VPN Policy-Based Routing + Web UI -- Discussion

No problem at all. Mostly cosmetic as all seems to work OK.

Hi everyone!
In my country, some websites are blocked and cannot be accessed, e.g. bbc.com; those websites can only be accessed via VPN. I want traffic to go to the internet by default not through the VPN, and the blocked websites to go through the VPN. Could anyone share a config for the same case as mine? Thank you in advance!

Issue: VBR not reloading when VPN route goes down and up (new route IP) as happens from time to time triggered by my VPN provider PIA. This has been an issue for me on Davic502's last image and also on the latest Snapshot Image I built a few days ago.

I have had this issue for some time and @stangri recommended the hot-plug solution with "70-vpn-policy-routing" in "/etc/hotplug.d/iface"; this did not work for me. Triggering did not work and I was not knowledgeable enough to figure out the hot-plug problem.

So I have been trying and trying various workarounds and seem to have finally found one that may work; time will tell if it is a 100% solution, but I thought I would put it out in case someone else is having the same issue.

I have 2 active VPNs to different countries always active in PIA, with the WAN as a fall-back if one of those 2 routes goes down, using list pull_filter 'ignore "redirect-gateway"' in my OpenVPN config file. I use VBR based on home network static IPs to direct some IPs to one or the other VPN.

I added the following 2 lines to the same OpenVPN config file for both of the 2 VPNs:

option script_security '2'
option route_up '"/etc/init.d/vpn-policy-routing reload"'
Note the double quotes inside the single quotes.

This reloads VBR on a route_up of either of the 2 VPNs and seems to work by reloading VBR with the new VPN route IP. I will give it a try for the next few days to see if it indeed works as expected.

Just FYI

Hi everyone!
I configured VPR but cannot access voatiengviet.com. Here is my config.

/etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	list supported_interface 'vpn'
	option enabled '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option name 'voa'
	option interface 'vpn'
	option dest_addr 'voatiengviet.com'

/etc/openvpn/vpn.ovpn

dev tun
proto udp
remote sg2-smart.serverlocation.co 444
resolv-retry infinite
client
auth-user-pass /etc/openvpn/pw
nobind
persist-key
persist-tun
remote-cert-tls server
compress lzo
reneg-sec 0
pull-filter ignore "redirect-gateway"
cipher AES-256-CBC
auth SHA256
# Uncomment following line if you use MS Windows
# block-outside-dns
verb 3
<ca>
...

I can access voatiengviet.com when the config policy is:

config policy
	option name 'all'
	option src_addr '192.168.1.0/24'
	option interface 'vpn'

Could anyone help me? Thank you very much!

Hi there, I'm unable to get it working.
Here is my config:
/etc/config/network

[...]
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '51820'
        option private_key 'XXXXXX'
        list addresses '10.20.40.2'
        list addresses 'fde3:c0de:bad:beef::2'

config wireguard_wg0
        option public_key 'XXXXXXXXX'
        option description 'some-host.net'
        option endpoint_host '194.xxx.xxx.xxx'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

/etc/init.d/vpn-policy-routing support

vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.3. WAN (IPv4): wan/dev/192.168.178.1.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         fritzbox.xxx    0.0.0.0         UG    0      0        0 eth0.2
IPv4 Table 201: default via 192.168.178.1 dev eth0.2
192.168.1.0/24 dev eth1.1 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev wlan1 proto kernel scope link src 192.168.3.1
IPv4 Table 201 Rules:
32725:  from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: default via 10.20.40.2 dev wg0
192.168.1.0/24 dev eth1.1 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev wlan1 proto kernel scope link src 192.168.3.1
IPv4 Table 202 Rules:
32724:  from all fwmark 0x20000/0xff0000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set wg0_mac src -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wg0_ip src -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wg0 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan_mac src -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set wan_ip src -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set wg0 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set wg0 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set wg0 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create wan_ip hash:net family inet hashsize 1024 maxelem 65536 comment
create wan_mac hash:mac hashsize 1024 maxelem 65536 comment
create wg0 hash:net family inet hashsize 1024 maxelem 65536 comment
create wg0_ip hash:net family inet hashsize 1024 maxelem 65536 comment
add wg0_ip 192.168.0.0/24 comment "test: 192.168.129/24"
create wg0_mac hash:mac hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

/etc/init.d/vpn-policy-routing reload

Creating table 'wan/eth0.2/192.168.178.1' [✓]
Creating table 'wg0/10.20.40.2' [✓]
Routing 'test' via wg0 [✓]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth0.2/192.168.178.1 [✓]
wg0/10.20.40.2
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan wg0 .

/etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        list supported_interface ''
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option iprule_enabled '0'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option webui_enable_column '1'
        option src_ipset '1'
        option webui_sorting '1'
        option strict_enforcement '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        option enabled '1'
        option ipv6_enabled '0'
        option dest_ipset 'dnsmasq.ipset'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

config policy
        option name 'test'
        option interface 'wg0'
        option src_addr '192.168.129/24'

I'm not sure what the problem here is.
If I run WireGuard on my Linux machine I'm able to route all traffic over my wg interface, so I'm sure it's not the WireGuard server.

If I activate vpn-policy-routing on my OpenWrt, absolutely nothing happens; everything works like before: I can access the internet, and when I check my internet IP on the client it's my regular public IP and not the IP of the WireGuard server.

Did I miss something?

That's not a valid value for src_addr.

Oh ... now I feel very stupid ... thank you!
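The invalid '192.168.129/24' above is easy to miss by eye. As an added example (not code from this thread or from the vpn-policy-routing package), here is a small POSIX-shell check for a 'src_addr' value before it goes into /etc/config/vpn-policy-routing. It accepts the forms seen in this thread and in VPR's ipsets (a dotted-quad IPv4 address for the *_ip sets, an IPv4 CIDR prefix, or a MAC address for the *_mac sets) and rejects the truncated value; hostname values are not covered, and rejecting leading-zero octets is my own choice.

```shell
#!/bin/sh
# Added example, not code from the thread or from vpn-policy-routing.
# vpr_check_src_addr VALUE -> exit 0 if VALUE is a well-formed IPv4 address,
# IPv4 CIDR prefix or MAC address, 1 otherwise. The '192.168.129/24' from the
# post above fails because it has only three octets.

# $1 must be exactly four octets, each 0..255, with no leading zeros.
is_ipv4_octets() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            '' | *[!0-9]*) return 1 ;;   # empty or non-numeric
            0[0-9]*) return 1 ;;         # leading zero such as 01 is rejected
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# $1 must be six colon-separated hex pairs (aa:bb:cc:dd:ee:ff).
is_mac() {
    old_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for pair in "$@"; do
        case $pair in
            [0-9a-fA-F][0-9a-fA-F]) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

vpr_check_src_addr() {
    case $1 in
        *:*) is_mac "$1" ;;                  # looks like a MAC address
        */*)                                 # CIDR: address part / prefix length
            prefix=${1#*/}
            case $prefix in '' | *[!0-9]* | 0[0-9]*) return 1 ;; esac
            [ "$prefix" -le 32 ] || return 1
            is_ipv4_octets "${1%%/*}" ;;
        *) is_ipv4_octets "$1" ;;            # plain IPv4 address
    esac
}

# Constructed values to exercise the check; run the file to see the verdicts.
for v in 192.168.1.0/24 192.168.129/24 192.168.2.110 aa:bb:cc:dd:ee:ff 192.168.1.0/33 01.2.3.4; do
    if vpr_check_src_addr "$v"; then echo "valid:   $v"; else echo "invalid: $v"; fi
done
```

Drop the function into a script and run it over every src_addr in the config before a reload; VPR itself did not complain about the bad value in the post above, it simply created a policy that matched nothing.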

please help

Thank You for such a great app!
It works simply and provides some sort of security for the home network! Thumbs up :slight_smile:

Hello and thank you for great app,

I am wondering, is it possible to use amazon and netflix custom files, but only for certain devices?
So the custom files would only be used for specific internal devices, the rest would not use the custom files?

Thanks

Hello, I'm trying to redirect to my VPN all connections where the destination DNS hostname includes subdomains. So I added a rule like this:
config policy
option name 'canal'
option interface 'nordvpntun'
option src_addr '192.168.2.110'
option dest_addr 'canalplus-cdn.net'

On the help page it's written: "Another benefit of using dnsmasq's ipset is that it also automatically adds third-level domains to the ipset: if domain.com is added to the policy, this policy will affect all *.domain.com subdomains."

But when I try to connect to host hss-m005.p-cdnlive-edge020107.scy.canalplus-cdn.net or hss-m004.p-cdnlive-edge010402.scy.canalplus-cdn.net, it doesn't use my VPN link.
Where is my mistake? Is it possible to do this?

Drop the 'src_addr' from the policy so it's created as a dnsmasq ipset. I believe there's a section of the readme which explains how policies are created based on their options.
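To make the two points of this exchange concrete, here is an added POSIX-shell example (not code from the thread, dnsmasq or the vpn-policy-routing package). dnsmasq_domain_match reproduces how a dnsmasq ipset=/domain/ entry matches: the domain itself and every name under it, but only on a label boundary, so the two canalplus-cdn.net hosts above match while a look-alike such as notcanalplus-cdn.net does not. vpr_policy_kind applies the rule from the reply above: a policy whose only address option is a domain dest_addr is created as a dnsmasq ipset; once src_addr is added it is not, and the label "static" for that case is my own shorthand for "resolved once, subdomains not covered".

```shell
#!/bin/sh
# Added example; not code from the thread, dnsmasq or vpn-policy-routing.

# dnsmasq_domain_match DOMAIN HOST -> 0 if HOST is DOMAIN or a subdomain of it,
# mirroring dnsmasq ipset=/DOMAIN/ matching (case-insensitive, label boundary).
dnsmasq_domain_match() {
    dom=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    dom=${dom%.}
    host=${host%.}                        # ignore a trailing dot (FQDN form)
    [ "$host" = "$dom" ] && return 0
    case $host in
        *".$dom") return 0 ;;             # ".DOMAIN" suffix: a real subdomain
    esac
    return 1                              # e.g. notcanalplus-cdn.net: no match
}

# vpr_policy_kind SRC_ADDR DEST_ADDR -> "dnsmasq_ipset" when the policy has a
# domain dest_addr and no src_addr (the form the reply above asks for),
# otherwise "static" (my label: no automatic subdomain coverage).
vpr_policy_kind() {
    src=$1
    dst=$2
    case $dst in
        '') echo static; return 0 ;;            # no dest_addr at all
        *[!0-9./]*) ;;                          # letters present: a domain name
        *) echo static; return 0 ;;             # plain IP or CIDR, never dnsmasq
    esac
    if [ -z "$src" ]; then
        echo dnsmasq_ipset
    else
        echo static
    fi
}

# Constructed demo using the hostnames from the question above.
for h in hss-m005.p-cdnlive-edge020107.scy.canalplus-cdn.net \
         hss-m004.p-cdnlive-edge010402.scy.canalplus-cdn.net \
         canalplus-cdn.net \
         notcanalplus-cdn.net; do
    if dnsmasq_domain_match canalplus-cdn.net "$h"; then
        echo "match:    $h"
    else
        echo "no match: $h"
    fi
done
echo "policy 'canal' as posted (src_addr set): $(vpr_policy_kind 192.168.2.110 canalplus-cdn.net)"
echo "policy 'canal' without src_addr:         $(vpr_policy_kind '' canalplus-cdn.net)"
```

The practical consequence: if a per-device restriction is still wanted, it has to come from somewhere other than src_addr on the same policy, otherwise the subdomain matching the help page promises is lost.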

Hi, I can't get internet access on the client that has a policy to go through the VPN.
I've set up OpenVPN (as standalone it works fine), then defined my WAN as the default gateway since my intention is to only route specific traffic through the VPN, but it doesn't work:
I set up a policy to make a specific local IP go through the VPN (all ports, all destinations), but the client with that IP has no internet access at all when the policy is applied.
If I set up a Windows client to be that client, I can see that any ping to any target IP is not answered, but doing tracert works, and when it's completed, I do get a ping response to that target IP, but still nothing else works.

As per the OP, here's the /etc/init.d/vpn-policy-routing support output, the /etc/init.d/vpn-policy-routing reload output (with redacted IPs), and some more settings files:
/etc/config/vpn-policy-routing, /etc/config/firewall, /etc/config/network, /etc/config/openvpn

I would really appreciate any help!

Have you made sure that your vpn connection actually works and routes traffic?

According to the output you've provided the src ipset is being created and I see the counter running up for that policy, so the traffic is sent there.

You may also want to experiment with disabling src_ipset so that an iptables rule is created for that policy, in case I messed something up in VPR.

The VPN works in general: if I set it as the non-default gateway I can see that my IP is different.

I tried disabling src_ipset but the result is the same.

Is there any additional info I can provide to help figure this out?
I don't mind digging in logs, but I've no idea where to look.
I tried reading more on similar issues but couldn't find exactly what I have.

My configuration is very basic: I have the VPN set as the non-default gateway, and for starters I want only a single local IP going through the VPN.
If the VPN is set as default, and vpn-policy-routing is disabled, every device goes through the VPN successfully.
If I set the VPN as non-default, and vpn-policy-routing is disabled, then every device goes through the WAN as expected.
If I enable the policy routing with a very simple rule:

then that local device has no internet access at all, even after restarting its network interface.
Ping fails; then if I do a traceroute to that address it resolves successfully, and from that point, ping to that address succeeds:

Pinging 1.1.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
....

Ping statistics for 1.1.1.1:
    Packets: Sent = 10, Received = 0, Lost = 10 (100% loss),


Tracing route to one.one.one.one [1.1.1.1]
over a maximum of 30 hops:

  1    <1 ms     1 ms    <1 ms  OpenWrt.lan [192.168.1.X]
  2    74 ms    71 ms    72 ms  10.20.0.1
  3     *        *        *     Request timed out.
  4    71 ms    70 ms    71 ms  185.165.241.2
  5    70 ms    70 ms    71 ms  109.236.95.182
  6    73 ms    73 ms    72 ms  109.236.95.173
  7    93 ms    79 ms    86 ms  80.249.211.140
  8    73 ms    73 ms    75 ms  one.one.one.one [1.1.1.1]

Trace complete.

I have a similar setup. I want all traffic to go through the WAN except specific IPs (I assign static IPs to each device on my net) that will go through one of 2 VPNs I have with PIA.

I think the main issue you have may be not with VBR but with OpenVPN settings. Specifically, investigate list pull_filter 'ignore "redirect-gateway"' in your OpenVPN setup. It ignores the VPN commands to set the VPN IP as the default Gateway. I had to manually set this in OpenVPN Config since it is not available via the GUI. It is also noted in the VBR README.

I am on OpenWRT Stable 19.07.4 using VBR VPN-Policy-Routing 0.2.1-29 and OpenVPN-OpenSSL 2.4.7-2

Here is my VBR Config: (part of)

config vpn-policy-routing 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '0'
	option src_ipset '0'
	option dest_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	list supported_interface ''
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_enable_column '1'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'

config include
	option path '/etc/config/vpn-policy-routing.netflix.user'

config include
	option path '/etc/config/vpn-policy-routing.aws.user'

config policy
	option src_addr '192.168.2.160'
	option interface 'wan'
	option comment 'FritzExtender_2_4GHz'

config policy
	option src_addr '192.168.2.161'
	option interface 'wan'
	option comment 'FritzExtender_5GHz'

config policy
	option src_addr '192.168.2.162'
	option interface '2_ABC_VPN'
	option comment 'AnkerUSB-GB-Adapter'

	++++++++++++++++++and many more Config policies+++++++++++++++++++

Here is one of my OpenVPN Config entries:

config openvpn 'PIA_abc_AES128'
	option tls_client '1'
	option port '1198'
	option auth_nocache '1'
	option auth_user_pass '/etc/openvpn/userpass.txt'
	option proto 'udp'
	option cipher 'AES-128-CBC'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option remote_cert_tls 'server'
	option client '1'
	option auth 'SHA1'
	option dev 'tun1'
	option ca '/etc/openvpn/ca.rsa.2048.crt'
	option mute_replay_warnings '1'
	option reneg_sec '0'
	option crl_verify '/etc/openvpn/crl.rsa.2048.pem'
	option disable_occ '1'
	option log '/mnt/sdb1/openvpn_logs/openvpn_PIA_abc_AES128.log'
	list pull_filter 'ignore "redirect-gateway"'
	option compress 'lzo'
	option fast_io '1'
	option enabled '1'
	option verb '4'
	option sndbuf '360488'
	option rcvbuf '360488'
	option engine 'devcrypto'
	list remote 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option script_security '2'
	option route_up '"/etc/init.d/vpn-policy-routing reload"'

@FCS001FCS
The config vpn-policy-routing 'config' part is identical to what you showed.
All traffic thru 192.168.2.162 is routed via the VPN in your case?

My OpenVPN settings already included pull_filter 'ignore "redirect-gateway"'.
ProtonVPN supplies an .ovpn file and I just added that to it.
This is what's inside:

client
dev tun
proto udp


remote nl-free-03.protonvpn.com 80
remote nl-free-03.protonvpn.com 443
remote nl-free-03.protonvpn.com 4569
remote nl-free-03.protonvpn.com 1194
remote nl-free-03.protonvpn.com 5060

remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo no
verb 3

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass /etc/openvpn/proton.auth
pull
fast-io

pull-filter ignore "redirect-gateway"

...ca...
...tls-auth...

still, I can't get working internet in the client set to use the vpn.

I do not know which OpenVPN version you are using, but mine required the double and single quotes to be exactly correct in the config file /etc/config/openvpn. Command: list pull_filter 'ignore "redirect-gateway"'. Double quotes around redirect-gateway, and single quotes before ignore and at the end of the command. Check with the OpenVPN manual for your version.

I do my OpenVPN setup with the OpenWrt LuCI GUI but I had to add this command manually to the config file.

Check your OpenVPN log file, I get the following lines in my logs to confirm that the redirect is filtered:

Fri Sep 25 22:02:08 2020 us=215335 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS xx.0.0.xxx,dhcp-option DNS xx.0.0.xxx,ping 10,comp-lzo no,route-gateway xx.x.xxx.x,topology subnet,ifconfig xx.x.xxx.x 255.255.255.0,auth-token'
Fri Sep 25 22:02:08 2020 us=215438 Pushed option removed by filter: 'redirect-gateway def1'

Otherwise, I am out of ideas for your issue.

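Both OpenVPN settings this thread keeps coming back to live in /etc/config/openvpn: the pull_filter that stops the VPN from becoming the default gateway (the quoting point just above), and the script_security '2' that a route_up reload of VPR needs (the route_up post earlier in the thread). As an added example, not code from the thread, the vpn-policy-routing package or OpenWrt, here is a POSIX-shell/awk audit of that UCI format which reports, per 'config openvpn' section, whether pull_filter is present in exactly the form shown to work and whether route_up is paired with script_security 2. The embedded config is constructed (placeholder remote, two sections: one set up as in the posts, one with the typical mistakes); the audit reads any such file on stdin.

```shell
#!/bin/sh
# Added example; not code from the thread, vpn-policy-routing or OpenWrt.
# audit_openvpn_uci: reads a UCI /etc/config/openvpn on stdin and prints one
# verdict line per "config openvpn" section:
#   - warns when list pull_filter 'ignore "redirect-gateway"' is absent, or is
#     present with different quoting than the form the thread shows working
#   - warns when option route_up is set without option script_security '2'
audit_openvpn_uci() {
    awk -v q="'" '
    # strip the single quotes UCI wraps around names and values
    function unq(s) { gsub(q, "", s); return s }
    # value of an option/list line = everything after the key, unquoted
    function val(   v) {
        v = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v)
        sub(/[ \t]+$/, "", v)
        return unq(v)
    }
    function flush(   msg) {
        if (name == "") return
        msg = ""
        if (!pf_ok) {
            if (pf_seen) msg = msg " pull_filter mentions redirect-gateway but not as ignore \"redirect-gateway\";"
            else         msg = msg " missing pull_filter ignore \"redirect-gateway\";"
        }
        if (route_up != "" && sec + 0 < 2)
            msg = msg " route_up is set but script_security is " (sec == "" ? "unset" : sec) ", needs 2;"
        print name ":" (msg == "" ? " OK" : msg)
    }
    $1 == "config" && $2 == "openvpn" {
        flush()
        name = unq($3); pf_ok = 0; pf_seen = 0; route_up = ""; sec = ""
        next
    }
    $1 == "list" && $2 == "pull_filter" {
        v = val()
        if (v ~ /redirect-gateway/) pf_seen = 1
        if (v == "ignore \"redirect-gateway\"") pf_ok = 1
        next
    }
    $1 == "option" && $2 == "route_up"        { route_up = val(); next }
    $1 == "option" && $2 == "script_security" { sec = val(); next }
    END { flush() }
    '
}

# Constructed sample: "good" mirrors the working posts, "bad" drops the double
# quotes from the filter text and forgets script_security.
sample_openvpn_config() {
    cat <<'EOF'
config openvpn 'good'
        option enabled '1'
        option client '1'
        option dev 'tun1'
        list remote 'vpn.example.invalid 1198'
        list pull_filter 'ignore "redirect-gateway"'
        option script_security '2'
        option route_up '"/etc/init.d/vpn-policy-routing reload"'

config openvpn 'bad'
        option enabled '1'
        option client '1'
        option dev 'tun2'
        list remote 'vpn.example.invalid 1198'
        list pull_filter 'ignore redirect-gateway'
        option route_up '"/etc/init.d/vpn-policy-routing reload"'
EOF
}

sample_openvpn_config | audit_openvpn_uci
```

On a router, run it as `audit_openvpn_uci < /etc/config/openvpn` after editing the file and before restarting the instance; a section reported OK should then show the "Pushed option removed by filter: 'redirect-gateway def1'" line in the OpenVPN log quoted above once it connects.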

Well, thanks for trying, it's much appreciated.
The ovpn logs show it's working:

daemon.notice openvpn(protonVpn)[15612]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
daemon.notice openvpn(protonVpn)[15612]: [nl-143.protonvpn.com] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
daemon.notice openvpn(protonVpn)[15612]: SENT CONTROL [nl-143.protonvpn.com]: 'PUSH_REQUEST' (status=1)
daemon.notice openvpn(protonVpn)[15612]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.x.x.1,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.x.x.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.x.x.x 255.255.0.0,peer-id 65577,cipher AES-256-GCM'
daemon.notice openvpn(protonVpn)[15612]: Pushed option removed by filter: 'redirect-gateway def1'
daemon.notice openvpn(protonVpn)[15612]: OPTIONS IMPORT: timers and/or timeouts modified
daemon.notice openvpn(protonVpn)[15612]: OPTIONS IMPORT: explicit notify parm(s) modified
daemon.notice openvpn(protonVpn)[15612]: OPTIONS IMPORT: compression parms modified
daemon.notice openvpn(protonVpn)[15612]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
daemon.notice openvpn(protonVpn)[15612]: Socket Buffers: R=[180224->360448] S=[180224->360448]
daemon.notice openvpn(protonVpn)[15612]: OPTIONS IMPORT: --ifconfig/up options modified
daemon.notice openvpn(protonVpn)[15612]: OPTIONS IMPORT: route-related options modified
daemon.notice openvpn(protonVpn)[15612]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
daemon.notice openvpn(protonVpn)[15612]: OPTIONS IMPORT: peer-id set
daemon.notice openvpn(protonVpn)[15612]: OPTIONS IMPORT: adjusting link_mtu to 1657
daemon.notice openvpn(protonVpn)[15612]: OPTIONS IMPORT: data channel crypto options modified
daemon.notice openvpn(protonVpn)[15612]: Data Channel: using negotiated cipher 'AES-256-GCM'
daemon.notice openvpn(protonVpn)[15612]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
daemon.notice openvpn(protonVpn)[15612]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
daemon.notice netifd: Interface 'protonVpn' is enabled
daemon.notice netifd: Network device 'tun0' link is up
daemon.notice netifd: Interface 'protonVpn' has link connectivity
daemon.notice netifd: Interface 'protonVpn' is setting up now
daemon.notice netifd: Interface 'protonVpn' is now up
daemon.notice openvpn(protonVpn)[15612]: TUN/TAP device tun0 opened
daemon.notice openvpn(protonVpn)[15612]: TUN/TAP TX queue length set to 100
daemon.notice openvpn(protonVpn)[15612]: /sbin/ifconfig tun0 10.x.x.x netmask 255.255.0.0 mtu 1500 broadcast 10.17.255.255
daemon.debug dnsmasq[2092]: listening on tun0(#26): 10.x.x.x port 53
daemon.notice openvpn(protonVpn)[15612]: /usr/libexec/openvpn-hotplug up protonVpn tun0 1500 1585 10.x.x.x 255.255.0.0 init
daemon.notice openvpn(protonVpn)[15612]: Initialization Sequence Completed
user.notice firewall: Reloading firewall due to ifup of protonVpn (tun0)
user.notice vpn-policy-routing [15778]: Creating table 'wan/eth0.2/y.y.y.y' [✓]
user.notice vpn-policy-routing [15778]: Creating table 'protonVpn/tun0/10.x.x.x' [✓]
user.notice vpn-policy-routing [15778]: Routing 'test1' via protonVpn [✓]
user.notice vpn-policy-routing [15778]: service started with gateways: wan/eth0.2/y.y.y.y [✓] protonVpn/tun0/10.x.x.x
user.notice vpn-policy-routing [15778]: service monitoring interfaces: wan protonVpn .

I don't think it's an issue with the ovpn settings, but a bad routing setting that I'm trying to find.