VPN-PBR works but gives error when starting

Hi,

My openvpn/pbr setup works: when connecting to the vpnlan network I get routed through the VPN.

But when starting vpn-policy-based-routing it generates an error on the openvpn tun interface.
I am unable to find any logging or other pointers on what is happening here.

Does anyone have any ideas on this?

Creating table 'lan/br-lan/192.168.0.250' [✓]
Creating table 'wan/eth0.2/0.0.0.0' [✓]
Creating table 'vpnclient/tun0/10.8.1.2' [✗]
Creating table 'vpnlan/br-vpnlan/172.16.12.1' [✓]
Routing 'vpnpolicy' via vpnclient [✓]
vpn-policy-routing 0.3.2-16 started with gateways:
lan/br-lan/192.168.0.250 [✓]
wan/eth0.2/0.0.0.0
vpnlan/br-vpnlan/172.16.12.1
ERROR: Failed to set up 'vpnclient/tun0/10.8.1.2'
vpn-policy-routing 0.3.2-16 monitoring interfaces: lan wan vpnclient vpnlan [✓]

Establish the VPN connection and post the output to pastebin.com redacting the private parts:

uci show network; uci show firewall; uci show vpn-policy-routing; \
/etc/init.d/vpn-policy-routing support; \
ip address show; ip route show table all; ip rule show; iptables-save

Here it is

https://pastebin.com/raw/gpBM3Whu


Unfortunately, I haven't managed to spot the cause of the problem.

It appears to fail here:

Try to restart the service with debugging enabled:

reset; \
sed -i -e "729i set -x -v" -e "735a set +x +v" /etc/init.d/vpn-policy-routing; \
/etc/init.d/vpn-policy-routing restart; \
sed -i -e "/^set [-+]x [-+]v$/d" /etc/init.d/vpn-policy-routing

That's some nice logging

https://pastebin.com/raw/0zfpXaMw


I would suspect something goes wrong around line 1298


It fails because the chain VPR_OUTPUT is missing as well as the code that should create it.

uci -q delete vpn-policy-routing.config.icmp_interface
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

@stangri

hmm, that did the trick indeed...

Thanks a bundle!

But why does the config have this option in the first place?


I guess this feature is not so widely used, so it might not be well tested.

Just did :wink:


Thanks for the tag, this has been resolved in the latest build.

A while back I moved from blindly creating VPR chains for FORWARDING, INPUT, PREROUTING and OUTPUT to only creating the chains used in policies. If there's no policy with an OUTPUT chain, then the VPR_OUTPUT chain is not created on start, hence an attempt to create an ICMP-related policy for the interface fails. That has been fixed.

@polleke69 I'd appreciate some testing if you restore your icmp_interface option.

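As an added example (not part of the vpn-policy-routing package), a small shell check that reads iptables-save output and reports any VPR_ chain that rules append to, or jump to with -g/-j, without a matching -N line, which is exactly the state the missing VPR_OUTPUT chain left the mangle table in. The two rule dumps below are constructed samples.

```shell
#!/bin/sh
# Constructed sample: mangle table as the older build left it. The ICMP rule
# is appended to VPR_OUTPUT, but no "-N VPR_OUTPUT" line ever created it.
SAMPLE_BROKEN='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N VPR_PREROUTING
-N VPR_MARK0x030000
-A PREROUTING -j VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set vpnclient dst -g VPR_MARK0x030000
-A VPR_OUTPUT -p icmp -g VPR_MARK0x030000
COMMIT'

# Constructed sample: same policy after the fix, chain declared before use.
SAMPLE_FIXED='*mangle
-N VPR_OUTPUT
-N VPR_MARK0x030000
-A OUTPUT -j VPR_OUTPUT
-A VPR_OUTPUT -p icmp -g VPR_MARK0x030000
COMMIT'

# Print every VPR_ chain that is referenced (as an -A target, or as a -g/-j
# destination) but never declared with -N. Returns 0 when nothing is missing.
vpr_missing_chains() {
    rules="$1"
    # Declared chains, padded with spaces so a whole-word match is easy.
    declared=" $(printf '%s\n' "$rules" | awk '$1=="-N" && $2 ~ /^VPR_/ {print $2}' | tr '\n' ' ') "
    # Chains actually used by rules.
    used=$(printf '%s\n' "$rules" | awk '
        $1=="-A" && $2 ~ /^VPR_/ {print $2}
        { for (i = 1; i < NF; i++)
              if (($i == "-g" || $i == "-j") && $(i+1) ~ /^VPR_/) print $(i+1) }' | sort -u)
    rc=0
    for chain in $used; do
        case "$declared" in
            *" $chain "*) ;;
            *) echo "$chain"; rc=1 ;;
        esac
    done
    return $rc
}

# On a router the live table can be checked with:
#   vpr_missing_chains "$(iptables-save -t mangle)"
vpr_missing_chains "$SAMPLE_BROKEN" || echo "chain(s) above are used but never created"
```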

Installed your package and it seems to work; it creates the VPR_OUTPUT rules (and everything seems to work as intended ;-):

set: option icmp_interface 'vpnclient':

Mangle IP Table: OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set vpnlan dst -c 0 0 -g VPR_MARK0x040000
-A VPR_OUTPUT -p icmp -c 10 2930 -g VPR_MARK0x030000
-A VPR_OUTPUT -m set --match-set vpnclient dst -c 0 0 -g VPR_MARK0x030000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -g VPR_MARK0x020000
-A VPR_OUTPUT -m set --match-set lan dst -c 0 0 -g VPR_MARK0x010000

set: option icmp_interface 'vpnlan':

Mangle IP Table: OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -p icmp -c 4 399 -g VPR_MARK0x040000
-A VPR_OUTPUT -m set --match-set vpnlan dst -c 0 0 -g VPR_MARK0x040000
-A VPR_OUTPUT -m set --match-set vpnclient dst -c 0 0 -g VPR_MARK0x030000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -g VPR_MARK0x020000
-A VPR_OUTPUT -m set --match-set lan dst -c 0 0 -g VPR_MARK0x010000

