VPN Policy-Based Routing + Web UI -- Discussion


#353

@stangri, do you need access to ipv6 vpn ? I can provide you wireguard vpn access with a /64 prefix.


#354

@stangri I think there's a problem with 3rd level domains because they are not working for me. I am using VPR on a TpLink TD-W8980 and I have to use twitter through a VPN, but if I only put twitter.com in the remote address I can't access twitter content even though I have installed the dnsmasq-full package in the router. In any case I have to put api.twitter.com twitter.com twimg.com to access twitter properly, otherwise it doesn't work. Can you advise anything for this?

Edit: I also would appreciate it if you put the VPR at position 99 in /etc/init.d/ because on some routers the LEDs don't turn on, since VPR keeps halting the boot when it can't find a WAN connection, such as in the case of an ADSL router. I usually disable the VPR after installing it, edit the init script manually with 99 instead of 94 and then enable it again.


#355

README has the list of information needed to get proper help.

As far as I remember 94 is the recommended highest setting (forgot the reasons).

As in the device wouldn't boot at all, because VPR is waiting for WAN and the WAN connection doesn't get established at all? VPR times out after about 50 seconds if it can't find the WAN connection; I can shorten it down to like 4-5 seconds if you could test whether it then gets restarted on WAN up (like I expect it should).


#356

Hi PatrioTek

I had posted 'ram-root' script before. Somehow, I think, it was removed from the archive. If you still need it, I can provide an improved version.
I am planning to post it again by adding the usb storage option.


#357

Yes README only suggests to use dnsmasq-full, which I am using but still need to add 3rd level domains myself in order for them to work. Do they work for you?

Yes, that is right. If you know how the init process works, it executes all the scripts in order, so when it reaches VPR it cannot go forward unless VPR exits, and it doesn't exit because it can't find WAN at that point, so it stays there for more than a minute, at least for me, because I have ADSL and the adsl_control script gets executed at 97. So I think lowering the timeout to 5 seconds at startup would be great for most users, including me. Thanks


#358

They do.

Please update to VPR 0.0.4-1 (should be up in minutes) and let me know how it works.


#359

I'm also seeing this. As I was away for 2 weeks I didn't have time to experiment, but starting with v3 something has changed... I'll find time in the next few days to compare v2 and the current v4.


#360

How can I install older versions? I have some odd issues but I want to try older versions before I post.


#361

No it's not working for me even after the update.

Edit: @stangri Also, after the update VPR doesn't start automatically anymore. I have it enabled under System -> Startup and also enabled it from config, but it doesn't start. I have to manually start it each time the router reboots. But the boot is normal and it doesn't get halted anymore. Please optimize the behavior of VPR so it doesn't halt the boot and also gets started properly on bootup. Thank you for your efforts though, really appreciate it.


#362

The repository is a github repo, the list of updated packages is in the comments of each commit. You can manually pull the needed version from the specific commit and then --force-downgrade it.


#363

Please try VPR 0.0.4-2, also, please post the output of logread -e policy if it doesn't automatically start, before you start it manually.


#364

Alright, I upgraded to version 0.0.4-2 but it's the same behavior for me after the reboot.

This is the log:

root@AhmarRouter:~# logread -e policy
Thu Feb 28 11:26:37 2019 user.notice ucitrack: Setting up /etc/config/firewall reload dependency on /etc/config/vpn-policy-routing
Thu Feb 28 11:26:40 2019 user.notice vpn-policy-routing [2419]: service waiting for wan gateway...
Thu Feb 28 11:26:42 2019 user.notice vpn-policy-routing [2419]: service waiting for wan gateway...
Thu Feb 28 11:26:45 2019 user.notice vpn-policy-routing [2419]: ERROR: service failed to discover WAN gateway!
Thu Feb 28 11:26:45 2019 user.notice vpn-policy-routing [2419]: service waiting for wan gateway...
Thu Feb 28 11:26:48 2019 user.notice vpn-policy-routing [2419]: service waiting for wan gateway...
Thu Feb 28 11:26:50 2019 user.notice vpn-policy-routing [2419]: ERROR: service failed to discover WAN gateway!

#365

Thanks stangri, I installed version 2 and all is well now.

My issue with v4 was that even with no policies defined some websites would not load. For example lbc.co.uk. If I kill the vpn policy service it worked fine. V2 is working good though.

My default route is wan not vpn.

Cheers


#366

In 0.0.4-4 I've introduced the boot_timeout option. You can set it to 0 to skip waiting for WAN to settle. In your case you may also want to specify all interfaces you want VPR to work on in supported_interface option. I hope then the proper triggers will be set up even if WAN is not discovered during boot.


#367

In my case proper triggers are not being set for some reason. I have tried to set the supported interfaces explicitly but it doesn't start at boot. I also changed the timeout option between 0 and 15, but once it goes down at boot, failing to find any wan interface, it doesn't start again. Also the 3rd level domains issue is still there, at least for me. Thank you

Edit: I am getting errors:

root@AhmarRouter:~# service vpn-policy-routing reload
Creating table 'wan/182.176.1.48' sh:  : out of range
[✓]
Creating table 'vpn/10.211.1.54' [✓]
Routing 'Twtr' via vpn [✓]
Routing 'CC' via vpn [✓]
Routing 'Hub' via vpn [✓]
Routing 'TT' via vpn [✗]
vpn-policy-routing 0.0.4-4 started on wan/182.176.1.48 vpn/10.211.1.54 with errors [✗]
ERROR: iptables -t mangle -I VPR_PREROUTING 1 -j MARK --set-xmark 0x020000/0xff0000 -s 192.168.1.1/24  -d twimg.com  -m comment --comment TT

vpn-policy-routing 0.0.4-4 monitoring interfaces: wan vpn [✓]

My config is as:

root@AhmarRouter:~# cat /etc/config/vpn-policy-routing

config policy
        option chain 'PREROUTING'
        option interface 'vpn'
        option remote_address 'twitter.com'
        option name 'Twtr'
        option proto 'tcp'
        option local_address '192.168.1.1/24'

config policy
        option proto 'tcp'
        option chain 'PREROUTING'
        option name 'CC'
        option remote_address 'curiouscat.me'
        option interface 'vpn'
        option local_address '192.168.1.1/24'

config policy
        option chain 'PREROUTING'
        option name 'Hub'
        option interface 'vpn'
        option remote_address 'phncdn.com'
        option local_address '192.168.1.1/24'
        option proto 'tcp'

config policy
        option proto 'tcp'
        option chain 'PREROUTING'
        option name 'TT'
        option local_address '192.168.1.1/24'
        option remote_address 'twimg.com'
        option interface 'vpn'

Why am I getting errors?
Also I would like to know what the appropriate way to add a rule into the config would be. For example, if I want to route google.com through vpn, how do I input it into the config so that whatever local or remote port is used, whatever protocol is used, and in all of my network, google.com goes through vpn?

Edit: I have finally made it to work with 3rd level domains. The trick is to use only one address in remote address field. Such as twitter.com and provide a local address and name and it's working. I don't need to put twimg.com there because it just works without it for now. I'm not sure if it will be working long term but I'll have to do more tests on it.

Edit 2: 3rd level domains do not really work; at least the traffic doesn't pass through the VPN as it should according to the config.


#368

I am new to OpenWrt and VPN Policy Based routing and just started using the GL-iNet GL-AR750s travel router. Everything is installed and working correctly from a travel router and VPN connectivity perspective. The issue I am having is that when trying to set up a VPN routing policy I always get the error "unknown interface: wan!". The goal is to bypass the VPN for traffic destined to a specific IP address (or domain name). I get the same error whether I use the destination IP or host name.

root@GL-AR750S:~# cat /etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option strict_enforcement '1'
        option boot_timeout '30'
        option dnsmasq_enabled '1'
        option enabled '1'

config policy
        option chain 'PREROUTING'
        option name 'test'
        option remote_address '74.112.244.7'
        option interface 'wan'
        option proto 'tcp udp'

root@GL-AR750S:~# /etc/init.d/vpn-policy-routing status

vpn-policy-routing 0.0.4-4 running on OpenWrt 18.06.1. WAN (IPv4): wwan/dev/172.31.2.1.
============================================================
Dnsmasq version 2.80test2  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.15.10.5      128.0.0.0       UG    0      0        0 tun0
default         172.31.2.1      0.0.0.0         UG    20     0        0 wlan-sta
IPv4 Table 201: default via 172.31.2.1 dev wlan-sta
IPv4 Table 201 Rules:
1001:   from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.15.10.5 dev tun0
IPv4 Table 202 Rules:
1000:   from all fwmark 0x20000 lookup 202
IPv4 Table 203:
IPv4 Table 203 Rules:
IPv4 Table 204:
IPv4 Table 204 Rules:
IPv4 Table 205:
IPv4 Table 205 Rules:
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set ovpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create mwan3_connected_v4 hash:net family inet hashsize 1024 maxelem 65536
add mwan3_connected_v4 127.0.0.1
add mwan3_connected_v4 192.168.8.0/24
add mwan3_connected_v4 10.15.10.5
add mwan3_connected_v4 193.37.253.82
add mwan3_connected_v4 10.15.10.1
add mwan3_connected_v4 172.31.2.61
add mwan3_connected_v4 192.168.8.255
add mwan3_connected_v4 127.255.255.255
add mwan3_connected_v4 172.31.2.255
add mwan3_connected_v4 172.31.2.0
add mwan3_connected_v4 192.168.8.0
add mwan3_connected_v4 172.31.2.0/24
add mwan3_connected_v4 10.15.10.6
add mwan3_connected_v4 192.168.8.1
add mwan3_connected_v4 127.0.0.0
add mwan3_connected_v4 224.0.0.0/3
add mwan3_connected_v4 127.0.0.0/8
add mwan3_connected_v4 128.0.0.0/1
add mwan3_connected_v4 0.0.0.0/1
create mwan3_connected_v6 hash:net family inet6 hashsize 1024 maxelem 65536
add mwan3_connected_v6 fe80::/64
add mwan3_connected_v6 fdf2:e58a:708e::/64
create wwan hash:net family inet hashsize 1024 maxelem 65536 comment
create ovpn hash:net family inet hashsize 1024 maxelem 65536 comment
create mwan3_connected list:set size 8
add mwan3_connected mwan3_connected_v4
add mwan3_connected mwan3_connected_v6
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@GL-AR750S:~#

root@GL-AR750S:~# /etc/init.d/vpn-policy-routing reload

Creating table 'wwan/172.31.2.1' [✓]
Creating table 'ovpn/10.15.10.5' [✓]
Routing 'test' via wan [✗]
vpn-policy-routing 0.0.4-4 started on wwan/172.31.2.1 ovpn/10.15.10.5 with errors [✗]
ERROR: policy 'test' has an unknown interface: wan!
vpn-policy-routing 0.0.4-4 monitoring interfaces: wwan ovpn [✓]
root@GL-AR750S:~#

#369

Pay attention to the extra 'w' in 'wwan'.


#370

I have been looking into just that. I noticed that network_find_wan (network.sh function) returns 'wwan' so I updated my vpn-policy-routing config to use the wwan interface instead of the wan interface. The policy now loads without issue but I cannot route traffic for the packets that are being tagged. When performing a tracert from a Windows host I get 'Destination protocol unreachable'.


#371

I've re-assigned wlan-sta interface to wan instead of wwan. The routing policy loads without issue now using the wan interface however marked packets are not routing outside the VPN, they appear to dead end on the router. I seem to be back in the same boat I was earlier when I had manually set the interface to wwan in the vpn-policy-routing config.

I am trying to figure out why marked packets are not routing out the wan, bypassing the VPN. Anyone have any ideas?

Also does the VPN Policy Based routing script need to be updated to support wwlan? Prior to re-assigning wan to wlan-sta I tried adding wwlan and wlan-sta to the Supported Interfaces list but it didn't alter the Interface options I could select for the policy.

Current config:

root@GL-AR750S:~# cat /etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option boot_timeout '30'
        option enabled '1'
        option strict_enforcement '1'
        option dnsmasq_enabled '0'

config policy
        option name 'test'
        option proto 'tcp udp'
        option chain 'PREROUTING'
        option remote_address '74.112.244.7/32'
        option interface 'wan'

root@GL-AR750S:~# /etc/init.d/vpn-policy-routing status
vpn-policy-routing 0.0.4-4 running on OpenWrt 18.06.1. WAN (IPv4): wan/dev/172.31.2.1.
============================================================
Dnsmasq version 2.80test2  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.28.10.5      128.0.0.0       UG    0      0        0 tun0
default         172.31.2.1      0.0.0.0         UG    0      0        0 wlan-sta
IPv4 Table 201: default via 172.31.2.1 dev wlan-sta
IPv4 Table 201 Rules:
994:    from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.28.10.5 dev tun0
IPv4 Table 202 Rules:
993:    from all fwmark 0x20000 lookup 202
IPv4 Table 203:
IPv4 Table 203 Rules:
IPv4 Table 204:
IPv4 Table 204 Rules:
IPv4 Table 205:
IPv4 Table 205 Rules:
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -d 74.112.244.7/32 -m comment --comment test -c 8 736 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 74.112.244.7/32 -m comment --comment test -c 8 736 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set ovpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create mwan3_connected_v4 hash:net family inet hashsize 1024 maxelem 65536
add mwan3_connected_v4 128.0.0.0/1
add mwan3_connected_v4 172.31.2.61
add mwan3_connected_v4 224.0.0.0/3
add mwan3_connected_v4 127.255.255.255
add mwan3_connected_v4 10.28.10.6
add mwan3_connected_v4 192.168.8.1
add mwan3_connected_v4 127.0.0.0/8
add mwan3_connected_v4 10.28.10.5
add mwan3_connected_v4 172.31.2.0/24
add mwan3_connected_v4 172.31.2.0
add mwan3_connected_v4 127.0.0.0
add mwan3_connected_v4 192.168.8.0/24
add mwan3_connected_v4 192.168.8.255
add mwan3_connected_v4 172.31.2.255
add mwan3_connected_v4 194.59.251.238
add mwan3_connected_v4 192.168.8.0
add mwan3_connected_v4 127.0.0.1
add mwan3_connected_v4 0.0.0.0/1
add mwan3_connected_v4 10.28.10.1
create mwan3_connected_v6 hash:net family inet6 hashsize 1024 maxelem 65536
add mwan3_connected_v6 fe80::/64
add mwan3_connected_v6 fdf2:e58a:708e::/64
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create ovpn hash:net family inet hashsize 1024 maxelem 65536 comment
create mwan3_connected list:set size 8
add mwan3_connected mwan3_connected_v4
add mwan3_connected mwan3_connected_v6
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]


root@GL-AR750S:~# /etc/init.d/vpn-policy-routing reload
Creating table 'wan/172.31.2.1' [✓]
Creating table 'ovpn/10.28.10.5' [✓]
Routing 'test' via wan [✓]
vpn-policy-routing 0.0.4-4 started on wan/172.31.2.1 ovpn/10.28.10.5 [✓]
vpn-policy-routing 0.0.4-4 monitoring interfaces: wan ovpn [✓]
root@GL-AR750S:~#


#372

Hi Stangri!
My setup is TUN default and WAN via rules.
Having an issue with remote domains in the rules.
When a remote domain is first added to the rules everything seems to work, after a few hours the URL stops resolving and the site is unreachable via WAN. I would assume the domain is resolving to a different IP compared to when the rule was added...

www.kijiji.ca is the site (it requires WAN to use the location based services)

-A VPR_PREROUTING -d 195.78.85.110/32 -m comment --comment Kijiji_www_kijiji_ca -c 0 0 -j MARK --set-xmark 0x10000/0xff0000

vpn-policy-routing 0.0.4-4 running on OpenWRT SNAPSHOT r9578-b4917fa. WAN (IPv4)
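Two failure modes in this thread can be checked mechanically from the VPR status dump: in #371 a mark is set in VPR_PREROUTING but marked packets dead-end on the router (and the 'test' rule was inserted twice), and in #372 a remote_address domain was rendered into a static `-d x.x.x.x/32` rule at insert time, so the rule goes stale once the domain resolves elsewhere. The following script is an added example, not part of the VPR project: it parses the `IPv4 Table N: default via ...`, `fwmark ... lookup ...` and `-A VPR_PREROUTING ...` lines in the format the status output above uses, and reports marks with no matching ip rule/table, duplicated rule lines, and /32 rules whose comment-named domain no longer resolves to that address. The sample status text is constructed from the thread's dumps plus one invented 0x30000 rule, the resolver snapshot (RESOLVED) stands in for a live DNS lookup, and the comment-to-domain mapping (POLICY_DOMAINS) is supplied by hand from the config rather than derived from VPR's naming scheme.

```python
"""Consistency checks over a VPR status dump (added example, not VPR code)."""
import re
import shlex

# Constructed sample: lines in the same format as the thread's status output.
SAMPLE_STATUS = """\
IPv4 Table 201: default via 172.31.2.1 dev wlan-sta
IPv4 Table 201 Rules:
994:    from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.28.10.5 dev tun0
IPv4 Table 202 Rules:
993:    from all fwmark 0x20000 lookup 202
IPv4 Table 203:
IPv4 Table 203 Rules:
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -d 74.112.244.7/32 -m comment --comment test -c 8 736 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 74.112.244.7/32 -m comment --comment test -c 8 736 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -d 195.78.85.110/32 -m comment --comment Kijiji_www_kijiji_ca -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set ovpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
"""

# Constructed: what the domain resolves to *now* (stands in for a live lookup).
RESOLVED = {"www.kijiji.ca": {"195.78.85.200"}}
# Hand-supplied from the config: rule comment -> domain the policy was written for.
POLICY_DOMAINS = {"Kijiji_www_kijiji_ca": "www.kijiji.ca"}

TABLE_RE = re.compile(r"^IPv4 Table (\d+): default via (\S+) dev (\S+)")
IPRULE_RE = re.compile(r"^\d+:\s+from all fwmark (0x[0-9a-fA-F]+) lookup (\d+)")


def parse_rule(line):
    """Extract destination, comment, ipset and mark from one iptables -S line."""
    toks = shlex.split(line)
    rule = {"raw": line, "dst": None, "comment": None, "mark": None, "set": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-d":
            rule["dst"] = toks[i + 1]
            i += 2
        elif tok == "--comment":
            rule["comment"] = toks[i + 1]
            i += 2
        elif tok == "--match-set":          # "--match-set <name> <dir>"
            rule["set"] = toks[i + 1]
            i += 3
        elif tok == "--set-xmark":          # "value/mask": keep the value only
            rule["mark"] = int(toks[i + 1].split("/")[0], 16)
            i += 2
        else:
            i += 1
    return rule


def parse_status(text):
    """Return (tables with a default route, fwmark->table map, VPR_PREROUTING rules)."""
    tables, marks, rules = {}, {}, []
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            tables[int(m.group(1))] = (m.group(2), m.group(3))
            continue
        m = IPRULE_RE.match(line)
        if m:
            marks[int(m.group(1), 16)] = int(m.group(2))
            continue
        if line.startswith("-A VPR_PREROUTING"):
            rules.append(parse_rule(line))
    return tables, marks, rules


def find_dead_marks(tables, marks, rules):
    """Rules whose mark has no ip rule, or whose table has no default route."""
    return [r["comment"] or r["set"] for r in rules
            if marks.get(r["mark"]) not in tables]


def find_duplicates(rules):
    """Rule lines inserted more than once (packet/byte counters ignored)."""
    seen, dups = set(), []
    for r in rules:
        key = re.sub(r" -c \d+ \d+", "", r["raw"])
        if key in seen:
            dups.append(r["comment"] or r["set"])
        seen.add(key)
    return dups


def find_stale(rules, policy_domains, resolved):
    """/32 rules whose domain (per policy_domains) no longer resolves to that IP."""
    stale = []
    for r in rules:
        domain = policy_domains.get(r["comment"])
        if domain is None or r["dst"] is None:
            continue
        ip = r["dst"].split("/")[0]
        current = resolved.get(domain, set())
        if ip not in current:
            stale.append((r["comment"], ip, sorted(current)))
    return stale


def run_checks(text=SAMPLE_STATUS, policy_domains=POLICY_DOMAINS, resolved=RESOLVED):
    tables, marks, rules = parse_status(text)
    return {"dead": find_dead_marks(tables, marks, rules),
            "duplicates": find_duplicates(rules),
            "stale": find_stale(rules, policy_domains, resolved)}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings)
```

On a router the same checks can be fed from `ip rule`, `ip route show table N` and `iptables -t mangle -S VPR_PREROUTING -c`; a stale finding is the symptom from #372 and suggests letting dnsmasq populate the interface ipsets (dnsmasq_enabled, with dnsmasq-full installed) instead of relying on a one-time resolution of the domain.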