x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

[mister]

dnsmasq has to be enabled on the router and the device logging to dnsmasq.log for the script to work and show the domain names.

Some devices have hard coded DNS. DNS Filter will force the device to use the DNS specified on the rotuer. Do you have DNS Filter turned on under the LAN tab? This should force the phone to use dnsmasq for lookups.

View attachment 26128

Hi Xentrk,
up to now, I didn´t activated the DNS-based filtering. But I will turn it on, with Router as filter mode.
The 3 custom DNS entries I have to leave empty or should I add there quad9 as well ?

I am a little bit confused, because in the WAN section, DNS Server entries are there as well. And Entries for DoT, i filled as well.

I will put e.g. quad9 in each section (LAN, WAN, DoT), right ?

Thanks again.

 

[Adamm]

I will put e.g. quad9 in each section (LAN, WAN, DoT), right ?

No, " LAN - DHCP Server " should be left blank. You should also make sure DoH is disabled on your android device as this will bypass router DNS.

 

[Salles]

Excellent script @Xentrk
I just reset my router and needed to reinstall everything. I was used to the older version of x3mRouting and am now trying to understand the latest version.
I have a question regarding the implementation of [3] OpenVPN Event & x3mRouting Script.
I want all routing of Netflix go through WAN.
In the recent version I just copied load_DNSMASQ_ipset_iface.sh and named the copy

load_DNSMASQ_ipset_iface.sh 0 NETFLIX amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

I also set the following in nat-start and then rebooted.

sh load_DNSMASQ_ipset_iface.sh 0 NETFLIX amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

According to the latets method of [3] OpenVPN Event & x3mRouting Script (if I understand correctly) I should just copy x3mRouting and name it

x3mRouting ALL 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

as well as adding the following to nat-start.

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

Is that correct or do I need to add (.sh) in the name x3mRouting.sh ALL 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net?

[EDIT] Never mind, it worked excellent by just naming it

x3mRouting 1 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

A question arose though: Why is it not possible to choose to bypass to WAN for all VPN Clients, i.e (ALL 0)?

 

[Xentrk]

Excellent script @Xentrk
I just reset my router and needed to reinstall everything. I was used to the older version of x3mRouting and am now trying to understand the latest version.
I have a question regarding the implementation of [3] OpenVPN Event & x3mRouting Script.
I want all routing of Netflix go through WAN.
In the recent version I just copied load_DNSMASQ_ipset_iface.sh and named the copy

load_DNSMASQ_ipset_iface.sh 0 NETFLIX amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

I also set the following in nat-start and then rebooted.

sh load_DNSMASQ_ipset_iface.sh 0 NETFLIX amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

According to the latets method of [3] OpenVPN Event & x3mRouting Script (if I understand correctly) I should just copy x3mRouting and name it

x3mRouting ALL 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

as well as adding the following to nat-start.

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

Is that correct or do I need to add (.sh) in the name x3mRouting.sh ALL 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net?

[EDIT] Never mind, it worked excellent by just naming it

x3mRouting 1 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

A question arose though: Why is it not possible to choose to bypass to WAN for all VPN Clients, i.e (ALL 0)?

That was a change in version 2 required to automate the configuration/setup. I refer to this as VPN Bypass rule.

It is for those you have a rule in a VPN Client to route all LAN traffic to the VPN client (e.g. 192.168.1.0/24) or a streaming media device but need to make an exception for a service like Netflix which blocks known VPN servers.

In version 2.0, I eliminated manual setup and the script automates all of the configuration.
The 1 0 combination actually does force all NETFLIX traffic to use the WAN. The reason you have to specify the VPN source is so x3mRouting knows where to place the bypass rules. Each VPN Client has an associated openvpn up/down script. If the VPN client is active, the rule needs to exist to have Netflix bypass the VPN. If the VPN client is down, the rule to route Netflix to the WAN is not required since the VPN client is not active.

 

[Xentrk]

x3mRouting.sh Version 2.3.2 now available (11 September 2020)

Updates to the ASN method include:

• Due to changes with ipinfo.io, https://api.hackertarget.com is the new source of IPv4 addresses used to load IPSET lists
• The IPv4 addresses for IPSET lists using the ASN method are now loaded directly into the IPSET list using the same method @Adamm uses in Skynet. Prior to this change, the IPv4 addresses were first downloaded into a file before before loading the IPSET list. As a result, save/backup files for ASN will no longer be created or required when using the ASN method.

