. Syntax is fwmark/bitmask e.g. 0x7000/0x7000

This should be of help to you. Two different selective routing methods are used on the GitHub repo: https://github.com/Xentrk/netflix-vpn-bypass

Xentrk, thank you for trying to help.
Change of fwmark doesn't help:

admin@RT-AC68U:/jffs/scripts# ./vpn-route-nat                                                                                                     errexit         off
noglob          off
ignoreeof       off
interactive     off
monitor         off
noexec          off
stdin           off
xtrace          on
verbose         off
noclobber       off
allexport       off
notify          off
nounset         off
vi              off
pipefail        off
+ ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset v6.32: Set cannot be created: set with the same name already exists
+ nvram get lan_ipaddr
+ ipset add LAN_GW 192.168.1.1
ipset v6.32: Element cannot be added to the set: it's already added
+ ip rule del fwmark 0x7000/0x7000
RTNETLINK answers: No such file or directory
+ ip rule add fwmark 0x7000/0x7000 table 254 prio 9990
+ ip rule del fwmark 0x2000/0x2000
RTNETLINK answers: No such file or directory
+ ip rule add fwmark 0x2000/0x2000 table ovpnc2 prio 9991
+ ip route flush cache
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
+ basename ./vpn-route-nat
+ logger -t (vpn-route-nat) 5594 Ending vpn-route-nat... ./vpn-route-nat.
admin@RT-AC68U:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  1.597 ms  2.769 ms  2.246 ms
 2  *^C

I didn't get what are 2 different methods, actually. But thank you for link, I understood that no need to have additional WAN rules if they are ok. So I've simplified the script:

admin@RT-AC68U:/jffs/scripts# cat vpn-route-nat-v2
#!/bin/sh

sleep 5

logger -t "($(basename $0))" $$ Starting vpn-route-nat..." $0${*:+ $*}."
# Uncomment the line below for debugging

set -xo

# vpn-whitelist is extracted in firewall-start
# test VPNTEST to check routing is created

# VPN Client 2 ip rule
FWMARK_OVPNC2="0x2000/0x2000"

ip rule del fwmark "$FWMARK_OVPNC2"
ip rule add from 0/0 fwmark "$FWMARK_OVPNC2" table ovpnc2 prio 9991

ip route flush cache

# LAN to VPN Client 2 ip's
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst -j MARK --set-mark "$FWMARK_OVPNC2"
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst -j MARK --set-mark "$FWMARK_OVPNC2"

logger -t "($(basename $0))" $$ Ending vpn-route-nat..." $0${*:+ $*}."

And you know what? Nothing has changed

admin@RT-AC68U:/jffs/scripts# ./vpn-route-nat-v2
errexit         off
noglob          off
ignoreeof       off
interactive     off
monitor         off
noexec          off
stdin           off
xtrace          on
verbose         off
noclobber       off
allexport       off
notify          off
nounset         off
vi              off
pipefail        off
+ FWMARK_OVPNC2=0x2000/0x2000
+ ip rule del fwmark 0x2000/0x2000
RTNETLINK answers: No such file or directory
+ ip rule add from 0/0 fwmark 0x2000/0x2000 table ovpnc2 prio 9991
+ ip route flush cache
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst -j MARK --set-mark 0x2000/0x2000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst -j MARK --set-mark 0x2000/0x2000
+ basename ./vpn-route-nat-v2
+ logger -t (vpn-route-nat-v2) 6809 Ending vpn-route-nat... ./vpn-route-nat-v2.
admin@RT-AC68U:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  1.368 ms  1.195 ms  1.202 ms
 2  *  *^C

I really can't get the source of the issue

 

[Xentrk]

Xentrk, thank you for trying to help.
Change of fwmark doesn't help:

admin@RT-AC68U:/jffs/scripts# ./vpn-route-nat                                                                                                     errexit         off
noglob          off
ignoreeof       off
interactive     off
monitor         off
noexec          off
stdin           off
xtrace          on
verbose         off
noclobber       off
allexport       off
notify          off
nounset         off
vi              off
pipefail        off
+ ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset v6.32: Set cannot be created: set with the same name already exists
+ nvram get lan_ipaddr
+ ipset add LAN_GW 192.168.1.1
ipset v6.32: Element cannot be added to the set: it's already added
+ ip rule del fwmark 0x7000/0x7000
RTNETLINK answers: No such file or directory
+ ip rule add fwmark 0x7000/0x7000 table 254 prio 9990
+ ip rule del fwmark 0x2000/0x2000
RTNETLINK answers: No such file or directory
+ ip rule add fwmark 0x2000/0x2000 table ovpnc2 prio 9991
+ ip route flush cache
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
+ basename ./vpn-route-nat
+ logger -t (vpn-route-nat) 5594 Ending vpn-route-nat... ./vpn-route-nat.
admin@RT-AC68U:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  1.597 ms  2.769 ms  2.246 ms
 2  *^C

I didn't get what are 2 different methods, actually. But thank you for link, I understood that no need to have additional WAN rules if they are ok. So I've simplified the script:

admin@RT-AC68U:/jffs/scripts# cat vpn-route-nat-v2
#!/bin/sh

sleep 5

logger -t "($(basename $0))" $$ Starting vpn-route-nat..." $0${*:+ $*}."
# Uncomment the line below for debugging

set -xo

# vpn-whitelist is extracted in firewall-start
# test VPNTEST to check routing is created

# VPN Client 2 ip rule
FWMARK_OVPNC2="0x2000/0x2000"

ip rule del fwmark "$FWMARK_OVPNC2"
ip rule add from 0/0 fwmark "$FWMARK_OVPNC2" table ovpnc2 prio 9991

ip route flush cache

# LAN to VPN Client 2 ip's
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst -j MARK --set-mark "$FWMARK_OVPNC2"
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst -j MARK --set-mark "$FWMARK_OVPNC2"

logger -t "($(basename $0))" $$ Ending vpn-route-nat..." $0${*:+ $*}."

And you know what? Nothing has changed

admin@RT-AC68U:/jffs/scripts# ./vpn-route-nat-v2
errexit         off
noglob          off
ignoreeof       off
interactive     off
monitor         off
noexec          off
stdin           off
xtrace          on
verbose         off
noclobber       off
allexport       off
notify          off
nounset         off
vi              off
pipefail        off
+ FWMARK_OVPNC2=0x2000/0x2000
+ ip rule del fwmark 0x2000/0x2000
RTNETLINK answers: No such file or directory
+ ip rule add from 0/0 fwmark 0x2000/0x2000 table ovpnc2 prio 9991
+ ip route flush cache
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst -j MARK --set-mark 0x2000/0x2000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst -j MARK --set-mark 0x2000/0x2000
+ basename ./vpn-route-nat-v2
+ logger -t (vpn-route-nat-v2) 6809 Ending vpn-route-nat... ./vpn-route-nat-v2.
admin@RT-AC68U:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  1.368 ms  1.195 ms  1.202 ms
 2  *  *^C

I really can't get the source of the issue

I see the error message: iptables: No chain/target/match by that name.
Other AC68U users have reported the same issue when trying selective routing. I did a search and found one user added modprobe xt_set.ko and that fixed his issues. https://www.snbforums.com/threads/n...s-ipset-in-ac68u-v380-66_4.39600/#post-330072