@eibgrad and others who have contributed to this thread, thanks! it's been informative and quite helpful :)
this is the first time posting to this forum. i know shell scripting from a couple of decades ago, and remember enough of it to follow the general trend of logic and to do easy edits, but not enough to do more moderate/complex edits.
eibgrad, i successfully loaded your
http://pastebin.com/D96qMp5k
startup script for dd-wrt and got it working for a list of domains. it took a while, but i got there. thanks!
i opted for this script instead of your other one that loads in the firewall because i think the load balancing was causing problems with bypassing the vpn. however, there was one aspect of that firewall script that i would like to utilize in the startup script: bypassing a source MAC. i tried simply adding the ip to the PBR but it didn't work, as i figured from reading other posts here.
in your firewall script, the syntax is
add_rule_lan -m mac --mac-source xx:xx:xx:xx:xx:xx
and i can sort of piece together enough of the variables, along with other stuff i have read elsewhere.
what i can't figure out, and have tried various ways of just hard coding without variables into the startup script, is how to make it work there. i tried using ip rule add and iptables -mangle.
hard coding, because i don't remember enough to work it in with your dynamic script. and because it's only one MAC that i want to bypass.
the code i tried was just a copy paste of something i saw elsewhere, and since it looked like your line above i gave it a shot.
i tried putting it before and after the while loop in the startup script since it only needed to run once.
and lastly, like i said, this is my first time posting here. and i don't post much on forums in general. if i've violated protocol or whatever, apologies.
:)
edit: i had posted a followup post to this one, which i have since deleted since the things i pondered in that didn't pan out for me, and why leave things that didn't work out?
additionally, i think i have succeeded. and the answer was in this thread, all along. i noticed that eibgrad had posted some code that looked for table 10 (the table created by openvpn GUI client PBR) and said to post it before the domain lookup and route add. i haven't taken the time to learn how to box quote, but the code that eibgrad posted is on page 2 of this thread, Tue Mar 15, 2016 19:27
so i first assigned a static ip for the MAC i wanted to exclude. i then added the source ip addresses to the openvpn PBR that i wanted to use vpn, but not the ip for the device i wanted to exclude.
the included ips go through the vpn, but, as far as i can tell so far, the pastebin script excludes the list of destination domains.
i then inserted, as suggested, and adapted eibgrad's code for table 10 into the pastebin script, mentioned above.
i think it is working, so far.
this has been a learning experience...thanks to everyone for their input, and to eibgrad for his scripting!
Hi, thanks for sharing the script first of all. This gives me an idea for solving a problem I've been having, but I'm not sure of the best way to go about achieving my goal (to adapt this script or add a different one after it).
Okay, so the problem is connecting to a certain server (for a TV service) over OpenVPN works, but the performance isn't great and sometimes causes pauses and glitches which annoys the viewer. So maybe OpenVPN isn't ideal for this service (I've tried everything to tweak it), but I'd rather not connect via my ISP. I'd like to bypass the VPN for this address as in your example BUT connect via a socks5 proxy provided by my VPN service instead, which should hopefully be much faster/lower latency.
Any ideas on the cleanest way I would go about that?
Also I have a firewall script that routes my PC's IP around the VPN already which I need to keep:
Code:
# accept replies that come back via the WAN instead of the tunnel
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
# start from an empty mangle PREROUTING chain
iptables -t mangle -F PREROUTING
# table 200 sends everything to the WAN gateway, around the VPN
ip route add default table 200 via $(nvram get wan_gateway)
# packets carrying fwmark 1 are looked up in table 200
ip rule add fwmark 1 table 200
ip route flush cache
# mark packets arriving on the LAN bridge from the PC's source address
iptables -t mangle -I PREROUTING -i br0 -s 192.168...
eibgrad, I have added your script to my jffs dir and even added a few extra domains. I've verified everything is working. There are close to 150 routes being pushed to my wan. The issue is that netflix is still saying I'm using a proxy/vpn and not allowing me to watch a video. The goal of course was to route all traffic on my network over the VPN except netflix which was blocking me and this is sadly become more difficult than I thought it would be. If anyone has any fixes or any ideas I can try I would greatly appreciate it.
As I mentioned on the tomato forums over at LinksysInfo.org, there's a fatal flaw in basing this solution on domain names. What if Netflix isn't always using domain names, but instead explicit IPs?!
This is the piece most ppl are missing. Even the users who switched to tomato so they could use ipset and make this process more effective and efficient face the same problem. There's no guarantee that Netflix isn't using explicit IPs, if not to get the process started, perhaps once they've gotten the process started. And if that happens, banking your solution on static routes discovered through domain name resolution will ultimately fail.
Do I know for a fact this is the problem? No. But it seems obvious to me this is at least one possible explanation. And unless someone is willing to make the effort to sit there and track every single public IP coming from the Netflix app, this is never going to be 100% reliable. Even then, nothing says the next time you use Netflix, or use Netflix on some other platform, those IPs might not change again.
The only real solution (imo) is to use policy based routing to take the source IP of the device running Netflix off the VPN. And you can do that using the policy based routing field of the OpenVPN client GUI. Any IPs listed there use the VPN, all others use the WAN.
Granted, you can't split tunnel within that one device (i.e., have some apps use the WAN, others use the VPN), but at least by taking everything for that device off the VPN, it takes the Netflix app off the VPN as well.
But if ppl insist on keeping the VPN as the default gateway, and try to reroute based on destination IP over the WAN, I think you're going to have nothing but problems, because that's only going to work well to the extent you can identify ***all*** those destination IPs. And that could prove a bridge too far, esp. given how many public IPs these mega sites use.
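The source-based bypass that eibgrad recommends here, and that the earlier poster's firewall script sketches with fwmark 1 and table 200, written out as an added example (not eibgrad's script, the pastebin script or the poster's own firewall script). It also covers the MAC-source case asked about at the top of the thread, since `-m mac --mac-source` is just another way to select the packets that get the mark. Assumptions: br0 is the LAN bridge, table 200 and mark 1 are otherwise unused, 192.168.1.50 and aa:bb:cc:dd:ee:ff are constructed placeholders, and the WAN gateway is passed in as the first argument (on DD-WRT that would be `$(nvram get wan_gateway)`). It sets rp_filter to loose mode (2) rather than disabling it (0) as the poster's script does; loose mode is enough for the asymmetric return path and keeps some source-address sanity checking.

```shell
#!/bin/sh
# Added example: source-based VPN bypass for a DD-WRT style router.
# Packets from the listed LAN sources (IPv4 addresses or MAC addresses) get
# a firewall mark; a policy rule sends marked packets to a routing table whose
# default route is the WAN gateway, so they skip the VPN tunnel.
# Constructed assumptions: LAN bridge br0, spare table 200 and mark 1.
# DRY_RUN=1 prints the commands instead of executing them.

BYPASS_TABLE=200
BYPASS_MARK=1
LAN_IF=br0
DRY_RUN="${DRY_RUN:-0}"

# Executes a command, or prints it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Returns 0 when the argument looks like a MAC address (xx:xx:xx:xx:xx:xx).
is_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Emits the mangle rule that marks packets from one source, selecting by
# MAC address when given one and by IPv4 source address otherwise.
mark_source() {
    if is_mac "$1"; then
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mac --mac-source "$1" -j MARK --set-mark "$BYPASS_MARK"
    else
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$1" -j MARK --set-mark "$BYPASS_MARK"
    fi
}

# setup_bypass WAN_GATEWAY SOURCE...
# Builds the bypass table and policy rule once, then marks every source given.
setup_bypass() {
    wan_gw="$1"; shift
    # Loose reverse-path filtering: replies come back via the WAN, not the tunnel.
    run sh -c "echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter"
    # "replace" rather than "add" so re-running the script is harmless.
    run ip route replace default via "$wan_gw" table "$BYPASS_TABLE"
    # Drop a stale rule first so the rule list does not accumulate duplicates.
    run ip rule del fwmark "$BYPASS_MARK" table "$BYPASS_TABLE" 2>/dev/null || true
    run ip rule add fwmark "$BYPASS_MARK" table "$BYPASS_TABLE"
    for src in "$@"; do
        mark_source "$src"
    done
    run ip route flush cache
}

# Usage on the router (placeholders): setup_bypass "$(nvram get wan_gateway)" 192.168.1.50 aa:bb:cc:dd:ee:ff
```

Run it first with DRY_RUN=1 to see the exact iptables and ip commands it would issue; the mark only decides the routing table, so a device taken off the VPN this way still goes through the router's normal filter rules.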
This is an important factor to highlight for all that read this. You are correct, Netflix requests can be raw IPv4 only. Real example I noticed more recently.
This is a request made to a local Netflix CDN within my ISP's network, but it isn't domain based and hence not captured by any ipset magic.
Fortunately in conjunction with split tunnelling via DNS based rules, I also run a local proxy server within my LAN and use WPAD with various rules, so I could write a bypass rule to tag these requests.
Code:
if (shExpMatch(url, "http://*/range/0-*"))
return "DIRECT";
However, this is yet just another avenue of setup you have to do to make Netflix work. At some point you have to ask yourself, how worth it is it and do you want to be responsible for maintaining such solutions when they break or need updating?
Food for thought.
_________________
James
Main router:
Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac
IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset
Before trying eibgrad's scripts, I already noticed that domains listed in dnsmasq additional config will successfully be marked, related ips being dropped in ipset bins...but when trying to browse them the browser will just try loading the page forever without result.
Could that be related to my double nat configuration, and wan ip of dd-wrt being a local and not public address? My main router is a Fritzbox 7590 with 192.168.178.0 subnet, dd-wrt R9000 modem wan is 192.168.178.30 with wan automatic/dhcp configuration and being marked as exposed host on Fritzbox (similar to dmz, all ipv4 and ipv6 ports opened).
I then tried many firewall scripts, with same result: I cannot browse websites listed in dnsmasq additional config.
BTW: I managed to use last eibgrad script for Tomato (based on ipset and dnsmasq) with same network scheme (Fritzbox 7590 as main router, an R7000 with Tomato as secondary router). Is there any ipset+dnsmasq script version working for dd-wrt?
Any help? Did someone have and solve this issue of not being able to browse websites specified in dnsmasq additional config (ipset=/domain.com/ipset_name)?
# dd-wrt selective domain routing
WAN_GW="$(nvram get wan_gateway)"
# list domains for selective routing
for domain in \
    "in.alice.it" \
    "whatsmyip.org"
do
    # extract ip addresses
    for ip in $(nslookup $domain | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
        # add a /16 route (first two octets of each ip address) to the wan gateway
        ip route add `echo $ip | cut -d . -f 1,2`.0.0/16 via $WAN_GW
    done
done
# flush cache
ip route flush cache
EOF
chmod +x $SCRIPT
sleep 60
$SCRIPT
The configured domain is related to an IMAP server which allows connection only from the ISP connection itself and not other sources (this is very uncomfortable and bad...). This is why I need to exclude this particular domain from VPN.
As for the IMAP server, I tried manually with "telnet in.alice.it 143" and the server replies fine, so I think the provided script is working fine (configured as STARTUP SCRIPT).
My router is a NETGEAR WNDR3700 with DD-WRT v3.0-r36006 std (05/23/18)
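The resolution step of the startup script above, as an added example that is not the poster's script or eibgrad's pastebin script: it parses BusyBox-style nslookup output, reduces each answer to a prefix, removes duplicates and generates the route commands, and adds a check that shows the limitation eibgrad raises earlier in the thread, namely that an address never returned for a listed domain is not covered by any generated route. Assumptions: SAMPLE_LOOKUP is a constructed stand-in for a real nslookup run with documentation addresses, the gateway is passed as an argument, and routes are built per /24 rather than the /16 the script above uses (the prefix length is a one-line change in to_prefix).

```shell
#!/bin/sh
# Added example: domain-to-route generation for selective (VPN bypass) routing.
# Not the poster's startup script; assumes BusyBox nslookup output format.

# Constructed nslookup output for one domain (documentation addresses only).
SAMPLE_LOOKUP='Server:    192.168.1.1
Address 1: 192.168.1.1 router.lan

Name:      example-cdn.test
Address 1: 203.0.113.10 a.example-cdn.test
Address 2: 203.0.113.27 b.example-cdn.test
Address 3: 198.51.100.5 c.example-cdn.test'

# Prints the IPv4 answers from nslookup output on stdin, one per line.
# Lines before "Name:" describe the resolver itself and are skipped;
# only dotted-quad third fields are accepted, so IPv6 or junk lines drop out.
answers() {
    awk '/^Name:/,0 { if (/^Address/ && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $3 }'
}

# Reduces an IPv4 address to its /24 prefix: 203.0.113.10 -> 203.0.113.0/24.
to_prefix() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# Reads addresses on stdin, prints the distinct prefixes that cover them.
prefixes_for() {
    while read -r ip; do
        to_prefix "$ip"
    done | sort -u
}

# Reads addresses on stdin, emits one "ip route add" per distinct prefix
# toward the WAN gateway given as $1 (print them, then run them on the router).
route_commands() {
    gw="$1"
    prefixes_for | while read -r net; do
        echo "ip route add $net via $gw"
    done
}

# is_covered ADDRESS, with the prefix list on stdin: returns 0 when ADDRESS
# falls inside one of the generated prefixes, 1 when it would still take the
# default (VPN) route, which is what happens to a raw IP the app never resolved.
is_covered() {
    want="$(to_prefix "$1")"
    grep -qxF "$want"
}

# Usage on the router: nslookup in.alice.it | answers | route_commands "$(nvram get wan_gateway)"
```

Piping through sort -u matters once several domains are listed: the script above issues one route per answer, so two hosts in the same block produce a duplicate `ip route add` that fails with "File exists" on the second attempt.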
I just installed your dd-wrt-startup-script today and it worked great with my VPN and opened up Netflix, but my Amazon Prime Videos are still blocked. Is there a way that I can find the URLs that Amazon is using to stream their videos to my location so I can add those URLs to your script?