Setting up split tunnel / pbr

Before coming to ask for assistance I have tried to:

I have been able to get my VPN partially set up correctly, but running a traceroute shows that my traffic is leaving via my default WAN interface rather than the VPN interface, so I know I have some more configuration to do.

Can anyone assist?

My goal is to send only certain IPs through the VPN. All other traffic can use the default WAN interface. So far I have:

  • installed the luci-app-pbr packages,
  • configured a VPN interface with the information provided by a config file, and
  • set up a policy (though it might not be complete).

The area where I am struggling the most is the firewall piece of things, but any guidance is appreciated! I rely on LuCI for setup as I am not very strong with UCI. Here are my configs thus far:

root@OpenWrt:/etc/config# ubus call system board

	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Linksys EA8300 (Dallas)",
	"board_name": "linksys,ea8300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
	 
root@OpenWrt:/etc/config# cat firewall 

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'
	list network 'voip'
	list network 'dmz'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'dmz'
	option dest 'wan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Traccar-HTTP'
	list proto 'tcp'
	option src 'wan'
	option src_dport '30080'
	option dest_ip '172.30.50.84'
	option dest_port '30080'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Traccar-Client'
	option src 'wan'
	option src_dport '5055'
	option dest_ip '172.30.50.84'
	option dest_port '5055'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Web-HTTPS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '172.30.50.11'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Web-HTTP'
	option src 'wan'
	option src_dport '80'
	option dest_port '80'
	option dest_ip '172.30.50.11'
	option enabled '0'

config forwarding
	option src 'lan'
	option dest 'wan'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'ProtonVPN'
	option name 'VPN'

config forwarding
	option src 'lan'

config forwarding
	option src 'lan'
	option dest 'VPN'

root@OpenWrt:/etc/config# cat pbr

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '0'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.wg_server_and_client'
	option enabled '0'

config policy
	option name 'Streaming'
	option src_addr '192.168.1.127,192.168.1.7'
	option interface 'ProtonVPN'
	option src_port '51820'

root@OpenWrt:/etc/config# ls
ddns      dropbear  luci      pbr       rpcd      ubootenv  uhttpd
dhcp      firewall  network   pbr-opkg  system    ucitrack  wireless
root@OpenWrt:/etc/config# cat network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd4:83c2:d280::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

config device
	option name 'lan1'
	option macaddr 'e8:9f:80:a3:ef:e2'

config device
	option name 'lan2'
	option macaddr 'e8:9f:80:a3:ef:e2'

config device
	option name 'lan3'
	option macaddr 'e8:9f:80:a3:ef:e2'

config device
	option name 'lan4'
	option macaddr 'e8:9f:80:a3:ef:e2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'wan'
	option macaddr 'e8:9f:80:a3:ef:e1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config device
	option type 'bridge'
	option name 'br-voip'
	list ports 'lan2'
	list ports 'lan3'

config device
	option type 'bridge'
	option name 'br-dmz'
	list ports 'lan4'
	option bridge_empty '1'
	option ipv6 '0'

config interface 'voip'
	option proto 'static'
	option device 'br-voip'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'dmz'
	option proto 'static'
	option device 'br-dmz'
	option ipaddr '172.30.50.1'
	option netmask '255.255.255.0'
	list dns_search 'idm.nac-issa.org'

config interface 'ProtonVPN'
	option proto 'wireguard'
	option private_key '<my_private_key>'
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'

config wireguard_ProtonVPN
	option description 'Tourville_Router-US-FREE-65.conf'
	option public_key '7IP+uEN0mJ2xkrq5pVz2SFNvZ1OeyhBgjXNRhLmKfHQ='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host '149.102.226.237'
	option endpoint_port '51820'
	option route_allowed_ips '1'

No, no, and no.
I did a pretty complex setup for my guest Wi-Fi for people in Ukraine, which is bombed by Russians and for many hours without electricity, while I have fiber and power banks to share.

Let me explain the problem. I faced the same one too.
You don't need pbr; you don't need complex setups.
All that you need is "routing".

By default, the "main" routing table is used for traffic.
You need to create your own routing rules and add specific rules for that.
Google about that.

something like that.
I did that, and I'm pretty sure that it will work fine for you too. Plus, you can add more rules to the firewall on these pages too.

Also, read the information about zones and do not rush. It's pretty simple if you don't rush anywhere.

OK, thanks for pointing out an alternative I had not considered. I will study this some more and see if I can make that work. I will also review the info on zones further.

Just to clarify one other thing I should have mentioned in my OP: if you have a specific streaming service and that service should not go through a VPN, isn't that a use case for PBR? I.e., most streaming should go through the VPN, but there is one exception. Otherwise I think I understand the general intent of what you posted.

This is correct, but this is called policy-based routing.

The pbr package is just a wrapper to make it more convenient to use.
