Selective routing through VPN for apps on streaming device

machinist

New Around Here
I have two streaming devices that I'm using for IPTV and Kodi.

I'm running the VPN on both of these devices locally.

However, I don't want to manually have to log onto a VPN before starting IPTV, and so I figure I need to run the VPN from the router.

Now, the issue is, on each of these devices I also have country-specific streaming apps that should not go through the VPN.

With the VPN app installed on the streaming device, I'm able to whitelist apps. I basically need the same functionality for the router.

However, only traffic from these two streaming devices should be routed through the VPN tunnel -- not any other device on the network.

How do I do this best?

From my research, I gather I need @Xentrk's x3mRouting as it allows for "selective routing" of traffic through the VPN tunnel.

Is this correct and appropriate for this use case?

The way I understand it, I need to find out the IP ranges to route through the selective rules.

I figure the best way to set this up, is to just route "all" traffic for the devices through the VPN except for the country-specific streaming apps. Is this feasible?

Thanks so much for any guidance here, I really appreciate any help I can get.

RT-AC86U
FW 386.3_2

EDIT: I should note, the reason why I'm suggesting running *all* traffic from the devices through the VPN except specific apps is to get around the notion of having to specifically input IPs that may change. Perhaps also to avoid DNS leaks. So I'm guessing it's more secure that way?

ZebMcKayhan

Senior Member
You can't differentiate, from the router, which apps on which clients to route differently.
You CAN differentiate based on source IP, but that only gets you routing on a client-by-client basis.

What x3mRouting does is create and manage ipsets (lists of IP addresses) which can (or not) be auto-populated with IP addresses by dnsmasq when specific parts of names are seen (like: netflix.com,nflxext.com,nflximg.com,nflximg.net,nflxso.net,nflxvideo.net,amazonaws.com).

By issuing a command like:
Code:
x3mRouting ipset_name=NETFLIX-DNS dnsmasq=netflix.com,nflxext.com,nflximg.com,nflximg.net,nflxso.net,nflxvideo.net,amazonaws.com
This will create the IPSET NETFLIX-DNS, which will populate IPs into the ipset as any of the above terms are detected during DNS lookup. You could also use x3mRouting to create ipsets based on other factors. It is all in the page you are referring to.

Remember that there are some difficulties with the new VPN Director, but I've never used it so I wouldn't know. Possibly you could make your own firewall rules to make it work.

Since you are running on an AC86U and obviously need to install Entware for x3mRouting, you could try using Wireguard Session Manager.

I've recently made a guide for setting up Wireguard Manager to route a destination IPSET out the WAN while the rest of the data from this computer goes out the VPN:

//Zeb

machinist

New Around Here
@ZebMcKayhan Thank you very much for your thorough reply, much appreciated. (Had to leave for the weekend as something came up -- please excuse the delay)

> You can't differentiate, from the router, which apps on which clients to route differently.

That's what I was afraid of. I can pick and choose which apps to whitelist (split tunneling?) using the VPN provider's app, but it's not supported for the router.

> This will create the IPSET NETFLIX-DNS, which will populate IPs into the ipset as any of the above terms are detected during DNS lookup. You could also use x3mRouting to create ipsets based on other factors. It is all in the page you are referring to.

Say I need to route *all* traffic for a specific device through the VPN tunnel EXCEPT an app like BBC. Would that mean I could set up the device routing via VPN Director and exclude IPSETs with x3mRouting?

Essentially, I'm not too worried about having to reconfigure potential new IPs for the whitelisted app, I just don't want a potential IP leak for anything else. So would that be the way to go / is it even possible?

Sorry for the questions, sort of new at this but trying to catch up.

> Since you are running on an AC86U and obviously need to install Entware for x3mRouting, you could try using Wireguard Session Manager.

My VPN doesn't support Wireguard yet, so I assume that excludes the use of this as well as your own script (well done, btw, and many thanks).

ZebMcKayhan

Senior Member
> Say I need to route *all* traffic for a specific device through the VPN tunnel EXCEPT an app like BBC. Would that mean I could set up the device routing via VPN Director and exclude IPSETs with x3mRouting?

As I said before, I don't know how this would work with VPN Director, but the starting point would be to use VPN Director to route your computer (source IP) via the VPN. This way VPN Director will set things up so all traffic from this IP goes to the VPN (DNS handled separately though). Then you create a higher priority rule to force the IPSETs to WAN (via the mark put there by the firewall), so it would work the way you intended. x3mRouting has historically made this routing rule for you, but I don't know how it works now.
But before that, I propose you start by searching this forum for x3mRouting problems with VPN Director. This may not work "out-of-the-box" since x3mRouting was developed before VPN Director existed and has not been updated since (to my knowledge). It is still a great tool to create the IPSETs with, but you might need to put in some extra work on the routing manually.

> Essentially, I'm not too worried about having to reconfigure potential new IPs for the whitelisted app, I just don't want a potential IP leak for anything else. So would that be the way to go / is it even possible?

Using auto-populated IPSETs there will always be a risk. I would at least consider it less safe than having all data from this source IP routed the same way. There is the risk of some application using other domains than you thought and some information going "the wrong way", and also the opposite: some site/service using a domain in your whitelist. There is an elevated risk that you will have to account for.

Try to start with something less mission-critical: get it to work with an experimental computer going out the VPN and try to exclude something easy to check, like whatsmyip.com or similar...

//Zeb
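To make the two-rule arrangement above concrete (source IP to VPN, with a higher-priority mark rule sending ipset destinations out the WAN) and to show why the auto-populated whitelist carries the "wrong way" risk Zeb mentions, here is a small model of it. This is an added example, not code from the thread or from the x3mRouting project: the device addresses, domain lists and resolved IPs are constructed, and the firewall mark, table names and rule priorities in `render_rules` are assumptions about the shape of the rules, not the firmware's actual values.

```python
"""Model of split routing by source IP with an ipset-based WAN bypass.
Added example; all addresses, names, marks and table names are constructed."""
import ipaddress


def domain_matches(qname, domains):
    """dnsmasq matches a listed name and every subdomain of it, nothing else."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def dnsmasq_ipset_line(ipset_name, domains):
    """The dnsmasq 'ipset=' directive (real dnsmasq syntax) for a name list."""
    return "ipset=/" + "/".join(domains) + "/" + ipset_name


class Ipset:
    """An ipset that dnsmasq fills from DNS answers for matching names."""

    def __init__(self, name, domains):
        self.name = name
        self.domains = [d.lower() for d in domains]
        self.members = set()

    def observe_answer(self, qname, answer_ip):
        # Only answers for whitelisted names land in the set; an app that
        # also talks to an unlisted CDN name never gets that CDN added here.
        if domain_matches(qname, self.domains):
            self.members.add(ipaddress.ip_address(answer_ip))

    def __contains__(self, ip):
        return ipaddress.ip_address(ip) in self.members


class PolicyRouter:
    """Two rules: ipset destinations -> WAN (checked first), then VPN clients -> VPN."""

    def __init__(self, vpn_clients, bypass_sets):
        self.vpn_clients = {ipaddress.ip_address(c) for c in vpn_clients}
        self.bypass_sets = list(bypass_sets)

    def route(self, src, dst):
        # The fwmark rule has the lower priority number, so it is consulted
        # before the source-IP rule; that ordering is what makes the bypass work.
        if any(dst in s for s in self.bypass_sets):
            return "WAN"
        if ipaddress.ip_address(src) in self.vpn_clients:
            return "VPN"
        return "WAN"


def check_app_flows(router, ipset, src, flows):
    """Replay the names an app actually resolved and report which of its
    connections would still go out the VPN (the 'wrong way' risk)."""
    leaked = []
    for qname, ip in flows:
        ipset.observe_answer(qname, ip)
        if router.route(src, ip) != "WAN":
            leaked.append(qname)
    return leaked


def render_rules(ipset_name, vpn_client, mark="0x8000/0x8000", prio=9990):
    """Generic iptables/ip-rule shape of the two rules.  The mark, the table
    names and the priorities are assumptions for illustration only."""
    return [
        f"ipset create {ipset_name} hash:net",
        f"iptables -t mangle -A PREROUTING -i br0 -m set --match-set {ipset_name} dst "
        f"-j MARK --set-mark {mark}",
        f"ip rule add fwmark {mark} table main prio {prio}",
        f"ip rule add from {vpn_client} table ovpnc1 prio {prio + 1}",
    ]


if __name__ == "__main__":
    bbc = Ipset("BBC-DNS", ["bbc.co.uk", "bbci.co.uk"])
    router = PolicyRouter(["192.168.1.50"], [bbc])
    print(dnsmasq_ipset_line("BBC-DNS", bbc.domains))
    print(check_app_flows(router, bbc, "192.168.1.50",
                          [("www.bbc.co.uk", "203.0.113.10"),
                           ("media.example-cdn.net", "203.0.113.30")]))
```

Running the module shows the third-party CDN name the app used but the whitelist did not cover still going out the VPN; that is the case to look for when testing with a non-critical client first, as suggested above.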

machinist

New Around Here
> As I said before, I don't know how this would work with VPN Director, but the starting point would be to use VPN Director to route your computer (source IP) via the VPN. This way VPN Director will set things up so all traffic from this IP goes to the VPN (DNS handled separately though). Then you create a higher priority rule to force the IPSETs to WAN (via the mark put there by the firewall), so it would work the way you intended. x3mRouting has historically made this routing rule for you, but I don't know how it works now.

> Try to start with something less mission-critical: get it to work with an experimental computer going out the VPN and try to exclude something easy to check, like whatsmyip.com or similar...

Thanks again, and this is a good idea. I'll try to set up a few tests to begin with.

I have a couple of more general questions, hoping you can help with:

1) How do I gather the IPs a specific app streams from? I reckon it isn't as simple as "ping [domain]" in cmd from the PC, as that only returns the web server, I suppose?

2) When I pick a "device" that is assigned an internal IP, how robust is that? Would that device IP ever change as long as the network stays "untouched"? Sorry, I don't know how much Merlin per se has to do with this or not.

3) If I set "Accept DNS Configuration" to "Exclusive", would that prevent DNS from *ever* leaking, i.e. would the connection simply shut down if something goes wrong? And would that, in any way, interfere if rules were set to funnel traffic through WAN for select destination IPs?

Thanks again for your help. I know some of these questions are all over the place, but trying to understand how it all connects.

ZebMcKayhan

Senior Member
> 1) How do I gather the IPs a specific app streams from? I reckon it isn't as simple as "ping [domain]" in cmd from the PC, as that only returns the web server, I suppose?

There are any number of ways, but @Xentrk has already provided the tools needed in his package. I would recommend not using IPs you gather yourself (using ping, Wireshark or whatever) since they could change over time. Use "getdomainnames.sh" on the router to find the domain names used while you are using the app and/or use the "ASN Lookup Tool" to look up the organization number and owner. Once you have this you can use the information in x3mRouting (https://github.com/Xentrk/x3mRouting#create-an-ipset-list-with-no-routing-rules-usage-examples). Again, this is all in the link YOU supplied.

> 2) When I pick a "device" that is assigned an internal IP, how robust is that? Would that device IP ever change as long as the network stays "untouched"? Sorry, I don't know how much Merlin per se has to do with this or not.

You will have to set up your router to assign this device the same IP every time (LAN tab, Static DHCP assignment). No comment on how robust that is; I've been using this on at least 2 devices at my home and it has always worked.

> 3) If I set "Accept DNS Configuration" to "Exclusive", would that prevent DNS from *ever* leaking, i.e. would the connection simply shut down if something goes wrong? And would that, in any way, interfere if rules were set to funnel traffic through WAN for select destination IPs?

I don't know, I have never used it. But as far as I understand it, x3mRouting uses dnsmasq to auto-populate ipsets, which means it works best if you actually use dnsmasq. The best way to guarantee that you are not leaking any data *ever* is to unplug all WAN cords from your router :)

As you talk a lot about the "risks", it is not something that I can assess. You need to figure out how YOU can feel comfortable with YOUR risks. But regardless of how you choose to do this, there will ALWAYS be a risk. Start experimenting with your system, learn how it works and behaves, and go live when YOU feel comfortable that the "risk" is acceptable, by your means.

//Zeb
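For question 1, the approach Zeb points at (finding the names an app resolves, rather than pinging a web server) comes down to reading dnsmasq's query log for one client. The following is an added example, not the thread's or x3mRouting's own getdomainnames.sh: it parses the real dnsmasq `log-queries` line format, counts the names one client resolved, and collapses them to candidate entries for a dnsmasq list. The log lines are constructed, and the number of labels to keep is a choice you make per suffix (bbc.co.uk needs three, example.com two), which the example leaves explicit rather than guessing.

```python
"""Extract the names one LAN client resolved from a dnsmasq query log.
Added example; the sample log is constructed and dnsmasq must be running
with log-queries for lines of this shape to exist on a real router."""
import re
from collections import Counter

# Real dnsmasq log-queries format: "... dnsmasq[pid]: query[TYPE] name from client".
# "forwarded" and "reply" lines from the same resolver are deliberately not matched.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample: a streaming device at .50 and an unrelated client at .60.
SAMPLE_LOG = """\
Jan  5 20:01:02 dnsmasq[1234]: query[A] www.bbc.co.uk from 192.168.1.50
Jan  5 20:01:02 dnsmasq[1234]: forwarded www.bbc.co.uk to 10.8.0.1
Jan  5 20:01:02 dnsmasq[1234]: reply www.bbc.co.uk is 203.0.113.10
Jan  5 20:01:03 dnsmasq[1234]: query[AAAA] open.live.bbc.co.uk from 192.168.1.50
Jan  5 20:01:05 dnsmasq[1234]: query[A] example.com from 192.168.1.60
Jan  5 20:01:07 dnsmasq[1234]: query[A] media.example-cdn.net from 192.168.1.50
Jan  5 20:01:09 dnsmasq[1234]: query[A] www.bbc.co.uk from 192.168.1.50
"""


def domains_for_client(log_text, client_ip):
    """Count the distinct names resolved by one client (the device under test)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("client") == client_ip:
            counts[m.group("name").lower().rstrip(".")] += 1
    return counts


def parent_domain(name, labels):
    """Keep the last `labels` labels of a name; shorter names are returned as-is.
    The caller chooses `labels` because public suffixes differ in depth."""
    parts = name.split(".")
    return ".".join(parts[-labels:]) if len(parts) > labels else name


def suggest_list(counts, labels):
    """Collapse observed names to sorted candidates for a dnsmasq= style list."""
    return sorted({parent_domain(n, labels) for n in counts})


if __name__ == "__main__":
    seen = domains_for_client(SAMPLE_LOG, "192.168.1.50")
    for name, n in seen.most_common():
        print(f"{n:4d}  {name}")
    print("candidates:", ",".join(suggest_list(seen, 3)))
```

On a real router the same function would be fed the dnsmasq log file while the app is in use; the third-party CDN name that shows up alongside the obvious bbc.co.uk entries is exactly the kind of domain that is missed when IPs are gathered by pinging the web server.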