How to bind an OpenVPN instance to an interface

Hello.

Is there an easy way to bind an OpenVPN instance to an interface?

I have 2 different OpenVPN instances: Amsterdam1 and Basel1.

Amsterdam1 should use PP_VPN1 and Basel1 should use PP_VPN2.

I want to use the VPN Policy Routing package to manage which personal computer uses which interface.

Everything works, but I do not know how to bind an OpenVPN instance to an interface.

Try to set a specific port in the VPN configuration, e.g. 1194 for Amsterdam and 1195 for Basel. Then use 127.0.0.1 as the local address and the above port to classify the traffic.

I configured the ports in the OpenVPN configuration and in the VPN Policy Routing package. The different ports had no effect.

Either PP_VPN1 and PP_VPN2 use the Basel1 server or PP_VPN1 and PP_VPN2 use the Amsterdam1 server.

Current configuration:

root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.84.1       128.0.0.0       UG    0      0        0 tun1
0.0.0.0         10.3.2.2        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         109.91.76.1     0.0.0.0         UG    0      0        0 eth0.2
10.0.84.0       0.0.0.0         255.255.255.0   U     0      0        0 tun1
10.3.2.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
82.199.134.162  109.91.76.1     255.255.255.255 UGH   0      0        0 eth0.2
85.17.28.145    109.91.76.1     255.255.255.255 UGH   0      0        0 eth0.2
109.91.76.0     0.0.0.0         255.255.252.0   U     0      0        0 eth0.2
128.0.0.0       10.0.84.1       128.0.0.0       UG    0      0        0 tun1
128.0.0.0       10.3.2.2        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
root@OpenWrt:~# /etc/init.d/vpn-policy-routing status
vpn-policy-routing 0.0.6-0 running on OpenWrt 18.06.2.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.0.84.1       128.0.0.0       UG    0      0        0 tun1
default         10.3.2.2        128.0.0.0       UG    0      0        0 tun0
default         ip-109-91-76-1. 0.0.0.0         UG    0      0        0 eth0.2
IPv4 Table 201: default via 109.91.76.1 dev eth0.2
IPv4 Table 201 Rules:
32753:  from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.3.2.2 dev tun0
IPv4 Table 202 Rules:
32752:  from all fwmark 0x20000 lookup 202
IPv4 Table 203: default via 10.0.84.1 dev tun1
IPv4 Table 203 Rules:
32751:  from all fwmark 0x30000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 127.0.0.1/32 -p udp -m multiport --sports 1150 -m comment --comment PC2 -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 127.0.0.1/32 -p udp -m multiport --sports 1149 -m comment --comment PC1 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -d 192.168.100.1/32 -m comment --comment TC4400 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 192.168.100.1/32 -m comment --comment TC4400 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.205/32 -m comment --comment SPA112 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.205/32 -m comment --comment SPA112 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set PP_VPN2 dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set PP_VPN1 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create PP_VPN1 hash:net family inet hashsize 1024 maxelem 65536 comment
create PP_VPN2 hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

Maybe I need to remove some OpenVPN options, like "redirect-gateway def1".

Or add some to make it work.

auth-user-pass userpass.txt
client
dev tun
hand-window 120
inactive 604800
mute-replay-warnings
nobind
persist-key
persist-remote-ip
persist-tun
ping 5
ping-restart 120
redirect-gateway def1
reneg-sec 3600
resolv-retry 60
route-delay 2
route-method exe
script-security 2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-timeout 5
verb 4

tun-ipv6
tun-mtu  1500
proto udp
fragment 1300
mssfix
comp-lzo

remote 85.17.28.145 1149 

cipher AES-256-CBC
auth SHA512
ignore-unknown-option ncp-disable
ncp-disable
remote-cert-tls server
key-direction 1

ca ca.crt
cert Amsterdam1_cl.crt
key Amsterdam1_cl.key
tls-auth Amsterdam1_ta.key 1
log /var/log/openvpn.log
log-append /var/log/openvpn.log
up up.sh
down down.sh

Just to get this straight.
You have one wan interface, eth0.2 and you set up 2 VPN tunnels tun0 and tun1, that connect to the internet via your ISP over eth0.2. Is this correct so far?
Then what are these PP_VPN1 and PP_VPN2 interfaces?

You have one wan interface, eth0.2 and you set up 2 VPN tunnels tun0 and tun1, that connect to the internet via your ISP over eth0.2. Is this correct so far?

That's right.

Then what are these PP_VPN1 and PP_VPN2 interfaces?

PP_VPN1 is tun0 and PP_VPN2 is tun1.

/etc/config/network:

config interface 'PP_VPN1'
	option proto 'none'
	option ifname 'tun0'
	option auto '1'

config interface 'PP_VPN2'
	option proto 'none'
	option ifname 'tun1'
	option auto '1'

I created the PP_VPN1 and PP_VPN2 interfaces because I cannot choose tun0 and tun1 in the VPN Policy Routing package. I can only choose interfaces there.

Maybe

dev tun > dev tun0 ( tun1 in other file )

Pretty sure /etc/config/openvpn would also have a value for this.....

dev tun > dev tun0 ( tun1 in other file )

I tried it. That had no effect.

PC1 and PC2 still use Amsterdam1 or Basel1.

Pretty sure /etc/config/openvpn would also have a value for this.....

My /etc/config/openvpn settings:

config openvpn 'PP_Amsterdam1'
	option config '/etc/openvpn/PP_Amsterdam1.ovpn'
	option enabled '1'

config openvpn 'PP_Basel1'
	option config '/etc/openvpn/PP_Basel1.ovpn'
	option enabled '1'

If I add option dev 'tun0' and 'tun1' there, then I have no internet connection.

I misunderstood what you wanted to achieve. For better understanding, post here the whole configs from network, firewall, OpenVPN as well as ip -4 addr; ip -4 route; ip -4 rule; ip -4 route list table all
You are doing it correctly, but most likely there is some issue with splitting the 0/0 into 0/1 and 128/1.

Using option proto none will clear the IPs of the interfaces; I suggest not covering the interfaces at all in /e/c/network

root@OpenWrt:~# ip -4 addr; ip -4 route; ip -4 rule; ip -4 route list table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 109.91.78.187/22 brd 109.91.79.255 scope global eth0.2
       valid_lft forever preferred_lft forever
10: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.0.80.248/24 brd 10.0.80.255 scope global tun1
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.3.5.252/24 brd 10.3.5.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.3.5.1 dev tun0
0.0.0.0/1 via 10.0.80.2 dev tun1
default via 109.91.76.1 dev eth0.2 proto static src 109.91.78.187
10.0.80.0/24 dev tun1 proto kernel scope link src 10.0.80.248
10.3.5.0/24 dev tun0 proto kernel scope link src 10.3.5.252
82.199.134.162 via 109.91.76.1 dev eth0.2
85.17.28.145 via 109.91.76.1 dev eth0.2
109.91.76.0/22 dev eth0.2 proto kernel scope link src 109.91.78.187
128.0.0.0/1 via 10.3.5.1 dev tun0
128.0.0.0/1 via 10.0.80.2 dev tun1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
0:      from all lookup local
32760:  from all fwmark 0x30000 lookup 203
32761:  from all fwmark 0x20000 lookup 202
32762:  from all fwmark 0x10000 lookup 201
32766:  from all lookup main
32767:  from all lookup default
default via 109.91.76.1 dev eth0.2 table 201
default via 10.3.5.252 dev tun0 table 202
default via 10.0.80.248 dev tun1 table 203
0.0.0.0/1 via 10.3.5.1 dev tun0
0.0.0.0/1 via 10.0.80.2 dev tun1
default via 109.91.76.1 dev eth0.2 proto static src 109.91.78.187
10.0.80.0/24 dev tun1 proto kernel scope link src 10.0.80.248
10.3.5.0/24 dev tun0 proto kernel scope link src 10.3.5.252
82.199.134.162 via 109.91.76.1 dev eth0.2
85.17.28.145 via 109.91.76.1 dev eth0.2
109.91.76.0/22 dev eth0.2 proto kernel scope link src 109.91.78.187
128.0.0.0/1 via 10.3.5.1 dev tun0
128.0.0.0/1 via 10.0.80.2 dev tun1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 10.0.80.0 dev tun1 table local proto kernel scope link src 10.0.80.248
local 10.0.80.248 dev tun1 table local proto kernel scope host src 10.0.80.248
broadcast 10.0.80.255 dev tun1 table local proto kernel scope link src 10.0.80.248
broadcast 10.3.5.0 dev tun0 table local proto kernel scope link src 10.3.5.252
local 10.3.5.252 dev tun0 table local proto kernel scope host src 10.3.5.252
broadcast 10.3.5.255 dev tun0 table local proto kernel scope link src 10.3.5.252
broadcast 109.91.76.0 dev eth0.2 table local proto kernel scope link src 109.91.78.187
local 109.91.78.187 dev eth0.2 table local proto kernel scope host src 109.91.78.187
broadcast 109.91.79.255 dev eth0.2 table local proto kernel scope link src 109.91.78.187
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1

I have removed "option proto 'none'" from both interfaces. Problem is still unchanged.

Gateway addresses don't seem right. They should be 10.3.5.1 and 10.0.80.2
Try to delete these routes, add them manually correctly and try again.
If it works we can see what can be done to fix it permanently.
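
The two conditions raised in the replies above (a policy table whose default gateway is the tunnel's own address, and the 0/1 and 128/1 split being installed by both tunnels) can be checked mechanically. This is an added example, not part of the original thread; the function names are hypothetical and the sample input is constructed from the route output posted earlier.

```shell
#!/bin/sh
# Added example. Constructed sample: a trimmed copy of the
# "ip -4 route list table all" output posted earlier in the thread.
sample_routes() {
cat <<'EOF'
default via 109.91.76.1 dev eth0.2 table 201
default via 10.3.5.252 dev tun0 table 202
default via 10.0.80.248 dev tun1 table 203
0.0.0.0/1 via 10.3.5.1 dev tun0
0.0.0.0/1 via 10.0.80.2 dev tun1
default via 109.91.76.1 dev eth0.2 proto static src 109.91.78.187
128.0.0.0/1 via 10.3.5.1 dev tun0
128.0.0.0/1 via 10.0.80.2 dev tun1
local 10.0.80.248 dev tun1 table local proto kernel scope host src 10.0.80.248
local 10.3.5.252 dev tun0 table local proto kernel scope host src 10.3.5.252
local 109.91.78.187 dev eth0.2 table local proto kernel scope host src 109.91.78.187
EOF
}

# check_policy_routes (hypothetical helper) reads route output on stdin and prints:
#   BAD_GW <table> <dev> <gateway> <peer>  policy-table default route whose gateway
#                                          is a local address; <peer> is the gateway
#                                          of the 0.0.0.0/1 route on the same device
#   DEF1_CLASH <prefix> <dev,dev,...>      def1 half-route present in the main table
#                                          for more than one device
check_policy_routes() {
  awk '
    # Return the field that follows keyword k on the current line.
    function val(k,   i) {
      for (i = 1; i < NF; i++) if ($i == k) return $(i + 1)
      return ""
    }
    {
      tbl = val("table"); if (tbl == "") tbl = "main"
      dev = val("dev"); gw = val("via")
    }
    # Addresses owned by the router itself.
    $1 == "local" && tbl == "local" { own[$2] = 1; next }
    # Half-routes installed by "redirect-gateway def1".
    tbl == "main" && ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") {
      if ($1 == "0.0.0.0/1") peer[dev] = gw
      n[$1]++
      devs[$1] = (devs[$1] == "" ? dev : devs[$1] "," dev)
      next
    }
    # Default routes in the policy tables (201, 202, 203 on this router).
    $1 == "default" && tbl != "main" { cnt++; t[cnt] = tbl; d[cnt] = dev; g[cnt] = gw }
    END {
      for (i = 1; i <= cnt; i++) {
        if (!(g[i] in own)) continue
        p = "unknown"; if (d[i] in peer) p = peer[d[i]]
        print "BAD_GW", t[i], d[i], g[i], p
      }
      if (n["0.0.0.0/1"] > 1) print "DEF1_CLASH", "0.0.0.0/1", devs["0.0.0.0/1"]
      if (n["128.0.0.0/1"] > 1) print "DEF1_CLASH", "128.0.0.0/1", devs["128.0.0.0/1"]
    }'
}

sample_routes | check_policy_routes
```

On the router, feed it live data with `ip -4 route list table all | check_policy_routes`.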

OK. How do I do that?

# ip ro del default via 10... table 202
# ip ro add default via 10... table 202

Before:

root@OpenWrt:~# ip -4 addr; ip -4 route; ip -4 rule; ip -4 route list table all
.
.
.
default via 10.3.6.243 dev tun0 table 202
default via 10.0.82.23 dev tun1 table 203
0.0.0.0/1 via 10.0.82.2 dev tun1
0.0.0.0/1 via 10.3.6.1 dev tun0
root@OpenWrt:~# ip ro del default via 10.3.6.243 table 202
root@OpenWrt:~# ip ro add default via 10.3.6.1 table 202
root@OpenWrt:~# ip ro del default via 10.0.82.23 table 203
root@OpenWrt:~# ip ro add default via 10.0.82.2 table 203

After that:

root@OpenWrt:~# ip -4 addr; ip -4 route; ip -4 rule; ip -4 route list table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 109.91.78.187/22 brd 109.91.79.255 scope global eth0.2
       valid_lft forever preferred_lft forever
10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.3.6.243/24 brd 10.3.6.255 scope global tun0
       valid_lft forever preferred_lft forever
11: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.0.82.23/24 brd 10.0.82.255 scope global tun1
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.0.82.2 dev tun1
0.0.0.0/1 via 10.3.6.1 dev tun0
default via 109.91.76.1 dev eth0.2 proto static src 109.91.78.187
10.0.82.0/24 dev tun1 proto kernel scope link src 10.0.82.23
10.3.6.0/24 dev tun0 proto kernel scope link src 10.3.6.243
82.199.134.162 via 109.91.76.1 dev eth0.2
85.17.28.145 via 109.91.76.1 dev eth0.2
109.91.76.0/22 dev eth0.2 proto kernel scope link src 109.91.78.187
128.0.0.0/1 via 10.0.82.2 dev tun1
128.0.0.0/1 via 10.3.6.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
0:      from all lookup local
32760:  from all fwmark 0x30000 lookup 203
32761:  from all fwmark 0x20000 lookup 202
32762:  from all fwmark 0x10000 lookup 201
32766:  from all lookup main
32767:  from all lookup default
default via 109.91.76.1 dev eth0.2 table 201
default via 10.3.6.1 dev tun0 table 202
default via 10.0.82.2 dev tun1 table 203
0.0.0.0/1 via 10.0.82.2 dev tun1
0.0.0.0/1 via 10.3.6.1 dev tun0
default via 109.91.76.1 dev eth0.2 proto static src 109.91.78.187
10.0.82.0/24 dev tun1 proto kernel scope link src 10.0.82.23
10.3.6.0/24 dev tun0 proto kernel scope link src 10.3.6.243
82.199.134.162 via 109.91.76.1 dev eth0.2
85.17.28.145 via 109.91.76.1 dev eth0.2
109.91.76.0/22 dev eth0.2 proto kernel scope link src 109.91.78.187
128.0.0.0/1 via 10.0.82.2 dev tun1
128.0.0.0/1 via 10.3.6.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 10.0.82.0 dev tun1 table local proto kernel scope link src 10.0.82.23
local 10.0.82.23 dev tun1 table local proto kernel scope host src 10.0.82.23
broadcast 10.0.82.255 dev tun1 table local proto kernel scope link src 10.0.82.23
broadcast 10.3.6.0 dev tun0 table local proto kernel scope link src 10.3.6.243
local 10.3.6.243 dev tun0 table local proto kernel scope host src 10.3.6.243
broadcast 10.3.6.255 dev tun0 table local proto kernel scope link src 10.3.6.243
broadcast 109.91.76.0 dev eth0.2 table local proto kernel scope link src 109.91.78.187
local 109.91.78.187 dev eth0.2 table local proto kernel scope host src 109.91.78.187
broadcast 109.91.79.255 dev eth0.2 table local proto kernel scope link src 109.91.78.187
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1

Problem still unchanged.

What about IPv6 routes?

Another remark:

I still use this script with kmod-ipt-nat6 package:

cat << EOF > /etc/firewall.nat6
iptables-save --table="nat" \
| sed -e "/\s[DS]NAT\s/d" \
| ip6tables-restore --table="nat"
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
service firewall restart

If PC1 and PC2 use Amsterdam1 IPv4, then I have a Basel1 IPv6 on both sides.
If PC1 and PC2 use Basel1 IPv4, then I have an Amsterdam1 IPv6 on both sides.

Does your VPN provider allocate some IPv6 addresses?
The way it is should work. Tables 203 and 202 have precedence over the 201 and the main, so if you successfully classify something into these tables it is going only to the specific VPN tunnel. Show us once again the policy routing status you had in the beginning.

Does your VPN provider allocate some IPv6 addresses?

Yes, but wrong IPv6 addresses with multiple clients. I think it's because of the script:

cat << EOF > /etc/firewall.nat6
iptables-save --table="nat" \
| sed -e "/\s[DS]NAT\s/d" \
| ip6tables-restore --table="nat"
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
service firewall restart

IPv4 and IPv6 should be Amsterdam1 or Basel1. But I have that:

vpn-policy-routing status:

root@OpenWrt:~# /etc/init.d/vpn-policy-routing status
vpn-policy-routing 0.0.6-0 running on OpenWrt 18.06.2.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.3.3.2        128.0.0.0       UG    0      0        0 tun0
default         10.0.87.1       128.0.0.0       UG    0      0        0 tun1
default         ip-109-91-76-1. 0.0.0.0         UG    0      0        0 eth0.2
IPv4 Table 201: default via 109.91.76.1 dev eth0.2
IPv4 Table 201 Rules:
32762:  from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.3.3.2 dev tun0
IPv4 Table 202 Rules:
32761:  from all fwmark 0x20000 lookup 202
IPv4 Table 203: default via 10.0.87.1 dev tun1
IPv4 Table 203 Rules:
32760:  from all fwmark 0x30000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 127.0.0.1/32 -m comment --comment PC2 -c 958 87088 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 127.0.0.1/32 -m comment --comment PC1 -c 958 87088 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.138/32 -m comment --comment Fritzbox -c 3 194 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.138/32 -m comment --comment Fritzbox -c 3 194 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 192.168.100.1/32 -m comment --comment TC4400 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 192.168.100.1/32 -m comment --comment TC4400 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set PP_VPN2 dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set PP_VPN1 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create PP_VPN1 hash:net family inet hashsize 1024 maxelem 65536 comment
create PP_VPN2 hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

I forgot to enter Port 1149 and 1150.

Here again the vpn-policy-routing status:

root@OpenWrt:~# /etc/init.d/vpn-policy-routing status
vpn-policy-routing 0.0.6-0 running on OpenWrt 18.06.2.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.3.7.1        128.0.0.0       UG    0      0        0 tun0
default         10.0.85.1       128.0.0.0       UG    0      0        0 tun1
default         ip-109-91-76-1. 0.0.0.0         UG    0      0        0 eth0.2
IPv4 Table 201: default via 109.91.76.1 dev eth0.2
IPv4 Table 201 Rules:
32756:  from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.3.7.1 dev tun0
IPv4 Table 202 Rules:
32755:  from all fwmark 0x20000 lookup 202
IPv4 Table 203: default via 10.0.85.1 dev tun1
IPv4 Table 203 Rules:
32754:  from all fwmark 0x30000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 127.0.0.1/32 -p udp -m multiport --sports 1150 -m comment --comment PC2 -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 127.0.0.1/32 -p udp -m multiport --sports 1149 -m comment --comment PC1 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -s 192.168.1.138/32 -m comment --comment Fritzbox -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.138/32 -m comment --comment Fritzbox -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 192.168.100.1/32 -m comment --comment TC4400 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 192.168.100.1/32 -m comment --comment TC4400 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set PP_VPN2 dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set PP_VPN1 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create PP_VPN1 hash:net family inet hashsize 1024 maxelem 65536 comment
create PP_VPN2 hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

Maybe I can apply some of this guide: Link

But which steps would be useful?