[SOLVED] I can't route to an openVPN interface with PBR

Hello, the following is my configuration:

# cat /etc/config/network

# Loopback, as shipped by OpenWrt.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# NOTE(review): the ULA prefix was redacted in the paste (MAC_ADDRESS is a placeholder, not a real prefix).
config globals 'globals'
	option ula_prefix 'MAC_ADDRESS/48'

# LAN bridge over the four switch ports.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# Router address on the LAN; ip6assign hands a /60 slice of the delegated prefix to the bridge.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# NOTE(review): the macaddr value has lost its opening quote in the paste (presumably while
# redacting the address); as written UCI would not parse it, so this is a paste artifact
# rather than the live configuration.
config device
	option name 'wan'
	option macaddr MAC_ADDRESS'

# Upstream link: IPv4 by DHCP, IPv6 by DHCPv6 on the same device.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# WireGuard client. defaultroute '0' here, together with route_allowed_ips '0' on the peer,
# means the tunnel installs no routes of its own — the "ip r l" output in this thread shows
# the default still via wan — so traffic only enters WG0 when PBR steers it there.
config interface 'WG0'
	option proto 'wireguard'
	option private_key 'private'
	option defaultroute '0'
	list addresses '10.1.1.253/24'

# Peer definition. allowed_ips 0.0.0.0/0 lets any destination be sent through the tunnel;
# with route_allowed_ips '0' that range is not turned into a route (see the note above).
# NOTE(review): private_key is an interface option (already set on WG0 above), not a peer
# option, so the copy below is dead configuration that merely duplicates the secret — drop it.
# NOTE(review): endpoint_host has lost its opening quote in the paste, same as macaddr above.
config wireguard_WG0
	option description 'Imported peer configuration'
	option public_key 'public'
	option preshared_key 'preshared'
	option persistent_keepalive '25'
	option endpoint_host WG_IP'
	option endpoint_port 'WG_PORT'
	option route_allowed_ips '0'
	option private_key 'private'
	list allowed_ips '0.0.0.0/0'

# OpenVPN client interface bound to tun0.
# NOTE(review): the thread's resolution replaces this with proto 'none' and no address —
# OpenVPN configures tun0's address itself, and the PBR error later in the thread lists both
# 10.40.30.2 and 10.40.30.3 for tun0, which is presumably the static address clashing with
# the one the server pushed.
config interface 'vpnFW04'
	option proto 'static'
	option device 'tun0'
	option ipaddr '10.40.30.3'
	option netmask '255.255.255.0'
	option broadcast '10.40.30.255'



# cat /etc/config/firewall

# Default-deny for traffic addressed to the router (input) and through it (forward);
# the router's own outbound traffic is allowed. synflood_protect rate-limits TCP SYNs.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# LAN is fully trusted: hosts may reach the router and be forwarded anywhere a forwarding
# section below permits.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# WAN: nothing inbound unless a rule below opens it; LAN traffic leaving here is NATed
# (masq) and TCP MSS is clamped to the path MTU (mtu_fix).
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# One-way: lan may initiate to wan; there is no wan -> lan forwarding.
config forwarding
	option src 'lan'
	option dest 'wan'

# The following Allow-* rules are the stock OpenWrt set: DHCP/DHCPv6 replies, ICMP echo,
# IGMP/MLD and the ICMPv6 types IPv6 needs to function, all rate-limited where noted.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# MLD is only accepted from link-local sources (fe80::/10).
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock rules that forward IPsec ESP and IKE (UDP/500) from wan into lan.
# NOTE(review): if no LAN host terminates IPsec, these two are inbound surface with no use;
# they can be switched off with "option enabled '0'" rather than deleted.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# WireGuard tunnel zone: nothing arriving from the tunnel may reach the router or be
# forwarded; lan traffic sent into it is NATed to the tunnel address. log '1' records the
# rejected/dropped packets, capped at 100 per minute.
config zone
	option name 'WG0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '1'
	option log_limit '100/minute'
	list network 'WG0'

# One-way: lan -> WG0 only.
config forwarding
	option src 'lan'
	option dest 'WG0'

# PBR's firewall hook; fw4_compatible '1' declares the script safe to run under fw4/nftables.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# OpenVPN tunnel zone, same posture as WG0 above (tunnel side rejected, lan side NATed, logged).
config zone
	option name 'FW04'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '1'
	option log_limit '100/minute'
	list network 'vpnFW04'

