Menu
What's new
By:
Filters Better Search

Will Merlin FW get ability in VPN director to add rules based on domain?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

A

Agossi

New Around Here
Hi all,

I bought a AX86U because of the better VPN speed's compared to my gli.net Creta.


But I am missing some policy rule to exclude amazon and Netflix domains etc. to use the vpn, this was easily possible in the glinet Policies.

I saw some guys are using the x3m addon, but also this seems not to be maintained anymore.

Therefore I do not want to start using my new router with the not up to date addon.


Does someone have another option to route the Netflix and Amazon prime traffic to WAN instead of VPN?

It would be wonderful if domain based rules could be added to Merlin or stock firmware.


Many thanks in advance

Best regards
 
For now I have added the IPs from the nslookups :

### AMAZON EU (nslookup A Record)
amazon.de =>
52.95.120.34
54.239.39.102
176.32.108.185

fls-eu.amazon.com =>
54.76.219.206
54.154.116.139
34.242.200.19
52.212.5.217
52.209.88.240
63.35.13.25
52.213.41.84
54.171.99.121

US (optional in EU):
fls-na.amazon.com =>
107.23.46.27
52.22.100.212
52.7.58.137
52.71.69.62
54.88.72.92
3.233.204.223
3.88.189.18
35.173.106.46

This seem to work in germany, but having a domain based ruleset would be more comfortable and relyable.
I hope these IPs help also someone else.
 
No. VPN Director works at the routing table levels, which cannot do any DNS lookups.
 
But you can use dnsmasq to specify specific IPs for your domain, and then add these IPs to the VPN director.


RMerlin said:
No. VPN Director works at the routing table levels, which cannot do any DNS lookups.
Click to expand...
Maybe this is a feature request, and I know I shouldn’t raise it here. I have 5 VPN clients, each with the same VPN director configuration, but I found that such repeated operations are time-consuming when I add them, especially when there are nearly ten IPs, which means I have to repeat 5 times.

Of course, I only restore the factory settings when the router is upgraded, and then add them manually. Considering the development cost and usage requirements, I think it is not worth developing new features for it..

So I just say it casually, and I am very grateful for the VPN Director!
 
Agossi said:
Hi all,

I bought a AX86U because of the better VPN speed's compared to my gli.net Creta.


But I am missing some policy rule to exclude amazon and Netflix domains etc. to use the vpn, this was easily possible in the glinet Policies.

I saw some guys are using the x3m addon, but also this seems not to be maintained anymore.

Therefore I do not want to start using my new router with the not up to date addon.


Does someone have another option to route the Netflix and Amazon prime traffic to WAN instead of VPN?

It would be wonderful if domain based rules could be added to Merlin or stock firmware.


Many thanks in advance

Best regards
Click to expand...
I actually created a script to do exactly what you are asking for. You can find it here:
https://charleswilkinson.co.uk/2021/11/21/asus-merlin-route-via-vpn-for-specific-destination-hosts/

Let me know if it works for you :)
 
Yota said:
But you can use dnsmasq to specify specific IPs for your domain, and then add these IPs to the VPN director.
Click to expand...
Many thanks, is there a example available ?

I tried with a config file like in "/jffs/configs/dnsmasq.conf.add:
Code: 
address=/amazon.de/52.95.120.34
address=/amazon.de/54.239.39.102
address=/amazon.de/176.32.108.185

address=/fls-eu.amazon.com/54.76.219.206
address=/fls-eu.amazon.com/54.154.116.139
address=/fls-eu.amazon.com/34.242.200.19

and added these ips as remote ip with Iface WAN and blank source ip to the VPN Director.

But still blocked using the VPN router and the strange thing is using the WLAN of the default ROUTER (no VPN) now cannot connect anymore to the amazon.de domain.

Is there an example dnsmasq.conf.add available?

