[Solved] Configuration of VPN Policy Routing (doesn’t work)

Okay. I restarted OpenWrt without stubby.
Internet access works, DNS is Cloudflare.
What's next?

vpn-pbr is still not working.

root@OpenWrt:~# ipset list lan
Name: lan
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 344
References: 4
Number of entries: 0
Members:

Do an nslookup www.wieistmeineip.de 192.168.1.2 to make sure that dnsmasq is used. Now ipset list lan must contain all 4 addresses.

Hmmm. Now the ipset list lan has 3 entries at once...

root@OpenWrt:~# ipset list lan
Name: lan
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 632
References: 4
Number of entries: 3
Members:
52.28.125.65
35.157.134.147
52.29.58.77

But still the VPN IP.

Okay. It took some minutes...
Now wimi.de shows the real IP...
I'll try with IP ranges to access zattoo

That's good, it means that when you try to connect to these IPs the lan interface will be used.
Verify with
iptables-save -c -t mangle
The -A VPR_PREROUTING -m set --match-set lan line must not have zero hits.

One thing to mention is that after a few minutes of inactivity the ipset will be emptied. Upon the next query for resolving of the hostname it will be added again.
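The two checks above (the ipset has entries, and the VPR_PREROUTING match-set rule has non-zero packet counters) can be scripted. The following is an added example, not code from the thread or from the vpn-policy-routing package: it parses the output of ipset list and iptables-save -c -t mangle. The ipset and mangle dumps embedded below are constructed samples; the fwmark values and the dst direction in the sample rule are assumptions about what the real rule looks like. Run it with PBR_LIVE=1 on the router to check the real tables instead of the samples.

```shell
#!/bin/sh
# Added example: check that the "lan" ipset is populated and that the
# VPR_PREROUTING rule matching it is actually seeing packets.
# Live commands used: `ipset list lan` and `iptables-save -c -t mangle`.

# Constructed sample of `ipset list lan` after the nslookup plus the Zattoo rule.
SAMPLE_IPSET='Name: lan
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 760
References: 4
Number of entries: 4
Members:
52.28.125.65
35.157.134.147
52.29.58.77
91.123.0.0/16 comment "Zattoo: 91.123.0.0/16"'

# Constructed sample of the same set before any hostname was resolved.
SAMPLE_IPSET_EMPTY='Name: lan
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 344
References: 4
Number of entries: 0
Members:'

# Constructed sample of `iptables-save -c -t mangle`; each rule is prefixed
# with "[packets:bytes]". Mark values and "dst" are assumed, not taken from the package.
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [1000:120000]
:VPR_PREROUTING - [0:0]
[1000:120000] -A PREROUTING -j VPR_PREROUTING
[37:4120] -A VPR_PREROUTING -m set --match-set lan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x20000/0xff0000
COMMIT'

# Print the "Number of entries: N" value from an `ipset list` dump.
ipset_entry_count() {
    printf '%s\n' "$1" | sed -n 's/^Number of entries: *\([0-9][0-9]*\).*/\1/p'
}

# Print the packet counter of the first VPR_PREROUTING rule that matches the
# named set; prints nothing if no such rule exists.
pbr_set_hits() {
    printf '%s\n' "$1" \
      | grep -- "-A VPR_PREROUTING .*--match-set $2 " \
      | sed -n '1s/^\[\([0-9]*\):[0-9]*\].*/\1/p'
}

# pbr_check <ipset dump> <mangle dump> <set name>
# Returns 0 when the set has entries and the rule has hits, 1 otherwise.
pbr_check() {
    entries=$(ipset_entry_count "$1")
    entries=${entries:-0}
    hits=$(pbr_set_hits "$2" "$3")
    if [ "$entries" -eq 0 ]; then
        echo "ipset $3 is empty: resolve a listed hostname via dnsmasq (nslookup <host> <router ip>)"
        return 1
    fi
    if [ -z "$hits" ]; then
        echo "no VPR_PREROUTING rule references set $3: is vpn-policy-routing running?"
        return 1
    fi
    if [ "$hits" -eq 0 ]; then
        echo "set $3 has $entries entries but its VPR_PREROUTING rule has zero hits"
        return 1
    fi
    echo "ok: set $3 has $entries entries, rule matched $hits packets"
    return 0
}

if [ "${PBR_LIVE:-0}" = "1" ]; then
    pbr_check "$(ipset list lan)" "$(iptables-save -c -t mangle)" lan
else
    pbr_check "$SAMPLE_IPSET" "$SAMPLE_MANGLE" lan
fi
```

A zero packet counter on a populated set usually means the client resolved the name somewhere other than the router's dnsmasq (or used a cached answer), so the connection never hit an address that was in the set at the time.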

Okay. I have added 91.123.0.0/16 to the rules.
Now I am waiting for the magic...
For now it shows me the real IP.
Do I have to restart dnsmasq after restarting vpn-pbr, or just wait some time?

If you add a new rule with just some IPs, it is enough to restart vpn-pbr.

Hmm. okay, Zattoo works now! That is great!
But wimi is not set? Why?

root@OpenWrt:~# ipset list lan
Name: lan
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 478
References: 4
Number of entries: 1
Members:
91.123.0.0/16 comment "Zattoo: 91.123.0.0/16"

I explained it earlier.

Adding IP ranges as rules starts working right away. Great!
I was easily able to bypass Amazon Prime Video and Zattoo!
Thanks for your help, trendy!!

What doesn't work is entering domains.
I tried to add speedtest.net instead of wieistmeineip.de and it still doesn't bypass...

It starts working if I do an nslookup. Shouldn't this simply work if I browse to the webpage? Do I have to do an nslookup for every webpage first when I restart the service?

It really seems that stubby holds vpn-pbr off from working.
Do you have any idea why?
And is there an alternative to stubby to use DNS over TLS without holding up vpn-pbr?

Can I use unbound together with vpn-pbr?
If this should work, I will give it a try, but only with your support trendy :smile:

What I noticed along the way is that vpn-pbr only bypasses the IP address.
The traffic still goes through the VPN tunnel.
Is this correct?

Any query to dnsmasq should do the job. The problem is that if the lan hosts keep the address in their cache and don't ask dnsmasq again, it will not be renewed. Maybe there is some way to prolong the lifetime of the ipset.

wimi.de works fine for me. speedtest won't work; do a source view of the page and you'll see how many more sites you need to bypass apart from the main one.

Because dnsmasq needed to be working to create the ipsets.

Not that I know of, you'll have better luck opening a new topic for that.

The traffic that is not matching any rule uses the default gateway configured.
It is marked with the tick
