Exclude website from being routed to VPN (policy based routing)


Intrepid2007

Regular Contributor
Hello,

I want to exclude traffic from my IPTV provider from being routed to my VPN. Instead, I want it to be routed to the WAN directly.

The reason is that my VPN IP (a dedicated IP) is giving me problems and streaming won't work. Changing to another dedicated IP is not an option because my VPN provider has run out of IPs for my country. So I am trying to solve this at my side....


As a test, I tried to re-direct the website www.iplocation.net, but I have not had much luck with it.

I am not sure if this is the way to do it, but I gave it a shot....

I use policy based routing; I have multiple VPNs.

My LAN client (my PC) has IP 192.168.4.10, so this particular VPN client will route its traffic.


Accept DNS configuration is set to 'Disabled', I use custom DNS in the field above.


When watching the routing table, I see this:


I have 4 VPN clients configured, but 10.9.0.82 is the internal IP address of the VPN tunnel I use.
107.154.105.114 and 107.154.105.114 are the IP-addresses from iplocation.net.

I am not an expert in routing tables but I assume rules are processed from top->down.
It appears that the entry above with 10.9.0.82 causes the traffic to be routed to the VPN tunnel.

The other entries with IP 107.x.x.xx exist in the routing table, but it appears that they are never used...

Should/could this approach work? If so, what am I doing wrong?

If not, is there another (simple) way to realize this?

RMerlin

Asuswrt-Merlin dev
Determine the IP address of that website, and create a policy rule with its IP as destination, and "WAN" as its iface.
 

eibgrad

Very Senior Member
There's nothing wrong w/ using static routes (i.e., route directives in custom config) for these purposes. But realize when using the *strict* form of Routing Policy, the router will strip these out! IOW, by definition, strict means all traffic *must* use the VPN, no exceptions, not even your static routes.

And unlike Routing Policy, using static routes means you don't need to be doing your own DNS lookups for the domain name. OpenVPN will do that for you, and produce multiple static routes if that DNS lookup returns multiple IPs. And unlike Routing Policy, any change to the resolved IP(s) will be caught the next time OpenVPN is restarted.

Intrepid2007

Regular Contributor
Determine the IP address of that website, and create a policy rule with its IP as destination, and "WAN" as its iface.

This works perfectly, thanks ! :)
 

Intrepid2007

Regular Contributor
There's nothing wrong w/ using static routes (i.e., route directives in custom config) for these purposes. But realize when using the *strict* form of Routing Policy, the router will strip these out! IOW, by definition, strict means all traffic *must* use the VPN, no exceptions, not even your static routes.

And unlike Routing Policy, using static routes means you don't need to be doing your own DNS lookups for the domain name. OpenVPN will do that for you, and produce multiple static routes if that DNS lookup returns multiple IPs. And unlike Routing Policy, any change to the resolved IP(s) will be caught the next time OpenVPN is restarted.

This method also works, thanks :)

When using the IP-address range of my IPTV provider in /24 format, it started working... Just a single IP address (domain) wasn't enough.

Happy happy :)
 

bertradio

Occasional Visitor
I am running 386.2.2 on an AC68U and have an issue with openVPN. I use PIA and for some reason Amazon.com often blocks it. So I would like to exclude Amazon.com from use of the VPN. My subnet mask is 255.255.255.0. I tried adding "route amazon.com 255.255.255.0 net_gateway" to my VPN config, but Amazon was still blocking.

Any guidance would be appreciated.

Thanks
 

eibgrad

Very Senior Member
I am running 386.2.2 on an AC68U and have an issue with openVPN. I use PIA and for some reason Amazon.com often blocks it. So I would like to exclude Amazon.com from use of the VPN. My subnet mask is 255.255.255.0. I tried adding "route amazon.com 255.255.255.0 net_gateway" to my VPN config, but Amazon was still blocking.

Any guidance would be appreciated.

Thanks

That's NOT going to work. The domain name is going to resolve to specific IPs (hosts), of the type /32 (255.255.255.255). But you're trying to force those to be class C networks, of the type /24 (255.255.255.0), which requires the last octet be 0, which is NOT the case.

Code:
[email protected]:~$ host amazon.com
amazon.com has address 54.239.28.85
amazon.com has address 176.32.103.205
amazon.com has address 205.251.242.103

IOW, when using a domain name w/ static routes in OpenVPN, you *have* to specify 255.255.255.255 for the netmask.

Code:
route amazon.com 255.255.255.255 net_gateway

If you want to convert the IPs from the resolved domain name to class C networks, you'll have to do that manually.

Code:
route 54.239.28.0 255.255.255.0 net_gateway
route 176.32.103.0 255.255.255.0 net_gateway
route 205.251.242.0 255.255.255.0 net_gateway
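The netmask point above (a hostname resolves to host addresses, so a directive with 255.255.255.0 is only valid when the last octet is 0) is easy to get wrong by hand. The following is an added example, not code from this thread or from Asuswrt-Merlin or OpenVPN: a small POSIX sh script that turns host(1) output into "route ... net_gateway" directives, either as /32 host routes or collapsed to their /24 networks, and a check that a given address/netmask pair really is a network address. The function names are my own, and the sample input is constructed from the three A records quoted in the post above.

```shell
#!/bin/sh
# Added example (not from the thread): build OpenVPN "route" directives from
# host(1) output and verify that a network/netmask pair has no host bits set.
# Uses only POSIX sh + awk + tr, so it also runs on a router's BusyBox shell.

# Constructed sample: the three A records shown in the quoted host(1) output.
SAMPLE_HOST_OUTPUT='amazon.com has address 54.239.28.85
amazon.com has address 176.32.103.205
amazon.com has address 205.251.242.103'

# Dotted quad -> unsigned integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Unsigned integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address of IP ($1) under NETMASK ($2), i.e. ip AND mask.
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# Succeeds only when IP ($1) has no host bits set under NETMASK ($2), which is
# what "route <network> <netmask>" requires: 54.239.28.85/24 fails,
# 54.239.28.0/24 passes, and any address passes with 255.255.255.255.
route_is_valid() {
    [ "$(network_of "$1" "$2")" = "$1" ]
}

# Host routes: each resolved address is a single host, so the netmask is /32.
host_routes() {
    printf '%s\n' "$1" | awk '/ has address / { print "route " $NF " 255.255.255.255 net_gateway" }'
}

# Class C variant: collapse each resolved address to its /24 network and drop
# duplicates, since several hosts may share one /24.
host_routes_slash24() {
    printf '%s\n' "$1" | awk '/ has address / { print $NF }' | while read -r ip; do
        echo "route $(network_of "$ip" 255.255.255.0) 255.255.255.0 net_gateway"
    done | awk '!seen[$0]++'
}

# Stand-alone run: print both forms for the sample, then show the check.
host_routes "$SAMPLE_HOST_OUTPUT"
host_routes_slash24 "$SAMPLE_HOST_OUTPUT"
route_is_valid 54.239.28.85 255.255.255.0 || echo "54.239.28.85/255.255.255.0 is not a valid network route"
```

On the router you would feed the real output of "host amazon.com" (or nslookup) to these functions and paste the resulting lines into the OpenVPN client's custom config; route_is_valid is the check to run before adding any hand-written /24 line, because a route whose address has host bits set is silently wrong rather than rejected.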

Intrepid2007

Regular Contributor
That's NOT going to work. The domain name is going to resolve to specific IPs (hosts), of the type /32 (255.255.255.255). But you're trying to force those to be class C networks, of the type /24 (255.255.255.0), which requires the last octet be 0, which is NOT the case.

Code:
[email protected]:~$ host amazon.com
amazon.com has address 54.239.28.85
amazon.com has address 176.32.103.205
amazon.com has address 205.251.242.103

IOW, when using a domain name w/ static routes in OpenVPN, you *have* to specify 255.255.255.255 for the netmask.

Code:
route amazon.com 255.255.255.255 net_gateway

If you want to convert the IPs from the resolved domain name to class C networks, you'll have to do that manually.

Code:
route 54.239.28.0 255.255.255.0 net_gateway
route 176.32.103.0 255.255.255.0 net_gateway
route 205.251.242.0 255.255.255.0 net_gateway

I made that very same mistake too, specifying a domain and using something like 255.255.255.0.... This does not work :-/


Since this is new to me, just one more question out of curiosity:
In the example above, the line 'route 176.32.103.0 255.255.255.0 net_gateway' routes to the WAN because of 'net_gateway'.

Is 'net_gateway' (WAN) the only gateway you can specify to route traffic to? Or is it also possible to route this IP range to another active VPN client?
 

eibgrad

Very Senior Member
Is 'net_gateway' (WAN) the only gateway you can specify to route traffic to? Or is it also possible to route this IP range to another active VPN client?

net_gateway, vpn_gateway (this VPN's gateway), and remote_host (the server IP address) are the only reserved words. Of course, you can specify any resolvable hostname or use an explicit IP too. But there's no way for one OpenVPN instance to be aware of another OpenVPN instance and its gateway IP based on a similar reserved word, if that's what you're after.
 

Intrepid2007

Regular Contributor
net_gateway, vpn_gateway (this VPN's gateway), and remote_host (the server IP address) are the only reserved words. Of course, you can specify any resolvable hostname or use an explicit IP too. But there's no way for one OpenVPN instance to be aware of another OpenVPN instance and its gateway IP based on a similar reserved word, if that's what you're after.

Yes, that was what I wanted to know, thank you for the explanation.... :)
 

Suresh

Occasional Visitor
That's NOT going to work. The domain name is going to resolve to specific IPs (hosts), of the type /32 (255.255.255.255). But you're trying to force those to be class C networks, of the type /24 (255.255.255.0), which requires the last octet be 0, which is NOT the case.

Code:
[email protected]:~$ host amazon.com
amazon.com has address 54.239.28.85
amazon.com has address 176.32.103.205
amazon.com has address 205.251.242.103

IOW, when using a domain name w/ static routes in OpenVPN, you *have* to specify 255.255.255.255 for the netmask.

Code:
route amazon.com 255.255.255.255 net_gateway

If you want to convert the IPs from the resolved domain name to class C networks, you'll have to do that manually.

Code:
route 54.239.28.0 255.255.255.0 net_gateway
route 176.32.103.0 255.255.255.0 net_gateway
route 205.251.242.0 255.255.255.0 net_gateway
I have a similar problem with hotstar.com. I added "route hotstar.com 255.255.255.255 net_gateway" but somehow the website still detects the VPN and wouldn't load.



I must be missing some setting somewhere.
 

RMerlin

Asuswrt-Merlin dev
what if the site has constantly changing IP addresses? ex: hotstar.com
Then you won't find any reliable solution, since routing tables are based on IP addresses, not hostnames.
 

Xentrk

Part of the Furniture
If you have selective routing requirements, x3mRouting is your friend.
 

Xentrk

Part of the Furniture
I am running 386.2.2 on an AC68U and have an issue with openVPN. I use PIA and for some reason Amazon.com often blocks it. So I would like to exclude Amazon.com from use of the VPN. My subnet mask is 255.255.255.0. I tried adding "route amazon.com 255.255.255.0 net_gateway" to my VPN config, but Amazon was still blocking.

Any guidance would be appreciated.

Thanks

If you have x3mRouting installed, you can use x3mRouting to create a VPN Bypass Rule for Amazon. Many streaming services use AWS servers and block known VPN servers. If you have an entry in the OpenVPN Client 1 Screen to route the entire LAN or a device to the VPN, the following command will create an IPSET list called "AWS" and route that traffic to the WAN:

Code:
x3mRouting 1 0 AWS aws_region=AP,CA,CN,EU,SA,US,GV,GLOBAL

Xentrk

Part of the Furniture
Hello,

I want to exclude traffic from my IPTV provider from being routed to my VPN. Instead, I want it to be routed to the WAN directly.

The reason is that my VPN IP (a dedicated IP) is giving me problems and streaming won't work. Changing to another dedicated IP is not an option because my VPN provider has run out of IPs for my country. So I am trying to solve this at my side....


As a test, I tried to re-direct the website www.iplocation.net, but I have not had much luck with it.

I am not sure if this is the way to do it, but I gave it a shot....

I use policy based routing; I have multiple VPNs.

My LAN client (my PC) has IP 192.168.4.10, so this particular VPN client will route its traffic.

Accept DNS configuration is set to 'Disabled', I use custom DNS in the field above.


When watching the routing table, I see this:

I have 4 VPN clients configured, but 10.9.0.82 is the internal IP address of the VPN tunnel I use.
107.154.105.114 and 107.154.105.114 are the IP-addresses from iplocation.net.

I am not an expert in routing tables but I assume rules are processed from top->down.
It appears that the entry above with 10.9.0.82 causes the traffic to be routed to the VPN tunnel.

The other entries with IP 107.x.x.xx exist in the routing table, but it appears that they are never used...

Should/could this approach work? If so, what am I doing wrong?

If not, is there another (simple) way to realize this?
x3mRouting has several ways to route traffic for a website.

dnsmasq Method (bypass VPN for iplocation.net)
Code:
x3mRouting 1 0 IPLOCACTION dnsmasq=iplocation.net

Some sites are more complex as they may reference other domains. This requires a more detailed analysis of dnsmasq to see what domains the site is referencing. Or, view the web page source code using the browser. Netflix is a good example of this.

Route ALL Netflix traffic to VPN Client 1
Code:
x3mRouting ALL 1 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

x3mRouting has utilities to help with the analysis.

what if the site has constantly changing IP addresses? ex: hotstar.com

Use the dnsmasq method of x3mRouting.

Please use the Asuswrt-Merlin Add-Ons forum for support.

Intrepid2007

Regular Contributor
x3mRouting has several ways to route traffic for a website.

dnsmasq Method (bypass VPN for iplocation.net)
Code:
x3mRouting 1 0 IPLOCACTION dnsmasq=iplocation.net

Some sites are more complex as they may reference other domains. This requires a more detailed analysis of dnsmasq to see what domains the site is referencing. Or, view the web page source code using the browser. Netflix is a good example of this.

Route ALL Netflix traffic to VPN Client 1
Code:
x3mRouting ALL 1 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

x3mRouting has utilities to help with the analysis.



Use the dnsmasq method of x3mRouting.

Please use the Asuswrt-Merlin Add-Ons forum for support.

Hi Xentrk,

Thanks for your reply, that sounds interesting to be able to re-route traffic for streaming services like Netflix, Disney+ et cetera... Or just re-route an IP-range as I was trying to do..

Like many others I use streaming services and a VPN at the same time, it would be great to re-route these streaming services to WAN to avoid issues with VPN....

I do have everything to install x3mRouting on my router and, looking at what I read in the forum, it works great.

However I haven't done anything with this because setting it up seems complicated to me o_O. It does not have a GUI which could help a lot.
