OpenVPN PBR missing tun0 interface

I have a mental block sometimes when it comes to networking, so if anyone could please help me, I would greatly appreciate it. I'm sure I'm missing some secret setting that I know nothing about.

I'm trying to get pbr working where default traffic goes out the wan interface, but certain sites go out the vpn.

I'm running 23.05 on a Raspberry Pi4. Everything seems to be ok. I have an OpenVPN client working. It starts up and connects. It creates a tun0 device. I've tried following a few different guides for getting that working. I created a new interface named OpenVPN, unmanaged protocol on device tun0. (I can only post 1 screenshot :frowning: )

As part of the openvpn config, I disabled the default route. I also have not set up the kill-switch yet. (Maybe that's what I'm missing but I didn't think it was required.)

I tried some things on the firewall page, even creating a new zone, but nothing seemed to help there so I have just the 2 "normal" zones.

I'm trying to set up PBR and am using the LuCI UI. On this page, I see my default route is indeed the wan, and the ovpn looks to be available and has an IP address (OpenVPN/tun0/10.x.x.x).

So, I jump to create a new policy, and this is my dilemma: the OpenVPN(tun0) interface is not an option:


I have tried a lot of different things like adding the interface to the firewall, adding a new zone to the firewall, some settings in the interface itself related to the firewall, and maybe a few others that I can't remember. I'm pretty sure I've backed them all out and have a fairly clean config right now, but nothing gives me the option to select the vpn interface for a policy.

I'm pretty much out of ideas of where to look. I don't know enough about routing and nft to really figure this out. I have it working in dd-wrt but that device is slowly failing and I really want to drop dd-wrt and move to OpenWRT!

Any help is appreciated, and I can post more screenshots of pages if needed. Thanks!

PBR needs to see a default gateway via the OpenVPN interface to allow traffic. What you can do is to enable the default route on the tun0 and assign a high metric to it to make it less preferred.

Where do I set the metric for the routes? Will it be possible to essentially route all traffic to the wan and just the pbr policies to the vpn?

I watched this video https://www.youtube.com/watch?v=FN2qfxNIs2g and at 6:39 he's got the default set to his wan, yet when he adds a policy, the vpn is an option.


Under Interfaces > Edit OpenVPN > Advanced tab, there is "Use gateway metric".
Yes, you can route all to wan and pbr to vpn.

I'm not familiar with a gateway metric. What do I set them to?

You might be able to do the same thing (i.e. default routing via the WAN) by adding to the openvpn config: pull-filter ignore "redirect-gateway def1"

The PBR package requires that you have defined an interface in the interfaces section; it looks like you did that.

Otherwise, you have to log in using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:

cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/pbr

I haven't tried the metric suggestion yet. I did have pull-filter ignore "redirect-gateway" in the ovpn config. That was how I avoided having it be the default. I just tried adding the def1 to it as you have it above, but that didn't make any difference.

Here's the output of those commands:

network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd74:9741:5acb::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'

config device
        option name 'eth1'

config interface 'OpenVPN'
        option proto 'none'
        option device 'tun0'
        option auto '0'

firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'OpenVPN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option dest 'OpenVPN'
        option src 'lan'

pbr:

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

Well, I decided to switch out the sd card and start over with a fresh install. Went through the basics of installing openvpn and pbr. Got the same results.

But, I think I finally found the problem: on the vpn interface, I did not check the "Start on boot" option. When I enabled this on the new install, the vpn route became available in pbr.

So I went back to the original sd card version, enabled that option, and now the vpn route is available to select!

So, maybe the user guide could have a little note added to it that if you want to use that interface for pbr, that option needs to be checked. Or, maybe the pbr service needs to ignore that option and then operate on its "Strict enforcement" setting if the interface is not brought up at boot?

Anyway, thanks for the help everyone!
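As an added example (not part of the thread), a small POSIX shell check for the cause found above: it scans an OpenWrt UCI network file and lists interface sections with "Start on boot" unchecked (option auto '0'), which PBR will not offer as a policy target. The sample config is constructed to mirror the one posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: find OpenWrt interfaces in a UCI
# network file that have "Start on boot" unchecked (option auto '0').
# Such interfaces are not offered as a PBR policy target, which is the
# cause found in this thread. Input is plain UCI text as shown above.

# Print the names of interface sections whose auto option is '0'.
find_disabled_interfaces() {
    awk -v q="'" '
        /^config / {
            # Flush the previous section before starting a new one.
            if (in_iface && auto == "0") print name
            in_iface = ($2 == "interface")
            name = $3; gsub(q, "", name)
            auto = "1"            # UCI default: start on boot
        }
        in_iface && /^[ \t]*option auto / { auto = $3; gsub(q, "", auto) }
        END { if (in_iface && auto == "0") print name }
    ' "$1"
}

# Constructed sample mirroring the config posted in the thread.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
config interface 'lan'
        option device 'br-lan'
        option proto 'static'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'

config device
        option name 'eth1'

config interface 'OpenVPN'
        option proto 'none'
        option device 'tun0'
        option auto '0'
EOF
    echo "$f"
}

# Usage on a router: find_disabled_interfaces /etc/config/network
if [ -n "$1" ]; then
    find_disabled_interfaces "$1"
fi
```

On the sample above the only name printed is OpenVPN; on a router, any interface it prints needs "Start on boot" enabled (or `uci set network.<name>.auto='1'`) before PBR will list it.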

Been there; indeed, a note could be added to the wiki.

I just fired up my test router, which has PBR, and checked that in my setup adding pull-filter ignore "redirect-gateway def 1" (the def 1 is not necessary) will have my main table routing via the WAN.

One other note: the following seems redundant. I do not see an OpenVPN zone, and you have added the OpenVPN interface to the WAN zone, which is the prudent thing to do for a VPN client:
