Policy-Based-Routing (pbr) package discussion

Reflash updated snapshot.

Hi!

On my OpenWrt RPi router I have installed and configured 2 WireGuard interfaces. One of them acts like a WireGuard client from azirevpn.
The other one is a WireGuard "server" and the goal is to connect to my Android phone through the WireGuard app, and have access to my home network from outside (world).
When I am connected to my home wifi I can establish a connection between the WireGuard server and my Android phone. However from outside I can't access my home network.
As I read, I need policy routing and for this purpose the PBR could be useful.

Can you give me any advice how to achieve that?

Many thanks.

Yes, start with the README.

Hi thanks to stangri and Community for bringing pbr package.

I am very new to OpenWrt and come from Windows. I have managed to set up openwrtx86 with the LuCI/Apps interface with a basic internet connection, with everything running over AirVPN WireGuard and some devices on pbr successfully, with the help of this guide.

I did read the readme a few times but it's a bit above my head with Linux lingo atm. I just wished to find out: is there a way I can select certain devices on my pbr to use a specific DNS?

Example:
CableTV box = ISP supplied DNS
Desktop PC = AirVPN supplied DNS

At the moment, from following that guide, I have 3 different DNS entries in
(LAN, WAN, DHCP and DNS sections), which oddly I have got running successfully, but all devices will detect either my public free DNS like 1.1.1.1 or my AirVPN DNS or ISP DNS, so I was wondering if there is an easier way to manage devices to use a strict single DNS?

The pbr service doesn't manage the DNS assignments to clients. For now you'd have to do it manually via tag or mac classifiers: https://openwrt.org/docs/guide-user/base-system/dhcp_configuration

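One way to do the per-device DNS assignment the reply above points at, as an added example that is not part of this thread or of the pbr project: dnsmasq tags in /etc/config/dhcp hand the cable TV box the ISP resolver via DHCP option 6 and the desktop the VPN resolver, while untagged hosts keep whatever the LAN interface advertises. The tag names, MAC addresses, lease IPs and resolver addresses are constructed placeholders.

```uci
# /etc/config/dhcp (fragment, constructed example)

# Tag carrying the ISP resolver as DHCP option 6 (domain-name-server).
# Replace 203.0.113.53 with the real ISP DNS address.
config tag 'ispdns'
	list dhcp_option '6,203.0.113.53'

# Tag carrying the VPN provider's resolver for devices routed over WireGuard.
config tag 'vpndns'
	list dhcp_option '6,198.51.100.53'

# Static lease for the cable TV box; the tag decides which option 6 it gets.
# MAC and IP are placeholders. Match the MAC to the pbr policy that routes
# this box via wan, so its DNS queries leave through the same path as its traffic.
config host
	option name 'cabletv'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.50'
	option tag 'ispdns'

# Desktop PC: routed through the VPN by pbr, so it gets the VPN resolver.
config host
	option name 'desktop'
	option mac '00:11:22:33:44:66'
	option ip '192.168.1.60'
	option tag 'vpndns'
```

Reload with `service dnsmasq reload` and renew the lease on each client; a device with a hard-coded resolver ignores option 6, so verify what it actually queries (for example with tcpdump on port 53) rather than trusting the lease.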

Thanks looks like it will be the ticket.

I did however come across this post here. I followed Neos fixed post suggestion of adding
6, followed by my ISP DNS, under Interface>LAN>DHCP server>DHCP-Options, and also Interfaces>WAN>Advanced settings>Use DNS servers advertised by peer>ticked,
saved it, rebooted it and restarted my WG interfaces, WAN, LAN interfaces several times, and it's spot on: no more DNS leaks, all devices that are meant to be on WG AirVPN use the correct VPN DNS and pbr devices also use the ISP DNS. It looks like I did not require to add 1.1.1.1 per the guide instructions for pbr.

I will give it a good testing over the next few weeks, if not will try to learn Tagging.


People who (still) use OpenVPN, could you please test pbr 1.1.0-3 and luci-app-pbr 1.1.0-3 from my repo?

Since OpenVPN is one of the more widely used VPN tunnels which is not netifd-compliant, it causes major headaches for fast restarts and single interface reloads. If the OpenVPN tunnel is incorrectly defined, the order of the tunnels can shift if one of the OpenVPN tunnels goes down. The version 1.1.0-3 shows an error message if it encounters an incorrectly defined OpenVPN tunnel.

If this works well, the next step is support for atomic nft, which would drastically change/improve overall efficiency.


Do you know what is going on?

root@OpenWrt:/tmp# ls
BF_MIMO_Ctrl_Field_Output.txt  hosts                          resolv.conf.d
TZ                             lib                            run
adb_runtime.json               lock                           shm
adblock-Backup                 log                            state
board.json                     luci-app-pbr_1.1.0-1_all.ipk   syscfg
cache                          luci-indexcache.c766b40c.json  sysinfo
dhcp.leases                    opkg-lists                     tmp
dnsmasq.d                      overlay                        usr
etc                            pbr_1.0.1-16_all.ipk           wireguard
extroot                        resolv.conf
root@OpenWrt:/tmp# opkg install pbr_1.0.1-16_all.ipk
Installing pbr (1.0.1-16) to root...
Configuring pbr.
Installing rc.d symlink for pbr... OK
ERROR: The pbr service is currently disabled!
root@OpenWrt:/tmp# 

TOR interface is not getting detected.

Policies with wg interface output through specific wan(2) interface don't work.

Hi, I noticed a pbr error I receive whenever I reboot my openwrtx86 router build.

It says Failed to set up WG/10; regardless of the error all pbr devices work correctly, i.e. ISP or WG, and so does the internet with no DNS leaks.

I have 2 WG interfaces under my interfaces tab, one is the primary and the 2nd is a backup in case the primary VPN should ever go down.

If I click the Restart button in pbr it fixes it to the right WG gateway though, with a tick. Can I just ignore this pbr gateway error since everything seems to work fine?

Is something unclear about the error message?

It's not the first time you've posted, you already know what to do, don't you?

The output of logread -epbr and service pbr info while in the error state would be super-helpful.

Could you please tell me, what do I have to do?

README Getting Help has information on what's needed from your system to provide any meaningful reply if it's a user error, or to be a starting point for a bug investigation.

I understand that. I'm afraid I would like to avoid posting any logs any more. I'm sorry.
It's just my feedback on what I have noticed so far. I've been waiting with this until you beautified things in pbr.

The TOR interface is also not getting detected in the web UI.

...
pbr.cfg176ff5.name=TOR validates as string with true
pbr.cfg176ff5.enabled is unset and defaults to bool 1
pbr.cfg176ff5.interface=tor validates as or(uci("network", "@interface"),"ignore") with false
pbr.cfg176ff5.proto is unset and defaults to or(string) (null)
pbr.cfg176ff5.chain is unset and defaults to or("", "forward", "input", "output", "prerouting", "postrouting", "FORWARD", "INPUT", "OUTPUT", "PREROUTING", "POSTROUTING") prerouting
pbr.cfg176ff5.src_addr is unset and defaults to list(neg(or(host,network,macaddr,string))) (null)
pbr.cfg176ff5.src_port is unset and defaults to list(neg(or(portrange,string))) (null)
...
Routing 'TOR' via  [✗]
...
ERROR: Failed to set up 'tor/53->9053/80,443->9040'!
ERROR: Policy 'TOR' has no assigned interface!

My config worked fine with vpn pbr 3.4.8, iptables, ipset and fw3. And I didn't change anything since then.

If you please could confirm that pbr is fully compatible with fw4, nftables, dnsmasq + nftset (no ipset, iptables packages installed). But as far as I can remember, I had the same issues with 22.03 + fw4 + dnsmasq + iptables/ipset.

If so, there might be an issue in pbr. Is there maybe any config for nftset in firewall missing?

I think TOR based policies never worked with fw4 so far.

But my 2nd and new problem with pbr is this


Thank you for doing troubleshooting for me!

Please update both pbr and luci-app-pbr to version 1.1.0-4 from my repo. It should get rid of the validation error, not sure what the issue is setting up TOR.

Can't help without details.

Thanks, I do apologise, I am new to OpenWrt so not sure how to do logread -epbr or service pbr info, but I gave it a shot below while the error message was loaded:

logread -epbr:

root@OpenWrt:~# logread -epbr
Wed Mar 1 19:10:16 2023 user.notice pbr: Reloading pbr due to includes of firewall
Wed Mar 1 19:10:16 2023 user.notice pbr: Reload on firewall action aborted: service not running.
Wed Mar 1 19:10:16 2023 user.notice pbr: service waiting for wan gateway...
Wed Mar 1 19:10:17 2023 user.notice pbr: service waiting for wan gateway...
Wed Mar 1 19:10:18 2023 user.notice pbr: service waiting for wan gateway...
Wed Mar 1 19:10:19 2023 user.notice pbr: service waiting for wan gateway...
Wed Mar 1 19:10:20 2023 user.notice pbr: service waiting for wan gateway...
Wed Mar 1 19:10:21 2023 user.notice pbr: service waiting for wan gateway...
Wed Mar 1 19:10:22 2023 user.notice pbr: service waiting for wan gateway...
Wed Mar 1 19:10:24 2023 user.notice pbr: service waiting for wan gateway...
Wed Mar 1 19:10:25 2023 user.notice pbr: service waiting for wan gateway...
Wed Mar 1 19:10:26 2023 user.notice pbr: service waiting for wan gateway...
Wed Mar 1 19:10:27 2023 user.notice pbr: Activating traffic killswitch [✓]
Wed Mar 1 19:10:27 2023 user.notice pbr: Setting up routing for 'wan/eth1/8.x.x.x' [✓]
Wed Mar 1 19:10:27 2023 daemon.notice procd: /etc/rc.d/S94pbr: Error: argument "257
Wed Mar 1 19:10:27 2023 daemon.notice procd: /etc/rc.d/S94pbr: 258" is wrong: invalid table ID
Wed Mar 1 19:10:27 2023 daemon.notice procd: /etc/rc.d/S94pbr:
Wed Mar 1 19:10:27 2023 user.notice pbr: Setting up routing for 'WG/10.x.x.x' [✗]
Wed Mar 1 19:10:27 2023 user.notice pbr: Setting up routing for 'WGAIRBackup/0.0.0.0' [✓]
Wed Mar 1 19:10:27 2023 user.notice pbr: Routing 'Virgin-TV-Upstairs' via wan [✓]
Wed Mar 1 19:10:27 2023 user.notice pbr: Routing 'Virgin-TV-Downstairs' via wan [✓]
Wed Mar 1 19:10:27 2023 user.notice pbr: Routing 'LGTV' via wan [✓]
Wed Mar 1 19:10:27 2023 user.notice pbr: Deactivating traffic killswitch [✓]
Wed Mar 1 19:10:27 2023 user.notice pbr: service monitoring interfaces: wan WG WGAIRBackup
Wed Mar 1 19:10:27 2023 user.notice pbr: Reloading pbr due to includes of firewall
Wed Mar 1 19:10:27 2023 user.notice pbr: Activating traffic killswitch [✓]
Wed Mar 1 19:10:27 2023 user.notice pbr: Setting up routing for 'wan/eth1/8.x.x.x' [✓]
Wed Mar 1 19:10:28 2023 user.notice pbr: Setting up routing for 'WG/10.x.x.x' [✗]
Wed Mar 1 19:10:28 2023 user.notice pbr: Setting up routing for 'WGAIRBackup/0.0.0.0' [✓]
Wed Mar 1 19:10:28 2023 user.notice pbr: Routing 'Virgin-TV-Upstairs' via wan [✓]
Wed Mar 1 19:10:28 2023 user.notice pbr: Routing 'Virgin-TV-Downstairs' via wan [✓]
Wed Mar 1 19:10:28 2023 user.notice pbr: Routing 'LGTV' via wan [✓]
Wed Mar 1 19:10:28 2023 user.notice pbr: Deactivating traffic killswitch [✓]
Wed Mar 1 19:10:28 2023 user.notice pbr: service monitoring interfaces: wan WG WGAIRBackup
Wed Mar 1 19:10:28 2023 user.notice pbr: Reloading pbr due to includes of firewall
Wed Mar 1 19:10:28 2023 user.notice pbr: Activating traffic killswitch [✓]
Wed Mar 1 19:10:28 2023 user.notice pbr: Setting up routing for 'wan/eth1/8.x.x.x' [✓]
Wed Mar 1 19:10:28 2023 user.notice pbr: Setting up routing for 'WG/10.x.x.x' [✗]
Wed Mar 1 19:10:29 2023 user.notice pbr: Setting up routing for 'WGAIRBackup/0.0.0.0' [✓]
Wed Mar 1 19:10:29 2023 user.notice pbr: Routing 'Virgin-TV-Upstairs' via wan [✓]
Wed Mar 1 19:10:29 2023 user.notice pbr: Routing 'Virgin-TV-Downstairs' via wan [✓]
Wed Mar 1 19:10:29 2023 user.notice pbr: Routing 'LGTV' via wan [✓]
Wed Mar 1 19:10:29 2023 user.notice pbr: Deactivating traffic killswitch [✓]
Wed Mar 1 19:10:29 2023 user.notice pbr: service monitoring interfaces: wan WG WGAIRBackup
Wed Mar 1 19:10:29 2023 user.notice pbr: Reloading pbr due to includes of firewall
Wed Mar 1 19:10:29 2023 user.notice pbr: Activating traffic killswitch [✓]
Wed Mar 1 19:10:29 2023 user.notice pbr: Setting up routing for 'wan/eth1/8.x.x.x' [✓]
Wed Mar 1 19:10:29 2023 user.notice pbr: Setting up routing for 'WG/10.x.x.x' [✗]
Wed Mar 1 19:10:29 2023 user.notice pbr: Setting up routing for 'WGAIRBackup/0.0.0.0' [✓]
Wed Mar 1 19:10:29 2023 user.notice pbr: Routing 'Virgin-TV-Upstairs' via wan [✓]
Wed Mar 1 19:10:29 2023 user.notice pbr: Routing 'Virgin-TV-Downstairs' via wan [✓]
Wed Mar 1 19:10:30 2023 user.notice pbr: Routing 'LGTV' via wan [✓]
Wed Mar 1 19:10:30 2023 user.notice pbr: Deactivating traffic killswitch [✓]
Wed Mar 1 19:10:30 2023 user.notice pbr: service monitoring interfaces: wan WG WGAIRBackup

Also service pbr info

{
"pbr": {
"instances": {
"main": {
"running": false,
"command": [
"/bin/true"
],
"term_timeout": 5,
"exit_code": 0,
"data": {
"gateways": [
{
"name": "wan",
"device_ipv4": "eth1",
"gateway_ipv4": "8.x.x.x",
"device_ipv6": "eth1",
"gateway_ipv6": "f::x:x:x:x/64",
"default": false,
"action": "create",
"table_id": "256",
"mark": "0x010000",
"priority": "30000"
},
{
"name": "WGAIRBackup",
"device_ipv4": "",
"gateway_ipv4": "",
"device_ipv6": "",
"gateway_ipv6": "",
"default": false,
"action": "create",
"table_id": "258",
"mark": "0x030000",
"priority": "30002"
}
],
"status": {
"gateways": "wan/eth1/8.x.x.x\nWGAIRBackup/0.0.0.0\n",
"errors": "errorFailedSetup WG/10.x.x.x",
"mode": "strict"
}
}
}
},
"triggers": [
[
"config.change",
[
"if",
[
"eq",
"package",
"openvpn"
],
[
"run_script",
"/etc/init.d/pbr",
"reload"
]
]
],
[
"config.change",
[
"if",
[
"eq",
"package",
"pbr"
],
[
"run_script",
"/etc/init.d/pbr",
"reload"
]
]
],
[
"interface.*",
[
"if",
[
"eq",
"interface",
"wan"
],
[
"run_script",
"/etc/init.d/pbr",
"on_interface_reload",
"wan"
]
]
],
[
"interface.*",
[
"if",
[
"eq",
"interface",
"WG"
],
[
"run_script",
"/etc/init.d/pbr",
"on_interface_reload",
"WG"
]
]
],
[
"interface.*",
[
"if",
[
"eq",
"interface",
"WGAIRBackup"
],
[
"run_script",
"/etc/init.d/pbr",
"on_interface_reload",
"WGAIRBackup"
]
]
]
],
"validate": [
{
"package": "pbr",
"type": "include",
"rules": {
"enabled": "bool",
"path": "file"
}
},
{
"package": "pbr",
"type": "policy",
"rules": {
"chain": "or(, forward, input, output, prerouting, postrouting, FORWARD, INPUT, OUTPUT, PREROUTING, POSTROUTING)",
"dest_addr": "list(neg(or(host,network,string)))",
"dest_port": "list(neg(or(portrange,string)))",
"enabled": "bool",
"interface": "or(uci(network, @interface),ignore)",
"name": "string",
"proto": "or(string)",
"src_addr": "list(neg(or(host,network,macaddr,string)))",
"src_port": "list(neg(or(portrange,string)))"
}
},
{
"package": "pbr",
"type": "pbr",
"rules": {
"boot_timeout": "integer",
"enabled": "bool",
"fw_mask": "regex('0x[A-x-x-x]{x}')",
"icmp_interface": "or(,ignore, uci(network, @interface))",
"ignored_interface": "list(uci(network, @interface))",
"ipv6_enabled": "bool",
"procd_boot_delay": "integer",
"procd_reload_delay": "integer",
"resolver_set": "or(, none, dnsmasq.ipset, dnsmasq.nftset)",
"rule_create_option": "or(, add, insert)",
"secure_reload": "bool",
"strict_enforcement": "bool",
"supported_interface": "list(uci(network, @interface))",
"verbosity": "range(0,2)",
"wan_ip_rules_priority": "uinteger",
"wan_mark": "regex('0x[A-x-x-x]{x}')",
"webui_supported_protocol": "list(string)"
}
}
]
}

I have removed any ip/mac info from the post. I think I have done an incorrect set up with 2 WG interfaces. I did remove my 2nd back up WG so just left 1 WG interface; rebooting that a few times gave no pbr gateway error, so it works fine with just 1 WG interface.

Since I am new to openwrt I can just stick with 1 WG interface and modify as required might be easier, but if there is a simple fix thanks.

Thank you. There's still this

pbr.cfg076ff5.name=DEFAULTVPNI validates as string with true
pbr.cfg076ff5.enabled=0 validates as bool with true
pbr.cfg076ff5.interface=somevpn_wg validates as or("ignore", "tor", uci("network", "@interface")) with true
pbr.cfg076ff5.proto is unset and defaults to or(string) (null)
pbr.cfg076ff5.chain is unset and defaults to or("", "forward", "input", "output", "prerouting", "postrouting", "FORWARD", "INPUT", "OUTPUT", "PREROUTING", "POSTROUTING") prerouting
pbr.cfg076ff5.src_addr=  validates as list(neg(or(host,network,macaddr,string))) with false
pbr.cfg076ff5.src_port is unset and defaults to list(neg(or(portrange,string))) (null)
pbr.cfg076ff5.dest_addr is unset and defaults to list(neg(or(host,network,string))) (null)
pbr.cfg076ff5.dest_port is unset and defaults to list(neg(or(portrange,string))) (null)

TOR interface reappeared in the UI.

logread

...
daemon.err dnsmasq[1]: nftset inet fw4 pbr_tor_4_dst_ip Error: No such file or directory
...

And for this

I provide part of the config for now:

config policy
        option src_port '4000'
        option dest_addr '101.01.010.10'
        option interface 'wan2'
        option chain 'output'
        option name 'INIT_SOME_VPN2_WG'
        option dest_port '9000'
...
config pbr 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option boot_timeout '0'
        option secure_reload '0'
        option procd_reload_delay '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        option webui_show_ignore_target '1'
        option ipv6_enabled '0'
        option dest_ipset '1'
        option src_ipset '1'
        list supported_interface 'lan'
        list supported_interface 'tor'
        list supported_interface 'wan'
        list supported_interface 'wan2'
        list supported_interface 'somevpn_wg'
        list supported_interface 'somevpn2_wg'
        list ignored_interface 'wgserver'
        option rule_create_option 'add'
        option resolver_set 'dnsmasq.nftset'
        option enabled '1'

And


daemon.err dnsmasq[1]: nftset inet fw4 pbr_somevpn2_wg_4_dst_ip_cfg136ff5 Error: No such file or directory; did you mean set ‘pbr_wan_4_dst_ip_cfg026ff5’ in table inet ‘fw4’?

Not sure if you've redacted the value or it's set to nothing. If latter, that's invalid.

How are you testing this?

I suspect it's an older/outdated version of pbr, could you please confirm the installed pbr version through the WebUI?


Realtime graph. There's no traffic going through this specific wan2 interface.

Yes it's not set and invalid. Anyway, the policy is disabled.

network

...
config interface 'wan2'
        option proto 'prototype'
        option force_link '1'
        option auth 'none'
        option peerdns '0'
        list dns '127.0.0.1'
        option iptype 'ipv4v6'
        option device '/sys/devices/...'
        option defaultroute '0'

config interface 'somevpn2_wg'
        option proto 'wireguard'
        list addresses '10.10.101.010/32'
        list addresses ':ipv6::::/128'
        option private_key 'somekey'
        option force_link '1'
        option listen_port '4000'
        option defaultroute '0'

config wireguard_somevpn2_wg
        option description 'somedescription'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host '101.01.010.10'
        option endpoint_port '9000'
        option public_key 'somekey'

# wan2
config device
        option name 'wwan1'

config device
        option name 'somevpn2_wg'
...

firewall

...
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'
...