OpenVPN routing policy issues

Hi,

I wondered if anyone could be kind enough to offer some advice, as I'm losing the will after spending all night, all week, trying to figure this out...

I have a WRT3200ACM running OpenWrt with OpenVPN and vpn-policy-routing.

I nearly have it all set up how I'd like. Essentially, I'm looking to do the below:

By default all traffic goes out the VPN, except select IPs I choose in PBR and certain ranges (using some custom user files for a few ASNs and also some domains in the list above). All works fine.

Now..

What I'd like to happen is, if the TUN dropped, for it to still route the traffic selected to go off the VPN as normal, but for any destination that should be routed through the VPN to either drop or reject.

I think I have figured out how to achieve this at device level, e.g. if the device is set to go via the VPN and the TUN stops, drop. Although I can't seem to get it more granular based on the traffic (which is working when all is on). Is this achievable?

Any help would be greatly appreciated.


Strict enforcement is enabled by default.
Add an explicit policy to route the LAN subnet to the VPN.
Arrange this policy as the final one.

Thanks so much for the reply.

I had tried to do this; I think I must be doing it wrong. I added a policy at the bottom as I thought it would hit the policies in order, but it ignored the ones above. How can I ensure it's the final policy and explicit?

Sorry for more questions:

Check the output when the VPN is down:

ubus call system board; uci show vpn-policy-routing; \
/etc/init.d/vpn-policy-routing support

Thanks, I've stopped the VPN and run the above (I had to remove some of the 'add wan' lines for the custom ASN files as I hit the post limit):

root@OpenWrt:~# ubus call system board;
{
    "kernel": "5.4.143",
    "hostname": "OpenWrt",
    "system": "ARMv7 Processor rev 1 (v7l)",
    "model": "Linksys WRT3200ACM",
    "board_name": "linksys,wrt3200acm",
    "release": {
        "distribution": "OpenWrt",
        "version": "21.02.0",
        "revision": "r16279-5cc0535800",
        "target": "mvebu/cortexa9",
        "description": "OpenWrt 21.02.0 r16279-5cc0535800"
    }
}

root@OpenWrt:~# uci show vpn-policy-routing;
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].interface='wan'
vpn-policy-routing.@policy[0].name='pi'
vpn-policy-routing.@policy[0].src_addr='192.168.1.30'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].interface='wan'
vpn-policy-routing.@policy[1].name='mbp'
vpn-policy-routing.@policy[1].src_addr='192.168.1.172'
vpn-policy-routing.@policy[2]=policy
vpn-policy-routing.@policy[2].interface='wan'
vpn-policy-routing.@policy[2].name='Ashphone'
vpn-policy-routing.@policy[2].src_addr='192.168.1.210'
vpn-policy-routing.@policy[3]=policy
vpn-policy-routing.@policy[3].interface='wan'
vpn-policy-routing.@policy[3].name='TVQled'
vpn-policy-routing.@policy[3].src_addr='192.168.1.212'
vpn-policy-routing.@policy[4]=policy
vpn-policy-routing.@policy[4].interface='wan'
vpn-policy-routing.@policy[4].name='NowTV'
vpn-policy-routing.@policy[4].src_addr='192.168.1.0/24'
vpn-policy-routing.@policy[4].dest_addr='154.16.65.143'
vpn-policy-routing.@policy[5]=policy
vpn-policy-routing.@policy[5].interface='wan'
vpn-policy-routing.@policy[5].name='Now2'
vpn-policy-routing.@policy[5].src_addr='192.168.1.0/24'
vpn-policy-routing.@policy[5].dest_addr='nowtv.com'
vpn-policy-routing.@policy[6]=policy
vpn-policy-routing.@policy[6].interface='wan'
vpn-policy-routing.@policy[6].name='Gphone'
vpn-policy-routing.@policy[6].src_addr='192.168.1.239'
vpn-policy-routing.@policy[7]=policy
vpn-policy-routing.@policy[7].interface='wan'
vpn-policy-routing.@policy[7].name='Workphone'
vpn-policy-routing.@policy[7].src_addr='192.168.1.244'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.resolver_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.procd_reload_delay='1'
vpn-policy-routing.config.webui_enable_column='0'
vpn-policy-routing.config.webui_protocol_column='0'
vpn-policy-routing.config.webui_chain_column='0'
vpn-policy-routing.config.webui_show_ignore_target='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.config.dest_ipset='1'
vpn-policy-routing.config.src_ipset='1'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[2]=include
vpn-policy-routing.@include[2].path='/etc/vpn-policy-routing.sky.user'
vpn-policy-routing.@include[3]=include
vpn-policy-routing.@include[3].path='/etc/vpn-policy-routing.now.user'
vpn-policy-routing.@policy[8]=policy
vpn-policy-routing.@policy[8].name='VPN'
vpn-policy-routing.@policy[8].src_addr='192.168.1.0/24'
vpn-policy-routing.@policy[8].interface='expressvpntun'

root@OpenWrt:~# \
> /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.3.5-1 running on OpenWrt 21.02.0.
============================================================
Dnsmasq version 2.85 Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 192.168.2.1 0.0.0.0 UG 0 0 0 wan
IPv4 Table 201: default via 192.168.2.1 dev wan
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
IPv4 Table 201 Rules:
32765: from all fwmark 0x10000/0xff0000 lookup wan
IPv4 Table 202: unreachable default
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
IPv4 Table 202 Rules:
32764: from all fwmark 0x20000/0xff0000 lookup expressvpntun
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set expressvpntun_mac src -c 0 0 -g VPR_MARK0x020000
-A VPR_PREROUTING -m set --match-set expressvpntun_ip src -c 1194 107599 -g VPR_MARK0x020000
-A VPR_PREROUTING -m set --match-set expressvpntun dst -c 0 0 -g VPR_MARK0x020000
-A VPR_PREROUTING -m set --match-set wan_mac src -c 0 0 -g VPR_MARK0x010000
-A VPR_PREROUTING -m set --match-set wan_ip src -c 1 40 -g VPR_MARK0x010000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -g VPR_MARK0x010000
-A VPR_PREROUTING -s 192.168.1.0/24 -d 154.16.65.143/32 -m comment --comment NowTV -c 0 0 -g VPR_MARK0x010000
-A VPR_PREROUTING -s 192.168.1.0/24 -d 90.216.151.68/32 -m comment --comment Now2 -c 0 0 -g VPR_MARK0x010000
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x010000
-N VPR_MARK0x010000
-A VPR_MARK0x010000 -c 1 40 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_MARK0x010000 -c 1 40 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x020000
-N VPR_MARK0x020000
-A VPR_MARK0x020000 -c 1201 107987 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_MARK0x020000 -c 1201 107987 -j RETURN
============================================================
Current ipsets
create wan hash:net family inet hashsize 4096 maxelem 65536 comment
add wan 52.82.184.0/23
add wan 3.239.157.32/27
add wan 2.19.16.0/24
add wan 23.60.160.0/22
add wan 96.7.220.0/23
add wan 104.122.222.0/23
create wan_ip hash:net family inet hashsize 1024 maxelem 65536 comment
add wan_ip 192.168.1.239 comment "Gphone: 192.168.1.239"
add wan_ip 192.168.1.210 comment "Ashphone: 192.168.1.210"
add wan_ip 192.168.1.30 comment "pi: 192.168.1.30"
add wan_ip 192.168.1.244 comment "Workphone: 192.168.1.244"
add wan_ip 192.168.1.172 comment "mbp: 192.168.1.172"
add wan_ip 192.168.1.212 comment "TVQled: 192.168.1.212"
create wan_mac hash:mac hashsize 1024 maxelem 65536 comment
create expressvpntun hash:net family inet hashsize 1024 maxelem 65536 comment
create expressvpntun_ip hash:net family inet hashsize 1024 maxelem 65536 comment
add expressvpntun_ip 192.168.1.0/24 comment "VPN: 192.168.1.0/24"
create expressvpntun_mac hash:mac hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

Looks like the necessary iptables rules are missing.
Perhaps you shouldn't use an unstable version of VPR.
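As an added worked example (not code from this thread, from either poster, or from the vpn-policy-routing package), the Python script below takes the VPR_PREROUTING chain, the ipset members and the fwmark-to-table mapping exactly as printed in the support output above and simulates how a flow gets its mark: rules are evaluated top to bottom, and because every rule jumps with `-g` to a VPR_MARK chain that ends in RETURN, the first matching rule decides the fwmark and the rest of VPR_PREROUTING is skipped. It then applies the ip rules from the same output (0x10000 looks up table 201 via wan; 0x20000 looks up table 202, which is `unreachable default` while the tunnel is down, which is what strict enforcement gives you). `CHAIN_CATCHALL_LAST` is a hypothetical ordering constructed for this example, with the LAN-wide VPN catch-all as the final rule as suggested earlier in the thread; it is not output from the router. Running it shows that with the chain as posted a host in `wan_ip` (e.g. 192.168.1.30) is caught by the `expressvpntun_ip src` rule first, while with the catch-all last it gets the wan mark and only unlisted hosts and destinations become unreachable when the tunnel drops.

```python
"""Added example: first-match fwmark simulation for the VPR_PREROUTING chain.

Ipset members and CHAIN_AS_POSTED are copied from the support output in
this thread. CHAIN_CATCHALL_LAST is a constructed, hypothetical ordering
with the LAN-wide VPN catch-all placed last; it is not output from the page.
"""
import ipaddress
import re

FWMASK = 0xFF0000
MARK_WAN = 0x10000  # 'from all fwmark 0x10000/0xff0000 lookup wan' (table 201)
MARK_VPN = 0x20000  # 'from all fwmark 0x20000/0xff0000 lookup expressvpntun' (table 202)

# Members as printed under 'Current ipsets'. The hash:mac sets are empty,
# so the *_mac rules can never match in this simulation.
IPSETS = {
    "wan": ["52.82.184.0/23", "3.239.157.32/27", "2.19.16.0/24",
            "23.60.160.0/22", "96.7.220.0/23", "104.122.222.0/23"],
    "wan_ip": ["192.168.1.239", "192.168.1.210", "192.168.1.30",
               "192.168.1.244", "192.168.1.172", "192.168.1.212"],
    "wan_mac": [],
    "expressvpntun": [],
    "expressvpntun_ip": ["192.168.1.0/24"],
    "expressvpntun_mac": [],
}

CHAIN_AS_POSTED = """
-A VPR_PREROUTING -m set --match-set expressvpntun_mac src -c 0 0 -g VPR_MARK0x020000
-A VPR_PREROUTING -m set --match-set expressvpntun_ip src -c 1194 107599 -g VPR_MARK0x020000
-A VPR_PREROUTING -m set --match-set expressvpntun dst -c 0 0 -g VPR_MARK0x020000
-A VPR_PREROUTING -m set --match-set wan_mac src -c 0 0 -g VPR_MARK0x010000
-A VPR_PREROUTING -m set --match-set wan_ip src -c 1 40 -g VPR_MARK0x010000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -g VPR_MARK0x010000
-A VPR_PREROUTING -s 192.168.1.0/24 -d 154.16.65.143/32 -m comment --comment NowTV -c 0 0 -g VPR_MARK0x010000
-A VPR_PREROUTING -s 192.168.1.0/24 -d 90.216.151.68/32 -m comment --comment Now2 -c 0 0 -g VPR_MARK0x010000
"""

# Hypothetical ordering: per-host and per-destination WAN rules first, the
# LAN-wide VPN catch-all (expressvpntun_ip = 192.168.1.0/24) as the final rule.
CHAIN_CATCHALL_LAST = """
-A VPR_PREROUTING -m set --match-set wan_mac src -g VPR_MARK0x010000
-A VPR_PREROUTING -m set --match-set wan_ip src -g VPR_MARK0x010000
-A VPR_PREROUTING -m set --match-set wan dst -g VPR_MARK0x010000
-A VPR_PREROUTING -s 192.168.1.0/24 -d 154.16.65.143/32 -m comment --comment NowTV -g VPR_MARK0x010000
-A VPR_PREROUTING -s 192.168.1.0/24 -d 90.216.151.68/32 -m comment --comment Now2 -g VPR_MARK0x010000
-A VPR_PREROUTING -m set --match-set expressvpntun_mac src -g VPR_MARK0x020000
-A VPR_PREROUTING -m set --match-set expressvpntun dst -g VPR_MARK0x020000
-A VPR_PREROUTING -m set --match-set expressvpntun_ip src -g VPR_MARK0x020000
"""

SET_RE = re.compile(r"--match-set (\S+) (src|dst)")
SRC_RE = re.compile(r"-s (\S+)")
DST_RE = re.compile(r"-d (\S+)")
GOTO_RE = re.compile(r"-g VPR_MARK(0x[0-9a-fA-F]+)")


def in_set(name, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(m, strict=False) for m in IPSETS[name])


def parse_chain(text):
    """Turn iptables-save style lines into (kind, a, b, mark) tuples."""
    rules = []
    for line in text.strip().splitlines():
        mark = int(GOTO_RE.search(line).group(1), 16)
        m = SET_RE.search(line)
        if m:
            rules.append(("set", m.group(1), m.group(2), mark))
        else:
            rules.append(("cidr", SRC_RE.search(line).group(1),
                          DST_RE.search(line).group(1), mark))
    return rules


def fwmark(rules, src, dst):
    """First matching rule wins: '-g' jumps to a VPR_MARK chain whose RETURN
    goes back to PREROUTING, so later VPR_PREROUTING rules are never
    evaluated for that packet. Returns 0 when nothing matches."""
    for kind, a, b, mark in rules:
        if kind == "set":
            if in_set(a, src if b == "src" else dst):
                return mark
        elif (ipaddress.ip_address(src) in ipaddress.ip_network(a)
              and ipaddress.ip_address(dst) in ipaddress.ip_network(b)):
            return mark
    return 0


def route(rules, src, dst, tun_up):
    """Apply the ip rules/tables from 'Routes/IP Rules'. With the tunnel down,
    table 202 is 'unreachable default', so VPN-marked flows are rejected
    rather than leaking out via the WAN (strict enforcement)."""
    mark = fwmark(rules, src, dst) & FWMASK
    if mark == MARK_WAN:
        return "wan"
    if mark == MARK_VPN:
        return "expressvpntun" if tun_up else "unreachable"
    return "main"  # unmarked: ordinary main-table lookup


if __name__ == "__main__":
    for name, chain in (("as posted", CHAIN_AS_POSTED),
                        ("catch-all last", CHAIN_CATCHALL_LAST)):
        rules = parse_chain(chain)
        for src, dst in (("192.168.1.30", "8.8.8.8"), ("192.168.1.50", "8.8.8.8"),
                         ("192.168.1.50", "154.16.65.143")):
            print(f"{name:15} {src:>14} -> {dst:<15} tun down: "
                  f"{route(rules, src, dst, tun_up=False)}")
```

The `-c` packet counters in the posted chain are parsed past, but they tell the same story the simulation does: 1194 packets hit the `expressvpntun_ip src` rule and only one reached `wan_ip src`.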

Ah OK, thank you for looking, it's much appreciated :blush: What version is suggested currently? I just did the opkg install.

Try to reinstall the VPR packages.

You are a gent and a squire, my friend, I had not even seen that :slight_smile:

Thank you very much, all working after downgrading. I sent you a small something for a coffee/beer, whichever you prefer :smiley:


I also figured something else out... I reinstalled the VPR packages from scratch, rm'd the folders in conf, and did the basic config (one device > WAN, subnet > VPN) and all was working.

When re-enabling IPSET for the custom user files, it started to push all traffic back through the VPN, regardless of rule order, so I guess it may be one or the other :frowning:

Scratch that, I left ipset on for remote and disabled it for local, and all is working again as intended. Thanks so much again for your advice! :slight_smile:


Great! :smiley: :+1:
Thanks for your support.
