VPN Policy-Based Routing + Web UI -- Discussion

Hi,

I have upgraded my build to the latest 19.07.5 and since then my policy-based routing tab does not load correctly. Are you talking about that?

No, my issue was weird: something was triggering a reload, and it was affecting one of my other interfaces during the reload. I did what stangri suggested and added that interface to the ignore. I still see the reloads, but the problem with the other interface is fine now.

I see, I thought it was like mine: the browser tab freezes only on the PBR tab.

I'm using version 0.2.1-7 and I don't see the IGNORE target option. Do I need a version newer than the one in the official repo?

EDIT: updated to 0.3.0-1 and still don't see this option.

Also, I don't see how to ignore a specific IP in the README. I've tried setting the local address I need ignored to interface WAN, but that somehow prevents this address from being accessed by its hostname from inside the LAN.

Is there an easy way to exclude specific IP addresses from OpenVPN altogether, so that all traffic gets routed through the VPN apart from these? I've tried just adding them as a policy, but they still get routed through the VPN. One of the IP addresses I want to exclude belongs to a server running various daemons on various ports.

I've used this guide to configure OpenVPN. (I found that the VPN Bypass package let me exclude it from having to use the VPN IP address, but I couldn't get the port forwarding to work.)

VPN PBR does something similar to this for me. I need one IP always on WAN, and occasionally a second IP to use WAN instead of the VPN.

Everything goes to the VPN by default. I created one PBR policy to direct the single IP always to WAN and enabled it, and a second policy to redirect the second IP to WAN on demand. Works for me.

Alright, does it also work with port forwarding to daemons on 10.10.1.105 and 10.10.1.115?

Hi,
I have set up a WireGuard "client" to Mullvad VPN.
My default route remains WAN; I only route my NAS (192.168.1.3), running Transmission, through WireGuard with policy routing.
/etc/config/vpn-policy-routing:

config policy
        option src_addr '192.168.1.3'
        option interface 'WGc_MULLVAD'
        option name 'NAS via vpn'

I also run a WireGuard "server" (192.168.5.0/24).
/etc/config/network:

config interface 'WGS_MULLVAD'
        option proto 'wireguard'
        option private_key '[redacted]'
        option listen_port '51820'
        list addresses '192.168.5.1/24'

config wireguard_WGS_MULLVAD
        list allowed_ips '192.168.5.2/32'
        option description 'GalaxyNote10plus'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option public_key '[redacted]'

PROBLEM: When I connect my phone to my home network via WireGuard, I can't reach my NAS.

TROUBLESHOOTING

  • I understand I route all my NAS traffic to the WireGuard client while I'm trying to reach the NAS via the WireGuard server, but the firewall zone forwarding rules should allow that (see config files below).
  • When I disable the vpn policy routing (meaning NAS traffic follows the default routing to WAN), I can reach the NAS.
  • I tried adding the append_src_rules option to /etc/config/network:
option append_src_rules '! -d 192.168.5.0/24'

Or a dest_addr in the rule:

config policy
        option src_addr '192.168.1.3'
        option interface 'WGc_MULLVAD'
        option name 'NAS via vpn'
        option dest_addr '!192.168.5.0/24'

CONFIG FILES
/etc/config/firewall

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option dest_port '1010'
	option src 'wan'
	option name 'Allow-OpenVPN-Inbound-UDP'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option target 'ACCEPT'
	option name 'Allow-OpenVPN-Inbound-TCP'
	option src 'wan'
	option dest_port '443'
	list proto 'tcp'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Allow DHCP request'
	option src 'guest'
	option src_port '67-68'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Allow DNS Queries'
	option src 'guest'

config rule
	option dest 'lan'
	option target 'DROP'
	option src 'guest'
	option name 'Deny guest -> LAN'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option syn_flood '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'lan'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'vpnserver'
	option mtu_fix '1'
	option forward 'ACCEPT'
	option network 'OVPNs_udp OVPNs_tcp WGS_MULLVAD'
	option masq '1'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'vpnserver'

config forwarding
	option src 'lan'
	option dest 'vpnserver'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpnserver'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option network 'wan wan6'

config forwarding
	option dest 'wan'
	option src 'guest'

config zone
	option name 'vpnclient'
	option input 'REJECT'
	option masq '1'
	option forward 'REJECT'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'OVPNc_MULLVAD WGc_MULLVAD'

config forwarding
	option dest 'vpnclient'
	option src 'lan'

config forwarding
	option dest 'vpnclient'
	option src 'vpnserver'

config rule
	list proto 'all'
	option name 'block nas to wan'
	list src_ip '192.168.1.3'
	option dest 'wan'
	option target 'REJECT'
	option src 'lan'

config redirect
	option dest_port '30892'
	option name 'NAS Transmission peer listening port'
	option src_dport '30892'
	option target 'DNAT'
	option dest_ip '192.168.1.3'
	option dest 'lan'
	option src 'vpnclient'

config redirect 'adblock_dns_53'
	option name 'Adblock DNS, port 53'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_dns_853'
	option name 'Adblock DNS, port 853'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_dns_5353'
	option name 'Adblock DNS, port 5353'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config rule
	option src 'wan'
	option name 'Allow-Wireguard'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port '51820'

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '[redacted]'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option ifname 'eth1'
	option peerdns '0'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config interface 'OVPNs_udp'
	option ifname 'tun0'
	option proto 'none'

config interface 'OVPNs_tcp'
	option proto 'none'
	option ifname 'tun1'

config interface 'OVPNc_MULLVAD'
	option ifname 'tun2'
	option proto 'none'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.4.1'
	option type 'bridge'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3t 5'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '2'
	option ports '3t 4 6'

config interface 'WGc_MULLVAD'
	option proto 'wireguard'
	list addresses '[redacted]'
	list addresses '[redacted]'
	option private_key '[redacted]'

config wireguard_WGc_MULLVAD
	option endpoint_port '51820'
	option public_key '[redacted]'
	option endpoint_host '[redacted]'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option description 'NL Amsterdam'
	option persistent_keepalive '25'

config interface 'WGS_MULLVAD'
	option proto 'wireguard'
	option private_key '[redacted]'
	option listen_port '51820'
	list addresses '192.168.5.1/24'

config wireguard_WGS_MULLVAD
	list allowed_ips '192.168.5.2/32'
	option description 'GalaxyNote10plus'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	option public_key '[redacted]'

/etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset 'dnsmasq.ipset'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option iprule_enabled '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '0'
        option enabled '1'
        option ipv6_enabled '0'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

config policy
        option src_addr '192.168.1.3'
        option interface 'WGc_MULLVAD'
        option name 'NAS via vpn'

config policy
        option src_addr '192.168.1.23'
        option interface 'WGc_MULLVAD'
        option name 'SB2 via vpn'
        option enabled '0'

root@WRT1900AC:/etc/config# /etc/init.d/vpn-policy-routing support

vpn-policy-routing 0.2.1-7 running on OpenWrt 19.07.2. WAN (IPv4): wan/dev/192.168.0.1.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
IPv4 Table 201: default via 192.168.0.1 dev eth1
192.168.4.0/24 dev br-guest proto kernel scope link src 192.168.4.1
IPv4 Table 201 Rules:
32699:  from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: default via 192.168.2.1 dev tun0
192.168.4.0/24 dev br-guest proto kernel scope link src 192.168.4.1
IPv4 Table 202 Rules:
32698:  from all fwmark 0x20000/0xff0000 lookup 202
IPv4 Table 203: default via 192.168.3.1 dev tun1
192.168.4.0/24 dev br-guest proto kernel scope link src 192.168.4.1
IPv4 Table 203 Rules:
32697:  from all fwmark 0x30000/0xff0000 lookup 203
IPv4 Table 204: unreachable default
192.168.4.0/24 dev br-guest proto kernel scope link src 192.168.4.1
IPv4 Table 204 Rules:
32696:  from all fwmark 0x40000/0xff0000 lookup 204
IPv4 Table 205: default via 10.69.232.202 dev WGc_MULLVAD
192.168.4.0/24 dev br-guest proto kernel scope link src 192.168.4.1
IPv4 Table 205 Rules:
32695:  from all fwmark 0x50000/0xff0000 lookup 205
IPv4 Table 206: default via 192.168.5.1 dev WGS_MULLVAD
192.168.4.0/24 dev br-guest proto kernel scope link src 192.168.4.1
IPv4 Table 206 Rules:
32694:  from all fwmark 0x60000/0xff0000 lookup 206
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.3/32 -m comment --comment NAS_via_vpn -c 10569 2644644 -j MARK --set-xmark 0x50000/0xff0000
-A VPR_PREROUTING -m set --match-set WGS_MULLVAD dst -c 0 0 -j MARK --set-xmark 0x60000/0xff0000
-A VPR_PREROUTING -m set --match-set WGc_MULLVAD dst -c 0 0 -j MARK --set-xmark 0x50000/0xff0000
-A VPR_PREROUTING -m set --match-set OVPNc_MULLVAD dst -c 0 0 -j MARK --set-xmark 0x40000/0xff0000
-A VPR_PREROUTING -m set --match-set OVPNs_tcp dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set OVPNs_udp dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create OVPNs_udp hash:net family inet hashsize 1024 maxelem 65536 comment
create OVPNs_tcp hash:net family inet hashsize 1024 maxelem 65536 comment
create OVPNc_MULLVAD hash:net family inet hashsize 1024 maxelem 65536 comment
create WGc_MULLVAD hash:net family inet hashsize 1024 maxelem 65536 comment
create WGS_MULLVAD hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

root@WRT1900AC:/etc/config# /etc/init.d/vpn-policy-routing reload

Creating table 'wan/eth1/192.168.0.1' [✓]
Creating table 'OVPNs_udp/tun0/192.168.2.1' [✓]
Creating table 'OVPNs_tcp/tun1/192.168.3.1' [✓]
Creating table 'OVPNc_MULLVAD/tun2/0.0.0.0' [✓]
Creating table 'WGc_MULLVAD/10.69.232.202' [✓]
Creating table 'WGS_MULLVAD/192.168.5.1' [✓]
Routing 'NAS via vpn' via WGc_MULLVAD [✓]
vpn-policy-routing 0.2.1-7 started with gateways:
wan/eth1/192.168.0.1 [✓]
OVPNs_udp/tun0/192.168.2.1
OVPNs_tcp/tun1/192.168.3.1
OVPNc_MULLVAD/tun2/0.0.0.0
WGc_MULLVAD/10.69.232.202
WGS_MULLVAD/192.168.5.1
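As an added example (not from the thread or the package), a small Python model of the fwmark-based lookup the support output above shows: the PREROUTING mark rule, the ip rules and the per-table routes are constructed from that dump, and the model walks them the way the kernel does (first mark rule wins, ip rules by priority, longest prefix within a table). Run as is, it shows a packet from the NAS to the WireGuard-server peer 192.168.5.2 taking table 205's default route out WGc_MULLVAD instead of the main table's route via WGS_MULLVAD, and what changes when the mark rule carries a destination exclusion. Assumptions: the main table's connected routes are not in the dump and are filled in here, and the exclusion field stands in for a negated destination on the mark rule.

```python
"""Model of the fwmark policy lookup from the VPR support output (added example)."""
import ipaddress

MARK_MASK = 0xff0000  # mask in the MARK --set-xmark rules of the dump

# Constructed from the PREROUTING dump: (source prefix, excluded destination
# prefix or None, mark). First match wins, as in iptables. The exclusion
# field models what a negated destination would add to the mark rule.
MARK_RULES = [("192.168.1.3/32", None, 0x50000)]  # NAS_via_vpn -> table 205

# ip rules from the dump, plus the kernel's own main-table rule at 32766.
IP_RULES = [(32699, 0x10000, 201), (32698, 0x20000, 202), (32697, 0x30000, 203),
            (32696, 0x40000, 204), (32695, 0x50000, 205), (32694, 0x60000, 206),
            (32766, None, "main")]

# Routes per table as (prefix, device). 201/205/206 are from the dump; the
# main table is not in the dump, so its connected routes are assumed here.
TABLES = {
    201: [("192.168.4.0/24", "br-guest"), ("0.0.0.0/0", "eth1")],
    205: [("192.168.4.0/24", "br-guest"), ("0.0.0.0/0", "WGc_MULLVAD")],
    206: [("192.168.4.0/24", "br-guest"), ("0.0.0.0/0", "WGS_MULLVAD")],
    "main": [("192.168.1.0/24", "br-lan"), ("192.168.4.0/24", "br-guest"),
             ("192.168.5.0/24", "WGS_MULLVAD"), ("0.0.0.0/0", "eth1")],
}


def fwmark_for(src, dst, mark_rules=MARK_RULES):
    """Mark set by the first matching PREROUTING rule; 0 if none matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prefix, not_dst, mark in mark_rules:
        if s not in ipaddress.ip_network(prefix):
            continue
        if not_dst is not None and d in ipaddress.ip_network(not_dst):
            continue  # destination is excluded, rule does not fire
        return mark
    return 0


def lookup(table, dst):
    """Longest-prefix match in one table; None when the table has no route."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(src, dst, mark_rules=MARK_RULES):
    """Walk ip rules by priority; the first table that has a route decides."""
    mark = fwmark_for(src, dst, mark_rules) & MARK_MASK
    for _prio, rule_mark, table in sorted(IP_RULES, key=lambda r: r[0]):
        if rule_mark is not None and rule_mark != mark:
            continue
        dev = lookup(table, dst)
        if dev is not None:
            return table, dev
    return None


if __name__ == "__main__":
    # NAS reply to the WireGuard server peer, with and without the exclusion.
    print(route("192.168.1.3", "192.168.5.2"))
    excluded = [("192.168.1.3/32", "192.168.5.0/24", 0x50000)]
    print(route("192.168.1.3", "192.168.5.2", excluded))
```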

Can’t say definitively, but if your port forwards work without the VPN in the equation, I would think it would.

This is a better source than I am:

Well, I've tried it together with my port forwarding settings, which work without OpenVPN enabled, and it doesn't. And I couldn't figure out what to do through that guide. That's the reason for my post here.

After updating to vpn-policy-routing 0.3.0-3 I can no longer set the ipset option for remote policies to "Use DNSMASQ ipset" via the web UI. Every time I set it and save, it gets reverted to Disabled (I have dnsmasq-full installed and it was working before).

I've opened /etc/init.d/vpn-policy-routing and inside I've found the following lines:

convert_config(){
        ...
        if [ "$(uci -q get $packageName.config.dest_ipset)" = "dnsmasq.ipset" ]; then
                uci -q set "$packageName".config.dest_ipset='0'
        elif [ "$(uci -q get $packageName.config.dest_ipset)" = "ipset" ]; then
                uci -q set "$packageName".config.dest_ipset='1'
        fi

Either the web UI (version git-20.347.59394-f8552af) is not interpreting the value 0 as dnsmasq.ipset and is wrongly seeing it as disabled, or 0 actually means disabled and the convert_config() function incorrectly converts the value dnsmasq.ipset to disabled. Or probably there's a deeper meaning that I don't get. Help please.

I have the same issue but vaguely remembered a comment by @stangri about the topic. See post VPN Policy-Based Routing + Web UI -- Discussion para # 5.

I think it is automatic now, but I am not 100% certain. My setup seems to be working fine, as it was before when it was set to dnsmasq.ipset.

When you route all traffic over VPN, are you expected to see that traffic in the realtime graphs for the WAN interface (eth1 in my case) as well?
Because I do...

I have some sort of killswitch that whenever the VPN drops, all traffic is blocked on WAN, and that works.
But I'm paranoid :slight_smile:

Graph of VPN when starting and pausing a torrent:

Graph of WAN (eth1) at the same time:

Yes, it was brought to my attention that in current versions of OpenWrt the ipset (normal, not dnsmasq.ipset) only adds the first resolved IP to the ipset for domains, making it essentially useless. When addressing it, I made dnsmasq.ipset the default option on systems with dnsmasq-full installed (essentially removing it from settings). Now that I've had time to reflect on that, I should have removed regular ipset from the options though, made dnsmasq.ipset the default option, but kept it exposed in settings.

Over the next few days I'll have another look at it, obviously my initial attempt at fixing the ipset issue was flawed. Once I have it figured out, I'll update the WebUI too.

The IGNORE target hasn't made its way into the README just yet (you'll have to skim the thread for instructions). I would welcome feedback from anyone using either the IGNORE target and/or append_src_rules/append_dest_rules. I believe that the IGNORE target might be able to replace both of the latter settings (which also require a lot of special handling in the policy processing code) and be a better solution; however, I may not be thinking of use cases where the latter settings may be needed. I'd like to update the README once I figure out whether IGNORE is to replace the other two settings or co-exist with them.

Further reflecting on the issue with ipsets, I've split the resolver_ipset setting from the dest_ipset option. Both principal package and Web UI package, as well as the README have been updated.

The dnsmasq.ipset is a default value for resolver_ipset so unless you explicitly set it to none, dnsmasq-full is required/used.

Hello, first time posting. (My router info: Linksys WRT32X, OpenWrt SNAPSHOT r13342-e35e40ad82 / LuCI Master git-20.144.63033-62ed4e6)

I've combed through the support document docs.openwrt.melmac.net/vpn-policy-routing/ as best I could. Specifically, the section I'm struggling with is Local Wireguard Server + Wireguard Client (Scenario 1).
I've been able to set my router up so that my existing WAN routing via DSCP and my default Mullvad WG client routing are working just fine. Great software! I'd like to be able to access my LAN via WireGuard VPN while away from home as well, though. The last time I tried to get this remote access working, somehow I stopped any internet connection and I reset the router to start over.

The VPR DSCP routing is all working as well as ever after I got it set back up. And this time I've gotten 'through' all the steps that should allow me to use a wgclient (wg0) and wgserver (wgsrvr) at once, but I still cannot connect to the WireGuard server from my phone outside of the network.
For what it's worth, on my phone I'm using Vw0x= as the public interface key and aAwC= as the Peer public key.

It's not perfect, but from what I've read it looks like I should be able to connect based on my settings. I've quadruple-checked the pub/private keys and where they are, so unless I'm not realizing I'm messing up what code goes where, those are correct.

...

Speak of the devil: as soon as I posted my debugs, I wanted to reboot just to make sure it was all working... and it broke :frowning: ... I will try setting it up again and post debugs again at that time.

Welcome! Outstanding details on your first post!

People more knowledgeable than I told me that because WG is UDP, the configuration I've posted for WG client + server won't work. I myself use WAN as default gateway and use VPR for explicit WG policies.

The only thing you can troubleshoot (to ensure that your wg server is working) is to bring down the wg0 connection, stop VPR and try to connect to your wgserver from the phone.

I'm confused by conflicting DSCP settings and the fact you're using wgclient's DNS server in dhcp_option and for dnsmasq. Maybe you want to fix that. Not at all saying it'll make WG server + client work though.

PS. If you're defining the "static" IP addresses for your local devices, you can use their names instead of IP addresses in the VPR policies.

Most of the conflicting/unnecessary/overlapping setup is from me being paranoid/overbearing in my application of the guides.

I don't really neeeeed to have my wgclient set as the default interface, I suppose. It was the only way I could get my browser to confirm I didn't have any DNS leaks, though. I couldn't figure out how to shore that up, so I kept wgclient as the default path on top of the DSCP routing of the browser.

When you say the DSCP had conflicts, did you just mean unnecessary? Either way, if I set wan as the default interface and just use the DSCP routing, I basically don't need most of the routing I needed to force my other devices around the wgclient interface.

If I change it so that my default interface is wan, and allow the wgserver interface to route its allowed ip, would I be able to run them both? I know you said the only way to test it is to drop the wgclient interface and VPR routing, but is that only to test or that's the only way it will work, period?

I'm pulling them down to test as you said, and make sure I've got the wgserver setup working from my phone before trying to get them both working, again. Thanks!

Edit: Okay, so if there's no way of having a wgclient as the default, I don't think I can get any more help here. With wan as the default interface and routing things individually through the wgclient, the wgserver does work at the same time. Now I just need to figure out how to set up DNS so I don't have leaks when routing through the wgclient. Thanks again!

Having dnsmasq use a local DoH or DoT proxy should be one of the options.

Could anyone help? I need to fix an IP here so it will be the only one at my home to use the VPN.

It's in /etc/config/firewall:

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'protontun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'
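As an added example, not part of the thread, a parser for the UCI config/option/list syntax used by every config file posted here, with a checker for the kind of claim made earlier in the thread about zone forwarding: which zone an interface belongs to, and whether traffic from one zone to another is forwarded, taking a src_ip-specific rule such as 'block nas to wan' into account. The config is a constructed excerpt of the /etc/config/firewall posted above, and the checker assumes fw3's evaluation order (explicit rules, then forwardings, then the zone's own policy for intra-zone traffic or the global defaults policy otherwise).

```python
"""Checker for the UCI firewall format posted in this thread (added example)."""
import shlex

# Constructed excerpt of the /etc/config/firewall posted above (UCI ignores indentation).
FIREWALL_UCI = """
config defaults
    option forward 'REJECT'
config zone
    option name 'lan'
    option forward 'ACCEPT'
    option network 'lan'
config zone
    option name 'vpnserver'
    option forward 'ACCEPT'
    option network 'OVPNs_udp OVPNs_tcp WGS_MULLVAD'
config zone
    option name 'wan'
    option network 'wan wan6'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'vpnserver'
    option dest 'lan'
config rule
    option name 'block nas to wan'
    list src_ip '192.168.1.3'
    option src 'lan'
    option dest 'wan'
    option target 'REJECT'
"""

def parse_uci(text):
    """'config TYPE [NAME]' / 'option K V' / 'list K V' -> [(type, options)]."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line)
        if not words:
            continue
        if words[0] == "config":
            sections.append((words[1], {}))
        elif words[0] == "option":
            sections[-1][1][words[1]] = words[2]
        elif words[0] == "list":
            sections[-1][1].setdefault(words[1], []).append(words[2])
    return sections

SECTIONS = parse_uci(FIREWALL_UCI)

def zone_of(sections, iface):
    """Zone whose 'network' option lists the interface, or None."""
    for kind, s in sections:
        if kind == "zone" and iface in s.get("network", "").split():
            return s["name"]
    return None

def forward_verdict(sections, src_zone, dst_zone, src_ip=None):
    """Assumed fw3 order: explicit rules, then forwardings, then the zone's own
    'forward' policy for intra-zone traffic or the global 'defaults' policy."""
    for kind, s in sections:
        if kind == "rule" and s.get("src") == src_zone and s.get("dest") == dst_zone:
            ips = s.get("src_ip", [])
            ips = [ips] if isinstance(ips, str) else ips  # 'option' vs 'list' form
            if not ips or src_ip in ips:
                return s["target"]
    for kind, s in sections:
        if kind == "forwarding" and s["src"] == src_zone and s["dest"] == dst_zone:
            return "ACCEPT"
    for kind, s in sections:
        if src_zone == dst_zone and kind == "zone" and s["name"] == src_zone:
            return s.get("forward", "REJECT")  # intra-zone: the zone's own policy
        if src_zone != dst_zone and kind == "defaults":
            return s.get("forward", "REJECT")  # inter-zone with no forwarding
    return "REJECT"
```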