x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

[Xentrk]

Hi.
Please froward me in right direction, or say what I did wrong.

1. router rt-ac86u
2. firmware -384.12.0
3. two vpn clients PureVPN configured with Redirect Internet traffic: Policy Rules
4. your script installed today from https://github.com/Xentrk/x3mRouting
5. Selected options 1 & 3, & 4
6. Created vpnclient1-route-up
   

   sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US

7. Created vpnclient2-route-up
   

   sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 2 AMAZON-EU EU

8. iptables -t mangle -vL
   

   Chain PREROUTING (policy ACCEPT 99 packets, 10662 bytes)
    pkts bytes target     prot opt in     out     source               destination
       1    60 MARK       all  --  tun12  any     anywhere             anywhere             MARK xset 0x1/0x7
      12   604 MARK       all  --  tun11  any     anywhere             anywhere             MARK xset 0x1/0x7
     828 54815 MARK       all  --  br0    any     anywhere             anywhere             match-set AMAZON-US dst MARK or 0x1000
      50  2969 MARK       all  --  br0    any     anywhere             anywhere             match-set AMAZON-EU dst MARK or 0x2000
   
   Chain INPUT (policy ACCEPT 94 packets, 10251 bytes)
    pkts bytes target     prot opt in     out     source               destination
   
   Chain FORWARD (policy ACCEPT 2 packets, 168 bytes)
    pkts bytes target     prot opt in     out     source               destination
   
   Chain OUTPUT (policy ACCEPT 97 packets, 11808 bytes)
    pkts bytes target     prot opt in     out     source               destination
   
   Chain POSTROUTING (policy ACCEPT 99 packets, 11976 bytes)
    pkts bytes target     prot opt in     out     source               destination

9. ip rule
   

   0:      from all lookup local
   9990:   from all fwmark 0x8000/0x8000 lookup main
   9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
   9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
   32766:  from all lookup main
   32767:  from all lookup default

10. liststats
    
    

    AMAZON-EU - 277
    AMAZON-US - 407
    Skynet-Blacklist - 143700
    Skynet-BlockedRanges - 1593
    Skynet-IOT - 0
    Skynet-Master - 2
    Skynet-Whitelist - 2031

And when I try to do from the lan host
traceroute 54.239.106.252 (54.239.106.252 is in AMAZON-EU)
it's going thru wan, not ovpnc2.

Is it wrong method to check ?
Is something another wrong?

-------------------------update------------------------------------
I found the reason:
Tables for both vpnc was empty.

root# ip route show table 111
root# ip route show table 112
root# ip route show table opvnc1
root# ip route show table opvnc2

The reason is simple - due to no any ip-s is set via web-interface, the default routes wasn't created for them.
After adding the any record (including dumb one) for 127.127.127.127 - everything is ok

root# ip route show table ovpnc1
default via 172.94.11.129 dev tun11
root# ip route show table ovpnc2
default via 45.74.60.141 dev tun12

And everything is routed as it has to be.
The reason is line 429 in vpnrouting.sh (marked by me by >>>)

  # Setup table default route
>>>  if [ "$VPN_IP_LIST" != "" ]; then
    if [ "$VPN_FORCE" -eq 1 ]; then
      /usr/bin/logger -t "openvpn-routing" "Tunnel re-established, restoring WAN access to clients"
    fi
    if [ "$route_net_gateway" != "" ]; then
      ip route del default table "$VPN_TBL"
      ip route add default via "$route_vpn_gateway" table "$VPN_TBL"

I recommend you upgrade to 384.13. Sometimes there is changes in releases. x3mRouting code had to be updated for 384.13 to accommodate the changes to dhcp_staticlist and dhcp_hostnames which only impacts you if you use opiton 1 - x3mRouting for LAN Clients. I did not make the code backward compatible with 384.12 but I probably should have. Sorry about that. Appears that all of your LAN clients default to the WAN interface. I would recommend you upgrade to 384.13. Then, run option 1 again. When done, edit the file /jffs/configs/x3mRouting_client_rules to assign the interface for LAN Clients.

