Will Merlin FW get the ability in VPN Director to add rules based on domain?

Agossi

New Around Here
Hi all,

I bought an AX86U because of the better VPN speeds compared to my GL.iNet Creta.


But I am missing some policy rule to exclude Amazon and Netflix domains etc. from using the VPN; this was easily possible in the GL.iNet policies.

I saw some guys are using the x3m addon, but this also seems not to be maintained anymore.

Therefore I do not want to start using my new router with an out-of-date addon.


Does someone have another option to route the Netflix and Amazon Prime traffic to WAN instead of the VPN?

It would be wonderful if domain-based rules could be added to Merlin or the stock firmware.


Many thanks in advance

Best regards
 

Agossi

New Around Here
For now I have added the IPs from the nslookups:

### AMAZON EU (nslookup A Record)
amazon.de =>
52.95.120.34
54.239.39.102
176.32.108.185

fls-eu.amazon.com =>
54.76.219.206
54.154.116.139
34.242.200.19
52.212.5.217
52.209.88.240
63.35.13.25
52.213.41.84
54.171.99.121

US (optional in EU):
fls-na.amazon.com =>
107.23.46.27
52.22.100.212
52.7.58.137
52.71.69.62
54.88.72.92
3.233.204.223
3.88.189.18
35.173.106.46

This seems to work in Germany, but a domain-based ruleset would be more comfortable and reliable.
I hope these IPs also help someone else.
 

RMerlin

Asuswrt-Merlin dev
No. VPN Director works at the routing table level, which cannot do any DNS lookups.
 

Yota

Senior Member
But you can use dnsmasq to specify specific IPs for your domain, and then add these IPs to the VPN director.


No. VPN Director works at the routing table level, which cannot do any DNS lookups.
Maybe this is a feature request, and I know I shouldn't raise it here. I have 5 VPN clients, each with the same VPN Director configuration, but I found that such repeated operations are time-consuming when I add them, especially when there are nearly ten IPs, which means I have to repeat them 5 times.

Of course, I only restore the factory settings when the router is upgraded, and then add them manually. Considering the development cost and usage requirements, I think it is not worth developing a new feature for it.

So I just say it casually, and I am very grateful for the VPN Director!
 

Charles Wilkinson

Occasional Visitor
Hi all,

I bought an AX86U because of the better VPN speeds compared to my GL.iNet Creta.


But I am missing some policy rule to exclude Amazon and Netflix domains etc. from using the VPN; this was easily possible in the GL.iNet policies.

I saw some guys are using the x3m addon, but this also seems not to be maintained anymore.

Therefore I do not want to start using my new router with an out-of-date addon.


Does someone have another option to route the Netflix and Amazon Prime traffic to WAN instead of the VPN?

It would be wonderful if domain-based rules could be added to Merlin or the stock firmware.


Many thanks in advance

Best regards
I actually created a script to do exactly what you are asking for. You can find it here:
https://charleswilkinson.co.uk/2021/11/21/asus-merlin-route-via-vpn-for-specific-destination-hosts/

Let me know if it works for you :)
 

Agossi

New Around Here
But you can use dnsmasq to specify specific IPs for your domain, and then add these IPs to the VPN director.
Many thanks, is there an example available?

I tried with a config file like in "/jffs/configs/dnsmasq.conf.add":
Code:
address=/amazon.de/52.95.120.34
address=/amazon.de/54.239.39.102
address=/amazon.de/176.32.108.185

address=/fls-eu.amazon.com/54.76.219.206
address=/fls-eu.amazon.com/54.154.116.139
address=/fls-eu.amazon.com/34.242.200.19

and added these IPs as remote IP with Iface WAN and a blank source IP to the VPN Director.

But it is still blocked using the VPN router, and the strange thing is that using the WLAN of the default router (no VPN) I now cannot connect to the amazon.de domain anymore.

Is there an example dnsmasq.conf.add available?

Many thanks in advance


I actually created a script to do exactly what you are asking for. You can find it here:
https://charleswilkinson.co.uk/2021/11/21/asus-merlin-route-via-vpn-for-specific-destination-hosts/

Let me know if it works for you :)

Thanks for the hint, I will try it if dnsmasq still fails after the response from @Yota.
 

Agossi

New Around Here
@Charles Wilkinson

I have tried your script and it works flawlessly, populating my VPN Director rules for the domains.

In my case I routed them to WAN for Amazon etc.

The only thing I had to change was to set my VPN's DNS mode to Exclusive and add the DNS in the custom configs for NordVPN:
Code:
dhcp-option DNS 103.86.96.100
dhcp-option DNS 103.86.99.100
push "dhcp-option DNS 103.86.96.100"
push "dhcp-option DNS 103.86.99.100"


Also it was very important to route the DNS requests to WAN; extract from the VPN Director rules list:

Code:
<1>ROUTER TO WAN DNS>192.168.1.1>>WAN
<1>VPNROuter>192.168.1.2>>OVPN1

Otherwise all traffic had the DNS from the WAN page, but this shall not come into play for the VPN.

Also I modified firewall-start to add the cron job with a different time (run only once a day):
Code:
# Add crontab entry to refresh domain based rules every day at 0
cru a setup_vpn_director "0 0 * * *" /jffs/scripts/vpn_director_host_rules.sh


My setup is:

Modem port to ASUS_AX86U WAN
ASUS_AX86U LAN1 to WAN of wireless router "W1" (not VPN capable by itself) => 192.168.1.2
W1 LAN1 - LANX clients are using the VPN.

OVPN1 Client on ASUS_AX86U running Nordvpn



I will observe and check how it goes with these settings ;)


UPDATE:

I am seeing issues when your scripts are in and I do a reboot.
If I reboot I get a DNS leak for my VPN (it uses the WAN DNS instead of the VPN ones) and the Amazon bypass also does not work anymore.
Then I only went to the GUI VPN Director and just pressed Apply without changing anything, and afterwards it works again like before.

I tested a reboot without your scripts being active, and after the system was up again it directly had the correct DNS settings etc. and no leakage.

Is there some restart missing in your script?
 

Charles Wilkinson

Occasional Visitor
@Charles Wilkinson

I have tried your script and it works flawlessly, populating my VPN Director rules for the domains.

In my case I routed them to WAN for Amazon etc.

The only thing I had to change was to set my VPN's DNS mode to Exclusive and add the DNS in the custom configs for NordVPN:
Code:
dhcp-option DNS 103.86.96.100
dhcp-option DNS 103.86.99.100
push "dhcp-option DNS 103.86.96.100"
push "dhcp-option DNS 103.86.99.100"


Also it was very important to route the DNS requests to WAN; extract from the VPN Director rules list:

Code:
<1>ROUTER TO WAN DNS>192.168.1.1>>WAN
<1>VPNROuter>192.168.1.2>>OVPN1

Otherwise all traffic had the DNS from the WAN page, but this shall not come into play for the VPN.

Also I modified firewall-start to add the cron job with a different time (run only once a day):
Code:
# Add crontab entry to refresh domain based rules every day at 0
cru a setup_vpn_director "0 0 * * *" /jffs/scripts/vpn_director_host_rules.sh


My setup is:

Modem port to ASUS_AX86U WAN
ASUS_AX86U LAN1 to WAN of wireless router "W1" (not VPN capable by itself) => 192.168.1.2
W1 LAN1 - LANX clients are using the VPN.

OVPN1 Client on ASUS_AX86U running Nordvpn



I will observe and check how it goes with these settings ;)


UPDATE:

I am seeing issues when your scripts are in and I do a reboot.
If I reboot I get a DNS leak for my VPN (it uses the WAN DNS instead of the VPN ones) and the Amazon bypass also does not work anymore.
Then I only went to the GUI VPN Director and just pressed Apply without changing anything, and afterwards it works again like before.

I tested a reboot without your scripts being active, and after the system was up again it directly had the correct DNS settings etc. and no leakage.

Is there some restart missing in your script?
Hmm. The script only restarts the VPN routing if it detects a change. Perhaps on reboot we need to force it to.
Try adding service restart_vpnrouting0 to the firewall-start script after /jffs/scripts/vpn_director_host_rules.sh and see if that works.
 

Yota

Senior Member
Many thanks, is there an example available?
I tried with a config file like in "/jffs/configs/dnsmasq.conf.add":
Code:
address=/amazon.de/52.95.120.34
address=/amazon.de/54.239.39.102
address=/amazon.de/176.32.108.185
address=/fls-eu.amazon.com/54.76.219.206
address=/fls-eu.amazon.com/54.154.116.139
address=/fls-eu.amazon.com/34.242.200.19
and added these IPs as remote IP with Iface WAN and a blank source IP to the VPN Director.
But it is still blocked using the VPN router, and the strange thing is that using the WLAN of the default router (no VPN) I now cannot connect to the amazon.de domain anymore.
Is there an example dnsmasq.conf.add available?
Many thanks in advance
Thanks for the hint, I will try it if dnsmasq still fails after the response from @Yota.
First, make sure that Accept DNS Configuration on your VPN client page is not set to Exclusive, because dnsmasq will be bypassed once the setting is Exclusive, which is not what we want.

Then add the domain names you need in /jffs/configs/dnsmasq.conf.add. Of course, you need to get the correct IP addresses through nslookup in advance.

Your "address=/amazon.de/52.95.120.34" is correct.
Usually only one IP is needed for a domain, and the remaining IPs are used as redundancy, so you only need to add one to dnsmasq.

Then add the IP to VPN Director; I think it should work normally.

But I must agree that @eibgrad's scripting scheme is more suitable for you, because it can reduce the time you need to configure and test.
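A worked version of the dnsmasq-pinning approach described in this thread (resolve once, pin one IP per domain in dnsmasq, add that IP as a WAN-bound VPN Director rule, then restart the routing as Charles suggests), as an added example that is not code from this thread or from Charles Wilkinson's script. It generalizes to any number of domains. Assumptions: a router-side POSIX shell with BusyBox nslookup, the VPN Director rule format `<1>desc>src>dst>iface` as quoted above, and the nvram variable name `vpn_client1_adns` (value 3 = Exclusive) for the VPN client's Accept DNS Configuration setting, which is an assumption. The built-in resolver table is constructed from the nslookup results posted earlier in the thread so the generation step runs offline.

```shell
#!/bin/sh
# Added example (not from this thread or Charles Wilkinson's script).
# Builds dnsmasq "address=" pins and VPN Director rules for a list of
# domains, so traffic to the pinned IPs bypasses the tunnel.

# Constructed table from the nslookup results posted in the thread; used
# unless LIVE=1, so the build functions can be tested offline.
RESOLVED_TABLE="amazon.de 52.95.120.34 54.239.39.102 176.32.108.185
fls-eu.amazon.com 54.76.219.206 54.154.116.139 34.242.200.19"

# first_ip DOMAIN: print one IPv4 A record. dnsmasq needs only one; the
# remaining records are redundancy, as Yota notes.
first_ip() {
    if [ "${LIVE:-0}" = "1" ]; then
        # BusyBox nslookup prints the resolver's own Address line first, so
        # the second dotted quad is the first answer for DOMAIN.
        nslookup "$1" 2>/dev/null \
            | grep '^Address' \
            | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
            | sed -n '2p'
    else
        printf '%s\n' "$RESOLVED_TABLE" | awk -v d="$1" '$1 == d { print $2; exit }'
    fi
}

# build_dnsmasq DOMAIN...: one "address=/DOMAIN/IP" line per domain (this
# form also answers for every subdomain of DOMAIN). Returns 1 if any domain
# did not resolve, so a cron run never silently writes an empty file.
build_dnsmasq() {
    rc=0
    for d in "$@"; do
        ip=$(first_ip "$d")
        if [ -z "$ip" ]; then echo "no A record for $d" >&2; rc=1; continue; fi
        printf 'address=/%s/%s\n' "$d" "$ip"
    done
    return $rc
}

# build_rules DOMAIN...: VPN Director rules in the thread's format with an
# empty source (any LAN client), the pinned IP as destination, iface WAN.
build_rules() {
    rc=0
    for d in "$@"; do
        ip=$(first_ip "$d")
        if [ -z "$ip" ]; then rc=1; continue; fi
        printf '<1>bypass %s>>%s>WAN\n' "$d" "$ip"
    done
    return $rc
}

# apply DOMAIN...: router-side step, only with APPLY=1. Refuses to run when
# the client's DNS mode is Exclusive (assumed nvram name vpn_client1_adns),
# because dnsmasq is bypassed in that mode and the pins would have no effect.
# The generated rules are printed for merging into VPN Director; after
# merging, "service restart_vpnrouting0" (the thread's fix) applies them.
apply() {
    [ "${APPLY:-0}" = "1" ] || { echo "set APPLY=1 to write config" >&2; return 2; }
    if [ "$(nvram get vpn_client1_adns)" = "3" ]; then
        echo "VPN client 1 DNS mode is Exclusive; dnsmasq pins would be ignored" >&2
        return 1
    fi
    LIVE=1 build_dnsmasq "$@" > /jffs/configs/dnsmasq.conf.add || return 1
    service restart_dnsmasq
    echo "merge these rules into VPN Director, then: service restart_vpnrouting0"
    LIVE=1 build_rules "$@"
}
```

Run it as `APPLY=1 sh domain_bypass.sh` from firewall-start or from the cru entry the thread shows, after sourcing it and calling `apply amazon.de fls-eu.amazon.com`; the non-zero return on an unresolved domain is what lets a cron wrapper log the failure instead of overwriting a working dnsmasq.conf.add with a partial one.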
 
