Could you also post your "config dnsmasq" section of /etc/config/dhcp, so we can see your dhsnmasq settings?
Since your clients are using your router for resolution, these would never work. See my previous comment.
PS. Yeah, I don't know why the counters are not 0, but if you want DNS requests from router affected, you need to use OUTPUT chain.
2 Likes
Would it be possible to route some specified remote addresses through a specified interface for only certain local addresses/devices?
Generally speaking, yes.
1 Like
Alright, sweet. I'll just populate those fields in the gui. Unless I should be doing this some other way? Thanks in advance!
1 Like
Hi,
I've recently set up an OpenVPN service (called MediaVPN) and have configured a basic vpn policy for all devices on one interface (called media) to access the internet via the OpenVPN tunnel. I notice that when the policy is running, internet requests route correctly via the VPN, but I lose access to devices on my LAN that are not on the media interface and I need devices on both LAN and media interfaces to be able to communicate. I assume I'm missing a bit of policy / firewall config somewhere along the line but can't seem to work it out from the readme or forums...... advice would be much appreciated!
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option local '/homenet.local/'
option domain 'homenet.local'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option noresolv '1'
option quietdhcp '1'
option cachesize '1000'
option rebind_protection '0'
option localuse '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'media'
option interface 'media'
option ra_management '1'
option ra 'server'
option dhcpv6 'server'
option start '100'
option leasetime '12h'
option limit '150'
option dynamicdhcp '0'
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'MediaVPN wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config include 'bcp38'
option type 'script'
option path '/usr/lib/bcp38/run.sh'
option family 'IPv4'
option reload '1'
config redirect
option name 'Divert-DNS, port 53'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
option enabled '0'
config redirect
option name 'Divert-DNS, port 853'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
option enabled '0'
config redirect
option name 'Divert-DNS, port 5353'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
option enabled '0'
config zone
option name 'Media'
option input 'ACCEPT'
option forward 'ACCEPT'
option network 'media'
option output 'ACCEPT'
config forwarding
option dest 'wan'
option src 'Media'
config forwarding
option dest 'Media'
option src 'lan'
config forwarding
option dest 'lan'
option src 'Media'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.2.1'
option broadcast '192.168.2.255'
option igmp_snooping '1'
option stp '1'
option ip6hint 'beef'
option ip6assign '60'
option ifname 'eth0.1'
config interface 'wan'
option ifname 'eth1.2'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.254'
option gateway '192.168.1.1'
option peerdns '0'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
option peerdns '0'
option reqprefix '56'
option reqaddress 'try'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '5t 3 2'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '6t 4'
option vid '2'
config interface 'MediaVPN'
option ifname 'tun0'
option proto 'none'
option auto '1'
config interface 'media'
option ifname 'eth0.10'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option ip6assign '64'
option ip6hint 'cafe'
option peerdns '0'
config switch_vlan
option device 'switch0'
option vlan '10'
option vid '10'
option ports '5t 1 0'
/etc/config/vpn-policy-routing
config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option ipv6_enabled '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option iprule_enabled '0'
option webui_chain_column '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option enabled '1'
option webui_enable_column '1'
option webui_protocol_column '1'
list supported_interface 'MediaVPN'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
config policy
option name 'VPN'
option src_addr '192.168.3.0/24'
option interface 'MediaVPN'
/etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.6. WAN (IPv4): wan/dev/192.168.1.1.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth1.2
IPv4 Table 201: default via 192.168.1.1 dev eth1.2
192.168.3.0/24 dev eth0.10 proto kernel scope link src 192.168.3.1
IPv4 Table 201 Rules:
32759: from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: default via 10.8.8.2 dev tun0
192.168.3.0/24 dev eth0.10 proto kernel scope link src 192.168.3.1
IPv4 Table 202 Rules:
32758: from all fwmark 0x20000/0xff0000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.3.0/24 -m comment --comment VPN -c 718894 579229892 -j MARK --set-xmark 0x20000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
============================================================
IP Tables INPUT
-N VPR_INPUT
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
============================================================
Current ipsets
create bcp38-ipv4 hash:net family inet hashsize 1024 maxelem 65536
add bcp38-ipv4 198.51.100.0/24
add bcp38-ipv4 169.254.0.0/16
add bcp38-ipv4 127.0.0.0/8
add bcp38-ipv4 172.16.0.0/12
add bcp38-ipv4 10.0.0.0/8
add bcp38-ipv4 203.0.113.0/24
add bcp38-ipv4 192.168.0.0/16
add bcp38-ipv4 192.168.1.0/24 nomatch
add bcp38-ipv4 192.0.2.0/24
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
/etc/init.d/vpn-policy-routing reload
Creating table 'wan/eth1.2/192.168.1.1' [✓]
Creating table 'MediaVPN/tun0/10.8.8.2' [✓]
Routing 'VPN' via MediaVPN [✓]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth1.2/192.168.1.1 [✓]
MediaVPN/tun0/10.8.8.2
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan MediaVPN .
