OpenVPN newbie: domain-based policy routing?

RussellInCincinnati

Am rapidly learning how to use the easier-than-anything-ever Merlin OpenVPN appliance options to choose which fixed-ip-address local network users do, or do not, use a given OpenVPN connection definition. And can see how to choose which "destination" public IP addresses will, or will not, be reached through the "VPN"/OpenVPN (instead of the non-encrypted "WAN") interface.

Surely there is some huge technical reason why Merlin does not give us an option to put in up to 100 "destination domain names", instead of up to 100 IP address blocks, as a policy rule for the rule's destination. Some it-would-be-an-enormous-can-of-worms-or-take-infinite-cpu-power explanation that someone could point us VPN newbies to?
 
Because my implementation relies on the Linux routing tables. A route cannot be applied to a hostname (which may potentially have multiple IPs), only to an IP address and subnet.
 
Surely there is some huge technical reason why Merlin does not give us an option to put in up to 100 "destination domain names", instead of up to 100 IP address blocks, as a policy rule for the rule's destination.

VPN Selective Routing can be achieved as follows:
Code:
        via GUI
            Single source LAN IP address
            LAN subnet
            Static Internet destination IP/subnet
         
        via Advanced Scripting
            Guest WiFi interface/SSID
            Single port or range of ports
            MAC address
            Domains

Except for domains, all of the advanced scripting entities can be implemented without the use of IPSETs, but given the versatility/performance efficiency of IPSETs then (where appropriate) using IPSETs for most of the above is now the preferred method.

So for domains you can elect to have dnsmasq automatically and dynamically resolve the domain into subnets/IP addresses and gradually populate the appropriate domain IPSET over time, or initially seed the IPSET with the published subnets/IP addresses and configure dnsmasq to simply add any new domain subnets/IP address changes.

NOTE: IPSETs may contain thousands of entries and easily overcome RMerlin's GUI/firmware NVRAM limitations.
 
Thanks much to RMerlin as usual, and Martineau thanks for such great help. You have pointed the way for further studying, wonderful.
 
Most of what I know about the topic is due to @Martineau mentoring. You can see two of the techniques in use at https://github.com/Xentrk/netflix-vpn-bypass.

Maybe it is time to write an ebook on the topic?

Another method that is not in the reference above is placing all of the host names in a file. Then, loop through the file and route each host name to the fwmark/bitmask. Snip example below.

Code:
#VPN Client 2
# Delete the rule before adding it so re-running the script does not leave duplicates
ip rule del fwmark 0x2000/0x2000
ip rule add fwmark 0x2000/0x2000 table 112 prio 9992

ip route flush cache

# Route CBS Domain Names to VPN Client 2
# One host name per line in the file; iptables resolves each name to its
# current A record(s) at insertion time, so the rules only cover what the
# name resolved to when this script last ran
for DNS in $(awk '{ print $1 }' /jffs/scripts/CBS_Domains)
    do
      iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000/0x2000
      iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000/0x2000
    done

I had to use the features of dnsmasq to mine the host names from dnsmasq.log to see what is being called. This involves going to the website or streaming media channel and selecting all of the menu options and surfing the site or media content to generate the names. Then, sorting the list to eliminate dupes. All explained in the GitHub link above.

Code:
#!/bin/sh
set -x
#####################################################################################################
# This program is a demo on how to route certain traffic over the WAN.
# For demo purposes, I am using the websites whatismyipaddress.com, whatismyip.com and beta.speedtest.net
# STEP 1
# copy the following line to /jffs/configs/dnsmasq.conf.add
# ipset=/whatismyipaddress.com/WHATISMYIPADDRESS
# ipset=/whatismyip.com/WHATISMYIP
# ipset=/beta.speedtest.net/SPEEDTEST
#
# Then issue the command: service restart_dnsmasq

# Note1: ipset syntax differs between version 6 and 4.5
# Syntax for ipset v6
# ipset create WAN0 list:set
# ipset add WAN0 setlist (e.g. SPEEDTEST)
# for routers running ipset v4.5 (ipset -V)
# ipset -N WAN0 setlist (e.g. SPEEDTEST)
#
# Note 2: Mining domain IP Addresses
# For the best performance install entware package whob (e.g. opkg install whob) and use the following code example
# netsv4=`whob -h whois.radb.net -- '-i origin AS16625' | grep -Eo "([0-9.]+){4}/[0-9]+"`
# Otherwise, use the curl command. My brief testing has shown this to yield better results:
# netsv4=`curl http://ipinfo.io/AS16625 2>/dev/null | grep -E "a href.*AS16625\/" | sed 's/^.*\">//; s/<.*//; /^\s*$/d'`;for net in $netsv4;do echo $net;done;unset netsv4
#
# Note 3: In the event one needs to use IPv6 in the future, the syntax is: ipset -N WHATISMYIP-v6 hash:net family ipv6
#
ipset create WAN0 list:set
ipset create WHATISMYIPADDRESS hash:net family inet hashsize 1024 maxelem 65536
ipset create WHATISMYIP hash:net family inet hashsize 1024 maxelem 65536
ipset create SPEEDTEST hash:net family inet hashsize 1024 maxelem 65536

###################################################################
# use nslookup www.website.com to find ip address. Then, go to
# https://www.ultratools.com/ to lookup ASN
#######################################################################


#Pull all IPs listed for whatismyipaddress.com on radb.net
netsv4=`whob -h whois.radb.net -- '-i origin AS16625' | grep -Eo "([0-9.]+){4}/[0-9]+"`
for net in $netsv4
do
ipset add WHATISMYIPADDRESS $net
done
unset netsv4
#Pull all IPs listed for whatismyip.com on radb.net
netsv4=`whob -h whois.radb.net -- '-i origin AS13335' | grep -Eo "([0-9.]+){4}/[0-9]+"`
for net in $netsv4
do
ipset add WHATISMYIP $net
done
unset netsv4
#Pull all IPs listed for beta.speedtest.net
netsv4=`whob -h whois.radb.net -- '-i origin AS40027' | grep -Eo "([0-9.]+){4}/[0-9]+"`
for net in $netsv4
do
ipset add SPEEDTEST $net
done
unset netsv4

#########################################################################
# Add domains that you want to use WAN interface to the WAN0 ipset list #
#########################################################################
ipset add WAN0 WHATISMYIPADDRESS
ipset add WAN0 WHATISMYIP
ipset add WAN0 SPEEDTEST

###########################################################
#Create table to contain items added automatically by wan #
###########################################################
ip rule del prio 9990
ip rule add from 0/0 fwmark 0x7000/0x7000 table main prio 9990

iptables -D PREROUTING -t mangle -m set --match-set WAN0 dst -j MARK --set-mark 0x7000/0x7000
iptables -A PREROUTING -t mangle -m set --match-set WAN0 dst -j MARK --set-mark 0x7000/0x7000

logger -t "($(basename $0))" $$ "Ending IPSET_VPN_Routing.sh... $0${*:+ $*}."
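As an added example (not code from this thread or from Xentrk's repository), here is the log-mining step described above combined with Martineau's dnsmasq-to-IPSET approach: it pulls the names one LAN client looked up out of a dnsmasq log-queries log, dedupes them, and emits the `ipset=/domain/SET` directives for dnsmasq.conf.add. It assumes dnsmasq runs with log-queries (syslog-style lines as in the sample); the client IP, set name, file paths and the log lines themselves are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: mine host names per client from a dnsmasq
# query log and turn them into dnsmasq "ipset=" directives. The log below is a
# constructed sample; client IPs, names and the set name are assumptions.

# Write a constructed sample log in dnsmasq log-queries format to $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  7 11:53:59 dnsmasq[1234]: query[A] www.cbs.com from 192.168.1.50
Mar  7 11:53:59 dnsmasq[1234]: forwarded www.cbs.com to 1.1.1.1
Mar  7 11:53:59 dnsmasq[1234]: reply www.cbs.com is 104.18.1.1
Mar  7 11:54:02 dnsmasq[1234]: query[A] cdn.cbs.example from 192.168.1.50
Mar  7 11:54:03 dnsmasq[1234]: query[AAAA] www.cbs.com from 192.168.1.50
Mar  7 11:54:05 dnsmasq[1234]: query[A] www.other-site.example from 192.168.1.77
Mar  7 11:54:09 dnsmasq[1234]: query[A] cdn.cbs.example from 192.168.1.50
EOF
}

# mine_domains LOG CLIENT_IP: unique, sorted names that CLIENT_IP queried.
# Only "query[...]" lines count; "forwarded"/"reply" lines repeat the same
# names and would only add duplicates. Fields: $5 = query[A], $6 = name,
# $8 = client address (awk collapses the double space after the month).
mine_domains() {
    awk -v client="$2" '$5 ~ /^query/ && $8 == client { print $6 }' "$1" \
        | sort -u
}

# dnsmasq_ipset_lines SET: read names on stdin, print one dnsmasq.conf.add
# directive per name so every address dnsmasq resolves lands in IPSET "SET".
dnsmasq_ipset_lines() {
    while read -r name; do
        [ -n "$name" ] && printf 'ipset=/%s/%s\n' "$name" "$1"
    done
}

# Demo: mine what 192.168.1.50 looked up and emit the directives for set CBS.
log=$(mktemp)
make_sample_log "$log"
mine_domains "$log" 192.168.1.50 | dnsmasq_ipset_lines CBS
rm -f "$log"
```

On the router, point `mine_domains` at the real log (e.g. `/opt/var/log/dnsmasq.log` if that is where log-facility sends it) after surfing the site from the client, and append the output to /jffs/configs/dnsmasq.conf.add before `service restart_dnsmasq`.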

The pfBlockerNG package in pfSense firmware makes selective routing very easy. You can create IPv4 or IPv6 lists using the pfBlockerNG console. Many options available. You can specify the AS Number, the host name, etc, and it will create the list for you. Then, you just need to add one LAN firewall rule to route the traffic to the iface of your choice.
