VPN Policy-Based Routing + Web UI -- Discussion

Glad it's working.

The policies in the UI and adding the remote address should do the IP address routing you mentioned.

Hello,
I'm not sure if I have the correct understanding of VPN Policy-Based Routing, therefore I'm hoping that someone could answer this question:
Is VPN Policy-Based Routing providing any kind of failure detection and failover function?

Example:
If there's an issue with the VPN connection to the WireGuard endpoint, will internet access work using WAN interface (via ISP) if the default route is set to WireGuard interface?

I have verified that Dynamic connection is working if you stop the WireGuard interface (ifdown wg0) in addition.

No, I didn't.

Tested PBR (netifd) 0.9.5-1. An out of memory error occurred this time.

Does PBR support TOR based rules?

Hi guys, I want to switch to OpenWrt 22 from 19. Can some kind soul help with a few clarifications:

  • pbr is not included as a package in the RC or snapshots. Where can I get it from?
  • I read through the posts above that pbr will still require iptables. Since the migration to nftables has already happened, will installing iptables-nft suffice, or do we need to remove 'nftables' and replace it with some form of 'iptables-legacy'?
  • With iptables, will that work with the already included fw4?

Thanks much in advance

Edit: found the latest builds here in case anyone comes looking for them.

It seems pbr also installs iptables-zz-legacy in addition to iptables (which is actually iptables-nft). Then there is also the warning
Warning: iptables-legacy tables present, use iptables-legacy to see them
I don't know if this is related to iptables-zz-legacy.

All in all, I managed to install it and configure the rules, but traffic wouldn't get routed through the specified interface, whereas vpn-pbr works flawlessly with a similar configuration on OpenWrt v19. Before anyone asks, all I did in both cases was an out of the box installation + WAN config + VPN-PBR / PBR + WireGuard tunnel + config to route one domain through the WireGuard.
As I said, it works flawlessly on v19, and on v23 everything works, including WireGuard, but not the routing of the domain. Happy to share configs if anyone is interested.

I'm also interested in learning how to replace VPN-Policy-Routing with PBR in OpenWrt 22.03.

I currently run OpenWrt 21.02.3 r16554-1d4dea6d4f / LuCI openwrt-21.02 branch git-22.119.37126-a993714 on a x86/64 based router with a few packages, including VPN-Policy-Routing. I'm not sure, but my current understanding is that I will only be able to update to 22.03 final if PBR is made 100% compatible with FW4. Is this correct?

Try this simpler and more elegant approach:

I suspect this is enough for most people.

I am not having luck setting this program to send all traffic through my VPN, but allow a few devices to not go through the VPN.

I did manage to get all my devices to go through the VPN though.

When I add the "DirectPhone" policy, my phone doesn't have a connection to the internet.

  • content of /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option start '0'
        option limit '99'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'Proteus'
        option dns '1'
        option mac 'B8:27:EB:62:DF:09'
        option ip '192.168.11.5'
  • content of /etc/config/firewall
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpnclient'
        option network 'vpnclient'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'vpnclient'

config zone
        option name 'vpnserver'
        option network 'vpnserver'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'

config forwarding
        option src 'vpnserver'
        option dest 'wan'

config forwarding
        option src 'vpnserver'
        option dest 'lan'

config forwarding
        option src 'vpnserver'
        option dest 'vpnclient'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp'
        option dest_port '54783'
root@Timur:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf6:b595:4368::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.11.1'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'wwan'
        option proto 'dhcp'

config interface 'vpnclient'
        option proto 'none'
        option device 'ovpnc0'

config interface 'vpnserver'
        option proto 'none'
        option device 'ovpns0'
        option auto '0'
  • content of /etc/config/vpn-policy-routing
config policy
        option name 'OpenVPN Server'
        option interface 'wan'
        option proto 'tcp'
        option src_port '54783'
        option chain 'OUTPUT'

config policy
        option name 'DirectDNS'
        option interface 'wan'
        option src_addr '192.168.11.5'

config policy
        option name 'DirectPhone'
        option interface 'wan'
        option src_addr 'AA:CC:BB:DD'

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        option webui_show_ignore_target '1'
        list supported_interface 'vpnclient'
        option enabled '1'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'
  • the output of /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.3.4-8 running on OpenWrt 21.02.3.
============================================================
Dnsmasq version 2.85  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.121.76.1     128.0.0.0       UG    0      0        0 ovpnc0
default         192.168.0.1     0.0.0.0         UG    0      0        0 wlan1

IPv4 Table 201: unreachable default
192.168.0.0/24 dev wlan1 proto kernel scope link src 192.168.0.59
192.168.11.0/24 dev br-lan proto kernel scope link src 192.168.11.1
206.217.128.3 via 192.168.0.1 dev wlan1
IPv4 Table 201 Rules:
32765:  from all fwmark 0x10000/0xff0000 lookup wan

IPv4 Table 202: default via 192.168.0.1 dev wlan1
192.168.0.0/24 dev wlan1 proto kernel scope link src 192.168.0.59
192.168.11.0/24 dev br-lan proto kernel scope link src 192.168.11.1
206.217.128.3 via 192.168.0.1 dev wlan1
IPv4 Table 202 Rules:
32764:  from all fwmark 0x20000/0xff0000 lookup wwan

IPv4 Table 203: default via 10.121.76.12 dev ovpnc0
192.168.0.0/24 dev wlan1 proto kernel scope link src 192.168.0.59
192.168.11.0/24 dev br-lan proto kernel scope link src 192.168.11.1
206.217.128.3 via 192.168.0.1 dev wlan1
IPv4 Table 203 Rules:
32763:  from all fwmark 0x30000/0xff0000 lookup vpnclient
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.11.5/32 -m comment --comment DirectDNS -c 1794 168379 -g VPR_MARK0x010000
-A VPR_PREROUTING -m mac --mac-source de:34:e8:83:d9:71 -m comment --comment DirectPhone -c 1640 300386 -g VPR_MARK0x010000
============================================================
Mangle IP Table: OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -p tcp -m multiport --sports 54783 -m comment --comment OpenVPN_Server -c 0 0 -g VPR_MARK0x010000
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x010000
-N VPR_MARK0x010000
-A VPR_MARK0x010000 -c 3434 468765 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_MARK0x010000 -c 3434 468765 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x020000
-N VPR_MARK0x020000
-A VPR_MARK0x020000 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_MARK0x020000 -c 0 0 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x030000
-N VPR_MARK0x030000
-A VPR_MARK0x030000 -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_MARK0x030000 -c 0 0 -j RETURN
============================================================
Current ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
  • the output of /etc/init.d/vpn-policy-routing reload with verbosity setting set to 2
Creating table 'wan/eth0.2/0.0.0.0' [✓]
Creating table 'wwan/wlan1/192.168.0.1' [✓]
Creating table 'vpnclient/ovpnc0/10.121.76.12' [✓]
Routing 'OpenVPN Server' via wan [✓]
Routing 'DirectDNS' via wan [✓]
Routing 'DirectPhone' via wan [✓]
vpn-policy-routing 0.3.4-8 monitoring interfaces: wan wwan vpnclient [✓]
vpn-policy-routing 0.3.4-8 started with gateways:
wan/eth0.2/0.0.0.0
wwan/wlan1/192.168.0.1
vpnclient/ovpnc0/10.121.76.12 [✓]
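A small checker, added here as an example and not part of the thread or of the vpn-policy-routing package, that reads the support output above and reports every policy whose fwmark lands in a routing table with no usable default route (Table 201, the one the `lookup wan` rule points at, shows "unreachable default"), which is why traffic hitting those policies gets no internet. The embedded SUPPORT_OUTPUT is an excerpt of the output posted above; run it off-router on a saved copy of /var/vpn-policy-routing-support.

```python
import re

# Excerpt of the `/etc/init.d/vpn-policy-routing support` output from the post above,
# embedded so the checker runs offline. Marked packets are routed by the per-interface
# table their fwmark selects, so an "unreachable default" there blackholes them.
SUPPORT_OUTPUT = """\
Routes/IP Rules
IPv4 Table 201: unreachable default
192.168.11.0/24 dev br-lan proto kernel scope link src 192.168.11.1
IPv4 Table 201 Rules:
32765:  from all fwmark 0x10000/0xff0000 lookup wan
IPv4 Table 202: default via 192.168.0.1 dev wlan1
IPv4 Table 202 Rules:
32764:  from all fwmark 0x20000/0xff0000 lookup wwan
IPv4 Table 203: default via 10.121.76.12 dev ovpnc0
IPv4 Table 203 Rules:
32763:  from all fwmark 0x30000/0xff0000 lookup vpnclient
Mangle IP Table: PREROUTING
-A VPR_PREROUTING -s 192.168.11.5/32 -m comment --comment DirectDNS -c 1794 168379 -g VPR_MARK0x010000
-A VPR_PREROUTING -m mac --mac-source de:34:e8:83:d9:71 -m comment --comment DirectPhone -c 1640 300386 -g VPR_MARK0x010000
Mangle IP Table: OUTPUT
-A VPR_OUTPUT -p tcp -m multiport --sports 54783 -m comment --comment OpenVPN_Server -c 0 0 -g VPR_MARK0x010000
"""

TABLE_RE = re.compile(r"^IPv4 Table (\d+): (.*)$")            # "IPv4 Table 201: <default route>"
RULE_RE = re.compile(r"fwmark (0x[0-9a-f]+)/0x[0-9a-f]+ lookup (\S+)")
POLICY_RE = re.compile(r"--comment (\S+) .*-g VPR_MARK(0x[0-9a-f]+)")


def parse_tables(text):
    """Map each fwmark (int) to (interface name, default-route text of its table)."""
    defaults = {}   # table number -> text after "IPv4 Table NNN:"
    marks = {}      # fwmark -> (interface, default-route text)
    current = None
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            current = m.group(1)
            defaults[current] = m.group(2).strip()
            continue
        m = RULE_RE.search(line)
        if m and current is not None:
            marks[int(m.group(1), 16)] = (m.group(2), defaults[current])
    return marks


def parse_policies(text):
    """Map each policy (its iptables comment) to the fwmark its VPR_MARK chain sets."""
    return {m.group(1): int(m.group(2), 16)
            for m in (POLICY_RE.search(l) for l in text.splitlines()) if m}


def find_dead_policies(text):
    """Return {policy: interface} for policies whose table carries no 'default via' route."""
    marks = parse_tables(text)
    dead = {}
    for name, mark in parse_policies(text).items():
        iface, default = marks.get(mark, ("<unknown>", "no table"))
        if not default.startswith("default via"):
            dead[name] = iface
    return dead


def usable_interfaces(text):
    """Interfaces whose table has a real default route: candidates to re-point policies at."""
    return sorted(iface for iface, default in parse_tables(text).values()
                  if default.startswith("default via"))


if __name__ == "__main__":
    for name, iface in find_dead_policies(SUPPORT_OUTPUT).items():
        print(f"policy {name!r} routes via {iface!r}, whose table has no default route")
    print("interfaces with a usable default route:", usable_interfaces(SUPPORT_OUTPUT))
```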

Based on information above, I don't think you have a working wan connection, you may want to try setting your policies to wwan.


Oh, I should have tried that. It works now.

There's a spelling mistake in your wiki: https://docs.openwrt.melmac.net/vpn-policy-routing/#local-openvpn-server--openvpn-client-scenario-2

It says dest_address instead of dest_addr.


I want to achieve these:

  1. route my phone and devices in Guest-Wifi via WAN (no VPN)
  2. route specific destination IPs (company resources) via WAN (no VPN)
  3. route everything else via VPN

I have setup WireGuard connection without "route allowed IP" being checked:

I want my phone and all devices connected to Guest-Wifi excluded from the VPN. All other devices should connect via the VPN.

Destinations in these two subnets should not be reached via the VPN.

Currently traffic does not go through the VPN at all.
How should I modify the settings?

Thanks.

Thank you for spotting and reporting it, it's been fixed!


First you need to make sure that your WG connection is working when "route allowed IPs" is set to cover everything, and that your WAN connection is working when "route allowed IPs" has been turned off.

You may also want to check the README and post relevant config files, not the WebUI screenshots, so other people can comment on your config.

Maybe I am missing something, but I was wondering if there is a way to start the vpn-pbr service after the VPN client successfully connects to the VPN? My VPN handshake takes around 10-15 seconds on boot, and even though I changed the startup priority in the init.d file, it still starts before the VPN connects.

This may not be a problem for everyone when "strict-enforcement" is enabled, but for some reason it results in my Android devices (even when they are not subject to any PBR rules) claiming limited connectivity and straight up refusing to connect to the network. Everything is fine if I manually restart the VPN-PBR service through LuCI or uci.

Use a hotplug file like this:

I'd advise against changing anything in the init file. There's a boot start delay parameter that can be set for pbr/vpn-policy-routing in config.

Hello. Please tell me how I can start a PPTP connection when traffic to a specific site appears, without autostart after power on. Can this be configured with VPN Policy Routing?

Hey everyone, I've looked through here before posting and can't find anything that worked for me.

I've just moved my OpenVPN setup to WireGuard, after making the jump to 22.03 (RC6) from 18 (!! I know) on my WRT1900ACS V2.

If I leave the "route allowed IPs" setting on in my peer configurations, all traffic is routed to the tunnel and everything works fine.

I am obviously trying to selectively route things to the tunnel, mainly a few websites. Setting "route allowed IPs" to off and adding a policy to route a website (e.g. showip.net) to the WG tunnel in the LuCI vpn-policy-routing app does nothing. The website goes through WAN and ignores the policy setting.

Is there anything I am missing?

Could be that the client cached NS records for showip.net and didn't trigger dnsmasq to add the IP addresses for that site to the relevant ipset to be properly routed. Or it could be other things; without the config files listed in the README help section it's impossible to tell.

PS. Some logic for processing policies had to be changed in the newer version, making old configs, while technically compatible with the new logic, produce unexpected policy priorities, so I've created the package pbr, which is where development is now happening.

So OpenWrt 19.7.10 is the last release.
Is there any clear step-by-step guide for installing PBR on v22, including installing any additional packages for successful routing and making it work with fw4 and iptables-nft?