PBR and https-dns-crypt config problem

I’m using ‘https-dns-crypt’ and PBR together.

I also use ‘ovpn-update-resolv-9’ to ensure the VPN provider's DNS is used inside the tunnel.

That is working, but when I start ‘https-dns-crypt’, DNS traffic takes that way.

How do I configure them to be used together?

wan = https-dns-proxy (now uses vpn-dns) and vpn = ‘ovpn-update-resolv-9’

The instructions already answer your question.

By using the DNS server pushed by your VPN provider you are already using a trusted DNS server and the DNS traffic is already encrypted because it is always routed via your encrypted VPN, so there is no need for other secure DNS servers.

Specifically mentioned is this:

Note: This script is not compatible with the use of Ignore resolv file (option noresolv), DNS Forwards (list server=) or with the use of encrypted DNS e.g. unbound, dnscrypt and https-dns-proxy, but encrypted DNS is not needed as the DNS is already sent encrypted via the VPN to a trusted DNS server.

What might be possible is to set up a second DNSMasq instance listening on another port, e.g. 54, and redirect the DNS traffic from your LAN clients to port 54; this can even be done with the PBR app.
You can then manually set up HTTPS-DNS-PROXY as upstream server for the second DNSMasq instance.

Okay,
PBR is working with "vpn-update-resolv-9"; DNS is inside the VPN client and seems to be working fine.

But WAN clients also use DNS from the VPN provider; they should use DNS from the ISP.

Is it possible to configure https-dns-proxy to be used only on WAN clients?

I have one WireGuard client but it doesn't show up in "Service Gateways".
Do I need to set "option route_allowed_ips '0'"?

Service Gateways
wan/eth1/100.69.0.1 ✓
wan6/eth1/fe80::xxxx:xxxx:fe9e:ea01
GLMT6000/tun10/10.8.44.2
sthlm_vpn/tun11/10.129.3.114/tun11/2a07:xxxx:xxxx:1052:ccdc:49de:xxxx:4dbd/6

I have outlined how to do that in my previous post.

No, route allowed IPs is not necessary. If it does not show up as a Service Gateway then the interface is not up; you can check with wg show.

Sorry, it’s not possible to use them together if you don't set up a second DNSMasq instance.
I have disabled https-dns-crypt for now. GOT IT

I have DNS inside the tunnel working with your script.

The problem is I can't get WAN clients to use the ISP DNS servers (eth1).

The WireGuard client is running but still doesn't show up in Service Gateways.

Service Gateways
wan/eth1/100.69.0.1 ✓
wan6/eth1/fe80::a67b:xxxx:xxxx:ea01
GLMT6000/tun10/10.8.44.2
sthlm_vpn/tun11/10.129.3.249/tun11/2a07:a880:xxxx:xxxx:200e:ab74:xxxx:54bd/64

“wg show” shows it’s running.

interface: wgc_vpn10
  public key: <redacted>
  private key: (hidden)
  listening port: 9929

peer: <redacted>
  endpoint: 217.64.148.51:9929
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 48 seconds ago
  transfer: 736 B received, 2.53 KiB sent
  persistent keepalive: every 25 seconds

Correct, to use https-dns-proxy you need a second DNSMasq instance.

You can always use the PBR DNS policy to let specific clients use a DNS server of choice.
In the HTTPS_DNS-PROXY you might have to set to:

Otherwise this might take precedence.

You have added a listening port; if you do that it is treated as a WG server.
See the PBR readme.
Either delete the listening port or add the interface to the supported interfaces.

I removed the listen port.

DNS inside the VPN tunnel is working fine, using DNS from the VPN provider.

However, I can’t get DNS to WAN working; I have both DNS from the ISP and from the VPN provider.

I have this set:

config dns_policy
option name 'all-wan'
option src_addr '192.168.46.0/24'
option dest_dns '213.80.98.2 213.80.101.3 2001:9b0::53:1 2001:9b0::53:2'
option dest_dns_port '53'
option enabled '0'

config policy
option name 'Johan-PC-vpn'
option interface 'sthlm_vpn'
option src_addr '192.168.46.133'

Tested from phone to WAN:

config dns_policy
option name 'JohanS24'
option src_addr '192.168.46.199/32'
option dest_dns '213.80.98.2 213.80.101.3 2001:9b0::53:1 2001:9b0::53:2'
option dest_dns_port '53'

That is not how it works.
The underlying technology is a simple destination NAT rule, the same as used in DNS hijacking.
So an IPv4 source can only be routed to one IPv4 destination address.
If you use both IPv4 and IPv6 in your network you have to provide a rule for the IPv4 and for the IPv6 source address.
As IPv6 is difficult because sources can have multiple changing addresses, you had better use a MAC address or interface address, which will take care of both IPv4 and IPv6.

So this is valid for an interface when you need to redirect both IPv4 and IPv6:

config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr '@br-lan'
	option dest_dns '1.1.1.1 2001:4860:4860::8888'
	option dest_dns_port '53'

You can check the rules with: nft list ruleset

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
                iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
                iifname "eth0" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
                jump pbr_dstnat
        }

        chain pbr_dstnat {
                iifname "br-lan" counter packets 0 bytes 0 meta nfproto ipv4 tcp dport 53 dnat ip to 1.1.1.1:53 comment "Redirect Local IP DNS"
                iifname "br-lan" counter packets 0 bytes 0 meta nfproto ipv6 tcp dport 53 dnat ip6 to 2001:4860:4860::8888:53 comment "Redirect Local IP DNS"
                iifname "br-lan" counter packets 0 bytes 0 meta nfproto ipv4 udp dport 53 dnat ip to 1.1.1.1:53 comment "Redirect Local IP DNS"
                iifname "br-lan" counter packets 0 bytes 0 meta nfproto ipv6 udp dport 53 dnat ip6 to 2001:4860:4860::8888:53 comment "Redirect Local IP DNS"
        }

See also: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak#split-dns
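
As an added example (not from this thread and not PBR's own code), the Python script below parses the pbr_dstnat chain printed by nft list ruleset and reports, per dns_policy, which address-family/protocol combinations actually get redirected, and it models what a given src_addr/dest_dns pair can produce, so that an IPv4-only source or a never-used second server shows up before you test from a client. Assumptions: the sample chain is constructed from the four rules shown above plus an assumed rendering of the earlier IPv4-only JohanS24 policy (the thread does not show the match prefix PBR emits for an IP source, so the parser keys only on the nfproto/dport/dnat/comment tail that it does show); the policy-to-rule model (an interface source covers both families, a literal IP source only its own, the first listed server of each family is used) is inferred from this post, not from PBR's source.

```python
"""Audit PBR dns_policy DNS redirects from `nft list ruleset` output.

Added example: the policy-to-rule model is inferred from the forum post
(one source -> one destination per family; an '@iface' source covers both
families), not taken from PBR's own code.
"""
import ipaddress
import re

# Constructed sample. The first four pbr_dstnat lines are the rules shown in the
# thread for the '@br-lan' policy; the last two are an ASSUMED rendering of an
# IPv4-only client policy (the 'ip saddr' prefix is a guess; only the tail is parsed).
SAMPLE_NFT = """\
        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
                jump pbr_dstnat
        }

        chain pbr_dstnat {
                iifname "br-lan" counter packets 0 bytes 0 meta nfproto ipv4 tcp dport 53 dnat ip to 1.1.1.1:53 comment "Redirect Local IP DNS"
                iifname "br-lan" counter packets 0 bytes 0 meta nfproto ipv6 tcp dport 53 dnat ip6 to 2001:4860:4860::8888:53 comment "Redirect Local IP DNS"
                iifname "br-lan" counter packets 0 bytes 0 meta nfproto ipv4 udp dport 53 dnat ip to 1.1.1.1:53 comment "Redirect Local IP DNS"
                iifname "br-lan" counter packets 0 bytes 0 meta nfproto ipv6 udp dport 53 dnat ip6 to 2001:4860:4860::8888:53 comment "Redirect Local IP DNS"
                ip saddr 192.168.46.199 counter packets 0 bytes 0 meta nfproto ipv4 tcp dport 53 dnat ip to 213.80.98.2:53 comment "JohanS24"
                ip saddr 192.168.46.199 counter packets 0 bytes 0 meta nfproto ipv4 udp dport 53 dnat ip to 213.80.98.2:53 comment "JohanS24"
        }
"""

FAMILIES = ("ipv4", "ipv6")
PROTOS = ("tcp", "udp")
COMBOS = [(f, p) for f in FAMILIES for p in PROTOS]

RULE_RE = re.compile(
    r'meta nfproto (?P<family>ipv4|ipv6) (?P<proto>tcp|udp) dport 53 '
    r'dnat (?:ip|ip6) to (?P<dest>\S+) comment "(?P<policy>[^"]+)"')


def parse_pbr_dstnat(nft_text):
    """Return one dict (family, proto, dest, policy) per redirect rule in chain pbr_dstnat."""
    rules, in_chain = [], False
    for line in nft_text.splitlines():
        s = line.strip()
        if s.startswith("chain pbr_dstnat"):
            in_chain = True
        elif in_chain and s == "}":
            break
        elif in_chain:
            m = RULE_RE.search(s)
            if m:
                rule = m.groupdict()
                rule["dest"] = rule["dest"].rsplit(":", 1)[0]  # strip the ':53' port suffix
                rules.append(rule)
    return rules


def coverage(rules):
    """policy name -> {(family, proto): destination server}."""
    cov = {}
    for r in rules:
        cov.setdefault(r["policy"], {})[(r["family"], r["proto"])] = r["dest"]
    return cov


def audit(rules):
    """policy name -> list of (family, proto) combinations that have no redirect rule.

    A policy that only appears with IPv4 rules leaves IPv6 DNS from the same
    client untouched: it goes to whatever resolver the client would use anyway.
    """
    return {name: [c for c in COMBOS if c not in seen]
            for name, seen in coverage(rules).items()}


def expected_from_policy(src_addr, dest_dns):
    """Model the (family, proto, dest) rules a dns_policy can yield, plus warnings.

    Assumed behaviour (see module docstring): '@iface' matches both families,
    a literal IP/CIDR only its own; the first listed server of each family is
    used and further servers of that family are ignored.
    """
    by_family = {}
    for server in dest_dns.split():
        fam = "ipv%d" % ipaddress.ip_address(server).version
        by_family.setdefault(fam, []).append(server)
    if src_addr.startswith("@"):
        families = list(FAMILIES)
    else:
        families = ["ipv%d" % ipaddress.ip_network(src_addr, strict=False).version]
    expected, warnings = [], []
    for fam in FAMILIES:
        listed = by_family.get(fam, [])
        if fam in families and listed:
            expected += [(fam, p, listed[0]) for p in PROTOS]
            for extra in listed[1:]:
                warnings.append("%s: extra server %s ignored, one source maps to one destination" % (fam, extra))
        elif listed:
            warnings.append("%s: server(s) %s never used, source %s matches only %s traffic"
                            % (fam, " ".join(listed), src_addr, families[0]))
        elif fam in families:
            warnings.append("%s: no server listed, %s DNS from %s is not redirected" % (fam, fam, src_addr))
    return expected, warnings


if __name__ == "__main__":
    for name, missing in audit(parse_pbr_dstnat(SAMPLE_NFT)).items():
        print(name, "->", "complete" if not missing else "missing %s" % missing)
    for src, dns in (("@br-lan", "1.1.1.1 2001:4860:4860::8888"),
                     ("192.168.46.199/32", "213.80.98.2 213.80.101.3 2001:9b0::53:1 2001:9b0::53:2")):
        rules, warns = expected_from_policy(src, dns)
        print(src, "->", len(rules), "rules")
        for w in warns:
            print("  warning:", w)
```

On a router you would feed it the real output (`nft list ruleset | python3 audit.py` with `SAMPLE_NFT` swapped for `sys.stdin.read()`); the point of the model is that the phone policy from earlier in the thread yields only two IPv4 rules and two warnings, while the '@br-lan' policy yields all four combinations with none.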

PBR is a good program, but it doesn't work at all )

Not if you don't know how to use it.

I tried millions of combinations and the result is zero.

I tried scripts and everything; I couldn't even transfer an IP address through this wonderful program.

I've delved so deeply into this program that it's easier to write a script that will work better.

Perhaps PBR was created for a specific task that no one uses, but, say, running Amneziawg is unrealistic.

Amneziawg is not specifically supported.
It is possible it works, but it is not guaranteed.
WireGuard, OpenVPN, PPTP, Netbird, Tailscale, L2TP, OpenConnect and Tor are supported.
See: https://docs.openwrt.melmac.ca/pbr/

I tried to look at Amneziawg but it seems not to be supported on Master/Snapshot builds.

Anyway, your remark is not related to this thread.

So please make your own thread if you have any questions.

I dove deep into PBR, rewrote it, and did everything I could. The thing is, Wireguard is so last century. Amneziawg is based on that, only better. It's the reality of the moment.

Have you heard about DPI blocking? It's already a reality. Maybe it hasn't affected you yet, but it won't last long; it will affect you soon. If blocking starts in one country, it means it will affect everyone, if not today, then tomorrow.

And I don’t want to say that the PBR program is not good; it’s just that maybe it’s time to improve it?

After all, you all need topics for improvement, so I'm throwing them in. You could say I'm ahead of my time, like playing chess: you know where your opponent will go first. After all, you're all the best, everyone who's gathered here.

Thanks for your reply!

I have added it as you suggested and that by itself is working for WAN on the phone.

config dns_policy
option name 'Redirect Local IP DNS'
option src_addr '@br-lan'
option dest_dns '213.80.98.2 2001:9b0::53:1'
option dest_dns_port '53'
option enabled '0'

When I added:

config policy
option name 'Johan-PC-vpn'
option interface 'sthlm_vpn'
option src_addr '192.168.46.133'

Then sthlm_vpn tun11 (vpn-isp) stopped working; it seems DNS is missing.

Tried to add:

config dns_policy
option name 'vpn-dns'
option src_addr '192.168.46.133'
option dest_dns 'sthlm_vpn'
option dest_dns_port '53'
option enabled '1'

It looks like this client (option src_addr '192.168.46.133') is also part of the LAN, and if you have DNS policies which target the same client then the order of the policies also matters. Furthermore, you have specified an interface as destination instead of IP addresses, which is fine if you have hard-coded the DNS servers on the interface as outlined in https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak#pbr-dns-policies

But perhaps we should take one step back. Please tell me your current setup, e.g. what VPNs you have, what default route you want to have and what clients you want to route via which VPN.

It will also help if you show us your configs. Please connect to your OpenWRT device using ssh, copy the output of the following commands and post it here using the "Preformatted text </> " button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses (192.168.X.X, 10.X.X.X and 172.16-32.X.X) as that is not needed:

ubus call system board
service pbr support
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show
cat /tmp/resolv.conf.d/resolv.conf.auto
cat /etc/config/openvpn
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done
logread | grep openvpn

Here are my configs:

ubus call system board

{
"kernel": "6.12.74",
"hostname": "Defcon",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "25.12.2",
"firmware_url": "https://downloads.openwrt.org/",
"revision": "r32802-f505120278",
"target": "mediatek/filogic",
"description": "OpenWrt 25.12.2 r32802-f505120278",
"builddate": "1774469393"
}
}

ip route show

default via 100.69.0.1 dev eth1 proto static src 100.69.117.12
10.8.42.0/24 dev tun21 proto kernel scope link src 10.8.42.1
10.8.44.0/24 dev tun10 proto kernel scope link src 10.8.44.2
10.129.0.0/22 dev tun11 proto kernel scope link src 10.129.1.112
46.227.67.134 dev tun11 scope link
100.69.0.0/17 dev eth1 proto kernel scope link src 100.69.117.12
172.22.28.0/24 dev wgserver proto kernel scope link src 172.22.28.1
172.22.28.2 dev wgserver proto static scope link
172.22.28.3 dev wgserver proto static scope link
172.22.28.4 dev wgserver proto static scope link
172.22.28.5 dev wgserver proto static scope link
172.22.28.6 dev wgserver proto static scope link
192.165.9.158 dev tun11 scope link
192.168.2.0/24 dev br-guest proto kernel scope link src 192.168.2.1
192.168.25.0/24 dev eth1 proto kernel scope link src 192.168.25.2
192.168.46.0/24 dev br-lan proto kernel scope link src 192.168.46.1
192.168.50.0/24 via 10.8.44.1 dev tun10 metric 500
217.64.148.51 via 100.69.0.1 dev eth1 proto static

ip -6 route show

default from 2001:9b0:41::5f0b:2ec5 via fe80::a67b:2cff:fe9e:ea01 dev eth1 proto static metric 512 pref medium
default from 2001:9b1:df8:eb00::/56 via fe80::a67b:2cff:fe9e:ea01 dev eth1 proto static metric 512 pref medium
2001:67c:750:1:cafe:cd45:0:1 dev tun11 metric 1024 pref medium
2001:9b1:df8:eb01::/64 dev br-lan proto static metric 1024 pref medium
2001:9b1:df8:eb02::/64 dev br-guest proto static metric 1024 pref medium
unreachable 2001:9b1:df8:eb00::/56 dev lo proto static metric 2147483647 pref medium
2a07:a880:4601:1082::/64 dev tun11 proto kernel metric 256 pref medium
2a07:a880:4601:10f0:cd45::1 dev tun11 metric 1024 pref medium
fd00:0:1337:cafe:1111:1111:505:387e dev wgc_vpn10 proto kernel metric 256 pref medium
fd42:4242:4242::/64 dev tun21 proto kernel metric 256 pref medium
fd65:35f6:a308:2::/64 dev br-guest proto static metric 1024 pref medium
unreachable fd65:35f6:a308::/48 dev lo proto static metric 2147483647 pref medium
fda9:65bd:f903::2 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::3 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::4 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::5 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::6 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::/64 dev wgserver proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev tun21 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
fe80::/64 dev ifb4eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun10 proto kernel metric 256 pref medium
fe80::/64 dev tun11 proto kernel metric 256 pref medium

ip route show table all

default via 100.69.0.1 dev eth1 table pbr_wan
default via 10.8.44.2 dev tun10 table pbr_GLMT6000
default via 172.16.193.37 dev wgc_vpn10 table pbr_wgc_vpn10
default via 10.129.1.112 dev tun11 table pbr_sthlm_vpn
default via 100.69.0.1 dev eth1 proto static src 100.69.117.12
10.8.42.0/24 dev tun21 proto kernel scope link src 10.8.42.1
10.8.44.0/24 dev tun10 proto kernel scope link src 10.8.44.2
10.129.0.0/22 dev tun11 proto kernel scope link src 10.129.1.112
46.227.67.134 dev tun11 scope link
100.69.0.0/17 dev eth1 proto kernel scope link src 100.69.117.12
172.22.28.0/24 dev wgserver proto kernel scope link src 172.22.28.1
172.22.28.2 dev wgserver proto static scope link
172.22.28.3 dev wgserver proto static scope link
172.22.28.4 dev wgserver proto static scope link
172.22.28.5 dev wgserver proto static scope link
172.22.28.6 dev wgserver proto static scope link
192.165.9.158 dev tun11 scope link
192.168.2.0/24 dev br-guest proto kernel scope link src 192.168.2.1
192.168.25.0/24 dev eth1 proto kernel scope link src 192.168.25.2
192.168.46.0/24 dev br-lan proto kernel scope link src 192.168.46.1
192.168.50.0/24 via 10.8.44.1 dev tun10 metric 500
217.64.148.51 via 100.69.0.1 dev eth1 proto static
local 10.8.42.1 dev tun21 table local proto kernel scope host src 10.8.42.1
broadcast 10.8.42.255 dev tun21 table local proto kernel scope link src 10.8.42.1
local 10.8.44.2 dev tun10 table local proto kernel scope host src 10.8.44.2
broadcast 10.8.44.255 dev tun10 table local proto kernel scope link src 10.8.44.2
local 10.129.1.112 dev tun11 table local proto kernel scope host src 10.129.1.112
broadcast 10.129.3.255 dev tun11 table local proto kernel scope link src 10.129.1.112
local 100.69.117.12 dev eth1 table local proto kernel scope host src 100.69.117.12
broadcast 100.69.127.255 dev eth1 table local proto kernel scope link src 100.69.117.12
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.16.193.37 dev wgc_vpn10 table local proto kernel scope host src 172.16.193.37
local 172.22.28.1 dev wgserver table local proto kernel scope host src 172.22.28.1
broadcast 172.22.28.255 dev wgserver table local proto kernel scope link src 172.22.28.1
local 192.168.2.1 dev br-guest table local proto kernel scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-guest table local proto kernel scope link src 192.168.2.1
local 192.168.25.2 dev eth1 table local proto kernel scope host src 192.168.25.2
broadcast 192.168.25.255 dev eth1 table local proto kernel scope link src 192.168.25.2
local 192.168.46.1 dev br-lan table local proto kernel scope host src 192.168.46.1
broadcast 192.168.46.255 dev br-lan table local proto kernel scope link src 192.168.46.1
default via fe80::a67b:2cff:fe9e:ea01 dev eth1 table pbr_wan metric 128 pref medium
default dev tun10 table pbr_GLMT6000 metric 128 pref medium
default dev wgc_vpn10 table pbr_wgc_vpn10 metric 128 pref medium
default dev tun11 table pbr_sthlm_vpn metric 128 pref medium
default from 2001:9b0:41::5f0b:2ec5 via fe80::a67b:2cff:fe9e:ea01 dev eth1 proto static metric 512 pref medium
default from 2001:9b1:df8:eb00::/56 via fe80::a67b:2cff:fe9e:ea01 dev eth1 proto static metric 512 pref medium
2001:67c:750:1:cafe:cd45:0:1 dev tun11 metric 1024 pref medium
2001:9b1:df8:eb01::/64 dev br-lan proto static metric 1024 pref medium
2001:9b1:df8:eb02::/64 dev br-guest proto static metric 1024 pref medium
unreachable 2001:9b1:df8:eb00::/56 dev lo proto static metric 2147483647 pref medium
2a07:a880:4601:1082::/64 dev tun11 proto kernel metric 256 pref medium
2a07:a880:4601:10f0:cd45::1 dev tun11 metric 1024 pref medium
fd00:0:1337:cafe:1111:1111:505:387e dev wgc_vpn10 proto kernel metric 256 pref medium
fd42:4242:4242::/64 dev tun21 proto kernel metric 256 pref medium
fd65:35f6:a308:2::/64 dev br-guest proto static metric 1024 pref medium
unreachable fd65:35f6:a308::/48 dev lo proto static metric 2147483647 pref medium
fda9:65bd:f903::2 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::3 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::4 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::5 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::6 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::/64 dev wgserver proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev tun21 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
fe80::/64 dev ifb4eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun10 proto kernel metric 256 pref medium
fe80::/64 dev tun11 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2001:9b0:41::5f0b:2ec5 dev eth1 table local proto kernel metric 0 pref medium
anycast 2001:9b1:df8:eb01:: dev br-lan table local proto kernel metric 0 pref medium
local 2001:9b1:df8:eb01::1 dev br-lan table local proto kernel metric 0 pref medium
anycast 2001:9b1:df8:eb02:: dev br-guest table local proto kernel metric 0 pref medium
local 2001:9b1:df8:eb02::1 dev br-guest table local proto kernel metric 0 pref medium
anycast 2a07:a880:4601:1082:: dev tun11 table local proto kernel metric 0 pref medium
local 2a07:a880:4601:1082:a5ba:e2ef:b725:826b dev tun11 table local proto kernel metric 0 pref medium
local fd00:0:1337:cafe:1111:1111:505:387e dev wgc_vpn10 table local proto kernel metric 0 pref medium
anycast fd42:4242:4242:: dev tun21 table local proto kernel metric 0 pref medium
local fd42:4242:4242::1 dev tun21 table local proto kernel metric 0 pref medium
anycast fd65:35f6:a308:2:: dev br-guest table local proto kernel metric 0 pref medium
local fd65:35f6:a308:2::1 dev br-guest table local proto kernel metric 0 pref medium
anycast fda9:65bd:f903:: dev wgserver table local proto kernel metric 0 pref medium
local fda9:65bd:f903::1 dev wgserver table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-guest table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev tun21 table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb4eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun10 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun11 table local proto kernel metric 0 pref medium
local fe80::51:49ff:fe29:7066 dev ifb4eth1 table local proto kernel metric 0 pref medium
local fe80::34c1:2b4b:f86c:3048 dev tun11 table local proto kernel metric 0 pref medium
local fe80::3841:415a:b2be:e658 dev tun10 table local proto kernel metric 0 pref medium
local fe80::9483:c4ff:fea5:ff80 dev br-guest table local proto kernel metric 0 pref medium
local fe80::9683:c4ff:fea5:ff7d dev eth1 table local proto kernel metric 0 pref medium
local fe80::9683:c4ff:fea5:ff7f dev eth0 table local proto kernel metric 0 pref medium
local fe80::9683:c4ff:fea5:ff7f dev br-lan table local proto kernel metric 0 pref medium
local fe80::efe0:486a:ffdc:581b dev tun21 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-guest table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wgserver table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun21 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ifb4eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wgc_vpn10 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun10 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun11 table local proto kernel metric 256 pref medium

ip rule show

0: from all lookup local
29995: from all lookup main suppress_prefixlength 1
29996: from all sport 56468 lookup pbr_wan
29997: from all fwmark 0x40000/0xff0000 lookup pbr_sthlm_vpn
29998: from all fwmark 0x30000/0xff0000 lookup pbr_wgc_vpn10
29999: from all fwmark 0x20000/0xff0000 lookup pbr_GLMT6000
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766: from all lookup main
32767: from all lookup default

wg show

interface: wgserver
public key: ldNI7Af0OjiJG0h8g2c7bBn/XIMrBmngk1M8jKqyIUU=
private key: (hidden)
listening port: 56468

peer: 9JnBH7masjvJ0tOvqFr6F2cCwvCBxTSSGyGpJrCWOnc=
preshared key: (hidden)
allowed ips: 172.22.28.2/32, fda9:65bd:f903::2/128
persistent keepalive: every 25 seconds

peer: /ascelqF6qfpE13ukKJbx/12Ip8EkPNwdFWVQeFckT0=
preshared key: (hidden)
allowed ips: 172.22.28.3/32, fda9:65bd:f903::3/128
persistent keepalive: every 25 seconds

peer: IiLtgpjPh74poGwxbVTrfnDuoluDbQR67hrLPf5CKnY=
preshared key: (hidden)
allowed ips: 172.22.28.4/32, fda9:65bd:f903::4/128
persistent keepalive: every 25 seconds

peer: 9N4fCGKg9vIGzPq5WAOLjuHCwuDQBg5WovYxwwq8EjA=
preshared key: (hidden)
allowed ips: 172.22.28.5/32, fda9:65bd:f903::5/128
persistent keepalive: every 25 seconds

peer: E9i5TAjroHcvaeO5orqGtWGnydZ5fbKRf71ULNgJaGA=
preshared key: (hidden)
allowed ips: 172.22.28.6/32, fda9:65bd:f903::6/128
persistent keepalive: every 25 seconds

interface: wgc_vpn10
public key: iv4fmvnJqzJ/2jRFeWy8OWfJpAOQHmmC2nljLSeriz0=
private key: (hidden)
listening port: 50775

peer: KKCpXL20GjRtC8ADvYna/pTsrFAtML/ndWxbVifg8Uw=
endpoint: 217.64.148.51:9929
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 1 minute, 29 seconds ago
transfer: 38.27 KiB received, 142.25 KiB sent
persistent keepalive: every 25 seconds

cat /tmp/resolv.conf.d/resolv.conf.auto

interface wan6

nameserver 2001:9b0::53:1
nameserver 2001:9b0::53:2

Interface wgc_vpn10

nameserver 46.227.67.134
nameserver 192.165.9.158
nameserver 2a07:a880:4601:10f0:cd45::1
nameserver 2001:67c:750:1:cafe:cd45:0:1

Interface wan

cat /etc/config/openvpn

config openvpn 'DefconVpnServer'
option enabled '1'
option dev 'tun21'
option proto 'udp'
option local '::'
option port '2197'
option cipher 'AES-256-GCM'
list data_ciphers 'AES-256-GCM'
list data_ciphers 'AES-128-GCM'
list data_ciphers 'CHACHA20-POLY1305'
option auth_nocache '1'
option tls_crypt_v2 '/etc/openvpn/DefconVpnServer/tls-crypt-v2-server.key'
option ca '/etc/openvpn/DefconVpnServer/ca.crt'
option cert '/etc/openvpn/DefconVpnServer/server.crt'
option key '/etc/openvpn/DefconVpnServer/server.key'
option dh '/etc/openvpn/DefconVpnServer/dh.pem'
option topology 'subnet'
option server '10.8.42.0 255.255.255.0'
option server_ipv6 'fd42:4242:4242::/64'
list push 'route 192.168.46.0 255.255.255.0'
list push 'dhcp-option DOMAIN home.lan'
list push 'dhcp-option DNS 192.168.46.1'
list push 'route-ipv6 2000::/3'
list push 'dhcp-option DNS fd42:4242:4242::1'
list push 'redirect-gateway def1 ipv6'
option client_to_client '1'
option client_config_dir '/etc/openvpn/DefconVpnServer/ccd'
option ifconfig_pool_persist '/etc/openvpn/DefconVpnServer/ipp.txt 600'
option verb '3'
option log '/var/log/openvpn-server1.log'
option status_version '2'
option keepalive '10 60'
option reneg_sec '0'
option script_security '2'
option mute_replay_warnings '1'
option fast_io '1'
option multihome '1'

config openvpn 'GLMT6000'
option enabled '1'
option client '1'
option dev 'tun10'
option proto 'udp'
list remote 'octopus.xinit.se'
option port '2196'
option nobind '1'
option float '1'
option persist_tun '1'
option fast_io '1'
option reneg_sec '3600'
option verb '3'
option mute_replay_warnings '1'
option replay_window '256'
option auth_nocache '1'
option cipher 'AES-256-GCM'
option tls_crypt_v2 '/etc/openvpn/GLMT6000/tls-crypt-v2-client.key'
option ca '/etc/openvpn/GLMT6000/gl-mt6000-ca.crt'
option cert '/etc/openvpn/GLMT6000/gl-mt6000.crt'
option key '/etc/openvpn/GLMT6000/gl-mt6000.key'
option verify_x509_name 'octopus.xinit.se name'
option remote_cert_tls 'server'
option log '/var/log/openvpn-client1.log'
option script_security '2'

config openvpn 'Sthlmovpn'
option client '1'
option dev 'tun11'
option proto 'udp'
option pull '1'
option nobind '1'
option float '1'
option persist_tun '1'
option fast_io '1'
option reneg_sec '3600'
option verb '3'
option mute_replay_warnings '1'
option replay_window '256'
option auth_nocache '1'
option cipher 'AES-256-GCM'
option tls_auth '/etc/openvpn/sthlmovpn/tlsauth.key'
option ca '/etc/openvpn/sthlmovpn/ca.crt'
option auth_user_pass '/etc/openvpn/sthlmovpn/user.pass'
option remote_cert_tls 'server'
option key_direction '1'
option log '/var/log/openvpn-client2.log'
option script_security '2'
list pull_filter 'ignore "route-ipv6"'
list pull_filter 'ignore "redirect-gateway"'
list pull_filter 'ignore "redirect-gateway ipv6"'
list data_ciphers 'AES-128-GCM'
list data_ciphers 'AES-256-GCM'
option remote_random '1'
option resolv_retry 'infinite'
option connect_retry '5'
option connect_retry_max '3'
list remote 'pool-1.prd.se.sthlm.ovpn.com 1194'
list remote 'pool-1.prd.se.sthlm.ovpn.com 1195'
list remote 'pool-2.prd.se.sthlm.ovpn.com 1194'
list remote 'pool-2.prd.se.sthlm.ovpn.com 1195'
option up /etc/openvpn/ovpn-update-resolv-9
option down /etc/openvpn/ovpn-update-resolv-9
option enabled '1'

for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done

ls: /etc/openvpn/*.ovpn: No such file or directory

for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done

/tmp/etc/openvpn-DefconVpnServer.conf
auth-nocache
client-to-client
fast-io
multihome
mute-replay-warnings
ca /etc/openvpn/DefconVpnServer/ca.crt
cert /etc/openvpn/DefconVpnServer/server.crt
cipher AES-256-GCM
client-config-dir /etc/openvpn/DefconVpnServer/ccd
dev tun21
dh /etc/openvpn/DefconVpnServer/dh.pem
ifconfig-pool-persist /etc/openvpn/DefconVpnServer/ipp.txt 600
keepalive 10 60
key /etc/openvpn/DefconVpnServer/server.key
local ::
log /var/log/openvpn-server1.log
port 2197
proto udp
push "route 192.168.46.0 255.255.255.0"
push "dhcp-option DOMAIN home.lan"
push "dhcp-option DNS 192.168.46.1"
push "route-ipv6 2000::/3"
push "dhcp-option DNS fd42:4242:4242::1"
push "redirect-gateway def1 ipv6"
reneg-sec 0
server 10.8.42.0 255.255.255.0
server-ipv6 fd42:4242:4242::/64
status-version 2
tls-crypt-v2 /etc/openvpn/DefconVpnServer/tls-crypt-v2-server.key
topology subnet
verb 3
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

/tmp/etc/openvpn-GLMT6000.conf
auth-nocache
client
fast-io
float
mute-replay-warnings
nobind
persist-tun
ca /etc/openvpn/GLMT6000/gl-mt6000-ca.crt
cert /etc/openvpn/GLMT6000/gl-mt6000.crt
cipher AES-256-GCM
dev tun10
key /etc/openvpn/GLMT6000/gl-mt6000.key
log /var/log/openvpn-client1.log
port 2196
proto udp
remote octopus.xinit.se
remote-cert-tls server
reneg-sec 3600
replay-window 256
tls-crypt-v2 /etc/openvpn/GLMT6000/tls-crypt-v2-client.key
verb 3
verify-x509-name octopus.xinit.se name

/tmp/etc/openvpn-Sthlmovpn.conf
auth-nocache
client
fast-io
float
mute-replay-warnings
nobind
persist-tun
pull
remote-random
auth-user-pass /etc/openvpn/sthlmovpn/user.pass
ca /etc/openvpn/sthlmovpn/ca.crt
cipher AES-256-GCM
connect-retry 5
connect-retry-max 3
dev tun11
key-direction 1
log /var/log/openvpn-client2.log
proto udp
pull-filter ignore "route-ipv6"
pull-filter ignore "redirect-gateway"
pull-filter ignore "redirect-gateway ipv6"
remote pool-1.prd.se.sthlm.ovpn.com 1194
remote pool-1.prd.se.sthlm.ovpn.com 1195
remote pool-2.prd.se.sthlm.ovpn.com 1194
remote pool-2.prd.se.sthlm.ovpn.com 1195
remote-cert-tls server
reneg-sec 3600
replay-window 256
resolv-retry infinite
tls-auth /etc/openvpn/sthlmovpn/tlsauth.key
verb 3
data-ciphers AES-128-GCM:AES-256-GCM

logread | grep openvpn

No output

service pbr support

Setting counters and verbosity for diagnostics...

===== dhcp config =====

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'network.lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1280'
list server '/use-application-dns.net/'
list server '/mask.icloud.com/'
list server '/mask-h2.icloud.com/'
list server '127.0.0.1#5053'
list server '127.0.0.1#5054'
option resolvfile '/tmp/resolv_conf.vpn'
list addnmount '/var/run/pbr.dnsmasq'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '2h'
option dhcpv4 'server'
option ra 'server'
option force '1'
option dhcpv6 'server'
list ra_flags 'other-config'
option ra_default '1'
option ra_preference 'medium'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/odhcpd.leases'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piodir '/tmp/odhcpd-piodir'
option hostsdir '/tmp/hosts'

config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '2h'
option ra 'server'
option dhcpv6 'server'
option ra_flags 'other-config'
option ra_default '1'
option ra_management '0'
option ra_preference 'medium'
option force '1'

config host
option name 'Testing'
list mac '***'

config host
option name 'JohanS24'
list mac '***'

config host
option name 'Johan-PC'
list mac '***'

config host
option name 'Chromecast'
list mac '***'

config host
option name 'Samsung-TV'
list mac '***'

config host
option name 'Johan-AX210'
list mac '***'

config host
option name 'TRB-140'
list mac '***'

===== firewall config =====

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun21'
list network 'lan'

config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq6 '0'
list masq_src '***::0/64'
option masq '1'
list network 'USBWAN'
list network 'wan'
list network 'wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'

config forwarding
option src 'guest'
option dest 'wan'

config rule
option src 'guest'
option name 'Allow-DNS-Guest'
option dest_port '53'
option target 'ACCEPT'

config rule
option src 'guest'
option name 'Allow-DHCP-Guest'
list proto 'udp'
option dest_port '67'
option target 'ACCEPT'

config rule
option src 'lan'
option dest 'wan'
option name 'Block-...'
option target 'REJECT'
option family 'ipv4'
list dest_ip '...'
option enabled '0'

config rule
option src 'lan'
option dest 'wan'
option name 'Block-...'
option target 'REJECT'
option family 'ipv4'
list dest_ip '...'
option enabled '0'

config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option proto 'udp'
option dest_port '2197'
option target 'ACCEPT'

config rule
option name 'Allow-VPN-to-LAN'
option src 'vpnclient'
option dest 'lan'
option proto 'all'
option target 'ACCEPT'
option enabled '0'

config rule
option src 'wan'
option name 'Allow-Wireguard'
list proto 'udp'
option dest_port '56468'
option target 'ACCEPT'

config rule
option src 'lan'
option dest '*'
option name 'Allow-WSD-TCP'
list proto 'tcp'
option dest_port '5357'
option target 'ACCEPT'

config zone
option name 'wgserver'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'wgserver'

config forwarding
option src 'wgserver'
option dest 'lan'

config forwarding
option src 'wgserver'
option dest 'wan'

config forwarding
option src 'lan'
option dest 'wgserver'

config zone
option name 'vpnclient'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
list network 'GLMT6000'

config forwarding
option src 'vpnclient'
option dest 'lan'

config forwarding
option src 'lan'
option dest 'vpnclient'

config zone
option name 'wgc_vpn10'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option masq6 '1'
list network 'wgc_vpn10'

config forwarding
option src 'lan'
option dest 'wgc_vpn10'

config forwarding
option src 'wgc_vpn10'
option dest 'lan'

config zone
option name 'sthlm_vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'sthlm_vpn'

config forwarding
option src 'sthlm_vpn'
option dest 'lan'

config forwarding
option src 'lan'
option dest 'sthlm_vpn'

config rule
option name 'Allow-ICMPv6-Guest'
option src 'guest'
option proto 'icmp'
option family 'ipv6'
option target 'ACCEPT'

===== network config =====

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '...'

config globals 'globals'
option ula_prefix '***::/48'
option packet_steering '2'
option steering_flows '128'
option dhcp_default_duid '00042dd21d271f624cdbbda4fb3ba54dd3a4'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.46.1'
option netmask '..**.'
option ip6assign '64'
option multipath 'off'
list ip6class 'wan6'
option ip6hint '1'

config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option ipv6 '1'
option dns_metric '10'
option multipath 'off'
option peerdns '0'

config interface 'wan6'
option device '
'
option proto 'dhcpv6'
option reqaddress 'force'
option reqprefix 'auto'
option multipath 'off'
option norelease '0'

config interface 'TRB140'
option proto 'static'
option device '
'
option ipaddr '192.168.25.2'
option netmask '..**.'

config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'

config interface 'guest'
option proto 'static'
option device 'br-guest'
option ipaddr '192.168.2.1'
option netmask '..**.'
option multipath 'off'
option ip6assign '64'
option ip6hint '2'

config interface 'tun21'
option proto 'none'
option device 'tun21'

config interface 'wgserver'
option proto 'wireguard'
option private_key '*****************************************'
option listen_port '56468'
list addresses '172.22.28.1/24'
list addresses '::1/64'
option multipath 'off'

config wireguard_wgserver
option description 'johan24'
option public_key ''
option private_key ''
option preshared_key '*****************************************'
list allowed_ips '172.22.28.2/32'
list allowed_ips '::2/128'
option endpoint_port '56468'
option persistent_keepalive '25'
option route_allowed_ips '1'

config wireguard_wgserver
option description 'johanlaptop'
option public_key ''
option private_key ''
option preshared_key '*****************************************'
list allowed_ips '172.22.28.3/32'
list allowed_ips '::3/128'
option route_allowed_ips '1'
option endpoint_port '56468'
option persistent_keepalive '25'

config wireguard_wgserver
option description 'johanpc'
option public_key ''
option private_key ''
option preshared_key '*****************************************'
option route_allowed_ips '1'
option endpoint_port '56468'
option persistent_keepalive '25'
list allowed_ips '172.22.28.4/32'
list allowed_ips '::4/128'

config wireguard_wgserver
option description 'rt-ax86u'
option public_key ''
option private_key ''
option preshared_key '*****************************************'
list allowed_ips '172.22.28.5/32'
list allowed_ips '::5/128'
option route_allowed_ips '1'
option endpoint_port '56468'
option persistent_keepalive '25'

config wireguard_wgserver
option description 'reserv1'
option public_key ''
option private_key ''
option preshared_key '*****************************************'
list allowed_ips '172.22.28.6/32'
list allowed_ips '::6/128'
option route_allowed_ips '1'
option endpoint_port '56468'
option persistent_keepalive '25'

config interface 'USBWAN'
option proto 'dhcp'
option device 'usb0'
option dns_metric '40'
option multipath 'off'
option auto '0'

config interface 'GLMT6000'
option proto 'none'
option device 'tun10'

config interface 'wgc_vpn10'
option proto 'wireguard'
option private_key '*****************'
list addresses '172.16.193.37/32'
list addresses '/128'
list dns '...'
list dns '...'
list dns '::1'
list dns '::1'
option multipath 'off'

config wireguard_wgc_vpn10
option description 'wireguard_vpn10'
option public_key ''
option private_key ''
option endpoint_host '..***.*.'
option endpoint_port '9929'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option route_allowed_ips '0'

config interface 'sthlm_vpn'
option proto 'none'
option device 'tun11'

config route
option interface 'lan'
option type 'local'
option target '192.168.50.0/24'
option gateway '10.8.44.1'

===== pbr config =====

config pbr 'config'
option enabled '1'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'dnsmasq.nftset'
list resolver_instance '*'
option ipv6_enabled '1'
option rule_create_option 'add'
option procd_boot_trigger_delay '5000'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
option nft_rule_counter '1'
option nft_set_auto_merge '1'
option nft_set_counter '1'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
option config_compat '25'
option config_version '1.2.2-r12'
option uplink_ip_rules_priority '30000'
list ignored_interface 'tun21'

config include
option path '/usr/share/pbr/pbr.user.dnsprefetch'
option enabled '0'

config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'

config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'

config dns_policy
option name 'Redirect Local IP DNS'
option src_addr '192.168.1.5'
option dest_dns '...'
option enabled '0'

config policy
option name 'Ignore Local Requests'
option interface 'ignore'
option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
option enabled '0'

config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'

config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'

config policy
option name 'Johan-PC-vpn'
option interface 'sthlm_vpn'
option src_addr '192.168.46.133'

config dns_policy
option name 'Redirect Local IP DNS'
option src_addr '@br-lan'
option dest_dns '..*.* ***:1'
option dest_dns_port '53'
option enabled '0'

config dns_policy
option name 'vpn-dns'
option src_addr '***'
option dest_dns 'sthlm_vpn'
option dest_dns_port '53'
option enabled '0'

===== ubus call system board =====
{
"kernel": "6.12.74",
"hostname": "Defcon",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "25.12.2",
"firmware_url": "https://downloads.openwrt.org/",
"revision": "r32802-f505120278",
"target": "mediatek/filogic",
"description": "OpenWrt 25.12.2 r32802-f505120278",
"builddate": "1774469393"
}
}

===== /etc/init.d/pbr restart =====
Forwarding is disabled
Resetting routing [✓]
Resetting resolver [✓]
pbr 1.2.2-r12 (fw4 nft file mode) stopped [✓]
Processing environment (on_start) [✓]
Setting up routing for 'wan/eth1/100.69.0.1/fe80::a67b:2cff:fe9e:ea01' [✓]
Setting up routing for 'wan6/100.69.117.12
192.168.25.2/fe80::a67b:2cff:fe9e:ea01' [✓]
Setting up routing for 'GLMT6000/tun10/10.8.44.2/::/0' [✓]
Setting up routing for 'wgc_vpn10/172.16.193.37/fd00:0:1337:cafe:1111:1111:505:387e/128' [✓]
Setting up routing for 'sthlm_vpn/tun11/10.129.1.112/2a07:a880:4601:1082:a5ba:e2ef:b725:826b/64' [✓]
Routing 'Johan-PC-vpn' via sthlm_vpn [✓]
Installing fw4 nft file [✓]
Setting interface trigger for wan [✓]
Setting interface trigger for wan6 [✓]
Setting interface trigger for GLMT6000 [✓]
Setting interface trigger for wgc_vpn10 [✓]
Setting interface trigger for sthlm_vpn [✓]
pbr 1.2.2-r12 monitoring interfaces: wan wan6 GLMT6000 wgc_vpn10 sthlm_vpn
Forwarding is enabled
pbr 1.2.2-r12 started with gateways:
wan/eth1/100.69.0.1/fe80::a67b:2cff:fe9e:ea01 [✓]
wan6/100.69.117.12
192.168.25.2/fe80::a67b:2cff:fe9e:ea01
GLMT6000/tun10/10.8.44.2/::/0
wgc_vpn10/172.16.193.37/fd00:0:1337:cafe:1111:1111:505:387e/128
sthlm_vpn/tun11/10.129.1.112/2a07:a880:4601:1082:a5ba:e2ef:b725:826b/64

===== /etc/init.d/pbr status (after restart) =====

pbr - environment
pbr 1.2.2-r12 on OpenWrt 25.12.2 r32802-f505120278.
Uplink (IPv4): wan/eth1/100.69.0.1.
Uplink (IPv6): wan6/eth1/fe80::a67b:2cff:fe9e:ea01.

Dnsmasq version 2.91  Copyright (c) 2000-2025 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_dstnat {}
add chain inet fw4 pbr_forward {}
add chain inet fw4 pbr_output {}
add chain inet fw4 pbr_prerouting {}

add rule inet fw4 dstnat jump pbr_dstnat
add rule inet fw4 mangle_prerouting jump pbr_prerouting
add rule inet fw4 mangle_output jump pbr_output
add rule inet fw4 mangle_forward jump pbr_forward

add rule inet fw4 pbr_forward counter meta mark & 0x00ff0000 != 0 return
add rule inet fw4 pbr_output counter meta mark & 0x00ff0000 != 0 return
add rule inet fw4 pbr_prerouting counter meta mark & 0x00ff0000 != 0 return
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 counter meta mark set (meta mark & 0xff00ffff) | 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 counter meta mark set (meta mark & 0xff00ffff) | 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add chain inet fw4 pbr_mark_0x030000
add rule inet fw4 pbr_mark_0x030000 counter meta mark set (meta mark & 0xff00ffff) | 0x030000
add rule inet fw4 pbr_mark_0x030000 return
add chain inet fw4 pbr_mark_0x040000
add rule inet fw4 pbr_mark_0x040000 counter meta mark set (meta mark & 0xff00ffff) | 0x040000
add rule inet fw4 pbr_mark_0x040000 return
add rule inet fw4 pbr_prerouting ip saddr { 192.168.46.133 } counter goto pbr_mark_0x040000 comment "Johan-PC-vpn"

pbr chains - policies
chain pbr_forward { # handle 867
counter packets 33 bytes 15971 meta mark & 0x00ff0000 != 0x00000000 return # handle 2359
}
chain pbr_output { # handle 868
counter packets 53 bytes 8229 meta mark & 0x00ff0000 != 0x00000000 return # handle 2360
}
chain pbr_prerouting { # handle 869
counter packets 44 bytes 16411 meta mark & 0x00ff0000 != 0x00000000 return # handle 2361
ip saddr 192.168.46.133 counter packets 11 bytes 440 goto pbr_mark_0x040000 comment "Johan-PC-vpn" # handle 2370
}
chain pbr_dstnat { # handle 866
}

pbr chains - marking
chain pbr_mark_0x010000 { # handle 877
counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 2362
return # handle 2363
}
chain pbr_mark_0x020000 { # handle 880
counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2364
return # handle 2365
}
chain pbr_mark_0x030000 { # handle 883
counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 2366
return # handle 2367
}
chain pbr_mark_0x040000 { # handle 886
counter packets 14 bytes 560 meta mark set meta mark & 0xff04ffff | 0x00040000 # handle 2368
return # handle 2369
}

pbr nft sets

pbr tables & routing
IPv4 table main routes:
default via 100.69.0.1 dev eth1 proto static src 100.69.117.12
10.8.42.0/24 dev tun21 proto kernel scope link src 10.8.42.1
10.8.44.0/24 dev tun10 proto kernel scope link src 10.8.44.2
10.129.0.0/22 dev tun11 proto kernel scope link src 10.129.1.112
46.227.67.134 dev tun11 scope link
100.69.0.0/17 dev eth1 proto kernel scope link src 100.69.117.12
172.22.28.0/24 dev wgserver proto kernel scope link src 172.22.28.1
172.22.28.2 dev wgserver proto static scope link
172.22.28.3 dev wgserver proto static scope link
172.22.28.4 dev wgserver proto static scope link
172.22.28.5 dev wgserver proto static scope link
172.22.28.6 dev wgserver proto static scope link
192.165.9.158 dev tun11 scope link
192.168.2.0/24 dev br-guest proto kernel scope link src 192.168.2.1
192.168.25.0/24 dev eth1 proto kernel scope link src 192.168.25.2
192.168.46.0/24 dev br-lan proto kernel scope link src 192.168.46.1
192.168.50.0/24 via 10.8.44.1 dev tun10 metric 500
217.64.148.51 via 100.69.0.1 dev eth1 proto static
IPv4 table main rules:
29995:      from all lookup main suppress_prefixlength 1
32766:      from all lookup main

IPv6 table main routes:
default from 2001:9b0:41::5f0b:2ec5 via fe80::a67b:2cff:fe9e:ea01 dev eth1 proto static metric 512 pref medium
default from 2001:9b1:df8:eb00::/56 via fe80::a67b:2cff:fe9e:ea01 dev eth1 proto static metric 512 pref medium
2001:67c:750:1:cafe:cd45:0:1 dev tun11 metric 1024 pref medium
2001:9b1:df8:eb01::/64 dev br-lan proto static metric 1024 pref medium
2001:9b1:df8:eb02::/64 dev br-guest proto static metric 1024 pref medium
unreachable 2001:9b1:df8:eb00::/56 dev lo proto static metric 2147483647 pref medium
2a07:a880:4601:1082::/64 dev tun11 proto kernel metric 256 pref medium
2a07:a880:4601:10f0:cd45::1 dev tun11 metric 1024 pref medium
fd00:0:1337:cafe:1111:1111:505:387e dev wgc_vpn10 proto kernel metric 256 pref medium
fd42:4242:4242::/64 dev tun21 proto kernel metric 256 pref medium
fd65:35f6:a308:2::/64 dev br-guest proto static metric 1024 pref medium
unreachable fd65:35f6:a308::/48 dev lo proto static metric 2147483647 pref medium
fda9:65bd:f903::2 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::3 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::4 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::5 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::6 dev wgserver proto static metric 1024 pref medium
fda9:65bd:f903::/64 dev wgserver proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev tun21 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
fe80::/64 dev ifb4eth1 proto kernel metric 256 pref medium
fe80::/64 dev tun10 proto kernel metric 256 pref medium
fe80::/64 dev tun11 proto kernel metric 256 pref medium
IPv6 table main rules:
29995:      from all lookup main suppress_prefixlength 1
32766:      from all lookup main

IPv4 table 256 (pbr_wan) routes:
default via 100.69.0.1 dev eth1
IPv4 table 256 (pbr_wan) rules:
29996:      from all sport 56468 lookup pbr_wan
30000:      from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv6 table 256 routes:
default via fe80::a67b:2cff:fe9e:ea01 dev eth1 metric 128 pref medium
IPv6 table 256 rules:
29996:      from all sport 56468 lookup pbr_wan
30000:      from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 (pbr_GLMT6000) routes:
default via 10.8.44.2 dev tun10
IPv4 table 257 (pbr_GLMT6000) rules:
29999:      from all fwmark 0x20000/0xff0000 lookup pbr_GLMT6000

IPv6 table 257 routes:
default dev tun10 metric 128 pref medium
IPv6 table 257 rules:
29999:      from all fwmark 0x20000/0xff0000 lookup pbr_GLMT6000

IPv4 table 258 (pbr_wgc_vpn10) routes:
default via 172.16.193.37 dev wgc_vpn10
IPv4 table 258 (pbr_wgc_vpn10) rules:
29998:      from all fwmark 0x30000/0xff0000 lookup pbr_wgc_vpn10

IPv6 table 258 routes:
default dev wgc_vpn10 metric 128 pref medium
IPv6 table 258 rules:
29998:      from all fwmark 0x30000/0xff0000 lookup pbr_wgc_vpn10

IPv4 table 259 (pbr_sthlm_vpn) routes:
default via 10.129.1.112 dev tun11
IPv4 table 259 (pbr_sthlm_vpn) rules:
29997:      from all fwmark 0x40000/0xff0000 lookup pbr_sthlm_vpn

IPv6 table 259 routes:
default dev tun11 metric 128 pref medium
IPv6 table 259 rules:
29997:      from all fwmark 0x40000/0xff0000 lookup pbr_sthlm_vpn

Correct me if I am wrong but it looks like this
Your default route is via the WAN but your default DNS is via the VPN with DNS server 192.165.9.158

You want your LAN (br-lan) to have DNS server via your wan and therefore have a DNS policy for that and that looks OK

You have one LAN client 192.168.46.133 which you want to use the VPN ( Sthlmovpn/tun11)
that also looks OK

You want this same LAN client to use the VPN DNS server and that is not OK.
You set the interface as DNS server option dest_dns 'sthlm_vpn' but there is no DNS server added to the interface so that is not working.
You can add the DNS server to the interface as outlined in my earlier instructions but better is to just specify its IP address so as destination use 192.165.9.158 instead of sthlm_vpn

Furthermore the LAN client is part of br-lan and, as already outlined earlier, the order of the rules matters: the first rule wins, so you have to move the vpn-dns rule up (in the GUI you can move the rule).

So the rule should look like this and must come as first DNS policy:

config dns_policy
option name 'vpn-dns'
option src_addr '192.168.46.133'
option dest_dns '192.165.9.158'
option dest_dns_port '53'
option enabled '1'

Edit: as you only use IPv4 you might have IPv6 leakage; test with ipleak.net, and if you have a leak use the MAC address of 192.168.46.133 instead of that IP address.
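A small checker, added here as an illustration and not part of this thread or of the pbr package, that applies the two points made above to UCI text: the first matching dns_policy wins, and a dest_dns that names an interface only yields DNS servers if that interface carries `list dns` entries. The snippets, the 192.168.46.133 source and the `@br-lan` to 192.168.46.0/24 mapping are constructed to mirror the dumps in this thread.

```python
import ipaddress
import re

# Constructed UCI snippets shaped like the thread's dumps (not the poster's real files): the
# '@br-lan' policy precedes vpn-dns, and sthlm_vpn is a proto 'none' interface with no 'list dns'.
PBR_CONF = """
config dns_policy
    option name 'Redirect Local IP DNS'
    option src_addr '@br-lan'
    option dest_dns '192.168.46.1'
    option enabled '1'

config dns_policy
    option name 'vpn-dns'
    option src_addr '192.168.46.133'
    option dest_dns 'sthlm_vpn'
    option enabled '1'
"""
NETWORK_CONF = """
config interface 'sthlm_vpn'
    option proto 'none'
    option device 'tun11'
"""
# Assumed device -> subnet mapping so an '@br-lan' source can be tested against a client IP.
DEVICE_SUBNETS = {"br-lan": "192.168.46.0/24"}


def parse_uci(text):
    """Parse UCI text into [(type, name, opts)] in file order; 'list' keys hold Python lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][2]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections


def first_matching_policy(pbr, client_ip, device_subnets):
    """pbr walks dns_policy sections in file order; the first enabled one covering the client wins."""
    ip = ipaddress.ip_address(client_ip)
    for stype, _, opts in pbr:
        if stype != "dns_policy" or opts.get("enabled", "1") != "1":
            continue
        for src in opts.get("src_addr", "").split():
            net = device_subnets.get(src[1:]) if src.startswith("@") else src
            try:
                if net and ip in ipaddress.ip_network(net, strict=False):
                    return opts.get("name")
            except ValueError:
                continue  # a MAC address source cannot be matched from an IP alone
    return None


def resolve_dest_dns(pbr, network, policy_name):
    """DNS servers a policy hands out: a literal IP, or the interface's 'list dns' (empty if none)."""
    policy = next(o for t, _, o in pbr if t == "dns_policy" and o.get("name") == policy_name)
    dest = policy.get("dest_dns", "")
    try:
        return [str(ipaddress.ip_address(dest))]
    except ValueError:
        pass
    for stype, name, opts in network:
        if stype == "interface" and name == dest:
            return list(opts.get("dns", []))
    return []


def move_policy_first(pbr, policy_name):
    """Copy with the named dns_policy placed before all other dns_policy sections (the GUI 'move up')."""
    target = [s for s in pbr if s[0] == "dns_policy" and s[2].get("name") == policy_name]
    rest = [s for s in pbr if not any(s is t for t in target)]
    first = next((i for i, s in enumerate(rest) if s[0] == "dns_policy"), len(rest))
    return rest[:first] + target + rest[first:]
```

Run `first_matching_policy(parse_uci(PBR_CONF), "192.168.46.133", DEVICE_SUBNETS)` before and after `move_policy_first(..., "vpn-dns")` to see the br-lan policy shadowing the client rule, and `resolve_dest_dns` to see why `sthlm_vpn` as dest_dns yields no servers.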

Sorry, I don't get it. :roll_eyes:

I have PC 192.168.46.133 on VPN (Sthlmovpn/tun11) and it uses DNS from the VPN provider (46.227.67.134, 192.165.9.158, 2a07:a880:4601:10f0:cd45::1, 2001:67c:750:1:cafe:cd45::1) through the ovpn-update-resolv-9 script.

Then my phone 192.168.46.199 should use DNS from the ISP (213.80.98.2, 213.80.101.3, 2001:9b0::53:1, 2001:9b0::53:2).

I'm using both ipv4 and ipv6.

Then if new clients connect to wifi/LAN they should be given the WAN address.

The problem seems to be that I can't have VPN and WAN on the same subnet 192.168.46.xxx.