What's new

x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

„Both” is checked,

I created two vpn servers with absolutely the same configuration( double checked).

Only vpn server with traffic directed via OpenVPN client with ipset serting enabled does not let me get in to my Lan network. Weird

But i am able to log in to my router - 192.168.1.1 adress works normally.

Edit:

Even if I change server settong to LAN only, everything behaves in the same way. I can surf the internet but no access to my home LAN nerwork. It seems to be bypassed by selective routing rule.

then i started to making another rule that force my VPN server to VPN client using ipset configuration of netflix.
Are you using one of the VPN Server to VPN Client Routing scripts included in x3mRouting e.g. route_all_vpnserver.sh and/or route_ipset_vpnserver.sh to perform the VPN server to VPN client routing? If so, if you remove the rules, can you then access your LAN devices?
 
9414253e14acb1ef8f997cdd1eac89e8.jpg


Access to my Lan Clients comes back directly after removal of marked line.
 
9414253e14acb1ef8f997cdd1eac89e8.jpg


Access to my Lan Clients comes back directly after removal of marked line.
Thank you. That gives me something to go on. My time is limited the next two days. But I will look into it.

To remove the rules, pass the "del" parameter to the script.

Code:
sh /jffs/scripts/x3mRouting/route_all_vpnserver.sh   {[1|2] [1|2|3|4|5]} [del]

Example:
Code:
sh /jffs/scripts/x3mRouting/route_all_vpnserver.sh 1 5 del
 
hello @Xentrk

im having some issues lately with my website selective routing as the websites registered on my dnsmasq.conf.add wont exit through my openvpn client 1

dnsmasq.conf.add
Code:
ipset=/pandora.com/amazon_vpn
ipset=/ifconfig.io/amazon_vpn
ipset=/ford.com/amazon_vpn
ipset=/kohls.com/amazon_vpn
ipset=/starbucks.com/amazon_vpn
ipset=/app.starbucks.com/amazon_vpn
ipset=/ipinfo.io/amazon_vpn
ipset=/imgur.com/amazon_vpn
ipset=/cmyip.com/amazon_vpn
ipset=/disneyplus.com/amazon_vpn
ipset=/gfycat.com/amazon_vpn
ipset=/airbnb.com/amazon_vpn
ipset=/mediafire.com/amazon_vpn

my vpnclient1-route-up is
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn dir=/mnt/sda1/vpn_routes
logger -st "($(basename "$0"))" $$ Ending Script Execution

when i try to access, for example, ipinf0.io, i wont get my vpn ip address but my regular wan ip address.

running
Code:
ipset -L amazon_vpn && ip rule && iptables -nvL PREROUTING -t mangle --line
shows that ipinfo.io is actually being processed by the selective routing script but when devices access to it, they will do it with the regular wan connection and not the vpn client.
Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# vpncheck
Name: amazon_vpn
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 708
References: 1
Number of entries: 7
Members:
216.239.34.21
1.1.1.1
216.239.36.21
104.24.123.146
216.239.38.21
104.24.122.146
216.239.32.21
0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
Chain PREROUTING (policy ACCEPT 5592 packets, 1171K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      110 10882 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set amazon_vpn dst MARK or 0x1000
andresmorago@RT-AC3100-0548:/tmp/home/root#

this is happening since some weeks ago and on all my devices. i made sure they all gett my router as dns server
Code:
nslookup
Default Server:  router.asus.com
Address:  10.0.0.1

>

i will appreciate your help
 
please dismiss my last message. im an idiot and didnt check vpnclient status. it was down
 
„Both” is checked,

I created two vpn servers with absolutely the same configuration( double checked).

Only vpn server with traffic directed via OpenVPN client with ipset serting enabled does not let me get in to my Lan network. Weird

But i am able to log in to my router - 192.168.1.1 adress works normally.


Edit:

Even if I change server settong to LAN only, everything behaves in the same way. I can surf the internet but no access to my home LAN nerwork. It seems to be bypassed by selective routing rule.
I have some free time over the holidays where I can look at the issue in more depth.

Can you ping the devices? Just wonder if it is a related issue reported in this thread?

https://www.snbforums.com/threads/openvpn-issue.60558/#post-531860

But I suspect the iptables rule to route the VPN Server to traffic to a VPN client has a higher priority than the rule to allow you to access LAN devices.
 
