VPN Policy-Based Routing + Web UI -- Discussion

@ahmar16 I tried it out and unfortunately that didn't work. No traffic at all to the Pi-hole.

Thanks for the suggestion though.

Hopefully someone else has some ideas??

This is my current config

Hi @stangri,

Ok, I changed this second rule to exclude the router (which is in fact 10.0.0.1); the rule is now 10.0.0.128/25, which covers the IP range 10.0.0.129-254, and I've adjusted my DHCP leasing to match. However, all devices connected to my router in this range are still exhibiting the same issue: navigating to google works, amazon not :(

vpn-policy-routing: config

config policy
	option chain 'PREROUTING'
	option local_address '10.0.0.50/32'
	option interface 'openvpn'
	option proto 'tcp udp'
	option name 'vpn'

config policy
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'wan_reserve'
	option local_address '10.0.0.64/26'
	option proto 'tcp udp'

config policy
	option chain 'PREROUTING'
	option interface 'wan'
	option proto 'tcp udp'
	option local_address '10.0.0.128/25'
	option name 'wan_lease'

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option strict_enforcement '1'
	option boot_timeout '30'
	option dnsmasq_enabled '1'
	option enabled '1'

vpn-policy-routing: status

root@openwrt:~# /etc/init.d/vpn-policy-routing status
vpn-policy-routing 0.0.5-0 running on OpenWrt 18.06.2.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Routes/IP Rules
default 10.8.1.1 128.0.0.0 UG 0 0 0 tun0
default 42-2-XXX-XXX.st 0.0.0.0 UG 0 0 0 eth1
IPv4 Table 201: default via 42.2.XXX.XXX dev eth1
IPv4 Table 201 Rules:
32753: from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.8.1.1 dev tun0
IPv4 Table 202 Rules:
32752: from all fwmark 0x20000 lookup 202
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.0.0.50/32 -m comment --comment vpn -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -s 10.0.0.50/32 -m comment --comment vpn -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -s 10.0.0.128/25 -m comment --comment wan_lease -c 3562 630245 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 10.0.0.128/25 -m comment --comment wan_lease -c 3570 630604 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 10.0.0.64/26 -m comment --comment wan_reserve -c 641 100199 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 10.0.0.64/26 -m comment --comment wan_reserve -c 642 100401 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
IP Tables FORWARD
-N VPR_FORWARD
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
IP Tables INPUT
-N VPR_INPUT
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
IP Tables OUTPUT
-N VPR_OUTPUT
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create openvpn hash:net family inet hashsize 1024 maxelem 65536 comment
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please let me know of any other outputs I can provide to help troubleshoot this further. Thanks!
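The status dump above is the most useful evidence in this post: the per-rule counters (`-c packets bytes`) show which VPR policies are actually matching traffic, and every policy appears twice in VPR_PREROUTING. The following POSIX sh snippet is an added example, not part of the thread or of the vpn-policy-routing package: it summarises a VPR_PREROUTING rule dump per policy and lists zero-hit and duplicated policies. The sample rules are copied from the status output above; the `iptables -t mangle -S VPR_PREROUTING -v` usage line assumes the chain lives in the mangle table, which is where MARK targets normally go.

```shell
#!/bin/sh
# Added example (not from the thread): summarise VPR_PREROUTING rules per policy.
# Sample rules constructed from the status output quoted in this thread.
SAMPLE_RULES='-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.0.0.50/32 -m comment --comment vpn -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -s 10.0.0.50/32 -m comment --comment vpn -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -s 10.0.0.128/25 -m comment --comment wan_lease -c 3562 630245 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 10.0.0.128/25 -m comment --comment wan_lease -c 3570 630604 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 10.0.0.64/26 -m comment --comment wan_reserve -c 641 100199 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 10.0.0.64/26 -m comment --comment wan_reserve -c 642 100401 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000'

# One line per policy, sorted by name: name source packets bytes rule_count mark
# Rules keyed by an ipset (-m set) carry no comment, so they are named "set:<ipset>".
vpr_summary() {
    printf '%s\n' "$1" | awk '
    $1=="-A" && $2=="VPR_PREROUTING" {
        src="-"; name=""; pk=0; by=0; mark="-"
        for (i=3; i<=NF; i++) {
            if ($i=="-s") src=$(i+1)
            else if ($i=="--comment") name=$(i+1)
            else if ($i=="--match-set") { name="set:" $(i+1); src="ipset" }
            else if ($i=="-c") { pk=$(i+1)+0; by=$(i+2)+0 }
            else if ($i=="--set-xmark") mark=$(i+1)
        }
        if (name=="") next
        cnt[name]++; pkts[name]+=pk; bytes[name]+=by; srcs[name]=src; marks[name]=mark
    }
    END { for (n in cnt) printf "%s %s %d %d %d %s\n", n, srcs[n], pkts[n], bytes[n], cnt[n], marks[n] }' \
    | LC_ALL=C sort
}

# Policies that have matched no packets since the counters were last reset
vpr_zero_hit() { vpr_summary "$1" | awk '$3==0 {print $1}'; }

# Policies whose rule appears more than once in the chain
vpr_duplicated() { vpr_summary "$1" | awk '$5>1 {print $1}'; }

# On the router itself (assumed mangle table):
#   vpr_summary "$(iptables -t mangle -S VPR_PREROUTING -v)"
vpr_summary "$SAMPLE_RULES"
```

Run against the quoted output, the summary shows the `vpn` policy for 10.0.0.50 with zero packets, so that host's traffic is not reaching the PREROUTING mark rule at all, while both WAN policies are counting; it also reports each policy as inserted twice, which is worth mentioning when reporting the issue.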

@dk4dk4 & cybrnook Thanks for your input, but I believe there might be some confusion. I'm not using dynamic IP rules or domain name rules in VPR; it's a simple local IP rule that directs a certain machine (via its IP address) over the VPN, while all other local IP traffic goes over the WAN.

Cheers, D

Hi @shaneog,

Did you ever resolve this? I appear to be having a similar issue??

Thx, D

Hi @nydssa,

Did you ever resolve this? I appear to be having a similar issue??

Thx, D

Hi @stangri,

I'm running vpn-policy-routing 0.0.5-0 and mostly everything is working fine (thank you).

I have a wireguard interface with a number of peers, 2 of which I should be able to route through. Only one of them is being detected as a valid route (wg0/10.1.2.5). Is there a conf setting somewhere to get it to detect the other route (wg0/10.1.2.3)?

The detected peer has Allowed IPs of 192.168.1.0/24 and 10.1.2.5/32 and "Route Allowed IPs" set, to create the route to 192.168.1.0/24. The undetected peer has Allowed IPs of 0.0.0.0/0 and 10.1.2.3/32, but "Route Allowed IPs" isn't set as I don't want to set the default route through wg0.

Thanks in advance for any conf pointers.

Tim

Any chance you could set it up as two different interfaces with one peer each?

1 Like

According to the counts in the rule, some traffic does get sent over WAN on port 53.

There are so many variables on DNS configuration, it's impossible to offer a solid suggestion based on VPR config alone.

1 Like

Thanks @stangri. I currently use a port forward to get it working. I was hoping to add VPR to detect if the remote Pi-hole server was unreachable and revert to my ISP's DNS automatically.

Thanks for checking it out I appreciate it.

Hi @stangri,

Just an update on my issue;

  • I did a complete fresh install, this time putting VPR on first, and setting my policies (as in the previous post, now with the router not encapsulated in the rules); at this point all domains (incl. amazon/netflix) resolve [all VPR policies point to WAN].
  • I then installed openvpn [tun0, interface name VPN] and set the first VPR policy to the new interface. Everything is working as expected: that device is on the VPN and the rest aren't, AND more importantly sites like amazon and netflix are still resolving via the WAN interface.
  • Now here is the strange bit... I changed the VPR policy for one of the others, pointing it to VPN to check if it routes over the VPN, which it does, BUT when I point it back to the WAN, I can no longer resolve amazon or netflix websites :( The only way I could fix it was to do a full re-install again.

I'm not sure this last point sheds any light on the issue; happy to send over more configs if you think so.

At the moment, it's obviously working, and I just won't change the interfaces in VPR again so that I don't break it again - not the best outcome, but it might have to suffice as this one could be difficult to find the source of the problem.

Thanks,
Dewey

I'm having some trouble with VPN Policy-Based Routing and my dedicated VPN-Device in my Network.
The problem is that if the VPN policy-based routing service is running I receive timeouts when trying to connect to my VPN device (via DynDNS address), but if the service is disabled I can connect without any problems...

I do have no idea what kind of policy I would need to fix the problem so it would be great if someone could help me with this.

OpenWRT: 192.168.1.1, VPN-Device (local IP): 192.168.1.11 (WebGUI at 192.168.178.1).
If I connect via VPN I'm receiving a local IP address from a different subnet (192.168.178.x) and can browse the internet with my WAN IP and access everything on my normal LAN. I'm also able to access the Web GUI (192.168.178.1) of my VPN device when connected over VPN.

Does your router have a routing via VPN-Device?

VPR was designed to be used on a router running WAN and VPN connections, I'm not sure how well it may work with the dedicated VPN device.

My dedicated VPN device is basically an ordinary router configured in IP client mode with its own firewall and own subnet for the VPN connection. I'm using the VPN software of the router vendor and had to configure two port forwards (UDP 500, UDP 4500) from my main to the VPN router to be able to establish the connection.

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '500'
	option dest_port '500'
	option name 'VPN1'
	option dest_ip '192.168.1.11'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '4500'
	option dest_port '4500'
	option name 'VPN2'
	option dest_ip '192.168.1.11'

Anyway, I just figured out that the timeout only occurs if I try to establish the VPN connection over my own WAN IP; I was able to establish the connection over my friend's internet/WAN IP while VPR was running.

Conclusion: The VPR service doesn't block any incoming or outgoing connections to my VPN device if the connection is coming from any other WAN IP than my own!

Therefore I don't have a real problem anymore, but I would still like to understand why I'm not able to connect from my own WAN IP to my VPN device while the VPR service is running on my main router. Could it be a problem with NAT Loopback and the VPR service? I ticked "Enable NAT Loopback" on both VPN forwards which were needed to establish the VPN connection...

I'm using aria2 on my router. Is there any way to use VPN Policy-Based Routing to force aria2 (or any other app) use WAN interface, not OpenVPN?

@Soberia
I guess that should work via "Policies based on local ports numbers"...

1 Like

Create policies in the OUTPUT chain for stuff which runs on the router. I'm not sure if the blanket policy for the router would work, like @Kherby said, you should probably start with the port number policy.

1 Like

Added an option for custom user files: https://github.com/stangri/openwrt_packages/blob/master/vpn-policy-routing/files/README.md#custom-user-files. Useful if you want to add things to ipsets created/used by VPR (like @bolvan asked a while ago).

2 Likes

@stangri

In your README there are a couple of errors concerning:

list pull_filter='ingore "redirect-gateway"'

Ignore (ingore) is a typo and there is no equal sign required.

It works for me on a WRT3200ACM with Davidc502's latest OpenWRT build using the OpenVPN client with PIA with the following format:

list pull_filter 'ignore "redirect-gateway"'

Note double quotes inside of single quotes.

It is not supported by the LuCI OpenVPN page that I can find, but I added it to the OpenVPN config file (/etc/config/openvpn) manually and it seems to work OK.

2 Likes

Thanks, pushed update to github.

hello stangri,

I have just set up my OpenVPN.
I can connect to the OpenVPN server and get a tun0 interface.
I want some IPs on my LAN to be able to access the VPN. The default routing for all IPs on my LAN was routed to the VPN.
How do I give internet access via the VPN to only some IPs?
I just heard this package can do that.
I tried to add your repo, but after opkg update it failed.. it seems the repo URL is no longer available.
Please help me...

This script recreates the config file for those who lose that file sometimes.
First make a backup of the config file:

cp -v /etc/config/vpn-policy-routing /etc/config/vpn-policy-routing.bak

And put the script below in "/etc/config/script.sh":

#!/bin/sh
# VPN Policy Routing Auto-Restart
# If the config no longer says "option enabled '1'" (file lost or emptied),
# restore the backup, re-enable the service and start it.
# Note: this also fires if you deliberately disable VPR, since it cannot tell
# a lost file from an intentional "enabled '0'".
if grep -q "option enabled '1'" /etc/config/vpn-policy-routing 2>/dev/null; then
       logger "[VPN Policy Routing is Running]"
else
       cp -v /etc/config/vpn-policy-routing.bak /etc/config/vpn-policy-routing
       uci set vpn-policy-routing.config.enabled=1; uci commit vpn-policy-routing;
       /etc/init.d/vpn-policy-routing start
fi

Then add this line to cron by editing "/etc/crontabs/root":

*/1 * * * * /bin/sh /etc/config/script.sh
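Restoring a backup from cron every minute only helps if the backup itself is sane: a stale or truncated copy is restored just as readily as a good one. The POSIX sh snippet below is an added example, not code from this thread or from the vpn-policy-routing package. It parses a vpn-policy-routing UCI file and refuses it when any `config policy` stanza lacks a name, interface or chain, which is the check a practitioner would run before (or inside) the restore step. The sample config is constructed from the policies quoted earlier in this thread; `vpr_check` is an assumed helper name.

```shell
#!/bin/sh
# Added example (not from the thread): validate a vpn-policy-routing UCI file
# before trusting it as a restore source.
# Sample config constructed from policies quoted earlier in this thread.
SAMPLE_CFG="config policy
	option chain 'PREROUTING'
	option local_address '10.0.0.50/32'
	option interface 'openvpn'
	option proto 'tcp udp'
	option name 'vpn'

config policy
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'wan_reserve'
	option local_address '10.0.0.64/26'
	option proto 'tcp udp'

config vpn-policy-routing 'config'
	option enabled '1'
"

# Print one line per policy stanza: name interface chain ("-" marks a missing value).
vpr_policies() {
    printf '%s\n' "$1" | awk -v q="'" '
    function flush() {
        if (inpol) printf "%s %s %s\n", (name != "" ? name : "-"), (iface != "" ? iface : "-"), (chain != "" ? chain : "-")
    }
    $1 == "config" { flush(); inpol = ($2 == "policy"); name = ""; iface = ""; chain = ""; next }
    inpol && $1 == "option" {
        v = $3; gsub("^" q "|" q "$", "", v)   # strip the surrounding single quotes
        if ($2 == "name") name = v
        else if ($2 == "interface") iface = v
        else if ($2 == "chain") chain = v
    }
    END { flush() }'
}

# Return 0 when every policy has a name, interface and chain; otherwise list the
# offending stanzas on stderr and return 1.
vpr_check() {
    bad=$(vpr_policies "$1" | awk '$1 == "-" || $2 == "-" || $3 == "-"')
    if [ -n "$bad" ]; then
        printf 'incomplete policy (name interface chain): %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Typical use before restoring on the router:
#   vpr_check "$(cat /etc/config/vpn-policy-routing.bak)" && cp /etc/config/vpn-policy-routing.bak /etc/config/vpn-policy-routing
vpr_policies "$SAMPLE_CFG"
vpr_check "$SAMPLE_CFG" && echo "config OK"
```

Only the three options that make a policy meaningful are checked here; if the restore target should also be pinned to an exact copy, compare a stored checksum of the backup as well rather than relying on the `option enabled '1'` grep alone.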