Selective Routing with Asuswrt-Merlin

zperetz

New Around Here
Other AC68U users have reported the same issue when trying selective routing. I did a search and found one user added modprobe xt_set.ko and that fixed his issues. https://www.snbforums.com/threads/n...s-ipset-in-ac68u-v380-66_4.39600/#post-330072
Thank you for pushing me in the right direction! It was not the modprobe issue, as my error came from deleting old rules, but I started digging into ipset logic and finally realized that the iptables rule a) works over forwarded packets only and b) traceroute is not the right way to check TCP packets. I changed the iptables chain to the one below and traceroute from a remote client worked like a charm:
Code:
iptables -t mangle -A PREROUTING -i br0 -p all -m set --match-set vpn-whitelist dst -j MARK --set-mark "$FWMARK_OVPNC2"
But in the end I still cannot traceroute from the router itself (I tried OUTPUT rules in all tables, it doesn't help); fortunately it's not the main problem for the moment :)

Anyway, thanks a lot, and if you have any idea how to have selective routing for requests from the router, that would also be great!
 

Xentrk

Part of the Furniture
Try using the fwmark/bitmask and prio combo that I use in the script:

https://github.com/Xentrk/netflix-vpn-bypass/blob/master/IPSET_Netflix.sh

See the following functions in the code:
set_fwmark_parms
create_fwmarks
 

Xentrk

Part of the Furniture
If it's ok, could you be a bit more specific on the point how fwmark type can help packets from router itself to go through PREROUTING in mangle table?
Let me know if this reference answers your question:
https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html

Others
ftp://ftp.wayne.edu/ldp/en/linux-ip/ch10s02.html

Perhaps you can use the IPSET_Netflix.sh or IPSET_Netflix_Domains.sh script and see if it works for you. Others have reported success with it. Once you have it working, you can modify it for your use case.
 

zperetz

New Around Here

I used part of your script and it works for the directions it should, thank you for this. But PREROUTING has nothing to do with local-to-remote packets; it's the OUTPUT chain (last part of Chapter 10 in your link). And for OUTPUT fwmark doesn't work in my case; it would be good to know if it works for you.
 

zperetz

New Around Here
Just to close the issue: if someone has to send packets from the router itself with selective routing, PREROUTING is not the right chain to use, and an OUTPUT rule should be added. However, the source address in this operation is not your local IP, which was a bit confusing for me. If the packet goes from the router it has the wan0 address as its source. So you need to add an additional POSTROUTING rule to let the packets go as planned. Something like:
Code:
iptables -t mangle -A OUTPUT -p all -m set --match-set vpn-whitelist dst -j MARK --set-mark 0xXXXX/0xXXXX
iptables -t nat -A POSTROUTING -s $(nvram get wan0_ipaddr) -o tun1X -j MASQUERADE
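Putting the pieces from this thread together (modprobe xt_set, the PREROUTING mark for LAN clients, the OUTPUT mark plus POSTROUTING MASQUERADE for router-originated packets, and the fwmark ip rule), here is an added example script, not code from the thread or from any of the posters. It generates the rules for review first and only applies them with --apply; the set name, fwmark/mask, table name, tunnel interface and rule priority are assumed placeholders to be replaced with the values of the real VPN client.

```sh
#!/bin/sh
# Added example: build the rules for ipset-based selective routing that covers both
# forwarded LAN packets and packets the router itself originates.
# Assumed placeholder values (override via environment on a real router):
SETNAME="${SETNAME:-vpn-whitelist}"     # ipset holding destinations to send via VPN
FWMARK="${FWMARK:-0x2000/0x2000}"       # mark/mask of the chosen VPN client
TABLE="${TABLE:-ovpnc2}"                # routing table of that client (/etc/iproute2/rt_tables)
TUN="${TUN:-tun12}"                     # tunnel interface of that client
PRIO="${PRIO:-10200}"                   # ip rule priority, below the default "main" rule

# Print the commands instead of running them, so they can be inspected (and tested) first.
selective_routing_rules() {
    # xt_set is required for "-m set"; loading it was the fix reported earlier in the thread.
    echo "modprobe xt_set"
    # "-exist" keeps the command idempotent when the set is already present.
    echo "ipset create $SETNAME hash:net -exist"
    # Marked packets are looked up in the VPN client's routing table.
    echo "ip rule add fwmark $FWMARK table $TABLE priority $PRIO"
    echo "ip route flush cache"
    # Forwarded LAN traffic: mark it before the routing decision is made.
    echo "iptables -t mangle -A PREROUTING -i br0 -m set --match-set $SETNAME dst -j MARK --set-mark $FWMARK"
    # Router-originated traffic never passes PREROUTING; OUTPUT is the chain that sees it.
    echo "iptables -t mangle -A OUTPUT -m set --match-set $SETNAME dst -j MARK --set-mark $FWMARK"
    # Locally generated packets carry the WAN address as source; rewrite it for the tunnel.
    echo "iptables -t nat -A POSTROUTING -s \$(nvram get wan0_ipaddr) -o $TUN -j MASQUERADE"
}

# Number of commands produced; used to sanity-check the generator.
rule_count() { selective_routing_rules | wc -l | tr -d ' '; }

if [ "$1" = "--apply" ]; then
    selective_routing_rules | sh -x     # run each command, echoing it as it executes
else
    selective_routing_rules             # dry run: show what would be applied
fi
```

On Asuswrt-Merlin the generated commands belong in a firewall-start or openvpn-event user script so they are re-applied after a reboot or tunnel restart.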
 

mr8

Occasional Visitor
Hello,
Would it be possible to use an OpenVPN server on the router as a reverse connection for selective routing?

I can ping and access all the IPs on the clients network, but I'm stumped on setting up the iptable on the router to forward traffic over the tun21 dev and would appreciate any help!
Would something like this work?
Code:
ip route add table MyVPNClient default dev tun21
And then the usual fwmark ip rules? Any additional iptables rules/etc. to force the traffic through tun21?

Thanks!
 

Sbfnu

Regular Contributor
I need your help, please:

Using selective routing I configured my Asus router in a way that my Amazon Fire uses a VPN client (Torguard - with a dedicated IP in Germany) to trick it so that it believes it is in Germany - since I like to watch Amazon.de (using my de account that I have there) on my Fire device.

But no matter what I have no luck. Amazon.de always reports a GEO-Blocking error and plays no German movie.
VPN Client is configured with DNS as exclusive, still no luck.
ipleak.net invoked in Firefox running on that Amazon Fire device reports it is in Germany.

But still Amazon plays no movie because of that geo error...

PS: Using the Torguard VPN client and the dedicated TG IP in Germany on an iPad works fine.
So I know that path should work, but somehow it doesn't work with my Fire device and my Merlin router.

What is wrong, and how do I solve that issue?
 

Xentrk

Part of the Furniture
Amazon Prime is now blocking shared VPN servers. Like you, I use the TorGuard Private IP. Netflix hosts on Amazon servers. In addition to Netflix IP addresses, Amazon AWS IP addresses in the US region must also be included. The netflix-vpn-bypass project was originally intended to have Netflix bypass the VPN tunnel. It was recently updated to allow you to redirect the traffic to a VPN tunnel. See the README.md page on
https://github.com/Xentrk/netflix-vpn-bypass for more information.
 

st3v3n

Very Senior Member
Xentrk, Great page sir. The same nasty prime bug bit so many people on the same day. As soon as we contacted Torguard, they got us up and running again. What a great bunch of folks. Cheers
 

Sbfnu

Regular Contributor
What has Torguard done to get you up and running again?

Note, just checked: On my iPad the Torguard VPN to Germany works fine. But in Merlin it doesn't seem to work.
 

st3v3n

Very Senior Member
Sbfnu, greetings; as Xentrk noted in #809, his post https://x3mtek.com/why-i-use-torguard-as-my-vpn-provider/ it's likely the Torguard Private IP option should be what you need. When Amazon instituted the blocks on our streaming IP, we contacted Torguard and were re-provisioned, and received instructions for a different IP assignment. We only run our video streaming boxes through the OpenVPN client on the router instead of within each device on our LAN. For us, it's much easier to deal with one config/tunnel on the router than dealing with each unit having its own config. You should be able to assign all your devices to the correct Torguard OpenVPN client in your Asus router; that will give you the most power to run your streaming video configuration.

As soon as Torguard activated our new private IP assignment, we downloaded the new (correct) config, then uploaded it into the router client, re-checked the settings, applied them, then turned the router config back on; it was as if nothing had happened; all was well. Don't have a clue why Merlin won't work for you if Torguard is set up correctly, unless it has a glitch or isn't loaded per their instructions. The best way to get it ironed out is to file a complete technical ticket with Torguard Technical Support; give them all of the details of your setup/provisioning. Torguard can then provide you with the setup help you need to get you back up and going again. It's been our experience that they have the best service of any VPN provider we've had. Good luck :)
 

Sbfnu

Regular Contributor
st3v3n, thanks for the hint with the Torguard dedicated ip (and Xentrk's link - he seems to be a master of these VPN issues), but I am already using Torguard's dedicated IP.

With that, watching Amazon Prime movies works flawlessly on my iPad using the iOS client Torguard provides, but Torguard with the dedicated IP configured in Merlin does not work for my Amazon Fire device...

Downloaded the correct config: I entered everything manually in Merlin, but from the router web config VPN page I can see it is working.
Tools running on that Fire device - like Firefox - show me that this device now is in Germany, and visiting ipleak.net from that device with the Firefox running on it confirmed that.

But still, the attempt to watch an Amazon Prime movie with that Fire device fails. Instead I get the "wrong geo" error.

What else can I do to get rid of that error and successfully watch Amazon Prime movies?
 

st3v3n

Very Senior Member
sbfnu, Best advice this day is to do what everyone else who has been struck by the latest vicious prime blocking attack against valiant streamers has been forced to do; simply log into your Torguard account and request assistance (as mentioned above). Tell Torguard what's happening in detail. If there's anything that can be done, then they're the only blokes who can do it for you. While it's quite true that Xentrk and many other super senior members of the forums are expert in their art and craft, there's no shame at all if you file a Torguard support ticket, an option that's always there for you within your Torguard account; it's secure, private, and no one will get snarky with you. After all, you're paying for the best support your money can buy; it comes with your service and no one knows their network like Torguard does.

Legitimate streaming always has been and remains an epic struggle, but take heart. The evil corporate streaming empire's forces are at your gate now, so make haste; get thee hence, to file your Torguard support ticket and you should receive prompt technical service. The Force may be with us all, but good luck anyway:)
 

Sbfnu

Regular Contributor
Problem solved: I somehow managed to get a random German IP in my VPN client configuration in Merlin, but not my own Torguard Dedicated IP. As soon as that was in, movie streaming on my Fire device was working ;-)
 

st3v3n

Very Senior Member
Sbfnu; excellent, and glad you're back up and viewing. TG will always be there if you need them; we'd all be the worse without them (and Merlin). The jest was only meant to lighten the frustration level. Cheers :)
 

Terence Chan

New Around Here
I am fighting with my dual WAN configuration.
What's the mode of your dual WAN? Failover or load balance?

If you are using failover and the primary WAN is down, does it mean the policy routing will fail?

The default Selective Routing/Dual-WAN interfaces ovpnc1,ovpnc2 etc. are defined in

/etc/iproute2/rt_tables

and the entries are used by '/usr/sbin/vpnrouting.sh' to create the necessary Selective Routing environment (apart from fwmark based Selective Routing for ports,MACs,IPSETs etc.)

I prefer to customise the entries so I have renamed 'ovpnc1' to 'NewYork' and 'ovpnc5' to 'UK' etc. to make it visually more human friendly when tinkering with the configs, and to reduce the possibility of typo errors when I start to tinker with Selective Routing.
I.e. it is far less likely I would confuse NewYork with UK, whereas ovpnc1/ovpnc2 etc. could easily be used incorrectly by mistake because of a stupid one-character typo etc. :rolleyes:
Code:
ip rule

0:  from all lookup local
10000:  from all fwmark 0x7000/0x7000 lookup main
10100:  from all fwmark 0x1000/0x1000 lookup NewYork
10101:  from 172.16.1.1 lookup NewYork
10901:  from 172.16.5.5 lookup UK
20100:  from 10.88.101.0/24 lookup NewYork
32766:  from all lookup main
32767:  from all lookup default

ip route show table NewYork

10.16.0.0/24 dev tun22  scope link
10.88.101.0/24 dev br1  scope link
10.8.0.0/24 dev tun21  scope link
10.88.8.0/24 dev br0  proto kernel  scope link  src 10.88.8.1
100.120.242.0/23 dev tun11  proto kernel  scope link  src 100.120.243.15
default via 100.120.242.1 dev tun11
rather than
Code:
ip rule

0:  from all lookup local
10000:  from all fwmark 0x7000/0x7000 lookup main
10100:  from all fwmark 0x1000/0x1000 lookup ovpnc1
10101:  from 172.16.1.1 lookup ovpnc1
10901:  from 172.16.5.5 lookup ovpnc5
20100:  from 10.88.101.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

ip route show table ovpnc1

10.16.0.0/24 dev tun22  scope link
10.88.101.0/24 dev br1  scope link
10.8.0.0/24 dev tun21  scope link
10.88.8.0/24 dev br0  proto kernel  scope link  src 10.88.8.1
100.120.242.0/23 dev tun11  proto kernel  scope link  src 100.120.243.15
default via 100.120.242.1 dev tun11
However, unless you have a very advanced need, then I would recommend you stick with the default ovpncX tables i.e. why (re)write scripts if all the work has already been done for you? ;) - especially if you want quicker support from the forum. :)
 