Based on my testing, you should not have had to create the dummy IP entry for the route to be created. Did you see a message like the one below in the system log?

"openvpn-routing" "WARNING: no VPN gateway provided, routing might not work properly!"

The other item I noticed is you have no entries in the iptables FORWARD Chain. Following is how mine looks:

Chain FORWARD (policy ACCEPT 2725K packets, 2879M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       udp  --  any    any     anywhere             anywhere             udp dpt:5060 MARK xset 0x1/0x7
    0     0 MARK       tcp  --  any    any     anywhere             anywhere             tcp dpt:5060 MARK xset 0x1/0x7
    0     0 MARK       all  --  any    br0     192.168.1.0/24      192.168.1.0/24      MARK xset 0x1/0x7

If you can, upgrade to 384.13 and retest. Then we can do some more troubleshooting if things are still awry.

 

[Xentrk]

Sorry for a late response. I have found this intriguing and performed the test. What I have noticed is that after changing my VPNClient DNS to String and following your recommendation setting dhcp-option DNS x.x.x.x I check run the iptables -nvL PREROUTING -t nat --line command and here is the result.

1 0 0 VSERVER all -- * * 0.0.0.0/0 192.168.0.4
2 74 5201 DNSFILTER udp -- * * 192.168.50.0/24 0.0.0.0/0 udp dpt:53
3 5 312 DNSFILTER tcp -- * * 192.168.50.0/24 0.0.0.0/0 tcp dpt:53


It is obvious that VPN DNS is not listed and I can confirm performing a dnsleak test. After checking resolve.conf and dnsmasq.conf I can see that VPN servers are listed properly. It seams that if the router has DNSSec and/or DoT enabled in WAN section these DNS servers will be used first, unless you configure OpenVPN client DNS to Exclusive. This behaviour has been changed from previous versions of the firmware.
Is that going to be reverted in the next version - that I would like to find out. Configuring OpenVPN to Strict (with DoT and DNSSec) should not make a difference and VPN DNS being the first in the list should be used. However, this is not the case in 384.12. I don't think I am doing anything wrong from configuring the router.
Do I understand it correctly?

For services like NordVPN and Express, you will need to set Accept DNS Configuration = Exclusive. Accept DNS Configuration = Exclusive will override DNS in the WAN page for clients using the tunnel.

If you don't specify any clients on the OpenVPN Client screen, then you need to add a “dummy” VPN Client entry if you require the ability to exploit the Accept DNS Configuration=Exclusive option that only creates the appropriate DNSVPN iptable chain if the table isn't empty. Use a valid IPv4 address for the DummyVPN entry that differs from your LAN IPv4 address range. I recommend using a bogon IP addres for this purpose.

I don't recommend the use of "Strict" as the DNS they push may be dynamic and change periodically. You can see the DNS they push by looking for the entry "dhcp-option DNS" in the system log. You will then see the IP address of the DNS pushed by the provider.

 

[PeterV]

If you don't specify any clients on the OpenVPN Client screen, then you need to add a “dummy” VPN Client entry if you require the ability to exploit the Accept DNS Configuration=Exclusive option that only creates the appropriate DNSVPN iptable chain if the table isn't empty. Use a valid IPv4 address for the DummyVPN entry that differs from your LAN IPv4 address range. I recommend using a bogon IP addres for this purpose.

View attachment 19436

Hi. This quotation of your answer can solve of the my issue too.
There is two possibility tot solve it:
To put a dummy records in the vpn routing rules, like on your image.
Or to exclude the check of it existence in the script vpnrouting.sh , i.e - to remove :

  # Setup table default route
  if [ "$VPN_IP_LIST" != "" ]; then

At least, please mention this dummy record creation in readme on github.

 

[Xentrk]

Hi. This quotation of your answer can solve of the my issue too.
There is two possibility tot solve it:
To put a dummy records in the vpn routing rules, like on your image.
Or to exclude the check of it existence in the script vpnrouting.sh , i.e - to remove :

  # Setup table default route
  if [ "$VPN_IP_LIST" != "" ]; then

At least, please mention this dummy record creation in readme on github.

