Wow, just discovered this today and it's great! One issue: the DSCP field doesn't seem to make an iptables rule.
config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '0'
option ipset_enabled '1'
option dnsmasq_enabled '0'
option strict_enforcement '1'
option enabled '1'
option vpn_dscp '22'
root@LEDE:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.0.1-16 running on LEDE 17.01.4. WAN (IPv4): wan/dev/65.XX.XX.XX. WAN (IPv6): wan/dev6/....
============================================================
Dnsmasq version 2.78 Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default 65.XX.XX.XX 0.0.0.0 UG 0 0 0 eth1
32533: from all fwmark 0x20000 lookup 202
32534: from all fwmark 0x10000 lookup 201
32613: from all fwmark 0x30000 lookup 203
IPv4 Table 201: default via 65.XX.XX.XX dev eth1
IPv4 Table 202: default via 10.XX.XX.5 dev tun0
IPv4 Table 203: default via 10.XX.XX.5 dev tun0
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
I set up the rule manually on the router to mark dscp=22 with the packet marking for tun0, and then the traffic starts going through the VPN.
root@LEDE $ iptables -A VPR_PREROUTING -t mangle -m dscp --dscp 22 -j MARK --set-xmark 0x20000/0xff0000
I am trying to get OpenVPN server and client to work at the same time using this guide, but I'm not sure what or where the issue is. Both server and client work fine independently.
Config files included below.
/etc/config/vpn-policy-routing
config policy
option comment 'OpenVPN Server'
option local_ports '1194'
option interface 'wan'
config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '1'
option strict_enforcement '1'
option dnsmasq_enabled '1'
option output_chain_enabled '1'
list ignored_interface 'vpnserver'
option enabled '1'
/etc/init.d/vpn-policy-routing support
root@LEDE:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.0.1-16 running on Lede SNAPSHOT. WAN (IPv4): wan/dev/172.16.0.1. WAN (IPv6): wan/dev6/fe80::/64.
============================================================
Dnsmasq version 2.78 Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default 172.21.32.1 128.0.0.0 UG 0 0 0 tun0
default 172.16.0.1 0.0.0.0 UG 0 0 0 eth1.2
32760: from all fwmark 0x20000 lookup 202
32761: from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via 172.16.0.1 dev eth1.2
IPv4 Table 202: default via 172.21.32.1 dev tun0
============================================================
IP Tables PREROUTING
- ARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p tcp -m multiport --sports 1194 -m comment --comment OpenVPN_Server -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set VPN_FW dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 140 15962 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP6 Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -p tcp -m multiport --sports 1194 -m comment --comment OpenVPN_Server -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set VPN_FW6 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan6 dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -p tcp -m multiport --sports 1194 -m comment --comment OpenVPN_Server -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_OUTPUT -m set --match-set VPN_FW dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IPv6 Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -p tcp -m multiport --sports 1194 -m comment --comment OpenVPN_Server -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_OUTPUT -m set --match-set VPN_FW6 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan6 dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
add wan X.x.x.x
add wan x.x.x.x
add wan x.x.x.x
add wan x.x.x.x
add wan x.x.x.x
add wan x.x.x.x
add wan x.x.x.x
add wan x.x.x.x
add wan x.x.x.x
create wan6 hash:net family inet6 hashsize 1024 maxelem 65536 comment
create VPN_FW hash:net family inet hashsize 1024 maxelem 65536 comment
create VPN_FW6 hash:net family inet6 hashsize 1024 maxelem 65536 comment
============================================================
DNSMASQ ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [β]
/etc/init.d/vpn-policy-routing reload
root@LEDE:~# /etc/init.d/vpn-policy-routing reload
Creating table 'wan/eth1.2/172.16.0.1/fe80::/64' [β]
Creating table 'VPN_FW/tun0/172.21.32.1/fe80::779f:5d7e:6b50:1' [β]
Routing 'OpenVPN Server' via wan [β]
vpn-policy-routing 0.0.1-16 started on wan/eth1.2/172.16.0.1/fe80::/64 VPN_FW/tun0/172.21.32.1/fe80::779f:5d7e:6b50:1 [β]
vpn-policy-routing 0.0.1-16 monitoring interfaces: wan VPN_FW [β]
/etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option network 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'Guest'
option input 'REJECT'
option network 'Guest'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'Guest DNS'
option src 'Guest'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '67-68'
option name 'Guest DHCP'
option src 'Guest'
config forwarding
option dest 'wan'
option src 'Guest'
config forwarding
option dest 'wan'
option src 'lan'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src '*'
option proto 'tcpudp'
option dest_port '1194'
config zone
option name 'vpnserver'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
option network 'vpnserver'
config forwarding
option src 'vpnserver'
option dest 'wan'
config forwarding
option src 'vpnserver'
option dest 'lan'
config zone
option name 'VPN_FW'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'VPN_FW'
config forwarding
option dest 'VPN_FW'
option src 'lan'
config forwarding
option src 'vpnserver'
option dest 'VPN_FW'
/etc/config/openvpn
config openvpn 'custom_config'
option config '/etc/openvpn/my-vpn.conf'
config openvpn 'vpnserver'
option enabled '1'
option dev_type 'tun'
option dev 'ovpns0'
option port '1194'
option comp_lzo 'yes'
option keepalive '10 120'
option persist_key '1'
option persist_tun '1'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/my-server.crt'
option key '/etc/openvpn/my-server.key'
option dh '/etc/openvpn/dh2048.pem'
option tls_auth '/etc/openvpn/tls-auth.key 0'
option mode 'server'
option tls_server '1'
option server '192.168.200.0 255.255.255.0'
option topology 'subnet'
option route_gateway 'dhcp'
option client_to_client '1'
option log '/tmp/openvpn.log'
option verb '5'
list push 'comp-lzo yes'
list push 'persist-key'
list push 'persist-tun'
list push 'topology subnet'
list push 'route-gateway dhcp'
list push 'redirect-gateway def1'
list push 'route 192.168.200.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.1.1'
option proto 'tcp'
Are you saying you have not had a chance to fully look at my /etc/config/openvpn I posted, or that what I have posted is incorrect? I disabled IPv6 but still have the same issue.
The only option that works is manually pushing the OpenVPN Server's DNS to the clients. This will work in cases where you have traffic routed through the VPN tunnel from a whole interface/DHCP range. But for Domain-based policies, the only DNS that gets used is the WAN's DNS.
Sorry, I keep missing a post here or there and only come to find them again a week or so later.
Please confirm that you're clicking "SAVE & APPLY" when you finish making changes in the Web UI and that this still doesn't result in the service being reloaded with the new changes taking effect?
Hi @stangri, apologies, should have tagged you in the post.
I meant to reply sooner, I also found the same situation when using uci so it's not specific to using the GUI. I've also just updated vpn-policy-routing and luci-app-vpn-policy-routing with the same results.
Please see the output below; hopefully it shows what I'm experiencing. Steps are:
- Show commands for uci config and iptables being in line
- uci update and commit
- Show commands for updated uci config, but iptables has not updated
- Restart the service, then another show of iptables being updated correctly
root@jenova:~# uci show vpn-policy-routing.@policy[0]
vpn-policy-routing.cfg036ff5=policy
vpn-policy-routing.cfg036ff5.comment='Kuja'
vpn-policy-routing.cfg036ff5.local_addresses='192.168.1.253'
vpn-policy-routing.cfg036ff5.interface='nordvpntun'
root@jenova:~# iptables -L VPR_PREROUTING -t mangle
Chain VPR_PREROUTING (1 references)
target prot opt source destination
MARK all -- ps4.midgar anywhere /* PS4 */ MARK xset 0x10000/0xff0000
MARK all -- 192.168.1.0/24 10.1.0.0/28 /* LAN_to_VPN_Clients */ MARK xset 0x20000/0xff0000
MARK all -- 192.168.1.64/26 anywhere /* DHCP_LAN_Clients */ MARK xset 0x10000/0xff0000
MARK all -- samsunght.midgar anywhere /* Samsung_HT */ MARK xset 0x10000/0xff0000
MARK all -- kuja.midgar anywhere /* Kuja */ MARK xset 0x30000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun1 dst MARK xset 0x40000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun dst MARK xset 0x30000/0xff0000
MARK all -- anywhere anywhere match-set vpnsvr0 dst MARK xset 0x20000/0xff0000
MARK all -- anywhere anywhere match-set wan dst MARK xset 0x10000/0xff0000
root@jenova:~# uci set vpn-policy-routing.@policy[0].interface=nordvpntun1
root@jenova:~# uci commit
root@jenova:~# uci show vpn-policy-routing.@policy[0]
vpn-policy-routing.cfg036ff5=policy
vpn-policy-routing.cfg036ff5.comment='Kuja'
vpn-policy-routing.cfg036ff5.local_addresses='192.168.1.253'
vpn-policy-routing.cfg036ff5.interface='nordvpntun1'
root@jenova:~# iptables -L VPR_PREROUTING -t mangle
Chain VPR_PREROUTING (1 references)
target prot opt source destination
MARK all -- ps4.midgar anywhere /* PS4 */ MARK xset 0x10000/0xff0000
MARK all -- 192.168.1.0/24 10.1.0.0/28 /* LAN_to_VPN_Clients */ MARK xset 0x20000/0xff0000
MARK all -- 192.168.1.64/26 anywhere /* DHCP_LAN_Clients */ MARK xset 0x10000/0xff0000
MARK all -- samsunght.midgar anywhere /* Samsung_HT */ MARK xset 0x10000/0xff0000
MARK all -- kuja.midgar anywhere /* Kuja */ MARK xset 0x30000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun1 dst MARK xset 0x40000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun dst MARK xset 0x30000/0xff0000
MARK all -- anywhere anywhere match-set vpnsvr0 dst MARK xset 0x20000/0xff0000
MARK all -- anywhere anywhere match-set wan dst MARK xset 0x10000/0xff0000
root@jenova:~#
root@jenova:~# service vpn-policy-routing restart
vpn-policy-routing 0.0.1-17b07 stopped [β]
Creating table 'wan/eth1/<snip>' [β]
Creating table 'vpnsvr0/tunsvr0/10.1.0.1' [β]
Creating table 'nordvpntun/tun0/10.8.8.33' [β]
Creating table 'nordvpntun1/tun1/10.8.8.5' [β]
Routing 'Kuja' via nordvpntun1 [β]
Routing 'Samsung HT' via wan [β]
Routing 'DHCP LAN Clients ' via wan [β]
Routing 'LAN to VPN Clients' via vpnsvr0 [β]
Routing 'PS4' via wan [β]
vpn-policy-routing 0.0.1-17b07 started on wan/eth1/<snip> vpnsvr0/tunsvr0/10.1.0.1 nordvpntun/tun0/10.8.8.33 nordvpntun1/tun1/10.8.8.5 [β]
vpn-policy-routing 0.0.1-17b07 monitoring interfaces: wan vpnsvr0 nordvpntun nordvpntun1 [β]
root@jenova:~# iptables -L VPR_PREROUTING -t mangle
Chain VPR_PREROUTING (1 references)
target prot opt source destination
MARK all -- ps4.midgar anywhere /* PS4 */ MARK xset 0x10000/0xff0000
MARK all -- 192.168.1.0/24 10.1.0.0/28 /* LAN_to_VPN_Clients */ MARK xset 0x20000/0xff0000
MARK all -- 192.168.1.64/26 anywhere /* DHCP_LAN_Clients */ MARK xset 0x10000/0xff0000
MARK all -- samsunght.midgar anywhere /* Samsung_HT */ MARK xset 0x10000/0xff0000
MARK all -- kuja.midgar anywhere /* Kuja */ MARK xset 0x40000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun1 dst MARK xset 0x40000/0xff0000
MARK all -- anywhere anywhere match-set nordvpntun dst MARK xset 0x30000/0xff0000
MARK all -- anywhere anywhere match-set vpnsvr0 dst MARK xset 0x20000/0xff0000
MARK all -- anywhere anywhere match-set wan dst MARK xset 0x10000/0xff0000
I've fixed a bug with using ucitrack (for reloading on changes done in WebUI) and added a trigger to reload the service on the uci commit changes in 0.0.1-18. Having said that, I don't think that there's a working mechanism in OpenWrt to reload the service on the uci commit -- even with that trigger you need to call another command (like reload_config or some such).
Hi @stangri, any thoughts on how to combine firewall port forwarding with the VPN policy routing? If a port is forwarded from the VPN provider to the tun0 device, I cannot seem to find a way to route an external request from tun0 to the serving LAN IP and get the response to go back out via the tunnel.
Thanks for any advice. I have been at this for about a week and have gotten as far as the request making its way to the LAN IP, but the response makes its way through netfilter and, with tcpdump, I watch it go out the WAN interface even though the src IP of the packet belongs to tun0.
I should note that the port numbers need translation as well: the external tun0 port is 8080 and the internal port on the LAN is 80.
Could you provide clean link to the source code please?
Your website states:
SDK
The packages are in various branches at my packages source and my luci source repositories. Check out the code you want and add it to your SDK by adding src-link to feeds.conf (OpenWrt 15.05.1) or feeds.conf.default (LEDE Project and OpenWrt 18.xx or later).
However the links to your github forks of the luci and package feeds do not seem to contain vpn-policy-routing at the moment.
I have the policy-based routing working, but if I kill the VPN, the device that I have under the policy instantly switches over to my WAN connection. I have strict enforcement on. I used the commands at https://pastebin.com/SUPRRs9D to set up the VPN originally. Any ideas?
config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '0'
option ipset_enabled '1'
option dnsmasq_enabled '0'
option enabled '1'
option strict_enforcement '1'
config policy
option interface 'pia'
option comment 'DELUGE'
option local_addresses '192.168.1.201'
Creating table 'wan/eth1.2/192.168.0.1' [β]
Creating table 'pia/ovpnc0/10.42.10.5' [β]
Routing 'DELUGE' via pia [β]
vpn-policy-routing 0.0.1-18 started on wan/eth1.2/192.168.0.1 pia/ovpnc0/10.42.10.5 [β]
vpn-policy-routing 0.0.1-18 monitoring interfaces: wan pia [β]
vpn-policy-routing 0.0.1-18 running on Lede SNAPSHOT. WAN (IPv4): wan/dev/192.168.0.1. WAN (IPv6): wan/dev6/fe80::/64.
============================================================
Dnsmasq version 2.79rc1 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth1.2
32730: from all fwmark 0x20000 lookup 202
32731: from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via 192.168.0.1 dev eth1.2
IPv4 Table 202: default via 10.42.10.5 dev ovpnc0
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.201/32 -m comment --comment DELUGE -c 9 1188 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set pia dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create pia hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
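Added example for this thread (it is not code from the vpn-policy-routing package or from any poster): a small Python checker that reads the text printed by `/etc/init.d/vpn-policy-routing support` and cross-references the three pieces that policy routing depends on, the MARK rules in VPR_PREROUTING, the `ip rule` fwmark entries, and the per-table default routes. It covers two points raised above: the first post's missing DSCP rule (the checker reports whether any VPR_PREROUTING rule matches on `--dscp`), and the DELUGE post's switch-over to WAN when the tunnel is killed. The second point rests on standard Linux policy-routing behaviour rather than on anything this package promises: when an interface goes down the kernel drops the routes via it, and a `fwmark ... lookup 202` rule whose table then matches nothing simply continues to the next rule and finally the main table, whose default route is the WAN. Only a route that survives the interface loss, such as an `unreachable` default with a higher metric in the same table, stops that fall-through. Assumptions: the line formats are the ones shown in this thread; the `SAMPLE` text is constructed from the redacted DELUGE output above; `SAMPLE_HARDENED`, the `--dscp 0x16` save-format and the way an `unreachable` route would appear in the support output are my own constructions, not something the page shows.

```python
"""Consistency check for the fwmark plumbing shown by `vpn-policy-routing support`.

Added example for the forum thread; not part of the vpn-policy-routing package.
It parses the "Routes/IP Rules" block and the VPR_PREROUTING dump and reports:
  * which routing table each MARK rule reaches (mark -> ip rule -> table -> dev);
  * whether any rule matches on DSCP (the rule missing in the first post);
  * tunnel tables with no fallback route, where an interface drop empties the
    table and the fwmark lookup continues to the main table, i.e. the WAN.
"""
import re

RULE_RE = re.compile(r"^\d+:\s+from all fwmark (0x[0-9a-f]+) lookup (\d+)$", re.I)
TABLE_RE = re.compile(r"^IPv4 Table (\d+): (.+)$")
MARK_RE = re.compile(r"-j MARK --set-xmark (0x[0-9a-f]+)/(0x[0-9a-f]+)", re.I)
FALLBACK_TYPES = ("unreachable", "prohibit", "blackhole")


def parse_ip_rules(text):
    """fwmark value -> table id, from 'NNN: from all fwmark 0x... lookup N' lines."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1), 16)] = int(m.group(2))
    return rules


def parse_tables(text):
    """table id -> list of {"type", "dev"} for each 'IPv4 Table N: ...' line."""
    tables = {}
    for line in text.splitlines():
        m = TABLE_RE.match(line.strip())
        if not m:
            continue
        route = m.group(2)
        first = route.split()[0]
        dev = re.search(r"\bdev (\S+)", route)
        tables.setdefault(int(m.group(1)), []).append({
            "type": first if first in FALLBACK_TYPES else "unicast",
            "dev": dev.group(1) if dev else None,
        })
    return tables


def parse_mangle(text, chain="VPR_PREROUTING"):
    """(match expression, mark, mask) for every '-A <chain> ... -j MARK' line.

    The iptables-save counters ('-c N N') are dropped so the match text is stable."""
    prefix = "-A " + chain + " "
    out = []
    for line in text.splitlines():
        line = line.strip()
        m = MARK_RE.search(line) if line.startswith(prefix) else None
        if not m:
            continue
        match = re.sub(r"\s*-c \d+ \d+\s*", " ", line[len(prefix):m.start()]).strip()
        out.append((match, int(m.group(1), 16), int(m.group(2), 16)))
    return out


def check(support_text, wan_dev):
    """Cross-reference mangle marks, ip rules and tables; return a report dict."""
    rules = parse_ip_rules(support_text)
    tables = parse_tables(support_text)
    report = {"routes": [], "unrouted": [], "dscp_rule": False, "no_fallback": []}
    for match, mark, _mask in parse_mangle(support_text):
        if "--dscp" in match:
            report["dscp_rule"] = True
        # The ip rules in the thread carry no /mask, so they match the whole
        # mark: the value set by the MARK rule must equal the fwmark in the rule.
        table = rules.get(mark)
        if table is None:
            report["unrouted"].append(match)
            continue
        devs = [r["dev"] for r in tables.get(table, []) if r["dev"]]
        report["routes"].append((match, mark, table, devs[0] if devs else None))
    for table, routes in tables.items():
        devs = {r["dev"] for r in routes}
        has_fallback = any(r["type"] in FALLBACK_TYPES for r in routes)
        if wan_dev not in devs and not has_fallback:
            report["no_fallback"].append(table)   # tunnel loss -> main table -> WAN
    return report


# Constructed from the DELUGE post in the thread (addresses as redacted there).
SAMPLE = """\
Routes/IP Rules
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth1.2
32730: from all fwmark 0x20000 lookup 202
32731: from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via 192.168.0.1 dev eth1.2
IPv4 Table 202: default via 10.42.10.5 dev ovpnc0
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.201/32 -m comment --comment DELUGE -c 9 1188 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set pia dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
"""

# Constructed: the same box with the first post's manual DSCP rule added and a
# high-metric 'unreachable' route kept in the tunnel table (assumed print format).
SAMPLE_HARDENED = SAMPLE.replace(
    "IPv4 Table 202: default via 10.42.10.5 dev ovpnc0\n",
    "IPv4 Table 202: default via 10.42.10.5 dev ovpnc0\n"
    "IPv4 Table 202: unreachable default metric 1000\n",
) + "-A VPR_PREROUTING -m dscp --dscp 0x16 -j MARK --set-xmark 0x20000/0xff0000\n"

if __name__ == "__main__":
    for name, text in (("as posted", SAMPLE), ("hardened", SAMPLE_HARDENED)):
        print(name, check(text, wan_dev="eth1.2"))
```

On a router, save the support output with `/etc/init.d/vpn-policy-routing support > /tmp/support.txt` and call `check(open("/tmp/support.txt").read(), "eth1.2")` with your own WAN device. For the DELUGE output the report lists table 202 under `no_fallback` and `dscp_rule` as `False`; the hardened sample clears both. The checker only reads text, so it is safe to run while the service is live, and it deliberately does not try to reproduce what `strict_enforcement` installs, since that is not visible in the output posted here.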
Hi @stangri, this is an excellent module, and easy to use for a newbie like me.
I have a question regarding policy routing with local ports, which I can't seem to get working... I am looking to set up my uTorrent so that anything in a given port range goes through the VPN. I have successfully tested the policy route with an IP address, but I'm not able to with a local port; is there something wrong with my settings?
Has anyone been able to redirect to different DNS servers based on the routing? i.e. one DNS server for traffic that will be routed over the VPN and another for the WAN.