
x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


Keep in mind that using the "amazonaws.com" domain will force Amazon Prime streaming to get routed through the tunnel. The "dvd.netflix.com" isn't required as the "netflix.com" entry will capture the IPv4 address for that domain.

Use the command below to see if packets are traversing the iptables chain.
Code:
iptables -nvL PREROUTING -t mangle --line
It's almost working now. iOS, Android, web, Kodi and newer webOS. On my older LG it has no effect and if I send my Kodi device through VPN 2 everything goes there
 
Everything is fine after setting NETFLIX and GLOBO using the ASN method. I am getting smoother streaming quality from Netflix and now I am able to access GLOBO (Brazilian TV) even with a USA-located VPN server (wasn't able to before using your script). Also I'm not having DNS leaks, which I thought would be the case since I am sending this specific traffic through WAN. Is that normal behavior?
 
The routing scripts don't touch the DNS rules. That is controlled by the Accept DNS Configuration setting in the OpenVPN Client. Make sure the client you are testing the DNS leak from is using the same rules as NETFLIX and GLOBO. If you have Accept DNS Configuration set to Exclusive, you need the DummyVPN entry.
 
Feature suggestion for the new version (or the next one :) ):
A place where we can have a user-friendly list of what's activated right now.
For example:
"1 - Routing ASNXXXX (Netflix) from VPN Client 4 to WAN;
2 - Routing VPN Server 1 traffic to VPN Client 2;
etc..."
And from there, the possibility to choose the corresponding option to delete. If, for example, we choose option 2, it will delete the file that routes VPN server traffic to VPN client 2.
 
I just installed the NG repository. Let's give it a try!
Fresh install, no old scripts.
At first glance, when selecting option 3 it doesn't install x3mRouting.sh. I have to press option u, even if I'm not updating from an old version.
Edit: another thing. I created the Netflix ASN rule. However, when I start the VPN client, the rule tries to be created and it hangs forever (and I lost internet connection). It only completes when I manually stop the VPN client.
Log
Code:
Apr 19 12:32:19 custom_script: Running /jffs/scripts/openvpn-event (args: tun14 1500 1553 10.7.128.14 255.255.255.0 init)
Apr 19 12:32:19 openvpn-event[32713]: Script not defined for event: vpnclient4-up
Apr 19 12:32:24 openvpn-routing: Configuring policy rules for client 4
Apr 19 12:32:24 custom_script: Running /jffs/scripts/openvpn-event (args: tun14 1500 1553 10.7.128.14 )
Apr 19 12:32:24 openvpn-event[521]: Running /jffs/scripts/x3mRouting/vpnclient4-route-up tun14 1500 1553 10.7.128.14
Apr 19 12:32:24 (x3mRouting.sh): 530 Starting Script Execution
#then I manually stop vpn client
Apr 19 12:33:01 rc_service: httpd 29294:notify_rc stop_vpnclient4
Apr 19 12:33:01 custom_script: Running /jffs/scripts/service-event (args: stop vpnclient4)
Apr 19 12:33:28 (x3mRouting.sh): 530 Selective Routing Rule via WAN deleted for NETFLIX TAG fwmark 0x8000/0x8000
Apr 19 12:33:28 (x3mRouting.sh): 530 Selective Routing Rule via WAN created for NETFLIX TAG fwmark 0x8000/0x8000
Apr 19 12:33:28 (x3mRouting.sh): 530 Completed Script Execution
 
I experienced that earlier today but think I resolved it. But I will double check to make sure. The x3mRouting.sh script has been final for a few weeks now. But today, I made a lot of updates to accommodate the request you made to not hard code the VPN Server IP and moved the rules from the vpnserverX-up to the vpnclientX-route-up script. I also wrote a conversion function for those who have VPN Server to VPN Client and VPN Server to IPSET list rules in the vpnclientX-up script. The README updates have been grueling.

That branch is not ready for use yet and I just removed it! I'll put a **DO NOT USE** disclaimer on it next time I post it for testing. I am still putting the final touches on it and still need to do final testing. I had to post it so I can test the update and conversion process. But my weekend is nearly over and I ran out of time. I will work on it some more during the week.

Once I feel it's ready, I will solicit testers before I merge it to the master branch and create a private chat group for the testers and I to discuss issues. I want to keep this thread focused on the current version until the new one is released. Thanks for understanding.
 
After all, I rebooted the router after installing the script and it started working perfectly! The problem, I think, was that I was loading a bunch of ASNs and it was very slow :)
I just found a bug in the Amazon lists, making them unusable. You are calling "ipranges.json" somewhere and you should call "ip-ranges.json"

/jffs/scripts/x3mRouting/x3mRouting.sh: line 1271: can't open /opt/tmp/ipranges.json: no such file

You can put the repo online with the disclaimer, I'm testing it the best I can :)
 
Thanks!! I thought I had fixed all of those references earlier.

I confirmed that x3mRouting.sh is not hanging like it was earlier in the day. I rebooted and restarted manually a few times and so far so good. So you must have downloaded the version that had the issue.
 
Well, I was using amtm and forgot and pressed update, and now I've lost the script, as the branch is down :) So I have to wait to further investigate a problem I'm having:
When using ASN for Netflix and Amazon_EU, Netflix stops working. I can only play some videos (and I think I can only play the videos which are using the Netflix ASN. Those which are using the AMAZON ASN aren't loading). Oh, I manually made the ip-ranges.json change in the script, so the IPs were parsed correctly.
And I tried with all Amazon locations (including globe), no success.
 
I was using method 3 but will try method 2 with the DummyVPN entry. I think that my VPN provider (PIA) does not allow me to use another DNS because I've tried every other "Accept DNS Configuration" and the result is always my VPN DNS (checked this extensively).
 
I'll PM you a link to the one that is working for me when I get home from work. I should have put a disclaimer on the branch but I was hoping no one would notice.

There is good and bad to combining all of the functions in one script. By doing so, I am able to eliminate the same code functions being in multiple scripts. But when I make a change to a feature, I have to go back and test all of the other features to make sure they didn't break. The last two weekends have been spent writing the conversion code to convert the current version of x3mRouting script entries in nat-start and vpnclientX-route-up scripts to the new version. For the VPN server routing, I am converting the entries and migrating from the vpnserverX-up scripts to the appropriate vpnclientX-route-up script.

I am going to do another round of testing on the x3mRouting.sh functions. Then do a final round of testing on the update and conversion process. When done, I will be ready to open it up. I hope I can complete next weekend.
 
NordVPN and Express VPN require the use of their DNS to get around vpn blocks by some streaming services. That may be your situation.
 
Amazing job!
However, if you allow me, I think it'd be better to invest your efforts in cleaning, debugging and optimizing the v2 code instead of making the conversion code.
I know for users it's so much work to configure everything manually again (and I know some things give us many headaches to set up), but I think it's always better to do a clean setup rather than converting things that will possibly cause more headaches than configuring from scratch. Just my 2 cents and personal opinion.
Although I appreciate VERY MUCH your altruistic efforts to create the conversion script, in my particular case, as a user I prefer to configure everything from scratch, just to make sure everything is OK!

(I don't know if you noticed, but a couple of posts above I mentioned that option 3 does not install the x3mRouting.sh file, which I think is a bug).

Thanks once again, have a good work time, and thanks in advance for the link.
 
Others requested that the update handle the conversion, which is why I went down the rabbit hole, which added nearly 1000 lines of code and several weekends of effort to the project. Whereas doing it manually would just take someone 3 to 5 minutes. But automating the conversion as much as possible is something we script writers must do if possible, even if it means a few weeks of additional effort.
 
Many thanks for that. Praying on you :) That's the kind of people that the world needs!
 
@Xentrk if you need testers, add me to that group, happy to help :)
 
Thank you! Those who have shown a keen interest in the new version and "liking" the posts lately will be the first ones I reach out to.
 
Good! Let me just like all of them :p

There's a problem that I can't debug, and it's not because of your script, but maybe something is interfering.
When routing the traffic between VPN server and VPN client, all works well! However, after some time (can't say how much. It can be 5 minutes or 24h), it's like the rules are deleted and when accessing via the VPN server I can only access the LAN. To make it work I have to force a VPN client restart (maybe to make the rules get applied again).
It may be something, don't know what, that is deleting the rules, or something even weirder that I cannot imagine.

My question/suggestion is: in this particular case, routing VPN server to VPN client, is it possible to create a script that runs on cron every 10-20 minutes or so, to check if the rules are there, or at least if the server->client route is working, and if not, apply the rules again?

It's weird and I tried everything to understand what's happening and I can't figure it out.

What's the command to check if the rules are there? Because maybe they are, but the route stops working? Or maybe they are gone and I don't know how to check.

Thanks!
 
No problem, I won't need to do conversions as it will be from a fresh install, as I held back from using it prior, knowing you would be updating the code.

Maybe Discord invites for testers might be the way to go to keep this thread clean until it gets properly released.

My Discord name is MenacingGrimmace
 
IT'S FRESHJR_QOS FAULT!!!

If I apply or restart freshjr qos when the iptables rules for vpn server -> client are on, for some reason they're deleted/bypassed/something.

Can you look at this? Any way to prevent x3mRouting rules being deleted? From what I've seen it's out of my comprehension range :):(

Or... I have an idea... A script that runs WHEN someone connects to the VPN server that checks if the rules are applied, or simply re-applies them!
I don't know however if vpn server has a when-user-connects event.
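
An added example, not part of the thread and not x3mRouting's own code: a check that can run on a schedule and reports whether a selective-routing rule has gone missing, shown here for the fwmark 0x8000/0x8000 rule from the log lines earlier in the thread. The rule layout in the sample text, the `rule-watchdog` log tag and the `REAPPLY_CMD` hook are assumptions made for illustration; the samples are constructed.

```shell
#!/bin/sh
# Added example (not part of x3mRouting): detect a missing fwmark routing rule.
# MARK is the value in the log lines above; the sample rule text is constructed.
MARK="${MARK:-0x8000/0x8000}"

# Succeeds if `iptables -t mangle -S PREROUTING` output on stdin has a MARK
# target that sets $1. iptables prints --set-mark rules back as --set-xmark.
has_mark_rule() {
    grep -Eq -e "-j MARK --set-x?mark $1( |\$)"
}

# Succeeds if `ip rule` output on stdin has a policy rule matching fwmark $1.
has_ip_rule() {
    grep -Eq -e "fwmark $1 lookup "
}

# check_state <mangle_text> <ip_rule_text> <mark>
# Prints ok | missing-iptables | missing-iprule | missing-both.
check_state() {
    ipt=0; ipr=0
    printf '%s\n' "$1" | has_mark_rule "$3" || ipt=1
    printf '%s\n' "$2" | has_ip_rule "$3" || ipr=1
    case "$ipt$ipr" in
        00) echo ok ;;
        10) echo missing-iptables ;;
        01) echo missing-iprule ;;
        *)  echo missing-both ;;
    esac
}

# Constructed samples of what a healthy router might print.
SAMPLE_MANGLE='-P PREROUTING ACCEPT
-A PREROUTING -i br0 -m set --match-set NETFLIX dst -j MARK --set-xmark 0x8000/0x8000'
SAMPLE_RULES='0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
32766: from all lookup main'

# Live mode, e.g. from cron: compare the running state and log any gap.
# REAPPLY_CMD is a hypothetical hook; set it to whatever re-creates the rules.
if [ "${1:-}" = "--live" ]; then
    state=$(check_state "$(iptables -t mangle -S PREROUTING)" "$(ip rule)" "$MARK")
    if [ "$state" != ok ]; then
        logger -t rule-watchdog "fwmark $MARK state: $state"
        [ -n "${REAPPLY_CMD:-}" ] && sh -c "$REAPPLY_CMD"
        exit 1
    fi
fi
```

Run with `--live` on the router; without arguments the script only defines the functions and samples.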
 
