VPN selective Routing for specific Websites and Apps

[Bambino]

Hello,
After some research I do not find how I can redirect the traffic of some websites and application with a vpn on all my devices. The rest of the traffic normally goes through my local network.
I have an Asus RT-AC68U with merlin.

- If I go through the openvpn interface by selecting the selective rules ,I have to create a rule for all my devices and for each site ?
- In the IP destination, how to do if the website has several IPs ?
- For the applications how to redirect all traffic, I have to analyze the urls sent by the application and redirect them ?
- Can the x3mRouting addon facilitate this ?

Thank you in advance for your help

 

[eibgrad]

- If I go through the openvpn interface by selecting the selective rules ,I have to create a rule for all my devices and for each site ?

Yes. You can NOT directly associate the rules to an app. It's YOU that has to make the correlation and create the appropriate rules based on source and/or destination IP.

- In the IP destination, how to do if the website has several IPs ?

You need a rule for each destination/remote IP. In some cases, it's possible to gather several IPs that share the same three octets (x.x.x.y) and convert them to a class C network (x.x.x.0/24) to minimize the number of rules (this assumes the entity owns that entire class C network, which is probably true).

- For the applications how to redirect all traffic, I have to analyze the urls sent by the application and redirect them ?
- Can the x3mRouting addon facilitate this ?

Yes. Although last I heard, x3mRouting had some incompatibilities w/ the new VPN Director.

 

[Bambino]

Thank you very much for your answer, I’ll try it. But the day when the IP linked to the domain changes, you will also need to update the IP each time. In addition, does the IP of websites often change automatically?

Another solution is to switch to DD-WRT, I read that we could directly set the rules for domain names (without IP).
Knowing that I have two asus router that are connected:

The router "A" is the main router. It runs on Merlin with several plugins.​

So on router "B" I switched it to merlin but I did not install any plugin because router "A" does all the work.​

If I switch Router "B" to DD-WRT I will continue to enjoy the benefits of Router "A" plugins?

Thank you

 

[eibgrad]

Thank you very much for your answer, I’ll try it. But the day when the IP linked to the domain changes, you will also need to update the IP each time. In addition, does the IP of websites often change automatically?

Depends on the website. Those with few IPs tend to remain consistent. Larger, mega-websites (Amazon, Netflix, etc.) tend to change more often.

Another solution is to switch to DD-WRT, I read that we could directly set the rules for domain names (without IP).

I work w/ DD-WRT (and FreshTomato) on a regular basis (in fact, more often than Merlin), and routinely consult w/ one of the developers @ DD-WRT (@egc) to help maintain and enhancement it, the most recent contribution being the new OpenVPN kill switch. So I'm very familiar w/ other third-party firmware.

When it comes to destination IPs and routing policy (at least if we're talking about OpenVPN), afaik, there is no formal support for it in DD-WRT. The policy rules you're allowed to define are strictly in terms of the source ip/network, NOT the destination ip/network. Not unless something changed recently I don't know about (it's possible, I don't monitor DD-WRT changes on a daily basis). I know @egc did add some enhancements to the PBR field in the past year or so, but I don't know the full extent of it.

That's where Merlin probably has the upper hand. At least you can include the destination IP (and *only* the destination IP if you so choose) for a policy rule. But you can't use a domain name.

Even if you could use a domain name, that is typically implemented by resolving the domain name at the time the rule is added. IOW, it's static. And as long as the OpenVPN client is running w/o interruption, any underlying changes to the domain name will NOT be detected! You would have to periodically restart the OpenVPN client process to pick up any such changes.

If you *only* need to route specific destination domains through either the WAN or VPN (without concern for the source ip/network), you can always use OpenVPN's built-in routing facility to do so. You simply add appropriate route directives to the OpenVPN client's customization field.

route cnet.com 255.255.255.255 vpn_gateway
route google.com 255.255.255.255 net_gateway

vpn_gateway and net_gateway (which means WAN/ISP gateway) are reserved words. At runtime, OpenVPN will resolve those domain names (and the value of those reserved words) and add routes to direct those domains either over the VPN or WAN/ISP.

But even here, that name resolution is still static. Should the public IP(s) associated w/ those domain names change, they will NOT be detected until you restart the OpenVPN client process.

This is a common problem when dealing w/ policy based routing, regardless of the firmware. In order to *dynamically*, and in realtime, detect any changes in the IPs associated w/ a given domain, you need to use a completely different set of procedures, typically using ipset. But there is no such capability at the moment for this in Merlin. And the DD-WRT documentation only shows how YOU can set it up. The only firmware I know of that supports ipset w/ policy based routing in the GUI is FreshTomato (and has done so for YEARS).

Unfortunately, policy based routing, in all its forms, is inherently complicated. And trying to compare one implementation to another isn't as simple as it may appear at first blush. For example, although you can use route directives (as I described above) w/ Merlin, Merlin *ignores* any route directives bound to the WAN/ISP (net_gateway) whenever you use the VPN Director! Instead, you have to create policy rules to bind destination IPs to the WAN. But then you lose access to domain names for those purposes. Then again, at least you can qualify it w/ source IP if you find the need.