Many thanks in advance


Charles Wilkinson said:
I actually created a script to do exactly what you are asking for. You can find it here:
https://charleswilkinson.co.uk/2021/11/21/asus-merlin-route-via-vpn-for-specific-destination-hosts/

Let me know if it works for you :)
Click to expand...

Thanks for the hint I will try if the dnsmasq still fails after response from @Yota
 
@Charles Wilkinson

I have tried your script and it works flawless populating my VPN director rules for the domains.

In my case i routed them to WAN for amazon etc.

Only thing I had to change was set my VPNs DNS Mode to Exclusive and add the DNS in the custom configs for NordVPN:
Code: 
dhcp-option DNS 103.86.96.100
dhcp-option DNS 103.86.99.100
push "dhcp-option DNS 103.86.96.100"
push "dhcp-option DNS 103.86.99.100"


Also it was very important to route the DNS Request to WAN extract from vpndirector rules list:

Code: 
<1>ROUTER TO WAN DNS>192.168.1.1>>WAN
<1>VPNROuter>192.168.1.2>>OVPN1

Otherwise all traffic had the DNS from the WAN Page, but this shall not come into play for the VPN.

Also i modified the firewall-start to add the cron with different time (run only once a day)
Code: 
# Add crontab entry to refresh domain based rules every day at 0
cru a setup_vpn_director "0 0 * * *" /jffs/scripts/vpn_director_host_rules.sh


MY setup is:

Modem PORT TO ASUS_AX86U WAN
ASUS_AX86U LAN1 to WAN of Wireless Router "W1" (not VPN cabable by itself) => 192.168.1.2
W1 LAN 1 - LANX Clients are using VPN.

OVPN1 Client on ASUS_AX86U running Nordvpn



I will observe and check how it goes with these settings ;)


UPDATE:

I am seeing issues when your scripts are in and I do a reboot.
If i reboot I get a DNS leak for my VPN (uses WAN DNS instead of the VPN ones) and amazon bypass also does not work anymore.
Then I only went to the GUI VPN Director and just pressed apply, without changing anything and afterwards it works again like before.

I tested a reboot without your scripts beeing active and after the system was up again it had directly the correct DNS settings etc. and no leakage.

Is there some restart missing in your script?
 
Last edited:
Agossi said:
@Charles Wilkinson

I have tried your script and it works flawless populating my VPN director rules for the domains.

In my case i routed them to WAN for amazon etc.

Only thing I had to change was set my VPNs DNS Mode to Exclusive and add the DNS in the custom configs for NordVPN:
Code: 
dhcp-option DNS 103.86.96.100
dhcp-option DNS 103.86.99.100
push "dhcp-option DNS 103.86.96.100"
push "dhcp-option DNS 103.86.99.100"


Also it was very important to route the DNS Request to WAN extract from vpndirector rules list:

Code: 
<1>ROUTER TO WAN DNS>192.168.1.1>>WAN
<1>VPNROuter>192.168.1.2>>OVPN1

Otherwise all traffic had the DNS from the WAN Page, but this shall not come into play for the VPN.

Also i modified the firewall-start to add the cron with different time (run only once a day)
Code: 
# Add crontab entry to refresh domain based rules every day at 0
cru a setup_vpn_director "0 0 * * *" /jffs/scripts/vpn_director_host_rules.sh


MY setup is:

Modem PORT TO ASUS_AX86U WAN
ASUS_AX86U LAN1 to WAN of Wireless Router "W1" (not VPN cabable by itself) => 192.168.1.2
W1 LAN 1 - LANX Clients are using VPN.

OVPN1 Client on ASUS_AX86U running Nordvpn



I will observe and check how it goes with these settings ;)


UPDATE:

I am seeing issues when your scripts are in and I do a reboot.
If i reboot I get a DNS leak for my VPN (uses WAN DNS instead of the VPN ones) and amazon bypass also does not work anymore.
Then I only went to the GUI VPN Director and just pressed apply, without changing anything and afterwards it works again like before.

I tested a reboot without your scripts beeing active and after the system was up again it had directly the correct DNS settings etc. and no leakage.

