VPN Policy-Based Routing + Web UI -- Discussion

Hello. Please tell me how I can start a PPTP connection when traffic to a specific site appears, without autostarting it after power on. Can this be customized with VPN Policy?

Hey everyone - I've looked through here before posting and can't find anything that worked for me.

I've just moved my openvpn setup to wireguard - after making the jump to 22.03 (RC6) from 18 (!! I know) on my WRT1900ACS V2.

If I leave the route allowed ips setting on in my peer configurations, all traffic is routed to the tunnel and everything works fine.

I am obviously trying to selectively route things to the tunnel - mainly a few websites. Setting route allowed ips to off and adding a policy to route a website (e.g. showip.net) to the WG tunnel in the luci vpn-policy-routing app is doing nothing. The website is going through WAN and ignoring the policy setting.

Is there anything I am missing?

Could be that the client cached ns records for showip.net and didn't trigger dnsmasq to add the ip addresses for that site to the relevant ipset to be properly routed. Or could be other things, without config files listed in the README help section it's impossible to tell.

PS. Some logic for processing policies had to be changed in the newer version, making old configs, while technically compatible with the new logic, produce unexpected policy priorities, so I've created the package pbr, which is where development is now happening.

So OpenWrt 19.7.10 is the last release.
Is there any clear step-by-step guide for installing PBR on v22? Including installing any additional packages for successful routing and making it work with fw4 and iptables-nft?

No, as of now, OpenWrt 21.02 is the last release

Normal installation instructions apply, even current (non-nft-capable) releases of VPR/PBR work fine on 22.03 RC releases. Once there's a dnsmasq-full in OpenWrt which supports nftsets, there will be a version of pbr package which fully supports nft/nftsets.


Thanks. I was actually referring to this - the last release for v19

Anyways, I had managed to install this on v22, but routing never worked. I had also mentioned this above somewhere:

It seems pbr also installs iptables-zz-legacy in addition to the iptables (which is actually iptables-nft). Then there is also the warning
Warning: iptables-legacy tables present, use iptables-legacy to see them
I don't know if this is related to iptables-zz-legacy.

Is iptables-zz-legacy included in the pbr installation? Do we need to do anything to disable iptables-nft and force the system to use the legacy version?

Works for me.

The iptables-zz-legacy package is required (and should be auto-installed in most cases when installing pbr) for pbr on snapshot builds and 22.03. I'm not sure what you mean by "included".

No, don't do that.


Hello there.
I would like to have default traffic going to VPN, while BitTorrent traffic going to WAN.

I have these configuration:

config policy
         option name 'PC BT'
         option src_addr '192.168.50.10'
         option proto 'all'
         option interface 'wan'
         option src_port '6881 7881 8881'
config policy
         option name 'PC'
         option src_addr '192.168.50.10'
         option proto 'all'
         option interface 'Mullvad_HK_04'

However, traffic from BitTorrent still goes through VPN.
How should I modify it?

Thanks.

I don't think you'll have much success trying to limit BT traffic to 3 ports. You may want to try to tag the BT client traffic with DSCP tag (I believe instructions for Windows are linked from README) and then force traffic with said DSCP tag to wan.

I have found there is "DSCP" setting in kTorrent. Thank you very much.

You can verify with 'tcpdump -i br-lan -vv' by checking the 'tos' field entries.
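As an added helper (not from this thread or the pbr project), a small POSIX sh script that takes 'tcpdump -vv' output and decodes each packet's 'tos' byte into its DSCP code point, so you can confirm the BitTorrent client's packets really carry the mark before a pbr policy is built on it. The tcpdump lines at the bottom are constructed sample input.

```shell
#!/bin/sh
# Added example: decode the 'tos 0x..' field printed by 'tcpdump -vv' into DSCP.
# DSCP is the upper six bits of the 8-bit ToS byte, so dscp = tos >> 2.

dscp_of_tos() {
    printf '%d\n' $(( $1 >> 2 ))
}

# Names for the code points most often seen in home-router traffic.
dscp_name() {
    case "$1" in
        0)  echo "CS0/best-effort" ;;
        8)  echo "CS1" ;;
        10) echo "AF11" ;;
        46) echo "EF" ;;
        *)  echo "DSCP $1" ;;
    esac
}

# Read 'tcpdump -vv' on stdin and print "src > dst  tos=.. dscp=.. (name)".
# With -vv the IP header summary (with the tos) is printed on one line and the
# addresses on the following indented line, so the two are paired up here.
summarize_dscp() {
    tos=""
    while IFS= read -r line; do
        case "$line" in
            *"IP (tos 0x"*)
                tos=${line#*tos }
                tos=${tos%%,*}
                ;;
            *" > "*)
                [ -n "$tos" ] || continue
                flow=${line#"${line%%[! ]*}"}   # drop leading whitespace
                flow=${flow%%:*}                 # keep "src > dst" only
                d=$(dscp_of_tos "$tos")
                printf '%s  tos=%s dscp=%s (%s)\n' "$flow" "$tos" "$d" "$(dscp_name "$d")"
                tos=""
                ;;
        esac
    done
}

# Constructed sample capture: one tagged BitTorrent flow, one untagged flow.
SAMPLE='12:00:00.000001 IP (tos 0x28, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.50.10.6881 > 203.0.113.5.51413: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.50.10.50000 > 198.51.100.7.443: Flags [S], seq 2, win 64240, length 0'

printf '%s\n' "$SAMPLE" | summarize_dscp
```

Pipe a live capture through it with 'tcpdump -i br-lan -vv -n | sh this_script.sh' (replacing the sample block with a plain 'summarize_dscp' on stdin) and look for flows whose DSCP is not what the client was configured to send.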

That's a valid question, not sure why you deleted it. As far as I remember the version in the official repo for 17.01 should work (it's 2.x-something). Whether I'm right or wrong on that, please let me (and others!) know about the version for LEDE.

I actually deleted it as I decided to cancel the work, as there is some risk of breakage and no skills to recover the device on site.
But I bit the bullet and installed the latest vpn-policy-routing on 17.01.6 just fine; the luci companion failed due to missing luci-compat.

Is there a working version with the new fw4 release?

The version in the OpenWrt 22.03.0 repo is a working version. Now that there's a release, I've also added a section to README.

A compilation of 22.03.0 with pbr without adding "CONFIG_PACKAGE_iptables-zz-legacy=y" to a .config fails. Shouldn't zz just be added into the dependencies?

I'm under the impression that the legacy package would be auto-selected (unless explicitly blocked in the .config).

I make my images with Image Builder and it picks up the legacy iptables with pbr as is.

Thanks for the note about Image Builder! I'll probably try it..
But is there a chance the legacy package is actually being picked up by other software included in your build?

Dear,
thanks for this package...
Two things:
1- It is necessary to remove the signature on Image Builder if I add your repository (22.03.0).
2- On OpenVPN/network restart it is necessary to restart pbr; reload doesn't work with devices outside the VPN, for example:

config policy
	option interface 'wan'
	option name 'Playstation'
	option src_addr '192.168.181.20'

So I modified the hotplug script in this way:

#!/bin/sh
# Hotplug handler: full restart of pbr when the VPN tunnel interface comes up,
# per-interface reload for every other interface event.

if [ "${ACTION}" = "ifup" ]; then
	if [ "${INTERFACE}" = "VPN_TUN" ]; then
		logger -t pbr "Restarting VPNPBR due to $ACTION of $INTERFACE ($DEVICE)"
		/etc/init.d/pbr restart
		exit 0
	fi
else
	logger -t pbr "Reloading $INTERFACE due to $ACTION of $INTERFACE ($DEVICE)"
	/etc/init.d/pbr reload_interface "$INTERFACE"
fi

If I understand opkg output correctly, no other package in my image is using iptables-zz-legacy:

SG-135 in ~ # opkg whatdepends iptables-zz-legacy
Root set:
  iptables-zz-legacy
What depends on root set
	pbr-iptables 0.9.6-3	depends on iptables
	luci-app-pbr 0.9.6-2	depends on pbr

Can you please clarify what and where you removed? I build my images with the image builder including a lot of the packages I maintain and I don't believe I turn off signature check.