Skynet Best practice for unblocking limitless hosts on a domain

Viktor Jaep

Very Senior Member
Hi everyone... I had an issue with Skynet blocking one of my NordVPN servers this morning. I went ahead and just whitelisted the IP/24 range, but would normally just unblock a single IP as I always do when I come across a rogue IP that we need to be able to access. My question is, when it comes to NordVPN... they have a *slew* of servers... all in the form of us####.nordvpn.com (for the United States). I'm talking hundreds, perhaps thousands of servers... with IPs that constantly shift and change with their hostnames on a daily basis.

What is the best practice in this case, to ensure I can always access *.nordvpn.com VPN servers? Whitelisting the domain "nordvpn.com" just seems to add a single IP to the whitelist. Is there a good way to configure skynet to ensure it's able to whitelist all us####.nordvpn.com servers without manually needing to provide a slew of ranges for whitelisting purposes?

Thank you in advance!
 

Viktor Jaep

Very Senior Member
Anyone? Or do I just deal with having to keep manually adding IP ranges as they come up? Wish there was a way to whitelist something like "us*.nordvpn.com" or something of the sort?
 

faria

Senior Member

Code:
[email protected]:/tmp/home/root# nslookup nordvpn.com
Server:    127.0.0.1
Address 1: 127.0.0.1

Name:      nordvpn.com
Address 1: 104.17.49.74
Address 2: 104.17.50.74
[email protected]:/tmp/home/root# whob 104.17.49.74
IP: 104.17.49.74
Origin-AS: 13335
Prefix: 104.17.48.0/20
AS-Path: 293 2914 13335
AS-Org-Name: Cloudflare, Inc.
Org-Name: Cloudflare, Inc.
Net-Name: CLOUDFLARENET
Cache-Date: 1641274267
Latitude: 37.775700
Longitude: -122.395200
City: San Francisco
Region: California
Country: United States of America
Country-Code: US
Route-Originated-Date: Dec 20 2021 12:25:41
Route-Originated-TS: 1640003141
[email protected]:/tmp/home/root# whob 104.17.50.74
IP: 104.17.50.74
Origin-AS: 13335
Prefix: 104.17.48.0/20
AS-Path: 293 2914 13335
AS-Org-Name: Cloudflare, Inc.
Org-Name: Cloudflare, Inc.
Net-Name: CLOUDFLARENET
Cache-Date: 1641274267
Latitude: 37.775700
Longitude: -122.395200
City: San Francisco
Region: California
Country: United States of America
Country-Code: US
Route-Originated-Date: Dec 20 2021 12:25:41
Route-Originated-TS: 1640003141
[email protected]:/tmp/home/root#

some examples:
firewall unban domain nordvpn.com
firewall whitelist domain nordvpn.com
or
firewall whitelist asn 13335 # This whitelists the specified ASN
or
firewall whitelist range 104.17.48.0/20 # This whitelists the CIDR range

then:
firewall whitelist vpn # Refresh VPN whitelist
and finally:
firewall whitelist refresh # Regenerate shared whitelist files
 

Viktor Jaep

Very Senior Member
Thanks @faria ... however, this is the point I was making. I can whitelist nordvpn.com all day long, and it just whitelists 104.17.48.0/20... however, this doesn't address figuring out a way to whitelist all "us####.nordvpn.com" hosts sitting out there that are scattered across the country/world... for instance,

Name: us6126.nordvpn.com (location Miami)
Address: 185.245.86.243

Name: us8030.nordvpn.com (location Atlanta)
Address: 92.119.17.9

Etc...

See the dilemma?
 

faria

Senior Member
I see, I misunderstood. I thought that just using the top domain (nordvpn.com) would do.
Then what you need is a script that combs the dnsmasq.log and extracts the domains periodically and then adds them to /jffs/addons/shared-whitelists/nordvpn.whitelist; you need to create the (nordvpn.whitelist) file.


I use a feature of x3mRouting to extract domains that I need, netflix as an example:
Code:
/jffs/scripts/x3mRouting/autoscan.sh scan=netflix

IPSET Format
-------------------------------------
netflix.com
netflix.net

FQDN Format
-------------------------------------
android-appboot.netflix.com
android.prod.cloud.netflix.com
android.prod.dradis.netflix.com
android.prod.ftl.netflix.com
api-global.netflix.com
appboot.netflix.com
ichnaea.netflix.com
nrdp.nccp.netflix.com
nrdp.prod.cloud.netflix.com
nrdp.prod.ftl.netflix.com
nrdp52-appboot.netflix.com
preapp.prod.partner.netflix.net
push.prod.netflix.com
secure.netflix.com
uiboot.netflix.com
www.netflix.com
 

Viktor Jaep

Very Senior Member
My VPN endpoints literally change every single day. Could be us3949.nordvpn.com one day, the next, us9931.nordvpn.com... and I would figure their IPs could be changing/rotating as well. I guess I could create a list with 10,000 entries, ranging from us0000.nordvpn.com to us9999.nordvpn.com... but what a PITA.
 

faria

Senior Member
I'm sure there is a way of doing it automatically; I just don't have the skills to help you, I'm afraid.
Let's wait and see if someone chimes in.
 

dave14305

Part of the Furniture
It may not work 100% reliably, but consider using dnsmasq to update the Skynet-Whitelist ipset.

Add to /jffs/configs/dnsmasq.conf.add:
Code:
ipset=/nordvpn.com/Skynet-Whitelist
Then restart dnsmasq with service restart_dnsmasq

But for it to work from the router's VPN client, the router must use its own dnsmasq (enable "Wan: Use local caching DNS server as system resolver" on Tools - Other Settings).
 

Viktor Jaep

Very Senior Member
Thanks for this interesting approach, @dave14305! I'll give it a shot. I'm not too worried about the vpn clients needing to get to this... it's mainly the router itself through the WAN connection that would be doing the initiating and resolving.
 

dave14305

Part of the Furniture
If the DNS lookup is done by the router, it won’t use dnsmasq, and therefore the whitelist won’t be updated. That’s why Tools / Other Settings page “Wan: Use local caching DNS server as system resolver” would need to be enabled.

Is this a VPN on the router, or on a LAN machine?
 

Viktor Jaep

Very Senior Member
This is running on the router.
 

Viktor Jaep

Very Senior Member
So a quick question about impact of doing this. Currently, I have my router set to use Quad9 for DNS resolution, and have configured DoT. Would enabling something like this bypass these capabilities?
 

ColDen

Regular Contributor
I'm relieved to see that Adamm is still reading posts about Skynet.
 

dave14305

Part of the Furniture
No, but if you were to experience any side effects, it would after a reboot. I think it’s OK though.
 

Viktor Jaep

Very Senior Member
Thanks @dave14305 ... I've made the change and will see if I see any improvement. Thanks for the great tip on how to do this... will need to document. ;)
 

Spud

Occasional Visitor
Dave, many thanks for putting this together. Is there an easy way to see which entries are being whitelisted via this method?
 

dave14305

Part of the Furniture
The least ambiguous method is to check dnsmasq.log if you run Diversion with logging.
Bash:
grep Skynet-Whitelist /opt/var/log/dnsmasq.log*
Otherwise, you could look at entries in the whitelist without comments.
Code:
ipset list Skynet-Whitelist | grep -v comment
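Faria's "comb the dnsmasq log" idea and the log check above, combined in one added example that is not code from the thread, from Skynet or from dnsmasq: a small POSIX sh script that extracts every nordvpn.com hostname dnsmasq resolved (or pushed into Skynet-Whitelist through the ipset= line) and merges the IPs into the shared-whitelist file. The path /jffs/addons/shared-whitelists/nordvpn.whitelist is taken from faria's post, the assumption that Skynet ingests a plain list of IPs there is mine, and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread, Skynet or dnsmasq): comb a dnsmasq
# log for NordVPN hostnames the router resolved and write their IPs to a
# Skynet shared-whitelist file. The file path and the assumption that Skynet
# will ingest a plain list of IPs there are assumptions, not confirmed here.
WHITELIST="${WHITELIST:-/jffs/addons/shared-whitelists/nordvpn.whitelist}"

# Constructed sample log (not real traffic) so the functions can be tried offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  5 08:12:01 dnsmasq[1234]: query[A] us6126.nordvpn.com from 192.168.1.10
Jan  5 08:12:01 dnsmasq[1234]: reply us6126.nordvpn.com is 185.245.86.243
Jan  5 08:12:01 dnsmasq[1234]: ipset add Skynet-Whitelist 185.245.86.243 us6126.nordvpn.com
Jan  5 08:12:02 dnsmasq[1234]: reply nordvpn.com is 104.17.49.74
Jan  5 09:30:14 dnsmasq[1234]: reply us8030.nordvpn.com is 92.119.17.9
Jan  5 09:30:14 dnsmasq[1234]: reply us8030.nordvpn.com is NODATA-IPv6
Jan  5 09:31:00 dnsmasq[1234]: reply www.netflix.com is 198.51.100.7
EOF
}

# Print unique "hostname ip" pairs for nordvpn.com and its subdomains.
# Matches both the "reply HOST is IP" lines that log-queries produces and the
# "ipset add Skynet-Whitelist IP HOST" lines dnsmasq writes for the ipset= directive.
nordvpn_pairs() {
    awk '
        / reply ([^ ]*\.)?nordvpn\.com is [0-9.]+$/ { print $(NF-2), $NF }
        / ipset add Skynet-Whitelist [0-9.]+ ([^ ]*\.)?nordvpn\.com$/ { print $NF, $(NF-1) }
    ' "$1" | sort -u
}

# Merge the IPs into the whitelist file (one per line, deduplicated, existing
# entries kept) and print the resulting line count.
update_whitelist() {
    log="$1"; out="$2"
    { [ -f "$out" ] && cat "$out"; nordvpn_pairs "$log" | awk '{ print $2 }'; } \
        | sort -u > "$out.tmp" && mv "$out.tmp" "$out"
    wc -l < "$out" | tr -d ' '
}

# Run by hand or from cru: sh nordvpn-whitelist.sh run /opt/var/log/dnsmasq.log
# then "firewall whitelist refresh" so Skynet regenerates the shared whitelists.
if [ "$1" = "run" ]; then
    update_whitelist "${2:-/opt/var/log/dnsmasq.log}" "$WHITELIST"
fi
```

Because it only sees what dnsmasq logged, it has the same blind spot dave14305 described: lookups the router does without going through dnsmasq never appear.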
 

Viktor Jaep

Very Senior Member
Code:
ipset list Skynet-Whitelist | grep -v comment
Running this, I only see 4 entries listed... and 2 of them were from whitelisting nordvpn.com... Does not seem like it's accumulating any ranges of VPN servers?
 

dave14305

Part of the Furniture
It depends on how often the machine running the vpn client makes a dns query for the nordvpn hostname to dnsmasq.
 

Spud

Occasional Visitor

Could it be that only the NordVPN IPs currently in use are being whitelisted?

I'm running two OpenVPN clients and I also see four entries: two Amazon AWS cloud servers and two Cloudflare content delivery servers.

Digging around, all appear under "Networks and IPs" on this Netify page, attributed to NordVPN - https://www.netify.ai/resources/applications/nordvpn. These aren't the IPs that appear in my OpenVPN clients (maybe to do with NordVPN's IP sharing?).

@dave14305, thanks for the tips earlier, and I suspect your method is working.
 