As I said, it's complicated. It's taken me YEARS to learn and appreciate all the subtle differences between the various firmwares. They all have advantages and disadvantages. And it's VERY difficult to explain all those differences within a few paragraphs of this forum.

So be careful about any assumptions you may have drawn about whether one or the other firmware is better for policy based routing or the handling of domain names. One of the reasons I use/recommend different third-party firmware w/ different customers is precisely because every customer's needs can't be met w/ just one of them. Some are better than others depending on the specific requirements. I find they *all* can be awesome given the right conditions. But they all have serious limitations too. The trick (and what takes experience) is learning which is better suited to a given set of conditions.

Knowing that I have two asus router that are connected:

The router "A" is the main router. It runs on Merlin with several plugins.​

So on router "B" I switched it to merlin but I did not install any plugin because router "A" does all the work.​

If I switch Router "B" to DD-WRT I will continue to enjoy the benefits of Router "A" plugins?

I assume router B is connected to router A, WAN to LAN respectively. IOW, router B and A maintain their own separate IP networks. That's good for isolation purposes (e.g., a guest or IOT network) on router B. But the amount of benefit that router B's network will gain from Router A's services/features is questionable, since from router A's perspective, there's only one IP on its network associated w/ router B's network, and that's the WAN ip of router B. If some AddOn (or built-in feature) is offering QoS, for example, you can't distinguish individual clients of router B for the purposes of prioritization. You'd probably have to change router B from Gateway to Router mode (to disable NAT). And that can present its own set of issues.

In short, you will probably derive *some* benefit w/ that arrangement, but just how much compared to using router A as your primary local network is hard to say. It just depends on the feature or AddOn. Something you'll have to determine on a case by case basis. In general, I don't recommend this type of configuration when router B ends up being your primary, private network. It works better when router B is truly secondary, such as guest or IOT network. But that's your call.

 

[Bambino]

Depends on the website. Those with few IPs tend to remain consistent. Larger, mega-websites (Amazon, Netflix, etc.) tend to change more often.

Thank you very much for those valuable explanations. I was able to do my rules properly. But I have a problem that you have already had (I saw it after researching the forum). Using policy rules + Vpn leaked my dns address, while if all the traffic goes through the vpn, I have the dns of the vpn.
I didn’t find a solution. I use Unbound on the main router, and my vpn on the second router. Any idea?
Best regards

 

[eibgrad]

If you use policy rules, that necessarily takes the router itself off the VPN. It's just a side-effect of how that feature is implemented. As a result, it's likely any services being offered by the router are now bound to the WAN, at least by default (e.g., DNSMasq). For that reason, you need to make sure you specify Exclusive (preferred) or Strict for "Accept DNS configuration" on the OpenVPN client. This forces the router to use the DNS server(s) push'd by the OpenVPN server, which normally is/are bound to the VPN (if only because the DNS server's IP address normally falls within the same IP scope as the tunnel).

 

[HappyJuicy]

@eibgrad Thank you for your explanation. I have learned. I was also wandering why Dev isn<t implanting routing by domain name. I know why now.

for my part im trying to redirect tv.bell.ca to wan to bypass there restriction

cmd ping tv.bell.ca
got the ip
23.43.243.0/24 to wan via VPN director to get it work 90% of the time
anyway I can do it more effectively?

 

[eibgrad]

@eibgrad Thank you for your explanation. I have learned. I was also wandering why Dev isn<t implanting routing by domain name. I know why now.

for my part im trying to redirect tv.bell.ca to wan to bypass there restriction

cmd ping tv.bell.ca
got the ip
23.43.243.0/24 to wan via VPN director to get it work 90% of the time
anyway I can do it more effectively?

I recently developed a script for just that purpose. It was for another member who (apparently) lost interest. But I decided to see the development of the script to the end, and it's working quite well (if Netflix is any measure).

Exclude website from being routed to VPN (policy based routing)

Something to be aware of. With the new VPN Director, a few things have changed. For one thing, the router no longer allows any routing (whether that be a change in the default gateway, or route directives, whether push'd by the server or specified on the client config) to automatically be...

www.snbforums.com

 

[HappyJuicy]

I recently developed a script for just that purpose. It was for another member who (apparently) lost interest. But I decided to see the development of the script to the end, and it's working quite well (if Netflix is any measure).

Exclude website from being routed to VPN (policy based routing)

Something to be aware of. With the new VPN Director, a few things have changed. For one thing, the router no longer allows any routing (whether that be a change in the default gateway, or route directives, whether push'd by the server or specified on the client config) to automatically be...

www.snbforums.com

Thank you, will have to take a look to it next week.
Bookmarked

 

[Charles Wilkinson]

Hello,
After some research I do not find how I can redirect the traffic of some websites and application with a vpn on all my devices. The rest of the traffic normally goes through my local network.
I have an Asus RT-AC68U with merlin.

- If I go through the openvpn interface by selecting the selective rules ,I have to create a rule for all my devices and for each site ?
- In the IP destination, how to do if the website has several IPs ?
- For the applications how to redirect all traffic, I have to analyze the urls sent by the application and redirect them ?
- Can the x3mRouting addon facilitate this ?

