[Solved] Split tunnel openvpn to just a few specific sites

It's been years since I had equipment that I could load openwrt on. I finally got four MX5300s and they are set up with 802.11s. I have a protonvpn config loaded and working. PBR installed and watched Dev Odyssey but I still seem to be stuck. I have set the dns policy for example to homedepot.com, which is geo blocked where I live, as well as a few utility sites I need to pay bills on. I am doing this in the gui btw. I guess what I need to find out how to do is stop all lan traffic from hitting the vpn, and set it to only route the sites I specify. I did notice tun0 doesn't exist until I start the vpn but saw someone online just manually create the interface. This should be easy but I feel like I am just a few clicks away.

The PBR read.me should get you going.

You use ProtonVPN but are you using OpenVPN or WireGuard?

I trust you have set this up on the main router and not on the AP?

OpenVPN, and yes it's on the main router. I also added the ignore redirect gateway to the Proton config. The VPN works perfectly, just too perfectly :joy:

If you did that correctly then all traffic should go via the WAN.

It can help if you share your configs. Please connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
service pbr status

and of course the OpenVPN config :slight_smile:

"kernel": "6.6.73",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys MX5300",
        "board_name": "linksys,mx5300",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "qualcommax/ipq807x",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd93:3739:5cfc::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.68.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '9.9.9.9'
        list dns '149.112.112.112'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '9.9.9.9'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'openvpn'
        option proto 'none'
        option device 'tun0'
        option auto '0'

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'
        list network 'wan'
        list network 'wan6'
        list network 'openvpn'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

default via 192.168.20.1 dev wan proto static src 192.168.20.9
192.168.20.0/24 dev wan proto kernel scope link src 192.168.20.9
192.168.68.0/24 dev br-lan proto kernel scope link src 192.168.68.1

It's not in bridge mode at the moment hence the 168.20 due to some issues after a storm last week and my old router no longer working with static WAN

pbr - environment
pbr 1.1.8-r10 running on OpenWrt 24.10.0.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip saddr { 192.168.68.0/24 }  goto pbr_mark_0x020000 comment "HD"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.68.0/24 }  goto pbr_mark_0x010000 comment "ALL"

pbr chains - policies
        chain pbr_forward { # handle 684
        }
        chain pbr_input { # handle 685
        }
        chain pbr_output { # handle 686
        }
        chain pbr_postrouting { # handle 688
        }
        chain pbr_prerouting { # handle 687
                ip saddr 192.168.68.0/24 goto pbr_mark_0x020000 comment "HD" # handle 2859
                ip saddr 192.168.68.0/24 goto pbr_mark_0x010000 comment "ALL" # handle 2860
        }
        chain pbr_dstnat { # handle 683
        }

pbr chains - marking
        chain pbr_mark_0x010000 { # handle 2853
                meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 2854
                return # handle 2855
        }
        chain pbr_mark_0x020000 { # handle 2856
                meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2857
                return # handle 2858
        }

pbr nft sets

pbr tables & routing
IPv4 table 256 pbr_wan route:
default via 192.168.20.1 dev wan
IPv4 table 256 pbr_wan rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 pbr_openvpn route:
IPv4 table 257 pbr_openvpn rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_openvpn

openvpn

client
dev tun0
proto udp
pull-filter ignore "redirect-gateway" 

remote-random
resolv-retry infinite
nobind

cipher AES-256-GCM

setenv CLIENT_CERT 0
tun-mtu 1500
mssfix 0
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server

Minor detail: as you have already added list network 'openvpn', you can remove list device 'tun0'.

You have two PBR policies for your LAN subnet, one to use the WAN and the other to use the VPN; delete the rule using the WAN (the WAN is already the default).

Is the VPN actually running? It does not look like it.

You can check with: logread -e openvpn

If you cannot get OpenVPN going, then consider using WireGuard; I have some notes about setting up WireGuard with Proton VPN.
If you are interested, see my notes about setting up WireGuard:

You need the WireGuard Client Setup guide

Direct download WireGuard Client Setup guide

I have it turned off at the moment, correct.

Okay, let me delete that policy; I think it was built in.

I will check out that wireguard as well

The two enabled policies were me testing last night. I turned them off for now

Test with only one policy and that is to route your lan subnet via the VPN

so source 192.168.68.0/24 via openvpn and nothing else

Reboot after you have set the policy and check from lan clients with ipleak.net

Yes this works perfectly.
I have wireguard installed just in case as well.

Great we now know that OpenVPN and PBR are working.

You were talking about routing of domains. For that, the domains must be resolved to their IP addresses; that can be done one time at the start. For that you have the PBR setting "Use resolver set support for domains":
"Disabled" means one time at the start
"DNSMasq nft set" means dynamically resolved

DNSMasq nft set is the preferred method but does not always work, depending on DNS settings.

But try that for a start. Note that the domains must be resolved first to become part of the set, and both your client and the router have their DNS caches.

For testing, again use ipleak.net as the domain: just make a PBR rule with ipleak.net as the remote address.

Some general focus points for Domain based routing:

  • You need to have DNSMasq full installed to use nftsets (recommended); see the PBR read.me.
  • DNSMasq must be used as the DNS resolver, so the use of DNS hijacking needs special attention; see the PBR DNS policies above.
  • The domains must first be resolved by DNSMasq before they are added to the set so flush DNS cache on router and client or reboot both router and client.
  • It takes about a minute after Saving and Applying before services have restarted and routing is in place so be patient!
  • Domain based PBR rules usually have to come first, so make sure those rules are on top in the GUI!
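Two of the problems in this thread are visible in the `service pbr status` text alone: a dnsmasq build whose "Compile time options" line says `no-nftset` (so "DNSMasq nft set" cannot work until dnsmasq-full is installed), and more than one `pbr_prerouting` policy matching the same source subnet (the "HD" and "ALL" pair above). The following POSIX sh script is an added example, not code from this thread or from the pbr package; it runs those two checks over a status text embedded inline (constructed to mirror the one posted above, plus a constructed "good" variant) and only assumes the `grep`, `sed` and `awk` found in busybox. On a router you would feed it `service pbr status` instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread or the pbr project): lint the text of
# `service pbr status` for two misconfigurations discussed in this thread.

# Constructed status text, trimmed to the sections the checks read and
# mirroring what was posted in the thread (dnsmasq without nftset, two
# policies for the same LAN subnet).
SAMPLE_STATUS='pbr - environment
pbr 1.1.8-r10 running on OpenWrt 24.10.0.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add rule inet fw4 pbr_prerouting ip saddr { 192.168.68.0/24 }  goto pbr_mark_0x020000 comment "HD"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.68.0/24 }  goto pbr_mark_0x010000 comment "ALL"

pbr chains - policies
        chain pbr_prerouting { # handle 687
                ip saddr 192.168.68.0/24 goto pbr_mark_0x020000 comment "HD" # handle 2859
                ip saddr 192.168.68.0/24 goto pbr_mark_0x010000 comment "ALL" # handle 2860
        }
'

# Constructed "good" status: a dnsmasq build with nftset and a single policy.
SAMPLE_STATUS_OK='Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile

pbr chains - policies
        chain pbr_prerouting { # handle 687
                ip saddr 192.168.68.0/24 goto pbr_mark_0x020000 comment "HD" # handle 2859
        }
'

# Exit 0 when the "Compile time options" line advertises nftset support,
# 1 when it says no-nftset (or when no such line is present at all).
dnsmasq_has_nftset() {
    opts=$(printf '%s\n' "$1" | grep '^Compile time options:' || true)
    case " $opts " in
        *" no-nftset "*) return 1 ;;
        *" nftset "*)    return 0 ;;
        *)               return 1 ;;
    esac
}

# Print "<saddr> <count>" for every source address matched by more than one
# rule inside the pbr_prerouting chain block; exit 1 if any duplicate exists.
# Only the chain listing is inspected, not the "add rule ..." file dump.
duplicate_saddr_policies() {
    printf '%s\n' "$1" \
    | sed -n '/chain pbr_prerouting/,/^ *}/p' \
    | awk '/ip saddr/ { for (i = 1; i <= NF; i++) if ($i == "saddr") n[$(i+1)]++ }
           END { dup = 0; for (a in n) if (n[a] > 1) { print a, n[a]; dup = 1 } exit dup }'
}

# Run both checks, print human-readable warnings, exit 1 if anything was found.
pbr_lint() {
    rc=0
    if ! dnsmasq_has_nftset "$1"; then
        echo "WARN: dnsmasq lacks nftset support; install dnsmasq-full before choosing 'DNSMasq nft set'"
        rc=1
    fi
    dups=$(duplicate_saddr_policies "$1" || true)
    if [ -n "$dups" ]; then
        echo "WARN: more than one pbr_prerouting policy matches the same source (keep one):"
        printf '  %s\n' "$dups"
        rc=1
    fi
    return $rc
}

# Demo run over the constructed sample; on a router use: pbr_lint "$(service pbr status)"
pbr_lint "$SAMPLE_STATUS" || echo "pbr_lint found problems (exit status $?)"
```

The duplicate check deliberately reads the rendered `chain pbr_prerouting { ... }` block rather than the `add rule` lines, because the former is what the kernel actually evaluates; a policy that exists in the nft file but failed to load will not show up there.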

Checking logs because now pbr isn't starting, even after full reboot.

Also

See my earlier post

But you can try without

Oh I see, the full package. Okay, setting it up. Also I noticed when I added a second Proton config it seemed to break pbr. I disabled both of those and set up WireGuard using your guide and now pbr starts without issues. Sites load perfectly and ipleak shows my non-VPN IP due to my routes, which is what I want. But digging deeper into homedepot it fails. Getting the dns full package set up now. Thanks

and correct I have the lan to wan rule last and domains to vpn at the top

Think about what you want regarding WireGuard: if you want default routing via the VPN, then enable Route Allowed IPs.

For testing whether domain-based routing works, you only have to have one rule with:
Remote domains: ipleak.net
Interface: wan

After rebooting, testing from your LAN client should show the WAN IP address with ipleak.net.
As said, it can take a minute or two before the domain ipleak.net is resolved and the IP address is added to the nftset via DNSMasq.

Yea it looks like it's working now

I have 3 domain rules and all load now; tested tracert too and it goes out Proton.
tracert to Google DNS goes out my ISP WAN pipe.

Seems to be much faster too with WG


Yes on average WireGuard is 2-3 times faster than OpenVPN.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Will do thanks for all the help
