VPN Policy-Based Routing + Web UI -- Discussion

Yes that might be a problem.

Hi all, recently I found this topic and lately I made successful tests of the pair: wireguard (luci) + vpn policy based routing (luci) - all works perfectly fine.
Since I was doing some research before that, I have a question on how VPN PBR works.
I want to redirect whole traffic only from one IP to the tunnel (and use the other side's internet access) - that works fine.
But why is the script using both: iptables + iproute?
I tested that an iproute modification is enough (another routing table + routing based on source address).

And also ipsets and dnsmasq's ipsets. :wink:

From my limited testing, using ip rules where possible is faster than relying solely on iptables, especially with a long list of policies. You can force the service to use iptables rules exclusively though, if you want or need to establish clear priorities.

Yes I know it can use all 4 methods. I just thought for the simplest requirement (redirect whole traffic from 1 IP to the tunnel) it would just add an ip route and not iptables rules. Therefore I'm interested in something opposite - forcing it to use ip route/rule only, without iptables.
Still - huge thanks for such an easy click&play solution!

I don't think I've added it to the readme yet, add the option iprule_enabled '1' to the config to force it to use ip rules for simple policies.

Some iptables rules would still be created, but not used in your specific case.
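As an added example (not the project's own code), here is the ip-rule-only mechanism described above in plain shell: pbr_commands prints the per-interface routing table and the per-source rules a simple policy needs, and pbr_resolve audits which device a given LAN source would leave on, using constructed `ip rule show` and `ip route show table all` output. The function names, the sample addresses and the table 202 / tun0 pairing are assumptions chosen to match the thread; the commands are printed rather than executed so the block runs anywhere.

```shell
# Added example, not code from vpn-policy-routing: emits the ip-rule-only setup the
# thread discusses (a table per egress interface, a rule per source) and audits it.

# pbr_commands TABLE DEV GATEWAY SRC... -> prints (does not run) the commands
pbr_commands() {
    table=$1 dev=$2 gw=$3
    shift 3
    # the table holds only a default route out of the chosen interface
    echo "ip route replace default via $gw dev $dev table $table"
    for src in "$@"; do
        # packets *from* this host or range are looked up in that table
        echo "ip rule add from $src lookup $table priority $table"
    done
    echo "ip route flush cache"
}

# pbr_resolve SRC RULES ROUTES -> device a packet from SRC would leave on.
# RULES is `ip rule show` output, ROUTES is `ip route show table all` output.
pbr_resolve() {
    printf '%s\n' "$2" | awk -v src="$1" -v routes="$3" '
    function ip2n(a, p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    function in_cidr(ip, cidr, q, bits) {   # bare address counts as /32
        split(cidr, q, "/"); bits = (q[2] == "") ? 32 : q[2] + 0
        return int(ip2n(ip) / 2^(32-bits)) == int(ip2n(q[1]) / 2^(32-bits))
    }
    # rules are listed by priority: first matching "from" picks the table
    # (skip "local", it only covers addresses owned by the router)
    $2 == "from" && $5 != "local" && ($3 == "all" || in_cidr(src, $3)) { tbl = $5; exit }
    END {
        if (tbl == "main") { print "main"; exit }
        n = split(routes, line, "\n")
        for (i = 1; i <= n; i++) {
            nf = split(line[i], f, " ")
            if (f[1] == "default" && line[i] ~ ("table " tbl "$"))
                for (j = 1; j <= nf; j++) if (f[j] == "dev") print f[j+1]
        }
    }'
}

# constructed sample: one host and one /26 steered to table 202 (tun0)
RULES='0:	from all lookup local
202:	from 192.168.1.200 lookup 202
202:	from 192.168.1.192/26 lookup 202
32766:	from all lookup main'
ROUTES='default via 203.0.113.1 dev pppoe-wan table 201
default via 10.4.0.1 dev tun0 table 202
default via 203.0.113.1 dev pppoe-wan'
pbr_commands 202 tun0 10.4.0.1 192.168.1.200 192.168.1.192/26
pbr_resolve 192.168.1.250 "$RULES" "$ROUTES"   # tun0; 192.168.1.50 -> main
```

On a live router the same audit is `ip route get <dst> from <src> iif br-lan`; the parser above only reproduces the rule-order and table-lookup logic so it can be run offline.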

Hi
Is there any way to add a custom (not a VPN) interface?
For example I have

config interface 'tor'
        option ifname 'tor'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'
        option type 'bridge'

But if I'm adding tor or br-tor in "Supported Interfaces" I can see "TOR" in the drop-down menu under Policies, but there is an error in the system log:
user.notice vpn-policy-routing [7909]: ERROR: Failed to set up 'tor/br-tor/0.0.0.0'
And of course nothing works.
Thanks

Try updating to: vpn-policy-routing 0.0.1-25 and luci-app-vpn-policy-routing 23, they should support tor interfaces (where ifname is set to tor). Let me know how it works.

Unfortunately it is the same
..
Creating table 'tor/br-tor/0.0.0.0' [✗]
ERROR: Failed to set up 'tor/br-tor/0.0.0.0'
..

Ah, right, I'll PM you.

I replied in PM with the necessary data from my setup, but
actually, if you just want to add easy support of TOR for users of VPN Policy-Based Routing, it is not necessary to have a separate interface for TOR. As the common TOR setup is a transparent proxy, it is enough to forward traffic to a local port (or the port of a TOR server somewhere in the LAN).


I'm not understanding this. I just want to assign a block of IPs (192.168.1.180-192.168.1.252) to use the VPN connection located at interface tun0 and ignore all other IPs (192.168.1.1 (should the router be included here?) or 192.168.1.2-192.168.1.179) but it doesn't seem to work at all for me because as soon as I run OpenVPN all my devices lose connectivity to each other and to the internet. All I've got so far is this:

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option dnsmasq_enabled '1'
        option enabled '1'
        option ipv6_enabled '0'

config policy
        option comment 'IPs into VPN'
        option local_addresses '192.168.1.180 192.168.1.252'
        option interface 'providervpn'

config policy
        option interface 'wan'
        option comment 'IPs out of VPN'
        option local_addresses '192.168.1.2 192.168.1.179'

config policy
        option interface 'wan'

I followed the instructions on OpenWRT docs about how to create a VPN connection which is why I ended up with this interface name. Please let me know what else I could try because this doesn't seem very intuitive to me at all.

Hi @stangri great app, really helpful for a noob like me. However, I have one issue... I'm trying to do a simple port forward where I want to access one of my computers from outside my home. This computer is connected directly to the wan, and not filtered through your vpn-policy-routing on the vpn interface (I use that for a different computer in my network). The port forward (redirect) works when I disable the vpn-policy-routing but then when I turn it on, it stops :frowning:
What am I doing wrong and what can I change to fix?

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option src_dport '8812'
	option dest_ip '10.0.0.100'
	option dest_port '8812'
	option name 'eServer'
	option proto 'tcp udp'

/etc/config/vpn-policy-routing

config policy
	option local_addresses '10.0.0.101/32'
	option comment 'vpntraffic'
	option interface 'nordvpntun'

config policy
	option interface 'wan'
	option comment 'local'
	option local_addresses '10.0.0.1/24'

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option strict_enforcement '1'
	option dnsmasq_enabled '0'
	option udp_proto_enabled '1'
	option iprule_enabled '1'
	option enabled '1'

I tried setting option iprule_enabled '1' as you mentioned elsewhere but it appeared to have no effect...
Any input would be helpful, thanks!
D

For some reason, this package has suddenly stopped working for me and my traffic isn't being routed in accordance with the policies (even though when I start the service, all my policies have a green tick etc).

For anyone who's currently got this package working...would you mind checking something in your config for me please?

When I run /etc/init.d/vpn-policy-routing status part of the output is the routes/tables:

IPv4 Table 201: default via xxx.xxx.xxx.xxx dev pppoe-wan
IPv4 Table 202: default via 10.4.0.1 dev tun0

In particular, when I get the status, I can see that the package will route tun0 traffic via 10.4.0.1

But, if I do ifconfig tun0 the following line is present:

inet addr:10.4.15.250  P-t-P:10.4.15.250  Mask:255.255.0.0

Is this why the package has stopped working for me - because the IP that this package is trying to route by doesn't match the IP address as reported by ifconfig?

Would someone who's currently got this working be able to confirm if their route address is the same as the ifconfig address for their tun interface?


EDIT: I've come a step closer to 'fixing' it maybe.

The IP address listed for IPv4 Table 202: for tun0 is now the same IP address given when I run ifconfig tun0.

However, I've found another reason why maybe this still isn't working.

See the default route for tun0 which is currently given as 10.4.0.1 whilst Table 2 is via 10.4.11.234? For this service to work, do both of those addresses need to be identical?

Because the default route for pppoe-wan is the same address as the address given for Table 201.


Notice how the address for tun0 is 10.4.11.234 and how 10.4.0.1 appears nowhere here. So why is the service setting a default route of 10.4.0.1 for tun0?


EDIT again: I've restarted the router and everything seems to be working fine now. Odd. Oh well!

Great tweak! Took some trial and error to get it to work but running beautifully now on my WRT1900ACS router! Thank you :laughing:

Here's how to get Netflix working if anyone is wondering:
Add

NetflixBypass_1    Local addresses/devices: 192.168.1.1/26    Remote addresses/domains: ichnaea.netflix.com
NetflixBypass_2    Local addresses/devices: 192.168.1.1/26    Remote addresses/domains: netflix.com

I'd first make sure your OpenVPN connection is working without VPR.

When you run the OpenVPN client, is default routing set to go over VPN tunnel? In other words, if you remove the "local" policy, what happens?

There was a previous report that to get Netflix working reliably you need to route all of the AWS over VPN tunnel.

First of all, thank you OP for this package and all members who contributed to this thread. For some reason, I can't route Netflix traffic through my wan interface. The rules seem to be there, but aren't working. The rules are (firewall status):

|Packets|Traffic|Target|Protocol|In|Out|Source|Destination|Options|
|---|---|---|---|---|---|---|---|---|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|204.11.35.98|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|54.77.46.226|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.19.170.232|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|34.248.30.153|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|54.77.98.32|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.17.40.71|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.208.253.79|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.208.108.2|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|34.249.151.238|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|34.251.191.194|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|45.57.59.231|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|69.53.236.21|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|207.45.72.215|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|2.20.45.42|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|2.20.45.74|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|207.45.72.215|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.31.8.124|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.210.192.250|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.17.3.133|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|54.229.126.241|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|34.241.47.238|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.30.252.10|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.48.228.239|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.31.248.31|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.16.228.47|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|54.154.123.104|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|54.154.237.25|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.18.221.38|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.17.249.187|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.19.20.249|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.18.236.154|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.208.71.66|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.208.128.101|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.209.79.232|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.208.75.181|/* netflix_all */ MARK xset 0x10000/0xff0000|

Any help would be appreciated.

Hi @stangri yes this seems to be the case. If I remove the local policy as you suggested, traffic from all the computers in my network now routes over the VPN tunnel. I also noticed the same if I disable the vpn-policy-routing, all traffic goes direct over the VPN tunnel.
I hope this sheds some light on the issue, let me know what I should test next. And thanks again for your help!
D

@Dewey -- if that's the case, you will need some extra settings. I've written a wiki page for "OpenVPN client & server at the same time", but with the wiki re-org, I don't know where it went, try to google it.

@headless-cross -- search this thread (and possibly the archive linked from OP). Someone has posted what it takes to route netflix traffic before.

Hi @stangri thanks for the quick response. This wasn't the issue (I don't need the server component), but upon searching your topic I discovered the terms 'redirect-gateway' and 'def1', which led me to learn that my VPN provider controls the routing when the connection is made. By adding the below to my VPN config and then having your service on, everything now works!!!

pull-filter ignore redirect-gateway
route 10.0.0.101 255.255.255.0

I've spent days trying to solve this! As a total noob I don't truly understand why I need the route line AND your policy component in order for it to work, but it does and so I'm happy, and I learnt a lot in the process :slight_smile:

Thanks again for all your help!! Much appreciated.
D

Hi, I have a problem with this package. My Apple TV uses the VPN interface and other clients use wan. When I watch a movie online with my iPhone the traffic goes through wan correctly, but when I stream from the iPhone to the Apple TV it uses the VPN interface. In this situation the traffic is local and comes through wan to the iPhone, but it goes through the VPN also. I'd appreciate your help.
Thanks