VPN Bypass (split tunneling) Service + Luci UI


#83

Hello. I'm using Chaos Calmer 15.05. Installed the service without any problem, but it did not work. Inspecting the logs, I found there was no "ip" command in my system, so I installed it via "opkg install ip". However, upon vpn-bypass reload, my router stopped accepting any traffic on the LAN port and refused any connections to the web interface and SSH (Internet still worked, though), so I had to enter safe mode and disable the vpn-bypass service again. What went wrong here? Thank you.

UPDATE: I set "Local IP Addresses to Bypass" to 192.168.1.6 (it was 192.168.1.6/24), and started service again, via WEB interface (not SSH console) and now everything seems to work fine. Thank you for this handy service.


#84

Hello. Thanks for your work!
I seem to be struggling with domain based exclusions. It seemed to be working a few days back, but now it's not. I went back to that config from a couple of days ago (I saved that config right after I installed your mod, and had tested it) but to no avail. Same issue now.

IP exclusions work fine, so other than domains, it seems to be working. I've stripped all my domains but one for testing ( /whatismyipaddress.com/vpnbypass ). Still no luck.

DHCP:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option quietdhcp '1'
	option sequential_ip '1'
	option nonwildcard '0'
	option serversfile '/tmp/adb_list.overall'
	list ipset '/whatismyipaddress.com/vpnbypass'

ipset save returns:

root@LEDE:~# ipset save
create vpnbypass hash:ip family inet hashsize 1024 maxelem 65536

So, it seems no ips for exclusion for the domain are being issued.

dnsmasq-full	2.78-6
ipset	6.32-1
iptables	1.4.21-3
luci-app-vpnbypass	git-18.068.60872-bf04031-3
vpnbypass	1.3.1-1

Maybe noteworthy, when restarting dnsmasq service:

Sun Apr  8 00:08:03 2018 daemon.err uhttpd[584]: udhcpc: started, v1.25.1
Sun Apr  8 00:08:03 2018 daemon.err uhttpd[584]: udhcpc: sending discover
Sun Apr  8 00:08:06 2018 daemon.err uhttpd[584]: udhcpc: no lease, failing
...
Sun Apr  8 00:09:23 2018 daemon.err modprobe: xt_set is already loaded
Sun Apr  8 00:09:23 2018 daemon.err modprobe: ip_set is already loaded
Sun Apr  8 00:09:23 2018 daemon.err modprobe: ip_set_hash_ip is already loaded
...

#85

The reason for that is most likely either one or a combination of the below:

  • hardcoded DNS (other than router's IP) setting in the client
  • dhcp options pointing clients to DNS (other than router's IP) server
  • DNS cache on the client

Start by rebooting your client device(s).
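The symptom in the post above (a `list ipset '/domain/setname'` entry in the dnsmasq config, but `ipset save` showing the set with no members) is exactly what you see when client queries never reach the router's dnsmasq. The following is an added diagnostic, not code from the vpnbypass project: it parses the dnsmasq section of `/etc/config/dhcp` and the output of `ipset save` and reports, for every ipset that dnsmasq is supposed to fill, whether the set is missing, empty, or populated. The two sample inputs are constructed from the lines posted in this thread; the `192.0.2.x` addresses in the "healthy" sample are documentation addresses, not real resolutions.

```python
"""Check whether dnsmasq domain-based ipsets are actually being populated.

Added example: parses UCI dnsmasq 'list ipset' entries and `ipset save`
output, both captured by hand on the router (e.g. `cat /etc/config/dhcp`
and `ipset save`), and flags sets that should have members but don't.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant part of /etc/config/dhcp from the thread.
UCI_DHCP = """
config dnsmasq
\toption domainneeded '1'
\toption local '/lan/'
\toption serversfile '/tmp/adb_list.overall'
\tlist ipset '/whatismyipaddress.com/vpnbypass'
"""

# Constructed sample: `ipset save` showing the symptom (set exists, no members).
IPSET_SAVE_EMPTY = """
create vpnbypass hash:ip family inet hashsize 1024 maxelem 65536
"""

# Constructed sample of the healthy state; 192.0.2.0/24 is a documentation range.
IPSET_SAVE_OK = """
create vpnbypass hash:ip family inet hashsize 1024 maxelem 65536
add vpnbypass 192.0.2.10
add vpnbypass 192.0.2.11
"""

_IPSET_OPT = re.compile(r"^\s*list\s+ipset\s+'([^']*)'")


def parse_uci_ipset_domains(uci_text):
    """Map ipset name -> domains dnsmasq should resolve into it.

    The UCI value uses dnsmasq's --ipset syntax: /dom1/dom2/set1,set2
    (every leading component is a domain, the last one is a set list).
    """
    domains_by_set = defaultdict(list)
    for line in uci_text.splitlines():
        m = _IPSET_OPT.match(line)
        if not m:
            continue
        parts = [p for p in m.group(1).split("/") if p]
        if len(parts) < 2:
            continue  # malformed entry: no domain or no set name
        for set_name in parts[-1].split(","):
            domains_by_set[set_name].extend(parts[:-1])
    return dict(domains_by_set)


def parse_ipset_save(save_text):
    """Map ipset name -> list of member entries from `ipset save` output."""
    members = {}
    for line in save_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "create" and len(fields) >= 2:
            members.setdefault(fields[1], [])
        elif fields[0] == "add" and len(fields) >= 3:
            members.setdefault(fields[1], []).append(fields[2])
    return members


def diagnose(uci_text, save_text):
    """Return {set_name: 'missing' | 'empty' | 'populated'} for configured sets."""
    wanted = parse_uci_ipset_domains(uci_text)
    have = parse_ipset_save(save_text)
    findings = {}
    for set_name in wanted:
        if set_name not in have:
            findings[set_name] = "missing"   # dnsmasq/vpnbypass never created it
        elif not have[set_name]:
            findings[set_name] = "empty"     # created, but no resolution went through dnsmasq
        else:
            findings[set_name] = "populated"
    return findings


if __name__ == "__main__":
    print("configured:", parse_uci_ipset_domains(UCI_DHCP))
    print("symptom   :", diagnose(UCI_DHCP, IPSET_SAVE_EMPTY))
    print("healthy   :", diagnose(UCI_DHCP, IPSET_SAVE_OK))
```

An "empty" result for a set that has domains configured points at the client side rather than the router: the names are being resolved somewhere other than the router's dnsmasq (a hardcoded resolver, a DHCP option handing out a different DNS server, or a cached answer), which is the list given in the reply above.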


#86

Ah, understood. Between my previous post and now, I ended up reloading everything from scratch on the router. Seems to be working well at the moment.
So to confirm, I should be issuing my clients my router's IP (and only the router's IP) for DNS?
I indeed have both:

  1. hardcoded DNS (other than router’s IP) setting in the client
  2. dhcp options pointing clients to DNS (other than router’s IP) server

Appreciate the feedback and time spent. You've gone above and beyond with this much needed mod. I'll donate for your efforts if you have a place to send. No strings attached.

UPDATE:
After repeating my setup, changing configs and installing mods, restarting each time and checking the proper functioning of bypass, I've narrowed it down to Adblock. Once I installed and enabled adblock w/ luci-app, and then restarted the router, I'm back to where I was before (somewhat). Removing the mods returned functionality to normal.
Dunno what to think.


#87

I personally use the simple-adblock package instead, but any ad-blocking running on the router shouldn't affect VPNBypass (or vice versa). If dnsmasq on your server is used by your clients to resolve addresses, then both vpnbypass and vpn-policy-routing domain-based policies should work just fine.

PS. I'm not sure if there's a way to do it yet, but please donate to the OpenWrt project instead. :wink:


#88

Donation to Software in the Public Interest, Inc. (for OpenWRT)
Completed
-$50.00 USD

Alright, while you already contribute to OpenWRT with code, you've now donated 50 bucks too. Thanks Stan.

I was able to narrow down that adblock in itself wasn't the issue, as you thought. It was one of the lists I was subscribed to within adblock that was causing my IP tests to fail. ipset save was reporting IPs fine. So I don't really know what caused my initial failures that brought me to this thread (blank ipset save), but now that I've reloaded everything, it's all good and running strong.

I will note, that your custom repo instructions initially 'broke' my R7800. It has something to do with libustream-mbedtls.

That's it. Thanks again for your responses and dev. Best.


#89

The dependency on the libustream libraries is not easily resolved, but I will update my guide to check if there's a libustream library already installed so as not to install libustream-mbedtls. :wink:


#90

Hi @stangri! I need your help, I'm a bit stuck here.
I've bought a GL-B1300, by GL.iNet, a wifi router:

cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='Chaos Calmer'
DISTRIB_REVISION='r35193'
DISTRIB_CODENAME='chaos_calmer'
DISTRIB_TARGET='ipq806x/generic'
DISTRIB_DESCRIPTION='OpenWrt Chaos Calmer 15.05.1'
DISTRIB_TAINTS='busybox'

I've set up my router-modem into "Modem only" mode, enabled the VPN and I wanted to exclude Plex (which is in the same room as the router). Found your package (thank you!!) and installed it, but unfortunately my external IP isn't changing.
I've left 3200 as port, added a client for testing (the laptop I'm typing on), enabled the service and tried whatsmyip: the result with or without enabling VPNBypass is identical, the IP is always the one on the other end of the VPN.
Can you point me in the right direction? Is there any log I could check to understand what's going on? Do I need to add any rule to my firewall or it should work out of the box?

Thanks! :slight_smile:


#91

The GL-inet version of B1300 firmware is pretty heavily customized. Does the vpnbypass start without errors?

Also, post (or PM me) the content of the following files from your router:
/etc/config/dhcp
/etc/config/firewall
/etc/config/upnpd
/etc/config/vpnbypass

and the output of iptables-save | grep xmark.


#92

The GL.iNet GL-B1300 has been supported in master (snapshots) for about two months now; it would probably be a better idea to install one of those (the usual caveats of snapshots and luci not being preinstalled apply).

https://github.com/openwrt/openwrt/commit/04d3308b6248ef21a6f0bc3378b342906c2d2865


#93

@slh -- last time I built an image for B1300 with the image builder not everything worked. I think there were some issues with some radios and definitely one of the ethernet ports didn't work. That was about a month ago tho.


#94

The last relevant fixes for the GL.iNet GL-B1300 were merged on March 17th and it seems to be complete (obviously I can't judge if the settings are correct or if it actually works).


#95

Thank you for confirming that. Would those fixes be present in 18.04 when it's released?


#96

18.xx hasn't branched off yet, so everything that's in master already (or will end up there 'soon') will be part of 18.xx; so, yes.


#97

Hi, thanks for answering
I would really love having only openwrt on my router actually, I'll try version 18 once out, but at the moment I'm stuck with current unfortunately (I don't like the GUI GL.iNet added on top of OpenWRT).

@stangri:
This is logread after a vpnbypass restart:

Sun Apr 22 01:11:23 2018 user.notice vpnbypass [4290]: service stopped
Sun Apr 22 01:11:23 2018 daemon.err modprobe: xt_set is already loaded
Sun Apr 22 01:11:23 2018 daemon.err modprobe: ip_set is already loaded
Sun Apr 22 01:11:23 2018 daemon.err modprobe: ip_set_hash_ip is already loaded
Sun Apr 22 01:11:23 2018 user.notice vpnbypass [4290]: service started with TID: 200; FW_MARK: 0x010000
Sun Apr 22 01:11:24 2018 user.notice vpnbypass [4290]: service monitoring interfaces: wan VPN_client ✓

And here are my config files (the other 2 are in the next post since this system isn't allowing me to post more than 2 links):
/etc/config/dhcp
/etc/config/firewall

Thanks :slight_smile:


#98

The last two config files:
/etc/config/upnpd
/etc/config/vpnbypass

Most of these files should be the default since I've reset the router thinking changes I did earlier could be the issue with vpnbypass.

:slight_smile:


#99

Hi, sorry, does anyone have any hint about my problem? I really cannot figure out what's going wrong. Thanks :slight_smile:


#100

Still need this.


#101

iptables-save | grep xmark

-A VPNBYPASS -p tcp -m multiport --sports 32400 -j MARK --set-xmark 0x10000/0xff0000
-A VPNBYPASS -s 192.168.8.115/32 -j MARK --set-xmark 0x10000/0xff0000
-A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0xff00/0xff00
-A mwan3_iface_wan -i eth0 -m set --match-set mwan3_connected src -m mark --mark 0x0/0xff00 -m comment --comment default -j MARK --set-xmark 0xff00/0xff00
-A mwan3_iface_wan -i eth0 -m mark --mark 0x0/0xff00 -m comment --comment wan -j MARK --set-xmark 0x100/0xff00
-A mwan3_policy_default_poli -m mark --mark 0x0/0xff00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0xff00
-A mwan3_track -p icmp -m set --match-set mwan3_track_wan dst -m icmp --icmp-type 8 -m length --length 32 -j MARK --set-xmark 0xff00/0xff00
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff

#102

I haven't used mwan3 much, but as far as I understand it also allows you to set policies to route traffic. I'll need to review the full iptables-save output, but my immediate reaction would be that the combination of vpnbypass and mwan3 is probably producing unexpected results.

How and what for are you using mwan3?
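When several packages (here vpnbypass, mwan3 and the qos scripts) all write into the packet fwmark, the first thing worth checking is whether their `--set-xmark value/mask` and `--mark value/mask` bit ranges collide. The block below is an added example, not code from vpnbypass or mwan3: it parses `iptables-save` lines, groups the marks by the package that owns the chain (the text before the first underscore in the chain name), ORs together every mask each package touches, and reports any pair of packages that share fwmark bits. Run over a constructed subset of the rules posted in this thread it finds no overlap (vpnbypass uses 0xff0000, mwan3 0xff00, qos 0xff), so if the two packages interfere it is not through clobbered mark bits; the `hypothetical_policy` rule and its `192.0.2.0/24` source are constructed to show what a collision looks like.

```python
"""Find fwmark bit-range collisions between packet-marking chains.

Added example: feed it the output of `iptables-save | grep xmark` captured
by hand. Chains are attributed to the package that created them by the
prefix before the first '_' (VPNBYPASS, mwan3_*, qos_* in this thread).
"""
import re
from itertools import combinations

# Constructed sample: a subset of the iptables-save lines posted in the thread.
IPTABLES_SAVE = """\
-A VPNBYPASS -p tcp -m multiport --sports 32400 -j MARK --set-xmark 0x10000/0xff0000
-A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0xff00/0xff00
-A mwan3_iface_wan -i eth0 -m mark --mark 0x0/0xff00 -m comment --comment wan -j MARK --set-xmark 0x100/0xff00
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -j MARK --set-xmark 0x11/0xff
"""

# Constructed, hypothetical rule that writes into the same byte vpnbypass uses;
# 192.0.2.0/24 is a documentation range.
CONFLICTING_RULE = "-A hypothetical_policy -s 192.0.2.0/24 -j MARK --set-xmark 0x20000/0xff0000\n"

_CHAIN = re.compile(r"^-A\s+(\S+)")
# Matches "--set-xmark V/M" and "--mark V/M"; the mask part is optional in iptables syntax.
_MARK = re.compile(r"--(?:set-xmark|mark)\s+(0x[0-9a-fA-F]+|\d+)(?:/(0x[0-9a-fA-F]+|\d+))?")


def owner_of(chain):
    """Package that created the chain: text before the first underscore."""
    return chain.split("_", 1)[0]


def parse_marks(text):
    """Return {owner: {(value, mask), ...}} for every --set-xmark / --mark seen."""
    marks = {}
    for line in text.splitlines():
        c = _CHAIN.match(line)
        if not c:
            continue
        owner = owner_of(c.group(1))
        for val, mask in _MARK.findall(line):
            value = int(val, 0)
            m = int(mask, 0) if mask else 0xFFFFFFFF  # no mask given: whole fwmark
            marks.setdefault(owner, set()).add((value, m))
    return marks


def mask_of(owner_marks):
    """OR of all masks an owner sets or tests: the fwmark bits it relies on."""
    bits = 0
    for _, m in owner_marks:
        bits |= m
    return bits


def find_overlaps(text):
    """Return ({owner: mask_bits}, [(owner_a, owner_b, shared_bits), ...])."""
    bits = {o: mask_of(ms) for o, ms in parse_marks(text).items()}
    overlaps = []
    for a, b in combinations(sorted(bits), 2):
        shared = bits[a] & bits[b]
        if shared:
            overlaps.append((a, b, shared))
    return bits, overlaps


if __name__ == "__main__":
    bits, overlaps = find_overlaps(IPTABLES_SAVE)
    for owner, mask in sorted(bits.items()):
        print(f"{owner:<12} uses fwmark bits {mask:#010x}")
    print("overlaps in posted rules:", overlaps)
    print("overlaps with constructed rule:", find_overlaps(IPTABLES_SAVE + CONFLICTING_RULE)[1])
```

A clean result here only rules out mark-bit collisions; which `ip rule` / routing-table entry wins for a marked packet is a separate question, which is why the reply above asks to see the full `iptables-save` output and how mwan3 is being used.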