Is there some restart missing in your script?
Click to expand...
Hmm. The script only restarts the VPN routing if it detects a change. Perhaps on reboot we need to force it to.
Try adding service restart_vpnrouting0 to the firewall-start script after /jffs/scripts/vpn_director_host_rules.sh and see if that works.
 
Agossi said:
Many thanks, is there a example available ?
I tried with a config file like in "/jffs/configs/dnsmasq.conf.add:
Code: 
address=/amazon.de/52.95.120.34
address=/amazon.de/54.239.39.102
address=/amazon.de/176.32.108.185
address=/fls-eu.amazon.com/54.76.219.206
address=/fls-eu.amazon.com/54.154.116.139
address=/fls-eu.amazon.com/34.242.200.19
and added these ips as remote ip with Iface WAN and blank source ip to the VPN Director.
But still blocked using the VPN router and the strange thing is using the WLAN of the default ROUTER (no VPN) now cannot connect anymore to the amazon.de domain.
Is there an example dnsmasq.conf.add available?
Many thanks in advance
Thanks for the hint I will try if the dnsmasq still fails after response from @Yota
Click to expand...
First, make sure that the Accept DNS Configuration on your VPN client page is not set to Exclusive, because dnsmasq will be bypassed after the setting becomes Exclusive, which is not what we want to see.

Then add the domain name you need in /jffs/configs/dnsmasq.conf.add. Of course, you need to get the correct IP address through nslookup in advance.

Your "address=/amazon.de/52.95.120.34" is correct.
Usually only one IP is needed for a domain, and the remaining IPs is used as redundancy, you only need to add one to dnsmasq.

Then added the IP to VPN Director, I think it should work normally.

But I must agree that @eibgrad's scripting scheme is more suitable for you, because it can reduce the time you need to configure and test.
 
www.snbforums.com

Domain-based VPN Routing Script

Domain VPN Routing is a tool used to route specific website domains to specific VPN tunnels or override all traffic being routed to a VPN tunnel to directly route through a WAN interface. ***v2.1.0 Release**** This is the release information regarding v2.1.0, please read the notes carefully...
www.snbforums.com www.snbforums.com
 
You must log in or register to reply here.

Similar threads

J
Use OpenVPN on a GliNET device to VPN into Merlin Router as Server?
Replies
6
Views
2K
jksmurf
J
B
VPN Director: Prioritize Site-to-Site VPN over WAN
Replies
4
Views
783
benih
B
fsb
Upgrading, possible to export OpenVPN settings?
Replies
2
Views
899
fsb
fsb
P
VPN Director rules and WAN
Replies
2
Views
1K
propofol
P
G
How to VPN Direct Smart TV to Different VPN Tunnel to Rest of Devices
Replies
1
Views
1K
Gizmo2035
G
Similar threads
Thread starter Title Forum Replies Date
S Use Zram in Merlin Asuswrt-Merlin 4
PaulA Port isolation on RT-AX88U-Pro (router) w/ Merlin w/ Tagged internet ISP Asuswrt-Merlin 1
T Asus RT-AX86U vs RT-AX68U (with Merlin cake SQM) Asuswrt-Merlin 9
Coldblackice Does ASUS Merlin's QoS consider DSCP? Asuswrt-Merlin 3
H Solved xbox one not able to sign in when connected through router running asuswrt-merlin on an rt-ac5300. Asuswrt-Merlin 5
JA93 iVentoy on Asus Merlin Asuswrt-Merlin 1
M [🙏 Feature request For Asus Merlin] Add Public WiFi Mode for GT-AX11000 Asuswrt-Merlin 7
T ControlD with Merlin Asuswrt-Merlin 25
RMerlin Release Asuswrt-Merlin 386.13 is now available for AC models Asuswrt-Merlin 38
David Cavalli Merlin "End of Life" for 386.x firmware implications Asuswrt-Merlin 20

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 774 (members: 14, guests: 760)
Top