[SOLVED] How to limit vpn routing to router only, or more specifically to aria2 client only which runs on router

Hello,
I apologize if this is a duplicate question. I'm running OpenWrt 19.07. I have installed OpenVPN and, using my config file, I'm able to connect to the server and use it.

But my aim is to limit the VPN to the router itself, so that clients connected to the router stay with their original IP.
Is that possible?

I'm running aria2 on the router and I want to download/upload stuff using the VPN while the devices (wired or wireless) stay without VPN.

I have tried putting the lines below in the config file; this works on a PC when we only need to route specified websites. The connection is established, but no data flows through the tun0 interface when downloading/uploading using aria2.

route-nopull
route <ip of router> 255.255.255.255

Or is there a way to limit the VPN to aria2 itself?
Would appreciate the help. Thanks!

Regards!

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

The easiest option is #2.

2 Likes

Thanks for reply.

I tried with the second option. And managed to make it work.

I didn't know about PREROUTING and FORWARD in the chain column; please do tell if they're correct.

The only problem is that I can still download using aria2 when the VPN is down; the Strict enforcement setting is not working, or I may have done something wrong.

For the lan you have the address wrong. To include all lan hosts the address should be 192.168.1.0/24.
Also, for the local processes on the router, like aria2, you don't specify a local address, and you use the OUTPUT chain.

1 Like

I'm confused; if I don't specify anything, it throws a service error. I did set the chain to OUTPUT, but that didn't change anything.

Or maybe it could be something to do with how I set up OpenVPN.
I set up OpenVPN according to this guide: https://www.ovpn.com/en/guides/openwrt
There's also a guide on the official site: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

The only difference is in the firewall settings: one says to assign the firewall zone wan to the interface tun0, the other says to make a custom zone named ovpn_fw (I made this one).

It works either way.
It's just that aria2 is still able to download the file even if the VPN is turned off.

You can add 0.0.0.0/0 as the destination to get rid of it.

Make sure OUTPUT is ACCEPT for this zone then.

Make these corrections and post the commands mentioned here. The last 2 commands, post them before and after the VPN is shut down.

After doing this my clients (connected to the router, wired or wireless) lost access to the internet. The VPN stopped working as well. So in order to make things work again, I had to put 192.168.1.1/0 with the chain set to OUTPUT, but the VPN still wouldn't connect with the OUTPUT chain, so I set it to FORWARD, and now it works.

OUTPUT is set to ACCEPT for this firewall zone.

The commands below were executed after my clients lost internet access. But for the last two commands I had to make the changes I described above so that the VPN would connect.

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'ovpn_fw'
	list network 'OVPN'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'ACCEPT'

config forwarding
	option dest 'ovpn_fw'
	option src 'lan'

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd36:50ab:267c::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'd4:6e:0e:xx:xx:xx'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'OVPN'
	option ifname 'tun0'
	option proto 'none'

/etc/config/vpn-policy-routing

config policy
	option name 'Aria2 VPN'
	option interface 'OVPN'
	option src_addr '0.0.0.0/0'
	option chain 'OUTPUT'

config policy
	option interface 'wan'
	option name 'Lan'
	option src_addr '192.168.1.0/24'

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	option resolver_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_chain_column '1'
	option enabled '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

before vpn
/etc/init.d/vpn-policy-routing support

vpn-policy-routing 0.3.2-20 running on OpenWrt 19.07.8.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0.2

IPv4 Table 201: default via 192.168.2.1 dev eth0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
IPv4 Table 201 Rules:
32765:  from all fwmark 0x10000/0xff0000 lookup wan

IPv4 Table 202: unreachable default
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
IPv4 Table 202 Rules:
32764:  from all fwmark 0x20000/0xff0000 lookup OVPN
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.0/24 -m comment --comment Lan -c 14047 2237166 -g VPR_MARK0x010000
============================================================
Mangle IP Table: OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m comment --comment Aria2_VPN -c 9530 2981647 -g VPR_MARK0x020000
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x010000
-N VPR_MARK0x010000
-A VPR_MARK0x010000 -c 14050 2237286 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_MARK0x010000 -c 14050 2237286 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x020000
-N VPR_MARK0x020000
-A VPR_MARK0x020000 -c 9536 2982687 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_MARK0x020000 -c 9536 2982687 -j RETURN
============================================================
Current ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. 

before vpn
/etc/init.d/vpn-policy-routing reload

Creating table 'wan/eth0.2/192.168.2.1' [✓]
Creating table 'OVPN/tun0/0.0.0.0' [✓]
Routing 'Aria2 VPN' via OVPN [✓]
Routing 'Lan' via wan [✓]
vpn-policy-routing 0.3.2-20 monitoring interfaces: wan OVPN [✓]
vpn-policy-routing 0.3.2-20 started with gateways:
wan/eth0.2/192.168.2.1 [✓]
OVPN/tun0/0.0.0.0

after vpn
/etc/init.d/vpn-policy-routing support

vpn-policy-routing 0.3.2-20 running on OpenWrt 19.07.8.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         1-186-109-91.dy 128.0.0.0       UG    0      0        0 tun0
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0.2

IPv4 Table 201: default via 192.168.2.1 dev eth0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
IPv4 Table 201 Rules:
32763:  from all fwmark 0x10000/0xff0000 lookup wan

IPv4 Table 202: default via 91.109.xx.xx dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
IPv4 Table 202 Rules:
32762:  from all fwmark 0x20000/0xff0000 lookup OVPN
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.0/24 -m comment --comment Lan -c 2561 378782 -g VPR_MARK0x010000
============================================================
Mangle IP Table: FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m comment --comment Aria2_VPN -c 1476 1260197 -g VPR_MARK0x020000
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x010000
-N VPR_MARK0x010000
-A VPR_MARK0x010000 -c 2564 378902 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_MARK0x010000 -c 2564 378902 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x020000
-N VPR_MARK0x020000
-A VPR_MARK0x020000 -c 1476 1260197 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_MARK0x020000 -c 1476 1260197 -j RETURN
============================================================
Current ipsets
============================================================

after vpn
/etc/init.d/vpn-policy-routing reload

Creating table 'wan/eth0.2/192.168.2.1' [✓]
Creating table 'OVPN/tun0/91.109.xx.xx' [✓]
Routing 'Aria2 VPN' via OVPN [✓]
Routing 'Lan' via wan [✓]
vpn-policy-routing 0.3.2-20 monitoring interfaces: wan OVPN [✓]
vpn-policy-routing 0.3.2-20 started with gateways:
wan/eth0.2/192.168.2.1
OVPN/tun0/91.109.xx.xx [✓]

With the current settings, as I mentioned above, everything works as intended except that, when I turn off the VPN, aria2 can still download files. When the VPN works, it downloads over the VPN interface, but when the VPN is down, it downloads over the WAN interface.

The 0.0.0.0/0 destination goes in the aria2 policy, not the lan one. One more thing I forgot to mention: since you are redirecting all the router's traffic to the VPN, you need to make an exception policy for the VPN provider, or you need to narrow down the matching conditions for aria2.
From the Lan policy the chain PREROUTING is missing. Does it appear in the LuCI page?

Yes, I did put this in the aria2 policy, not the lan one, and it caused the clients to have no internet. Weird.

Yes, PREROUTING appears in the LuCI page for Lan.

There's a simpler method which doesn't need to mess with iptables:

/etc/init.d/vpn-policy-routing disable
/etc/init.d/vpn-policy-routing stop
uci del_list firewall.@zone[1].network="wan4"
uci add_list firewall.@zone[1].network="wan4"
uci commit firewall
/etc/init.d/firewall restart
uci set network.lan.ip4table="1"
uci -q delete network.wan4
uci set network.wan4="interface"
uci set network.wan4.ifname="@wan"
uci set network.wan4.proto="dhcp"
uci set network.wan4.ip4table="2"
uci -q delete network.lan_wan
uci set network.lan_wan="rule"
uci set network.lan_wan.in="lan"
uci set network.lan_wan.lookup="2"
uci set network.lan_wan.priority="30000"
uci commit network
/etc/init.d/network restart
sed -i -e "/^pull-filter/s/^/#/" /etc/openvpn/*
/etc/init.d/openvpn restart
1 Like

Thanks for the reply. I will take note of this, but I think I'm gonna stick with the current settings for now. I feel it's not so bad for my purpose. It works, so I don't wanna change it further.

Regards!

If you stick with vpn-pbr, a couple of things to suggest.
A global policy to route all local traffic of the router via VPN to accommodate aria2 will affect the VPN itself. Therefore you either need to narrow down the ports and protocols used by aria2, or create an exception for the VPN endpoints to use the wan.

Thanks for your reply. Would you please share how I do that? Although I'm not facing any issues, I still wanna make sure the settings are proper.

Add an OUTPUT policy to use the wan interface for the IP or hostname of the VPN server.

I have made the changes, is this correct?

The address 192.168.1.1/0 is invalid. It can be 192.168.1.1/32. If you are trying to match the traffic originating from the router, the chain should be OUTPUT. FORWARD is for traffic traversing the router.
The ovpn address is a remote one. Also move this policy to the top of the list. Other than that it looks fine.
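The three checks the thread converges on can be scripted. The snippet below is an added example, not something posted in the thread or shipped with vpn-policy-routing. It reads text in the shape of the support output above and answers: does the VPN table blackhole marked traffic when the tunnel is down (the "unreachable default" that strict enforcement inserts) or let it fall through to the main table and leak out of the WAN; is the aria2 policy attached to the mangle OUTPUT chain, which is the only chain the router's own processes traverse (the posted support output shows it in FORWARD, so local aria2 traffic was never marked); and does an OUTPUT exception for the VPN server's address, steered to the wan mark chain VPR_MARK0x010000, precede the catch-all aria2 rule, as advised above. The route and iptables samples, the gateway 10.8.0.1 and the server address 203.0.113.10 are constructed for the example; on a router the same functions would be fed `ip route show table 202` and `iptables -t mangle -S`.

```shell
#!/bin/sh
# Added example (not from the thread or the package). All sample data below is
# constructed to mirror the shape of `ip route show table <n>` and
# `iptables -t mangle -S` output as seen in the vpn-policy-routing support dump.

# What happens to traffic marked for the VPN table, judged from that table?
#   default via <gw> dev tun*  -> "vpn-up":    marked traffic leaves via the tunnel
#   unreachable default        -> "blackhole": strict enforcement drops it when the
#                                              tunnel is down
#   no default route at all    -> "leak":      the lookup falls through to the main
#                                              table and the traffic exits via WAN
classify_vpn_table() {
    # $1: text of `ip route show table <n>` (the command itself is not run here)
    table="$1"
    if printf '%s\n' "$table" | grep -q '^default via .* dev tun'; then
        echo vpn-up
    elif printf '%s\n' "$table" | grep -q '^unreachable default'; then
        echo blackhole
    else
        echo leak
    fi
}

# Is a policy meant for the router's own processes attached to VPR_OUTPUT?
# Locally generated packets never traverse PREROUTING or FORWARD, so a rule
# placed there marks nothing. $1: mangle dump, $2: the policy's comment string
local_policy_chain_ok() {
    dump="$1"; comment="$2"
    printf '%s\n' "$dump" | grep -- "--comment $comment " | grep -q '^-A VPR_OUTPUT '
}

# Does an OUTPUT rule sending the VPN server's address to the wan mark chain
# come before the first catch-all (no -d match) OUTPUT rule? Rule order is what
# the "move this policy to the top of the list" advice is about.
# $1: mangle dump, $2: VPN server IP, $3: wan mark chain (VPR_MARK0x010000 here)
vpn_endpoint_exempted() {
    dump="$1"; server="$2"; wan_mark="$3"
    exc=$(printf '%s\n' "$dump" | grep -n '^-A VPR_OUTPUT ' \
          | grep -- "-d $server/32 " | grep -- "-g $wan_mark" | head -n1 | cut -d: -f1)
    all=$(printf '%s\n' "$dump" | grep -n '^-A VPR_OUTPUT ' \
          | grep -v -- ' -d ' | head -n1 | cut -d: -f1)
    [ -n "$exc" ] && [ -n "$all" ] && [ "$exc" -lt "$all" ]
}

# Constructed samples (hypothetical gateway 10.8.0.1, server 203.0.113.10).
TABLE_DOWN_STRICT='unreachable default
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'
TABLE_DOWN_NO_STRICT='192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'
TABLE_UP='default via 10.8.0.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'

MANGLE_FORWARD='-A VPR_FORWARD -m comment --comment Aria2_VPN -g VPR_MARK0x020000'
MANGLE_OUTPUT='-A VPR_OUTPUT -m comment --comment Aria2_VPN -g VPR_MARK0x020000'
MANGLE_WITH_EXCEPTION='-A VPR_OUTPUT -d 203.0.113.10/32 -m comment --comment VPN_server -g VPR_MARK0x010000
-A VPR_OUTPUT -m comment --comment Aria2_VPN -g VPR_MARK0x020000'
MANGLE_WRONG_ORDER='-A VPR_OUTPUT -m comment --comment Aria2_VPN -g VPR_MARK0x020000
-A VPR_OUTPUT -d 203.0.113.10/32 -m comment --comment VPN_server -g VPR_MARK0x010000'

# Live usage on the router (not executed here):
#   classify_vpn_table "$(ip route show table 202)"
#   local_policy_chain_ok "$(iptables -t mangle -S)" Aria2_VPN && echo "OUTPUT ok"
#   vpn_endpoint_exempted "$(iptables -t mangle -S)" <server ip> VPR_MARK0x010000
```

The "leak" case is the one the thread kept hitting: the table is keyed by fwmark, so a rule in FORWARD leaves the router's own aria2 sockets unmarked, and even a correctly marked packet falls back to the main table's WAN default route if the VPN table has no default entry to stop it.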

OK, thanks for the corrections.

And I believe I need to enter the ovpn remote address in the remote addresses field along with the UDP port it connects to? Or should I keep it like it is now?

Yes, it is remote.

OK, thanks. Here it is after the changes.

Looks good now!