VPN Policy-Based Routing + Web UI -- Discussion

I wonder if my modem/0.0.0.0 problem is also related to the latest version...

I've managed to get it working - I needed to set rp_filter = 0 in my sysctl.conf.
It works a treat now, thanks!

Hello,

I installed this following the information on the README, including adding an external repo (OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152)). I get errors when it's trying to set the mangle:

root@hephaestus:~# /etc/init.d/vpn-policy-routing reload
Creating table 'wan/62.72.136.165' sh:  : out of range
[✓]
Creating table 'wan6/0.0.0.0' [✓]
Creating table 'wg0/10.1.0.2' [✓]
Routing 'Wireguard' via wg0 [✗]
vpn-policy-routing 0.0.2-26 started on wan/62.72.136.165 wan6/0.0.0.0 wg0/10.1.0.2 with errors [✗]
ERROR: ipt -t mangle -I VPR_PREROUTING 1 -j MARK --set-xmark 0x030000/0xff0000 -s 10.1.2.0/24  -p tcp -m multiport --sport 0:65535 -d 0.0.0.0/0  -p tcp -m multiport --dport 0:65535 -m comment --comment Wireguard                                                              

vpn-policy-routing 0.0.2-26 monitoring interfaces: wan wan6 wg0 [✓]

I've tried running that command on its own, and the command ipt is not found. Is there another package or another version of a package I need to install that isn't listed on the README? I mean I guess it's just an alias to iptables, but you never know.

I figured out that PBR reports 0.0.0.0 for my modem because I haven't set a default gateway at the modem interface in OpenWrt. But if I set the modem IP as gateway my router is trying to use this IP to connect to the internet, so my whole internet connection does not work anymore.
I do want to have "Strict enforcement" enabled but at the same time I need access to my modem to monitor my VDSL connection.
Any idea on how to fix this problem?

Yes, the 0.0.0.0 was being detected as invalid gateway in some of the newer versions only. Please try the vpn-policy-routing 0.0.2-27 where this code was regressed.

The repo is actually a GitHub repo, you can roll back to previous commits. I've made it easier yesterday by including the packages and the versions in the commit's comment.

Sorry, what is this the solution for?

Yes, you can do alias ipt=iptables. The error is that multiple -p flags are not allowed. Can you post the policy which resulted in this?

Actually, could you please post complete VPR config? I'd like to get rid of Creating table 'wan/62.72.136.165' sh: : out of range as well.

@stangri
Thanks for your reply... I was using vpn-policy-routing 0.0.2-26 but I just did an upgrade to 0.0.2-27 and rebooted my router.
Sadly I'm still getting timeouts when trying to access my modem with Strict enforcement enabled. :confused:

Here is my current config:

config policy
	option name 'MODEM_ACCESS'
	option interface 'modem'
	option local_addresses '192.168.1.1/24'
	option remote_addresses '192.168.252.254'

config policy
	option name 'VPN_TEST'
	option local_addresses '192.168.1.230/32'
	option interface 'vpn0'

config vpn-policy-routing 'config'
	option verbosity '2'
	option dnsmasq_enabled '1'
	list supported_interface 'modem'
	option enabled '1'
	option ipv6_enabled '0'
	option strict_enforcement '1'

Do you have any idea what's wrong with my setup?
I would really like to use "Strict enforcement" and still be able to access my VDSL modem to monitor my linestats.

edit: is there a way to tell VPR that my modem gateway is not/never down?

I am using a Turris Omnia router. After updating to

vpn-policy-routing 0.0.2-27

VPN PBR doesn't work anymore, it's deactivated in the luci status and can't be activated.

Here's the log:

2018-09-06 22:37:32 notice vpn-policy-routing[]: Reloading vpn-policy-routing due to ifup of wan6 (eth1)
2018-09-06 22:37:32 notice netifd[]: Interface 'VPN_Client' is enabled
2018-09-06 22:37:32 notice netifd[]: Network device 'tun0' link is up
2018-09-06 22:37:32 notice netifd[]: Interface 'VPN_Client' has link connectivity
2018-09-06 22:37:32 notice netifd[]: Interface 'VPN_Client' is setting up now
2018-09-06 22:37:32 notice netifd[]: Interface 'VPN_Client' is now up
2018-09-06 22:37:32 err modprobe[]: xt_set is already loaded
2018-09-06 22:37:32 err modprobe[]: ip_set is already loaded
2018-09-06 22:37:32 err modprobe[]: ip_set_hash_ip is already loaded
2018-09-06 22:37:32 notice [3995]: ERROR: service failed to load kernel modules!
2018-09-06 22:37:32 notice [3995]: service monitoring interfaces: wan VPN_Client [✓]
2018-09-06 22:37:32 notice firewall[]: Reloading firewall due to ifup of VPN_Client (tun0)

When I rollback to 0.0.2-26 everything works again. So I'll stick with this version for now.

So the ipt 'command not found' isn't something to worry about? It's the other error that's the problem?

Here's the whole VPR config:

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option dnsmasq_enabled '0'
        option strict_enforcement '0'
        option enabled '1'
        option iprule_enabled '1'
        list wan_dscp ''
        list wan_dscp ''

config policy
        option name 'Wireguard'
        option local_ports '0-65535'
        option remote_addresses '0.0.0.0/0'
        option remote_ports '0-65535'
        option interface 'wg0'
        option local_addresses '10.1.2.0/24'

All I'm trying to do is route all traffic through the wg0 interface. It's all I want to do with it heh. I'm sure there's a more elegant way to do that without involving VPR, something like https://www.wireguard.com/netns/ but I can't see how to do it automagically on wg0 up/down.

@stangri
I checked the github repo by clicking on the history box from the master branch. It shows a commit made on Aug 14, 2018, a955fd3, which shows the PKG_RELEASE changing from 22 to 23. The next previous commit shown is from Jul 11, 2018, 6445d5f, which shows the PKG_RELEASE changing from 6 to 10. Am I looking in the wrong place?

I seem to be having multiple issues since upgrading to 18.06.01 and I am trying to downgrade back to 17.01.04 and Pkg_Release 0.24, until I have time to investigate what is going on.

Thanks

Updating to 0.0.2-28 seems to have solved the problem with TOS routers. Working again.


I've just updated to 0.0.2-28 but sadly it doesn't fix my modem access problem when strict enforcement is enabled...

Trying to set up Windscribe for my guest network and excluding my LAN network. But I get the following error.

root@FW01:/etc/config# service vpn-policy-routing restart
vpn-policy-routing 0.0.2-28 stopped [✓]
Creating table 'wan/external_ip' [✗]
Creating table 'windscribe_vpn/0.0.0.0' [✗]
Routing 'LAN' via wan [✓]
Routing 'Guests' via windscribe_vpn [✓]
ERROR: vpn-policy-routing 0.0.2-28 failed to set up any interface!
vpn-policy-routing 0.0.2-28 monitoring interfaces: wan windscribe_vpn [✓]

root@FW01:/etc/config# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.0.2-28 running on OpenWrt SNAPSHOT. WAN (IPv4): wan/dev/external_ip.
============================================================
Dnsmasq version 2.80test3  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         5ed06a01.cm-7-1 0.0.0.0         UG    0      0        0 eth0.2
IPv4 Table 201: default via external_ip dev eth0.2
IPv4 Table 201 Rules:
32759:  from all fwmark 0x10000 lookup 201
IPv4 Table 202: unreachable default
IPv4 Table 202 Rules:
32758:  from all fwmark 0x20000 lookup 202
ipset v6.34: Cannot open session to kernel.
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.80.10.0/24 -m comment --comment Guests -c 12 756 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -s 10.10.0.0/24 -m comment --comment LAN -c 1584 150748 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

Thanks in advance.

Is there anyone who can help me with my modem access problem? I've also opened an issue at GitHub but no response yet...

Hi to all, just discovered and installed this package, looks very promising but I am getting some errors.

root@OpenWrt:~#  /etc/init.d/vpn-policy-routing reload 
Creating table 'lan/0.0.0.0' [✓]
Creating table 'nordvpntun/10.7.7.1' [✓]
Routing 'out' via wan [✗]
vpn-policy-routing 0.0.2-28 started on (strict mode): lan/0.0.0.0 nordvpntun/10.7.7.1 with errors [✗]
ERROR: policy 'out' has an unknown interface: wan!
vpn-policy-routing 0.0.2-28 monitoring interfaces: lan nordvpntun [✓]
root@OpenWrt:~# cat  /etc/config/vpn-policy-routing 

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option ipset_enabled '1'
	option dnsmasq_enabled '0'
	option strict_enforcement '1'
	option enabled '1'

config policy
	option local_addresses '192.168.144.214'
	option name 'out'
	option remote_addresses 'nordvpn.com'
	option interface 'wan'
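Added example (my own script, not code from the thread or from the vpn-policy-routing project): a small linter for the UCI config format posted above that flags the two misconfigurations this thread runs into, a policy whose interface VPR does not know (the "unknown interface: wan" error) and a policy that sets both local_ports and remote_ports (the 0.0.2-26 rule quoted earlier carries a separate -p tcp for each port match, which iptables rejects as multiple -p flags). It assumes the caller passes the interface names VPR would otherwise discover from netifd as known_interfaces, since the script cannot query the router itself.

```python
import re

# Constructed sample (not the thread's exact config), modelled on the policies
# posted above: one with both port options, one pointing at an unlisted interface.
SAMPLE = """config vpn-policy-routing 'config'
	list supported_interface 'wg0'
config policy
	option name 'Wireguard'
	option local_ports '0-65535'
	option remote_ports '0-65535'
	option interface 'wg0'
config policy
	option name 'out'
	option interface 'wan'
"""

def parse_uci(text):
    """Parse UCI text into (type, name, options) tuples; 'list' keys become lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line):
            sections.append((m.group(1), m.group(2), {}))
        elif (m := re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)) and sections:
            kind, key, val = m.groups()
            opts = sections[-1][2]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def lint(text, known_interfaces):
    """Flag a policy interface VPR will not know, and local+remote ports in one policy."""
    sections = parse_uci(text)
    allowed = set(known_interfaces)  # assumed: interfaces VPR learns from netifd
    for typ, _, opts in sections:
        if typ == "vpn-policy-routing":
            allowed |= set(opts.get("supported_interface", []))
    warnings = []
    for typ, _, opts in sections:
        if typ != "policy":
            continue
        name, iface = opts.get("name", "<unnamed>"), opts.get("interface")
        if iface and iface not in allowed:
            warnings.append(f"policy '{name}' has an unknown interface: {iface}")
        if "local_ports" in opts and "remote_ports" in opts:
            warnings.append(f"policy '{name}' sets both local_ports and remote_ports")
    return warnings
```

Run lint() against /etc/config/vpn-policy-routing before reloading the service; the warning text mirrors the service's own "unknown interface" message so the two are easy to correlate.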

@lepidas It looks like wan is explicitly set in "Supported Interfaces" in Advanced Configuration. Try removing that.

I managed to make it work by adding "wan" in Supported interfaces in Advanced conf. Thank you :slight_smile: what a great tool this is.

Possibly you can make it work using the new append_remote_rules setting, excluding the modem's IP address with it. Scroll up in this thread for examples.

I had the same issue as yourself, and thankfully I was able to gain access to my bridged modem because of your posts. :slight_smile: I then encountered the same problems when using strict policy enforcement.
A way around this for me was to disable strict enforcement in VPR and add a firewall rule to my firewall config that prevents forwarding for my VPN clients (they have a specific IP range) to the WAN interface.
That way I can prevent them from accessing the internet if the VPN interface is down.

/etc/init.d/firewall

config rule
	option dest 'wan'
	option name 'drop noVPN'
	option src '*'
	# my VPN clients, IPs 32-64
	option src_ip '192.168.178.32/27'
	option target 'DROP'

That seems to work alright, even though it is not the most elegant solution.


Thanks for you help.
I've tried:

config vpn-policy-routing 'config'
	option verbosity '2'
	list supported_interface 'modem'
	option ipv6_enabled '0'
	option strict_enforcement '1'
	option dnsmasq_enabled '1'
	option enabled '1'
	option append_remote_rules '! -s 192.168.254.0/24'

And it seems to work but I get Service started with error(s)...
The most weird thing is that I removed the modem interface and the modem access rule, rebooted the router and now I'm able to access my modem just fine and there is no VPR service error. I'm very confused... :confused:
Any idea why it's working now, even without the modem interface in the config?

Current config:

config policy
	option local_addresses '192.168.1.141'
	option interface 'vpn0'
	option name 'VPN_TEST'

config policy
	option name 'WEBSITE_TEST'
	option local_addresses '192.168.1.230'
	option interface 'vpn0'
	option remote_addresses 'ipinfo.io'

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option strict_enforcement '1'
	option dnsmasq_enabled '1'
	option enabled '1'

@coldtech
Thanks for sharing your solution!! <3
I just need a simple killswitch solution and thought "strict enforcement" with VPR will do the job...

Hey stangri

This addon makes my life so easy :slight_smile: I hope you have some advice for a wrinkle though.

Currently I use DSCP tagging to direct my torrent client traffic out the VPN tunnel.
I'm going to be away from home with a lot of time on my hands, and so I've set up incoming VPN access for myself. That all works great, except for the fact that I can't access my torrent server UI, because (I guess) it's forced out the other vpn tunnel.

What I did was set up a specific rule to force traffic destined for my client IP 192.168.200.2 into the server tunnel. This did not seem to work, but I admit I didn't play around with it much because I didn't know if it was supposed to work.

Do you have any ideas how I might go about doing this?
Thanks