Many thanks in advance
This isn't working
config policy
option interface 'wan'
option name 'all traffic'
option dest_addr '0.0.0.0/0'
How do it get it to match everything? There's something very weird about how the ip and netmask is being interpreted. If I use 0.0.0.0/2 instead, then it will allow some though such as 8.8.8.8, BUT! If i then add another policy that uses 64.0.0.0/2 , I lose connectivity to 8.8.8.8 which doesn't make any sense. 8.8.8.8 won't match 64.0.0.0/2, it will match 0.0.0.0/2 above it, so why is the 64.0.0.0/2 policy making any difference?
You may need to use a top-priority policy with IGNORE target.
What you're doing is a bad idea. Reconfigure your VPN client if you want all your traffic to go to WAN by default.
I was experimenting, it's obviously not a final solution. In any case, I didn't need this in the end.
Thanks for the swift response, I do appreciate it.
I've added the webui_show_ignore_target '1' to the config file but don't get the option to select IGNORE from the list of interfaces in LUCI so any additional ignore policies I try to apply fail.
Any advice on troubleshooting this please?
Thanks again
Is it possible to define a policy like "If the soruce ip is 192.168.2.207 and the destination ip in the primevideo ipset then route the packet over wan"?
I successfully defined the primevideo ipset but I fail miserably to tell vpn-policy-routing to use that ipset for the dest address for one of my policies.
The README doesn't seem to tell you how to actually use ipsets for only one device.
No, if you want to define a source IP, the ipset can't be used.
You may have to manually install an updated luci app from my repo: https://repo.openwrt.melmac.net/luci-app-vpn-policy-routing_git-21.049.50429-af1e587_all.ipk
1 Like
Just an FYI.
I am on OpenWRT19.07.7 and upgraded to your vpn-policy-routing 0.3.2-12 and then the "DNSMASQ ipset" was not visible in the GUI. I tried to set it and save-apply but it would not stay set.
I check the config file and it was listed:
option resolver_ipset 'dnsmasq.ipset'
After much back and forth I uninstalled the "luci-app-vpn-policy-routing", I think it was "git-21.050" and manually installed the IPK from your site that is "git-21.049" and now all is working again.
For those who may have similar such issues with the "luci-app-vpn-policy-routing" GUI.
1 Like
Hi guys so 6 months later I still haven't been able to do this lol
I have tried this but it doesn't seem to work, still going through my ovpn. And if anyone knows of an easy way to do the same for netflix. I live in Asia and just want my Netflix/hulu/Prime to go through WAN.
If anyone has done this successfully please let me know and share the config on here. Otherwise I will have to just block them from my VPN firewall.
And before anyone says anything I have tried numerous ways, adding local IP specific to the devices i want bypassed or sub-nets.
Thanks Stan for this awesome app as it works easily for my other uses.
I am trying to do the exact same thing. My plan atm is to:
- Create an ipset with all CLOUDFRONT IPs amazon is using
- Tell
vpn-policy-rountingto route any packets which are sent to these IPs through the WAN interface (disregarding the source IP) - Create a firewall rule that only allows certain devices to route these packets through the WAN interface
I am still stuck at step 2 though.
1 Like
I wish there was a simpler solution, your solution is a little beyond my scope.
but would be interesting if you make it work, please share it with me when you do.
Thanks @stangri - that has fixed the problem I didn't know I had! I can't seem to fix the problem I originally posted about though. Specifically I can't rdp onto a machine in the vlan when vpr is running from an Android client on lan. Rdp from windows client on lan works fine with vpr enabled..... I've now tried to ignore port 3389 but still no joy. I assumed that android just does rdp differently using the Microsoft remote desktop app but can only find reference to port 3388 being used.
Any ideas gratefully received......
@rassamf @C4ne
I've added a Netflix/Amazon Prime/Hulu section to the README.
If you use VLANs you probably know more about networking than I do. 
Add VLANs CIDRs to ignore target policies. You may want to post your network and VPR configs and someone else might be able to provide a better advise.
1 Like
Having read your updated readme I note the new section on DOH. I use a private DNS provider on my Android device and turning this off allows me to remote to the devices I need to. So no ignore policies needed after all.
Thanks again for your support, it's a really great package!