After some tinkering I finally got domain-based split routing working. The rough idea: on the router, have dnsmasq resolve a chosen set of domains through a designated DNS server and collect the resolved addresses (the go_vpn ipset in the script below), then use an iptables PREROUTING rule to mark every packet headed for one of those addresses; finally add a policy-routing rule so that everything carrying the mark goes out through the VPN, while all other traffic keeps using the normal default route. This post was the reference:
http://marcschwieterman.com/blog/bypass-vpn-by-hostname/

My router's wanup script looks roughly like this:
#!/bin/sh
#
# wanup: runs once the WAN is up. Assumes the VPN tunnel interface is tun11
# and that the ipset go_vpn already exists and is being filled by dnsmasq.
#
# First disable Reverse Path Filtering on every interface (the "all" and
# "default" entries matched by the glob cover current and future interfaces).
# Without this the kernel drops replies that come back over tun11 for flows
# it would have sent out another way, treating them as spoofed.
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > "$i"
done
#
# Start from a clean slate: flush table 100 and the fwmark rule if they exist
# (the del commands fail harmlessly on the first run, so their errors are
# silenced), then flush the mangle PREROUTING chain. Note that -F removes every
# rule in that chain, including any the firmware itself added.
#
ip route flush table 100
ip route del default table 100 2>/dev/null
ip rule del fwmark 1 table 100 2>/dev/null
ip route flush cache
iptables -t mangle -F PREROUTING
#
# The resolvers that dnsmasq uses for the split domains must themselves be
# reached through the tunnel, so they get host routes via tun11 in the main
# table; otherwise those lookups would leak out over the plain WAN.
#
ip route add 8.8.8.8 dev tun11
ip route add 208.67.222.222 dev tun11
#
# Table 100 holds a single default route through the tunnel, and packets
# carrying fwmark 1 are looked up in table 100 instead of the main table.
#
ip route add default dev tun11 table 100
ip rule add fwmark 1 table 100
ip route flush cache
#
# Mark LAN (br0) traffic in PREROUTING. Default: MARK = 0, bypass the VPN.
# MARK = 1, go through the VPN, when the destination is in the go_vpn ipset.
# Order matters: the set-specific rule must come after the catch-all.
# (--set is the old ipset match syntax; newer iptables spells it --match-set.)
#
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m set --set go_vpn dst -j MARK --set-mark 1
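As an added example (my own script, not the original post's wanup script), here is the half of the setup the wanup script relies on but never shows: the dnsmasq lines that send each listed domain to the VPN-side resolver and push the resolved addresses into the go_vpn ipset, the creation of that set, and a check you can run on the router to confirm a domain really is routed through the tunnel. The set name go_vpn, the resolver 8.8.8.8 and the tunnel tun11 are taken from the script above; the config path /etc/dnsmasq.custom, the script name split.sh, and the way nslookup and ip route get output is parsed are my assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumptions chosen here:
# the ipset is go_vpn, the VPN-side resolver is 8.8.8.8, dnsmasq reads extra
# config from /etc/dnsmasq.custom, and the tunnel interface is tun11.

VPN_DNS=8.8.8.8
IPSET_NAME=go_vpn
DNSMASQ_CONF=/etc/dnsmasq.custom
VPN_IF=tun11

# dnsmasq lines for one domain: send its queries to the VPN-side resolver and
# add every A record in the answer to the ipset. Both lines also cover all
# subdomains of the given name.
dnsmasq_lines_for() {
    printf 'server=/%s/%s\n' "$1" "$VPN_DNS"
    printf 'ipset=/%s/%s\n' "$1" "$IPSET_NAME"
}

# Build the whole config from a domain list given as arguments; empty entries
# and "#..." comments are skipped, so a file can be fed in via $(cat list).
gen_dnsmasq_conf() {
    for d in "$@"; do
        case "$d" in ''|\#*) continue ;; esac
        dnsmasq_lines_for "$d"
    done
}

# Create the set if it is missing. Tomato-era builds use the old
# "ipset -N name iphash" syntax, newer firmware "ipset create name hash:ip",
# so try the old form first and fall back to the new one.
ensure_ipset() {
    ipset -L "$IPSET_NAME" >/dev/null 2>&1 && return 0
    ipset -N "$IPSET_NAME" iphash 2>/dev/null || ipset create "$IPSET_NAME" hash:ip
}

# End-to-end check on the router: resolve the name through the local dnsmasq
# (which is what fills the set), confirm the address landed in the set, and
# ask the kernel which interface a packet carrying mark 1 to that address
# would leave on. The nslookup parsing assumes busybox-style output.
check_domain() {
    addr=$(nslookup "$1" 127.0.0.1 2>/dev/null | sed -n '/^Name/,$p' \
           | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n1)
    [ -n "$addr" ] || { echo "$1: no answer from local dnsmasq"; return 1; }
    ipset -T "$IPSET_NAME" "$addr" >/dev/null 2>&1 \
        || { echo "$1 ($addr): not in $IPSET_NAME"; return 1; }
    ip route get "$addr" mark 1 2>/dev/null | grep -q "dev $VPN_IF" \
        || { echo "$1 ($addr): marked route not via $VPN_IF"; return 1; }
    echo "$1 ($addr): ok, via $VPN_IF"
}

# Usage on the router (hypothetical script name):
#   sh split.sh install example.com example.org   # write config, create set
#   sh split.sh check example.com                 # verify after dnsmasq restart
case "${1:-}" in
    install)
        shift
        ensure_ipset
        gen_dnsmasq_conf "$@" > "$DNSMASQ_CONF"
        ;;
    check)
        shift
        for d in "$@"; do check_domain "$d"; done
        ;;
esac
```

Two caveats worth keeping in mind: the set only ever sees addresses that were resolved through this dnsmasq, so a LAN client with a hard-coded DNS server, or one reusing a cached answer from before the config was loaded, reaches the same address unmarked and outside the VPN; and entries added by the ipset= option carry no timeout, so an address stays in the set (and keeps being routed through the tunnel) until the set is flushed, even after the domain moves elsewhere.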