Local proxy forward to OpenVPN

I have an OpenVPN interface "vpn" on a device "tun0". It sits inside a firewall zone named "vpn" (a copy of "wan"). Firewall zone "lan" is forwarded to both "vpn" and "wan". This allows me to route all traffic to the OpenVPN connection, and it works.

I want to set up a local proxy on my router* so I could forward only proxy clients to OpenVPN. Everything else should go to wan. This will allow me to use a VPN only on specific browsers or apps in general.

Proxy clients -> OpenVPN connections
Other traffic -> wan

I couldn't find any examples of this.

*Xiaomi Mi Router 3 Pro OpenWrt 24.10.2

Is this even possible?

Is the proxy mandatory, or is it only for distinguishing the clients?

I thought that a proxy could be an easy way of separating VPN traffic from regular WAN traffic. If this is possible, I will be able to set up separate browsers for VPN on multiple devices. But I couldn’t figure out how to set things up. So the proxy is mandatory, but for me there is no need to distinguish the clients (it could be one login/password for all of them).

You've got PBR for that, or redsocks if you want to socksify the VPN traffic, or even sslh.

This can be done relatively easily using tinyproxy.
The basic idea is described here.
Since your case is different, use this example to create the required static route.

I installed tinyproxy and was able to connect to it (port 8888, user proxy_vpn). I have separate firewall zones for WAN and VPN, and LAN can go to both zones. I could reach WAN with both the proxy and a normal connection, but couldn’t figure out how to actually redirect tinyproxy to the VPN firewall zone OR interface. The VPN is running with “redirect-gateway def1” disabled so it doesn’t take priority over WAN. I even tried policy based routing again with a policy redirecting port 8888 to the vpn interface, but failed (local port 8888, chain forward and interface vpn). Could you please tell me more about the routing part of the equation? I was unable to find anything useful on the Internet.

tinyproxy runs as user nobody and you can create an ip rule using the uid (65534) as selector. The combination of that rule and a default route through the VPN interface created in a custom routing table (100) should do what you need.

Disable and stop pbr, remove everything you added to /etc/config/network and run the following commands:

uci add network rule
uci set network.@rule[-1].lookup='100'
uci set network.@rule[-1].uidrange='65534'

uci add network route
uci set network.@route[-1].interface='vpn'
uci set network.@route[-1].target='0.0.0.0/0'
uci set network.@route[-1].table='100'
uci commit network
service network restart

I assume the logical interface name is vpn as mentioned in your OP.

This works. Thank you so much. :heart:


My notes on how to do the thing. Using tinyproxy to segregate VPN traffic from regular WAN traffic.

  1. Install "openvpn-openssl" and "luci-app-openvpn".
  2. Upload and apply a config file for a VPN connection.
  3. Disable "redirect-gateway" in the config by commenting it out with "#" and save:
     #redirect-gateway def1
  4. Reboot for the "tun0" device to appear.
  5. Create a new interface with name "vpn", protocol "Unmanaged", device "tun0". Add it to the "WAN" firewall zone.
  6. Install "tinyproxy" and "luci-app-tinyproxy".
  7. Enable tinyproxy and add allowed clients "192.168.1.0/24".
  8. Connect to the router using SSH and run these commands:
     uci add network rule
     uci set network.@rule[-1].lookup='100'
     uci set network.@rule[-1].uidrange='65534'

     uci add network route
     uci set network.@route[-1].interface='vpn'
     uci set network.@route[-1].target='0.0.0.0/0'
     uci set network.@route[-1].table='100'
     uci commit network
     service network restart
  9. Reboot for good measure.
  10. Use curl to test whether the proxy is running and reachable. The two curl commands should display different IPs:
     curl ifconfig.me
     curl --proxy http://192.168.1.1:8888 ifconfig.me
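An added verification script for the setup in the answer and the notes above; it is not from the thread or from OpenWrt. It assumes the values given in the thread (tinyproxy running as uid 65534, ip rule lookup table 100, logical interface "vpn" on device tun0, proxy at http://192.168.1.1:8888). The function names are mine, and the sample `ip rule` / `ip route` lines and IP addresses in check_sample are constructed so the parsing can be exercised off the router; `check_live` runs the real `ip` and `curl` commands on the router and fails if the uid rule or the table-100 default route is missing, or if proxied and direct traffic exit through the same address (i.e. the proxy is not leaving via the VPN).

```shell
#!/bin/sh
# Added verification helper, not from the thread. Assumes the setup described above:
# tinyproxy as uid 65534, ip rule uidrange 65534 -> table 100, and a default route in
# table 100 through the logical interface 'vpn' (device tun0).
PROXY_UID=65534
VPN_TABLE=100
VPN_DEV=tun0
PROXY_URL=http://192.168.1.1:8888

# stdin: output of `ip rule show`. Succeeds if a uidrange selector for PROXY_UID
# sends lookups to exactly VPN_TABLE (not e.g. table 1000).
has_uid_rule() {
    grep -Eq "uidrange ${PROXY_UID}-${PROXY_UID} lookup ${VPN_TABLE}"'( |$)'
}

# stdin: output of `ip route show table $VPN_TABLE`. Succeeds if a default route
# leaves through VPN_DEV, with or without a gateway address.
has_vpn_default() {
    grep -Eq "^default (via [0-9.]+ )?dev ${VPN_DEV}"'( |$)'
}

# Leak check on two egress addresses: succeeds only when both are non-empty and
# differ, i.e. proxied traffic exits via the VPN while direct traffic exits via WAN.
egress_differs() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Offline self-check against constructed sample output (the rule/route lines follow
# the shape Linux prints for the uci configuration above; the addresses are made up).
check_sample() {
    rules='0:      from all lookup local
32765:  from all uidrange 65534-65534 lookup 100
32766:  from all lookup main'
    routes='default dev tun0 scope link'
    printf '%s\n' "$rules" | has_uid_rule || return 1
    printf '%s\n' "$routes" | has_vpn_default || return 1
    egress_differs 203.0.113.7 198.51.100.42 || return 1
    # a broken setup: rule missing, and both paths exit via the same WAN address
    if printf '%s\n' '32766:  from all lookup main' | has_uid_rule; then return 1; fi
    if egress_differs 203.0.113.7 203.0.113.7; then return 1; fi
    return 0
}

# Live check, run on the router after the uci commands: rule, route, then egress.
check_live() {
    ip rule show | has_uid_rule \
        || { echo "FAIL: no ip rule for uid $PROXY_UID -> table $VPN_TABLE"; return 1; }
    ip route show table "$VPN_TABLE" | has_vpn_default \
        || { echo "FAIL: no default route via $VPN_DEV in table $VPN_TABLE"; return 1; }
    direct=$(curl -s --max-time 10 ifconfig.me)
    proxied=$(curl -s --max-time 10 --proxy "$PROXY_URL" ifconfig.me)
    egress_differs "$direct" "$proxied" \
        || { echo "FAIL: direct=$direct proxied=$proxied (proxy not leaving via VPN)"; return 1; }
    echo "OK: direct=$direct proxied=$proxied"
}

if [ "${1:-}" = "live" ]; then check_live; else check_sample && echo "sample checks passed"; fi
```

Run it as `sh check_vpn_proxy.sh live` on the router; without the argument it only runs the offline sample checks. The uid rule is what keeps non-proxy traffic on WAN, so the script checks the rule before the route: a default route in table 100 without the selector rule is never consulted.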
