Domain-based VPN Routing Script

Hello,

Does anyone have a file or Excel sheet with all the domains and subdomains for sites like YouTube, Hulu, Disney, Pluto, and Amazon that they can share with me? I am trying to use the script, but I am unable to get it to work; I believe there are some domains that I am missing....

Thanks
 
IPSets, IPTables Rules, and IP Rules using FWMarks have been implemented to reduce the amount of routes / rules that are created for policies.
Just FYI, there are known conflicts between using fwmarks and TrendMicro. Perhaps it would be good to check if the user has "withdrawn", or else display an adequate warning?

It should be noted that the marks used conflict with TrendMicro/AiProtect, which uses all bits in fwmark, so you probably shouldn't use this with TrendMicro stuff enabled. Or at least be observant: https://www.snbforums.com/threads/asuswrt-merlin-netflix-through-vpn-settings.41047/post-349109

I'm not sure if there is more up-to-date information on this, but there has been a quite recent warning from @RMerlin that TrendMicro is using these bits.

Edit: found one more recent: https://www.snbforums.com/threads/potential-bug-with-udp-nat-loopback-hairpinning.70892/post-670363
 
I just came upon your script this weekend.. it's a great script! It's working frictionlessly. I'm at work right now, but does your script also add ASN numbers? Thanks!
No, I haven't added ASNs as something you can add to a policy.
 
Personally, I use the IPFoo browser extension, load sites, and discover what domains load when I use the site and the services within it.
 
I don't know about AiProtect because, after extensive testing, I decided it wasn't worth using and disabled it, but I have looked at the bits used by the QoS engine and the mark/masks used by FlexQoS, and they do not overlap with the 17th-20th bits masked by default by Domain VPN Routing. FWMarks are customizable for specific needs, and if you can't use a FWMark because of conflicts, the policy will create traditional IP Rules; although not good for a large policy, it will work.
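The ipset + fwmark mechanism the changelog quote above describes, together with the mask-overlap caveat discussed in this post, as an added shell example. This is not the Domain VPN Routing script's code, nor FlexQoS's or TrendMicro's: the mark 0x20000 and mask 0x1E0000 (bits 17-20 counted from bit 0), table 100, priority 1000, the set name vpn_us and the masks attributed to the two "consumer" entries are illustrative assumptions; only the "all bits" entry for TrendMicro reflects the warning quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not the Domain VPN Routing script's own code: express one
# policy as ipset + mangle MARK + fwmark ip rule, and check the mark mask
# against other mark consumers before applying it. All values below are
# assumptions for illustration (the script's real mask and the bits other
# firmware components use are not given on this page).

# fwmark_overlaps MASK_A MASK_B: true (exit 0) if the two masks share a bit.
fwmark_overlaps() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# fwmark_conflicts MASK "name:mask name:mask ...": print the name of every
# registered consumer whose mask collides with MASK.
fwmark_conflicts() {
    mask=$1
    for entry in $2; do
        name=${entry%%:*}
        other=${entry#*:}
        if fwmark_overlaps "$mask" "$other"; then
            printf '%s\n' "$name"
        fi
    done
}

# policy_commands SET MARK MASK TABLE PRIORITY: print the commands that
# implement the policy. Printed rather than executed so the example runs
# anywhere; on the router, pipe the output into sh.
policy_commands() {
    set_name=$1 mark=$2 mask=$3 table=$4 prio=$5
    cat <<EOF
ipset create $set_name hash:net -exist
iptables -t mangle -A PREROUTING -m set --match-set $set_name dst -j MARK --set-xmark $mark/$mask
ip rule add fwmark $mark/$mask table $table priority $prio
EOF
}

# Constructed registry of other mark users. The two consumerX masks are
# placeholders; the trendmicro entry encodes the thread's warning that
# AiProtection uses every fwmark bit.
OTHER_MARK_USERS="consumerA:0x0000000F consumerB:0x0000003F trendmicro:0xFFFFFFFF"

# Bits 17-20 counted from bit 0 give mask 0x1E0000; mark 0x20000 sets bit 17.
POLICY_MASK=0x1E0000
POLICY_MARK=0x20000

conflicts=$(fwmark_conflicts "$POLICY_MASK" "$OTHER_MARK_USERS")
if [ -n "$conflicts" ]; then
    printf '# mask %s collides with: %s (plain ip rules per IP are the fallback)\n' "$POLICY_MASK" "$conflicts"
fi
policy_commands vpn_us "$POLICY_MARK" "$POLICY_MASK" 100 1000
```

Run as-is it prints the collision notice for the "all bits" consumer followed by the three commands; because the mark is applied with an explicit mask, only the policy's own bits are touched, which is exactly what stops working once another component claims every bit. The check is a script-side convention (there is no kernel registry of who owns which fwmark bits), so the registry has to be maintained by hand.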
 
Got this output today while manually querying a policy (option 8):

Code:
"ip rule show" does not take any arguments.
"ip rule show" does not take any arguments.
"ip rule show" does not take any arguments.
"ip rule show" does not take any arguments.
"ip rule show" does not take any arguments.
"ip rule show" does not take any arguments.
"ip rule show" does not take any arguments.
"ip rule show" does not take any arguments.
"ip rule show" does not take any arguments.
"ip rule show" does not take any arguments.
 
I think something (newer wireguard-tools/wg-quick) might have installed "ip-full", yes. Should I get rid of it, or is there another workaround?
Yeah, if it's the package from Entware then delete it; it's older than what you get with the firmware now. I can also add a function to force the script to use system paths for binaries, but that would require a patch.
 
If it's older, I'd be happy to remove it. Strange that wireguard-tools doesn't pick up on ip already being installed.
I've seen it a lot from people using Entware... not sure why they still have an older package in that repo and haven't upgraded it.
 
Is it possible to add wildcards or even regex in the domain whitelist? Something like *.website.com to catch everything?

I have a program that connects to many servers on startup, I imagine some sort of load balancer type thing, and it picks the fastest to stay connected to, of course. How would I catch all of these without having to play whack-a-mole with like 50 IPs? All of the addresses it contacts are like this: x1.website.com, x2.website.com, etc. I've seen up to 54 of these, all with different IPs.
 
If you have DNS Logging enabled, it should capture everything under the root domain if you add it like "domain.com". As for multiple IPs, the policy should continue to collect all of the IPs over time to add to the ipsets/policy files.
 
Very interesting. Where and how to enable DNS Logging?
 
Add the following lines to /jffs/configs/dnsmasq.conf.add and restart the dnsmasq service:
Code:
log-queries
log-facility=/var/log/dnsmasq.log
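The root-domain capture described in the reply above and the dnsmasq logging it relies on, as an added shell example that is neither the Domain VPN Routing script's code nor the script author's: it reads the log that the two dnsmasq settings above produce, collects every IPv4 answer for one root domain and all of its subdomains, and emits ipset entries for them. The log lines are constructed for the example, and the set name vpn_us and the domain website.com are placeholders.

```shell
#!/bin/sh
# Added example, not the Domain VPN Routing script's own code: pull the
# resolved IPv4 addresses for a root domain and all of its subdomains out of a
# dnsmasq query log (log-queries + log-facility=/var/log/dnsmasq.log) and turn
# them into ipset entries. The log lines below are constructed for the example.

SAMPLE_LOG='Jan  1 12:00:01 dnsmasq[1234]: query[A] x1.website.com from 192.168.1.10
Jan  1 12:00:01 dnsmasq[1234]: forwarded x1.website.com to 1.1.1.1
Jan  1 12:00:01 dnsmasq[1234]: reply x1.website.com is 203.0.113.10
Jan  1 12:00:02 dnsmasq[1234]: reply x2.website.com is 203.0.113.11
Jan  1 12:00:02 dnsmasq[1234]: reply x2.website.com is 203.0.113.11
Jan  1 12:00:03 dnsmasq[1234]: reply cdn.website.com is <CNAME>
Jan  1 12:00:03 dnsmasq[1234]: reply edge.cdnprovider.example is 198.51.100.5
Jan  1 12:00:04 dnsmasq[1234]: cached website.com is 203.0.113.1
Jan  1 12:00:05 dnsmasq[1234]: reply notwebsite.com is 192.0.2.9'

# domain_ips ROOT [LOGFILE...]: print each unique IPv4 answer, in first-seen
# order, for ROOT itself or any name ending in ".ROOT". Reads stdin when no
# file is given. "<CNAME>" answers and names that merely end in the same
# letters (notwebsite.com) are skipped.
domain_ips() {
    root=$1
    shift
    awk -v root="$root" '
        /dnsmasq\[[0-9]+\]: (reply|cached) / {
            for (i = 1; i <= NF; i++)
                if ($i == "reply" || $i == "cached") { name = $(i + 1); addr = $(i + 3); break }
            tail = substr(name, length(name) - length(root))
            if (name == root || tail == "." root)
                if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[addr]++)
                    print addr
        }' "$@"
}

# ipset_adds SETNAME ROOT [LOGFILE...]: emit "ipset add" commands for the
# addresses found, ready to be piped into sh on the router.
ipset_adds() {
    set_name=$1
    shift
    domain_ips "$@" | while read -r addr; do
        printf 'ipset add %s %s -exist\n' "$set_name" "$addr"
    done
}

printf '%s\n' "$SAMPLE_LOG" | ipset_adds vpn_us website.com
```

On a router the last line would instead be something like `ipset_adds vpn_us website.com /var/log/dnsmasq.log | sh`. One caveat visible in the sample: cdn.website.com answers with a CNAME to edge.cdnprovider.example, and the address behind that target is not attributed to website.com by a plain suffix match, so names served through a CDN under another domain still have to be added to the policy explicitly.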
It works, but only if I uninstall AdGuard Home. With AdGuard Home installed, the router's processor goes crazy, and all installed add-ons and DDNS stop working. Is it possible to somehow combine this with AdGuard Home?
 
I’m going to refer you to @SomeWhereOverTheRainBow on that one.
 
I have no solution for the DNSMASQ log breaking everything. The DNSMASQ log requires a bit of memory resources. Overall, I cannot control the amount of resources used by AdGuardHome. It is a single Go binary that uses what is required to run all of its blocklists and intricate features. Unfortunately, this may also require a bit of memory resources. I have included all of the "memory" optimizations and suggestions recommended by the AdGuardHome dev team for running AdGuardHome on routers (or memory-constrained devices), but unfortunately using AdGuardHome might not be the recommended route for everyone who is trying to run all "add-ons" known to man on their memory-constrained, resource-confined home router.
 
There is enough memory for everything, and there is plenty left.
After I uninstalled AdGuardHome and rebooted the router, everything returned to normal and works as I need it to. But I wouldn't want to give up AdGuardHome; I got used to it and fell in love with it :). But even more, I don't want to give up the opportunities that enabling the DNSMASQ log in combination with the Domain-based VPN Routing Script provides.
 
It is hard to say. I would need you to provide full memory specs while you are in the thick of all of it for me to warrant the idea that it wasn't memory related. While there may be available memory, that does not necessarily mean there is enough for the initial launch of everything. AdGuardHome requires at least 50 MB of free RAM, which typically is fine for our routers. However, the DNSMASQ log has been known to have buggy memory issues lately, particularly around startup and spikes in memory usage.

Take a look at this post:

 
