VPN Policy-Based Routing is a service supporting multiple types of VPN Connections (Openconnect, OpenVPN, PPTP and Wireguard) allowing you to create policies to use either VPN tunnel or WAN as a gateway. More information (requirements, full features list, etc.) on the service is available in the README.
Any policy can target either WAN or a VPN tunnel interface.
Policies based on local names, IPs or subnets. You can specify a single IP (as in 192.168.1.70) or a local subnet (as in 192.168.1.81/29) or a local device name (as in nexusplayer). IPv6 addresses are also supported.
Policies based on local ports numbers. Can be set as an individual port number (32400), a range (5060-5061), a space-separated list (80 8080) or a combination of the above (80 8080 5060-5061). Limited to 15 space-separated entries per policy.
Policies based on remote IPs/subnets or domain names. Same format/syntax as local IPs/subnets.
Policies based on remote ports numbers. Same format/syntax and restrictions as local ports.
You can mix the IP addresses/subnets and device (or domain) names in one field separating them by space (like this: 18.104.22.168 he.net tunnelbroker.net).
DSCP-tag Based Policies
You can also set policies for traffic with specific DSCP tag. On Windows 10, for example, you can mark traffic from specific apps with DSCP tags.
If things are not working as intended, please include the content of /etc/config/vpn-policy-routing and the output of /etc/init.d/vpn-policy-routing support with your post, as well as the output of /etc/init.d/vpn-policy-routing reload with verbosity setting set to 2. If you don't want to post the /etc/init.d/vpn-policy-routing support output in a public forum, there's a way to have the support details automatically uploaded to my account at paste.ee by running /etc/init.d/vpn-policy-routing support -p. You need to have the following packages installed to enable paste.ee upload functionality: curl libopenssl ca-bundle. WARNING: while paste.ee uploads are unlisted, they are still publicly available.
How to install
Both vpn-policy-routing and luci-app-vpn-policy-routing are available from official OpenWrt repositories. My repo: https://repo.openwrt.melmac.net/ may have newer/bleeding edge versions.
The old thread which grew too long and has too much of the no longer relevant information is kept here.
then the device 192.168.8.162 will not respect the first policy and will use usavpn for everything. Charging order of these policies will not fix the issue. This used to work several versions ago I had this working just fine.
@dziny saves the day (again!). I've accidentally reversed the order of the iptables rules which resulted in iptables rules having higher priority than ipsets. This has been fixed in vpn-policy-routing 0.0.1-12. The detailed description of priorities is posted in the Policies Priorities section of the README.
Hmmm...so, for example, by local ip like I've done?
Also, I noticed one other thing that seemed odd that may or may not be related: when removing dnsmasq and installing dnsmasq-full, I got an error telling me that the original dhcp config file would not be changed but a new file called "dhcp-opkg" would be created. Is this normal?
Please try removing this line from config file: list MULLVAD_VPN_dscp '' -- did you add it manually or was it added by Web UI? If you can recall how it might have been added to the config it would greatly help me!
It wasn't added by me. My guess is via web UI. I have been poking around the config files just to try and understand what's going on in there, but I have never changed anything. Unfortunately, I can't recall whether it was there from the very start or added more recently...
In any case, removing it in the config file and then attempting to enable DNSMASQ via Web UI seems to add the line back in again. However, it then occurred to me to try enabling DNSMASQ with the config file itself and this works and is reflected in the Web UI without any errors.
Any sense of why list MULLVAD_VPN_dscp ' ' is being added at this point? I assume I can keep it removed?
I am having the same issue as @Ion where I cannot enable DNSMASQ through Web UI. Can confirm trying to enable via the Web UI does nothing and gives the same error. And enabling via config file works. I noticed at the bottom of the Web UI, under DSCP tagging it has 1 WAN DSCP tag and 2 TUN0 DSCP tags. Even deleting the dscp tag from the config file, it still shows the 2 TUN0 DSCP tags in Web UI.
So I just updated, did it the full proof way and deleted both vpn-policy-routing and luci-app-vpn-policy-routing, and I deleted the config file as well. Reinstalled both packages and reconfigured my settings, you did manage to fix the duplicate TUN0 DSCP tags that were showing under DSCP tagging, however I still can't enable DNSMASQ via the Web UI. Same as before I can only enable it via the config file.
Enabling via the Web UI still gives the same "One or more required fields have no value!" error and DNSMASQ will not enabled.
Can you post/PM me the content of /etc/config/vpn-policy-routing? I cannot achieve the error with the default settings from package, it will be easier for me to hunt down what's causing an issue if I had your config.
Note: Following this output, I upgraded to luci-app-vpn-policy-routing 11 and retested. I'm still getting the error message and /etc/config/vpn-policy-routing remains unchanged as far as I can tell (i.e. input still spelled unput). The error message isn't the end of the world for me; it doesn't seem to affect overall functionality. I have no doubt you will get to the bottom of it eventually.
On another note: domain policy routing is now working for me (with the exception of netflix and hulu as we know). It seems to have started working correctly when I uninstalled vpnbypass service (had both to see if one worked better than the other for me). Coincidence or were they conflicting?