VPN Policy-Based Routing + Web UI -- Discussion

Somehow I'm having a situation where the strict enforcement doesn't seem to, well, be enforced. I.e. my VPN tagged traffic goes out the regular WAN. Do you have any ideas what might be happening?

[FEATURE REQ]
Hi @stangri
Would it be possible to use wildcards in the remote domain definition?
I need to list many 3rd level domains from the akamai network in order to have only the traffic I want to be routed via the VPN (actually wireguard).
If I set all of the 2nd level domains from the akamai network.....I end up forwarding via the VPN even a lot of traffic that I do not want to (resulting in an unwanted bottleneck)
So I need to fine-tune the 3rd level domain names.
Or maybe I can accomplish the same using your up + dnsmasq.....but I guess I need some help to know it would be a feasible solution

regards

No, not without the required config/outputs from README.

Checking the README would be a great start.

I did it
I installed dnsmasqFULL
I added all of the 2nd and 3rd level domains I wanted to be routed via the VPN
but actually ALL of the traffic from that host goes through the VPN....resulting in a bottleneck for other streaming services
Actually I want only the traffic from my smartTV to RAI (Italian TV) to go through the VPN, because you can only access it from within Italy, but I live abroad. So I go via the server I have in my office in Italy.
The VPN interface is set to access 0.0.0.0, but then I limited the traffic via the policy.
I just have 2 policies:
from lan to 0.0.0.0 use WAN
from smartTV to (rai and akamai used domains) use VPN (wireguard)
BUT
If the policy order is
1 smartTV
2 LAN
the TV is always going via the VPN (I use an app to test the speed and I am seen as connecting from an Italian IP)
if the policy order is
1 smartTV (use VPN for the given domains)
2 LAN (never use VPN)
the TV cannot access the RAI streaming (error message: I'm connecting from abroad)

Maybe the requests go out thru IPv6?

Nope [well, I don't think so anyways]. It's the ipv4 address that leaks, and I have this run at startup to disable ipv6 on the openwrt router, and my ISP provided router doesn't have an ipv6 address. And like I said, the odd behaviour at least once, included a situation where the status page "looked funny" when it was leaking. That suggests to me there's some situation where the service doesn't get started, or gets reset? (but then also the iptables would have to be cleared, which seems odd to me?)

The ipv6 disable snippet from "local startup"

sysctl -w net.ipv6.conf.all.disable_ipv6=1
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
sysctl -w net.ipv6.conf.default.disable_ipv6=1

Right, so strict_enforcement only applies when the desired interface is down. In the output you have provided all supported interfaces are up (if wg0 is a server, you may want to exclude it from VPR).

Also, from the VPR reload output I'm not seeing any policies.

I'll check on those interfaces, it might be that there's some left over crap from when I converted from openvpn to wireguard. [edit, no those are fine, I just had to refresh my memory sorry] But I only have literally one policy, a DSCP based one. Does that help any? I mean, this is functioning right now heh. [In the sense that the tunnel is up, and tagged traffic is indeed flowing]. I just ran the reload again, same output. wg0 is a wireguard incoming interface[rarely used], and the VPN interface is the actual outgoing path. Is it expected that a DSCP rule not show up in a reload?
The interface is currently up of course. The important thing to me is, without touching the config, this can fail, and somehow my traffic gets out when it shouldn't.

Update: So I just tested by taking down the VPN interface. It worked as expected, not allowing output. But as I then activated the interface again, traffic squeaked through for a second and my actual IP address was reported by ipinfo.io. The next refresh then showed the correct address.
Now, this isn't what I was experiencing previously, which was an ongoing situation where traffic was allowed out. But I wonder if this indicates anything?

Yeah, with multiple VLANs it may take a few/tens of seconds to reload VPR, it is possible for DSCP-tagged traffic to escape via WAN during the reload process.

I'll need to sleep on how to best address it.


I'm prepared to live with that limitation if need be. But I'm more concerned with the situation that (I think) is the service either doesn't start properly, or crashes, allowing traffic through ongoing. Thanks so much for taking the time to troubleshoot this with me. Much appreciated.

I slept on this too, and I came up with a solution!
I added a firewall rule to reject the DSCP value tagged traffic to the WAN interface regardless. Now, even if I stop the vpn policy routing service, the traffic that I want to stay inside does so. This is the behaviour that I want.

I also created a dummy policy rule that is enabled that does nothing in the PBR list just on a superstitious feeling that maybe having 0 ip based rules active is a problem at some point.

Thank you so much for applying your attention to the problem. I wouldn't have come up with this without our exchange. I wonder if it is worth considering this to be a wanted feature enhancement to your addon?
I'm not sure exactly how you would implement that in scenarios that are more complicated than mine. Anyways, thanks again. This addon is so great.

[I'm going to delete the post with my config info just out of an abundance of caution.]

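The fail-closed idea in the post above (reject DSCP-tagged traffic towards the WAN zone in the firewall itself, so it cannot leak when the policy routing service is stopped or mid-reload) can be expressed as an ordinary OpenWrt firewall rule. The script below is an added example and is not the poster's rule or part of the vpn-policy-routing project. It assumes fw3 (the iptables-based firewall of the 19.07 era), zones named "lan" and "wan", the fw3 rule option `extra` for passing `-m dscp --dscp N`, and uses the EF class as a stand-in since the thread never says which DSCP value was used. It also includes a check that parses `iptables -S` style output to confirm the REJECT rule is really loaded; the sample ruleset is constructed for the example.

```shell
#!/bin/sh
# Added example: build and verify a fail-closed REJECT rule for DSCP-tagged
# traffic leaving via the wan zone on OpenWrt (fw3/iptables assumed).

# Convert a DSCP class name (CS0-CS7, AF11-AF43, EF) or a plain number 0-63
# to its numeric code point. Prints the value; returns 1 on invalid input.
dscp_value() {
    case "$1" in
        EF) echo 46 ;;
        CS[0-7]) echo $(( ${1#CS} * 8 )) ;;
        AF[1-4][1-3])
            x=${1#AF}; cls=${x%?}; drop=${x#?}
            echo $(( cls * 8 + drop * 2 )) ;;
        *)
            case "$1" in
                ''|*[!0-9]*) return 1 ;;
            esac
            [ "$1" -le 63 ] || return 1
            echo "$1" ;;
    esac
}

# Emit the uci commands that create the rule ($1 = section name, $2 = DSCP
# class or value). Printed rather than executed so it can be reviewed first;
# on the router pipe it into 'uci batch', then
# 'uci commit firewall && /etc/init.d/firewall reload'.
# Zone names "lan"/"wan" and the fw3 'extra' option are assumptions.
wan_reject_dscp_uci() {
    name=$1
    dscp=$(dscp_value "$2") || { echo "bad DSCP: $2" >&2; return 1; }
    cat <<EOF
set firewall.${name}=rule
set firewall.${name}.name='Reject ${2} tagged traffic on WAN'
set firewall.${name}.src='lan'
set firewall.${name}.dest='wan'
set firewall.${name}.proto='all'
set firewall.${name}.extra='-m dscp --dscp ${dscp}'
set firewall.${name}.target='REJECT'
EOF
}

# Verification: given 'iptables -S' output ($1) and a DSCP value ($2),
# return 0 if a rule matching that DSCP with a REJECT target is present.
# iptables -S prints the DSCP in hex (e.g. --dscp 0x2e for 46).
rule_present() {
    hex=$(printf '%02x' "$2")
    printf '%s\n' "$1" | grep -q -e "-m dscp --dscp 0x${hex} .*REJECT"
}

# Constructed sample of what 'iptables -S' might show once the rule is loaded
# (fw3 places zone rules in zone_<src>_forward and uses zone_wan_dest_REJECT).
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -j forwarding_rule
-A zone_lan_forward -m dscp --dscp 0x2e -m comment --comment "!fw3: Reject EF tagged traffic on WAN" -j zone_wan_dest_REJECT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT'

# Demonstration: print the uci batch for the EF class.
wan_reject_dscp_uci vpr_fail_closed EF
```

Because the rule lives in the firewall rather than in the policy routing service, it keeps working while the service is stopped or reloading; the trade-off is that tagged traffic is rejected outright whenever the VPN path is unavailable, which is exactly the fail-closed behaviour the poster wanted.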

I need to figure out how to exclude one local server with fixed IP completely from the VPN. Is this doable?

Here's my setup. I've changed my default routing to be WAN and I'm using VPN only for specific domains via Policy-Based Routing and everything works. I've tried adding the following rule:

  • Local Address: [IP of the local machine]
  • Interface: WAN

But as soon as I did this the local server is no longer accessible from the LAN using its domain name. It's only accessible using its IP from inside the LAN or by domain name if I access it from the WAN. If I disable only this rule - again I can access it from the LAN by domain name. Is there a way to fix this or completely exclude the server and its ports from the VPN?

I am using VPN Policy-Based routing, it works great, just have one small issue that I can't resolve.

When the service is running, it looks like the service continues to reload the settings every few minutes, is there any way to stop this, or alternatively change the frequency.

The VPN tunnel I am using is very solid, it rarely (if ever) disconnects, I don't need the settings to reload. My issue is that when that connection reloads, it causes a small hiccup on the network, small enough to go unnoticed 95% of the time.

Is there any way to change how frequently those reloads happen? If I can disable those automatic reloads, that would be even better, but just delaying it so it doesn't happen that often is good enough.

I am running the latest 0.2.1-13 version

Thanks,

That shouldn't be happening. Please install the latest from my repo first and see if it helps.

If it doesn't, try to monitor your WAN/VPN/firewall for restarts, the VPR shouldn't be reloading unless you reload it from luci/cli or an interface/firewall gets reloaded.

PS. Make sure to include information requested in the README if things still don't work.

README should have information on this and now there's even a new option for IGNORE target which may be easier to use.


You are right, something is triggering the reload, I don't know what it is, but the IGNORE target solved my problem.

Hi,

I have upgraded my build to the latest 19.07.5 and since then my policy based routing tab does not load correctly. Are you talking about that?

No, my issue was weird, something was triggering a reload, and it was affecting one of my other interfaces during the reload, I did what stangri suggested and added that interface to the ignore. I still see the reloads, but the problem with the other interface is fine now.

I see, I thought it was like me, browser tab freezes only on PBR tab