Questions about bypassing VPN

ComputerSteve

Senior Member
I'm trying to bypass the VPN and make certain websites go straight to the WAN connection. So far, using DNSmasq logging, I've determined the app I use connects to omtrdc.net, alticeusa.net, optimum.net. Thing is, these domains don't work. Meaning, if I ping the domain alticeusa.net it comes back with Unknown host. I have tried to use
route optimum.net 255.255.255.255 net_gateway
route alticeusa.net 255.255.255.255 net_gateway
route omtrdc.net 255.255.255.255 net_gateway
route optonline.net 255.255.255.255 net_gateway

With no success. I've tried x3mRouting ipset_name=ALTICE dnsmasq=omtrdc.net,alticeusa.net,optimum.net with no success. The only way I can bypass is now manually getting a list of all the IPs from https://bgp.he.net/AS6128#_prefixes and pasting them into a myips file. I'd like a more automated thing. Is there any easy way to bypass these domains to my WAN?
 
I assume you're using the VPN Director. IIRC, the router handles ALL routes and will strip out any bound specifically to the WAN. In order to do what you want, you either need to configure these destination IPs using the VPN Director, or a utility like x3mRouting which uses ipset to dynamically resolve those domain names into a hash table which is then searched during packet inspection to route them to the WAN. I even have my own version of such a script.


However, the catch w/ anything based on ipset is that the client is actually using DNSMasq for name resolution. These days, that's NOT necessarily the case. Between DoT and DoH solutions implemented by the browser, or third-party DNS servers (Unbound, AdGuard, pihole, etc.), or even the use of Exclusive on the OpenVPN client, it's entirely possible DNSMasq is being bypassed, making the use of ipset pointless.
 
So up until two days ago I was able to use this command and it would work - sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ALTICE asnum=AS6128 # Route-Altice-One traffic via Wan ---

Now I can't. It seems to only create an IPSET of 30, meanwhile it was creating one of like 75 / 80. Now I need to go to the website https://bgp.he.net/ and copy all the IPs from https://bgp.he.net/AS6128#_prefixes into a file called myips and run this command
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 myips ip=/opt/tmp/myips

Why did this happen? Is something wrong with x3mRouting?
 

I don't know anything about using x3mRouting specifically, other than it exists and has been used by other members. Just beware, its author has NOT been seen on these forums for over a year, and is NOT even listed as a user on the forum anymore. Why that is, I'm not sure. But for all intents and purposes, I consider x3mRouting to be abandoned and no longer supported. It could very well be incompatible w/ more recent changes to the firmware. So use it at your own risk.
 
Can I use your script with x3mRouting?
 

You wouldn't typically use my script *with* x3mRouting. Instead, my script is a functional replacement, at least as far as support for ipset. My script is much simpler and narrower in scope than x3mRouting.
 
P.S. @Ranger802004 also has his own ipset script as well.

 
So your script seems to work but I can't get it to work when I'm using Diversion and DNS Filtering for the exclusion list feature of Diversion. I have tried setting the default to ROUTER / NO FILTERING but the only option that works is off, meaning turning DNS filtering off. Is there a way to fix that?
 
Oh, maybe it takes time for it to work. So meaning right after reboot I'm noticing it isn't working, then I wait a few minutes and it bypasses the VPN. Is it populating IPs?
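
The catch raised earlier in the thread (a dnsmasq-fed ipset only fills when names are actually resolved through DNSMasq) can be checked from the dnsmasq query log. The script below is an added example, not code from the thread, from x3mRouting or from any member's script: it lists which IPv4 addresses dnsmasq answered for the listed domains and their subdomains, and which LAN clients asked for them. The log lines, hostnames under the three domains, client addresses and the `dnsmasq_view` helper name are constructed for illustration, and the layout assumed is dnsmasq's standard log-queries output.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_LOG is constructed: the hostnames
# under the three domains, the LAN clients and the addresses are all made up.
SAMPLE_LOG='Mar  3 10:15:01 dnsmasq[1234]: query[A] alticeusa.net from 192.168.1.50
Mar  3 10:15:01 dnsmasq[1234]: reply alticeusa.net is NODATA-IPv4
Mar  3 10:15:02 dnsmasq[1234]: query[A] api.alticeusa.net from 192.168.1.50
Mar  3 10:15:02 dnsmasq[1234]: reply api.alticeusa.net is 203.0.113.10
Mar  3 10:15:03 dnsmasq[1234]: query[A] tv.optimum.net from 192.168.1.50
Mar  3 10:15:03 dnsmasq[1234]: cached tv.optimum.net is 203.0.113.20
Mar  3 10:15:04 dnsmasq[1234]: query[A] notoptimum.net from 192.168.1.50
Mar  3 10:15:04 dnsmasq[1234]: reply notoptimum.net is 198.51.100.9
Mar  3 10:15:05 dnsmasq[1234]: query[A] example.org from 192.168.1.77
Mar  3 10:15:05 dnsmasq[1234]: reply example.org is 198.51.100.5'

DOMAINS='omtrdc.net,alticeusa.net,optimum.net'   # list from the first post

# dnsmasq_view MODE DOMAINS  (log on stdin)
#   MODE=ips      unique IPv4 answers for a listed domain or any subdomain,
#                 i.e. what a dnsmasq ipset= rule could have put in the set
#   MODE=clients  unique LAN clients that asked dnsmasq about those names
dnsmasq_view() {
    awk -v mode="$1" -v list="$2" '
        BEGIN { n = split(list, d, ",") }
        # True for an exact match or a real subdomain (label boundary checked).
        function wanted(name,   i, suf) {
            for (i = 1; i <= n; i++) {
                suf = "." d[i]
                if (name == d[i]) return 1
                if (length(name) > length(suf) &&
                    substr(name, length(name) - length(suf) + 1) == suf) return 1
            }
            return 0
        }
        # Drop the syslog prefix so $1 is the dnsmasq verb on any log layout.
        { sub(/^.*dnsmasq\[[0-9]+\]: /, "") }
        mode == "ips" && ($1 == "reply" || $1 == "cached") && wanted($2) &&
            $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$4]++ { print $4 }
        mode == "clients" && $1 ~ /^query\[/ && wanted($2) &&
            !seen[$4]++ { print $4 }
    '
}

echo "addresses eligible for the set:"
printf '%s\n' "$SAMPLE_LOG" | dnsmasq_view ips "$DOMAINS"
echo "clients resolving through dnsmasq:"
printf '%s\n' "$SAMPLE_LOG" | dnsmasq_view clients "$DOMAINS"
```

A device that runs the app but never shows up in the clients list is resolving names somewhere other than dnsmasq, so a dnsmasq-fed ipset stays empty for its traffic. An empty address list shortly after a reboot only means none of the names has been looked up yet.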
 
