The old vpn-policy-routing thread grew too big and contains a lot of outdated information, now that pbr is available, so I've decided to start a new thread.
pbr is a next generation service supporting split-tunneling for multiple types of VPN tunnels (Openconnect, OpenVPN, PPTP and Wireguard), allowing you to create policies to use a designated VPN tunnel or WAN as a gateway. More information (requirements, full features list, etc.) on the service is available in the README.
Getting help
Check the README Getting Help section for details on what kind of information you need to provide to report bugs and/or request help troubleshooting setup.
The old thread which grew too long and has too much of the no longer relevant information is kept here.
Some news for 0.9.9-5 (I bet you can tell I'm getting ready to send a PR for version 1.0.0 ;)):
Implemented TOR support in nft (hopefully; I don't have the time to set up the test and there's not much interest from other users, but I didn't want my efforts to support it with iptables to go to waste). That achieves feature parity between the iptables- and nft-supporting versions.
More progress on WebUI, the initial load may take longer due to 3 RPCD calls, but then the page renders with all the information at hand.
The only issue currently is:
WebUI is not refreshed after button click. I hope to address it in the near future.
Uppercase letters in any interface names are making the last few builds not function properly.
The dropdowns in the luci app force them to lowercase. The interfaces have some uppercase letters, so pbr cannot find the interface because of the case.
I wish I could paste more, but I have no laptop, only my phone.
I have to edit the pbr config manually to properly set the case.
They were coming up fine on my end; unless the package was only partially updated, I don't see how it could happen. I've bumped the version to 0.9.9-7 just in case; run opkg update on both packages.
I feel it's RPCD not picking up the changes. I believe I've read that sometimes it's necessary to restart (not reload) RPCD when installing/updating RPCD scripts; however, an RPCD restart will log you out of the WebUI, which is a bad user experience when installing packages from the WebUI.
PS. Oh, the old WebUI JavaScript may be cached in your browser!!! If using Chrome, open dev tools and in the dev tools settings, check "Disable cache (while DevTools is open)". Or open a new incognito window in whatever browser you use.
I'd appreciate more testing/feedback on the nft support in pbr. I only have a handful of policies, so I would like wider testing. @d3adc0d3 already spotted a bug which will be fixed in the upcoming 0.9.9-9.
Yeah, I'm thinking it's more of a browser cache problem than anything else. I see why it's enabled for the WebUI by default, but I don't understand why having a new file on the router doesn't trigger a cache refresh.
I see in the scenario 2 wireguard example for PBR/vpn-policy-routing there are 2 interfaces, wg-server and wg-client. I am a bit confused why this is done. Can you explain a bit more about why this is necessary vs simply adding an interface with Protocol: WireGuard VPN as per docs?
You run the wg "client" on your router if you want traffic originating from your router to be encrypted/go through the VPN tunnel.
You run the wg "server" on your router if you want to be able to connect to your home network while away from home.
A lot of people have both and those are the scenarios where headaches occur, hence the examples.
PS. In reality, everything in wg is peers, there's no client or server, but it's way easier to use those definitions to express the intent of the peer.
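As an added illustration of the two-interface layout described in the answer above (this is not the thread author's config nor the pbr project's own example), here are OpenWrt UCI fragments for a router that runs both a WireGuard "client" tunnel and a WireGuard "server" tunnel, with pbr policies that keep the two apart. Interface names use underscores (wg_client, wg_server) because UCI section names cannot contain hyphens; the keys, addresses, ports and host names are constructed placeholders, and the pbr policy options (interface, src_addr, src_port, proto, chain) are assumed from the pbr config format rather than copied from this thread.

```uci
# /etc/config/network  (added example; keys and addresses are constructed placeholders)

# wg_client: outbound tunnel to a remote VPN endpoint. Traffic should only use
# it when a pbr policy selects it, so the peer must NOT install the 0.0.0.0/0
# route itself (route_allowed_ips stays 0; pbr provides the routing instead).
config interface 'wg_client'
	option proto 'wireguard'
	option private_key 'CLIENT_PRIVATE_KEY_PLACEHOLDER'
	list addresses '10.64.0.2/32'

config wireguard_wg_client
	option public_key 'REMOTE_VPN_PUBLIC_KEY_PLACEHOLDER'
	option endpoint_host 'vpn.example.net'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '0'
	option persistent_keepalive '25'

# wg_server: listens on the WAN so road-warrior devices can reach the LAN.
# Its peers live in 192.168.200.0/24 and that route IS wanted locally, so
# route_allowed_ips is enabled for this peer.
config interface 'wg_server'
	option proto 'wireguard'
	option private_key 'SERVER_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '61820'
	list addresses '192.168.200.1/24'

config wireguard_wg_server
	option public_key 'ROAD_WARRIOR_PUBLIC_KEY_PLACEHOLDER'
	list allowed_ips '192.168.200.2/32'
	option route_allowed_ips '1'

# /etc/config/pbr  (assumed pbr policy syntax; policy names are constructed)

# Pin the server's own UDP replies (router-originated, hence the OUTPUT chain)
# to the WAN. Without this, a broad policy pointing at wg_client could send the
# handshake replies into the other tunnel and road-warrior peers would never
# connect.
config policy
	option name 'Local WireGuard server'
	option interface 'wan'
	option src_port '61820'
	option proto 'udp'
	option chain 'OUTPUT'

# Only one chosen LAN host goes out through the client tunnel; everything else,
# including the wg_server peers, keeps the WAN as its gateway.
config policy
	option name 'Media box via VPN'
	option interface 'wg_client'
	option src_addr '192.168.1.50'
```

The point to check after applying something like this is that the server tunnel's listen port is reachable from the WAN while the client tunnel is still only used by the hosts a policy names; `ip rule` and `ip route show table <n>` on the router will show the per-interface tables pbr creates, and a policy that accidentally matches the server's port is the usual cause of "road-warrior peers can't connect" reports.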