garycnew
Senior Member
Works Great! Need Testers! Need more than 10K Characters per Post!
Requirements/Assumptions:
1. An Asuswrt-Merlin Compatible Router (i.e., Asus RT-AC66U)
2. Asuswrt-Merlin Compatible Firmware (i.e., 384.19)
3. Established OpenVPN Client Connection (Force Internet traffic through tunnel: Policy Rules)
4. Formated JFFS Partition and Enabled JFFS Custom Scripts and Configs
5. Entware Installed via Asuswrt-Merlin Terminal Menu (AMTM)
6. Nginx Installation with DNSMasq and IPTables Configuration (/opt/etc/nginx/nginx.conf)
7. Capable of Editing the following User Scripts:
/jffs/configs/dnsmasq.conf.add
/jffs/scripts/lighttpd.postconf
/jffs/scripts/nat-start
/jffs/scripts/post-mount
README: Custom Domains with DNSMasq
LAN > DHCP Server > DNS and WINS Server Setting
DNS Server 1: [LAN_IP]
DNS Server 2: [EMPTY]
Advertise router's IP in addition to user-specified DNS: [No]
From a Client Machine, confirm DNSMasq is working from the Command Prompt:
NOTICE: If you appreciated this Tutorial, you might also like my Guide on [SOLVED] OpenVPN Client Split Tunnel for BitTorrent Traffic.
Requirements/Assumptions:
1. An Asuswrt-Merlin Compatible Router (i.e., Asus RT-AC66U)
2. Asuswrt-Merlin Compatible Firmware (i.e., 384.19)
3. Established OpenVPN Client Connection (Force Internet traffic through tunnel: Policy Rules)
4. Formated JFFS Partition and Enabled JFFS Custom Scripts and Configs
5. Entware Installed via Asuswrt-Merlin Terminal Menu (AMTM)
6. Nginx Installation with DNSMasq and IPTables Configuration (/opt/etc/nginx/nginx.conf)
7. Capable of Editing the following User Scripts:
/jffs/configs/dnsmasq.conf.add
/jffs/scripts/lighttpd.postconf
/jffs/scripts/nat-start
/jffs/scripts/post-mount
Code:
# /usr/sbin/ip addr add 192.168.0.2/24 brd + dev br0:0
# /usr/sbin/ip addr add 192.168.0.3/24 brd + dev br0:1
# /usr/sbin/ip ad
11: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether c0:56:27:d1:b8:a4 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global br0
inet 192.168.0.2/24 brd 192.168.0.255 scope global secondary br0
inet 192.168.0.3/24 brd 192.168.0.255 scope global secondary br0
LAN > DHCP Server > DNS and WINS Server Setting
DNS Server 1: [LAN_IP]
DNS Server 2: [EMPTY]
Advertise router's IP in addition to user-specified DNS: [No]
Code:
# vi /jffs/configs/dnsmasq.conf.add
address=/dnsleaktest.com/z1.fm/192.168.0.2
address=/dnsleak.com/audiobookbay.nl/192.168.0.3
Code:
# service restart_dnsmasq
Done.
From a Client Machine, confirm DNSMasq is working from the Command Prompt:
Code:
C:\Users\Name>ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Name>ping dnsleaktest.com
Pinging dnsleaktest.com [192.168.0.2] with 32 bytes of data:
Reply from 192.168.0.2: bytes=32 time<1ms TTL=64
Reply from 192.168.0.2: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\Name>ping dnsleak.com
Pinging dnsleak.com [192.168.0.3] with 32 bytes of data:
Reply from 192.168.0.3: bytes=32 time<1ms TTL=64
Reply from 192.168.0.3: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.0.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Code:
# vi /jffs/scripts/lighttpd.postconf
#!/bin/sh
# Force Lighttpd (Webdav) to Reload Modified Config
/usr/bin/killall lighttpd; sed -i 's/":443"/"192.168.0.1:443"/g' /tmp/lighttpd.conf && /usr/sbin/lighttpd -f /tmp/lighttpd.conf -D &
logger "Running /jffs/scripts/lighttpd.postconf"
Code:
# vi /jffs/scripts/nat-start
#!/bin/sh
sleep 10 # During the boot process nat-start may run multiple times so this is required
# Ensure Duplicate Rules are not Created
for VPN_ID in 0 1 2 3 4 5
do
ip rule del prio 999$VPN_ID 2>/dev/null
done
# Create RPDB Rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main prio 9990 # WAN fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991 # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992 # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993 # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994 # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995 # VPN 3 fwmark
# Force Lighttpd (Webdav) to Reload Modified Config
. /jffs/scripts/lighttpd.postconf
# Mark Outbound Web Services Packets from WAN to OpenVPN Client 1 and/or OpenVPN Client 2
iptables -t mangle -I OUTPUT -o vlan2 -p tcp -s 192.168.0.2/32 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -I OUTPUT -o vlan2 -p tcp -s 192.168.0.3/32 -j MARK --set-mark 0x2000/0x2000
# Mark Inbound Web Services Packets from OpenVPN Server to WAN
iptables -t mangle -I INPUT -i br0 -p tcp -d 192.168.0.2/32 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -I INPUT -i br0 -p tcp -d 192.168.0.3/32 -j MARK --set-mark 0x8000/0x8000
Code:
# service restart_webdav
Done.