Run option 5 from the x3mMenu to update the code.

 

[andresmorago]

hello @Xentrk
since early today, im having some issues with my vpn client 1 and the routing script. I believe this is occurring after the latest update 2.3.2 since i updated a couple days ago but only today rebooted the router.

my vpnclient1 is connected and working. router has 10.0.2.2 and vpn server is 10.0.2.1. vpn server is pingable from router and from devices connected to router.

i have the following script which i use in order to start the selective routes . i call it manually

#!/bin/sh
x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01
x3mRouting ALL 1 aws2 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_02
x3mRouting ALL 1 uic1 asnum=AS6200
x3mRouting ALL 1 uic2 asnum=AS698
#ipset add aws1 x.x.x.x

logger -st "($(basename "$0"))" $$ Applying aws routes
echo "Applying aws routes" >&2

aws_domains_XX are just plain files

pandora.com
ifconfig.io
ipinfo.io
deserve.com
imgur.com
wepanow.com

before running the script, i ping from any device on my network to the vpn server at 10.0.2.1 and i get responses
once i run the file above, 10.0.2.1 stops responding

i have to delete all the routes (i have another script for that) and then 10.0.2.1 starts responding again.

#!/bin/sh
x3mRouting ipset_name=aws1 del
x3mRouting ipset_name=aws2 del
x3mRouting ipset_name=uic1 del
x3mRouting ipset_name=uic2 del

logger -st "($(basename "$0"))" $$ Deleting aws routes
echo "Deleting aws routes" >&2

in addition to this issue, im just starting to see that, with no routes enabled, i cant ping the vpn server 10.0.2.1 from my devices (they are all in network 10.0.0.0). this happens once in a while.
10.0.2.1 is pingable from router (10.0.0.1)

so i ended up going back to zero. uninstalled your script and my vpnclient1 setup
i have again the vpn working and just reinstalled your script. i isolated only one line of my script and after running it, pings to the server stop. here are the results:

andresmorago@RT-AC3100-0548:/tmp/home/root# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1): 56 data bytes
64 bytes from 10.0.2.1: seq=0 ttl=64 time=96.664 ms
64 bytes from 10.0.2.1: seq=1 ttl=64 time=97.047 ms
64 bytes from 10.0.2.1: seq=2 ttl=64 time=98.983 ms
64 bytes from 10.0.2.1: seq=3 ttl=64 time=101.418 ms
--- 10.0.2.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 96.664/98.528/101.418 ms

andresmorago@RT-AC3100-0548:/tmp/home/root# x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01
(x3mRouting): 29475 Starting Script Execution ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01

Done.
(x3mRouting): 29475 IPSET created: aws1 hash:net family inet hashsize 1024 maxelem 65536
(x3mRouting): 29475 CRON schedule created: #aws1# '0 2 * * * ipset save aws1'
(x3mRouting): 29475 Selective Routing Rule via VPN Client 1 created for aws1 fwmark 0x1000/0x1000
(x3mRouting): 29475 iptables -t mangle -D PREROUTING -i br0 -m set --match-set aws1 dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 29475 iptables -t mangle -A PREROUTING -i br0 -m set --match-set aws1 dst -j MARK --set-mark 0x1000/0x1000 added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 29475 iptables -t mangle -D PREROUTING -i br0 -m set --match-set aws1 dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-pre-down
(x3mRouting): 29475 sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01 added to /jffs/scripts/nat-start
(x3mRouting): 29475 Completed Script Execution


andresmorago@RT-AC3100-0548:/tmp/home/root# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1): 56 data bytes
--- 10.0.2.1 ping statistics ---
16 packets transmitted, 0 packets received, 100% packet loss

andresmorago@RT-AC3100-0548:/tmp/home/root# x3mRouting ALL 1 aws1 del
(x3mRouting): 30847 Starting Script Execution ALL 1 aws1 del

Done.

