Sorry, I keep missing a post here or there and only come to find them again a week or so later.
Please confirm that you're clicking "SAVE & APPLY" when you finish making changes in Web UI and that still doesn't result in the service being reloaded with the new changes taking effect?
Hi @stangri, apologies, should have tagged you in the post.
I meant to reply sooner, I also found the same situation when using uci so it's not specific to using the GUI. I've also just updated vpn-policy-routing and luci-app-vpn-policy-routing with the same results.
Please see the output below; hopefully it shows what I'm experiencing. Steps are:
- Show commands for the uci config and iptables being in line
- uci update and commit
- Show commands for the updated uci config, but iptables has not updated
- Restart the service, then another show of iptables being updated correctly
```
root@jenova:~# uci show vpn-policy-routing.@policy[0]
vpn-policy-routing.cfg036ff5=policy
vpn-policy-routing.cfg036ff5.comment='Kuja'
vpn-policy-routing.cfg036ff5.local_addresses='192.168.1.253'
vpn-policy-routing.cfg036ff5.interface='nordvpntun'
root@jenova:~# iptables -L VPR_PREROUTING -t mangle
Chain VPR_PREROUTING (1 references)
target prot opt source destination
MARK all -- ps4.midgar anywhere /* PS4 */ MARK xset 0x10000/0xff0000
MARK all -- 192.168.1.0/24 10.1.0.0/28 /* LAN_to_VPN_Clients */ MARK xset 0x20000/0xff0000
MARK all -- 192.168.1.64/26 anywhere /* DHCP_LAN_Clients */ MARK xset 0x10000/0xff0000
MARK all -- samsunght.midgar anywhere /* Samsung_HT */ MARK xset 0x10000/0xff0000
MARK all -- kuja.midgar anywhere /* Kuja */ MARK xset 0x30000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun1 dst MARK xset 0x40000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun dst MARK xset 0x30000/0xff0000
MARK all -- anywhere anywhere match-set vpnsvr0 dst MARK xset 0x20000/0xff0000
MARK all -- anywhere anywhere match-set wan dst MARK xset 0x10000/0xff0000
root@jenova:~# uci set vpn-policy-routing.@policy[0].interface=nordvpntun1
root@jenova:~# uci commit
root@jenova:~# uci show vpn-policy-routing.@policy[0]
vpn-policy-routing.cfg036ff5=policy
vpn-policy-routing.cfg036ff5.comment='Kuja'
vpn-policy-routing.cfg036ff5.local_addresses='192.168.1.253'
vpn-policy-routing.cfg036ff5.interface='nordvpntun1'
root@jenova:~# iptables -L VPR_PREROUTING -t mangle
Chain VPR_PREROUTING (1 references)
target prot opt source destination
MARK all -- ps4.midgar anywhere /* PS4 */ MARK xset 0x10000/0xff0000
MARK all -- 192.168.1.0/24 10.1.0.0/28 /* LAN_to_VPN_Clients */ MARK xset 0x20000/0xff0000
MARK all -- 192.168.1.64/26 anywhere /* DHCP_LAN_Clients */ MARK xset 0x10000/0xff0000
MARK all -- samsunght.midgar anywhere /* Samsung_HT */ MARK xset 0x10000/0xff0000
MARK all -- kuja.midgar anywhere /* Kuja */ MARK xset 0x30000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun1 dst MARK xset 0x40000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun dst MARK xset 0x30000/0xff0000
MARK all -- anywhere anywhere match-set vpnsvr0 dst MARK xset 0x20000/0xff0000
MARK all -- anywhere anywhere match-set wan dst MARK xset 0x10000/0xff0000
root@jenova:~#
root@jenova:~# service vpn-policy-routing restart
vpn-policy-routing 0.0.1-17b07 stopped [β]
Creating table 'wan/eth1/<snip>' [β]
Creating table 'vpnsvr0/tunsvr0/10.1.0.1' [β]
Creating table 'nordvpntun/tun0/10.8.8.33' [β]
Creating table 'nordvpntun1/tun1/10.8.8.5' [β]
Routing 'Kuja' via nordvpntun1 [β]
Routing 'Samsung HT' via wan [β]
Routing 'DHCP LAN Clients ' via wan [β]
Routing 'LAN to VPN Clients' via vpnsvr0 [β]
Routing 'PS4' via wan [β]
vpn-policy-routing 0.0.1-17b07 started on wan/eth1/<snip> vpnsvr0/tunsvr0/10.1.0.1 nordvpntun/tun0/10.8.8.33 nordvpntun1/tun1/10.8.8.5 [β]
vpn-policy-routing 0.0.1-17b07 monitoring interfaces: wan vpnsvr0 nordvpntun nordvpntun1 [β]
root@jenova:~# iptables -L VPR_PREROUTING -t mangle
Chain VPR_PREROUTING (1 references)
target prot opt source destination
MARK all -- ps4.midgar anywhere /* PS4 */ MARK xset 0x10000/0xff0000
MARK all -- 192.168.1.0/24 10.1.0.0/28 /* LAN_to_VPN_Clients */ MARK xset 0x20000/0xff0000
MARK all -- 192.168.1.64/26 anywhere /* DHCP_LAN_Clients */ MARK xset 0x10000/0xff0000
MARK all -- samsunght.midgar anywhere /* Samsung_HT */ MARK xset 0x10000/0xff0000
MARK all -- kuja.midgar anywhere /* Kuja */ MARK xset 0x40000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun1 dst MARK xset 0x40000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun dst MARK xset 0x30000/0xff0000
MARK all -- anywhere anywhere match-set vpnsvr0 dst MARK xset 0x20000/0xff0000
MARK all -- anywhere anywhere match-set wan dst MARK xset 0x10000/0xff0000
```
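As an added example (not the poster's or the project's code), here is a small Python check that does by script what the post above does by eye: it parses the `iptables -L VPR_PREROUTING -t mangle` listing, resolves each policy comment's fwmark to the interface whose ipset rule sets the same mark, and reports policies whose live mark disagrees with the interface recorded in UCI. The sample listing and the UCI mapping are constructed from the output above; the listing shows that the chain comment is the UCI comment with spaces replaced by underscores, so the UCI mapping must use that form.

```python
import re

# Constructed sample: the flattened `iptables -L VPR_PREROUTING -t mangle`
# listing from the post (before the service restart), trimmed to the
# rules relevant to the check.
IPTABLES_LISTING = """\
Chain VPR_PREROUTING (1 references)
target prot opt source destination
MARK all -- ps4.midgar anywhere /* PS4 */ MARK xset 0x10000/0xff0000
MARK all -- kuja.midgar anywhere /* Kuja */ MARK xset 0x30000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun1 dst MARK xset 0x40000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun dst MARK xset 0x30000/0xff0000
MARK all -- anywhere anywhere match-set vpnsvr0 dst MARK xset 0x20000/0xff0000
MARK all -- anywhere anywhere match-set wan dst MARK xset 0x10000/0xff0000
"""

# Constructed sample: what `uci show vpn-policy-routing` reported after the
# commit, keyed by policy comment (spaces as underscores, as in the chain).
UCI_POLICIES = {"Kuja": "nordvpntun1", "PS4": "wan"}

# A policy rule carries its comment in /* ... */ and sets a fwmark.
POLICY_RE = re.compile(r"/\* (?P<name>[^*]+?) \*/ MARK xset (?P<mark>0x[0-9a-f]+)/")
# The per-interface ipset rule is named after the interface and sets that
# interface's fwmark, so it tells us which mark means which interface.
IPSET_RE = re.compile(r"match-set (?P<iface>\S+) dst MARK xset (?P<mark>0x[0-9a-f]+)/")

def parse_listing(listing):
    """Return (policy comment -> mark, mark -> interface) from the chain listing."""
    policy_marks, mark_iface = {}, {}
    for line in listing.splitlines():
        m = IPSET_RE.search(line)
        if m:
            mark_iface[int(m["mark"], 16)] = m["iface"]
            continue
        m = POLICY_RE.search(line)
        if m:
            policy_marks[m["name"]] = int(m["mark"], 16)
    return policy_marks, mark_iface

def live_interfaces(listing):
    """Map each policy comment to the interface its live fwmark actually selects."""
    policy_marks, mark_iface = parse_listing(listing)
    return {name: mark_iface.get(mark) for name, mark in policy_marks.items()}

def find_drift(listing, uci_policies):
    """Policies whose live fwmark routes via a different interface than UCI says.
    Returns {comment: (uci_interface, live_interface)}; empty means in sync."""
    live = live_interfaces(listing)
    return {name: (uci_iface, live.get(name))
            for name, uci_iface in uci_policies.items()
            if live.get(name) != uci_iface}
```

Run against the sample, `find_drift` reports that `Kuja` is committed as `nordvpntun1` but still marked for `nordvpntun`, which is exactly the state the post shows before the restart.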
I've fixed a bug with using ucitrack (for reloading on changes done in WebUI) and added a trigger to reload the service on the uci commit changes in 0.0.1-18. Having said that, I don't think that there's a working mechanism in OpenWrt to reload the service on the uci commit -- even with that trigger you need to call another command (like reload_config or some such).
Hi @stangri, any thoughts on how to combine firewall port forwarding with the VPN policy routing? If a port is forwarded from the vpn provider to the tun0 device, I cannot seem to find a way to route an external request from tun0 to the serving lan IP and get the response to go back out via the tunnel.
Thanks for any advice. I have been at this for about a week and have gotten as far as the request making its way to the lan IP, but the response makes its way through netfilter and with tcpdump, I watch it go out the wan interface even though the src ip of the packet belongs to tun0.
I should note that the port numbers need translation as well: the external tun0 port is 8080 and the internal port on the LAN is 80.
Could you provide a clean link to the source code, please?
Your website states:
> SDK
> The packages are in various branches at my packages source and my luci source repositories. Check out the code you want and add it to your SDK by adding src-link to feeds.conf (OpenWrt 15.05.1) or feeds.conf.default (LEDE Project and OpenWrt 18.xx or later).
However the links to your github forks of the luci and package feeds do not seem to contain vpn-policy-routing at the moment.
I have the policy-based routing working, but if I kill the VPN the device that I have under the policy instantly switches over to my WAN connection. I have strict enforcement on. I used https://pastebin.com/SUPRRs9D commands to set up the VPN originally. Any ideas?
```
config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '0'
option ipset_enabled '1'
option dnsmasq_enabled '0'
option enabled '1'
option strict_enforcement '1'
config policy
option interface 'pia'
option comment 'DELUGE'
option local_addresses '192.168.1.201'
```

```
Creating table 'wan/eth1.2/192.168.0.1' [β]
Creating table 'pia/ovpnc0/10.42.10.5' [β]
Routing 'DELUGE' via pia [β]
vpn-policy-routing 0.0.1-18 started on wan/eth1.2/192.168.0.1 pia/ovpnc0/10.42.10.5 [β]
vpn-policy-routing 0.0.1-18 monitoring interfaces: wan pia [β]
```
```
vpn-policy-routing 0.0.1-18 running on Lede SNAPSHOT. WAN (IPv4): wan/dev/192.168.0.1. WAN (IPv6): wan/dev6/fe80::/64.
============================================================
Dnsmasq version 2.79rc1 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth1.2
32730: from all fwmark 0x20000 lookup 202
32731: from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via 192.168.0.1 dev eth1.2
IPv4 Table 202: default via 10.42.10.5 dev ovpnc0
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.201/32 -m comment --comment DELUGE -c 9 1188 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set pia dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create pia hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
```
Hi @stangri, this is an excellent module, and easy to use for a newbie like me.
I have a question regarding policy routing with local ports, which I can't seem to get working. I am looking to set up my utorrent so that anything in a given port range goes through the VPN. I have successfully tested the policy route with an IP address, but I'm not able to with a local port. Is there something wrong with my settings?
Has anyone been able to redirect to different DNS servers based on the routing? I.e. one DNS server for traffic that will be routed over the VPN and another for the WAN.
I don't think the VPN was stopped when I ran the command. If I uncheck 'Enabled' under OpenVPN and hit stop, the VPN connection still starts right back up.
I don't know what the difference is between gateway and interface in the policy settings. The examples in the README use gateway. For me it doesn't work; changing gateway to interface works.