VPN Policy-Based Routing + Web UI - ARCHIVE #1

stangri · January 7, 2018, 9:33pm

THIS THREAD IS KEPT AS AN ARCHIVE, BUT IS NOW LOCKED. REFER TO THIS NEW THREAD: VPN Policy-Based Routing + Web UI -- Discussion

As the VPNBypass package was well received but was lacking ability to explicitly route specific traffic via OpenVPN tunnel instead of bypassing it, I've written a policy-based routing service.

Make sure to go over README or at least its Known Issues section.

Both vpn-policy-routing and luci-app-vpn-policy-routing are available from my repo: https://stangri.github.io/openwrt-repo/. After adding this custom repo to your router, you can install and upgrade both vpn-policy-routing and luci-app-vpn-policy-routing from the command line or Web UI like any other package.

If you have any problems, be sure to include the config file, as well as output of the service when it's being started/reloaded and the output of /etc/init.d/vpn-policy-routing support.

I'd welcome any feedback!

stangri · February 7, 2017, 12:59am

Thanks to feedback from @hnyman I've managed to re-organize both luci app and how the service works internally. I've also added a screenshot to the README so you can see what you're getting yourselves into.

cybrnook · February 9, 2017, 1:01am

Looking forward to giving this a whirl this coming weekend.

stangri · February 11, 2017, 2:59am

From version 3.0 supports multiple OpenVPN tunnels (with device names tun* or tap*).

stangri · February 11, 2017, 10:24pm

From version 3.1 supports strict enforcement of policies when their gateway is down (resulting in network unreachable for affected policies).

Could be used if you want to ensure that the specific policy (I've only tested it with a single local IP) is routed thru specific gateway and has no connectivity when that gateway is down.

stangri · February 12, 2017, 2:43am

Thanks to @hnyman suggestion I've adapted some code from dropbear init script and version 3.2 should react to changes in OpenVPN tunnels.

I'd appreciate feedback on that functionality.

stangri · February 12, 2017, 7:45am

So openvpn-policy-routing seem to be reloading just fine on OpenVPN changes, so that seems to be working.

In 3.3 I've added support for domain-based routing and tweaked luci-app-openvpn-policy-routing.

Major changes in README (including the new screenshot) as well.

I consider it polished enough to send a PR to be published in the official repo/feed as soon as I get feedback from others (preferably with multiple OpenVPN tunnels).

cybrnook · February 12, 2017, 1:28pm

Hope to get some testing in later today.

nidstigator · February 12, 2017, 3:48pm

Hey man,

Just installed openvpn-policy-routing (and its luci-app) on 17.01RC2 on a wrt1900acsv2.
Source port/ip routing is working.
Domain-based routing does not work no matter what I try. It's as if I don't have anything defined. Websites are still accessed per source ip/port policy.

This has great potential! keep up the good work

cybrnook · February 12, 2017, 4:59pm

are you adding the target at the end?

example:
Added support for routed domains in format /domain1.com/domain2.com/gwroute where gwroute could be wanroute, tun0route, etc.

nidstigator · February 12, 2017, 5:10pm

yes, had:
/netflix.com/hbonow.com/tun0route
/showip.net/wanroute

nidstigator · February 12, 2017, 5:51pm

Logs (restarting openvpn && reapplying settings for openvpn-policy-routing):

http://pastebin.com/1UsxiR31

stangri · February 12, 2017, 7:28pm

@nidstigator, hey, thanks for testing it. I believe you've used vpnbypass in the past -- did you by any chance configure ipsets in dnsmasq when you were using it? If, with the openvpn-policy-routing stopped, you have any conflicting ipset entries in /etc/config/dhcp you have to remove those (those ending with /vpnbypass). If it turns out that was the source of the problem, I can add removal of these old ipsets into openvpn-policy-routing.

Can you modify your first rule to be /netflix.com/hbonow.com/whatismyip.com/tun0route and visit whatismyip.com 20-30 seconds after openvpn-policy-routing reload?

After the service is loaded, can you do grep ipset /etc/config/dhcp (actually, do it with the service stopped and service loaded, the result should be different) -- verify that it has exactly the same domain rules as you have in the openvpn-policy-routing config.

Also, please give it like 20 seconds after the openvpn-policy-routing reloads, as it restarts dnsmasq in background, it doesn't wait for dnsmasq to restart to report openvpn-policy-routing has started.

nidstigator · February 12, 2017, 8:20pm

Thanks for responding.
I have used mwan3 1-2 months ago, and gave up on it due to issues with recent builds of LEDE. (won't detect tun0 interfaces)

Like you said, I had some leftover ipset rules in dhcp file.

However, deleting these, reloading service with your rule, I don't see any rules being added /etc/config/dhcp.

Tried disabling-enabling service and still nothing.

Any ideas?

stangri · February 12, 2017, 8:32pm

Not really, there're a few steps you can take to help me figure out what might be source of the problem.

Please post results of opkg list_installed | grep dnsmasq .

Please post results of grep ipset /etc/config/dhcp with service stopped and then results of the same command with service loaded.

Can you modify your first rule to be/netflix.com/hbonow.com/whatismyip.com/tun0route and visit whatismyip.com 20-30 seconds after openvpn-policy-routing reload?

Also -- do I take it that things worked well for domains with vpnbypass? Have you removed vpnbypass?

nidstigator · February 12, 2017, 8:32pm

Never mind, figured it out:

I uninstalled your packages, cleared up all ipset rules from /etc/config/dhcp, and reinstalled your package.

Added: /netflix.com/hbonow.com/whatismyip.com/wanroute, reloaded service.

grep ipset /etc/config/dhcp outputs:
list ipset '/netflix.com/hbonow.com/whatismyip.com/wanroute'

tried visiting above sites, they still go through tun0 (where I want them to go through wan)

nidstigator · February 12, 2017, 8:42pm

Also, I have never used vpnbypass.

Observation:

The multiple rules found in /etc/config/dhcp are due to your luci-app adding a rule to /etc/config/dhcp everytime i edit a rule, and not deleting them once i delete them using the app.

stangri · February 12, 2017, 8:46pm

I might have pre-maturely pushed the domain-supporting version which didn't clean things up, but I've updated it shortly after. Sorry about that.
When you do /etc/init.d/openvpn-policy-routing stop, does it display destroying domain routes.. [OK]?

If not, just install the current version from https://github.com/stangri/Files

nidstigator · February 12, 2017, 9:02pm

here is the output of /etc/init.d/openvpn-policy-routing stop :
destroying table wan/eth0/82.29.57.1 TID=200 FW_MARK=0x010000 IP_SET=wanroute [OK]
destroying table VyprVPN/tun0/10.2.28.241 TID=201 FW_MARK=0x20000 IP_SET=tun0route [OK]
destroying domain routes. [OK]
removing policy routes... [OK]
service stopped
Command failed: Not found

stangri · February 12, 2017, 9:04pm

Can you do this: VPN Policy-Based Routing + Web UI - ARCHIVE #1