[Solved] vpn-policy-routing help please, I've been searching here and doing trial and error for hours

So I have ordered hardware for an upcoming router which I'm planning on using OpenWrt on.
I'm trying to learn OpenWrt things to be somewhat prepared for the real deal.

I've set up 2 VMs, one is OpenWrt on x86_64 and one is just Win10 connected to the OpenWrt LAN (host-only network).

OpenWrt VM setup:
WAN -> DHCP client from my real router, which I'm using until I get the hardware and can fix up the OpenWrt router
LAN -> DHCP from VirtualBox, host-only network

I installed luci-app-wireguard and luci-app-vpn-policy-routing + vpn-policy-routing to test this out, because it's a good thing in my current setup, so I want to learn it.

I followed Mullvad's (VPN provider for my WireGuard client) guide: https://mullvad.net/sv/help/running-wireguard-router/ - I did NOT do the DHCP/DNS steps because I believe they're not needed in my current VM setup(?)

The wireguard tunnel works and is online.

I want to be able to policy-route some IPs / subnets to WAN, for example.

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'wg_mlvd'
        option name 'wg_mlvdzone'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'

config forwarding
        option dest 'wg_mlvdzone'
        option src 'lan'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd61:4966:0236::/48'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0'

config interface 'lan'
        option proto 'dhcp'
        option ifname 'eth1'
        option gateway '192.168.1.42'

config interface 'wg_mlvd'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option force_link '1'
        list addresses 'xx.xx.xxx.xxx/32'

config wireguard_wg_mlvd
        option endpoint_host 'xxx.xx.xxx.xxx'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'

/etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset 'dnsmasq.ipset'
        option ipv6_enabled '0'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option iprule_enabled '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option enabled '1'
        list supported_interface 'wg_mlvd'
        list supported_interface 'wan'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

config policy
        option name 'Win10-VM'
        option src_addr '192.168.214.13'
        option proto 'all'
        option interface 'wan'
        option chain 'PREROUTING'

The thing is, if I select proto 'tcp udp', I can ping from the Windows 10 VM but not surf; ping works, which I find weird.
When selecting proto 'all' nothing works.
When selecting interface 'wireguard' it all works, but it doesn't go to WAN then, which is what I want.

Please let me know if there is additional information I forgot to mention here that you need to help me.

I'd appreciate it a lot if I get help.
Thanks

EDIT: I might be wrong, but from more testing around, it seems it has to do with the firewall and/or AllowedIPs in the WireGuard peer configuration under the interface.
When I set allow forwarding in the firewall general rules, traffic seems to get through, although it still seems to go through WireGuard, even though WAN is set as the interface for the policy.

EDIT #2: It seems like I have sorted it out for now; I had incorrect settings in input/output/forward in the firewall.

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile:

Ping uses ICMP protocol, that's why.

For further troubleshooting you can follow the instructions in VPN-PBR page.


Thank you, I edited the post.

So it seems like traffic won't go through the WAN interface via policy rules.

LAN interface should not be DHCP client because 1) it will also get gateway settings and 2) it is acting as DHCP server. Change it to static with IP and mask only, or make sure you filter out the gateway and disable the DHCP server.


Ok, I changed the LAN interface to static with the same IP and same netmask, no gateway.
Turned off the DHCP server on LAN.

No difference, I'm afraid.

I feel like maybe it has something to do with WireGuard forcing routes?

(I can't find how to quote here?)
Thx

Just select some text and the Quote button will pop up.

That should not be an issue. Let's see more about why it doesn't work:
ip -4 addr; ip -4 ru; ip -4 ro li tab all; iptables-save -c


What does this do?
I believe for now I have solved it; I had incorrect firewall zone rules for input/output/forward.

It is a few diagnostics.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

I did mark it as solved, just wanted to check with you, you seem like a skilled person in this; does this look good? It seems to work as I want, just want to make sure.

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'
        option forward 'ACCEPT'

config zone
        option network 'wg_mlvd'
        option name 'wg_mlvdzone'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'ACCEPT'
        option masq '1'
        option output 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option dest 'wg_mlvdzone'
        option src 'lan'

Seems right, you may change the forward to REJECT for wan and wg zones.

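A check for the zone settings that tripped this thread up, as an added example (not code from the thread or from the vpn-policy-routing project): it parses a UCI firewall config and reports whether the exit interface of a policy sits in a zone with masq enabled and has a forwarding from the lan zone. The sample configs are constructed cut-downs of the poster's before and after /etc/config/firewall.

```python
"""Audit an OpenWrt UCI firewall for what a vpn-policy-routing policy needs on
its exit interface: a zone covering the network, masq on that zone, and a
forwarding from the LAN zone. Added example; sample configs are constructed."""
import re

def parse_uci(text):
    """Parse UCI text into a list of {'type', 'opts', 'lists'} sections."""
    sections = []
    for line in text.splitlines():
        tok = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", line)]
        if tok and tok[0] == "config":
            sections.append({"type": tok[1], "opts": {}, "lists": {}})
        elif len(tok) > 2 and tok[0] == "option":
            sections[-1]["opts"][tok[1]] = tok[2]
        elif len(tok) > 2 and tok[0] == "list":
            sections[-1]["lists"].setdefault(tok[1], []).append(tok[2])
    return sections

def zone_networks(zone):
    """'option network' may be space-separated, or given as 'list network' entries."""
    return set(zone["opts"].get("network", "").split()) | set(zone["lists"].get("network", []))

def audit_exit_zone(firewall_text, exit_iface, src_zone="lan"):
    """Return the reasons (empty if none) LAN clients could not exit via exit_iface."""
    secs = parse_uci(firewall_text)
    zone = next((s for s in secs if s["type"] == "zone" and exit_iface in zone_networks(s)), None)
    if zone is None:
        return [f"no zone covers network {exit_iface!r}"]
    name, problems = zone["opts"].get("name"), []
    if zone["opts"].get("masq") != "1":  # private LAN source addresses would leave un-NATed
        problems.append(f"zone {name!r} lacks masq '1'")
    if not any(s["type"] == "forwarding" and s["opts"].get("src") == src_zone
               and s["opts"].get("dest") == name for s in secs):
        problems.append(f"no forwarding {src_zone!r} -> {name!r}")
    return problems

# Constructed cut-down of the poster's original firewall: the wan zone has no
# masq and nothing forwards lan -> wan, while the WireGuard zone has both.
FIREWALL_BEFORE = """
config zone
        option name 'wan'
        option network 'wan'
config zone
        option network 'wg_mlvd'
        option name 'wg_mlvdzone'
        option masq '1'
config forwarding
        option dest 'wg_mlvdzone'
        option src 'lan'
"""
# The poster's fix: masq on the wan zone plus a lan -> wan forwarding.
FIREWALL_AFTER = FIREWALL_BEFORE.replace("option name 'wan'", "option name 'wan'\n        option masq '1'"
                                         ) + "config forwarding\n        option src 'lan'\n        option dest 'wan'\n"
```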
