VPN Policy-Based Routing + Web UI - ARCHIVE #1

I got this to work, and it looks quite interesting. I wanted to try this as a way to unblock BBC iPlayer using a UK-based VPN and route everything else through my ISP. I was able to get it to work in some hackish ways, but I'm hoping there is a better way. The problem is that routing the top level site like bbc.co.uk is not enough since it will later call several other sites for the CDN. You can create a manual list of sites and IPs, but that's not very scalable. Is there a better approach? Some form of smart recursion? If that's not possible, is it possible to do regex in the domain list?

You are correct. It's the same issue nart has with Netflix; just doing the top level domain is not enough. I had a similar thing with the horizon.tv app UPC in some countries provides to watch TV on Android and Apple devices. I had to log DNS requests on my router for a bit to see what DNS requests the app was doing and then put all those in the config file. I don't think there is a solution to this; these DNS names are hard coded in the app or web page and you can only know what they are by seeing the actual DNS requests.
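The "log DNS requests, then put them in the config file" approach above, as an added shell example that is not part of the thread: it pulls the unique names one client resolved out of a dnsmasq query log and turns them into dnsmasq `ipset=` lines. The log excerpt, the client and upstream addresses, and the ipset name `tun0route` are all constructed for the example; the log format assumed is the `logread` style with `query[...]`, `name`, `from`, `client` tokens as emitted by dnsmasq `log-queries`.

```shell
# Constructed dnsmasq log-queries excerpt in logread format (addresses are made up).
SAMPLE_LOG='Thu Mar  9 20:01:10 2017 daemon.info dnsmasq[1234]: query[A] www.example.net from 192.168.1.50
Thu Mar  9 20:01:10 2017 daemon.info dnsmasq[1234]: forwarded www.example.net to 192.0.2.53
Thu Mar  9 20:01:10 2017 daemon.info dnsmasq[1234]: reply www.example.net is 203.0.113.10
Thu Mar  9 20:01:11 2017 daemon.info dnsmasq[1234]: query[A] cdn1.example-cdn.com from 192.168.1.50
Thu Mar  9 20:01:11 2017 daemon.info dnsmasq[1234]: query[AAAA] cdn1.example-cdn.com from 192.168.1.50
Thu Mar  9 20:01:12 2017 daemon.info dnsmasq[1234]: query[A] telemetry.other.org from 192.168.1.77
Thu Mar  9 20:01:13 2017 daemon.info dnsmasq[1234]: query[A] www.example.net from 192.168.1.50'

# queried_domains LOG CLIENT_IP
# Prints the unique names that CLIENT_IP asked for (A and AAAA queries only).
# The token scan does not depend on the syslog prefix, so hostnames/timestamps
# of a different length do not break it.
queried_domains() {
  printf '%s\n' "$1" | awk -v client="$2" '
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^query\[(A|AAAA)\]$/ && $(i + 2) == "from" && $(i + 3) == client)
          print $(i + 1)
    }' | sort -u
}

# ipset_config LOG CLIENT_IP IPSET
# Emits one dnsmasq "ipset=/name/IPSET" line per name, ready to drop into a
# dnsmasq config file; dnsmasq then fills IPSET with the addresses it resolves.
ipset_config() {
  queried_domains "$1" "$2" | awk -v set="$3" '{ printf "ipset=/%s/%s\n", $1, set }'
}

# Example run against the constructed log for the media device 192.168.1.50
ipset_config "$SAMPLE_LOG" 192.168.1.50 tun0route
```

Review the emitted list before installing it: the client's log also contains names unrelated to the service you are routing, and each `ipset=` entry routes that name and every sub-domain of it.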

By remote port and/or local IP maybe?

Regarding regex in ipset lists -- it's up to dnsmasq (or another resolver) to implement this. My service only creates the ipsets/routing, dnsmasq is resolving domains from the lists and puts their ip addresses into the ipset this service creates. My impression is that any domain entry in dnsmasq's list routes any sub-domain thru the same ipset.

There's probably a way to implement on-the-fly rerouting for a set period of time for specific IP but it would be much easier to just create a fixed policy for specific IP.

PS. Thanks for PM, I appreciate it.

Regarding the geo-blocking issue, I was wondering if it's possible to recursively tag/mark the packets going in and out of an interface like tun0. This would automatically ensure that any new requests made from the page are also routed to tun0. So in theory, you should only need a small set of domains for the top level page to be added to the list, and any new requests/responses will get automatically tagged.

I also found this https://github.com/ab77/netflix-proxy/issues/180#issuecomment-224166147 which I think does something similar? Can this be added to this framework?

I'm not quite sure I fully understand what you mean/want to achieve. AFAIK packets are not nested, so what do you mean by "recursively"?

What I want to achieve is circumventing geo-blocked services without complicated manual filter lists. The ideal case scenario would be to set a small set of top level domains to be routed to the VPN, and somehow every request that my browser/device makes from those top level websites also gets routed automatically through the VPN. I'm not fully sure if this is achievable though. It seems impossible with HTTPS traffic, but even with HTTP traffic it may be difficult. Does the previously linked GitHub comment have any ideas that can be used?

That can be easily done with the dedicated media device with static IP and that IP routing thru the tunnel of your preference.

At the level this service operates it's impossible; it has to be done at a higher level. You can probably write a browser extension or a proxy service to add domains/remote IPs to the ipset on the fly.

From my cursory look, it helps you add a ton of AS2906 (Netflix) IP addresses to an ipset by running a special script (nfroutes.sh). You can modify and use the same script to work with the ipsets this service creates (except that I couldn't find the whob package for LEDE).

> What I want to achieve is circumventing geo-blocked services without complicated manual filter lists. The ideal case scenario would be to set a small set of top level domains to be routed to the vpn, and somehow every request that my browser/device makes from those top level websites also gets routed automatically through the vpn. I'm not fully sure if this is achievable though. It seems impossible with https traffic, but even with http traffic it may be difficult. Does the previously linked github comment have any ideas that can be used ?

The problem is that your router can't know if the other requests are from your browser or from something else. And if they are from your browser, are they from that website or some other website?

To do that sort of thing, you would need a MITM proxy that re-wrote all the links on the page.

The only safe thing is that if you are trying to defeat tracking, you need to put everything through the VPN/Tor (the recent tracking of child porn viewers who used Tor worked because they sent things to the browser that the browser then used over non-Tor links).

David Lang

This is fantastic, I'm going to try it out right away.
Could you consider adding DSCP tag as an option?
I tag packets based on application as to whether I want them to go over the VPN or not.

If anyone else is interested in testing DSCP, here's a copy of my PM to @bluenote:

In build 4.1.4-6 use DSCP 1 for WAN, DSCP 2 for tun0 and so on. When testing, it would be a great idea to uninstall SQM as (as you've pointed out) it might get in the way. I can experiment with other DSCP values for tunnels if this works.

The steps/requirements to install are listed in the README. Since the packages are not in the repo yet, you'd have to use command line to install them.

One more thing to enable dscp you'd have to run:

uci set openvpn-policy-routing.config.set_dscp=1
uci commit openvpn-policy-routing
/etc/init.d/openvpn-policy-routing reload

You can then run /etc/init.d/openvpn-policy-routing support and you should see stuff like:

-A OVPBR_MARK -m set --match-set wanroute dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OVPBR_MARK -m dscp --dscp 0x01 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OVPBR_MARK -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OVPBR_MARK -m dscp --dscp 0x02 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000

The -m dscp lines indicate DSCP-based matching is on.
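A check for the `support` output described above, as an added shell example (not part of the thread or of the openvpn-policy-routing package): it confirms that DSCP matching is on and pairs each DSCP value with the ipset that sets the same fwmark, so a DSCP value that quietly lands on the wrong gateway, or on none, shows up before any traffic is trusted to it. The rule lines are a constructed copy of the four quoted above; on a router you would feed the function the OVPBR_MARK chain dump from the `support` output instead.

```shell
# Constructed copy of the OVPBR_MARK rules quoted from the support output (counters zeroed).
SAMPLE_RULES='-A OVPBR_MARK -m set --match-set wanroute dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OVPBR_MARK -m dscp --dscp 0x01 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OVPBR_MARK -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OVPBR_MARK -m dscp --dscp 0x02 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000'

# dscp_enabled RULES: exit 0 when at least one "-m dscp --dscp" match rule is present
dscp_enabled() {
  printf '%s\n' "$1" | grep -q -- '-m dscp --dscp '
}

# dscp_gateways RULES: one line per DSCP rule, "<dscp> <fwmark> <ipset>", where
# <ipset> is the set whose rule writes the same fwmark (i.e. the gateway that
# DSCP value is steered to). "UNMAPPED" means no ipset rule shares the mark.
dscp_gateways() {
  printf '%s\n' "$1" | awk '
    {
      mark = ""; set = ""; dscp = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "--match-set") set  = $(i + 1)
        if ($i == "--dscp")      dscp = $(i + 1)
        if ($i == "--set-xmark") { split($(i + 1), m, "/"); mark = m[1] }   # keep value, drop mask
      }
      if (set  != "") setof[mark]  = set     # ipset rule  -> fwmark it sets
      if (dscp != "") dscpof[mark] = dscp    # dscp rule   -> fwmark it sets
    }
    END {
      for (mark in dscpof)
        printf "%s %s %s\n", dscpof[mark], mark, (mark in setof) ? setof[mark] : "UNMAPPED"
    }' | sort
}

# Example run against the constructed rules
if dscp_enabled "$SAMPLE_RULES"; then
  echo "DSCP matching is on; DSCP -> fwmark -> gateway ipset:"
  dscp_gateways "$SAMPLE_RULES"
else
  echo "no DSCP match rules found (set_dscp is off or the service did not reload)"
fi
```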

I only started using lede recently, so I'm timid about upgrading :slight_smile: but I will work on it.
In the meantime if anyone is interested in testing DSCP on windows, I'm happy to lend advice about setting that part of it up, as mine is tested and working.
This allows, for example, tagging chrome traffic to go through the vpn, or not, or tag your torrent program, etc, while not having all your traffic on the box go through the tunnel.
I can't wait to try this out as this is the cadillac solution :slight_smile:

4.1.4-7 should be fully IPv6-compatible (and Web UI lets you add IPv6 rules too). Would appreciate feedback.

PS. I've also fixed an ugly gap between tabs (IPv4/IPv6-policies) and their content for theme-material. It's actually a bug in theme-material, but I don't have the skills to hunt it down and fix it, so I've made a work-around. From my testing, it doesn't affect theme-bootstrap (neither the bug nor my fix).

@bluenote's reports helped me discover and fix a number of bugs in both the main app and web ui, please update to the latest versions from github if you're experiencing any issues.

4.1.4-10 and -4 luci app support assigning DSCP tags for specific gateways (WAN/OpenVPN tunnels).

Can be used to tag specific app/program traffic for specific gateway. @bluenote if you could link a good manual on how to tag specific app traffic on Windows 10, I'd be grateful.

I am new to LEDE and linux so forgive me if I am bringing up basic operator problems.

I got OPENVPN Routing working on "LEDE-STABLE Reboot 17.01-SNAPSHOT r3267-f4fc12f / LuCI lede-17.01 branch (git-17.061.45451-2fe510b)" by doing the following:

Via GUI Software I installed or checked the packages were installed:
bind-host
ip-full
iptables

Remove dnsmasq

Manual install (--force-depends)

dnsmasq-full (Base system)
ipset (Network)

Copied IPKs from: "https://downloads.lede-project.org/releases/packages-17.01/arm_cortex-a9_vfpv3/base/"

Copy to /tmp and install: opkg --force-depends install /tmp/ and file name

(I forced the install to ignore the dependencies warnings.)

dnsmasq-full_2.76-6_arm_cortex-a9_vfpv3.ipk
ipset_6.30-1_arm_cortex-a9_vfpv3.ipk

Copied from this site's download links to /tmp and installed: opkg install /tmp/ and file name

openvpn-policy-routing.ipk
luci-app-openvpn-policy-routing.ipk

I setup what I wanted using the Open Routing LUCI App.

OpenVPN Routing seems to work fine but I get the following errors in the System Log:

Thu Mar 9 16:03:53 2017 user.notice openvpn-policy-routing [14002]: ERROR: service failed to find any gateway!

Thu Mar 9 16:03:54 2017 daemon.err modprobe: failed to find a module named xt_set
Thu Mar 9 16:03:54 2017 daemon.err modprobe: failed to find a module named ip_set
Thu Mar 9 16:03:54 2017 daemon.err modprobe: failed to find a module named ip_set_hash_ip

What can I do to eliminate these errors? Can I just ignore them?

I think it's a bad idea -- you're on a 17.01-snapshot version and you force-installed packages from the 17.01-release.

The errors you get are an indication of things not working. Likely from you force-installing mismatched version packages.

If I were you, I'd flash the router with the 17.01-release and start clean.

Even though this isn't a guide, it functions as one. Surprisingly, there aren't any step by step guides that are easy to find. But, having done this successfully, I can confirm this is all you need to do to tag packets on Windows 10.

I'll be trying updated version shortly, thanks stangri for all your work on this!

I am confused. Isn't 17.01 the same from snapshot or a 17.01 release?

No it isn't.

Ok.

Down to the basic problem, how do I add your OpenVPN Routing application to "LEDE-STABLE Reboot 17.01-SNAPSHOT r3267-f4fc12f / LuCI lede-17.01 branch (git-17.061.45451-2fe510b)" without errors or dependency problems when installing the support packages (i.e. dnsmasq-full) required for your application?