Bypassing Merlin router-based VPN for specific software

be4con

New Around Here
I have an ASUS RT-AC68U running Merlin, and PIA VPN.

I want to run the traffic for my LG WebOS TV through the VPN and there is no way to install a VPN client on the TV locally (which would be the easiest way to switch the tunnel on/off) so my only viable solution is to run it through the router tunnel. However, that will block my access to Netflix, Prime and iPlayer. Is there a way to specify that traffic from that software does not use the tunnel? Someone has suggested I can amend the config file by adding 'block-outside-dns' but I wasn't sure where to add that, or even if that was the correct solution.

Can anyone advise, please? Can anyone also advise whether I can run 2 tunnels simultaneously with 1 routed through UK and the 2nd through Denmark with PIA?

Thanks in advance.
 
Is there a way to specify that traffic from that software does not use the tunnel?

No. The router has no way of knowing what application generated what traffic.
 
Thanks Merlin. Someone has suggested the following can be used: https://github.com/Xentrk/x3mRouting

I've yet to explore it properly but they have indicated that they use the routing script to split their traffic with their streaming services sitting outside the tunnel and their tunnelled traffic being split across 2 different VPNs (one UK based the other based in Denmark)
 
No. The router has no way of knowing what application generated what traffic.
Can the IPs that go out through the VPN be filtered?
With my Asus AC86U it is possible, but with the AX88U it does not activate the VPN when configuring the IP rules.
Maybe I can do it with an older version of Merlin?
 
Please use English while posting on the forums. Thank you.
 
Sorry, I posted it with the page translator.

Can Ips that go out through VPN be filtered?
With my asus ac86u it was possible, but with ax88u it does not activate vpn when configuring the ip rules.
When applying rules sometimes it crashes.
If I activate all the traffic through vpn it does not give problems. But I need vpn only for some ip.
Can it be done through some script?
Maybe with an older version of Merlin I can do it?
I currently have the latest 386.1.2

Thanks
Greetings
 
You need to be more specific. Which IPs? Source, destination, both?

At least using Merlin, all should be possible w/ PBR (policy based routing). Not sure why you're having problems if you have the latest Merlin. But even w/ Merlin or stock firmware, as long as there's a custom config field, you should minimally be able to control *destination* IPs using static routes (aka, OpenVPN route directives) and bind those to either the WAN or VPN, your choice.

Code:
route 199.199.199.199 255.255.255.255 net_gateway
route www.google.com 255.255.255.255 vpn_gateway

Note, net_gateway and vpn_gateway are reserved words, and will be replaced w/ the correct values at runtime by OpenVPN. Also, the only issue w/ route directives is when used at the same time as the router's PBR and configured as Strict: it will strip out any static routes bound to the WAN (net_gateway).

Btw, the original poster's concern was for the router to make routing decisions based on the particular application used by the client, which is NOT possible. That information is lost by the time the router is reached. So I'm not even sure your questions belong in this thread, but perhaps a new thread.
 
Sorry, maybe I strayed from the initial topic.
I am new to this type of forum.
I will try to create a thread with my problem.
My problem is related to applying the strict rules so that vpn only acts on 3 computers, the rest of the computers I want them to go abroad without using vpn.
But I will create a thread and restate my doubts.
Thanks for answering.
 
I have NordVPN(OpenVPN Client) setup on my AX68U. One of the app(hotstar) is very tricky to get past VPN, can I use custom config to route traffic from this app to bypass VPN?
 
Neither PBR nor static routing works at the app level. IOW, it can't uniquely identify traffic coming from a specific app. It's all based on source and/or destination IP. To the extent YOU can draw a correlation between that app and those elements, you can control its behavior. Sometimes that's easy, sometimes difficult, sometimes impossible. Just depends on the app and what it does. In some cases, you may need to use a different form of PBR based on other criteria (e.g., ports), so you can uniquely identify the traffic from that app. You often see that done w/ Plex.
 
You can certainly route the public IP(s) associated w/ that domain name through the WAN using static routes. And the easiest way to do that is to define them using the route directive in the custom config field of the OpenVPN client.

Code:
route www.hotstar.com 255.255.255.255 net_gateway

Just remember, if you're using PBR, you can NOT use the strict version, or these will get stripped out at runtime.

Whether that's going to be sufficient for the needs of your *app*, I have no idea. IOW, it's one thing to reroute access to the hotstar website to the WAN. But that doesn't necessarily mean their app is going to use that same server. In fact, it's highly unlikely. For example, I can route all requests to speedtest.net to the WAN using the above technique, but when the actual speed test is conducted, it's using servers w/ different IP addresses, so the speed test is over the VPN!
 
I don't use PBR.

I just tried route www.hotstar.com 255.255.255.255 net_gateway in the custom config field and that didn't work even from a browser when accessing www.hotstar.com. I must be doing something wrong.

 
Dump the routing table to make sure the www.hotstar.com public IPs got added.

Code:
ip route

FWIW, when I did a lookup for that domain name, I got the following list of public IPs.

Code:
owner@msig3258:~$ host www.hotstar.com
www.hotstar.com is an alias for www.hotstar.com-sni.edgekey.net.
www.hotstar.com-sni.edgekey.net is an alias for e35862.dscj.akamaiedge.net.
e35862.dscj.akamaiedge.net has address 23.53.34.50
e35862.dscj.akamaiedge.net has address 23.53.34.24
e35862.dscj.akamaiedge.net has address 23.53.34.11
e35862.dscj.akamaiedge.net has address 23.53.34.10
e35862.dscj.akamaiedge.net has address 23.53.34.26
e35862.dscj.akamaiedge.net has address 23.53.34.9
e35862.dscj.akamaiedge.net has address 23.53.34.32
e35862.dscj.akamaiedge.net has address 23.53.34.49
e35862.dscj.akamaiedge.net has address 23.53.34.56
 
I get different IP every time I ping that site. This site is owned by Disney, I have a paid subscription to this service. It doesn't even let me login as soon as it "detects" VPN somehow.

 
Looks right, although you're getting a different set of IPs. Probably because we're resolving the domain name from different VPN providers and servers. And that can be a problem. What the router resolves over the VPN might not be what the client resolves. For example, some browsers now call their own DNS servers using DoT/DoH, resulting in different IPs.
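The check suggested above (resolve the domain, then dump `ip route` and confirm each address has a /32 host route bound to the WAN rather than falling into the tunnel's default) can be automated. The following is an added example, not code from the thread or from the Asuswrt-Merlin project. It parses the text formats of `host` and `ip route` exactly as they appear in the posts above, from constructed sample strings so it runs offline. The interface names (eth0 as WAN, tun11 as the OpenVPN client), the 192.0.2.1 WAN gateway and the 10.8.0.x tunnel subnet are assumptions; the 0.0.0.0/1 and 128.0.0.0/1 entries are what an OpenVPN `redirect-gateway def1` setup normally installs. Because the router and the client may resolve different addresses (the DoT/DoH point made above), the useful thing is to feed it the addresses the client actually resolved, not only the router's lookup.

```python
import ipaddress
import re

# Constructed sample `host` output; the addresses are three of those the thread's lookup returned.
SAMPLE_HOST_OUTPUT = """\
www.hotstar.com is an alias for www.hotstar.com-sni.edgekey.net.
www.hotstar.com-sni.edgekey.net is an alias for e35862.dscj.akamaiedge.net.
e35862.dscj.akamaiedge.net has address 23.53.34.50
e35862.dscj.akamaiedge.net has address 23.53.34.24
e35862.dscj.akamaiedge.net has address 23.53.34.11
"""

# Constructed sample `ip route` output (assumed names: eth0 = WAN, tun11 = OpenVPN client,
# 192.0.2.1 = WAN gateway, 10.8.0.0/24 = tunnel subnet). Only two of the three resolved
# addresses have a host route pinned to the WAN; the third still falls into the tunnel's
# 0.0.0.0/1 half-default, which is exactly the mistake this check is meant to catch.
SAMPLE_IP_ROUTE_OUTPUT = """\
0.0.0.0/1 via 10.8.0.1 dev tun11
default via 192.0.2.1 dev eth0
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.6
23.53.34.50 via 192.0.2.1 dev eth0
23.53.34.24 via 192.0.2.1 dev eth0
128.0.0.0/1 via 10.8.0.1 dev tun11
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
"""


def parse_host_addresses(text):
    """Return the A records from `host` output; alias lines carry no address and are skipped."""
    return re.findall(r"has address (\d+\.\d+\.\d+\.\d+)", text)


def parse_ip_route(text):
    """Parse `ip route` lines into (network, device) pairs.

    'default' becomes 0.0.0.0/0 and a bare address (a host route) becomes a /32.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def egress_interface(routes, ip):
    """Longest-prefix match: the interface the kernel would pick for this destination."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def check_egress(host_text, route_text):
    """Map each resolved address to the interface its traffic currently leaves through."""
    routes = parse_ip_route(route_text)
    return {ip: egress_interface(routes, ip) for ip in parse_host_addresses(host_text)}


def missing_route_directives(host_text, route_text, wan_dev="eth0"):
    """OpenVPN custom-config `route` lines for the addresses that still leave via the tunnel."""
    return [f"route {ip} 255.255.255.255 net_gateway"
            for ip, dev in check_egress(host_text, route_text).items() if dev != wan_dev]


if __name__ == "__main__":
    for ip, dev in check_egress(SAMPLE_HOST_OUTPUT, SAMPLE_IP_ROUTE_OUTPUT).items():
        print(f"{ip:<16} -> {dev}")
    print("\n".join(missing_route_directives(SAMPLE_HOST_OUTPUT, SAMPLE_IP_ROUTE_OUTPUT)))
```

On a real router you would pipe the live output of `host www.hotstar.com` and `ip route` into the two parsers instead of the constructed strings. The generated `route` lines are per-address, so they suffer from the same limitation the thread describes: a CDN that hands out a different address on the next lookup needs the list refreshed, and they say nothing about what the TV app itself connects to.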
 