Policy-Based-Routing (pbr) package discussion

The old vpn-policy-routing thread grew too big and contains a lot of outdated information, now that pbr is available, so I've decided to start a new thread.

pbr is a next generation service supporting split-tunneling for multiple types of VPN tunnels (Openconnect, OpenVPN, PPTP and Wireguard), allowing you to create policies to use a designated VPN tunnel or WAN as a gateway. More information (requirements, full features list, etc.) on the service is available in the README.

Differences between pbr and vpn-policy-routing
Check the README Differences section.

Status of pbr on OpenWrt 23.05
Check the README OpenWrt 23.05-related section.

Status of pbr on OpenWrt 22.03
Check the README OpenWrt 22.03-related section.

How to install
Check README How To Install section.

Getting help
Check the README Getting Help section for details on what kind of information you need to provide to report bugs and/or request help troubleshooting setup.

The old thread which grew too long and has too much of the no longer relevant information is kept here.


With update to version pbr 0.9.9-1, the new luci-app-pbr 0.9.9-1 is required!

If you're using pbr on an x86_64 system, you can install the dnsmasq 2.87 from this post and test the pbr in the nft mode.

1 Like

The WebUI app (luci-app-pbr) version 0.9.9-3 has been converted to javascript.

Here's the current list of TODOs for the new luci app, so don't report these issues:

  1. Gateways are not shown at the top.
  2. If there were any errors during pbr last run, they are not shown at the top.
  3. Same goes for any warnings.
  4. The option to select resolver set support for domains is missing descriptions for options which are unavailable on the platform.

Made some progress in WebUI development in 0.9.9-4. The current issues are:

  • WebUI is not refreshed after button click. I hope to address it in the near future.
  • The option to select resolver set support for domains is missing descriptions for options which are unavailable on the platform.

Both pbr and luci-app-pbr have to be updated together for 0.9.9-4.


Some news for 0.9.9-5 (I bet you can tell I'm getting ready to send PR for version 1.0.0 ;)):

  • Implemented (hopefully, don't have the time to set up the test and there's not much interest from other users, but I didn't want my efforts to support it with iptables to go to waste) TOR support in nft. That achieves the feature parity in the iptables and nft supporting versions.
  • More progress on WebUI, the initial load may take longer due to 3 RPCD calls, but then the page renders with all the information at hand.

The only issue currently is:

  • WebUI is not refreshed after button click. I hope to address it in the near future.

Works like a charme, no issues what so ever. Update from version 0.9.9-2 to
On Openwrt 22.03.2

1 Like

Uppercase in any interfaces is making the last few builds not function properly.

The dropdowns in the luci app forces them to lowercase. The interfaces have some uppercase letters so pbr cannot find the interface because of the case.

I wish I could paste more but I have no laptop only on my phone.

I have to edit the pbr config manually to properly set the case.

Fixed in 0.9.9-6.

1 Like

they're all coming up as undefined now

all my tunnel interfaces are named like this



they were coming up fine on my end, unless the package was only partially updated I don't see how it could happen. I've bumped the version to 0.9.9-7 just in case, run opkg update on both packages.

Same problem here, when making a rule, al options are ' undefined'
Existing rules are fine, only happens on a new rule.

version 0.9.9-8

When I make the config in cli, it's fine. Shows ok in luci also after refresh.

opkg install --force-reinstall pbr luci-app-pbr didn't help

Changing an interface on an existing rule are all undefined too.

0.9.9-8 is okay now .. they all display correctly

Did a opkg remove --force-remove luci-app-pbr pbr


opkg update
opkg install pbr luci-app-pbr

No luck, still only option (on Luci) is "undefined'

Sadly, I can't reproduce to try to figure it out.

I feel it's RPCD not picking up the changes. I believe I've read that sometimes it's needed to restart (not reload) RPCD when installing/updating RPCD scripts, however RPCD restart will log you out of WebUI, which is bad user experience when installing packages from WebUI.

Please try running from shell:

rm -rf /var/luci-modulecache/; rm -f /var/luci-indexcache;
[ -x /etc/init.d/rpcd ] && /etc/init.d/rpcd restart;

And/or rebooting your router.

PS. Oh, the old webui javascript may be cached in your browser!!! If using chrome, open dev tools and in the dev tools settings, check "Disable cache (while DevTools is open)". Or open a new incognito window in whatever browser you use.

I'd appreciate more testing/feedback on the nft support in the pbr. I have a handful of policies, so would like larger testing. @d3adc0d3 already spotted a bug which will be fixed in upcoming 0.9.9-9.

Did run;

rm -rf /var/luci-modulecache/; rm -f /var/luci-indexcache;
[ -x /etc/init.d/rpcd ] && /etc/init.d/rpcd restart;

After disable cache (and in a incognito window) it works again. So a cache refresh problem I gues.

Yeah, I'm thinking it's more of a browser cache problem than anything else. I see why it's enabled for WebUI by default, but I don't understand why have a new file on the router doesn't trigger cache refresh.


I see in the scenario 2 wireguard example for PBR/vpn-policy-routing there are 2 interfaces, wg-server and wg-client. I am a bit confused why this is done. Can you explain a bit more about why this is necessary vs simply adding an interface with Protocol: WireGuard VPN as per docs?

You run the wg "client" on your router if you want traffic originating from your router to be encrypted/go thru the VPN tunnel.

You run the wg "server" on your router, if you want to be able to connect to your home network while away from home.

A lot of people have both and those are the scenarios where headaches occur, hence the examples.

PS. In reality, everything in wg is peers, there's no client or server, but it's way easier to use those definitions to express the intent of the peer.