x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


It works! Thanks for that!

Is it possible to route only when connecting to certain IP?

Say for example route to PPTP only when a local client is connecting to a specific outside IP 192.10.100.20. But when connecting to other sites, use WAN.
If you issue
Code:
ip rule
you will see the RPDB rules for Selective Routing and the order in which they are processed.

You can manually issue
Code:
ip rule add to 192.10.100.20 table 99 prio 8000
so that the explicit destination RPDB rules take precedence.

P.S. Probably best to continue this in the L2TP thread!
 
Okay, so I think I have x3mRouting working on my setup, but I have a question. I understand that this script selectively routes traffic between the VPN and the WAN based on the IP that it is going to. After getting my VPN set up and getting these scripts working, I ran a DNS Leak Test and found that I am not connecting to my VPN's DNS server. If I change the Force Internet Traffic through tunnel setting from Policy Rules (Strict) to No, my DNS leak goes away, but the selective routing scripts do not work; if I set it to Policy Rules (Strict), the selective routing script works but my DNS leak comes back. Below are the policy rules that I have set; am I missing something?



Any assistance resolving this DNS Leak is greatly appreciated.
 
You need to also set Accept DNS Configuration = Exclusive with Policy Rules (Strict) enabled to force clients connected to the VPN Client to exclusively use the DNS pushed by the VPN server.
 
I finished testing the script to route VPN Server traffic to IPSET lists last night and everything is working. For next steps, I need to update the x3mRouting menu to add the option to install the script and document the instructions on the README page. My goal is to complete the tasks in the next day or two.
 
What if you're using Diversion? Will changing it to Exclusive make Diversion not work correctly?
 
@Xentrk, Accept DNS Configuration is set to Exclusive; still not working.
 
What if you're using diversion? Will changing it to Exclusive will make diversion not work correct?
Correct. DNSMASQ is bypassed when using Accept DNS Configuration = Exclusive + Policy Rules.
 
@Kingp1n I am not using diversion but good point for people that may be.
The other point I forgot to mention is my provider recently started using Cloudflare DNS in the same geo location as the VPN server. As a result, the DNS leak test sites show my DNS is leaking even though it is using the DNS specified by the VPN server.

I mention the two workaround solutions on the Selective Routing blog post.
 
New Update: Route OpenVPN Server traffic to an OpenVPN Client via an IPSET list.

You must update the menu to get the new option. You can select Option 9 (now option 10 with the new menu) to update the menu or issue the command below in an SSH session.
Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/x3mRouting/master/x3mRouting" -o "/opt/bin/x3mRouting" && chmod 755 /opt/bin/x3mRouting && x3mRouting

I also pushed an update to option 4 - route_all_vpnserver.sh. Select option 4 to get the updated script.

[5] ~ Install route_ipset_vpnserver.sh

Provides the ability to route VPN Server traffic to one of the VPN Clients via an IPSET list. You must pass the VPN Server interface number as the first parameter and the IPSET list name as the second parameter. You can also specify an optional third parameter to delete the rule. You only have to run the script one time as the rules will automatically start at system boot.

Prerequisite

The route_ipset_vpnserver.sh script requires that the openvpn-event script included in the x3mRouting project also be installed. The installation script will check if openvpn-event is installed and prompt you to install it if it does not exist.

Usage example:

Code:
sh /jffs/scripts/x3mRouting/route_ipset_vpnserver.sh {[1|2]} [IPSET_LIST] [del]

Route VPN Server 1 traffic to the VPN Client specified by the existing x3mRouting rule for the PANDORA IPSET list:

Code:
sh /jffs/scripts/x3mRouting/route_ipset_vpnserver.sh 1 PANDORA

Delete the rules that route VPN Server 1 traffic to the VPN Client specified by the existing x3mRouting rule for the PANDORA IPSET list:
Code:
sh /jffs/scripts/x3mRouting/route_ipset_vpnserver.sh 1 PANDORA del
Requirements
  1. The IPSET list must exist!
  2. A PREROUTING rule must currently exist so the script can determine the VPN Client to route to!
 
New Update: Route OpenVPN Server traffic to an OpenVPN Client via an IPSET list.

Code:
[1]  Install x3mRouting for LAN Clients
[2]  Install x3mRouting OpenVPN Client GUI & IPSET Shell Scripts
[3]  Install x3mRouting IPSET Shell Scripts
[4]  Install route_all_vpnserver.sh
[5]  Install route_ipset_vpnserver.sh
[6]  Install x3mRouting OpenVPN Event
      ** Install Option 6 if you have installed Method 1 + Method 3
[7]  Check for updates to existing x3mRouting installation
[8]  Force update existing x3mRouting installation
[9]  Remove x3mRouting Repository
[e] Exit Script
Option ==> 5
/opt/bin/x3mRouting: line 690: Install_Route_IPSET_Vpnserver: not found

/openvpn-event file was not found.

The openvpn-event file is required for route_all_server.sh script to work.
Would you like to download openvpn-event now?
[1]  --> Yes
[2]  --> No

[1-2]: 1
openvpn-event downloaded successfully
Update Complete!
/opt/bin/x3mRouting: line 658: syntax error: unexpected "}"
 
I fixed it a few minutes ago.
 
Fixed this one yet?

Code:
Routing_Rules() {

  VPN_SERVER_INSTANCE=$1
  IFACE=$2
  IPSET_NAME=$3
  TAG_MARK=$4
  DEL_FLAG=$5

  # Get VPN Server Subnet Mask
  VPN_SERVER_IP=$(nvram get vpn_server"$VPN_SERVER_INSTANCE"_sn)
  # POSTROUTING CHAIN
  IPTABLES_POSTROUTING_DEL_ENTRY="iptables -t nat -D POSTROUTING -s $VPN_SERVER_IP/24 -o $IFACE -j MASQUERADE 2>/dev/null"
  IPTABLES_POSTROUTING_APP_ENTRY="iptables -t nat -A POSTROUTING -s $VPN_SERVER_IP/24 -o $IFACE -j MASQUERADE"
  # PREROUTING CHAIN
  IPTABLES_PREROUTING_DEL_ENTRY="iptables -t mangle -D PREROUTING -i tun21 -m set --match-set $IPSET_NAME dst -j MARK --set-xmark $TAG_MARK 2>/dev/null"
  IPTABLES_PREROUTING_APP_ENTRY="iptables -t mangle -A PREROUTING -i tun21 -m set --match-set $IPSET_NAME dst -j MARK --set-xmark $TAG_MARK"
 
New Update: Route OpenVPN Server traffic to an OpenVPN Client via an IPSET list.

Amazing, can't wait to test it! A few questions, though.

Requirements
The IPSET list must exist!

>> Do we have a public repo that keeps track of all the necessary domains we need to use for IPSETs?

A PREROUTING rule must currently exist so the script can determine the VPN Client to route to!

>> Is this referring to the Policy Based Routing options via the GUI? Or do we need to manually create the rule?

An ELI5 / "very advanced VPN routing for dummies" example would be needed.
 
Fixed this one yet?

Yikes! I was not aware there was an issue with the code since it is working for me. Please let me know what the issue is and I'll fix it when I get home from work tonight.

Following are the chains created by the code (including the existing PREROUTING rule used by LAN clients for PANDORA):
Code:
# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 13213 packets, 16M bytes)
num   pkts bytes target     prot opt in     out     source               destination
<snip>
13       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x3000
14       0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x3000
Code:
# iptables -nvL POSTROUTING -t nat --line
Chain POSTROUTING (policy ACCEPT 3 packets, 718 bytes)
num   pkts bytes target     prot opt in     out     source               destination
<snip>
10       0     0 MASQUERADE  all  --  *      tun15   10.8.0.0/24          0.0.0.0/0
 
Amazing, can't wait to test it! Few questions tho

Requirements
The IPSET list must exist!

>> Do we have a public repo that keeps track of all the necessary domains we need to use for IPSETs?
I only have them listed on the README for the ones I personally use. Mining dnsmasq is the primary technique I use. Looking at the website source code is another. If people want to share domains for lists they have created, I can create a Wiki on the project to document them.

A PREROUTING rule must currently exist so the script can determine the VPN Client to route to!
It was my understanding that users wanted to selectively route VPN Server traffic to a rule already set up for an IPSET list for LAN clients. As a result, you must first have created the routing rule for LAN clients for the IPSET list using one of the built-in x3mRouting scripts, e.g. sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 5 PANDORA pandora.com. The route_ipset_vpnserver.sh script will use the same VPN Client specified by the existing LAN rule to create the routing rule for VPN Server clients. In development, I routed PANDORA traffic to VPN Client 5. The route_ipset_vpnserver.sh script will then query the existing rule to get the VPN Client and use the same VPN Client for VPN Server traffic. I will need to update the code for the user to specify the VPN Client instance if you want to specify a different VPN Client for VPN Server traffic vs. LAN traffic.

ELI5/Very Advanced VPN routing for dummies example would be needed
I am currently collaborating with @Martineau to update the nvram backup and restore utility and am close to completing it. Once done, my plan is to devote more time to writing content for my blog site. First on the list is to write a Part 2 article to the Policy Rule Routing on Asuswrt-Merlin Firmware post and explain ipset lists. Unfortunately, my time is very limited these days as I work full time. But I am committed to completing it as I do have some of it already started. There is some good information buried on the forum, but a search is required to find the posts. The goal of developing the x3mRouting project was to remove much of the technical information required by the user and simplify things.
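The lookup described above (the new script reads the fwmark of the existing br0 PREROUTING rule for the IPSET list and reuses it for VPN Server traffic) can be reconstructed in a few lines of POSIX shell. This is an added example, not x3mRouting's own code: the iptables listing is constructed after the one posted earlier in the thread, the fwmark-to-interface rows other than 0x3000/tun15 are assumed from the Asuswrt-Merlin convention, and the 10.8.0.0 server subnet stands in for the nvram lookup.

```shell
#!/bin/sh
# Added example (not x3mRouting project code): find which VPN Client an existing
# LAN (br0) PREROUTING rule sends an IPSET list to, then emit the VPN Server rules
# the way route_ipset_vpnserver.sh does. Listing is constructed, not captured.
SAMPLE_PREROUTING='Chain PREROUTING (policy ACCEPT 13213 packets, 16M bytes)
num   pkts bytes target     prot opt in     out     source               destination
13       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x3000
15       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set HULU dst MARK or 0x8000'

# fwmark -> tunnel interface. 0x3000 -> tun15 (VPN Client 5) is the pairing the
# thread shows; the other rows follow the firmware convention and are assumed.
mark_to_iface() {
  case "$1" in
    0x1000) echo tun11 ;;  # VPN Client 1
    0x2000) echo tun12 ;;  # VPN Client 2
    0x4000) echo tun13 ;;  # VPN Client 3
    0x7000) echo tun14 ;;  # VPN Client 4
    0x3000) echo tun15 ;;  # VPN Client 5
    0x8000) echo wan   ;;  # WAN bypass: there is no VPN Client to follow
    *) return 1 ;;
  esac
}

# Print the fwmark of the br0 PREROUTING rule for IPSET list $1 in listing $2
# (empty output if none). Field 7 is 'in', NF-4 the set name, NF the mark.
ipset_mark() {
  printf '%s\n' "$2" | awk -v name="$1" \
    '$7 == "br0" && $(NF-5) == "match-set" && $(NF-4) == name { print $NF; exit }'
}

# $1 = VPN Server instance (1|2), $2 = IPSET list, $3 = PREROUTING listing.
# Prints the two iptables commands; fails if no usable LAN rule exists.
vpnserver_rules() {
  mark=$(ipset_mark "$2" "$3")
  [ -n "$mark" ] || { echo "no br0 PREROUTING rule for $2" >&2; return 1; }
  iface=$(mark_to_iface "$mark") || { echo "unknown fwmark $mark" >&2; return 1; }
  [ "$iface" != wan ] || { echo "$2 is routed to WAN; nothing to do" >&2; return 1; }
  server_net=10.8.0.0   # constructed; a real script uses $(nvram get vpn_server${1}_sn)
  # --set-xmark MARK/MARK ORs the bit in, which the listing displays as 'MARK or'
  printf 'iptables -t mangle -A PREROUTING -i tun2%s -m set --match-set %s dst -j MARK --set-xmark %s/%s\n' \
    "$1" "$2" "$mark" "$mark"
  printf 'iptables -t nat -A POSTROUTING -s %s/24 -o %s -j MASQUERADE\n' "$server_net" "$iface"
}

vpnserver_rules 1 PANDORA "$SAMPLE_PREROUTING"
```

Run it on a real router by replacing the constructed listing with the output of iptables -nvL PREROUTING -t mangle --line; the WAN and missing-rule cases return non-zero instead of emitting rules.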
 
Ping @kman, you got it to work, right? Can you share all your steps and scripts so @Xentrk could do his magic?

Not sure if this is still required, but I used load_DNSMASQ_ipset_iface.sh as a standalone script in
/jffs/scripts/x3mRouting/ and added it to nat-start.

I updated Create_Routing_Rules() in load_DNSMASQ_ipset_iface.sh to include the rules.

Code:
# Route IPSET to target WAN or VPN
Create_Routing_Rules() {

  IPSET_NAME=$1

  iptables -t mangle -D PREROUTING -i br0 -m set --match-set "$IPSET_NAME" dst -j MARK --set-mark "$TAG_MARK" >/dev/null 2>&1
  # VPN Server 1
  iptables -t mangle -D PREROUTING -i tun21 -m set --match-set "$IPSET_NAME" dst -j MARK --set-mark "$TAG_MARK" >/dev/null 2>&1
  iptables -D POSTROUTING -t nat -s "$(nvram get vpn_server1_sn)/24" -o tun11 -j MASQUERADE >/dev/null 2>&1

  if [ "$2" != "del" ]; then
    iptables -t mangle -A PREROUTING -i br0 -m set --match-set "$IPSET_NAME" dst -j MARK --set-mark "$TAG_MARK"
    # VPN Server 1
    iptables -t mangle -A PREROUTING -i tun21 -m set --match-set "$IPSET_NAME" dst -j MARK --set-mark "$TAG_MARK"
    iptables -I POSTROUTING -t nat -s "$(nvram get vpn_server1_sn)/24" -o tun11 -j MASQUERADE

    logger -st "($(basename "$0"))" $$ Selective Routing Rule via "$TARGET_DESC" created for "$IPSET_NAME" TAG fwmark "$TAG_MARK"
  else
    logger -st "($(basename "$0"))" $$ Selective Routing Rule via "$TARGET_DESC" deleted for "$IPSET_NAME" TAG fwmark "$TAG_MARK"
  fi
}
 
The route_ipset_vpnserver.sh script puts the -D and -A rules in the /jffs/scripts/x3mRouting/vpnserverX-up file and the -D rules in the /jffs/scripts/x3mRouting/vpnserverX-down file. This way, the rules will get created when the VPN server is started and deleted when the VPN server goes down.

Easy to overlook, but the --set-mark should be changed to --set-xmark for the PREROUTING rule. Anyway, you can use the script I wrote instead and remove the hacks from the load_DNSMASQ_ipset_iface.sh script or do a force update to revert back.
 