VPN Policy-Based Routing + Web UI -- Discussion

Awesome work. I can confirm that enabling DNSMASQ through the Web UI is working again.

Thanks sir. I know you put a lot of time into making these packages work and improving on them. They are only getting better over time. I'll continue to help in any way I can.

1 Like

Upgrade worked for me too! I agree with @jvquintero1021: thanks for your hard work and dedication :grinning:

Just was redirected to this new thread, thx @stangri for continue working on this, I gotta update the package.
However I have a question which settings I have to set for my current setup to work.
I'll try to recall it now as good as possible, can give details later if needed:

I have set up both a vpn client and a vpn server on my router.
For both I have specific interfaces and firewalls set up.
I only want one ip (homeserver) in my lan to "use" the vpn client and go through vpn tunnel to my vpn provider.
This works with your app.
From away I also can connect to my vpn server, there's just one problem: Connecting to my vpn server I can reach all ip's except of the homeserver :frowning:

I'm a noob and happy whit how far I got but that last step is missing.
I'm unsure if it's just some setting in your app or if I have to change something in the firewall zones, but maybe someone here can help me.

Uhm, I don't even know where to start. If the homeserver is accessible from LAN it should be accessible via OpenVPN Server connection as well, especially if all other local devices are accessible.

You may want to post your openvpn, firewall and vpn-policy-routing configs, as well as the service/port you're trying to access on your homeserver.

Yes, homeserver is accessible via lan.
But not via ovpn server connection, this concerns every port I tried so far.
Where are all the config files i should post..also I don't really know which info better not post publicly.
Can you help me here?
I'll attach pics of interfaces and fw zones.

@stangri helped me, I added this in /etc/config/firewall :

config policy
option comment 'hummingboard’
option local_addresses '’
option local_ports '22’
option interface ‘wan’

Now connecting to my vpn server I can reach Port 22 (SSH) on my homeserver. :fireworks:

@stangri Just updated today and none of the IP's I have set to go through wan interface are working. Everything is going through my VPN tunnel

here is the out put of 'opkg list-installed | grep vpn-policy-routing'

luci-app-vpn-policy-routing - git-18.023.74248-ee409b6-12
vpn-policy-routing - 0.0.1-15

All was working fine before the update :frowning:

I noticed that in the config file " option ipset_enable '1' " is no longer available and manually inputting it into the config does nothing. Maybe this has something to do with it?

this is all that shows not in the config file now

config vpn-policy-routing 'config'
    option verbosity '2'
    option strict_enforcement '1'
    option enabled '1'
    option output_chain_enabled '1'
    list ignored_interface 'vpnserver'
    option dnsmasq_enabled '1'

Make sure to read this. I'm very curious what might have happened tho, so make sure to post required information.

And once again I refer you to README. With dnsmasq enabled, the ipset is assumed enabled. The actual setting only plays if you disable dnsmasq support. :wink:

Yes sir, this I am aware. Here is what my config looks like when I disable DNSMASQ

config vpn-policy-routing 'config'
    option verbosity '2'
    option strict_enforcement '1'
    option enabled '1'
    option output_chain_enabled '1'
    list ignored_interface 'vpnserver'

This is what I meant earlier when I said IPSET is no longer available

08 PM

Even with DNSMASQ disabled it does not show up in Web UI, and adding manually through config does nothing.

Edit: @stangri by the way I just posted output of /etc/init.d/vpn-policy-routing support -p to paste.ee

May have figured it out. It seems that vpn-policy-routing was set to "DISABLED" in the system startup tasks. I noticed this because I tried running /etc/init.d/vpn-policy-routing restart and everything started working. After restarting the router I noticed I had to run a restart again on vpn-policy-routing. So I checked the startup page and what do you know it was DISABLED. Idk if maybe it is set to disabled by default from when I updated. maybe something you can check out? Otherwise I must have hit disable by accident

Ah, I see. My bad -- you quoted the config file and I assumed you're talking about the actual configuration, not the luci page. Thanks for bringing it up, fixed in luci-app-vpn-policy-routing 13.

Consequence of using old luci app probably. It had a bug that it disabled the service every time you tried to stop it from Web UI. Once you enable it once tho (or on the new installs), it should be good to go. Thank you for sticking with it. :wink:

Does anyone know the most effective way to bypass the BBC iplayer service (android app)? What are the IPs/domain names that have to be bypassed? I have multiple devices that access iplayer and bypassing the entire device is not ideal.


You want to forward/bypass all of these

bbctvapps.co.uk bbc.co.uk bbc.com bbc.net.uk sitestat.com bbci.co.uk bbcfmt.hs.llnwd.net bbci.co.uk.edgekey.net loris.llnwd.net bbci.co.uk.edgekey.net

The only way to do it properly (get all domain names) is to sniff dns requests at router.

Thanks. Unfortunately, having added the domains you mentioned, iplayer still does not work.

I did yesterday, have a look at packet capturing on the router. Only managed to get Cloudshark sort off working. But the problem seem to be that uploading a capture time of any more than 10 seconds would just seem to hang that process.

Despite a couple of 'vague' tutorials online, I couldn't figure out how a desktop based program such as wireshark works with LEDE.

Also, newb question here. If the router IP is within a subnet range that is excluded by policy-routing from the VPN does that mean the router is also excluded? Just because I am trying to figure out why I am unable to access the router from WAN yet I can access things like my NAS that aren't within that subnet even though I have setup policies and firewall rules for it on ports like 22, 80 and 443. If it is already bypassing the VPN then I am wondering if that a specific route for that IP is not needed and confusing it.

Another thing I haven't figured out is when a remote port would need to be used for bypassing/routing as the only way I have been able to get it work is to leave that blank and bypass on local ports only.

@DVS: there's a wiki article on how to run an OpenVPN server and client on router at the same time: https://lede-project.org/docs/user-guide/openvpnserverandclient -- just adjust the instructions for whatever service/port you want to make accessible on your router instead of an OpenVPN Server.

Oooh thank you I will check that out as I expect it answers my last question at least.

From my experience some dns requests might be cached and hence it does not work immediately after you apply it if you have just tried it. I would reboot the router, then make sure vpn-policy-routing is running (sometimes it fails to start for me) and only then test the iplayer.

You can use dnsmasq on the router to do that. See post #5 here