Great find, should be fixed in luci app version 42 and I've also fixed the README!
updated both main service and luci app to better support:
- custom user files with enable/disable
- enable checkbox for policies (needs to be activated in Advanced tab of WebUI or in the config file)
README has been updated to reflect new options.
Thanks to @anon45274024, implemented support for local policies based on MAC addresses in 0.0.7-5.
Major code refactoring, would appreciate confirmations that everything works from people with lots of policies.
What's the status/holdup with this?
The UI has been in desperate need of such capability for some time... I hope that the "core devs" find the impetus to fast-track any outstanding qualms, if any.
IPv6 support. While Mullvad has been providing me with free access to their service on request, my ISP doesn't support IPv6, so to fully test IPv6 I need to find the time to set up a 6-in-4 tunnel separately.
Also, I myself am not quite clear on what the desired outcome would be in the case where not all of the tunnels/WANs support IPv6: how is the routing supposed to happen?
Ideally, I'd like some feedback from an IPv6 expert on the matter before I send the PR.
Routing with multiple IPv6 prefixes (e.g. native, he.net, VPN) is… unexpected/strange. Contrary to the option of setting interface metrics for IPv4, with IPv6 the routing always (by default) chooses to use the interface with the longest prefix match (this is as specified, but often not quite what one would appreciate). Meaning that outgoing sessions choose the sending prefix 'randomly' (o.k., not random at all, according to the longest prefix match - just that there is no real relation between hostnames and prefix) - in practice this still tends to work not too badly (as the critical remote servers tend to be hosted in the same data centre/sharing a similar prefix), except for services that do geolocation.
Personally I always wanted to combine native IPv6 from my ISP (dynamic prefixes, which are a curse) with a static prefix via he.net - using the ISP prefix for outgoing traffic (unless explicitly bound to a he.net IPv6 address), using he.net (almost) only for incoming traffic (with static addresses, rDNS, etc.). I couldn't really get that working with reasonable efforts and postponed those plans for the time being.
Given that IPv6 routing is quite different from IPv4, I'd suggest splitting off that discussion from this thread - not because I'd think it would get more exposure that way, but mostly to keep this thread clean for 'normal' issues. If you need a hand with setting up a he.net tunnel, feel free to PM me.
This is a great package. Works flawlessly. I was wondering if anyone knows the domains for Amazon Prime Video Canada and Bell Fibe TV. I couldn't find those domains by searching online. Thank you in advance!
I assume you want to route these via WAN? Have you tried the AWS user-file?
Hi
I have installed your plugin, it works pretty well!
But I've got one problem!
I have multiple interfaces:
192.168.0.1/24 is set to WAN
192.168.5.1/24 is set to WAN
192.168.8.1/24 is set to VPN
I want to be able to connect from 192.168.0.1/24 to 192.168.5.1/24.
That worked before I enabled the policy based routing plugin.
Does anyone know how I can get it working with the plugin enabled?
You may want to try something like:
uci set vpn-policy-routing.config.append_local_rules='! -d 192.168.5.0/24'; uci commit;
It didn't really work...
But when I changed the IP mask to 255.255.0.0 (/16), --> "! -d 192.168.5.0/16"
Then it worked!!
Thank you for the tip! It led me to this solution.
Hi - apologies, I've been away and have only just been able to get back to this. I took the plunge and reinstalled OpenWrt, set up OpenVPN with NordVPN again and confirmed, before installing the VPN Policy-Based Routing package, that I could reach the www.rtve.es and www.netflix.com domains successfully.
Once I install and enable the policy-based routing package, however, I see the same problem again if I have a rule set up to use the WAN. It's strange how all other domain URLs I've tested work. When I set the rule to use the VPN tunnel I can also reach those domains as before.
Thanks
New to this project, so please forgive any mis-assumptions...
Unlike most of the posters here, I am looking to configure vpn-policy-routing to route ONLY SELECTED domains through my WireGuard VPN. All other traffic should continue through my local wan interface.
Reading the intro material, it certainly seemed that routing via domain/ipset would take priority over any routing based on destination ip address. That led me to believe I could have policies for DNS domains and a match-all ip policy and the domain policy would prevail.
Pretty much any way I set it up using the GUI sends everything through the VPN. WireGuard is certainly different from OpenVPN in not using tap or tun but rather doing everything through iptables.
Here're my files:
A few things I've noticed...
- Even though I've added "wg0" as an interface in the "Supported Interfaces", I am only offered "WAN" as an interface choice in the policy configuration. Same if I edit the config file.
- Doesn't seem to matter if I pick PREROUTING or OUTPUT.
- I edited the config file directly to specify the actual interface names from ifconfig. Didn't work - got a bunch of "ERROR: unknown fw_mark for wg0!" messages.
Thanks,
Here's the usual info for evaluation - sorry I can't just upload... it's only text.
root@GL-MT300N-V2:/etc/config# cat /etc/config/vpn-policy-routing
config policy
option name 'ViaVPN'
option remote_address 'domain1.net'
option chain 'OUTPUT'
option proto 'tcp udp'
option interface 'wg0'
config policy
option interface 'apcli0'
option chain 'OUTPUT'
option proto 'tcp udp'
option name 'LOC'
option remote_address '0.0.0.0/0'
config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '0'
option boot_timeout '30'
option enable_control '1'
option proto_control '1'
option chain_control '1'
option dnsmasq_enabled '1'
option strict_enforcement '1'
option enabled '1'
list supported_interface 'wg0 apcli0'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
========================
root@GL-MT300N-V2:/etc/config# ifconfig
### --- Comment... This router is behind another router, so 192.168.2.165 is my WAN address --- ###
apcli0 Link encap:Ethernet HWaddr E6:95:6E:0A:E0:A8
inet addr:192.168.2.164 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::e495:6eff:fe0a:e0a8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:80549 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
br-lan Link encap:Ethernet HWaddr E4:95:6E:4A:E0:A8
inet addr:192.168.5.1 Bcast:192.168.5.255 Mask:255.255.255.0
inet6 addr: fd43:2afc:d635::1/60 Scope:Global
inet6 addr: fe80::e695:6eff:fe4a:e0a8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1467430 errors:0 dropped:64 overruns:0 frame:0
TX packets:1155388 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:567357729 (541.0 MiB) TX bytes:227882455 (217.3 MiB)
eth0 Link encap:Ethernet HWaddr E4:95:6E:4A:E0:A8
inet6 addr: fe80::e695:6eff:fe4a:e0a8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:907703 errors:0 dropped:22 overruns:0 frame:0
TX packets:955026 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:205055216 (195.5 MiB) TX bytes:529509029 (504.9 MiB)
Interrupt:5
eth0.1 Link encap:Ethernet HWaddr E4:95:6E:4A:E0:A8
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7851 errors:0 dropped:0 overruns:0 frame:0
TX packets:42100 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:974379 (951.5 KiB) TX bytes:11933330 (11.3 MiB)
eth0.2 Link encap:Ethernet HWaddr E4:95:6E:4A:E0:A8
inet addr:192.168.2.27 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::e695:6eff:fe4a:e0a8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:899765 errors:0 dropped:87304 overruns:0 frame:0
TX packets:912531 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:187734037 (179.0 MiB) TX bytes:513702224 (489.9 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:625 errors:0 dropped:0 overruns:0 frame:0
TX packets:625 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:73376 (71.6 KiB) TX bytes:73376 (71.6 KiB)
ra0 Link encap:Ethernet HWaddr E4:95:6E:4A:E0:A8
inet6 addr: fe80::e695:6eff:fe4a:e0a8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1546627 errors:324 dropped:0 overruns:0 frame:0
TX packets:1164666 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:622925751 (594.0 MiB) TX bytes:211621958 (201.8 MiB)
Interrupt:6
wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.0.140.2 P-t-P:10.0.140.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:600684 errors:0 dropped:9031 overruns:0 frame:0
TX packets:870020 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:138904172 (132.4 MiB) TX bytes:473217744 (451.2 MiB)
========================
root@GL-MT300N-V2:/etc/config# /etc/init.d/vpn-policy-routing restart
vpn-policy-routing 0.0.7-7 stopped [✓]
Creating table 'wan/192.168.2.1' [✓]
Routing 'ViaVPN' via wg0 [✗]
Routing 'LOC' via apcli0 [✗]
vpn-policy-routing 0.0.7-7 started on wan/192.168.2.1 with errors [✗]
ERROR: unknown fw_mark for wg0!
ERROR: unknown fw_mark for wg0!
ERROR: unknown fw_mark for apcli0!
vpn-policy-routing 0.0.7-7 monitoring interfaces: wan [✓]
========================
root@GL-MT300N-V2:/etc/config# ipset
ipset v6.34: No command specified.
Try `ipset help' for more information.
root@GL-MT300N-V2:/etc/config# ipset -L
Name: mwan3_connected_v4
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1264
References: 1
Number of entries: 18
Members:
192.168.5.1
192.168.5.255
10.0.140.2
128.0.0.0/1
192.168.2.255
192.168.5.0/24
127.0.0.1
192.168.2.164
192.168.5.0
224.0.0.0/3
192.168.2.27
127.0.0.0/8
127.255.255.255
192.168.2.0
0.0.0.0/1
127.0.0.0
192.168.2.0/24
24.211.232.117
Name: mwan3_connected_v6
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1300
References: 1
Number of entries: 2
Members:
fd43:2afc:d635::/64
fe80::/64
Name: wan
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 312
References: 1
Number of entries: 0
Members:
Name: mwan3_connected
Type: list:set
Revision: 3
Header: size 8
Size in memory: 88
References: 4
Number of entries: 2
Members:
mwan3_connected_v4
mwan3_connected_v6
========================
root@GL-MT300N-V2:/etc/config# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
GL_SPEC_OPENING all -- anywhere anywhere
GL_INPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere /* !fw3 */
input_rule all -- anywhere anywhere /* !fw3: Custom input rule chain */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input all -- anywhere anywhere /* !fw3 */
zone_wan_input all -- anywhere anywhere /* !fw3 */
zone_wan_input all -- anywhere anywhere /* !fw3 */
zone_wireguard_input all -- anywhere anywhere /* !fw3 */
Chain FORWARD (policy DROP)
target prot opt source destination
GL_FORWARD all -- anywhere anywhere
forwarding_rule all -- anywhere anywhere /* !fw3: Custom forwarding rule chain */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward all -- anywhere anywhere /* !fw3 */
zone_wan_forward all -- anywhere anywhere /* !fw3 */
zone_wan_forward all -- anywhere anywhere /* !fw3 */
zone_wireguard_forward all -- anywhere anywhere /* !fw3 */
reject all -- anywhere anywhere /* !fw3 */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
GL_OUTPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere /* !fw3 */
output_rule all -- anywhere anywhere /* !fw3: Custom output rule chain */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output all -- anywhere anywhere /* !fw3 */
zone_wan_output all -- anywhere anywhere /* !fw3 */
zone_wan_output all -- anywhere anywhere /* !fw3 */
zone_wireguard_output all -- anywhere anywhere /* !fw3 */
Chain GL_FORWARD (1 references)
target prot opt source destination
Chain GL_INPUT (1 references)
target prot opt source destination
Chain GL_OUTPUT (1 references)
target prot opt source destination
Chain GL_SPEC_OPENING (1 references)
target prot opt source destination
Chain forwarding_lan_rule (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
Chain forwarding_wan_rule (1 references)
target prot opt source destination
Chain forwarding_wireguard_rule (1 references)
target prot opt source destination
Chain input_lan_rule (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan_rule (1 references)
target prot opt source destination
Chain input_wireguard_rule (1 references)
target prot opt source destination
Chain output_lan_rule (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
Chain output_wan_rule (1 references)
target prot opt source destination
Chain output_wireguard_rule (1 references)
target prot opt source destination
Chain reject (5 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere /* !fw3 */ reject-with tcp-reset
REJECT all -- anywhere anywhere /* !fw3 */ reject-with icmp-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP all -- anywhere anywhere /* !fw3 */
Chain zone_lan_dest_ACCEPT (5 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan_rule all -- anywhere anywhere /* !fw3: Custom lan forwarding rule chain */
zone_wireguard_dest_ACCEPT all -- anywhere anywhere /* !fw3: Zone lan to wireguard forwarding policy */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_lan_input (1 references)
target prot opt source destination
input_lan_rule all -- anywhere anywhere /* !fw3: Custom lan input rule chain */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_lan_output (1 references)
target prot opt source destination
output_lan_rule all -- anywhere anywhere /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_lan_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_wan_dest_ACCEPT (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT all -- anywhere anywhere /* !fw3 */
DROP all -- anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_wan_dest_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere /* !fw3 */
reject all -- anywhere anywhere /* !fw3 */
Chain zone_wan_forward (2 references)
target prot opt source destination
forwarding_wan_rule all -- anywhere anywhere /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT esp -- anywhere anywhere /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT udp -- anywhere anywhere udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT all -- anywhere anywhere /* !fw3 */
Chain zone_wan_input (2 references)
target prot opt source destination
input_wan_rule all -- anywhere anywhere /* !fw3: Custom wan input rule chain */
ACCEPT udp -- anywhere anywhere udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT icmp -- anywhere anywhere icmp echo-request /* !fw3: Allow-Ping */
ACCEPT igmp -- anywhere anywhere /* !fw3: Allow-IGMP */
ACCEPT tcp -- anywhere anywhere tcp dpt:83 /* !fw3: glservice */
ACCEPT udp -- anywhere anywhere udp dpt:83 /* !fw3: glservice */
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh /* !fw3: glssh */
ACCEPT udp -- anywhere anywhere udp dpt:ssh /* !fw3: glssh */
ACCEPT udp -- anywhere anywhere udp dpt:5126 /* !fw3: Allow-Wireguard */
ACCEPT tcp -- anywhere anywhere tcp dpt:5126 /* !fw3: Allow-Wireguard */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT all -- anywhere anywhere /* !fw3 */
Chain zone_wan_output (2 references)
target prot opt source destination
output_wan_rule all -- anywhere anywhere /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_wan_src_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere /* !fw3 */
reject all -- anywhere anywhere /* !fw3 */
Chain zone_wireguard_dest_ACCEPT (3 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_wireguard_forward (1 references)
target prot opt source destination
forwarding_wireguard_rule all -- anywhere anywhere /* !fw3: Custom wireguard forwarding rule chain */
zone_wan_dest_ACCEPT all -- anywhere anywhere /* !fw3: Zone wireguard to wan forwarding policy */
zone_lan_dest_ACCEPT all -- anywhere anywhere /* !fw3: Zone wireguard to lan forwarding policy */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port forwards */
zone_wireguard_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_wireguard_input (1 references)
target prot opt source destination
input_wireguard_rule all -- anywhere anywhere /* !fw3: Custom wireguard input rule chain */
ACCEPT all -- anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
zone_wireguard_src_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_wireguard_output (1 references)
target prot opt source destination
output_wireguard_rule all -- anywhere anywhere /* !fw3: Custom wireguard output rule chain */
zone_wireguard_dest_ACCEPT all -- anywhere anywhere /* !fw3 */
Chain zone_wireguard_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate NEW,UNTRACKED /* !fw3 */
========================
root@GL-MT300N-V2:/etc/config# /etc/init.d/vpn-policy-routing status
vpn-policy-routing 0.0.7-7 running on OpenWrt 18.06.1.
============================================================
Dnsmasq version 2.80test2 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default * 128.0.0.0 U 0 0 0 wg0
default HanoverSouthFIO 0.0.0.0 UG 10 0 0 eth0.2
default HanoverSouthFIO 0.0.0.0 UG 20 0 0 apcli0
IPv4 Table 201: default via 192.168.2.1 dev eth0.2
IPv4 Table 201 Rules:
1000: from all fwmark 0x10000 lookup 201
IPv4 Table 202:
IPv4 Table 202 Rules:
IPv4 Table 203:
IPv4 Table 203 Rules:
IPv4 Table 204:
IPv4 Table 204 Rules:
IPv4 Table 205:
IPv4 Table 205 Rules:
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create mwan3_connected_v4 hash:net family inet hashsize 1024 maxelem 65536
add mwan3_connected_v4 192.168.5.1
add mwan3_connected_v4 192.168.5.255
add mwan3_connected_v4 10.0.140.2
add mwan3_connected_v4 128.0.0.0/1
add mwan3_connected_v4 192.168.2.255
add mwan3_connected_v4 192.168.5.0/24
add mwan3_connected_v4 127.0.0.1
add mwan3_connected_v4 192.168.2.164
add mwan3_connected_v4 192.168.5.0
add mwan3_connected_v4 224.0.0.0/3
add mwan3_connected_v4 192.168.2.27
add mwan3_connected_v4 127.0.0.0/8
add mwan3_connected_v4 127.255.255.255
add mwan3_connected_v4 192.168.2.0
add mwan3_connected_v4 0.0.0.0/1
add mwan3_connected_v4 127.0.0.0
add mwan3_connected_v4 192.168.2.0/24
add mwan3_connected_v4 24.211.232.117
create mwan3_connected_v6 hash:net family inet6 hashsize 1024 maxelem 65536
add mwan3_connected_v6 fd43:2afc:d635::/64
add mwan3_connected_v6 fe80::/64
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create mwan3_connected list:set size 8
add mwan3_connected mwan3_connected_v4
add mwan3_connected mwan3_connected_v6
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@GL-MT300N-V2:/etc/config# traceroute google.com
traceroute to google.com (172.217.2.206), 30 hops max, 38 byte packets
1 10.0.140.1 (10.0.140.1) 63.849 ms 67.378 ms 57.324 ms
2 192.168.1.1 (192.168.1.1) 55.889 ms 65.874 ms 58.819 ms
3^C
root@GL-MT300N-V2:/etc/config# traceroute domain1.net
traceroute to domain1.net (34.197.0.224), 30 hops max, 38 byte packets
1 10.0.140.1 (10.0.140.1) 57.904 ms 57.240 ms 56.166 ms
2 192.168.1.1 (192.168.1.1) 56.660 ms 56.650 ms 59.507 ms
3^C
### --- Note that 10.0.140.1 is the IP for the WireGuard VPN
If we were going thru the WAN, we'd be seeing different addresses. --- ###
If the wireguard interface is properly configured, the VPR luci app should pick it up automatically.
Use interface names from /etc/config/network, not the device names from ifconfig.
Also, check the README on mwan3 compatibility.
There are also settings outside of VPR which need to be configured for this.
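An added check for the symptom above (an example script written here, not code from the thread or from vpn-policy-routing): it reads a vpn-policy-routing config and reports every policy whose `option interface` is not a logical interface defined in /etc/config/network, which is what produces the "unknown fw_mark" errors when device names such as wg0 or apcli0 are used. The sample configs are constructed, and the logical name 'wireguard' for the wg0 interface is an assumption.

```shell
#!/bin/sh
# Added example, not part of vpn-policy-routing: flag policies whose
# 'option interface' is a device name (wg0, apcli0) rather than a logical
# interface from /etc/config/network, the cause of "unknown fw_mark" above.
# Assumes uci-style single-quoted values, as in the config dump in the thread.

# Logical interface names: the NAME in each "config interface 'NAME'" line.
network_interfaces() {
    awk '$1 == "config" && $2 == "interface" { gsub(/'\''/, "", $3); print $3 }' "$1"
}

# One "name<TAB>interface" line per "config policy" section.
policy_interfaces() {
    awk '
        function unquote(s) { sub(/^[^'\'']*'\''/, "", s); sub(/'\''[^'\'']*$/, "", s); return s }
        function emit()     { if (name != "" || iface != "") print name "\t" iface }
        $1 == "config" { if (in_policy) emit(); in_policy = ($2 == "policy"); name = ""; iface = "" }
        in_policy && $1 == "option" && $2 == "name"      { name = unquote($0) }
        in_policy && $1 == "option" && $2 == "interface" { iface = unquote($0) }
        END { if (in_policy) emit() }
    ' "$1"
}

# Prints one line per offending policy; returns 0 only if every policy
# references an interface that the network config defines.
check_policy_interfaces() {
    vpr_cfg=$1; net_cfg=$2
    known=$(network_interfaces "$net_cfg")
    tab=$(printf '\t')
    offenders=$(policy_interfaces "$vpr_cfg" | while IFS="$tab" read -r name iface; do
        if ! printf '%s\n' "$known" | grep -qxF -- "$iface"; then
            printf "policy '%s': interface '%s' is not defined in %s\n" "$name" "$iface" "$net_cfg"
        fi
    done)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# Constructed sample configs (left in place so they can be inspected).
WORK=$(mktemp -d)
NET_CFG="$WORK/network"       # stand-in for /etc/config/network
VPR_BROKEN="$WORK/vpr-broken" # device names, as in the dump posted above
VPR_FIXED="$WORK/vpr-fixed"   # logical names; 'wireguard' is an assumed name

cat > "$NET_CFG" <<'EOF'
config interface 'loopback'
    option ifname 'lo'
config interface 'lan'
    option ifname 'eth0.1'
config interface 'wan'
    option ifname 'eth0.2'
config interface 'wireguard'
    option proto 'wireguard'
EOF

# write_vpr FILE VPN_IFACE WAN_IFACE: two policies shaped like the ones posted above.
write_vpr() {
    printf "config policy\n    option name 'ViaVPN'\n    option remote_address 'domain1.net'\n    option interface '%s'\n" "$2" > "$1"
    printf "config policy\n    option name 'LOC'\n    option remote_address '0.0.0.0/0'\n    option interface '%s'\n" "$3" >> "$1"
    printf "config vpn-policy-routing 'config'\n    option enabled '1'\n" >> "$1"
}
write_vpr "$VPR_BROKEN" wg0 apcli0
write_vpr "$VPR_FIXED" wireguard wan

for cfg in "$VPR_BROKEN" "$VPR_FIXED"; do
    if check_policy_interfaces "$cfg" "$NET_CFG"; then
        echo "$cfg: every policy interface is defined in $NET_CFG"
    fi
done
```

Running it prints the two offending policies for the broken config and an all-clear for the fixed one; on a router, point it at /etc/config/vpn-policy-routing and /etc/config/network instead of the sample files.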
I downloaded a new update today and now everything is being routed via my VPN interface. Has anything changed for .7-7? The log shows computer hawkeye going through the WAN, but it is really not, as I do a traceroute and see AirVPN's servers and not Spectrum.
Mon Aug 5 19:49:09 2019 user.notice vpn-policy-routing [15455]: Creating table 'wan/76.185.192.1' [✓]
Mon Aug 5 19:49:10 2019 user.notice vpn-policy-routing [15455]: Creating table 'airvpn/xx.xx.xx.1' [✓]
Mon Aug 5 19:49:10 2019 user.notice vpn-policy-routing [15455]: Routing 'Home Network' via wan [✓]
Mon Aug 5 19:49:10 2019 user.notice vpn-policy-routing [15455]: Routing 'Hawkeye' via wan [✓]
Mon Aug 5 19:49:10 2019 user.notice vpn-policy-routing [15455]: Routing 'Deluge Box' via airvpn [✓]
Mon Aug 5 19:49:10 2019 user.notice vpn-policy-routing [15455]: service started on wan/76.xxx.xxx.1 airvpn/10.26.65.1 [✓]
Mon Aug 5 19:49:10 2019 user.notice vpn-policy-routing [15455]: service monitoring interfaces: wan airvpn [✓]
I also tried installing vpnbypass instead of VPR but see the exact same behaviour. Both URLs are pingable but time out when trying to browse to them.
status output?
What are your DHCP settings both on router and the PC you're testing from?
Hi,
This is my /etc/config/dhcp file:
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'Guest'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'Guest'
I'm testing from a Windows 10 machine and have DHCP enabled; this is the result of ipconfig /all:
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : lan
Description . . . . . . . . . . . : 802.11n Wireless LAN Card
Physical Address. . . . . . . . . : 90-48-9A-8E-53-3F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . :
Lease Obtained. . . . . . . . . . : 02 August 2019 21:54:10
Lease Expires . . . . . . . . . . : 14 September 2155 09:12:56
IPv6 Address. . . . . . . . . . . :
Temporary IPv6 Address. . . . . . :
Link-local IPv6 Address . . . . . :
IPv4 Address. . . . . . . . . . . : 192.168.1.244(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 08 August 2019 01:57:10
Lease Expires . . . . . . . . . . : 08 August 2019 14:36:43
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . :
DHCPv6 Client DUID. . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
I blanked out the IPV6 addresses in the above.
Thanks
Everything looks alright. Maybe it's actually IPv6 routing which is getting in the way. I have IPv6 disabled on my OpenWrt config.