Any beginner's guides for Policy Based Routing with a commercial VPN, keeping the non-VPN WAN as primary routing?

My goals:

  • I want to set up a streaming media player, an Amazon Firestick as a cheap option, with a VPN for bypassing geoblocked content and content that may not have been properly licensed. For a tech-illiterate family, I don't want them to have to remember to turn on the VPN with every boot of the device. Could I set this all up with a VPN client (sideloaded) on the stick? Maybe so, but I'd love to get it done via Policy Based Routing.

  • I want to keep most other devices not using the VPN. For the kids' schoolwork, for my gaming, and for a Plex server, I don't want the VPN becoming an obstacle.

  • I would love to set up a guest network that funnels through the VPN. This is optional. (But I could use it as an alternative to the first goal; just have the firestick connect to the guest network.)

What I am asking is any recommendation for text or video based tutorials that will help me achieve these goals.

First few YT videos I found skip several steps and say "I'm going to skip this part. You can watch other videos that have covered this. Leave a like, comment, and subscribe if you'd like me to make a video dedicated to this."

A lot of the docs/wiki here are very brief and don't teach me enough on what it is I'm reading. Like am I reading how to set up a VPN server when what I really want is setting up a VPN client for split tunneling? It's all been confusing.

I had a setup of OpenWRT but I nuked it as it got terribly put together. DNS leaks out the wazoo. IDK, I just installed pbr, luci-app-pbr, openvpn-openssl, and luci-app-openvpn if I remember those package names correctly. One of them would not install due to conflicts, and I had to check the box for letting it overwrite any conflicting files which may well have broken the other package.

It seems that the GUI is lacking for a lot of options, and I need to figure out terminal commands, but again those docs are not written for newbies. This is the first project I've worked on that required SSH for instance, so I had to google how to do that, and then return to the docs.

Have a look here:


That's the one I tried to follow. So the guide just has a note at the top about different names for packages now, but the rest of the guide still uses old names, and the gui experience doesn't seem to match up with the guide. A lot of the thread that I read was comments discussing bugs, nothing useful to a first timer.

An example of a point of confusion as a newbie is that dnsmasq or something is said to not be supported in the GUI, where the only value it can be set to is "Disabled", but in one of the first comments in the thread you linked it is "added".

"If you're using pbr on an x86_64 system, you can install the dnsmasq 2.87 from this post 37 and test the pbr in the nft mode."

So is nft good? Should I be forcing everything through iptables? What is the upside or downside? What stops DNS leaks?

Besides that post, it escapes me why neither the GUI nor the command line is intuitive. If I designed a GUI for policy based routing, what I would do is pick a style of rule (device, domain, etc.), ask what the default route should be, and then ask for devices or domains that should go through the other route (or even the same as default for redundancy). That isn't something I'm seeing. And I had managed to set up, prior to nuking, a VPN instance where PBR should have been capturing anything connected to funnel through the VPN, and the iptest/dnsleaktest sites would basically be a coin flip whether the "real" IP or the VPN IP was shown. I'll read that thread again, but nothing of immediate use for a newbie caught my eye the first time.

Edit: Policy-Based-Routing (pbr) package discussion - #140 by AlexK

An example of elusiveness. AlexK missed something, segrin says read the readme (which readme? A newbie may never know, there were only 4 linked at the top of the discussion; and what part of the readme? A newbie may never know, there are only a dozen sections with many subsections in some readmes.) Then AlexK just follows up to say he figured it out, to no aid for a newbie.

I might have stumbled upon the readme and section that is useful, but it sure is confusing.

"Each package of the service has its own dependencies, so only pbr-iptables can be installed on OpenWrt 21.02 and earlier, but either pbr or pbr-iptables can be installed on OpenWrt 22.03. It is recommended to install pbr on OpenWrt 22.03 and if you want to use dnsmasq ipset support, install dnsmasq-full, also install legacy iptables/ipset packages and then change resolver_set option to dnsmasq.ipset to force iptables/ipset mode."

That's my guess to where AlexK got their answer, but I do not recall seeing anything about resolver_set. Is that command line only? Is there a place in the GUI to flip that? And if we are trying to revert back to iptables, what then is the benefit of nftables?

So I ran through the set up again.

All the guides I've found missed a step somewhere.

So ProtonVPN may be setting me up in a way that is not compatible with PBR. Sadly, there is no other guide I have found yet that gets me closer. If anyone can share that, great.

ProtonVPN guide for a router-based .ovpn file and setting credentials, etc.: https://protonvpn.com/support/how-to-set-up-protonvpn-on-openwrt-routers/

Their guide works in isolation. I can confirm every device in the household appears to be from a different country.

But that is where it gets confusing with PBR.

Because when I set up PBR (it seems I can just install luci-app-pbr, as pbr itself is a dependency of it), I don't have a VPN interface. The VPN is apparently put into WAN. So how can PBR differentiate non-VPN WAN from VPN WAN when it's all WAN?

So that is where I think ProtonVPN's guide is not great as I should be setting up a network or interface for the VPN independently. But how? I can't find anything in https://docs.openwrt.melmac.net/pbr/#Howtouse as it skips that step and just assumes I have all the interfaces premade.

This guide is also sparse on details: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client

So I actually want a firewall interface called tun+ ? Because once I did that step and checked on the GUI, it told me tun+ was an absent interface. I figured I'd want tun0, like the ProtonVPN guide had. As at least tun0 exists?

Edit 2: Further questions arise about the accuracy of the docs. I figure that the LuCI GUI is insufficient for setting things up. (I installed the nano-full package as I am more familiar with that than vi. Just throwing that out there for any future newbies.) Anyway, I am at this part of the tutorial https://docs.openwrt.melmac.net/pbr/#Howtouse section 8.3.7

Such a line as "config zone" does not exist. There is "config zone 'lan'" and "config zone 'wan'", where each has a following line that says "option name '[lan|wan]'" respectively.

So what I find in here is

 15 config zone 'wan'
 16         option name 'wan'
 17         option input 'REJECT'
 18         option output 'ACCEPT'
 19         option forward 'REJECT'
 20         option masq '1'
 21         option mtu_fix '1'
 22         list network 'wan'
 23         list network 'wan6'
 24         list network 'vpnclient'
 25 

Where line 24 is what I added myself. Just a guess because the docs are definitely not explicit.

Am I doing things right? Who knows!

Edit 3 or 4, whatever I'm up to: Nope, I've broken it and now I have DNS leaks out the wazoo, again. Yay. Love this game. Here is my step by step (until I forgot to keep writing down some steps, intermingled with updating this post).

Given that I am doing something out of order, what am I supposed to do??

I will nuke the router again. I'll try installing just luci-app-pbr (and nano-full) and see what happens if I follow the "steps" as vague as they are in 8.3.7 of the guide referenced above?

Edit 170000: Maybe I had it set up right and misunderstood. Well, kind of sort of. I think I have things set up successfully and wrote this guide as I tried to figure out all the steps. It apparently cannot be done with GUI only.

My biggest confusion was understanding ipleak.net. As long as I didn't see Comcast or my ISP by name on there, I was good. When I was doing "failsafe" configurations via quad9, I was getting some USA results. Notably for WoodyNet, but that's normal for quad9 use; I misunderstood them as leaks because they weren't in Germany like I had expected.

My questions then are: What is the best way to prevent leaks and how do I let ProtonVPN be in charge of the DNS queries?

I've apparently created race conditions having set up custom DNS servers pointing at Quad9, which ultimately I don't mind, but I'd love to let ProtonVPN handle all the DNS queries via the VPN. (And Quad9 to handle all the queries via the regular WAN.)
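The two open questions above (how to give the VPN its own interface and zone instead of listing 'vpnclient' under the 'wan' zone, and how to keep one client's DNS inside the tunnel) can be answered with the UCI fragments below. This is a constructed example written for this thread, not configuration from the pbr docs or the ProtonVPN guide; it assumes the interface name 'vpnclient' and the tun0 device from the posts above, uses 192.168.1.50 as a made-up Firestick address, and 10.8.8.1 is only a placeholder for whatever resolver the VPN actually pushes.

```uci
# /etc/config/network: give the tunnel its own logical interface.
# tun0 is the device the OpenVPN client creates (as in the ProtonVPN guide).
config interface 'vpnclient'
        option proto 'none'
        option device 'tun0'

# /etc/config/firewall: a separate zone for the tunnel. Remove the
# "list network 'vpnclient'" line from zone 'wan' so PBR can tell them apart.
config zone 'vpn'
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpnclient'

config forwarding
        option src 'lan'
        option dest 'vpn'

# DNAT only this client's port-53 traffic to the resolver inside the tunnel,
# so its lookups never reach Quad9 over plain WAN. 192.168.1.50 is a
# constructed client address; 10.8.8.1 is a PLACEHOLDER for the VPN's resolver.
config redirect
        option name 'firestick-dns-via-vpn'
        option src 'lan'
        option src_ip '192.168.1.50'
        option src_dport '53'
        option dest 'vpn'
        option dest_ip '10.8.8.1'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'DNAT'

# /etc/config/pbr: set these two options in the existing 'config' section.
# strict_enforcement drops a policy's traffic when vpnclient is down instead
# of silently letting it fall back to the plain WAN (the leak you saw).
config pbr 'config'
        option enabled '1'
        option strict_enforcement '1'

# One policy: everything from the Firestick leaves through the tunnel.
config policy
        option name 'firestick-via-vpn'
        option src_addr '192.168.1.50'
        option interface 'vpnclient'
```

After editing, run `/etc/init.d/network reload`, `/etc/init.d/firewall reload` and `/etc/init.d/pbr restart`, then check from the Firestick on ipleak.net that both the shown IP and the DNS resolvers belong to the VPN provider, and from another device that they belong to your ISP and Quad9 respectively.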