VPN Policy-Based Routing + Web UI -- Discussion

Is there something which is unclear in the README section I referred to above?

I believe so, yes.

So I know I've gone back and forth about the option naming, but what do you guys think about renaming the options from local_address and local_port to src_addr and src_port (and likewise from remote_ to dest_) to be more consistent with the OpenWrt firewall options?

Of course, just like before, the existing configs would be converted on first start.

I like that change of names.

As stated in the Default Routing section, I added the following line to both OpenVPN clients.

list pull_filter 'ignore "redirect-gateway"'

However, I don't know how to specify which of the two VPN clients is the default route and thus show a tick next to it in the Service Status information in LuCI.

@stangri, thanks for writing this. I have a little question: I have a WireGuard VPN with an IPv6 subnet address on the router. How can I manage some apps' IPv6 internet access through WireGuard via vpn-policy-routing?

Whichever VPN client you want to be used as default routing, do NOT add the above-mentioned option to its config.

AFAIK, there's no easy way to force IPv6 routing on OpenWrt just yet. Some discussion of it is available here.

Now I've got this:

root@OpenWrt:~# ip -6 route
fd42:42:42::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd42:42:42::/64 dev lo proto static metric 2147483647 error -113 pref medium
fd42:42:42::/48 dev wg0 proto kernel metric 256 pref medium
unreachable fd42:42:42::/48 dev lo proto static metric 2147483647 error -113 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium

And now I made this, and it works!

root@OpenWrt:~# ip -6 route
fd42:42:42::2 dev wg0 proto static metric 1024 pref medium
fd42:42:42::/64 dev br-lan proto static metric 1024 pref medium
fd42:42:42::/48 dev wg0 proto kernel metric 256 pref medium
unreachable fd42:42:42::/48 dev lo proto static metric 2147483647 error -113 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default dev wg0 proto static metric 1024 pref medium

Now I can set the WireGuard VPN as the default route, and with VPR move some apps through WAN.
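A way to verify which interface currently holds the IPv6 default route (the question behind the default-route tick in the Service Status earlier in the thread), as an added example that is not from the thread or from vpn-policy-routing. The two route tables are copied from the post above into constructed shell functions; the awk reader assumes the usual `ip -6 route` line layout (prefix, then `dev X`, then `metric N`) and deliberately ignores the `unreachable` fallback entries, which are not real routes.

```shell
#!/bin/sh
# Added example, not from the thread or from vpn-policy-routing: a small
# sh/awk reader for `ip -6 route` output that answers "which interface
# carries the IPv6 default route?" and looks up the device a given prefix
# is routed over. Input is read from stdin, so it can be fed the live
# table with:  ip -6 route | route_dev default

# Constructed sample: the two tables from the post above, before and after
# the wg0 default route was added (shortened to the relevant lines).
routes_before() {
  cat <<'EOF'
fd42:42:42::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd42:42:42::/64 dev lo proto static metric 2147483647 error -113 pref medium
fd42:42:42::/48 dev wg0 proto kernel metric 256 pref medium
unreachable fd42:42:42::/48 dev lo proto static metric 2147483647 error -113 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
EOF
}

routes_after() {
  cat <<'EOF'
fd42:42:42::2 dev wg0 proto static metric 1024 pref medium
fd42:42:42::/64 dev br-lan proto static metric 1024 pref medium
fd42:42:42::/48 dev wg0 proto kernel metric 256 pref medium
unreachable fd42:42:42::/48 dev lo proto static metric 2147483647 error -113 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
default dev wg0 proto static metric 1024 pref medium
EOF
}

# Print the device of the lowest-metric reachable route for PREFIX
# ("default" for the default route), or "none" when there is no such route.
# Lines starting with "unreachable" never match because their first field
# is the word "unreachable", not the prefix.
route_dev() {
  awk -v want="$1" '
    $1 == want {
      dev = ""; metric = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "dev")    dev = $(i + 1)
        if ($i == "metric") metric = $(i + 1) + 0
      }
      if (dev != "" && (best == "" || metric < bestm)) { best = dev; bestm = metric }
    }
    END { print (best == "" ? "none" : best) }
  '
}

# Demonstration on the constructed tables when run directly.
echo "before: default via $(routes_before | route_dev default)"
echo "after:  default via $(routes_after  | route_dev default)"
```

Running it prints `none` for the first table and `wg0` for the second, which is exactly the difference between the two `ip -6 route` listings above.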

Thanks stangri, I didn't get it right in the first place.
What I ended up doing is this: I didn't add any additional gateway option in /etc/config/openvpn, but I added the following line in the configuration file of one of the OpenVPN clients:

pull-filter ignore "redirect-gateway"

Everything seems to be working as it should.

vpn-policy-routing 0.1.1-3
luci-app-vpn-policy-routing git-19.290.74883-9c3e931-63
Repo: src/gz stangri_repo https://raw.githubusercontent.com/stangri/openwrt-repo/master

I updated the VPN PBR LuCI app tonight and now it's not loading properly:

Thu Oct 17 23:24:19 2019 user.notice vpn-policy-routing [8408]: Creating table 'wan/eth1.2/24.xxx.xx.x' [✓]
Thu Oct 17 23:24:19 2019 user.notice vpn-policy-routing [8408]: Creating table 'mullvad/10.xx.xx.xxx' [✓]
Thu Oct 17 23:24:19 2019 user.notice vpn-policy-routing [8408]: Routing 'GEOweb' via wan [✗]
Thu Oct 17 23:24:19 2019 user.notice vpn-policy-routing [8408]: Routing 'kijiji' via wan [✗]
Thu Oct 17 23:24:19 2019 user.notice vpn-policy-routing [8408]: Routing 'DDNS' via wan [✗]
Thu Oct 17 23:24:19 2019 user.notice vpn-policy-routing [8408]: Routing 'All443' via mullvad [✗]
Thu Oct 17 23:24:19 2019 user.notice vpn-policy-routing [8408]: Routing 'Lyric' via wan [✗]
Thu Oct 17 23:24:19 2019 user.notice vpn-policy-routing [8408]: Routing 'qbittorrent' via mullvad [✗]
Thu Oct 17 23:24:19 2019 user.notice vpn-policy-routing [8408]: Routing 'wgserver' via wan [✗]
Thu Oct 17 23:24:19 2019 user.notice vpn-policy-routing [8408]: service started on wan/eth1.2/24.146.58.1[✓] mullvad/10.99.60.248
Thu Oct 17 23:24:19 2019 user.notice vpn-policy-routing [8408]: with errors [✗]
Thu Oct 17 23:24:19 2019 user.notice vpn-policy-routing [8408]: ERROR: policy 'GEOweb' missing all IPs/ports! ERROR: policy 'kijiji' missing all IPs/ports! ERROR: policy 'DDNS' missing all IPs/ports! ERROR: policy 'All443' missing all IPs/ports! ERROR: policy 'Lyric' missing all IPs/ports! ERROR: policy 'qbittorrent' missing all IPs/ports! ERROR: policy 'wgserver' missing all IPs/ports!

/etc/config/vpn-policy-routing

config policy
        option interface 'wan'
        option name 'WANsub'
        option src_addr '192.168.1.81/28'
        option enabled '0'
        option proto 'all'

config policy
        option interface 'wan'
        option name 'GEOweb'
        option dest_addr 'www.flipp.ca flipp.ca www.costco.ca www.rottentomatoes.com www.amazon.ca'
        option proto 'all'

config policy
        option interface 'wan'
        option name 'kijiji'
        option dest_addr 'www.kijiji.ca 91.195.49.142 195.78.85.110'
        option proto 'all'

config policy
        option interface 'wan'
        option name 'DDNS'
        option dest_addr 'dkroad.ddns.net'
        option proto 'all'

config policy
        option name 'All443'
        option dest_port '443'
        option interface 'mullvad'
        option proto 'tcp'

config policy
        option interface 'wan'
        option name 'Lyric'
        option src_addr '192.168.1.50'
        option proto 'all'

config policy
        option interface 'wan'
        option name 'wgserver'
        option src_port '12159'
        option proto 'udp'
        option chain 'OUTPUT'

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option remote_ipset 'dnsmasq.ipset'
        option local_ipset '0'
        option ipv6_enabled '0'
        list supported_interface ''
        option iptables_rule_option 'append'
        option iprule_enabled '0'
        option enable_control '0'
        option proto_control '0'
        option chain_control '0'
        option sort_control '1'
        option src_ipset '0'
        option webui_sorting '1'
        list ignored_interface 'wgserver'
        list ignored_interface 'ipvanvpntun'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        option enabled '1'
        option boot_timeout '40'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'
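An added check over the posted config, not part of the thread or of the vpn-policy-routing project: it reads a UCI-style /etc/config/vpn-policy-routing and reports every enabled policy that carries none of the four address/port options, which is the condition the "policy '...' missing all IPs/ports!" log lines above complain about. Because the option names were renamed earlier in the thread (local_address/local_port/remote_address/remote_port to src_addr/src_port/dest_addr/dest_port), the check accepts both spellings and prints the new name beside each old one it finds. The sample config is constructed from the posts above with made-up values; how the real package parses its config is not assumed here.

```shell
#!/bin/sh
# Added example, not part of the thread or of the vpn-policy-routing project:
# an sh/awk check over the text of /etc/config/vpn-policy-routing that
# reports enabled policies with none of src_addr, src_port, dest_addr,
# dest_port (or their old names local_*/remote_*) set.
# Feed it the real file with: check_policies < /etc/config/vpn-policy-routing

# Constructed sample modelled on the configs posted in the thread; the
# values are assumptions, not anyone's real network.
sample_config() {
  cat <<'EOF'
config policy
        option interface 'wan'
        option name 'WANsub'
        option src_addr '192.168.1.81/28'
        option enabled '0'
        option proto 'all'

config policy
        option interface 'wan'
        option name 'GEOweb'
        option dest_addr 'www.flipp.ca flipp.ca www.costco.ca'
        option proto 'all'

config policy
        option name 'All443'
        option dest_port '443'
        option interface 'mullvad'
        option proto 'tcp'

config policy
        option interface 'wan'
        option name 'Legacy'
        option local_address '192.168.1.50'
        option proto 'all'

config policy
        option interface 'wan'
        option name 'Empty'
        option proto 'all'

config policy
        option interface 'wan'
        option name 'BlankPort'
        option dest_port ''
        option proto 'udp'

config vpn-policy-routing 'config'
        option enabled '1'
EOF
}

# Read a UCI-style config on stdin; print one line per "config policy":
#   OK <name> [legacy:old->new,...]  at least one address/port option is set
#   MISSING <name>                   enabled, but no usable address/port option
#   DISABLED <name>                  enabled '0', so it is skipped anyway
check_policies() {
  awk -v q="'" '
    function flush() {
      if (in_policy) {
        if (!enabled)         status = "DISABLED"
        else if (has_target)  status = "OK"
        else                  status = "MISSING"
        printf "%s %s%s\n", status, name, (legacy == "" ? "" : " legacy:" legacy)
      }
      in_policy = 0; enabled = 1; has_target = 0; name = "?"; legacy = ""
    }
    BEGIN {
      newname["local_address"]  = "src_addr";  newname["local_port"]  = "src_port"
      newname["remote_address"] = "dest_addr"; newname["remote_port"] = "dest_port"
      current["src_addr"]  = 1; current["src_port"]  = 1
      current["dest_addr"] = 1; current["dest_port"] = 1
      enabled = 1; name = "?"
    }
    $1 == "config" { flush(); if ($2 == "policy") in_policy = 1; next }
    in_policy && $1 == "option" {
      key = $2
      val = $0
      sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", val)   # drop "option <key>"
      sub("^" q, "", val); sub(q "$", "", val)            # drop the quotes
      if (key == "name")           name = val
      else if (key == "enabled")   enabled = (val != "0")
      else if (key in current)   { if (val != "") has_target = 1 }
      else if (key in newname)   { if (val != "") has_target = 1
                                   legacy = legacy (legacy == "" ? "" : ",") key "->" newname[key] }
      next
    }
    END { flush() }
  '
}

# Number of enabled policies that would trigger "missing all IPs/ports".
count_missing() {
  check_policies | grep -c '^MISSING' || true
}

# Demonstration on the constructed sample when run directly.
sample_config | check_policies
```

On the sample this reports `WANsub` as DISABLED, `GEOweb`, `All443` and `Legacy` as OK (with `legacy:local_address->src_addr` noted on the last), and `Empty` and `BlankPort` as MISSING; an option that is present but empty counts as missing, which is the edge case the blank `dest_port` exercises.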

After the last upgrade I'm getting an error on policies, examples:

Fri Oct 18 10:07:16 2019 user.notice vpn-policy-routing [2749]: Creating table 'wan/eth0.2/192.168.X.X' [✓]
Creating table 'nordvpntun/tun0/10.8.X.X' [✓]
Routing 'RemoteAccess' via wan [✗]
Routing 'ZeroTier' via wan [✗]
Routing 'Embratel' via wan [✗]
service started on wan/eth0.2/192.168.X.X nordvpntun/tun0/10.8.X.X [✓]
With ERRORS:
ERROR: policy 'RemoteAccess' missing all IPs/ports!
ERROR: policy 'ZeroTier' missing all IPs/ports!
ERROR: policy 'Embratel' missing all IPs/ports!

luci-app-vpn-policy-routing - git-19.290.74883-9c3e931-63
vpn-policy-routing - 0.2.0-1

You need to update the main package too.

root@Router:~# opkg update
Downloading https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.gz
Updated list of available packages in /var/opkg-lists/stangri_repo
Downloading https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.sig
Signature check passed.
root@Router:~# opkg list-upgradable
root@Router:~#

Here all packages are updated! The error applying policies remains.

Please refer to Getting Help.

My policy is very simple:

config policy
	option interface 'wan'
	option name 'Embratel'
	option dest_addr '186.215.XXX.XX'

I recreated it via Luci, same error.

Creating table 'wan/eth0.2/192.168.XX.XX' [✓]
Creating table 'nordvpntun/tun0/10.8.XX.XX' [✓]
Routing 'Embratel' via wan [✗]
vpn-policy-routing 0.2.0-1 started on wan/eth0.2/192.168.XX.XX nordvpntun/tun0/10.8.XX.XX[✓]
With ERRORS:
ERROR: policy 'Embratel' missing all IPs/ports!

Try updating to 0.2.0-2.

Hi Stan,

When I search for the main VPN package, nothing new comes up in the LuCI software packages. Did the repository change for it?

Can I pull it manually and install it?

Yeah, sorry, I've modified my build script recently, and when the luci apps were built they would remove the principal apps from the repo. Fixed now, please try updating and upgrading again.

OK thanks, I was able to find vpn-policy-routing 0.2.0-2 and upgrade.
It's running with my policies but I no longer see any entries in the system log for VPR?

I usually see the startup status and interfaces, policies, etc...?
I rebooted and still no log entries...