VPN Policy-Based Routing + Web UI -- Discussion


Thanks @stangri for making these packages available.

I had a few hiccups that others seemed to have, but I have them ironed out and it's up and running.

There is one strange thing I noticed, when I have my wired and wireless interfaces bridged to one subnet and then I set a policy for that subnet to the wan interface. For some reason only the wired traffic will access the internet but the wireless will not. Aside from this the vpn and lan are split perfectly.

I was just wondering if others had this happen.


That was actually very easy to put in place.

Just added the following line to feeds.conf.default:

src-git stangri_repo https://github.com/stangri/openwrt_packages.git

Had to change "include ../../luci.mk" to "include ../../luci/luci.mk" in a few places, and there is a dependency error in luci-app-templete but everything managed to build

Thank you


I've fixed a small multi-proto bug and rebuilt 0.0.3-3 using 18.06.2 SDK -- the domain/ipset feature is working for me (dnsmasq does fill ipsets when idle).

No idea. You may want to post relevant configs to see if others can help you.

If you're building packages from scratch with the SDK and you don't need everything from my repo, I'd recommend doing what it says in the README.


Hi stangri! I have been using vpn-policy-routing for about 5 months without issues. Really amazing package. I am using this to route 3 separate networks in my home into two different VPNs, or just plain internet to the outside.

Everything has been working smoothly until today I have decided to upgrade to latest openwrt. My policy routing stopped working, and for the love of a star, I can't understand the problem.

My VPN tunnels seem to be created correctly. The LuCI panel from vpn-policy-routing shows valid IP addresses for both tunnels. The logs are as follows:

config policy
	option name 'szvpn'
	option local_addresses ''
	option interface 'szvpn'

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option ipset_enabled '1'
	option dnsmasq_enabled '0'
	option strict_enforcement '1'
	option wan_dscp '1'
	option devpn_dscp '2'
	option szvpn_dscp '3'
	option hkvpn_dscp '4'
	option enabled '1'

config policy
	option name 'MiTV'
	option local_addresses ''
	option interface 'hkvpn'

config policy
	option name 'Enigma'
	option local_addresses ''
	option interface 'hkvpn'

root@Gandalf:/etc/config# /etc/init.d/vpn-policy-routing reload
Creating table 'wan/' [✓]
Creating table 'szvpn/' [✓]
Creating table 'hkvpn/' [✓]
Routing 'szvpn' via szvpn [✓]
Routing 'MiTV' via hkvpn [✓]
Routing 'Enigma' via hkvpn [✓]

vpn-policy-routing 0.0.3-3 running on OpenWrt 18.06.2. WAN (IPv4): wan/dev/
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
Routes/IP Rules
default         UG    10     0        0 eth0.2
IPv4 Table 201: default via dev eth0.2
IPv4 Table 201 Rules:
32747:	from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via dev tun-szvpn
IPv4 Table 202 Rules:
32746:	from all fwmark 0x20000 lookup 202
IPv4 Table 203: default via dev tun-hkvpn
IPv4 Table 203 Rules:
32745:	from all fwmark 0x30000 lookup 203
-A VPR_PREROUTING -s -m comment --comment Enigma -c 6 552 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s -m comment --comment MiTV -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s -m comment --comment szvpn -c 5 501 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set hkvpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m dscp --dscp 0x04 -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set szvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m dscp --dscp 0x03 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m dscp --dscp 0x01 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create szvpn hash:net family inet hashsize 1024 maxelem 65536 comment
create hkvpn hash:net family inet hashsize 1024 maxelem 65536 comment

It can of course be a problem in my interfaces, but I have actually not changed anything from the past. I would like some suggestions on how to start debugging, since I am kind of stuck.

Thanks a bunch!


According to the status you posted, both Enigma and szvpn iptables rules have traffic flowing.

Having said that, I haven't upgraded to 18.06.2 so I can't say if VPR for sure works there.

PS. Have you flushed the clients (phones', computers') dns cache?
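
An added example, not part of the thread or of the vpn-policy-routing package: it reads MARK rule lines in the form shown in the status output, pulls the `-c packets bytes` counters for each policy, and joins each mark to the routing table selected by the matching `ip rule` line. The sample input is constructed from the posted output, with placeholder source addresses.

```python
import re
import shlex

# Constructed sample modelled on the status output in the thread; the
# 192.0.2.x source addresses are placeholders (the posted rules show none).
SAMPLE_RULES = """\
-A VPR_PREROUTING -s 192.0.2.10/32 -m comment --comment Enigma -c 6 552 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 192.0.2.11/32 -m comment --comment MiTV -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 192.0.2.12/32 -m comment --comment szvpn -c 5 501 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set hkvpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
"""
SAMPLE_IP_RULES = """\
32745: from all fwmark 0x30000 lookup 203
32746: from all fwmark 0x20000 lookup 202
32747: from all fwmark 0x10000 lookup 201
"""

def parse_ip_rules(text):
    """Map fwmark value -> routing table name from `ip rule` style lines."""
    return {int(m.group(1), 16): m.group(2) for m in
            re.finditer(r"fwmark (0x[0-9a-fA-F]+)\S* lookup (\S+)", text)}

def parse_mark_rules(text):
    """Extract policy name, packet/byte counters and mark from MARK rules."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if "--set-xmark" not in tok or "-c" not in tok:
            continue
        c = tok.index("-c")
        if "--comment" in tok:
            name = tok[tok.index("--comment") + 1]
        elif "--match-set" in tok:
            name = "ipset:" + tok[tok.index("--match-set") + 1]
        else:
            name = "(unnamed)"
        mark = int(tok[tok.index("--set-xmark") + 1].split("/")[0], 16)
        rules.append((name, int(tok[c + 1]), int(tok[c + 2]), mark))
    return rules

def traffic_report(rule_text, ip_rule_text):
    """Join each MARK rule to the routing table its fwmark selects."""
    tables = parse_ip_rules(ip_rule_text)
    return [(n, p, b, tables.get(m, "no ip rule")) for n, p, b, m in parse_mark_rules(rule_text)]

if __name__ == "__main__":
    for name, pkts, nbytes, table in traffic_report(SAMPLE_RULES, SAMPLE_IP_RULES):
        state = "traffic seen" if pkts else "no hits yet"
        print(f"{name:12} table {table:10} {pkts:>4} pkts {nbytes:>6} B  {state}")
```

A non-zero packet count only shows that the rule matched and set the mark; whether the marked packets leave through the tunnel still depends on the route in the table the mark selects.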


Thanks so much for your quick reply! I am not sure where you can see traffic flowing based on my output... but you did give me an idea. I have run

iptables -L -v -n

to see the traffic flow, and the output is very strange. I see traffic incrementing with time on various relevant rules. But after some time, the counters reset to zero.

I have cleared DNS as per your request, but I don't think this is the problem. I can't even ping from a network routed through a tunnel. I can ping it however from the network that doesn't go out via a vpn.

I am about to flash back 18.06.01 to see if this is the problem. But before doing this, are there any logs or information you would like to have, in case this happens to be a compatibility issue with your extension?


After doing a fresh openwrt install, now I am getting the following error

vpn-policy-routing 0.0.3-3 stopped [✓]
Creating table 'wan/' [✗]
Creating table 'szvpn/' [✗]
Creating table 'hkvpn/' [✗]
ERROR: vpn-policy-routing 0.0.3-3 failed to set up any interface!
vpn-policy-routing 0.0.3-3 monitoring interfaces: wan szvpn hkvpn [✓]

What could cause an error in creating the tables? Is there any way I can see the actual commands issued via ip route, so that I can debug in the command line?


I have found this problem. Apparently I also needed to install

install iptables-mod-ipopt

@stangri It took me a lot of debugging, so maybe it would be useful to add it into your list of dependencies.


Thank you, fixed in 0.0.3-4.


Just thinking about some vpn options and would like some feedback on the following:
Rather than purchasing a more powerful openwrt host utilise the cpu HP sitting mainly idle in my file server as the vpn termination and forward traffic accordingly to/from it via the openwrt gateway.
ie: vpn gateway is behind the openwrt firewall.
internet .... openwrt ..... server/vpn termination.
Is it possible to configure VPN policy based routing where the vpn gateway is inside the local network rather than on the openwrt firewall?
Yes, I'm aware there may be security issues with terminating vpn traffic on the local lan.
Just seems a waste to have oodles of cpu horsepower unused while potentially overloading the openwrt device for a vpn.




Saw that thanks.
Still have a question regarding policy based routing as it is currently, would it support the vpn on a different device? ie not an interface on the same machine as the vpn service is running?
Redirection isn't the issue, it's where it sits in the traffic stream relative to the policy routing.


It is not clear what you want to achieve.
What is your reason to use policy-based routing in the case of a VPN server?
Why is plain routing not enough?


I think it will only be possible if your current device is connected to the other one, which has vpn, and gets internet from that device. In that case your current device will have an interface as WAN maybe which can be set up in policy based routing. But then you’ll have to use your current device as your gateway if you want this to work.


Encountered an issue today with setting up a rule with a specific domain + port.

My IPTV subscription is reachable via a domain and a specific port.

e.g.: www.tencents.com:8080

If I type the exact domain above in the OPBR settings, it gets ignored and not added to IPSET list.

If I add the domain without the port, nothing gets routed properly (obviously).

I can’t simply route all traffic going to 8080 because other apps/service/websites might use that.

Any idea?



Thanks for fixing the problem with the modem IP not showing up. (https://github.com/stangri/openwrt_packages/issues/33)
With version 0.0.4-0 I'm able to use "strict enforcement" + "supported interface (in my case modem)" and everything works as it should. :slight_smile:


I just want to say thank you @stangri

Thanks to this package, I was able to solve my particular problem https://forum.openwrt.org/t/problem-setting-up-2-isps-with-respective-wlan-for-each-one/

I was almost giving up. But now it is working like a charm :smiley:


Is there any news when this will occur?


Not for a while. I need to be able to test myself or get a bunch of reports on the IPv6 functionality. Sadly neither my ISP nor my VPN provider is in any hurry to implement IPv6.


If you're looking for testing and/or getting familiar with IPv6, I can strongly recommend using a free 6in4 tunnel from https://www.tunnelbroker.net/ and participating in their free IPv6 certification program.


Thanks, I think I've had it set up for a while, but without IPv6 support from VPN provider it didn't get me anywhere.