How to Get Policy Based Routing (PBR) to Work with OpenVPN Which is Firewalled for Kill Switch

crazyflx · February 15, 2023, 5:40pm

So I have (finally lol) gotten OpenVPN up and running on OpenWRT 22.03. I wanted the OpenVPN setup to function with a kill switch so that I don't accidentally leak my IP (I've got qbBittorrent running as a service on the only PC connected to this router).

To get the kill switch working, I setup my firewall so there is no lan -> wan, only lan ->VPN and VPN to wan. So when VPN is disconnected, no traffic can hit WAN.

Now, I've got Plex running on the server as well (the only PC connected to the router), and I'd like for Plex to bypass the VPN (it becomes virtually unusable behind a VPN). After a bunch of effort, I managed to get Policy Based Routing setup/configured on the router, but now instead of the urls/IP's I input to route outside of the VPN and bypass it straight to WAN, they simply don't resolve...as if there is no internet at all.

My network configuration is:

"ISP modem" (in bridge mode, so no routing functionality) -> wired to internet port of "Primary router" (192.168.0.1) -> wired to the internet port of "OpenWRT router" (192.168.2.1) -> Media Server connected wirelessly to OpenWRT router

I can't for the life of me figure out how to ensure that I don't ever accidentally leak my IP if my VPN goes down, while simultaneously bypassing the VPN for Plex usage.

Any ideas?

trendy · February 15, 2023, 6:14pm

This is not needed.
Other than that, PBR has an option for strict enforcement, so even if the vpn goes down, it won't route packets to wan.

crazyflx · February 15, 2023, 6:38pm

Oh, my apologies, I didn't mean I literally created the "VPN -> WAN" firewall rule. I was just using that as a means to explain that there is no LAN -> WAN option, and that all traffic must be routed through the VPN according to the rules.

There are only two rules showing in the "firewall" section of Luci:

LAN -> VPN
Wan ->

So I'm not sure what I've done wrong, but as an example (and I did this strictly for testing purposes) within the PBR interface, I added "ipaddress.com" and "google.com" as URLs that should bypass the VPN and be routed straight to WAN. Now when I attempt to visit either of those websites, they don't load. Chrome just says "there is a problem with your internet connection" as though I have no connectivity. Everything else/all other websites load correctly/normally, but are being routed through the VPN.

With PBR turned off, everything loads fine of course (including the two aforementioned test sites), but all traffic is going through the VPN at that point. So I'm not sure where I've gone wrong exactly.

stangri · February 16, 2023, 12:57am

You can't block unencrypted traffic from escaping thru WAN and have split routing.

Like @trendy said you need to reconfigure/disable killswitch and set strict enforcement in pbr.

dairymilkbatman1 · April 19, 2024, 9:00am

Did you solve this crazyflx?