After I wrote the reply you referenced, I had the feeling that it was probably why you had an issue too.
I already documented the DummyVPN in the README.md. But it is easy to miss as there is a ton of information on the README.md page.

Thanks for using the x3mRouting project and let me know if I can be of further assistance. I appreciate the feedback.

 

[Deleted member 62525]

For services like NordVPN and Express, you will need to set Accept DNS Configuration = Exclusive. Accept DNS Configuration = Exclusive will override DNS in the WAN page for clients using the tunnel.

If you don't specify any clients on the OpenVPN Client screen, then you need to add a “dummy” VPN Client entry if you require the ability to exploit the Accept DNS Configuration=Exclusive option that only creates the appropriate DNSVPN iptable chain if the table isn't empty. Use a valid IPv4 address for the DummyVPN entry that differs from your LAN IPv4 address range. I recommend using a bogon IP addres for this purpose.

View attachment 19436

I don't recommend the use of "Strict" as the DNS they push may be dynamic and change periodically. You can see the DNS they push by looking for the entry "dhcp-option DNS" in the system log. You will then see the IP address of the DNS pushed by the provider.

Well, that is the problem since setting DNS Exclusive, Diversion Blocker will not work. It used to work just fine in Strict mode - NordVPN and other VPN providers recommend to set DNS to Strict for Marlin firmware. NordVPN DNS IP does not change.

The setup was really reliable and obeyed pushed VPN DNS config. Policy routing configuration worked. It makes me wonder why we took this direction forward.

Can I configure dnsmasq.conf.add and force clients to use specific DNS? In this case I would configure all VPN clients (from my VPN Policy config) to use NordVPN DNS and others to use DoT DNS. I tried and this did not work. It should but it did not.

 

[diyguy]

I tried running method one, and I got this error

Unexpected error condition dhcp_staticlist and dhcp_hostnames don't match
[: bad number
[: bad number


Looks like its due to unknown, or black hostnames in the Static DHCP entries ? Any ideas on how to fix this?

 

[Xentrk]

I tried running method one, and I got this error

Unexpected error condition dhcp_staticlist and dhcp_hostnames don't match
[: bad number
[: bad number


Looks like its due to unknown, or black hostnames in the Static DHCP entries ? Any ideas on how to fix this?

Use this thread instead! I did patch the bug on Sep 22. So make sure you have a newer copy. But it will still fail with a friendly error message. There is a lot of slicing and dicing of data going on to create the dhcp_staticlist and dhcp_hostnames in dnsmasq.conf.add format due to changes in these two nvram variables in the 384.12 release. I added a check to make sure there was a word match between dhcp_staticlist using the format <mac_address><IP_address and dhcp_hostnames using the <mac_address><hostname format. Some people were seeing a parameter called <undefined in the dhcp_staticlist nvram variable. After that was patched, the bad number error appeared again for some users. I then discovered that entering the hostname when making dhcp_staticlist reservations is optional. I then fell ill for a week and couldn't work on it. Now that I have recovered, I plan to update the code to accommodate no entry for hostnames.

So, for those that did not enter hostnames, this option won't work. If you have entered hostnames for all of the dhcp reservations, it will work.

 

[Xentrk]

Well, that is the problem since setting DNS Exclusive, Diversion Blocker will not work. It used to work just fine in Strict mode - NordVPN and other VPN providers recommend to set DNS to Strict for Marlin firmware. NordVPN DNS IP does not change.

The setup was really reliable and obeyed pushed VPN DNS config. Policy routing configuration worked. It makes me wonder why we took this direction forward.

Can I configure dnsmasq.conf.add and force clients to use specific DNS? In this case I would configure all VPN clients (from my VPN Policy config) to use NordVPN DNS and others to use DoT DNS. I tried and this did not work. It should but it did not.

I am not sure why Strict is no longer working for you. Check that you have the right IP address specified in the custom config section. You can check the system log for "dhcp-option DNS" to find the DNS pushed by the provider. x3mRouting doesn't alter the way firmware handles DNS. Also, some streaming devices have google DNS hard coded in their firmware. Use the DNS Filter feature of Merlin to force all clients to use the DNS specified by the router.

