Trying to get VPN Policy Based Routing working

Before anyone says anything, I've definitely done my research and seen a bunch of different posts on this in the past, but I still don't seem to be able to figure this one out.

Setup

  • RPi-4
  • OpenWrt 22.03.0-rc6 custom imagebuilder
    • Relevant packages I installed: vpn-policy-routing luci-app-vpn-policy-routing ipset resolveip ip-full kmod-ipt-ipset iptables
  • wan0 and tun0 are both seen as service gateways in vpn-policy-routing and both get internet traffic
  • I've added pull-filter ignore "redirect-gateway" and tried different policies with both tun0 and wan0 as the default gateway

I want to be able to route a specific client by IP, or even a subnet with devices, through an OpenVPN tunnel via the LuCI UI provided by luci-app-vpn-policy-routing, or even the CLI with uci. What I don't get is that my use case is pretty simple, yet my policies don't seem to work at all.

I've tried using tun0 as the default gateway for traffic and adding policies to exclude specific devices so they go through wan0 instead, but no luck. As well as the inverse: wan0 as the default gateway with policies for specific clients to route to tun0 instead, also with no luck, unfortunately.

/etc/init.d/vpn-policy-routing support:

vpn-policy-routing 0.3.4-8 running on OpenWrt 22.03.0-rc6.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         d75-157-97-1.bc 0.0.0.0         UG    10     0        0 eth1

IPv4 Table 201: default via 10.188.1.90 dev tun0
10.0.0.0/8 dev br-lan proto kernel scope link src 10.0.0.1
IPv4 Table 201 Rules:
32765:	from all fwmark 0x10000/0xff0000 lookup tun0

IPv4 Table 202: unreachable default
10.0.0.0/8 dev br-lan proto kernel scope link src 10.0.0.1
IPv4 Table 202 Rules:
32764:	from all fwmark 0x20000/0xff0000 lookup tun1

IPv4 Table 203: default via 75.157.97.1 dev eth1
10.0.0.0/8 dev br-lan proto kernel scope link src 10.0.0.1
IPv4 Table 203 Rules:
32763:	from all fwmark 0x30000/0xff0000 lookup wan0
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set wan0_mac src -c 0 0 -g VPR_MARK0x030000
-A VPR_PREROUTING -m set --match-set wan0_ip src -c 0 0 -g VPR_MARK0x030000
-A VPR_PREROUTING -m set --match-set tun1_mac src -c 0 0 -g VPR_MARK0x020000
-A VPR_PREROUTING -m set --match-set tun1_ip src -c 0 0 -g VPR_MARK0x020000
-A VPR_PREROUTING -m set --match-set tun0_mac src -c 0 0 -g VPR_MARK0x010000
-A VPR_PREROUTING -m set --match-set tun0_ip src -c 6 401 -g VPR_MARK0x010000
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x010000
-N VPR_MARK0x010000
-A VPR_MARK0x010000 -c 6 401 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_MARK0x010000 -c 6 401 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x020000
-N VPR_MARK0x020000
-A VPR_MARK0x020000 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_MARK0x020000 -c 0 0 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x030000
-N VPR_MARK0x030000
-A VPR_MARK0x030000 -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_MARK0x030000 -c 0 0 -j RETURN
============================================================
Current ipsets
create vpnbypass hash:ip family inet hashsize 1024 maxelem 65536
create tun0_ip hash:net family inet hashsize 1024 maxelem 65536 comment
add tun0_ip 10.0.0.168 comment "phone: 10.0.0.168"
create tun0_mac hash:mac hashsize 1024 maxelem 65536 comment
create tun1_ip hash:net family inet hashsize 1024 maxelem 65536 comment
create tun1_mac hash:mac hashsize 1024 maxelem 65536 comment
create wan0_ip hash:net family inet hashsize 1024 maxelem 65536 comment
create wan0_mac hash:mac hashsize 1024 maxelem 65536 comment
============================================================

/etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option dest_ipset '0'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '1'
	option webui_enable_column '1'
	option webui_protocol_column '1'
	option webui_chain_column '1'
	option webui_show_ignore_target '1'
	option resolver_ipset 'none'
	option src_ipset '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option src_addr '10.0.0.168'
	option proto 'all'
	option name 'phone'
	option interface 'tun0'

/etc/init.d/vpn-policy-routing reload

Creating table 'tun0/10.188.1.90' [✓]
Creating table 'tun1/0.0.0.0' [✓]
Creating table 'wan0/eth1/75.157.97.1' [✓]
Routing 'phone' via tun0 [✓]
vpn-policy-routing 0.3.4-8 monitoring interfaces: tun0 tun1 wan0 [✓]
vpn-policy-routing 0.3.4-8 started with gateways:
tun0/10.188.1.90
tun1/0.0.0.0
wan0/eth1/75.157.97.1 [✓]

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5f:c502:cdb7::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '10.0.0.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option netmask '255.0.0.0'

config interface 'tun0'
	option proto 'none'
	option device 'tun0'

config interface 'tun1'
	option proto 'none'
	option device 'tun1'

config interface 'wan0'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	option dns '10.0.0.1'
	option dns_search 'lan'
	option metric '10'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wan0'
	list network 'wwan0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'tun0'
	list network 'tun1'
	list device 'tun+'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'

Any thoughts or pointers?
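As an added check (not from the post or the vpn-policy-routing project), the script below parses the LAN block of the network config and tests whether any gateway that vpn-policy-routing reported lies inside a LAN prefix; with the values above, the 255.0.0.0 netmask puts the tun0 gateway 10.188.1.90 inside 10.0.0.0/8, the same prefix every policy table carries as a br-lan route. The UCI snippet and gateway list are copied from the post; `NETWORK_CONFIG`, `GATEWAYS` and the function names are the script's own.

```python
import ipaddress
import re

# LAN interface block, copied from the /etc/config/network shown in the post.
NETWORK_CONFIG = """
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.0.0.0'
"""

# Gateways as printed by "/etc/init.d/vpn-policy-routing reload" in the post.
GATEWAYS = {"tun0": "10.188.1.90", "wan0": "75.157.97.1"}


def parse_static_interfaces(uci_text):
    """Return {ifname: IPv4Network} for each 'config interface' with a static ipaddr/netmask."""
    nets = {}
    for block in re.split(r"^config ", uci_text, flags=re.M):
        m = re.match(r"interface '([^']+)'", block)
        if not m:
            continue
        opts = dict(re.findall(r"option (\w+) '([^']*)'", block))
        if "ipaddr" in opts and "netmask" in opts:
            # IPv4Interface accepts a dotted netmask and yields the covering prefix.
            nets[m.group(1)] = ipaddress.IPv4Interface(
                f"{opts['ipaddr']}/{opts['netmask']}"
            ).network
    return nets


def overlapping_gateways(nets, gateways):
    """List (gw_if, gw_ip, lan_if, lan_prefix) for every gateway that falls inside a LAN prefix."""
    hits = []
    for gw_if, gw_ip in gateways.items():
        addr = ipaddress.IPv4Address(gw_ip)
        for lan_if, net in nets.items():
            if addr in net:
                hits.append((gw_if, gw_ip, lan_if, str(net)))
    return hits


def check_config(uci_text, gateways):
    """Parse the config and report gateway/LAN overlaps in one call."""
    return overlapping_gateways(parse_static_interfaces(uci_text), gateways)


if __name__ == "__main__":
    for gw_if, gw_ip, lan_if, net in check_config(NETWORK_CONFIG, GATEWAYS):
        print(f"gateway {gw_if} ({gw_ip}) lies inside {lan_if} prefix {net}")
```

Re-running the check with the LAN netmask tightened to 255.255.255.0 reports nothing, which is the comparison worth making before looking further at the policy rules.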