/jffs/scripts/x3mRouting/vpnclient1-route-up has 1 shebang entry and 0 empty lines.
Would you like to remove /jffs/scripts/x3mRouting/vpnclient1-route-up?
[1]  --> Yes
[2]  --> No

[1-2]: 1
file deleted

/jffs/scripts/x3mRouting/vpnclient1-route-pre-down has 1 shebang entry and 0 empty lines.
Would you like to remove /jffs/scripts/x3mRouting/vpnclient1-route-pre-down?
[1]  --> Yes
[2]  --> No

[1-2]: 1
file deleted
0 2 * * * ipset save aws1 > /opt/tmp/aws1 #aws1#
(x3mRouting): 30847 IPSET aws1 deleted!
(x3mRouting): 30847 Completed Script Execution

andresmorago@RT-AC3100-0548:/tmp/home/root# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1): 56 data bytes
64 bytes from 10.0.2.1: seq=0 ttl=64 time=100.312 ms
64 bytes from 10.0.2.1: seq=1 ttl=64 time=96.339 ms
64 bytes from 10.0.2.1: seq=2 ttl=64 time=94.718 ms
64 bytes from 10.0.2.1: seq=3 ttl=64 time=102.751 ms
--- 10.0.2.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 94.718/98.530/102.751 ms

my vpn client 1

 

[Xentrk]

hello @Xentrk
since early today, im having some issues with my vpn client 1 and the routing script. I believe this is occurring after the latest update 2.3.2 since i updated a couple days ago but only today rebooted the router.

my vpnclient1 is connected and working. router has 10.0.2.2 and vpn server is 10.0.2.1. vpn server is pingable from router and from devices connected to router.

i have the following script which i use in order to start the selective routes . i call it manually

#!/bin/sh
x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01
x3mRouting ALL 1 aws2 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_02
x3mRouting ALL 1 uic1 asnum=AS6200
x3mRouting ALL 1 uic2 asnum=AS698
#ipset add aws1 x.x.x.x

logger -st "($(basename "$0"))" $$ Applying aws routes
echo "Applying aws routes" >&2

aws_domains_XX are just plain files

pandora.com
ifconfig.io
ipinfo.io
deserve.com
imgur.com
wepanow.com

before running the script, i ping from any device on my network to the vpn server at 10.0.2.1 and i get responses
once i run the file above, 10.0.2.1 stops responding

i have to delete all the routes (i have another script for that) and then 10.0.2.1 starts responding again.

#!/bin/sh
x3mRouting ipset_name=aws1 del
x3mRouting ipset_name=aws2 del
x3mRouting ipset_name=uic1 del
x3mRouting ipset_name=uic2 del

logger -st "($(basename "$0"))" $$ Deleting aws routes
echo "Deleting aws routes" >&2

in addition to this issue, im just starting to see that, with no routes enabled, i cant ping the vpn server 10.0.2.1 from my devices (they are all in network 10.0.0.0). this happens once in a while.
10.0.2.1 is pingable from router (10.0.0.1)

so i ended up going back to zero. uninstalled your script and my vpnclient1 setup
i have again the vpn working and just reinstalled your script. i isolated only one line of my script and after running it, pings to the server stop. here are the results:

andresmorago@RT-AC3100-0548:/tmp/home/root# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1): 56 data bytes
64 bytes from 10.0.2.1: seq=0 ttl=64 time=96.664 ms
64 bytes from 10.0.2.1: seq=1 ttl=64 time=97.047 ms
64 bytes from 10.0.2.1: seq=2 ttl=64 time=98.983 ms
64 bytes from 10.0.2.1: seq=3 ttl=64 time=101.418 ms
--- 10.0.2.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 96.664/98.528/101.418 ms

andresmorago@RT-AC3100-0548:/tmp/home/root# x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01
(x3mRouting): 29475 Starting Script Execution ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01

Done.
(x3mRouting): 29475 IPSET created: aws1 hash:net family inet hashsize 1024 maxelem 65536
(x3mRouting): 29475 CRON schedule created: #aws1# '0 2 * * * ipset save aws1'
(x3mRouting): 29475 Selective Routing Rule via VPN Client 1 created for aws1 fwmark 0x1000/0x1000
(x3mRouting): 29475 iptables -t mangle -D PREROUTING -i br0 -m set --match-set aws1 dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 29475 iptables -t mangle -A PREROUTING -i br0 -m set --match-set aws1 dst -j MARK --set-mark 0x1000/0x1000 added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 29475 iptables -t mangle -D PREROUTING -i br0 -m set --match-set aws1 dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-pre-down
(x3mRouting): 29475 sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01 added to /jffs/scripts/nat-start
(x3mRouting): 29475 Completed Script Execution


andresmorago@RT-AC3100-0548:/tmp/home/root# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1): 56 data bytes
--- 10.0.2.1 ping statistics ---
16 packets transmitted, 0 packets received, 100% packet loss

andresmorago@RT-AC3100-0548:/tmp/home/root# x3mRouting ALL 1 aws1 del
(x3mRouting): 30847 Starting Script Execution ALL 1 aws1 del

Done.

