seem not to work. In this example I'm trying to route PC from LAN to Internet via tunnel in exception of some set of IPs/nets like strict banks or services like Netflix who block known VPN providers.
Currently I found such workaround:
Then insert into this chain my exception: iptables -t mangle -I OPR_BYPASS -s 192.168.1.182/32 -d '<very strict bank IP>' -m comment --comment vagrant0 -j MARK --set-xmark 0x10000/0xff0000
Maybe it's a good idea to move more specific rules to the end of OPR_CHAIN after ipset matches? Or maybe I'm doing it wrong?
Alex,
Ever since I've allowed to mix and match domain names and IP addresses/ports, it became quite difficult to enforce the proper order of policies (as I don't want to end up creating a new ipset for each domain and clutter the iptables with a lot of rules).
Please try the -17 build, I've made modifications to the policies ordering, so it may work for you. I may have to revise it again in the future tho.
I've had some time to reflect on that, the only way to enforce the proper ordering of rules is when ipsets are not used at all. I will implement that in the future build.
Thx, I will try that. Is there a way to set a delay for these 2 to start? I mean it's not important since normally you don't start your router every day, but it would be nice.
I have 2 more questions:
How can I update the OPR version?
Also, I'd like to iplement some sort of killswitch. Like if the vpn connection between my specified device(s) cannot be established or breaks up the devices should not be able to connect to the internet at all. It would be perfect if these ip(s) then automatically will try to establish the vpn connection again.
Using dd-wrt I could get the first part to work by using these firewall rules:
This might be off topic but I thought I'll ask beforehand if maybe this OPR package already has such kill switch included.
If not it would be a suggestion of mine. The above rules are a bit crude, I noticed that they "break up" all access to the internet for all devices, even if they don't go trough vpn tunnel. Also there is no retry happening, I had to restart the vpn client manually each time a breakup happened.
I want to access my VDSL2 Netgear DM200 Modem from my PC through my LEDE WRT3200AC Router. DM200 is setup in Bridge Mode for the PPPOE connection to my ISP with the WRT3200AC doing all the login etc..
I tried an entry in OPR for the interface name (DSLModem) of the DSL Modem connection but it is still blocked.
Setup:
WRT3200AC IP = Static IP 192.168.2.1
DSL Modem DM200 = Static IP 192.168.5.1
OpenVPN = 2 VPNs with both setup with "route_nopull" option so WAN remains the default route.
Static IPs assigned in the WRT3200AC for all connected machines on my LAN
Settings I changed/added that work (can access DM200 GUI at 192.168.5.1) when OPR Disabled:
OPR has strict enforcement https://github.com/stangri/openwrt-packages/tree/openvpn-policy-routing/net/openvpn-policy-routing/files#strict-enforcement
I tested it on previous versions but it wasn't working for me. Now I use separate iptables rules with ipset match like
iptables -t filter -N tunnel0_enforce
iptables -A tunnel0_enforce -o tun0 -j ACCEPT
iptables -A tunnel0_enforce -j DROP
iptables -t filter -I FORWARD -m set --match-set tunnel0group src -j tunnel0_enforce
It also allows me create enforcement chains for each tunnel separately.
Alex, thank you for your feedback, you seem to have a much better grip on itables than I do, if there's anything OPR is doing inefficiently, please let me know.
Ok, everything works until I enable OPR.
After doing so, no inet connection.
And it doesn't matter if “Use DNS servers advertised by peer” is ticked or if I put other dns server(s) in wan settings.
Also having DNS entries in the “DNS forwardings” doesn't change anything.
Active routes field after enavling OPR lookslike this:
wan 0.0.0.0/0 81.217.146.1 0 201
torguard_vpn 0.0.0.0/0 10.22.0.9 0 202
torguard_vpn 0.0.0.0/1 10.22.0.9 0 main
wan 0.0.0.0/0 81.217.146.1 0 main
torguard_vpn 10.22.0.9 0 main
wan 81.217.146.0/24 0 main
wan 81.217.146.1 0 main
torguard_vpn 128.0.0.0/1 10.22.0.9 0 main
lan 192.168.1.0/24 0 main
..any idea how can I deal with this error and install the OPR? Thank you!
