openmptcprouter
OMR-Bypass an IP address is not working
Expected Behavior
An IP address added to OMR-Bypass should bypass the MPTCP vpn and route via a WAN connection instead of through the VPS
Current Behavior
An IP address added to OMR-Bypass is still routing via the VPS server. I've also added the MAC address of the client to OMR-Bypass, so both of these settings are not working as expected.
The client is a DHCP & DNS client of the OpenMPTCProuter.lan host. The test has been a traceroute from the client to the bypassed IP address.
I'm really just asking for help on what the next thing to check is. Logfiles etc don't seem to contain anything unusual. Since I'm not sure how OMR-Bypass works I don't know the best way to investigate it in the SSH shell on the router either.
Specifications
- OpenMPTCProuter version: v0.58.5
- OpenMPTCProuter VPS version: 0.1026 5.4.100-mptcp
- OpenMPTCProuter VPS provider: Amazon AWS EC2
- OpenMPTCProuter platform: RPI4
What do you have via SSH on the router in `uci show omr-bypass`, `ip rule show` and in `iptables-save`?
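The three outputs requested above fit together as a chain: an `omr_dst_bypass_*` ipset match sets a packet mark, and an `ip rule ... fwmark` entry sends that mark to a routing table. The script below is an added example, not OpenMPTCProuter code; its function names are hypothetical and its sample input is constructed from lines of the output posted in this thread.

```shell
#!/bin/sh
# Added example: map each omr_dst_bypass_* ipset to the fwmark that iptables
# sets for it and to the routing table that `ip rule` selects for that mark.
# Function names are hypothetical; inputs are files holding saved output of
# `iptables-save` and `ip rule show`.

# bypass_map IPTABLES_SAVE_FILE IP_RULE_FILE
# Prints one "SET MARK TABLE" line per ipset. TABLE is "-" when no
# "fwmark MARK lookup TABLE" rule exists for the mark.
bypass_map() {
    awk '
        NR == FNR {                      # first file: ip rule show
            mark = ""
            for (i = 1; i < NF; i++) {
                if ($i == "fwmark") { split($(i + 1), p, "/"); mark = p[1] }
                if ($i == "lookup" && mark != "") table[mark] = $(i + 1)
            }
            next
        }
        /--match-set omr_dst_bypass_/ && /-j MARK/ {   # second file: iptables-save
            set = ""; mark = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--match-set") set = $(i + 1)
                if ($i == "--set-xmark") { split($(i + 1), p, "/"); mark = p[1] }
            }
            # The same set is marked in several chains; report it once.
            if (set == "" || mark == "" || seen[set]++) next
            print set, mark, ((mark in table) ? table[mark] : "-")
        }
    ' "$2" "$1"
}

# unrouted_sets IPTABLES_SAVE_FILE IP_RULE_FILE
# Sets whose mark is assigned but never looked up by any ip rule.
unrouted_sets() {
    bypass_map "$1" "$2" | awk '$3 == "-" { print $1, $2 }'
}

# route_for_set IPTABLES_SAVE_FILE IP_RULE_FILE SET
# Prints "MARK TABLE" for one ipset.
route_for_set() {
    bypass_map "$1" "$2" | awk -v s="$3" '$1 == s { print $2, $3 }'
}

# Constructed sample: a few lines copied from the output in this thread.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT

cat > "$SAMPLE/ip-rule.txt" <<'EOF'
0: from all lookup local
0: from all fwmark 0x1 lookup 100
1: from all fwmark 0x539 lookup 991337
1: from all fwmark 0x5393 lookup 3
1: from all fwmark 0x5394 lookup 4
32766: from all lookup main
EOF

cat > "$SAMPLE/iptables-save.txt" <<'EOF'
*mangle
-A PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass
-A omr-bypass -m set --match-set omr_dst_bypass_eth1 dst -j MARK --set-xmark 0x5394/0xffffffff
-A omr-bypass -m set --match-set omr_dst_bypass_wan1 dst -j MARK --set-xmark 0x5393/0xffffffff
-A omr-bypass -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A omr-bypass -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A omr-bypass -m mac --mac-source 24:4b:fe:3d:7f:25 -j MARK --set-xmark 0x539/0xffffffff
COMMIT
EOF

bypass_map "$SAMPLE/iptables-save.txt" "$SAMPLE/ip-rule.txt"
```

On the router, save the real output of both commands to files and pass them in, then confirm the last two links of the chain with `ipset test omr_dst_bypass_eth1 203.53.47.17` and `ip route show table 4`.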
I actually have a considerable number of bypasses. None of these are working as far as I can tell. The test case that we are working through is the bypass of 203.53.47.17.
root@OpenMPTCProuter:~# uci show omr-bypass
omr-bypass.all=interface
omr-bypass.m6replay=proto
omr-bypass.m6replay.url='m6web.fr' '6play.fr' '6cloud.fr'
omr-bypass.mycanal=proto
omr-bypass.mycanal.url='mycanal.fr' 'canal-plus.com' 'canalplus.com' 'canalplus-cdn.net' 'canalplus.pro' 'canal-plus.net'
omr-bypass.minecraft=proto
omr-bypass.minecraft.url='authserver.mojang.com'
omr-bypass.lesnumeriques=proto
omr-bypass.lesnumeriques.url='lesnumeriques.com' 'botscorner.com' 'app.botscorner.com'
omr-bypass.disneyplus=proto
omr-bypass.disneyplus.url='bamgrid.com' 'disney-plus.net'
omr-bypass.amazonvideo=proto
omr-bypass.amazonvideo.url='cloudfront.net' 'llnw.net'
omr-bypass.lo=interface
omr-bypass.lo.id='5'
omr-bypass.eth0=interface
omr-bypass.eth0.id='6'
omr-bypass.wan1=interface
omr-bypass.wan1.id='3'
omr-bypass.wan2=interface
omr-bypass.wan2.id='4'
omr-bypass.tun0=interface
omr-bypass.tun0.id='1200'
omr-bypass.eth1=interface
omr-bypass.eth1.id='4'
omr-bypass.@domains[0]=domains
omr-bypass.@domains[0].name='revolutiontt.me'
omr-bypass.wlan0=interface
omr-bypass.wlan0.id='10'
omr-bypass.@dpis[0]=dpis
omr-bypass.@dpis[0].proto='amazonvideo'
omr-bypass.@dpis[1]=dpis
omr-bypass.@dpis[1].proto='disneyplus'
omr-bypass.@dpis[2]=dpis
omr-bypass.@dpis[2].proto='googlemaps'
omr-bypass.@dpis[3]=dpis
omr-bypass.@dpis[3].proto='hulu'
omr-bypass.@dpis[4]=dpis
omr-bypass.@dpis[4].proto='netflix'
omr-bypass.@dpis[5]=dpis
omr-bypass.@dpis[5].proto='nintendo'
omr-bypass.radio0_network1=interface
omr-bypass.radio0_network1.id='11'
omr-bypass.wan3=interface
omr-bypass.wan3.id='10'
omr-bypass.wgOptus=interface
omr-bypass.wgOptus.id='10'
omr-bypass.usb0=interface
omr-bypass.usb0.id='8'
omr-bypass.@dpis[6]=dpis
omr-bypass.@dpis[6].proto='facebook'
omr-bypass.@asns[0]=asns
omr-bypass.@asns[0].asn='2906'
omr-bypass.@asns[0].note='Netflix'
omr-bypass.@asns[1]=asns
omr-bypass.@asns[1].asn='40027'
omr-bypass.@asns[1].note='Netflix'
omr-bypass.@asns[2]=asns
omr-bypass.@asns[2].asn='55095'
omr-bypass.@asns[2].note='Netflix'
omr-bypass.@asns[3]=asns
omr-bypass.@asns[3].asn='63293'
omr-bypass.@asns[3].note='Facebook'
omr-bypass.@asns[4]=asns
omr-bypass.@asns[4].asn='32934'
omr-bypass.@asns[4].note='Facebook'
omr-bypass.@ips[0]=ips
omr-bypass.@ips[0].ip='203.53.47.17'
omr-bypass.@ips[0].note='fbcdn.net'
omr-bypass.@ips[0].interface='eth1'
omr-bypass.@asns[5]=asns
omr-bypass.@asns[5].asn='11251'
omr-bypass.@asns[5].note='Disney'
omr-bypass.@asns[6]=asns
omr-bypass.@asns[6].asn='398849'
omr-bypass.@asns[6].note='Disney'
omr-bypass.@asns[7]=asns
omr-bypass.@asns[7].asn='22604'
omr-bypass.@asns[7].note='Disney'
omr-bypass.@asns[8]=asns
omr-bypass.@asns[8].asn='23344'
omr-bypass.@asns[8].note='Disney'
omr-bypass.@asns[9]=asns
omr-bypass.@asns[9].asn='23286'
omr-bypass.@asns[9].note='Hulu'
omr-bypass.@asns[10]=asns
omr-bypass.@asns[10].asn='14618'
omr-bypass.@asns[10].note='HBOMAX'
omr-bypass.@asns[11]=asns
omr-bypass.@asns[11].asn='16509'
omr-bypass.@asns[11].note='Amazon'
omr-bypass.@asns[12]=asns
omr-bypass.@asns[12].asn='15169'
omr-bypass.@asns[12].note='Youtube'
omr-bypass.@macs[0]=macs
omr-bypass.@macs[0].mac='24:4B:FE:3D:7F:25'
omr-bypass.@macs[0].note='SPARTA'
root@OpenMPTCProuter:~# ip rule show
0: from all lookup local
0: from all fwmark 0x1 lookup 100
0: from 192.168.98.99 lookup 4
0: from 10.255.255.2 lookup 1200
0: from 192.168.97.173 lookup 8
0: from 192.168.16.26 lookup 10
0: from 100.121.109.68 lookup 3
1: from all fwmark 0x539 lookup 991337
1: from all fwmark 0x5393 lookup 3
1: from all fwmark 0x5394 lookup 4
1: from all fwmark 0x5398 lookup 8
1: from all fwmark 0x5391200 lookup 1200
1: from all fwmark 0x53910 lookup 10
100: from all lookup lan
10000: from 192.168.99.1 lookup lan
20000: from all to 192.168.99.1/24 lookup lan
32766: from all lookup main
32767: from all lookup default
90002: from all iif lo lookup lan
root@OpenMPTCProuter:~# iptables-save
# Generated by iptables-save v1.8.7 on Fri Jul 29 07:28:55 2022
*raw
:PREROUTING ACCEPT [1485369:182584122]
:OUTPUT ACCEPT [1534761:140673143]
COMMIT
# Completed on Fri Jul 29 07:28:55 2022
# Generated by iptables-save v1.8.7 on Fri Jul 29 07:28:55 2022
*nat
:PREROUTING ACCEPT [125:30149]
:INPUT ACCEPT [15:1009]
:OUTPUT ACCEPT [196:14035]
:POSTROUTING ACCEPT [46:3049]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:v2r_def_dst - [0:0]
:v2r_def_forward - [0:0]
:v2r_def_local_out - [0:0]
:v2r_def_pre_src - [0:0]
:v2r_def_src - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -p tcp -j v2r_def_pre_src
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i wan1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i usb0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A OUTPUT -p tcp -j v2r_def_local_out
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wan1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o usb0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A v2r_def_dst -m mark --mark 0x539 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_dst -m set --match-set omr_dst_bypass_wlan0 dst -j MARK --set-xmark 0x53910/0xffffffff
-A v2r_def_dst -m mark --mark 0x53910 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_usb0 dst -j MARK --set-xmark 0x5398/0xffffffff
-A v2r_def_dst -m mark --mark 0x5398 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_tun0 dst -j MARK --set-xmark 0x5391200/0xffffffff
-A v2r_def_dst -m mark --mark 0x5391200 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_eth1 dst -j MARK --set-xmark 0x5394/0xffffffff
-A v2r_def_dst -m mark --mark 0x5394 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_wan1 dst -j MARK --set-xmark 0x5393/0xffffffff
-A v2r_def_dst -m mark --mark 0x5393 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A v2r_def_dst -m mark --mark 0x5396 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A v2r_def_dst -m mark --mark 0x5395 -j RETURN
-A v2r_def_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_dst -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_dst -m set --match-set ssr_def_dst_forward dst -j v2r_def_forward
-A v2r_def_dst -m comment --comment "dst_default: forward" -j v2r_def_forward
-A v2r_def_forward -p tcp -j REDIRECT --to-ports 1897
-A v2r_def_local_out -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_local_out -m mark --mark 0x539 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_wlan0 dst -j MARK --set-xmark 0x53910/0xffffffff
-A v2r_def_local_out -m mark --mark 0x53910 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_usb0 dst -j MARK --set-xmark 0x5398/0xffffffff
-A v2r_def_local_out -m mark --mark 0x5398 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_tun0 dst -j MARK --set-xmark 0x5391200/0xffffffff
-A v2r_def_local_out -m mark --mark 0x5391200 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_eth1 dst -j MARK --set-xmark 0x5394/0xffffffff
-A v2r_def_local_out -m mark --mark 0x5394 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_wan1 dst -j MARK --set-xmark 0x5393/0xffffffff
-A v2r_def_local_out -m mark --mark 0x5393 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A v2r_def_local_out -m mark --mark 0x5396 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A v2r_def_local_out -m mark --mark 0x5395 -j RETURN
-A v2r_def_local_out -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_local_out -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_local_out -m set --match-set ssr_def_dst_bypass_ dst -j RETURN
-A v2r_def_local_out -m mark --mark 0x539 -j RETURN
-A v2r_def_local_out -p tcp -m comment --comment "local_default: forward" -j v2r_def_forward
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x539 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_wlan0 dst -j MARK --set-xmark 0x53910/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x53910 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_usb0 dst -j MARK --set-xmark 0x5398/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x5398 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_tun0 dst -j MARK --set-xmark 0x5391200/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x5391200 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_eth1 dst -j MARK --set-xmark 0x5394/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x5394 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_wan1 dst -j MARK --set-xmark 0x5393/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x5393 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x5396 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x5395 -j RETURN
-A v2r_def_pre_src -m set --match-set ssr_def_dst_bypass_ dst -j RETURN
-A v2r_def_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_pre_src -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_pre_src -m mark --mark 0x539 -j RETURN
-A v2r_def_pre_src -p tcp -j v2r_def_src
-A v2r_def_src -m set --match-set ssr_def_src_bypass src -j RETURN
-A v2r_def_src -m set --match-set ssr_def_src_forward src -j v2r_def_forward
-A v2r_def_src -m set --match-set ssr_def_src_checkdst src -j v2r_def_dst
-A v2r_def_src -m comment --comment "src_default: forward" -j v2r_def_forward
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_postrouting -j MINIUPNPD-POSTROUTING
-A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_vpn_prerouting -j MINIUPNPD
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Jul 29 07:28:55 2022
# Generated by iptables-save v1.8.7 on Fri Jul 29 07:28:55 2022
*mangle
:PREROUTING ACCEPT [1889:576992]
:INPUT ACCEPT [1631:492346]
:FORWARD ACCEPT [248:92178]
:OUTPUT ACCEPT [1934:338802]
:POSTROUTING ACCEPT [2178:430808]
:dscp_mark - [0:0]
:dscp_output - [0:0]
:dscp_postrouting - [0:0]
:dscp_prerouting - [0:0]
:omr-bypass - [0:0]
:omr-bypass-local - [0:0]
:omr-gre-tunnel - [0:0]
:v2r_def_dst - [0:0]
:v2r_def_forward - [0:0]
:v2r_def_pre_src - [0:0]
:v2r_def_src - [0:0]
-A PREROUTING -m addrtype ! --dst-type LOCAL -j omr-bypass
-A PREROUTING -i eth0 -j dscp_prerouting
-A PREROUTING -m addrtype ! --dst-type LOCAL -j omr-gre-tunnel
-A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A PREROUTING -i eth0 -j dscp_mark
-A PREROUTING -p udp -j v2r_def_pre_src
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o wan1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wan1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o usb0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i usb0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
-A OUTPUT -j dscp_output
-A POSTROUTING -j dscp_postrouting
-A POSTROUTING -j dscp_mark
-A dscp_mark -m comment --comment cs4 -m dscp --dscp 0x20 -j MARK --set-xmark 0x7874756e/0xffffffff
-A dscp_mark -m comment --comment cs5 -m dscp --dscp 0x28 -j MARK --set-xmark 0x7874756e/0xffffffff
-A dscp_mark -m comment --comment cs6 -m dscp --dscp 0x30 -j MARK --set-xmark 0x7874756e/0xffffffff
-A dscp_mark -m comment --comment cs7 -m dscp --dscp 0x38 -j MARK --set-xmark 0x7874756e/0xffffffff
-A dscp_output -o tun0 -j DSCP --set-dscp 0x30
-A dscp_postrouting -m set --match-set omr_dscp-cs0 src,dst -m comment --comment cs0 -j DSCP --set-dscp 0x00
-A dscp_postrouting -m set --match-set omr_dscp-cs0 src,dst -m comment --comment cs0 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs1 src,dst -m comment --comment cs1 -j DSCP --set-dscp 0x08
-A dscp_postrouting -m set --match-set omr_dscp-cs1 src,dst -m comment --comment cs1 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs2 src,dst -m comment --comment cs2 -j DSCP --set-dscp 0x10
-A dscp_postrouting -m set --match-set omr_dscp-cs2 src,dst -m comment --comment cs2 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs3 src,dst -m comment --comment cs3 -j DSCP --set-dscp 0x18
-A dscp_postrouting -m set --match-set omr_dscp-cs3 src,dst -m comment --comment cs3 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs4 src,dst -m comment --comment cs4 -j DSCP --set-dscp 0x20
-A dscp_postrouting -m set --match-set omr_dscp-cs4 src,dst -m comment --comment cs4 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs5 src,dst -m comment --comment cs5 -j DSCP --set-dscp 0x28
-A dscp_postrouting -m set --match-set omr_dscp-cs5 src,dst -m comment --comment cs5 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs6 src,dst -m comment --comment cs6 -j DSCP --set-dscp 0x30
-A dscp_postrouting -m set --match-set omr_dscp-cs6 src,dst -m comment --comment cs6 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs7 src,dst -m comment --comment cs7 -j DSCP --set-dscp 0x38
-A dscp_postrouting -m set --match-set omr_dscp-cs7 src,dst -m comment --comment cs7 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-ef src,dst -m comment --comment ef -j DSCP --set-dscp 0x2e
-A dscp_postrouting -m set --match-set omr_dscp-ef src,dst -m comment --comment ef -j RETURN
-A dscp_postrouting -p icmp -m comment --comment ICMP -j DSCP --set-dscp 0x38
-A dscp_postrouting -p icmp -m comment --comment ICMP -j RETURN
-A dscp_postrouting -p udp -m multiport --sports 53,123,5353 -m multiport --dports 0:65535 -m comment --comment "DNS udp and NTP" -j DSCP --set-dscp 0x20
-A dscp_postrouting -p udp -m multiport --sports 53,123,5353 -m multiport --dports 0:65535 -m comment --comment "DNS udp and NTP" -j RETURN
-A dscp_postrouting -p tcp -m multiport --sports 53,5353 -m multiport --dports 0:65535 -m comment --comment "DNS tcp" -j DSCP --set-dscp 0x20
-A dscp_postrouting -p tcp -m multiport --sports 53,5353 -m multiport --dports 0:65535 -m comment --comment "DNS tcp" -j RETURN
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65500 -m comment --comment "OMR API" -j DSCP --set-dscp 0x20
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65500 -m comment --comment "OMR API" -j RETURN
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65001,65301,65401,65011 -m comment --comment "OMR vpn" -j DSCP --set-dscp 0x38
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65001,65301,65401,65011 -m comment --comment "OMR vpn" -j RETURN
-A dscp_postrouting -p udp -m multiport --sports 0:65535 -m multiport --dports 65001,65301 -m comment --comment "OMR vpn" -j DSCP --set-dscp 0x38
-A dscp_postrouting -p udp -m multiport --sports 0:65535 -m multiport --dports 65001,65301 -m comment --comment "OMR vpn" -j RETURN
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65101,65228 -m comment --comment "OMR proxy" -j DSCP --set-dscp 0x30
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65101,65228 -m comment --comment "OMR proxy" -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs0 src,dst -m comment --comment cs0 -j DSCP --set-dscp 0x00
-A dscp_prerouting -m set --match-set omr_dscp-cs0 src,dst -m comment --comment cs0 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs1 src,dst -m comment --comment cs1 -j DSCP --set-dscp 0x08
-A dscp_prerouting -m set --match-set omr_dscp-cs1 src,dst -m comment --comment cs1 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs2 src,dst -m comment --comment cs2 -j DSCP --set-dscp 0x10
-A dscp_prerouting -m set --match-set omr_dscp-cs2 src,dst -m comment --comment cs2 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs3 src,dst -m comment --comment cs3 -j DSCP --set-dscp 0x18
-A dscp_prerouting -m set --match-set omr_dscp-cs3 src,dst -m comment --comment cs3 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs4 src,dst -m comment --comment cs4 -j DSCP --set-dscp 0x20
-A dscp_prerouting -m set --match-set omr_dscp-cs4 src,dst -m comment --comment cs4 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs5 src,dst -m comment --comment cs5 -j DSCP --set-dscp 0x28
-A dscp_prerouting -m set --match-set omr_dscp-cs5 src,dst -m comment --comment cs5 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs6 src,dst -m comment --comment cs6 -j DSCP --set-dscp 0x30
-A dscp_prerouting -m set --match-set omr_dscp-cs6 src,dst -m comment --comment cs6 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs7 src,dst -m comment --comment cs7 -j DSCP --set-dscp 0x38
-A dscp_prerouting -m set --match-set omr_dscp-cs7 src,dst -m comment --comment cs7 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-ef src,dst -m comment --comment ef -j DSCP --set-dscp 0x2e
-A dscp_prerouting -m set --match-set omr_dscp-ef src,dst -m comment --comment ef -j RETURN
-A dscp_prerouting -p icmp -m comment --comment ICMP -j DSCP --set-dscp 0x38
-A dscp_prerouting -p icmp -m comment --comment ICMP -j RETURN
-A dscp_prerouting -p udp -m multiport --sports 53,123,5353 -m multiport --dports 0:65535 -m comment --comment "DNS udp and NTP" -j DSCP --set-dscp 0x20
-A dscp_prerouting -p udp -m multiport --sports 53,123,5353 -m multiport --dports 0:65535 -m comment --comment "DNS udp and NTP" -j RETURN
-A dscp_prerouting -p tcp -m multiport --sports 53,5353 -m multiport --dports 0:65535 -m comment --comment "DNS tcp" -j DSCP --set-dscp 0x20
-A dscp_prerouting -p tcp -m multiport --sports 53,5353 -m multiport --dports 0:65535 -m comment --comment "DNS tcp" -j RETURN
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65500 -m comment --comment "OMR API" -j DSCP --set-dscp 0x20
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65500 -m comment --comment "OMR API" -j RETURN
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65001,65301,65401,65011 -m comment --comment "OMR vpn" -j DSCP --set-dscp 0x38
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65001,65301,65401,65011 -m comment --comment "OMR vpn" -j RETURN
-A dscp_prerouting -p udp -m multiport --sports 0:65535 -m multiport --dports 65001,65301 -m comment --comment "OMR vpn" -j DSCP --set-dscp 0x38
-A dscp_prerouting -p udp -m multiport --sports 0:65535 -m multiport --dports 65001,65301 -m comment --comment "OMR vpn" -j RETURN
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65101,65228 -m comment --comment "OMR proxy" -j DSCP --set-dscp 0x30
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65101,65228 -m comment --comment "OMR proxy" -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_wlan0 dst -j MARK --set-xmark 0x53910/0xffffffff
-A omr-bypass -m set --match-set omr_dst_bypass_usb0 dst -j MARK --set-xmark 0x5398/0xffffffff
-A omr-bypass -m set --match-set omr_dst_bypass_tun0 dst -j MARK --set-xmark 0x5391200/0xffffffff
-A omr-bypass -m set --match-set omr_dst_bypass_eth1 dst -j MARK --set-xmark 0x5394/0xffffffff
-A omr-bypass -m set --match-set omr_dst_bypass_wan1 dst -j MARK --set-xmark 0x5393/0xffffffff
-A omr-bypass -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A omr-bypass -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A omr-bypass -m mac --mac-source 24:4b:fe:3d:7f:25 -j MARK --set-xmark 0x539/0xffffffff
-A omr-bypass-local -m set --match-set omr_dst_bypass_wlan0 dst -j MARK --set-xmark 0x53910/0xffffffff
-A omr-bypass-local -m set --match-set omr_dst_bypass_usb0 dst -j MARK --set-xmark 0x5398/0xffffffff
-A omr-bypass-local -m set --match-set omr_dst_bypass_tun0 dst -j MARK --set-xmark 0x5391200/0xffffffff
-A omr-bypass-local -m set --match-set omr_dst_bypass_eth1 dst -j MARK --set-xmark 0x5394/0xffffffff
-A omr-bypass-local -m set --match-set omr_dst_bypass_wan1 dst -j MARK --set-xmark 0x5393/0xffffffff
-A omr-bypass-local -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A omr-bypass-local -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A v2r_def_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_dst -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_dst -m set --match-set ssr_def_dst_forward dst -j v2r_def_forward
-A v2r_def_dst -m comment --comment "dst_default: forward" -j v2r_def_forward
-A v2r_def_forward -p udp -j TPROXY --on-port 1897 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A v2r_def_pre_src -m set --match-set ssr_def_dst_bypass_ dst -j RETURN
-A v2r_def_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_pre_src -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_pre_src -m mark --mark 0x539 -j RETURN
-A v2r_def_pre_src -p udp -j v2r_def_src
-A v2r_def_src -m set --match-set ssr_def_src_bypass src -j RETURN
-A v2r_def_src -m set --match-set ssr_def_src_forward src -j v2r_def_forward
-A v2r_def_src -m set --match-set ssr_def_src_checkdst src -j v2r_def_dst
-A v2r_def_src -m comment --comment "src_default: forward" -j v2r_def_forward
COMMIT
# Completed on Fri Jul 29 07:28:55 2022
# Generated by iptables-save v1.8.7 on Fri Jul 29 07:28:55 2022
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wan1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i usb0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -m comment --comment "!fw3" -j reject
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-All-Ping" -j ACCEPT
-A FORWARD -p udp -m udp --dport 443 -m comment --comment "!fw3: Block QUIC All" -j DROP
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wan1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i usb0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wan1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o usb0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -m comment --comment "!fw3" -j reject
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -p tcp -m comment --comment "!fw3: Allow-All-LAN-to-VPN" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -p udp -m comment --comment "!fw3: Allow-All-LAN-to-VPN" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -p tcp -m comment --comment "!fw3: Allow-Lan-to-Wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -p udp -m comment --comment "!fw3: Allow-Lan-to-Wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -p udp -m udp --dport 443 -m comment --comment "!fw3: Block QUIC Proxy" -j DROP
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -j MINIUPNPD
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -p icmp -m comment --comment "!fw3: Allow-VPN-ICMP" -j ACCEPT
-A zone_vpn_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-Request-VPN" -j ACCEPT
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -j MINIUPNPD
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_REJECT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o wan1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wan1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o usb0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o usb0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o wlan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o wan1 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o usb0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i wan1 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i usb0 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i wlan0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Jul 29 07:28:55 2022
I would also need the result of omr_dst_bypass_eth1
Do you mean from iptables? I'm not sure how to get that.
Sorry, I mean ipset list omr_dst_bypass_eth1
Thank you.
root@OpenMPTCProuter:~# ipset list omr_dst_bypass_eth1
Name: omr_dst_bypass_eth1
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 65536
Size in memory: 520
References: 5
Number of entries: 1
Members:
203.53.47.17
@Ysurac any update on this? I'm seeing the same behavior across the board for omr-bypass with the 0.59 release. I can get dns entries for these now but traceroute shows they aren't bypassing the VPS.
@kevinh-csalabs Seems to be working on 0.59. Are you using shadowsocks (default) or v2ray as proxy? And glorytun-tcp as VPN (default)?
@Ysurac I was using v2ray + glorytun-tcp but tried switching to shadowsocks + glorytun-tcp with the same result.
Example: delta.com blocks VPS ip range, so excluding delta.com and running traceroute:
Actual:
1 <1 ms 1 ms <1 ms 192.168.172.1
2 1 ms 1 ms <1 ms OpenMPTCProuter.lan [192.168.x.x]
3 74 ms 70 ms 87 ms 10.255.255.1
4 80 ms 61 ms 70 ms 45.61.x.x (VPS)
5 82 ms 75 ms 64 ms ae23-205.cr7-mia1.ip4.gtt.net [76.74.x.x]
6 66 ms 79 ms 79 ms ae6.cr9-mia1.ip4.gtt.net [213.200.113.205]
7 80 ms 136 ms 65 ms ip4.gtt.net [98.124.172.178]
8 69 ms 62 ms 61 ms 204.74.99.103
Expected (connected directly to default master):
1 1 ms <1 ms <1 ms StarlinkRouter.lan [192.168.x.x]
2 54 ms 49 ms 35 ms 100.64.0.1
3 305 ms 206 ms 200 ms 172.16.x.x
4 39 ms 43 ms 37 ms 149.19.108.85
5 95 ms 63 ms 53 ms atl-b2-link.ip.twelve99.net [62.115.146.54]
6 131 ms * 95 ms atl-bb1-link.ip.twelve99.net [62.115.140.6]
7 62 ms 45 ms 98 ms rest-bb1-link.ip.twelve99.net [62.115.138.70]
8 * 62 ms 58 ms 204.74.99.103
It's working with TCP only, I will fix that.
@Ysurac Interestingly this brings up an interesting related issue.... I confirmed you are right by running a tcp trace, but I'm still getting blocked on www.delta.com (they are using akamai) despite the bypass, but if I connect directly to the master connection it works, so they are using some other method of ip detection. I noticed that if I create a bypass for akamai.com and www.akamai.com and visit https://www.akamai.com/us/en/clientrep-lookup/ I still see the VPS address. Any thoughts on how to get them to see the master interface instead? It looks like they are using google or some other service to identify the ip and comparing that to what they see directly.
@Ysurac I haven't narrowed down what set is needed, but some combination of akamai and google and gstatic domains allows that check to return the master connection's IP, but this still hasn't resolved delta.com, which just closes the connection immediately when connecting via OpenMPTCProuter. I'm kind of at a loss on how they would even be able to tell the difference between the two connections.
@kevinh-csalabs it's not the same problem. To bypass *.delta.com you only need to set delta.com as domain. But to really check why you can't connect you need to use your browser's developer tools to find what the site's answer is and which domain is answering.
@Ysurac so it seems the issue may actually be omr-bypass routing related. I'm seeing some very strange behavior.
Here is what I'm seeing:
- normal settings on OpenMPTCProuter: access denied (ok this makes sense, they blocked the VPS)
- website added to omr-bypass with IPv6 enabled: if IPv6 is involved it looks to still be going through the VPS (maybe because there are no other IPv6 routes, as direct providers have only IPv4)?
- website added to omr-bypass, IPv4 only: with IPv6 turned off there is a connection error - nothing loads at all in browser devtools, and curl just shows it redirecting then resetting the connection, but the cause is obtuse:
curl -k -I https://www.delta.com/
HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: https://www.delta.com/content/www/en_US/system-unavailable1.html
Date: Thu, 25 Aug 2022 21:08:33 GMT
Connection: keep-alive
curl -k -I https://www.delta.com/content/www/en_US/system-unavailable1.html
curl: (56) Send failure: Connection was reset
Trying again I get a different route:
tracetcp www.delta.com:443
Tracing route to 104.65.249.23 [a104-65-249-23.deploy.static.akamaitechnologies.com] on port 443
Over a maximum of 30 hops.
1 3 ms 2 ms 3 ms 192.168.172.1
2 2 ms 2 ms 2 ms 192.168.42.1 [OpenMPTCProuter.lan]
3 4 ms 2 ms 2 ms 192.168.1.1
4 31 ms 39 ms 38 ms 100.64.0.1
5 34 ms 35 ms 41 ms 172.16.249.10
6 31 ms 36 ms 38 ms 149.19.108.83
7 44 ms 38 ms 33 ms 62.115.146.54 [atl-b2-link.ip.twelve99.net]
8 * 41 ms * 62.115.114.32 [atl-b24-link.ip.twelve99.net]
9 57 ms 67 ms 52 ms 4.15.155.98
10 * 53 ms * 80.239.194.181 [akamai-svc074345-lag003632.ip.twelve99-cust.net]
11 * * * Request timed out.
12 * * * Request timed out.
13 * * Destination Reached in 41 ms. Connection established to 104.65.249.23
Trace Complete.
and going to the main delta page resets the connection instantly:
curl -k -I https://www.delta.com/
curl: (56) Send failure: Connection was reset
Trying www.google.com on omr-bypass is even more bizarre - the routing seems to be wrong AND inconsistent:
First try:
tracetcp www.google.com:443
Tracing route to 172.217.3.68 [mia07s54-in-f4.1e100.net] on port 443
Over a maximum of 30 hops.
1 2 ms 2 ms 2 ms 192.168.172.1
2 Destination Reached in 4 ms. Connection established to 172.217.3.68
but I can still load google via browser and it shows my ip as the VPS.
Second try:
tracetcp www.google.com:443
Tracing route to 172.217.2.196 [mia09s02-in-f4.1e100.net] on port 443
Over a maximum of 30 hops.
1 2 ms 2 ms 2 ms 192.168.172.1
2 2 ms 2 ms 5 ms 192.168.42.1 [OpenMPTCProuter.lan]
3 4 ms 3 ms 4 ms 192.168.1.1
4 39 ms 74 ms 73 ms 100.64.0.1
5 38 ms 35 ms 35 ms 172.16.249.10
6 44 ms 46 ms 36 ms 149.19.108.83
7 44 ms 39 ms 41 ms 62.115.146.54 [atl-b2-link.ip.twelve99.net]
8 53 ms 39 ms 44 ms 4.69.219.146
9 35 ms 35 ms 46 ms 142.250.165.178
10 32 ms 40 ms 43 ms 108.170.249.35
11 54 ms 30 ms 63 ms 142.251.51.16
12 65 ms 44 ms 86 ms 142.251.51.23
13 111 ms 75 ms 73 ms 216.239.54.70
14 58 ms 78 ms 49 ms 108.170.253.1
15 57 ms 51 ms 78 ms 216.239.50.109
16 Destination Reached in 58 ms. Connection established to 172.217.2.196
This time I can't load the page and get
curl -k -I --retry-all-errors https://www.google.com/
curl: (56) Send failure: Connection was reset
@Ysurac you can ignore my last comment - the last issue was due to downstream equipment, not the router. So to summarize:
- Non-TCP traffic ignores bypass
- IPv6 may be problematic if individual connections don't have IPv6
I'm trying to pass UDP OpenVPN through OpenMPTCProuter, and it doesn't work. Bypass with UDP also doesn't work. @Ysurac do you have any plans to fix Bypass UDP?
What release are you using? It should work in v0.59.1
I'm using 0.59.1 with VPS 1028. And it doesn't work, I'm absolutely sure.
What is the result of a traceroute to the VPN IP (traceroute -I or traceroute -U under Linux)? To bypass, use IP or domain; service bypass doesn't always work.
semenov_e@SEMENOV-E-UB:~$ traceroute -I location-pub-kl--germany-frankfurt.aura-servers.com
traceroute to location-pub-kl--germany-frankfurt.aura-servers.com (178.162.198.111), 30 hops max, 60 byte packets
1 _gateway (192.168.100.1) 4.164 ms 4.124 ms 4.116 ms
2 192.168.8.1 (192.168.8.1) 28.049 ms 28.043 ms 28.037 ms
3 178.162.198.111 (178.162.198.111) 91.322 ms 91.318 ms 91.311 ms
192.168.8.1 is the right interface
root@OpenMPTCProuter:~# uci show omr-bypass
omr-bypass.all=interface
omr-bypass.m6replay=proto
omr-bypass.m6replay.url='m6web.fr' '6play.fr' '6cloud.fr'
omr-bypass.mycanal=proto
omr-bypass.mycanal.url='mycanal.fr' 'canal-plus.com' 'canalplus.com' 'canalplus-cdn.net' 'canalplus.pro' 'canal-plus.net'
omr-bypass.minecraft=proto
omr-bypass.minecraft.url='authserver.mojang.com'
omr-bypass.lesnumeriques=proto
omr-bypass.lesnumeriques.url='lesnumeriques.com' 'botscorner.com' 'app.botscorner.com'
omr-bypass.disneyplus=proto
omr-bypass.disneyplus.url='bamgrid.com' 'disney-plus.net'
omr-bypass.amazonvideo=proto
omr-bypass.amazonvideo.url='cloudfront.net' 'llnw.net'
omr-bypass.lo=interface
omr-bypass.lo.id='5'
omr-bypass.eth0=interface
omr-bypass.eth0.id='6'
omr-bypass.wan1=interface
omr-bypass.wan1.id='3'
omr-bypass.wan2=interface
omr-bypass.wan2.id='4'
omr-bypass.tun0=interface
omr-bypass.tun0.id='1200'
omr-bypass.wan3=interface
omr-bypass.wan3.id='8'
omr-bypass.wan4=interface
omr-bypass.wan4.id='9'
omr-bypass.wan5=interface
omr-bypass.wan5.id='11'
omr-bypass.wgwan5=interface
omr-bypass.wgwan5.id='12'
omr-bypass.eth1=interface
omr-bypass.eth1.id='13'
omr-bypass.tun1=interface
omr-bypass.tun1.id='15'
omr-bypass.@domains[0]=domains
omr-bypass.@domains[0].name='location-pub-kl--germany-frankfurt.aura-servers.com '
omr-bypass.@domains[0].interface='eth1'
root@OpenMPTCProuter:~# ipset list omr_dst_bypass_eth1
Name: omr_dst_bypass_eth1
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 65536
Size in memory: 576
References: 5
Number of entries: 2
Members:
46.165.225.3
178.162.198.111
I see UDP traffic on the eth0 (local) interface, but can't see any on the eth1 (bypass) interface
All seems to be ok here. Can you try a traceroute -U to check if you have the same result? You should try a tcpdump to check why traffic is not using eth1.
semenov_e@SEMENOV-E-UB:~$ traceroute -U location-pub-kl--germany-frankfurt.aura-servers.com
traceroute to location-pub-kl--germany-frankfurt.aura-servers.com (178.162.202.15), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
root@OpenMPTCProuter:~# tcpdump -i eth0 host 192.168.100.2 and udp
20:58:53.209550 IP 192.168.100.2.38890 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.209607 IP 192.168.100.2.36795 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.209630 IP 192.168.100.2.53458 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.209656 IP 192.168.100.2.44037 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.209678 IP 192.168.100.2.56796 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.209697 IP 192.168.100.2.34072 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.210076 IP 192.168.100.2.40646 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.210107 IP 192.168.100.2.51414 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.210117 IP 192.168.100.2.42032 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.210141 IP 192.168.100.2.36113 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.210142 IP 192.168.100.2.53771 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.210164 IP 192.168.100.2.54006 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.210194 IP 192.168.100.2.55799 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.210218 IP 192.168.100.2.37477 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.210262 IP 192.168.100.2.46313 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:53.210289 IP 192.168.100.2.47861 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215321 IP 192.168.100.2.53487 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215355 IP 192.168.100.2.57699 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215411 IP 192.168.100.2.41030 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215412 IP 192.168.100.2.35675 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215435 IP 192.168.100.2.60489 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215444 IP 192.168.100.2.60925 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215457 IP 192.168.100.2.36159 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215478 IP 192.168.100.2.34665 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215491 IP 192.168.100.2.59903 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215499 IP 192.168.100.2.43516 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215514 IP 192.168.100.2.57641 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215534 IP 192.168.100.2.58132 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215569 IP 192.168.100.2.50635 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215590 IP 192.168.100.2.41955 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215612 IP 192.168.100.2.57811 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
20:58:58.215636 IP 192.168.100.2.35575 > 178.162.202.15.53: 16449 op8 [b2&3=0x4243] [17991a] [17477q] [18505n] [19019au][|domain]
root@OpenMPTCProuter:~# tcpdump -i eth1 udp
This doesn't resolve to the same IP as before. You may have a DNS cache somewhere, so this IP may not be available in ipset.
root@OpenMPTCProuter:~# ipset list omr_dst_bypass_eth1
Name: omr_dst_bypass_eth1
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 65536
Size in memory: 896
References: 5
Number of entries: 7
Members:
91.207.172.202
46.165.225.3
178.162.198.111
77.243.181.6
91.207.172.13
178.162.202.15
78.159.101.93
It is present in ipset, sure.
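The membership check discussed in the exchange above, as an added example that is not part of the thread or of the project's code: it parses `ipset list` text and tests an address against each member, including CIDR entries, using the three addresses the bypassed hostname resolved to in this thread's traceroutes. The function names `ip_to_int`, `in_ipset` and `covered` are hypothetical, the `SNAP_*` member lists are copied from the ipset outputs posted here, and the CIDR entry is constructed.

```shell
# Added example: test whether an IPv4 address is covered by a hash:net ipset,
# working from the text that `ipset list <set>` prints.

# Convert dotted-quad A.B.C.D to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_ipset IP: reads `ipset list` output on stdin, returns 0 if IP matches a
# member (plain address or CIDR network), 1 otherwise.
in_ipset() {
    target=$(ip_to_int "$1")
    in_members=0
    while IFS= read -r line; do
        if [ "$in_members" -eq 0 ]; then
            if [ "$line" = "Members:" ]; then in_members=1; fi
            continue
        fi
        entry=${line%% *}              # drop per-entry options, e.g. "timeout 30"
        [ -n "$entry" ] || continue
        case $entry in
            */*) net=${entry%/*}; bits=${entry#*/} ;;
            *)   net=$entry; bits=32 ;;
        esac
        mask=0
        if [ "$bits" -gt 0 ]; then mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
        if [ $(( target & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
            return 0
        fi
    done
    return 1
}

# Members copied from the three `ipset list omr_dst_bypass_eth1` outputs in this
# thread (header lines trimmed), in the order they were posted.
SNAP_A='Members:
46.165.225.3
178.162.198.111'
SNAP_B='Members:
91.207.172.202
46.165.225.3
178.162.198.111
77.243.181.6
91.207.172.13
178.162.202.15
78.159.101.93'
SNAP_C='Members:
46.165.225.3
146.70.36.194
37.120.129.18'
# Constructed entry (not from the thread) to exercise the CIDR branch.
SNAP_CIDR='Members:
178.162.192.0/19'

# covered IP SNAPSHOT_TEXT: wrapper so the set text can be passed as an argument.
covered() { printf '%s\n' "$2" | in_ipset "$1"; }

# Addresses the bypassed hostname resolved to in the three traceroutes.
for ip in 178.162.198.111 178.162.202.15 37.120.129.18; do
    for name in SNAP_A SNAP_B SNAP_C; do
        eval "snap=\$$name"
        if covered "$ip" "$snap"; then r=member; else r=absent; fi
        echo "$ip $name $r"
    done
done
```

On the router the live set can be piped straight in: `ipset list omr_dst_bypass_eth1 | in_ipset 178.162.202.15`.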
If possible, can you try another port than 53 UDP? And try a tcpdump -i any host 178.162.202.15
semenov_e@SEMENOV-E-UB:~$ traceroute -U -p 1194 location-pub-kl--germany-frankfurt.aura-servers.com
traceroute to location-pub-kl--germany-frankfurt.aura-servers.com (37.120.129.18), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
root@OpenMPTCProuter:~# tcpdump -n -i any host 37.120.129.18
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
21:24:41.907340 IP 192.168.100.2.42488 > 37.120.129.18.1194: UDP, length 32
21:24:41.907341 IP 192.168.100.2.58315 > 37.120.129.18.1194: UDP, length 32
21:24:41.907810 IP 192.168.100.2.54610 > 37.120.129.18.1194: UDP, length 32
21:24:41.907812 IP 192.168.100.2.48274 > 37.120.129.18.1194: UDP, length 32
21:24:41.907813 IP 192.168.100.2.38691 > 37.120.129.18.1194: UDP, length 32
21:24:41.907813 IP 192.168.100.2.43833 > 37.120.129.18.1194: UDP, length 32
21:24:41.907982 IP 192.168.100.2.37801 > 37.120.129.18.1194: UDP, length 32
21:24:41.907984 IP 192.168.100.2.50136 > 37.120.129.18.1194: UDP, length 32
21:24:41.907985 IP 192.168.100.2.44402 > 37.120.129.18.1194: UDP, length 32
21:24:41.907987 IP 192.168.100.2.59119 > 37.120.129.18.1194: UDP, length 32
21:24:41.907988 IP 192.168.100.2.41531 > 37.120.129.18.1194: UDP, length 32
21:24:41.907988 IP 192.168.100.2.45654 > 37.120.129.18.1194: UDP, length 32
21:24:41.908132 IP 192.168.100.2.50930 > 37.120.129.18.1194: UDP, length 32
21:24:41.907990 IP 192.168.100.2.38394 > 37.120.129.18.1194: UDP, length 32
21:24:41.907991 IP 192.168.100.2.44939 > 37.120.129.18.1194: UDP, length 32
21:24:41.907992 IP 192.168.100.2.51194 > 37.120.129.18.1194: UDP, length 32
21:24:46.912621 IP 192.168.100.2.46779 > 37.120.129.18.1194: UDP, length 32
21:24:46.913609 IP 192.168.100.2.39608 > 37.120.129.18.1194: UDP, length 32
21:24:46.913611 IP 192.168.100.2.54762 > 37.120.129.18.1194: UDP, length 32
21:24:46.913838 IP 192.168.100.2.58240 > 37.120.129.18.1194: UDP, length 32
21:24:46.913840 IP 192.168.100.2.37033 > 37.120.129.18.1194: UDP, length 32
21:24:46.913891 IP 192.168.100.2.44184 > 37.120.129.18.1194: UDP, length 32
21:24:46.913841 IP 192.168.100.2.50692 > 37.120.129.18.1194: UDP, length 32
21:24:46.913893 IP 192.168.100.2.53652 > 37.120.129.18.1194: UDP, length 32
21:24:46.913842 IP 192.168.100.2.37248 > 37.120.129.18.1194: UDP, length 32
21:24:46.913894 IP 192.168.100.2.52425 > 37.120.129.18.1194: UDP, length 32
root@OpenMPTCProuter:~# ipset list omr_dst_bypass_eth1
Name: omr_dst_bypass_eth1
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 65536
Size in memory: 640
References: 5
Number of entries: 3
Members:
46.165.225.3
146.70.36.194
37.120.129.18
traceroute should give you a result... and tcpdump another result. It's as if UDP output is blocked. Did you modify the router firewall config?
No, just default config.
Do you see anything using tcpdump on the VPS side?