/jffs/scripts/x3mRouting/vpnclient1-route-up has 1 shebang entry and 0 empty lines.
Would you like to remove /jffs/scripts/x3mRouting/vpnclient1-route-up?
[1]  --> Yes
[2]  --> No

[1-2]: 1
file deleted

/jffs/scripts/x3mRouting/vpnclient1-route-pre-down has 1 shebang entry and 0 empty lines.
Would you like to remove /jffs/scripts/x3mRouting/vpnclient1-route-pre-down?
[1]  --> Yes
[2]  --> No

[1-2]: 1
file deleted
0 2 * * * ipset save aws1 > /opt/tmp/aws1 #aws1#
(x3mRouting): 30847 IPSET aws1 deleted!
(x3mRouting): 30847 Completed Script Execution

andresmorago@RT-AC3100-0548:/tmp/home/root# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1): 56 data bytes
64 bytes from 10.0.2.1: seq=0 ttl=64 time=100.312 ms
64 bytes from 10.0.2.1: seq=1 ttl=64 time=96.339 ms
64 bytes from 10.0.2.1: seq=2 ttl=64 time=94.718 ms
64 bytes from 10.0.2.1: seq=3 ttl=64 time=102.751 ms
--- 10.0.2.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 94.718/98.530/102.751 ms

my vpn client 1
View attachment 26223View attachment 26222

The IPv4 addresses for IPSET lists using the ASN method are now loaded directly into the IPSET list rather than first downloading the IPv4 addresses to the file in /opt/tmp before loading the IPSET list. You can view the number of entries in the IPSET lists using the liststats command. Or, use the command ipset -L <IPSET> | more to view the entries.

When you run x3mRouting from the command line or from another script, the entry gets automatically added to /jffs/scripts/nat-start so it runs at system boot. The fully qualified path is used though:

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 MYLIST asnum=ASXXXX

Having the entries in another script shouldn't create an issue. But it is redundant and will cause the script to be run twice. Plus, if you use the 'del' parm, x3mRouting is not aware of the other script you created and the entry won't get deleted in the other script.

Add whatismyipaddress.com or whatismyip.com to dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01 and restart dnsmasq.

service restart_dnsmasq

Now, go to the website and it should report the IP address of your VPN Server. I've not used ping command to test connectivity to VPN server. The IP assigned is dynamic and can change when the VPN client is bounced so I would not rely on it.

Use this command to view the routing rules created by x3mRouting.

iptables -nvL PREROUTING -t mangle --line

The asuswrt-merlin firmware is creating the routes. It can be viewed using the command:

ip route

 

[andresmorago]

hello @Xentrk
so im ditching my file just for peace of mind. im still having issues as i cant connect to the vpn server after running your script.

here is what im testing. note ifconfig.io website to check my ip.
Im starting from scratch. your script was just installed and no rules are active.

dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01

pandora.com
ifconfig.io
ipinfo.io
deserve.com
imgur.com
wepanow.com

andresmorago@RT-AC3100-0548:/tmp/mnt/sda1/nsru# x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01
(x3mRouting): 18205 Starting Script Execution ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01

Done.
(x3mRouting): 18205 IPSET created: aws1 hash:net family inet hashsize 1024 maxelem 65536
(x3mRouting): 18205 CRON schedule created: #aws1# '0 2 * * * ipset save aws1'
(x3mRouting): 18205 Selective Routing Rule via VPN Client 1 created for aws1 fwmark 0x1000/0x1000
(x3mRouting): 18205 iptables -t mangle -D PREROUTING -i br0 -m set --match-set aws1 dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 18205 iptables -t mangle -A PREROUTING -i br0 -m set --match-set aws1 dst -j MARK --set-mark 0x1000/0x1000 added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 18205 iptables -t mangle -D PREROUTING -i br0 -m set --match-set aws1 dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-pre-down
(x3mRouting): 18205 sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01 added to /jffs/scripts/nat-start
(x3mRouting): 18205 Completed Script Execution
andresmorago@RT-AC3100-0548:/tmp/mnt/sda1/nsru#

i try to access ifconfig.io from my network devices and its just dead. and none of the other websites included aws_domains_01 load.

