I know it's using the tun1 interface because VPR is trying to route it and the internet is lost to the device. When I disable the entry for the device, internet returns. Though a tracert wouldn't hurt, so I'll have to try that.
No, I mean setting the WAN device to be the default path as listed in the upper area where it lists the wan/tun0/tun1/tun2 devices with the IP's and a checkmark. ((( Click here )))
For me, I use that so that devices default to using WAN, unless in a list to use a VPN tun, instead of the VPN being the default.
With the cycling, yes, I do mean during a time the router is up after a reboot. Also, I'm referring only to the VPR/tun devices. Focus on having that working before worrying about the wireless. Easier to troubleshoot an issue in one place rather than multiple places. Once you have one issue resolved, then work on the other issue... if it still exists.
Sorry about that. I told you to put it in the openvpn config file and not the .ovpn file because doing it that way actually works for me. I forgot that it'll work like that for me but not for others.
I have four FW's. LAN, WAN, VPN0 and VPN1 (to simplify it). Tried changing vpn1 to use the vpn0 firewall, no change. Changed to wan firewall, started working. Difference is it allows forwarding. So I enabled forwarding on vpn0 and vpn1 fw's and then changed vpn1 to use it's own firewall again. Working now.
Does anyone have any advice on how to get inter VLAN communication working with VPN policy based routing installed. I need to able to communicate with a device on a separate VLAN in order to administrate it.
Hey Stangri
I think I've observed a situation where the service is either not started or it stopped, and my IP was leaking. I actually stumbled on this by noticing the IP leak first. At that point I went to the luci PBR page, and saw that the service didn't seem to be running. (I didn't stop to look in detail on what it was saying, sorry, I just pressed 'start' as I recall). Concerned, I then rebooted the router, and noticed my DSCP tagged traffic was again getting out. I disabled and re-enabled the service from the startup page, and rebooted again, and was unable to reproduce the problem a third time.
Do you have any thoughts on what I should do here?
thx
Somehow I'm having a situation where the strict enforcement doesn't seem to, well, be enforced. Ie my VPN tagged traffic goes out the regular WAN. Do you have any ideas what might be happening?
[FEATURE REQ]
Hi @stangri
Would it be possible to use wildcards in the remote domain definition?
I need to list many 3rd level domains from the akamai network in order to have only the traffic I want to be routed via the VPN (actually wireguard).
If I set all of the 2nd level domains from the akamai network.....I end up forwarding via the VPN even a lot of traffic that I do not want to (resulting in an unwanted bottleneck)
So I need to fine-tune the 3rd level domain names.
Or maybe I can accomplish the same using your up + dnsmasq.....but I guess I need some help to know it would be a feasible solution
I did it
I installed dnsmasqFULL
I added all of the 2nd and 3rd level domains I wanted to be routed via the VPN
but actually ALL of the traffic from that host goes though the VPN....resulting in a bottleneck for other streaming services
Actually I want to go through the VPN only the traffic from my smartTV to RAI (italian TV). Cause you can only access within Italy, but I live abroad. So I go via the server I have in my office in Italy.
The VPN interaface is set to access 0.0.0.0, but then I limited the traffic via the policy.
I just have 2 policies:
from lan to 0.0.0.0 use WAN
from smartTV to rai and akamai used domains) use VPN (wireguard)
BUT
If the policy order is
1 smartTV
2 LAN
the TV is always going via the VPN (I use an app to test the speed and I am seen as connecting from an Italian IP
if the policy order is
1 smartTV (use VPN for the given doamins)
2 LAN (never use VPN)
the TV cannot access to the RAI streming (error message I'm connecting from abroad)
Nope [well, I don't think so anyways]. It's the ipv4 address that leaks, and I have this run at startup to disable ipv6 on the openwrt router, and my ISP provided router doesn't have an ipv6 address. And like I said, the odd behaviour at least once, included a situation where the status page "looked funny" when it was leaking. That suggests to me there's some situation where the service doesn't get started, or gets reset? (but then also the iptables would have to be cleared, which seems odd to me?)
Right, so strict_enforcement only applies when the desired interface is down. In the output you have provided all supported interfaces are up (if wg0 is a server, you may want to exclude it from VPR).
Also, from the VPR reload output I'm not seeing any policies.
I'll check on those interfaces, it might be that there's some left over crap from when I converted from openvpn to wireguard. [edit, no those are fine, I just had to refresh my memory sorry] But I only have literally one policy, a DSCP based one. Does that help any? I mean, this is functioning right now heh. [In the sense that the tunnel is up, and tagged traffic is indeed flowing]. I just ran the reload again, same output. wg0 is a wireguard incoming interface[rarely used], and the VPN interface is the actual outgoing path. Is it expected that a DSCP rule not show up in a reload?
The interface is currently up of course. The important thing to me is, without touching the config, this can fail, and somehow my traffic gets out when it shouldn't.
Update: So I just tested by taking down the VPN interface. It worked as expected, not allowing output. But as I then activated the interface again, traffic squeaked through for a second and my actual IP address was reported by ipinfo.io . The next refresh then showed the correct address.
Now, this isn't what I was experiencing previously, which was an ongoing situation where traffic was allowed out. But I wonder if this indicates anything?
Yeah, with multiple VLANs it may take a few/tens of seconds to reload VPR, it is possible for DSCP-tagged traffic to escape via WAN during the reload process.
I'm prepared to live with that limitation if need be. But I'm more concerned with the situation that (I think) is the service either doesn't start properly, or crashes, allowing traffic through ongoing. Thanks so much for taking the time to troubleshoot this with me. Much appreciated.