Can anyone help me setup a vpn to use only on certain devices?

I'm trying to use my VPN on only certain devices but can't seem to figure out how to do it. If anyone could please help me I would greatly appreciate it.

Policy Based Routing (PBR) is the magic word see:

What VPN are you using OpenVPN, WireGuard?


I'm using OpenVPN and I've currently got that PBR installed but I don't understand how to use it.

Each WAN interface becomes a gateway, that can be selected to be used based on criteria.

You can set a policy up that would only send traffic out over the vpn interface if the local device has a specific IP (or CIDR range), amongst other criteria.

Here's one I have that would send all traffic from one of my streamer boxes out over my VPN tunnel, if the traffic is not meant for the local LAN:

config policy
        option name 'aTV-MasterBed'
        option interface 'wg0'
        option src_addr '10.19.76.74'
        option dest_addr '!10.19.76.0/24'
        option enabled '0'

Here's one that sends all local devices trying to get to ipinfo.io to go through my VPN:

config policy
        option interface 'wg0'
        option name 'ipinfo'
        option dest_addr 'ipinfo.io'
        option dest_port '443'
        option src_addr '10.19.76.0/24'
        option enabled '0'

How does PBR work in terms of domain targets like your example above? Will that work if the domain uses dynamic IP addresses (CloudFlare, for example)?

When I read up on it about a year ago, my (quite possibly wrong) understanding was that it used ipsets and that made it "static" when using domain policies.

Some clarification on that would be awesome.

I've tried to set these configs up but I just can't seem to figure it out. I also can't figure out how to switch the default gateway of PBR; it keeps setting it to my OpenVPN. I'm a noob at this if you can't tell lol. Here's some screenshots of config. I'm honestly not sure what I'm doing wrong.



I feel like my firewall rules/interface isn't set up correctly but I'm not sure.

When using ipset/nftset it is dynamic and adapts to newly found ip addresses.

The guide has some instructions about it

I'm honestly about to just give up on this because I've been trying for hours and can't figure it out.

Thanks. The guide doesn't make clear whether it will also retire previous addresses automatically.

The scenario I'm thinking of has a site behind dynamic CloudFlare IPs, where I don't want potential leakage across policies if those IPs are shared amongst other domains over time. So updating for new addresses is only half the battle, it also needs to flush previous addresses for a given domain. Maybe that's implied or obvious for more advanced users; it isn't clear to me.

@David1010, I'm sorry to keep hijacking your thread. For my own purposes, with pretty simple requirements, I ended up skipping PBR and just setting up a VPN bypass manually. If you could explain in a little more detail exactly what you need to keep in the VPN and what you want outside of it, maybe that's an option for you too.

I just want two Android streaming boxes connected to the VPN and that's about it honestly, and everything else like my PC and other things not connected to the VPN.

Can you set static LAN IPs for the streaming boxes?

If so, then I think all you need to do is create a custom routing table and a rule for each streaming box, unless there's a significant difference in how OpenVPN works compared to WireGuard.

To make the custom routing table in LuCI, go to Network -> Routing and click "Add" in the "Static IPv4 Routes" tab. Select "OPENVPN" as the interface, "unicast" as the route type, "0.0.0.0/0" as the target, and "<OpenVPNgatewayIP>" as the gateway under "General Settings". Then set a new table number under "Advanced Settings", say "100" for example, and leave everything else alone, then hit "Save".

Then go to the "IPv4 Rules" tab and "Add" a new rule. Rule type "unicast", incoming interface "lan" (assuming the streaming boxes are just on your main LAN), source "<StreamingBoxIP>/32", and table "100" (or whatever number you used above). Leave everything else alone and hit "Save".

Make another rule for the other streaming box, exactly the same except for the source IP address.

Save and apply all of that. I don't actually know if it's necessary to reboot the router to make those routes take effect, but may as well.

If you want to play it safe, wait for one of the gurus here to read my suggestion and approve or correct it before giving it a try.

EDIT: Fixed I think.
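Added example, not part of the thread or of anyone's posted config: the LuCI steps above (custom routing table plus one rule per streaming box) written out as the equivalent /etc/config/network stanzas, followed by a check that reads `ip rule show` and `ip route show table <N>` output and confirms each box really is sent to the VPN table. Assumptions: the tunnel interface is `wg0`, the table number is 100, the box addresses 10.19.76.74/.75 and the sample `ip` output are constructed for illustration, and `<OpenVPNgatewayIP>` is left as a placeholder just as in the post. Route type and rule type are not set, so netifd uses its default (unicast), matching what the post selects in LuCI.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the UCI stanzas for the
# "custom table + per-box rule" setup and checks live routing state.

VPN_IFACE="wg0"                 # assumed tunnel interface name
VPN_GW="<OpenVPNgatewayIP>"     # placeholder, as in the post: put the real tunnel gateway here
VPN_TABLE="100"                 # assumed custom table number

# Print /etc/config/network stanzas: one default route in the custom
# table via the VPN interface, and one rule per box that sends traffic
# from that box (arriving on lan) to the custom table.
# $1 = VPN interface, $2 = VPN gateway, $3 = table, $4.. = box IPs
vpn_uci_config() {
  iface=$1; gw=$2; table=$3; shift 3
  printf "config route\n\toption interface '%s'\n\toption target '0.0.0.0/0'\n\toption gateway '%s'\n\toption table '%s'\n\n" \
    "$iface" "$gw" "$table"
  for ip in "$@"; do
    printf "config rule\n\toption in 'lan'\n\toption src '%s/32'\n\toption lookup '%s'\n\n" \
      "$ip" "$table"
  done
}

# Verify the result on the router. Pass the text of `ip rule show` as $1
# and of `ip route show table <N>` as $2; $3 = table, $4 = VPN interface,
# $5.. = box IPs. Returns 0 when every box has a rule into the table and
# the table has a default route out the VPN interface; otherwise prints
# what is missing and returns 1. This is what "is it working?" looks
# like before checking a public-IP site from the box.
vpn_routing_ok() {
  rules=$1; routes=$2; table=$3; iface=$4; shift 4
  ok=0
  # Does the custom table contain "default ... dev <iface>"?
  printf '%s\n' "$routes" | awk -v i="$iface" '
    $1 == "default" { for (k = 2; k < NF; k++) if ($k == "dev" && $(k+1) == i) m = 1 }
    END { exit !m }' || { echo "missing: default route via $iface in table $table"; ok=1; }
  # Does each box have a "from <ip> ... lookup <table>" rule?
  for ip in "$@"; do
    printf '%s\n' "$rules" | awk -v ip="$ip" -v t="$table" '
      { f = 0; l = 0
        for (k = 1; k < NF; k++) {
          if ($k == "from" && $(k+1) == ip) f = 1
          if ($k == "lookup" && $(k+1) == t) l = 1
        }
        if (f && l) m = 1 }
      END { exit !m }' || { echo "missing: rule from $ip to table $table"; ok=1; }
  done
  return $ok
}

# Constructed sample output (what `ip rule show` / `ip route show table 100`
# should look like once the LuCI steps are applied and saved).
SAMPLE_RULES='0:	from all lookup local
32764:	from 10.19.76.74 iif br-lan lookup 100
32765:	from 10.19.76.75 iif br-lan lookup 100
32766:	from all lookup main
32767:	from all lookup default'
SAMPLE_ROUTES='default via 10.8.0.1 dev wg0'

# Demo: print the config, then check the constructed state.
vpn_uci_config "$VPN_IFACE" "$VPN_GW" "$VPN_TABLE" 10.19.76.74 10.19.76.75
vpn_routing_ok "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$VPN_TABLE" "$VPN_IFACE" 10.19.76.74 10.19.76.75 \
  && echo "routing check: OK"
```

On the router itself, replace the constructed samples with `"$(ip rule show)"` and `"$(ip route show table 100)"`. If the check passes but the box's public IP is still unchanged, the rule and table are fine and the problem lies in the tunnel (interface not up, or the tunnel's firewall zone not forwarding from lan), which is the situation the later replies in this thread describe.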

For some reason it says "network device is not present" on my interface for OpenVPN, and also there's not an option to select OpenVPN as the interface. Do I need to set up any firewall rules?

Your VPN tunnel doesn't seem to be configured properly in the first place. That might be the source of all your problems right from the start.

Did you follow a detailed guide for setting up OpenVPN? You might need to go back through that first and make sure the tunnel connects.

Unfortunately I can't really help with that part; I only know how to work with WireGuard.

I'm actually currently switching to WireGuard right now. OpenVPN seems to be much more complicated to set up and so far WireGuard is going very well.

Better performance, too.

I just got WireGuard set up. I can't tell if it's working or not because none of my devices' public IPs have changed, and also I followed your guide and tested it on one of my streaming devices and the IP is still the same. I tried changing the metric value as well but it still doesn't change my public IP.



I have everything working great currently, your guide was spot on! I sure appreciate you taking the time out of your day to help me.

Glad I could help!

Seems like you figured out whatever was going wrong in your earlier reply...


What VPN do you use, if you don't mind me asking? I got a trial for one called PureVPN and it definitely has latency issues.