OpenVPN on OpenWrt on router behind ISP router

Hi Trendy,

Below is the output you requested.

I am a little confused as I have had problems with my network since I made the dns changes you suggested. For some reason the ipv4 gateway had disappeared from the LAN settings and I tried to reinstate it as 10.0.0.1 being the default for the router that manages the LAN and the gateway I use on every machine that is added to the network. However OpenWrt would not accept it and I have had to change it to 192.168.1.1 (not sure but I assume I could have also used 192.168.0.1?).

However this is where I am confused as I am trying to load balance the two WANs and if I send the LAN packets via 192.168.1.1 how does it then balance and use (share) the 192.168.0.1 gateway? Are the packets somehow redirected through the mwan3 policies before finally going out to the internet?

Sorry to ask such basic stuff.

Still cannot see 192.168.0.1 from the LAN 10.0.0.0/24.

Geoff


root@OpenWrt:~# uci export mwan3
package mwan3

config globals 'globals'
	option mmx_mask '0x3F00'

config rule 'https'
	option sticky '1'
	option dest_port '443'
	option proto 'tcp'
	option use_policy 'load_bal_gjj'

config rule 'default_rule_v4'
	option dest_ip '0.0.0.0/0'
	option family 'ipv4'
	option proto 'all'
	option sticky '0'
	option use_policy 'load_bal_gjj'

config rule 'default_rule_v6'
	option dest_ip '::/0'
	option family 'ipv6'
	option proto 'all'
	option sticky '0'
	option use_policy 'load_bal_gjj'

config interface 'wan_free'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	list track_ip '1.1.1.1'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option check_quality '0'
	option timeout '4'
	option failure_interval '5'
	option recovery_interval '5'
	option interval '5'
	option down '3'
	option up '3'

config interface 'wan_sfr'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	list track_ip '1.1.1.1'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option check_quality '0'
	option timeout '4'
	option interval '5'
	option failure_interval '5'
	option recovery_interval '5'
	option down '3'
	option up '3'

config member 'wan_sfr_m1_w1'
	option interface 'wan_sfr'
	option metric '1'
	option weight '1'

config member 'wan_free_m1_w1'
	option interface 'wan_free'
	option metric '1'
	option weight '1'

config policy 'load_bal_gjj'
	option last_resort 'default'
	list use_member 'wan_sfr_m1_w1'
	list use_member 'wan_free_m1_w1'

root@OpenWrt:~# 

Hi Trendy,

I have been having all sorts of problems since making the changes to the network LAN interface. I have now finally removed all custom DNS entries from the LAN and left the public DNS entries on the two WANs (8.8.8.8 and 8.8.4.4) and that appears to be working again.

However, my policy page on the OpenVPN is now reporting the following Service Error:

Service Gateways

tun0/10.8.0.6
wan_free/wan/192.168.1.1 ✓
wan_sfr/lan4/192.168.0.1

The ✓ indicates default gateway. See the README for details.

Service Errors

Failed to set up 'lan/br-lan/192.168.1.1'

Can you see why this has happened?

Geoff

From mwan3 configuration the tun0 is missing.
In the next post you are showing some output from vpn-policy-routing?
You should not be using both, as they are doing the same thing and their operations can conflict.

Hi Trendy,

I thought mwan3 was for load balancing on the WAN side? I am using vpn-policy-routing to direct selected devices to the tun0 interface. Can I do this via mwan3? It seems to work OK as I have it setup so am reluctant to change it.

I think you are saying that I need to add the tun0 into my mwan3 setup but then how do I direct individual devices to only use that route?

I have restarted the interfaces a couple of times and now the service error has disappeared so I do not know what was causing it.

Geoff

Both mwan3 and pbr do the same thing in a slightly different way. Therefore trying to combine them isn't guaranteed to work.
You can add the tun0 interface to mwan3 as well. Make a rule for the individual devices to use the tun0 only policy which will contain the tun0 member interface only.

Thanks Trendy,

I did take a look at it but could not work out how to get it to work but will have another go over the weekend.

It is not the pbr software I am using but the following:

openvpn-openssl	2.5.3-3
openwrt-keyring	2021-02-20-49283916-2	
libopenssl1.1	1.1.1q-1
luci-app-openvpn

It is the luci app that manages the routing.

Geoff

This is a luci frontend to manage the OpenVPN configuration. It is not dealing with routing in any way other than installing the default or any static routes.
Can we have a look at the whole list?
opkg list-installed

Here is the output

BusyBox v1.33.2 (2022-02-16 20:29:10 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02.2, r16495-bf0c965af0
 -----------------------------------------------------
root@OpenWrt:~# opkg list-installed
base-files - 1439-r16495-bf0c965af0
busybox - 1.33.2-2
ca-bundle - 20210119-1
cgi-io - 2021-09-08-98cef9dd-20
dnsmasq - 2.85-8
dropbear - 2020.81-2
firewall - 2021-03-23-61db17ed-1
fstools - 2021-01-04-c53b1882-1
fwtool - 2019-11-12-8f7fe925-1
getrandom - 2020-10-25-9ef88681-2
hostapd-common - 2020-06-08-5a8b3662-39
ip-full - 5.11.0-3
ip6tables - 1.8.7-1
ipset - 7.6-1
iptables - 1.8.7-1
iptables-mod-conntrack-extra - 1.8.7-1
iptables-mod-ipopt - 1.8.7-1
iw - 5.9-8fab0c9e-3
iwinfo - 2021-04-30-c45f0b58-2.1
jshn - 2021-05-16-b14c4688-2
jsonfilter - 2018-02-04-c7e938d6-1
kernel - 5.4.179-1-613e7cb33f069740a878d322bb79ae77
kmod-cfg80211 - 5.4.179+5.10.85-1-1
kmod-gpio-button-hotplug - 5.4.179-3
kmod-ip6tables - 5.4.179-1
kmod-ipt-conntrack - 5.4.179-1
kmod-ipt-conntrack-extra - 5.4.179-1
kmod-ipt-core - 5.4.179-1
kmod-ipt-ipopt - 5.4.179-1
kmod-ipt-ipset - 5.4.179-1
kmod-ipt-nat - 5.4.179-1
kmod-ipt-offload - 5.4.179-1
kmod-ipt-raw - 5.4.179-1
kmod-leds-gpio - 5.4.179-1
kmod-lib-crc-ccitt - 5.4.179-1
kmod-mac80211 - 5.4.179+5.10.85-1-1
kmod-mt76-core - 5.4.179+2021-12-03-678071ef-4
kmod-mt7603 - 5.4.179+2021-12-03-678071ef-4
kmod-mt76x02-common - 5.4.179+2021-12-03-678071ef-4
kmod-mt76x2 - 5.4.179+2021-12-03-678071ef-4
kmod-mt76x2-common - 5.4.179+2021-12-03-678071ef-4
kmod-nf-conntrack - 5.4.179-1
kmod-nf-conntrack6 - 5.4.179-1
kmod-nf-flow - 5.4.179-1
kmod-nf-ipt - 5.4.179-1
kmod-nf-ipt6 - 5.4.179-1
kmod-nf-nat - 5.4.179-1
kmod-nf-reject - 5.4.179-1
kmod-nf-reject6 - 5.4.179-1
kmod-nfnetlink - 5.4.179-1
kmod-nls-base - 5.4.179-1
kmod-ppp - 5.4.179-1
kmod-pppoe - 5.4.179-1
kmod-pppox - 5.4.179-1
kmod-slhc - 5.4.179-1
kmod-tun - 5.4.179-1
kmod-usb-core - 5.4.179-1
kmod-usb-ledtrig-usbport - 5.4.179-1
kmod-usb3 - 5.4.179-1
libblobmsg-json20210516 - 2021-05-16-b14c4688-2
libbpf0 - 5.10.10-2
libc - 1.1.24-3
libelf1 - 0.180-1
libgcc1 - 8.4.0-3
libip4tc2 - 1.8.7-1
libip6tc2 - 1.8.7-1
libipset13 - 7.6-1
libiwinfo-data - 2021-04-30-c45f0b58-2.1
libiwinfo-lua - 2021-04-30-c45f0b58-2.1
libiwinfo20210430 - 2021-04-30-c45f0b58-2.1
libjson-c5 - 0.15-2
libjson-script20210516 - 2021-05-16-b14c4688-2
liblua5.1.5 - 5.1.5-9
liblucihttp-lua - 2021-06-11-3dc89af4-1
liblucihttp0 - 2021-06-11-3dc89af4-1
liblzo2 - 2.10-4
libmnl0 - 1.0.4-2
libnl-tiny1 - 2020-08-05-c291088f-2
libopenssl1.1 - 1.1.1q-1
libpthread - 1.1.24-3
libubox20210516 - 2021-05-16-b14c4688-2
libubus-lua - 2021-06-30-4fc532c8-2
libubus20210630 - 2021-06-30-4fc532c8-2
libuci-lua - 2021-04-14-4b3db117-5
libuci20130104 - 2021-04-14-4b3db117-5
libuclient20201210 - 2021-05-14-6a6011df-1
libustream-wolfssl20201210 - 2022-01-16-868fd881-1
libwolfssl5.1.1.99a5b54a - 5.1.1-stable-1
libxtables12 - 1.8.7-1
logd - 2020-10-25-9ef88681-2
lua - 5.1.5-9
luci - git-20.074.84698-ead5e81
luci-app-firewall - git-22.046.85957-59c3392
luci-app-mwan3 - git-21.126.37401-0ddb72d
luci-app-openvpn - git-22.025.78298-e927a11
luci-app-opkg - git-21.312.69848-4745991
luci-app-vpn-policy-routing - 0.3.4-8
luci-base - git-22.046.85957-59c3392
luci-compat - git-22.046.85744-f08a0f6
luci-i18n-base-fr - git-21.124.26231-942288b
luci-lib-base - git-20.232.39649-1f6dc29
luci-lib-ip - git-20.250.76529-62505bd
luci-lib-jsonc - git-19.317.29469-8da8f38
luci-lib-nixio - git-20.234.06894-c4a4e43
luci-mod-admin-full - git-19.253.48496-3f93650
luci-mod-network - git-22.046.85061-dd54dce
luci-mod-status - git-22.046.85784-0ac2542
luci-mod-system - git-22.019.40321-7a37d02
luci-proto-ipv6 - git-21.148.49484-14511e5
luci-proto-ppp - git-21.163.64918-6c6559a
luci-ssl - git-20.244.36115-e10f954
luci-theme-bootstrap - git-22.047.35373-cc582eb
mtd - 26
mwan3 - 2.10.13-1
netifd - 2021-10-30-8f82742c-1
odhcp6c - 2021-01-09-53f07e90-16
odhcpd-ipv6only - 2021-07-18-bc9d317f-3
openvpn-openssl - 2.5.3-3
openwrt-keyring - 2021-02-20-49283916-2
opkg - 2021-06-13-1bf042dd-1
ppp - 2.4.8.git-2020-10-03-3
ppp-mod-pppoe - 2.4.8.git-2020-10-03-3
procd - 2021-03-08-2cfc26f8-1
px5g-wolfssl - 3
resolveip - 2
rpcd - 2021-03-11-ccb75178-1
rpcd-mod-file - 2021-03-11-ccb75178-1
rpcd-mod-iwinfo - 2021-03-11-ccb75178-1
rpcd-mod-luci - 20210614
rpcd-mod-rrdns - 20170710
ubi-utils - 2.1.2-1
ubox - 2020-10-25-9ef88681-2
ubus - 2021-06-30-4fc532c8-2
ubusd - 2021-06-30-4fc532c8-2
uci - 2021-04-14-4b3db117-5
uclient-fetch - 2021-05-14-6a6011df-1
uhttpd - 2021-03-21-15346de8-2
uhttpd-mod-ubus - 2021-03-21-15346de8-2
urandom-seed - 3
urngd - 2020-01-21-c7f7b6b6-1
usign - 2020-05-23-f1f65026-1
vpn-policy-routing - 0.3.4-8
wireless-regdb - 2021.08.28-1
wpad-basic-wolfssl - 2020-06-08-5a8b3662-39
zlib - 1.2.11-6
root@OpenWrt:~# 

For the VPN, the gateways are:

VPN and WAN Policy-Based Routing
Service Status [vpn-policy-routing 0.3.4-8]
Service Status
Running
Service Gateways

lan/br-lan/192.168.1.1
tun0/10.8.0.6
wan_free/wan/192.168.1.1 ✓
wan_sfr/lan4/192.168.0.1

The tick refers to the default for the VPN

Under policies (cannot copy and paste them) I have five items listed. Four go to tun0, one is my iMac that is usually pointing at WAN but which I use to check by changing to tun0 then back again.

You are running them both, so decide which one you want to keep and remove the other.

Hi Trendy,

Happy New Year to you and your family.

I have looked at this again (your quote above) but I am sorry to say I do not understand what I have to do to get it to work.

I have removed my entry for my machine (10.0.0.40) from the VPN Policy Routing listing so it is acting as a normal LAN member.

I have set up a tun0 interface with a metric of 30. The metric is present in /etc/config/network but it does not show up on the MWAN Interfaces listing as shown below:

However, I do not know how to make a rule for the individual devices. I can see I have to insert the source address (which I assume is the device) but what do I enter for the destination address so that it is redirected to go to tun0? You will see below that I have tried to use a default destination and made it the first rule to be applied (I also tried it as the last rule).

I have generated a tun0 MWAN Member as shown below:

And then set a policy as shown below (I do not know if the order matters in this listing?):

However when I then test the VPN from 10.0.0.40, it does not work. If I turn the VPN on locally on the machine, it works again.

What am I doing wrong please?

Geoff

Hello and happy new year as well!
For a start the tun interface in mwan3 configuration is not correct. It must have the same name as in network configuration.
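
The layout described in the replies above (a tun0 interface in mwan3 named as in the network configuration, a member and a policy that contain only tun0, and a rule for the individual device) can be checked against `uci export mwan3` output. The script below is an added example, not part of the thread or of mwan3: the section names `imac_vpn`, `tun0_m1_w1` and `tun0_only` are hypothetical, the sample configurations are constructed, and it assumes mwan3 applies the first matching rule and that `last_resort 'default'` falls back to the main routing table.

```shell
# Added example (not from the thread). Reads `uci export mwan3` on stdin and
# checks that traffic from SRC_IP can only leave through IFACE (exit 0 if so).
check_vpn_only() {
    awk -v ip="$1" -v ifc="$2" -v q="'" '
    function unq(s) { gsub(q, "", s); return s }        # strip UCI quotes
    $1 == "config" { type = $2; sec = unq($3)
        if (type == "rule") rname[++nrules] = sec       # keep rule order
        if (type == "interface" && sec == ifc) have_if = 1
        next }
    $1 == "option" || $1 == "list" { key = $2; val = unq($3)
        if (type == "member" && key == "interface")   member_if[sec] = val
        if (type == "policy" && key == "use_member")  members[sec] = members[sec] " " val
        if (type == "policy" && key == "last_resort") resort[sec] = val
        if (type == "rule" && key == "src_ip")        src[sec] = val
        if (type == "rule" && key == "family")        fam[sec] = val
        if (type == "rule" && key == "use_policy")    pol[sec] = val }
    END {
        if (!have_if) { print "FAIL: no mwan3 interface named " ifc; bad = 1 }
        # Assumption: mwan3 applies the first matching rule, top to bottom. A rule
        # with no src_ip, or a subnet src_ip (not evaluated here), may match ip.
        for (i = 1; i <= nrules && first == ""; i++) {
            r = rname[i]; if (fam[r] == "ipv6") continue
            if (!(r in src) || src[r] == ip || index(src[r], "/")) first = r }
        if (first == "") { print "FAIL: no rule matches " ip; bad = 1 }
        else if (src[first] != ip) {
            print "FAIL: rule " first " is matched before any rule for " ip; bad = 1
        } else {
            p = pol[first]; n = split(members[p], m, " ")
            if (n == 0) { print "FAIL: policy " p " has no members"; bad = 1 }
            for (j = 1; j <= n; j++) if (member_if[m[j]] != ifc) {
                print "FAIL: policy " p " also uses " member_if[m[j]]; bad = 1 }
            # last_resort default hands traffic to the main table (the WANs) when
            # every member is down; unreachable or blackhole drops it instead.
            if (resort[p] == "default") { bad = 1
                print "FAIL: policy " p " falls back to the WANs if " ifc " is down" }
        }
        if (!bad) print "OK: " ip " is routed only via " ifc
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: rule, member and policy sections as in the export posted
# earlier in the thread (tracking options and the IPv6 rule left out).
page_config() { cat <<'EOF'
config rule 'https'
    option dest_port '443'
    option use_policy 'load_bal_gjj'
config rule 'default_rule_v4'
    option family 'ipv4'
    option use_policy 'load_bal_gjj'
config member 'wan_sfr_m1_w1'
    option interface 'wan_sfr'
config member 'wan_free_m1_w1'
    option interface 'wan_free'
config policy 'load_bal_gjj'
    option last_resort 'default'
    list use_member 'wan_sfr_m1_w1'
    list use_member 'wan_free_m1_w1'
EOF
}

# Constructed sample: hypothetical tun0 sections, with the device rule first.
fixed_config() { cat <<'EOF'
config rule 'imac_vpn'
    option src_ip '10.0.0.40'
    option family 'ipv4'
    option use_policy 'tun0_only'
config interface 'tun0'
    option enabled '1'
config member 'tun0_m1_w1'
    option interface 'tun0'
    option metric '1'
    option weight '1'
config policy 'tun0_only'
    option last_resort 'unreachable'
    list use_member 'tun0_m1_w1'
EOF
page_config
}

page_config  | check_vpn_only 10.0.0.40 tun0 || true
fixed_config | check_vpn_only 10.0.0.40 tun0
```

The check covers only the mwan3 sections; whether tun0 also has a usable default route is something the `ip -4 ro list table all` output has to show.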

Sorry for being so stupid!

BTW I have disabled the VPN policy routing while trying to get mwan3 to work.

Well I deleted the old tun0 reference and added a new one that is correctly named and the metric (30) is now present and correct but it tells me that tun0 has no default route in the main routing table:

but the interface is showing as online again:

although under Detail it is still showing error 16:

When I try to ping tun0 I get:

but I cannot see how to invoke a gateway for tun0. The interface edit page shows that "use default gateway" is ticked but it is not apparently finding the gateway. I do not think I have ever had to enter a gateway for the tun devices before and I cannot see where to do it on the interface setting (is it because it is listed as unmanaged?).

Also on reading up I saw that someone had generated two VPN tun interfaces, one for each WAN interface. Is this what I have to do and then balance the two to get a balanced VPN?

Lost and clutching at straws here.

Geoff

Can you post again the ip -4 ro list table all ?

Thanks Trendy,


root@OpenWrt:~# ip -4 ro list table all
default via 192.168.1.1 dev wan table 1 proto static metric 10 
10.0.0.0/24 dev br-lan table 1 proto kernel scope link src 10.0.0.1 
192.168.1.0/24 dev wan table 1 proto static scope link metric 10 
default via 192.168.0.1 dev lan4 table 2 proto static metric 20 
10.0.0.0/24 dev br-lan table 2 proto kernel scope link src 10.0.0.1 
192.168.0.0/24 dev lan4 table 2 proto kernel scope link src 192.168.0.20 
192.168.0.0/24 dev lan4 table 2 proto static scope link metric 20 
10.0.0.0/24 dev br-lan table 3 proto kernel scope link src 10.0.0.1 
10.8.0.0/24 dev tun0 table 3 proto kernel scope link src 10.8.0.6 
default via 10.8.0.6 dev tun0 table tun0 
default via 192.168.1.1 dev wan table wan_free 
default via 192.168.0.1 dev lan4 table wan_sfr 
default via 192.168.1.1 dev wan proto static metric 10 
default via 192.168.0.1 dev lan4 proto static metric 20 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6 
192.168.0.0/24 dev lan4 proto static scope link metric 20 
192.168.1.0/24 dev wan proto static scope link metric 10 
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1 
broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.1 
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.6 
local 10.8.0.6 dev tun0 table local proto kernel scope host src 10.8.0.6 
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.6 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.0.0 dev lan4 table local proto kernel scope link src 192.168.0.20 
local 192.168.0.20 dev lan4 table local proto kernel scope host src 192.168.0.20 
broadcast 192.168.0.255 dev lan4 table local proto kernel scope link src 192.168.0.20 
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.20 
local 192.168.1.20 dev wan table local proto kernel scope host src 192.168.1.20 
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.20 
root@OpenWrt:~# 

First thing I notice is that the tun0 metric (30) is not listed. The rest is out of my scope!

Geoff

Why is the route assigned to table tun0?
Can you confirm that nothing else except mwan3 is running?

Apologies Trendy,

I forgot I had the VPN policy routing running as we were using the VPN on the TV.

I have disabled it again and here is the revised output.

G

root@OpenWrt:~# ip -4 ro list table all
default via 192.168.1.1 dev wan table 1 proto static metric 10 
10.0.0.0/24 dev br-lan table 1 proto kernel scope link src 10.0.0.1 
192.168.1.0/24 dev wan table 1 proto kernel scope link src 192.168.1.20 
192.168.1.0/24 dev wan table 1 proto static scope link metric 10 
default via 192.168.0.1 dev lan4 table 2 proto static metric 20 
10.0.0.0/24 dev br-lan table 2 proto kernel scope link src 10.0.0.1 
192.168.0.0/24 dev lan4 table 2 proto static scope link metric 20 
10.0.0.0/24 dev br-lan table 3 proto kernel scope link src 10.0.0.1 
10.8.0.0/24 dev tun0 table 3 proto kernel scope link src 10.8.0.6 
unreachable default table tun0 
default via 192.168.1.1 dev wan table wan_free 
default via 192.168.0.1 dev lan4 table wan_sfr 
default via 192.168.1.1 dev wan proto static metric 10 
default via 192.168.0.1 dev lan4 proto static metric 20 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6 
192.168.0.0/24 dev lan4 proto static scope link metric 20 
192.168.1.0/24 dev wan proto static scope link metric 10 
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1 
broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.1 
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.6 
local 10.8.0.6 dev tun0 table local proto kernel scope host src 10.8.0.6 
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.6 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.0.0 dev lan4 table local proto kernel scope link src 192.168.0.20 
local 192.168.0.20 dev lan4 table local proto kernel scope host src 192.168.0.20 
broadcast 192.168.0.255 dev lan4 table local proto kernel scope link src 192.168.0.20 
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.20 
local 192.168.1.20 dev wan table local proto kernel scope host src 192.168.1.20 
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.20 
root@OpenWrt:~# 

OpenVPN is still running but the policy based routing is disabled.

Try the following:

service vpn-policy-routing stop
service vpn-policy-routing disable
reboot

Then after the router is back up check the ip -4 ro list table all

Trendy,

No idea what I have done but my iMac is simply not connecting to the internet. I was rebooting the OpenWrt server (which restarted the VPN pbr) to get it going again but now, no matter what I do, the machine will not connect to the internet. I have rebooted and restarted everything in the chain but it is the same. I must have accidentally changed something but no idea what. I am using a portable at the moment to respond to you.

Despite disabling it in luci, service vpn-policy-routing status shows it is still running, so I have used the stop command to close it off. Disabled it then rebooted. Here is the requested output. I have also appended the "service vpn-policy-routing status" output for your information.

I have then stopped the VPN server and run the command again and that is at the end of the listing with no tun entries.

My apologies for wasting your time.

Geoff

 OpenWrt 21.02.2, r16495-bf0c965af0
 -----------------------------------------------------
root@OpenWrt:~# ip -4 ro list table all
default via 192.168.1.1 dev wan table 1 proto static metric 10 
10.0.0.0/24 dev br-lan table 1 proto kernel scope link src 10.0.0.1 
192.168.1.0/24 dev wan table 1 proto kernel scope link src 192.168.1.20 
192.168.1.0/24 dev wan table 1 proto static scope link metric 10 
default via 192.168.0.1 dev lan4 table 2 proto static metric 20 
10.0.0.0/24 dev br-lan table 2 proto kernel scope link src 10.0.0.1 
192.168.0.0/24 dev lan4 table 2 proto static scope link metric 20 
10.0.0.0/24 dev br-lan table 3 proto kernel scope link src 10.0.0.1 
10.8.0.0/24 dev tun0 table 3 proto kernel scope link src 10.8.0.6 
default via 192.168.1.1 dev wan proto static metric 10 
default via 192.168.0.1 dev lan4 proto static metric 20 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6 
192.168.0.0/24 dev lan4 proto static scope link metric 20 
192.168.1.0/24 dev wan proto static scope link metric 10 
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1 
broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.1 
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.6 
local 10.8.0.6 dev tun0 table local proto kernel scope host src 10.8.0.6 
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.6 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.0.0 dev lan4 table local proto kernel scope link src 192.168.0.20 
local 192.168.0.20 dev lan4 table local proto kernel scope host src 192.168.0.20 
broadcast 192.168.0.255 dev lan4 table local proto kernel scope link src 192.168.0.20 
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.20 
local 192.168.1.20 dev wan table local proto kernel scope host src 192.168.1.20 
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.20 

root@OpenWrt:~# service vpn-policy-routing status
vpn-policy-routing 0.3.4-8 running on OpenWrt 21.02.2.
============================================================
Dnsmasq version 2.85  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         192.168.1.1     0.0.0.0         UG    10     0        0 wan
default         192.168.0.1     0.0.0.0         UG    20     0        0 lan4

Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 201: 
IPv4 Table 201 Rules:

Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 202: 
IPv4 Table 202 Rules:

Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 203: 
IPv4 Table 203 Rules:

Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 204: 
IPv4 Table 204 Rules:

Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 205: 
IPv4 Table 205 Rules:

Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 206: 
IPv4 Table 206 Rules:

Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 207: 
IPv4 Table 207 Rules:

Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 208: 
IPv4 Table 208 Rules:
============================================================
Current ipsets
create mwan3_dynamic_v4 hash:net family inet hashsize 1024 maxelem 65536
create mwan3_dynamic_v6 hash:net family inet6 hashsize 1024 maxelem 65536
create mwan3_custom_v4 hash:net family inet hashsize 1024 maxelem 65536
create mwan3_custom_v6 hash:net family inet6 hashsize 1024 maxelem 65536
create mwan3_sticky_v4_https hash:ip,mark family inet markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600
add mwan3_sticky_v4_https 10.0.0.50,0x00000100 timeout 427
add mwan3_sticky_v4_https 10.0.0.158,0x00000200 timeout 420
add mwan3_sticky_v4_https 10.0.0.153,0x00000100 timeout 462
add mwan3_sticky_v4_https 10.0.0.163,0x00000200 timeout 478
add mwan3_sticky_v4_https 10.0.0.169,0x00000100 timeout 409
add mwan3_sticky_v4_https 10.0.0.170,0x00000200 timeout 423
add mwan3_sticky_v4_https 10.0.0.201,0x00000100 timeout 404
add mwan3_sticky_v4_https 10.0.0.152,0x00000200 timeout 476
add mwan3_sticky_v4_https 10.0.0.202,0x00000100 timeout 442
add mwan3_sticky_v4_https 192.168.1.20,0x00000200 timeout 459
add mwan3_sticky_v4_https 192.168.1.20,0x00000100 timeout 483
add mwan3_sticky_v4_https 10.0.0.158,0x00000100 timeout 463
add mwan3_sticky_v4_https 192.168.0.20,0x00000100 timeout 514
add mwan3_sticky_v4_https 192.168.0.20,0x00000200 timeout 407
add mwan3_sticky_v4_https 10.0.0.201,0x00000200 timeout 511
add mwan3_sticky_v4_https 10.0.0.50,0x00000200 timeout 419
create mwan3_sticky_v6_https hash:ip,mark family inet6 markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600
create mwan3_connected_v4 hash:net family inet hashsize 1024 maxelem 65536
add mwan3_connected_v4 192.168.0.0/24
add mwan3_connected_v4 127.0.0.0/8
add mwan3_connected_v4 10.8.0.0/24
add mwan3_connected_v4 192.168.1.0/24
add mwan3_connected_v4 224.0.0.0/3
add mwan3_connected_v4 10.0.0.0/24
create mwan3_connected_v6 hash:net family inet6 hashsize 1024 maxelem 65536
add mwan3_connected_v6 fe80::/64
add mwan3_connected_v6 fd33:1ec6:a8::/64
create mwan3_connected list:set size 8
add mwan3_connected mwan3_dynamic_v4
add mwan3_connected mwan3_dynamic_v6
add mwan3_connected mwan3_custom_v4
add mwan3_connected mwan3_custom_v6
add mwan3_connected mwan3_connected_v6
add mwan3_connected mwan3_connected_v4
create mwan3_sticky_https list:set size 8
add mwan3_sticky_https mwan3_sticky_v4_https
add mwan3_sticky_https mwan3_sticky_v6_https
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OpenWrt:~# 


root@OpenWrt:~# ip -4 ro list table all
default via 192.168.1.1 dev wan table 1 proto static metric 10 
10.0.0.0/24 dev br-lan table 1 proto kernel scope link src 10.0.0.1 
192.168.1.0/24 dev wan table 1 proto kernel scope link src 192.168.1.20 
192.168.1.0/24 dev wan table 1 proto static scope link metric 10 
default via 192.168.0.1 dev lan4 table 2 proto static metric 20 
10.0.0.0/24 dev br-lan table 2 proto kernel scope link src 10.0.0.1 
192.168.0.0/24 dev lan4 table 2 proto static scope link metric 20 
default via 192.168.1.1 dev wan proto static metric 10 
default via 192.168.0.1 dev lan4 proto static metric 20 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
192.168.0.0/24 dev lan4 proto static scope link metric 20 
192.168.1.0/24 dev wan proto static scope link metric 10 
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1 
broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.0.0 dev lan4 table local proto kernel scope link src 192.168.0.20 
local 192.168.0.20 dev lan4 table local proto kernel scope host src 192.168.0.20 
broadcast 192.168.0.255 dev lan4 table local proto kernel scope link src 192.168.0.20 
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.20 
local 192.168.1.20 dev wan table local proto kernel scope host src 192.168.1.20 
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.20 
root@OpenWrt:~#