VPN Policy-Based Routing + Web UI -- Discussion

lepidas,
I have been using davidc502 builds on my Linksys WRT1900ACS for a bit over a year, most recently build r8873. I install vpn-policy-routing each time per the instructions and I have no problem. Did you do an opkg update first? That may be important.

https://openwrt.org/playground/faq/failed_to_download_wget_returned_4

@slim0287 I had updated... see

* opkg_download: Failed to download https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.gz, wget returned 4.

@tmomas
I have ipv6 disabled indeed but hey without enabling ipv6....

I just tried today again and boom packages installed.
Maybe something wrong with the server I guess...

@stangri
Hi there I've tried to use your repo on my customfeed (feeds.conf.default) but I get dependency errors and can't install on my build system. (I don't use imagebuilder I prefer using buildroot instead.)

My source code repo is not a feed: https://github.com/stangri/openwrt-repo#sdk.

@stangri This is the error that I'm getting, same error when I created my own customfeed.

pepega@pepega-virtual-machine:~/openwrt$ make menuconfig
tmp/.config-package.in:45789:error: recursive dependency detected!
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
tmp/.config-package.in:45789:   symbol PACKAGE_vpn-policy-routing depends on PACKAGE_vpnbypass
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
tmp/.config-package.in:45808:   symbol PACKAGE_vpnbypass depends on PACKAGE_vpn-policy-routing

mydiffconfig

I build my packages one at a time, so I've never had this problem. I don't know how to resolve it short of removing CONFLICTS:= from the Makefiles.

Hey @stangri . I'm also struggling with your package - it looks like -the- thing I'm envisioning but I can't get it to run. I tried that a couple of months ago but I'm just coming back to it now as I finally want to get this working.

Following usecase: I use ExpressVPN via OpenVPN. I want to:

  • Still be able to use Netflix and Amazon Prime TV
  • Be able to access certain ports from the outside via WAN (for example to SSH into my router or to host a local web application)

What I did so far:
I installed and set up OpenVPN on my router, downloaded and installed your package (incl. luci-pkg). My current config is this:

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option ipset_enabled '1'
	option dnsmasq_enabled '0'
	option strict_enforcement '1'
	option output_chain_enabled '1'
	list supported_interface 'expressvpn'
	option iprule_enabled '1'
	option forward_chain_enabled '1'
	option enabled '1'

config policy
	option interface 'wan'
	option comment 'SSH'
	option local_addresses '192.168.1.1'
	option local_ports '22'

config policy
	option interface 'wan'
	option comment 'Netflix'
	option remote_addresses 'netflix.com'
	option local_addresses '192.168.1.102'

The IP 192.168.1.102 is a local device I am testing the netflix bridge with.
If I'm connected to my local wifi I can SSH in via my public IP address with VPN running and your service running. Once I set my phone for example to 4G I'm not able to connect anymore. From the samples I see in this thread here I don't seem to be off by much, but I can't find my specific use case covered. It would be great if you could help me with this. What is not working here?
Let me know whether you need more logs and config.


EDIT:

So I did some further digging. Netflix itself seems to query quite some different pages, that's why netflix.com did not really work out. I guess with some very careful traffic observation one can 'handcollect' the domains and include them manually.

For now I just used my laptop and excluded everything - that does the job, so your package works on my side. For now, that's actually sufficient.
What still hasn't worked so far is the SSH part. I'll post my support and reload outputs here:

Creating table 'expressvpntun/10.89.0.113' [✓]
Routing 'SSH' via wan [✓]
Routing 'TV' via wan [✓]
vpn-policy-routing 0.0.2-36 started on wan/62.155.246.66 expressvpntun/10.89.0.113 [✓]
vpn-policy-routing 0.0.2-36 monitoring interfaces: wan expressvpntun [✓]
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         xx.xx.xx.xx     128.0.0.0       UG    0      0        0 tun0
default         xx.xxx.xx.xx   0.0.0.0         UG    0      0        0 pppoe-wan
IPv4 Table 201: default via xxx.xx.xx.xx dev pppoe-wan
IPv4 Table 201 Rules:
32661:	from 192.168.1.237 lookup 201
32663:	from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.89.0.113 dev tun0
IPv4 Table 202 Rules:
32662:	from all fwmark 0x20000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.1 -p tcp -m multiport --dports 22 -m comment --comment SSH -c 22 1268 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set expressvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set expressvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set expressvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set expressvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create expressvpntun hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

It feels close...
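A check for the situation described in the post above, as an added example that is not part of the thread or the vpn-policy-routing project: it parses a constructed excerpt in the layout of the 'support' output (addresses are hypothetical), maps each VPR mark to the egress device its ip rule selects, and lists router-local-port policies that have no VPR_OUTPUT rule.

```python
import re
from collections import defaultdict

# Constructed excerpt (hypothetical addresses) in the layout of the 'support' output
# quoted in the post above: the SSH policy is marked only in PREROUTING.
SUPPORT_OUTPUT = """\
IPv4 Table 201: default via 192.0.2.1 dev pppoe-wan
IPv4 Table 201 Rules:
32663:\tfrom all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.89.0.113 dev tun0
IPv4 Table 202 Rules:
32662:\tfrom all fwmark 0x20000 lookup 202
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.1 -p tcp -m multiport --dports 22 -m comment --comment SSH -c 22 1268 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
"""

TABLE_RE = re.compile(r"^IPv4 Table (\d+): default via \S+ dev (\S+)")
FWMARK_RE = re.compile(r"^\d+:\s+from all fwmark (0x[0-9a-fA-F]+) lookup (\d+)")
RULE_RE = re.compile(r"^-A (VPR_[A-Z]+) (.*?) -j MARK --set-xmark (0x[0-9a-fA-F]+)/")

def parse_support(text):
    """Return (fwmark -> egress device, policy -> {chain: fwmark, 'local_ports': bool})."""
    table_dev, mark_table, policies = {}, {}, defaultdict(dict)
    for line in text.splitlines():
        if m := TABLE_RE.match(line):
            table_dev[m.group(1)] = m.group(2)
        elif m := FWMARK_RE.match(line):
            mark_table[int(m.group(1), 16)] = m.group(2)
        elif m := RULE_RE.match(line):
            chain, body, mark = m.groups()
            # Named policies carry --comment; per-interface ipset rules carry --match-set.
            tag = re.search(r"--comment (\S+)|--match-set (\S+)", body)
            pol = policies[tag.group(1) or tag.group(2)]
            pol[chain] = int(mark, 16)
            pol["local_ports"] = pol.get("local_ports", False) or "--dports" in body
    mark_dev = {mark: table_dev.get(tbl) for mark, tbl in mark_table.items()}
    return mark_dev, dict(policies)

def egress_for(text, policy, chain):
    """Device a packet matched by `policy` in `chain` leaves through (None if not marked there)."""
    mark_dev, policies = parse_support(text)
    return mark_dev.get(policies.get(policy, {}).get(chain))

def router_services_missing_output(text):
    """Policies on router-local ports (--dports) that have no VPR_OUTPUT rule. Replies from a
    service on the router itself traverse OUTPUT, not PREROUTING, so without that rule they
    follow the VPN default route instead of the WAN the request arrived on."""
    _, policies = parse_support(text)
    return sorted(n for n, p in policies.items() if p["local_ports"] and "VPR_OUTPUT" not in p)
```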

For the SSH to work, you'll need an OUTPUT chain. Please read my other post below on that.

Hello fellow VPR users. If you're running a VPN client and you also want to expose any service on the router (like an OpenVPN server or an SSH port) to WAN, I'm planning a change which may affect you.

Previously, you needed to enable the OUTPUT chain for that and VPR would try to guess which policies you wanted duplicated in the OUTPUT chain. I do not believe this was the best implementation of supporting scenarios above and I'm planning a change where you could explicitly set the chain for the policy.

If you're currently running both VPN client and OpenVPN server on your router or if you're using VPR FORWARD/INPUT/OUTPUT chains support, please let me know if you'd like to test a new version before I publish it to the repo.

PS. Also, this new version will allow you to explicitly set protocol for the policy (between tcp, udp and tcp udp).


Hey,
well it's not super urgent so I guess I would wait for the actual solution instead of fiddling around temporary hacks.
If you need some tester, let me know!

Is it possible to set a RANGE of IP addresses for routing?

The version of the service/luci app which supports explicit chains/protocols:
https://www.melmac.net/openwrt/packages/vpn-policy-routing_0.0.3-1_all.ipk
https://www.melmac.net/openwrt/packages/luci-app-vpn-policy-routing_git-19.030.26678-74e4cf5-35_all.ipk

Make sure to read this part of README before installing.

@benchgrade -- yes, in CIDR notation.

Unfortunately CIDR won't cover a complete range without multiple entries. It would be nice to be able to enter a range 192.168.1.1-192.168.1.5.

No worries if it isn't in scope for the project. Great work on it!

AFAIR it's the iptables limitation, I don't want to parse user data any more than I need to.

You can also create DHCP host records for those IP addresses and then you can put in the machine names instead of the IP addresses.

Is there any way to download an older version? Something has changed recently (I'm now at vpn-policy-routing - 0.0.3-2) and webpages that worked fine previously now do not. An example: I have
http://ams.org/mathscinet
redirected to my uni vpn, otherwise the site requires login when you attempt a search. But things no longer work for me. Strangely enough other things still are fine. So I want to go back to previous version(s) to figure out what's going on. Maybe then stangri will understand why this is happening.

Edit: Never mind, I figured out how to get to v 0.0.2-37 (got it from github). Now things work as before, so v 0.0.3-2 has broken something for me. Happy to test things, if you would like me to!

Edit2: I checked my logs. Here is the difference:

Using 0.0.2-37 I get:

Feb  5 23:01:33 dnsmasq[24001]: query[AAAA] mathscinet.ams.org from 192.168.8.144
Feb  5 23:01:33 dnsmasq[24001]: forwarded mathscinet.ams.org to 208.67.222.222
Feb  5 23:01:33 dnsmasq[24001]: query[A] mathscinet.ams.org from 192.168.8.144
Feb  5 23:01:33 dnsmasq[24001]: forwarded mathscinet.ams.org to 208.67.222.222
Feb  5 23:01:34 dnsmasq[24001]: reply mathscinet.ams.org is NODATA-IPv6
Feb  5 23:01:34 dnsmasq[24001]: ipset add uoevpn 104.238.176.204 mathscinet.ams.org

Using 0.0.3-2 I get:

Feb  5 21:51:36 dnsmasq[26856]: query[AAAA] mathscinet.ams.org from 192.168.8.144
Feb  5 21:51:36 dnsmasq[26856]: forwarded mathscinet.ams.org to 208.67.222.222
Feb  5 21:51:36 dnsmasq[26856]: query[A] mathscinet.ams.org from 192.168.8.144
Feb  5 21:51:36 dnsmasq[26856]: forwarded mathscinet.ams.org to 208.67.222.222
Feb  5 21:51:36 dnsmasq[26856]: reply mathscinet.ams.org is NODATA-IPv6
Feb  5 21:51:36 dnsmasq[26856]: reply mathscinet.ams.org is 104.238.176.204

Notice the ipset add is missing!
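A log check for the regression spotted above, as an added example that is not part of the thread: it reads constructed dnsmasq lines in the format quoted (hypothetical PID and second domain), pairs each A-record reply with the `ipset add` that should follow it, and reports answers that never reached the policy's ipset. It matches subdomains of a policy domain, as dnsmasq's `ipset=/domain/set` does.

```python
import re
from collections import defaultdict

# Constructed dnsmasq log lines (hypothetical PID and example.net entry) in the
# format quoted above: ams.org is answered but never added to the ipset.
DNSMASQ_LOG = """\
Feb  5 21:51:36 dnsmasq[26856]: query[A] mathscinet.ams.org from 192.168.8.144
Feb  5 21:51:36 dnsmasq[26856]: forwarded mathscinet.ams.org to 208.67.222.222
Feb  5 21:51:36 dnsmasq[26856]: reply mathscinet.ams.org is NODATA-IPv6
Feb  5 21:51:36 dnsmasq[26856]: reply mathscinet.ams.org is 104.238.176.204
Feb  5 21:51:40 dnsmasq[26856]: query[A] example.net from 192.168.8.144
Feb  5 21:51:40 dnsmasq[26856]: reply example.net is 203.0.113.7
Feb  5 21:51:40 dnsmasq[26856]: ipset add uoevpn 203.0.113.7 example.net
"""

# Only IPv4 answers matter here; NODATA/NXDOMAIN/CNAME replies are skipped.
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\d+\.\d+\.\d+\.\d+)$")
IPSET_RE = re.compile(r"dnsmasq\[\d+\]: ipset add (\S+) (\S+) (\S+)$")

def covered_by(name, policy_domain):
    """dnsmasq ipset rules match the domain itself and every subdomain of it."""
    return name == policy_domain or name.endswith("." + policy_domain)

def ipset_gaps(log, expected):
    """expected: policy domain -> ipset name (the remote_addresses of each policy).
    Returns {queried name: set of A answers that dnsmasq never added to that ipset}."""
    answers, added = defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        if m := REPLY_RE.search(line):
            answers[m.group(1)].add(m.group(2))
        elif m := IPSET_RE.search(line):
            setname, ip, name = m.groups()
            added[(name, setname)].add(ip)
    gaps = {}
    for name, ips in answers.items():
        for policy_domain, setname in expected.items():
            if covered_by(name, policy_domain):
                missing = ips - added[(name, setname)]
                if missing:
                    gaps[name] = missing
    return gaps
```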

Just an FYI, if anybody wants to use this to DENY access to a host since luci-app-access-control is defunct:

Create a dummy "physical" interface.

sudo ip tuntap add mode tap dev tap0

Add a new unmanaged interface.

config interface 'BLOCKED'
        option ifname 'tap0'
        option proto 'none'

You can now select and assign it in the drop down. Looks like rules are processed in reverse? So TOP MOST rule takes precedence -- you can leave your "route this host over VPN" in place and simply add a "route this host to BLOCKED" at the top, and it will be blocked until the rule is removed.


Hi @stangri,

Is it possible to pull both vpn-policy-routing and luci-app-vpn-policy-routing into a custom build?

I tend to build and upgrade weekly, but have stayed within the OpenWRT repo thus far....

Thank you

Oh, sorry, I unintentionally pushed 0.0.3-2 to the repo.

On top of the changes to chains/protocols mentioned above, I've also renamed two options:
supported_interface -> supported_interfaces
ignored_interface -> ignored_interfaces

Could that be the reason? Or did everything else run fine for VPR but just ipsets stopped working?

Yes, the repo's README has a section about it.

All my interfaces are tun or tap so those flags do not appear in my config. It just seems ipset is not working.