here is the diags from the ipset

andresmorago@RT-AC3100-0548:/tmp/mnt/sda1/nsru#  iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 21431 packets, 19M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       32  2271 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set aws1 dst MARK or 0x1000
andresmorago@RT-AC3100-0548:/tmp/mnt/sda1/nsru# ipset -L aws1
Name: aws1
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 484
References: 1
Number of entries: 3
Members:
104.24.122.146
172.67.189.102
104.24.123.146
andresmorago@RT-AC3100-0548:/tmp/mnt/sda1/nsru#

andresmorago@RT-AC3100-0548:/tmp/mnt/sda1/nsru# ip route
181.52.250.1 dev eth0  proto kernel  scope link
181.52.xxx.0/24 dev eth0  proto kernel  scope link  src 181.52.xxx.xxx
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.1
10.0.1.0/24 dev tun21  proto kernel  scope link  src 10.0.1.1
10.0.2.0/24 dev tun11  proto kernel  scope link  src 10.0.2.2
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.0.0.6
127.0.0.0/8 dev lo  scope link
default via 181.52.250.1 dev eth0

regarding this

I've not used ping command to test connectivity to VPN server. The IP assigned is dynamic and can change when the VPN client is bounced so I would not rely on it.

the ip server is always on the same address 10.0.2.1 and pings had always worked no matter the client. pings stop working after running x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01


doing some more digging, the tun11 interface is just dead after running x3mRouting script and just i delete the ipset, it comes back to life

andresmorago@RT-AC3100-0548:/tmp/mnt/sda1/nsru# curl ifconfig.io --interface eth0
181.52.xxx.xxx
andresmorago@RT-AC3100-0548:/tmp/mnt/sda1/nsru# curl ifconfig.io --interface tun11
^C


andresmorago@RT-AC3100-0548:/tmp/mnt/sda1/nsru#

 

[Xentrk]

@andresmorago

It looks like the IP addresses are getting added to the IPSET list and traffic is traversing the iptables rule.

I created the setup you have on my router and it works. I tested with both VPN Bypass and forcing all the sites to use VPN Client 5.

The ip addresses get added to the IPSET list when I accessed the domain and the sites reported the correct IP.

This method requires the features of dnsmasq. Take a look at dnsmasq to make sure it's working or enabled. I use dnsmasq as setup by Diversion.

 

[andresmorago]

thanks for your help
im giving up on this this time. the client 1 works well until i run the script. i dont blame the script at all but i dont know what else to do

vpn dies a couple seconds later after restarting vpn

andresmorago@RT-AC3100-0548:/jffs/scripts/x3mRouting# service restart_dnsmasq && service restart_vpnclient1

Done.

Done.
andresmorago@RT-AC3100-0548:/jffs/scripts/x3mRouting# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1): 56 data bytes
64 bytes from 10.0.2.1: seq=4 ttl=64 time=321.436 ms
64 bytes from 10.0.2.1: seq=5 ttl=64 time=101.486 ms
^C
--- 10.0.2.1 ping statistics ---
22 packets transmitted, 2 packets received, 90% packet loss
round-trip min/avg/max = 101.486/211.461/321.436 ms

vpn comes back into life after i delete the only selective route i have x3mRouting ALL 1 aws1 del

 

[andresmorago]

im getting into something.
im looking at the openvpn log whenever i run your script. by this time, i know that the vpnclient dies.

take a look at 22:11:04. the vpn comes back to life. this occurs exactly after i run x3mRouting ALL 1 aws1 del