Collected errors:
check_data_file_clashes: Package libustream-mbedtls wants to install file /lib/libustream-ssl.so
But that file is already provided by package * libustream-openssl
First of all, OPR does not depend on libustream, so that's a weird error. Were you installing anything else besides OPR? Second, you can try to force-install OPR ignoring dependencies: opkg install --nodeps openvpn-policy-routing.
I use hnyman's LEDE Reboot SNAPSHOT r4786 version (for now).
Besides what's there by default, I have OpenVPN installed (obviously), and DNSCrypt-Proxy package. I have tried before to use your VPNBypass, but I couldn't make it working, so I have uninstalled it... Now trying to install OPR, and Ive got that error. It looks like your repo is not being installed (following your OpenVPN Policy-Based Routing guides from Github/github.io), as it doesn't show up in Luci when searching for it.
Any impact trying to force installing OPR ignoring the dependencies?
(I prefer to use Luci, as I am not good with terminal commands.)
That's unfortunate, it's a great idea and I'd like to use your package. Could it be router dependent or firmware dependt?
I have a Linksys Wrt-1200acs v2 router with david's LEDE build: https://davidc502sis.dynamic-dns.net/releases/
Are there logs I could provide? Are they all in the system protocol tab, I saw entries from OPR there but not much info.
I'll also ask the maintainer of my custom build if something could hinder your package to work.
So, I've managed to install OPR (for some reasons unknown to me, the repo was added in the Feeds after #, and without src/ in front. But then I've moved it to a new line adding src/ in front, and it was working).
Now, I've got this errors. Any idea? To me, it looks like OPR is not choosing the right WAN interface, but some other interface I have, even if in the dropbox I have chosen WAN.
(note: I do not know why, but Lede is reporting XIF as the WAN interface in the Overview page instead of the actual WAN.)
user.notice openvpn-policy-routing [10338]: ERROR: service is not enabled!
user.notice openvpn-policy-routing [10338]: service monitoring interfaces: [✓]
daemon.err modprobe: xt_set is already loaded
daemon.err modprobe: ip_set is already loaded
daemon.err modprobe: ip_set_hash_ip is already loaded
user.notice openvpn-policy-routing [10392]: Creating table 'VPN/tun11/100.xx.x.1/::/0' [✓]
user.notice openvpn-policy-routing [10392]: Creating table 'XIF/br-XIF/192.168.1.2/fe80::/64' [✓]
user.notice openvpn-policy-routing [10392]: Routing 'OPR' via wan [✗]
user.notice openvpn-policy-routing [10392]: service started on VPN/tun11/100.x.x.1/::/0 XIF/br-XIF/192.168.1.2/fe80::/64 with errors [✗]
user.notice openvpn-policy-routing [10392]: ERROR: policy 'OPR' has unknown interface: wan!
user.notice openvpn-policy-routing [10392]: service monitoring interfaces: VPN XIF [✓]
I have a question:
I have some port forwardings from WAN to local LAN device. (Need to acces local device port from WAN)
And a openVPN routing for local LAN device to go outbound using a OpenVPN.
Why does the portf orwaring does not work? Do i need to add aditional configs?
Thanks,
Example: config/firewall
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option dest_ip '10.0.1.99'
option dest_port '9999'
option name 'Test'
option proto 'tcp'
option src_dport '9999'
Thanks for your work, this package is really helpful! Unfortunately you can't tell from the package name that it also supports WIreGuard.
Does "Local addresses/devices" also take hostnames or just ips? I copied a hostname from DHCP Leases, but it doesn't seem to do anything.
Edit: The routing doesn't work for some domains like netflix.com. Netflix has a huge ip range and I noticed that when I run resolveip netflix.com on the router it lists other ips than nslookup netflix.com. I did a few traceroute netflix.com on my laptop and most of the time it picks an ip that resolveip doesn't list and the policy doesn't trigger.