VPN PBR: only a port range and one IP

Hi, actually I've configured PBR to use my VPN with only one IP of my LAN, but now I want to set only a port range (always from the same IP).

Do you have some idea about it?

What does 'PBR' mean?


Policies based on local port numbers. Can be set as an individual port number (32400), a range (5060-5061), a space-separated list (80 8080) or a combination of the above (80 8080 5060-5061). Limited to 15 space-separated entries per policy.

Thank you both for your reply.

Actually, if I follow the configuration from the wiki I get some problems. I'm following this scenario:
Local OpenVPN Server (Scenario 2), because I also run an OpenVPN server and I want to use the VPN client only for one of my devices. So, right now I get this error if I follow the wiki:

  1. All my LAN is under the VPN; I want only one specific host to be under the VPN

Here are some screenshots:
[screenshot: Firewall - Zones]
[screenshot: Interfaces]
[screenshot: Policies]
Maybe I have bad firewall settings?
Do you have some idea?

Your VPN appears unassigned to a firewall zone.

Yep, I'm not so good with firewall rules. I followed this:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic#basic_server
And I added this rule:
[screenshot: Open-Vpn-Server]

Maybe I made some mistake?

The OpenVPN basic how-to describes the basic server setup focused on fault tolerance.
The VPN-PBR app relies on higher level abstraction which may require additional configuration.
However, it may not be really necessary in your case.
What you actually need is to switch your server and its clients to TCP and enable this policy.
Also you need to modify your current policy to limit the rule scope to specific ports.

Thanks @vgaetera

So, you suggest using both, scenario 1 and scenario 2?
I never tried both, I'll try.
Like you said, I have to switch to the TCP protocol.

I think I'm missing something; it's not working, all the LAN is under the VPN.

Here are some logs/data:

vpn-policy-routing 0.1.1-1 running on OpenWrt 18.06.4. WAN (IPv4): wan/dev/192.168.1.1.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.57.10.5      128.0.0.0       UG    0      0        0 tun1
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.2
IPv4 Table 201: default via 192.168.1.1 dev eth0.2
IPv4 Table 201 Rules:
32759:	from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.57.10.6 dev tun1
IPv4 Table 202 Rules:
32758:	from all fwmark 0x20000 lookup 202
IPv4 Table 203: default via 10.8.0.1 dev tun0
IPv4 Table 203 Rules:
32757:	from all fwmark 0x30000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.0.0.100/32 ! -d 10.8.0.0/24 -p udp -m multiport --sports 10000:65535 -m comment --comment Nas -c 3760 351398 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -s 10.0.0.100/32 ! -d 10.8.0.0/24 -p tcp -m multiport --sports 10000:65535 -m comment --comment Nas -c 307635 20880105 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set VPN_SERVER dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set PIA_VPN dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -p tcp -m multiport --sports 1194 -m comment --comment OpenVPN_Server -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create PIA_VPN hash:net family inet hashsize 1024 maxelem 65536 comment
create VPN_SERVER hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
root@OpenWrt:~# cat /etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option strict_enforcement '1'
        option boot_timeout '30'
        list ignored_interface 'vpn_server'
        option append_local_rules '! -d 10.8.0.0/24'
        option local_ipset '0'
        option iptables_rule_option 'append'
        option iprule_enabled '0'
        option enable_control '0'
        option proto_control '0'
        option chain_control '0'
        option remote_ipset 'dnsmasq.ipset'
        option sort_control '1'
        option enabled '1'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

config policy
        option chain 'PREROUTING'
        option name 'Nas'
        option local_address '10.0.0.100/32'
        option proto 'tcp udp'
        option interface 'PIA_VPN'
        option local_port '10000-65535'

config policy
        option name 'OpenVPN Server'
        option interface 'wan'
        option local_port '1194'
        option chain 'OUTPUT'

config openvpn 'vpn_server'
        option port '1194'
        option proto 'tcp'
        option server '10.8.0.0 255.255.255.0'

Your default route routes all traffic via VPN:

default         10.57.10.5      128.0.0.0       UG    0      0        0 tun1

Marking traffic from the NAS and routing it into the special table 202 routes it via 10.57.10.6. First of all, I don't understand why there are two IPs: 10.57.10.5 and 10.57.10.6. You should leave the default route after establishing the connection to PIA_VPN.

Thank you @ulmwind for your reply.
I don't know why there are two 10.57.10.x addresses.
If it can help, I can rewrite everything from scratch, in order to better explain what the expectation is and what the current situation is. There are so many settings and variables that it is quite easy to make a bad move, especially for me, since I never understood routing very well. I'm not an expert at all about routing; I ask questions and do searches, but I always make moves like a blind man on a highway!

The goals:

  1. Have only some selected devices (for now only one) under the OpenVPN client (connected to the PIA VPN)
  2. Have a running OpenVPN server in order to connect from outside home
  3. All working, lol.

So actually right now, after doing some research and making some experiments, I have an
OpenVPN server with these settings:

verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 10.8.0.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 10.0.8.1"
push "dhcp-option DOMAIN lan"
push "route 10.0.0.0 255.255.255.0 vpn_gateway"
push "persist-tun"
push "persist-key"

For the server I only set the traffic rules (inside the firewall; we will see the firewall later) like the basic server guide says:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic#basic_server
Then I configured a VPN client to PIA with these settings:

ca /etc/openvpn/ca.rsa.2048.crt
ifconfig 10.0.0.2 10.0.0.1
verb 3
mute 3
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp4
cipher aes-128-cbc
auth sha1
auth-user-pass /etc/openvpn/userpass.txt
remote sweden.privateinternetaccess.com 1198
comp-lzo adaptive
tun-mtu 1500
mtu-disc yes
fast-io
passtos
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "redirect-gateway"
mute-replay-warnings
tls-client
remote-cert-tls server
persist-local-ip 
persist-remote-ip
log /var/log/openvpn.log
writepid /tmp/run/openvpncl.pid

We'll discuss the pull-filter ignore "redirect-gateway" option later; before that I want to show you the firewall, because I think the very first mistake is here. I don't think that the firewall rule for the VPN client is the right one:

root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].device='tun0'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='WAN6 wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.lan_wan=forwarding
firewall.lan_wan.dest='wan'
firewall.lan_wan.src='lan'
firewall.@zone[2]=zone
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].name='pia'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='PIA_VPN'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='pia'
firewall.@forwarding[1].src='lan'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'

I created a pia zone for the firewall but, like I said, I don't know if it is a good idea.
Then under vpn-policy-routing I created a rule named Nas:

root@OpenWrt:~# uci show vpn-policy-routing
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.ignored_interface='vpn_server'
vpn-policy-routing.config.append_local_rules='! -d 10.8.0.0/24'
vpn-policy-routing.config.local_ipset='0'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.iprule_enabled='0'
vpn-policy-routing.config.enable_control='0'
vpn-policy-routing.config.proto_control='0'
vpn-policy-routing.config.chain_control='0'
vpn-policy-routing.config.remote_ipset='dnsmasq.ipset'
vpn-policy-routing.config.sort_control='1'
vpn-policy-routing.config.enabled='0'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].chain='PREROUTING'
vpn-policy-routing.@policy[0].name='Nas'
vpn-policy-routing.@policy[0].local_address='10.0.0.100/32'
vpn-policy-routing.@policy[0].proto='tcp udp'
vpn-policy-routing.@policy[0].interface='PIA_VPN'
vpn-policy-routing.@policy[0].local_port='10000-65535'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].name='OpenVPN Server'
vpn-policy-routing.@policy[1].interface='wan'
vpn-policy-routing.@policy[1].local_port='1194'
vpn-policy-routing.@policy[1].chain='OUTPUT'
vpn-policy-routing.vpn_server=openvpn
vpn-policy-routing.vpn_server.port='1194'
vpn-policy-routing.vpn_server.proto='tcp'
vpn-policy-routing.vpn_server.server='10.8.0.0 255.255.255.0'

Before yesterday the OpenVPN Server rule was not active. I don't know if it makes a difference.
So, why did I put the pull-filter ignore "redirect-gateway" rule inside the client config?
Because otherwise the rule to redirect only one IP through the VPN client won't work!
So in this way it works, but it seems that the port range is not working.
Originally I followed this


I think I'm missing the part "If the VPN Client is not used as default routing", because I don't know how to NOT set the VPN as the default route.

Later I opened this post, because I feel like something is wrong in my configuration and because I can't make the port range work.

I don't know if pull-filter ignore "redirect-gateway" is a good idea; I can't find information about it on the wiki.

What am I doing wrong?

Sorry, I can't read the output of uci. Please post the contents of the corresponding files. https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

As far as I've understood, you should create an additional routing table for the client after establishing the connection. I think it is better to do it via the scripts corresponding to connection up/down.

Here my lack of knowledge is evident! I can't understand your link, because I'm using both the server and the client at the same time :smiley:
I know that if I put this ignore redirect-gateway inside the PIA VPN (the client for my router) I can specify the IP that has to use the VPN, via PBR.
This is the current vpn-policy-routing:

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option strict_enforcement '1'
	option boot_timeout '30'
	list ignored_interface 'vpn_server'
	option append_local_rules '! -d 10.8.0.0/24'
	option local_ipset '0'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option enable_control '0'
	option proto_control '0'
	option chain_control '0'
	option remote_ipset 'dnsmasq.ipset'
	option sort_control '1'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option chain 'PREROUTING'
	option name 'Nas'
	option local_address '10.0.0.100/32'
	option proto 'tcp udp'
	option interface 'PIA_VPN'

This is the current firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option device 'tun0'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'WAN6 wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config forwarding 'lan_wan'
	option dest 'wan'
	option src 'lan'

config zone
	option output 'ACCEPT'
	option name 'pia'
	option masq '1'
	option mtu_fix '1'
	option network 'PIA_VPN'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'pia'
	option src 'lan'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

With these settings (plus the files in the other posts) I have only my NAS under the VPN, and all other IPs have the normal IP.
Now I want to go one step further: I want only a port range of my NAS to be under my VPN connection.

So with this:
[screenshot: myvpnip]
If I check the IP from an SSH console I see the VPN IP.
If I check the IP from qBittorrent, which has one open port over 10000, it is under the VPN.

But if I use this:
[screenshot: working]
If I check the IP from qBittorrent, which has one open port over 10000, it is under the VPN.
If I check the IP from an SSH console on the NAS, I always see the VPN IP. At this point I don't know if the setting is working or not; I don't think that curl uses a port over 10000, so I think it is not working.

Do you want to laugh?
So I tried this:
[screenshot: funny]
Where 21395 is exactly the port that is open for qBittorrent; so both IP checks return my real IP, and not the VPN one.

What can it be?
@stangri do you have some idea? I feel crazy.

Don't mix up local and remote ports. If you run ssh FROM the NAS, it connects to REMOTE port 22, choosing the LOCAL PORT AS A RANDOM VALUE. Leave all ports to the VPN and don't bother with dilettante questions.
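
The point above about local versus remote ports, together with the `local_port` syntax quoted earlier from the README, can be checked without touching the router. The model below is an added example written for this page; it is not code from the vpn-policy-routing package or from anyone in the thread. It mirrors the `VPR_PREROUTING` rules printed above (`-s <local_address> ! -d 10.8.0.0/24 -p tcp|udp -m multiport --sports <local_port> -j MARK`) and the `fwmark -> table -> device` rules, and then routes a few constructed packets through them. It assumes the Linux default ephemeral source-port range 32768-60999 (`net.ipv4.ip_local_port_range`); the NAS address 10.0.0.100 and port 21395 come from the thread, the remote addresses are documentation examples. With that assumption, a `curl` started on the NAS picks a source port inside `10000-65535` and is steered into the tunnel, while the same `curl` never has source port 21395 and so goes out the WAN; only packets the NAS sends from its listening port 21395 (that is, replies to inbound peers) match that policy.

```python
"""Model of what a vpn-policy-routing local_port policy actually matches.

Added worked example, not the package's own code. It mirrors the
VPR_PREROUTING rules shown in the thread plus the fwmark -> table -> device
mapping, and routes constructed packets through them.
Assumption: Linux default ephemeral source-port range 32768-60999.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Sequence, Set, Tuple

MAX_PORT_ENTRIES = 15              # limit quoted from the README above
EPHEMERAL_RANGE = (32768, 60999)   # assumed Linux default for outbound connections

# interface -> (fwmark, routing table, device), as in the thread's "Routes/IP Rules" output
INTERFACES = {
    "wan":        (0x10000, 201, "eth0.2"),
    "PIA_VPN":    (0x20000, 202, "tun1"),
    "vpn_server": (0x30000, 203, "tun0"),
}


def parse_ports(spec: str) -> Set[int]:
    """Expand a local_port spec ('32400', '5060-5061', '80 8080', or a mix) into a port set."""
    entries = spec.split()
    if len(entries) > MAX_PORT_ENTRIES:
        raise ValueError(f"more than {MAX_PORT_ENTRIES} space-separated entries")
    ports: Set[int] = set()
    for entry in entries:
        lo, _, hi = entry.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port entry {entry!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


def overlaps_ephemeral(spec: str) -> bool:
    """True if ordinary outbound connections (curl, git, package updates) would match this spec."""
    lo, hi = EPHEMERAL_RANGE
    return any(lo <= p <= hi for p in parse_ports(spec))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int   # LOCAL port: what -m multiport --sports compares against
    dport: int   # REMOTE port: never examined by a local_port policy


@dataclass
class Policy:
    name: str
    interface: str
    local_address: Optional[str] = None        # becomes -s
    proto: Tuple[str, ...] = ("tcp", "udp")    # one iptables rule per protocol
    local_port: str = ""                       # becomes --sports (empty: any port)
    ports: Set[int] = field(init=False)

    def __post_init__(self) -> None:
        self.ports = parse_ports(self.local_port)

    def matches(self, pkt: Packet, excluded_dst: Sequence[str]) -> bool:
        if self.local_address:
            net = ipaddress.ip_network(self.local_address, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        if pkt.proto not in self.proto:
            return False
        if self.ports and pkt.sport not in self.ports:
            return False
        # append_local_rules '! -d 10.8.0.0/24': the OpenVPN server subnet is never steered
        dst = ipaddress.ip_address(pkt.dst)
        return not any(dst in ipaddress.ip_network(n) for n in excluded_dst)


def mark_packet(pkt: Packet, policies: Sequence[Policy],
                excluded_dst: Sequence[str] = ("10.8.0.0/24",)) -> int:
    """Walk the chain top to bottom. MARK is non-terminating, so the LAST matching rule wins."""
    mark = 0
    for pol in policies:
        if pol.matches(pkt, excluded_dst):
            mark = INTERFACES[pol.interface][0]
    return mark


def route(pkt: Packet, policies: Sequence[Policy], main_default: str = "eth0.2",
          excluded_dst: Sequence[str] = ("10.8.0.0/24",)) -> str:
    """Device the packet leaves on: marked -> that table's device, unmarked -> main-table default."""
    mark = mark_packet(pkt, policies, excluded_dst)
    for fwmark, _table, dev in INTERFACES.values():
        if fwmark == mark:
            return dev
    return main_default


if __name__ == "__main__":
    # Constructed traffic: 10.0.0.100 is the NAS, 21395 its qBittorrent listening port.
    nas_range = [Policy("Nas", "PIA_VPN", "10.0.0.100/32", local_port="10000-65535")]
    nas_one = [Policy("Nas", "PIA_VPN", "10.0.0.100/32", local_port="21395")]
    curl = Packet("10.0.0.100", "203.0.113.10", "tcp", sport=45678, dport=443)  # "what is my IP" check
    peer = Packet("10.0.0.100", "198.51.100.7", "tcp", sport=21395, dport=50001)  # reply to inbound peer
    for label, pols in (("10000-65535", nas_range), ("21395", nas_one)):
        print(f"local_port {label}: curl -> {route(curl, pols)}, torrent peer -> {route(peer, pols)},"
              f" catches ephemeral ports: {overlaps_ephemeral(label)}")
```

The `main_default` argument is the main-table default route: with `pull-filter ignore "redirect-gateway"` it stays on `eth0.2`, without it the tunnel becomes the default and every unmarked host ends up in the VPN, which is the "all LAN under VPN" symptom reported earlier in the thread.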

@ulmwind I wrote it wrong, I was in a hurry, sorry.

I connect FROM my PC to my NAS with an SSH connection, then from the NAS I launch the curl command.

Is it possible that there's no way to have only a range of ports under the VPN? Because with the whole NAS under the VPN I get slow speeds when the NAS needs to download updates, or from git, or from other programs that are running, and so on.