VPN Policy-Based Routing is a service supporting multiple types of VPN connections (Openconnect, OpenVPN, PPTP and Wireguard), allowing you to create policies that use either a VPN tunnel or WAN as a gateway. More information (requirements, full features list, etc.) on the service is available in the README.
- Any policy can target either WAN or a VPN tunnel interface.
- L2TP tunnels supported (with protocol names l2tp*).
- Openconnect tunnels supported (with protocol names openconnect*).
- OpenVPN tunnels supported (with device names tun* or tap*).
- PPTP tunnels supported (with protocol names pptp*).
- Wireguard tunnels supported (with protocol names wireguard*).
- Policies based on local names, IPs or subnets. You can specify a single IP (as in 192.168.1.70) or a local subnet (as in 192.168.1.81/29) or a local device name (as in nexusplayer). IPv6 addresses are also supported.
- Policies based on local port numbers. Can be set as an individual port number (32400), a range (5060-5061), a space-separated list (80 8080) or a combination of the above (80 8080 5060-5061). Limited to 15 space-separated entries per policy.
- Policies based on remote IPs/subnets or domain names. Same format/syntax as local IPs/subnets.
- Policies based on remote port numbers. Same format/syntax and restrictions as local ports.
- You can mix the IP addresses/subnets and device (or domain) names in one field, separating them by space (like this: 18.104.22.168 he.net tunnelbroker.net).
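The port-field syntax in the list above can be checked before a value is written into a policy. This is an added example, not code from vpn-policy-routing or the original post; the function names is_port and check_ports are hypothetical, and it assumes valid port numbers are 1-65535.

```shell
#!/bin/sh
# Added example: pre-check a policy port field (local or remote) against
# the syntax described above. Not part of vpn-policy-routing itself.

MAX_ENTRIES=15   # per-policy limit stated on this page

# is_port N: succeeds if N is a decimal integer in 1..65535 (assumed range)
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_ports "SPEC": prints "ok" or the first problem found.
# Runs in a subshell so set -f and the loop variables do not leak out.
# An empty field (no port restriction) is accepted.
check_ports() (
    set -f                      # no glob expansion while splitting the field
    count=0
    for entry in $1; do
        count=$((count + 1))
        case "$entry" in
            *-*)
                lo=${entry%%-*}; hi=${entry#*-}
                if ! is_port "$lo" || ! is_port "$hi"; then
                    echo "bad range: $entry"; return 1
                fi
                if [ "$lo" -gt "$hi" ]; then
                    echo "reversed range: $entry"; return 1
                fi ;;
            *)
                if ! is_port "$entry"; then
                    echo "bad port: $entry"; return 1
                fi ;;
        esac
    done
    if [ "$count" -gt "$MAX_ENTRIES" ]; then
        echo "too many entries: $count > $MAX_ENTRIES"; return 1
    fi
    echo "ok"
)

# Constructed sample fields: three from the list above, two malformed.
for spec in "32400" "5060-5061" "80 8080 5060-5061" "5061-5060" "80 http"; do
    printf '%-20s -> %s\n' "$spec" "$(check_ports "$spec")"
done
```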
DSCP-tag Based Policies
You can also set policies for traffic with a specific DSCP tag. On Windows 10, for example, you can mark traffic from specific apps with DSCP tags.
If things are not working as intended, please include the content of /etc/config/vpn-policy-routing and the output of /etc/init.d/vpn-policy-routing support with your post, as well as the output of /etc/init.d/vpn-policy-routing reload with verbosity setting set to 2. If you don't want to post the /etc/init.d/vpn-policy-routing support output in a public forum, there's a way to have the support details automatically uploaded to my account at paste.ee by running /etc/init.d/vpn-policy-routing support -p. You need to have the following packages installed to enable paste.ee upload functionality: curl libopenssl ca-bundle. WARNING: while paste.ee uploads are unlisted, they are still publicly available.
How to install
luci-app-vpn-policy-routing are available from official OpenWrt repositories. My repo: https://repo.openwrt.melmac.net/ may have newer/bleeding edge versions.
The old thread, which grew too long and has too much no-longer-relevant information, is kept here.