Thanks @stangri for making these packages available.
I had a few hiccups that others seemed to have, but I have them ironed out and it's up and running.
There is one strange thing I noticed: when I have my wired and wireless interfaces bridged to one subnet and then set a policy for that subnet to the wan interface, for some reason only the wired traffic will access the internet but the wireless will not. Aside from this the vpn and lan are split perfectly.
Had to change "include ../../luci.mk" to "include ../../luci/luci.mk" in a few places, and there is a dependency error in luci-app-templete, but everything managed to build.
I've fixed a small multi-proto bug and rebuilt 0.0.3-3 using 18.06.2 SDK -- the domain/ipset feature is working for me (dnsmasq does fill ipsets when idle).
No idea. You may want to post relevant configs to see if others can help you.
If you're building packages from scratch with the SDK and you don't need everything from my repo, I'd recommend doing what it says in the README.
Hi stangri! I have been using vpn-policy-routing for about 5 months without issues. Really amazing package. I am using this to route 3 separate networks in my home into two different VPNs, or just plain internet to the outside.
Everything has been working smoothly until today, when I decided to upgrade to the latest OpenWrt. My policy routing stopped working, and for the love of a star, I can't understand the problem.
My VPN tunnels seem to be created correctly. The LuCI panel from vpn-policy-routing shows valid IP addresses for both tunnels. The logs are as follows:
root@Gandalf:/etc/config# /etc/init.d/vpn-policy-routing reload
Creating table 'wan/192.168.178.1' [✓]
Creating table 'szvpn/10.10.100.5' [✓]
Creating table 'hkvpn/10.10.200.5' [✓]
Routing 'szvpn' via szvpn [✓]
Routing 'MiTV' via hkvpn [✓]
Routing 'Enigma' via hkvpn [✓]
vpn-policy-routing 0.0.3-3 running on OpenWrt 18.06.2. WAN (IPv4): wan/dev/192.168.178.1.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 192.168.178.1 0.0.0.0 UG 10 0 0 eth0.2
IPv4 Table 201: default via 192.168.178.1 dev eth0.2
IPv4 Table 201 Rules:
32747: from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.10.100.9 dev tun-szvpn
IPv4 Table 202 Rules:
32746: from all fwmark 0x20000 lookup 202
IPv4 Table 203: default via 10.10.200.5 dev tun-hkvpn
IPv4 Table 203 Rules:
32745: from all fwmark 0x30000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.30.0/24 -m comment --comment Enigma -c 6 552 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 192.168.30.121/32 -m comment --comment MiTV -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 192.168.20.0/24 -m comment --comment szvpn -c 5 501 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set hkvpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m dscp --dscp 0x04 -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set szvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m dscp --dscp 0x03 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m dscp --dscp 0x01 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create szvpn hash:net family inet hashsize 1024 maxelem 65536 comment
create hkvpn hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
It can of course be a problem in my interfaces, but I have actually not changed anything from the past. I would like some suggestions on how to start debugging, since I am kind of stuck.
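The diagnostic output above shows the three links that policy routing depends on: a MARK rule in VPR_PREROUTING sets a fwmark (value/mask), an `ip rule` entry sends packets with that fwmark to a numbered table, and that table holds a default route via the tunnel device. If any link is missing, packets are marked but still routed by the main table. The following is an added example, not part of the thread or of the vpn-policy-routing package: it parses the two sections of such output and reports marks that lead nowhere. The sample input is constructed from the lines in the post, plus one invented `0x40000` rule so the check has something to flag.

```python
import re

# Constructed sample: "Routes/IP Rules" section as printed by the thread's
# diagnostic output (same format as `ip rule show` for the rule lines).
SAMPLE_RULES = """\
IPv4 Table 201: default via 192.168.178.1 dev eth0.2
IPv4 Table 201 Rules:
32747: from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.10.100.9 dev tun-szvpn
IPv4 Table 202 Rules:
32746: from all fwmark 0x20000 lookup 202
IPv4 Table 203: default via 10.10.200.5 dev tun-hkvpn
IPv4 Table 203 Rules:
32745: from all fwmark 0x30000 lookup 203
"""

# Constructed sample: `iptables -S VPR_PREROUTING`-style lines. The last rule
# (mark 0x40000) is invented; no table or ip rule exists for it.
SAMPLE_IPTABLES = """\
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.30.0/24 -m comment --comment Enigma -c 6 552 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 192.168.20.0/24 -m comment --comment szvpn -c 5 501 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m dscp --dscp 0x04 -c 0 0 -j MARK --set-xmark 0x40000/0xff0000
"""

TABLE_RE = re.compile(r"^IPv4 Table (\d+): default via (\S+) dev (\S+)")
RULE_RE = re.compile(r"^\d+: from all fwmark (0x[0-9a-fA-F]+) lookup (\d+)")
MARK_RE = re.compile(r"^-A VPR_PREROUTING (.*) -j MARK --set-xmark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)$")


def parse_routes(text):
    """Return ({table: (gateway, dev)}, {fwmark: table}) from the routes section."""
    tables, lookups = {}, {}
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            tables[int(m.group(1))] = (m.group(2), m.group(3))
            continue
        m = RULE_RE.match(line)
        if m:
            lookups[int(m.group(1), 16)] = int(m.group(2))
    return tables, lookups


def parse_marks(text):
    """Return [(match_description, mark, mask)] for every MARK rule in the chain."""
    marks = []
    for line in text.splitlines():
        m = MARK_RE.match(line)
        if m:
            # Drop the packet/byte counters; they are not part of the match.
            match = re.sub(r" -c \d+ \d+", "", m.group(1))
            marks.append((match, int(m.group(2), 16), int(m.group(3), 16)))
    return marks


def audit(routes_text, iptables_text):
    """Cross-check every MARK rule against the ip rules and routing tables.

    Returns (resolved, findings): resolved lists (match, mark, table, dev) for
    marks that reach a table with a default route; findings describe breaks.
    """
    tables, lookups = parse_routes(routes_text)
    resolved, findings = [], []
    for match, mark, mask in parse_marks(iptables_text):
        if mark & mask != mark:
            findings.append(f"mark {mark:#x} is not inside mask {mask:#x}: {match}")
            continue
        table = lookups.get(mark)
        if table is None:
            findings.append(f"no ip rule looks up fwmark {mark:#x}: {match}")
        elif table not in tables:
            findings.append(f"fwmark {mark:#x} selects table {table}, which has no default route")
        else:
            resolved.append((match, mark, table, tables[table][1]))
    return resolved, findings


if __name__ == "__main__":
    ok, problems = audit(SAMPLE_RULES, SAMPLE_IPTABLES)
    for match, mark, table, dev in ok:
        print(f"OK   {mark:#x} -> table {table} via {dev}: {match}")
    for problem in problems:
        print(f"FAIL {problem}")
```

On a live router the two inputs come from the same diagnostic output, or from `ip rule show` and `iptables -t mangle -S VPR_PREROUTING`. One caveat the check does not cover: an `ip rule ... fwmark 0x10000` entry without a `/mask` compares the whole 32-bit mark, so if another tool sets bits outside 0xff0000 on the same packets, the rule will not match even though the audit reports the link as intact.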
Thanks so much for your quick reply! I am not sure where you can see traffic flowing based on my output... but you did give me an idea. I have run
iptables -L -v -n
to see the traffic flow, and the output is very strange. I see traffic incrementing with time on various relevant rules. But after some time, the counters reset to zero.
I have cleared DNS as per your request, but I don't think this is the problem. I can't even ping 8.8.8.8 from a network routed through a tunnel. I can ping it however from the network that doesn't go out via a vpn.
I am about to flash back 18.06.01 to see if this is the problem. But before doing this, are there any logs or information you would like to have, in case this happens to be a compatibility issue with your extension?
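The counter observation in this post is worth pinning down, because an idle rule (counters at zero and staying there) and a chain that was flushed and rebuilt (counters that went backwards) look the same in a single `iptables -L -v -n` listing. The following is an added example, not code from the thread or from vpn-policy-routing: it diffs two snapshots of the chain and reports only rules whose counters decreased or disappeared. It assumes the listing was taken with `-x` (exact counters instead of 1234K-style abbreviations) from the mangle table, where MARK rules live; both snapshots are constructed, with the first counters taken from the post and the second invented to show a reset.

```python
# Constructed snapshot in the format of `iptables -t mangle -L VPR_PREROUTING -v -n -x`.
SNAPSHOT_BEFORE = """\
Chain VPR_PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       6      552 MARK       all  --  *      *       192.168.30.0/24      0.0.0.0/0            /* Enigma */ MARK xset 0x30000/0xff0000
       5      501 MARK       all  --  *      *       192.168.20.0/24      0.0.0.0/0            /* szvpn */ MARK xset 0x20000/0xff0000
       0        0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set wan dst MARK xset 0x10000/0xff0000
"""

# Constructed second snapshot: Enigma kept counting, szvpn went back to zero
# (chain rebuilt in between), the wan ipset rule simply never matched.
SNAPSHOT_AFTER = """\
Chain VPR_PREROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      41     3810 MARK       all  --  *      *       192.168.30.0/24      0.0.0.0/0            /* Enigma */ MARK xset 0x30000/0xff0000
       0        0 MARK       all  --  *      *       192.168.20.0/24      0.0.0.0/0            /* szvpn */ MARK xset 0x20000/0xff0000
       0        0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set wan dst MARK xset 0x10000/0xff0000
"""


def parse_counters(text):
    """Map each rule (whitespace-normalised text after the counters) to (pkts, bytes)."""
    counters = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        # Header lines ("Chain ...", "pkts bytes ...") do not start with a number.
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pkts, nbytes, rule = parts
        counters[" ".join(rule.split())] = (int(pkts), int(nbytes))
    return counters


def counter_regressions(before_text, after_text):
    """Return [(rule, reason)] for rules whose counters went backwards or vanished.

    A rule that stays at 0/0 is idle, not a regression; only a decrease signals
    that the chain was flushed and recreated between the two snapshots.
    """
    before = parse_counters(before_text)
    after = parse_counters(after_text)
    regressions = []
    for rule, (p0, b0) in before.items():
        if rule not in after:
            regressions.append((rule, "rule no longer present"))
            continue
        p1, b1 = after[rule]
        if p1 < p0 or b1 < b0:
            regressions.append((rule, f"counters went from {p0}/{b0} to {p1}/{b1}"))
    return regressions


if __name__ == "__main__":
    for rule, reason in counter_regressions(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"RESET  {reason}: {rule}")
```

Taking the two snapshots a minute apart while a client behind the affected subnet generates traffic answers the question this post raises: if the rule never counts, the packet is not reaching the mark rule at all; if it counts and then drops back, something is recreating the chain, and the timing of that reset is what to correlate with interface events in the system log.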
After doing a fresh OpenWrt install, now I am getting the following error:
vpn-policy-routing 0.0.3-3 stopped [✓]
Creating table 'wan/192.168.178.1' [✓]
Creating table 'szvpn/10.10.100.21' [✓]
Creating table 'hkvpn/10.10.200.9' [✓]
ERROR: vpn-policy-routing 0.0.3-3 failed to set up any interface!
vpn-policy-routing 0.0.3-3 monitoring interfaces: wan szvpn hkvpn [✓]
What could cause an error in creating the tables? Is there any way I can see the actual commands issued via ip route, so that I can debug on the command line?
Thanks!
Edit:
I have found this problem. Apparently I also needed to install iptables-mod-ipopt.
@stangri It took me a lot of debugging, so maybe it would be useful to add it to your list of dependencies.
Just thinking about some VPN options and would like some feedback on the following:
Rather than purchasing a more powerful OpenWrt host, utilise the CPU HP sitting mainly idle in my file server as the VPN termination and forward traffic accordingly to/from it via the OpenWrt gateway.
i.e. the VPN gateway is behind the OpenWrt firewall.
internet .... OpenWrt ..... server/VPN termination.
Is it possible to configure VPN policy-based routing where the VPN gateway is inside the local network rather than on the OpenWrt firewall?
Yes, I'm aware there may be security issues with terminating VPN traffic on the local LAN.
Just seems a waste to have oodles of CPU horsepower unused while potentially overloading the OpenWrt device for a VPN.
Saw that thanks.
Still have a question regarding policy-based routing as it currently is: would it support the VPN on a different device, i.e. not an interface on the same machine the VPN service is running on?
Redirection isn't the issue; it's where it sits in the traffic stream relative to the policy routing.
I think it will only be possible if your current device is connected to the other one, which has the VPN, and gets internet from that device. In that case your current device will have an interface as WAN, maybe, which can be set up in policy-based routing. But then you'll have to use your current device as your gateway if you want this to work.
@stangri
Thanks for fixing the problem with the modem IP not showing up. (https://github.com/stangri/openwrt_packages/issues/33)
With version 0.0.4-0 I'm able to use "strict enforcement" + "supported interface (in my case modem)" and everything works as it should.
Not for a while. I need to be able to test myself or get a bunch of reports on the IPv6 functionality. Sadly neither my ISP nor my VPN provider is in any hurry to implement IPv6.