Ranger802004 / asusmerlin

ASUS Merlin
GNU General Public License v3.0

Domain VPN Routing Issue: Failed IPTables Rule Addition #21

Closed Beta-Blaze closed 2 months ago

Beta-Blaze commented 5 months ago

I tried to use your wonderful utility but ran into difficulties. When I try to run querypolicy I get the error "iptables: No chain/target/match by that name". I am using the firmware from gnuton. My router is a TUF-AX3000_V2. It has entware installed on it.

logs

routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh && sh
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# /jffs/scripts/domain_vpn_routing.sh install
# Domain VPN Routing for ASUS Routers using Merlin Firmware v386.7 or newer
# Author: Ranger802004 - https://github.com/Ranger802004/asusmerlin/
# Date: 02/26/2024
# Version: v2.1.3

  Information:
  (1)  readme            View Domain VPN Routing Readme
  (2)  showpolicy        View existing policies

  Installation/Configuration:
  (3)  install           Install Domain VPN Routing
  (4)  uninstall         Uninstall Domain VPN Routing
  (5)  config            Global Configuration Settings
  (6)  update            Check for updates for Domain VPN Routing

  Operations:
  (7)  cron              Schedule Cron Job to automate Query Policy for all policies
  (8)  querypolicy       Perform a manual query of an existing policy
  (9)  restorepolicy     Perform a restore of an existing policy
  (10) kill              Kill any running instances of Domain VPN Routing

  Policy Configuration:
  (11) createpolicy      Create Policy
  (12) editpolicy        Edit Policy
  (13) deletepolicy      Delete Policy
  (14) adddomain         Add Domain to an existing Policy
  (15) deletedomain      Delete Domain from an existing Policy
  (16) deleteip          Delete IP from an existing Policy

  (e)  exit              Exit Domain VPN Routing Menu

Make a selection:
e
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# /jffs/scripts/domain_vpn_routing.sh createpolicy
Policy Name: wgtest
Interfaces:
wgc5
wan
Select an Interface for this Policy: wgc5
Enable verbose logging for this policy? ***Enter Y for Yes or N for No*** y
Enable Private IP Addresses for this policy? ***Enter Y for Yes or N for No*** n
domain_vpn_routing: Create Policy - Creating /jffs/configs/domain_vpn_routing/policy_wgtest_domainlist
domain_vpn_routing: Create Policy - /jffs/configs/domain_vpn_routing/policy_wgtest_domainlist created
domain_vpn_routing: Create Policy - Creating /jffs/configs/domain_vpn_routing/policy_wgtest_domaintoIP
domain_vpn_routing: Create Policy - /jffs/configs/domain_vpn_routing/policy_wgtest_domaintoIP created
domain_vpn_routing: Create Policy - Adding wgtest to /jffs/configs/domain_vpn_routing/domain_vpn_routing.conf
domain_vpn_routing: Create Policy - Added wgtest to /jffs/configs/domain_vpn_routing/domain_vpn_routing.conf
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# /jffs/scripts/domain_vpn_routing.sh adddomain ipinfo.io
1: (All Policies)
2: wgtest

Select the Policy where you want to add ipinfo.io: 1
awk: /jffs/configs/domain_vpn_routing/policy_all_domainlist: No such file or directory
domain_vpn_routing: Add Domain - Adding ipinfo.io to all
domain_vpn_routing: Add Domain - Added ipinfo.io to all
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# /jffs/scripts/domain_vpn_routing.sh adddomain ipinfo.io
1: (All Policies)
2: wgtest

Select the Policy where you want to add ipinfo.io: 2
domain_vpn_routing: Add Domain - Adding ipinfo.io to wgtest
domain_vpn_routing: Add Domain - Added ipinfo.io to wgtest
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# /jffs/scripts/domain_vpn_routing.sh querypolicy wgtest
iptables: No chain/target/match by that name.les
domain_vpn_routing: Restore Policy - ***Error*** Failed to add IPTables OUTPUT rule for IPSET: DomainVPNRouting-wgtest-ipv4 FWMark: 0xe000
iptables: No chain/target/match by that name.
domain_vpn_routing: Restore Policy - ***Error*** Failed to add IPTables PREROUTING rule for IPSET: DomainVPNRouting-wgtest-ipv4 FWMark: 0xe000
iptables: No chain/target/match by that name.
domain_vpn_routing: Restore Policy - ***Error*** Failed to add IPTables rule for IPSET: DomainVPNRouting-wgtest-ipv4 Interface: wgc5 FWMark: 0xe000
Query Policy: wgtest
domain_vpn_routing: Query Policy - Policy: wgtest Querying ipinfo.io
***New IP Addresses detected for wgtest***
Updating Policy: wgtest
Updated Policy: wgtest
iptables: No chain/target/match by that name.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables OUTPUT rule for IPSET: DomainVPNRouting-wgtest-ipv4 FWMark: 0xe000
iptables: No chain/target/match by that name.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables PREROUTING rule for IPSET: DomainVPNRouting-wgtest-ipv4 FWMark: 0xe000
iptables: No chain/target/match by that name.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables rule for IPSET: DomainVPNRouting-wgtest-ipv4 Interface: wgc5 FWMark: 0xe000
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root#
Beta-Blaze commented 5 months ago
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# ipset list
Name: DomainVPNRouting-wgtest-ipv6
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536 comment
Size in memory: 68
References: 0
Number of entries: 0
Members:

Name: DomainVPNRouting-wgtest-ipv4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 275
References: 0
Number of entries: 3
Members:
192.186.117.34 comment "ipinfo.io"
34.117.186.192 comment "ipinfo.io"
Ranger802004 commented 5 months ago

Run the following command and show me the output. I suspect the ip binary version your firmware has isn't compatible.

ip -V

Beta-Blaze commented 5 months ago

@Ranger802004

BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# ip -V
ip utility, iproute2-5.11.0
Ranger802004 commented 5 months ago

Does your router not support FWMarking?

Beta-Blaze commented 5 months ago

How can I check this?

Beta-Blaze commented 5 months ago
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# fw

*** Usage:
 dw/dh/db <physical address in hex> <number>
 dw/dh/db <-k> <virtual address in hex> <number>
 sw/sh/sb <physical address in hex> <data value1> <data value2> ..<data valueN>
 sw/sh/sb <-k> <virtual address in hex> <data value1> <data value2> ..<data valueN>
 fw/fh/fb  <physical address in hex> <data value> <length>
 fw/fh/fb <-k> <virtual address in hex> <data value> <length>
  -s (currently works with physical addresses for d*/s*/f* commands
and virtual addresses for s*/f* commands)

BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# ip rule add from 192.168.1.20 table 120
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# ip rule add fwmark 0x2/0x2 lookup 102
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root#
Beta-Blaze commented 5 months ago

@Ranger802004 If I understand correctly, FWMarking works....

BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# ip rule list
0:      from all lookup local
9998:   from all fwmark 0x2/0x2 lookup 102
9999:   from 192.168.1.20 lookup wgc5
10000:  from all fwmark 0xe000/0xf000 lookup wgc5
11810:  from 192.168.1.249 lookup wgc4
32766:  from all lookup main
32767:  from all lookup default
Ranger802004 commented 5 months ago

The errors on your logs for the following are because the MARK target doesn't exist for FWMarking rules.

iptables: No chain/target/match by that name.

Beta-Blaze commented 5 months ago

What can I do to create a MARK target? Or is it due to a missing package? What should I do, I'm stuck(

Ranger802004 commented 5 months ago

Send me the output of the following command

iptables -t mangle -nvL

Beta-Blaze commented 5 months ago

@Ranger802004

BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 205M packets, 154G bytes)
 pkts bytes target     prot opt in     out     source               destination
  62M   59G MARK       all  --  wgc4   *       0.0.0.0/0            0.0.0.0/0            MARK or 0x1
51577 6882K MARK       all  --  wgc5   *       0.0.0.0/0            0.0.0.0/0            MARK or 0x1

Chain INPUT (policy ACCEPT 69M packets, 63G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 136M packets, 91G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 48M packets, 8371M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 184M packets, 99G bytes)
 pkts bytes target     prot opt in     out     source               destination
  46M 5146M MARK       all  --  *      wgc4    0.0.0.0/0            0.0.0.0/0            MARK or 0x1
53850 3274K MARK       all  --  *      wgc5    0.0.0.0/0            0.0.0.0/0            MARK or 0x1
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root#
Ranger802004 commented 5 months ago

It does appear your router is using the MARK target so it does exist...try uninstalling Entware (specifically the ip binary if it is installed from Entware).

Beta-Blaze commented 5 months ago

@Ranger802004

 List of installed Entware packages (22)

 column - 2.39.3-1               entware-release - 2024.02-1     libc - 2.27-11                  librt - 2.27-11                 locales - 2.27-9                zoneinfo-core - 2024a-1
 coreutils - 9.3-1               entware-upgrade - 1.0-1         libgcc - 8.4.0-11               libsmartcols - 2.39.3-1         opkg - 2022-02-24-d038e5b6-2    zoneinfo-europe - 2024a-1
 coreutils-dd - 9.3-1            findutils - 4.9.0-1a            libpcre2 - 10.42-1              libssp - 8.4.0-11               terminfo - 6.4-2a
 entware-opt - 227000-3          grep - 3.11-1                   libpthread - 2.27-11            libstdcpp - 8.4.0-11            zoneinfo-asia - 2024a-1

 Entware Apps installed in /opt/bin/ (12)

 ash             column          dd              egrep           fgrep           find            grep            locale.new      localedef.new   netstat         sh              xargs

 Entware Apps installed in /opt/sbin/ (2)

 ifconfig        route

I deleted Entware and all the scripts. I reinstalled domain_vpn_routing.

I am also confused by the error "grep: /jffs/scripts/firewall-start: No such file or directory"

BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# /usr/sbin/curl -s "https://raw.githubusercontent.com/Ranger802004/asusmerlin/main/domain_vpn_routing/domain_vpn_routing.sh" -o "/jffs/scripts/domain_vpn_
routing.sh" && chmod 755 /jffs/scripts/domain_vpn_routing.sh && sh
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# /jffs/scripts/domain_vpn_routing.sh install
domain_vpn_routing: Install - Creating /jffs/configs/domain_vpn_routing
domain_vpn_routing: Install - /jffs/configs/domain_vpn_routing created
domain_vpn_routing: Install - Creating /jffs/configs/domain_vpn_routing/global.conf
domain_vpn_routing: Install - /jffs/configs/domain_vpn_routing/global.conf created
domain_vpn_routing: Install - Creating /jffs/configs/domain_vpn_routing/domain_vpn_routing.conf
domain_vpn_routing: Install - /jffs/configs/domain_vpn_routing/domain_vpn_routing.conf created
domain_vpn_routing: Install - Creating wan-event script
domain_vpn_routing: Install - wan-event script has been created
domain_vpn_routing: Install - Adding domain_vpn_routing cron job to wan-event
domain_vpn_routing: Install - domain_vpn_routing cron job added to wan-event
domain_vpn_routing: Install - domain_vpn_routing added to wan-event
domain_vpn_routing: Install - Creating openvpn-event
domain_vpn_routing: Install - openvpn-event has been created
domain_vpn_routing: Install - Adding domain_vpn_routing cron job to openvpn-event
domain_vpn_routing: Install - domain_vpn_routing cron job added to openvpn-event
domain_vpn_routing: Install - Adding domain_vpn_routing to openvpn-event
domain_vpn_routing: Install - domain_vpn_routing added to openvpn-event
domain_vpn_routing: Install - Creating wgclient-start script
domain_vpn_routing: Install - wgclient-start script has been created
domain_vpn_routing: Install - Adding domain_vpn_routing Cron Job to wgclient-start
domain_vpn_routing: Install - domain_vpn_routing Cron Job added to wgclient-start
domain_vpn_routing: Install - Adding domain_vpn_routing Query Policy All to wgclient-start
domain_vpn_routing: Install - domain_vpn_routing Query Policy All added to wgclient-start
domain_vpn_routing: Alias Check - Creating /jffs/configs/profile.add
domain_vpn_routing: Alias Check - Created /jffs/configs/profile.add
domain_vpn_routing: Alias Check - Creating Alias for /jffs/scripts/domain_vpn_routing.sh as domain_vpn_routing
domain_vpn_routing: Alias Check - Created Alias for /jffs/scripts/domain_vpn_routing.sh as domain_vpn_routing
domain_vpn_routing: Cron - Checking if Cron Job is Scheduled
domain_vpn_routing: Cron - Creating Cron Job
domain_vpn_routing: Cron - Created Cron Job
Created Cron Job
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# /jffs/scripts/domain_vpn_routing.sh update

grep: /jffs/scripts/firewall-start: No such file or directory
domain_vpn_routing is up to date. Do you want to reinstall domain_vpn_routing Version: v2.1.3? ***Enter Y for Yes or N for No***
> Invalid Selection!!! ***Enter Y for Yes or N for No***
domain_vpn_routing is up to date. Do you want to reinstall domain_vpn_routing Version: v2.1.3? ***Enter Y for Yes or N for No***
> n
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# /jffs/scripts/domain_vpn_routing.sh createpolicy
grep: /jffs/scripts/firewall-start: No such file or directory
Policy Name: wg
Interfaces:
wgc4
wgc5
wan
Select an Interface for this Policy: wgc5
Enable verbose logging for this policy? ***Enter Y for Yes or N for No*** Y
Enable Private IP Addresses for this policy? ***Enter Y for Yes or N for No*** N
domain_vpn_routing: Create Policy - Creating /jffs/configs/domain_vpn_routing/policy_wg_domainlist
domain_vpn_routing: Create Policy - /jffs/configs/domain_vpn_routing/policy_wg_domainlist created
domain_vpn_routing: Create Policy - Creating /jffs/configs/domain_vpn_routing/policy_wg_domaintoIP
domain_vpn_routing: Create Policy - /jffs/configs/domain_vpn_routing/policy_wg_domaintoIP created
domain_vpn_routing: Create Policy - Adding wg to /jffs/configs/domain_vpn_routing/domain_vpn_routing.conf
domain_vpn_routing: Create Policy - Added wg to /jffs/configs/domain_vpn_routing/domain_vpn_routing.conf
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# /jffs/scripts/domain_vpn_routing.sh adddomain ipinfo.io
grep: /jffs/scripts/firewall-start: No such file or directory
1: (All Policies)
2: wg

Select the Policy where you want to add ipinfo.io: 2
domain_vpn_routing: Add Domain - Adding ipinfo.io to wg
domain_vpn_routing: Add Domain - Added ipinfo.io to wg
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# cdd /jffs/scripts/
sh: cdd: not found
BetaBlaze@TUF-AX3000_V2-3F88:/tmp/home/root# cd /jffs/scripts/

BetaBlaze@TUF-AX3000_V2-3F88:/jffs/scripts# ls
domain_vpn_routing.sh  openvpn-event          post-mount             unmount                wan-event              wgclient-start

BetaBlaze@TUF-AX3000_V2-3F88:/jffs/scripts# /jffs/scripts/domain_vpn_routing.sh querypolicy wg
grep: /jffs/scripts/firewall-start: No such file or directory
iptables: No chain/target/match by that name.les
domain_vpn_routing: Restore Policy - ***Error*** Failed to add IPTables OUTPUT rule for IPSET: DomainVPNRouting-wg-ipv4 FWMark: 0xe000
iptables: No chain/target/match by that name.
domain_vpn_routing: Restore Policy - ***Error*** Failed to add IPTables PREROUTING rule for IPSET: DomainVPNRouting-wg-ipv4 FWMark: 0xe000
iptables: No chain/target/match by that name.
domain_vpn_routing: Restore Policy - ***Error*** Failed to add IPTables rule for IPSET: DomainVPNRouting-wg-ipv4 Interface: wgc5 FWMark: 0xe000
Query Policy: wg
domain_vpn_routing: Query Policy - Policy: wg Querying ipinfo.io
***New IP Addresses detected for wg***
Updating Policy: wg
Updated Policy: wg
iptables: No chain/target/match by that name.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables OUTPUT rule for IPSET: DomainVPNRouting-wg-ipv4 FWMark: 0xe000
iptables: No chain/target/match by that name.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables PREROUTING rule for IPSET: DomainVPNRouting-wg-ipv4 FWMark: 0xe000
iptables: No chain/target/match by that name.
domain_vpn_routing: Query Policy - ***Error*** Failed to add IPTables rule for IPSET: DomainVPNRouting-wg-ipv4 Interface: wgc5 FWMark: 0xe000
BetaBlaze@TUF-AX3000_V2-3F88:/jffs/scripts#
Ranger802004 commented 5 months ago

Definitely some strange behavior occurring...I don't have any devices to load the gnuton firmware on to test this with but I suspect there's something different in that firmware causing this behavior. Would you be available to do a Teamviewer session with me?

Beta-Blaze commented 5 months ago

Yeah, I can do a Teamviewer session tomorrow (16.04). My time zone is UTC +3. I will be home from 17:00 UTC +3. What time would be convenient for you? And maybe we can find a more convenient way of communication than github?

Ranger802004 commented 5 months ago

Sorry for the delay, it's been a busy week for me. What other times are you available?

Beta-Blaze commented 5 months ago

I'm available all day today, tomorrow from 17:00 UTC +3.

Ranger802004 commented 5 months ago

I apologize for the delays I'm having a crazy week, what times next week will be good for you?

Ranger802004 commented 5 months ago

Hello Beta, I'm more available this week.

Beta-Blaze commented 5 months ago

Hi! Let me know when you're free.

Ranger802004 commented 5 months ago

What availability do you have tomorrow? I'm in UTC-5 timezone (US Central)

Beta-Blaze commented 5 months ago

Tomorrow I am free from 7:50 AM to 5:00 PM in the UTC-5 timezone. An 8-hour time difference is quite significant)

Ranger802004 commented 4 months ago

Yea the time zone difference is making this harder to do for sure, sorry. I'm going to come up with some test commands for you to send and have you return me the output.

Beta-Blaze commented 4 months ago

That would be awesome!

Ranger802004 commented 3 months ago

Hey Blaze, sorry for the delay. I've been away from home on last minute business. I'd like to pick this back up with you.

Beta-Blaze commented 3 months ago

Hi, last week I found a problem: it was missing xt_set and xt_MARK (part of ipset). Gnuton added them to the firmware and your script worked! I also implemented similar functionality myself, using dnsmasq.
1) Dnsmasq "sees" the domain in the configuration file, resolves as usual and puts the IP address(es) in the ipset table with the name VIAVPN.
2) By iptables rule, packets with the corresponding ipset "tag" (VIAVPN) are marked with mark 1 (--set-mark 1).
3) In the routing table, all packets with mark 1 are sent through the VPN interface.

But there is a problem: it requires the use of the router's DNS.

I am new to networking and am not sure if my way is optimal. Using your script, some sites that have a bunch of subdomains with different IPs worked strangely (like x.com, instagram.com). Or I did something wrong. As I understand, your script resolves addresses via nslookup and proxies them. And nslookup cannot know about all subdomains of sites.
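The three-step dnsmasq/ipset/fwmark setup described in the comment above, as an added example (not the commenter's or the project's own code). It assumes an ipset named VIAVPN, mark 1, routing table 100 and VPN interface wgc5, emits the commands rather than executing them, and adds the pre-flight check for the "set" match (xt_set) and "MARK" target (xt_MARK) whose absence produced the "No chain/target/match by that name" errors earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the project or the commenter. Assumed values below.
IPSET_NAME="VIAVPN"   # ipset that dnsmasq fills with resolved addresses
FWMARK="1"            # mark applied to packets destined for those addresses
ROUTE_TABLE="100"     # policy table whose default route is the VPN interface
VPN_IF="wgc5"         # VPN interface (same name as in the thread)

# Return 0 when the kernel exposes both the "set" match (xt_set) and the
# "MARK" target (xt_MARK). These files are created by ip_tables and list one
# name per line; missing entries are the cause of
# "iptables: No chain/target/match by that name". Paths are overridable for testing.
check_netfilter_support() {
    tgt="${1:-/proc/net/ip_tables_targets}"
    mtc="${2:-/proc/net/ip_tables_matches}"
    [ -r "$tgt" ] && [ -r "$mtc" ] || return 1
    grep -qx 'MARK' "$tgt" || return 1
    grep -qx 'set' "$mtc" || return 1
    return 0
}

# Step 1: dnsmasq line; every answer for the domain and its subdomains is added
# to the ipset. Only clients that resolve through the router's dnsmasq are
# covered, which is the limitation the comment mentions.
dnsmasq_ipset_line() {
    printf 'ipset=/%s/%s\n' "$1" "$IPSET_NAME"
}

# Step 2: mangle rule marking packets whose destination is in the ipset.
# PREROUTING covers LAN clients, OUTPUT covers traffic from the router itself.
iptables_mark_rule() {
    printf 'iptables -t mangle -A %s -m set --match-set %s dst -j MARK --set-mark %s\n' \
        "$1" "$IPSET_NAME" "$FWMARK"
}

# Step 3: policy routing; marked packets consult the VPN table.
ip_rule_cmds() {
    printf 'ip rule add fwmark %s lookup %s\n' "$FWMARK" "$ROUTE_TABLE"
    printf 'ip route add default dev %s table %s\n' "$VPN_IF" "$ROUTE_TABLE"
}

# Full dry-run plan for one domain (six lines).
render_plan() {
    printf 'ipset create %s hash:ip\n' "$IPSET_NAME"
    dnsmasq_ipset_line "$1"
    iptables_mark_rule PREROUTING
    iptables_mark_rule OUTPUT
    ip_rule_cmds
}

if check_netfilter_support; then
    echo "# xt_set match and xt_MARK target available"
else
    echo "# WARNING: 'set' match or 'MARK' target missing; the iptables rules below would fail"
fi
render_plan "ipinfo.io"
```

Run the script on the router to print the plan and the module check; apply the printed commands only once the check passes.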

Ranger802004 commented 3 months ago

You would need to investigate the service/site and add the subdomains to your policy as well. A lot of users on snbforums.com and myself use the IPFoo browser plugin to do this.