VPN Policy-Based Routing + Web UI -- Discussion

Routing with multiple IPv6 prefixes (e.g. native, he.net, VPN) is… unexpected/strange. Contrary to the option of setting interface metrics for IPv4, with IPv6 the routing always (by default) chooses to use the interface with the longest prefix match (this is as specified, but often not quite what one would appreciate). Meaning that outgoing sessions choose the sending prefix 'randomly' (o.k., not random at all, according to the longest prefix match - just that there is no real relation between hostnames and prefix) - in practice this still tends to work not too badly (as the critical remote servers tend to be hosted in the same data centre or share a similar prefix), except for services that do geolocation.

Personally I always wanted to combine native IPv6 from my ISP (dynamic prefixes, which are a curse) with a static prefix via he.net - using the ISP prefix for outgoing traffic (unless explicitly bound to a he.net IPv6 address), using he.net (almost) only for incoming traffic (with static addresses, rDNS, etc.). I couldn't really get that working with reasonable efforts and postponed those plans for the time being.

Given that IPv6 routing is quite different from IPv4, I'd suggest splitting off that discussion from this thread - not because I'd think it would get more exposure that way, but mostly to keep this thread clean for 'normal' issues. If you need a hand with setting up a he.net tunnel, feel free to pm me.

This is a great package. Works flawlessly. I was wondering if anyone knows the domains for Canada Amazon Prime Video and Bell Fibe TV. I couldn't find those domains by searching online. Thank you in advance!

I assume you want to route these via WAN? Have you tried the AWS user-file?

Hi
I have installed your plugin, it works pretty good!

But I got one problem!
I have multiple interfaces,
192.168.0.1/24 is set to WAN
192.168.5.1/24 is set to WAN
192.168.8.1/24 is set to VPN

I want to be able to connect from 192.168.0.1/24 to 192.168.5.1/24.
That worked before I enabled the policy based routing plugin.

Anyone knows how I can get it working with plugin enabled?

You may want to try something like:
uci set vpn-policy-routing.config.append_local_rules='! -d 192.168.5.0/24'; uci commit;

It didn't really work...
But when I changed the IP mask to 255.255.0.0 (/16) --> "! -d 192.168.5.0/16"
Then it worked!!

Thank you for the tip! It led me to this solution.

Hi - apologies, I've been away and have only just been able to get back to this. I took the plunge and reinstalled OpenWrt, set up OpenVPN with NordVPN again, and confirmed before installing the VPN Policy-Based Routing package that I could reach the www.rtve.es and www.netflix.com domains successfully.

Once I install and enable the policy-based routing package, however, I see the same problem again if I have a rule set up to use the WAN. It's strange how all other domain URLs I've tested work. When I set the rule to use the VPN tunnel I can also reach those domains as before.

Thanks

New to this project, so please forgive any mis-assumptions...

Unlike most of the posters here, I am looking to configure vpn-policy-routing to route ONLY SELECTED domains through my WireGuard VPN. All other traffic should continue through my local wan interface.

Reading the intro material, it certainly seemed that routing via domain/ipset would take priority over any routing based on destination ip address. That led me to believe I could have policies for DNS domains and a match-all ip policy and the domain policy would prevail.

Pretty much any way I set it up using the GUI sends everything through the VPN. WireGuard is certainly different from OpenVPN in not using tap or tun but rather doing everything through iptables.

Here're my files:

A few things I've noticed...

  1. Even though I've added "wg0" as an interface in the "Supported Interfaces", I am only offered "WAN" as an interface choice in the policy configuration. Same if I edit the config file.
  2. Doesn't seem to matter if I pick PREROUTING or OUTPUT.
  3. I edited the config file directly to specify the actual interface names from ifconfig. Didn't work - got a bunch of "ERROR: unknown fw_mark for wg0!" messages.

Thanks,

Here's the usual info for evaluation - sorry I can't just upload, it's only text.

root@GL-MT300N-V2:/etc/config# cat /etc/config/vpn-policy-routing 

config policy
	option name 'ViaVPN'
	option remote_address 'domain1.net'
	option chain 'OUTPUT'
	option proto 'tcp udp'
	option interface 'wg0'

config policy
	option interface 'apcli0'
	option chain 'OUTPUT'
	option proto 'tcp udp'
	option name 'LOC'
	option remote_address '0.0.0.0/0'

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option enable_control '1'
	option proto_control '1'
	option chain_control '1'
	option dnsmasq_enabled '1'
	option strict_enforcement '1'
	option enabled '1'
	list supported_interface 'wg0 apcli0'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

========================
root@GL-MT300N-V2:/etc/config# ifconfig


### --- Comment... This router is behind another router, so 192.168.2.165 is my WAN address --- ###
apcli0    Link encap:Ethernet  HWaddr E6:95:6E:0A:E0:A8  
          inet addr:192.168.2.164  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::e495:6eff:fe0a:e0a8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:80549 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

br-lan    Link encap:Ethernet  HWaddr E4:95:6E:4A:E0:A8  
          inet addr:192.168.5.1  Bcast:192.168.5.255  Mask:255.255.255.0
          inet6 addr: fd43:2afc:d635::1/60 Scope:Global
          inet6 addr: fe80::e695:6eff:fe4a:e0a8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1467430 errors:0 dropped:64 overruns:0 frame:0
          TX packets:1155388 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:567357729 (541.0 MiB)  TX bytes:227882455 (217.3 MiB)

eth0      Link encap:Ethernet  HWaddr E4:95:6E:4A:E0:A8  
          inet6 addr: fe80::e695:6eff:fe4a:e0a8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:907703 errors:0 dropped:22 overruns:0 frame:0
          TX packets:955026 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:205055216 (195.5 MiB)  TX bytes:529509029 (504.9 MiB)
          Interrupt:5 

eth0.1    Link encap:Ethernet  HWaddr E4:95:6E:4A:E0:A8  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7851 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:974379 (951.5 KiB)  TX bytes:11933330 (11.3 MiB)

eth0.2    Link encap:Ethernet  HWaddr E4:95:6E:4A:E0:A8  
          inet addr:192.168.2.27  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::e695:6eff:fe4a:e0a8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:899765 errors:0 dropped:87304 overruns:0 frame:0
          TX packets:912531 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:187734037 (179.0 MiB)  TX bytes:513702224 (489.9 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:625 errors:0 dropped:0 overruns:0 frame:0
          TX packets:625 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:73376 (71.6 KiB)  TX bytes:73376 (71.6 KiB)

ra0       Link encap:Ethernet  HWaddr E4:95:6E:4A:E0:A8  
          inet6 addr: fe80::e695:6eff:fe4a:e0a8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1546627 errors:324 dropped:0 overruns:0 frame:0
          TX packets:1164666 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:622925751 (594.0 MiB)  TX bytes:211621958 (201.8 MiB)
          Interrupt:6 

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.0.140.2  P-t-P:10.0.140.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:600684 errors:0 dropped:9031 overruns:0 frame:0
          TX packets:870020 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:138904172 (132.4 MiB)  TX bytes:473217744 (451.2 MiB)


========================
root@GL-MT300N-V2:/etc/config# /etc/init.d/vpn-policy-routing restart

vpn-policy-routing 0.0.7-7 stopped [✓]
Creating table 'wan/192.168.2.1' [✓]
Routing 'ViaVPN' via wg0 [✗]
Routing 'LOC' via apcli0 [✗]
vpn-policy-routing 0.0.7-7 started on wan/192.168.2.1 with errors [✗]
ERROR: unknown fw_mark for wg0!
ERROR: unknown fw_mark for wg0!

ERROR: unknown fw_mark for apcli0!

vpn-policy-routing 0.0.7-7 monitoring interfaces: wan [✓]



========================
root@GL-MT300N-V2:/etc/config# ipset

ipset v6.34: No command specified.
Try `ipset help' for more information.
root@GL-MT300N-V2:/etc/config# ipset -L
Name: mwan3_connected_v4
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1264
References: 1
Number of entries: 18
Members:
192.168.5.1
192.168.5.255
10.0.140.2
128.0.0.0/1
192.168.2.255
192.168.5.0/24
127.0.0.1
192.168.2.164
192.168.5.0
224.0.0.0/3
192.168.2.27
127.0.0.0/8
127.255.255.255
192.168.2.0
0.0.0.0/1
127.0.0.0
192.168.2.0/24
24.211.232.117

Name: mwan3_connected_v6
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1300
References: 1
Number of entries: 2
Members:
fd43:2afc:d635::/64
fe80::/64

Name: wan
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 312
References: 1
Number of entries: 0
Members:

Name: mwan3_connected
Type: list:set
Revision: 3
Header: size 8
Size in memory: 88
References: 4
Number of entries: 2
Members:
mwan3_connected_v4
mwan3_connected_v6


========================
root@GL-MT300N-V2:/etc/config# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
GL_SPEC_OPENING  all  --  anywhere             anywhere            
GL_INPUT   all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wireguard_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination         
GL_FORWARD  all  --  anywhere             anywhere            
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wireguard_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
GL_OUTPUT  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wireguard_output  all  --  anywhere             anywhere             /* !fw3 */

Chain GL_FORWARD (1 references)
target     prot opt source               destination         

Chain GL_INPUT (1 references)
target     prot opt source               destination         

Chain GL_OUTPUT (1 references)
target     prot opt source               destination         

Chain GL_SPEC_OPENING (1 references)
target     prot opt source               destination         

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wireguard_rule (1 references)
target     prot opt source               destination         

Chain input_lan_rule (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan_rule (1 references)
target     prot opt source               destination         

Chain input_wireguard_rule (1 references)
target     prot opt source               destination         

Chain output_lan_rule (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination         

Chain output_wan_rule (1 references)
target     prot opt source               destination         

Chain output_wireguard_rule (1 references)
target     prot opt source               destination         

Chain reject (5 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (5 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_wireguard_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to wireguard forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination         
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination         
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (2 references)
target     prot opt source               destination         
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (2 references)
target     prot opt source               destination         
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:83 /* !fw3: glservice */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:83 /* !fw3: glservice */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh /* !fw3: glssh */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssh /* !fw3: glssh */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5126 /* !fw3: Allow-Wireguard */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5126 /* !fw3: Allow-Wireguard */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (2 references)
target     prot opt source               destination         
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wireguard_dest_ACCEPT (3 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wireguard_forward (1 references)
target     prot opt source               destination         
forwarding_wireguard_rule  all  --  anywhere             anywhere             /* !fw3: Custom wireguard forwarding rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone wireguard to wan forwarding policy */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone wireguard to lan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wireguard_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wireguard_input (1 references)
target     prot opt source               destination         
input_wireguard_rule  all  --  anywhere             anywhere             /* !fw3: Custom wireguard input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wireguard_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wireguard_output (1 references)
target     prot opt source               destination         
output_wireguard_rule  all  --  anywhere             anywhere             /* !fw3: Custom wireguard output rule chain */
zone_wireguard_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wireguard_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */




========================
root@GL-MT300N-V2:/etc/config# /etc/init.d/vpn-policy-routing status

vpn-policy-routing 0.0.7-7 running on OpenWrt 18.06.1.
============================================================
Dnsmasq version 2.80test2  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         *               128.0.0.0       U     0      0        0 wg0
default         HanoverSouthFIO 0.0.0.0         UG    10     0        0 eth0.2
default         HanoverSouthFIO 0.0.0.0         UG    20     0        0 apcli0
IPv4 Table 201: default via 192.168.2.1 dev eth0.2
IPv4 Table 201 Rules:
1000:	from all fwmark 0x10000 lookup 201
IPv4 Table 202:
IPv4 Table 202 Rules:
IPv4 Table 203:
IPv4 Table 203 Rules:
IPv4 Table 204:
IPv4 Table 204 Rules:
IPv4 Table 205:
IPv4 Table 205 Rules:
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create mwan3_connected_v4 hash:net family inet hashsize 1024 maxelem 65536
add mwan3_connected_v4 192.168.5.1
add mwan3_connected_v4 192.168.5.255
add mwan3_connected_v4 10.0.140.2
add mwan3_connected_v4 128.0.0.0/1
add mwan3_connected_v4 192.168.2.255
add mwan3_connected_v4 192.168.5.0/24
add mwan3_connected_v4 127.0.0.1
add mwan3_connected_v4 192.168.2.164
add mwan3_connected_v4 192.168.5.0
add mwan3_connected_v4 224.0.0.0/3
add mwan3_connected_v4 192.168.2.27
add mwan3_connected_v4 127.0.0.0/8
add mwan3_connected_v4 127.255.255.255
add mwan3_connected_v4 192.168.2.0
add mwan3_connected_v4 0.0.0.0/1
add mwan3_connected_v4 127.0.0.0
add mwan3_connected_v4 192.168.2.0/24
add mwan3_connected_v4 24.211.232.117
create mwan3_connected_v6 hash:net family inet6 hashsize 1024 maxelem 65536
add mwan3_connected_v6 fd43:2afc:d635::/64
add mwan3_connected_v6 fe80::/64
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create mwan3_connected list:set size 8
add mwan3_connected mwan3_connected_v4
add mwan3_connected mwan3_connected_v6
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@GL-MT300N-V2:/etc/config# traceroute google.com
traceroute to google.com (172.217.2.206), 30 hops max, 38 byte packets
 1  10.0.140.1 (10.0.140.1)  63.849 ms  67.378 ms  57.324 ms
 2  192.168.1.1 (192.168.1.1)  55.889 ms  65.874 ms  58.819 ms
 3^C
root@GL-MT300N-V2:/etc/config# traceroute domain1.net
traceroute to domain1.net (34.197.0.224), 30 hops max, 38 byte packets
 1  10.0.140.1 (10.0.140.1)  57.904 ms  57.240 ms  56.166 ms
 2  192.168.1.1 (192.168.1.1)  56.660 ms  56.650 ms  59.507 ms
 3^C

### --- Note that 10.0.140.1 is the IP for the WireGuard VPN 
        If we were going thru the WAN, we'd be seeing different addresses. --- ###

If the wireguard interface is properly configured, VPR luci app should pick it up automatically.

Use interface names from /etc/config/network, not the device names from ifconfig.

Also, check README on mwan3 compatibility.

There are also settings outside of VPR which need to be configured for this.
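One way to catch the interface-name mistake from the post above (policies naming the devices apcli0 and wg0 instead of the logical interfaces from /etc/config/network, which is what produces the "unknown fw_mark" errors), written as an added example that is not part of vpn-policy-routing or this thread. Both config files it parses are constructed for the demo, and the logical names wwan and wireguard are assumptions.

```shell
#!/bin/sh
# Added example, not part of vpn-policy-routing: check that every 'option interface'
# in a VPR policy names a logical interface from /etc/config/network (wan, wwan,
# wireguard ...) rather than a kernel device from ifconfig (eth0.2, apcli0, wg0).
# Both config files below are constructed for this demo and written to a temp dir.

TMPD=$(mktemp -d)
NET="$TMPD/network"        # stands in for /etc/config/network
VPR_BAD="$TMPD/vpr.bad"    # device names, as in the post above
VPR_GOOD="$TMPD/vpr.good"  # the same policies with logical names (assumed: wwan, wireguard)

cat > "$NET" <<'EOF'
config interface 'lan'
	option ifname 'eth0.1'
	option proto 'static'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wwan'
	option ifname 'apcli0'
	option proto 'dhcp'

config interface 'wireguard'
	option proto 'wireguard'
EOF

cat > "$VPR_BAD" <<'EOF'
config policy
	option name 'ViaVPN'
	option remote_address 'domain1.net'
	option interface 'wg0'

config policy
	option name 'LOC'
	option remote_address '0.0.0.0/0'
	option interface 'apcli0'
EOF

# Corrected copy: swap device names for the logical interface names.
sed "s/'wg0'/'wireguard'/; s/'apcli0'/'wwan'/" "$VPR_BAD" > "$VPR_GOOD"

# Logical interface names: the NAME in every "config interface 'NAME'" section.
network_logical_names() {
    awk '$1 == "config" && $2 == "interface" { print $3 }' "$1" | tr -d "'"
}

# Interface referenced by each "config policy" section, in file order.
vpr_policy_interfaces() {
    awk '
        $1 == "config" { inpolicy = ($2 == "policy") }
        inpolicy && $1 == "option" && $2 == "interface" { print $3 }
    ' "$1" | tr -d "'"
}

# Report each policy interface as ok/unknown; return 1 if any is unknown.
vpr_check_interfaces() {
    rc=0
    for name in $(vpr_policy_interfaces "$1"); do
        if network_logical_names "$2" | grep -qx "$name"; then
            echo "ok:      $name"
        else
            echo "unknown: $name is not an interface in $2 (device name instead of logical name?)"
            rc=1
        fi
    done
    return "$rc"
}

# Number of policy interfaces VPR would have no fw_mark for (0 when the config is clean).
vpr_unknown_count() {
    vpr_check_interfaces "$1" "$2" | grep -c '^unknown:' || true
}

echo "== config with device names =="
vpr_check_interfaces "$VPR_BAD" "$NET" || echo "-> rename these to the logical interface names"
echo "== config with logical names =="
vpr_check_interfaces "$VPR_GOOD" "$NET"
```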

I downloaded a new update today and now everything is being routed via my VPN interface. Has anything changed for .7-7? The log shows computer hawkeye going through the WAN, but it really is not, as I do a traceroute and see AirVPN's servers and not Spectrum.

Mon Aug  5 19:49:09 2019 user.notice vpn-policy-routing [15455]: Creating table 'wan/76.185.192.1' [✓]
Mon Aug  5 19:49:10 2019 user.notice vpn-policy-routing [15455]: Creating table 'airvpn/xx.xx.xx.1' [✓]
Mon Aug  5 19:49:10 2019 user.notice vpn-policy-routing [15455]: Routing 'Home Network' via wan [✓]
Mon Aug  5 19:49:10 2019 user.notice vpn-policy-routing [15455]: Routing 'Hawkeye' via wan [✓]
Mon Aug  5 19:49:10 2019 user.notice vpn-policy-routing [15455]: Routing 'Deluge Box' via airvpn [✓]
Mon Aug  5 19:49:10 2019 user.notice vpn-policy-routing [15455]: service started on wan/76.xxx.xxx.1 airvpn/10.26.65.1 [✓]
Mon Aug  5 19:49:10 2019 user.notice vpn-policy-routing [15455]: service monitoring interfaces: wan airvpn [✓]

I also tried installing vpnbypass instead of VPR but see the exact same behaviour. Both URLs are pingable but time out when trying to browse to them.

status output?

What are your DHCP settings both on router and the PC you're testing from?

Hi,

This is my /etc/config/dhcp file:

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config dhcp 'Guest'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'Guest'

I'm testing from a Windows 10 machine with DHCP enabled; this is the result of ipconfig /all:

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . : lan
Description . . . . . . . . . . . : 802.11n Wireless LAN Card
Physical Address. . . . . . . . . : 90-48-9A-8E-53-3F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . :
Lease Obtained. . . . . . . . . . : 02 August 2019 21:54:10
Lease Expires . . . . . . . . . . : 14 September 2155 09:12:56
IPv6 Address. . . . . . . . . . . :
Temporary IPv6 Address. . . . . . :
Link-local IPv6 Address . . . . . :
IPv4 Address. . . . . . . . . . . : 192.168.1.244(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 08 August 2019 01:57:10
Lease Expires . . . . . . . . . . : 08 August 2019 14:36:43
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . :
DHCPv6 Client DUID. . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

I blanked out the IPV6 addresses in the above.

Thanks

Everything looks alright. Maybe it's actually IPv6 routing which is getting in the way. I have IPv6 disabled on my OpenWrt config.

Hi,

I am setting up nordvpn using the following: https://support.nordvpn.com/Connectivity/Router/1364683552/OpenWRT-LuCI-setup-with-NordVPN.htm
I was just wondering if the firewall section of the instructions is relevant when using VPN Policy-Based Routing?

Many thanks in advance

I think you have cracked it for me! If I disable the IPV6 DHCP server on the OpenWRT router I can now hit both those URLs with VPNBypass in place and active for the IP address - so it does appear to be an issue when using IPV6.

That is great - thank you very much for your help. My next step is to retest with VPR, which was what I was originally hoping to use.

I've updated the README's Notes/Known Issues with the relevant information.

Thanks Stan.

I started from a clean OpenWrt install and have now installed VPR again to continue testing. For some reason I can't fathom, though, VPR now has a problem creating tables for my WAN interface.

This is my config:

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option ipset_enabled '1'
        option dnsmasq_enabled '0'
        option strict_enforcement '1'
        option boot_timeout '30'
        option enabled '1'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

and the output of /etc/init.d/vpn-policy-routing status:

vpn-policy-routing 0.0.7-15 running on OpenWrt 18.06.4.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.7.3.1        128.0.0.0       UG    0      0        0 tun0
default         static-10-0-235 0.0.0.0         UG    0      0        0 pppoe-wan
IPv4 Table 201:
IPv4 Table 201 Rules:
32765:	from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.7.3.1 dev tun0
IPv4 Table 202 Rules:
32764:	from all fwmark 0x20000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set nordvpntun_local_mac src -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun_local_ip src -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create nordvpntun hash:net family inet hashsize 1024 maxelem 65536 comment
create nordvpntun_local_ip hash:net family inet hashsize 1024 maxelem 65536 comment
create nordvpntun_local_mac hash:mac hashsize 1024 maxelem 65536 comment
============================================================

I've uploaded the output of /etc/init.d/vpn-policy-routing reload to your paste.ee account. @stangri are you able to give me any clues as to what this new problem might be? Did I miss something in the config?

Interestingly if I enable IPV6 VPR will create the tables for the WAN interface, but that brings a new set of problems...

Thanks