First things first: thank you for this amazing tool!!! I've been trying to make selective routing work for ages without success. However, I cannot get VPN Bypass to work just yet.
My goal is to have all traffic go through the VPN at all times but for specified domains. At the minute Netflix is the only one I would like/need to work.
Now, I can traceroute and see that the traffic toward Netflix is correctly going out of the VPN tunnel, BUT Netflix somehow still complains about a proxy error when I try to play something. I'm not sure what Netflix catches to see my traffic still as a VPN when it is actually going via my ISP. I'd be grateful if you could help me.
Here's my config:
Luci App VPN Bypass is basically empty but for the domain field:
Here's the DNSMasq config. External DNS per domain was set up just in case Netflix would complain about the VPN just because of the Mullvad DNS IP. No luck; the other two sites are to check data of the traffic. I'll remove them eventually.
root@lede-wyn:config# cat dhcp
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option nonwildcard '0'
	option localservice '1'
	option dnssec '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	list ipset '/ipleak.net/ipx.ac/netflix.com/vpnbypass'
	list server '/ipleak.net/37.235.1.174'
	list server '/ipx.ac/37.235.1.174'
	list server '/netflix.com/37.235.1.174'
	list server '/ipleak.net/37.235.1.177'
	list server '/ipx.ac/37.235.1.177'
	list server '/netflix.com/37.235.1.177'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
I use Mullvad VPN and it forces the DNS to be the one provided by them within their VPN network/tunnel. The way it does this is by a vpn.up script that moves /tmp/resolv.conf.auto and replaces it with one containing their DNS only:
root@lede-wyn:config# for i in $(ls /tmp/resolv.conf*); do echo $i; cat $i; echo; done
/tmp/resolv.conf.auto
nameserver 10.8.0.1
/tmp/resolv.conf.auto.hold
# Interface wan
nameserver 37.235.1.174
nameserver 37.235.1.177
Also, firewall routing is: lan -->> vpn -->> wan.
I tried to solve this mystery by myself without luck. I hope the forum can enlighten me.
Maybe that's how Netflix is figuring out you're using a VPN. If ipx.ac reports your real WAN IP address instead of the public VPN IP address, the vpnbypass service is working. As to why it's still not fooling Netflix, I have no idea.
The port forwarding works fine when openvpn and vpnbypass are off, but not when they are on. Things I've already tried: Configuring the port forwarding a different way (using iptables entries in /etc/firewall.user), adding port 22 to vpnbypass's list of local and remote trigger ports. No joy yet.
Please, how does one setup port forwarding from ISP's public IP to a device on vpnbypass subnet?
I discovered something new: While I cannot connect to the laptop at 192.168.10.61 from any machine in my home network (regardless of whether the machine is on vpnbypass or not), I am able to connect to that laptop from an outside network. I hadn't tried connecting remotely because I usually test things out at home first.
I'm a total networking noob, but shouldn't port forwarding work regardless of where the ssh client is connecting from? Maybe this is a routing issue, which at this point is way beyond my ability to diagnose and troubleshoot.
There's some preliminary wg support code in VPNBypass's older brother -- OpenVPN Policy Routing. If you set your wg routing correctly so that it doesn't become the default route (and hence OPR is unable to tell what the true WAN is), it should work.
I've been using vpnbypass for a few months and have really liked it, but for some reason I have never been able to get domain based rules working. I followed some of the advice in this thread and I think for some reason the "ipset save" command isn't behaving how it's supposed to. Here is a relevant excerpt from /etc/config/dhcp:
	option port '54'
	option nonwildcard '0'
	list ipset '/whatsmyip.org/www.whatsmyip.org/vpnbypass'

config dhcp 'lan'
And the output from ipset save:
root@LEDE:/etc/config# ipset save
create vpnbypass hash:ip family inet hashsize 1024 maxelem 65536
Other users reported that some output such as "add vpnbypass ipaddr" should follow that command, but I'm not seeing it. Additionally, the IP isn't appended in /etc/config/dhcp.
The only thing I can think of that makes my system unique is that I have unbound running on port 53 and dnsmasq on port 54, with dnsmasq forwarding DNS lookups to unbound. dnsmasq is mainly there to provide dhcp while unbound handles domain name resolution. Could this cause issues with the domain routing functionality?
Yes, that's the reason. If you want domain-based rules to work properly, you need dnsmasq-full working as name resolver.
PS. vpn-policy-routing has finer settings and you can set it to create ipsets without dnsmasq, however it will only resolve the domain provided at run time and it won't then (without dnsmasq) work on the sub-domains.
Thanks a lot for the quick response. I'm fairly new to dnsmasq and unbound--could I skirt this issue by letting dnsmasq resolve domain names and just setting an unbound instance as the upstream DNS server? Or would that not work for some reason? If that'd work, I'm not really sure why I'm not doing that presently.
Yes, if dnsmasq-full (yes, you need the dnsmasq-full and not just dnsmasq) is resolving domain names, it should be adding domain names to ipsets on first use/when idle. The scenario you described above should work.
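To check a dnsmasq per-domain ipset rule offline before reloading, here is an added example script; it is not from the thread or from the vpnbypass package. It reproduces dnsmasq's matching for `ipset=/dom1/dom2/setname` rules (a queried name matches when it equals one of the listed domains or is a subdomain of it, which is why the earlier post's `/netflix.com/` entry also catches `www.netflix.com`) and reads set members out of `ipset save` output. The rule string and the two `ipset save` samples are constructed for the example, and the 198.51.100.x addresses are documentation placeholders, not real Netflix or whatsmyip addresses.

```shell
#!/bin/sh
# Added example (not part of the forum thread or the vpnbypass package):
# offline checks for dnsmasq's per-domain ipset rule syntax, e.g. the
# `list ipset '/ipleak.net/ipx.ac/netflix.com/vpnbypass'` line shown above.
# POSIX sh only, so it also runs under busybox ash on the router.

# ipset_rule_set RULE -> prints the set name (the last path component).
ipset_rule_set() {
    printf '%s\n' "${1##*/}"
}

# ipset_rule_domains RULE -> prints the listed domains, one per line.
ipset_rule_domains() {
    rule=${1#/}          # drop the leading slash
    rule=${rule%/*}      # drop the trailing /setname
    printf '%s\n' "$rule" | tr '/' '\n'
}

# domain_matches NAME DOMAIN -> 0 if NAME is DOMAIN or a subdomain of it.
# Note that "notnetflix.com" must NOT match "netflix.com": only a label
# boundary (".netflix.com") counts, which is what dnsmasq does.
domain_matches() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$name" = "$dom" ] && return 0
    case "$name" in
        *."$dom") return 0 ;;
    esac
    return 1
}

# rule_covers RULE NAME -> 0 if dnsmasq would add NAME's answers to the set.
rule_covers() {
    for d in $(ipset_rule_domains "$1"); do
        domain_matches "$2" "$d" && return 0
    done
    return 1
}

# ipset_members SAVE_OUTPUT SETNAME -> prints the addresses that `ipset save`
# lists for SETNAME (lines of the form "add SETNAME ADDRESS").
ipset_members() {
    printf '%s\n' "$1" | awk -v set="$2" '$1 == "add" && $2 == set { print $3 }'
}

# Constructed sample data modelled on the posts (addresses are placeholders).
RULE='/ipleak.net/ipx.ac/netflix.com/vpnbypass'
SAVE_EMPTY='create vpnbypass hash:ip family inet hashsize 1024 maxelem 65536'
SAVE_OK="$SAVE_EMPTY
add vpnbypass 198.51.100.10
add vpnbypass 198.51.100.11"

# Demo: which names would the rule feed into the set, and what is in it now?
for n in www.netflix.com netflix.com notnetflix.com api.ipx.ac example.org; do
    if rule_covers "$RULE" "$n"; then
        echo "$n: covered by set $(ipset_rule_set "$RULE")"
    else
        echo "$n: NOT covered"
    fi
done
echo "members of vpnbypass (empty set, as in the post):"
ipset_members "$SAVE_EMPTY" vpnbypass
echo "members of vpnbypass (populated set):"
ipset_members "$SAVE_OK" vpnbypass
```

On the router, replace the `SAVE_OK` sample with `"$(ipset save)"` after a client has looked up one of the names. If a name is covered by the rule but the set stays empty, the resolver answering that client is not the dnsmasq instance that carries the rule (the unbound-on-port-53 layout described above), or the installed dnsmasq was built without ipset support, which is what the dnsmasq-full requirement is about.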
Thanks so much for your help @stangri! I reconfigured dnsmasq and unbound so that dnsmasq handles queries from the LAN and forwards external domain queries to unbound, rather than having unbound handle queries and then pass local domain names back to dnsmasq. This fixed the issue.
I upgraded to the latest LEDE firmware for my Linksys 1900ACS and I'm having trouble adding your repo to my router with this command. Do you know what might be going on? Thanks.