Domain VPN Routing

Ranger802004

Domain VPN Routing is a tool used to route specific website domains to specific VPN tunnels or override all traffic being routed to a VPN tunnel to directly route through a WAN interface.

***v2.1.x Release***
This is the release information regarding v2.1.x; please read the notes carefully prior to installing.

Considerations ***READ CAREFULLY***:
- Due to the configuration differences between v1.x and v2.x.x, there are configuration changes made during the upgrade that will not allow the script to automatically be reverted back to v1.x. A backup of the original configuration is created under /jffs/configs/domain_vpn_routing/domain_vpn_routing.conf-<Datestamp>.bak and would have to be restored to be used if Domain VPN Routing is reverted back to v1.x.
- Domain VPN Routing will now use interface friendly names instead of actual interface names. Example: tun11 will be replaced by ovpnc1, eth0 will be replaced by wan0.
- There is an option to select "wan" when using Dual WAN mode; this will essentially keep the domain routing tied to the primary WAN at any given time, as opposed to wan0 / wan1, which keep the traffic bound to the specific interface.
- A new global configuration will be created during the upgrade; by default, Dev Mode is Disabled during the creation. To enable it, use the new SSH UI Menu in the Global Configuration Menu.
- Domain VPN Routing will now be called by the wan-event script in addition to openvpn-event.

Readme - https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/readme.txt

Script - https://raw.githubusercontent.com/R...main/domain_vpn_routing/domain_vpn_routing.sh

Install Command:
Code:
/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh && sh /jffs/scripts/domain_vpn_routing.sh install

Upgrade from v1.x Command:
Code:
/usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing.sh" -o "/jffs/scripts/domain_vpn_routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh && sh /jffs/scripts/domain_vpn_routing.sh

Release Notes:
v2.1.3 - 02/26/2024
Enhancements:
- Added restore policy mode that will recreate objects for policies to function without performing an active query. This will increase the time of restoration of policies during reboot or WAN failover events; restore policy mode is also called at the beginning of query policy mode.
- Simplified policy selection in the menu interface, where only a number has to be selected to select a policy instead of manually typing it.
- Optional configuration item added to add the restorepolicy command to firewall restart events.

Fixes:
- System binaries will now be used over optional binaries installed from repos such as Entware.

v2.1.2 - 10/14/2023
Enhancements:
- The wgclient-start start-up script for WireGuard clients will now be created if it doesn't exist and will call Domain VPN Routing.
- The Reverse Path Filter will now be set to Loose Filtering if it is set to Strict Filtering and FWMarks are being used for a policy.

Fixes:
- Fixed integration with WireGuard clients configured with IPv6.
- Fixed issue where IPv4 ipsets were not being saved under some conditions.
- Fixed issue where IPv6 addresses were not being deleted from ipsets.
- Fixed an issue that caused Domain VPN Routing to be stuck in a loop if a WireGuard Client DNS Option was null.
- Fixed integration issues with amtm.
- Fixed an issue where a failed DNS query returned 0.0.0.0 as a queried IP Address for a policy; this entry will be excluded.

v2.1.1 - 10/09/2023
Enhancements:
- Integration with amtm

v2.1.0 - 10/06/2023
Enhancements:
- The DNSMasq log is now utilized, if enabled, to query for domain records to route. The log path will be captured from the DNSMasq configuration.
- IPSets, IPTables Rules, and IP Rules using FWMarks have been implemented to reduce the amount of routes / rules that are created for policies.
- Added Check Interval configuration options to the Configuration Menu to modify the cron job schedule between 1 - 59 minutes. Default: 15 minutes.
- The current interface for a Policy will be displayed when in the Edit Policy configuration menu.
- Added default FWMark and Mask values for OpenVPN and WireGuard clients that can be changed in the configuration menu. Reboot required for changes.
- Log priority values added (Critical, Error, Warning, Notice, Informational, Debug).
- Additional logging messages have been added.
- Added Boot Delay Timer configuration setting to delay execution and allow VPN tunnels to initialize during start-up before querying for policies. Default: 0 Seconds.
- Added Reset Default Configuration to the Configuration Menu; additionally, the command argument resetconfig can be used.

Fixes:
- Fixed an issue where adding a domain with the same partial name as an existing one in a policy prevented it from being added.
- Fixed an issue that caused the update function to hang when complete, as well as when terminating Domain VPN Routing.
- Fixed an issue preventing installation where Domain VPN Routing was trying to access the global configuration before it was created.
- Fixed an issue where the alias "domain_vpn_routing" was not being deleted during uninstallation.
- Fixed an issue where changing the Check Interval caused Domain VPN Routing to hang on the Query Policy screen instead of returning to the Configuration Menu.
- Fixed an issue where editing a policy and changing the interface would cause a parameter not set error.
- Fixed an issue that wouldn't allow FWMark and Mask settings in the configuration to be null.
- Fixed an issue that caused uninstallation to prompt multiple times for confirmation during the uninstall process.
- Fixed an issue that prevented the menu from loading when Domain VPN Routing was not installed.
 
***v2.1.3-beta1 Released***
Note: Dev Mode in the configuration menu must be enabled to receive beta updates.

Release Notes:

v2.1.3-beta1 - 01/22/2024
Enhancements:
- Added restore policy mode that will recreate objects for policies to function without performing an active query. This will increase the time of restoration of policies during reboot or WAN failover events; restore policy mode is also called at the beginning of query policy mode.
 
@Ranger802004 Just wanted to say thanks for this add-on. Have been using it for the last 3 months after discovering it. Has been working flawlessly for me to route certain traffic through my VPN clients. While I haven't used the Beta, look forward to it when it is released.

Feature request - would it be possible to have an option to disable (not delete) a Policy? Sometimes I need to allow some traffic through the WAN, and being able to temporarily disable/re-enable a policy would be very helpful.

Again, just wanted to say thanks!
 
Please make a request via GitHub support request and I will look into it, I do like the idea.
 
Options 8 and 9 seem to be the same thing atm?
No, Restore Policy only restores existing policies and is a lot quicker than Query Policy. Query Policy will do the same tasks, but it also includes querying all of the domains, which takes a significant amount of time in large policies. You can use Restore Policy to quickly restore policies after a firewall restart, etc.
 
Hi All,

I added a policy name and added a domain: whatismyipaddress.com
I did the action to load, but when I then visit the domain I still see my own external IP.

In the router GUI there is a device using the same VPN, and it shows the IP from the outside of the VPN when visiting whatismyipaddress.com.

I also added ipinfo.io, and when I do a curl ipinfo.io/ip I get the IP of the VPN...

How can I be sure, when I add domains and visit them using my browser, that they are using the VPN?
 
Looks like the ipset names are too long, try and reduce your policy name to something maybe like WG. I’ll look into this for a future release.
 
I did a DNS flush on my iMac, and when I visit the website whatismyipaddress.com now it also shows me the VPN external IP.
So it's important, when you add a domain, to flush DNS on the computer.
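An added example (not part of this thread or of the Domain VPN Routing script itself) showing the mechanics behind the v2.1.0 notes and the ipset name-length reply above: how dnsmasq log-queries "reply" lines can be turned into per-policy IPv4/IPv6 sets with proper subdomain matching, why a 0.0.0.0 answer is dropped, why a long policy name breaks ipset creation, and the shape of fwmark-based rules that route such a set. The log lines are constructed, and the set-name prefix, mark/mask values and routing-table name are assumptions, not the script's own.

```python
"""Parse dnsmasq log-queries replies into per-policy IPv4/IPv6 sets and emit
the fwmark plumbing for one policy. Added example for this thread, not Domain
VPN Routing's own code; log lines, set-name prefix, mark/mask are constructed."""
import ipaddress
import re

IPSET_MAXNAMELEN = 31  # ipset rejects longer set names (the "too long" reply above)

# Constructed sample of dnsmasq "reply <name> is <answer>" log lines.
SAMPLE_LOG = """\
Mar 26 19:09:00 dnsmasq[1234]: query[A] www.instagram.com from 192.168.1.20
Mar 26 19:09:00 dnsmasq[1234]: reply www.instagram.com is <CNAME>
Mar 26 19:09:00 dnsmasq[1234]: reply www.instagram.com is 157.240.22.174
Mar 26 19:09:00 dnsmasq[1234]: reply www.instagram.com is 2a03:2880:f21a:1::1
Mar 26 19:09:01 dnsmasq[1234]: reply blocked.example.net is 0.0.0.0
Mar 26 19:09:02 dnsmasq[1234]: reply notinstagram.com is 203.0.113.9
Mar 26 19:09:03 dnsmasq[1234]: reply api.twitter.com is NXDOMAIN
"""
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\S+)$")


def domain_matches(name, policy_domains):
    """Exact name or a proper subdomain only, so 'instagram.com' never
    captures 'notinstagram.com' (the partial-name bug fixed in v2.1.0)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in policy_domains)


def extract_policy_ips(log_text, policy_domains):
    """Return (ipv4_set, ipv6_set) of policy answers; drops CNAME/NXDOMAIN and 0.0.0.0."""
    v4, v6 = set(), set()
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if not m or not domain_matches(m.group(1), policy_domains):
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # "<CNAME>", "NXDOMAIN" and similar are not addresses
        if addr.is_unspecified:  # 0.0.0.0 or :: from a failed/filtered query
            continue
        (v4 if addr.version == 4 else v6).add(str(addr))
    return v4, v6


def ipset_name(policy, family):
    """Assumed naming scheme; None if ipset would refuse the name as too long."""
    name = "DomainVPNRouting_%s_%s" % (policy, family)
    return name if len(name) <= IPSET_MAXNAMELEN else None


def routing_commands(iface, fwmark, mask, set_name):
    """Illustrative mark-based plumbing (hypothetical values): mark traffic to the set, rule the mark into the VPN table."""
    return [
        "ipset create %s hash:ip family inet -exist" % set_name,
        "iptables -t mangle -A PREROUTING -m set --match-set %s dst "
        "-j MARK --set-xmark 0x%x/0x%x" % (set_name, fwmark, mask),
        "ip rule add fwmark 0x%x/0x%x table %s priority 100" % (fwmark, mask, iface),
    ]
```

Because the policy is keyed on resolved addresses, a client that still holds a cached answer from before the policy was loaded is not matched until its resolver cache is flushed, which is the behaviour observed above.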
 
***v2.1.3-beta2 Released***

Release Notes:

Enhancements:
- Added restore policy mode that will recreate objects for policies to function without performing an active query. This will increase the time of restoration of policies during reboot or WAN failover events; restore policy mode is also called at the beginning of query policy mode.

Fixes:
- System binaries will now be used over optional binaries installed from repos such as Entware.
 
***v2.1.3-beta3 Released***

Release Notes:

Enhancements:
- Added restore policy mode that will recreate objects for policies to function without performing an active query. This will increase the time of restoration of policies during reboot or WAN failover events; restore policy mode is also called at the beginning of query policy mode.
- Simplified policy selection in the menu interface, where only a number has to be selected to select a policy instead of manually typing it.
- Optional configuration item added to add the restorepolicy command to firewall restart events.

Fixes:
- System binaries will now be used over optional binaries installed from repos such as Entware.
 
***v2.1.3 Released***

Release Notes:

Enhancements:
- Added restore policy mode that will recreate objects for policies to function without performing an active query. This will increase the time of restoration of policies during reboot or WAN failover events; restore policy mode is also called at the beginning of query policy mode.
- Simplified policy selection in the menu interface, where only a number has to be selected to select a policy instead of manually typing it.
- Optional configuration item added to add the restorepolicy command to firewall restart events.

Fixes:
- System binaries will now be used over optional binaries installed from repos such as Entware.
 
Hello! Thanks for your script!
1. Can I add a network, for example 31.13.24.0/21?
2. Can I add a list of networks at a time, or tell me which file to edit for this.

Thanks!
 
You can do that with traditional routing and VPN Director.
 
Hello. I'm using the latest (not beta) version of the script. It works fine for me with some extensions.
VPN is configured by OpenVPN with "Redirect Internet traffic through tunnel" set to VPN Director.
VPN Director has no rules, but without it the script has no effect for me.
Added dnsmasq logs:
Code:
log-queries
log-facility=/var/log/dnsmasq.log

My policy domains are:


So the issue:
At home there are several Macs, Windows laptops and phones. With the script enabled, the Wi-Fi connection is not perfect (sometimes it interrupts).
But two LG TVs cannot connect to the home network.
I see that the connection is successful, but the devices cannot obtain an IP.
In the Wi-Fi log I see this (device has no IP):


Looks like this is some kind of DNS issue, but I don't know where to research next.
Router: AX6000, latest Merlin firmware.
Maybe someone could help with that?
 
Firstly, thank you very much for this. I'm just entering the world of this router and Merlin, so far so good.

I've set up WireGuard to run all traffic through my Mullvad VPN account, and I still have access to my local LAN devices using the allowed IPs function. That all works OK.

I tested this domain-based routing, and it works OK / correctly with whatismyipaddress.com; I created a policy with this domain (when I select the WG interface, I get my Mullvad IP; when I select the WAN interface, I get my ISP's IP address on the website).

The issue I have is when I create a policy for both BBC and Disney Plus (so I can use streaming services on my home devices): for some reason, the site / service still recognises that my IP is a VPN-based one, and doesn't see / recognise my WAN IP from my ISP.

Is there something else I need to do to get these services working, or is this simply down to the controls / checks BBC / Disney have in place?

Thanks again.
 
That's very strange behavior and sounds to be DHCP related... maybe review other items you have in your dnsmasq configuration.
 
Probably need to do more research on what CDN URLs etc. you need to add to your policy; I have to do this for several of my personal policies as well.
 
