VPN Policy-Based Routing + Web UI -- Discussion

Hey Stan,
I did that and updated everything, but it still stays on disabled.

Any chance I can go to the older version?

Cheers

This is how "Basic Configuration" looks with the up-to-date luci app:


Let me know if yours looks the same.

You can; my repo is also a GitHub repo, so you can go back in time: https://github.com/stangri/repo.openwrt.melmac.net


I just noticed this post. I'm having a similar issue with the same setup, just one DSCP tag policy. I believe mine is also failing to set up on boot, but I don't remember the error. I just know that it wasn't that one. Will update when I figure it out. Also, thanks for the idea re: DSCP; I'm leaking way too many torrents out on my WAN for comfort right now.

It does show as being monitored, but creates the table as per the below:

Wed Mar  3 10:17:05 2021 user.notice vpn-policy-routing [1420]: service waiting for wan gateway...
Wed Mar  3 10:17:07 2021 user.notice vpn-policy-routing [1420]: service waiting for wan gateway...
Wed Mar  3 10:17:09 2021 user.notice vpn-policy-routing [1420]: Creating table 'wan/eth1/192.168.42.254' [✓]
Wed Mar  3 10:17:11 2021 user.notice vpn-policy-routing [1420]: Creating table 'vpn//0.0.0.0' [✓]
Wed Mar  3 10:17:12 2021 user.notice vpn-policy-routing [1420]: Routing 'PersonalDevices' via vpn [✓]
Wed Mar  3 10:17:13 2021 user.notice vpn-policy-routing [1420]: Routing 'AllowHHomeServers' via vpn [✓]
Wed Mar  3 10:17:13 2021 user.notice vpn-policy-routing [1420]: Routing 'ThMobile' via vpn [✓]
Wed Mar  3 10:17:14 2021 user.notice vpn-policy-routing [1420]: Routing 'THiPad' via vpn [✓]
Wed Mar  3 10:17:14 2021 user.notice vpn-policy-routing [1420]: service started with gateways: wan/eth1/192.168.42.254 [✓] vpn//0.0.0.0
Wed Mar  3 10:17:14 2021 user.notice vpn-policy-routing [1420]: service monitoring interfaces: wan vpn [✓]

This is the interface-up section of the logs:

Wed Mar  3 10:17:02 2021 daemon.notice netifd: Interface 'lan' is enabled
Wed Mar  3 10:17:02 2021 daemon.notice netifd: Interface 'lan' is setting up now
Wed Mar  3 10:17:02 2021 daemon.notice netifd: Interface 'lan' is now up
Wed Mar  3 10:17:02 2021 daemon.notice netifd: Interface 'loopback' is enabled
Wed Mar  3 10:17:02 2021 daemon.notice netifd: Interface 'loopback' is setting up now
Wed Mar  3 10:17:02 2021 daemon.notice netifd: Interface 'loopback' is now up
Wed Mar  3 10:17:02 2021 daemon.notice netifd: Interface 'vpn' is setting up now
Wed Mar  3 10:17:02 2021 daemon.notice netifd: Interface 'wan' is enabled
Wed Mar  3 10:17:02 2021 daemon.notice netifd: Interface 'loopback' has link connectivity
Wed Mar  3 10:17:06 2021 daemon.notice hostapd: wlan1: interface state UNINITIALIZED->COUNTRY_UPDATE
Wed Mar  3 10:17:06 2021 daemon.notice netifd: Interface 'lan' has link connectivity
Wed Mar  3 10:17:06 2021 daemon.notice netifd: Interface 'wan' has link connectivity
Wed Mar  3 10:17:06 2021 daemon.notice netifd: Interface 'wan' is setting up now
Wed Mar  3 10:17:07 2021 daemon.notice hostapd: wlan1: interface state COUNTRY_UPDATE->ENABLED
Wed Mar  3 10:17:08 2021 daemon.notice netifd: Interface 'wan' is now up
Wed Mar  3 10:17:13 2021 daemon.notice netifd: Interface 'vpn' is now up
Wed Mar  3 10:17:14 2021 user.notice vpn-policy-routing [1420]: service monitoring interfaces: wan vpn [✓]

Mine looks more like the old way... let me try to force-update the luci app.

I have tried everything, followed these guides too. Can you be kind enough to tell me the command to install the older version correctly? Thanks

I think I need to find some help to create a custom image for my router so I don't have to worry about re-installations in the future.

https://wiki.turris.cz/doc/en/howto/installation

If it's monitored, VPR should be reloaded on the VPN interface updates. If the VPN interface hasn't started by the time VPR is first loaded, it will still start up but with 0.0.0.0 as the VPN gateway.

If VPR does not get reloaded on the VPN update, you may want to place a hotplug iface script (/etc/hotplug.d/iface/70-vpn-policy-routing):

#!/bin/sh
# /etc/hotplug.d/iface/70-vpn-policy-routing
# Only react to an interface coming up or being updated; ignore ifdown and any other event.
if [ "$ACTION" != "ifup" ] && [ "$ACTION" != "ifupdate" ]; then exit 0; fi

# Leave a trace in the system log, then ask the service to re-read its gateways.
logger -t vpn-policy-routing "Reloading vpn-policy-routing due to $ACTION of $INTERFACE ($DEVICE)"
/etc/init.d/vpn-policy-routing reload

I need some help, guys. Can someone teach me how I can install an older version from the terminal?

Why don't you just install the newest luci app?

Hello, wireguard is set as my default gateway (allowed_ips '0.0.0.0/24' and allowed_ips '::/0'), but I cannot seem to get IPv6 connectivity on any hosts that are routed to WAN and not the default WireGuard interface. Is it necessary to duplicate entries for each host and point them at both the WAN and WAN6 interfaces to account for dual-stack traffic?

vpn-policy-routing 0.3.2-18 running on OpenWrt SNAPSHOT.
============================================================
Dnsmasq version 2.84  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         *               0.0.0.0         U     0      0        0 wireguard

IPv4 Table 201: default via 93.59.62.1 dev eth1 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
IPv4 Table 201 Rules:
32467:	from all fwmark 0x10000/0xff0000 lookup wan

IPv4 Table 202: default via 10.10.128.11 dev wireguard 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
IPv4 Table 202 Rules:
32466:	from all fwmark 0x20000/0xff0000 lookup wireguard
IPv6 Table 201: default from 2603:9000:e70f:3d00::/56 via fe80::2a3:e1ff:fe5d:6c14 dev eth1 proto static metric 384 pref medium
IPv6 Table 201: default from 2603:9000:ff00:e7:95d0:37e9:2a94:54f5 via fe80::2a3:e1ff:fe5d:6c14 dev eth1 proto static metric 384 pref medium
IPv6 Table 201: fe80::/64 dev eth1 proto kernel metric 256 pref medium
IPv6 Table 202: unreachable default dev lo metric 1024 pref medium
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set wireguard dst -c 0 0 -g VPR_MARK0x020000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -g VPR_MARK0x010000
-A VPR_PREROUTING -s 192.168.1.4/32 -m comment --comment laptop -c 331 66321 -g VPR_MARK0x010000
============================================================
Mangle IPv6 Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set wireguard6 dst -c 0 0 -g VPR_MARK0x020000
-A VPR_PREROUTING -m set --match-set wan6 dst -c 0 0 -g VPR_MARK0x010000
-A VPR_PREROUTING -s fdc2:9aea:13b1::10e/128 -m comment --comment laptop -c 0 0 -g VPR_MARK0x010000
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x010000
-N VPR_MARK0x010000
-A VPR_MARK0x010000 -c 604 190003 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_MARK0x010000 -c 604 190003 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x020000
-N VPR_MARK0x020000
-A VPR_MARK0x020000 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_MARK0x020000 -c 0 0 -j RETURN
============================================================
Current ipsets
create wan6 hash:net family inet6 hashsize 1024 maxelem 65536 comment
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create wireguard6 hash:net family inet6 hashsize 1024 maxelem 65536 comment
create wireguard hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
DNSMASQ ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

Thanks for all your help, the hotplug script works perfectly :).

Just a quick one: how could I go about amending the hotplug script to kick in if a specific interface changes rather than all of them? At the moment it restarts it four times (WAN, LAN, lo and the VPN interface), but ideally I'd just set it to restart when the interface vpn comes up and/or is updated.

Many thanks!

Outside of the IPv6 related comment in the docs I don't think I can help you with that.

I don't understand why the PROCD isn't working for you as it does for me. Which version of OpenWrt/device is it?

But yeah, just add somewhere before the logger line a line like [ "$INTERFACE" = "vpn" ] || exit 0.
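Putting the README script and the one-line interface filter together, here is an added example of the complete hotplug script (not the package's own code): it reloads vpn-policy-routing only on ifup/ifupdate of a single watched interface, so the LAN, loopback and WAN events no longer trigger a reload. The logical interface name vpn is assumed from this thread; the decision is kept in a small function so it can be exercised without actually running logger or the init script.

```shell
#!/bin/sh
# Assumed path: /etc/hotplug.d/iface/70-vpn-policy-routing
# Reload vpn-policy-routing only when one watched logical interface comes up
# or is updated. procd runs this script with ACTION, INTERFACE and DEVICE set.

# Logical interface to watch; "vpn" is the name used in this thread (assumption).
WATCH_IFACE="${WATCH_IFACE:-vpn}"

# should_reload ACTION INTERFACE
# Returns 0 when a reload is warranted: the event is ifup or ifupdate AND it
# concerns the watched interface. Everything else (ifdown, other interfaces) is
# ignored, which is what stops the four reloads seen at boot.
should_reload() {
    case "$1" in
        ifup|ifupdate) ;;
        *) return 1 ;;
    esac
    [ "$2" = "$WATCH_IFACE" ]
}

# Body that runs under procd: log the reason, then reload the service.
hotplug_main() {
    should_reload "$ACTION" "$INTERFACE" || exit 0
    logger -t vpn-policy-routing \
        "Reloading vpn-policy-routing due to $ACTION of $INTERFACE ($DEVICE)"
    /etc/init.d/vpn-policy-routing reload
}

# Only act when invoked as a hotplug handler (ACTION is set by procd);
# sourcing the file from a shell without ACTION just defines the functions.
if [ -n "$ACTION" ]; then
    hotplug_main
fi
```

To watch a differently named interface, change WATCH_IFACE (or set it in the environment); the ACTION filter stays the same because vpn-policy-routing only needs the new gateway once the interface is actually up or has been updated.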

That seems to have done it :).
I am using Luci openwrt / OpenWrt 19.07.4 r11208-ce6496d796

Thanks for all your help :slight_smile:

I am just waiting for my travel router to support a more recent version of OpenWRT then will use this along with the HTTPS DNS Proxy on that as well.

No worries, I've added the script to the README. When you upgrade to 19.07.7 or 21.02 please do let me know if there are still issues without the iface hotplug.

Hi!

I am trying to get policy-based routing working with a WireGuard interface (Mullvad).

The WG interface is working, I verified it by:

# curl --interface WGINTERFACE ipinfo.io
{
  "ip": "86.106.xx.xx", 
...

I see IP of the VPN.

PBR is configured:

...but after clicking on Start, nothing happens, it remains stopped.

In the log I see:

Sat Mar 13 15:43:26 2021 user.notice vpn-policy-routing [4944]: service waiting for wan gateway...
Sat Mar 13 15:43:27 2021 user.notice vpn-policy-routing [4944]: service waiting for wan gateway...
Sat Mar 13 15:43:29 2021 user.notice vpn-policy-routing [4944]: service waiting for wan gateway...
Sat Mar 13 15:43:30 2021 user.notice vpn-policy-routing [4944]: service monitoring interfaces: wan WGINTERFACE [✓]
Sat Mar 13 15:43:31 2021 user.notice vpn-policy-routing [4944]: ERROR: service failed to discover WAN gateway!

What can be the problem?

Did you go over the README?

First of all, @stangri, thank you for this package; it works great.
I would like to share my experience in getting the hotplug script from the README to work. I don't know if this was already mentioned before, but I have not found such a case.
I'm using OpenWRT 19.07.4 r11208-ce6496d796 on a TP-Link TL-WR841N.
According to the OpenVPN client configuration manual from the OpenWRT wiki (yeah, the README clearly points to using the provided configs as an example), I decided not to bring up my VPN interface on boot, and that caused me some trouble.
For some reason, the scripts for both firewall and vpn-policy-routing from /etc/hotplug.d/iface were not executed on down/up of tun0. I tried to debug the hotplug script by adding set -x; exec >>/root/vpn-policy.log 2>&1 after the first line, but no output was produced until I checked "Bring up on boot" in the VPN interface settings in LuCI. According to the docs, that option is set by default to 1 (bring up on boot) for each interface in /etc/config/network if not specified, so if I had used the configs straight from the README I would never have faced this problem.
I'm lacking an understanding of how it works at a deeper level; it would be great if someone pointed out the root cause of this behaviour. Right now everything works fine.


@stangri
Recent update of my router packages presents me with the following service "warning"

It also looks like the policy isn't reloaded on VPN reconnects. I am not sure if there is correlation between that or not. I have to restart vpr to get port forwarding to work.

Do you have any idea what my configuration might have in it to give that warning?
wg0 and vpn0 are my dial in VPN connections.

@masta0f1eave @txcanyon I can't reproduce VPR not being reloaded on interfaces coming up, the PROCD method is working reliably for me. If this isn't fixed for you guys in 21.02, I may consider a setting where you could switch between PROCD and iface hotplug for monitoring interfaces, but for obvious reasons I don't want to deal with it until after 21.02 is released.

Also, @txcanyon, come on, the name of the setting is in the warning message.


It's not in my settings/advanced tab, but it does exist on your README page as a photo, nothing more (which I am not sure what is up with, unless your photo is from the testing branch).

But I don't know what it does. Searches on the internet don't really make sense in how my setup is configured (1 range of ports sent to the VPN out interface, everything else via wan).

I manually set it to '0' and the error is gone and my forwarded port still works properly, so I dunno how it got enabled, unless it was carried over from a default install.