I would be interested in your work as I am currently experiencing problems trying to get multiple ASNs to work using multiple ".user" files.
My understanding is that your script could be used as a "master" ".user" file in a "one file does all scenario". Is this understanding correct?
If so, some simple instructions on what to adjust in your script would be appreciated, as I really am a newbie when it comes to reading these script languages and am not really sure what it is doing.
1 Like
I'd made a few improvements and added comments but had to revert to the original version without comments...
handle_ipset_names() {
cat <<'TTT'
netflix vpn_a asn 2906
disney vpn_b asn 8137
disney2 vpn_b asn 30224
TTT
}
in the above change field2 to your vpn-logical-interface-name and the asn-number to whatever you need... remove or add more lines for what you do or do not need
OK, sounds easy, will try it this weekend.
For confirmation, I save this as a script file with ".user" extension and it will be run by VBR app as the other ".user" files?
1 Like
yup... actual name does not matter afaik... so long as it matches the section in the config file
config include
option path '/etc/SCRIPTNAME'
option enabled '1'
1 Like
stangri
1507
I'm not going to touch VPR anymore, but I was thinking that for PBR I want to modify the user scripts to save the downloaded file so that even if you have 2 or 3 scripts, after 2 or 3 delayed restarts/reloads all the files end up downloaded and you'll get a properly working setup (until reboot).
1 Like
techel
1508
Tried on VPR 0.2.1-13, but no luck. Can you have a look and let me know what's wrong?
Output of /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.1.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default edge.lan 0.0.0.0 UG 0 0 0 eth0.2
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -d 37.1.202.102/32 -m comment --comment BTDIG_btdig_com -c 0 0 -g VPR_MARK0x040000
============================================================
Current ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
Output of /etc/init.d/vpn-policy-routing reload:
Creating table 'wan/eth0.2/192.168.1.2' ip: invalid argument '0x010000/0xff0000' to 'fwmark'
[✗]
Creating table 'Wireguard/192.168.3.1' ip: invalid argument '0x020000/0xff0000' to 'fwmark'
[✗]
Creating table 'ERX/eth0.2/192.168.1.1' ip: invalid argument '0x030000/0xff0000' to 'fwmark'
[✗]
Creating table 'Cloudflare/172.16.0.2' ip: invalid argument '0x040000/0xff0000' to 'fwmark'
[✗]
Routing 'BTDIG' via Cloudflare [✓]
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan Wireguard ERX Cloudflare [✓]
ERROR: Failed to set up 'wan/eth0.2/192.168.1.2 [✓]'
ERROR: Failed to set up 'Wireguard/192.168.3.1'
ERROR: Failed to set up 'ERX/eth0.2/192.168.1.1 [✓]'
ERROR: Failed to set up 'Cloudflare/172.16.0.2'
ERROR: failed to set up any gateway!
WARNING: The 'resolver_ipset' is set to 'dnsmasq.ipset', but DNSMASQ ipsets are not supported on this system!
earth08
1509
I have configured my getflix vpn under openvpn which I have configured through luci.
Thanks
Is anyone else having problems with the Netflix.user file?
I get the error "Error running custom user file '/etc/vpn-policy-routing.netflix.user'!" on reboot or restart VBR.
When I check the website BGPView - BGP Toolkit and BGP ASN Routing Lookup Tool and do a manual lookup of an ASN I get the error "Whoops, looks like something went wrong."
This is the site used in the NetFlix .user file for ASN lookup.
Is this site down or is it my setup?
this is the same output that was shown on two consecutive lookups... so probably a tmp ban/limit at their end...
1 Like
So will it clear at some point or do I need to adjust the NetFlix.user file to use the
#DB_SOURCE='ipinfo.io'
instead of the
DB_SOURCE='api.bgpview.io'
?
you can try it... in my case simply sleeping 2 seconds before the 'get' command stopped all issues...
(but I only triggered their rate limiter 2-3 times... it's possible many frequent queries might have triggered a longer duration)
notes
ideally... the script should validate addresses received and incorporate a retry loop with backoff... but that has implications on startup time... so kind of needs to be forked and a backup list of ip's available...
I am a bit confused.
When I got the VBR error I went to the actual website via MS Edge BGPView - BGP Toolkit and BGP ASN Routing Lookup Tool and got the "whoops" error. I retried about an hour later and same problem.
I think your answer above was what I was working on last week with multiple .user files. Thanks, will try it once this is straightened out.
Can you search an ASN such as Netflix 2906 on the bgpview website without getting the error I noted before?
Where do I place
sleep 2
in the below script?
TARGET_IPSET='wan'
TARGET_ASN='2906'
TARGET_FNAME="/var/vpn-policy-routing_tmp_AS${TARGET_ASN}"
#DB_SOURCE='ipinfo.io'
#DB_SOURCE='api.hackertarget.com'
DB_SOURCE='api.bgpview.io'
_ret=1
if [ ! -s "$TARGET_FNAME" ]; then
    if [ "$DB_SOURCE" = "ipinfo.io" ]; then
        TARGET_URL="https://ipinfo.io/AS${TARGET_ASN}"
        curl "$TARGET_URL" 2>/dev/null | grep -E "a href.*${TARGET_ASN}\/" | grep -v ":" | sed "s/^.*<a href=\"\/AS${TARGET_ASN}\///; s/\" >//" > "$TARGET_FNAME"
    fi
    if [ "$DB_SOURCE" = "api.hackertarget.com" ]; then
        TARGET_URL="https://api.hackertarget.com/aslookup/?q=AS${TARGET_ASN}"
        curl "$TARGET_URL" 2>/dev/null | sed '1d' > "$TARGET_FNAME"
    fi
    if [ "$DB_SOURCE" = "api.bgpview.io" ]; then
        TARGET_URL="https://api.bgpview.io/asn/${TARGET_ASN}/prefixes"
        curl -s "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_FNAME"
    fi
fi
if [ -s "$TARGET_FNAME" ]; then
    awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_FNAME" | ipset restore -! && _ret=0
fi
rm -f "$TARGET_FNAME"
return $_ret
good question... looks like they've beefed up blockages... just got hit with a captcha
<div class="cf-column">
<h2 data-translate="why_captcha_headline">Why do I have to complete a CAPTCHA?</h2>
<p data-translate="why_captcha_detail">Completing the CAPTCHA proves you are a human and gives you temporary access to the web property.</p>
</div>
above curl... but given the above... seems a much more robust method is going to be needed across the board...
try another provider... bgpview looks pretty muffed
1 Like
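An added example, not written by any poster in this thread and not part of vpn-policy-routing: one way to do the validation, retry with backoff and backup list suggested above, so that a CAPTCHA or error page like the one just quoted never reaches `ipset restore`. The function names `filter_prefixes`, `fetch_bgpview` and `get_prefixes`, the `MAX_TRIES` and `BACKOFF_BASE` variables and the cache file argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: names below are illustrative, not part of vpn-policy-routing.

# Keep only lines that are a syntactically valid IPv4 CIDR (a.b.c.d/n).
# An HTML error or CAPTCHA page yields no output at all.
filter_prefixes() {
    awk -F'[./]' 'NF == 5 && /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 && $5 <= 32'
}

# Fetcher built from the curl/jsonfilter line in the script quoted above.
fetch_bgpview() {
    curl -s "https://api.bgpview.io/asn/${TARGET_ASN}/prefixes" |
        jsonfilter -e '@.data.ipv4_prefixes[*].prefix'
}

# get_prefixes FETCH_FN OUT_FILE CACHE_FILE
# Returns 0 = fresh list, 2 = served from cache, 1 = nothing usable.
get_prefixes() {
    fetch_fn=$1; out=$2; cache=$3
    max=${MAX_TRIES:-4}
    delay=${BACKOFF_BASE:-2}
    attempt=1
    while [ "$attempt" -le "$max" ]; do
        # Only validated prefixes are ever written to disk.
        "$fetch_fn" 2>/dev/null | filter_prefixes > "$out.tmp"
        if [ -s "$out.tmp" ]; then
            mv "$out.tmp" "$out"
            cp "$out" "$cache"      # refresh the backup list
            return 0
        fi
        if [ "$attempt" -lt "$max" ]; then
            sleep "$delay"          # back off: 2s, 4s, 8s by default
            delay=$((delay * 2))
        fi
        attempt=$((attempt + 1))
    done
    rm -f "$out.tmp"
    if [ -s "$cache" ]; then        # provider unusable: use last good list
        cp "$cache" "$out"
        return 2
    fi
    return 1
}
```

The output file can then be fed to the existing `awk ... | ipset restore -!` line. The cache file needs to sit on persistent storage rather than under `/var` if the backup list is to survive a reboot.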
Thanks for the confirmation that it is not just my setup. Way above my capabilities so will wait until you or others much more knowledgeable than I are able to figure out a fix.
1 Like
this will get you by for a day or three (place above the curl command);
TARGET_URL="https://raw.githubusercontent.com/wulfy23/rpi4/master/misc/asn/netflix.txt"
FYI - I tried the https://bgpview.io/ website just now and it is back to working when I search the NetFlix ASN 2906. It was not working yesterday. I cannot at the moment test if the .user file will work but will try in a couple of days.
1 Like
Smim0
1520
Hi,
I am running a wireguard client and server on my openwrt 21.02.1, using the exact same configuration proposed in the readme documentation.
When I set up scenario 2 from the documentation (wireguard NOT as default routing), everything WORKS just perfect.
When I set up scenario 1 from the documentation (wireguard as default routing), the tunnel connection is NOT established. Running a quick tcpdump I found out that my wireguard server receives the packets from the client successfully to port 61820 BUT the answer packets are sent back to the client from a random port and NOT from the 61820.
Example of tcpdump
21:42:21.082994 PPPoE [ses 0x1018] IP <clientip>.38371 > <serverip>.61820: UDP, length 148
21:42:21.093490 PPPoE [ses 0x1018] IP <serverip>.12717 > clientip.38371: UDP, length 92
As you can see the server is sending back the packets from the port 12717 in this case.
Anyone having a similar issue?
Smim0
1521
I think the issue is related to the UDP protocol
When I set up an openvpn server/client, if I run the server with TCP protocol everything works just perfect. But if I set up UDP I get these messages
<clientip>:58382 TLS Error: tls-crypt unwrapping failed from [AF_INET]<clientip>:58382
Running tcpdump I got the exact same issue:
10:19:49.008927 PPPoE [ses 0xf6c] IP <clientip>.63216 > <serverip>.49114: UDP, length 353
10:19:49.011629 PPPoE [ses 0xf6c] IP <serverip>.43644 > <clientip>: UDP, length 66
I am running the ovpn server in port 49114, as you can see my server responds back using a different random port.
Thanks
@anon50098793
Had a chance to revert to "api.bgpview.io" in the .user files and it works fine again.
I also added sleep 2 before the CURL commands and now I can have multiple ASNs brought in to the tables. It does not seem to be delayed too much as far as I can notice and, in any case, is OK for my setup.
Thanks for the help.
1 Like