Pbr Processing Domains

Local Credit Union will not render my Accounts page with VPN active.

Added a pbr entry to route through the WAN using the two CU domains, and it still won't render unless I remove the domains in pbr and set my local IP to bypass the VPN by default (no IPs or domains).

So I assume it's not processing the domains to bypass VPN and go to WAN.

Before I can help, please send the output of the following commands:

PBR:
cat /etc/config/pbr

/etc/init.d/pbr version

Network:
cat /etc/config/network

System board:
ubus call system board

Make sure that you use the main router's IP as DNS, and also make sure the browser does not have an internal resolver with DoH (they also call this secure DNS); turn it off.

pbr 1.2.0-r6

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.110",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.4",
		"revision": "r28959-29397011cc",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.4 r28959-29397011cc",
		"builddate": "1760891865"
	}
}

pbr:

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option rule_create_option 'add'
	option procd_boot_trigger_delay '5000'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
config policy
	option name 'ecu'
	option src_addr '192.168.1.10'
	option interface 'wan'
	option enabled '1'
	option dest_addr 'www.creditunion.org www.cu.org'

Network config works fine even with WireGuard.

I'm using podkop VLESS for VPN. I can access other URLs no problem; just online banking fails with the local CU. My other CU's online banking also works using the proxy (VPN) with no pbr bypass.

This can be an issue: if you remove the www in front, pbr will auto-wildcard to all subdomains as well. www is actually a subdomain itself, and it will fail if you visit these sites without it.

If done, please try on Windows:

ipconfig /flushdns

On browser/Chromium:

chrome://net-internals/, click on DNS and click on the button to reset DNS.


To test, do a traceroute creditunion.org from the router's command line to see if it goes via the WAN instead of the VPN. If it goes via the WAN but it still does not display, that could be because the DNS origin is still from the VPN.

Traceroute shows it going through the WAN. What's strange is, if I change the pbr policy and remove dest_addr so that 192.168.1.10 goes to the WAN for everything, the CU page works. It's only when I try to set the policy to go to specific domains that it fails.

I've tried with and without www and have left it without the subdomain.

No, that is not strange. It could be because the DNS is still using the VPN and they check the geographical origin of the DNS request and see that it is coming from another region.

You can have DNS resolving for those domains via another DNS server, which you also need to route via the WAN. See for an example:

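The setup the reply above describes (forward only the two CU domains to a separate resolver, and send that resolver's traffic out the WAN as well), written out as an added example. This is not configuration from the thread or from the pbr project. It reuses the two domains, the client address 192.168.1.10 and the 8.8.8.8 resolver that appear in the thread, assumes the stock OpenWrt dnsmasq section in /etc/config/dhcp, and assumes that pbr applies a policy without src_addr to the router's own lookups. The domains are written without www so that pbr and dnsmasq also match the subdomains, as pointed out earlier in the thread.

```uci
# /etc/config/dhcp: add these two lines to the existing "config dnsmasq" section.
# Only these domains go to 8.8.8.8; every other name keeps the normal upstream.
config dnsmasq
	list server '/creditunion.org/8.8.8.8'
	list server '/cu.org/8.8.8.8'

# /etc/config/pbr: the first policy routes traffic to the resolver itself out the
# WAN, so the lookups for the CU domains do not leave through the VPN (assumed to
# cover the router's own queries). The second policy is the domain bypass for the
# client, without www so subdomains match too.
config policy
	option name 'cu_dns'
	option dest_addr '8.8.8.8'
	option interface 'wan'
	option enabled '1'

config policy
	option name 'ecu'
	option src_addr '192.168.1.10'
	option dest_addr 'creditunion.org cu.org'
	option interface 'wan'
	option enabled '1'
```

After editing, restart both services (/etc/init.d/dnsmasq restart, then /etc/init.d/pbr restart) and check from the router with nslookup creditunion.org 127.0.0.1 and the traceroute suggested above. The LAN client must use the router as its only resolver, with the browser's secure DNS turned off as noted earlier, otherwise its lookups never reach this forwarding rule.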

Thanks for the advice. I tried the DNS forward using 8.8.8.8 and set a pbr policy to output that to the WAN. Flushed DNS (dnsmasq restart) and waited a few minutes. No joy; the CU still fails to render the account page.

I'm thinking to just enable a pbr policy to bypass the VPN whenever I need to access the CU, as the DNS forward and pbr domain policy don't seem to work.

Must have something to do with the VLESS proxy (sing-box). If I disable podkop and enable WireGuard on the wg interface (endpoint server in Tampa), I can access the CU and everything works going through the VPN without any DNS forwarding or pbr policies.