VPN Policy-Based Routing + Web UI -- Discussion

@stangri Thank you. So I found this CIDR calculator https://mxtoolbox.com/subnetcalculator.aspx

Am I right in thinking if I enter 192.168.1.96/29, the PBR will work over 96 - 103?

That should work according to the README, as the example is noted as ‘Local Subnet’. Typically 192.168.1.96 would be your network address and 192.168.1.103 would be your broadcast address, so you would lose those two, and the netmask would be 255.255.255.248, but I expect @stangri is just using the prefix to calculate the desired local IP range.

Thank you.....

But wouldn't 192.168.1.96 - 192.168.1.103 all be available to clients?

I assume the netmask of 255.255.255.248 is not used? It is just a by-product of using CIDR to give the IP address range?

I'm just passing it to iptables rule or an ipset, so it's up to them how to handle those.
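An added example (not code from the thread or from the vpn-policy-routing project) of what "passing it to iptables or an ipset" means for the 192.168.1.96/29 question above: the match is a bitmask comparison, so the network and broadcast addresses of the prefix are matched like any other host, and a prefix written with a non-aligned address such as 192.168.1.100/29 covers the same eight addresses. The host list is constructed for illustration.

```python
def ip_to_int(ip):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    """32-bit integer back to dotted-quad form."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def prefix_mask(plen):
    """Netmask for a /plen prefix, e.g. /29 -> 255.255.255.248."""
    return (0xFFFFFFFF << (32 - int(plen))) & 0xFFFFFFFF

def cidr_range(cidr):
    """(netmask, first, last) address covered by a CIDR prefix; the host part
    of the given address is ignored, so 192.168.1.100/29 spans .96-.103."""
    net, plen = cidr.split("/")
    mask = prefix_mask(plen)
    first = ip_to_int(net) & mask
    last = first | (~mask & 0xFFFFFFFF)
    return int_to_ip(mask), int_to_ip(first), int_to_ip(last)

def matches(ip, cidr):
    """The test an iptables -s/-d match or an ipset hash:net entry applies:
    (ip & mask) == (network & mask). The prefix's network and broadcast
    addresses pass this test like any other address."""
    net, plen = cidr.split("/")
    mask = prefix_mask(plen)
    return (ip_to_int(ip) & mask) == (ip_to_int(net) & mask)

def policy_hits(cidr, hosts):
    """Which of the given LAN hosts a policy with src_addr=cidr would steer."""
    return [h for h in hosts if matches(h, cidr)]

# Constructed host list straddling the thread's 192.168.1.96/29 example.
LAN_HOSTS = ["192.168.1.95", "192.168.1.96", "192.168.1.100",
             "192.168.1.103", "192.168.1.104"]
```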

Thanks for that distinction.

Is there no way to get a killswitch working with this on?

I'm assuming the killswitch doesn't work because for this to work I had to enable forwarding from lan to wan again.

FYI - I upgraded from vpn-policy-routing 0.2.1-21 to vpn-policy-routing 0.2.1-23 and it did not add the 200 series tables. The only difference I see in the files is lines 606 & 607. Did restarts of VPBR and OpenVPN along with a router reboot but same issue. I reverted back to vpn-policy-routing 0.2.1-21 and works OK.

vpn-policy-routing 0.2.1-21 good result:

Line difference:

Hi Stan. I'm trying to include VPR in a minimal image on a 4MB router so that I can set up WireGuard. I have to use 18.06.8 sources (to get everything to fit) and add VPR from your git sources. The VPR LuCI app doesn't seem to show the enable button. (It does when building from 19.07 for another router.)

Btw, with some trickery I also included BanIP and Simple-Adblock in the same image. They seem to work fine! Thanks so much!

I had to go from 0.2.1-21 to 0.2.1-25 and back to 0.2.1-21. I unfortunately didn't have time to troubleshoot as it was late at night and I needed it working to avoid screaming children in the early hours the next day.

I have 2 tunnels through which I route specific devices in a hierarchy, using a default WAN of 192.168.0.1/24. I was getting functionality to the tunnels, but defaulting devices to the WAN did not work at all, therefore I reverted to 0.2.1-21.

I'm using snapshot r13951.

@FCS001FCS, sorry, I forgot I was experimenting with the routing tables and didn't fix the code before accidentally pushing the binary to the repo.

You should be thanking @dibdot for banip (and for portions of the code in the simple-adblock too)!

Looks like the luci app cannot find the principal package installed -- it checks via opkg list-installed vpn-policy-routing.

Upgraded to "vpn-policy-routing 0.2.1-25" from "0.2.1-21" and it seems to work fine after a reboot. No uptime yet but will keep an eye on it.

Model Linksys WRT3200ACM
Architecture ARMv7 Processor rev 1 (v7l)
Firmware Version OpenWrt SNAPSHOT r13342-e35e40ad82 / LuCI Master git-20.144.63033-62ed4e6
Kernel Version 5.4.42

I have 2 VPNs setup and have the WAN as the default route and fallback if VPNs are not available.

Thanks @dibdot :smiley: and thank you too :slight_smile:
I got BanIP/Simple-Adblock working with a "fake" opkg script and by faking various *.control files, but forgot to check if luci-app-VPR used opkg to check whether VPR was installed. Now it works :smiley:

I am having the same issue with VPBR not reloading when an OpenVPN tun goes down and back up. It loses the table and it is not listed anymore in the "Active IPv4-Routes". A manual VPBR "Restart" lists the table again.

I tried the "70-vpn-policy-routing" script in "/etc/hotplug.d/iface" but it does not trigger.

Any Ideas on how to fix this behaviour?

System Log Extract:

Thu Aug 6 23:25:13 2020 daemon.notice netifd: Network device 'tun1' link is down
Thu Aug 6 23:25:13 2020 daemon.notice netifd: Interface '2_NLD_VPN' has link connectivity loss
Thu Aug 6 23:25:14 2020 daemon.notice netifd: Network device 'tun1' link is up
Thu Aug 6 23:25:14 2020 daemon.notice netifd: Interface '2_NLD_VPN' has link connectivity

70-vpn-policy-routing:

#!/bin/sh
# OpenWrt /etc/hotplug.d/iface script: netifd runs it with ACTION, INTERFACE and DEVICE set.

# Only react to an interface coming up or being updated; ignore ifdown and other events.
if [ "$ACTION" != "ifup" ] && [ "$ACTION" != "ifupdate" ]; then exit 0; fi

logger -t vpn-policy-routing "Reloading vpn-policy-routing due to $ACTION of $INTERFACE ($DEVICE)"
/etc/init.d/vpn-policy-routing reload

vpn-policy-routing 0.2.1-25

Model Linksys WRT3200ACM
Architecture ARMv7 Processor rev 1 (v7l)
Firmware Version OpenWrt SNAPSHOT r13342-e35e40ad82 / LuCI Master git-20.144.63033-62ed4e6
Kernel Version 5.4.42

Because of the ACL in the newer releases of OpenWrt I've been slowly converting all of my luci apps to not rely on opkg command and parse the /usr/lib/opkg/status file. The next version of VPR luci app will be doing the same.

If the iface hotplug script is not being triggered, I have no idea how to fix that.

Ok, thanks, I will research it and see if I can find the non-triggering issue.

What should be done if I want my iPad to go through the VPN with its IP 192.168.1.114?
Please guide.
Thanks

So I have ordered hardware for an upcoming router which I'm planning on running OpenWrt on.
I'm trying to learn OpenWrt things to be somewhat prepared for the real deal.

I've set up 2 VMs: one is OpenWrt on x86_64 and one is just Win10 connected to the OpenWrt LAN (host-only network).

The OpenWrt VM is set up as:
WAN -> DHCP client from my real router, which I'm using until I get the hardware and can set up the OpenWrt router
LAN -> DHCP from VirtualBox, host-only network

I installed luci-app-wireguard and luci-app-vpn-policy-routing + vpn-policy-routing to test this out, because it's a good thing in my current setup, so I want to learn it.

I followed the Mullvad (VPN provider for my WireGuard client) guide: https://mullvad.net/sv/help/running-wireguard-router/ - I did NOT do the DHCP/DNS steps because I believe they're not needed in my current VM setup(?)

The wireguard tunnel works and is online.

I want to be able to policy-route some IPs / subnets to WAN, for example.

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'wg_mlvd'
        option name 'wg_mlvdzone'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'

config forwarding
        option dest 'wg_mlvdzone'
        option src 'lan'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd61:4966:0236::/48'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0'

config interface 'lan'
        option proto 'dhcp'
        option ifname 'eth1'
        option gateway '192.168.1.42'

config interface 'wg_mlvd'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option force_link '1'
        list addresses 'xx.xx.xxx.xxx/32'

config wireguard_wg_mlvd
        option endpoint_host 'xxx.xx.xxx.xxx'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'

/etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset 'dnsmasq.ipset'
        option ipv6_enabled '0'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option iprule_enabled '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option enabled '1'
        list supported_interface 'wg_mlvd'
        list supported_interface 'wan'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

config policy
        option name 'Win10-VM'
        option src_addr '192.168.214.13'
        option proto 'all'
        option interface 'wan'
        option chain 'PREROUTING'

The thing is, if I select proto 'tcp udp', I can ping from the Windows 10 VM but not surf; ping works, which I find weird.
When selecting proto 'all', nothing works.
When selecting interface 'wireguard', it all works, but it doesn't go to WAN then, which is what I want.

Please let me know if there is additional information I forgot to mention here that you need to help me.

I'd appreciate it a lot if I could get help.
Thanks

EDIT: I might be wrong, but from more testing around, it seems it has to do with the firewall and/or allowed_ips in the WireGuard peer configuration under the interface.
When I set allow forwarding in the firewall general rules, traffic seems to get through, although it still seems to go through WireGuard, even though WAN is set as the interface for the policy.

EDIT #2: It seems like I have sorted it out for now; I had incorrect settings in input/output/forward in the firewall.
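Both this post and the earlier killswitch question (where forwarding from lan to wan had to be re-enabled for a WAN policy to work) hit the same thing: a VPR policy only steers the routing decision, and the firewall still has to allow lan to forward into the zone of the target interface. The firewall above only has a lan to wg_mlvdzone forwarding, so the 'Win10-VM' policy to 'wan' has nowhere to go. Below is an added check (not code from the thread or from the vpn-policy-routing project) that parses UCI-style text and reports every policy whose target interface's zone lacks such a forwarding; the config excerpt is constructed, modelled on the one posted.

```python
import re

# Constructed excerpt modelled on the configs posted above, not the poster's exact files.
FIREWALL = """
config zone
        option name 'wan'
        option network 'wan'
config zone
        option name 'wg_mlvdzone'
        option network 'wg_mlvd'
config forwarding
        option src 'lan'
        option dest 'wg_mlvdzone'
"""
VPR = """
config policy
        option name 'Win10-VM'
        option src_addr '192.168.214.13'
        option interface 'wan'
config policy
        option name 'Tunnelled'
        option src_addr '192.168.214.20'
        option interface 'wg_mlvd'
"""

def parse_uci(text):
    """Parse UCI text into (section_type, {key: value}) tuples; repeated
    'list' entries are joined with spaces, as UCI does for 'option network'."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"^\s*config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'", line)
        if m and sections:
            kind, key, val = m.groups()
            old = sections[-1][1].get(key)
            sections[-1][1][key] = f"{old} {val}" if old and kind == "list" else val
    return sections

def missing_forwardings(firewall_text, vpr_text, src_zone="lan"):
    """Names of VPR policies whose target interface sits in a zone that src_zone
    has no 'config forwarding' to: the firewall silently drops that traffic."""
    fw = parse_uci(firewall_text)
    net_to_zone = {n: d["name"] for typ, d in fw if typ == "zone"
                   for n in d.get("network", "").split()}
    allowed = {(d.get("src"), d.get("dest")) for typ, d in fw if typ == "forwarding"}
    return [d["name"] for typ, d in parse_uci(vpr_text) if typ == "policy"
            and (src_zone, net_to_zone.get(d.get("interface"))) not in allowed]
```

Adding a `config forwarding` with src 'lan' and dest 'wan' makes the report empty, which is the fix the poster ended up with, at the cost of the killswitch behaviour discussed earlier in the thread.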


A little belated, I appreciate, but thanks for the advice: it informed me enough not to pursue what I was trying to do. I decided my needs were best served with a layer 2 Ethernet bridge VPN setup and letting the policy routing happen on the server side. It's more transparent to the clients and ultimately simpler.