Not having Diversion work when setting Accept DNS Configuration = Exclusive when using Policy Rules is a known concern that comes up frequently. Note: if you don't use Policy Rules and route All Traffic thru the tunnel, Diversion will work when you have Accept DNS Configuration = Exclusive! What?!?!

I have long promoted the use of the Strict setting as a workaround solution. But with the launch of DoT, I also recommend setting Accept DNS Configuration = Disabled as an option. The VPN tunnel will use the DNS specified on the WAN page. The DNS traffic will be encrypted with DoT. I cover the issue in detail in my blog post policy-rule-routing-on-asuswrt-merlin-firmware

On my test router, I have DoT enabled to Cloudflare and have accept DNS Configuration = Disabled with no issues. Streaming services that block known VPN providers don't care what DNS I use. I use a TorGuard dedicated VPN IP addresss. On another tunnel, I have Accept DNS Configuration = Exclusive. So you can spin up a second VPN client and route your streaming devices over one tunnel and the other devices to other tunnel and have the DNS configured differently. But for NordVPN or Express, you must use their DNS over the VPN tunnel to stream from paid subscription services that block VPNs as they are using a DNS proxy service similar to https://www.smartdnsproxy.com/.

There are no other options available that I am aware of other than what I listed above. I've played with some iptables rules. But I bailed after digging into how the firmware is coded and saw all of the hooks in other places in of code. FYI, you can specify the DNS server in dnsmasq.conf.add by adding the server entry e.g. server=1.1.1.1.

 

[Deleted member 62525]

I am not sure why Strict is no longer working for you. Check that you have the right IP address specified in the custom config section. You can check the system log for "dhcp-option DNS" to find the DNS pushed by the provider. x3mRouting doesn't alter the way firmware handles DNS. Also, some streaming devices have google DNS hard coded in their firmware. Use the DNS Filter feature of Merlin to force all clients to use the DNS specified by the router.

Not having Diversion work when setting Accept DNS Configuration = Exclusive when using Policy Rules is a known concern that comes up frequently. Note: if you don't use Policy Rules and route All Traffic thru the tunnel, Diversion will work when you have Accept DNS Configuration = Exclusive! What?!?!

I have long promoted the use of the Strict setting as a workaround solution. But with the launch of DoT, I also recommend setting Accept DNS Configuration = Disabled as an option. The VPN tunnel will use the DNS specified on the WAN page. The DNS traffic will be encrypted with DoT. I cover the issue in detail in my blog post policy-rule-routing-on-asuswrt-merlin-firmware

On my test router, I have DoT enabled to Cloudflare and have accept DNS Configuration = Disabled with no issues. Streaming services that block known VPN providers don't care what DNS I use. I use a TorGuard dedicated VPN IP addresss. On another tunnel, I have Accept DNS Configuration = Exclusive. So you can spin up a second VPN client and route your streaming devices over one tunnel and the other devices to other tunnel and have the DNS configured differently. But for NordVPN or Express, you must use their DNS over the VPN tunnel to stream from paid subscription services that block VPNs as they are using a DNS proxy service similar to https://www.smartdnsproxy.com/.

There are no other options available that I am aware of other than what I listed above. I've played with some iptables rules. But I bailed after digging into how the firmware is coded and saw all of the hooks in other places in of code. FYI, you can specify the DNS server in dnsmasq.conf.add by adding the server entry e.g. server=1.1.1.1.

thanks for the response. All I wanted from the setup is the following
1. Force selected VPN clients to use VPN pushed dns servers
2. Diversion should work with All clients
3. Non VPN clients to use DoT and DNSEC

I had this configuration working before before we included DoT and DNSEC into the firmware. You are correct that with current code this is not possible. In 384.9 or 384.10 I used Stubby and I was able to accomplish all my 3 requirements and VPN client dns set to Strict with firmware setting DNS for VPN tunnel properly obeying dns strict rule. That is not the case anymore. In current version VON client DNS must be set to exclusive if one wants to use VPN DNS servers. Anything different would not work and the firmware would pick WAN DNS DoT servers. I don’t know if it was intensional by design or we missed it during testing and nobody brought this up.

My choice was to set VPN DNS to Disabled and with this all net clients use WAN DoT DNS servers. Thanks again for your input. Greatly appreciated your feedback and all your work.

 

[Tatankov]

Hi Xentrk,

Just wanted to share that it worked like a charm.
The thing that consumed more time on the process, was to find a USB pen on my messy room, in order to install Entware ;-)

Just one question, I had a script on my jffs scripts dir running from my crontab.
Both the script and the crontab entry were erased. Not a big problem, since it was a tiny script to WOL a PC. But I am just curious, who removed the script and the crontab entry...

Thanks one more time!

 

[andresmorago]

Hi.
Im having the following situation

My router is connected to a openvpn server (with ovpn client 1) but its also acting as a openvpn server. I have x3mRouting IPSET Shell Scripts (option 3) installed and running the script

sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn

my dnsmasq.conf.add file has

ipset=/ifconfig.io/amazon_vpn

running ipset command returns:

andresmorago@RT-AC3100-0548:/tmp/home/root# ipset -L amazon_vpn
Name: amazon_vpn
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 484
References: 1
Number of entries: 3
Members:
104.24.123.146
104.24.122.146

If im connected directly to the router and i access ifconfig.io, i can see the main openvpn server wan ip which the router is connected to (with client 1). if im connected remotely to my router and access ifconfig.io i will see the routers wan ip address instead

am i missing something in order to have the routers ovpn clients get the same dns policies than the routers clients?


thanks

 

[mister]

I observed a strange behaviour on my ipad as well. I used the configuration described some posts before. Amazon prime video routed via wan, tv broadcasts on vpn 1 and the rest on vpn4. I am using VPN-Failover script, skynet and diversion.
No special rules are created for the ip of my ipad.


This configuration works well with all my devices, even with my iPhone and my ipad. But after a while (I think 2 days) amazon and the tv broadcasts give an error, but ONLY on my ipad. Amazon & broadcasts on the other devices are working without any problems. It seems to me, that all the traffic of the ipad is routed via vpn4, but only on the ipad this behaviour is observed.

The problem can be solved by rebooting the router. Any idea, what and why that could happen?

 

[Xentrk]

Hi Xentrk,

Just wanted to share that it worked like a charm.
The thing that consumed more time on the process, was to find a USB pen on my messy room, in order to install Entware ;-)

Just one question, I had a script on my jffs scripts dir running from my crontab.
Both the script and the crontab entry were erased. Not a big problem, since it was a tiny script to WOL a PC. But I am just curious, who removed the script and the crontab entry...

Thanks one more time!

A format of the /jffs partition or the delete command would have been required to delete the script. Can you recover the script from a jffs backup? crontab entries don't survive a reboot. You have to have a script create the crontab entry. I take care of this for the dnsmasq method scripts used by x3mRouting to take backups of the ipset lists.

 

[Xentrk]

I observed a strange behaviour on my ipad as well. I used the configuration described some posts before. Amazon prime video routed via wan, tv broadcasts on vpn 1 and the rest on vpn4. I am using VPN-Failover script, skynet and diversion.
No special rules are created for the ip of my ipad.


This configuration works well with all my devices, even with my iPhone and my ipad. But after a while (I think 2 days) amazon and the tv broadcasts give an error, but ONLY on my ipad. Amazon & broadcasts on the other devices are working without any problems. It seems to me, that all the traffic of the ipad is routed via vpn4, but only on the ipad this behaviour is observed.

The problem can be solved by rebooting the router. Any idea, what and why that could happen?

When the issue occurs, go to a site like whatismyipaddress.com or whatismyip.com to make sure the vpn end point of the device is what you intend. You can temporarily disable diversion and/or skynet when the problem occurs to see if they may be blocking an address your IP requires. The follow the log file option in Diversion can help you identify

I had a problem with one streaming device for Sling TV. It is my Roku player. On my pfSense appliance, I block all DNS requests other than the DNS specified by the router. Roku has Google DNS 8.8.8.8 hard coded and when it couldn't talk to it, it would not get hung up. It works okay on my Asus router and I also have firewall rules to block client device DNS but it works okay there. So I have to look at my firewall rules and make some modifications.

