x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

Easy to overlook, but the --set-mark should be changed to --set-xmark for the PREROUTING rule.
Why? o_O

As explained here, you potentially risk 'unsetting' the bit that you wish explicitly to be set.
 
Thank you! I misunderstood as the original example you posted used --set-xmark. But later on I see you recommend that @kman change the reference to --set-mark. I'll review the links and explanation you posted in more detail this upcoming weekend.
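
The difference between the two MARK options discussed above, as an added example that is not part of the original posts. It models the bit operations documented for `--set-mark` and `--set-xmark` and reports which previously set bits each one clears; every mark and mask value is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): model what the iptables MARK target
# does to a packet's firewall mark, per iptables-extensions(8):
#   --set-xmark value[/mask]  zero the bits in mask, then XOR value in
#   --set-mark  value[/mask]  zero the bits in mask, then OR  value in
# An omitted mask means 0xFFFFFFFF. All values below are constructed.

M32=$((0xFFFFFFFF))

# set_xmark CURRENT VALUE [MASK] -> resulting mark in hex
set_xmark() {
    cur=$(( $1 )); val=$(( $2 )); mask=$(( ${3:-0xFFFFFFFF} ))
    printf '0x%x\n' $(( ((cur & ~mask) ^ val) & M32 ))
}

# set_mark CURRENT VALUE [MASK] -> resulting mark in hex
set_mark() {
    cur=$(( $1 )); val=$(( $2 )); mask=$(( ${3:-0xFFFFFFFF} ))
    printf '0x%x\n' $(( ((cur & ~mask) | val) & M32 ))
}

# lost_bits BEFORE AFTER -> bits that were set before and are clear after
lost_bits() {
    printf '0x%x\n' $(( $1 & ~$2 & M32 ))
}

# compare CURRENT VALUE [MASK]: print both results and what each one cleared
compare() {
    x=$(set_xmark "$@"); m=$(set_mark "$@")
    echo "mark=$1 arg=$2${3:+/$3}  xmark->$x (lost $(lost_bits "$1" "$x"))  mark->$m (lost $(lost_bits "$1" "$m"))"
}

compare 0x0    0x7000 0x7000   # clean packet: both options agree
compare 0x7000 0x7000 0x1000   # value wider than mask: XOR flips set bits off
compare 0x8001 0x7000          # no mask: both overwrite every existing bit
compare 0x8001 0x7000 0x7000   # value/value mask: other bits survive
```
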
 
Updates to route_all_vpnserver.sh and route_ipset_vpnserver.sh have been pushed to the repository. Select options 4 and 5 to update.
Code:
[4]  Install route_all_vpnserver.sh
[5]  Install route_ipset_vpnserver.sh

Updates include:
  • Updated some error messages
  • Standardized name of parameters for VPN Server and VPN Client
  • Changed how rules are deleted if the 'del' parameter is specified
  • Changed --set-xmark reference to --set-mark
  • Other minor updates
 
Code:
[1]  Install x3mRouting for LAN Clients
[2]  Install x3mRouting OpenVPN Client GUI & IPSET Shell Scripts
[3]  Install x3mRouting IPSET Shell Scripts
[4]  Install route_all_vpnserver.sh
[5]  Install route_ipset_vpnserver.sh
[6]  Install x3mRouting OpenVPN Event
      ** Install Option 6 if you have installed Method 1 + Method 3
[7]  Check for updates to existing x3mRouting installation
[8]  Force update existing x3mRouting installation
[9]  Remove x3mRouting Repository
[e] Exit Script
Option ==> e
   https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin
                      Have a Grateful Day!
           ____        _         _                         
          |__  |      | |       | |                        
    __  __  _| |_ _ _ | |_  ___ | | __    ____ ____  _ _ _ 
    \ \/ / |_  | ` ` \  __|/ _ \| |/ /   /  _//    \| ` ` \
     /  /  __| | | | |  |_ | __/|   <   (  (_ | [] || | | |
    /_/\_\|___ |_|_|_|\___|\___||_|\_\[] \___\\____/|_|_|_|

/opt/bin/x3mRouting: line 691: syntax error: unexpected "esac"
Furthermore, you still haven't fixed the 'hard-coded' error in post #255
 
I am in the UK and certain clients are forced to use a vpn client in the gui, with this x3m script is this the command I need to use to get bbc iplayer traffic for those certain clients to use the wan instead of the vpn ?:

Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 BBC_WEB bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net,llnwd.net

Also for these clients I have a rule so they can only go out through the vpn, can this be modified so bbc/amazon prime etc traffic is allowed or will I have to remove it.


Code:
iptables -I FORWARD -o ppp0 -s 192.168.0.25 -j DROP

Many thanks
 
I can't duplicate the line 691 error. Try downloading the menu using the command below and let me know if you still get the error.
Code:
 /usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/x3mRouting/master/x3mRouting" -o "/opt/bin/x3mRouting" && chmod 755 /opt/bin/x3mRouting && x3mRouting

What is the "hard coded" error in post #255 you are referring to? I thought it was the reference to --set-xmark and changed it to --set-mark. Thank you.
 
The syntax for the DNSMASQ for BBC is correct.

Rather than using the iptables DROP command, use the Policy Routing feature built into the OpenVPN Client Screen.

Configure LAN to use the VPN interface and the Router to use WAN interface
A common configuration where you want your entire LAN to go through the VPN, but not the router itself.

Code:
LAN_IPs    192.168.1.0/24    0.0.0.0    VPN
Router     192.168.1.1       0.0.0.0    WAN

Amazon Prime video also blocks known VPN servers or at least limits the content they can view. You may also have to use x3mRouting to route Amazon Prime traffic to the WAN interface.
 
Fixed this one yet?

Code:
Routing_Rules() {

  VPN_SERVER_INSTANCE=$1
  IFACE=$2
  IPSET_NAME=$3
  TAG_MARK=$4
  DEL_FLAG=$5

  # Get VPN Server Subnet Mask
  VPN_SERVER_IP=$(nvram get vpn_server"$VPN_SERVER_INSTANCE"_sn)
  # POSTROUTING CHAIN
  IPTABLES_POSTROUTING_DEL_ENTRY="iptables -t nat -D POSTROUTING -s $VPN_SERVER_IP/24 -o $IFACE -j MASQUERADE 2>/dev/null"
  IPTABLES_POSTROUTING_APP_ENTRY="iptables -t nat -A POSTROUTING -s $VPN_SERVER_IP/24 -o $IFACE -j MASQUERADE"
  # PREROUTING CHAIN
  IPTABLES_PREROUTING_DEL_ENTRY="iptables -t mangle -D PREROUTING -i tun21 -m set --match-set $IPSET_NAME dst -j MARK --set-xmark $TAG_MARK 2>/dev/null"
  IPTABLES_PREROUTING_APP_ENTRY="iptables -t mangle -A PREROUTING -i tun21 -m set --match-set $IPSET_NAME dst -j MARK --set-xmark $TAG_MARK"
I spotted the hard coded reference for tun21. I'll patch and push an update.
 
Update to route_ipset_vpnserver.sh has been made to remove the hard-coded reference to tun21 (VPN Server 1 instance) and make it a variable based on the VPN Server instance (1 or 2) specified by the user when running the script. Select option 5 from the x3mRouting menu to download the update.
 
I am not having any luck getting iplayer working, anyone got any advice? So far

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 BBC_WEB bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net,llnwd.net,bbciplayer.co.uk,bbciplayer.com

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 BBC_WEBAS2818 AS2818
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 BBC_WEBAS2313 AS2313

BBC_WEB - 75
BBC_WEBas2818 - 4
BBC_WEBas3213 - 12

edit: working now, must have been some time delay sure. Thanks!!
 
I just had a problem with Amazon Prime. It previously was working fine with those connections being routed to the WAN, but today, no go. Amazon was detecting that I was using a VPN. So I used AMTM to force an update of my x3mRouting config but still no go. So I manually deleted the Amazon ipset then reloaded it, and now it works. I would have thought forcing an update from AMTM would have accomplished the same thing. Am I missing something?
 
Whoot! My first attempt I had close to 100 domain names I harvested but was able to get it down to the eight I have posted on the GitHub page.
 
Once you download the IPSET list, the backup copy gets stored in /opt/tmp or the directory you specify. I went for more than one year with requiring any updates to the IPSET lists. So when I rolled out the project, I selected a 7 day interval for a forced update to take place whenever the script runs.

Running the script and specifying the "del" parameter and running the script again will give you an updated copy. If others have issues, I could change from 7 days to 24 hours. Another idea is to add a user parameter, such as the word "force", that will force a refresh if you specify the parameter when running the script. I'll chew on it for a while.
 
A further consideration... I'm not sure why you feel the need to have separate scripts with unnecessarily long names?

For all of your scripts, the first two args - the interface and IPSET name are mandatory, so passing directives to a single script should hopefully reduce the confusion for users as to which script they should be using, but more importantly you would save time by not having to maintain several very similar scripts.

e.g. Pseudo code logic for script - i.e. simply need to differentiate how the routed IPSET is populated:
Code:
IPSET_Select_Route.sh {interface} {ipset_name} ['ip='file_name | ip[,ip]...] ['dnsmasq='file_name | domain[,domain]...] ['asnum='file_name | asnum[,asnum]...] ['srcip='file_name | ip_or_cidr[,ip_or_cidr]...] ['dir='save_restore_location] ['server='n | 'both'] ['del'] ['new']

Manage_IPSET()     - If IPSET doesn't exist, then restore it if possible from 'dir=' location (unless 'new' provided) else create empty IPSET.
Manage_IPLIST()    - If 'ip=' provided, add IPs to IPSET.
Manage_dnsmasq()   - If 'dnsmasq=' provided, update /jffs/configs/dnsmasq.conf.add and restart dnsmasq.
Manage_ASNUM()     - If 'asnum=' provided, add retrieved ASNUMs to IPSET.
Manage_PASSTHRU()  - If 'server=' provided, then add/del MASQUERADE rule(s).
Manage_Firewall()  - Add/del firewall rule(s) and include '-s xxx.xxx.xxx.xxx' if 'srcip=' provided.

If IPSET updated, save backup to 'dir=' location.
Just a suggestion.
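
One way the directive list in the usage line above could be parsed, with the `server=` directive mapped to a tun interface instead of the hard-coded tun21 discussed earlier in the thread. This is an added example, not code from the post or from x3mRouting; the function names, the accepted interface range 1-5, the allow-list of characters and the tun22 mapping for Server 2 are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): parse the directive list from the
# usage line above and validate every value before it can be placed on an
# iptables/ipset command line. All function names are hypothetical.

# valid_name STRING: succeeds if STRING is usable as an IPSET name
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 31 ]              # ipset limits set names to 31 characters
}

# server_ifaces N|both: tun interface(s) for the OpenVPN server instance(s).
# tun21 = Server 1 is stated in the thread; tun22 = Server 2 is assumed.
server_ifaces() {
    case $1 in
        1|2)  echo "tun2$1" ;;
        both) echo "tun21 tun22" ;;
        *)    return 1 ;;
    esac
}

# parse_directives INTERFACE IPSET_NAME [directive]...
# Prints one key=value line per accepted setting; returns 2 on bad input.
parse_directives() {
    [ $# -ge 2 ] || { echo "need interface and ipset_name" >&2; return 2; }
    iface=$1; ipset=$2; shift 2
    case $iface in
        [0-5]) ;;                   # 0 = WAN as in the thread; 1-5 assumed
        *) echo "bad interface: $iface" >&2; return 2 ;;
    esac
    valid_name "$ipset" || { echo "bad ipset name: $ipset" >&2; return 2; }
    echo "iface=$iface"; echo "ipset=$ipset"
    for arg in "$@"; do
        case $arg in
            del|new)
                echo "$arg=1" ;;
            server=*)
                tuns=$(server_ifaces "${arg#server=}") ||
                    { echo "bad directive: $arg" >&2; return 2; }
                echo "server_ifaces=$tuns" ;;
            ip=*|dnsmasq=*|asnum=*|srcip=*|dir=*)
                val=${arg#*=}
                case $val in        # allow-list: no shell or option metacharacters
                    ''|-*|*[!A-Za-z0-9_.,:/-]*)
                        echo "bad directive: $arg" >&2; return 2 ;;
                esac
                echo "${arg%%=*}=$val" ;;
            *)
                echo "unknown directive: $arg" >&2; return 2 ;;
        esac
    done
}

# Constructed invocation, reusing domains and the address from the thread
parse_directives 0 BBC_WEB dnsmasq=bbc.co.uk,bbci.co.uk srcip=192.168.0.25 server=1
```
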
 
That is a very good suggestion! Great idea. It will greatly reduce the code footprint since many of the same functions are in many of the scripts and simplify the README instructions. I like it!
 
I just rebooted the router, verified that the VPN was up, updated the script to 6.9.2, then tried to play an Amazon video, and it said it detected that I was using a VPN. So I again tried to update the config in AMTM by doing a Force Update, tried Amazon, and it still failed. I then deleted the Amazon-US ipset, then reloaded it, and now Amazon plays. If I do a Force Update in AMTM, shouldn't that restore the config including updating the backup copies? For the reboot, I have the configs in the NAT-START script in case that matters.
 
@Xentrk, if I'm using an Asus node and give it static IP address (i.e. 192.168.1.2), would you recommend having the node going thru LAN as well vs VPN? I'm not sure if it matters but I'm curious if the node should fall under LAN or a VPN, or if it matters at all. Thanks!
 
The force update via AMTM will only update the x3mRouting menu. You have to update the scripts using the Option 7 - Check for updates or Option 8 - Force update existing x3mRouting installation.

Specifying the "del" parm to remove the routing for the IPSET list does not delete the backup/restore file. So when you delete and rerun the script, it still checks if the backup/restore file exists and will only update the ASN or Amazon IPSET list if it is more than 7 days old. As a result, to do a complete wipe, you will need to delete the backup/restore file from /opt/tmp or the directory you specified for the backup/restore location.

The reason I don't remove the backup/restore files is for the situation where the user wants to change the routing from one interface to another. I can add a feature to prompt the user if they also want to delete the backup/restore file.
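
The reuse-or-rebuild decision described above, as an added example that is not the project's code. It follows the stated behaviour (the backup is reused unless it is more than 7 days old) and adds the "force" keyword proposed earlier in the thread; the function name, the `NOW` override and the sample file are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): choose between reusing and
# rebuilding a saved IPSET list. It follows the behaviour described above
# (reuse the backup unless it is more than 7 days old) and adds the proposed
# "force" keyword. Function and variable names are hypothetical.

MAX_AGE_DAYS=7

# backup_action FILE [force] -> prints download | refresh | restore
# NOW (epoch seconds) may be set by the caller to make the check testable.
backup_action() {
    file=$1; force=${2:-}
    if [ ! -s "$file" ]; then
        echo download; return 0     # no usable backup: the list must be fetched
    fi
    if [ "$force" = force ]; then
        echo refresh; return 0      # caller bypasses the age check
    fi
    now=${NOW:-$(date +%s)}
    mtime=$(date -r "$file" +%s) || return 1
    if [ $(( now - mtime )) -gt $(( MAX_AGE_DAYS * 86400 )) ]; then
        echo refresh                # stale: rebuild and overwrite the backup
    else
        echo restore                # 'del' then re-run ends up here
    fi
}

# Constructed demo: a fresh backup file in a temporary directory
demo_dir=$(mktemp -d)
demo_file=$demo_dir/AMAZON-US       # constructed file name
echo "add AMAZON-US 192.0.2.0/24" > "$demo_file"   # constructed entry
echo "fresh backup:        $(backup_action "$demo_file")"
echo "fresh backup, force: $(backup_action "$demo_file" force)"
echo "same file 8 days on: $(NOW=$(( $(date +%s) + 8 * 86400 )) backup_action "$demo_file")"
rm -rf "$demo_dir"
echo "after deleting it:   $(backup_action "$demo_file")"
```
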
 
I don't have any Asus mesh node setup. But my guess is that you would configure it as the default which I believe is the LAN. Any device connected to the node would follow the routing rules on the primary router.
 
Sorry, I should have specified that I used option 8 to do the Force update. It did not fix my situation until I did the del cmd.
 
