DNS leak via OpenVPN and policy based routing

Have they? What does traceroute 8.8.8.8 show? Then nslookup medium.com.

1 Like

Are you using 'stock' OpenWRT from the official site? @ulmwind

Yes, of course. I downloaded it from https://openwrt.org/toh/xiaomi/mir3g

> You need to circumvent DNS hijacking performed by the ISP.
> Disable peer DNS and configure public resolvers:
> https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider
> Each of the configured resolvers must be routed to the VPN. (@vgaetera)

I tried your solution and it is not working (I restarted the router).

Here are the outputs (OpenVPN connected):

traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
 1  192.168.255.1 (192.168.255.1)  130.532 ms  126.510 ms  121.122 ms
 2  172.18.0.1 (172.18.0.1)  133.590 ms  119.632 ms  113.406 ms
 3  140.91.230.13 (140.91.230.13)  110.218 ms  140.91.230.2 (140.91.230.2)  120.560 ms  140.91.230.13 (140.91.230.13)  113.652 ms
 4  u2.ppp82.samsung.co.kr (157.197.82.2)  109.608 ms  113.381 ms  111.541 ms
 5  u1.ppp82.samsung.co.kr (157.197.82.1)  111.632 ms  111.288 ms  114.499 ms
 6  u25.ppp86.samsung.co.kr (157.197.86.25)  122.324 ms  u61.ppp86.samsung.co.kr (157.197.86.61)  152.596 ms  146.427 ms
 7  u170.ppp82.samsung.co.kr (157.197.82.170)  153.870 ms  155.482 ms  u142.ppp82.samsung.co.kr (157.197.82.142)  167.647 ms
 8  192.145.251.168 (192.145.251.168)  193.924 ms  171.603 ms  153.007 ms
 9  *  *  *
10  dns.google (8.8.8.8)  155.654 ms  151.887 ms  147.764 ms
nslookup medium.com
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   medium.com
Address: 127.0.0.1

Non-authoritative answer:
Name:   medium.com
Address: ::1

ISP <== ISP's router <== openwrt router <=== my phone and laptop

My ISP gave me a router to connect to the internet via an optical cable.
Maybe the medium.com website is blocked by the ISP's router?

I have briefly perused a few top posts in this thread; I just wanted to point out that the policy you have in the pbr config, as posted up top, does not affect traffic from the router itself, and all the tests you've done seem to have been done on the router, according to the screenshots.

Oh my god, your solution is so simple. I can access medium.com now.

root@OpenWrt:~# ip route get 8.8.8.8; nslookup medium.com 8.8.8.8
8.8.8.8 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 0 
    cache 
Server:         8.8.8.8
Address:        8.8.8.8:53

Non-authoritative answer:
Name:   medium.com
Address: 2606:4700:7::a29f:9904
Name:   medium.com
Address: 2606:4700:7::a29f:9804

Non-authoritative answer:
Name:   medium.com
Address: 162.159.153.4
Name:   medium.com
Address: 162.159.152.4
1 Like
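As an added example (not code from any post in this thread) that ties the two outputs above to the point made a couple of posts up: pbr's fwmark rules only apply to forwarded traffic, so a lookup done from the router shell only proves anything if the resolver itself is routed over the tunnel. The functions below take the text of `ip route get <resolver>` and of `nslookup <name> <resolver>` (busybox "Name:/Address:" format, as shown in the thread) and decide whether the test actually went over the VPN device and whether the answer looks hijacked (loopback, unspecified or private space). The script name and the live-use wrapper at the bottom are my own additions.

```shell
#!/bin/sh
# Added example, not from the thread: sanity check for DNS tests run ON the
# router. Parses `ip route get` and busybox `nslookup` output; no network
# access is needed for the functions themselves.

# Device that a destination is routed over, from `ip route get` output such
# as "8.8.8.8 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 0".
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Answer addresses only: "Address:" lines that directly follow a "Name:"
# line. The resolver's own "Address: 8.8.8.8:53" line is skipped.
nslookup_answers() {
    printf '%s\n' "$1" | awk '
        /^Name:/    { want = 1; next }
        /^Address:/ { if (want) print $2; want = 0 }
    '
}

# 0 if the address is one a public name must never resolve to.
bogus_answer() {
    case "$1" in
        127.*|::1|0.0.0.0|::)                   return 0 ;;   # loopback / unspecified
        10.*|192.168.*)                         return 0 ;;   # RFC 1918
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;   # RFC 1918 (172.16/12)
        [fF][cCdD]??:*)                         return 0 ;;   # IPv6 ULA fc00::/7
        *)                                      return 1 ;;
    esac
}

# 0 if every answer is routable, 1 if any answer is bogus, 2 if there were
# no answers at all (NXDOMAIN, SERVFAIL, timeout).
check_answers() {
    n=0; bad=0
    for a in $(nslookup_answers "$1"); do
        n=$((n + 1))
        bogus_answer "$a" && bad=$((bad + 1))
    done
    [ "$n" -eq 0 ] && return 2
    [ "$bad" -eq 0 ]
}

# Verdict for a router-side test: $1 = `ip route get <resolver>` output,
# $2 = the VPN device the resolver must be on, $3 = nslookup output.
router_test_ok() {
    [ "$(route_dev "$1")" = "$2" ] || return 1
    check_answers "$3"
}

# Live use on OpenWrt (hypothetical file name):
#   sh dnscheck.sh <resolver> <vpn-dev> <name>
#   sh dnscheck.sh 8.8.8.8 tun0 medium.com
if [ "$#" -eq 3 ]; then
    rt="$(ip route get "$1")"
    ans="$(nslookup "$3" "$1" 2>&1)"
    if router_test_ok "$rt" "$2" "$ans"; then
        echo "OK: $3 via $1 over $(route_dev "$rt"): $(nslookup_answers "$ans" | tr '\n' ' ')"
    else
        echo "FAIL: resolver $1 is on '$(route_dev "$rt")' (want $2); answers: $(nslookup_answers "$ans" | tr '\n' ' ')" >&2
        exit 1
    fi
fi
```

Fed the first `ip route get` / `nslookup` pair from the post above it reports OK; fed the later pair (resolver on eth1, answers 127.0.0.1 and ::1) it fails on both counts. To see which table a marked LAN client's packet would take instead of the router's own unmarked one, `ip route get 8.8.8.8 mark 0x20000` consults the pbr_openvpn rule that appears in the `ip rule show` output later in the thread.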

Because some websites such as facebook.com and binance.com will block access if I do not log in from the origin country, I want all traffic to go out via the WAN except for some blocked websites such as medium.com and pastebin.com.
I added route-nopull to the OpenVPN client config file to switch the default gateway to the WAN.

I added a policy

Now I cannot access medium.com.
Here is the output log of: ip route get 8.8.8.8; nslookup medium.com 8.8.8.8

8.8.8.8 via 192.168.1.1 dev eth1 src 192.168.1.137 uid 0 
    cache 
Server:         8.8.8.8
Address:        8.8.8.8:53

Name:   medium.com
Address: 127.0.0.1

Name:   medium.com
Address: ::1

How can I use normal websites via WAN and some blocked websites(medium.com, pastebin.com) via OpenVPN?
@vgaetera

If the issue persists, collect the updated diagnostics:

uci show network; uci show dhcp; uci show pbr
ip address show; ip route show table all; ip rule show
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
head -v -n -0 /etc/hotplug.d/openvpn/*

Here are the outputs:

uci show network; uci show dhcp; uci show pbr
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd55:1f3e:a6cb::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.56.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.device='eth1'
network.wan.proto='dhcp'
network.wan.dns='8.8.8.8' '1.1.1.1' '8.8.4.4' '1.0.0.1'
network.wan.peerdns='0'
network.wan6=interface
network.wan6.device='eth1'
network.wan6.proto='dhcpv6'
network.wan6.dns='2001:4860:4860::8888' '2606:4700:4700::1111' '2001:4860:4860::8844' '2606:4700:4700::1001'
network.wan6.peerdns='0'
network.openvpn=interface
network.openvpn.proto='none'
network.openvpn.device='tun0'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].filter_aaaa='0'
dhcp.@dnsmasq[0].filter_a='0'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_slaac='1'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
pbr.config=pbr
pbr.config.enabled='1'
pbr.config.verbosity='2'
pbr.config.strict_enforcement='1'
pbr.config.resolver_set='none'
pbr.config.ipv6_enabled='0'
pbr.config.ignored_interface='vpnserver' 'wgserver'
pbr.config.boot_timeout='30'
pbr.config.rule_create_option='add'
pbr.config.procd_reload_delay='1'
pbr.config.webui_show_ignore_target='0'
pbr.config.webui_supported_protocol='all' 'tcp' 'udp' 'tcp udp' 'icmp'
pbr.@include[0]=include
pbr.@include[0].path='/usr/share/pbr/pbr.user.aws'
pbr.@include[0].enabled='0'
pbr.@include[1]=include
pbr.@include[1].path='/usr/share/pbr/pbr.user.netflix'
pbr.@include[1].enabled='0'
pbr.@policy[0]=policy
pbr.@policy[0].name='Plex/Emby Local Server'
pbr.@policy[0].interface='wan'
pbr.@policy[0].src_port='8096 8920 32400'
pbr.@policy[0].enabled='0'
pbr.@policy[1]=policy
pbr.@policy[1].name='Plex/Emby Remote Servers'
pbr.@policy[1].interface='wan'
pbr.@policy[1].dest_addr='plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
pbr.@policy[1].enabled='0'
pbr.@policy[2]=policy
pbr.@policy[2].name='Domains using openvpn'
pbr.@policy[2].dest_addr='medium.com pastebin.com ipleak.net www.whatismyip.com whatismyip.com ipinfo.io'
pbr.@policy[2].interface='openvpn'

ip address show; ip route show table all; ip rule show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether 08:00:27:46:fb:b1 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:e2:1d:f5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.137/24 brd 192.168.10.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fd35:d028:6e7f:0:a00:27ff:fee2:1df5/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fd35:d028:6e7f::1ca/128 scope global dynamic noprefixroute 
       valid_lft 42681sec preferred_lft 42681sec
    inet6 fe80::a00:27ff:fee2:1df5/64 scope link 
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 08:00:27:46:fb:b1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.1/24 brd 192.168.56.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd35:d028:6e7f:4::1/62 scope global dynamic noprefixroute 
       valid_lft 42680sec preferred_lft 42680sec
    inet6 fd55:1f3e:a6cb::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe46:fbb1/64 scope link 
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1551 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.8.0.3/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fddd:1194:1194:1194::1001/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::536:1cf9:5312:3263/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
default via 192.168.10.1 dev eth1 table pbr_wan 
192.168.56.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.56.1 
default via 10.8.0.3 dev tun0 table pbr_openvpn 
192.168.56.0/24 dev br-lan table pbr_openvpn proto kernel scope link src 192.168.56.1 
default via 192.168.10.1 dev eth1 proto static src 192.168.10.137 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.3 
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.137 
192.168.56.0/24 dev br-lan proto kernel scope link src 192.168.56.1 
local 10.8.0.3 dev tun0 table local proto kernel scope host src 10.8.0.3 
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.3 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.10.137 dev eth1 table local proto kernel scope host src 192.168.10.137 
broadcast 192.168.10.255 dev eth1 table local proto kernel scope link src 192.168.10.137 
local 192.168.56.1 dev br-lan table local proto kernel scope host src 192.168.56.1 
broadcast 192.168.56.255 dev br-lan table local proto kernel scope link src 192.168.56.1 
fd35:d028:6e7f::/48 from fd35:d028:6e7f::1ca via fe80::5264:2bff:fe12:30b4 dev eth1 proto static metric 512 pref medium
fd35:d028:6e7f::/48 from fd35:d028:6e7f::/64 via fe80::5264:2bff:fe12:30b4 dev eth1 proto static metric 512 pref medium
fd35:d028:6e7f::/48 from fd35:d028:6e7f:4::/62 via fe80::5264:2bff:fe12:30b4 dev eth1 proto static metric 512 pref medium
fd35:d028:6e7f::/64 dev eth1 proto static metric 256 pref medium
unreachable fd35:d028:6e7f::/64 dev lo proto static metric 2147483647 pref medium
fd35:d028:6e7f:4::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd35:d028:6e7f:4::/62 dev lo proto static metric 2147483647 pref medium
fd55:1f3e:a6cb::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd55:1f3e:a6cb::/48 dev lo proto static metric 2147483647 pref medium
fddd:1194:1194:1194::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd35:d028:6e7f:: dev eth1 table local proto kernel metric 0 pref medium
local fd35:d028:6e7f::1ca dev eth1 table local proto kernel metric 0 pref medium
local fd35:d028:6e7f:0:a00:27ff:fee2:1df5 dev eth1 table local proto kernel metric 0 pref medium
anycast fd35:d028:6e7f:4:: dev br-lan table local proto kernel metric 0 pref medium
local fd35:d028:6e7f:4::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fd55:1f3e:a6cb:: dev br-lan table local proto kernel metric 0 pref medium
local fd55:1f3e:a6cb::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fddd:1194:1194:1194:: dev tun0 table local proto kernel metric 0 pref medium
local fddd:1194:1194:1194::1001 dev tun0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
local fe80::536:1cf9:5312:3263 dev tun0 table local proto kernel metric 0 pref medium
local fe80::a00:27ff:fe46:fbb1 dev br-lan table local proto kernel metric 0 pref medium
local fe80::a00:27ff:fee2:1df5 dev eth1 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
0:      from all lookup local
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_openvpn
32766:  from all lookup main
32767:  from all lookup default
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 8.8.8.8
nameserver 1.1.1.1
nameserver 8.8.4.4
nameserver 1.0.0.1
# Interface wan6
nameserver 2001:4860:4860::8888
nameserver 2606:4700:4700::1111
nameserver 2001:4860:4860::8844
nameserver 2606:4700:4700::1001
head -v -n -0 /etc/hotplug.d/openvpn/*
==> /etc/hotplug.d/openvpn/01-user <==
#!/bin/sh

[ -e "/etc/openvpn.user" ] && {
        env -i ACTION="$ACTION" INSTANCE="$INSTANCE" \
                /bin/sh \
                /etc/openvpn.user \
                $*
}

# Wrap user defined scripts on up/down events
case "$ACTION" in
        up) command=$user_up ;;
        down) command=$user_down ;;
        *) command= ;;
esac

if [ -n "$command" ]; then
        shift
        exec /bin/sh -c "$command $*"
fi

exit 0

==> /etc/hotplug.d/openvpn/10-pbr <==
case ${ACTION} in
(route-up) service pbr restart ;;
esac

Using route-nopull is not the best way to deal with this; use pull-filter ignore "redirect-gateway" instead.

I have an idea of how to deal with this, but it is not tested, so it could be nonsense.

If you need to do a DNS lookup for some sites via the VPN (e.g. medium.com) and for other sites via the WAN, you can instruct dnsmasq to use a different DNS server for different domains.

If you keep everything as it is now and have your default routing via the WAN (with the use of pull-filter ignore "redirect-gateway"), then you need a DNS server which you do not use for your current setup.
You are now using 8.8.8.8.

So for the VPN lookup I will choose 1.1.1.1.
First make a route for that DNS server via the VPN by adding to your OpenVPN config:
route 1.1.1.1 255.255.255.255 vpn_gateway
When the VPN is up there will be a route for that DNS server via the VPN.

The next step is to instruct dnsmasq to use 1.1.1.1 for the specific domains which are routed via the VPN (e.g. medium.com).
In /etc/config/dhcp you can add:
list server '/medium.com/1.1.1.1'

This will instruct dnsmasq to use 1.1.1.1 to resolve medium.com, and as there should be a route for 1.1.1.1 via the VPN, it could work.

Be sure to disable the dnsmasq cache as instructed earlier.

1 Like
# Disable the dnsmasq cache (as advised earlier in the thread)
uci set dhcp.@dnsmasq[0].cachesize="0"
uci commit dhcp
service dnsmasq restart
# On route-up, send every configured WAN resolver (v4 and v6) through the
# tunnel device OpenVPN exports as ${dev}, then let pbr rebuild its tables
cat << "EOF" > /etc/hotplug.d/openvpn/10-pbr
DNS="$(uci -q get network.wan.dns)"
DNS6="$(uci -q get network.wan6.dns)"
case ${ACTION} in
(route-up) for DNS in ${DNS} ${DNS6}
do ip route add ${DNS} dev ${dev}
done
service pbr restart ;;
esac
EOF
service openvpn restart
1 Like
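As an added example (not code from any post in this thread) building on the two posts above: the per-domain dnsmasq split is generated from the same domain list that the pbr policy routes over the VPN, so routing and name resolution cannot drift apart, and the VPN-side resolver is checked against network.wan.dns first, because a resolver that appears in both lists would get a host route over the tunnel and silently move all upstream DNS to the VPN (the posted wan list already contains 1.1.1.1, so that value would collide). Assumptions, none of them from the thread: 9.9.9.9 as the VPN-side resolver, the domain list in pbr.@policy[2].dest_addr as in the posted config, and OpenVPN exporting the tunnel device as $dev to the hotplug script, as the hook above relies on.

```shell
#!/bin/sh
# Added example, not from the thread: per-domain DNS split that follows the
# pbr policy. Pure functions first; the uci-based apply step runs only when
# the script is invoked as "apply".

# 0 if candidate resolver $2 is not already one of the WAN resolvers in $1
# (space-separated list, e.g. the value of network.wan.dns).
vpn_resolver_ok() {
    for r in $1; do
        [ "$r" = "$2" ] && return 1
    done
    return 0
}

# dnsmasq "server" entries, one per domain. /medium.com/9.9.9.9 also covers
# every subdomain of medium.com.
dnsmasq_entries() {
    for d in $1; do
        printf '/%s/%s\n' "$d" "$2"
    done
}

# Hotplug script for /etc/hotplug.d/openvpn/: on route-up, pin a host route
# for the VPN resolver over the tunnel device, then let pbr rebuild its
# tables. "replace" keeps the hook idempotent across reconnects. Nothing to
# do on down: the route disappears together with the device.
hotplug_script() {
    cat <<EOF
VPN_DNS="$1"
case \${ACTION} in
(route-up)
    ip route replace \${VPN_DNS} dev \${dev}
    service pbr restart ;;
esac
EOF
}

# Apply on the router (needs uci). Assumed policy index: pbr.@policy[2].
apply_split() {
    vpn_dns="$1"
    wan_dns="$(uci -q get network.wan.dns)"
    domains="$(uci -q get pbr.@policy[2].dest_addr)"
    vpn_resolver_ok "$wan_dns" "$vpn_dns" || {
        echo "$vpn_dns is already a WAN resolver; pick another one" >&2
        return 1
    }
    for e in $(dnsmasq_entries "$domains" "$vpn_dns"); do
        uci -q del_list dhcp.@dnsmasq[0].server="$e" || true   # avoid duplicates
        uci add_list dhcp.@dnsmasq[0].server="$e"
    done
    uci set dhcp.@dnsmasq[0].cachesize='0'   # as advised earlier in the thread
    uci commit dhcp
    hotplug_script "$vpn_dns" > /etc/hotplug.d/openvpn/10-pbr
    service dnsmasq restart
    service openvpn restart
}

if [ "${1:-}" = apply ]; then
    apply_split "${2:-9.9.9.9}"
fi
```

Run as `sh dnssplit.sh apply 9.9.9.9` on the router (hypothetical file name); without arguments the script only defines the functions. Re-running is safe because each server entry is deleted before it is re-added and the hotplug hook uses `ip route replace`. If you later add a domain to the pbr policy, re-run the apply step so dnsmasq gets the matching entry.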

Thanks everyone for helping me solve this issue.
His solution is working now; I can access medium.com now.

1 Like

@vgaetera I don't know if I should open a new topic or not.
When I use a public free OpenVPN, it works as expected.
Today I set up my own OpenVPN server using Docker (https://hub.docker.com/r/kylemanna/openvpn/tags) with the default openvpn.conf as below, and it has errors.

openvpn.conf on my own server
server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/my_public_ip.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/my_public_ip.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

and here is my client config on the router (error)

client_conf
client
nobind
dev tun
remote-cert-tls server

remote ${MY_PUBLIC_IP} udp

pull-filter ignore "redirect-gateway"
route-noexec
# route-nopull

<key>
-----BEGIN PRIVATE KEY-----
${MY_KEY}
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
${MY_CERT}
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
${MY_CERT}
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
${MY_KEY}
-----END OpenVPN Static key V1-----
</tls-auth>

redirect-gateway def1

and here is the public OpenVPN profile (it is working now)

public_openvpn_profile_working
client
dev tun
proto udp
remote sg11.vpnjantit.com 2500
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
link-mtu 1603
auth-nocache
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns

pull-filter ignore "redirect-gateway"


<ca>
-----BEGIN CERTIFICATE-----
${CERT}
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
${CERT}
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
${PRIVATE_KEY}
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
${KEY}
-----END OpenVPN Static key V1-----
</tls-crypt>

Here is the error:
[screenshot not reproduced: "Screenshot from 2023-11-18 12-30-55"]

What am I doing wrong?

Does it really work? Try to ping 8.8.8.8.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.