OpenVPN routing policy issues (with SurfShark VPN)

Hi all,

This morning I wanted to configure my VPN provider on my router (TP-Link C6 with OpenWrt 19.07), as until now I've been using my VPN's (SurfShark) own client to connect, using the instructions on the provider's website: https://support.surfshark.com/hc/en-us/articles/360010347939-How-to-set-up-a-router-with-OpenWRT
I've set everything up properly, as it was written, up until the page's "(Optional)" part, as I wanted to use OpenVPN's policy-based routing option (not to mention that I've got no clue what the "Optional" section does, as it doesn't really give much explanation; as I understood it, it is some sort of kill switch (?) option, but by the end I got completely confused). Anyhow:
I've managed to get the VPN working, BUT:
- the VPN only works if I delete the forwarding from LAN to WAN (leaving only LAN to VPN), but in this case the VPN routing policy doesn't do anything
- if I keep the 'lan to wan' forwarding: on checking the current IP address (on whatsmyip or whichever one) it still shows my IPv6 address (???), not the IPv4 address (though my provider doesn't provide an IPv6 address); moreover, if I try to use the VPN routing policy (I set the device IP address to use the VPN in OpenWrt), the internet simply disconnects.

What I want is simple:

  • Set and use the VPN on the router, but only for the specified IP addresses/devices (through the VPN routing policy)
  • Set a sort of 'killswitch': if the VPN is down, cut the net for the devices which are using the VPN (but only for those devices).

Any help is appreciated.

Thanks in advance

Just an addendum, my settings:

/etc/config/network:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd83:36bb:699e::/48'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	option peerdns '0'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config interface 'surfsharktun'
	option proto 'none'
	option ifname 'tun0'


/etc/config/firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'surfsharktun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

/etc/config/vpn-policy-routing


config vpn-policy-routing 'config'
	option verbosity '2'
	option src_ipset '0'
	option dest_ipset '0'
	option resolver_ipset 'dnsmasq.ipset'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option strict_enforcement '1'
	option ipv6_enabled '0'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option name 'Libreelec'
	option src_addr '192.168.1.116'
	option interface 'surfsharktun'


A separate VPN zone, then forwarding lan to vpn, is what you want. This has an inherent kill switch since, should the VPN interface go down, LAN users can't forward anywhere; they will have no Internet.

The basic "whole house VPN" described here, where you just let the VPN take over all routes, does not require policy-based or other special routing setup.

Did you mean to set up a 4th zone (next to the already existing 'lan', 'wan' and 'vpnfirewall')?

https://docs.openwrt.melmac.net/vpn-policy-routing/#strict-enforcement

Yes, that makes sense, though sadly it still doesn't solve the problem.

https://docs.openwrt.melmac.net/vpn-policy-routing/#a-word-about-default-routing

Does this apply with or without the 'lan - wan' forwarding setting present in the config file, next to the 'lan - vpn' one? (The question might be a bit stupid, I know.)

The VPN-PBR app has a built-in kill-switch that is enabled by default.
Thus, there's no need for other kill-switches, or firewall zones, or extra forwardings.
Just assign the VPN interface to the WAN zone and enable the LAN to WAN forwarding.


Thanks for the suggestion. At least I've made some progress, though now I'm facing another issue.

I presume you meant settings something like this:


and the forwarding like this:

With these settings in PBR:

And with that, the first one (Libreelec) works just fine (it's a Raspberry Pi 4): if I set it in PBR to SURFSHARK, it passes the data through the VPN, and if I set it to WAN it passes through without the VPN (I checked the VPN status on the Raspberry, that's how I know).

BUT on the other hand, the Dell doesn't pass through the VPN in any case: with or without SURFSHARKTUN it gives me this on an IP lookup:

What is extremely strange is why it shows me an IPv6 address as hostname/expanded. Sky doesn't provide me with an IPv6 address (AFAIK).

Also I've tried to bring my phone into PBR (to test if it is OK) and the result was the same as with the Dell. In that case the IP lookup also came back with an IPv6 address.

https://openwrt.org/docs/guide-user/network/ipv6/ipv6_extras#disabling_gua_prefix

Thanks for the tip. Now, hopefully, it won't announce IPv6 on checkup (sadly I can't check it, as I'm still struggling with this VPN issue).

Right, after experimenting with different settings, this is what I've found:

  • Installed VPN Bypass on OpenWrt and specified 2 IP addresses which should get direct access: didn't work; the specified IP addresses were cut off from the internet

  • Tried adding back the lan - wan forwarding (next to lan - vpn) and tried to set a rule in VPN Policy Routing, even tried not to enforce the strict policy if the VPN goes down: didn't work; either all of the home devices have VPN or there's no internet on any

  • Tried different firewall rules (with VPN Policy Routing turned off, but with the VPN running): nothing; same as before, either all of the devices have VPN or no internet at all

  • Conclusion:

    • Can't bypass the VPN
    • Can't route the VPN to specific devices only
    • Either I have VPN on all devices (which I don't want) or no internet at all

At the moment I'm completely clueless.

Edit: What I might try is to create a rule manually to route/bypass the VPN and not rely on the GUI (though I don't think it'd make any difference).

Collect the output and post it to pastebin.com redacting the private parts:

uci show network; uci show firewall; uci show dhcp; \
uci show vpn-policy-routing; /etc/init.d/vpn-policy-routing support; \
ip address show; ip route show table all; \
ip rule show; ip -6 rule show; iptables-save; ip6tables-save; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

I hope I haven't deleted (XXXXX-ed, actually) any crucial data (I've X-ed out IPv6, MAC addresses and IPv4 addresses). If any data is missing, I can pastebin the original log (unedited). This is the currently working config (all devices have VPN, which causes some serious lag).

The link: https://pastebin.com/5FkY0Y8f

Thanks in advance!

uci -q delete firewall.@zone[2]
uci add_list firewall.@zone[1].network="surfsharktun"
uci set firewall.@forwarding[0].dest="wan"
uci commit firewall
/etc/init.d/firewall restart

I know that this could sound stupid, but what does it do exactly?

Edit:
The first line, I presume, deletes the VPN zone.
The second and the 3rd line?

Already explained above:

OK, will try soon! Will report back!


Thank you so much!
With your suggestion and settings everything is working as it should!!
I don't know why the VPN provider's website has such overcomplicated settings (for OpenWrt itself).

But anyway, it's working now!!

Thanks again vgaetera!

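As an added check, not code from the thread or from the vpn-policy-routing project, here is a POSIX sh helper that verifies from captured `uci show firewall` and `ip -6 route show` output the two things this thread settles on: the tunnel interface sits in the 'wan' zone with 'lan' forwarding only to 'wan', and no IPv6 default route leaves via a non-tunnel interface (the reason an IPv6 address showed up on IP lookups while IPv4 went through the VPN). The sample output and the function names are constructed assumptions; run the real commands on the router and feed their output in instead.

```shell
#!/bin/sh
# Added audit helper (not from the thread). All sample output below is
# constructed to resemble `uci show firewall` and `ip -6 route show`.

# True (0) when uci output $3 lists network $2 in the zone named $1.
zone_has_network() {
    zone="$1"; net="$2"; uci_out="$3"
    idx=$(printf '%s\n' "$uci_out" |
        sed -n "s/^firewall\.@zone\[\([0-9]*\)]\.name='$zone'\$/\1/p")
    [ -n "$idx" ] || return 1
    printf '%s\n' "$uci_out" |
        grep -Eq "^firewall\.@zone\[$idx\]\.network=.*'$net'( |\$)"
}

# Print the dest zone of every forwarding whose src is $1 (uci output in $2).
# Assumes uci prints src before dest, i.e. in the order they appear in the file.
lan_forward_dests() {
    printf '%s\n' "$2" | awk -F"'" -v src="$1" '
        /^firewall\.@forwarding\[[0-9]+\]\.src=/ && $2 == src {
            split($1, a, "."); want[a[2]] = 1 }
        /^firewall\.@forwarding\[[0-9]+\]\.dest=/ {
            split($1, a, "."); if (want[a[2]]) print $2 }'
}

# True (0) when `ip -6 route show` output $2 contains a default route whose
# dev is not the tunnel $1: an IPv6 path around the VPN.
v6_default_outside() {
    printf '%s\n' "$2" | awk -v tun="$1" '
        $1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) != tun) leak = 1 }
        END { exit leak ? 0 : 1 }'
}

# Constructed samples: the layout vgaetera recommends, plus a wan6 GUA route.
SAMPLE_UCI="firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6' 'surfsharktun'
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'"
SAMPLE_V6="default from 2001:db8:1::/64 via fe80::1 dev eth1 proto ra metric 512
2001:db8:1::/64 dev br-lan proto static metric 1024
fe80::/64 dev tun0 proto kernel metric 256"

zone_has_network wan surfsharktun "$SAMPLE_UCI" && echo "tunnel is in the wan zone"
echo "lan forwards to: $(lan_forward_dests lan "$SAMPLE_UCI")"
v6_default_outside tun0 "$SAMPLE_V6" && echo "WARNING: IPv6 default route bypasses tun0"
```

With the forwarding confirmed as lan to wan only, VPN-PBR's strict enforcement is what drops the policy-routed devices' traffic when the tunnel is down; the IPv6 warning is the cue to apply the GUA-prefix change linked above.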