I would look at the system log file for clues when it occurs. Use the timestamp entry to narrow down the messages you need to look at. Let me know if you figure it out.

 

[Xentrk]

Hi.
Im having the following situation

My router is connected to a openvpn server (with ovpn client 1) but its also acting as a openvpn server. I have x3mRouting IPSET Shell Scripts (option 3) installed and running the script

sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn

my dnsmasq.conf.add file has

ipset=/ifconfig.io/amazon_vpn

running ipset command returns:

andresmorago@RT-AC3100-0548:/tmp/home/root# ipset -L amazon_vpn
Name: amazon_vpn
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 484
References: 1
Number of entries: 3
Members:
104.24.123.146
104.24.122.146

If im connected directly to the router and i access ifconfig.io, i can see the main openvpn server wan ip which the router is connected to (with client 1). if im connected remotely to my router and access ifconfig.io i will see the routers wan ip address instead

am i missing something in order to have the routers ovpn clients get the same dns policies than the routers clients?


thanks

Do you have Advertise DNS to Clients set to Yes on the OpenVPN Server running on the router?
https://diversion.ch/faq-reader/openvpn-server-how-to-block-ads-for-connected-clients.html

When debugging, I sometimes add a site like whatismyipaddress.com or whatismyip.com to the ipset list. This allows me to go to those sites and check my IP end point address to make sure the routing rules are working as expected.

 

[andresmorago]

Hi @Xentrk

Do you have Advertise DNS to Clients set to Yes on the OpenVPN Server running on the router?
https://diversion.ch/faq-reader/openvpn-server-how-to-block-ads-for-connected-clients.html
Yes I do. As a matter of fact, vpn clients connected to the router get the diversion treatment.

When debugging, I sometimes add a site like whatismyipaddress.com or whatismyip.com to the ipset list. This allows me to go to those sites and check my IP end point address to make sure the routing rules are working as expected.

I have ifconfig.io which does the same. If I’m connected directly To my routers Wi-Fi, I will get my USA vpn wan ip (since the router is acting as a openvpn client).
If I’m connected to the router vpn server, i will see the routers wan ip instead.

from iPhone connected to router vpn server
I get router wan ip


From iPad directly connected to router Wi-Fi
I get USA vpn wan

 

[Xentrk]

Hi @Xentrk



I have ifconfig.io which does the same. If I’m connected directly To my routers Wi-Fi, I will get my USA vpn wan ip (since the router is acting as a openvpn client).
If I’m connected to the router vpn server, i will see the routers wan ip instead.

from iPhone connected to router vpn server
I get router wan ip
View attachment 19487

From iPad directly connected to router Wi-Fi
I get USA vpn wan
View attachment 19488

What may be occurring is the iPad gets a different subnet address (e.g. 10.8.0.1) when connected to the router over the VPN Server interface. As a result, the LAN routing rules are not applied when connected to the router over a VPN connection because the the ipad is now being seen as another IP address. The fix will be an iptables rules to route subnet addresses to the appropriate interface. I vaguely recall this being mentioned in the forum. I'll have to do some searching.

 

[Xentrk]

@andresmorago

I think I found the solution. Please see the thread redirect-all-traffic-of-openvpn-server-connected-client-to-openvpn-client and the solution posted by @Martineau.

If you install option 4 from the x3mRouting menu, it will create the openvpn-event script for you in /jffs/scripts/x3mRouting directory. Then, create a script in /jffs/scripts/x3mRouting called vpnserver1-up. Place the firewall rules in this script. Read the section https://github.com/Xentrk/x3mRouting#run-scripts-at-system-boot for the write-up on openvpn-event script.