# opkg install nginx-ssl
Installing nginx-ssl (1.19.2-1a) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/nginx-ssl_1.19.2-1a_armv7-2.6.ipk
Configuring nginx-ssl.
Code:
# vi /opt/etc/nginx/nginx.conf
user nobody;
worker_processes auto;
events {
worker_connections 512;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 75; # client
keepalive_requests 100; # client
server {
listen 192.168.0.2:80;
server_name $host;
root /opt/share/nginx/html;
proxy_ssl_server_name on; # sni
location / {
resolver 103.86.99.100;
proxy_bind $server_addr;
proxy_pass https://$host$request_uri;
proxy_redirect https:// http://;
proxy_set_header Accept-Encoding ""; # Needed by sub_filter to disable gzip compression
sub_filter_types text/javascript text/css text/xml;
sub_filter 'https:' 'http:';
sub_filter_once off;
}
}
server {
listen 192.168.0.3:80;
server_name $host;
root /opt/share/nginx/html;
proxy_ssl_server_name on; # sni
location / {
resolver 103.86.99.100;
proxy_bind $server_addr;
proxy_pass https://$host$request_uri;
proxy_redirect https:// http://;
proxy_set_header Accept-Encoding ""; # Needed by sub_filter to disable gzip compression
sub_filter_types text/javascript text/css text/xml;
sub_filter 'https:' 'http:';
sub_filter_once off;
}
}
# HTTPS Servers
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server {
listen 192.168.0.2:443 ssl;
server_name $host;
return 302 http://$host$request_uri; # Redirect All HTTPS Requests to Nginx HTTP Listener
ssl_certificate /etc/cert.pem;
ssl_certificate_key /etc/key.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
proxy_ssl_trusted_certificate /opt/etc/ssl/cert.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
proxy_ssl_server_name on; # sni
location / {
resolver 103.86.99.100;
proxy_bind $server_addr;
proxy_pass https://$host$request_uri;
proxy_redirect https:// http://;
proxy_set_header Accept-Encoding ""; # Needed by sub_filter to disable gzip compression
sub_filter_types text/javascript text/css text/xml;
sub_filter 'https:' 'http:';
sub_filter_once off;
}
}
server {
listen 192.168.0.3:443 ssl;
server_name $host;
return 302 http://$host$request_uri; # Redirect All HTTPS Requests to Nginx HTTP Listener
ssl_certificate /etc/cert.pem;
ssl_certificate_key /etc/key.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
proxy_ssl_trusted_certificate /opt/etc/ssl/cert.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
proxy_ssl_server_name on; # sni
location / {
resolver 103.86.99.100;
proxy_bind $server_addr;
proxy_pass https://$host$request_uri;
proxy_redirect https:// http://;
proxy_set_header Accept-Encoding ""; # Needed by sub_filter to disable gzip compression
sub_filter_types text/javascript text/css text/xml;
sub_filter 'https:' 'http:';
sub_filter_once off;
}
}
}
Code:
# /opt/etc/init.d/S80nginx start
Nginx started.
# netstat -anp|grep :80
tcp 0 0 192.168.0.3:80 0.0.0.0:* LISTEN 11919/nginx: master
tcp 0 0 192.168.0.2:80 0.0.0.0:* LISTEN 11919/nginx: master
tcp 0 0 192.168.0.1:80 0.0.0.0:* LISTEN 258/httpd
# netstat -anp|grep :443
tcp 0 0 192.168.0.3:443 0.0.0.0:* LISTEN 11919/nginx: master
tcp 0 0 192.168.0.2:443 0.0.0.0:* LISTEN 11919/nginx: master
tcp 0 0 192.168.0.1:443 0.0.0.0:* LISTEN 10157/lighttpd
Code:
# vi /jffs/scripts/post-mount
#!/bin/sh
sleep 30
# Force Lighttpd (Webdav) to Reload Modified Config
. /jffs/scripts/lighttpd.postconf
# Add Virtual IP Addresses to br0
#/sbin/ifconfig br0:0 192.168.0.2
/usr/sbin/ip addr add 192.168.0.2/24 brd + dev br0:0
/usr/sbin/ip addr add 192.168.0.3/24 brd + dev br0:1
# start all Entware services
/opt/etc/init.d/rc.unslung start
NOTICE: If you appreciated this Tutorial, you might also like my Guide on [SOLVED] OpenVPN Client Split Tunnel for BitTorrent Traffic.
Last edited: