Domain-based VPN Routing Script

JAX1337

Regular Contributor
Ok try adding this IP Rule:
Code:
ip rule add from 192.168.1.3 to 103.86.96.100 table ovpnc3

If that works, add this to a startup script somewhere so it will add every time a service restart or reboot occurs.
Code:
if [ -z "$(ip rule list from 192.168.1.3 to 103.86.96.100 table ovpnc3)" ] >/dev/null;then
   ip rule add from 192.168.1.3 to 103.86.96.100 table ovpnc3
fi
If it doesn't work, how do I remove it ? And do I need to run this after enabling vpn director routing
since my network would go down, thought I would clarify this first :)
 

Ranger802004

Very Senior Member
If it doesn't work, how do I remove it ? And do I need to run this after enableing vpn director routing
Yes, I am using the IP Rule because you have VPN Director enabled for that interface currently so leave that the same.

To delete:
Code:
ip rule del from 192.168.1.3 to 103.86.96.100 table ovpnc3
 

JAX1337

Regular Contributor
Yes, I am using the IP Rule because you have VPN Director enabled for that interface currently so leave that the same.

To delete:
Code:
ip rule del from 192.168.1.3 to 103.86.96.100 table ovpnc3
wow! it worked.

Now 2 things,
1. I am running vpnmon r2, so the vpn will keep switching, so can we do anything to reroute the same according to the currently running VPN
2. can I add this code to "services-start"


Edit:

it looks like only cached sites are resolving
 

Ranger802004

Very Senior Member
wow! it worked.

Now 2 things,
1. I am running vpnmon r2, so the vpn will keep switching, so can we do anything to reroute the same according to the currently running VPN
2. can I add this code to "services-start"


Edit:

it looks like only cached sites are resolving
Is there some kind of variable or setting that can be used to monitor the "active" VPN you need? I'd recommend adding to wan-event or firewall-start maybe.
 

JAX1337

Regular Contributor
Is there some kind of variable or setting that can be used to monitor the "active" VPN you need? I'd recommend adding to wan-event or firewall-start maybe.
1656696811357.png


I tv'ed into the Raspi and inside it all sites work
 

Attachments

  • 1656696785019.png
    1656696785019.png
    54.8 KB · Views: 47

Ranger802004

Very Senior Member
wow! it worked.

Now 2 things,
1. I am running vpnmon r2, so the vpn will keep switching, so can we do anything to reroute the same according to the currently running VPN
2. can I add this code to "services-start"


Edit:

it looks like only cached sites are resolving
Allow it time to continue querying the domains to collect all of the resolvable addresses, also sometimes you may have to add subdomains as well to a policy.

Does your VPN Tunnel have IPV6 enabled?
 

JAX1337

Regular Contributor
Allow it time to continue querying the domains to collect all of the resolvable addresses, also sometimes you may have to add subdomains as well to a policy.

Does your VPN Tunnel have IPV6 enabled?
I think so, it's not disabled in custom configuration
 

Attachments

  • 1656697242114.png
    1656697242114.png
    98.8 KB · Views: 57

JAX1337

Regular Contributor
Allow it time to continue querying the domains to collect all of the resolvable addresses, also sometimes you may have to add subdomains as well to a policy.

Does your VPN Tunnel have IPV6 enabled?
The website resolves inside the pi but not outside

I don't have ip6 enabled in pihole and unbound
 

Ranger802004

Very Senior Member
The website resolves inside the pi but not outside

I don't have ip6 enabled in pihole and unbound
That may be something going on within the pihole set up? Double check your set up.
 

JAX1337

Regular Contributor
That may be something going on within the pihole set up? Double check your set up.

Everything looks fine, I tried switching up the interface but no good,
could this have anything to do with unbound ?

Screenshot 2022-07-01 233016.jpg
 

Ranger802004

Very Senior Member

Ranger802004

Very Senior Member
v1.2-beta Release: To use the beta use the following command to replace your production version of the script.
Code:
/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing_v1.2-beta.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh

To revert back to production release:
Code:
/jffs/scripts/domain_vpn_routing.sh update

To use new functions:
Use parameter "deleteip" for new Delete IP Function. Example: /jffs/scripts/domain_vpn_routing.sh deleteip 192.168.1.1
To configure new Private IP Address exclusion/inclusion setting for a policy, use the Edit Policy parameter "editpolicy". ***NOTE: Default behavior will include Private IPs***

Release Notes:
v1.2-beta
- Added Delete IP Function, this is to delete IPs not desired to be routed by the script. ***This will not prevent the IP from being queried again***
- Created routingdirector function to handle all functions determination of creating routes for queried IPs.
- Added configuration option for including or excluding Private IP Addresses per Policy.
 
Last edited:

Ranger802004

Very Senior Member

Pak Kriss

Regular Contributor
Thanks for your feedback @Ranger802004

Another, maybe more easier (interims) option might be, if external files e.g. /tmp/mnt/usbstick/ipv4-aggregated.txt can be included to an specific policy route.

Code:
170.10.143.0/24
170.10.222.0/24
170.176.240.0/21
172.102.8.0/21
172.110.32.0/21
172.217.0.0/16
172.253.0.0/16
173.194.0.0/16
173.255.112.0/20
176.126.58.0/24
179.61.76.0/24
223.29.216.0/22

That would be an idea as the automatically generated file has about 300 networks in the list.
 

lbtboy

Regular Contributor
Hello. The task is this: there are two tunnels tun 11 and tun12. The traffic of a local network device with the address 192.168.1.33 via VPN Director goes completely through tun12, but for example the site google.com I need to let through tun11. The question is whether the traffic of the 192.168.1.33 c device will be your script to google.com go through tun11 or will continue to go through tun12?

Does your script work according to the VPN Director principle?

VPN Director allows you to direct LAN traffic through specific OpenVPN tunnels.
  • OpenVPN clients set to redirect all traffic have the highest priority
  • WAN rules will have priority over OpenVPN rules
  • OpenVPN 1 rules have higher priority than OpenVPN 5 rules
  • Rules can be individually enabled or disabled by clicking on the first column
 

JAX1337

Regular Contributor

Ranger802004

Very Senior Member
Hello. The task is this: there are two tunnels tun 11 and tun12. The traffic of a local network device with the address 192.168.1.33 via VPN Director goes completely through tun12, but for example the site google.com I need to let through tun11. The question is whether the traffic of the 192.168.1.33 c device will be your script to google.com go through tun11 or will continue to go through tun12?

Does your script work according to the VPN Director principle?

VPN Director allows you to direct LAN traffic through specific OpenVPN tunnels.
  • OpenVPN clients set to redirect all traffic have the highest priority
  • WAN rules will have priority over OpenVPN rules
  • OpenVPN 1 rules have higher priority than OpenVPN 5 rules
  • Rules can be individually enabled or disabled by clicking on the first column
I am going to retool some of the backend of this tool after I finish working on WAN Failover script and getting the latest update to full release but test it out and give me some feedback if you have time, please?
 

Ranger802004

Very Senior Member

lbtboy

Regular Contributor
I am going to retool some of the backend of this tool after I finish working on WAN Failover script and getting the latest update to full release but test it out and give me some feedback if you have time, please?
What exactly to test Domain-based VPN Routing or Dual WAN Failover?
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top