Automated Custom Policy Routing - v1.3

Discussion in 'Tomato Firmware' started by rs232, Dec 18, 2018.

  1. rs232

    rs232 Network Guru Member

    I have started to use Policy routing more and more. I have noticed though that the current implementation relies heavily on NVRAM. Nothing wrong with the NVRAM but if you have lots of domains/IP you want to selective transfer via VPN connectivity the GUI doesn't scale very well. Also you might have a "list" of domains you just want to paste somewhere rather than add them manually one by one.

    At voila' ACPR does this for you. Just change the path on the first command here below

    Code:
    cd /mnt/usb/
    wget https://pastebin.com/raw/iUaFvRPx -O ./acpr.sh
    chmod 777 ./acpr.sh
    
    It is a self-contained script you just need to add IPs and/or domains to the CustomPolicyRouting variable at the very top of the script and run it. What it does is very trivial, it adds IPs to the ipset- vpnrouting311. Giving you have policy routing enabled on the GUI this script will work out of the box.


    ScreenShot017.png

    To verify:

    ScreenShot016.png

    Ideally you would add something like this this at the very bottom of you firewall script:
    Code:
    sleep 5 && /mnt/usb/acpr.sh
    Changelog:

    v1.3 removed reference to uniq and respect DNS resolver IP if already present in policyrouting
    v1.2 Ensure nslookup resolution are performed via VPN
    v1.1 Running from the console will display full verbose logging but only start/stop/exceptions are now recorded in the syslog
    v1.0 Initial release

    Merry Christmas :)
     
    Last edited: Jan 10, 2019
  2. Jason Meudt

    Jason Meudt Serious Server Member

  3. rs232

    rs232 Network Guru Member

    I haven't see this before so take my comments not too seriously.
    I think his (very well written btw) goes down to low level and somehow replaces the policy routing implementation of tomato. read this comment:

    # - this script is NOT compatible w/ the routing policy tab of the
    # openvpn client gui

    This script of mine instead is way simpler and definitely unpretentious but it does integrate (and actually needs) the OpenVPN Policy Routing GUI.
     
  4. Edrikk

    Edrikk Network Guru Member

    Just a heads-up that the VPN ARM (r7000 in this case) build seems to not contain the "uniq" command, so this throws a uniq not found error as part of the grep...
     
  5. rs232

    rs232 Network Guru Member

    Well spotted! this is what happens when you write scripts with entwere enabled. Try v1.3 I have just uploaded.
     
    Last edited: Jan 10, 2019
  6. Edrikk

    Edrikk Network Guru Member

    Perfect yup all good.
    Final thing... Both the last version and this one have windows line endings... since this would be used not in Windows you may want to clean that up... :)

    sed -i 's/\r//g' acpr.sh

     
    rs232 likes this.
  7. rs232

    rs232 Network Guru Member

    Ok well spotted it must be because I use notepad++ on windows I'll correct immediately. Thanks for the feedback!
     
    Last edited: Jan 12, 2019
    Edrikk likes this.
  8. Edrikk

    Edrikk Network Guru Member

    Really good job with this!

    Out of curiosity, with the knowledge you have (gained?) with this, do you think you can decipher why the “built-in” functionality doesn’t work for domains?

    Yours works perfectly. :)
     
  9. rs232

    rs232 Network Guru Member

    Ah Thanks :) AFAIK the internal routing policy does work with domains. I've been using Freshtomato for sometime with policy routing set. It's just that via the GUI you have to add record manually and you have a long list it just doesn't scale. And BTW you can mix and match this script with the GUI they both achieve the same result which essentially is: adding IPs into the ipset vpnrouting311.

    One thing you might want to try based on your setting is to compare how your LAN client, Tomato Router and online DNS resolution resolve the very same domain. There might be an issue there but it's a pure guess.

    Finally as I personally have 2xVPN connections (3 with tinc actually but this latter is not in scope here) I have 2x ACPR scripts, one pointing to vpnrouting311 (Policy Routing for VPN Client 1) and one for vpnrouting312 (Policy Routing for VPN Client2). Each script has the ipsetpolicy variable set accordingly. I might release another version to have multiple clients in one script although this is rare AFAIK
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice