OpenVPN client and server policy routing not working

I hope that by marking the input we can affect the output with conntrack:

Added the following:

config policy
	option interface 'wan'
	option name 'vpn server 3'
	option local_port '1194'
	option chain 'INPUT'
	option proto 'tcp udp'
logread -e iptables:.*:INPUT | tail
Wed Jul 10 10:01:09 2019 kern.warn kernel: [  711.758741] iptables:mangle:INPUT: IN=eth0 OUT= MAC=18:03:73:ce:8d:19:30:4b:07:85:7a:2f:08:00 SRC=192.168.0.196 DST=192.168.0.1 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=47409 DF PROTO=UDP SPT=45663 DPT=1194 LEN=62
Wed Jul 10 10:01:09 2019 kern.warn kernel: [  711.777579] iptables:filter:INPUT: IN=eth0 OUT= MAC=18:03:73:ce:8d:19:30:4b:07:85:7a:2f:08:00 SRC=192.168.0.196 DST=192.168.0.1 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=47409 DF PROTO=UDP SPT=45663 DPT=1194 LEN=62
Wed Jul 10 10:01:11 2019 kern.warn kernel: [  712.942048] iptables:mangle:INPUT: IN=eth0 OUT= MAC=18:03:73:ce:8d:19:30:4b:07:85:7a:2f:08:00 SRC=192.168.0.196 DST=192.168.0.1 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=47597 DF PROTO=UDP SPT=45663 DPT=1194 LEN=62
Wed Jul 10 10:01:11 2019 kern.warn kernel: [  712.960884] iptables:filter:INPUT: IN=eth0 OUT= MAC=18:03:73:ce:8d:19:30:4b:07:85:7a:2f:08:00 SRC=192.168.0.196 DST=192.168.0.1 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=47597 DF PROTO=UDP SPT=45663 DPT=1194 LEN=62
Wed Jul 10 10:01:15 2019 kern.warn kernel: [  717.553331] iptables:mangle:INPUT: IN=eth0 OUT= MAC=18:03:73:ce:8d:19:30:4b:07:85:7a:2f:08:00 SRC=192.168.0.196 DST=192.168.0.1 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=48479 DF PROTO=UDP SPT=45663 DPT=1194 LEN=62
Wed Jul 10 10:01:15 2019 kern.warn kernel: [  717.572167] iptables:filter:INPUT: IN=eth0 OUT= MAC=18:03:73:ce:8d:19:30:4b:07:85:7a:2f:08:00 SRC=192.168.0.196 DST=192.168.0.1 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=48479 DF PROTO=UDP SPT=45663 DPT=1194 LEN=62
Wed Jul 10 10:01:23 2019 kern.warn kernel: [  725.405377] iptables:mangle:INPUT: IN=eth0 OUT= MAC=18:03:73:ce:8d:19:30:4b:07:85:7a:2f:08:00 SRC=192.168.0.196 DST=192.168.0.1 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=48695 DF PROTO=UDP SPT=45663 DPT=1194 LEN=62
Wed Jul 10 10:01:23 2019 kern.warn kernel: [  725.424208] iptables:filter:INPUT: IN=eth0 OUT= MAC=18:03:73:ce:8d:19:30:4b:07:85:7a:2f:08:00 SRC=192.168.0.196 DST=192.168.0.1 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=48695 DF PROTO=UDP SPT=45663 DPT=1194 LEN=62
logread -e iptables:.*:OUTPUT | tail
Wed Jul 10 10:01:09 2019 kern.warn kernel: [  711.796797] iptables:mangle:OUTPUT: IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.196 LEN=94 TOS=0x00 PREC=0x00 TTL=64 ID=60474 DF PROTO=UDP SPT=1194 DPT=45663 LEN=74 MARK=0x10000
Wed Jul 10 10:01:09 2019 kern.warn kernel: [  711.812844] iptables:filter:OUTPUT: IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.196 LEN=94 TOS=0x00 PREC=0x00 TTL=64 ID=60474 DF PROTO=UDP SPT=1194 DPT=45663 LEN=74 MARK=0x10000
Wed Jul 10 10:01:11 2019 kern.warn kernel: [  712.979800] iptables:mangle:OUTPUT: IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.196 LEN=94 TOS=0x00 PREC=0x00 TTL=64 ID=60524 DF PROTO=UDP SPT=1194 DPT=45663 LEN=74 MARK=0x10000
Wed Jul 10 10:01:11 2019 kern.warn kernel: [  712.995859] iptables:filter:OUTPUT: IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.196 LEN=94 TOS=0x00 PREC=0x00 TTL=64 ID=60524 DF PROTO=UDP SPT=1194 DPT=45663 LEN=74 MARK=0x10000
Wed Jul 10 10:01:15 2019 kern.warn kernel: [  717.591088] iptables:mangle:OUTPUT: IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.196 LEN=94 TOS=0x00 PREC=0x00 TTL=64 ID=60622 DF PROTO=UDP SPT=1194 DPT=45663 LEN=74 MARK=0x10000
Wed Jul 10 10:01:15 2019 kern.warn kernel: [  717.607148] iptables:filter:OUTPUT: IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.196 LEN=94 TOS=0x00 PREC=0x00 TTL=64 ID=60622 DF PROTO=UDP SPT=1194 DPT=45663 LEN=74 MARK=0x10000
Wed Jul 10 10:01:23 2019 kern.warn kernel: [  725.443100] iptables:mangle:OUTPUT: IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.196 LEN=94 TOS=0x00 PREC=0x00 TTL=64 ID=60931 DF PROTO=UDP SPT=1194 DPT=45663 LEN=74 MARK=0x10000
Wed Jul 10 10:01:23 2019 kern.warn kernel: [  725.459143] iptables:filter:OUTPUT: IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.196 LEN=94 TOS=0x00 PREC=0x00 TTL=64 ID=60931 DF PROTO=UDP SPT=1194 DPT=45663 LEN=74 MARK=0x10000
Wed Jul 10 10:01:39 2019 kern.warn kernel: [  741.497538] iptables:mangle:OUTPUT: IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.196 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=62295 DF PROTO=UDP SPT=1194 DPT=45663 LEN=62 MARK=0x10000
Wed Jul 10 10:01:39 2019 kern.warn kernel: [  741.513589] iptables:filter:OUTPUT: IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.196 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=62295 DF PROTO=UDP SPT=1194 DPT=45663 LEN=62 MARK=0x10000

I've installed both kmod packages.

Looks like you connected from inside the LAN.

Whoops, looks like I forgot to turn off my phone's Wi-Fi :flushed:

Let me try that again.

So if I'm reading this correctly, input marking is not working?

logread -e iptables:.*:INPUT | tail
Wed Jul 10 14:37:00 2019 kern.warn kernel: [ 3787.655674] iptables:mangle:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=89.205.129.99 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=50430 DF PROTO=UDP SPT=62293 DPT=1194 LEN=62
Wed Jul 10 14:37:00 2019 kern.warn kernel: [ 3787.675024] iptables:filter:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=89.205.129.99 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=50430 DF PROTO=UDP SPT=62293 DPT=1194 LEN=62
Wed Jul 10 14:37:02 2019 kern.warn kernel: [ 3789.831379] iptables:mangle:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=89.205.129.99 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=50517 DF PROTO=UDP SPT=62293 DPT=1194 LEN=62
Wed Jul 10 14:37:02 2019 kern.warn kernel: [ 3789.850730] iptables:filter:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=89.205.129.99 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=50517 DF PROTO=UDP SPT=62293 DPT=1194 LEN=62
Wed Jul 10 14:37:06 2019 kern.warn kernel: [ 3794.177322] iptables:mangle:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=89.205.129.99 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=50585 DF PROTO=UDP SPT=62293 DPT=1194 LEN=62
Wed Jul 10 14:37:06 2019 kern.warn kernel: [ 3794.196671] iptables:filter:INPUT: IN=eth0.2 OUT= MAC=18:03:73:ce:8d:19:a2:de:48:00:01:02:08:00 SRC=89.205.129.99 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=50585 DF PROTO=UDP SPT=62293 DPT=1194 LEN=62
logread -e iptables:.*:OUTPUT | tail
Wed Jul 10 14:37:02 2019 kern.warn kernel: [ 3789.870147] iptables:mangle:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=94 TOS=0x00 PREC=0x00 TTL=64 ID=16593 DF PROTO=UDP SPT=1194 DPT=62293 LEN=74
Wed Jul 10 14:37:02 2019 kern.warn kernel: [ 3789.884945] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=94 TOS=0x00 PREC=0x00 TTL=64 ID=16593 DF PROTO=UDP SPT=1194 DPT=62293 LEN=74 MARK=0x10000
Wed Jul 10 14:37:06 2019 kern.warn kernel: [ 3793.579552] iptables:mangle:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=16664 DF PROTO=UDP SPT=1194 DPT=62293 LEN=62
Wed Jul 10 14:37:06 2019 kern.warn kernel: [ 3793.594367] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=16664 DF PROTO=UDP SPT=1194 DPT=62293 LEN=62 MARK=0x10000
Wed Jul 10 14:37:06 2019 kern.warn kernel: [ 3794.216082] iptables:mangle:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=16725 DF PROTO=UDP SPT=1194 DPT=62293 LEN=70
Wed Jul 10 14:37:06 2019 kern.warn kernel: [ 3794.230863] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=16725 DF PROTO=UDP SPT=1194 DPT=62293 LEN=70 MARK=0x10000
Wed Jul 10 14:37:14 2019 kern.warn kernel: [ 3801.975179] iptables:mangle:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=16867 DF PROTO=UDP SPT=1194 DPT=62293 LEN=62
Wed Jul 10 14:37:14 2019 kern.warn kernel: [ 3801.989991] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=16867 DF PROTO=UDP SPT=1194 DPT=62293 LEN=62 MARK=0x10000
Wed Jul 10 14:37:30 2019 kern.warn kernel: [ 3817.967856] iptables:mangle:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=17844 DF PROTO=UDP SPT=1194 DPT=62293 LEN=62
Wed Jul 10 14:37:30 2019 kern.warn kernel: [ 3817.982676] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=17844 DF PROTO=UDP SPT=1194 DPT=62293 LEN=62 MARK=0x10000

Right, it keeps sending out the replies from the tunnel instead of the WAN.
@stangri maybe you can help us? Configs are here and SPOooON has added a rule for INPUT as well, apart from the append_local_rules option.
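
What the two captures above say, read line by line: the inbound packets (mangle:INPUT and filter:INPUT) carry no MARK at all; the reply is unmarked in mangle:OUTPUT, carries MARK=0x10000 by the time it reaches filter:OUTPUT, but still has OUT=tun0 and SRC=10.27.10.6, the tunnel address, so the mark alone did not move it onto the WAN. The script below is an added example, not code from the thread or from vpn-policy-routing: `summarize_log` folds `logread -e 'iptables:'` output into one line per table:chain, output interface, source address and mark, and `reply_path_check` fails when marked replies leave via anything other than the expected WAN device. The sample lines are constructed after the ones posted (MAC fields dropped); eth0.2 as the expected WAN device is taken from the IN= field of the inbound packets.

```shell
#!/bin/sh
# Added example (not from the thread): digest `logread -e 'iptables:'` lines
# per table:chain and flag marked replies that leave via the wrong interface.
# SAMPLE_LOG is constructed after the lines posted in the thread.

SAMPLE_LOG='Wed Jul 10 14:37:00 2019 kern.warn kernel: [ 3787.655674] iptables:mangle:INPUT: IN=eth0.2 OUT= SRC=89.205.129.99 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=50430 DF PROTO=UDP SPT=62293 DPT=1194 LEN=62
Wed Jul 10 14:37:00 2019 kern.warn kernel: [ 3787.675024] iptables:filter:INPUT: IN=eth0.2 OUT= SRC=89.205.129.99 DST=163.158.129.181 LEN=82 TOS=0x00 PREC=0x00 TTL=52 ID=50430 DF PROTO=UDP SPT=62293 DPT=1194 LEN=62
Wed Jul 10 14:37:02 2019 kern.warn kernel: [ 3789.870147] iptables:mangle:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=94 TOS=0x00 PREC=0x00 TTL=64 ID=16593 DF PROTO=UDP SPT=1194 DPT=62293 LEN=74
Wed Jul 10 14:37:02 2019 kern.warn kernel: [ 3789.884945] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=94 TOS=0x00 PREC=0x00 TTL=64 ID=16593 DF PROTO=UDP SPT=1194 DPT=62293 LEN=74 MARK=0x10000
Wed Jul 10 14:37:06 2019 kern.warn kernel: [ 3793.579552] iptables:mangle:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=16664 DF PROTO=UDP SPT=1194 DPT=62293 LEN=62
Wed Jul 10 14:37:06 2019 kern.warn kernel: [ 3793.594367] iptables:filter:OUTPUT: IN= OUT=tun0 SRC=10.27.10.6 DST=89.205.129.99 LEN=82 TOS=0x00 PREC=0x00 TTL=64 ID=16664 DF PROTO=UDP SPT=1194 DPT=62293 LEN=62 MARK=0x10000'

# One line per (table:chain, OUT= interface, SRC= address, MARK=), with a count.
# Reads the log on stdin; "-" stands for an empty OUT= or a missing MARK=.
summarize_log() {
    awk '
    {
        chain = ""; mark = "-"; out = "-"; src = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^iptables:/) {
                chain = $i
                sub(/:$/, "", chain)          # "iptables:mangle:INPUT:" -> "mangle:INPUT"
                sub(/^iptables:/, "", chain)
            } else if ($i ~ /^MARK=/) {
                mark = substr($i, 6)
            } else if ($i ~ /^OUT=/) {
                out = substr($i, 5)
                if (out == "") out = "-"
            } else if ($i ~ /^SRC=/) {
                src = substr($i, 5)
            }
        }
        if (chain == "") next                 # not an iptables LOG line
        count[chain " out=" out " src=" src " mark=" mark]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Exit 0 if every marked packet seen in filter:OUTPUT left via the interface
# given as $1 (the WAN device), exit 1 and report otherwise.
reply_path_check() {
    awk -v want="$1" '
    BEGIN { rc = 0 }
    /iptables:filter:OUTPUT:/ {
        out = "-"; mark = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^OUT=/) out = substr($i, 5)
            if ($i ~ /^MARK=/) mark = substr($i, 6)
        }
        if (mark == "-") next                 # unmarked reply: policy did not apply
        if (out == want) ok++; else bad[out]++
    }
    END {
        for (o in bad) {
            printf "BAD: %d marked replies left via %s, expected %s\n", bad[o], o, want
            rc = 1
        }
        if (rc == 0) printf "OK: %d marked replies left via %s\n", ok + 0, want
        exit rc
    }'
}

# On the router: logread -e 'iptables:' | summarize_log
#                logread -e 'iptables:' | reply_path_check eth0.2
printf '%s\n' "$SAMPLE_LOG" | summarize_log
printf '%s\n' "$SAMPLE_LOG" | reply_path_check eth0.2 || echo "replies are not leaving via the WAN device"
```

A reply whose source address is already the tunnel address cannot be repaired by a fwmark: for a UDP socket bound to 0.0.0.0 the kernel picks the source address when it first routes the packet, before the OUTPUT chains run, so even a successful reroute keeps SRC=10.27.10.6. For OpenVPN the usual remedy is to run the server with `--multihome` (or bind it to the WAN address with `--local`) so that it answers from the address the request arrived on; that is a general OpenVPN option, not something tested in this thread.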

Sorry, my support ability is severely limited now. I myself use the VPN server & client at the same time and I use the config posted in the README.

If we want to utilize conntrack, I expect to see the traffic marked in the filter/INPUT, but it is still not marked.

uci show vpn-policy-routing
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].chain='PREROUTING'
vpn-policy-routing.@policy[0].interface='wan'
vpn-policy-routing.@policy[0].name='netflix'
vpn-policy-routing.@policy[0].remote_address='netflix.com nflxext.com nflxvideo.net nflximg.com'
vpn-policy-routing.@policy[0].proto='tcp udp'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.output_chain_enabled='1'
vpn-policy-routing.config.dnsmasq_enabled='1'
vpn-policy-routing.config.proto_control='1'
vpn-policy-routing.config.chain_control='1'
vpn-policy-routing.config.ignored_interface='VPN_SERVER'
vpn-policy-routing.config.append_local_rules='! -d 192.168.8.0/24'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].interface='wan'
vpn-policy-routing.@policy[1].local_port='1194'
vpn-policy-routing.@policy[1].name='vpn server'
vpn-policy-routing.@policy[1].chain='OUTPUT'
vpn-policy-routing.@policy[1].proto='tcp udp'
vpn-policy-routing.@policy[2]=policy
vpn-policy-routing.@policy[2].interface='wan'
vpn-policy-routing.@policy[2].name='vpn server 2'
vpn-policy-routing.@policy[2].local_port='1194'
vpn-policy-routing.@policy[2].proto='tcp udp'
vpn-policy-routing.@policy[2].chain='PREROUTING'
vpn-policy-routing.@policy[3]=policy
vpn-policy-routing.@policy[3].interface='wan'
vpn-policy-routing.@policy[3].name='vpn server 3'
vpn-policy-routing.@policy[3].local_port='1194'
vpn-policy-routing.@policy[3].chain='INPUT'
vpn-policy-routing.@policy[3].proto='tcp udp'
iptables-save -t mangle
# Generated by iptables-save v1.6.2 on Thu Jul 11 17:32:22 2019
*mangle
:PREROUTING ACCEPT [1165497:1271262189]
:INPUT ACCEPT [513055:676564160]
:FORWARD ACCEPT [652441:594696764]
:OUTPUT ACCEPT [198522:28874582]
:POSTROUTING ACCEPT [850958:623570962]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A VPR_INPUT -p udp -m multiport --sports 1194 -m comment --comment vpn_server_3 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_INPUT -p tcp -m multiport --sports 1194 -m comment --comment vpn_server_3 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_OUTPUT -p udp -m multiport --sports 1194 -m comment --comment vpn_server -j MARK --set-xmark 0x10000/0xff0000
-A VPR_OUTPUT -p tcp -m multiport --sports 1194 -m comment --comment vpn_server -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p udp -m multiport --sports 1194 -m comment --comment vpn_server_2 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p tcp -m multiport --sports 1194 -m comment --comment vpn_server_2 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 207.45.72.215/32 -m comment --comment netflix_nflximg_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 207.45.72.215/32 -m comment --comment netflix_nflximg_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.89.245.208/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.89.245.208/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 184.73.192.76/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 184.73.192.76/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.140.41/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.140.41/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.78.165/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.78.165/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.18.140.121/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.18.140.121/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 50.17.247.31/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 50.17.247.31/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.240.186/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.32.240.186/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.16.244.17/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.16.244.17/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.17.14.207/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.17.14.207/32 -m comment --comment netflix_nflxvideo_net -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 207.45.72.215/32 -m comment --comment netflix_nflxext_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 207.45.72.215/32 -m comment --comment netflix_nflxext_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.77.143.196/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 54.77.143.196/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.51.252.111/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.51.252.111/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.208.245.169/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.208.245.169/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 34.242.59.189/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 34.242.59.189/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.17.219.77/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.17.219.77/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.18.15.9/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.18.15.9/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.30.103.23/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.30.103.23/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.31.109.246/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 52.31.109.246/32 -m comment --comment netflix_netflix_com -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set PIA_VPN dst -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Thu Jul 11 17:32:22 2019

I tried it myself. It is not working for me either. I normally don't use the VPN connection for the whole internet, but for the scope of this experiment I pushed 0.0.0.0/1 and 128.0.0.0/0 over my VPN.
First of all, I noticed that the append_local_rules option is not added to any rule.
Second, I can see all the packets coming from my phone over the 4G mobile internet to the WAN of the router, but nothing returning.
Third, I tried pinging the phone from the router; I can see the packets going out over the correct interface, but with the wrong source address!

14:13:15.250309 IP (tos 0x88, ttl 64, id 42621, offset 0, flags [none], proto UDP (17), length 176)
    10.0.20.2.1200 > 666.666.666.208.25697: [udp sum ok] UDP, length 148

10.0.20.2 is the address of the vps interface, while it should be 10.0.10.1, the address of the roadwarrior interface.

network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.ip6addr='::1/128'
network.lan=interface
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='10.0.2.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6ifaceid='::1'
network.lan.force_link='0'
network.lan.ip6assign='64'
network.lan.dns='10.0.2.3 10.0.2.2 10.0.20.1'
network.wan=interface
network.wan.proto='pppoe'
network.wan.ifname='eth1'
network.wan.username='user'
network.wan.password='pass'
network.wan.mtu='1492'
network.wan.peerdns='0'
network.wan.ipv6='auto'
network.wan.keepalive='10 30'
network.vps=interface
network.vps.ifname='tun0'
network.vps.proto='static'
network.vps.ipaddr='10.0.20.2'
network.vps.netmask='255.255.255.252'
network.roadwarrior=interface
network.roadwarrior.proto='wireguard'
network.roadwarrior.private_key='kregergergergergergerger='
network.roadwarrior.listen_port='1200'
network.roadwarrior.addresses='10.0.10.1/28'
network.@wireguard_roadwarrior[0]=wireguard_roadwarrior
network.@wireguard_roadwarrior[0].persistent_keepalive='25'
network.@wireguard_roadwarrior[0].public_key='rgertgertgertgertgerQC1fjxmE='
network.@wireguard_roadwarrior[0].description='Redmi Note4 trendy'
network.@wireguard_roadwarrior[0].allowed_ips='10.0.10.2/32'
network.globals=globals
network.globals.ula_prefix='fd00:bbbb::/48'
network.@route[0]=route
network.@route[0].interface='wan'
network.@route[0].target='37.666.11.666'
root@xeli:~# uci show vpn-policy-routing
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.dnsmasq_enabled='0'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.proto_control='1'
vpn-policy-routing.config.chain_control='1'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.config.append_remote_rules='! -d 10.0.10.0/28'
vpn-policy-routing.config.ignored_interface='roadwarrior' 'elvetias'
vpn-policy-routing.config.supported_interface='wan' 'vps'
vpn-policy-routing.config.wan_dscp='' ''
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].interface='wan'
vpn-policy-routing.@policy[0].name='Wireguard'
vpn-policy-routing.@policy[0].local_port='1200'
vpn-policy-routing.@policy[0].proto='udp'
vpn-policy-routing.@policy[0].chain='OUTPUT'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].interface='wan'
vpn-policy-routing.@policy[1].name='Wireguard2'
vpn-policy-routing.@policy[1].local_port='1200'
vpn-policy-routing.@policy[1].proto='udp'
vpn-policy-routing.@policy[1].chain='INPUT'
vpn-policy-routing.@policy[2]=policy
vpn-policy-routing.@policy[2].chain='PREROUTING'
vpn-policy-routing.@policy[2].interface='wan'
vpn-policy-routing.@policy[2].name='Wireguard3'
vpn-policy-routing.@policy[2].local_port='1200'
vpn-policy-routing.@policy[2].proto='udp'
vpn-policy-routing.@policy[3]=policy
vpn-policy-routing.@policy[3].interface='wan'
vpn-policy-routing.@policy[3].name='Wireguard4'
vpn-policy-routing.@policy[3].local_port='1200'
vpn-policy-routing.@policy[3].proto='udp'
vpn-policy-routing.@policy[3].chain='FORWARD'
vpn-policy-routing support
vpn-policy-routing 0.0.6-0 running on OpenWrt 18.06.4.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         vps.mrv         128.0.0.0       UG    0      0        0 tun0
default         mil.mora          0.0.0.0         UG    0      0        0 pppoe-wan
IPv4 Table 201: default via 95.99.211.999 dev pppoe-wan
IPv4 Table 201 Rules:
32699:	from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.0.20.1 dev tun0
IPv4 Table 202 Rules:
32698:	from all fwmark 0x20000 lookup 202
IPv4 Table 203: default via 10.0.20.5 dev elvetias
IPv4 Table 203 Rules:
32718:	from all fwmark 0x30000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -p udp -m multiport --sports 1200 -m comment --comment Wireguard3 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set vps dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -p udp -m multiport --sports 1200 -m comment --comment Wireguard4 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -p udp -m multiport --sports 1200 -m comment --comment Wireguard2 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -p udp -m multiport --sports 1200 -m comment --comment Wireguard -c 197 31480 -j MARK --set-xmark 0x10000/0xff0000
============================================================

Last, I think there should be some cleaning up of the rules applied from the vpn-policy-routing because on every reload of the service another line is added and I end up with a bunch of the same rules slowing down the router.

iptables-save mangle
*mangle
:PREROUTING ACCEPT [1254507:1329220764]
:INPUT ACCEPT [490977:676220802]
:FORWARD ACCEPT [749174:651966423]
:OUTPUT ACCEPT [289273:47698190]
:POSTROUTING ACCEPT [1033045:699357055]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -o pppoe-wan -j qos_Default
-A FORWARD -o 6in4-HEnet -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A OUTPUT -o pppoe-wan -j qos_Default
-A VPR_FORWARD -p udp -m multiport --sports 1200 -m comment --comment Wireguard4 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_INPUT -p udp -m multiport --sports 1200 -m comment --comment Wireguard2 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_OUTPUT -p udp -m multiport --sports 1200 -m comment --comment Wireguard -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p udp -m multiport --sports 1200 -m comment --comment Wireguard3 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set vps dst -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
-A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
-A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
-A qos_Default_ct -s 10.0.2.31/32 -m mark --mark 0x0/0xf -m comment --comment spa941 -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -s 10.0.2.32/32 -m mark --mark 0x0/0xf -m comment --comment gigaset-c530 -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p icmp -m mark --mark 0x0/0xf -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,143,443,465,993,995 -m comment --comment "ftp, smtp, http(s), imap, pop" -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -m mark --mark 0x0/0xf -j MARK --set-xmark 0x44/0xff
-A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff

@stangri I understand that you are short on help cycles, but could you help us a bit here? Since you have the same setup maybe you could paste here your configuration?

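An added check, not from the thread or the vpn-policy-routing package, that reads iptables-save text and reports the `-A` jump rules that have piled up across reloads, as in the mangle dump above. The sample table is constructed to mimic that dump (three copies of the PREROUTING jump, two of the INPUT jump); on a router you would feed it `iptables-save -t mangle` instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from vpn-policy-routing.
# Constructed sample shaped like the mangle table posted above: the
# PREROUTING jump is present three times and the INPUT jump twice.
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:VPR_PREROUTING - [0:0]
:VPR_INPUT - [0:0]
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A FORWARD -o pppoe-wan -j qos_Default
-A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT'

# Read iptables-save text on stdin; print every "-A" rule that occurs more
# than once, prefixed with its occurrence count.
duplicate_rules() {
    grep '^-A ' | sort | uniq -c | awk '$1 > 1 { sub(/^[ \t]*/, ""); print }'
}

# Number of distinct rules that are duplicated in the given table text
# (0 means the table is clean).
duplicate_count() {
    printf '%s\n' "$1" | duplicate_rules | wc -l | tr -d ' '
}

# Emit one "iptables -t mangle -D" command per surplus copy, so that a
# single copy of each jump stays in place and the chain remains wired in.
dedupe_commands() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -c \
      | awk '$1 > 1 {
               n = $1 - 1; $1 = ""; sub(/^ *-A /, "")
               while (n-- > 0) print "iptables -t mangle -D " $0
             }'
}
```

Run `iptables-save -t mangle | duplicate_rules` to inspect a live router; review the output of `dedupe_commands` before executing it, since each `-D` removes one copy of the matching rule.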

According to your VPR settings you don't have that option in your config. You have append_remote_rules='! -d 10.0.10.0/28'. Also, it is only added to the policies with the local_address set.

For cleaning up -- there was a bug in one of the more recent versions which prevented cleanups, I hope to have fixed it in 0.0.6-1 (which I will push to repo after local testing). After reboot it should start cleaning up.

I haven't tested Wireguard/UDP for the local VPN server, I'll first retest the OpenVPN/TCP in a few different scenarios within a few days and get back to you.

I may have to revise the README example and split it into two:

  1. VPN client connection used as default
  2. VPN client connection is not default and used just by some local devices
DF

Don't fragment?

Status update: I've given up on getting OpenWrt to do what I want. OPNsense got me a working client and server without too much fuss, but had weird DNS timeout issues running OpenVPN. Currently running pfSense, everything working great, no issues so far.

Thanks everyone for your help, catch you on the flip side.