Sep 14 22:10:56 RT-AC3100-0548 ovpn-client1[9961]: Restart pause, 40 second(s)
Sep 14 22:10:59 RT-AC3100-0548 ovpn-client3[32270]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 14 22:10:59 RT-AC3100-0548 ovpn-client3[32270]: TLS Error: TLS handshake failed
Sep 14 22:10:59 RT-AC3100-0548 ovpn-client3[32270]: SIGUSR1[soft,tls-error] received, process restarting
Sep 14 22:10:59 RT-AC3100-0548 ovpn-client3[32270]: Restart pause, 5 second(s)
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: TCP/UDP: Preserving recently used remote address: [AF_INET]3.xx.xxx.xx:443
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: UDP link local: (not bound)
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: UDP link remote: [AF_INET]3.xx.xxx.xx:443
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: TLS: Initial packet from [AF_INET]3.xx.xxx.xx:443, sid=2bf317a1 e1786870
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: VERIFY OK: depth=1, CN=ChangeMe
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: VERIFY KU OK
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: Validating certificate extended key usage
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: VERIFY EKU OK
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: VERIFY OK: depth=0, CN=server
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: [server] Peer Connection Initiated with [AF_INET]3.xx.xxx.xx:443
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 127.0.0.1,dhcp-option DNS 172.26.0.2,sndbuf 393216,rcvbuf 393216,route-gateway 10.0.8.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.8.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: timers and/or timeouts modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: Socket Buffers: R=[245760->245760] S=[245760->245760]
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: --ifconfig/up options modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: route options modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: route-related options modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: peer-id set
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: adjusting link_mtu to 1624
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: data channel crypto options modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: Preserving previous TUN/TAP instance: tun13
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: Initialization Sequence Completed

take a look at 22:15:38. the vpn dies exactly when i run x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01

Sep 14 22:15:38 RT-AC3100-0548 ovpn-client1[9961]: [server] Inactivity timeout (--ping-restart), restarting
Sep 14 22:15:38 RT-AC3100-0548 ovpn-client1[9961]: SIGUSR1[soft,ping-restart] received, process restarting
Sep 14 22:15:38 RT-AC3100-0548 ovpn-client1[9961]: Restart pause, 5 second(s)
Sep 14 22:15:43 RT-AC3100-0548 ovpn-client1[9961]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sep 14 22:15:43 RT-AC3100-0548 ovpn-client1[9961]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 14 22:15:43 RT-AC3100-0548 ovpn-client1[9961]: TCP/UDP: Preserving recently used remote address: [AF_INET]3.xx.xxx.xx:443
Sep 14 22:15:43 RT-AC3100-0548 ovpn-client1[9961]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Sep 14 22:15:43 RT-AC3100-0548 ovpn-client1[9961]: UDP link local: (not bound)
Sep 14 22:15:43 RT-AC3100-0548 ovpn-client1[9961]: UDP link remote: [AF_INET]3.xx.xxx.xx:443

 

[Xentrk]

im getting into something.
im looking at the openvpn log whenever i run your script. by this time, i know that the vpnclient dies.

take a look at 22:11:04. the vpn comes back to life. this occurs exactly after i run x3mRouting ALL 1 aws1 del

Sep 14 22:10:56 RT-AC3100-0548 ovpn-client1[9961]: Restart pause, 40 second(s)
Sep 14 22:10:59 RT-AC3100-0548 ovpn-client3[32270]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 14 22:10:59 RT-AC3100-0548 ovpn-client3[32270]: TLS Error: TLS handshake failed
Sep 14 22:10:59 RT-AC3100-0548 ovpn-client3[32270]: SIGUSR1[soft,tls-error] received, process restarting
Sep 14 22:10:59 RT-AC3100-0548 ovpn-client3[32270]: Restart pause, 5 second(s)
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: TCP/UDP: Preserving recently used remote address: [AF_INET]3.xx.xxx.xx:443
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: UDP link local: (not bound)
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: UDP link remote: [AF_INET]3.xx.xxx.xx:443
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: TLS: Initial packet from [AF_INET]3.xx.xxx.xx:443, sid=2bf317a1 e1786870
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: VERIFY OK: depth=1, CN=ChangeMe
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: VERIFY KU OK
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: Validating certificate extended key usage
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: VERIFY EKU OK
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: VERIFY OK: depth=0, CN=server
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sep 14 22:11:04 RT-AC3100-0548 ovpn-client3[32270]: [server] Peer Connection Initiated with [AF_INET]3.xx.xxx.xx:443
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 127.0.0.1,dhcp-option DNS 172.26.0.2,sndbuf 393216,rcvbuf 393216,route-gateway 10.0.8.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.8.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: timers and/or timeouts modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: Socket Buffers: R=[245760->245760] S=[245760->245760]
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: --ifconfig/up options modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: route options modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: route-related options modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: peer-id set
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: adjusting link_mtu to 1624
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: OPTIONS IMPORT: data channel crypto options modified
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: Preserving previous TUN/TAP instance: tun13
Sep 14 22:11:05 RT-AC3100-0548 ovpn-client3[32270]: Initialization Sequence Completed

take a look at 22:15:38. the vpn dies exactly when i run x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01

