x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

@Xentrk Thank you for all the work you've done :)

I wonder if a split-tunneling feature could be used for an apps linked list to their APNs to either VPN or WAN, so basically an app list that is set to go over VPN. I guess those apps' traffic/data will have to be marked to be routed; just no idea how that would be implemented.
That is beyond the scope of the project. But you could analyze dnsmasq to determine the domains the app is using. I have written how to do the analysis of dnsmasq in other posts. But I have to run to work now and can't provide the links at the moment.
 
You have to enable SSH access on the router. The guide is a little dated but should be of help. Then, you need to select a client to access the SSH session. I recommend you use diversion or amtm to install entware. diversion will also provide some tools if you need to troubleshoot the dnsmasq.log file. I use the MobaXterm client. There are many to choose from. The SFTP gives a Windows Explorer type view of the file system and has a good editor built in. To use SFTP, you need to install openssh-sftp-client.
Code:
opkg install openssh-sftp-client

A Google search can list out the basic Linux commands you may require.
Thanks, I'll give it a go and let you know if I have issues -- I didn't even know where to start, this is helpful. Thank you!
 
I have to update the customized screen at times to conform with firmware updates. The issue is the changes may not be backward compatible with older firmware versions. I suspect that may be the case here. The last changes were made on Nov 25, 2019.

I know the current version of the screen works with 384.15 and 384.16 alpha. The good news is GitHub keeps a history of all changes. So, if you are on an earlier version, I'll need to give you a link to download the screen for an earlier version of the repository where the screen matches the firmware version. Or, updating to 384.15 may resolve the issue. What is your firmware version and router model?

Hi Xentrk,

Router is RT-AC3200
Firmware 384.13_4


Regards

Teymur
 
Thanks Teymur,

I went back and looked at the asuswrt-merlin change log and noticed there are special builds for RT-AC3200 and RT-AC87U routers starting with the 384.13 release. I may not be able to support these two models going forward if the firmware continues to lag behind the other models. Plus, I have no way of testing.

The following should allow you to download the 384.13 version of the GUI screen.

Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/x3mRouting/bfa728b0857cac2530072f62a637028da79832c0/Advanced_OpenVPNClient_Content.asp" -o /jffs/scripts/x3mRouting/Advanced_OpenVPNClient_Content.asp

If you still have issues, then we may have to convert you over to the script based method where you specify the interface as a parameter when running the script rather than entering the IPSET list name in the GUI. If so, I will need to send you the command to unmount the GUI and prevent it from loading at boot. Let me know how it turns out.

The problem with the GUI is one can't specify the WAN as a destination to bypass the VPN. I will need to take another look at how I can modify the screen to support the feature. Screen space is very limited. So I'll need to get creative.
 
Thanks, I'll give it a go and let you know if I have issues -- I didn't even know where to start, this is helpful. Thank you!
No worries. I was new to all of this four years ago myself. Great support on this site. Welcome to SNBForums.
 
Hi Xentrk,

Thanks for the link. That's now done. But I still see "Previous" and "Next" instead of "Yes" and "No". I only need those fixed. I'm happy with the way it's working so far. Maybe in the future I'll consider upgrading my router.
 
I will look at it in more detail when I get home from work. We may have to make an update just for your router model. Stay tuned.
 
Sure! Thanks a lot for your time and help!


Regards

Teymur
 
I updated the radio button code. Type x3mRouting to access the menu. Select option 7 to get the updated screen. Let me know how it turns out.
 
Hi Xentrk!

I did update the repository. It downloaded Advanced_OpenVPNClient_Content.asp and I can see the file under /jffs/scripts/x3mRouting, however when I load the page I still see “Previous” and “Next”. Tried 4 different browsers, with cleaning the cache. I also renamed the Advanced_OpenVPNClient_Content.asp file just to see if I get an error when opening the page. But no error. Looks like the router isn’t even reading it. Do you think I have to reboot?


Regards

Teymur
 
A refresh is all that is required. Sometimes 2 are needed. The update probably didn't work for your firmware version. Please perform the following troubleshooting:

Type
Code:
umount /www/Advanced_OpenVPNClient_Content.asp
to unmount the gui screen.

Refresh the page.
Right click on the page and select view source code.
Press Ctrl-F and enter "automatic start at boot"
Take a snip of the code between the <th> block and post it in a reply. Should look similar to the code below:
Code:
<th>Automatic start at boot time</th>
<td>
    <input type="radio" name="vpn_client_x_eas" class="input" value="1"><#checkbox_Yes#>
    <input type="radio" name="vpn_client_x_eas" class="input" value="0"><#checkbox_No#>
</td>

To remount the gui, type sh mount_files_gui.sh
 
Hi Xentrk,

That's what I got:
Code:
<th>Automatic start at boot time</th>
<td>
<input type="radio" name="vpn_client_x_eas" class="input" value="1">Yes
<input type="radio" name="vpn_client_x_eas" class="input" value="0">No
</td>
 
Xentrk,

Thank you so much, you nailed it! It shows correctly now!
 
There is nothing to force you to use the newer version when it comes out. But it is recommended.

The difference is I am combining all of the different scripts into one script. The source interface now has to be specified to support the new automatic configuration feature. You only have to run the script at the command line one time and all of the setup gets created automatically to support VPN up/down events and system boot up. The only other change is you must specify the method in the command line:

dnsmasq=whatismyip.com, ip=x.x.x.x, asnum=AS2906, aws_region=US

You can also specify a src IP or src-range of IP addresses for exceptions. For example, if I specify that all traffic use VPN Client 1 with the entry 192.168.1.0/24 but need to create an exception for one IP address for Netflix traffic:

Code:
sh /jffs/scripts/x3mRouting/x3mRouting 1 0 NETFLIX asnum=AS2906 src=192.168.1.50

I have an idea for a script to help with the conversion.

Thanks for the response and I apologize for my ignorance. So I only use option 3 and under my nat-start script, I have the following lines for my use...what will I need to do with the new script, for my use I want all my clients to use the rule below?

sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON_US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 HULU_WEB hulu.com,hulustream.com,akamaihd.net
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 COMCAST comcast.net,comcast.com,xfinity.com
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 COMCAST AS7922
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 COMCAST AS7016
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 LETGO letgo.com,us.letgo.com,akamaiedge.net
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 DISNEYPLUS_WEB disneyplus.com
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 PIZZAHUT pizzahut.com
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 DISNEYPLUS AS16509
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 AKAMAI ASN20940
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 AMAZON_16509 AS16509
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 FUNIMATION funimation.com
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 HONEY joinhoney.com
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 HBOGO hbogo.com,play.hbogo.com
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 PAPAJOHNS papajohns.net,papajohns.com
 
In the new version, there will only be one script rather than a script for each method. The method will be passed as a parameter on the command line.

Most people have a rule to force all LAN clients to use a VPN Client with an entry in the Policy Rule Routing section as follows:
Code:
LAN_IPs    192.168.1.0/24    0.0.0.0    VPN

I will use the second entry above as an example. The entry below is used to bypass Netflix traffic for a VPN client:
Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906

In the new version, you have to specify the VPN Client you want to bypass as the source interface:
Code:
 sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 NETFLIX asnum=AS2906
Usage: Source_Iface Destination_Iface IPSET_name method=

Method is asnum=, dnsmasq=, aws_region= or ip=. If no method is specified, the manual method is used as the default.

Specifying the source interface tells the x3mRouting script where to place the configuration so the rules are applied when the VPN client is started. If one specifies 1 as the Source interface, the script will place the line above in /jffs/scripts/x3mRouting/vpnclient1-route-up file. Likewise, it will place a rule in /jffs/scripts/x3mRouting/vpnclient1-route-pre-down to remove the routing rule when the VPN client goes down. The entries in nat-start should no longer be required.

Similarly, if you have specified all LAN traffic to use VPN Client 1, but for LAN client 192.168.1.50, you need to route Netflix traffic to the WAN.
Code:
 sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 NETFLIX asnum=AS2906 src=192.168.1.50

Or, you can specify a range of IP addresses:
Code:
 sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 NETFLIX asnum=AS2906 src-range=192.168.1.50-192.168.1.60
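
The conversion described in the reply above, as an added example that is not part of the original post and is not x3mRouting code: it rewrites old per-method nat-start lines into the single-script syntax and validates each token, since the result ends up in scripts the router runs as root. The function name `convert_line` is hypothetical, and the source interface (VPN Client 1 here) is an assumption the caller must supply.

```shell
#!/bin/sh
# Added example (not x3mRouting code): rewrite old per-method nat-start lines
# into the single-script form. Commands are printed for review, never executed.
NEW_SCRIPT=/jffs/scripts/x3mRouting/x3mRouting.sh

# convert_line SRC_IFACE "sh /path/load_<METHOD>_ipset_iface.sh DST IPSET VALUE"
# SRC_IFACE is the VPN client to bypass; it is not in the old line, so the
# caller supplies it (assumption: VPN Client 1 in the sample run below).
convert_line() {
    src=$1
    set -f                      # no globbing while the old line is split
    set -- $2
    set +f
    if [ $# -ne 5 ] || [ "$1" != "sh" ]; then
        echo "skip: unexpected line shape" >&2; return 1
    fi
    script=${2##*/} dst=$3 name=$4 value=$5
    # These commands end up in scripts run as root, so accept plain tokens only.
    for n in "$src" "$dst"; do
        case "$n" in ''|*[!0-9]*) echo "skip: bad interface '$n'" >&2; return 1 ;; esac
    done
    case "$name" in *[!A-Za-z0-9_]*) echo "skip: bad ipset name" >&2; return 1 ;; esac
    case "$script" in
        load_ASN_ipset_iface.sh)
            # asnum= values shown in the thread are "AS" followed by digits
            case "${value#AS}" in "$value"|''|*[!0-9]*)
                echo "review: $name has '$value', expected AS<digits>" >&2; return 1 ;;
            esac
            method="asnum=$value" ;;
        load_DNSMASQ_ipset_iface.sh)
            case "$value" in *[!A-Za-z0-9.,-]*) echo "skip: bad domain list" >&2; return 1 ;; esac
            method="dnsmasq=$value" ;;
        load_AMAZON_ipset_iface.sh)
            case "$value" in *[!A-Z0-9_-]*) echo "skip: bad region" >&2; return 1 ;; esac
            method="aws_region=$value" ;;
        *) echo "skip: unknown script $script" >&2; return 1 ;;
    esac
    echo "sh $NEW_SCRIPT $src $dst $name $method"
}

# Sample input: lines copied from the nat-start listing posted in the thread.
while read -r line; do
    convert_line 1 "$line" || true
done <<'EOF'
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 HULU_WEB hulu.com,hulustream.com,akamaihd.net
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 AKAMAI ASN20940
EOF
```

The third sample line is reported for review instead of converted, because its value does not have the AS-plus-digits form used by the other entries.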
 
Xentrk,

Thank you so much, you nailed it! It shows correctly now!
That is good news. Maybe the process of unmounting and remounting the updated code was the trick to make the update stick. There is still one minor bug with the screen I need to fix. I noticed last night that the ability to populate the Description and Source IP from the drop down is broken. If I can't figure it out, I will ask @Jack Yaz to help me out as I am still learning how the asp code works.
 
Xentrk Actually I've been looking and noticed something: the page title says English - OpenVPN Client Setting. I think it should be just OpenVPN Client Setting. The title doesn't change when you change the language. Please take a look
 
I see that as well. I just pushed an update.
 
Xentrk,
After the last update I don't seem to be able to change the "Block routed clients if tunnel goes down" setting. I've always had it on "Yes", but now it's on "No". Putting it to yes and Applying it takes 15 seconds and still shows "No".
 