Hi Stangri,

thanks for your answer! I infer from it that you have to use iptables to set the DSCP mark. It probably won't work in my case, as I'm sending a top-level domain (.cz) to that VPN, hence it's impossible for me to list all possible domain names. I have a second solution that should work: create a second VPN instance to that server that assigns IP addresses from a different private range; it's just not pretty...

Then you have to use VPR's built-in functions:

mark='0x020000' #adjust it for your vpn tunnel
ips create "custom" && ips flush "custom"
ips add_dnsmasq "custom" cz
ipt -t mangle -A VPR_PREROUTING -m set --match-set "custom" dst -j MARK --set-xmark "${mark}/0xff0000"
ipt -t mangle -A VPR_PREROUTING -m set --match-set "custom" dst -j DSCP --set-dscp-class AF21

Thanks, I've removed some mentions of LEDE which didn't make sense after the merge; however, with OpenWrt dropping support for some of the older routers, there could be legitimate reasons some people would want to stick with LEDE, and I want to explicitly mention that it's supported.

I'll push the new readme to repo shortly.

I'm a bit stumped about what the custom user file should look like. The samples (for netflix and aws) are #!/bin/sh, but that makes sense since you invoke curl and awk. Is that the case here? I've tried both options but I'm getting

ERROR: Error running custom user file '/etc/vpn-policy-routing.cesko' 

with no detail on what is the error (verbosity is 2).

Sorry, missed an ips parameter. :wink:

mark='0x020000' # adjust it for your vpn tunnel
ips create "custom" 'hash:net family inet comment' && ips flush "custom" # ipset typed for networks; flush in case it already exists
ips add_dnsmasq "custom" cz # let dnsmasq populate the set with every resolved .cz name
ipt -t mangle -A VPR_PREROUTING -m set --match-set "custom" dst -j MARK --set-xmark "${mark}/0xff0000" # fwmark for the tunnel's routing rule
ipt -t mangle -A VPR_PREROUTING -m set --match-set "custom" dst -j DSCP --set-dscp-class AF21 # DSCP mark as originally asked for

Perfect! It works precisely as I was hoping it would. Thanks :slight_smile:

Hi Stangri,

Maybe a bogus question... but does the PBR service only use the exact/explicit names "wan" & "wan6" for configured WAN interfaces?

Within a customer setup, there are 2 WAN interfaces configured with the names "wan4" & "wan6". Before I introduce PBR, I want to make sure that WAN interface names other than "wan" & "wan6" are possible to use.

Thank you.

UPDATED:
I never touched the "wan" interface name before (no reason to do so), but anyway, I did a test renaming "wan" to "wan4". And yes, so far so good via the CLI.

Then, using the "luci-app-vpn-policy-routing" GUI, you can only select the "WAN" & "WAN6" interface names when adding or changing "Policies". I would expect to find "WAN4" as well, because "WAN" was renamed earlier.

Maybe a fix to be planned someday...

No, it tries to figure out the true WAN interface (as oftentimes the VPN tunnel is set as default gateway and it's not a true WAN), but in case it fails, you can manually specify it in the config file as a supported interface.

Potentially. Not a high priority, as very few people have a real wan interface called something else, and if they do, it's usually wwan.

Even better! Thanks for the clarification.

Yep, agree. And can already be fixed manually with the "supported interface" option!

I am trying this package but I am getting
ERROR: policy 'X' has an unknown interface: wan!
Yes, I have wan interface. What may be going on?

root@OpenWrt:~# uci  show network.wan
network.wan=interface
network.wan.proto='dhcp'
network.wan.ifname='eth1'
root@OpenWrt:~#

I have a suspicion about why that could happen, please upgrade to vpn-policy-routing 0.1.0-14.


For anyone who has had trouble getting vpn-policy-routing to play nice within a network having VLANs, I've found a fix (although it's not very elegant at this point).

The way vpn-policy-routing works is to create a new set of routing tables -- one for traffic using the WAN (table 201 by default); one for VPN routed traffic (202 by default). In my case, I have three separate VLANs with firewall rules to allow some traffic between them -- these firewall rules appeared to stop working with vpn-policy-routing running. This is because I had configured vpn-policy-routing to route via the WAN/VPN based on source IP address/subnet and really I only wanted traffic not destined for hosts on my LAN(s) to be subject to this policy.
The routing tables created contain only a default route so all traffic from the configured IP ranges tries to route via the WAN/VPN even though their destination IPs are within the local network (so anything destined for the local networks got lost).

In short, I was able to get it working by adding entries to the additional routing tables to duplicate those entries in the main table:
For example, my main table was...

root@OpenWrt:~# ip route ls table main
0.0.0.0/1 via 10.8.2.1 dev tun0
default via 159.2.240.1 dev eth1.35 proto static src <WAN IP>
10.8.2.0/24 dev tun0 proto kernel scope link src 10.8.2.19
104.156.210.168 via 159.2.240.1 dev eth1.35
128.0.0.0/1 via 10.8.2.1 dev tun0
159.2.240.0/22 dev eth1.35 proto kernel scope link src <WAN IP>
192.168.1.0/24 dev eth0.1 proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev eth0.10 proto kernel scope link src 192.168.10.1
192.168.20.0/24 dev eth0.20 proto kernel scope link src 192.168.20.1

Table 201 (local routes added):

root@OpenWrt:~# ip route ls table 201
default via 159.2.240.1 dev eth1.35
192.168.1.0/24 dev eth0.1 proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev eth0.10 proto kernel scope link src 192.168.10.1
192.168.20.0/24 dev eth0.20 proto kernel scope link src 192.168.20.1

Table 202 (default route via VPN) has the same entries added.

@stangri, is there a way for me to configure vpn-policy-routing to do this (instead of manually adding routes -- these disappear when the service restarts)...

My config is:

root@OpenWrt:~# cat /etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option dnsmasq_ipset '0'
        option remote_ipset '1'
        option ipv6_enabled '0'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option enable_control '0'
        option proto_control '0'
        option chain_control '0'
        option local_ipset '0'
        option iprule_enabled '1'
        option enabled '1'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

config policy
        option interface 'wan'
        option proto 'tcp udp'
        option name 'LAN'
        option local_address '192.168.1.1/24'
        option chain 'PREROUTING'

config policy
        option chain 'PREROUTING'
        option interface 'wan'
        option proto 'tcp udp'
        option name 'VLAN10'
        option local_address '192.168.10.1/24'

config policy
        option chain 'PREROUTING'
        option proto 'tcp udp'
        option interface 'vpn'
        option name 'VLAN20'
        option local_address '192.168.20.1/24'
        option enabled '0'

The config above has clients connected to the main LAN (192.168.1.x) and VLAN10 (192.168.10.x) use the WAN; VLAN20 traffic is tunnelled through the VPN.


Yes, use custom user file.

Nicer solution would be for me to copy all local device routes from the main table to the new VPR tables, let me ponder on this.

PS. I think someone has accomplished the same with append_local_rules setting.
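A custom user file that does what the two posts above describe, namely copying the main table's directly-connected routes into the VPR tables every time the service (re)starts. This is an added example, not code from vpn-policy-routing or from @stangri. It assumes the default table ids 201 (wan) and 202 (vpn) given in the post above, and that VPR sources the file into its own shell so that its `ipt` helper is visible (the way the sample netflix/aws files can call `ips` and `ipt` suggests this); the routing table embedded in it is constructed from the one posted, with `<WAN IP>` replaced by a documentation address.

```shell
#!/bin/sh
# /etc/vpn-policy-routing.localroutes.user -- added example, not code from the
# vpn-policy-routing project. Mirrors every directly-connected (scope link)
# route of the main table into the VPR routing tables, so that traffic from a
# policied subnet to another local VLAN is not forced out the table's default
# route. Assumptions: table ids 201 (wan) and 202 (vpn) as in the post above,
# and that VPR sources this file into its own shell, where its ipt helper is
# defined; that is the only situation in which routes are actually applied.

VPR_TABLES="${VPR_TABLES:-201 202}"   # assumed VPR defaults; override if yours differ

# Constructed sample of `ip route show table main`, modelled on the post;
# <WAN IP> replaced by a documentation address. Used only for dry runs/tests.
SAMPLE_MAIN_TABLE='0.0.0.0/1 via 10.8.2.1 dev tun0
default via 159.2.240.1 dev eth1.35 proto static src 203.0.113.10
10.8.2.0/24 dev tun0 proto kernel scope link src 10.8.2.19
104.156.210.168 via 159.2.240.1 dev eth1.35
128.0.0.0/1 via 10.8.2.1 dev tun0
159.2.240.0/22 dev eth1.35 proto kernel scope link src 203.0.113.10
192.168.1.0/24 dev eth0.1 proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev eth0.10 proto kernel scope link src 192.168.10.1
192.168.20.0/24 dev eth0.20 proto kernel scope link src 192.168.20.1'

# Select the directly-connected routes: 'scope link' entries with no gateway.
# This drops the default route, the 0/1 and 128/1 VPN split routes and any
# host route that points at a gateway.
local_routes() {
    printf '%s\n' "$1" | awk '/scope link/ && !/ via /'
}

# Emit one 'ip route replace' per local route and per VPR table. 'replace'
# is idempotent, so running this on every VPR restart is safe.
mirror_commands() {
    local_routes "$1" | awk -v tables="$VPR_TABLES" '{
        n = split(tables, t, " ")
        for (i = 1; i <= n; i++) print "ip route replace " $0 " table " t[i]
    }'
}

# Generate the commands from the live main table, then run them.
mirror_local_routes() {
    mirror_commands "$(ip route show table main)" | sh
}

# Only touch the kernel when running inside VPR (assumption: its ipt helper
# is visible because the file is sourced), never when the file is merely
# loaded in an ordinary shell for inspection.
if command -v ipt >/dev/null 2>&1; then
    mirror_local_routes
fi
```

To see what would be applied without changing anything, source the file in a normal shell (where `ipt` is undefined, so nothing runs) and call `mirror_commands "$(ip route show table main)"`; the printed `ip route replace ... table 201/202` lines are exactly what VPR would execute.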

Thanks @stangri, it seems to have fixed the problem. I did not test it yet, but there is no error message right now.


Anyone using VPR with VLANs wants to test a new version aimed at better supporting VLANs?

If you can add another repo (or just download the newer ipk): https://dev.melmac.net/openwrt-repo/ try the vpn-policy-routing 0.1.0-16.

Should it work when using a dynamic routing protocol such as babeld? OpenWrt isn't aware of the routes inserted by babeld which means they won't be copied to the different tables.

Not familiar with babeld -- does it insert routes in the main routing table?

I got Netflix and Amazon working well using the "Custom User Files" provided - vpn-policy-routing.netflix.user and .... aws.user. Traffic for my TV goes through a German VPN server, but Netflix and Amazon are going through the WAN.

I tried the same thing for BBC iPlayer by copying and adjusting the netflix.user file for the BBC ASN (TARGET_ASN='2818') and routing it through a PIA VPN server in the UK.

I also made a policy for the known addresses I could find on the internet:

config policy
        option comment 'UK Players'
        option remote_address 'bbc.co.uk bbci.co.uk bbctvapps.co.uk bbc.com bbc.net.uk sitestat.com bbcfmt.hs.llnwd.net bbci.co.uk.edgekey.net loris.llnwd.net bbci.co.uk.edgekey.net 23.3.13.178 23.3.13.146 178.79.192.0/18'
        option interface '4_GBR_VPN'

config include
        option path '/etc/vpn-policy-routing.netflix.user'

config include
        option path '/etc/vpn-policy-routing.aws.user'

config include
        option path '/etc/vpn-policy-routing.bbc.user'

I cannot get iPlayer to work. I can connect to the site but cannot stream content.

Has anyone had success using VPR to access BBC iPlayer outside the UK? If so, could you share your setup?