# One-way: lan -> FW04 only.
config forwarding
	option src 'lan'
	option dest 'FW04'


# cat /etc/config/pbr

# Global PBR settings.
# strict_enforcement '1': while a policy's interface is down, traffic matching that policy is
# blocked instead of leaking out via the default route (fail-closed).
# resolver_set 'none': domain names in dest_addr are resolved when the policies are applied,
# not tracked live through dnsmasq sets, so a destination whose IP changes is missed until
# the next reload.
# ipv6_enabled '0': only IPv4 is steered; IPv6 traffic follows the main table.
# ignored_interface: interfaces PBR leaves alone (these two are PBR's defaults).
# NOTE(review): supported_interface is the root cause found in this thread — vpnFW04 is not
# listed, so the FW04 policy below was silently ignored until this became
# "list supported_interface 'WG0 vpnFW04'".
config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list supported_interface 'WG0'

# Bundled example user scripts, both disabled.
config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

# Bundled example policies, both disabled.
config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

# Domain-based policies steered through the WireGuard tunnel. With resolver_set 'none' these
# names are resolved at apply time (see the note on the global section).
config policy
       option name 'policy1'
       option dest_addr 'policy1.it'
       option interface 'WG0'
       option enabled '1'

config policy
       option name 'policy2'
       option dest_addr 'policy2.it'
       option interface 'WG0'
       option enabled '1'

config policy
       option name 'policy3'
       option dest_addr 'policy3.com'
       option interface 'WG0'
       option enabled '1'

# Subnet-based policy through the OpenVPN tunnel; only takes effect once vpnFW04 is in
# supported_interface above.
config policy
       option name 'FW04'
       option dest_addr '192.168.30.0/24'
       option interface 'vpnFW04'
       option enabled '1'


#ip r l
default via 192.168.0.1 dev wan proto static src 192.168.0.3 
10.1.1.0/24 dev WG0 proto kernel scope link src 10.1.1.253 
10.40.30.0/24 dev tun0 proto kernel scope link src 10.40.30.3 
IP_ADDRESS via 192.168.0.1 dev wan proto static 
192.168.0.0/24 dev wan proto kernel scope link src 192.168.0.3 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1

# ip address show dev tun0
31: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.40.30.3/24 brd 10.40.30.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::5de0:e776:f796:d8e4/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

routing does not work:

# traceroute 192.168.30.40
traceroute to 192.168.30.40 (192.168.30.40), 30 hops max, 46 byte packets
 1  192.168.0.1 (192.168.0.1)  0.954 ms  0.681 ms  0.629 ms
 2  172.18.0.1 (172.18.0.1)  7.208 ms  7.578 ms  7.107 ms

If you are testing from the OpenWrt device itself, then you need to use the OUTPUT chain and not the default PREROUTING, which only handles transit (forwarded) traffic.

Do you mean in firewall?

After I have changed this line to:

list supported_interface 'WG0 vpnFW04'

it started working.
The only problem is that when I restart PBR it gives me the following error:

ERROR: 
vpnFW04/tun0/10.40.30.2 10.40.30.3

You should not set a static IP address on the interface; the OpenVPN client configures the interface itself with the address it receives from the server:

config interface 'vpnFW04'
	option proto 'none'
	option device 'tun0'

Note: if you have more than one OpenVPN instance, then create an extra interface for each one with:
option device 'tunX'
In the OpenVPN config you reference the same device with: dev tunX

Usually you see just dev tun, and then OpenVPN will use tun0.

Thanks @egc, but if I don't use a static address it does not get the proper configuration and I only see this:

What might be the cause?

It looks perfectly fine; this is what my Mullvad tunnel looks like, and it is working without a problem:

35: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.15.0.7/16 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fdda:d0d0:cafe:1301::1005/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ff07:ecf5:ba43:e9cf/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever

@egc you are right, now it pings:

# ping 192.168.30.40
PING 192.168.30.40 (192.168.30.40): 56 data bytes
64 bytes from 192.168.30.40: seq=0 ttl=63 time=20.044 ms
64 bytes from 192.168.30.40: seq=1 ttl=63 time=20.326 ms
64 bytes from 192.168.30.40: seq=2 ttl=63 time=19.949 ms
64 bytes from 192.168.30.40: seq=3 ttl=63 time=20.095 ms
64 bytes from 192.168.30.40: seq=4 ttl=63 time=19.994 ms

No, in PBR they are also used.
