Policy-Based-Routing (pbr) package discussion

Hi, sometimes I lose my network connection when I disable the VPN in OpenVPN.

I don't know why.

I use the openvpn and your vpn-policy-routing packages.

Does someone have the same problem?

I can see this, but what is the kill switch?

Thu Nov 24 18:16:18 2022 user.notice pbr: Reloading pbr due to includes of firewall
Thu Nov 24 18:16:19 2022 user.notice pbr: Activating traffic killswitch [✓]
Thu Nov 24 18:16:19 2022 user.notice pbr: Setting up routing for 'wan/192.168.1.1' [✓]
Thu Nov 24 18:16:19 2022 user.notice pbr: Routing 'ps5' via vpn [✗]
Thu Nov 24 18:16:19 2022 user.notice pbr: Deactivating traffic killswitch [✓]
Thu Nov 24 18:16:20 2022 user.notice pbr: service monitoring interfaces: wan

The pbr 0.9.9-41 and luci-app-pbr 0.9.9-41 need to be installed together (and cache refreshed/cleared for the luci app) as they contain localizable error/warning messages.

Unless there are issues discovered with this version, my plan is to push it to the pull requests as 1.0.0 some time early next week and then merge into official repo.


I lost the connection again with this update.

I have to redo the startup and restart the network to get the internet connection back.

I put my PS5 on VPN
and my PC on WAN.

The only manipulation I do to lose the network is, in OpenVPN, to start and stop the VPN.

EDIT: I think my https-dns-proxy causes the problem; if I disable it, I don't get the disconnect.

@odhiambo here's the correct user file for your case:

#!/bin/sh
# pbr user file: pbr sources this file, so it ends with "return" rather than "exit".
# It loads the Kenyan IP ranges published by ipdeny into pbr's "user" destination
# set: the ipset on fw3 systems, the nft set in table "inet fw4" on fw4 systems.

TARGET_SET='pbr_wan_4_dst_ip_user'
TARGET_IPSET='pbr_wan_4_dst_net_user'
TARGET_TABLE='inet fw4'
TARGET_URL="http://www.ipdeny.com/ipblocks/data/countries/ke.zone"
TARGET_DL_FILE="/var/pbr_tmp_ke_ip_ranges"
TARGET_NFT_FILE="/var/pbr_tmp_ke_ip_ranges.nft"
[ -z "$nft" ] && nft="$(command -v nft)"
_ret=1

# Download the zone file only when no non-empty cached copy exists.
# The URL is plain HTTP, so the list is not authenticated in transit.
if [ ! -s "$TARGET_DL_FILE" ]; then
	uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null > "$TARGET_DL_FILE"
fi

if [ -s "$TARGET_DL_FILE" ]; then
	# fw3/ipset: one "add <set> <cidr>" line per range; -! ignores entries that already exist
	if ipset -q list "$TARGET_IPSET" >/dev/null 2>&1; then
		if awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_DL_FILE" | ipset restore -!; then
			_ret=0
		fi
	# fw4/nftables: build a single "add element" statement and feed it to nft -f
	elif [ -n "$nft" ] && [ -x "$nft" ] && "$nft" list set "$TARGET_TABLE" "$TARGET_SET" >/dev/null 2>&1; then
		printf "add element %s %s { " "$TARGET_TABLE" "$TARGET_SET" > "$TARGET_NFT_FILE"
		# pass $1 through "%s" instead of using it as the format string, so a stray "%" cannot break printf
		awk '{printf "%s, ", $1}' "$TARGET_DL_FILE" >> "$TARGET_NFT_FILE"
		printf " } " >> "$TARGET_NFT_FILE"
		if "$nft" -f "$TARGET_NFT_FILE"; then
			rm -f "$TARGET_NFT_FILE"
			_ret=0
		fi
	fi
fi

return $_ret
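An added example, not pbr's code and not the user file posted above: the posted script feeds every first field of the downloaded zone file straight into nft -f, and the download itself is plain HTTP, so nothing checks that what arrives is actually a list of prefixes. The script below builds the same "add element" statement for the same table and set names, but admits only well-formed IPv4 CIDRs, so blank lines, comments and anything hostile in the list are skipped (and reported on stderr) instead of reaching nft. The zone file it reads is a constructed sample written under /tmp, not a real ipdeny download; the function names valid_cidr4 and zone_to_nft and the SAMPLE_ZONE path are this example's own.

```sh
#!/bin/sh
# Added example (not pbr's code, not the posted user file): turn an ipdeny-style
# zone file into one nft "add element" statement, keeping only valid IPv4 CIDRs.
TARGET_TABLE='inet fw4'
TARGET_SET='pbr_wan_4_dst_ip_user'

# valid_cidr4 RANGE: return 0 only for a.b.c.d/n with 0<=a,b,c,d<=255 and 0<=n<=32.
valid_cidr4() {
	# anything outside digits, dots and one slash (letters, braces, globs, "-") is rejected up front
	case "$1" in ''|*[!0-9./]*) return 1 ;; esac
	case "$1" in */*) ;; *) return 1 ;; esac
	_ip="${1%/*}"
	_len="${1#*/}"
	case "$_len" in ''|*[!0-9]*) return 1 ;; esac
	[ "$_len" -le 32 ] || return 1
	_oldifs="$IFS"
	IFS=.
	set -- $_ip
	IFS="$_oldifs"
	[ $# -eq 4 ] || return 1
	for _o in "$@"; do
		case "$_o" in ''|*[!0-9]*) return 1 ;; esac
		[ "$_o" -le 255 ] || return 1
	done
	return 0
}

# zone_to_nft FILE: print one "add element" statement containing every valid
# range in FILE. Blank lines, "#" comments and malformed entries are skipped
# and reported on stderr. Returns 1 when nothing valid was found, so a bad or
# empty download never results in loading an empty set.
zone_to_nft() {
	_elems=""
	# only the first whitespace-separated field of each line is considered, like $1 in awk
	while read -r _range _rest || [ -n "$_range" ]; do
		case "$_range" in ''|'#'*) continue ;; esac
		if valid_cidr4 "$_range"; then
			_elems="${_elems:+$_elems, }$_range"
		else
			printf 'skipping malformed entry: %s\n' "$_range" >&2
		fi
	done < "$1"
	[ -n "$_elems" ] || return 1
	printf 'add element %s %s { %s }\n' "$TARGET_TABLE" "$TARGET_SET" "$_elems"
}

# Constructed sample zone file (not a real ipdeny download). It mixes valid
# prefixes with a bad host, an out-of-range prefix length and a line that would
# be an nft statement if it were ever pasted into the batch file unchecked.
SAMPLE_ZONE="${TMPDIR:-/tmp}/pbr_example_ke.zone"
cat > "$SAMPLE_ZONE" <<'EOF'
# constructed sample, not a real ipdeny download
41.57.0.0/16
41.60.128.0/18

not-an-address
41.72.192.0/32
10.0.0.0/33
}; flush ruleset; add element inet fw4 pbr_wan_4_dst_ip_user {
EOF

# Prints: add element inet fw4 pbr_wan_4_dst_ip_user { 41.57.0.0/16, 41.60.128.0/18, 41.72.192.0/32 }
zone_to_nft "$SAMPLE_ZONE"
```

To use it in place of the awk pipeline in the posted user file, write the output of zone_to_nft to the batch file and run nft -f on it only when the function succeeds; if the list ever arrives empty or mangled, the set is left as it was rather than being populated with garbage.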

Dear all,
I have an OpenVPN client (the OVPN client redirects all traffic through the VPN) and I would like to run a WireGuard "server"; how do I route the WireGuard server via WAN?

At the moment everything works fine if I stop the OpenVPN client... otherwise the clients are not able to complete the handshake.

Hi stangri, do you have any news about the merge? Thanks.

An issue was found, I'll probably push update later this week and merge on the weekend.


Do you have any suggestion for my small issue, the OVPN client and WireGuard as a "server"?

thanks.

I thought it could be inferred from the README, but maybe not. If the VPN client is your default gateway and you run a VPN server which is UDP-based, you can't selectively route the server traffic with pbr.

Ah ok, sorry for the bad question; do you know how I can do that without stopping the OpenVPN client?

Thanks

Either do not use the VPN client as the default gateway, or use a VPN server which is TCP-based (like OpenVPN in TCP mode).


I'm planning on merging these early next week unless there are reported issues or objections:

Snapshots:

22.03:


Thanks for your work, stangri.


Just merged all 4 PRs, the binaries should be available in official repos within a few days.


Great news, thank you!!!

Compiled right now, from source...
daemon.err dnsmasq[1]: nftset inet fw4 pbr_wan_4_dst_ip_cfg0d6ff5 Error: No such file or directory; did you mean set ‘pbr_wan_4_dst_ip_cfg076ff5’ in table inet ‘fw4’?

Do you know why I get these errors?

It seems that it happens only on startup...

How do I understand what cfg0d6ff5 is? Sorry for the stupid question.

Thank you for the great work stangri!

I just installed pbr and the UI on OpenWrt 22.03.2 (x86_64). I also installed dnsmasq-full. However, I cannot change the resolver set. It displays:
The adguardhome.ipset is not supported on this system.
The dnsmasq.ipset is not supported on this system.
The dnsmasq.nftset is not supported on this system.

Where could be the problem?


Is dnsmasq-full necessary for 22.03.2? Thanks.

@pesa1234, @AlexK please refer to the README.