Last edited:
Hi,

The OpenVPN Client GUI is exhibiting some strange behaviors. Installed via amtm on an RT-AC68U running Merlin 384.14

All command line and script options work fine however.

screenshot.1.jpg screenshot.2.jpg
 
9414253e14acb1ef8f997cdd1eac89e8.jpg


Access to my Lan Clients comes back directly after removal of marked line.
I first connected to the router via VPN Server and was able to ping my Samsung TV. I ran the route_all_vpnserver.sh script to route all VPN Server traffic to the VPN Client 5 tunnel. I was unable to ping the Samsung TV. I was able to successfully ping it after I added another routing rule to give VPN Server traffic access to the router IP address.

upload_2020-1-1_16-52-52.png

Please test and see if that fixes the issue for you.
 

Attachments

  • upload_2020-1-1_16-52-26.png
    upload_2020-1-1_16-52-26.png
    131.8 KB · Views: 225
If you use the x3mRouting OpenVPN Client Screen & IPSET Shell Scripts Method, an update to the OpenVPN Client screen is required after performing an update to firmware version 384.14. To update, type x3mRouting at the command prompt and select option:

[7] Check for updates to existing x3mRouting installation.
 
Last edited:
I’ll check it out later.

Now i am preparing myself to The „newyear road bike tour”.

Hopefully i will survive. We have 1 celsius degree outside[emoji16]
 
Last edited:
Is this in reply to my GUI issue? If so I'll update and report back.
Yes. I also discovered this morning that the two buttons on the bottom of the Certificates pop-up page need updating too. I will work on it this evening after work.
 
I first connected to the router via VPN Server and was able to ping my Samsung TV. I ran the route_all_vpnserver.sh script to route all VPN Server traffic to the VPN Client 5 tunnel. I was unable to ping the Samsung TV. I was able to successfully ping it after I added another routing rule to give VPN Server traffic access to the router IP address.

View attachment 20587
Please test and see if that fixes the issue for you.

I added just one line as below and checked again:
62d7fa0601f7c6bacc8c8c01ff59a448.jpg


It does work! I have No idea why, but recently i re-routed vpn traffic to client2, now to Client 1 - may it be The reason?
 
Is this in reply to my GUI issue? If so I'll update and report back.

EDIT: Worked with an update. Thanks
I just patched the OpenVPN Client GUI to fix the Cancel and Save buttons issue on the Keys and Certificates pop-up screen. Please rerun option 7 from the x3mRouting menu to pull the update.
 
I just noticed that jq package is not working for me:
Code:
# jq -r '.prefixes | .[].ip_prefix' < ip-ranges.json
jq: error while loading shared libraries: libonig.so: cannot open shared object file: No such file or directory
# jq
jq: error while loading shared libraries: libonig.so: cannot open shared object file: No such file or directory
# echo $PATH
/opt/bin:/opt/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/home/wizard:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin
# find / -name libonig.so

#
The jq package is required by the Amazon Selective routing scripts.

I reported the issue: https://github.com/Entware/Entware/issues/391

You can test by typing jq on the command line. Let me know if you have the same issue. The router in question is a RT-AC88U on 384.14_2 test release. I will update to 3894.14_2 final ASAP.

You should save off a copy of any Amazon IPSET lists using a different file name so you can use it as a restore file until jq is fixed. The default location is /opt/tmp. Alternatively, you can use the ASN method e.g. AS16509, AS14618, etc for Amazon.

To see if your Amazon IPSET list is empty, type liststats at the command line.

Code:
# liststats
AMAZON-EU - 0
AMAZON_US - 0
BBC_WEB - 260
CBS_WEB - 434
HULU_WEB - 171
MOVETV - 561
NETFLIX - 152
PANDORA - 14
Skynet-Blacklist - 146896
Skynet-BlockedRanges - 1597
Skynet-IOT - 0
Skynet-Master - 2
Skynet-Whitelist - 5948

Edit: I will enhance the code to check the outcome of jq command prevent the program from updating the IPSET save/restore file if there is an issue.
 
Last edited:
This is such a cool idea to get around the blocking of VPNs.
I tried method 1 but it didn't create any of the files it was supposed to in the /jffs/configs folder so there was nothing I could edit.
I also tried method 3 but it's definitely above my pay grade. I'm not entirely understanding all of the steps on that one. I would really just like if option 1 worked for me but it's not creating the files.

I've not had much luck routing between VPN and WAN with my 3100 router. I'm starting to think I have a dud and just need to sell it. Any help?
 
...@TheChez - what are you trying to achieve, what are your expectations and what is not working for your use case?
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top