Sep 14 22:15:38 RT-AC3100-0548 ovpn-client1[9961]: [server] Inactivity timeout (--ping-restart), restarting
Sep 14 22:15:38 RT-AC3100-0548 ovpn-client1[9961]: SIGUSR1[soft,ping-restart] received, process restarting
Sep 14 22:15:38 RT-AC3100-0548 ovpn-client1[9961]: Restart pause, 5 second(s)
Sep 14 22:15:43 RT-AC3100-0548 ovpn-client1[9961]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sep 14 22:15:43 RT-AC3100-0548 ovpn-client1[9961]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 14 22:15:43 RT-AC3100-0548 ovpn-client1[9961]: TCP/UDP: Preserving recently used remote address: [AF_INET]3.xx.xxx.xx:443
Sep 14 22:15:43 RT-AC3100-0548 ovpn-client1[9961]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Sep 14 22:15:43 RT-AC3100-0548 ovpn-client1[9961]: UDP link local: (not bound)
Sep 14 22:15:43 RT-AC3100-0548 ovpn-client1[9961]: UDP link remote: [AF_INET]3.xx.xxx.xx:443

Those system log messages are from the firmware and not from x3mRouting. It looks like the certificates are missing. Probably from the 384.19 upgrade. If they exist, they will be located in /jffs/openvpn/ folder. Click the edit button on the OpenVPN Client Screen to update or reimport the ovpn.config file.

 

[andresmorago]

hi again @Xentrk
ive been burning my eyelashes with this.

im finally getting into something. when i run your script, i notice 2 things happening when i run the script

my dnsmasq.conf.add gets modified and this specific line disappears

address=/aws1.yyyyyy.com/3.xxx.xxx.xxx

therefore, the vpn client on the router gui will lose connectivity since it doesnt understands what is aws1.yyyyyy.com.
i can temporarily fix this by just using the ip address on the openvpn client but i would like to use the dns name instead of the ip address

in addition, and i believe this is where my error is, i get this specific message on the vpn log right after i run your script and this is when i lose connectivity to the vpn server. 3.xx.xxx.xx:443 is my vpn server
im pinging @Martineau in case he might light my path also

Sep 16 12:07:23 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:23 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:25 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:26 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:26 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:27 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:28 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:29 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:29 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:31 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:32 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:33 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:34 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:37 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 16 12:07:38 RT-AC3100-0548 ovpn-client1[26738]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443

PROGRESS 1
so i found this line on my vpn server config and deleted it push "redirect-gateway def1 bypass-dhcp". i believe that deleting this will not make the vpn clients use the vpn as a default gateway.
interestengly, after removing this line, now the vpn connection stays alive after running x3mrouting! and no more "Recursive routing detected" messages on the log.
but the specific websites arent being routed through the vpn client.

 

[Xentrk]

hi again @Xentrk
ive been burning my eyelashes with this.

im finally getting into something. when i run your script, i notice 2 things happening when i run the script

my dnsmasq.conf.add gets modified and this specific line disappears

address=/aws1.yyyyyy.com/3.xxx.xxx.xxx

therefore, the vpn client on the router gui will lose connectivity since it doesnt understands what is aws1.yyyyyy.com.
i can temporarily fix this by just using the ip address on the openvpn client but i would like to use the dns name instead of the ip address

Everytime you run x3mRouting using the dnsmasq_file= parm, it will delete any old references in dnsmasq.conf.add first before adding the new entry. It uses the IPSET name to find a match.

The line that is getting removed probably contains the same characters as the IPSET name which is why it gets deleted. I suspect it is the "aws1" reference. Can you rename the IPSET or address= reference so it does not contain the same name?

In the mean time, I will look into how I can tighten the code to prevent the issue.

 

[andresmorago]

Everytime you run x3mRouting using the dnsmasq_file= parm, it will delete any old references in dnsmasq.conf.add first before adding the new entry. It uses the IPSET name to find a match.

