Domain-based VPN Routing Script


***v2.0.0-beta5 Release***
v2.0.0-beta5 - 06/04/2023
Enhancements:
- SSH UI
- Interfaces will now list the friendly name of the interface instead of the tunnel / physical interface name.
- Querying policies will take low CPU priority automatically.
- Cron Jobs will now be added to wan-event.
- NVRAM Checks have been integrated to prevent lock ups.
- Domain VPN Routing will now be called from wan-event in addition to openvpn-event.
- Global Configuration Menu.
- Developer Mode available for testing beta releases.
- Enhanced update function.
- If the IPV6 Service is disabled, IPV6 IP Addresses will not be queried or added to policies. In addition, existing IPv6 IP Addresses in policy files will be removed for optimization.
- Added WireGuard VPN Clients for support
- Changed dark blue text prompts to light cyan for easier reading.
- NVRAM variables are now synchronized with error checking during initial load of Domain VPN Routing in order to reduce nvram calls and reduce potential failures during operation.
- General optimization.

Fixes:
- Visual errors when domain fails to perform DNS lookup.
- Visual bugs when Query Policy was executing domain queries.
- Fixed bug introduced in earlier beta for deleting old routes when WAN interface was selected.
- False positive errors stating IP routes failed to create.
- Fixed issue with Edit Policy Mode erroring out due to unset parameters.
 
Two days ago I deleted the openvpn client, and then the openvpn-event file in the scripts folder, because it still does not work without the openvpn client. Everything continues to work normally with the wireguard, including after updating to v2.0.0-beta5.
 
Yea it will still work without it. It will execute from wan-event still to create the initial cron job that executes every 15 minutes.
 
I have tried beta 5. Now it shows "wan" but still not the wireguard interfaces, as shown with wg or ifconfig. The wireguard connections are managed by wireguard manager by @Martineau.
 
As I previously stated, I have only added support for the built-in Wireguard clients; I haven’t looked at the script to support it.
 
Hello, I tried with the built-in wireguard clients but I got the following error:
Code:
***Error*** Unable to add IP Rule for XXXXXXXXXXXX table wgc1 priority 6000
 
Some of these are false positives and still creating the IP rules. I’m working to fix them.
 
So I'm noticing something. I thought this script could be used as an alternative for x3mrouting. However it doesn't seem to be working while x3mrouting does work. So for example... I stream through Directv Stream and with my VPN on I used x3mrouting to route these domains: att.com,oidc.idp.clogin.att.com,cloauthaccess.att.com,login-sp.att.net,api.cld.dtvce.com,www.att.tv,att.tv,ngc.cld.dtvce.com,dtvce.com,llnwi.net,bulk-collect.cld.dtvce.com,bamgrid.com,smetrics.att.com,strem.io,rollout.io... If I do that using your script by creating a policy for OpenVPN client 1 and then name it directv and add those domains then query, it says it added IPs but the service is still blocked and not bypassing the vpn and being routed to wan. Am I doing this wrong?
 
I would suggest to look for any subdomains the service is using and add to the policy. I have to do this and I use IPFoo in my browser for this.
 
I guess what I'm saying is why is x3mrouting working using the DNSmasq method with just those domains and this script isn't bypassing? Isn't it supposed to do the same thing?
 
I’m not familiar with x3m
 
So what I'm using x3mrouting for is to bypass the vpn for certain domains using dnsmasq method... It then creates ipsets based on those domains. The thing that I'm not getting is that using the same domains one is bypassing (x3m) while your script isn't. Am I right that your script is designed to bypass the vpn for the domains specified and direct the traffic to wan instead?
 
It can be created to do that or vice versa (bypass WAN via VPN). My only suggestion is to find the subdomains that need to be routed as part of the underlying service. I have about 8 policies and have to do this for all of them. Things like CDN networks, etc. have different domains than the base domain the site uses.
 
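The subdomain gap discussed in the posts above, as an added example that is not code from Domain VPN Routing or x3mrouting: dnsmasq's `ipset=/domain/set` directive matches a listed domain and every subdomain of it, while a policy that resolves only the exact names listed (assumed here for a DNS-lookup-based policy) misses hostnames nobody listed. The policy domains come from the post above; the observed hostnames are constructed.

```shell
#!/bin/sh
# Added example: compare exact-name policy coverage with dnsmasq-style
# suffix matching to find hostnames that still need adding to a policy.

# Domains taken from the post above.
POLICY_DOMAINS="att.com att.tv www.att.tv dtvce.com api.cld.dtvce.com ngc.cld.dtvce.com llnwi.net"
# Constructed hostnames standing in for what a browser or DNS log shows.
OBSERVED="att.com api.cld.dtvce.com edge-constructed.cld.dtvce.com media-constructed.llnwi.net static-constructed.example.net"

# exact_match HOST: true only when HOST is literally listed in the policy.
exact_match() {
    for d in $POLICY_DOMAINS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# suffix_match HOST: true when HOST is a policy domain or a subdomain of one
# (label boundary enforced by the leading dot), as dnsmasq's ipset= matches.
suffix_match() {
    for d in $POLICY_DOMAINS; do
        case "$1" in
            "$d"|*".$d") return 0 ;;
        esac
    done
    return 1
}

# missing_from_policy: print observed hosts that suffix matching covers
# but an exact-name list does not, i.e. candidates to add to the policy.
missing_from_policy() {
    for h in $OBSERVED; do
        if suffix_match "$h" && ! exact_match "$h"; then
            printf '%s\n' "$h"
        fi
    done
}

missing_from_policy
```

Hosts that neither method covers, such as the constructed `static-constructed.example.net`, belong to domains that are missing from both lists and have to be found separately.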
Hi everybody. Why do I display three wan interfaces (wan, wan0, wan1) when creating a new policy? One primary (wan0), the other secondary-backup (wan1), and what is just a wan?
 
