VPN Policy-Based Routing + Web UI -- Discussion

You want to forward/bypass all of these

bbctvapps.co.uk bbc.co.uk bbc.com bbc.net.uk sitestat.com bbci.co.uk bbcfmt.hs.llnwd.net bbci.co.uk.edgekey.net loris.llnwd.net bbci.co.uk.edgekey.net

The only way to do it properly (get all domain names) is to sniff dns requests at router.

Thanks. Unfortunately, having added the domains you mentioned, iplayer still does not work.

I did yesterday, have a look at packet capturing on the router. Only managed to get Cloudshark sort off working. But the problem seem to be that uploading a capture time of any more than 10 seconds would just seem to hang that process.

Despite a couple of 'vague' tutorials online, I couldn't figure out how a desktop based program such as wireshark works with LEDE.

Also, newb question here. If the router IP is within a subnet range that is excluded by policy-routing from the VPN does that mean the router is also excluded? Just because I am trying to figure out why I am unable to access the router from WAN yet I can access things like my NAS that aren't within that subnet even though I have setup policies and firewall rules for it on ports like 22, 80 and 443. If it is already bypassing the VPN then I am wondering if that a specific route for that IP is not needed and confusing it.

Another thing I haven't figured out is when a remote port would need to be used for bypassing/routing as the only way I have been able to get it work is to leave that blank and bypass on local ports only.

@DVS: there's a wiki article on how to run an OpenVPN server and client on router at the same time: https://lede-project.org/docs/user-guide/openvpnserverandclient -- just adjust the instructions for whatever service/port you want to make accessible on your router instead of an OpenVPN Server.

Oooh thank you I will check that out as I expect it answers my last question at least.

From my experience some dns requests might be cached and hence it does not work immediately after you apply it if you have just tried it. I would reboot the router, then make sure vpn-policy-routing is running (sometimes it fails to start for me) and only then test the iplayer.

You can use dnsmasq on the router to do that. See post #5 here
https://forum.openwrt.org/viewtopic.php?id=54048

I've used a setup like these two guides cover:
http://www.ayomaonline.com/security/analyzing-network-traffic-with-openwrt/

Please run /etc/init.d/vpn-policy-routing enable. I've used a problematic code in Web UI which could have disabled automatic start of the service in the past.

EDIT: Just realised I've been running an older version of policy routing.

I am going to spend some time digesting the helpful posts here and see how I get on - both with OpenVPN server/client combo and the iPlayer thing.

Thanks to all so far.


It's funny that you and dziny mention the command /etc/init.d/vpn-policy-routing enable. I got slightly side tracked with my original question regarding iPlayer/DNS names etc but am also interested in your guide about running OpenVPN server and client at the same time. After following all the instructions, and coming to the last one to enable policy routing, I get this error: -ash: /etc/init.d/vpn-policy-routing: not found

When I check the web interface, it shows as running. I also know it's running as I've always been able to bypass device IP addresses.

This addon is so helpful and powerful, and it simplifies my setup so much, your efforts are really appreciated @stangri.

I'm using Win 10 group policy to separate some of my apps for routing over the VPN via DSCP, and now I want to do the same (by matching user) on a pi. Previously I had a convoluted setup involving a split tunnel and iptables on the pi itself that routed a particular user over the tunnel, but I have to rebuild the box and so now I'm trying to simplify.

This iptables command seems to work, but I guess I would like to know if I need a more robust set of matches and excludes. Like excluding traffic that's local - that seems unnecessary because it won't be directed to the default gateway if it is, but maybe there's other things I have overlooked.

Anyways this is how I'm matching by user:

sudo iptables -t mangle -A OUTPUT -m owner --uid-owner vpnuser -j DSCP --set-dscp 0x10

Any comments or suggestions appreciated. I realize I have to make arrangements for the iptables to be persistent somehow.

thanks

If I remember correctly, the table/chain which this service uses by default affects only external traffic, so you shouldn't need to implement any additional rules to unmark local traffic.

1 Like

Thanks. If one day I were to want to install a torrent client on lede, could I use this addon to direct that traffic out the tunnel? Or would I be better off trying to find a package that binds to an interface (I'm not sure if any of the lede packages exist that can do this, I haven't checked)?

You will need to enable OUTPUT chain in advanced settings to affect external traffic from the router itself.

1 Like

What criteria would I use to identify the torrent package traffic?

Uhm, good question, I don't know really. Doesn't it bind to a local port?

Hey mate, just wanted to say first up this thing is awesome, usually open source linuxy things just don't work for me but this has been great!

I have a bit of an odd issue at the moment, have only noticed it on latest update to 0.0.1-16. What appears to be happening is if I make a change in the GUI on an existing rule to change which interface it will use, the entry in the PREROUTING chain doesn't seem to get updated. If i restart the vpn-policy-routing service in CLI then it works fine, so it seems at least for me that hitting save in the GUI doesn't actually update iptables.

I can probably put all the config up but an example is as below. I have two nordvpn tunnels setup, tun0 and tun1, which in LEDE are interface names nordvpntun and nordvpntun1 respectively.
What I have done to arrive at the below output is config for kuja working as expected on tun0, then in the GUI I change kuja to use tun1, which updates in /etc/config/vpn-policy-routing but seems nowhere else.
After making the change I would expect the PREROUTING rule for kuja to change from 0x30000 to 0x40000, but this will only happen if I manually restart the vpn-policy-routing service on the CLI.

/etc/config/vpn-policy-routing:
config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option dnsmasq_enabled '1'
option enabled '1'

config policy
option comment 'Kuja'
option local_addresses '192.168.1.253'
option interface 'nordvpntun1'

Relevant lines from /etc/init.d/vpn-policy-routing support:
IP Rules
32742: from all fwmark 0x40000 lookup 204
32743: from all fwmark 0x30000 lookup 203

IP Route Tables
IPv4 Table 203: default via 10.x.x.x dev tun0
IPv4 Table 204: default via 10.x.x.x dev tun1

iptables rules
-A VPR_PREROUTING -s 192.168.1.253/32 -m comment --comment Kuja -c 5157 717410 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun1 dst -c 0 0 -j MARK --set-xmark 0x40000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000

I have a question for anyone who's used this great service (and @stangri too):

I am aware we need to use

option route_nopull '1'

In the configuration file to prevent the VPN from adding default routes to the routing table.

However, I just encountered an issue where basically due to the option above, the VPN server isn't pushing the DNS to the client (my router) either, causing a DNS leak.

Has anyone come accross this problem or knows of a solution?

EDIT: To make it clearer, I would like to use the DNS that's pushed by the openvpn server (using dhcp-option), and not a custom OpenDNS/Google DNS.
However, dhcp-option are not applied when using route_nopull.

Thanks!

1 Like

You can push manually your favourite DNS server to go through the tunnel.

route 8.8.8.8 255.255.255.255 vpn_gateway

in your openvpn client config for the google dns server.

1 Like

Thanks.
I understand that, however, I want to use the DNS that's pushed by the OpenVPN server on the tun0/tun1 interfaces (but it's prevented from being pushed due to route_npull 1).

Any ideas?

I have the same issue and never really figured it out. It would be great if someone could provide a quick guide on how to do this.