VPN Policy-Based Routing + Web UI -- Discussion

cubrnook,
I seem to be having issues on restart as well. I'll attempt to get a log next time.

Using 19.07.7 with 0.3.4-2. It didn't show an error in the LuCI interface, but the Service Status screen just showed "running" with no Service Gateways listed. I immediately did a restart of the service (from LuCI) and the Gateways appeared. It may have been working properly and just not displaying -- I didn't check before restarting.

I would greatly appreciate if you could capture the support information in the booted/failed state.

Please add "Outline VPN" and "IKev2" and "V2Ray"

Please elaborate, #eli5.


Well, it does support PPTP, L2TP, OpenVPN, WireGuard and OpenConnect.

Well, Outline VPN (Shadowsocks) and V2Ray are new-generation VPNs; it's better to add them to the script.

Hi, is there a nice way to change and apply new settings from the command-line? E.g. I now have this as my default ruleset:

config policy
        option comment 'Default'
        option src_addr '192.168.1.1/24'
        option interface 'VPN_NL'

Depending on the connection quality, I would like to apply this setting:

config policy
        option comment 'Default'
        option src_addr '192.168.1.1/24'
        option interface 'VPN_UK'

Of course I can always resort to sed, but I prefer something less hackish.

Using sed on a text file is a legit way of modifying it. :wink:

But you can also look up uci.

Is it possible to force vpn for the router itself without changing the default gateway?

It's been a while since I've tested it, but if you create a policy with the OUTPUT chain, it should only work for router traffic.

Strange, I just tried 127.0.0.1, 192.168.1.1 and empty together with OUTPUT, but it didn't work.

Heh, will take a look at uci. Thx!
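As an added example (not code from the thread or from the vpn-policy-routing project), here is the uci-based alternative to sed for the two things discussed above: pointing the "Default" policy at a different gateway interface, and adding a policy on the OUTPUT chain so only the router's own traffic is routed through a tunnel. The option names `comment`, `src_addr`, `interface` and `chain` follow the config snippets in the thread and the package README; the policy comment used to find the section, the interface names VPN_NL/VPN_UK, and the helper function names are assumptions. Because uci addresses anonymous sections by index (`@policy[N]`), the script first locates the section by its comment.

```shell
#!/bin/sh
# Added example, not part of the thread or the vpn-policy-routing project.
# Switch a policy's gateway and add a router-only (OUTPUT chain) policy via uci
# instead of sed. Assumed: policy is identified by its 'option comment', and
# the 'chain' option accepts OUTPUT as described in the thread.

PBR_CONFIG="${PBR_CONFIG:-/etc/config/vpn-policy-routing}"

# Print the zero-based index of the 'config policy' section whose
# 'option comment' equals $2 in the UCI file $1; print nothing if absent.
# uci addresses anonymous sections as @policy[N], so this index is what we need.
# (On the router, `uci show vpn-policy-routing` gives the same mapping.)
pbr_policy_index() {
    awk -v want="$2" '
        $1 == "config" && $2 == "policy" { idx++; in_policy = 1; next }
        $1 == "config"                   { in_policy = 0; next }
        in_policy && $1 == "option" && $2 == "comment" {
            val = $0
            sub(/^[ \t]*option[ \t]+comment[ \t]+/, "", val)
            gsub(/^'\''|'\''$/, "", val)          # strip surrounding quotes
            if (val == want) { print idx - 1; exit }
        }' "$1"
}

# Emit the uci batch command that points policy "$1" at interface "$2".
pbr_set_gateway_cmds() {
    idx=$(pbr_policy_index "$PBR_CONFIG" "$1") || return 1
    [ -n "$idx" ] || { echo "no policy with comment '$1'" >&2; return 1; }
    printf "set vpn-policy-routing.@policy[%s].interface='%s'\n" "$idx" "$2"
}

# Emit uci batch commands that add a policy matching the router's own traffic
# (chain OUTPUT, as suggested in the thread) and send it via interface "$1".
# No src_addr is set: the OUTPUT chain already limits it to locally generated packets.
pbr_add_output_policy_cmds() {
    cat <<EOF
add vpn-policy-routing policy
set vpn-policy-routing.@policy[-1].comment='Router itself'
set vpn-policy-routing.@policy[-1].chain='OUTPUT'
set vpn-policy-routing.@policy[-1].interface='$1'
EOF
}

# Feed a command list (stdin) to uci, commit, and reload the service so the
# change takes effect. Only meaningful on the router, where uci exists.
pbr_apply() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found" >&2; return 1; }
    uci batch && uci commit vpn-policy-routing && /etc/init.d/vpn-policy-routing reload
}

# Usage on the router, e.g. to move the default policy to the UK tunnel
# when the NL link degrades, and to route the router's own traffic via NL:
#   pbr_set_gateway_cmds Default VPN_UK | pbr_apply
#   pbr_add_output_policy_cmds VPN_NL | pbr_apply
```

Because the generators only print uci commands, you can inspect what will change before piping into `pbr_apply`; `uci commit` is what makes the edit persistent, and the service reload is what rebuilds the routing tables, so a change is not live until both have run.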

I'm on 21.02.0-rc2 (wrt32x) taken from the releases folder. I have tun0 and tun1 set up and connecting okay. However, they don't appear in the PBR webui; I only see WAN. Is there anything I can run to see why it's not finding these devices? Thanks

README has all the information to help you.

@stangri :slight_smile: just wanted to chime in that the latest release you have, 0.3.4-6, seems to be starting cleanly now on reboot. Haven't tested extensively yet, but the first reboot was clean. That wasn't the case with the past few releases. Good job!

Just for note, I have dual wan with mwan3 (WAN + WANB) as well as a Wireguard tunnel.


My previously good configuration w/ OpenVPN stopped picking up the OpenVPN interfaces w/ no config changes, I think there may have been a regression.


Which version of openwrt are you on?

Trunk as of 5.31.2021

Look, realistically, what do you want me to do with this?

I worked hard on the README, and it has a full list of the information required for any sort of informative attempt to fix issues (not very often) or point out misconfigurations (very frequently); there's no action I can possibly take on a statement like the above.

In addition, you may want to provide more information on what was "previous" and what is the "current" state.


With all due respect, you could have just asked for more details.

Previous environment was hnyman's early 21.02 snapshot from February w/ two OVPN, one WireGuard, mwan3 w/ 2 v4 WANs. Version 0.3.2-20, as it is now.

Current environment is the 5302021 trunk NSS build by acwifidude, same interfaces.

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '0'
        option localise_queries '1'
        option rebind_protection '0'
        option cachesize '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option domain 'redacted'
        option noresolv '1'
        list server '127.0.0.53#53'
        list server '::1#5553'
        option enable_tftp '1'
        option tftp_root '/tftp/'
        option local '/redacted/'
        option ednspacket_max '1232'
        option dnsforwardmax '1000'
        option expandhosts '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dns 'fe80::46a5:6eff:fe3e:48ca'
        option dhcpv6 'server'
        option ra_management '1'
        option ra 'server'
        list domain 'redacted'
        option ra_default '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'VLAN'
        option interface 'VLAN'
        list domain 'redacted'
        list dns 'fe80::46a5:6eff:fe3e:48ca'
        option ignore '1'
        option ndp 'relay'
        option ra_default '1'
        option ra 'server'
        option ra_maxinterval '600'
        option ra_mininterval '200'
        option ra_lifetime '1800'
        option ra_mtu '0'
        option ra_hoplimit '0'
        option ra_management '1'
        option dhcpv6 'server'

config boot 'netboot'
        option filename 'undionly.kpxe'
        option serveraddress '172.28.240.1'
        option servername 'openwrt'

config domain
        option name 'bbox01'
        option ip '172.28.240.103'

config domain
        option name 'mini01'
        option ip '172.28.240.183'

config domain
        option name 'mini02'
        option ip '172.28.240.113'

config domain
        option ip '172.28.240.10'
        option name 'rprox'

config domain
        option name 'rprox'
        option ip 'fde2:ba78:bab7:ff:44be:adff:fe52:6850'

config domain
        option name 'dendrite'
        option ip '172.28.240.22'

config domain
        option name 'dendrite'
        option ip 'fde2:ba78:bab7:ff:d485:a1ff:fedc:fa84'

config domain
        option name 'postgres'
        option ip '172.28.240.21'

config domain
        option name 'postgres'
        option ip 'fde2:ba78:bab7:ff:cc72:3cff:fe9a:4887'

config domain
        option name 'dns'
        option ip '172.28.165.1'

config domain
        option name 'dns'
        option ip 'fe80::46a5:6eff:fe3e:48ca'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'VLAN'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option auto_helper '0'
        list helper 'amanda'
        list helper 'ftp'
        list helper 'RAS'
        list helper 'Q.931'
        list helper 'irc'
        list helper 'netbios-ns'
        list helper 'pptp'
        list helper 'sane'
        list helper 'snmp'
        list helper 'tftp'
        list helper 'rtsp'
        list network 'VLAN'

config zone
        option name 'WireGuard'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option mtu_fix '1'
        list network 'WireGuard'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'
        option dest '*'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest '*'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config forwarding
        option src 'VLAN'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'VLAN'

config zone
        option name 'HOMEVPN'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option mtu_fix '1'
        option masq '1'
        list network 'HomeVPNnew'

config forwarding
        option src 'lan'
        option dest 'HOMEVPN'

config forwarding
        option src 'WireGuard'
        option dest 'lan'

config rule
        option name 'Allow WG inbound'
        list proto 'udp'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '36664'

config zone
        option name 'SURFSHARK'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'surfshark'

config forwarding
        option src 'lan'
        option dest 'SURFSHARK'

config redirect
        option target 'DNAT'
        option name 'http'
        option src 'wan'
        option src_dport '80'
        option dest 'VLAN'
        option dest_port '80'
        option dest_ip '172.28.240.10'
        option reflection_src 'external'

config redirect
        option target 'DNAT'
        option name 'https'
        option src 'wan'
        option src_dport '443'
        option dest 'VLAN'
        option dest_port '443'
        option dest_ip '172.28.240.10'
        option reflection_src 'external'

config forwarding
        option src 'WireGuard'
        option dest 'VLAN'

config forwarding
        option src 'WireGuard'
        option dest 'HOMEVPN'

config rule
        option name 'http-in'
        option src 'wan'
        option dest 'VLAN'
        option target 'ACCEPT'
        list dest_ip 'redacted'
        option family 'ipv6'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '80'
        option src_port '80'

config rule
        option name 'https in'
        option family 'ipv6'
        option src 'wan'
        option src_port '443'
        option dest 'VLAN'
        list dest_ip 'redacted'
        option dest_port '443'
        option target 'ACCEPT'

config redirect
        option name 'Divert-DNS, port 53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option dest_ip '172.28.165.1'
        option dest 'lan'

config rule
        option name 'Reject-DoT, port 853'
        option src 'lan'
        option dest 'wan'
        option dest_port '853'
        option target 'REJECT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'federated https in'
        option src 'wan'
        option dest 'VLAN'
        list dest_ip 'redacted'
        option dest_port '8448'
        option target 'ACCEPT'
        option family 'ipv6'

config redirect
        option target 'DNAT'
        option name 'httploop'
        option src 'lan'
        option src_dport '80'
        option dest 'VLAN'
        option dest_ip '172.28.240.10'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'httpsloop'
        option src 'lan'
        option src_dport '443'
        option dest 'VLAN'
        option dest_ip '172.28.240.10'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'matrix fed'
        option src 'wan'
        option src_dport '8448'
        option dest 'VLAN'
        option dest_ip '172.28.240.10'
        option dest_port '8448'

config redirect
        option target 'DNAT'
        option name 'TURN'
        option src 'wan'
        option src_dport '3478'
        option dest 'VLAN'
        option dest_ip '172.28.240.10'

config redirect
        option target 'DNAT'
        option name 'TURNS'
        option src 'wan'
        option dest 'VLAN'
        option dest_ip '172.28.240.10'
        option src_dport '5479'

config redirect
        option target 'DNAT'
        option name 'UDP chatter'
        list proto 'udp'
        option src 'wan'
        option src_dport '49152-65535'
        option dest 'VLAN'
        option dest_ip '172.28.240.10'

config rule
        option name 'Jellyfin'
        option family 'ipv4'
        list src_ip '172.28.240.10'
        option dest 'lan'
        list dest_ip '172.28.165.177'
        option dest_port '8096'
        option target 'ACCEPT'
        option src 'VLAN'

config forwarding
        option src 'HOMEVPN'
        option dest 'lan'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'
root@OpenWrt:~# cat /etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option src_ipset '0'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iprule_enabled '0'
        option webui_enable_column '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option enabled '1'
        option surfshark_dscp '2'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        list supported_interface 'stun'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        option webui_show_ignore_target '0'
        option strict_enforcement '1'
        option iptables_rule_option 'insert'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

Pastebins incoming for the last two.

root@OpenWrt:~# /etc/init.d/vpn-policy-routing reload
Creating table 'wan/eth0.1/redacted' [✓]
Creating table 'WireGuard/10.10.199.1' [✓]
Creating table 'wwan/wlan0/10.10.20.1' [✓]
vpn-policy-routing 0.3.2-20 monitoring interfaces: wan WireGuard wwan [✓]
vpn-policy-routing 0.3.2-20 started with gateways:
wan/eth0.1/redacted
WireGuard/10.10.199.1
wwan/wlan0/10.10.20.1 [✓]
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fde2:ba78:bab7::/48'
        option packet_steering '1'

config interface 'lan'
        option proto 'static'
        list ipaddr '172.28.165.1/24'
        option force_link '0'
        option ip6assign '64'
        option device 'br-lan'

config interface 'wan'
        option proto 'dhcp'
        option broadcast '1'
        option metric '10'
        option device 'eth0.1'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '56'
        option peerdns '0'
        list dns '::1:5553'
        option device 'eth0.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 4 6t'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '3 6t'
        option vid '3'

config interface 'VLAN'
        option proto 'static'
        list ipaddr '172.28.240.1/24'
        option ip6hint 'ff'
        option ip6assign '64'
        option force_link '0'
        option device 'eth1.3'

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key 'redacted'
        option listen_port '36664'
        list addresses '10.10.199.1/24'

config wireguard_WireGuard
        option description 'laptop'
        option public_key 'redacted'
        list allowed_ips '10.10.199.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config interface 'surfshark'
        option proto 'none'
        option device 'stun0'

config wireguard_WireGuard
        option description 'redacted'
        option public_key 'redacted'
        list allowed_ips '10.10.199.3/32'
        option route_allowed_ips '1'

config wireguard_WireGuard
        option description 'redacted'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '10.10.199.4/32'
        option public_key 'redacted'

config wireguard_WireGuard
        option description 'redacted'
        option public_key 'redacted'
        list allowed_ips '10.10.199.8/32'
        option route_allowed_ips '1'

config wireguard_WireGuard
        option description 'redacted'
        option public_key 'redacted'
        option route_allowed_ips '1'
        option endpoint_host 'redacted'
        option endpoint_port '36664'
        list allowed_ips '10.10.199.6/24'

config interface 'HomeVPNnew'
        option proto 'none'
        option delegate '0'
        option device 'tun0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.2'

config interface 'wwan'
        option proto 'dhcp'