Domain-based VPN Routing Script

Ranger802004

Very Senior Member
v1.4-beta1 Release: To use the beta use the following command to replace your production version of the script.
Code:
/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing_v1.4-beta1.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh

To revert back to production release:
Code:
/jffs/scripts/domain_vpn_routing.sh update

Release Notes:
v1.4-beta1
Enhancements:
- General optimization
- Added the ability to select WAN0 or WAN1 interfaces for a policy
- Added Alias as domain_vpn_routing (For initial load on terminals open during upgrade, execute ". /jffs/configs/profile.add" to load new alias)
 

kuki68ster

Occasional Visitor
Hello,

First, thanks for this script...

Secondly, I followed the instructions, but I am not having success...Hulu, Sling, etc. are detecting the VPN...Can anyone help me solve this issue?

I have Nord VPN, that when used with VPN Director (exclusive) and a device like Apple TV, those streaming services work with no problem.

Any help would be appreciated...
 

Ranger802004

Very Senior Member
Hello,

First, thanks for this script...

Secondly, I followed the instructions, but I am not having success...Hulu, Sling, etc. are detecting the VPN...Can anyone help me solve this issue?

I have Nord VPN, that when used with VPN Director (exclusive) and a device like Apple TV, those streaming services work with no problem.

Any help would be appreciated...
Try getting the underlying domains/addresses for the service and adding those to your policy. You’ll need things like CDN networks routed as well not just the base domain for the service.
 

kuki68ster

Occasional Visitor
Try getting the underlying domains/addresses for the service and adding those to your policy. You’ll need things like CDN networks routed as well not just the base domain for the service.
Can you point me to a guide, so I can learn how to get the domains/addresses, etc.? I am a novice in this stuff...Any help will be appreciated...
 

Charles Wilkinson

Occasional Visitor
Hey @Ranger802004
I've built something very similar myself and found a limitation that I think your excellent script also suffers from and so I thought I would share.

Basically, it stems from the limitation of using nslookup to get a list of IPs from a domain name. Some big sites (like netflix.com) use DNS-level load balancing and so nslookup WILL return a different set of IPs within minutes or even seconds.

Here's an example using the command copied directly from your script:
Code:
nslookup netflix.com | awk '(NR>2) && /^Address/ {print $3}' | sort
18.200.8.190
2a05:d018:76c:b683:e1fe:9fbf:c403:57f1
2a05:d018:76c:b684:b233:ac1f:be1f:7
2a05:d018:76c:b685:c898:aa3a:42c7:9d21
54.155.246.232
54.73.148.110

nslookup netflix.com | awk '(NR>2) && /^Address/ {print $3}' | sort
2a05:d018:76c:b683:e1fe:9fbf:c403:57f1
2a05:d018:76c:b684:b233:ac1f:be1f:7
2a05:d018:76c:b685:c898:aa3a:42c7:9d21
3.251.50.149
54.155.178.5
54.74.73.31
The command was executed twice, only a few seconds apart in this case. You can see that nslookup has returned different results in each case.

This issue has some pretty big implications since the IPs in the policy are extremely unlikely to be the same as the ones currently in use by LAN clients (depending on TTLs). I personally can't think of any way around this issue and so have concluded that my script (and I suspect yours too) is only useful for rules where the domain has a small set of IPs that don't change very often.

If you want to see my effort (not quite as slick as yours) you can find it here: https://github.com/kabadisha/host-based-vpn-routing

Charlie
 

Ranger802004

Very Senior Member
Hey @Ranger802004
I've built something very similar myself and found a limitation that I think your excellent script also suffers from and so I thought I would share.

Basically, it stems from the limitation of using nslookup to get a list of IPs from a domain name. Some big sites (like netflix.com) use DNS-level load balancing and so nslookup WILL return a different set of IPs within minutes or even seconds.

Here's an example using the command copied directly from your script:
Code:
nslookup netflix.com | awk '(NR>2) && /^Address/ {print $3}' | sort
18.200.8.190
2a05:d018:76c:b683:e1fe:9fbf:c403:57f1
2a05:d018:76c:b684:b233:ac1f:be1f:7
2a05:d018:76c:b685:c898:aa3a:42c7:9d21
54.155.246.232
54.73.148.110

nslookup netflix.com | awk '(NR>2) && /^Address/ {print $3}' | sort
2a05:d018:76c:b683:e1fe:9fbf:c403:57f1
2a05:d018:76c:b684:b233:ac1f:be1f:7
2a05:d018:76c:b685:c898:aa3a:42c7:9d21
3.251.50.149
54.155.178.5
54.74.73.31
The command was executed twice, only a few seconds apart in this case. You can see that nslookup has returned different results in each case.

This issue has some pretty big implications since the IPs in the policy are extremely unlikely to be the same as the ones currently in use by LAN clients (depending on TTLs). I personally can't think of any way around this issue and so have concluded that my script (and I suspect yours too) is only useful for rules where the domain has a small set of IPs that don't change very often.

If you want to see my effort (not quite as slick as yours) you can find it here: https://github.com/kabadisha/host-based-vpn-routing

Charlie
I was aware of that issue from the beginning and that’s why the policies build a permanent list of queried IPs for retention and building the IP rules with them. Over time it collects all of the IP addresses and begins to resolve that problem. That is the purpose of my cron job to continue to query and collect addresses. I have personal use cases this applies to and it works perfectly.
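The retention approach described above, as an added illustration rather than code from domain_vpn_routing: two constructed busybox-style nslookup outputs (the IPs rotate between them, as in Charlie's capture) stand in for live lookups so it runs offline, the awk filter is the one quoted from the script, and the routing table name "ovpnc1" is an assumption.

```shell
# Added example, not the script's own code: union every resolved address into a
# retained list across runs, then emit the policy rules from that list.
STORE=$(mktemp)   # stands in for the policy's retained IP list file

# Constructed lookup 1 (busybox nslookup layout; line 2 is the resolver itself)
LOOKUP1="Server:    192.168.1.1
Address 1: 192.168.1.1

Name:      netflix.com
Address 1: 18.200.8.190
Address 2: 54.155.246.232
Address 3: 2a05:d018:76c:b683:e1fe:9fbf:c403:57f1"

# Constructed lookup 2, seconds later: the IPv4 answers rotated, the IPv6 one overlaps
LOOKUP2="Server:    192.168.1.1
Address 1: 192.168.1.1

Name:      netflix.com
Address 1: 3.251.50.149
Address 2: 54.155.178.5
Address 3: 2a05:d018:76c:b683:e1fe:9fbf:c403:57f1"

# Pull the answer addresses out of one nslookup output (filter quoted from the thread).
extract_ips() { awk '(NR>2) && /^Address/ {print $3}' | sort; }

# Union the addresses on stdin into the retained list ($1); nothing is ever removed,
# which is why the list only grows as the cron job keeps querying.
merge_ips() {
  cat "$1" - | sort -u > "$1.tmp" && mv "$1.tmp" "$1"
}

retained_count() { wc -l < "$1" | tr -d ' '; }

# Print (do not execute) one policy-routing rule per retained address; IPv6
# addresses need the -6 family flag or the rule would be rejected.
build_rules() {
  # $1 = retained list, $2 = routing table (assumed name)
  while read -r ip; do
    case "$ip" in *:*) fam=-6 ;; *) fam=-4 ;; esac
    echo "ip $fam rule add to $ip lookup $2"
  done < "$1"
}

printf '%s\n' "$LOOKUP1" | extract_ips | merge_ips "$STORE"
printf '%s\n' "$LOOKUP2" | extract_ips | merge_ips "$STORE"
```

After both runs the list holds five addresses, not the three a single lookup returns, and `build_rules "$STORE" ovpnc1` shows the rules that would be installed.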
 

Charles Wilkinson

Occasional Visitor
I was aware of that issue from the beginning and that’s why the policies build a permanent list of queried IPs for retention and building the IP rules with them. Over time it collects all of the IP addresses and begins to resolve that problem. That is the purpose of my cron job to continue to query and collect addresses. I have personal use cases this applies to and it works perfectly.
Ah, that makes sense. Apologies, I couldn't follow the whole flow of your approach from reading the code for only an hour or so, so wasn't sure how you were handling the IPs once collected.

I considered doing something similar, but since my approach creates VPN Director rules, I have a hard limit on the number of IPs supported, and even if I didn't it would get pretty ungainly very quickly.

How many IPs are you collecting after some time? I would imagine the list could get really rather large quite quickly...
Does your script ever disassociate an IP from a domain once it has been captured? Do you have a TTL or anything like that?
 

Ranger802004

Very Senior Member
Ah, that makes sense. Apologies, I couldn't follow the whole flow of your approach from reading the code for only an hour or so, so wasn't sure how you were handling the IPs once collected.

I considered doing something similar, but since my approach creates VPN Director rules, I have a hard limit on the number of IPs supported, and even if I didn't it would get pretty ungainly very quickly.

How many IPs are you collecting after some time? I would imagine the list could get really rather large quite quickly...
Does your script ever disassociate an IP from a domain once it has been captured? Do you have a TTL or anything like that?
I think one of my policies that has about 30 domains has collected 1400+ IPs but that is IPv6 and IPv4. No TTL I’m just building IP policy rules directly.
 

Ranger802004

Very Senior Member
Can you point me to a guide, so I can learn how to get the domains/addresses, etc.? I am a novice in this stuff...Any help will be appreciated...
You can install the browser add-on for Chrome called IPvFoo and connect to your streaming service and start streaming, and it will show all of the web domains being used at that given moment.
 

kuki68ster

Occasional Visitor
You can install the browser add-on for Chrome called IPvFoo and connect to your streaming service and start streaming, and it will show all of the web domains being used at that given moment.
Done, in this case for YouTube, I should add all domains I see in the screenshot, right?
 

Attachment: Captura de ecrã 2022-09-04, às 10.06.56.png (screenshot, 214.2 KB)

Darkje

Regular Contributor
So after playing around with the dual WAN script, I thought to try this one. All seems to work. But DNS is leaking as far as I can tell. If I add something like dnsleaktest to the site I get different DNS servers.
So am I being an idiot or do you guys see the same?
 

Ranger802004

Very Senior Member
Done, in this case for YouTube, I should add all domains I see in the screenshot, right?
Not necessarily all of them, some of those are for ads so not necessary.
 

Ranger802004

Very Senior Member
So after playing around with the dual WAN script, I thought to try this one. All seems to work. But DNS is leaking as far as I can tell. If I add something like dnsleaktest to the site I get different DNS servers.
So am I being an idiot or do you guys see the same?
Depending on the service you may have to allow time for the script to query all of the IPs to be rerouted.
 

Darkje

Regular Contributor
Depending on the service you may have to allow time for the script to query all of the IPs to be rerouted.
I hope so but I don't think so; if you tell it to use the domain IP, so it should use VPN XX, then it should use its DNS as well, right?
 

Ranger802004

Very Senior Member
I hope so but I don't think so; if you tell it to use the domain IP, so it should use VPN XX, then it should use its DNS as well, right?
Ah wait, I think I know what you are saying, you may need to set up some DNSMasq rules for those domains to use a specific DNS Server and then create a route/IP Rule for that DNS Server to go over your VPN.
 

Ranger802004

Very Senior Member
Quick question, would this work with the astrill vpn applet?
Negative, it only works with OpenVPN and WAN interfaces at this time.
 

Laxarus

Regular Contributor
Is it possible to use a file containing domain lists per line for this script instead of entering them 1 by 1?

Edit: manually editing policy_{name}_domainlist file works
 

Ranger802004

Very Senior Member
Is it possible to use a file containing domain lists per line for this script instead of entering them 1 by 1?

Edit: manually editing policy_{name}_domainlist file works
I see you answered this already, yea there's a generated domain list file you can manually edit and it's called out in the readme for doing so.
 