Thank you in advance for your help

Hey Bambino,
I found this thread when doing my own research and so thought I would come back and share the solution I have whipped up. It's not perfect, but I think it does just what you want. It lets you route traffic to certain domains over the VPN exclusively. I run the same hardware as you and it seems to be working rather well so far:
https://charleswilkinson.co.uk/2021/11/21/asus-merlin-route-via-vpn-for-specific-destination-hosts/

Let me know if you try it

 

[steef84]

I've tried your script Charles Wilkinson, and its working for me.
However one drawback for me is that my own rules in VPN Director are removed after running the new rules are applied by your script.
Is this supposed to happen or it happens by error? As far as I understand your script only the different rules should be applied.
I applied about 6 custom rules in my network. Are the possibilities to exclude some rules to be deleted?

 

[Charles Wilkinson]

I've tried your script Charles Wilkinson, and its working for me.
However one drawback for me is that my own rules in VPN Director are removed after running the new rules are applied by your script.
Is this supposed to happen or it happens by error? As far as I understand your script only the different rules should be applied.
I applied about 6 custom rules in my network. Are the possibilities to exclude some rules to be deleted?

Yes, sorry - I should have been clear that it would replace any manually created rules. Maybe this weekend I will try to make it preserve them.

 

[Charles Wilkinson]

I've tried your script Charles Wilkinson, and its working for me.
However one drawback for me is that my own rules in VPN Director are removed after running the new rules are applied by your script.
Is this supposed to happen or it happens by error? As far as I understand your script only the different rules should be applied.
I applied about 6 custom rules in my network. Are the possibilities to exclude some rules to be deleted?

Ok, so I think I have fixed it. I have done limited testing, so let me know if it works ok for you
All generated rules get the prefix 'AUTO-DNS-' so the script can separate them from manually created rules.

 

[Charles Wilkinson]

Ok, so I think I have fixed it. I have done limited testing, so let me know if it works ok for you
All generated rules get the prefix 'AUTO-DNS-' so the script can separate them from manually created rules.

Ok, so NOW it’s working. Was fighting a weird bug where the manually created rules were being deleted only when the job ran in cron, not when run manually. Turned out to be a different PATH invoking different versions of grep. I thought I was going mad.

 

[steef84]

Nice to see you work so fast on it, thanks for that.
Just tried the adapted script. Script hangs for me at

/jffs/scripts/vpn_director_host_rules.sh: line 46: RULES: parameter not set

Only thing I configured is the domain nslookup needs to check. As far as I understand your script thats the only thing needs to be adjusted. According to your blog and 8-1-2022 update I can configure interface for each domain. I don't see how?
Got 2 VPN clients running, #3 and #1. Goal is to let your script leads traffic from specified domain run over client #1 only. Nicest would be specific internal IP client too. Can you clarify a bit more for me?

 

[kernol]

Ok, so NOW it’s working. Was fighting a weird bug where the manually created rules were being deleted only when the job ran in cron, not when run manually. Turned out to be a different PATH invoking different versions of grep. I thought I was going mad.

Suggest you open your own thread in the Merlin-Addons Forum [if not done already],
There are MANY folk seeking the exact solution you have now provided - several of them were using x3mRouting by Xentrk [who has "left the building"].

 

[Charles Wilkinson]

Nice to see you work so fast on it, thanks for that.
Just tried the adapted script. Script hangs for me at

/jffs/scripts/vpn_director_host_rules.sh: line 46: RULES: parameter not set

Only thing I configured is the domain nslookup needs to check. As far as I understand your script thats the only thing needs to be adjusted. According to your blog and 8-1-2022 update I can configure interface for each domain. I don't see how?
Got 2 VPN clients running, #3 and #1. Goal is to let your script leads traffic from specified domain run over client #1 only. Nicest would be specific internal IP client too. Can you clarify a bit more for me?

Sorry - I made a silly copy/paste error when updating my blog. Go fetch the script again and it should work.

I've replaced the list of hosts at the top with a list of 'rules'. A 'rule' is a hostname and an interface separated by '|' e.g. netflix.com|OVPN1

At the moment, you can't restrict to a specific client IP, but if I get some free time I may add that feature. You can always add a manual rule to send all traffic from a specific client over the VPN though.

 

[Charles Wilkinson]

Suggest you open your own thread in the Merlin-Addons Forum [if not done already],
There are MANY folk seeking the exact solution you have now provided - several of them were using x3mRouting by Xentrk [who has "left the building"].

I may do that
I was actually thinking of turning this into a proper addon with a GUI if I can find the time to learn how. Merlin's docs look pretty good, so I may give it a go.

 

[ComputerSteve]

I may do that
I was actually thinking of turning this into a proper addon with a GUI if I can find the time to learn how. Merlin's docs look pretty good, so I may give it a go.

why don't you just take over the x3mrouting script & build off that. I mean either would be good but doesn't that already have most of the work done. I just think it needs updating for VPN Director.

 

[steef84]

Fetched your script again, and now working as expected Charles. Nice job and thank you. Will keep an eye on your work on your blog and this forum for enhancements or anything. Will report if anything is found