Whitelist specific websites and online games with OpenVPN?

swealpha

Hello!

Do you guys know if it is possible to whitelist some specific websites and online games when using OpenVPN?

For example, no need to use VPN when using Netflix or playing games.


Thank you great people!!
:)
 
Oh I see, that seems to be a big project.

I wish Merlin had something that is as easy as dd-wrt's solution.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1158919#1158919

If you can copy'n'paste a script to the router and make it executable, then it is not a big project at all.

RMerlin firmware allows selective routing of IPs via the GUI, but unlike your DD-WRT example it does not support URLs/Domains.


So the problem is you need to collate and enter ALL the IPs currently used by a domain, but even then you are limited to the max 100 entries.
(Netflix uses hundreds of IPs)

Using @Xentrk's script, you can easily configure the router to automatically achieve your requirements.
e.g. simply run the script to route ALL reddit.com IPs via the WAN
Code:
./Xentrk_Martineau_IPSET_Domains.sh 0 REDDIT reddit.com

(Xentrk_Martineau_IPSET_Domains.sh): 17027 Starting Script Execution
(Xentrk_Martineau_IPSET_Domains.sh): 17027 IPSET created: REDDIT hash:net family inet hashsize 1024 maxelem 65536
(Xentrk_Martineau_IPSET_Domains.sh): 17027 CRON schedule created: #REDDIT# '0 2 * * * ipset save REDDIT'
(Xentrk_Martineau_IPSET_Domains.sh): 17027 Selective Routing Rule via WAN created (TAG fwmark 0x8000/0x8000)
(Xentrk_Martineau_IPSET_Domains.sh): 17027 Completed Script Execution
At this point no further action is required, ALL IPs associated with 'reddit.com' will automatically be routed via the WAN rather than the VPN.

...but you may wish to manually confirm the current configuration.

The number of IPs retrieved for 'reddit.com' will probably be zero at this point...
Code:
ipset list REDDIT

Name: REDDIT
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 316
References: 1
Number of entries: 0
If you now manually force a reference to 'reddit.com', as the script has configured dnsmasq to automatically retrieve any IP address(es) associated with 'reddit.com', you can see in real-time if it works...
Code:
nslookup reddit.com
 
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
Name:      reddit.com
Address 1: 151.101.1.140
Address 2: 151.101.65.140
Address 3: 151.101.129.140
Address 4: 151.101.193.140
and hopefully dnsmasq has retrieved the current four IP addresses for routing via the WAN
Code:
ipset list REDDIT
 
Name: REDDIT
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 540
References: 1
Number of entries: 4
Members:
151.101.65.140
151.101.193.140
151.101.1.140
151.101.129.140
 
I have been trying to get this to work for a specific IP (dvd.netflix.com) but have not been successful. For those who have Netflix, this is the DVD section of the site. @Xentrk's Netflix script works well for streaming but for some reason it doesn't work for this particular section of the site.

Fortunately, when I use nslookup dvd.netflix.com, I only get one IP address. I tried the policy rules via and placed the IP of the above domain into the source IP (and WAN) but still can't access it.

@Martineau - I tried to use your above post to build a similar code into my /jffs/scripts/nat-start but I couldn't get it to work:

Code:
./Xentrk_Martineau_IPSET_Domains.sh 0 DVDNetflix www.dvd.netlfix.com

Anything I am doing wrong?

Thank you for your help!
 
If the domain 'www.dvd.netflix.com' truly resolves to a single IP address
Code:
nslookup www.dvd.netflix.com

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
Name:      www.dvd.netflix.com
Address 1: 207.45.72.201

Code:
nslookup dvd.netflix.com

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
Name:      dvd.netflix.com
Address 1: 207.45.72.201
then if manually adding the single IP to the Selective routing GUI doesn't work, then presumably the IP address probably isn't a single entity or you are missing another associated URL/domain?

If however you are concerned that your IPSET DVDNetflix apparently isn't being populated, then this is probably because there may already be an existing dnsmasq directive that extracts any '*.netflix.com' ?
e.g. on my system it appears I already have:
Code:
ipset=/netflix.com/NETFLIX
entry...as shown by the following entry found in 'dnsmasq.log'
Code:
Mar 10 21:48:32 dnsmasq[32249]: ipset add NETFLIX 207.45.72.201 www.dvd.netflix.com
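
Added example (not from the thread or from the x3mRouting scripts): a small POSIX shell helper that lists every dnsmasq `ipset=` directive whose domain list covers a given hostname, which is the check the reply above does by hand. The config is a constructed sample; `sample_conf` and `ipset_matches` are names invented here, and the REDDIT and DVDNetflix lines assume what the script runs shown in this thread would write, with the DVDNetflix domain taken exactly as typed in the command above.

```shell
#!/bin/sh
# Added example: which dnsmasq 'ipset=' directives cover a hostname?
# Directive format as quoted in the thread: ipset=/<domain>[/<domain>...]/<set>

# Constructed sample config. Lines 1-2 are directives quoted in the thread;
# lines 3-4 are assumptions about what the script runs shown there would write
# (line 4 uses the domain exactly as typed in the DVDNetflix command).
sample_conf() {
cat <<'EOF'
ipset=/netflix.com/NETFLIX
ipset=/amazonaws.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/x3mRouting_NETFLIX_DNSMASQ
ipset=/reddit.com/REDDIT
ipset=/www.dvd.netlfix.com/DVDNetflix
EOF
}

# ipset_matches HOST   (dnsmasq config on stdin)
# Prints "SET DOMAIN" for every directive domain that equals HOST or is a
# parent domain of it (suffix match on a label boundary, so 'netflix.com'
# covers 'www.dvd.netflix.com' but not 'notnetflix.com').
ipset_matches() {
    awk -v host="$1" '
    BEGIN { host = tolower(host); sub(/\.$/, "", host) }   # normalise case, drop root dot
    /^ipset=\// {
        n = split(substr($0, 8), part, "/")   # strip the 7-char "ipset=/" prefix
        sets = part[n]                        # last field is the set name(s)
        for (i = 1; i < n; i++) {
            d = tolower(part[i])
            if (d == "") continue
            hl = length(host); dl = length(d)
            if (host == d || (hl > dl && substr(host, hl - dl) == ("." d)))
                print sets, d
        }
    }'
}

# Demo on the constructed sample; on a router, pipe the real dnsmasq config in.
sample_conf | ipset_matches www.dvd.netflix.com
```

No output for a hostname means no directive covers it, so dnsmasq has nothing to add for that name; more than one line means several directives cover the same name and each set should be checked with `ipset list`.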
 
@Marin, what script are you using?

In the IPSET_Netflix.sh script, I am pulling down AS2906 for Netflix IPv4 addresses. dvd.netflix.com belongs to another AS Number - AS394406. So, it is not included.
You can manually add it to the x3mRouting_NETFLIX ipset list using the syntax @Martineau posts above. e.g. ipset add x3mRouting_NETFLIX 207.45.72.201

However, the IPv4 address will get wiped out during a refresh.

In IPSET_Netflix_Domains.sh, lines with the reference
Code:
ipset=/amazonaws.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/x3mRouting_NETFLIX_DNSMASQ
would need to be modified to include the dvd.netflix.com domain:

Code:
ipset=/amazonaws.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/dvd.netflix.com/x3mRouting_NETFLIX_DNSMASQ

If you manually update the ipset list domain names in dnsmasq.conf.add to include dvd.netflix.com, remember to bounce dnsmasq so it takes effect.

service restart_dnsmasq

Those are the workarounds for now. I have to fix one issue with the code. While in there, I can look into including dvd.netflix.com.
 
Thank you for your reply. It is interesting that I am able to access Netflix main site and stream movies using the Selective Routing for Netflix script but when I try to access this particular category on the same site, I can’t. When I turn off the VPN, I am able to without any issues.



 
Hi @Xentrk,

I have only used the IPSET_Netflix.sh script and it has worked really well for me.

I will try what you advise and see if it works. This is all very good info, I really appreciate it!!

Thank you to both!!


 
Posting more info on this on the Selective Netflix Routing thread.
 
