VPN Policy-Based Routing + Web UI -- Discussion

Is there any way to use VPR with Shadowsocks?

Are you willing to PM me output of some CLI commands from your router?

Sure I will

1 Like

I am using a Turris Omnia router with Turris OS 4.0.1. Recently I have been getting the following error when trying to update to the newest version of VPN PBR. Any idea how to solve this?

When I try to update to the newest VPN PBR routing I get the following error. Does somebody else have the same issue?

Error from 2019/11/15 13:37:clock430:

Updater failed:
inconsistent: Package luci-app-vpn-policy-routing requires package luci-compat that is not available.

While we are not on the 19.07 version, it must be installed or updated with the '--nodeps' flag.

The package luci-compat was added 2 days ago into openwrt-18.06 branch. It will be included in the next version of Turris OS 4.0.2, which is going to be based on the latest stable commits of each feed. In the meantime, you can try the next version by using switch-branch hbk on your router, which is just available in Turris OS.

1 Like

Dear Pepe, thanks, I switched to 4.0.2 HBK branch, I don't get the error anymore.

1 Like

Hi!

I have been trying to force only one domain (an IPTV server) into the VPN tunnel, but no luck so far.

Can anyone help me achieve that (access the IPTV server domain inside the tunnel and everything else outside)?

Help us help you.

@stangri, sorry about that. Below you can find the details.

  • content of /etc/config/dhcp:
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option local ''
	option noresolv '1'
	option domain ''

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '200'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option force '1'
	option ra_management '1'
	list dhcp_option '6,1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
  • content of /etc/config/firewall:
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option network 'wan wan6'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'openvpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'
  • content of /etc/config/network:
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd26:d49a:be36::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1 eth2'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	option dns '1.1.1.1 8.8.8.8 1.0.0.1 8.8.4.4'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'
	option auto '0'

config interface 'openvpn'
	option proto 'none'
	option ifname 'tun0'
  • content of /etc/config/vpn-policy-routing:
config policy
	option name 'FactoryIPTV'
	option dest_addr 'tv.factoryiptv.com'
	option interface 'openvpn'

config policy
	option name 'IPLeak.net'
	option dest_addr 'ipleak.net'
	option interface 'openvpn'

config policy
	option name 'Speedtest.net'
	option dest_addr 'speedtest.net'
	option interface 'openvpn'

config policy
	option interface 'wan'
	option src_addr '192.168.1.1/24'
	option name 'All_Network'

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_enable_column '1'
	option webui_protocol_column '0'
	option ipv6_enabled '0'
	option src_ipset '0'
	option webui_chain_column '0'
	option enabled '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'
  • output of /etc/init.d/vpn-policy-routing support:
vpn-policy-routing 0.2.1-0 running on OpenWrt 19.07.0-rc1. WAN (IPv4): wan/dev/201.82.28.1.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         141.101.149.193 128.0.0.0       UG    0      0        0 tun0
default         c9521c01.virtua 0.0.0.0         UG    0      0        0 eth0
IPv4 Table 201: default via 201.82.28.1 dev eth0
IPv4 Table 201 Rules:
32765:  from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 141.101.149.205 dev tun0
IPv4 Table 202 Rules:
32764:  from all fwmark 0x20000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.0/24 -m comment --comment All_Network -c 25580 2444414 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 151.101.194.219/32 -m comment --comment Speedtest_net_speedtest_net -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -d 151.101.130.219/32 -m comment --comment Speedtest_net_speedtest_net -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -d 151.101.66.219/32 -m comment --comment Speedtest_net_speedtest_net -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -d 151.101.2.219/32 -m comment --comment Speedtest_net_speedtest_net -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -d 95.85.16.212/32 -m comment --comment IPLeak_net_ipleak_net -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -d 149.56.40.70/32 -m comment --comment FactoryIPTV_tv_factoryiptv_com -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
  • output of /etc/init.d/vpn-policy-routing reload:
Creating table 'wan/eth0/201.82.28.1' [✓]
Creating table 'openvpn/tun0/141.101.149.205' [✓]
Routing 'FactoryIPTV' via openvpn [✓]
Routing 'IPLeak.net' via openvpn [✓]
Routing 'Speedtest.net' via openvpn [✓]
Routing 'All_Network' via wan [✓]
vpn-policy-routing 0.2.1-0 started with gateways:
wan/eth0/201.82.28.1
openvpn/tun0/141.101.149.205 [✓]

I wouldn't use dhcp option 6, however since you're not using dest_ipset it shouldn't matter in this case.

I'm guessing the priorities get mixed up as everything is going thru the All_Network policy (btw, including the router's ip in the prerouting policy is not recommended).

I would make WAN the default routing and remove All_Network policy from the config, that should do the trick. However, generally speaking, domains may not work reliably without dest_ipset=dnsmasq.ipset.

Thanks @stangri!

By making WAN default routing you mean this?

I already disabled All_Network policy and enabled dnsmasq.ipset.

config policy
	option interface 'wan'
	option src_addr '192.168.1.1/24'
	option name 'All_Network'
	option enabled '0'

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_enable_column '1'
	option webui_protocol_column '0'
	option ipv6_enabled '0'
	option src_ipset '0'
	option webui_chain_column '0'
	option enabled '1'
	option dest_ipset 'dnsmasq.ipset'
	option icmp_interface 'wan'
vpn-policy-routing 0.2.1-0 running on OpenWrt 19.07.0-rc1. WAN (IPv4): wan/dev/201.82.28.1.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         141.101.156.193 128.0.0.0       UG    0      0        0 tun0
default         c9521c01.virtua 0.0.0.0         UG    0      0        0 eth0
IPv4 Table 201: default via 201.82.28.1 dev eth0
IPv4 Table 201 Rules:
32761:  from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 141.101.156.200 dev tun0
IPv4 Table 202 Rules:
32760:  from all fwmark 0x20000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -p icmp -c 56 13503 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create openvpn hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
DNSMASQ ipsets
ipset=/tv.factoryiptv.com/wan # FactoryIPTV
ipset=/ipleak.net/openvpn # IPLeak.net
ipset=/speedtest.net/openvpn # Speedtest.net
============================================================

As I now have the dest_ipset=dnsmasq.ipset, I am not sure where to disable this option.

BTW, everything is going through the tunnel now, even after the changes above.

No, check the readme. If you enabled dnsmasq.ipset, you definitely need to disable dhcp option.
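The three pitfalls stangri points out in this thread (domain policies without dest_ipset, a src_addr policy that also catches the router's own address, and DHCP option 6 handing clients external resolvers while dnsmasq.ipset is enabled) can be checked mechanically. The script below is an added example written for this discussion, not code from the vpn-policy-routing package or from stangri; it parses UCI-style config text with POSIX awk and runs against two constructed samples abridged from the configs posted above (a "before" and an "after" the poster's changes). The function names, the sample file names and the router address 192.168.1.1 are my own choices.

```shell
#!/bin/sh
# Added example, not code from the vpn-policy-routing package: lint a
# vpn-policy-routing config for the pitfalls raised in this thread, using
# POSIX sh and awk only so it can also run on the router itself.

# Constructed samples (abridged from the files posted above) written into $1:
# vpr-before, vpr-after (All_Network disabled and dest_ipset set, as in the
# follow-up post) and a dhcp file that still pushes DHCP option 6.
write_samples() {
	cat > "$1/vpr-before" <<'EOF'
config policy
	option name 'FactoryIPTV'
	option dest_addr 'tv.factoryiptv.com'
	option interface 'openvpn'

config policy
	option interface 'wan'
	option src_addr '192.168.1.1/24'
	option name 'All_Network'

config vpn-policy-routing 'config'
	option enabled '1'
EOF
	awk -v q="'" '{ print }
		/All_Network/        { print "\toption enabled " q "0" q }
		/vpn-policy-routing/ { print "\toption dest_ipset " q "dnsmasq.ipset" q }' \
		"$1/vpr-before" > "$1/vpr-after"
	printf "config dhcp 'lan'\n\tlist dhcp_option '6,1.1.1.1,8.8.8.8'\n" > "$1/dhcp"
}

# Value of global option $1 in the 'config vpn-policy-routing' section of $2.
vpr_global_option() {
	awk -v q="'" -v opt="$1" '
		/^config vpn-policy-routing/ { insec = 1; next }
		/^config /                   { insec = 0 }
		insec && $1 == "option" && $2 == opt { split($0, p, q); print p[2]; exit }' "$2"
}

# One tab-separated line per 'config policy' section in $1:
# name, dest_addr, src_addr, enabled ('-' when unset; enabled defaults to 1).
vpr_policies() {
	awk -v q="'" '
		function val(   p) { split($0, p, q); return p[2] }
		function flush() { if (insec) print name "\t" dest "\t" src "\t" en; insec = 0 }
		/^config policy/ { flush(); insec = 1; name = dest = src = "-"; en = "1"; next }
		/^config /       { flush(); next }
		insec && $1 == "option" && $2 == "name"      { name = val() }
		insec && $1 == "option" && $2 == "dest_addr" { dest = val() }
		insec && $1 == "option" && $2 == "src_addr"  { src = val() }
		insec && $1 == "option" && $2 == "enabled"   { en = val() }
		END { flush() }' "$1"
}

# Enabled policies whose dest_addr is a hostname (has a letter, no IPv6 colon);
# these are the ones that need dest_ipset to be matched reliably.
vpr_domain_policies() {
	vpr_policies "$1" | awk -F'\t' '$4 != "0" && $2 ~ /[A-Za-z]/ && $2 !~ /:/ { print $1 }'
}

# Enabled policies whose IPv4 src_addr (address or CIDR) contains the router
# address $1; stangri advises against catching the router in PREROUTING.
vpr_policies_covering_ip() {
	vpr_policies "$2" | awk -F'\t' -v ip="$1" '
		function ip2n(a,   o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
		$4 != "0" && $3 ~ /^[0-9.]+(\/[0-9]+)?$/ {
			n = split($3, c, "/"); blk = 2 ^ (32 - (n == 2 ? c[2] : 32))
			if (int(ip2n(c[1]) / blk) == int(ip2n(ip) / blk)) print $1
		}'
}

# True if the dhcp config hands clients resolvers via DHCP option 6: they then
# bypass the router's dnsmasq, which is what fills the dnsmasq.ipset sets.
dhcp_pushes_option6() { grep -q "list dhcp_option '6," "$1"; }

# Print one WARN per finding; the exit status is the number of findings.
lint_vpr() {  # $1 vpn-policy-routing file, $2 dhcp file, $3 router LAN IP
	n=0
	dest_ipset=$(vpr_global_option dest_ipset "$1")
	domains=$(vpr_domain_policies "$1")
	if [ -n "$domains" ] && [ -z "$dest_ipset" ]; then
		echo "WARN: domain policies ($(echo $domains)) but dest_ipset is unset"; n=$((n + 1))
	fi
	if [ "$dest_ipset" = "dnsmasq.ipset" ] && dhcp_pushes_option6 "$2"; then
		echo "WARN: dnsmasq.ipset in use but DHCP option 6 points clients elsewhere"; n=$((n + 1))
	fi
	for p in $(vpr_policies_covering_ip "$3" "$1"); do
		echo "WARN: policy $p src_addr covers the router's own address $3"; n=$((n + 1))
	done
	return $n
}

dir=$(mktemp -d); write_samples "$dir"
for f in vpr-before vpr-after; do
	rc=0; lint_vpr "$dir/$f" "$dir/dhcp" 192.168.1.1 || rc=$?
	echo "$f: $rc finding(s)"
done
rm -rf "$dir"
```

On the "before" sample the lint reports two findings (domain policies with no dest_ipset, and All_Network covering 192.168.1.1); on the "after" sample it still reports one, the DHCP option 6 push, which is the remaining change stangri asks for. To run it against a real router, point it at /etc/config/vpn-policy-routing and /etc/config/dhcp instead of the samples; src_addr values that are MAC addresses or hostnames are skipped by the CIDR check.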

I added the option list pull-filter 'ignore "redirect-gateway"' to the OpenVPN client config, and now all traffic is going through WAN by default, but nothing is getting inside the tunnel even though I have the same rules applied in VPN Policy.

Hello Everyone!

@stangri Do you, or anyone for that matter, know if this package functions with/supports SoftetherVPN? If so, what would be the vpn-policy-routing policy configuration to run both the VPN client and server simultaneously? In this case meaning that all network traffic flows via the VPN client but the server listens on the WAN interface. I'd imagine it's similar to the OpenVPN configuration example but I have not been able to get it to work.

Thank you for any help you can provide!

If it creates an interface, it should.

Should use similar config as in the VPN/Wireguard client/server examples.

I've tried to fix the missing VPN tab for 18.06 installs in version 67. I'm not sure what it may do if you have luci-app-openvpn installed on 19.07; I would appreciate it if someone could test it.

I have them both installed in v19.07 and they show up under VPN category. I haven't tried the new version yet.

Just did an update via GUI Software from Ver 65 to 67 VPR LUCI App and VPR now shows up under the VPN menu. It was under Services before the update.

I did a reboot to see it under VPN menu.

Using Bootstrap theme on Davidc502 version:

  1. Firmware Version - OpenWrt SNAPSHOT r11583-68fb38548b / LuCI Master git-19.327.83508-5e1253f
  2. Kernel Version - 4.19.85

Hope this helps.

1 Like

@stangri I'm experiencing a weird issue with clients that are being routed through the VPN through VPR LAN range, but having domain based exceptions fail that are marked through the WAN.

In my case, I have defined the DHCP range of 192.168.1.100 to 192.168.1.250 to go through the VPN; this is the first rule. Then the domain-based exceptions are defined as dest_addr and marked for the WAN using dnsmasq ipset. It seems that after a few minutes all domains that use ipset policies suddenly won't work with VPR enabled, but any VPN traffic still works fine. It's as if the routing for the WAN is broken. When trying to traceroute from a VPN client, the traffic for any domain marked as WAN dies after the first hop (the router).

It seems to work for a few minutes after VPR is initialised, then any domain specified for the WAN through dest_addr won't work, until a reload of the service, but it only works for a small amount of time, before breaking again.

I have uploaded my config to paste.ee if it will help.

Thanks in advance!