Exclude website from being routed to VPN (policy based routing)

Hi, @eibgrad
Is it possible to make an alternative script that routes only specific websites to the VPN?
Thank You!

@eibgrad or whoever it may concern, I did manage to find some time to work on this and it is possible to keep rp_filter in strict mode while using ipsets and fwmarks for routing:

My previous setup (excluding route tables and routing rules):
Code:
#mark matching packets with fwmark:
iptables -t mangle -I PREROUTING -m set --match-set MYIP dst -j MARK --set-mark 0x8000/0x8000

#set rp_filter to loose
echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter

Now rp_filter needs to be set to '2' (loose) for this to work, as only outgoing packets are marked.

For the sake of the test, let's set rp_filter to strict:
Code:
#set rp_filter to strict
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

Now my connection to domains in MYIP is broken because of rp_filter blocking.

Now if we instead mark with connmark and restore it to fwmark, all packets in this connection will get this mark (both ways):
Code:
#mark the new connection with connmark:
iptables -t mangle -I PREROUTING -m state --state NEW -m set --match-set MYIP dst -j CONNMARK --set-mark 0x8000/0x8000

#restore connmark to fwmark:
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

Now I can see packets and connections are marked but the connection is still broken. Still blocked by rp_filter, as it doesn't account for fwmarks in its lookup.

So as a final touch:
Code:
#enable rp_filter to use fwmark:
echo 1 > /proc/sys/net/ipv4/conf/eth0/src_valid_mark

Now the connection works and domains included in MYIP are connecting over WAN instead of VPN, where normal routing would have put them. And rp_filter is still in strict mode.

Don't know if this adds any value to anyone but I thought I'd post it.
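As an added example (not eibgrad's script and not the poster's exact setup), here is the whole arrangement from the post above, ipset, connmark, restore-mark, policy rule and src_valid_mark, as one re-runnable sh function. The routing table number, rule preference and WAN gateway are assumptions, since the post omits its route tables and rules.

```shell
#!/bin/sh
# Added example, not eibgrad's script or the poster's exact configuration:
# the ipset + connmark + src_valid_mark arrangement described in the post,
# so destinations in ipset MYIP bypass the VPN while rp_filter stays strict.
# Assumed/placeholder values: WAN interface eth0, gateway 192.0.2.1,
# routing table 100, rule preference 1000. DRY_RUN=1 prints instead of runs.
WAN_IF="${WAN_IF:-eth0}"
WAN_GW="${WAN_GW:-192.0.2.1}"   # placeholder (TEST-NET-1), not a real gateway
IPSET="${IPSET:-MYIP}"
MARK="0x8000"; MASK="0x8000"; TABLE="100"; PREF="1000"

# Run a command, or just print it when DRY_RUN=1 (review before applying).
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# Apply every step in the order it must take effect. Each rule is deleted
# before it is added so that re-running the function never duplicates rules.
bypass_rules() {
    # 1. ipset holding the destination networks that must not use the VPN
    run ipset -exist create "$IPSET" hash:net

    # 2. Mark only the NEW connection (connmark), then copy that connmark
    #    back onto every packet of the connection, in both directions.
    run iptables -t mangle -D PREROUTING -m state --state NEW \
        -m set --match-set "$IPSET" dst -j CONNMARK --set-mark "$MARK/$MASK" 2>/dev/null || true
    run iptables -t mangle -I PREROUTING -m state --state NEW \
        -m set --match-set "$IPSET" dst -j CONNMARK --set-mark "$MARK/$MASK"
    run iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark 2>/dev/null || true
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

    # 3. Marked packets are routed via a table whose default route is the WAN
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    run ip rule del fwmark "$MARK/$MASK" table "$TABLE" pref "$PREF" 2>/dev/null || true
    run ip rule add fwmark "$MARK/$MASK" table "$TABLE" pref "$PREF"

    # 4. Keep rp_filter strict (1) but let the reverse-path check honour the
    #    fwmark, which is what stops strict mode from dropping the replies.
    run sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=1"
    run sysctl -w "net.ipv4.conf.$WAN_IF.src_valid_mark=1"
}

# Uncomment to apply on the router (requires root):
# bypass_rules
```

Run it once with DRY_RUN=1 to check the rule order against the VPN client's own ip rules before applying for real.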
@eibgrad thank you for making this script! I was worried that my little guest network/VPN project was doomed to fail after I found out that x3mRouting didn't get updated for VPN director, but yours works perfectly. Plus, I can actually understand it; the narrower scope really helps.

I'm using it to skip the VPN for some streaming sites + sites that throw tons of captchas when they detect a VPN (looking at you, Google).