x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


Hi.
At first @Xentrk, many thanks for help.
But now I have another question:
I'm testing the vpn selective routing on one host.
So, I have a rule in vpnclient3-route-up:
Code:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.111 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x4000/0x4000
Everything is working, except an error from Netflix about a proxy.
I tried to add:
Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIX_DNS netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net.
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
But it doesn't help, I still received this error from netflix.
I tried to change the line with vpn mark:
Code:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.111 -p tcp -m multiport --dport 80,443 -m set ! --match-set NETFLIX_DNS dst -m set ! --match-set NETFLIX dst -j MARK --set-mark 0x4000/0x4000
No luck.

Can you help?
Appears that your requirement is to route Netflix traffic to the WAN rather than thru the VPN.

I noticed a "." at the end of the first line below that may be causing the issue. It may have been a copy/paste error. Check the contents of /jffs/configs/dnsmasq.conf.add to see how the entry looks. If you have the "." at the end, you can delete it and then bounce dnsmasq using the command "service restart_dnsmasq".
Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIX_DNS netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net.
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906

I know of one or two forum members who have had to combine the DNSMASQ and ASN method to route Netflix traffic. Where I live, I can use one or the other.

Another thing you can try is to include the domain "amazonaws.com" in the NETFLIX_DNS ipset list, since Netflix hosts on Amazon's server farms.

If that doesn't work, you may have to do some more analysis by mining the dnsmasq.log file to see what domain names are being queried. See the thread below for tips:

https://www.snbforums.com/threads/x...swrt-merlin-firmware.57793/page-4#post-511876
 
Hi and thanks for all your help.
I'm trying to use @Martineau's advice but I can't get it to work.
My OpenVPN server clients aren't being selectively routed through my VPN client according to the ipset and option 3 of x3mRouting.

My router LAN is 10.0.0.0/24
My VPN client is 10.0.2.1/24
My router VPN server is 10.0.1.0/24

So far I have already installed option 4 from the x3mRouting menu and have a script called vpnclient1-route-up with:
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution JAJA

sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn
iptables -I POSTROUTING -t nat -s 10.0.1.0/24 -o tun11 -j MASQUERADE
logger -st "($(basename "$0"))" $$ Ending Script Execution

On the VPN server I have Advertise DNS to clients enabled.

On the vpnclient1 GUI I have the VPN server network set up this way:
Also, Accept DNS Configuration is OFF and Force Internet traffic through tunnel is STRICT.

Here are some diagnostics:
Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# nvram dump | grep -E "vpn_client[1-5]"_clientlist | sort
vpn_client1_clientlist=<router>10.0.0.1>0.0.0.0>WAN<vpn_clients>10.0.1.0>0.0.0.0>VPN
vpn_client2_clientlist=
vpn_client3_clientlist=
vpn_client4_clientlist=
vpn_client5_clientlist=

andresmorago@RT-AC3100-0548:/tmp/home/root# nvram dump | grep -E "vpn_server[1-2]_sn" | sort
vpn_server1_sn=10.0.1.0
vpn_server2_sn=10.16.0.0

andresmorago@RT-AC3100-0548:/tmp/home/root# iptables -nvL OVPN
Chain OVPN (2 references)
 pkts bytes target     prot opt in     out     source               destination
   84  5399 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0

andresmorago@RT-AC3100-0548:/tmp/home/root# ip rule
0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10001:  from 10.0.0.1 lookup main
10101:  from 10.0.1.0 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

andresmorago@RT-AC3100-0548:/tmp/home/root# iptables --line -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 310 packets, 24291 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      tun11   10.0.1.0/24          0.0.0.0/0
2        0     0 MASQUERADE  all  --  *      tun11   10.0.1.0/24          0.0.0.0/0
3        0     0 MASQUERADE  all  --  *      tun11   10.0.1.0/24          0.0.0.0/0
4        4   240 MASQUERADE  all  --  *      tun11   10.0.0.0/24          0.0.0.0/0
5        0     0 MASQUERADE  all  --  *      tun11   10.0.1.0/24          0.0.0.0/0
6        0     0 MASQUERADE  all  --  *      tun11   10.0.1.0/24          0.0.0.0/0
7        0     0 MASQUERADE  all  --  *      tun11   10.0.1.0/24          0.0.0.0/0
8        0     0 ACCEPT     all  --  *      *       10.0.0.0/24          0.0.0.0/0            policy match dir out pol ipsec
9      786 51011 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
10     601 38798 MASQUERADE  all  --  *      eth0   !181.50.201.119       0.0.0.0/0
11      14  6112 MASQUERADE  all  --  *      br0     10.0.0.0/24          10.0.0.0/24
andresmorago@RT-AC3100-0548:/tmp/home/root#

Shouldn't the Selective Routing GUI 'vpn_clients' created NVRAM variable match the OpenVPN Server POSTROUTING 'pass-thru' rule subnet?

i.e. Try changing
Code:
nvram get vpn_client1_clientlist

vpn_client1_clientlist=<router>10.0.0.1>0.0.0.0>WAN<vpn_clients>10.0.1.0>0.0.0.0>VPN
to
Code:
nvram get vpn_client1_clientlist

vpn_client1_clientlist=<router>10.0.0.1>0.0.0.0>WAN<vpn_clients>10.0.1.0/24>0.0.0.0>VPN
Also, it is prudent to prevent duplicate rules from being created.
e.g. vpnclient1-route-up
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution JAJA

sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn

iptables -D POSTROUTING -t nat -s 10.0.1.0/24 -o tun11 -j MASQUERADE         <<== Add this
iptables -I POSTROUTING -t nat -s 10.0.1.0/24 -o tun11 -j MASQUERADE

logger -st "($(basename "$0"))" $$ Ending Script Execution
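As an added example (not code from the thread or from x3mRouting) of the point about the vpn_clients entry: a small POSIX sh checker that parses the vpn_client1_clientlist value from the diagnostics above, renders each record as the ip rule source it becomes, and flags a network source entered without its /prefix. The record layout is assumed from the posted value, and no nvram or ip command is executed.

```shell
#!/bin/sh
# Added example, not part of the thread or of x3mRouting: a checker for the
# vpn_clientX_clientlist NVRAM format shown in the diagnostics above.
# The value below is a constructed copy of the posted one.

# Record layout (assumed from the posted value), one record per '<':
#   <description>source>destination>interface
CLIENTLIST='<router>10.0.0.1>0.0.0.0>WAN<vpn_clients>10.0.1.0>0.0.0.0>VPN'

# for_each_record LIST CALLBACK : split LIST into records and call
# CALLBACK desc src dst iface for each one.
for_each_record() {
  cb=$2
  oldifs=$IFS
  for rec in $(printf '%s' "$1" | tr '<' '\n'); do
    IFS='>'
    set -- $rec
    IFS=$oldifs
    "$cb" "$1" "$2" "$3" "$4"
  done
}

# Render one record as the policy rule it surfaces as in "ip rule":
# WAN entries look up the main table, VPN entries the ovpncN table of
# the client whose list this is (N is passed through TABLE).
print_rule() {
  case "$4" in
    VPN) echo "from $2 lookup ovpnc$TABLE" ;;
    WAN) echo "from $2 lookup main" ;;
    *)   echo "from $2 lookup ? (unknown interface '$4')" ;;
  esac
}

# Warn when a source ends in .0 but carries no /prefix: a bare address is
# matched by ip rule as a single host, not as the subnet that was meant.
warn_missing_prefix() {
  case "$2" in
    */*) ;;
    *.0) echo "$1: $2 has no /prefix, ip rule would match only host $2" ;;
  esac
}

# clientlist_rules LIST N : the rules a vpn_clientN list produces
clientlist_rules() {
  TABLE=$2
  for_each_record "$1" print_rule
}

# clientlist_warnings LIST : one line per suspicious source, nothing when clean
clientlist_warnings() {
  for_each_record "$1" warn_missing_prefix
}

clientlist_rules "$CLIENTLIST" 1
clientlist_warnings "$CLIENTLIST"
```

Run against the posted value it reports the 10.0.1.0 entry; with 10.0.1.0/24 in its place the warning disappears and the rendered rule covers the whole OpenVPN server subnet.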
 
Hello again.
Fixing the dot fixed Netflix for me. Thanks!

The ASN method doesn't help.
 
@Martineau thanks so much.
My VPN clients are now exiting through VPN client 1. I still have one question:

I'm running option 3 of x3mRouting and my dnsmasq.conf.add file has specific websites that need to be routed through vpnclient1. In the case of a regular LAN connection to my router, only specific websites exit through OpenVPN client 1. This works OK.

Now that I applied your recommendations above, when I remotely connect to the VPN server on my router, I'm seeing that all the traffic is being routed to vpnclient1 instead of only the websites stored in dnsmasq.conf.add.

Is there anything I could be missing?
 
Hi @Xentrk
Regarding option 4 of the script, I wanted to consult with you: from which script is vpnclient1-route-up being called? Per the logs, I think I'm duplicating its call on every router start, but I'm unsure.

My /jffs/scripts/x3mRouting/vpnclient1-route-up:
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution JAJA

sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn

iptables -D POSTROUTING -t nat -s 10.0.1.0/24 -o tun11 -j MASQUERADE
iptables -I POSTROUTING -t nat -s 10.0.1.0/24 -o tun11 -j MASQUERADE

logger -st "($(basename "$0"))" $$ Ending Script Execution

I have this in openvpn-event. A line is commented out, but I'm unsure if it should be that way:
Code:
#!/bin/sh
#sh /jffs/scripts/x3mRouting/openvpn-event $@
/jffs/scripts/x3mRouting/vpnclient1-route-up
 
Remove the comment in /jffs/scripts/openvpn-event on the second line and remove the third line so it looks like this.
Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/openvpn-event $@

During an OpenVPN event, it will call the /jffs/scripts/x3mRouting/openvpn-event script, which has been modified to conform to the original script by John9527 mentioned in the post https://www.snbforums.com/threads/f...lts-releases-v39e3.18914/page-238#post-294825

If you have created the /jffs/scripts/x3mRouting/vpnclient1-route-up script, it will be executed by /jffs/scripts/openvpn-event -> /jffs/scripts/x3mRouting/openvpn-event -> /jffs/scripts/x3mRouting/vpnclient1-route-up.
 
Computers usually only do what you tell them to do, so perhaps the clue is in the title of the thread (that @Xentrk directed you to)

"Redirect all traffic of OpenVPN Server connected client to OpenVPN client"

If you didn't want all inbound OpenVPN server client traffic to be routed outbound via the VPN Client (given that post 111 raised an issue about the "wrong" IP being reported by ipinfo.io), then there is no point in including the whole OpenVPN server subnet in the Selective Routing GUI.

I'll leave it up to @Xentrk to decide if he wishes to modify his scripts to accommodate your specific edge-case requirement i.e. add say an additional interface configuration parameter, or leave you to manually add the appropriate rule in vpnclient1-route-up etc.
 
Thank you for helping @andresmorago. I will go ahead and add the edge-case for vpn server routing feature and also for the edge-case requirement to route traffic to the WAN1 interface. I'll start with the vpn server routing requirement first as I can test that one with my current setup. I'll need a volunteer to test the WAN1 interface code once I get it done since I don't have dual WAN interfaces.
 
I don't know if x3mRouting will do the job for me, but I would like to ask anyway.
I don't necessarily need Amazon or Netflix; what I have a problem with is my ISP, due to internet browsing regulations. Many websites are blocked by the ISP and they have also blocked many known and popular VPNs too. All ISPs in this country are like that. It is like a sub-China firewall.
Anyway, in the end I got a VPN provider that actually fools my ISP. I set up Cloudflare DNS over TLS. I set up the VPN with Exclusive DNS configuration and policy rules (strict) for the blocked websites. I don't want my whole internet to go through the VPN as this will slow down the speed too much, affecting gaming, streaming, etc. performance.

But it is very impractical to add these.
Let me give you the rundown.
When I am browsing, I come across some websites that return "Secure Connection Failed" with PR_CONNECT_RESET_ERROR.
Then I check these websites with https://www.isitdownrightnow.com/ to see if they are actually offline or I am being duped by my ISP. Most of the time, the issue is with the ISP.
I try to find the IP address of that website by using online IP finders. This is not very efficient because sometimes some IPs are not listed or are outdated.
After that, I manually enter these IP addresses into the policy rules.

It is time consuming and overly impractical. Can I simplify this process using x3mRouting and some scripts?

Best practice for me would be to automate this whole process in the router. Even semi-automating will do.

i.e.
when a normal connection is not established, the router can try to use the VPN to subvert the restriction.
or
entering domain names or some other easier way instead of finding every IP a website uses.
 
Hi @Xentrk
Thanks for your feedback. Let me know if I can help you with testing. I'm available.
 
When the issue occurs, go to a site like whatismyipaddress.com or whatismyip.com to make sure the VPN endpoint of the device is what you intend. You can temporarily disable Diversion and/or Skynet when the problem occurs to see if they may be blocking an address your IP requires. The "follow the log file" option in Diversion can help you identify

I had a problem with one streaming device for Sling TV. It is my Roku player. On my pfSense appliance, I block all DNS requests other than the DNS specified by the router. Roku has Google DNS 8.8.8.8 hard coded and when it couldn't talk to it, it would not get hung up. It works okay on my Asus router and I also have firewall rules to block client device DNS but it works okay there. So I have to look at my firewall rules and make some modifications.

I would look at the system log file for clues when it occurs. Use the timestamp entry to narrow down the messages you need to look at. Let me know if you figure it out.
Thanks a lot for your reply and sorry for my late answer. I will take a deeper look at the weekend. In the normal system log of my Asus router, there is nothing obvious.

I made the check with the IP address in the browser using ipleak.net and it is routed via VPN; that is normal, because I just want to use WAN for Amazon Prime as described a few posts before, as you described it in your wiki with disabled DNS settings.
The strange thing is that the VPN appointment is only related to the iPad and not other devices, and also not all the time.

Maybe it is related to Skynet or Diversion, but why does this only happen to this particular device if the IP would be blocked in general?

Where do I find the log files for Skynet and Diversion for checking?

Thanks a lot for your support
 
Diversion does not have a log. It does record dns query entries in /opt/var/log/dnsmasq.log file. The other option is the follow the log file option.

Skynet has a stats function that will list information.

You could install my /jffs/configs/profile.add file and use the MatchIP command to see if an IP address resides in an IPSET list. Here is an example:

Code:
# MatchIP 78.189.207.47
78.189.207.47 not found in AMAZON_US
78.189.207.47 not found in NETFLIX
78.189.207.47 not found in BBC_WEB
78.189.207.47 not found in HULU_WEB
78.189.207.47 not found in Skynet-Whitelist
78.189.207.47 found in Skynet-Blacklist
78.189.207.47 not found in Skynet-BlockedRanges
78.189.207.47 not found in Skynet-IOT
78.189.207.47 not found in CBS_WEB
78.189.207.47 not found in MOVETV
78.189.207.47 not found in Skynet-Master

To determine if Skynet or Diversion are blocking a domain, disable Skynet and see if anything changes. If you still have an issue, disable Diversion and test again.

Also, check that your VPN clients are still running and that the routing rules are still in place by issuing the commands ip rule and iptables -nvL PREROUTING -t mangle --line
 
Did you try using another browser? I found a recent reference about the error online. https://superuser.com/questions/148...-pr-connect-reset-error-in-firefoxs-incognito

If there are sites you want to access over the VPN that your ISP is blocking, find out the IP address of the domain using the nslookup command. You can create a manual IPSET list in the /opt/tmp directory. Open the file in an editor and enter the IP addresses. Then, use the MANUAL script to route the traffic:
Code:
sh load_MANUAL_ipset_iface.sh 3 BBC
 
Hello @Xentrk
I'm having issues when trying to run openvpn-event, as I always get this error, even after having deleted the route ipset rule with
Code:
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn del

I get this in the log:
Code:
Oct 10 23:52:43 RT-AC3100-0548 openvpn-event[18037]: VPN script vpn- already run
This isn't letting your VPN script run when a change on the router is performed. I have to manually run
Code:
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn

Can you please advise?

openvpn-event
Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/openvpn-event $@
#/jffs/scripts/x3mRouting/vpnclient1-route-up

vpnclient1-route-up
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution JAJA

sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn

iptables -D POSTROUTING -t nat -s 10.0.1.0/24 -o tun11 -j MASQUERADE
iptables -I POSTROUTING -t nat -s 10.0.1.0/24 -o tun11 -j MASQUERADE

logger -st "($(basename "$0"))" $$ Ending Script Execution
 
I am running /jffs/scripts/x3mRouting/vpnclientX-route-up script for three clients - 1, 3 and 5 without any issues. /jffs/scripts/openvpn-event:
Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/openvpn-event $@

Are you not seeing the message Starting Script Execution JAJA in the system log?

Check the contents of /jffs/scripts/x3mRouting/openvpn-event. It should look like the code below:

Code:
#!/bin/sh
###########################################################################################################
# Script: openvpn-event
# Author: Xentrk
# Last Updated Date: 3-June-2019
#
# Description:
#   Original Script by John9527:
#   https://www.snbforums.com/threads/fork-asuswrt-merlin-374-43-lts-releases-v39e3.18914/page-238#post-294825
#
#   Modified by Xentrk for x3mRouting project
############################################################################################################
# shellcheck disable=SC2154
PROJECT_REPO="/jffs/scripts/x3mRouting"

scr_name="$(basename "$0")[$$]"

case "$1" in
"tun11")
  vpn_name="client1"
  ;;
"tun12")
  vpn_name="client2"
  ;;
"tun13")
  vpn_name="client3"
  ;;
"tun14")
  vpn_name="client4"
  ;;
"tun15")
  vpn_name="client5"
  ;;
"tun21")
  vpn_name="server1"
  ;;
"tun22")
  vpn_name="server2"
  ;;
*)
  vpn_name=""
  ;;
esac

# Call appropriate script based on script_type
vpn_script_name=vpn"$vpn_name"-"$script_type"

# Check script state/use nvram to save last script run
vpn_script_state=$(nvram get vpn_script_state)
nvram set vpn_script_state="$vpn_script_name"
if [ "$vpn_script_name" = "$vpn_script_state" ]; then
  echo "VPN script" "$vpn_script_name" "already run" | logger -t "$scr_name"
  exit 0
fi

if [ -f "$PROJECT_REPO/$vpn_script_name" ]; then
  echo "Running $PROJECT_REPO/$vpn_script_name $*" | logger -t "$scr_name"
  sh $PROJECT_REPO/"$vpn_script_name" "$*"
else
  echo "Script not defined for event: ""$vpn_script_name" | logger -t "$scr_name"
  exit 0
fi

exit 0
 

FYI, the use of NVRAM for 'state' tracking was/is potentially flawed? see this and a revised version was subsequently released: improved script

However, the current tracking of the trigger scripts is still flawed - i.e. the intention is to prevent the openvpn-event trigger from firing 'back-to-back', but if there is only one custom trigger event, then the logic error experienced by @andresmorago in post #135 will occur.

One solution is to reset the 'vpn_script_state' tracking by exploiting the 'start_vpnclientX' script (if supported) to delete '/tmp/vpnxxxxxxx_state' (or nvram unset vpn_script_state).

Possibly it is simpler if the script simply issues a WARNING that the openvpn-event trigger script is seemingly about to run twice rather than terminate the openvpn-event script prematurely, or alternatively always update 'vpn_script_state'.

e.g. change
Code:
echo "Script not defined for event: "$vpn_script_name | logger -t $scr_name
exit 0
to
Code:
echo "Script not defined for event: "$vpn_script_name | logger -t $scr_name
echo "${vpn_script_name}-NOSCRIPT" > $vpn_script_log  # (or nvram set vpn_script_state="${vpn_script_name}-NOSCRIPT")
exit 0
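To see the "already run" guard from the quoted openvpn-event script and the NOSCRIPT tweak proposed above behave as described, here is an added stand-alone model (not the project's script, and not from the thread). It assumes a state file in place of the vpn_script_state nvram variable and a stub vpnclient1-route-up in a temp directory as the only custom trigger script.

```shell
#!/bin/sh
# Added example, not x3mRouting's own code: a self-contained model of the
# "already run" guard in the openvpn-event script quoted above.
# Assumptions: a file replaces the nvram variable vpn_script_state, and a
# constructed stub vpnclient1-route-up stands in for the user's custom script.

WORK=$(mktemp -d "${TMPDIR:-/tmp}/x3m_guard.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/repo"
STATE="$WORK/vpn_script_state"
: > "$STATE"
# Constructed stub: the one custom trigger script that exists in this demo.
printf '#!/bin/sh\nexit 0\n' > "$WORK/repo/vpnclient1-route-up"

# Same tunX -> clientN / serverN mapping as the posted script.
vpn_name_for() {
  case "$1" in
    tun11) echo client1 ;; tun12) echo client2 ;; tun13) echo client3 ;;
    tun14) echo client4 ;; tun15) echo client5 ;;
    tun21) echo server1 ;; tun22) echo server2 ;;
    *)     echo "" ;;
  esac
}

# dispatch MODE DEV SCRIPT_TYPE
#   original : guard as posted; the state is overwritten with the event name
#              before the comparison, so any event seen twice in a row is
#              skipped, whether or not a script exists for it
#   patched  : the no-script branch additionally records "<name>-NOSCRIPT",
#              so a repeated undefined event keeps being reported as
#              "no-script" instead of "already-run"
# Prints one word: ran | already-run | no-script
dispatch() {
  mode=$1; dev=$2; script_type=$3
  name="vpn$(vpn_name_for "$dev")-$script_type"
  prev=$(cat "$STATE")
  printf '%s' "$name" > "$STATE"
  if [ "$name" = "$prev" ]; then
    echo already-run
    return 0
  fi
  if [ -f "$WORK/repo/$name" ]; then
    sh "$WORK/repo/$name" "$dev"
    echo ran
  else
    [ "$mode" = patched ] && printf '%s-NOSCRIPT' "$name" > "$STATE"
    echo no-script
  fi
}

reset_state() { : > "$STATE"; }

# Stand-alone run: reproduce the "VPN script vpn- already run" line from the
# post (openvpn-event invoked by hand, so neither the tun device nor
# script_type is set) under both variants.
for mode in original patched; do
  reset_state
  echo "$mode: $(dispatch "$mode" "" "")  $(dispatch "$mode" "" "")"
done
```

A route-up followed by a route-pre-down for the same client still alternates the state, so the guard only bites when the very same event name arrives twice in a row.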
 
Thank you for pointing out the updated code @Martineau

I incorporated your suggested changes as listed below:

Code:
# Description:
#   Original Script by John9527:
#   https://www.snbforums.com/threads/fork-asuswrt-merlin-374-43-lts-releases-v39e3.18914/page-238#post-294825
#
#   Updated Script by John9527
#   https://www.snbforums.com/threads/solved-protocol-based-vpn-port-5060-blocked.41585/page-2#post-352772
#
#   Implemented additional patches suggested by Martineau
#   https://www.snbforums.com/threads/solved-protocol-based-vpn-port-5060-blocked.41585/page-2#post-352834
#   https://www.snbforums.com/threads/x3mrouting-selective-routing-for-asuswrt-merlin-firmware.57793/page-7#post-520433
#

@andresmorago Please run option [5] = Check for updates to existing x3mRouting installation to pull the updated openvpn-event code.
 
Hi.
I found an incompatibility between selective routing and Skynet.
Skynet did a firewall restart during its update process.
It clears any selective routing rules ...
Code:
2019-10-14T01:25:01+03:00 192.168.99.1 Skynet: [%] New Version Detected - Updating To v6.8.8 (fc4a4faf0394ad20cac1efed649caad7)
2019-10-14T01:25:03+03:00 192.168.99.1 Skynet: [%] Restarting Firewall Service
2019-10-14T01:25:03+03:00 192.168.99.1 rc_service: service 6334:notify_rc restart_firewall
2019-10-14T01:25:03+03:00 192.168.99.1 custom_script: Running /jffs/scripts/service-event (args: restart firewall)
2019-10-14T01:25:03+03:00 192.168.99.1 service-event: Started for event restart of service firewall
2019-10-14T01:25:04+03:00 192.168.99.1 nat: apply nat rules (/tmp/nat_rules_ppp0_eth0)
2019-10-14T01:25:04+03:00 192.168.99.1 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)

After that I get the following result from iptables -t mangle -L PREROUTING:
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK xset 0x1/0x7
 
