Domain-based VPN Routing Script

Ranger802004

Very Senior Member
Hello, I have written a domain-based VPN routing script. This is a beta release and will need testers and feedback! Please try it out and let me know of any issues or suggestions you find, thank you much! All of the instructions are in the readme file!

Readme - https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/readme.txt

Script - https://raw.githubusercontent.com/R...main/domain_vpn_routing/domain_vpn_routing.sh

Install Command:
Code:
/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh && sh /jffs/scripts/domain_vpn_routing.sh install

Release Notes:
v1.3 - 07/24/2022
- Added Delete IP Function, this is to delete IPs not desired to be routed by the script. ***This will not prevent the IP from being queried again***
- Created routingdirector function to handle, for all functions, the determination of whether to create routes / IP rules for queried IPs.
- Added configuration option for including or excluding Private IP Addresses per Policy.
- If VPN Director is enabled for an OpenVPN Interface, IP Rules will be created for queried IPv4 Addresses.
- Corrected spelling error for "adddomain" in script menu.
- Decreased Cron Job frequency to every 15 minutes.
- If a Domain is not Specified when using "adddomain", an error will be generated.
- Cron Job will execute "querypolicy all" if system up time is less than 15 minutes.

v1.1 - 06/26/2022
- Added logic during install to create openvpn-event if it doesn't exist.
- Added warning message when executing querypolicy if it is already currently running.
- Support for ASUS Merlin 386.7

v1.0 - 06/17/2022
- Added option for enabling or disabling Verbose Logging for each Policy, this allows messages such as Querying Policy, etc to not be logged in System Log.
- Added option to edit an existing policy's interface or verbose logging.
- If VPN Director is enabled, routes will now be added to the main routing table.
- Added option for Query Policy All to execute during OpenVPN Events. (If Option is missing run install command again)
 

VIper_Rus

Regular Contributor
The idea is very good. Added ethermine to tun15 (as I understand it, this is VPN client 5); everything is OK according to the logs, but the traffic does not go through VPN client 5 :(

After router restart
Code:
Jun 10 14:55:43 domain_vpn_routing.sh: Cron - Creating cron job
Jun 10 14:55:43 domain_vpn_routing.sh: Cron - Completed creating cron job
Jun 10 15:00:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying ethermine.org
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying eu1.ethermine.org
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Adding route for 2606:4700:90:0:5a66:8b85:453f:4bc6 dev tun15
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Route added for 2606:4700:90:0:5a66:8b85:453f:4bc6 dev tun15
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Adding route for 2606:4700::6812:d8e8 dev tun15
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Route added for 2606:4700::6812:d8e8 dev tun15
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Adding route for 2606:4700::6812:d9e8 dev tun15
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Route added for 2606:4700::6812:d9e8 dev tun15
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Adding route for 104.18.216.232 dev tun15 table ovpnc5
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Route added for 104.18.216.232 dev tun15 table ovpnc5
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Adding route for 104.18.217.232 dev tun15 table ovpnc5
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Route added for 104.18.217.232 dev tun15 table ovpnc5
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Adding route for 172.65.218.130 dev tun15 table ovpnc5
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Route added for 172.65.218.130 dev tun15 table ovpnc5
Jun 10 15:05:01 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying ethermine.org
Jun 10 15:05:01 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying eu1.ethermine.org
Jun 10 15:10:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying ethermine.org
Jun 10 15:10:01 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying eu1.ethermine.org
but it doesn't work :(


p.s.
I added it to the VPN Director and everything worked right away
Code:
Jun 10 15:12:32 openvpn-routing: Routing ethermine server from any to 172.65.218.130 through ovpnc5
Jun 10 15:12:32 openvpn-routing: Routing ethermine 1 from any to 104.18.216.232 through ovpnc5
Jun 10 15:12:32 openvpn-routing: Routing ethermine 2 from any to 104.18.217.232 through ovpnc5
 

Ranger802004

Very Senior Member
The idea is very good. Added ethermine to tun15 (as I understand it, this is VPN client 5); everything is OK according to the logs, but the traffic does not go through VPN client 5 :(

After router restart
Code:
Jun 10 14:55:43 domain_vpn_routing.sh: Cron - Creating cron job
Jun 10 14:55:43 domain_vpn_routing.sh: Cron - Completed creating cron job
Jun 10 15:00:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying ethermine.org
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying eu1.ethermine.org
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Adding route for 2606:4700:90:0:5a66:8b85:453f:4bc6 dev tun15
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Route added for 2606:4700:90:0:5a66:8b85:453f:4bc6 dev tun15
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Adding route for 2606:4700::6812:d8e8 dev tun15
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Route added for 2606:4700::6812:d8e8 dev tun15
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Adding route for 2606:4700::6812:d9e8 dev tun15
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Route added for 2606:4700::6812:d9e8 dev tun15
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Adding route for 104.18.216.232 dev tun15 table ovpnc5
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Route added for 104.18.216.232 dev tun15 table ovpnc5
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Adding route for 104.18.217.232 dev tun15 table ovpnc5
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Route added for 104.18.217.232 dev tun15 table ovpnc5
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Adding route for 172.65.218.130 dev tun15 table ovpnc5
Jun 10 15:00:01 domain_vpn_routing.sh: Query Policy - Route added for 172.65.218.130 dev tun15 table ovpnc5
Jun 10 15:05:01 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying ethermine.org
Jun 10 15:05:01 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying eu1.ethermine.org
Jun 10 15:10:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying ethermine.org
Jun 10 15:10:01 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying eu1.ethermine.org
but it doesn't work :(


p.s.
I added it to the VPN Director and everything worked right away
Code:
Jun 10 15:12:32 openvpn-routing: Routing ethermine server from any to 172.65.218.130 through ovpnc5
Jun 10 15:12:32 openvpn-routing: Routing ethermine 1 from any to 104.18.216.232 through ovpnc5
Jun 10 15:12:32 openvpn-routing: Routing ethermine 2 from any to 104.18.217.232 through ovpnc5

Try a trace route of the IP from console once the script runs and created the routes, it could be a route cache issue.
 

VIper_Rus

Regular Contributor
Try a trace route of the IP from console once the script runs and created the routes, it could be a route cache issue.
I performed routing from the router and from a computer connected to the router; the route goes without a VPN if I turn off this site in VPN Director. I'll wait for someone else to report back, maybe it's my problem.
Is there any command to check all the current routes?

In fact, it is very easy for me to check whether the script is working or not: if the script does not work, then I cannot connect to ethermine due to their restriction on my main (non-VPN) IP.

And another question, how will it be possible to remove the message from the log every 5 minutes?
Code:
Jun 10 15:50:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying ethermine.org
Jun 10 15:50:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying eu1.ethermine.org
Jun 10 15:55:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying ethermine.org
Jun 10 15:55:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying eu1.ethermine.org
Jun 10 16:00:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying ethermine.org
Jun 10 16:00:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying eu1.ethermine.org

p.s. By the way, the dual WAN script works perfectly, I forgot to report after the beta version test ;)
 

Ranger802004

Very Senior Member
I performed routing from the router and from a computer connected to the router; the route goes without a VPN if I turn off this site in VPN Director. I'll wait for someone else to report back, maybe it's my problem.
Is there any command to check all the current routes?

In fact, it is very easy for me to check whether the script is working or not: if the script does not work, then I cannot connect to ethermine due to their restriction on my main (non-VPN) IP.

And another question, how will it be possible to remove the message from the log every 5 minutes?
Code:
Jun 10 15:50:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying ethermine.org
Jun 10 15:50:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying eu1.ethermine.org
Jun 10 15:55:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying ethermine.org
Jun 10 15:55:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying eu1.ethermine.org
Jun 10 16:00:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying ethermine.org
Jun 10 16:00:00 domain_vpn_routing.sh: Query Policy - Policy: ethermine Querying eu1.ethermine.org

p.s. By the way, the dual WAN script works perfectly, I forgot to report after the beta version test ;)

I need you to do some testing and log gathering for me so we can see what is going wrong :)

Also, I published v1.4.6 as a non-beta version, so you can run an update for the Dual WAN Failover script to get the official release.
 

VIper_Rus

Regular Contributor
I need you to do some testing and log gathering for me so we can see what is going wrong :)

Also, I published v1.4.6 as a non-beta version, so you can run an update for the Dual WAN Failover script to get the official release.
I have already upgraded to 1.4.6 ;)

If you write me what to do and what logs to send, I will do it without any problems.
 

Ranger802004

Very Senior Member
I have already upgraded to 1.4.6 ;)

If you write me what to do and what logs to send, I will do it without any problems.

Let's start with logs and traceroute tests, and also send me the routing table for ovpnc5.
 

Ranger802004

Very Senior Member
I will be grateful if you write to me in more detail what to do. :)

As a last resort, I am ready to give access to the router from wan

Send the output of the following commands after you have set up the domain vpn routing script.

EDIT: Also, if you tested right after a reboot, allow the router a few minutes, the cache can sometimes make it seem like it's not working.

Code:
nvram show | grep "wan"

Code:
ip route list table ovpnc5

Code:
traceroute ethermine.org
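A console check that goes one step beyond the three commands above, written here as an added example (it is not code from the domain_vpn_routing script or its author): it parses the output of `ip route list table ovpnc5` and `ip rule show`, and asks `ip route get` which interface the kernel actually selects for the address right now. Table `ovpnc5` and interface `tun15` are the ones from this thread; the sample command outputs embedded below are constructed for the example, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the domain_vpn_routing script: verify from the
# router console that a queried IP is really covered by the VPN client's
# routing table and by a policy rule. Table "ovpnc5" and interface "tun15"
# follow the thread; sample outputs are constructed; helper names are ours.

# Constructed sample of `ip route list table ovpnc5` (mirrors the host routes
# the script logged in the thread plus the tunnel's own subnet route).
SAMPLE_OVPNC5='104.18.216.232 dev tun15 scope link
104.18.217.232 dev tun15 scope link
172.65.218.130 dev tun15 scope link
10.8.0.0/24 dev tun15 proto kernel scope link src 10.8.0.2'

# Constructed sample of `ip rule show`. On Asuswrt-Merlin, VPN Director
# entries appear as "from ... to ... lookup ovpncN" rules; the priority
# number here is a placeholder.
SAMPLE_RULES='0:	from all lookup local
10010:	from all to 172.65.218.130 lookup ovpnc5
32766:	from all lookup main
32767:	from all lookup default'

# has_host_route IP   (stdin: output of `ip route list table <table>`)
# Returns 0 when a host route for IP is present. `ip route` prints a /32
# host route as the bare address, so anchor on "IP " at line start.
has_host_route() {
    grep -q "^$1 "
}

# has_rule_to IP TABLE   (stdin: output of `ip rule show`)
# Returns 0 when some rule sends traffic destined to IP into TABLE.
has_rule_to() {
    grep -Eq "to $1 lookup $2( |$)"
}

# egress_iface   (stdin: output of `ip route get <ip>`)
# Prints the interface the kernel picks for the lookup, e.g. "tun15".
# Typical input line: "104.18.216.232 dev tun15 src 10.8.0.2 uid 0"
egress_iface() {
    sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# diagnose IP TABLE  -- live check; run on the router as root.
diagnose() {
    ip="$1"; table="$2"
    if ip route list table "$table" | has_host_route "$ip"; then
        echo "route:  $ip present in table $table"
    else
        echo "route:  $ip MISSING from table $table"
    fi
    if ip rule show | has_rule_to "$ip" "$table"; then
        echo "rule:   traffic to $ip is directed to table $table"
    else
        # A route in a non-main table is only consulted when an ip rule
        # selects that table; without one the route is never used.
        echo "rule:   no ip rule sends $ip to table $table"
    fi
    echo "kernel: $ip would leave via $(ip route get "$ip" | egress_iface)"
}

# Usage on the router, e.g.:  diagnose 172.65.218.130 ovpnc5
```

The `rule:` line is the one to look at first: a host route sitting in `ovpnc5` does nothing on its own unless an `ip rule` (such as the ones VPN Director creates) tells the kernel to consult that table, which is consistent with the behaviour reported earlier in this thread. `ip route show table all` and `ip rule show` list every route and rule currently installed.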
 

VIper_Rus

Regular Contributor
Send the output of the following commands after you have set up the domain vpn routing script.

EDIT: Also, if you tested right after a reboot, allow the router a few minutes, the cache can sometimes make it seem like it's not working.

Code:
nvram show | grep "wan"

Code:
ip route list table ovpnc5

Code:
traceroute ethermine.org
Sent via PM.
 

Ranger802004

Very Senior Member
Thanks to @VIper_Rus we were able to patch the script to resolve this issue.

v0.91-beta has been published.

Release Notes:
v0.91-beta - 06/11/2022
- If VPN Director is enabled, routes will now be added to the main routing table.
- Added option for Query Policy All to execute during OpenVPN Events. (If Option is missing run install command again)
 

amigohd

Regular Contributor
@Ranger802004 Could you also include not only the openvpn interfaces but also the wireguard (e.g. wg11) ones? Would this work?
 

Ranger802004

Very Senior Member
@Ranger802004 Could you also include not only the openvpn interfaces but also the wireguard (e.g. wg11) ones? Would this work?
I will try expanding after I get the bugs worked out of the initial build.
 

JAX1337

Regular Contributor
Another thing I noticed is that if the domain being added is already blocked by your ISP, the policy update doesn't get the IPs (obviously lol). How do you get the domain running in this case?

For example: in my case a torrent site is blocked by my ISP.
I have a NordVPN server running on my router where it's unblocked,
but I can't update the policy since the console runs through my ISP.
 

Ranger802004

Very Senior Member
Another thing I noticed is that if the domain being added is already blocked by your ISP, the policy update doesn't get the IPs (obviously lol). How do you get the domain running in this case?

For example: in my case a torrent site is blocked by my ISP.
I have a NordVPN server running on my router where it's unblocked,
but I can't update the policy since the console runs through my ISP.
You could create a dnsmasq entry for the domain to use a specific DNS Server that is not your ISP DNS Server.
 

JAX1337

Regular Contributor
You could create a dnsmasq entry for the domain to use a specific DNS Server that is not your ISP DNS Server.
I'm running a Pi-hole as DNS resolver, and this site is blocked except through VPN.
 

Ranger802004

Very Senior Member
I'm running a Pi-hole as DNS resolver, and this site is blocked except through VPN.
You still should be able to make an entry in the dnsmasq.conf add-on file that will override DNS queries for a particular domain to the DNS server you specify.

EDIT: If you have to, you can designate the IP of a DNS Server to go over your VPN using VPN Director or OVPN config and then specify that DNS Server in dnsmasq.conf for that particular domain.
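The per-domain dnsmasq override described in this post, as an added example rather than code from the script or its author. The `server=/domain/resolver` syntax is dnsmasq's own and `/jffs/configs/dnsmasq.conf.add` is the Asuswrt-Merlin add-on file; the sample domain, the resolver address and the helper names are assumptions made for the example. The function validates its inputs and appends the line only once, so re-running it cannot pile up duplicate entries.

```shell
#!/bin/sh
# Added example, not part of the domain_vpn_routing script: idempotently add
# a per-domain upstream resolver to dnsmasq's add-on config so that queries
# for one domain bypass the ISP resolver. Path and "server=" syntax are the
# real ones; domain, resolver IP and helper names are assumptions.

DNSMASQ_ADD="${DNSMASQ_ADD:-/jffs/configs/dnsmasq.conf.add}"

# Small sanity checks so a typo never lands in the live config.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'
}
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# dnsmasq_server_line DOMAIN RESOLVER -> prints "server=/DOMAIN/RESOLVER"
# dnsmasq forwards queries for DOMAIN (and its subdomains) to RESOLVER.
dnsmasq_server_line() {
    printf 'server=/%s/%s\n' "$1" "$2"
}

# add_domain_server DOMAIN RESOLVER [FILE]
# Appends the entry once; calling it again with the same pair is a no-op.
add_domain_server() {
    domain="$1"; resolver="$2"; file="${3:-$DNSMASQ_ADD}"
    valid_domain "$domain" || { echo "bad domain: $domain" >&2; return 2; }
    valid_ipv4 "$resolver" || { echo "bad resolver: $resolver" >&2; return 2; }
    line="$(dnsmasq_server_line "$domain" "$resolver")"
    touch "$file"
    # -x: whole-line match, -F: literal string (no regex surprises from '.')
    if grep -qxF "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# count_entries DOMAIN [FILE] -> number of server= lines for DOMAIN
count_entries() {
    file="${2:-$DNSMASQ_ADD}"
    [ -f "$file" ] || { echo 0; return 0; }
    grep -c "^server=/$1/" "$file" || true
}

# Usage on the router, then reload dnsmasq so the entry takes effect:
#   add_domain_server example.com 10.8.0.1 && service restart_dnsmasq
```

As the EDIT above notes, the resolver address itself must reach the VPN (via VPN Director or the OVPN config); otherwise the forwarded query still leaves over the ISP and a blocked domain stays unresolvable. After the entry is in place, `nslookup example.com` on the router confirms which server answered.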
 
