I just can't seem to get the openvpn client with PBR to work. I have a multi-WAN load-balancing setup with mwan3. I do not want my openvpn client to be the default route for all my networks, so I have created a new interface called openvpnclient on the tun0 device, which is connected to my Nord VPN Server.
I have 3 VLANs in my router: VLAN 10, 20 and 30. VLANs 10 and 20 are on the lan and guest interfaces respectively, and 30 is on the vpn interface. I want ONLY the clients on VLAN 30 on the vpn interface to use the openvpn client tunnel. VLANs 10 and 20 on interfaces lan and guest must route directly on my multi-WAN interface through mwan3.
In my openvpn client config file, which I imported, I have the following additional lines at the end of the file so as not to redirect the default gateway:
pull-filter ignore redirect-gateway
route-nopull
My PBR config file is as follows:
config pbr 'config'
option enabled '1'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'none'
list resolver_instance '*'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_boot_delay '0'
option procd_reload_delay '1'
option webui_show_ignore_target '1'
option nft_rule_counter '0'
option nft_set_auto_merge '1'
option nft_set_counter '0'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list supported_interface 'openvpnclient'
config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.wg_server_and_client'
option enabled '0'
config dns_policy
option name 'Redirect Local IP DNS'
option src_addr '192.168.1.5'
option dest_dns '1.1.1.1'
option enabled '0'
config policy
option name 'Ignore Local Requests'
option interface 'ignore'
option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
option enabled '0'
config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'
config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'
config policy
option name 'Route-vpn-to-openvpnclient'
option src_addr '192.168.20.0/24'
option dest_addr '0.0.0.0/0'
option interface 'openvpnclient'
As you can see, the rule I've defined for routing my vpn interface through the openvpnclient is called 'Route-vpn-to-openvpnclient' and I've also included the 'openvpnclient' interface in the supported interface section of PBR.
Why is this config not working? I have a Wifi SSID called 'OpenWrt-VPN-5GHz' on the 5GHz radio attached to the vpn interface. When I connect to this network and check whatismyip.com, I still see the IP of my wan interfaces configured, not the Nord VPN Server IP.
Disabled PBR, added openvpnclient interface, added corresponding member, policy and rule. The rule is moved to the top to match first. Still not routing through the VPN gateway.
config pbr 'config'
option enabled '0'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'none'
list resolver_instance '*'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_boot_delay '0'
option procd_reload_delay '1'
option webui_show_ignore_target '1'
option nft_rule_counter '0'
option nft_set_auto_merge '1'
option nft_set_counter '0'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list supported_interface 'openvpnclient'
config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.wg_server_and_client'
option enabled '0'
config dns_policy
option name 'Redirect Local IP DNS'
option src_addr '192.168.1.5'
option dest_dns '1.1.1.1'
option enabled '0'
config policy
option name 'Ignore Local Requests'
option interface 'ignore'
option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
option enabled '0'
config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'
config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'
root@OpenWrt:~# cat /etc/config/mwan3
config globals 'globals'
option mmx_mask '0x3F00'
config interface 'wan'
option enabled '1'
list track_ip '1.0.0.1'
list track_ip '1.1.1.1'
list track_ip '208.67.222.222'
list track_ip '208.67.220.220'
option family 'ipv4'
option reliability '2'
config interface 'wan6'
option enabled '0'
list track_ip '2606:4700:4700::1001'
list track_ip '2606:4700:4700::1111'
list track_ip '2620:0:ccd::2'
list track_ip '2620:0:ccc::2'
option family 'ipv6'
option reliability '2'
config interface 'wanb'
option enabled '1'
list track_ip '1.0.0.1'
list track_ip '1.1.1.1'
list track_ip '208.67.222.222'
list track_ip '208.67.220.220'
option family 'ipv4'
option reliability '2'
option initial_state 'online'
option track_method 'ping'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
config interface 'wanb6'
option enabled '1'
list track_ip '2606:4700:4700::1001'
list track_ip '2606:4700:4700::1111'
list track_ip '2620:0:ccd::2'
list track_ip '2620:0:ccc::2'
option family 'ipv6'
option reliability '2'
option initial_state 'online'
option track_method 'ping'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
config member 'wan_m1_w3'
option interface 'wan'
option metric '1'
option weight '3'
config member 'wan_m2_w3'
option interface 'wan'
option metric '2'
option weight '3'
config member 'wanb_m1_w2'
option interface 'wanb'
option metric '1'
option weight '2'
config member 'wanb_m1_w3'
option interface 'wanb'
option metric '1'
option weight '3'
config member 'wanb_m2_w2'
option interface 'wanb'
option metric '2'
option weight '2'
config member 'wan6_m1_w3'
option interface 'wan6'
option metric '1'
option weight '3'
config member 'wan6_m2_w3'
option interface 'wan6'
option metric '2'
option weight '3'
config member 'wanb6_m1_w2'
option interface 'wanb6'
option metric '1'
option weight '2'
config member 'wanb6_m1_w3'
option interface 'wanb6'
option metric '1'
option weight '3'
config member 'wanb6_m2_w2'
option interface 'wanb6'
option metric '2'
option weight '2'
config policy 'wan_only'
list use_member 'wan_m1_w3'
list use_member 'wan6_m1_w3'
config policy 'wanb_only'
list use_member 'wanb_m1_w2'
list use_member 'wanb6_m1_w2'
config policy 'balanced'
option last_resort 'default'
list use_member 'wan_m1_w3'
list use_member 'wanb_m1_w3'
config policy 'wan_wanb'
list use_member 'wan_m1_w3'
list use_member 'wanb_m2_w2'
list use_member 'wan6_m1_w3'
list use_member 'wanb6_m2_w2'
config policy 'wanb_wan'
list use_member 'wan_m2_w3'
list use_member 'wanb_m1_w2'
list use_member 'wan6_m2_w3'
list use_member 'wanb6_m1_w2'
config rule 'vpn_client_rule'
option family 'ipv4'
option proto 'all'
option src_ip '192.168.20.0/24'
option dest_ip '0.0.0.0/0'
option sticky '0'
option use_policy 'openvpnclient_only'
config rule 'https'
option sticky '1'
option dest_port '443'
option proto 'tcp'
option use_policy 'balanced'
option family 'ipv4'
config rule 'default_rule_v4'
option dest_ip '0.0.0.0/0'
option use_policy 'balanced'
option family 'ipv4'
option proto 'all'
option sticky '0'
config policy 'wanb6_only'
list use_member 'wanb6_m1_w3'
option last_resort 'default'
config rule 'default_rule_v6'
option family 'ipv6'
option proto 'all'
option sticky '0'
option use_policy 'wanb6_only'
option dest_ip '::/0'
config interface 'openvpnclient'
option enabled '1'
option initial_state 'online'
option family 'ipv4'
list track_ip '10.100.0.1'
list track_ip '1.1.1.1'
list track_ip '8.8.8.8'
option track_method 'ping'
option reliability '2'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
config member 'openvpnclient_m1_w3'
option interface 'openvpnclient'
option metric '1'
option weight '3'
config policy 'openvpnclient_only'
list use_member 'openvpnclient_m1_w3'
option last_resort 'blackhole'
Thank you so much, that seems to have resolved it. It was the policy and rule name character length issue. After they were reduced to less than or equal to 15 characters, it seems to be working.
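A quick way to catch the cause found above (mwan3 policy and rule section names longer than 15 characters) before reloading mwan3. This is an added example, not code from the thread or from mwan3; the UCI parser and the sample input (a constructed excerpt of the mwan3 config posted above) are mine, and the dangling-reference check is an extra sanity check that the thread does not mention.

```python
import re

# Limit the thread found for mwan3 policy and rule section names.
MAX_NAME_LEN = 15

# Constructed sample: an excerpt of the mwan3 config posted in this thread.
SAMPLE_MWAN3 = """
config policy 'balanced'
    option last_resort 'default'
    list use_member 'wan_m1_w3'
config rule 'vpn_client_rule'
    option src_ip '192.168.20.0/24'
    option use_policy 'openvpnclient_only'
config member 'openvpnclient_m1_w3'
    option interface 'openvpnclient'
config policy 'openvpnclient_only'
    list use_member 'openvpnclient_m1_w3'
    option last_resort 'blackhole'
"""

# `config <type> ['<name>']` and `option <key> '<value>'` lines of UCI syntax.
SECTION_RE = re.compile(r"^\s*config\s+(\w+)(?:\s+'([^']*)')?\s*$")
OPTION_RE = re.compile(r"^\s*option\s+(\w+)\s+'([^']*)'\s*$")

def parse_uci(text):
    """Return a list of (section_type, section_name, {option: value}) tuples."""
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            sections[-1][2][m.group(1)] = m.group(2)
    return sections

def overlong_names(text, section_types=("policy", "rule"), limit=MAX_NAME_LEN):
    """Return [(type, name, length)] for named sections exceeding the limit."""
    return [(t, n, len(n)) for t, n, _ in parse_uci(text)
            if t in section_types and n and len(n) > limit]

def dangling_policy_refs(text):
    """Return rule names whose use_policy matches no policy section."""
    sections = parse_uci(text)
    policies = {n for t, n, _ in sections if t == "policy"}
    return [n for t, n, opts in sections
            if t == "rule" and opts.get("use_policy") not in policies]
```

Run it over the contents of /etc/config/mwan3; in the sample, 'openvpnclient_only' (18 characters) is the only policy or rule name over the limit, while 'vpn_client_rule' is exactly 15 and passes.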
OK, maybe "never" is an exaggeration, maybe I should have said "never works as expected", but either way it's a total mess:
root@MikroTik:~# ip ru
0: from all lookup local
1001: from all iif wan.2 lookup 1
1002: from all iif lan5 lookup 2
2001: from all fwmark 0x100/0x3f00 lookup 1
2002: from all fwmark 0x200/0x3f00 lookup 2
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
3001: from all fwmark 0x100/0x3f00 unreachable
3002: from all fwmark 0x200/0x3f00 unreachable
29998: from all fwmark 0x20000/0xff0000 lookup pbr_wan2
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766: from all lookup main
32767: from all lookup default
Dealing with this would require a comprehensive understanding of networking.
In this particular case, several rules must be created to exclude the specific subnet from mwan3 processing so that pbr can also be used. Is it worth it?
And believe me, I always suggest pbr over mwan3 (because of the native support for nftables), but there is a load balancing requirement here...
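To make the ordering problem in the `ip ru` output concrete, here is an added example (not from the post) that parses that output and reports which rule a forwarded packet with a given fwmark hits first. The mark values 0x100 (mwan3, mask 0x3f00) and 0x10000 (pbr, mask 0xff0000) are read off the quoted rules; the assumption that `lookup local` falls through for forwarded traffic is mine and noted in the code.

```python
import re

# Constructed sample: the `ip ru` output quoted in the post above.
IP_RULE_OUTPUT = """\
0: from all lookup local
1001: from all iif wan.2 lookup 1
1002: from all iif lan5 lookup 2
2001: from all fwmark 0x100/0x3f00 lookup 1
2002: from all fwmark 0x200/0x3f00 lookup 2
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
3001: from all fwmark 0x100/0x3f00 unreachable
3002: from all fwmark 0x200/0x3f00 unreachable
29998: from all fwmark 0x20000/0xff0000 lookup pbr_wan2
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766: from all lookup main
32767: from all lookup default
"""

RULE_RE = re.compile(
    r"^(\d+):\s+from all(?:\s+iif\s+(\S+))?"
    r"(?:\s+fwmark\s+(0x[0-9a-fA-F]+)(?:/(0x[0-9a-fA-F]+))?)?"
    r"\s+(lookup\s+\S+|blackhole|unreachable)$")

def parse_rules(text):
    """Parse `ip rule` lines into (prio, iif, mark, mask, action) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: " + line)
        prio, iif, mark, mask, action = m.groups()
        mark = int(mark, 16) if mark else None
        mask = int(mask, 16) if mask else 0xFFFFFFFF   # bare fwmark = full mask
        rules.append((int(prio), iif, mark, mask, action))
    return sorted(rules, key=lambda r: r[0])

def first_hit(rules, fwmark, iif=None):
    """Return (prio, action) of the first rule a forwarded packet matches.
    Assumption: `lookup local` is skipped, since that table only holds
    local-delivery routes and the kernel falls through for forwarded traffic."""
    for prio, r_iif, mark, mask, action in rules:
        if r_iif is not None and r_iif != iif:
            continue
        if mark is not None and (fwmark & mask) != mark:
            continue
        if action == "lookup local":
            continue
        return prio, action
    return None

MWAN3_WAN = 0x100    # mwan3 mark for its first interface (mask 0x3f00)
PBR_WAN = 0x10000    # pbr mark for table pbr_wan (mask 0xff0000)
```

A packet carrying only the pbr mark reaches rule 30000 and is routed by pbr_wan, but one that mwan3 has also marked is caught by rule 2001 and never gets there, which is why the subnet has to be kept out of mwan3's marking for pbr to take effect.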