x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

Here is a sample of the use case examples of the new version.
Code:
#### Routing traffic to a VPN Client #####
#======================= ASN Method
# route all traffic matching IPSET list NETFLIX created from AS2906 to VPN Client1    
x3mRouting.sh ALL 1 NETFLIX asnum=AS2906

# route all traffic matching IPSET list NETFLIX created from AS2906 to VPN Client1 from LAN device 192.168.22.152    
x3mRouting.sh ALL 1 NETFLIX asnum=AS2906 src=192.168.22.152

#======================= Amazon AWS Region Method
# route all traffic matching IPSET list AMAZON_US to VPN Client 1
x3mRouting.sh ALL 1 AMAZON_US aws_region=US

# route all traffic matching IPSET list AMAZON_US from IP address ranges 192.168.22.152-192.168.22.157 created from Amazon US region to VPN Client 1
x3mRouting.sh ALL 1 AMAZON_US aws_region=US src_range=192.168.22.152-192.168.22.157

#======================= dnsmasq Method
# route all traffic matching IPSET list NETFLIX created from domain names to VPN Client1
x3mRouting.sh ALL 1 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

# Search dnsmasq.log file for domains that contain the keyword "amazon" and create the IPSET list AMAZON using the dnsmasq method
x3mRouting.sh ALL 1 AMAZON autoscan=amazon

# Search dnsmasq.log file for domains that contain the keywords "amazonaws,netflix,nflx" and create the IPSET list AMZ_NFLX using the dnsmasq method
x3mRouting.sh ALL 1 AMZ_NFLX autoscan=amazonaws,netflix,nflx

#======================= Manual Method
# route all traffic matching IPSET list WIMIPCOM to VPN Client 1 (manually created list)
x3mRouting.sh ALL 1 WIMIPCOM

# route all VPN Client 1 traffic matching IPSET list WIMIPCOM created from the IPv4 addresses provided
x3mRouting.sh ALL 1 WIMIPCOM ip=104.27.198.90,104.27.199.90

#### VPN Client Bypass Routing #####

#======================= ASN Method
# VPN Client Bypass: route VPN Client 1 traffic matching IPSET list NETFLIX to WAN
x3mRouting.sh 1 0 NETFLIX asnum=AS2906

# VPN Client Bypass: route VPN Client 1 traffic from 192.168.22.152 matching IPSET list NETFLIX to WAN
x3mRouting.sh 1 0 NETFLIX asnum=AS2906 src=192.168.22.152

#======================= Amazon AWS Region Method
# VPN Client Bypass: route VPN Client 1 traffic matching IPSET list AMAZON_US to WAN
x3mRouting.sh 1 0 AMAZON_US aws_region=US

# VPN Client Bypass: route VPN Client 1 traffic from 192.168.22.152-192.168.22.157 matching IPSET list AMAZON_US to WAN
x3mRouting.sh 1 0 AMAZON_US aws_region=US src_range=192.168.22.152-192.168.22.157

#======================= dnsmasq Method
# VPN Client Bypass: route all VPN Client 1 traffic matching IPSET list WIMIPCOM to the WAN (manually created list)
x3mRouting.sh 1 0 WIMIPCOM dnsmasq=whatismyip.com

# VPN Client Bypass: route all VPN Client 1 traffic matching IPSET list NETFLIX to the WAN        
x3mRouting.sh 1 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

# VPN Client Bypass: route VPN Client 1 traffic from 192.168.22.152 matching IPSET list NETFLIX to WAN
x3mRouting.sh 1 0 NETFLIX domain=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net src=192.168.22.152

#======================= Manual Method
# VPN Client Bypass: route all VPN Client 1 traffic matching IPSET list WIMIPCOM to the WAN
x3mRouting.sh 1 0 WIMIPCOM

# VPN Client Bypass: route all VPN Client 1 traffic matching IPSET list WIMIPCOM created from the IPv4 addresses provided to the WAN
x3mRouting.sh 1 0 WIMIPCOM ip=104.27.198.90,104.27.199.90

# VPN Client Bypass: route VPN Client 1 traffic from 192.168.22.152 matching IPSET list WIMIPCOM to the WAN
x3mRouting.sh 1 0 WIMIPCOM src=192.168.22.152

# VPN Client Bypass: route VPN Client 1 traffic from 192.168.22.152-192.168.22.157 matching IPSET list WIMIPCOM to WAN        
x3mRouting.sh 1 0 WIMIPCOM src_range=192.168.22.152-192.168.22.157

#________________________________________________________________________________________________
#
#### Delete an IPSET list and all routing rules and cru jobs ####
# Either option will work. There is no requirement to specify the method
x3mRouting.sh ipset_name=MYIPSET del
x3mRouting.sh ALL 1 NETFLIX del

#________________________________________________________________________________________________
#
#====================== IPSET list creation only - no routing rules

#====================== ASN Method
# Create IPSET list NETFLIX from AS2906
x3mRouting.sh ipset_name=NETFLIX asnum=AS2906  # create IPSET list using AS2906 as the source

#====================== Amazon AWS Region Method
# Create IPSET list AMAZON_US created from Amazon US region
x3mRouting.sh ipset_name=AMAZON_US aws_region=US

#======================= dnsmasq Method
# Create IPSET list NETFLIX using dnsmasq method
x3mRouting.sh ipset_name=NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

#====================== Manual Method
# Create IPSET list BBC using manual method
x3mRouting.sh ipset_name=BBC

# Create IPSET list BBC using manual method. Use 'dir' location as the backup/restore location
x3mRouting.sh ipset_name=BBC dir=/tmp/mnt/RT-AC88U/mylists

#________________________________________________________________________________________________
#

####### VPN Server to VPN Client Routing:

# route from server 1,2 or both to VPN client 1,2,3,4,5
x3mRouting.sh server=1 client=1
x3mRouting.sh server=2 client=1
x3mRouting.sh server=both client=1

#________________________________________________________________________________________________

####### VPN Server to existing LAN routing rules for an IPSET list

# route from server 1,2 or both to use same LAN rules for IPSET list PANDORA

x3mRouting.sh server=1 ipset_name=PANDORA
x3mRouting.sh server=2 ipset_name=PANDORA
x3mRouting.sh server=both ipset_name=PANDORA
I will focus the next few days on changes to the installation menu for the new version and a utility to help with the conversion from the current to the new version.
 
Here is the other teaser. The update process will scan /jffs/scripts/nat-start and any vpnclientX-route-up files in the /jffs/scripts/x3mRouting directory for any existing x3mRouting entries and create a conversion file as shown below. This approach gives you the opportunity to review the original script entry next to the new script entry to validate. If all is good, run the script and you're done. All of the setup will be performed so the IPSET list and routing rules are created at system boot or whenever the VPN client has an up/down event.

For WAN entries that bypass traffic for a VPN, I need to know the VPN Client that requires the bypass. Since this information is not provided in the current version, I default to VPN Client 1 and provide a message that the entry requires review. Identifying the VPN Client informs x3mRouting where to add the entry so the script runs at boot or VPN Client up/down events. This use case is for those who have a streaming media or LAN device rule to route thru a VPN Client and need to bypass the VPN Client for a service like NF.

Code:
#!/bin/sh
# If the source VPN Client you want to bypass is '1', then no changes are required.
# Otherwise, edit the '1' to be a valid VPN Client number '1-5'
# Original Entry=> sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON_US US
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AMAZON_US aws_region=US

# Original Entry=> sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 NETFLIX asnum=AS2906

Feedback appreciated.
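
The old-to-new mapping shown in the conversion file above, as an added example (not part of the original post and not the x3mRouting update utility): a POSIX sh/awk function that rewrites the legacy load_*_ipset*.sh entry forms quoted in this thread into the new syntax. The function names, the REVIEW comment text and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the x3mRouting update utility. Handles only the legacy
# entry forms that appear in this thread.

NEW="sh /jffs/scripts/x3mRouting/x3mRouting.sh"

# convert_legacy: legacy entries on stdin -> "Original Entry" comment plus
# the new-style command on stdout.
convert_legacy() {
  awk -v new="$NEW" '
    # Legacy script name -> parameter keyword used by the new syntax.
    function keyword(s) {
      if (s ~ /load_ASN_/)     return "asnum="
      if (s ~ /load_AMAZON_/)  return "aws_region="
      if (s ~ /load_DNSMASQ_/) return "dnsmasq="
      return ""                              # load_MANUAL_*: no source value
    }
    $1 ~ /^#/ { next }                       # skip commented-out entries
    {
      idx = 0
      for (i = 1; i <= NF; i++)
        if ($i ~ /\/load_[A-Z]+_ipset(_iface)?\.sh$/) { idx = i; break }
      if (!idx) next                         # not an x3mRouting entry
      p = idx + 1
      iface = ""
      if ($idx ~ /_iface\.sh$/) { iface = $p; p++ }
      name = $p; p++
      value = ""; extra = ""
      while (p <= NF) {                      # first bare word = source value,
        if ($p ~ /=/) extra = extra " " $p   # key=value args (dir=...) pass through
        else if (value == "") value = $p
        p++
      }
      print "# Original Entry=> " $0
      if (iface == "") {
        cmd = new " ipset_name=" name        # list creation only, no routing rule
      } else if (iface == "0") {
        # The old syntax never named the VPN Client being bypassed.
        print "# REVIEW: bypass source defaulted to VPN Client 1"
        cmd = new " 1 0 " name
      } else {
        cmd = new " ALL " iface " " name
      }
      if (value != "") cmd = cmd " " keyword($idx) value
      print cmd extra
      print ""
    }
  '
}

# Constructed nat-start content using entry forms quoted in this thread.
sample_entries() {
  cat <<'EOF'
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON_US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh HULU AS23286
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset.sh BBC
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 DISNEY disneyplus.com,disney-plus.net dir=/mnt/USBHDD/ipset-backups
EOF
}

sample_entries | convert_legacy
```

Entries flagged REVIEW are the WAN bypass rules where the source VPN Client has to be confirmed by hand before the converted file is run.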
 
@Xentrk awesome work, can't wait to test this out :) p.s. add disney please
 
Correct. But a few members had issues with getting NF routing to work. The suspected root cause is the way Netflix may be using CDN at the ISP. Some have found that routing the ISP ASN to the WAN was the solution to work around the issue.

I'll provide a detailed reply another time but I didn't need to add my ISP ASN and also, I changed to TorGuard Streaming Bundle with 2 dedicated IPs. Works perfectly!
 
So I just wanted to mention.
I discovered x3mrouting today, absolutely glorious, Xentrk deserves a Nobel Prize.

I've been at it for like 10 hours now lol, in the end it seems that adding my ISP ASN fixed it.

So I wanted everything EXCEPT Netflix and Amazon to go through the VPN.

I'm not sure what helped the most but here are the commands I think I need (I used only step 3 in this guide https://github.com/Xentrk/x3mRouting):

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX-ISPNAME ASxxxxx
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-EU EU
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-GLOBAL GLOBAL
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 AMAZON-16509 AS16509
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIX netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net,amazonaws.com,www.geo.netflix.com

"iptables -nvL PREROUTING -t mangle --line" gave the following after a bit of trying
num pkts bytes target prot opt in out source destination
1 6048 4796K MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
2 497 53736 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX dst MARK or 0x8000
3 925 118K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-16509 dst MARK or 0x8000
4 518 59490 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-GLOBAL dst MARK or 0x8000
5 351 53373 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-EU dst MARK or 0x8000
6 1195 101K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX-ISPNAME dst MARK or 0x8000


I guess I will discover if it really works

EDIT: I was wondering, when adding ISP ASN, doesn't that mean everything goes to ISP and not VPN?

I'm not savvy enough to understand how you make this persist through reboot though.
Someone wanna explain?

Thx
 
I also wonder, did anyone try/get this working together with YazFi?
All I want is Netflix / Amazon to go through WAN regardless if you're on YazFi subnet/guest or not, possible?
 
See this post for the instructions. You can get the IP address associated with the YazFi Guest network interface name by issuing the command:
ip route
 
It has only been a few ppl that have needed to route their ISP services to the WAN. For the question, you can test by entering your computer in the Policy Routing table to have it routed to the VPN. Then, go to a site like whatismyipaddress.com and check that the IP is the VPN server.

In order to have the IPSET lists restored at boot, execute the scripts from /jffs/scripts/nat-start. Refer to the Wiki for instructions on how to configure nat-start.

/jffs/scripts/nat-start example

Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset.sh AMAZON-US US

sh /jffs/scripts/x3mRouting/load_MANUAL_ipset.sh BBC

sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh HULU AS23286
sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh NETFLIX AS2906

All scripts require a shebang (#!/bin/sh) and you must set the permission to be executable (chmod 755 /jffs/scripts/nat-start)

You should not require the www.geo.netflix.com entry. The netflix.com entry will cover it.
 
@Xentrk awesome work, can't wait to test this out :) p.s. add disney please
Sorry, I no longer have the domains I mined during my trial subscription. But doing the following shows that AS16509 should work, the same one used by NF.

Code:
# nslookup disneyplus.com
Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

Name:      disneyplus.com
Address 1: 54.218.188.255 ec2-54-218-188-255.us-west-2.compute.amazonaws.com
Address 2: 34.218.145.143 ec2-34-218-145-143.us-west-2.compute.amazonaws.com
Address 3: 54.71.61.241 ec2-54-71-61-241.us-west-2.compute.amazonaws.com

# whob 54.218.188.255 | grep AS
Origin-AS: 16509
AS-Path: 54728 20130 6939 3356 16509
AS-Org-Name: Amazon.com, Inc.

Mining dnsmasq.log file or looking at the source code on the webpage are the other ways to collect the domain names.
 
So to reply onto this thread - I did not need to
Packets are traversing the IPTABLES chain. But I still don't see the WAN routing rule for the ISP AS Number you listed in a prior post.

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 STARHUB-55430 AS55430

You can use the "ip rule del prio xxxx" command to delete the RPDB rules above the RPDB rules for the fwmark/bitmask to see if those rules are causing a conflict. If so, we'll have to make an edit to the script to have the priority numbers listed higher so it works for your use case.

I agree with @Torson's tips about trying to find the root cause. Please try to turn off dual WAN and route all traffic thru the VPN. If it works, then we can eliminate the VPN as an issue. Then, turn Policy Routing rules back on and see if it works. After that, turn dual WAN back on and test again.

My solution for my Dual WAN setup was simply to subscribe to TorGuard Streaming Bundle. I then did not need to do anything different except not add the ISP ASN and add an ip rule for the devices I want to go through my VPN with prio 15. All thanks to @Martineau!

nat-start script for BBC iPlayer and Netflix is as follows:

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 BBC-AS2818 AS2818
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 BBC-AS31459 AS31459
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-AS812 AS812
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-AS2906 AS2906
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX_AS14618 AS14618
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 AMAZON-16509 AS16509
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-GLOBAL GLOBAL
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 BBC_WEB1 bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 NETFLIX_WEB1 amazonaws.com,netflix.com,netflix.net,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net,dvd.netflix.com

DNS over TLS is enabled in my setup, so "Accept DNS Configuration" for my VPN Client is set to Strict rather than Exclusive. I then added the below to my configuration

Code:
dhcp-option DNS 1.1.1.1

My VPN client has this configuration:

Code:
DummyVPN    192.0.2.0    0.0.0.0    VPN
Router    192.168.1.1    0.0.0.0    WAN
Device1    192.168.1.10    0.0.0.0    VPN
Device2    192.168.1.6    0.0.0.0    VPN

For my Dual WAN scenario, I did what I have in my other thread to enable automatic adding of rules at prio 15 to my clients going through a specific VPN client.
https://www.snbforums.com/threads/openvpn-server-and-dual-wan.62826/

"vpnclientX-route-up"

I coded this

Code:
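#!/bin/sh

VPN_ID=1 # ID of the VPN Client
# Select the "ip rule" lines containing 10<VPN_ID*2-1> (101 for VPN_ID=1), blank the
# first field (the priority) and re-add each rule with "prio <VPN_ID>5" (prio 15 here).
ip rule | grep "10$((VPN_ID*2-1))" | tr '\t' ' ' | awk -v x="${VPN_ID}" '{ $1=""; print $0" prio "x"5"}' \
  | while read -r RULE ; do
      ip rule add $RULE   # unquoted on purpose: RULE must split into separate arguments
    done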

"vpnclientX-down"

I coded this

Code:
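#!/bin/sh

VPN_ID=1 # ID of the VPN Client
# Rebuild the same "prio <VPN_ID>5" rule text the route-up script added and delete those rules.
ip rule | grep "10$((VPN_ID*2-1))" | tr '\t' ' ' | awk -v x="${VPN_ID}" '{ $1=""; print $0" prio "x"5"}' \
  | while read -r RULE ; do
      ip rule del $RULE   # unquoted on purpose: RULE must split into separate arguments
    done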
 

got the domains from the website source looks right, not tested though ....1 is vpnclient (usa)

Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 DISNEY disneyplus.com, disney-plus.net,thewaltdisneycompany.com dir=/mnt/USBHDD/ipset-backups
 
got the domains from the website source looks right, not tested though ....1 is vpnclient (usa)

Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 DISNEY disneyplus.com, disney-plus.net, thewaltdisneycompany.com dir=/mnt/USBHDD/ipset-backups
Appears to be okay. I will try to write some code to screen scrape a site for domains. You need to remove the space after the comma though.

Another validation is to mine dnsmasq using getdomainnames.sh. I will include it in the new version of x3mRouting. I just pushed an update to the repo where I first created it and added a help function and additional error handling for output file, valid IPv4 address and missing parameters:

sh getdomainnames.sh help
Code:
#_______________________________________________________________________________________________________________
#
# This script will format the output stored in 'myfile' created using the command: tail -f dnsmasq.log > myfile
# and save the output to myfile_domains. The file name 'myfile' is an example. You can enter any name.
#
# Usage Instructions:
#  1. Navigate to the log file directory /opt/var/log
#  2. Enter the command: tail -f dnsmasq.log > myfile
#  3. Access the streaming service and watch some videos for a few seconds and select each menu option to generate
#     domain names.
#  4. Type 'Ctrl-C' to exit
#  5. Navigate to /jffs/scripts
#  6. Run getdomainnames.sh
#  7. The domains collected will be stored in /opt/var/log/ directory using the same name as the output file
#     with '_domains' concatenated at the end of the file name (e.g myfile_domains)
#
# Parameters Passed
# $1 = provide the name of the source file when running the script
# $2 = IPv4 address of client device that was used to query domains
# Usage Example:
#   sh getdomainnames.sh myfile 192.168.1.50
#_______________________________________________________________________________________________________________

Installation.
Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/master/getdomainnames.sh" -o /jffs/scripts/getdomainnames.sh && chmod 755 /jffs/scripts/getdomainnames.sh

You will need to route all traffic to the VPN tunnel while collecting the domain names. Once done, you can re-enable Policy Routing.
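
One way to do the log mining described above, as an added example (not Xentrk's getdomainnames.sh and not the code behind the autoscan= option shown in the first post): it pulls the names one client queried out of dnsmasq query-log lines and can keep only names containing given keywords. The function names and log lines are constructed; the client address is compared exactly, so 192.168.1.5 does not pick up queries made by 192.168.1.50.

```shell
#!/bin/sh
# Added example, not getdomainnames.sh. Log lines below are constructed.

# is_ipv4 ADDR -> exit 0 when ADDR is a dotted quad with octets 0-255
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# scan_domains LOGFILE CLIENT_IP [KEYWORD,KEYWORD...]
# Prints the unique, lower-cased names CLIENT_IP queried, one per line, sorted.
scan_domains() {
  [ -r "$1" ] || { echo "scan_domains: cannot read log file" >&2; return 2; }
  is_ipv4 "$2" || { echo "scan_domains: invalid IPv4 address" >&2; return 2; }
  awk -v ip="$2" -v kw="$3" '
    BEGIN { nk = split(tolower(kw), K, ",") }
    # Keep a name when no keywords were given or it contains one of them.
    function wanted(n,   j) {
      if (nk == 0) return 1
      for (j = 1; j <= nk; j++) if (K[j] != "" && index(n, K[j]) > 0) return 1
      return 0
    }
    {
      # Locate "query[TYPE] NAME from IP" wherever it sits on the line, so the
      # extra serial and address/port columns of log-queries=extra are tolerated.
      for (i = 1; i <= NF - 3; i++)
        if ($i ~ /^query\[/ && $(i + 2) == "from" && $(i + 3) == ip) {
          name = tolower($(i + 1)); sub(/\.$/, "", name)
          if (wanted(name)) seen[name] = 1
          break
        }
    }
    END { for (n in seen) print n }
  ' "$1" | LC_ALL=C sort
}

# Constructed dnsmasq.log excerpt (documentation addresses, made-up names).
sample_log() {
  cat <<'EOF'
Mar 14 09:21:07 dnsmasq[312]: query[A] www.netflix.com from 192.168.1.50
Mar 14 09:21:07 dnsmasq[312]: forwarded www.netflix.com to 1.1.1.1
Mar 14 09:21:07 dnsmasq[312]: reply www.netflix.com is 198.51.100.7
Mar 14 09:21:08 dnsmasq[312]: query[AAAA] www.netflix.com from 192.168.1.50
Mar 14 09:21:08 dnsmasq[312]: query[A] Occ-0-1.1.NFLXso.net from 192.168.1.50
Mar 14 09:21:09 dnsmasq[312]: query[A] api.amazon.com from 192.168.1.5
Mar 14 09:21:10 dnsmasq[312]: query[A] time.example.org from 192.168.1.50
Mar 14 09:21:11 dnsmasq[312]: 77 192.168.1.50/40211 query[A] cdn.nflxvideo.net from 192.168.1.50
EOF
}

log=$(mktemp)
sample_log > "$log"
scan_domains "$log" 192.168.1.50 netflix,nflx
rm -f "$log"
```

Without a keyword filter the output also contains unrelated lookups the device made during the capture (time.example.org in the sample), which is why the collected list should be reviewed before it is passed to dnsmasq=.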
 
My solution for my Dual WAN setup was simply to subscribe to TorGuard Streaming Bundle. I then did not need to do anything different except not add the ISP ASN and add an ip rule for the devices I want to go through my VPN with prio 15.
I hope you used the link on my blog article about TorGuard when you purchased your subscription and used the 50% discount code I provide. The small amount I get helps support the development of x3mRouting. :)
 
Do I actually need the ipset backup dir if I am passing the domains to the script?

For the policy routing, would all traffic to VPN be the best option on a media streamer like the Nvidia Shield?
 
The selective routing scripts will default to /opt/tmp as the save/restore location unless you specify another location.

Don't provide the backup directory where you store the IPSET lists when using getdomainnames. It expects that you are creating the output file in the log directory /opt/var/log.

Any device will work. I found that some devices, like an iPad, may use domains that differ from what you will collect with a streaming media device like FireTV or Nvidia Shield. You may not be able to spoof your location on Nvidia Shield for some streaming services though. See my blog post for more info.
 
As i use windscribe the android app does location spoofing maybe that is the best device to capture domains as i can pretty much get all the main streaming services on android.....i can just pass all the phones device traffic through the vpn on router or other option use the android client on phone, static device ip and run the getdomains.sh hopefully that will work
 
From what I've seen, only the streaming services that offer live TV, like CBS All Access, are the ones that want to know the location so they know what local channels to display.
 
Think I'm ready and at the point to capture domains, have passed all traffic from device to vpn client setup on router, location shows as vpn location no leak etc and can access router landing page normally if I need to troubleshoot or check status etc

so i will run getdomains.sh and test capture....
 
It has only been a few ppl that have needed to route their ISP services to the WAN. For the question, you can test by entering your computer in the Policy Routing table to have it routed to the VPN. Then, go to a site like whatismyipaddress.com and check that the IP is the VPN server.

I get the IP of the VPN, but I like to understand stuff, and I don't understand WHY I don't get the ISP IP when the command basically says, route everything going to ISP through WAN, which should be everything?

Or does the ISP IP show because only traffic that has destination "ISP gateway / ISP ASN" goes through WAN, and that should only be NETFLIX/AMAZON traffic or whatever, because of caching?
Sorry, understanding what I'm doing is good :)

I wanna underline again, x3mrouting = amazing

Thanks
 
I think only two to three ppl have had to define a rule to route ISP to the WAN. Most ppl just put the router IP address in the Policy Routing GUI so services on the router, like NTP, can still work and get data even if the OpenVPN client goes down and one has the "Block traffic if the tunnel goes down" button checked that is shown when Policy Rules is enabled.

The ISP is the backbone to the WWW and will direct traffic where you want it. It is not necessarily the endpoint.

One person had Xfinity Internet Service Provider and there was a feature that did work with the Xfinity unless they routed the ISP ASN to the WAN. This makes sense since Xfinity is the ISP and is expecting you to be coming from the IP address they assign you.

The other reason that was provided for routing ISP ASN to the WAN is that many streaming services use a Content Delivery Service or CDN. They cache content locally to reduce buffering and provide faster response times. For reasons unknown, the person had issues with a streaming service unless they routed the ISP to the WAN. There are many variables involved such as VPN Provider, DNS Settings on the WAN and OpenVPN Client Page, Policy Rules or RPDB priorities that come into play. This is an outlier use case that only a few ppl have reported as being necessary.

See the Policy Rule Routing post for a basic overview of selective routing and use case examples.
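
Why routing an ISP ASN to the WAN does not send everything over the WAN, as an added example (not from any poster in this thread): the mangle rules quoted earlier match on the destination address, so only packets whose destination is a member of an IPSET list receive mark 0x8000. The set members, test addresses and function names are constructed, and the example assumes that unmarked traffic from the device is policy-routed to the VPN client.

```shell
#!/bin/sh
# Added example; set members are constructed documentation ranges.

# ipset_members: stand-in for the contents of two WAN-bypass IPSET lists.
ipset_members() {
  cat <<'EOF'
# set-name        member
NETFLIX           198.51.100.0/24
NETFLIX-ISPNAME   203.0.113.0/25
EOF
}

# mark_for DEST: print "0x8000 <set>" when DEST is a member of a listed set
# (the "match-set <set> dst MARK or 0x8000" rules), otherwise "none".
mark_for() {
  ipset_members | awk -v dst="$1" '
    function ip2int(a,   o) {
      split(a, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Two addresses share a prefix when dividing both by the block size
    # (2^host-bits) gives the same integer.
    function in_cidr(ip, cidr,   p, size) {
      split(cidr, p, "/")
      size = 2 ^ (32 - (p[2] == "" ? 32 : p[2]))
      return int(ip2int(ip) / size) == int(ip2int(p[1]) / size)
    }
    $1 ~ /^#/ || NF != 2 { next }
    in_cidr(dst, $2) { print "0x8000 " $1; hit = 1; exit }
    END { if (!hit) print "none" }
  '
}

# egress_for DEST: marked packets use the WAN; unmarked packets follow the
# Policy Routing entry of the device, assumed here to point at the VPN client.
egress_for() {
  case "$(mark_for "$1")" in
    0x8000*) echo WAN ;;
    *)       echo VPN ;;
  esac
}

# 198.51.100.42  streaming address inside the NETFLIX set
# 203.0.113.10   cache hosted inside the ISP range that was added as a set
# 203.0.113.200  same ISP /24 but outside the /25 that is in the set
# 192.0.2.80     unrelated site, for example an IP-check page
for d in 198.51.100.42 203.0.113.10 203.0.113.200 192.0.2.80; do
  printf '%-15s mark=%-24s egress=%s\n' "$d" "$(mark_for "$d")" "$(egress_for "$d")"
done
```

An IP-check site is not hosted inside the ISP's address space, so its packets are never marked and still leave through the VPN, even though every packet physically crosses the ISP's network.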
 
