Selective Routing with Asuswrt-Merlin

janosek

Regular Contributor
Hello,

I successfully set up an OpenVPN connection to the PIA VPN. However, I would like to set up selective routing for Netflix, Hulu and various other TV network sites. I tried to follow the post under:
http://www.linksysinfo.org/index.php?threads/any-way-to-bypass-vpn-selectively.33468/#post-164693

But it doesn't seem to work. I created a vpn_route.sh file under /root, set it to chmod 755 and ran the following two commands on the command line:
nvram setfile2nvram /root/vpn_route.sh
nvram commit


Added to the custom configuration:
script-security 2
route-up /root/vpn_route.sh
down /root/vpn_route.sh


then run:
nvram set vpn_client1_ip_list="192.168.1.10" (my PS3 IP)
nvram commit

I get the following error:

Jan 8 00:32:38 openvpn[728]: WARNING: Failed running command (--route-up): could not execute external program

Also, when I reboot, the /root/vpn_route.sh file disappears. Is that supposed to happen?

My setup:

RT-AC66U running 3.0.0.4.266.23b
PC
Nexus 10
PS3
Laptop


I would like the PS3 to go completely through the VPN, whereas my PC, Nexus 10 and laptop should only send Netflix, Hulu and the other TV sites through it, with the rest going through the ISP.

Is this possible?

Thank you very much for your hard work rmerlin, Your firmware is amazing.
 
Hello,

I was able to get the selective routing to work. Thanks RMerlin for the excellent wiki page. That made the difference.
 
Hi Janosek,

I clicked on the link you provided but couldn't find the script on that page.

Would you be so kind as to paste what you have done to get selective routing working?

Thanks a lot,

Mau
 
Phase 1 selective routing script

Hello,

Here is my script. I originally planned to learn how to do this in 3 phases.

phase 1: selectively route PS3, Nexus 10 and Laptop over US VPN, but keep VOIP and desktop PC on WAN

phase 2: create up and down scripts to prevent leakages for phase 3

phase 3: set up a second Swiss VPN and selectively route P2P communication from PC over Swiss VPN.

Suffice it to say, I am stuck on phase 1. My wife doesn't like the internet to go down for extended periods of time, so I cannot tinker.



Anyway, format your JFFS partition and create a "wan-start" script under /jffs/scripts


I TAKE NO CREDIT FOR THIS SCRIPT. THIS IS ENTIRELY THE WORK OF OTHERS. I TAKE NO RESPONSIBILITY FOR IT DOING ANY NASTY THINGS.



**************************************************

#!/bin/sh

touch /tmp/000wanstarted

# Disable reverse-path filtering on every interface. Replies to VPN-bypassing
# (mark 1) traffic come back on the WAN interface, but an unmarked reverse
# lookup in the main table would point at the tunnel, so strict rp_filter
# would drop them.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

#US VPN

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#ip route show table main | grep -Ev ^default | grep -Ev tun11 \
#  | while read ROUTE ; do
#      ip route add table 100 $ROUTE
#  done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#

# All LAN traffic will bypass the VPN (useful to put this rule first, so all traffic bypasses
# the VPN and you can configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 0

# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 0

# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0

# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1

exit 0
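
Added example, not code from any post in this thread: a small Python model of what the script above configures, so the two properties a practitioner should verify before trusting it can be checked offline. First, MARK is a non-terminating target, so every matching PREROUTING rule runs and the last match wins; that is why the catch-all "mark 1" rule has to come first. Second, a mark-0 host is only protected while the tunnel holds the default route: with tun11 down, main falls back to the WAN default and that host's traffic leaks out the ISP (the "phase 2" leakage the post mentions). Assumptions not in the thread: the WAN interface is eth0, the OpenVPN client installs redirect-gateway def1 style 0.0.0.0/1 and 128.0.0.0/1 routes via tun11, and the gateway (203.0.113.1), tunnel subnet and test destination are constructed addresses.

```python
import ipaddress

# Constructed copy of the mangle PREROUTING rules in the order the script adds
# them. (None, mark) is the catch-all "-i br0 -j MARK --set-mark 1".
MANGLE_PREROUTING = [
    (None, 1),             # all LAN traffic bypasses the VPN
    ("192.168.1.248", 0),  # laptop   -> US VPN
    ("192.168.1.10", 0),   # PS3      -> US VPN
    ("192.168.1.2", 0),    # Nexus 10 -> US VPN
    ("192.168.1.152", 1),  # VOIP     -> WAN
]

WAN_GW = "203.0.113.1"  # constructed stand-in for $(nvram get wan_gateway)


def final_mark(src, rules=MANGLE_PREROUTING):
    """Mark a packet from `src` the way the chain would.

    MARK does not stop traversal, so the LAST matching rule decides.
    Putting the catch-all rule last would silently undo every exception."""
    mark = 0  # packets enter the chain unmarked
    addr = ipaddress.ip_address(src)
    for match, m in rules:
        if match is None or addr in ipaddress.ip_network(match, strict=False):
            mark = m
    return mark


def main_table(vpn_up):
    """Constructed 'ip route show table main' as (prefix, dev, via) tuples.
    Assumption: redirect-gateway def1, so the tunnel adds two /1 routes."""
    routes = [
        ("192.168.1.0/24", "br0", None),
        ("203.0.113.0/24", "eth0", None),
    ]
    if vpn_up:
        routes += [
            ("10.8.0.0/24", "tun11", None),
            ("0.0.0.0/1", "tun11", None),
            ("128.0.0.0/1", "tun11", None),
        ]
    routes.append(("0.0.0.0/0", "eth0", WAN_GW))
    return routes


def table_100(main):
    """What the script's route-copy loop builds: every non-default,
    non-tun11 route from main plus a default via the WAN gateway."""
    copied = [r for r in main if r[0] != "0.0.0.0/0" and r[1] != "tun11"]
    return copied + [("0.0.0.0/0", "eth0", WAN_GW)]


def lookup(table, dst):
    """Longest-prefix match; returns the egress device or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, _via in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def egress(src, dst, vpn_up=True):
    """Policy routing as configured: 'ip rule add fwmark 1 table 100';
    anything unmatched there, and all mark-0 traffic, uses main."""
    main = main_table(vpn_up)
    if final_mark(src) == 1:
        dev = lookup(table_100(main), dst)
        if dev is not None:
            return dev
    return lookup(main, dst)


def leaking_hosts(hosts, dst="198.51.100.7"):
    """Hosts meant for the VPN whose traffic would leave via the WAN
    while tun11 is down. Nothing in the script above blocks this."""
    return [h for h in hosts
            if final_mark(h) == 0 and egress(h, dst, vpn_up=False) != "tun11"]


if __name__ == "__main__":
    for host in ("192.168.1.10", "192.168.1.152", "192.168.1.77"):
        print(host, "mark", final_mark(host),
              "up:", egress(host, "198.51.100.7"),
              "down:", egress(host, "198.51.100.7", vpn_up=False))
    print("leak when VPN down:", leaking_hosts(["192.168.1.10", "192.168.1.248"]))
```

The leak is the point to carry into the "phase 2" scripts: a rule that rejects forwarded mark-0 traffic whenever its egress is not tun11 is what turns this from selective routing into selective routing with a kill switch.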
 
First of all, thanks for the great work you did with the connection script! For others reading this post, some troubleshooting regarding the connection script is discussed here: http://forums.smallnetbuilder.com/showthread.php?t=10263

I was wondering if you got anywhere with the kill switch (phase 3)? Maybe this might help: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=4287&Itemid=142#4287
 
To be honest, I got lazy.

RMerlin helped me get selective routing working reliably. I tried routing P2P over a Swiss VPN, but the performance wasn't that great. Besides, now with US Netflix and Hulu Plus, I get most of what I watch, so there is no real need for P2P.
 
Thanks to janosek, who helped me out.

Got it working.

I have a Roku device where I want the wired IP to go via US and the wireless IP via UK (so I can enjoy a different Netflix).
 
Great!

I need to put together some documentation on the wiki
 
I will wait for Janosek to make a proper wiki, but for extreme novice users like me: I got it working with the help of Janosek, and here are the steps.

THE CODE

Code:
#!/bin/sh

sleep 2

touch /tmp/000wanstarted

# Disable reverse-path filtering on every interface. Replies to VPN-bypassing
# (mark 1) traffic come back on the WAN interface, but an unmarked reverse
# lookup in the main table would point at the tunnel, so strict rp_filter
# would drop them.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

#US VPN

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
  done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#

# All LAN traffic will bypass the VPN (useful to put this rule first, so all traffic bypasses
# the VPN and you can configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# All traffic from Roku Wireless will use the UK VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.103 -j MARK --set-mark 0

exit 0

If you look at the code, I only have 1 device configured to use the VPN (Roku Wireless).
The rest all goes via the regular WAN.

Save the above as "openvpn-event" (without the quotes and with NO FILE EXTENSION at all).

1) Assuming you have a VPN account and already have it working with OpenVPN in your Asuswrt-Merlin router (test manually that the VPN works first)
2) Make sure it's ON, with the "Start with WAN" option enabled
3) Go to Administration > System
  • Enable JFFS partition = YES
  • Format JFFS partition at next boot = YES
REBOOT ROUTER
4) Download software like WinSCP
File protocol: SCP
Hostname: 192.168.1.1
Username/Password: whatever you use to log in to the router
Port: 22
5) Go up to the root folder, where you see the jffs folder
6) Go inside that folder, then inside the scripts folder
7) Place the openvpn-event file you made above in this folder, right click > Properties > change Octal to 0777

That's it.

Close WinSCP
Reboot Router

GOOD TO GO
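
Added example, not part of the post above or of the firmware: a checker for the file before it is uploaded, run on the PC you upload from rather than on the router. It catches the things that produce OpenVPN's "could not execute external program" warning or make the firmware ignore the file: a name with an extension (the firmware runs the exact name, e.g. openvpn-event or wan-start), a missing #!/bin/sh first line, Windows CRLF line endings (execve() then looks for an interpreter literally named "/bin/sh\r"), and a missing execute bit. It also flags 0777: 0755 is all the router needs, and a world-writable script that runs as root on every boot is something you do not want on the box. The sample script body and the file names used for the test cases are constructed.

```python
import os
import stat
import tempfile

# Constructed minimal script in the shape the thread uses; a real one would
# carry the ip rule / iptables lines from the posts above.
SAMPLE_SCRIPT = "#!/bin/sh\n\ntouch /tmp/000wanstarted\nexit 0\n"


def check_router_script(path):
    """Return the problems that would keep Asuswrt-Merlin, or OpenVPN's
    route-up/down hook, from executing the user script at `path`.
    An empty list means the file looks installable."""
    problems = []
    if "." in os.path.basename(path):
        problems.append("name has an extension; the firmware runs the exact "
                        "name, e.g. openvpn-event")
    with open(path, "rb") as f:
        data = f.read()
    first_line = data.split(b"\n", 1)[0]
    if not first_line.startswith(b"#!/bin/sh"):
        problems.append("first line is not '#!/bin/sh'")
    if b"\r" in data:
        # the kernel would search for an interpreter named "/bin/sh\r"
        problems.append("CRLF line endings (save as Unix/LF)")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not mode & stat.S_IXUSR:
        problems.append("owner execute bit missing (chmod 755)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world writable (mode %o); 0755 is enough, "
                        "0777 lets any local account edit a script that "
                        "runs as root" % mode)
    return problems


def write_script(directory, name, content, mode=0o755):
    """Write `content` to directory/name, set `mode`, return the path.
    newline='' keeps CRLF intact so the checker can see it."""
    path = os.path.join(directory, name)
    with open(path, "w", newline="") as f:
        f.write(content)
    os.chmod(path, mode)
    return path


def demo():
    """Run the checker on a good copy and on each mistake from the thread;
    returns {case label: list of problems}."""
    cases = {
        "good":   ("openvpn-event", SAMPLE_SCRIPT, 0o755),
        "ext":    ("vpn_route.sh", SAMPLE_SCRIPT, 0o755),
        "crlf":   ("wan-start", SAMPLE_SCRIPT.replace("\n", "\r\n"), 0o755),
        "noexec": ("openvpn-event", SAMPLE_SCRIPT, 0o644),
        "world":  ("openvpn-event", SAMPLE_SCRIPT, 0o777),
    }
    results = {}
    for label, (name, content, mode) in cases.items():
        path = write_script(tempfile.mkdtemp(), name, content, mode)
        results[label] = check_router_script(path)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```

Once the file passes, copy it into /jffs/scripts and confirm from the router's own shell that it is there after a reboot; a script that lives in /root (as in the first post) is not on persistent storage and is gone at the next boot.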
 
Thanks a lot for the guide; there are missing steps: before you even try to log in with WinSCP, you need to enable SSH (this was not obvious to me).

I got stuck once I connected to the router via WinSCP: I navigated to the jffs folder, but there is no scripts folder there, and I could not create one:

Error creating folder "Scripts"
Command "mkdir 'Scripts'"
failed with return code 1 and error message
mkdir: can't create directory "Scripts": Read-only file system


jffs folder octal: 0755
 
Because you missed step 3: formatting and enabling JFFS puts the scripts folder there; you don't create it.
 
No, I did not: by default JFFS is off, so I enabled it, formatted it and then tried to access it... the jffs folder is there, but there is nothing inside.

I will try again tonight.
 
You have to reboot after setting the option to format it.
 
Janosek and RMerlin,

So I ran into an issue; not sure what happened, but this worked for the first day.

I have a VPN service which has 2 features:
1) They give you DNS servers which you enter in the router, and you can enjoy US Netflix, Hulu etc., just like the unblock-us service
2) Traditional VPN

Before this setup of mine, all devices connected to the router (PC, Roku etc.) showed US Netflix.

But now it reverts to Canadian, and whenever I check the status of this unblocking service, it says I am not unblocked.
As soon as I stop this script, it's all good.

So is it bypassing the DNS I provide manually? Is there an extra line of code which is needed here?

Any clue?
 
Confirming: re-formatted and rebooted, and the jffs folder is still empty!

Is it possible that there is (as unlikely as it seems) a bug in 3.0.0.4_374.33_beta1?
 
I have no problem with the JFFS partition getting mounted on all three routers I tested it on. Check the System Log to see if there's any error referring to JFFS.

Also, make sure JFFS is indeed enabled:

Code:
nvram get jffs2_on

It should return 1.

If enabling it in the webui still leaves it set to "0", then it's possible you have nvram corruption preventing values from properly saving. This can happen if you restored an old (corrupted) backup, or if you haven't re-saved your OpenVPN keys after the 374.32 update. Go to each OpenVPN key page (if you have more than one instance configured), then press Apply to re-save them in the new format.
 
Yep, it does return 1.
When I connect to the router with WinSCP, it shows the jffs folder in the root folder with the following rights: rwxr-xr-x, and under Properties the octal is 0755.
 
And yes, I did try to format/reboot multiple times... what am I missing?
 