root@OpenWrt:~# ip rule
0: from all lookup local
10000: from 192.168.1.1 lookup br-lan
10000: from 10.241.219.131 lookup wan
10000: from 10.5.0.2 lookup vpn
14000: from all to 192.168.8.1 iif br-lan lookup wan
14000: from 192.168.1.10 iif br-lan lookup wan
14000: from 192.168.1.9 iif br-lan lookup wan
14000: from 192.168.1.8 iif br-lan lookup wan
14000: from all iif wan lookup veth-lan
14000: from all iif vpn lookup veth-lan
15000: from all iif br-lan lookup vpn
20000: from all to 192.168.1.1/24 lookup br-lan
20000: from all to 10.241.219.131/8 lookup wan
20000: from all to 10.5.0.2 lookup vpn
32766: from all lookup main
32767: from all lookup default
40000: from all iif br-lan lookup wan
90007: from all iif lo lookup wan
90014: from all iif lo lookup br-lan
90016: from all iif lo lookup veth-lan
90022: from all iif lo lookup vpn
But DNS queries from my router are going straight to WAN.
What should I set to ensure DNS queries go through VPN?
root@OpenWrt:~# ip rule
0: from all lookup local
10000: from 192.168.1.1 lookup br-lan
10000: from 10.241.219.131 lookup wan
10000: from 10.5.0.2 lookup vpn
14000: from all iif wan lookup veth-lan
14000: from all iif vpn lookup veth-lan
14000: from 192.168.1.8 iif br-lan lookup wan
14000: from 192.168.1.9 iif br-lan lookup wan
14000: from 192.168.1.10 iif br-lan lookup wan
14000: from all to 192.168.8.1 iif br-lan lookup wan
15000: from all iif br-lan lookup vpn
15000: from all iif lo lookup vpn
20000: from all to 192.168.1.1/24 lookup br-lan
20000: from all to 10.241.219.131/8 lookup wan
20000: from all to 10.5.0.2 lookup vpn
32766: from all lookup main
32767: from all lookup default
40000: from all iif br-lan lookup wan
90007: from all iif lo lookup wan
90014: from all iif lo lookup br-lan
90016: from all iif lo lookup veth-lan
90040: from all iif lo lookup vpn
So compared to what I had, I now have an extra 15000 priority rule:
15000: from all iif lo lookup vpn
Does this seem right? Certainly tcpdump now shows DNS requests from the router going through VPN.
By the way, maybe you can help me with another routing question since you seem like an expert?
As reflected in the IP rules above, I route download traffic from both WAN and VPN to go through 'veth-lan', which is one end of a veth pair, the other end of the pair being 'veth-br', the latter being a part of 'br-lan'.
This trick allows me to apply SQM on veth-lan to handle the combined VPN and non-VPN flows through my LTE connection. But unfortunately it does not catch download traffic destined for the router itself.
Is it possible to have traffic destined for the router itself, i.e. traffic with destination 192.168.1.1 go via veth-lan?
The reason is that I really want all download traffic to go via veth-lan, whereas now it is everything except download to the router, which instead bypasses veth-lan.
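Added example (not from the thread): a small Python evaluator that walks an `ip rule` list in priority order the way the kernel does, so you can see which tables a router-originated DNS query would consult with and without the `15000: from all iif lo lookup vpn` rule. It uses the rules from the second listing above that can match locally generated traffic, and a constructed query to 185.228.168.168 sent from an unbound socket (source still 0.0.0.0, iif lo); without the 15000 rule, `main` (which holds the WAN default route) is the first table with a route, which is why the queries left via WAN.

```python
# Walk an `ip rule` list in priority order as the kernel does: the first table holding a route wins.
import ipaddress
import re

# Rules from the second `ip rule` listing above that can match locally
# generated traffic (iif br-lan / iif wan rules never match iif lo packets).
IP_RULES = """\
0: from all lookup local
10000: from 192.168.1.1 lookup br-lan
10000: from 10.241.219.131 lookup wan
10000: from 10.5.0.2 lookup vpn
15000: from all iif lo lookup vpn
20000: from all to 192.168.1.1/24 lookup br-lan
20000: from all to 10.241.219.131/8 lookup wan
20000: from all to 10.5.0.2 lookup vpn
32766: from all lookup main
32767: from all lookup default
90007: from all iif lo lookup wan
90022: from all iif lo lookup vpn
"""
# Constructed packet: a DNS query the router itself sends to 185.228.168.168 from
# an unbound socket, so the source is still 0.0.0.0 and iif is lo.
DNS_QUERY = ("0.0.0.0", "185.228.168.168", "lo")

RULE_RE = re.compile(r"(\d+):\s+from (\S+)(?: to (\S+))?(?: iif (\S+))? lookup (\S+)")

def _net(spec):
    # 'all' matches anything; '10.241.219.131/8' means the network 10.0.0.0/8
    return None if spec in (None, "all") else ipaddress.ip_network(spec, strict=False)

def parse_rules(text, skip_prio=None):
    """Return (prio, src_net, dst_net, iif, table) sorted by priority; skip_prio
    drops one priority so two rule sets can be compared."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        prio, src, dst, iif, table = m.groups()
        if int(prio) != skip_prio:
            rules.append((int(prio), _net(src), _net(dst), iif, table))
    return sorted(rules, key=lambda r: r[0])

def tables_consulted(rules, src, dst, iif):
    """Tables tried, in order, for a packet with this source, destination and iif."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [table for _p, src_net, dst_net, rule_iif, table in rules
            if (src_net is None or src in src_net)
            and (dst_net is None or dst in dst_net)
            and (rule_iif is None or rule_iif == iif)]
```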
Traffic destined to the router will certainly not hit the br-lan interface, but the wan interface. I guess you'll have to apply SQM on the wan interface as well.
Is there a way you can think of to have traffic destined to the router go from WAN through to veth-lan (in the same way that traffic for br-lan goes from either WAN or VPN through to veth-lan)? You see I am trying to have just one CAKE instance for upload and one instance for download so that I get flow fairness across all the flows that are passed over the LTE connection.
I really don't think that's possible. You don't want traffic destined for the router to be sent by the veth. My advice would be to just ignore traffic destined to the router, because it should be a tiny fraction of the total traffic.
Initially worked, but eventually resulted in loss of internet connectivity. That seemed a nice sort of 'catch all' to catch any outgoing traffic originating from router and ensure it goes through VPN.
So I have instead opted for:
14000: from all to 185.228.168.168 lookup vpn
14000: from all to 185.228.169.168 lookup vpn
Does that look OK for redirecting output DNS queries from router to VPN rather than WAN?
I'm not sure what the correct way to do any of this is. Will my router still use DNS caching?
Does setting up the VPN tunnel require a DNS query? If yes and you lose the VPN it won't be able to start up again. Make sure you use IP addresses for the VPN endpoint and then it might work better.
You might also want a hotplug rule to change the routing if the VPN goes down.
Traffic trying to reach the VPN server obviously can't go inside the VPN tunnel (it is the tunnel); it needs to be sent out the actual wan. So you need an earlier rule that selects wan for traffic going to the VPN provider.
DNS traffic will use the same rules that you have. However if the nameservers belong to your ISP, then you must use the wan uplink to reach them, as they won't allow IPs outside their address space to use recursion.
Regarding caching, it usually is being used for as long as the TTL of the record is configured.
I am not sure what you have done there, so my answer might be wrong.
In the first redirect you are forcing DNS queries pointed to the router to go to GoogleDNS? Why not advertise GoogleDNS directly to that host?
In the second redirect you hijack everything to dnsmasq, so dnsmasq will be caching the answers.
I use WireGuard with source IP 10.5.0.2. Rather than setting traffic to the VPN server IP to use WAN, can I instead have traffic from iif lo with source 10.5.0.2 use WAN? I tried to set this, but this gave the rule:
14000: from 10.5.0.2 iif lo lookup wan
Does that seem right?
So in sum I have:
14000: from 10.5.0.2 iif lo lookup wan
15000: from all iif br-lan lookup vpn
15000: from all iif lo lookup vpn