VPN Policy-Based Routing + Web UI -- Discussion

Sorry, I keep missing a post here or there and only come to find them again a week or so later.

Please confirm that you're clicking "SAVE & APPLY" when you finish making changes in Web UI and that still doesn't result in the service being reloaded with the new changes taking effect?

Hi @stangri, apologies, should have tagged you in the post.

I meant to reply sooner, I also found the same situation when using uci so it's not specific to using the GUI. I've also just updated vpn-policy-routing and luci-app-vpn-policy-routing with the same results.

Please see below output, hopefully shows what I'm experiencing. Steps are:
- Show commands for uci config and iptables being in line
- uci update and commit
- Show commands for updated uci config, but iptables has not updated
- Restarting the service, then another show of iptables being updated correctly

root@jenova:~# uci show vpn-policy-routing.@policy[0]
vpn-policy-routing.cfg036ff5=policy
vpn-policy-routing.cfg036ff5.comment='Kuja'
vpn-policy-routing.cfg036ff5.local_addresses='192.168.1.253'
vpn-policy-routing.cfg036ff5.interface='nordvpntun'
root@jenova:~# iptables -L VPR_PREROUTING -t mangle
Chain VPR_PREROUTING (1 references)
target     prot opt source               destination
MARK       all  --  ps4.midgar           anywhere             /* PS4 */ MARK xset 0x10000/0xff0000
MARK       all  --  192.168.1.0/24       10.1.0.0/28          /* LAN_to_VPN_Clients */ MARK xset 0x20000/0xff0000
MARK       all  --  192.168.1.64/26      anywhere             /* DHCP_LAN_Clients */ MARK xset 0x10000/0xff0000
MARK       all  --  samsunght.midgar     anywhere             /* Samsung_HT */ MARK xset 0x10000/0xff0000
MARK       all  --  kuja.midgar          anywhere             /* Kuja */ MARK xset 0x30000/0xff0000
MARK       all  --  anywhere             anywhere             match-set nordvpntun1 dst MARK xset 0x40000/0xff0000
MARK       all  --  anywhere             anywhere             match-set nordvpntun dst MARK xset 0x30000/0xff0000
MARK       all  --  anywhere             anywhere             match-set vpnsvr0 dst MARK xset 0x20000/0xff0000
MARK       all  --  anywhere             anywhere             match-set wan dst MARK xset 0x10000/0xff0000
root@jenova:~# uci set vpn-policy-routing.@policy[0].interface=nordvpntun1
root@jenova:~# uci commit
root@jenova:~# uci show vpn-policy-routing.@policy[0]
vpn-policy-routing.cfg036ff5=policy
vpn-policy-routing.cfg036ff5.comment='Kuja'
vpn-policy-routing.cfg036ff5.local_addresses='192.168.1.253'
vpn-policy-routing.cfg036ff5.interface='nordvpntun1'
root@jenova:~# iptables -L VPR_PREROUTING -t mangle
Chain VPR_PREROUTING (1 references)
target     prot opt source               destination
MARK       all  --  ps4.midgar           anywhere             /* PS4 */ MARK xset 0x10000/0xff0000
MARK       all  --  192.168.1.0/24       10.1.0.0/28          /* LAN_to_VPN_Clients */ MARK xset 0x20000/0xff0000
MARK       all  --  192.168.1.64/26      anywhere             /* DHCP_LAN_Clients */ MARK xset 0x10000/0xff0000
MARK       all  --  samsunght.midgar     anywhere             /* Samsung_HT */ MARK xset 0x10000/0xff0000
MARK       all  --  kuja.midgar          anywhere             /* Kuja */ MARK xset 0x30000/0xff0000
MARK       all  --  anywhere             anywhere             match-set nordvpntun1 dst MARK xset 0x40000/0xff0000
MARK       all  --  anywhere             anywhere             match-set nordvpntun dst MARK xset 0x30000/0xff0000
MARK       all  --  anywhere             anywhere             match-set vpnsvr0 dst MARK xset 0x20000/0xff0000
MARK       all  --  anywhere             anywhere             match-set wan dst MARK xset 0x10000/0xff0000
root@jenova:~#
root@jenova:~# service vpn-policy-routing restart
vpn-policy-routing 0.0.1-17b07 stopped [✓]
Creating table 'wan/eth1/<snip>' [✓]
Creating table 'vpnsvr0/tunsvr0/10.1.0.1' [✓]
Creating table 'nordvpntun/tun0/10.8.8.33' [✓]
Creating table 'nordvpntun1/tun1/10.8.8.5' [✓]
Routing 'Kuja' via nordvpntun1 [✓]
Routing 'Samsung HT' via wan [✓]
Routing 'DHCP LAN Clients ' via wan [✓]
Routing 'LAN to VPN Clients' via vpnsvr0 [✓]
Routing 'PS4' via wan [✓]
vpn-policy-routing 0.0.1-17b07 started on wan/eth1/<snip> vpnsvr0/tunsvr0/10.1.0.1 nordvpntun/tun0/10.8.8.33 nordvpntun1/tun1/10.8.8.5 [✓]
vpn-policy-routing 0.0.1-17b07 monitoring interfaces: wan vpnsvr0 nordvpntun nordvpntun1 [✓]
root@jenova:~# iptables -L VPR_PREROUTING -t mangle
Chain VPR_PREROUTING (1 references)
target     prot opt source               destination
MARK       all  --  ps4.midgar           anywhere             /* PS4 */ MARK xset 0x10000/0xff0000
MARK       all  --  192.168.1.0/24       10.1.0.0/28          /* LAN_to_VPN_Clients */ MARK xset 0x20000/0xff0000
MARK       all  --  192.168.1.64/26      anywhere             /* DHCP_LAN_Clients */ MARK xset 0x10000/0xff0000
MARK       all  --  samsunght.midgar     anywhere             /* Samsung_HT */ MARK xset 0x10000/0xff0000
MARK       all  --  kuja.midgar          anywhere             /* Kuja */ MARK xset 0x40000/0xff0000
MARK       all  --  anywhere             anywhere             match-set nordvpntun1 dst MARK xset 0x40000/0xff0000
MARK       all  --  anywhere             anywhere             match-set nordvpntun dst MARK xset 0x30000/0xff0000
MARK       all  --  anywhere             anywhere             match-set vpnsvr0 dst MARK xset 0x20000/0xff0000
MARK       all  --  anywhere             anywhere             match-set wan dst MARK xset 0x10000/0xff0000

I've fixed a bug with using ucitrack (for reloading on changes done in WebUI) and added a trigger to reload the service on the uci commit changes in 0.0.1-18. Having said that, I don't think that there's a working mechanism in OpenWrt to reload the service on the uci commit -- even with that trigger you need to call another command (like reload_config or some such).

Hi @stangri, any thoughts on how to combine firewall port forwarding with the VPN policy routing? If a port is forwarded from the VPN provider to the tun0 device, I cannot seem to find a way to route an external request from tun0 to the serving LAN IP and get the response to go back out via the tunnel.

Thanks for any advice. I have been at this for about a week and have gotten as far as the request making its way to the LAN IP, but the response makes its way through netfilter and, with tcpdump, I watch it go out the WAN interface even though the src IP of the packet belongs to tun0.

I should note that the port numbers need translation as well: the external tun0 port is 8080 and the internal port on the LAN is 80.

Could you provide a clean link to the source code, please?

Your website states:

SDK
The packages are in various branches at my packages source and my luci source repositories. Check out the code you want and add it to your SDK by adding src-link to feeds.conf (OpenWrt 15.05.1) or feeds.conf.default (LEDE Project and OpenWrt 18.xx or later).

However the links to your github forks of the luci and package feeds do not seem to contain vpn-policy-routing at the moment.

https://github.com/stangri/openwrt-luci
https://github.com/stangri/openwrt-packages/

Since I use the VPN policy-based routing app, I want to link my problem here... maybe someone here can help.

I found this: https://openwrt.org/docs/user-guide/services/openvpnserverandclient
It looked promising but didn't help 🙁

I have the policy-based routing working, but if I kill the VPN, the device that I have under the policy instantly switches over to my WAN connection. I have strict enforcement on. I used the https://pastebin.com/SUPRRs9D commands to set up the VPN originally. Any ideas?

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option ipset_enabled '1'
        option dnsmasq_enabled '0'
        option enabled '1'
        option strict_enforcement '1'

config policy
        option interface 'pia'
        option comment 'DELUGE'
        option local_addresses '192.168.1.201'


Creating table 'wan/eth1.2/192.168.0.1' [✓]
Creating table 'pia/ovpnc0/10.42.10.5' [✓]
Routing 'DELUGE' via pia [✓]
vpn-policy-routing 0.0.1-18 started on wan/eth1.2/192.168.0.1 pia/ovpnc0/10.42.10.5 [✓]
vpn-policy-routing 0.0.1-18 monitoring interfaces: wan pia [✓]

vpn-policy-routing 0.0.1-18 running on Lede SNAPSHOT. WAN (IPv4): wan/dev/192.168.0.1. WAN (IPv6): wan/dev6/fe80::/64.
============================================================
Dnsmasq version 2.79rc1  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1.2
32730:  from all fwmark 0x20000 lookup 202
32731:  from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via 192.168.0.1 dev eth1.2
IPv4 Table 202: default via 10.42.10.5 dev ovpnc0
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.201/32 -m comment --comment DELUGE -c 9 1188 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set pia dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create pia hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================

Hi @stangri, this is an excellent module, and easy to use for a newbie like me 🙂

I have a question regarding policy routing with local ports which I can't seem to get working... I am looking to set up my uTorrent so that anything in a given port range goes through the VPN. I have successfully tested the policy route with an IP address, but I'm not able to with a local port. Is there something wrong with my settings?

Thanks for your help!
D


/etc/config/vpn-policy-routing


config policy
	option comment 'uTorrent'
	option local_ports '12100'
	option interface 'vpn_hk'

config policy
	option comment 'uTorrTmp'
	option local_addresses '10.0.0.82/32'
	option interface 'vpn_hk'

config policy
	option comment 'local'
	option local_addresses '10.0.0.1/24'
	option interface 'wan'

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option strict_enforcement '1'
	option enabled '1'
	option dnsmasq_enabled '1'

/etc/init.d/vpn-policy-routing support


root@______:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.0.1-18 running on LEDE 17.01.4. WAN (IPv4): wan/dev/219.78.212.254. WAN (IPv6): wan/dev6/fe80::/64.
============================================================
Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default         10.8.8.1        128.0.0.0       UG    0      0        0 tun0
default         n219078212254.n 0.0.0.0         UG    0      0        0 eth1
32762:  from all fwmark 0x20000 lookup 202
32763:  from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via 219.78.xxx.xxx dev eth1
IPv4 Table 202: default via 10.8.8.1 dev tun0
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.0.0.0/24 -m comment --comment local -c 91686 11097244 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 10.0.0.82/32 -m comment --comment uTorrTmp -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -p tcp -m multiport --sports 12100 -m comment --comment uTorrent -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set vpn_hk dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create vpn_hk hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'.

Is there something wrong with the repo? I can't seem to update it.

Has anyone been able to redirect to different DNS servers based on the routing? i.e. One DNS server for traffic that will be routed over VPN and another for WAN

Can you please post the output of status command with the VPN device killed?

Not sure if the uTorrent uses a single static port. Maybe that's why it's not working. Otherwise I'm sorry, I have no idea.

Is there an error?

I wonder how all these "smart DNS" providers do that. If I had a clue, I might be able to implement it.

I tend to only push the source when I'm ready to send a PR, so it will likely not contain the newest version, nor is it recommended for use until the package is accepted into the official repo, but here you go: https://github.com/stangri/openwrt-packages/tree/vpn-policy-routing/net/vpn-policy-routing

In essence -- just use the vpn-policy-routing branch of my openwrt-packages.

> root@OpenWrt:~# /etc/init.d/vpn-policy-routing status
> vpn-policy-routing 0.0.1-18 running on Lede SNAPSHOT. WAN (IPv4): wan/dev/192.168.0.1. WAN (IPv6): wan/dev6/fe80::/64.
> ============================================================
> Dnsmasq version 2.79rc1  Copyright (c) 2000-2018 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify
> ============================================================
> Routes/IP Rules
> default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1.2
> 32729:  from all fwmark 0x10000 lookup 201
> 32730:  from all fwmark 0x20000 lookup 202
> IPv4 Table 201: default via 192.168.0.1 dev eth1.2
> IPv4 Table 202:
> ============================================================
> IP Tables PREROUTING
> -N VPR_PREROUTING
> -A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
> ============================================================
> Current ipsets
> create wan hash:net family inet hashsize 1024 maxelem 65536 comment
> create pia hash:net family inet hashsize 1024 maxelem 65536 comment
> ============================================================
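The killed-VPN status above shows the failure mode behind the "switches over to WAN" complaint: the `fwmark 0x20000 lookup 202` rule is still present, but table 202 is empty and the DELUGE/pia MARK rules are gone, so that host's traffic is routed by the main table. As an added diagnostic (not code from vpn-policy-routing or from any post in this thread), the Python below cross-checks the three parts of a `status` dump, the ip rules, the per-table default routes and the `VPR_PREROUTING` MARK rules, and reports every policy whose traffic would fall through to the main table. The sample inputs are constructed by trimming the two status outputs quoted in this thread; marks and table numbers are the ones shown there.

```python
import re
# Constructed samples trimmed from the two status outputs quoted in this thread:
# VPN up (table 202 has a default route) and VPN killed (table 202 empty, pia rules gone).
STATUS_UP = """\
32730:  from all fwmark 0x20000 lookup 202
32731:  from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via 192.168.0.1 dev eth1.2
IPv4 Table 202: default via 10.42.10.5 dev ovpnc0
-A VPR_PREROUTING -s 192.168.1.201/32 -m comment --comment DELUGE -c 9 1188 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
"""
STATUS_VPN_DOWN = """\
32729:  from all fwmark 0x10000 lookup 201
32730:  from all fwmark 0x20000 lookup 202
IPv4 Table 201: default via 192.168.0.1 dev eth1.2
IPv4 Table 202:
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
"""

RULE_RE = re.compile(r"^\s*\d+:\s+from all fwmark (0x[0-9a-f]+) lookup (\d+)")
TABLE_RE = re.compile(r"^IPv4 Table (\d+):\s*(.*)$")
MARK_RE = re.compile(r"^-A VPR_PREROUTING (.*?) -j MARK --set-xmark (0x[0-9a-f]+)/")

def parse_status(text):
    """Return (fwmark -> table, table -> default route or "", fwmark -> matches setting it)."""
    rules, tables, marked = {}, {}, {}
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            rules[int(m[1], 16)] = int(m[2])
        elif m := TABLE_RE.match(line):
            tables[int(m[1])] = m[2].strip()
        elif m := MARK_RE.match(line):
            marked.setdefault(int(m[2], 16), []).append(m[1])
    return rules, tables, marked

def leaks(rules, tables, marked):
    """Findings where policy traffic would fall through to the main table, i.e. the WAN default."""
    out = []
    for mark, matches in marked.items():
        table = rules.get(mark)
        if table is None:
            out.append(f"mark {mark:#x} is set by {matches} but no ip rule selects a table for it")
        elif not tables.get(table):
            # The kernel skips an empty table and continues with the next rule, so marked
            # traffic lands in the main table unless an unreachable route blocks it.
            out.append(f"mark {mark:#x} -> table {table} is empty; marked traffic falls back to main")
    for mark, table in rules.items():
        if mark not in marked:
            out.append(f"table {table} (fwmark {mark:#x}) has no VPR_PREROUTING rule setting it; "
                       "its policies are not applied and that traffic uses the main table")
    return out
```

Run it against the output of `/etc/init.d/vpn-policy-routing status` with the tunnel up and again with it down; a clean run returns an empty list, and any finding names the table whose policies are currently being served by the main (WAN) route.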

That's not normal, with the VPN down, can you please post the output of:

dev=tun0
gw4="$(ip -4 route | grep -m1 ${dev} | awk '{print $3}')"; echo "$gw4";
gw4=$(ifconfig "$dev" 2>/dev/null | grep 'inet addr:' | grep 'P-t-P' | awk '{print $3}' | awk -F ":" '{print $2}'); echo "$gw4";

Are l2tp tunnels supported?

Tunnels are made by xl2tpd by specifying proto 'l2tp' in /etc/config/network.

Awesome, thanks. Any idea on when the package will be accepted into the official OpenWrt repo?

Do you also have the source of the luci package somewhere?

Please upgrade to vpn-policy-routing 0.0.1-18b01, test and let me know. Luci app version 17 should also support L2TP.

The only roadblock is user testing of whether it works with IPv6.

Check the openwrt-luci repo on my github and use the vpn-policy-routing branch.


I don't think the VPN was stopped when I ran the command. If I uncheck 'Enabled' under OpenVPN and hit stop, the VPN connection still starts right back up.

Thanks @stangri, I will try another solution 🙂
Great program, thanks for making life easier for us average folk 😀

0.0.1-18b01 works with L2TP.

I don't know what the difference is between gateway and interface in the policy settings. The examples in the README use gateway. For me it doesn't work; changing gateway to interface works.