The line that is getting removed probably contains the same characters as the IPSET name which is why it gets deleted. I suspect it is the "aws1" reference. Can you rename the IPSET or address= reference so it does not contain the same name?

In the mean time, I will look into how I can tighten the code to prevent the issue.

thanks. i can try that and report back.

regarding my second issue, do you have any advise on it for me? maybe im doing something wrong on the vpn conf?

 

[Xentrk]

x3mRouting.sh Version 2.3.3 17-September-2020

x3mRouting.sh script has been updated to also check for 'ipset=' reference at the start of the line, in addition to the IPSET name, to prevent deletion of other lines in dnsmasq.conf.add that contain the same characters as the IPSET name.

 

[Xentrk]

thanks. i can try that and report back.

regarding my second issue, do you have any advise on it for me? maybe im doing something wrong on the vpn conf?

I just pushed an update to fix the issue you reported. Let's get that working first as the address= line getting deleted may be causing the issue.

 

[andresmorago]

hello @Xentrk
i just updated to 2.3.3
the issue with the dnsmasq.conf.add is now fixed as the line isnt getting erased anymore. i can call this as fixed!

still, im unable to access my vpn server after running x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01. pings to my vpn server in 10.0.2.1 timeout and the vpn log populates with routing errors

Sep 16 21:14:15 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.xxx.xxx.xxx
Sep 16 21:14:19 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.xxx.xxx.xxx
Sep 16 21:14:20 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.xxx.xxx.xxx
Sep 16 21:14:25 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.xxx.xxx.xxx
Sep 16 21:14:30 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.xxx.xxx.xxx
Sep 16 21:14:35 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.xxx.xxx.xxx
Sep 16 21:14:40 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.xxx.xxx.xxx

these errors will stop showing after i cancel the selective routing with x3mRouting ALL 1 aws1 del
and vpn connection comes back to life (pings to vpn server in 10.0.2.1 are ok)

 

[Xentrk]

hello @Xentrk
i just updated to 2.3.3
the issue with the dnsmasq.conf.add is now fixed as the line isnt getting erased anymore. i can call this as fixed!

still, im unable to access my vpn server after running x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01. pings to my vpn server in 10.0.2.1 timeout and the vpn log populates with routing errors

Sep 16 21:14:15 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.16.174.94:443
Sep 16 21:14:19 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.x.x.x:443
Sep 16 21:14:20 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.x.x.x:443
Sep 16 21:14:25 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.x.x.x:443
Sep 16 21:14:30 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.x.x.x:443
Sep 16 21:14:35 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.x.x.x:443
Sep 16 21:14:40 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.x.x.x:443

these errors will stop showing after i cancel the selective routing with x3mRouting ALL 1 aws1 del
and vpn connection comes back to life (pings to vpn server in 10.0.2.1 are ok)

The message is coming from the forward.c code

* drop packets with same dest addr as gateway */
        if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
        {
            drop = true;
        }

* drop packets with same dest addr as gateway */
        pip6 = (struct openvpn_ipv6hdr *) (BPTR(buf) + ip_hdr_offset);
        if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
        {
            drop = true;
        }

if (drop)
    {
        struct gc_arena gc = gc_new();

        c->c2.buf.len = 0;

        msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
            print_link_socket_actual(c->c2.to_link_addr, &gc));
        gc_free(&gc);
    }

Under Advanced Settings section, set Log verbosity =4 and apply to get additional debugging in the system log. There may be a conflict with the server= reference in dnsmasq.conf.add?

 

[andresmorago]

hello @Xentrk
i have always had log verbosity 4. thats how im getting the Sep 16 21:14:25 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.xxx.xxx.xxx messages. no other messages show up as i believe that the vpn connection stays alive but the routing gets damaged some how.

my dnsmasq.conf.add is as simplest as it can be now

strict-order
dhcp-option=lan,42,10.0.0.1 # ntpMerlin

server=/use-application-dns.net/
server=/pool.ntp.org/8.8.8.8

my openvpn client custom conf is

mssfix 1430
resolv-retry infinite
tls-client
remote-cert-tls server
#ignore-unknown-option block-outside-dns
#block-outside-dns
setenv opt block-outside-dns
auth-nocache

theres something on the selective routing that messes up the vpn connection and drops all packages to the vpn server