VPN Policy-Based Routing + Web UI - ARCHIVE #1

I want to access my VDSL2 Netgear DM200 Modem from my PC through my LEDE WRT3200AC Router. The DM200 is set up in Bridge Mode for the PPPoE connection to my ISP, with the WRT3200AC doing all the login etc.

I have set up an Interface and Firewall rule as described in [SOLVED] How to access the modem (which is in bridge mode)? for my IPs and it works when OPR is Disabled but does not work when OPR is Enabled.

I tried an entry in OPR for the interface name (DSLModem) of the DSL Modem connection but it is still blocked.

Setup:

WRT3200AC IP = Static IP 192.168.2.1
DSL Modem DM200 = Static IP 192.168.5.1
OpenVPN = 2 VPNs, both set up with the "route_nopull" option so WAN remains the default route.
Static IPs assigned in the WRT3200AC for all connected machines on my LAN

Settings I changed/added that work (can access DM200 GUI at 192.168.5.1) when OPR Disabled:

Network Config:

config interface 'DSLModem'
	option proto 'static'
	option ifname 'eth1.2'
	option delegate '0'
	option ipaddr '192.168.5.100'
	option netmask '255.255.255.0'

Firewall Config:

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 DSLModem'

Has anyone got something like this working with OPR ENABLED or any ideas on how to get access to the DM200 Modem GUI working with OPR Enabled?

OPR has strict enforcement
https://github.com/stangri/openwrt-packages/tree/openvpn-policy-routing/net/openvpn-policy-routing/files#strict-enforcement
I tested it on previous versions but it wasn't working for me. Now I use separate iptables rules with ipset match like
iptables -t filter -N tunnel0_enforce
iptables -A tunnel0_enforce -o tun0 -j ACCEPT
iptables -A tunnel0_enforce -j DROP
iptables -t filter -I FORWARD -m set --match-set tunnel0group src -j tunnel0_enforce
It also allows me create enforcement chains for each tunnel separately.
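
The per-tunnel enforcement chains described in the post above, generalized as an added example (not part of the original thread, and not OPR's own code): a shell function that prints the same four rules for any ipset/device pair after validating the names. The tunnel1group/tun1 pair and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print per-tunnel enforcement rules.
# Assumption: each ipset (e.g. tunnel0group) already exists and holds the
# source addresses that must only ever leave through the paired device.

# Reject names that could inject shell syntax, look like an option,
# or exceed the length the kernel accepts.
valid_name() {  # $1 = name, $2 = max length
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le "$2" ]
}

# enforce_rules SETNAME DEVICE -> iptables commands on stdout
enforce_rules() {
    set_name=$1
    dev=$2
    chain="${set_name%group}_enforce"       # tunnel0group -> tunnel0_enforce
    valid_name "$set_name" 31 || return 1   # ipset name limit
    valid_name "$dev" 15 || return 1        # interface name limit
    valid_name "$chain" 28 || return 1      # iptables chain name limit
    cat <<EOF
iptables -t filter -N $chain 2>/dev/null || iptables -t filter -F $chain
iptables -t filter -A $chain -o $dev -j ACCEPT
iptables -t filter -A $chain -j DROP
iptables -t filter -C FORWARD -m set --match-set $set_name src -j $chain 2>/dev/null || iptables -t filter -I FORWARD -m set --match-set $set_name src -j $chain
EOF
}

# Constructed mapping of ipset -> tunnel device (the tun1 pair is hypothetical).
all_rules() {
    for pair in tunnel0group:tun0 tunnel1group:tun1; do
        enforce_rules "${pair%%:*}" "${pair#*:}" || return 1
    done
}

# Print for review; pipe into sh on the router to apply.
all_rules
```

Re-running flushes an existing chain before refilling it, so for a moment matching traffic falls through to the rest of FORWARD; apply the rules before the tunnels carry traffic.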

Alex, thank you for your feedback, you seem to have a much better grip on iptables than I do, if there's anything OPR is doing inefficiently, please let me know.

Ok, everything works until I enable OPR.
After doing so, no inet connection.
And it doesn't matter if “Use DNS servers advertised by peer” is ticked or if I put other dns server(s) in wan settings.
Also having DNS entries in the “DNS forwardings” doesn't change anything.
Active routes field after enabling OPR looks like this:

wan           0.0.0.0/0        81.217.146.1  0  201
torguard_vpn  0.0.0.0/0        10.22.0.9     0  202
torguard_vpn  0.0.0.0/1        10.22.0.9     0  main
wan           0.0.0.0/0        81.217.146.1  0  main
torguard_vpn  10.22.0.9                      0  main
wan           81.217.146.0/24                0  main
wan           81.217.146.1                   0  main
torguard_vpn  128.0.0.0/1      10.22.0.9     0  main
lan           192.168.1.0/24                 0  main

Any ideas?

Yes, strict enforcement works in -17. Previously tested in 5.0.1-1.

..any idea how can I deal with this error and install the OPR? Thank you!

Collected errors:

  • check_data_file_clashes: Package libustream-mbedtls wants to install file /lib/libustream-ssl.so
    But that file is already provided by package * libustream-openssl
  • opkg_install_cmd: Cannot install package libustream-mbedtls.

Sorry, no.

First of all, OPR does not depend on libustream, so that's a weird error. Were you installing anything else besides OPR? Second, you can try to force-install OPR ignoring dependencies: opkg install --nodeps openvpn-policy-routing.

I use hnyman's LEDE Reboot SNAPSHOT r4786 version (for now).
Besides what's there by default, I have OpenVPN installed (obviously), and DNSCrypt-Proxy package. I have tried before to use your VPNBypass, but I couldn't make it work, so I have uninstalled it... Now trying to install OPR, and I've got that error. It looks like your repo is not being installed (following your OpenVPN Policy-Based Routing guides from Github/github.io), as it doesn't show up in LuCI when searching for it.
Any impact trying to force installing OPR ignoring the dependencies?
(I prefer to use LuCI, as I am not good with terminal commands.)

Hi,

I am a new LEDE user (until now I used OpnSense): I installed OPR and, after some reading, I configured and ran it without problems.

I configured two OpenVPN connections but I don't know how to use them in "load balancing mode": for example

if (src_address is 192.168.x.y) then use VPN1 or VPN2 in load balancing (or merely random) mode.

Is it possible?

TIA

That's unfortunate, it's a great idea and I'd like to use your package. Could it be router dependent or firmware dependent?
I have a Linksys Wrt-1200acs v2 router with david's LEDE build:
https://davidc502sis.dynamic-dns.net/releases/
Are there logs I could provide? Are they all in the system protocol tab, I saw entries from OPR there but not much info.
I'll also ask the maintainer of my custom build if something could hinder your package to work.

So, I've managed to install OPR (for some reasons unknown to me, the repo was added in the Feeds after #, and without src/ in front. But then I've moved it to a new line adding src/ in front, and it was working).

Now, I've got these errors. Any idea? To me, it looks like OPR is not choosing the right WAN interface, but some other interface I have, even if in the dropbox I have chosen WAN.
(note: I do not know why, but LEDE is reporting XIF as the WAN interface in the Overview page instead of the actual WAN.)

user.notice openvpn-policy-routing [10338]: ERROR: service is not enabled!
user.notice openvpn-policy-routing [10338]: service monitoring interfaces: [✓]
daemon.err modprobe: xt_set is already loaded
daemon.err modprobe: ip_set is already loaded
daemon.err modprobe: ip_set_hash_ip is already loaded
user.notice openvpn-policy-routing [10392]: Creating table 'VPN/tun11/100.xx.x.1/::/0' [✓]
user.notice openvpn-policy-routing [10392]: Creating table 'XIF/br-XIF/192.168.1.2/fe80::/64' [✓]
user.notice openvpn-policy-routing [10392]: Routing 'OPR' via wan [✗]
user.notice openvpn-policy-routing [10392]: service started on VPN/tun11/100.x.x.1/::/0 XIF/br-XIF/192.168.1.2/fe80::/64 with errors [✗]
user.notice openvpn-policy-routing [10392]: ERROR: policy 'OPR' has unknown interface: wan!
user.notice openvpn-policy-routing [10392]: service monitoring interfaces: VPN XIF [✓]

If there's an easily implementable by iptables rules load balancing mode, I could look into it. Other than that, no.

Yes, the output of /etc/init.d/openvpn-policy-routing reload and /etc/init.d/openvpn-policy-routing support.

OPR uses the LEDE/OpenWrt default function to find WAN which relies on default route. You must have default route set to XIF interface.

I've found the issue: I had to remove the content of "IPv4 gateway" in the interface. Now seems to be fine. Thanks!

Hi there,

I have a question:
I have some port forwardings from WAN to a local LAN device. (I need to access a local device port from WAN.)
And an OpenVPN routing for the local LAN device to go outbound using OpenVPN.

Why does the port forwarding not work? Do I need to add additional configs?

Thanks,

Example: config/firewall

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option dest_ip '10.0.1.99'
	option dest_port '9999'
	option name 'Test'
	option proto 'tcp'
	option src_dport '9999'

Example config/openvpn-policy-routing

config policy
	option comment 'Localdevice'
	option local_addresses '10.0.1.99'
	option interface 'vpntun'

Thanks for your work, this package is really helpful! Unfortunately you can't tell from the package name that it also supports WireGuard.

Does "Local addresses/devices" also take hostnames or just ips? I copied a hostname from DHCP Leases, but it doesn't seem to do anything.

Edit: The routing doesn't work for some domains like netflix.com. Netflix has a huge ip range and I noticed that when I run resolveip netflix.com on the router it lists other ips than nslookup netflix.com. I did a few traceroute netflix.com on my laptop and most of the time it picks an ip that resolveip doesn't list and the policy doesn't trigger.

Hi, complete newbie (to routing/tables etc, but long-time programmer) here. This looks like a great package, and I'm desperate to get it to work! I'll try to keep this short...

Completely new install of lede 17.01.4 on Raspberry Pi 2, OpenVPN client, DDNS, everything working fine.

The initial error I get from OPR is:

ERROR: policy 'ALL Via WAN' has unknown interface: wan!

The lower caps 'wan' looks suspicious - the WAN interface config displays in upper caps in LuCI, so I edited the OPR config file via SCP to upper-caps:

config policy
	option comment 'ALL Via WAN'
	option local_addresses '10.0.0.1/24'
	option interface 'WAN'

Now I get the OPR error (I've masked the ip with xxx):

Creating table 'WAN/pppoe-WAN/172.16.xxx.xxx/fe80::/10' [✓]
ERROR: unknown fw_mark for WAN!
ERROR: ipt -t mangle -A OPR_CHAIN -j MARK --set-xmark /0xff0000 -s 10.0.0.1/24 -m comment --comment ALL_Via_WAN

Any help would be greatly appreciated - I'm probably doing something drastically wrong! This looks to be a great bit of software.

quick update...

The second error (unknown fw_mark) must be something to do with the subnet mask, no combination of address/mask works for me.

Specifying a huge list of ; delimited hosts works without error.

The case-sensitive wan/WAN is still a problem; I have to SCP/SSH to the router and manually edit the OPR config file every time I make an update in LuCI.

Other than that, working great now!! Thank you so much.

I don't know for sure, have you tried creating a policy to ensure that the traffic on that local ip/port 9999 goes out over WAN?

I use local device names, but I have them configured as hosts entries in /etc/config/dhcp and it works.

Should work with DNSMASQ/IPSET enabled.

It should be lower case 'wan' whatever your actual WAN interface name is.

@Michael123 -- I've only done very limited testing with wireguard, I would appreciate if you share your experience with wg and this package. I would also be grateful if you posted sanitized wg config from your router. Every time I've tried to set up a wg tunnel it took over the default routing and became WAN, ruining the package logic.

I installed everything listed in the README under Requirements, and both ipset and dnsmasq are enabled in /etc/config/openvpn-policy-routing.

config openvpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '1'
        option ipset_enabled '1'
        option strict_enforcement '1'
        option dnsmasq_enabled '1'
        option enabled '1'

I think it works fine except the issue with some domains as mentioned.
I have a Linksys WRT1200AC router and WireGuard is pretty fast. I just did a speed test and I got 90 Mbps download (100 Mbps without) while one core was at ~50% load and the other at ~15%. I don't remember the speeds with OpenVPN and I currently don't have it installed. I assume that my results fit the benchmarks from https://www.wireguard.com/performance/.

WireGuard doesn't have a separate config file, does it? I think it only adds something to /etc/config/network.

config interface 'wireguard'
        option proto 'wireguard'
        option private_key '--- removed ---'
        option listen_port '51820'
        list addresses '10.99.2.108/32'

config wireguard_wireguard
        option public_key '--- removed ---'
        option endpoint_host 'de1-wireguard.mullvad.net'

.

root@LEDE:~# wg showconf wireguard
[Interface]
ListenPort = 51820
PrivateKey = --- removed ---

[Peer]
PublicKey = --- removed ---
AllowedIPs = 0.0.0.0/0
Endpoint = 185.216.33.114:51820
PersistentKeepalive = 25

The endpoint IP is the same as resolveip de1-wireguard.mullvad.net.

Did you check Route Allowed IPs? That sets the WireGuard interface as default route. I have it unchecked and WireGuard is only used for policies with WIREGUARD as interface and not WAN.

Edit: An enable checkbox for every policy would be nice. If I want to temporarily disable a policy I always have to delete it and recreate it later.