x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

It is working for me now. I believe I got a temporary ban from ipinfo as I was experimenting with things and therefore I was making too many API requests.
In testing the new version of x3mRouting, I also got banned temporarily for making too many downloads using curl. In the new version, I added a check for failure for ipinfo.io, and if it fails, it will use another website that has the IPv4 addresses.
 
How do I make route all vpn server persist across a reboot?
Supposedly it survives a reboot, but it isn't working. As soon as I reboot the device, I have to go to ssh and run this again:
sh /jffs/scripts/x3mRouting/route_all_vpnserver.sh 1 4

Edit: after reboot, I can only remotely access the LAN. To fully access the internet remotely via the OpenVPN server, I have to manually run the script again.
Any thoughts?

Edit2: as a temporary fix, I'm calling the script on services-event, but I think that's not the way it should work. Or is it?

Edit3: I think it's an incompatibility with the nextdns script!
Because the nextdns script is run after your VPN server. If it is run before your script, everything works....
 
You shouldn't have to do anything after running the script. You only have to run the script one time. It creates the required iptables entry in the vpnserverX-up and vpnserverX-down file in the /jffs/scripts/x3mRouting directory.
 
The problem is that after your script runs, the nextdns script runs, and after that, when I remotely connect to the router VPN server, I can only access the LAN (if I have the VPN client activated). Then I have to manually call the x3m script so it can properly configure everything again.
 
I'll have to look at NEXTDNS script to see why you should have to do that. Doesn't make sense that it would touch the iptables rules. You can issue this command to see if the rules are still in place:

Code:
iptables -nvL POSTROUTING -t mangle --line

The "ip rule" command should show the RPDB rule to route the VPN server instance to the VPN client.
 
That's odd, because that command exports exactly the same thing.
Steps to reproduce:
Reboot
Wait until everything settles.
Access the router via the VPN server - I can only access the LAN (router page). I can't access the internet (neither via the VPN client nor directly via the WAN).
Manually run "sh /jffs/scripts/x3mRouting/route_all_vpnserver.sh 1 4"
Now I can access both the LAN and the VPN client via the VPN server.

Strange, because I think that before and after your command gives me the same output.

PS- you can figure which is before and after by the phone clock at the top left side.
 

I don't see the iptables rules in the output. Let's start with reviewing that the setup got created correctly.

1. On the VPN Server, access is both LAN and WAN.

2. Add the VPN Server subnet address to the Policy Routing Rules for VPN Client 4.

Confirm using the command "ip rule | grep ovpnc4"
Code:
#ip rule | grep ovpnc4

9992:   from all fwmark 0x7000/0x7000 lookup ovpnc4
10701:  from 10.8.0.0/24 lookup ovpnc4

3. Run the script

Code:
sh /jffs/scripts/x3mRouting/route_all_vpnserver.sh 1 4

4. Verify iptables
Code:
#iptables -nvL POSTROUTING -t nat --line | grep tun14

1        0     0 MASQUERADE  all  --  *      tun14   192.168.22.0/24      0.0.0.0/0
11       0     0 MASQUERADE  all  --  *      tun14   10.8.0.0/24          0.0.0.0/0

Code:
#iptables -nvL PREROUTING -t mangle --line | grep tun14

1        1    60 MARK       all  --  tun14  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7

5. Verify the VPN Server up/down scripts got created and are executable.
Code:
# cd /jffs/scripts/x3mRouting

ls -al | grep vpnserver1
-rwxr-xr-x    1 wizard   root            91 Apr  1 18:41 vpnserver1-down
-rwxr-xr-x    1 wizard   root           160 Apr  1 18:41 vpnserver1-up

6. Connect over VPN Server and run commands to see if the rules are still in place.

Thanks for doing these steps as it will help me narrow down where to look.
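
The checks from steps 2, 4 and 5 above, combined into one function as an added example (not part of the original post or of x3mRouting). It follows the thread's naming, where VPN client 4 uses tun14 and table ovpnc4; the function name `check_routing` and the sample variables are hypothetical.

```shell
#!/bin/sh
# Added example, not part of x3mRouting. Reports which of the entries from
# steps 2, 4 and 5 are absent from captured command output.
# usage: check_routing "<ip rule output>" "<nat POSTROUTING output>" \
#                      <server subnet> <client no.> <server no.> <script dir>
# Returns the number of missing items (0 = everything in place).
check_routing() {
    rules=$1; nat=$2; subnet=$3; client=$4; server=$5; dir=$6
    missing=0

    # Step 2: RPDB rule sending the server subnet to the client's table.
    if ! printf '%s\n' "$rules" | grep -Fq "from $subnet lookup ovpnc$client"; then
        echo "MISSING rpdb: from $subnet lookup ovpnc$client"
        missing=$((missing + 1))
    fi

    # Step 4: MASQUERADE for the server subnet leaving via the client tunnel.
    # Columns with --line: num pkts bytes target prot opt in out source dest.
    if ! printf '%s\n' "$nat" | awk -v s="$subnet" -v i="tun1$client" \
        '$4 == "MASQUERADE" && $8 == i && $9 == s { ok = 1 } END { exit !ok }'; then
        echo "MISSING nat: MASQUERADE $subnet out tun1$client"
        missing=$((missing + 1))
    fi

    # Step 5: up/down scripts must exist and be executable.
    for f in "vpnserver$server-up" "vpnserver$server-down"; do
        if [ ! -x "$dir/$f" ]; then
            echo "MISSING script: $dir/$f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample input, copied from the output shown in steps 2 and 4.
SAMPLE_RULES='9992:   from all fwmark 0x7000/0x7000 lookup ovpnc4
10701:  from 10.8.0.0/24 lookup ovpnc4'
SAMPLE_NAT='1        0     0 MASQUERADE  all  --  *      tun14   192.168.22.0/24      0.0.0.0/0
11       0     0 MASQUERADE  all  --  *      tun14   10.8.0.0/24          0.0.0.0/0'

# On the router (live data instead of the samples):
#   check_routing "$(ip rule)" "$(iptables -nvL POSTROUTING -t nat --line)" \
#       10.8.0.0/24 4 1 /jffs/scripts/x3mRouting
```

Running it once right after a reboot and once after the manual script run gives a line-by-line answer to "what changed", which is hard to read off two screenshots.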
 
Please look at the issue I opened on GitHub.

I think the problem behind all of this is the misplaced openvpn-event script location.
 
I forgot to add openvpn-event to the list of items to check. I think I know what the issue is but can't verify until later this evening. Looks like the script does not create the /jffs/scripts/openvpn-event file but does create the /jffs/scripts/x3mRouting/openvpn-event file. The workaround is to install Option 6 - Install OpenVPN Event. What the install program should be doing is create /jffs/scripts/openvpn-event if it does not exist. If it exists, it will add a line to execute "sh /jffs/scripts/x3mRouting/openvpn-event $@".
 
You are absolutely correct, that's what I understood by reading the code.
Openvpn-event should go to /jffs/scripts and not to /jffs/scripts/x3mRouting
And also, I think it is good practice that, even with the server1-up script created, the script should check before the server is up whether the IP range is the same (10.8.0.0). Or it should have "$(nvram get vpn_server1_sn)" instead of the hardcoded IP.
Because if I change the script range, I'll have to manually go delete the script and create it again.

Edit: manually installed option 6, and now all is working as expected :)
 
Glad the work around got you up and running. The x3mRouting install script has been patched to add the /jffs/scripts/openvpn-event file and the required entry if it does not exist.

Good suggestion on the code update to use nvram for the iptables when it writes to the vpnserverX file. I'll make the update this weekend.
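
The two fixes discussed in this exchange, sketched as an added example (this is not the x3mRouting installer's code). The hook path and the call line are the ones quoted in the thread; the function names, and the idea of comparing the up script against the `nvram get vpn_server1_sn` value, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the x3mRouting installer. Makes sure the firmware's
# openvpn-event hook exists, is executable and calls the x3mRouting copy.
HOOK=${HOOK:-/jffs/scripts/openvpn-event}
CALL='sh /jffs/scripts/x3mRouting/openvpn-event $@'

ensure_openvpn_event() {
    hook=${1:-$HOOK}
    if [ ! -f "$hook" ]; then
        # No hook yet: create it with a shebang so it can be executed.
        printf '#!/bin/sh\n' > "$hook" || return 1
    fi
    # Append the call only when that exact line is absent (safe to re-run).
    if ! grep -Fxq -- "$CALL" "$hook"; then
        # Guard against an existing last line without a trailing newline.
        [ -z "$(tail -c 1 "$hook")" ] || echo >> "$hook"
        printf '%s\n' "$CALL" >> "$hook" || return 1
    fi
    chmod 755 "$hook"
}

# Returns 0 when the generated up script still mentions the server's current
# subnet, 1 when the subnet changed (or is empty) and the script is stale.
# On the router:
#   up_script_matches /jffs/scripts/x3mRouting/vpnserver1-up \
#       "$(nvram get vpn_server1_sn)"
up_script_matches() {
    [ -n "$2" ] && grep -Fqw -- "$2" "$1"
}
```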
 
Thanks friend!
Just to make it more user-friendly and derp proof
 
@Xentrk do you need a tester for the update?
I will do another round of testing tomorrow. If all good, I will document the new instructions. I also want to see what I can do to automate the migration from the old to the new. I have some ideas, but just need to think it through some more. Once done, I can then open it up to a test group who can also be advocates for the new version and help others with the transition. I’m one of the few ppl who must still report to work during these times. But we have two three day weekends coming up which I plan to use to wrap things up. All of the setup is automated which will help simplify things.
 
amtm shows there's a v1.0.5 available for update, anyone update the script yet?
 
I need a little help if possible please? I've managed to get so far but just have one issue that is holding me up. I am using x3mRouting option 3 with ASN policy routing for Amazon and some Netflix connections and dnsmasq routing for ITV3, CH4, BBC, and Disney. The problem lies with Netflix CDN servers hosted by BT on the subnet 109.159.158.0. In order to stop receiving the VPN error message I have to create a blanket rule allowing all traffic to 109.159.158.0, which I don't think is best practice. I could create an ipset list by the ASN AS2856 but again I do not know what other data might be hosted. Any help would be great. Let me know what more info you might need to continue?

Asus RT-AC86U Merlin custom F/W Ver: 384.15 X3mRouting NordVPN
 
Not yet. Stay tuned though. I put in production on my router yesterday and found one issue I need to work out
 
There are two methods that work for me with NF - the dnsmasq and ASN methods. The AS2906 routes to NF servers in US. One person in the EU had to use both methods together. My guess is the dnsmasq method would work best for CDNs.

@Kingp1n had a similar issue with Comcast and routed the ISP ASN to the WAN to get around it. AS2856 is the ASN for BT. Try routing AS2856 to the WAN iface and see if it works.
 
Thanks, I have added an ASN method for this and it seems to work.
 
Hi - I'm having issues with BBC iPlayer but not Netflix. Any ideas? Config is as follows (I'm using option 2 - GUI and IPSET):

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh NETFLIX AS2906 dir=/tmp/mnt/Transfer01/Backups

dnsmasq.conf.add
ipset=/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/NETFLIX

sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh BBC_WEBAS2818 AS2818 dir=/tmp/mnt/Transfer01/Backups
sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh BBC_WEBAS31459 AS31459 dir=/tmp/mnt/Transfer01/Backups

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh BBC_WEB bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net,llnwd.net,bbciplayer.co.uk,bbciplayer.com,live.bbc.co.uk,api.bbc.co.uk
 
