Tutorial [TUTORIAL] Domain (Policy) based routing with ipset and dnsmaq

[mkaand]

Hi Everyone,

This is my first post in this forum but I am actively developing some shell scripts for DD-WRT at their forum since 2006 with same username. I bought ASUS RT-AX86U a week ago and I flashed with Merlin's firmware. I have a little bit complex system first I will explain my network and I will share my experience about domain based (policy based) routing. I use following sources to achieve this. Many thanks for all community.

Sources:

• https://github.com/RMerl/asuswrt-merlin.ng/wiki/Custom-domains-with-dnsmasq
• https://www.snbforums.com/threads/route-certain-domains-through-client-vpn.49451/#post-439430
• https://www.snbforums.com/threads/using-ipset-to-selectively-route-domains-to-a-vpn-client.41560/
• https://www.snbforums.com/threads/how-to-make-dnsmasq-and-ipset-affect-router.59872/
• https://www.snbforums.com/threads/s...affic-using-nginx-dnsmasq-and-iptables.67546/

My network has two routers:

Main Router ASUS RT-AX86U with Merlin's firmware and second router TP-Link WR1043ND V2. DDWRT (192.168.50.2 WAN) on it. DDWRT broadcasting VPN HUB and VPNBook [USA] SSIDs. If I connect to VPN HUB (192.168.1.1) only selective domains redirects to OpenVPN (Free VPNBook Service), If I connect to VPNBook [USA] (192.168.2.1) all traffic goes to VPNBook VPN Service. Let's talk about main router ASUS RT-AX86U:

Main router has 192.168.50.1 and JFFS enabled. I added some static routes like:

I followed above sources first DHCP clients should get main router IP as DNS (192.168.50.1). I created /jffs/configs/dnsmasq.conf.add file and of course I did chmod a+rx /jffs/configs/* dos2unix /jffs/configs/*
Here is the content of dnsmasq.conf.add

ipset=/planetdp.org/whatismyip.org/pandora.com/paypal.com/pastebin.com/tunein.com/snbforums.com/ipset_V4
address=/test.com/192.168.0.1

I added test.com just for testing purpose. I want to make sure dnsmasq working or not. As you can see I created ipset_V4 for all traffic I want to redirect to VPN. If dnsmasq is working correctly while you are pinging you should see 192.168.0.1

Second I added firewall script. I created /jffs/scripts/firewall-start file with following content:

#!/bin/sh
touch  /tmp/000firewall-start
logger "Applying firewall-start rules."

ipset create ipset_V4 hash:net family inet hashsize 1024 maxelem 65536
iptables -I PREROUTING -t mangle -m set --match-set ipset_V4 dst -j MARK --set-mark 10012
ip rule add prio 100 fwmark 10012 lookup 100
ip route add table 100 default via 192.168.50.2
touch /tmp/000firewall-stop

After startup, ipset and dnsmasq is working perfectly. I had some minor issues about static DHCP clients. You should make sure all clients should get 192.168.50.1 as a DNS not 1.1.1.1 or other public DNS. I am sending this post via VPN. I need your advice for improvment:

I have another VPN Server in Scaleway Amsterdam. I can easily make connection with secret.key Point to Point. Server is 10.10.3.1 and ASUS Router will gets 10.10.3.2. They can ping each other. But I want to create another virtual WLAN and lets say VPN [Amsterdam]. If I connect this SSID all traffic should goes via 10.10.3.1. How can I do that? I already did that on DDWRT but I want to that at Asus Merlin. Thanks in advance.

 

[eibgrad]

I just want to be sure I fully understand this config (esp. given its relative complexity), because sometimes users leave out important details that might influence my recommendations.

I assume the two OpenVPN clients are running on the primary router (Merlin, 192.168.50.1), and NOT the dd-wrt router (if only because I know dd-wrt only supports a single instance of the OpenVPN client in the GUI). And therefore I assume that you've configured the WAN of dd-wrt in Router mode (rather than the default Gateway mode), which disables NAT across its WAN and exposes the two networks behind the dd-wrt router (192.168.1.x and 192.168.2.x) to the Merlin router. In that way, you can use PBR (policy based routing) w/ the Merlin OpenVPN clients to dictate how those two networks behave in the presence of those VPNs. And finally, the static routes are necessary in order for traffic from 192.168.1.1.x and 192.168.2.x to be routed back to the dd-wrt's WAN (192.168.50.2).

Assuming all the above is correct, your static routes should be as follows:

192.168.1.0 255.255.255.0 192.168.50.2 ...
192.168.2.0 255.255.255.0 192.168.50.2 ...

This probably has no direct impact on your immediate questions, but I find it best to first correct obvious mistakes, *just* in case it does.

You then mention this PTP (point-to-point) VPN you've established w/ your VPS (Scaleway). And want to bind it to a VAP on the Merlin router. One of Merlin's limitations (by design) is that you can only add VAPs as guest networks. And those guest networks share the same local IP network as the private network. What separation exists is presumably managed through a combination of AP isolation and/or level-2 firewall (ebtables). And because of that, and afaik, you can't readily distinguish guests from the private network, at least not strictly based on source IP, which is required in order for PBR to work.

IOW, Merlin is NOT like what you've come to expect w/ dd-wrt (or tomato for that matter), where you create a new VAP, with its own unique IP network (e.g., 192.168.3.0/24), its own DHCP server, etc, and which makes PBR possible based on that network. Such distinctions are not possible. Not unless you're prepared to define static leases in DHCP which bind specific devices intended for this new VPN based on their MAC address. So you now have assurance about which IPs are associated w/ the guest network. But that seems like it might be a hassle to maintain.

