Can someone correct my PBR? Tailscale

The goal is to route your LAN traffic through Mullvad VPN while allowing Tailscale to bypass the VPN.

I was reading another post about tailscale and PBR which mentioned:
https://openwrt.org/docs/guide-user/network/routing/pbr_app#support_tailscale
and trying to combine it with:
https://docs.openwrt.melmac.net/pbr/#LocalWireguardServerAnotherVPNClientScenario1

  1. I am not sure if my PBR config is correct (making it hard to really test).
  2. In /etc/config/network, should I turn off
     option route_allowed_ips '1'

Here is the pbr config:

config policy
    option name 'Ignore Tailscale'
    # Replace with your Tailscale subnet
    option src_addr '100.64.0.0/10'
    option interface 'ignore'

config pbr 'config'
    option verbosity '2'
    option strict_enforcement '1'
    option resolver_set 'none'
    option ipv6_enabled '0'
    option boot_timeout '30'
    option rule_create_option 'add'
    option procd_reload_delay '1'
    option webui_show_ignore_target '0'
    list webui_supported_protocol 'all'
    list webui_supported_protocol 'tcp'
    list webui_supported_protocol 'udp'
    list webui_supported_protocol 'tcp udp'
    list webui_supported_protocol 'icmp'
    option enabled '1'
    list supported_interface 'tailscale*'
    list supported_interface 'mullvad'
    option wan_ip_rules_priority '1'

config policy
    option name 'Route LAN to Mullvad'
    option src_addr '192.168.3.0/24'
    option interface 'mullvad'

Move the ignore policy up.

Thank you. I tried to move it to the very top (will make changes in the original post). Still routing through Mullvad.

Got it working. For anyone that wants to know:

  1. For the VPN in /etc/config/network, make sure you turn off (0) route_allowed_ips:
     option route_allowed_ips '0'
  2. If you are a noob like me, make sure your LAN can directly connect to the WAN, not just your VPN:
     /etc/config/network
     config forwarding
         option src 'lan'
         option dest 'wan'
  3. I have updated my PBR BELOW to what is now my working config.

UPDATED TO WORKING CONFIG: Here is the pbr config:
/etc/config/pbr

config policy
    option name 'Ignore Tailscale'
    # Default Tailscale subnet range
    option src_addr '100.64.0.0/10'
    option interface 'ignore'

config pbr 'config'
    option verbosity '2'
    option strict_enforcement '1'
    option resolver_set 'none'
    option ipv6_enabled '0'
    option boot_timeout '30'
    option rule_create_option 'add'
    option procd_reload_delay '1'
    option webui_show_ignore_target '0'
    list webui_supported_protocol 'all'
    list webui_supported_protocol 'tcp'
    list webui_supported_protocol 'udp'
    list webui_supported_protocol 'tcp udp'
    list webui_supported_protocol 'icmp'
    option enabled '1'
    list supported_interface 'tailscale*'
    list supported_interface 'mullvad'
    option wan_ip_rules_priority '1'

config policy
    option name 'Route LAN to Mullvad'
    option src_addr '192.168.x.0/24'
    option interface 'mullvad'

config policy
    option name 'Route Tailscale through WAN'
    # Default Tailscale subnet range
    option src_addr '100.64.0.0/10'
    option interface 'wan'
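Added example, not code from the thread or from the pbr project: a small POSIX shell script that checks the three things the working post above depends on, either against /etc/config on the router or against a copy of the files. It assumes the names used in the thread, `mullvad` for the WireGuard interface (so its peer sections in /etc/config/network are `config wireguard_mullvad`) and `lan`/`wan` for the firewall zones, and it builds its own constructed sample files rather than reading any real router. One caveat a reader should take from it: the `config forwarding` stanza belongs in /etc/config/firewall, not in /etc/config/network.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pbr project: three checks
# for the Mullvad + Tailscale layout, each printing one word so a script can act
# on it.  Assumed names: WireGuard interface 'mullvad' (its peers are
# 'config wireguard_mullvad' sections) and firewall zones 'lan' and 'wan'.

# pbr applies policies top to bottom, so the 'ignore' policy must come before
# the one that sends LAN traffic into the VPN.  Prints ok|wrong-order|missing.
pbr_check_order() {   # pbr_check_order /etc/config/pbr mullvad
  awk -v vpn="$2" -v q="'" '
    /^[[:space:]]*config[[:space:]]+policy/ { n++; next }
    /^[[:space:]]*option[[:space:]]+interface[[:space:]]/ {
      gsub(q, "", $3)
      if ($3 == "ignore" && !ign) ign = n
      if ($3 == vpn && !vpnpol) vpnpol = n
    }
    END {
      r = "missing"
      if (ign && vpnpol) r = (ign < vpnpol) ? "ok" : "wrong-order"
      print r
    }' "$1"
}

# route_allowed_ips '1' installs the peer's 0.0.0.0/0 into the main table and
# drags the router's own traffic (tailscaled included) into the tunnel; the
# option defaults to 0 when absent.  Prints ok|routes-installed|missing.
wg_check_allowed_ips() {   # wg_check_allowed_ips /etc/config/network mullvad
  awk -v sec="wireguard_$2" -v q="'" '
    /^[[:space:]]*config[[:space:]]/ { inpeer = ($2 == sec); peers += inpeer; next }
    inpeer && /^[[:space:]]*option[[:space:]]+route_allowed_ips[[:space:]]/ {
      gsub(q, "", $3); if ($3 == "1") bad++
    }
    END { r = "ok"; if (!peers) r = "missing"; else if (bad) r = "routes-installed"; print r }' "$1"
}

# A pbr policy only picks the route; the firewall must still forward lan -> wan
# or the traffic it steers to wan is dropped.  The forwarding section lives in
# /etc/config/firewall, not /etc/config/network.  Prints ok|missing.
fw_check_forwarding() {   # fw_check_forwarding /etc/config/firewall lan wan
  awk -v s="$2" -v d="$3" -v q="'" '
    function flush() { if (infwd && src == s && dst == d) found = 1; src = dst = "" }
    /^[[:space:]]*config[[:space:]]/ { flush(); infwd = ($2 == "forwarding"); next }
    infwd && /^[[:space:]]*option[[:space:]]+src[[:space:]]/  { gsub(q, "", $3); src = $3 }
    infwd && /^[[:space:]]*option[[:space:]]+dest[[:space:]]/ { gsub(q, "", $3); dst = $3 }
    END { flush(); r = found ? "ok" : "missing"; print r }' "$1"
}

# Run all three on a config directory (/etc/config on the router); exit 1 if
# anything is off.
check_all() {   # check_all /etc/config mullvad
  dir="${1:-/etc/config}"; vpn="${2:-mullvad}"; rc=0
  for line in "pbr order:   $(pbr_check_order "$dir/pbr" "$vpn")" \
              "wg routes:   $(wg_check_allowed_ips "$dir/network" "$vpn")" \
              "lan->wan fw: $(fw_check_forwarding "$dir/firewall" lan wan)"; do
    echo "$line"; case "$line" in *" ok") ;; *) rc=1 ;; esac
  done
  return $rc
}

# Constructed sample configs (not copied from any router): DIR/before has the
# three mistakes, DIR/after has them fixed.
write_samples() {   # write_samples DIR
  b="$1/before"; a="$1/after"; mkdir -p "$b" "$a"
  cat > "$b/pbr" <<'EOF'
config policy
    option src_addr '192.168.3.0/24'
    option interface 'mullvad'
config policy
    option src_addr '100.64.0.0/10'
    option interface 'ignore'
EOF
  cat > "$b/network" <<'EOF'
config interface 'mullvad'
    option proto 'wireguard'
config wireguard_mullvad
    option route_allowed_ips '1'
    list allowed_ips '0.0.0.0/0'
EOF
  cat > "$b/firewall" <<'EOF'
config forwarding
    option src 'lan'
    option dest 'mullvad'
EOF
  # after: ignore policy first, then LAN -> mullvad, then Tailscale -> wan
  { tail -n 3 "$b/pbr"; head -n 3 "$b/pbr"
    printf "config policy\n    option src_addr '100.64.0.0/10'\n    option interface 'wan'\n"; } > "$a/pbr"
  sed "s/route_allowed_ips '1'/route_allowed_ips '0'/" "$b/network" > "$a/network"
  { cat "$b/firewall"; printf "config forwarding\n    option src 'lan'\n    option dest 'wan'\n"; } > "$a/firewall"
}
```

On the router, source the file and run `check_all /etc/config mullvad`: it prints one line per check and exits 1 if any of them is off. `write_samples /tmp/x` followed by `check_all /tmp/x/before` reproduces the failing state from the thread (VPN policy above the ignore policy, `route_allowed_ips '1'`, no lan to wan forwarding), and `check_all /tmp/x/after` the working one.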
