x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


I'm just duplicating the script and running it without any other scripts. Using it as a standalone script.
Good news. That confirms the implementation approach I'm going to use. Since the iptables commands are VPN server related, the VPN server should drive the creation of the iptables rules.

Until I write the script to automate the process, install openvpn-event script using option 4.

Then, insert the iptables command in the /jffs/scripts/x3mRouting/vpnserverX-up file (e.g. vpnserver1-up) and bounce VPN file. The script will run when the VPN server is started.

Similarly, a /jffs/scripts/x3mRouting/vpnserver1-down script containing the iptables command to delete the chain will be required to remove the rule when the vpn server is disabled.
 
@Xentrk , this should not apply if I'm currently using option 3 of your script correct? Everything is working as expected.
 
Q. Do you host an OpenVPN Server?

If you don't, then the answer is NO.
 
I was able to complete the script for routing all VPN Server 1 or 2 traffic to a VPN Client (Not on GitHub yet). Stay tuned.

Route all VPN Server 1 traffic to VPN Client 5. Usage:
Code:
sh /jffs/scripts/x3mRouting/route_all_server.sh 1 5

As mentioned in previous threads, an entry is also required in the Policy Routing Section of the OpenVPN Client GUI in addition to the iptables rule:
Code:
vpnclient1 10.8.0.0/24 0.0.0.0  VPN

Where I ran into issues is the selective routing of VPN server traffic thru the VPN Client interface using an IPSET list. I thought I had it working earlier in the day. But, I think I had a routing rule for all traffic that I didn't realize which gave me a false positive. I made sure to use the --set-xmark syntax in the iptables rule. I'll take a look at it later this week.
 
What happens if you simply skip the DNS and specify the 'pandora.com' IP address 208.85.40.20?

FYI, based in the UK, I have VPN Client 3 routed via US, and the following
Code:
iptables -t mangle -A PREROUTING -i tun21 -m set --match-set PANDORA dst -j MARK --set-xmark 0x4000/0x4000

allows any inbound OpenVPN Server 1 client to be routed outbound via VPN Client 3 if the target IP is defined in the PANDORA IPSET.

Just successfully tested it.
Code:
iptables -nvL PREROUTING -t mangle --line

Chain PREROUTING (policy ACCEPT 17752 packets, 8276K bytes)
num   pkts bytes target     prot opt in     out     source               destination
   
<snip>
8     2260  149K MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x4000
Also, the appropriate OpenVPN Server subnet(s) (in my case both) 10.8.0.0/24 and 10.16.0.0/24 are also included in the VPN Client 3 Selective routing table
Code:
ip route show table 113

10.10.0.61 dev tun13  proto kernel  scope link  src 10.10.0.62
10.16.0.0/24 dev tun22  scope link
10.8.0.0/24 dev tun21  scope link
10.88.8.0/24 dev br0  proto kernel  scope link  src 10.88.8.1
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.88.8.3
default via 10.10.0.61 dev tun13
Good news is I have routing of all VPN Server 1 traffic to a VPN Client tunnel with success.

I'm not able to duplicate your success with routing IPSET lists. I'm trying to route tun21 traffic to tun 115 using PANDORA ipset list using the command below:

Code:
iptables -t mangle -A PREROUTING -i tun21 -m set --match-set PANDORA dst -j MARK --set-xmark 0x3000/0x3000

What is puzzling is I see packets traversing chain 14:
Code:
iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 1649 packets, 253K bytes)
num   pkts bytes target     prot opt in     out     source               destination
<snip>
11       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set MOVETV dst MARK or 0x3000
12       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set CBS_WEB dst MARK or 0x3000
13       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x3000
14      37  1924 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x3000

But I can't access pandora.com or any other websites from a browser. It behaves this way even if I have the VPNServer1 entry in the Policy Rules section of the VPN Client 5 screen as shown below:

(screenshot: VPN Server 1 entry in the Policy Rules section of the VPN Client 5 screen)

I have to remove the iptables rule and the VPN Server 1 entry on the GUI to restore web browser access. I can ping 8.8.8.8. Following is my routing table:

Code:
ip route
1xx.xx.xxx.xx dev ppp0  proto kernel  scope link
10.31.0.9 dev tun13  proto kernel  scope link  src 10.31.0.10
10.24.0.17 dev tun11  proto kernel  scope link  src 10.24.0.18
10.35.0.25 dev tun15  proto kernel  scope link  src 10.35.0.26
10.37.0.5 dev tun12  proto kernel  scope link  src 10.37.0.6
192.168.22.0/24 dev br0  proto kernel  scope link  src 192.168.22.1
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
123.254.0.0/16 dev eth0  proto kernel  scope link  src 123.254.81.53
127.0.0.0/8 dev lo  scope link
default via 1xx.xx.xxx.xx dev ppp0

Code:
ip route show table 115
default via 10.35.0.25 dev tun15

Is there an ip route command I also need to enter?
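The vpnserver1-up / vpnserver1-down event scripts described earlier in the thread, together with a check of the VPN Client's policy routing table, as one added example (this is not x3mRouting's own code). The check is prompted by comparing the two listings in the thread: table 113 above carries the 10.8.0.0/24 and 10.16.0.0/24 server subnets next to its default route, while the table 115 listing here holds only the default route. The interface, subnet, table number, fwmark and IPSET name at the top are assumptions for a VPN Server 1 to VPN Client 3 setup and must be edited for your router; DRY_RUN=1 prints the commands instead of running them so the change can be reviewed first.

```shell
#!/bin/sh
# Added example, not x3mRouting's own code: one script that can serve as both
# /jffs/scripts/x3mRouting/vpnserver1-up and vpnserver1-down (copy it under
# both names, or call it with "up" / "down").  It adds or removes the mangle
# rule from the thread that marks OpenVPN Server traffic whose destination is
# in an IPSET, and makes sure the VPN Client's policy routing table carries a
# route back to the server subnet, as table 113 in the thread does.
# Assumed values (edit for your setup):
SERVER_IF=${SERVER_IF:-tun21}            # OpenVPN Server 1 interface
SERVER_NET=${SERVER_NET:-10.8.0.0/24}    # OpenVPN Server 1 subnet
CLIENT_TABLE=${CLIENT_TABLE:-113}        # VPN Client 3 policy routing table
FWMARK=${FWMARK:-0x4000/0x4000}          # fwmark used for VPN Client 3 in the thread
IPSET=${IPSET:-PANDORA}                  # IPSET of destinations to route

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Rule spec built in one place so add, check and delete can never drift apart.
# It is expanded unquoted on purpose so the words become separate arguments.
mark_rule() {
  echo "PREROUTING -i $SERVER_IF -m set --match-set $IPSET dst -j MARK --set-xmark $FWMARK"
}

# Exit 0 if the mark rule is already loaded (iptables -C checks for a rule).
# In dry-run mode the rule is assumed absent so the add command is shown.
rule_present() {
  [ "${DRY_RUN:-0}" = 1 ] && return 1
  iptables -t mangle -C $(mark_rule) >/dev/null 2>&1
}

# Print each subnet in $2.. that has no route in the routing-table dump $1.
# Takes the dump as text so it can be checked without touching the kernel.
missing_routes() {
  dump=$1; shift
  for net in "$@"; do
    pat=$(printf '%s' "$net" | sed 's/\./\\./g')
    printf '%s\n' "$dump" | grep -q "^$pat " || echo "$net"
  done
}

# Add the server subnet to the client table when it only holds the default
# route, mirroring the "10.8.0.0/24 dev tun21 scope link" line of table 113.
ensure_server_routes() {
  dump=$(ip route show table "$CLIENT_TABLE" 2>/dev/null || true)
  for net in $(missing_routes "$dump" "$SERVER_NET"); do
    run ip route add "$net" dev "$SERVER_IF" table "$CLIENT_TABLE"
  done
}

vpnserver_up() {
  if ! rule_present; then run iptables -t mangle -A $(mark_rule); fi
  ensure_server_routes
}

vpnserver_down() {
  if [ "${DRY_RUN:-0}" = 1 ] || rule_present; then
    run iptables -t mangle -D $(mark_rule)
  fi
  run ip route del "$SERVER_NET" dev "$SERVER_IF" table "$CLIENT_TABLE"
}

# Dispatch on an explicit argument, or on the name the script was called by.
case "${1:-$(basename "$0")}" in
  up|vpnserver*-up)     vpnserver_up ;;
  down|vpnserver*-down) vpnserver_down ;;
esac
```

Run it once as `DRY_RUN=1 sh vpnserver1-up up` to see the exact iptables and ip route commands it would issue before letting openvpn-event call it for real.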
 
Xentrk, I apologize in advance for bugging you again. I just signed up for disneyplus service (similar to Netflix & Prime) but I cannot get it to load due to VPN. I tried to follow your other examples and loaded the following commands to the nat-start with no luck:

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 DISNEYPLUS_WEB disneyplus.com
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 DISNEYPLUS AS16509

I'm sure I'm doing something wrong, as always. Any info is greatly appreciated.
 
@Kingp1n - I didn't even realize that there may be an issue with Disney+ and VPN - it just worked for me from the get go on the WAN interface. I have Amazon US:
Code:
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON_US US
and ASN16509 (which is Amazon too and you already have it)
Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 AMAZON_16509 AS16509
and it works well. The only other thing that I see there is Akamai at ASN20940 (which I don't need.) Good luck!
 
I noticed my amazon prime doesn't work anymore. I think this could be the issue, but I already have this line inside nat-start with no luck:

sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON_US US

I'm not sure what the issue may be.

UPDATE: I restarted router and everything started working again, haha! Go figure!
 
There are probably additional domain names you need to use. I also read yesterday that Disney+ was crashing due to unexpected demand.

Go to the Disney + website and right click and select view source code. Search for ".net" and ".com" to see the domains they are using.

You can also use the getdomainnames.sh script as described on the https://github.com/Xentrk/netflix-vpn-bypass README page to mine domain names.

EDIT: I did an nslookup on disneyplus.com and it returned several IPv4 addresses that belong to AMAZONAWS AS16509. So the AMAZON_US ipset list should cover it. I may do a trial subscription this weekend to check it out myself.
 
Disney + is working as intended. For some odd reason, I cannot access letgo.com or the app after adding the rule below inside the nat start script:

Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ 0 LETGO us.letgo.com

I'll keep searching some more....
 
The rule should be:

Code:
 sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 LETGO us.letgo.com

...and then it works.
 
Hello All,
Having some issues with this script, hoping I can get some assistance. I first set this up about 3 months ago and have been having issues with Netflix since I set it up; fortunately Hulu and Amazon Video worked well enough that my family was not complaining too much about the issues with Netflix. I recently added Disney+ to the mix and was getting a message that the content is locked by region. I added the code shared by @Kingp1n:

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 DISNEYPLUS_WEB disneyplus.com
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 DISNEYPLUS AS16509

and I am now able to access the Disney+ content. Thank you @Kingp1n!!!

So now that I had a little spare time I decided to work on my Netflix issue to see if I could not get that working as well.

When I first set the script up I used Method 3, and I attempted the ASN configuration for Netflix with the following code:

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906

This did not work for me. While going through this forum and the previous forum that @Xentrk had set up, I found a thread that said that some people were having trouble with the ASN method and it was recommended to try the DNSMASQ method, and some people needed both the DNSMASQ and ASN method to get Netflix to work. At the time I was a little pressed for time, so I skipped deleting the ASN code and just added the DNSMASQ code by adding the following line:

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIX amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

After adding this, Netflix somewhat worked: some things would play, and for some things I would get a message that I was behind a proxy or VPN; sometimes things would start to play and then in the middle of them I would get the proxy or VPN message. This morning, as I stated, since I had some more time I started working on Netflix a little more with the hopes of resolving the issues. I started by running the following commands to delete all IPsets and routing entries for Netflix:

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906 del
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIX amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net del

I then confirmed that this was deleted by attempting to view Netflix content on my FireTV and got the proxy or VPN message on every show that I attempted. I then reran the DNSMASQ code to test that method alone with the following command:

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIX amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

This yielded the same result: some things played, others kicked the proxy or VPN error message. That said, it seems that far more things work now than did before deleting the Netflix IPsets and routing table entries.

I then removed the DNSMASQ configuration by again running the del form of the above line and attempted to put the ASN method back in. When I did that, the following text came up in the console:

-AC88U-1300:/jffs/scripts/x3mRouting# sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
(load_ASN_ipset_iface.sh): 10145 Starting Script Execution
(load_ASN_ipset_iface.sh): 10145 IPSET created: NETFLIX hash:net family inet hashsize 1024 maxelem 65536
ipset v6.32: Error in line 1: Syntax error: cannot parse create: resolving to IPv4 address failed
(load_ASN_ipset_iface.sh): 10145 Selective Routing Rule via WAN created for NETFLIX (TAG fwmark 0x8000/0x8000)
(load_ASN_ipset_iface.sh): 10145 Ending Script Execution

I am far from an expert in this stuff; in fact I am very new to this. It is my first time using 3rd party firmware and adding 3rd party scripts to my router, but it looks like there is a syntax error in the code that is preventing it from parsing the ipset and it cannot resolve the IPv4 addresses. After running this I again tested Netflix and nothing would play; I got the VPN / Proxy error message for everything. For the time being I ran the del command on the ASN and reconfigured the DNSMASQ method and am running it that way, but would like to resolve the issues with the items that will not play as some of them are family favorites. Any assistance with getting this issue resolved is GREATLY appreciated.
 
@DiFran01, I run x3mRouting at 2 different geographic locations with different Internet providers. The outcome is based on location and Internet provider, so my limited exposure tells me that there is no one size fits all solution for this.

What seems to have helped during the initial setup process was starting with known working rules and figuring out what's missing. For that part, @Xentrk's write-ups are the essence:
1. https://github.com/Xentrk/netflix-vpn-bypass
2. https://github.com/Xentrk/x3mRouting - Helpful Tips, Validation and Troubleshooting section.

For me at one location Netflix works reliably with only the AS2906 rule. At the other one I needed to add the Internet provider's specific ASN and ASN40027 which contains a subset of the 45.57.x.x range not included in ASN2906:

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX_40027 AS40027

Good luck!
 
@Torson Thank you for the reply. I was able to use the Helpful Tips, Validation and Troubleshooting section of @Xentrk's write-up to determine the ASN numbers for Netflix; I then added them one at a time until all the Netflix shows played. Everything is working now.

Thank you everyone for all your hard work and outstanding support with this script!!!
 
I have not seen anyone else report the ipset error before. I did a search and found a thread from 2012 where someone reported the issue when the domain had a dash in it. If you get the error in the future, please turn on debug mode by removing the comment (#) on the line that says "set -x" and copy/paste the output several lines before and after the error.

I suspect the reason some people have to expand the ASN for Netflix is due to Netflix CDN or Open Connect network where content is cached on servers closer to the user. There are some articles on the web about it. Here is one example:

https://media.netflix.com/en/compan...e-globe-to-deliver-a-great-viewing-experience
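An added example, not x3mRouting's own code, for the ipset error reported above. For a `hash:net family inet` set, ipset tries to resolve any element it cannot parse as an IPv4 address or CIDR as a hostname, and reports "resolving to IPv4 address failed" naming the token it choked on ("create" in the output above). The filter below lets only well-formed IPv4 entries reach `ipset restore` and reports the rest on stderr, so a bad line in a prefix list is visible instead of aborting the whole load. The set name and the sample prefix list are constructed here; the create parameters are the ones load_ASN_ipset_iface.sh printed in the thread.

```shell
#!/bin/sh
# Added example, not x3mRouting's own code: validate a prefix list before it
# is handed to ipset, so one unparseable element cannot break the restore.

# Exit 0 if $1 is a.b.c.d or a.b.c.d/n with every octet <= 255 and 0 <= n <= 32.
valid_ipv4_cidr() {
  addr=${1%/*}
  plen=${1#*/}
  [ "$plen" = "$1" ] && plen=32            # no "/n" given: a host address
  printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  case $plen in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
  return 0
}

# Read one prefix per line on stdin and print an "ipset restore" batch for
# set $1, skipping blank lines, "#" comments and anything the check rejects.
# Rejected entries are reported on stderr rather than silently dropped.
ipset_batch() {
  name=$1
  echo "create $name hash:net family inet hashsize 1024 maxelem 65536"
  while read -r entry; do
    case $entry in ''|\#*) continue ;; esac
    if valid_ipv4_cidr "$entry"; then
      echo "add $name $entry"
    else
      echo "skipped unparseable entry: $entry" >&2
    fi
  done
}

# Constructed sample list: two valid prefixes, an IPv6 prefix, a stray word
# (the token named in the thread's error) and a malformed address.  Only the
# two valid prefixes must reach ipset.
SAMPLE_PREFIXES='45.57.0.0/17
2620:108:700f::/48
create
198.38.96.0/19
999.1.1.1'

# Usage on the router (not run here); -exist keeps an already loaded set from
# being reported as an error:
#   printf '%s\n' "$SAMPLE_PREFIXES" | ipset_batch NETFLIX_TEST | ipset -exist restore
```

Replace the constructed `SAMPLE_PREFIXES` with the output of whatever produces your ASN prefix list, and inspect the stderr lines before loading: they are the entries that would otherwise have produced the "cannot parse" error.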
 
Wanted to bring this to your attention: on your new version, when you exit the menu, this line is presented as an argument.

Code:
/opt/bin/x3mRouting: line 674: syntax error: unterminated quoted string
 
I fixed that a few minutes ago. I discovered that error too when I tested some updates I am making. You should see an option to update the x3mRouting menu. The error will appear when you exit the menu after making the update but you shouldn't get it again after that.
 
A new update has been added to x3mRouting

[4] ~ Install route_all_vpnserver.sh

Provides the ability to route all VPN Server traffic to one of the VPN Clients. You must pass the VPN Server interface number as the first parameter and the VPN Client interface as the second parameter. You can also specify an optional third parameter to delete the rule. You only have to run the script one time as the rules will automatically start at system boot.

Prerequisite
The route_all_vpnserver script requires that the openvpn-event script included in the x3mRouting project also be installed. The installation script will check if openvpn-event is installed and prompt you to install it if it does not exist.

It is also required that you manually enter the VPN Server IP address in CIDR format in the OpenVPN Client Screen in the Policy Routing section and route the traffic to the VPN Client. Following is an example for VPN Server 1:

(screenshot: VPN Server 1 subnet entry in the Policy Routing section of the OpenVPN Client screen)

Usage example:

Code:
sh /jffs/scripts/x3mRouting/route_all_vpnserver.sh   {[1|2] [1|2|3|4|5]} [del]

Route VPN Server 1 traffic to VPN Client 5

Code:
sh /jffs/scripts/x3mRouting/route_all_vpnserver.sh 1 5

Delete rules to route VPN Server 1 traffic to VPN Client 5

Code:
sh /jffs/scripts/x3mRouting/route_all_vpnserver.sh 1 5 del

IMPORTANT!
You must also delete the VPN Server entry from the OpenVPN Client Screen in the Policy Routing section or you will have problems accessing websites.

GitHub Link:
https://github.com/Xentrk/x3mRouting#4--install-route_all_vpnserversh

To update, type x3mRouting at the prompt and select option 9 to update the menu. The script will be option #4.
 
@Xentrk, 2 observations on version 1.0.2:
- the route_all_vpnserver.sh script is downloaded under option 5 of the menu (not 4 as indicated)
Code:
Option ==> 4
openvpn-event downloaded successfully

Installation of x3mRouting OpenVPN Event completed
Press enter to continue
and
Code:
Option ==> 5
route_all_vpnserver.sh downloaded successfully

Press enter to continue
- I try to route VPNServer 1 traffic to VPNClient 1; here is the outcome:
Code:
sh /jffs/scripts/x3mRouting/route_all_vpnserver.sh 1 1
Error! Expecting a 1 thru 5 for VPN Client Instance\n

However, that works for VPNClient 2:
Code:
sh /jffs/scripts/x3mRouting/route_all_vpnserver.sh 1 2

Done.
 
Thanks. It should be a quick fix. I broke it during an update.

EDIT: Fixed the menu & route_all_vpnserver error checking!
 