Because of these design limitations in Merlin, other members have developed scripts to add more traditional VLANs, VAP, etc., to enhance its capabilities (can't recall specifically off-hand, but I'm sure others will provide specifics regarding these scripts). But like anything outside the immediate scope of the firmware, just how well these scripts work, how reliable they are, or how easy they are to manage, is just something you'd need to investigate. It's for these reasons that whenever I need VLANs and VAPs, I usually revert back to dd-wrt or tomato (preferred) since these capabilities are *native* to those firmwares.

 

[mkaand]

Hi eibgrad,

Thank you very much for your comments. First I need to correct some information:
I assume the two OpenVPN clients are running on the primary router (Merlin, 192.168.50.1),
No, I draw my network scheme to easy understand. Only one VPN client running on Asus Merlin (to Scaleway Point to Point). VPNBook OpenVPN client is running on DDWRT. Because I wrote some advanced rules. DDWRT every 30 minutes checks VPNBook connection, If connection dropped, restarts to DDWRT router and also it checks actual password via VPNBook twitter account. If password change, I set new password on nvram and reboot. I automatized everything

My issue mainly related with Scaleway (my OpenVPN Server). I have solid connection point to point 10.10.3.1 and 10.10.3.2. As you said not easy to create VPAs on Merlin, but I can create many of them on DDWRT. If you can help me I can create new isolated unbridged VAP on DDWRT let's say VPN [Scaleway] 192.168.3.1. If you can tell me correct routes and iptables rules, I can redirect all traffic from 192.168.3.0/24 to 10.10.3.1. This is what I want now.

I found out my above code needs a little bit improve. If no body checks DNS query for selective domains, It seems like routing doesn't work. Maybe at the beginning I should auto nslookup for these domains.

Here is the my network layout:

 

[mkaand]

Hi Everyone,

I need help for my Point to Point OpenVPN policy based route. My first VPN on DDWRT working perfectly and I can send selective traffic to DDWRT router from Main ASUS Merlin router. Problem between my ASUS router (OpenVPN Client) and my Scaleway (VPS). I use secret key and create connection between ASUS router and my remote server no problem. If I choose redirect all traffic, my all traffic from home goes to Scaleway. I want to selective routing for this connection. I tried to do same think for my other VPN (VPNBook) but it doesn't work. What I did:

Here is the my dnsmasq.postconf file:

#!/bin/sh
VAR1="ipset=/"

for DOMAIN in `cat /jffs/scripts/ipset.txt`
    do 
        VAR1="$VAR1${DOMAIN}/"
    done

echo "${VAR1}ipset_V4">> /etc/dnsmasq.conf

VAR2="ipset=/"

for DOMAIN in `cat /jffs/scripts/scaleway.txt`
    do 
        VAR2="$VAR2${DOMAIN}/"
    done

echo "${VAR2}scaleway_V4">> /etc/dnsmasq.conf
echo "address=/doubleclick.net/ads.youtube.com/adserver.yahoo.com/iobit.com/apowersoft.com/tonec.com/registeridm.com/internetdownloadmanager.com/imazing.com/127.0.0.1">> /etc/dnsmasq.conf

ipset.txt includes domain names that will be redirect to VPNBook (USA). It works perfectly but scaleway.txt which includes domain names for redirect to my VPNServer at Scaleway doesn't work. This file alters dnsmasq.conf.
and my firewall-start file is:

#!/bin/sh
touch  /tmp/000firewall-start
sleep 5
logger "Applying firewall-start rules."
iptables -I INPUT -i `nvram get wan0_ifname` -s 51.15.79.80/32 -p ICMP --icmp-type 8 -j logaccept

ipset create ipset_V4 hash:net family inet hashsize 1024 maxelem 65536
ipset create scaleway_V4 hash:net family inet hashsize 1024 maxelem 65536

iptables -I PREROUTING -t mangle -m set --match-set ipset_V4 dst -j MARK --set-mark 10011
ip rule add prio 101 fwmark 10011 lookup 101
ip route add table 101 default via 192.168.50.2

iptables -I PREROUTING -t mangle -m set --match-set scaleway_V4 dst -j MARK --set-mark 10012
ip rule add prio 102 fwmark 10012 lookup 102
ip route add table 102 default via 10.10.3.1 dev tun11

# Do nslookup for all lines in ipset_V4.txt
for LINE in `cat /jffs/scripts/ipset.txt`
do
      nslookup $LINE
done

# Do nslookup for all lines in scaleway.txt
for LINE in `cat /jffs/scripts/scaleway.txt`
do
      nslookup $LINE
done


touch /tmp/000firewall-stop

Problem is on scaleway_V4. I changed following line, couple of times but it didn't work:
ip route add table 102 default via 10.10.3.1 dev tun11

I fixed this issue with changing OpenVPN client custom config (see below). But I don't like this solution. How can I fix this issue with ip set - ip route?

allow-pull-fqdn
route snbforums.com 255.255.255.255 vpn_gateway
route planetdp.org 255.255.255.255 vpn_gateway
route pastebin.com 255.255.255.255 vpn_gateway
route ipnedir.com 255.255.255.255 vpn_gateway
route tunein.com 255.255.255.255 vpn_gateway

 

[mkaand]

Hi Guys,

Can anyone help me for above issue? Thanks.