
x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


„Both” is checked,

I created two vpn servers with absolutely the same configuration (double checked).

Only the vpn server with traffic directed via OpenVPN client with ipset setting enabled does not let me get in to my Lan network. Weird

But I am able to log in to my router - the 192.168.1.1 address works normally.

Edit:

Even if I change the server setting to LAN only, everything behaves in the same way. I can surf the internet but have no access to my home LAN network. It seems to be bypassed by the selective routing rule.

then I started making another rule that forces my VPN server to VPN client using ipset configuration of netflix.
Are you using one of the VPN Server to VPN Client Routing scripts included in x3mRouting e.g. route_all_vpnserver.sh and/or route_ipset_vpnserver.sh to perform the VPN server to VPN client routing? If so, if you remove the rules, can you then access your LAN devices?
 
[screenshot attachment]


Access to my Lan Clients comes back directly after removal of marked line.
 
Thank you. That gives me something to go on. My time is limited the next two days. But I will look into it.

To remove the rules, pass the "del" parameter to the script.

Code:
sh /jffs/scripts/x3mRouting/route_all_vpnserver.sh   {[1|2] [1|2|3|4|5]} [del]

Example:
Code:
sh /jffs/scripts/x3mRouting/route_all_vpnserver.sh 1 5 del
 
hello @Xentrk

I'm having some issues lately with my website selective routing, as the websites registered in my dnsmasq.conf.add won't exit through my openvpn client 1

dnsmasq.conf.add
Code:
ipset=/pandora.com/amazon_vpn
ipset=/ifconfig.io/amazon_vpn
ipset=/ford.com/amazon_vpn
ipset=/kohls.com/amazon_vpn
ipset=/starbucks.com/amazon_vpn
ipset=/app.starbucks.com/amazon_vpn
ipset=/ipinfo.io/amazon_vpn
ipset=/imgur.com/amazon_vpn
ipset=/cmyip.com/amazon_vpn
ipset=/disneyplus.com/amazon_vpn
ipset=/gfycat.com/amazon_vpn
ipset=/airbnb.com/amazon_vpn
ipset=/mediafire.com/amazon_vpn

my vpnclient1-route-up is
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn dir=/mnt/sda1/vpn_routes
logger -st "($(basename "$0"))" $$ Ending Script Execution

when I try to access, for example, ipinfo.io, I won't get my vpn ip address but my regular wan ip address.

running
Code:
ipset -L amazon_vpn && ip rule && iptables -nvL PREROUTING -t mangle --line
shows that ipinfo.io is actually being processed by the selective routing script but when devices access to it, they will do it with the regular wan connection and not the vpn client.
Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# vpncheck
Name: amazon_vpn
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 708
References: 1
Number of entries: 7
Members:
216.239.34.21
1.1.1.1
216.239.36.21
104.24.123.146
216.239.38.21
104.24.122.146
216.239.32.21
0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
Chain PREROUTING (policy ACCEPT 5592 packets, 1171K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      110 10882 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set amazon_vpn dst MARK or 0x1000
andresmorago@RT-AC3100-0548:/tmp/home/root#

this has been happening for some weeks and on all my devices. I made sure they all get my router as dns server
Code:
nslookup
Default Server:  router.asus.com
Address:  10.0.0.1

>

i will appreciate your help
 
please dismiss my last message. I'm an idiot and didn't check vpnclient status. it was down
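The situation in the two posts above (set populated, fwmark rule present, PREROUTING counters rising, yet traffic leaving via the WAN) can be checked in one pass. This is an added example, not part of the original posts or of x3mRouting; the function names and both routing-table dumps are constructed, and it assumes that a stopped client leaves table `ovpnc1` without a default route.

```shell
#!/bin/sh
# Added example, not x3mRouting code. It inspects captured command output so
# it runs offline; on a router, pass it the live output instead.

# Prints the entry count from `ipset -L <set>` text ($1), or 0 if none shown.
set_entries() {
    printf '%s\n' "$1" |
        awk -F': *' '/^Number of entries:/ { n = $2 } END { print n + 0 }'
}

# Succeeds if `ip rule` text ($1) has an fwmark rule that looks up table $2.
has_fwmark_rule() {
    printf '%s\n' "$1" |
        grep -Eq "fwmark 0x[0-9a-f]+(/0x[0-9a-f]+)? lookup $2[[:space:]]*\$"
}

# Prints the device of the default route in a routing-table dump ($1).
table_default_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# $1 = ipset listing, $2 = `ip rule` text, $3 = table name, $4 = table dump.
diagnose() {
    [ "$(set_entries "$1")" -gt 0 ] || { echo "set-empty"; return 1; }
    has_fwmark_rule "$2" "$3" || { echo "no-fwmark-rule"; return 1; }
    dev=$(table_default_dev "$4")
    # A table without a matching route is not an error: the kernel moves on
    # to the next rule (main here), so marked traffic leaves via the WAN.
    [ -n "$dev" ] || { echo "falls-through-to-main"; return 1; }
    echo "via-$dev"
}

# Excerpts of the output posted above; both table dumps are constructed.
SET_LIST='Name: amazon_vpn
Number of entries: 7'
RULES='0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main'
TABLE_UP='default via 10.8.0.1 dev tun11
10.0.0.0/24 dev br0 scope link'
TABLE_DOWN='10.0.0.0/24 dev br0 scope link'

echo "client up:   $(diagnose "$SET_LIST" "$RULES" ovpnc1 "$TABLE_UP")"
echo "client down: $(diagnose "$SET_LIST" "$RULES" ovpnc1 "$TABLE_DOWN")"
```

A `falls-through-to-main` result means marked traffic leaves unencrypted through the WAN; the ipset and iptables counters alone do not reveal it.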
 
I have some free time over the holidays where I can look at the issue in more depth.

Can you ping the devices? Just wonder if it is a related issue reported in this thread?

https://www.snbforums.com/threads/openvpn-issue.60558/#post-531860

But I suspect the iptables rule to route the VPN Server traffic to a VPN client has a higher priority than the rule to allow you to access LAN devices.
 
Hi,

The OpenVPN Client GUI is exhibiting some strange behaviors. Installed via amtm on an RT-AC68U running Merlin 384.14

All command line and script options work fine however.

 
I first connected to the router via VPN Server and was able to ping my Samsung TV. I ran the route_all_vpnserver.sh script to route all VPN Server traffic to the VPN Client 5 tunnel. I was unable to ping the Samsung TV. I was able to successfully ping it after I added another routing rule to give VPN Server traffic access to the router IP address.


Please test and see if that fixes the issue for you.
 

If you use the x3mRouting OpenVPN Client Screen & IPSET Shell Scripts Method, an update to the OpenVPN Client screen is required after performing an update to firmware version 384.14. To update, type x3mRouting at the command prompt and select option:

[7] Check for updates to existing x3mRouting installation.
 
I’ll check it out later.

Now I am preparing myself for the „newyear road bike tour”.

Hopefully I will survive. We have 1 degree Celsius outside.
 
Is this in reply to my GUI issue? If so I'll update and report back.
Yes. I also discovered this morning that the two buttons on the bottom of the Certificates pop-up page need updating too. I will work on it this evening after work.
 

I added just one line as below and checked again:
[screenshot attachment]


It does work! I have no idea why, but recently I re-routed vpn traffic to client2, now to Client 1 - may it be the reason?
 
Is this in reply to my GUI issue? If so I'll update and report back.

EDIT: Worked with an update. Thanks
I just patched the OpenVPN Client GUI to fix the Cancel and Save buttons issue on the Keys and Certificates pop-up screen. Please rerun option 7 from the x3mRouting menu to pull the update.
 
I just noticed that jq package is not working for me:
Code:
# jq -r '.prefixes | .[].ip_prefix' < ip-ranges.json
jq: error while loading shared libraries: libonig.so: cannot open shared object file: No such file or directory
# jq
jq: error while loading shared libraries: libonig.so: cannot open shared object file: No such file or directory
# echo $PATH
/opt/bin:/opt/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/home/wizard:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin
# find / -name libonig.so

#
The jq package is required by the Amazon Selective routing scripts.

I reported the issue: https://github.com/Entware/Entware/issues/391

You can test by typing jq on the command line. Let me know if you have the same issue. The router in question is an RT-AC88U on 384.14_2 test release. I will update to 384.14_2 final ASAP.

You should save off a copy of any Amazon IPSET lists using a different file name so you can use it as a restore file until jq is fixed. The default location is /opt/tmp. Alternatively, you can use the ASN method e.g. AS16509, AS14618, etc for Amazon.

To see if your Amazon IPSET list is empty, type liststats at the command line.

Code:
# liststats
AMAZON-EU - 0
AMAZON_US - 0
BBC_WEB - 260
CBS_WEB - 434
HULU_WEB - 171
MOVETV - 561
NETFLIX - 152
PANDORA - 14
Skynet-Blacklist - 146896
Skynet-BlockedRanges - 1597
Skynet-IOT - 0
Skynet-Master - 2
Skynet-Whitelist - 5948

Edit: I will enhance the code to check the outcome of the jq command and prevent the program from updating the IPSET save/restore file if there is an issue.
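One way to build the check described in the edit above, as an added example that is not x3mRouting's own code: write the extractor's output to a temporary file and swap it in only when the command succeeded and produced nothing but CIDR lines. `update_list_file`, the two stub extractors and the one-CIDR-per-line file layout are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not the x3mRouting implementation: replace a prefix list
# only when the extractor exited 0 and printed nothing but IPv4 CIDRs.

# The filter from the post; needs a working jq, so the demo below uses stubs.
jq_prefixes() { jq -r '.prefixes | .[].ip_prefix'; }

# $1 = extractor function reading JSON on stdin, $2 = JSON file, $3 = list file.
update_list_file() {
    extractor=$1 src=$2 dest=$3
    tmp="$dest.new.$$"
    # A loader failure such as the libonig.so error yields a non-zero status.
    if ! "$extractor" < "$src" > "$tmp"; then
        rm -f "$tmp"; echo "extractor-failed"; return 1
    fi
    # Refuse empty output and any line that is not an IPv4 CIDR.
    if [ ! -s "$tmp" ] ||
       grep -Evq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' "$tmp"; then
        rm -f "$tmp"; echo "bad-output"; return 1
    fi
    mv "$tmp" "$dest"   # same directory, so the old list is swapped in one step
    echo "updated"
}

# Constructed stand-ins for a healthy and a broken jq.
working_jq() { printf '192.0.2.0/24\n198.51.100.0/24\n'; }
broken_jq() {
    echo "jq: error while loading shared libraries: libonig.so" >&2
    return 127
}

demo() {
    dir=$(mktemp -d) || return 1
    echo '{}' > "$dir/ip-ranges.json"
    update_list_file working_jq "$dir/ip-ranges.json" "$dir/AMAZON"
    update_list_file broken_jq "$dir/ip-ranges.json" "$dir/AMAZON" || true
    kept=$(grep -c . "$dir/AMAZON")
    rm -rf "$dir"
    echo "entries kept: $kept"
}
demo
```

On a router with a repaired jq, `jq_prefixes` takes the place of the stub as the first argument.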
 
This is such a cool idea to get around the blocking of VPNs.
I tried method 1 but it didn't create any of the files it was supposed to in the /jffs/configs folder so there was nothing I could edit.
I also tried method 3 but it's definitely above my pay grade. I'm not entirely understanding all of the steps on that one. I would really just like if option 1 worked for me but it's not creating the files.

I've not had much luck routing between VPN and WAN with my 3100 router. I'm starting to think I have a dud and just need to sell it. Any help?
 
...@TheChez - what are you trying to achieve, what are your expectations and what is not working for your use case?
 
