Domain-based VPN Routing Script


Hey, I just registered to say thanks for your work. It works flawlessly streaming H..M.X :) It was more manual to configure than x3mRouting, but it's working so far...
I'm planning out some future expansions to make this a little easier. I have some notes drafted and am planning to implement them for the next major release.
 
***v2.0.1-beta1 Release***
Enhancements:
- Minor optimizations for performance
- The error log will explicitly state if an IPv6 route already exists when trying to create routes.

Fixes:
- Corrected issue where the update process was terminating its own process during update.
- Corrected issue where IPv6 routes were attempting to be created when the IPv6 Service is enabled but IPv6 isn't available.
- Fixed issue where Dual WAN properties were not being accepted as null in a Single WAN configuration.
- Fixed issue where queried IPv6 addresses don't include the complete prefix and cause an error when creating the route for them.
 
Hi all,

I configured the script in a way that ensures all the domains needed for Amazon Prime Video do not go through the VPN, and it works well. The issue, however, is that it is slowing down the VPN connection. Without creating a policy, my speed via VPN is around 170-180MBps. Once I add the domains, it goes down to 140-150MBps and then drops a further 10-20MBps every day or so. If I remove the policy, the speed goes back up to 170-180MBps. So it seems directly linked. How could I get to the bottom of this? Any idea on how to prevent this?

Thank you!
 
How many domains and rules are you creating?
 
Thank you for your answer. 1 policy with 9 domains (all for Amazon Prime Video). I also tried 1 policy with 14 domains for Disney Plus (not in parallel), with approximately the same result.
 
Which router model do you have?
 
ASUS ZenWiFi AX (XT8) running 388.2_2_0-gnuton1. I have two of those, connected via ethernet backhaul.

I really appreciate you taking the time to help find the issue!
What other scripts are you running? I'm not sure about that build of the firmware. Can you run this command for me as well and tell me what the output is when you have all of the rules / domains in place?
Command:
Code:
ip rule list | wc -l

Run this if you have IPv6 running:
Code:
ip -6 route list | wc -l
 
***V2.0.1-beta2 Release***
Enhancements:
- Minor optimizations for performance
- The error log will explicitly state if an IPv6 route already exists when trying to create routes.
- Added NVRAM Checks and Process Priority configuration options to Configuration Menu.
- Major performance optimization for NVRAM Check function.

Fixes:
- Corrected issue where the update process was terminating its own process during update.
- Corrected issue where IPv6 routes were attempting to be created when the IPv6 Service is enabled but IPv6 isn't available.
- Fixed issue where Dual WAN properties were not being accepted as null in a Single WAN configuration.
- Fixed issue where queried IPv6 addresses don't include the complete prefix and cause an error when creating the route for them.
 
No other scripts; the only reason I installed this firmware was to be able to do this...

The output of the query is 93.
 
Yeah, that's not very much at all. I'm not sure what's causing your bandwidth issue; do you have QoS and/or AIProtection enabled, or any of the other Trend Micro based features?
 
How do I switch to the beta release?
 
Thank you again for taking the time to answer. No, all disabled. Any other settings I could check?
 
Maybe your router isn't liking the rules. I am looking into moving to ipsets where possible to help clean this up in the future.
 
***v2.0.1 Release***
Enhancements:
- Minor optimizations for performance
- The error log will explicitly state if an IPv6 route already exists when trying to create routes.
- Added NVRAM Checks and Process Priority configuration options to Configuration Menu.
- Major performance optimization for NVRAM Check function.

Fixes:
- Corrected issue where the update process was terminating its own process during update.
- Corrected issue where IPv6 routes were attempting to be created when the IPv6 Service is enabled but IPv6 isn't available.
- Fixed issue where Dual WAN properties were not being accepted as null in a Single WAN configuration.
- Fixed issue where queried IPv6 addresses don't include the complete prefix and cause an error when creating the route for them.
 
Just a quick update for everyone: I'm currently working on v2.1.0, which will utilize dnsmasq logging if enabled, ipsets (where possible), fwmark rules, etc. I'm not sure what the fwmark values should be, or should I make them configurable? I see the below are commonly used for OpenVPN and the custom WireGuard Manager, but they can't be the same for both at the same time. Thanks for the help, looking forward to getting this released soon.

VPNC1="0x1000/0x1000"
VPNC2="0x2000/0x2000"
VPNC3="0x4000/0x4000"
VPNC4="0x7000/0x7000"
VPNC5="0x3000/0x3000"
 
***v2.1.0-beta1 Release***
Enhancements:
- DNSMasq log is now utilized if enabled to query for domain records to route. The log path will be captured from the DNSMasq Configuration.
- IPSets, IPTables Rules, and IP Rules using FWMarks have been implemented to reduce the amount of routes / rules that are created for policies.
- Added Check Interval configuration options to Configuration Menu to modify the cron job schedule between 1 - 59 minutes. Default: 15 minutes
- The current interface for a Policy will be displayed when in the Edit Policy configuration menu.
- Added default FWMark and Mask values for OpenVPN and WireGuard clients that can be changed in the configuration menu. Reboot required for changes.
- Log priority values added (Critical, Error, Warning, Notice, Informational, Debug)
- Additional logging messages have been added.

Fixes:
- Fixed issue where adding a domain with the same partial name as an existing in a policy prevented it from being added.

Note: This is a major release and has significant changes in optimization of the functionality of Domain VPN Routing

EDIT: Had to upload a minor revision at 09/29/2023 12:15AM CDT
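The fwmark values quoted above and the ipset / iptables / fwmark design described in the v2.1.0-beta1 notes, worked through as an added example; this is not code from Domain VPN Routing or from any post in this thread. The policy name (prime_video), routing table number (111), rule priority (100) and the log excerpt are assumptions/constructed data, and the router commands are printed rather than executed so they can be reviewed before being run:

```shell
#!/bin/sh
# Added example (not Domain VPN Routing's own code). Shows the v2.1.0 approach:
# take a policy's resolved addresses from the dnsmasq query log, load them into
# an ipset, mark matching packets with the VPN client's fwmark, and send marked
# packets to that client's routing table with an ip rule. Names, table number
# and priority are assumptions; the log text below is constructed.

# Constructed excerpt in dnsmasq's log-queries format. Only "reply" and
# "cached" lines carry addresses; <CNAME>, NODATA and NXDOMAIN answers do not.
DNSMASQ_LOG='Sep 29 00:15:01 dnsmasq[1234]: query[A] api.example.com from 192.168.1.10
Sep 29 00:15:01 dnsmasq[1234]: forwarded api.example.com to 9.9.9.9
Sep 29 00:15:01 dnsmasq[1234]: reply api.example.com is 203.0.113.10
Sep 29 00:15:01 dnsmasq[1234]: reply api.example.com is 2001:db8::10
Sep 29 00:15:02 dnsmasq[1234]: reply cdn.example.com is <CNAME>
Sep 29 00:15:02 dnsmasq[1234]: reply d1.cdn-host.example.net is 198.51.100.7
Sep 29 00:15:02 dnsmasq[1234]: reply cdn.example.com is NODATA-IPv6
Sep 29 00:15:03 dnsmasq[1234]: reply notexample.com is 192.0.2.9
Sep 29 00:15:04 dnsmasq[1234]: cached api.example.com is 203.0.113.10'

# policy_addrs DOMAIN FAMILY: print, deduplicated and one per line, every IPv4
# (FAMILY=4) or IPv6 (FAMILY=6) address the log resolved for DOMAIN or one of
# its subdomains. The match is anchored on a label boundary, so a policy for
# example.com never picks up notexample.com (the partial-name pitfall).
policy_addrs() {
    printf '%s\n' "$DNSMASQ_LOG" | awk -v d="$1" -v fam="$2" '
    {
        for (i = 1; i <= NF - 3; i++)
            if ($i == "reply" || $i == "cached") break
        if (i > NF - 3 || $(i + 2) != "is") next
        name = $(i + 1); addr = $(i + 3)
        if (name != d && !(length(name) > length(d) &&
            substr(name, length(name) - length(d)) == ("." d))) next
        if (fam == 4 && addr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if (fam == 6 && (addr !~ /^[0-9A-Fa-f:]+$/ || index(addr, ":") == 0)) next
        if (!seen[addr]++) print addr
    }'
}

# fwmark_overlaps MARK_A MARK_B MASK_B: exit 0 when a packet whose mark is
# MARK_A also satisfies the rule "fwmark MARK_B/MASK_B", i.e. the two clients'
# rules overlap and only ip rule priority decides which table is used.
fwmark_overlaps() {
    [ $(( $1 & $3 )) -eq $(( $2 & $3 )) ]
}

# policy_commands POLICY DOMAIN FWMARK/MASK TABLE: print the ipset, iptables and
# ip rule commands that steer DOMAIN's resolved addresses into routing table
# TABLE. Printed, not executed, so the output can be checked (or piped to sh).
policy_commands() {
    pol=$1 dom=$2 mark=${3%/*} mask=${3#*/} table=$4
    for fam in 4 6; do
        if [ "$fam" = 4 ]; then set_name="${pol}_v4"; ipt=iptables; family=inet
        else set_name="${pol}_v6"; ipt=ip6tables; family=inet6; fi
        addrs=$(policy_addrs "$dom" "$fam")
        [ -n "$addrs" ] || continue   # nothing resolved for this family: no rules
        echo "ipset create $set_name hash:ip family $family -exist"
        for a in $addrs; do echo "ipset add $set_name $a -exist"; done
        # Mark traffic whose destination is in the set...
        echo "$ipt -t mangle -A PREROUTING -m set --match-set $set_name dst -j MARK --set-xmark $mark/$mask"
        # ...and send marked packets to the client's table. Each client needs
        # its own priority; overlapping marks make the order decisive.
        echo "ip -$fam rule add fwmark $mark/$mask table $table priority 100"
    done
}

policy_commands prime_video example.com 0x1000/0x1000 111
```

Two things the example makes visible. Running fwmark_overlaps against the values quoted above shows that 0x7000/0x7000 and 0x3000/0x3000 have other clients' bits set: a packet marked for VPNC4 also satisfies the VPNC1, VPNC2, VPNC3 and VPNC5 rules, and one marked for VPNC5 satisfies VPNC1 and VPNC2, so the ip rule priorities have to be chosen deliberately if those defaults are kept. Second, dnsmasq logs the addresses behind a CNAME under the canonical name (cdn.example.com above yields only "<CNAME>", and 198.51.100.7 is logged under d1.cdn-host.example.net), so a suffix match on the policy domain misses them unless the CNAME chain is followed or the target domain is added to the policy.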
 
I reuploaded v2.1.0-beta1; there was a small reference incorrectly mapped to ipv6 for the ipv4 ipset restore, which only causes an issue on reboot or when restoring policies / rules. Please reinstall if you have already updated, thank you.
 
***v2.1.0-beta3 Release***
Enhancements:
- DNSMasq log is now utilized if enabled to query for domain records to route. The log path will be captured from the DNSMasq Configuration.
- IPSets, IPTables Rules, and IP Rules using FWMarks have been implemented to reduce the amount of routes / rules that are created for policies.
- Added Check Interval configuration options to Configuration Menu to modify the cron job schedule between 1 - 59 minutes. Default: 15 minutes
- The current interface for a Policy will be displayed when in the Edit Policy configuration menu.
- Added default FWMark and Mask values for OpenVPN and WireGuard clients that can be changed in the configuration menu. Reboot required for changes.
- Log priority values added (Critical, Error, Warning, Notice, Informational, Debug)
- Additional logging messages have been added.
- Added Boot Delay Timer configuration setting to delay execution and allow VPN tunnels to initialize during start up before querying for policies. Default: 0 Seconds

Fixes:
- Fixed issue where adding a domain with the same partial name as an existing in a policy prevented it from being added.
- Fixed an issue that caused the update function to hang when complete, as well as when terminating Domain VPN Routing.
 