Exclude website from being routed to VPN (policy based routing)


Intrepid2007

Regular Contributor
Hello,

I want to exclude traffic from my IPTV provider from being routed to my VPN. Instead, I want it routed to the WAN directly.

The reason is that my VPN IP (a dedicated IP) is giving me problems and streaming won't work. Changing to another dedicated IP is not an option because my VPN provider has run out of IPs for my country, so I am trying to solve this on my side.


As a test, I tried to redirect the website www.iplocation.net, but I have not had much luck with it.

I am not sure if this is the way to do it, but I gave it a shot....

I use policy-based routing; I have multiple VPNs.

My LAN client (my PC) has IP 192.168.4.10, so this particular VPN client routes its traffic.
[screenshot: 1618756474550.png]


Accept DNS configuration is set to 'Disabled', I use custom DNS in the field above.


When watching the routing table, I see this:
[screenshot: 1618758126503.png]


I have 4 VPN clients configured, but 10.9.0.82 is the internal IP address of the VPN tunnel I use.
107.154.105.114 and 107.154.105.114 are the IP addresses of iplocation.net.

I am not an expert in routing tables but I assume rules are processed from top->down.
It appears that the entry above with 10.9.0.82 causes the traffic to be routed to the VPN tunnel.

The other entries with IP 107.x.x.xx exist in the routing table, but it appears that they are never used...

Should/could this approach work? If so, what am I doing wrong?

If not, is there another (simple) way to realize this?
 

RMerlin

Asuswrt-Merlin dev
Determine the IP address of that website, and create a policy rule with its IP as destination and "WAN" as its iface.
 

eibgrad

Very Senior Member
There's nothing wrong w/ using static routes (i.e., route directives in custom config) for these purposes. But realize when using the *strict* form of Routing Policy, the router will strip these out! IOW, by definition, strict means all traffic *must* use the VPN, no exceptions, not even your static routes.

And unlike Routing Policy, using static routes means you don't need to be doing your own DNS lookups for the domain name. OpenVPN will do that for you, and produce multiple static routes if that DNS lookup returns multiple IPs. And unlike Routing Policy, any change to the resolved IP(s) will be caught the next time OpenVPN is restarted.
 

Intrepid2007

Regular Contributor
Determine the IP address of that website, and create a policy rule with its IP as destination, and "WAN" as it's iface.

This works perfectly, thanks ! :)
 

Intrepid2007

Regular Contributor
There's nothing wrong w/ using static routes (i.e., route directives in custom config) for these purposes. But realize when using the *strict* form of Routing Policy, the router will strip these out! IOW, by definition, strict means all traffic *must* use the VPN, no exceptions, not even your static routes.

This method also works, thanks :)

When using the IP address range of my IPTV provider in /24 format, it started working. Just a single IP address (domain) wasn't enough.

Happy happy :)
 

bertradio

Occasional Visitor
I am running 386.2.2 on an AC68U and have an issue with openVPN. I use PIA and for some reason Amazon.com often blocks it. So I would like to exclude Amazon.com from use of the VPN. My subnet mask is 255.255.255.0. I tried adding "route amazon.com 255.255.255.0 net_gateway" to my VPN config, but Amazon was still blocking.

Any guidance would be appreciated.

Thanks
 

eibgrad

Very Senior Member
I am running 386.2.2 on an AC68U and have an issue with openVPN. I use PIA and for some reason Amazon.com often blocks it. So I would like to exclude Amazon.com from use of the VPN. My subnet mask is 255.255.255.0. I tried adding "route amazon.com 255.255.255.0 net_gateway" to my VPN config, but Amazon was still blocking.

That's NOT going to work. The domain name is going to resolve to specific IPs (hosts), of the type /32 (255.255.255.255). But you're trying to force those to be class C networks, of the type /24 (255.255.255.0), which requires the last octet be 0, which is NOT the case.

Code:
$ host amazon.com
amazon.com has address 54.239.28.85
amazon.com has address 176.32.103.205
amazon.com has address 205.251.242.103

IOW, when using a domain name w/ static routes in OpenVPN, you *have* to specify 255.255.255.255 for the netmask.

Code:
route amazon.com 255.255.255.255 net_gateway

If you want to convert the IPs from the resolved domain name to class C networks, you'll have to do that manually.

Code:
route 54.239.28.0 255.255.255.0 net_gateway
route 176.32.103.0 255.255.255.0 net_gateway
route 205.251.242.0 255.255.255.0 net_gateway
 

Intrepid2007

Regular Contributor
I made that very same mistake too, specifying a domain and using something like 255.255.255.0.... This does not work :-/


Since this is new to me, just one more question out of curiosity:
In the example above, the line 'route 176.32.103.0 255.255.255.0 net_gateway' routes to the WAN because of 'net_gateway'.

Is 'net_gateway' (WAN) the only gateway you can specify to route traffic to? Or is it also possible to route this IP range to another active VPN client?
 

eibgrad

Very Senior Member
Is 'net_gateway' (WAN) the only gateway you can specify to route traffic to? Or is it also possible to route this IP range to another active VPN client?

net_gateway, vpn_gateway (this VPN's gateway), and remote_host (the server IP address) are the only reserved words. Of course, you can specify any resolvable hostname or use an explicit IP too. But there's no way for one OpenVPN instance to be aware of another OpenVPN instance and its gateway IP based on a similar reserved word, if that's what you're after.
 

Intrepid2007

Regular Contributor
net_gateway, vpn_gateway (this VPN's gateway), and remote_host (the server IP address) are the only reserved words. Of course, you can specify any resolvable hostname or use an explicit IP too. But there's no way for one OpenVPN instance to be aware of another OpenVPN instance and its gateway IP based on a similar reserved word, if that's what you're after.

Yes, that was what I wanted to know, thank you for the explanation.... :)
 

Suresh

Occasional Visitor
I have a similar problem with hotstar.com. I added "route hotstar.com 255.255.255.255 net_gateway" but somehow the website still detects vpn and wouldn't load.

[screenshot: 1618841363951.png]

[screenshot: 1618841909606.png]


I must be missing some setting somewhere.
 

RMerlin

Asuswrt-Merlin dev
what if the site has constantly changing ip addresses? ex: hotstar.com
Then you won't find any reliable solution, since routing tables are based on IP addresses, not hostnames.
 

Xentrk

Part of the Furniture
If you have selective routing requirements, x3mRouting is your friend.
 

Xentrk

Part of the Furniture
I am running 386.2.2 on an AC68U and have an issue with openVPN. I use PIA and for some reason Amazon.com often blocks it. So I would like to exclude Amazon.com from use of the VPN. My subnet mask is 255.255.255.0. I tried adding "route amazon.com 255.255.255.0 net_gateway" to my VPN config, but Amazon was still blocking.

If you have x3mRouting installed, you can use x3mRouting to create a VPN Bypass Rule for Amazon. Many streaming services use AWS servers and block known VPN servers. If you have an entry in the OpenVPN Client 1 Screen to route the entire LAN or a device to the VPN, the following command will create an IPSET list called "AWS" and route that traffic to the WAN:

Code:
x3mRouting 1 0 AWS aws_region=AP,CA,CN,EU,SA,US,GV,GLOBAL
 

Xentrk

Part of the Furniture
x3mRouting has several ways to route traffic for a website.

dnsmasq Method (bypass VPN for iplocation.net)

Code:
x3mRouting 1 0 IPLOCACTION dnsmasq=iplocation.net

Some sites are more complex as they may reference other domains. This requires a more detailed analysis of dnsmasq to see what domains the site is referencing. Or, view the web page source code using the browser. Netflix is a good example of this.

Route ALL Netflix traffic to VPN Client 1
Code:
x3mRouting ALL 1 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

x3mRouting has utilities to help with the analysis.

what if the site has constantly changing ip addresses? ex: hotstar.com

Use the dnsmasq method of x3mRouting.

Please use the Asuswrt-Merlin Add-Ons forum for support.
 

Intrepid2007

Regular Contributor
Hi Xentrk,

Thanks for your reply, that sounds interesting to be able to re-route traffic for streaming services like Netflix, Disney+ et cetera... Or just re-route an IP-range as I was trying to do..

Like many others I use streaming services and a VPN at the same time, it would be great to re-route these streaming services to WAN to avoid issues with VPN....

I do have everything to install x3mRouting on my router and, looking at what I read in the forum, it works great.

However I haven't done anything with this because setting it up seems complicated to me o_O. It does not have a GUI which could help a lot.
 

bonezy

Occasional Visitor
Hi!

I am having a similar problem on my RT-AX88U, running Merlin 386.3_2.

I run 2 different VPN clients and both are managed through VPN Director.

1 ExpressVPN for all the US Apps I run on my ATV through my US apple ID (Hulu, HBO, etc) and 1 NordVPN that connects to a local server here in Greece, which is used for all my IoT devices plus the family's everyday usage from their laptops, tablets (emails, browsing, etc). The only device that exits directly without VPN is my gaming rig.

The problems I have are 2

1. The devices that go through any VPN don't allow me to watch the Formula 1 YT channel. I always get a Video not available message. I have to switch to hotspot off my phone to be able to watch the highlights on YT.


2. The devices that go through NordVPN (which is supposed to be connected to a local server), don't connect to our local Netflix.
I don't know how they do their routing but my wife doesn't have access to local content that she watches.

I have tried both adding "route somewebsite.com 255.255.255.255 net_gateway" in the Custom Configuration of the VPN Client like @eibgrad suggested, and installing @Xentrk's x3mRouting, but I have no idea how to set it up, as my knowledge of networking is very limited.
If I remember well, I read one of @eibgrad 's post somewhere that having an exclusive setting in accept DNS configuration cancels all routing commands, so I also tried with disabled there but with no luck.

I would ideally like to route both YT and Netflix directly through the wan interface on selected devices, or at least just through the VPN I use for the non US content.

Just for the record, I also run Diversion and Skynet on the same router.

Any help would be greatly appreciated.
 

[attachment: Screenshot 2021-10-11 at 1.57.52 PM.png]

eibgrad

Very Senior Member
Something to be aware of.

With the new VPN Director, a few things have changed. For one thing, the router no longer allows any routing (whether that be a change in the default gateway, or route directives, whether pushed by the server or specified in the client config) to automatically be applied. The router (under the covers) uses the OpenVPN route-noexec directive to force *all* routing to be managed exclusively by the router's scripts (i.e., the ones OpenVPN calls in response to specific events). It is within these scripts where the decision is made if and when to use (or just ignore) any such directives.

As far as I can tell, using the VPN Director, the router will NOT honor any route directives bound to the WAN. Only those bound to the VPN (which iirc, is the exact opposite of the pre-VPN Director firmware). For anything regarding the WAN, you will need to use policy rules instead. Unfortunately that means you need to *manually* resolve any domain names you want routed over the WAN using nslookup, dig, whatever, in order to create those rules (something the use of route directives didn't require).
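The two eibgrad replies above (the netmask rule for route directives, and the VPN Director note that WAN-bound destinations have to be entered as policy rules after resolving the name by hand) both come down to the same chore: turning resolver output into network/mask pairs that a route directive or a policy rule will accept. The POSIX sh script below is an added example, not code from this thread or from Asuswrt-Merlin; it runs on the router's busybox shell or on dash/bash. It assumes the `host`-style output embedded in it (constructed from the amazon.com listing earlier in the thread), assumes VPN Director takes a destination as network/prefix, and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Asuswrt-Merlin): turn resolver output
# into OpenVPN "route" directives and into a destination list for VPN Director
# policy rules. Assumes a POSIX shell with 64-bit arithmetic (busybox ash, dash,
# bash). Function names and the embedded resolver output are this example's own.

# Dotted quad -> 32-bit integer, e.g. 54.239.28.85 -> 921640021
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address of ADDR under MASK: 54.239.28.85 255.255.255.0 -> 54.239.28.0
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# Prefix length of a dotted-quad mask: 255.255.255.0 -> 24
prefix_len() {
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# Prints 1 when ADDR has host bits set under MASK, i.e. "route ADDR MASK ..." names a
# host rather than a network. A domain name resolves to hosts, which is why the
# thread's "route amazon.com 255.255.255.0 net_gateway" did not do what was intended.
host_bits_set() {
    if [ $(( $(ip_to_int "$1") & (4294967295 - $(ip_to_int "$2")) )) -ne 0 ]; then
        echo 1
    else
        echo 0
    fi
}

# One OpenVPN route directive for ADDR under MASK via GW, with ADDR rounded down to
# its network address so the directive is a proper network route.
route_directive() {
    echo "route $(network_of "$1" "$2") $2 $3"
}

# Parse `host`-style lines ("NAME has address A.B.C.D") and emit one route directive
# per distinct network for MASK via GW. Other record lines (AAAA, MX, ...) are skipped.
directives_from_host_output() {
    mask=$2; gw=$3
    printf '%s\n' "$1" | while read -r _name verb noun addr; do
        [ "$verb $noun" = "has address" ] || continue
        route_directive "$addr" "$mask" "$gw"
    done | sort -u
}

# Same input, but as "network/prefix WAN" lines to type into VPN Director by hand,
# since WAN-bound route directives are reported not to be honoured there.
policy_rule_destinations() {
    mask=$2; plen=$(prefix_len "$2")
    printf '%s\n' "$1" | while read -r _name verb noun addr; do
        [ "$verb $noun" = "has address" ] || continue
        echo "$(network_of "$addr" "$mask")/$plen WAN"
    done | sort -u
}

# Constructed resolver output, copied from the `host amazon.com` listing in the thread.
HOST_OUTPUT='amazon.com has address 54.239.28.85
amazon.com has address 176.32.103.205
amazon.com has address 205.251.242.103'

echo "# host routes, what 'route amazon.com 255.255.255.255 net_gateway' expands to:"
directives_from_host_output "$HOST_OUTPUT" 255.255.255.255 net_gateway
echo "# /24 routes, the manual conversion shown in the thread:"
directives_from_host_output "$HOST_OUTPUT" 255.255.255.0 net_gateway
echo "# VPN Director destinations for the same /24s:"
policy_rule_destinations "$HOST_OUTPUT" 255.255.255.0
echo "# host bits set for 54.239.28.85 under 255.255.255.0: $(host_bits_set 54.239.28.85 255.255.255.0)"
```

To use it against a live name, replace the constructed HOST_OUTPUT with `host amazon.com` output (or adapt the `read` pattern to busybox `nslookup`), paste the `route` lines into the client's Custom Configuration on pre-VPN Director firmware, or enter the `network/prefix WAN` lines as VPN Director rules. Widening /32 hosts to /24 is a guess about the provider's address block, as the thread's IPTV case shows it is sometimes necessary, and re-run the script whenever the name starts resolving elsewhere, since neither mechanism tracks DNS changes on its own.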
 
