
Ciccio

Occasional Visitor
Hi folks,
I have an IPTV service that allows one connection per account. If I change my public IP address, the IPTV does not work for about ten minutes, then it works again.
I would like to set up the connection to the IPTV through the VPN, but it works only if I set the destination IP to 0.0.0.0. In this case, some services like Amazon Prime Video do not work because of the "country".
If I set the destination IP to myIPTVdomain, it does not work.
I tried adding the IP addresses from a traceroute to myIPTVdomain to the policy-based routing table, and this solution does not work either.
Maybe some DNS problem?
Can anyone help me set up policy-based routing only for myIPTVdomain so that it goes through the VPN?
Sorry for my English.
Many Thanks.
 

Xentrk

Part of the Furniture
Here is an example of how to configure in the Policy Routing section of the OpenVPN Client Screen:

Route All LAN Clients to a destination IP Block
Direct all LAN Clients to use the VPN tunnel when accessing an IP block that belongs to Google:

Code:
RouteGoogle    0.0.0.0    74.125.0.0/16    VPN

If the IPTV service has just one or a handful of IP addresses, you can enter them in the destination field and route to the VPN tunnel.

https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/
 

Ciccio

Occasional Visitor

Thanks for your reply, but this is the solution that I tried and it does not work for me. Suppose I know iptvdomain; I look up the IP address with a DNS lookup, so I have for example a.b.c.d, I put a.b.c.0/24 in the destination field of the policy table and this does not work. If I put 0.0.0.0 in the destination it works perfectly.
Thanks again.
 

Martineau

Part of the Furniture
If I put 0.0.0.0 in the destination it works perfectly.

I look up the IP address with a DNS lookup, so I have for example a.b.c.d, I put a.b.c.0/24 in the destination field of the policy table and this does not work.

So clearly the nslookup method is not capturing all of the IPs/subnets that are used by your IPTV service.

Perhaps you could try advanced Selective Routing, either by Domain or Port?

i.e. if the IPTV is using a unique Port that is not used by any other program on the LAN, then you don't need to know any of the remote IPs used.
 

Ciccio

Occasional Visitor
i.e. if the IPTV is using a unique Port that is not used by any other program on the LAN, then you don't need to know any of the remote IPs used.
Yes, the IPTV is using a unique port that is not used by any other program on the LAN. How do I set up policy-based routing by port number?
Thanks
 

Ciccio

Occasional Visitor
I followed the Policy-based port routing guide, so I created the /jffs/scripts/nat-start file
Code:
nano /jffs/scripts/nat-start
Code:
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000
Code:
chmod +x /jffs/scripts/nat-start
The VPN client is #1, the IP address range that I want to use via the VPN is 192.168.1.8-192.168.1.15, and the remote port of the IPTV service is 2300 (I suppose, because the links are http://IPTVdomain.tv:2300/xyz).
I inserted ports 80 and 443 to test the public IP address on a site like whatsmyip.com, and I see that when I execute nat-start, the public IP of the devices is the public IP of the VPN client.
Two questions:
  1. How does nat-start launch at boot? (I run it manually to make it work)
  2. How can I verify that the devices are really connected to the IPTV via the VPN?
Again, many thanks for help
 

Xentrk

Part of the Furniture
1. nat-start automatically runs at boot.
2. This command should show the iptables chain and the number of packets and bytes traversing the chain. If the number increases, then traffic is passing thru the chain:
Code:
iptables -nvL PREROUTING -t mangle --line
 

Martineau

Part of the Furniture
I followed the Policy-based port routing guide, so I created the /jffs/scripts/nat-start file

Code:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000

How i can verify that devices really connected to IPTV via VPN?

As per post #8 by @Xentrk, this is normally the only visible diagnostic, but if the RPDB fwmark rule is missing/invalid and/or its target downstream ovpnc1 routing table is incorrect, then it won't work.

However, even if the three Selective Port Routing elements are indeed configured correctly, you can install Entware utility tcpdump, to check if there is any WAN leak.....
Code:
tcpdump -tttt -n -i $(nvram get wan0_gw_ifname) port 2300
which hopefully should not show any traffic data, but monitoring VPN Client 1
Code:
tcpdump -tttt -n -i tun11 port 2300
should show traffic data.

P.S. If there is a WAN leak, then you may need to add a WAN BLOCK rule for Port 2300 for the 8 LAN devices
Code:
iptables -I FORWARD -i br0 -s 192.168.1.8/29 -o $(nvram get wan0_gw_ifname) -p tcp --dport 2300 -j DROP
until you diagnose why the Selective Port 2300 routing is broken.
 

Ciccio

Occasional Visitor
1. nat-start automatically runs at boot.
It's strange because nat-start runs at boot (I have added a logger line and can see the message in the log), but the public IP address of the devices is the WAN IP address. If I run nat-start manually
Code:
cd /jffs/scripts/
./nat-start
the public IP address of the devices is my VPN IP address.
 

Martineau

Part of the Furniture

Sorry I should add this to the Wiki entry.
EDIT: Wiki updated - see post #6

Add the following to nat-start before adding the RPDB rules
Code:
sleep 10
 

Ciccio

Occasional Visitor
Perfect, now nat-start is working.
Now I ran
Code:
iptables -nvL PREROUTING -t mangle --line
twice while watching IPTV and I have
Code:
Chain PREROUTING (policy ACCEPT 1141K packets, 1214M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     440K  588M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3     224K 8982K MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.8-192.168.1.15 multiport dports 2300 MARK or 0x1000
Code:
iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 1155K packets, 1230M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     446K  596M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3     227K 9094K MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.8-192.168.1.15 multiport dports 2300 MARK or 0x1000
The number of packets increases, so is it working?
If yes, many thanks guys, you are awesome.
 
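As an added example (my own code, not part of the thread), here is a small POSIX shell helper that does mechanically what Xentrk suggests above: it takes two listings of the mangle PREROUTING chain, expands the K/M/G suffixes iptables prints in -v mode, and reports how many packets hit a chosen rule between the two listings. The two embedded snapshots are the ones Ciccio pasted above; the function names (`expand_count`, `rule_pkts`, `mark_delta`, `mark_rule_active`) are mine.

```sh
#!/bin/sh
# Compare two 'iptables -nvL PREROUTING -t mangle --line' listings and report
# how many packets matched a given rule in between.  Added example, not from the thread.

# Constructed input: the two listings posted above, taken a few seconds apart.
SNAP1='Chain PREROUTING (policy ACCEPT 1141K packets, 1214M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     440K  588M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3     224K 8982K MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.8-192.168.1.15 multiport dports 2300 MARK or 0x1000'

SNAP2='Chain PREROUTING (policy ACCEPT 1155K packets, 1230M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     446K  596M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3     227K 9094K MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.8-192.168.1.15 multiport dports 2300 MARK or 0x1000'

# iptables -v abbreviates counters as decimal thousands (224K = 224000); expand them.
expand_count() {
  echo "$1" | awk '{
    n = $1; mult = 1
    if (n ~ /K$/) mult = 1000
    else if (n ~ /M$/) mult = 1000000
    else if (n ~ /G$/) mult = 1000000000
    sub(/[KMG]$/, "", n)
    printf "%d\n", n * mult
  }'
}

# Packet counter (second column) of the first rule line matching PATTERN.
rule_pkts() {   # $1 = listing text, $2 = grep pattern selecting the rule
  line=$(printf '%s\n' "$1" | grep -- "$2" | head -n 1)
  [ -n "$line" ] || return 1
  expand_count "$(printf '%s\n' "$line" | awk '{print $2}')"
}

# Packets that matched the rule between the two listings.
mark_delta() {  # $1 = first listing, $2 = second listing, $3 = rule pattern
  a=$(rule_pkts "$1" "$3") || return 1
  b=$(rule_pkts "$2" "$3") || return 1
  echo $((b - a))
}

# Exit status 0 when the rule saw new packets, 1 when it did not.
mark_rule_active() {
  d=$(mark_delta "$1" "$2" "$3") || return 2
  [ "$d" -gt 0 ]
}

# Stand-alone demo: packets that hit the port-2300 mark rule between the snapshots.
mark_delta "$SNAP1" "$SNAP2" 'dports 2300'
```

On the router, take the listings with `iptables -t mangle -xnvL PREROUTING --line` instead: `-x` prints exact counters, so a small delta is not rounded away by the K/M suffixes. A growing counter only proves the mark is being applied; whether the marked packets then leave through tun11 is what Martineau's tcpdump check above settles.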

Martineau

Part of the Furniture
while watching IPTV ... the number of packets increases,

so is it working?
Well..... if you have the KILL switch enabled for VPN Client 1, and you manually stop VPN Client 1, your streaming should stop, and if you check the RPDB rules and the VPN Client 1 routing table
Code:
ip rule

ip route show table ovpnc1
the ovpnc1 table should contain 'prohibit default' although the Number of packets in the iptables rule will continue to increase as the device continues to try and reach the server.

NOTE: Without the KILL switch, the streaming will probably switch to the WAN, unless you added the WAN BLOCK rule from post #9
 

Ciccio

Occasional Visitor
By kill switch you mean "Block routed clients if tunnel goes down"; it is enabled.
When I turn off VPN Client 1, the streaming is blocked, and with
Code:
ip route show table ovpnc1
I see prohibit default.
Well, this is what I wanted, many thanks!!!

P.S. In the WAN settings I have manually entered Google's DNS.
In the VPN Client settings I have Accept DNS Configuration set to Exclusive.
The devices set to use the VPN via the RPDB fwmark rule, which DNS do they use?
Anyway, thanks a lot friends!
 

Martineau

Part of the Furniture
In the WAN settings I have manually entered Google's DNS.
In the VPN Client settings I have Accept DNS Configuration set to Exclusive.

The devices set to use the VPN via the RPDB fwmark rule, which DNS do they use?
If the Selective Routing table is devoid of VPN target entries, everything (by default) will normally use the WAN ISP DNS, unless manually overridden (DoT etc.) or you have enabled DNS Filtering.

So you have choices

1. Range 192.168.1.8-192.168.1.15 use the WAN DNS and send ALL traffic via the WAN - but Port 2300 traffic via VPN
or
2. Range 192.168.1.8-192.168.1.15 use the VPN DNS and send ALL traffic via the VPN - and Port 2300 traffic via VPN
or
3. Range 192.168.1.8-192.168.1.15 use the VPN DNS but send ALL traffic via the WAN - but Port 2300 traffic via VPN
 

Ciccio

Occasional Visitor
OK, so:
Choice 1 is actually how it works now.
With choice 2 some services like Netflix or Prime Video do not work via the VPN.
Choice 3 is what I wanted; it is how it should work if DNS Filtering is enabled using the DNS of the VPN provider, even though, as it says ("the IPVanish DNS IP addresses of 198.18.0.1 and 198.18.0.2 will only function while connected to our VPN service"), when I added the DNS server of the VPN service in DNS Filtering nothing worked (no WAN connection and no IPTV connection via port 2300).
Anyway, for security reasons, is it safe to use Google DNS rather than the ISP DNS, since the VPN DNS does not work in DNS Filtering?
 

Martineau

Part of the Furniture
Anyway, for security reasons, is it safe to use Google DNS rather than the ISP DNS, since the VPN DNS does not work in DNS Filtering?
It depends if you trust Google etc., but unless it is absolutely necessary (e.g. to prevent old-skool 'DNS Leaks')

'Accept DNS configuration=EXCLUSIVE'

is now superseded by WAN DoT, or even manually using the OpenVPN directive to explicitly override the VPN DNS (e.g. use OpenDNS 'dhcp-option DNS 208.67.222.222') etc.

see @Xentrk's blog entry DNS behaviour - Accept DNS Configuration explained for an in-depth tutorial.
It says (the IPVanish DNS IP addresses of 198.18.0.1 and 198.18.0.2 will only function while connected to our VPN service
OK, I do know that this restriction is sometimes enforced by the VPN ISP, i.e. 10.xxx.xxx.xxx as used by my VPN ISP.
Choice 3 is what i wanted
OK, there is no guarantee that we can achieve Option 3
Code:
192.168.1.8-192.168.1.15 use the VPN DNS but send ALL traffic via the WAN - but Port 2300 traffic via VPN is forced to use VPN DNS
but if you are willing to test....

Simply add the following entry to the Selective Routing GUI table for VPN Client 1

[screenshot upload_2019-5-17_9-59-13.png: the Selective Routing table entry for VPN Client 1]


and if VPN Client 1 doesn't automatically restart, then stop/start it manually.

Now we should be able to check if the IP range 192.168.1.8-192.168.1.15 is being forced to use the VPN DNS, but ALL traffic will be via the WAN except Port 2300 traffic via the VPN!
Code:
iptables  --line -t nat -nvL PREROUTING;iptables --line -t nat -nvL DNSVPN1
NOTE: If the VPN Client 1 GUI 'Log verbosity=4', then there will be a confirmation message in Syslog - where xxx.xxx.xxx.xxx matches the VPN DNS in the DNSVPN1 chain above.
Code:
openvpn-updown: Forcing 192.168.1.8/29 to use DNS server xxx.xxx.xxx.xxx
 

Ciccio

Occasional Visitor
I'm sorry, actually choice 3 isn't exactly what I wanted.
What I really want is
Code:
192.168.1.8-192.168.1.15 use the WAN DNS and send ALL traffic via the WAN - but Port 2300 traffic via VPN is forced to use VPN DNS
However, I did the following:
  1. Set log verbosity = 4 in the VPN Client 1 GUI
  2. Added a rule in the policy-based routing table: UseDNSonly 192.168.1.8/29 0.255.255.255 VPN
  3. Added "dhcp-option DNS 208.67.222.222" in the VPN Client 1 custom config
and now I have:
  • Devices not in 192.168.1.8/29 have the WAN public IP and use Google's DNS
  • Devices in 192.168.1.8/29 have the VPN public IP and use the OpenDNS server
In the system log I have the entry
Code:
May 17 18:03:27 openvpn-updown: Forcing 192.168.1.8/29 to use DNS server 208.67.222.222
Launching the command
Code:
iptables  --line -t nat -nvL PREROUTING;iptables --line -t nat -nvL DNSVPN1
I have
Code:
Chain PREROUTING (policy ACCEPT 294 packets, 29479 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2       25  1775 DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
3        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
4      115  9895 VSERVER    all  --  *      *       0.0.0.0/0            2.45.107.118
5        0     0 VSERVER    all  --  *      *       0.0.0.0/0            169.254.114.109
Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       20  1478 DNAT       all  --  *      *       192.168.1.8/29       0.0.0.0/0            to:208.67.222.222

Everything works properly, though dnsleak.com says "Looks like your DNS might be leaking...".

If I change the OpenDNS server to the VPN DNS server 198.18.0.1 in the VPN Client 1 custom config dhcp-option DNS, I can see in the log
Code:
May 17 18:08:28 openvpn-updown: Forcing 192.168.1.8/29 to use DNS server 198.18.0.1
but the internet does not work for the devices in 192.168.1.8/29.
 

Martineau

Part of the Furniture
If I change the OpenDNS server to the VPN DNS server 198.18.0.1 in the VPN Client 1 custom config dhcp-option DNS, I can see in the log "Forcing 192.168.1.8/29 to use DNS server 198.18.0.1"

but the internet does not work for the devices in 192.168.1.8/29.
Perhaps adding an RPDB rule for the VPN DNS is explicitly required?

So make sure that IP range 192.168.1.8-192.168.1.15 is forced to use VPN DNS 198.18.0.1 then issue:
Code:
ip rule add from 192.168.1.8/29 to 198.18.0.1 table ovpnc1 prio 8001
and test to see if the IP range 192.168.1.8-192.168.1.15 now has internet access.
 

Ciccio

Occasional Visitor
Working.
I have added the rule
Code:
ip rule add from 192.168.1.8/29 to 198.18.0.1 table ovpnc1 prio 8001
to nat-start, and now
Code:
Range 192.168.1.8-192.168.1.15 use the VPN DNS but send ALL traffic via the WAN - but Port 2300 traffic via VPN


Thanks!
 
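Pulling the thread's pieces together, here is an added example of a complete /jffs/scripts/nat-start that implements the final configuration: the WAN and VPN Client 1 fwmark RPDB rules, the port-2300 mark rule for the 8 clients, the explicit route to the VPN provider's resolver from Martineau's last reply, and the WAN block rule from post #9 so that a broken mark fails closed instead of leaking to the ISP. This is my own code, not Martineau's wiki script. Things not in the thread and assumed here: the `DRY_RUN` switch (prints the commands instead of running them, so the rule set can be checked off-router), polling the ovpnc1 table for a real default route in place of the fixed `sleep 10`, the duplicate checks (nat-start is re-run whenever the firmware rebuilds its NAT rules, and `ip rule add` does not refuse an identical rule), and the `WAN_IF` fallback when `nvram` is unavailable.

```sh
#!/bin/sh
# /jffs/scripts/nat-start  (Asuswrt-Merlin).  Added example, not the thread's own script.
# DRY_RUN=1 prints the commands instead of executing them (assumed switch, for off-router checks).

LAN_RANGE="192.168.1.8-192.168.1.15"   # the 8 IPTV clients from the thread
LAN_CIDR="192.168.1.8/29"              # the same hosts as a CIDR block
IPTV_PORT=2300                         # remote port of the IPTV service
VPN_TABLE=ovpnc1                       # routing table of VPN Client 1
VPN_MARK="0x1000/0x1000"               # fwmark the firmware maps to VPN Client 1
VPN_DNS="198.18.0.1"                   # assumed: provider resolver only reachable inside the tunnel
WAN_IF=${WAN_IF:-$(nvram get wan0_gw_ifname 2>/dev/null)}
: "${WAN_IF:=eth0}"                    # fallback when nvram is unavailable (off-router test)

# Execute a command, or only print it when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Only add an RPDB rule if 'ip rule show' does not already list it.
add_ip_rule() {   # $1 = pattern identifying the rule in 'ip rule show'; rest = rule spec
  pat=$1; shift
  if [ -z "$DRY_RUN" ] && ip rule show | grep -q -- "$pat"; then return 0; fi
  run ip rule add "$@"
}

# Same for iptables: -C exits 0 when an identical rule already exists.
add_ipt_rule() {  # $1 = table, $2 = chain, $3 = -A or -I, rest = rule spec
  tbl=$1; chain=$2; act=$3; shift 3
  if [ -z "$DRY_RUN" ] && iptables -t "$tbl" -C "$chain" "$@" 2>/dev/null; then return 0; fi
  run iptables -t "$tbl" "$act" "$chain" "$@"
}

# At boot nat-start can run before VPN Client 1 has populated its table (why the
# thread adds 'sleep 10').  Poll for a real default route instead; a 'prohibit
# default' entry (kill switch, tunnel down) does not count.  Assumed approach.
wait_for_vpn() {
  [ -n "$DRY_RUN" ] && return 0
  n=0
  while [ "$n" -lt 30 ]; do
    ip route show table "$VPN_TABLE" 2>/dev/null | grep -q '^default ' && return 0
    n=$((n + 1)); sleep 2
  done
  logger -t nat-start "$VPN_TABLE has no default route after 60s, installing rules anyway"
  return 1
}

install_rules() {
  wait_for_vpn
  # RPDB: packets marked 0x8000 stay in 'main' (WAN); packets marked 0x1000 use VPN Client 1
  add_ip_rule "fwmark 0x8000/0x8000 lookup main"    from 0/0 fwmark 0x8000/0x8000 table main         prio 9990
  add_ip_rule "fwmark $VPN_MARK lookup $VPN_TABLE"  from 0/0 fwmark "$VPN_MARK"    table "$VPN_TABLE" prio 9993
  # Mark only the IPTV port from the 8 clients; the rest of their traffic stays on the WAN
  add_ipt_rule mangle PREROUTING -A -i br0 -m iprange --src-range "$LAN_RANGE" \
      -p tcp -m multiport --dport "$IPTV_PORT" -j MARK --set-mark "$VPN_MARK"
  # The provider's resolver only answers inside the tunnel, so route those queries there explicitly
  add_ip_rule "from $LAN_CIDR to $VPN_DNS lookup $VPN_TABLE" \
      from "$LAN_CIDR" to "$VPN_DNS" table "$VPN_TABLE" prio 8001
  # WAN block: if marking ever breaks, IPTV traffic is dropped rather than sent via the ISP
  add_ipt_rule filter FORWARD -I -i br0 -s "$LAN_CIDR" -o "$WAN_IF" -p tcp --dport "$IPTV_PORT" -j DROP
}

# Run for real only on the router (nvram present); elsewhere just define the functions.
if command -v nvram >/dev/null 2>&1; then
  install_rules
fi
```

To see exactly what would be installed without touching the router, run `DRY_RUN=1 sh -c '. ./nat-start; install_rules'` on any Linux box. The WAN block rule is deliberately inserted with `-I` so it precedes the firmware's own FORWARD accept rules; with the kill switch enabled as in the thread, the ovpnc1 table turns into `prohibit default` when the tunnel drops, and the block rule covers the remaining case where the mark rule itself is missing or stale.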
