Routing with multiple IPv6 prefixes (e.g. native, he.net, VPN) is… unexpected/strange. Contrary to the option of setting interface metrics for IPv4, with IPv6 the routing always (by default) chooses to use the interface with the longest prefix match (this is as specified, but often not quite what one would appreciate). Meaning that outgoing sessions choose the sending prefix 'randomly' (o.k., not random at all, according to the longest prefix match - just that there is no real relation between hostnames and prefix) - in practice this still tends to work not too badly (as the critical remote servers tend to be hosted in the same data centre/share a similar prefix), except for services that do geolocation.
Personally I always wanted to combine native IPv6 from my ISP (dynamic prefixes, which are a curse) with a static prefix via he.net - using the ISP prefix for outgoing traffic (unless explicitly bound to a he.net IPv6 address), using he.net (almost) only for incoming traffic (with static addresses, rDNS, etc.). I couldn't really get that working with reasonable efforts and postponed those plans for the time being.
Given that IPv6 routing is quite different from IPv4, I'd suggest splitting that discussion off from this thread - not because I'd think it would get more exposure that way, but mostly to keep this thread clean for 'normal' issues. If you need a hand with setting up a he.net tunnel, feel free to PM me.
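Added example (not code from this thread, from OpenWrt or from he.net): the "longest prefix match" the post above describes is, for outgoing sessions, the source address selection rule of RFC 6724 (rule 8): among the addresses the host holds, the one sharing the longest common prefix with the destination wins, regardless of any interface metric. The script models only that rule, ignores the earlier RFC 6724 rules (scope, deprecated addresses, etc.), breaks ties by the order the candidates are listed (the example's own simplification), and uses documentation (2001:db8::/32) and ULA (fd00::/8) prefixes as constructed stand-ins for the native, he.net and VPN prefixes.

```python
"""Longest-matching-prefix source address selection (RFC 6724 rule 8).

Added example, not code from the thread or from OpenWrt. Only rule 8 is
modelled; ties keep the first listed candidate. All prefixes below are
constructed documentation/ULA ranges, not real allocations.
"""
import ipaddress

# Constructed candidate source addresses, one per prefix the host holds.
CANDIDATES = {
    "native": "2001:db8:aaaa:1::10",   # dynamic ISP prefix
    "henet":  "2001:db8:bbbb:1::10",   # static he.net tunnel prefix
    "vpn":    "fd00:1234::10",         # VPN-assigned ULA
}


def common_prefix_len(a, b):
    """Number of leading bits two IPv6 addresses share (0..128)."""
    a, b = ipaddress.IPv6Address(a), ipaddress.IPv6Address(b)
    # XOR leaves the first differing bit as the highest set bit.
    return 128 - (int(a) ^ int(b)).bit_length()


def rank_sources(candidates, destination):
    """Return [(label, address, shared_bits)] sorted best first.

    Python's sort is stable (also with reverse=True), so candidates with
    equal shared_bits keep their dictionary order; that is this example's
    tie-break, not something RFC 6724 prescribes.
    """
    ranked = [(label, addr, common_prefix_len(addr, destination))
              for label, addr in candidates.items()]
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked


def select_source(candidates, destination):
    """Label of the source address rule 8 picks for this destination."""
    return rank_sources(candidates, destination)[0][0]


if __name__ == "__main__":
    # Constructed destinations: one inside each prefix, one in none of them.
    for dst in ("2001:db8:aaaa:ffff::80",   # inside the ISP's own range
                "2001:db8:bbbb:2::443",     # another he.net customer
                "fd00:1234:abcd::1",        # service on the VPN side
                "2001:db8:cccc::1"):        # unrelated; native and he.net tie
        print(dst, "->", rank_sources(CANDIDATES, dst))
```

The last destination is the interesting one: native and he.net both share 33 bits with it, so which prefix sends is decided by nothing more than candidate order, which is the "no real relation between hostname and prefix" effect the post describes.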
This is a great package, works flawlessly. I was wondering if anyone knows the domains for Canadian Amazon Prime Video and Bell Fibe TV. I couldn't find those domains by searching online. Thank you in advance!
Hi - apologies, I've been away and have only just been able to get back to this. I took the plunge and reinstalled OpenWrt, set up OpenVPN with NordVPN again and confirmed, before installing the VPN Policy-Based Routing package, that I could reach the www.rtve.es and www.netflix.com domains successfully.
Once I install the policy-based routing package and enable it, however, I see the same problem again if I have a rule set up to use the WAN. It's strange how all other domain URLs I've tested work. When I set the rule to use the VPN tunnel I can also reach those domains as before.
New to this project, so please forgive any mis-assumptions...
Unlike most of the posters here, I am looking to configure vpn-policy-routing to route ONLY SELECTED domains through my WireGuard VPN. All other traffic should continue through my local wan interface.
Reading the intro material, it certainly seemed that routing via domain/ipset would take priority over any routing based on destination IP address. That led me to believe I could have policies for DNS domains plus a match-all IP policy, and the domain policies would prevail.
Pretty much any way I set it up using the GUI sends everything through the VPN. WireGuard is certainly different from OpenVPN in not using tap or tun but rather doing everything through iptables.
Here are my files:
A few things I've noticed...
Even though I've added "wg0" as an interface in the "Supported Interfaces", I am only offered "WAN" as an interface choice in the policy configuration. Same if I edit the config file.
Doesn't seem to matter if I pick PREROUTING or OUTPUT.
I edited the config file directly to specify the actual interface names from ifconfig. Didn't work - got a bunch of "ERROR: unknown fw_mark for wg0!" messages.
Thanks,
Here's the usual info for evaluation - sorry I can't just upload it; it's only text.
I downloaded a new update today and now everything is being routed via my VPN interface. Has anything changed for .7-7? The log shows computer hawkeye going through the WAN, but it really isn't: when I do a traceroute I see AirVPN's servers and not Spectrum's.
Mon Aug 5 19:49:09 2019 user.notice vpn-policy-routing [15455]: Creating table 'wan/76.185.192.1' [✓]
Mon Aug 5 19:49:10 2019 user.notice vpn-policy-routing [15455]: Creating table 'airvpn/xx.xx.xx.1' [✓]
Mon Aug 5 19:49:10 2019 user.notice vpn-policy-routing [15455]: Routing 'Home Network' via wan [✓]
Mon Aug 5 19:49:10 2019 user.notice vpn-policy-routing [15455]: Routing 'Hawkeye' via wan [✓]
Mon Aug 5 19:49:10 2019 user.notice vpn-policy-routing [15455]: Routing 'Deluge Box' via airvpn [✓]
Mon Aug 5 19:49:10 2019 user.notice vpn-policy-routing [15455]: service started on wan/76.xxx.xxx.1 airvpn/10.26.65.1 [✓]
Mon Aug 5 19:49:10 2019 user.notice vpn-policy-routing [15455]: service monitoring interfaces: wan airvpn [✓]
I think you have cracked it for me! If I disable the IPv6 DHCP server on the OpenWrt router I can now hit both those URLs with VPNBypass in place and active for the IP address - so it does appear to be an issue when using IPv6.
That is great - thank you very much for your help. My next step is to retest with VPR, which was what I was originally hoping to use.
I started from a clean OpenWrt install and have now installed VPR again to continue testing. For some reason I can't fathom, though, VPR now has a problem creating tables for my WAN interface,
and the output of /etc/init.d/vpn-policy-routing status:
vpn-policy-routing 0.0.7-15 running on OpenWrt 18.06.4.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 10.7.3.1 128.0.0.0 UG 0 0 0 tun0
default static-10-0-235 0.0.0.0 UG 0 0 0 pppoe-wan
IPv4 Table 201:
IPv4 Table 201 Rules:
32765: from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.7.3.1 dev tun0
IPv4 Table 202 Rules:
32764: from all fwmark 0x20000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set nordvpntun_local_mac src -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun_local_ip src -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create nordvpntun hash:net family inet hashsize 1024 maxelem 65536 comment
create nordvpntun_local_ip hash:net family inet hashsize 1024 maxelem 65536 comment
create nordvpntun_local_mac hash:mac hashsize 1024 maxelem 65536 comment
============================================================
I've uploaded the output of /etc/init.d/vpn-policy-routing reload to your paste.ee account. @stangri, are you able to give me any clues as to what this new problem might be? Did I miss something in the config?
Interestingly, if I enable IPv6, VPR will create the tables for the WAN interface, but that brings a new set of problems...
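Added example (not code from vpn-policy-routing or from anyone in this thread): a small checker for the kind of status dump posted above. It parses the 'Routes/IP Rules' and 'IP Tables' sections and flags what a practitioner would look for first: a fwmark rule whose routing table holds no route (marked packets then fall through to the main table), a mark that iptables sets but no ip rule consumes or the reverse, and a dnsmasq whose compile options include no-ipset, since dnsmasq can only populate ipsets from resolved domains when it is built with ipset support. The sample text is copied from the status output above, trimmed to the relevant sections; the findings it reports are exactly what is visible there (table 201 is empty, and only 0x20000 is ever set).

```python
"""Consistency check for a vpn-policy-routing status dump.

Added example, not part of the package. STATUS_FROM_POST is the
'/etc/init.d/vpn-policy-routing status' output posted in the thread,
trimmed to the sections the checks need.
"""
import re

STATUS_FROM_POST = """\
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 10.7.3.1 128.0.0.0 UG 0 0 0 tun0
default static-10-0-235 0.0.0.0 UG 0 0 0 pppoe-wan
IPv4 Table 201:
IPv4 Table 201 Rules:
32765: from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.7.3.1 dev tun0
IPv4 Table 202 Rules:
32764: from all fwmark 0x20000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set nordvpntun_local_mac src -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun_local_ip src -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
"""

# 'IPv4 Table 201:' and 'IPv4 Table 202: default via ...' match; the
# 'IPv4 Table 201 Rules:' header does not (no colon right after the id).
TABLE_RE = re.compile(r"^IPv4 Table (\d+):\s*(.*)$")
RULE_RE = re.compile(r"^\d+:\s+from \S+ fwmark (0x[0-9a-fA-F]+) lookup (\d+)$")
XMARK_RE = re.compile(r"-j MARK --set-xmark (0x[0-9a-fA-F]+)/0x[0-9a-fA-F]+")


def parse_status(text):
    """Return (tables, rules, marks_set, dnsmasq_opts).

    tables:       table id -> route text ('' when the table is empty)
    rules:        fwmark -> table id that mark is looked up in
    marks_set:    marks written by iptables MARK --set-xmark targets
    dnsmasq_opts: tokens of the dnsmasq 'Compile time options' line
    """
    tables, rules, marks_set, dnsmasq_opts = {}, {}, set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Compile time options:"):
            dnsmasq_opts = line.split(":", 1)[1].split()
            continue
        m = TABLE_RE.match(line)
        if m:
            tables[m.group(1)] = m.group(2).strip()
            continue
        m = RULE_RE.match(line)
        if m:
            rules[m.group(1).lower()] = m.group(2)
            continue
        m = XMARK_RE.search(line)
        if m:
            marks_set.add(m.group(1).lower())
    return tables, rules, marks_set, dnsmasq_opts


def check_status(text):
    """List of findings; empty when the dump is internally consistent."""
    tables, rules, marks_set, dnsmasq_opts = parse_status(text)
    findings = []
    for mark, table in sorted(rules.items()):
        if not tables.get(table):
            findings.append(f"table {table} (fwmark {mark}) has no routes")
        if mark not in marks_set:
            findings.append(f"fwmark {mark} has an ip rule but no iptables rule sets it")
    for mark in sorted(marks_set - set(rules)):
        findings.append(f"iptables sets fwmark {mark} but no ip rule looks it up")
    if "no-ipset" in dnsmasq_opts:
        findings.append("dnsmasq built with no-ipset: domain policies cannot fill ipsets")
    return findings


if __name__ == "__main__":
    for finding in check_status(STATUS_FROM_POST):
        print("WARN:", finding)
```

Run against the posted dump it reports the empty table 201 behind fwmark 0x10000, that nothing marks packets with 0x10000, and the no-ipset dnsmasq build; a dump where table 201 has a default route via pppoe-wan, a rule sets 0x10000, and dnsmasq lists ipset comes back clean.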