VPN Policy-Based Routing + Web UI -- Discussion


Yes correct, if I stop VPR service I can access both sites via the VPN provider.

I've posted the requested output here:

Contents of `/etc/config/vpn-policy-routing`:

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option ipset_enabled '1'
        option dnsmasq_enabled '0'
        option strict_enforcement '1'
        option boot_timeout '30'
        option enabled '1'

config policy
        option chain 'PREROUTING'
        option proto 'tcp udp'
        option interface 'wan'
        option name 'LAN'
        option local_address ''

Output of /etc/init.d/vpn-policy-routing reload

Creating table 'wan/' [✓]
Creating table 'nordvpntun/' [✓]
Routing 'LAN' via wan [✓]
vpn-policy-routing 0.0.6-1 started on wan/ nordvpntun/ [✓]
vpn-policy-routing 0.0.6-1 monitoring interfaces: wan nordvpntun [✓]

I've uploaded the /etc/init.d/vpn-policy-routing status -p to paste.ee. Should I message you the URL?


Can you help here, Multiple Wifi Interface with L2TP Client

If you stop VPR and the VPN tunnel, can you access these sites over WAN?

If I stop VPR and the VPN tunnel I can't access any sites at all including these ones.


But when you run VPR you can't access these domains thru VPN either?

There was a bug which precluded VPR from cleaning up some jumps in the iptables which was fixed in the build you have, so you may want to reboot your router if you haven't yet after upgrading to the newest build.

Hi, thanks a lot for a great tool!
Just updated to 0.0.6-1.
My rules are lost. New rules don't work. The Luci "add" rule button doesn't work.

Here is a screenshot

Preferences are lost too.
Is there some way to go back to the previous build?

Hi, I just installed a VPN client (PIA) following the PIA guide. I don't know if it is the best, but I have some questions.

My purpose is to have only one ip of the lan under vpn so:
Router ->
Nas -> (this device must be under vpn)

Like I said, I configured the client with the PIA guide, which doesn't make a new firewall zone but edits the zone and adds the interface for pia_vpn to the wan. Is it best to make a new firewall zone, considering what I want to do?

I tried to take a look at the PBR interface but I think I need some help. I can't understand what I have to put in. I only want the NAS to reach the internet only if tun1 is active; it's like a kill-switch, right? But I can't understand how to do it.

Is it possible to get any advice?

Thanks, Jo

Yes, the repo is a github repo, you can browse earlier commits with earlier versions of VPR.

Do you remember which version did you upgrade from?
Did you upgrade the luci app? Which version of the luci-app-vpn-policy-routing do you have?
What's the content of /etc/config/vpn-policy-routing?

You need to configure your VPN client with its own firewall zone. Then make sure to configure it so it doesn't become the default gateway (check the README) and create a single policy for your NAS to route via VPN.

I feel like you may need some hand-holding thru the process, sorry, I can't help, but there are other users who may be able to (if you post in a separate thread), @vgaetera is one of the top VPN gurus on the forum.

Many thanks, I'll try and if no success I'll do a new post!

Yes, I've found the previous version, but have not installed it yet to check.
I had trouble with the router and had to reset preferences to default, after setting up vpn-policy-routing from the repo. I see the last commit was yesterday. Now I have version 0.0.6-1, which doesn't work.
Luci-vpn-policy is git-19.194.40998-7b1a..-41
(the latest)
I don't think the trouble is in luci-vpn.... because it doesn't work from the command line either.

enable '1'
config policy
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'st'
	option proto 'tcp udp'
	option remote_address 'pikabu.ru'

config policy
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'prt'
	option proto 'tcp udp'
	option local_port '8621-8626 53599'

Rules are present but have no effect. And Luci has no buttons to configure.
I tried to restart, enable, start from the command line but get one error '...is not enabled try to enable...' but as you can see enable is '1' in config. I'll try to roll back tomorrow. Just curious whether it is version trouble or my router.

With 0.0.6-0, the same issues.

Your config file is corrupted (I suspect from manual editing). If you installed from my repo, run:
opkg update; opkg install --force-reinstall --force-maintainer vpn-policy-routing;

You will lose your policies, but this will install the valid config file instead of your corrupted one.
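A check for the kind of damage discussed in the posts above, added here as an example that is not part of the thread or of the vpn-policy-routing package: it flags lines that are not `config`/`option`/`list` statements and a missing `option enabled` in the global section. The helper name `lint_vpr_config` and the sample file are constructed for illustration, and the check assumes the service reads `option enabled` from `config vpn-policy-routing 'config'` as in the valid file quoted earlier in the thread.

```sh
#!/bin/sh
# lint_vpr_config FILE: hypothetical helper (not part of the package) that
# reports hand-editing damage in a vpn-policy-routing UCI file.
# Assumption: the service reads "option enabled" from the section
# config vpn-policy-routing 'config', as in the valid file quoted earlier.
lint_vpr_config() {
    awk -v q="'" '
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    /^[ \t]*config[ \t]/ {                  # section header
        in_section = 1
        name = $3; gsub(q, "", name); gsub(/"/, "", name)
        in_global = ($2 == "vpn-policy-routing" && name == "config")
        if (in_global) have_global = 1
        next
    }
    /^[ \t]*(option|list)[ \t]/ {           # value inside a section
        if (!in_section) {
            printf "line %d: option outside a config section\n", NR; bad = 1
        }
        if (in_global && $2 == "enabled") have_enabled = 1
        next
    }
    {   # anything else is not valid UCI syntax
        printf "line %d: not a config/option/list line: %s\n", NR, $0; bad = 1
    }
    END {
        if (!have_global) {
            print "missing section: config vpn-policy-routing " q "config" q; bad = 1
        } else if (!have_enabled) {
            print "missing: option enabled in the global section"; bad = 1
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample modelled on the damaged file quoted in the thread.
sample=$(mktemp)
printf "enable '1'\nconfig policy\n\toption name 'st'\n\toption interface 'wan'\n" > "$sample"
lint_vpr_config "$sample" || echo "config needs repair"
rm -f "$sample"
```

A non-zero exit status means the file should be repaired or replaced before the service is restarted.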

Now it seems to work great! Thank you, kind man!

Hi, I just started using this package and believe I've come across a bug.
On my system (x86 Atom based), latest OpenWrt 18.06.4 with latest vpn-policy-routing 0.0.6-1, I have 1 wan connection with two VPN clients with AirVPN.
I've set up the option icmp_interface 'wan' in /etc/config/vpn-policy-routing. This works fine, until in Luci I changed my interface from VPN client to wan. The effect of this is to remove the icmp_interface option in the config file.

From > services > VPN-Policy-Routing, stop/disable seems OK, but re-enabling it wipes that option from the config file.

Also, changing the option in /etc/config/vpn-policy-routing from "option enabled '1'" to "option enabled '0'" and back works as expected.

Great find, should be fixed in luci app version 42 and I've also fixed the README!

Updated both the main service and the luci app to better support:

  1. custom user files with enable/disable
  2. enable checkbox for policies (needs to be activated in Advanced tab of WebUI or in the config file)

README has been updated to reflect new options.

Thanks to @anon45274024, implemented support for local policies based on MAC addresses in 0.0.7-5.

Major code refactoring, would appreciate confirmations that everything works from people with lots of policies.

What's the status/holdup with this?

The UI has been in desperate need of such capability for some time... I hope that the "core devs" find impetus to fast-track any withstanding qualms, if any.

IPv6 support. While Mullvad has been providing me with free access to their service on request, my ISP doesn't support IPv6, so to fully test IPv6 I need to find the time to set up a 6-in-4 tunnel separately.

Also, I myself am not quite clear on what the desired outcome would be in the case where not all of the tunnels/wan support IPv6, how's the routing supposed to happen.

Ideally, I'd like some feedback from an IPv6 expert on the matter before I send the PR.