VPN Policy-Based Routing + Web UI -- Discussion

Which version?

Did you have a chance to test it?

0.3.2-20. Perhaps though it's more to do with the fact I recently set up a WireGuard server. Maybe I should start fresh?

In the readme section it says DO NOT modify default OpenWrt firewall settings for neither wan nor lan. As far as I know, the firewalls, at least in LuCI, have to be set in order to have an internet connection. I'm trying to set up the AirVPN client on the router. I'm not sure what to do regarding firewall settings. In the end I hope to have only guest wifi go through the router VPN. All ethernet connections would bypass the VPN. I have VLANs set up and they are working fine.

The default configuration of the firewall allows traffic to pass from lan to the wan, you don't need to change anything there.

Create a zone for airvpn and allow forwarding from the guest zone only.
Then create the rules in VPN-PBR to forward the guest to airvpn and the lan to wan.
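The zone-and-policy layout described above, written out as an added example (not the package's own sample config). The guest subnet 192.168.2.0/24, the lan subnet 192.168.1.0/24, the zone name 'airvpn' and the OpenWrt interface name 'vpn' are assumptions; the policy option names follow the vpn-policy-routing config format as far as I know it. The default lan and wan zones stay untouched, as the readme asks.

```uci
# /etc/config/firewall  -- stanzas to ADD; leave the default lan/wan zones alone.
# Zone for the AirVPN tunnel. 'vpn' is the assumed name of the OpenVPN
# interface in Network -> Interfaces.
config zone
	option name 'airvpn'
	list network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Only the guest zone may forward into the tunnel. Deliberately no
# guest -> wan forwarding, so guest clients cannot fall back to the
# plain WAN if the tunnel is down.
config forwarding
	option src 'guest'
	option dest 'airvpn'

# /etc/config/vpn-policy-routing  -- policies to ADD.
# Every policy needs at least one of src_addr / src_port / dest_addr /
# dest_port; a policy with none of them is what the service reports as
# "missing all IPs/ports".
config policy
	option name 'guest via AirVPN'
	option interface 'vpn'
	option src_addr '192.168.2.0/24'

config policy
	option name 'lan via WAN'
	option interface 'wan'
	option src_addr '192.168.1.0/24'
```

After editing both files, run /etc/init.d/firewall restart and /etc/init.d/vpn-policy-routing restart, then check a guest client and a lan client against a DNS/IP leak test to confirm each one exits where intended.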

@tombadog I have the same problem (on 0.3.2-20) and had to manually restart the service after reboot.

I just added this to 'system -> Startup -> Tab local startup'

sleep 15 && /etc/init.d/vpn-policy-routing restart

Then it starts fine; it seems that it starts too early in the process or something.
Anyhow, this sorted it out for me.

I use the same line as my VPN goes up or down in a script, so it restarts when I take the VPN up or down.

If you're on OpenVPN, just add something like this in your ovpn file

up "/etc/openvpn/up-downpbr"
down "/etc/openvpn/up-downpbr"

And make a script called up-downpbr in /etc/openvpn

#!/bin/sh
# Called by OpenVPN via the up/down directives above; give the tunnel
# interface a moment to settle, then restart vpn-policy-routing.
sleep 3 && /etc/init.d/vpn-policy-routing restart

Thanks very much for this!

I have this under service errors:

Policy 'missjoyce' missing all IPs/ports
Policy 'blank' missing all IPs/ports

I think it is probably due to how the VPN and wireless are forwarded, but the firewall rules in OpenWrt are somewhat confusing to me since I am a newbie. I'm willing to post logs or screenshots to help diagnose the problem. The lan stuff seems to be working since I am here.

Ignore blank missing. Missjoyce is the wireless network. I don't have its IPs filled in as I can't seem to find them. Under wireless, interface configuration, vpn is selected in network. The lan IPs were easy to find under interfaces.

In OpenVPN instances it shows airvpn as being connected. I have "network device is not present" in the interfaces section for the vpn interface.

Had a chance to finally test tonight, and all came up well with your latest: vpn-policy-routing 0.3.4-1


@stangri, we may have spoken too soon. I am still seeing some hiccups on reboot. As well, I just noticed that one of my rules actually never went into effect after a reboot, even though VPR said everything was okay. "Restart"-ing VPR in both cases of course solved the issue, but in both cases there were issues on boot.

Here is what I saw just after a reboot:

As well, this is the rule that was not in effect at all, I only realized it when I did a dnsleak test:

Dropped back to "0.3.2-20" and all seems okay on boot, all rules working.


Thanks for the feedback, I need to rework some of the code to enable single interface reloads, for now this older version should be safe to use: https://github.com/stangri/repo.openwrt.melmac.net/blob/15b71e1812647c339212036dc8a524929f885456/vpn-policy-routing_0.3.3-1_all.ipk


@stangri Is it possible to route an entire interface using PBR? I have dual WAN at home, so my interfaces tab has a WAN and WANB, as well I have a WG tunnel using Mullvad so I also have a WGINTERFACE interface.

By default the WGINTERFACE is routing using the default route of the system, and by default that is WAN per my MWAN3 (failover) setup. However, I do use PBR to route some IPs over WANB at an IP level and that works fine. However, WGINTERFACE is still sending/receiving its traffic over WAN (not WANB) by default.

WANB is a data-cap-free line for me, while WAN has a 1TB per month cap, so I try to route most of my heavy traffic to WANB when possible, leaving WAN for everything day to day.

Is it possible to use PBR to route WGINTERFACE over WANB vs WAN (even when WAN is the system default route)?

You can try using @wginterface as the source with the target wanb, but I'm not sure if that would work to establish the tunnel. Maybe a better option would be to use the WG peer IP as the target. But if neither of these options works and you figure out the iptables rule, you can just use the custom user file for VPR.

I've pushed version 0.3.4-2 to my repo (both IPK and source code), I'd appreciate any testing/feedback. I've reworked the single interface reload, but I can't fully test it for a while.

If you end up with non-working state after reboot, please try to capture as much information as possible, including full system log and the output of /etc/init.d/vpn-policy-routing support.


@stangri I PM'd you on the side, since the logs have detailed info (IPs and such) that I would not want to post directly in the thread.

In short, it seemed to still have an issue coming up after reboot. Regardless, thank you for your persistence.

Thank you for a quick test, I'll try to find an opportune time to reboot and test it on my own router.

I just upgraded to 21.02.0-rc with the vpn-policy-routing 0.3.4-2 installed and it booted just fine.

Perhaps, if it's just me seeing issues, I would say it's related to me having a dual WAN and mwan3 setup? Like I mentioned before, when there are issues on boot, all I need to do is go to the VPR page and hit restart, and then it works. Switching back to 0.3.2-20, it seems to work fine, every time.