VPN Policy-Based Routing + Web UI -- Discussion

@Kherby Yes I know that you want it working inside VPR, that's what I'd like to have too.
But just in case you missed my point: you can just leave the firewall rule there that I added, no need to remove it or anything. If VPR works the firewall rule will do nothing. If VPR fails to route the VPN traffic of certain clients through the VPN interface, the clients will not be able to have internet through the WAN interface.

But of course you need fixed IP addresses for the VPN clients then - either set them as static on the clients or have fixed IPs for those clients in the DHCP server.

1 Like

I'm now using your suggested Firewall rule with strict enforcement disabled and it's working very well!

config rule
	option name 'Killswitch'
	option src '*'
	option target 'DROP'
	option src_ip '192.168.1.141'
	option proto 'all'
	option dest 'wan'

Thanks again! :slight_smile:

1 Like
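
The killswitch above only helps if every client that a VPR policy sends through the VPN also has a matching DROP rule, and if the VPN interface lives in a zone other than `wan` (a `dest 'wan'` rule matches forwarding into any interface of that zone, so a tun0 placed in `wan` would be dropped as well). The following shell script is an added example, not something from this thread or from the vpn-policy-routing package: it reads both UCI files in the text layout pasted here and lists VPN-routed clients that have no killswitch rule. It assumes one `src_ip` per firewall rule and space-separated `local_addresses` in policies; the sample configs it writes are constructed for the dry run.

```shell
#!/bin/sh
# Added example: cross-check VPR policies against killswitch firewall rules.
# Assumes the UCI text layout seen in this thread; all paths are arguments.

# Print every address listed in local_addresses of policies whose
# interface is $2 (e.g. vpnclient), one per line, deduplicated.
vpr_clients_via() {  # $1 = vpn-policy-routing config, $2 = interface name
    awk -v want="$2" -v q="'" '
        function flush() {
            if (inpolicy && iface == want && addrs != "") print addrs
            inpolicy = 0; iface = ""; addrs = ""
        }
        $1 == "config" { flush(); inpolicy = ($2 == "policy") }
        inpolicy && $1 == "option" && $2 == "interface" { gsub(q, "", $3); iface = $3 }
        inpolicy && $1 == "option" && $2 == "local_addresses" {
            $1 = ""; $2 = ""; gsub(q, "", $0); sub(/^ +/, "", $0); addrs = $0
        }
        END { flush() }
    ' "$1" | tr ' ' '\n' | grep -v '^$' | sort -u
}

# Print src_ip of every firewall rule that DROPs forwarding to the wan zone.
killswitch_ips() {  # $1 = firewall config
    awk -v q="'" '
        function flush() {
            if (target == "DROP" && dest == "wan" && src != "") print src
            target = ""; dest = ""; src = ""
        }
        $1 == "config" { flush() }
        $1 == "option" && $2 == "target" { gsub(q, "", $3); target = $3 }
        $1 == "option" && $2 == "dest"   { gsub(q, "", $3); dest = $3 }
        $1 == "option" && $2 == "src_ip" { gsub(q, "", $3); src = $3 }
        END { flush() }
    ' "$1" | sort -u
}

# Print VPN-routed clients without a killswitch rule; return 1 if any exist.
unprotected_clients() {  # $1 = VPR config, $2 = firewall config, $3 = VPN interface
    ks=$(killswitch_ips "$2")
    found=0
    for ip in $(vpr_clients_via "$1" "$3"); do
        if ! printf '%s\n' "$ks" | grep -qxF "$ip"; then
            echo "$ip"; found=1
        fi
    done
    return $found
}

# Constructed sample configs (not a real router) for a dry run.
write_samples() {  # $1 = directory
    cat > "$1/vpn-policy-routing" <<'EOF'
config vpn-policy-routing 'config'
	option strict_enforcement '0'
	option enabled '1'

config policy
	option name 'tv'
	option interface 'vpnclient'
	option local_addresses '192.168.1.141 192.168.1.150'

config policy
	option name 'guest-direct'
	option interface 'wan'
	option local_addresses '192.168.1.200'
EOF
    cat > "$1/firewall" <<'EOF'
config rule
	option name 'Killswitch'
	option src '*'
	option target 'DROP'
	option src_ip '192.168.1.141'
	option proto 'all'
	option dest 'wan'
EOF
}

# On a router: unprotected_clients /etc/config/vpn-policy-routing /etc/config/firewall vpnclient
# Dry run:     d=$(mktemp -d); write_samples "$d"; unprotected_clients "$d/vpn-policy-routing" "$d/firewall" vpnclient
```

In the dry run 192.168.1.150 is reported: it is routed via `vpnclient` but has no DROP rule, so if the VPN goes down it would leak out the WAN. The script only looks at static `src_ip` rules, which is why the clients need fixed addresses or DHCP reservations, as the post above says.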

I can only select the WAN interface in the Policy section, but my WAN is actually called WWAN, as I am using one of my wireless adapters as a client to connect to my main router downstairs. How can I get this to work with my config?

I'm using WireGuard as my VPN, I have some wired clients and some other wireless clients that connect to the 2.4GHz radio. My 5GHz radio is in client mode to the other router. All works well but I cannot access Netflix from my VPN protected devices which is why I wanted to use your package. :slight_smile:

Thanks in advance...

@frijj2k
You should be able to add your WWAN interface at the advanced settings tab or via config file...

LuCI: Services > VPN Policy Routing > Advanced > Supported Interfaces
Config (/etc/config/vpn-policy-routing): add list supported_interface 'wwan' under config vpn-policy-routing 'config'

@stangri Just compiled from trunk; luci vpn policy routing is missing from luci applications in make menuconfig, does this need an update?

Edit: never-mind, was an issue on my end :slight_smile:

I have this setup as follows:

LAN (10.10.10.0/24) -> over vpn
Guest (10.10.20.0/24) - > no vpn (direct to wan)

It's working great; the only problem is that I have a hosted webservice on 10.10.10.20:1234 which needs to be accessible from my public (non-VPN) IP address.

I have a port forwarding rule setup in openwrt to forward all traffic on 443 to 10.10.10.20:1234

When VPN policy based routing is disabled, I can access the webservice, but when I enable it, my port forwarding rules stop working

Is there something additional I need to do to allow INCOMING traffic to the 10.10.10.0/24 subnet outside of the VPN tunnel - i.e. via my public IP address, but continue to route traffic originating OUT from my network to the VPN?
Thanks!
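
What breaks here is the reply path: the inbound connection arrives on the WAN and is DNATed to 10.10.10.20, but the reply packets come from the 10.10.10.0/24 subnet, so the source-based policy marks them for the VPN table and they leave through the tunnel, where the remote peer never sees them. The usual fix is to mark the connection (not just the packet) when it is opened on the WAN and restore that mark on every later packet of the same connection. The script below is an added example, not a feature of or a reply from vpn-policy-routing: it assumes the package keeps its marks in bits 0xff0000, that 0x10000 is the WAN mark with `from all fwmark 0x10000 lookup 201` as the status output further down this thread shows, that the WAN device is eth1.2 and that the package's `VPR_PREROUTING` jump sits at the top of mangle PREROUTING, so rules appended at the end run after it and win. The connmark match and CONNMARK target need `iptables-mod-conntrack-extra` on OpenWrt. Check your own marks with `/etc/init.d/vpn-policy-routing status` before applying.

```shell
#!/bin/sh
# Added example: keep replies to inbound WAN connections (port forwards) on
# the WAN even though the LAN host is policy-routed via the VPN.
# Assumptions (verify against `vpn-policy-routing status`): VPR uses mark
# bits 0xff0000, 0x10000 routes via the WAN table, WAN device is eth1.2.

WAN_DEV=${WAN_DEV:-eth1.2}
WAN_MARK=${WAN_MARK:-0x10000}
MARK_MASK=${MARK_MASK:-0xff0000}
IPT=${IPT:-iptables}          # set IPT=echo for a dry run

# Emit the rule specs, one per line, so they can be reviewed or diffed.
vpr_inbound_rules() {
    # 1. Packets that open a new connection arriving on the WAN: stamp the
    #    connection with the WAN mark (survives for all packets of the flow).
    echo "-t mangle -A PREROUTING -i $WAN_DEV -m conntrack --ctstate NEW -j CONNMARK --set-xmark $WAN_MARK/$MARK_MASK"
    # 2. Any packet of a connection that carries a mark (the LAN host's replies
    #    included): copy it onto the packet. This runs after VPR_PREROUTING,
    #    so it overrides the VPN mark that the source-address policy just set
    #    and the reply leaves through the WAN table.
    echo "-t mangle -A PREROUTING -m connmark ! --mark 0/$MARK_MASK -j CONNMARK --restore-mark --nfmask $MARK_MASK --ctmask $MARK_MASK"
}

# Apply idempotently (delete, then append). Call this from /etc/firewall.user
# as well, so a firewall reload re-creates the rules.
vpr_inbound_apply() {
    vpr_inbound_rules | while IFS= read -r spec; do
        # shellcheck disable=SC2086
        $IPT $(printf '%s' "$spec" | sed 's/ -A / -D /') 2>/dev/null
        # shellcheck disable=SC2086
        $IPT $spec
    done
}

# Live:    vpr_inbound_apply
# Dry run: IPT=echo vpr_inbound_apply
```

Outbound connections from the LAN never get a connection mark from rule 1, so rule 2 does not touch them and they keep following the VPR policy. The `ip rule` entry matches the fwmark exactly, so if something else (mwan3, for instance) also sets mark bits, the masks have to be reconciled first.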

Hi,

I have been trying to use VPR to get some devices on my network to bypass my VPN (specifically a set-top box and a Chromecast). It does work for the most part.

The set-top box provides TV via a digital aerial and also has apps for Amazon Prime Video, Netflix, BBC iPlayer etc. all of which are prevented from working due to my VPN. If I try to play something on Amazon Video with VPR disabled it rightly complains of me using a VPN and won't play. If I enable VPR it then plays which suggests to me that VPR is working as it should. I even used the built-in web browser to check my IP address at ipaddress.net and it sees my IP address not the VPN's one.

The problem is Netflix.

When I disable VPR I can run the Netflix app and browse the library fine but when I play something it detects the VPN and won't play (as expected). However when I enable VPR the app complains that it can't connect to the Netflix servers but it can connect to the internet. Strangely I can play stuff on Netflix on my PC which doesn't bypass the VPN. I can also play stuff with the Netflix app on my Android phone but I cannot cast it to my Chromecast.

For some reason, unlike BBC iPlayer or Amazon Video, Netflix seems inconsistent, but I can't seem to figure out why.

Has anyone encountered this before?

Regards,
Dan

I have successfully created a VPN setup for myself on the router. I can use the VPN connection and it also changes the WAN IP. Then I put route-nopull into the VPN config so I can selectively choose what sites go through the VPN. But it doesn't work for me. I think I have followed everything as it was written and entered the required websites into the LuCI config, but those sites still route through my normal WAN connection. They don't get routed through the VPN even though I have put the config in VPN Policy Routing. Can someone help me fix it? If you need any config to see, I'll be happy to provide it.

It would be really good if there were some expanded how-tos and recipes for configuring OpenWrt with these packages (I realise that you can't put everything into a readme). This topic is really too long for every new user to read (I have read all of this topic and the preceding topic, but my brain went numb somewhere along the way). Is there a wiki for these packages? Maybe I missed it.

What I want to do (and several others have previously asked with varying answers and degrees of success) is to set up a router with a VPN client where the wan remains the default route, but selected clients or subnets (and perhaps destinations) are routed through the VPN. I would prefer that the VPN route use the routing data pushed by the VPN server. I have tried a couple of times, but end up locking myself out of the router.

Even better would be if someone would write a complete how-to for setting up a router with 2 radio interfaces, one defaulting to WAN routing and the other defaulting to VPN, with the ability to add routing exceptions as required.

2 Likes
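
The setup asked for above (WAN stays the default route, selected clients or subnets go through the VPN) is what the package's per-client policies do, provided the VPN client does not install its own default route; for OpenVPN that is the `route-nopull` directive mentioned earlier in this thread. The script below is an added example, not part of this thread or of the vpn-policy-routing package: it writes a `/etc/config/vpn-policy-routing` with one policy per client, using only option names that appear in the configs pasted in this thread (`enabled`, `strict_enforcement`, `name`, `interface`, `local_addresses`), and refuses malformed addresses so a typo cannot produce a policy that silently matches nothing. The interface name `vpnclient` and the output path are assumptions; the meaning of `strict_enforcement` is the package's, check its README.

```shell
#!/bin/sh
# Added example: generate a vpn-policy-routing config where the WAN stays the
# default route and only the named clients/subnets are routed via the VPN.
# Assumes the OpenVPN client runs with route-nopull and the VPN interface
# is called vpnclient (as in the status output in this thread).

# Accept "a.b.c.d" or "a.b.c.d/len"; reject anything else.
valid_ipv4_net() {  # $1 = address or CIDR
    case "$1" in
        */*) host=${1%/*}; plen=${1#*/} ;;
        *)   host=$1; plen=32 ;;
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $host; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Write the config: one policy per "name=address" argument; everything not
# listed keeps following the WAN default route. Returns 1 if any entry was
# rejected (the valid ones are still written).
write_vpr_config() {  # $1 = output file, $2 = VPN interface, $3.. = name=address
    out=$1; vpn=$2; shift 2
    rc=0
    {
        echo "config vpn-policy-routing 'config'"
        printf "\toption enabled '1'\n"
        printf "\toption strict_enforcement '1'\n"
    } > "$out"
    for entry in "$@"; do
        name=${entry%%=*}; target=${entry#*=}
        if [ -z "$name" ] || [ "$name" = "$entry" ] || ! valid_ipv4_net "$target"; then
            echo "rejected: $entry" >&2; rc=1; continue
        fi
        {
            echo
            echo "config policy"
            printf "\toption name '%s'\n" "$name"
            printf "\toption interface '%s'\n" "$vpn"
            printf "\toption local_addresses '%s'\n" "$target"
        } >> "$out"
    done
    return $rc
}

# Number of policy sections in a written config.
count_policies() { grep -c '^config policy' "$1"; }

# Example: an Apple TV and a whole LAN subnet via the VPN, guests untouched.
#   write_vpr_config /etc/config/vpn-policy-routing vpnclient \
#       appletv=192.168.1.141 lan=10.10.10.0/24 && /etc/init.d/vpn-policy-routing reload
```

Pair this with a killswitch rule per client if a VPN outage must not leak their traffic; the policies alone only decide where traffic goes while the tunnel is up.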

Any luck with this? I have subscribed to windscribe as well and would basically like only my AppleTV routed through windscribe .

Hello.
Is it possible that apps installed on the router, like i2pd and TOR, will not use VPN tunnel but rest of Lan will use VPN?
Do you know how to do this?

Regards.

An option to load domains from file would be nice to have. For example in countries with state-wide censorship.
But there is also a concern about how will dnsmasq/iptables/ipsets behave when loaded with thousands of domains/ips. :thinking:

Hi guys, according to the readme, by using dnsmasq-full I can use wildcard domain names (or top-level domain names, i.e. *.domain.com). What I have found is, if I add a domain name that does not have an A record but does have A records at the third level only, I get an error on start. Wondering if anyone has a solution to this. Seems to me what happens is when I add a domain, it does an nslookup, grabs all the IP addresses, then adds them to iptables.

error I get:

ERROR: ipt -t mangle -I VPR_PREROUTING 1 -j MARK --set-xmark 0x020000/0xff0000 -s 192.168.101.0/24 -d nflximg.net

(where nflximg.net doesn't resolve, but there are 10 or so subdomains that do resolve)

What I am trying to achieve is to route all Netflix traffic through my VPN tunnel and route all other traffic through the WAN. The purpose of this is I want to get USA Netflix at the same time as being able to use a local streaming TV service that also uses geo-blocking. As part of the universe's plan to make my life difficult, my local TV streaming service also uses AWS for content hosting, so trying to whitelist the entire AWS AS does not help me. (Adding just netflix.com and 8.8.8.8/8.8.4.4 does not let me see the USA content.) I could list all the domains one by one, but some of them look dynamic, e.g. netflix-990.vo.llnwd.net

These are the list of top level domains I believe I need:
llnwd.net nflximg.com nflxvideo.net netflix.com nflxext.com nflxso.net btstatic.com

Any suggestions on how to do a clean solution of adding all the TLD only?

thanks!

Never mind, I re-read the manual carefully: "Policies with only remote IP address or a domain name are created as dnsmasq's ipset or an ipset (if enabled)."

I removed the source subnet and left only the destination TLDs, and it was created correctly as an ipset rather than trying to resolve the domains.
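
The rule quoted above has a practical consequence: a policy with a local side becomes an iptables MARK rule, and iptables resolves a hostname given to `-d` once, at insert time, so an apex domain without an A record fails exactly as in the `ipt -t mangle -I VPR_PREROUTING ... -d nflximg.net` error. A remote-only policy is instead an ipset that dnsmasq fills from DNS answers (dnsmasq's `ipset=/domain/setname` directive, which also covers every subdomain), and that requires a dnsmasq built with ipset support, which the first status output further down this thread shows as `no-ipset` and the second as `ipset`. The script below is an added example, not part of the package: it tells those two situations apart before a reload. The dnsmasq version-line format is taken from the status outputs in this thread; the set name and the `dnsmasq_enabled` gate are assumptions.

```shell
#!/bin/sh
# Added example: pre-check domain policies against the dnsmasq build and
# the "remote-only => ipset, otherwise iptables rule" behaviour quoted above.

# Does this dnsmasq build support ipset? Reads `dnsmasq --version` on stdin
# and looks for the bare token "ipset" (not "no-ipset") in the options line.
dnsmasq_has_ipset() {
    sed -n 's/^Compile time options: //p' | tr ' ' '\n' | grep -qx 'ipset'
}

# Classify one policy; prints a verdict and returns 1 on a problem.
#   $1 = local_addresses, $2 = remote_addresses (space separated),
#   $3 = 1 if dnsmasq_has_ipset succeeded (and dnsmasq_enabled is not 0)
check_policy() {
    if [ -z "$1" ]; then
        if [ "$3" = 1 ]; then
            echo "ipset: dnsmasq adds resolved addresses of [$2] to the interface ipset"
            return 0
        fi
        echo "ERROR: domain-only policy needs dnsmasq with ipset support (dnsmasq-full)"
        return 1
    fi
    for r in $2; do
        case "$r" in
            *[!0-9./]*)
                echo "WARNING: '$r' is a hostname in an iptables rule; it is resolved once at insert time and the rule fails if it has no A record"
                return 1 ;;
        esac
    done
    echo "iptables: MARK rule with -s $1 -d $2"
    return 0
}

# The dnsmasq directive that feeds a set from DNS answers; each listed domain
# matches itself and all its subdomains, which is what makes apex-only
# entries like nflximg.net work here even though the apex has no A record.
dnsmasq_ipset_line() {  # $1 = set name, $2.. = domains
    set_name=$1; shift
    line=""
    for d in "$@"; do line="$line/$d"; done
    printf 'ipset=%s/%s\n' "$line" "$set_name"
}

# Example on a router:
#   has=0; dnsmasq --version | dnsmasq_has_ipset && has=1
#   check_policy '' 'llnwd.net nflximg.com nflxvideo.net netflix.com' "$has"
#   check_policy '192.168.101.0/24' 'nflximg.net' "$has"   # the failing shape
```

The `dnsmasq_enabled` option visible in the configs pasted below this post is, by its name, the package-side switch for this integration; a dnsmasq-full build does nothing for domain policies if that is set to 0.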

Is it possible to use regex with domain name entries? I'm trying to make VPN rules for exceptions to Netflix, Amazon, and a few others. Going to be very hard to do that without regex (or DPI, if it exists for openwrt?)

Looks like there's a regex supported dnsmasq available, but I still haven't been able to determine if iptables ipsets can process regex values, or if vpn-policy-routing can pass them along to dnsmasq.

Hello @stangri , thanks so much for the support and development.

Running OpenWRT, installed OpenVPN, using ExpressVPN, it works flawlessly, installed your build and configured as per your guide.

The issue: port-based policies do not work on some ports, it would seem. The readme says 15 ports can be entered, but after about 4-5 ports in one "remote ports" field, they no longer work after that. Some ports (27960 simply does not work to get out to WAN). IP-based policies work perfectly. The ports that seem to work without an issue are 4 digits long.

27960 is a game port, confirmed that is the only one needed to go out via multiple sources (and devs), when I apply an IP policy to the game server, it works fine, when I apply the port based policy, it will not connect

If anyone else has any ideas please chime in, at this point am out of ideas and the same google pages continue to show up lol


Router = 192.168.2.1
Modem = 192.168.1.1
PC = 192.168.2.175

-->>>>>>>>>>>>>>>>> EXAMPLE OF WHAT WORKS FIRST

content of /etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '0'
option ipset_enabled '1'
option dnsmasq_enabled '0'
option strict_enforcement '1'
option enabled '1'

config policy
option interface 'wan'
option name 'test'
option local_addresses '192.168.2.175'

------output of /etc/init.d/vpn-policy-routing status-------

root@OpenWrt:~# /etc/init.d/vpn-policy-routing status
vpn-policy-routing 0.0.2-32 running on OpenWrt 18.06.1. WAN (IPv4): wan/dev/192.168.1.1.
============================================================
Dnsmasq version 2.80test3 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 10.116.0.65 128.0.0.0 UG 0 0 0 tun0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth1.2
IPv4 Table 201: default via 192.168.1.1 dev eth1.2
IPv4 Table 201 Rules:
32677: from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.116.0.65 dev tun0
IPv4 Table 202 Rules:
32676: from all fwmark 0x20000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.2.175/32 -m comment --comment test -c 387 304741 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set vpnclient dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create vpnclient hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

---------output of /etc/init.d/vpn-policy-routing reload with verbosity setting set to 2---------

root@OpenWrt:~# /etc/init.d/vpn-policy-routing reload
Creating table 'wan/192.168.1.1' [✓]
Creating table 'vpnclient/10.116.0.65' [✓]
Routing 'test' via wan [✓]
vpn-policy-routing 0.0.2-32 started on wan/192.168.1.1 vpnclient/10.116.0.65 [✓]
vpn-policy-routing 0.0.2-32 monitoring interfaces: wan vpnclient [✓]

================= HERE IS A COPY OF THE PORT BASED POLICY THAT DOES NOT WORK =============================

config policy
option interface 'wan'
option name 'qqa'
option remote_ports '27960'

config policy
option interface 'wan'
option name 'qqa'
option remote_ports '27960'

config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '0'
option strict_enforcement '1'
option udp_proto_enabled '1'
option dnsmasq_enabled '0'
option enabled '1'

root@OpenWrt:~# /etc/init.d/vpn-policy-routing status
vpn-policy-routing 0.0.2-32 running on OpenWrt 18.06.1. WAN (IPv4): wan/dev/192.168.1.1.

Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile

Routes/IP Rules
default 10.192.0.161 128.0.0.0 UG 0 0 0 tun0
default ControlPanel.Ho 0.0.0.0 UG 0 0 0 eth1.2
IPv4 Table 201: default via 192.168.1.1 dev eth1.2
IPv4 Table 201 Rules:
32697: from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.192.0.161 dev tun0
IPv4 Table 202 Rules:
32696: from all fwmark 0x20000 lookup 202

IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -p udp -m multiport --dports 27960 -m comment --comment qqa -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p tcp -m multiport --dports 27960 -m comment --comment qqa -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set vpnclient dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000

Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create vpnclient hash:net family inet hashsize 1024 maxelem 65536 comment

Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

root@OpenWrt:~# /etc/init.d/vpn-policy-routing reload
Creating table 'wan/192.168.1.1' [✓]
Creating table 'vpnclient/10.192.0.161' [✓]
Routing 'qqa' via wan [✓]
vpn-policy-routing 0.0.2-32 started on wan/192.168.1.1 vpnclient/10.192.0.161 [✓]
vpn-policy-routing 0.0.2-32 monitoring interfaces: wan vpnclient [✓]
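
One thing worth reading off the listing above: iptables prints packet and byte counters after `-c`, and both `qqa` rules sit at `-c 0 0` while the `test` rule shows 387 packets. A port policy whose counters stay at zero while the client is actively trying to connect is not matching the traffic at all (wrong port, wrong protocol, or the rule is being evaluated after something else already handled the packet), which is a different problem from the mark not being honoured. The script below is an added example, not part of the package: it reads the `VPR_PREROUTING` section that `/etc/init.d/vpn-policy-routing status` prints and reports per-policy hit counts. The sample input is constructed from the listing in this post; the output format it parses is assumed to stay the `iptables -S -c` style shown here.

```shell
#!/bin/sh
# Added example: per-policy packet counters from the VPR_PREROUTING listing
# in `vpn-policy-routing status` ("-c PKTS BYTES" and "--comment NAME").

# Print "name pkts" for every VPR_PREROUTING rule carrying a comment.
# Rules without a comment (the per-interface ipset matches) are skipped.
vpr_rule_hits() {  # stdin: status output or `iptables -t mangle -S VPR_PREROUTING -c`
    awk '
        $1 == "-A" && $2 == "VPR_PREROUTING" {
            name = ""; pkts = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--comment") name = $(i + 1)
                if ($i == "-c") pkts = $(i + 1)
            }
            if (name != "") print name, pkts
        }'
}

# Sum hits per policy (a port policy has one tcp and one udp rule) and flag
# policies at zero. Prints "name total [NO MATCH]"; returns 1 if any is zero.
vpr_policy_report() {
    vpr_rule_hits | awk '
        { total[$1] += $2 }
        END {
            rc = 0
            for (n in total) {
                if (total[n] == 0) { print n, total[n], "NO MATCH"; rc = 1 }
                else print n, total[n]
            }
            exit rc
        }'
}

# Total packets matched by one policy name (0 if it has no rules).
vpr_policy_hits() {  # $1 = policy name
    vpr_rule_hits | awk -v n="$1" '$1 == n { s += $2 } END { print s + 0 }'
}

# Constructed from the listing in this post.
SAMPLE_STATUS='-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.2.175/32 -m comment --comment test -c 387 304741 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p udp -m multiport --dports 27960 -m comment --comment qqa -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p tcp -m multiport --dports 27960 -m comment --comment qqa -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set vpnclient dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000'

# Live:    /etc/init.d/vpn-policy-routing status | vpr_policy_report
# Dry run: printf '%s\n' "$SAMPLE_STATUS" | vpr_policy_report
```

Run the live form twice, before and while the game tries to connect: if `qqa` moves off zero the mark is applied and the problem is downstream (routing table, NAT); if it stays at zero, capture the client's traffic with `tcpdump -ni br-lan host 192.168.2.175` and check which destination ports and protocol it actually uses.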

Hi,

I'm new to your packages, stangri. So, I'm not sure, which one I need.
I need OpenVPN to exclude some internal IPs to connect with. So, some IPs won't get VPN at all. Is VPN Bypass sufficient for this? Do I need vpn-policy-routing package instead?
Here are the errors, as I try to access to your repo (while executing opkg list-upgradable after entering your install commands) and showing dependencies, while installing vpn-policy-routing package:

[screenshot: opkg list-upgradable output (PuTTY)]
[screenshot: vpn-policy-routing install (dependency missing)]

Any solution to these?

Hi @stangri, thank you for this big enhancement that you made for the community!
It makes my life easy.
I only want to ask you if it is possible to make a routing policy for a service in the LAN (e.g. a webserver) to two different interfaces with your package? So if I have a webserver with IP 192.168.1.15 and I want to serve it to WAN and OpenVPN at the same time...
Would be nice if you could give me a short hint whether it's possible or I should stop trying...
Thank you in advance!
Regards
wiesel

Hello, wrt1900acs running DavidC502 build, trying to
opkg install vpn-policy-routing luci-app-vpn-policy-routing

I get

root@OpenWrt:~# opkg install vpn-policy-routing luci-app-vpn-policy-routing
Unknown package 'vpn-policy-routing'.
Unknown package 'luci-app-vpn-policy-routing'.
Collected errors:
 * opkg_install_cmd: Cannot install package vpn-policy-routing.
 * opkg_install_cmd: Cannot install package luci-app-vpn-policy-routing.

Also I see this server down, maybe this is the issue; https://raw.githubusercontent.com

I tried with adding the repo to my router, still no success

Collected errors:
 * opkg_download: Failed to download https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

root@OpenWrt:~# opkg install vpn-policy-routing luci-app-vpn-policy-routing
Unknown package 'vpn-policy-routing'.
Unknown package 'luci-app-vpn-policy-routing'.
Collected errors:
 * opkg_install_cmd: Cannot install package vpn-policy-routing.
 * opkg_install_cmd: Cannot install package luci-app-vpn-policy-routing.