 

[PeterV]

Hi.
At first @Xentrk, many thanks for help.
But now I have another question:
I'm testing the vpn selective routing on one host.
So, I have a rule in vpnclient3-route-up:

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.111 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x4000/0x4000

Exvery thing is working, except error from netflix about proxy.
I tried to add:

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIX_DNS netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net.
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906

But it doesn't help, I still received this error from netflix.
I tried to change the line with vpn mark:

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.111 -p tcp -m multiport --dport 80,443 -m set ! --match-set NETFLIX_DNS dst -m set ! --match-set NETFLIX dst -j MARK --set-mark 0x4000/0x4000

No lucky.

Can you help ?

 

[andresmorago]

@andresmorago

I think I found the solution. Please see the thread redirect-all-traffic-of-openvpn-server-connected-client-to-openvpn-client and the solution posted by @Martineau.

If you install option 4 from the x3mRouting menu, it will create the openvpn-event script for you in /jffs/scripts/x3mRouting directory. Then, create a script in /jffs/scripts/x3mRouting called vpnserver1-up. Place the firewall rules in this script. Read the section https://github.com/Xentrk/x3mRouting#run-scripts-at-system-boot for the write-up on openvpn-event script.

Hi and thanks for all your help.
Im trying to user @Martineau advise but i cant get it to work.
my openvpn server clients arent being selectively routed through my vpn client according to the ipset and option 3 of x3mrouting

my router lan is 10.0.0.0/24
my vpn client is 10.0.2.1/24
my router vpn server is 10.0.1.0/24

so far i already installed option 4 from the x3mrouting menu and have a script called vpnclient1-route-up with:

#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution JAJA

sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn
iptables -I POSTROUTING -t nat -s 10.0.1.0/24 -o tun11 -j MASQUERADE
logger -st "($(basename "$0"))" $$ Ending Script Execution

on the vpn server i have Advertise DNS to clients enabled

on the vpnclient1 gui i have the vpn server network set up this way

also, Accept DNS Configuration is OFF and Force Internet traffic through tunnel is STRICT

here are some diagnostics

andresmorago@RT-AC3100-0548:/tmp/home/root# nvram dump | grep -E "vpn_client[1-5]"_clientlist | sort
vpn_client1_clientlist=<router>10.0.0.1>0.0.0.0>WAN<vpn_clients>10.0.1.0>0.0.0.0>VPN
vpn_client2_clientlist=
vpn_client3_clientlist=
vpn_client4_clientlist=
vpn_client5_clientlist=

andresmorago@RT-AC3100-0548:/tmp/home/root# nvram dump | grep -E "vpn_server[1-2]_sn" | sort
vpn_server1_sn=10.0.1.0
vpn_server2_sn=10.16.0.0

andresmorago@RT-AC3100-0548:/tmp/home/root# iptables -nvL OVPN
Chain OVPN (2 references)
 pkts bytes target     prot opt in     out     source               destination
   84  5399 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0

andresmorago@RT-AC3100-0548:/tmp/home/root# ip rule
0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10001:  from 10.0.0.1 lookup main
10101:  from 10.0.1.0 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

andresmorago@RT-AC3100-0548:/tmp/home/root# iptables --line -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 310 packets, 24291 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      tun11   10.0.1.0/24          0.0.0.0/0
2        0     0 MASQUERADE  all  --  *      tun11   10.0.1.0/24          0.0.0.0/0
3        0     0 MASQUERADE  all  --  *      tun11   10.0.1.0/24          0.0.0.0/0
4        4   240 MASQUERADE  all  --  *      tun11   10.0.0.0/24          0.0.0.0/0
5        0     0 MASQUERADE  all  --  *      tun11   10.0.1.0/24          0.0.0.0/0
6        0     0 MASQUERADE  all  --  *      tun11   10.0.1.0/24          0.0.0.0/0
7        0     0 MASQUERADE  all  --  *      tun11   10.0.1.0/24          0.0.0.0/0
8        0     0 ACCEPT     all  --  *      *       10.0.0.0/24          0.0.0.0/0            policy match dir out pol ipsec
9      786 51011 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
10     601 38798 MASQUERADE  all  --  *      eth0   !181.50.201.119       0.0.0.0/0
11      14  6112 MASQUERADE  all  --  *      br0     10.0.0.0/24          10.0.0.0/24
andresmorago@RT-AC3100-0548:/tmp/home/root#