VPN Policy-Based Routing + Web UI -- Discussion


#126

That's one of the bigger reasons I haven't sent a PR for this package yet -- I have not tested what would happen and more importantly I have no idea what a reasonable behaviour for VPR should be if some interface(s) do and some do not support IPv6.


#127

Well this is not working, I have installed all the required dependencies but it fails with an error every time. The odd thing is that the error message it is spitting out has the full command it tried to run, and I see in it that it was trying to run a program called "ipt" which does not exist.


#128

At least from my point of view my preference for the connection logic would be:

  1. use IPv6 if the VPN tunnel supports it; if not,
  2. use the same tunnel using IPv4;
  3. if both fail and strict routing is not enforced, fail over to the default routing tables (IPv6 first, then IPv4).

#129

Isn't it up to a client to make either IPv6 or IPv4 requests though?


#130

Yes that might be a problem.


#131

Hi all, recently I found this topic and lately I made successful tests of the pair wireguard (luci) + vpn policy based routing (luci) - all works perfectly fine.
Since I was doing some research before that, I have a question on how VPN PBR works.
I want to redirect the whole traffic only from one IP to the tunnel (and use the other side's internet access) - that works fine.
But why is the script using both: iptables + iproute?
I tested that an iproute modification is enough (another routing table + routing based on source address).


#132

And also ipsets and dnsmasq's ipsets. :wink:

From my limited testing, using ip rules where possible is faster than relying solely on iptables, especially with a long list of policies. You can force the service to use iptables rules exclusively though, if you want or need to establish clear priorities.


#133

Yes, I know it can use all 4 methods. I just thought for the simplest requirement (redirect whole traffic from 1 IP to the tunnel) it would just add an ip route and not iptables rules. Therefore I'm interested in something opposite - forcing it to use ip route/rule only, without iptables.
Still - huge thanks for such easy click&play solution!


#134

I don't think I've added it to the readme yet, add the option iprule_enabled '1' to the config to force it to use ip rules for simple policies.

Some iptables rules would still be created, but not used in your specific case.
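What a source-based setup does under the hood, and what happens to that host when the tunnel table is empty (the "fail over or not" question from #128, and the strict enforcement option the later configs turn on): an added Python model of the kernel's routing policy database, not code from vpn-policy-routing. It never touches the system; the table ids (201 for WAN, 202 for the tunnel), the gateways, the host addresses and the exact way strict enforcement is expressed (an `unreachable` rule right behind the lookup rule) are all assumptions made for the example.

```python
import ipaddress

MAIN_TABLE = 254  # the kernel's "main" table; 'from all lookup main' at pref 32766 is built in


class Rpdb:
    """Minimal model of the kernel routing policy database ('ip rule' + per-table routes).

    tables: table id -> its default route as a string ("via 10.4.0.1 dev tun0"),
            or None when the table has no default route (the tunnel is down).
    rules:  (pref, 'from' selector or None, action, table), evaluated in pref order.
    """

    def __init__(self, tables):
        self.tables = dict(tables)
        self.rules = [(32766, None, "lookup", MAIN_TABLE)]

    def add_rule(self, pref, src=None, action="lookup", table=None):
        selector = ipaddress.ip_network(src) if src else None
        self.rules.append((pref, selector, action, table))
        self.rules.sort(key=lambda r: r[0])

    def lookup(self, src_ip):
        """Route taken by a packet sourced from src_ip, or 'unreachable'."""
        ip = ipaddress.ip_address(src_ip)
        for _pref, selector, action, table in self.rules:
            if selector is not None and ip not in selector:
                continue
            if action == "unreachable":
                return "unreachable"
            route = self.tables.get(table)
            if route is not None:
                return route
            # no route in this table: the kernel continues with the next rule
        return "unreachable"


def build(tunnel_up, strict):
    """Policy: 192.168.1.100 goes over tun0, everything else over WAN.

    Equivalent shell (assumed table ids and gateways):
        ip route add default via 10.4.0.1 dev tun0 table 202
        ip rule add from 192.168.1.100/32 lookup 202 pref 30000
    strict=True adds, right behind it:
        ip rule add from 192.168.1.100/32 unreachable pref 30001
    so the host cannot fall through to the main table while tun0 is down.
    """
    tables = {
        MAIN_TABLE: "via 203.0.113.1 dev wan",
        201: "via 203.0.113.1 dev wan",
        202: "via 10.4.0.1 dev tun0" if tunnel_up else None,
    }
    rpdb = Rpdb(tables)
    rpdb.add_rule(30000, src="192.168.1.100/32", table=202)
    if strict:
        rpdb.add_rule(30001, src="192.168.1.100/32", action="unreachable")
    return rpdb


if __name__ == "__main__":
    for up, strict in ((True, False), (False, False), (False, True)):
        r = build(up, strict)
        print("tunnel up=%s strict=%s: host -> %s, other -> %s"
              % (up, strict, r.lookup("192.168.1.100"), r.lookup("192.168.1.50")))
```

The point of the model is the fall-through: a `lookup` rule whose table has no matching route is simply skipped by the kernel, so without the extra `unreachable` rule the tunnel host silently leaks out over WAN the moment tun0 goes down.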


#135

Hi
Is there any way to add a custom (not a VPN) interface?
For example I have

config interface 'tor'
        option ifname 'tor'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'
        option type 'bridge'

But if I'm adding tor or br-tor in "Supported Interfaces" I can see "TOR" in the drop-down menu under Policies, but there is an error in the system log:
user.notice vpn-policy-routing [7909]: ERROR: Failed to set up 'tor/br-tor/0.0.0.0'
And of course nothing works.
Thanks


#136

Try updating to: vpn-policy-routing 0.0.1-25 and luci-app-vpn-policy-routing 23, they should support tor interfaces (where ifname is set to tor). Let me know how it works.


#137

Unfortunately it is the same
..
Creating table 'tor/br-tor/0.0.0.0' [✗]
ERROR: Failed to set up 'tor/br-tor/0.0.0.0'
..


#138

Ah, right, I'll PM you.


#139

I replied in PM with the necessary data from my setup, but
actually, if you just want to add easy support of TOR for users of VPN Policy-Based Routing, it is not necessary to have a separate interface for TOR. As a common TOR setup is a transparent proxy, it is enough to forward traffic to a local port (or the port of a TOR server somewhere in the LAN).


#140

I'm not understanding this. I just want to assign a block of IPs (192.168.1.180-192.168.1.252) to use the VPN connection located at interface tun0 and ignore all other IPs (192.168.1.1 (should the router be included here?) or 192.168.1.2-192.168.1.179) but it doesn't seem to work at all for me because as soon as I run OpenVPN all my devices lose connectivity to each other and to the internet. All I've got so far is this:

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option dnsmasq_enabled '1'
        option enabled '1'
        option ipv6_enabled '0'

config policy
        option comment 'IPs into VPN'
        option local_addresses '192.168.1.180 192.168.1.252'
        option interface 'providervpn'

config policy
        option interface 'wan'
        option comment 'IPs out of VPN'
        option local_addresses '192.168.1.2 192.168.1.179'

config policy
        option interface 'wan'

I followed the instructions on OpenWRT docs about how to create a VPN connection which is why I ended up with this interface name. Please let me know what else I could try because this doesn't seem very intuitive to me at all.
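Turning the wanted range 192.168.1.180-192.168.1.252 (and its complement 192.168.1.2-192.168.1.179) into prefixes that fit a space-separated `local_addresses` value, and checking whether the router's own address lands in either: an added Python helper, not part of the post or of vpn-policy-routing. It only uses the standard `ipaddress` module; the two ranges are taken from the post above and the `normalize` helper (for prefixes written with host bits set, the way a later post writes 10.0.0.1/24) is an extra the thread does not ask for.

```python
import ipaddress

# The two ranges from the post; 192.168.1.1 (the router) is deliberately in neither.
VPN_FIRST, VPN_LAST = "192.168.1.180", "192.168.1.252"
WAN_FIRST, WAN_LAST = "192.168.1.2", "192.168.1.179"


def range_to_cidrs(first, last):
    """Smallest set of CIDR blocks that covers first..last inclusive, as strings."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def local_addresses(first, last):
    """Render the blocks as the value of one space-separated 'local_addresses' option."""
    return " ".join(range_to_cidrs(first, last))


def covers(cidrs, host):
    """True if host falls inside any of the CIDR blocks (use it to check the router)."""
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def normalize(prefix):
    """Canonical form of a prefix written with host bits set: 10.0.0.1/24 -> 10.0.0.0/24."""
    return str(ipaddress.ip_network(prefix, strict=False))


if __name__ == "__main__":
    print("option local_addresses '%s'" % local_addresses(VPN_FIRST, VPN_LAST))
    print("option local_addresses '%s'" % local_addresses(WAN_FIRST, WAN_LAST))
    print("router covered by VPN policy:",
          covers(range_to_cidrs(VPN_FIRST, VPN_LAST), "192.168.1.1"))
```

A range that is not aligned to a power of two does not fit in one prefix: 180-252 needs seven blocks, 2-179 needs nine, which is why two bare addresses on one `local_addresses` line describe two hosts rather than everything in between.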


#141

Hi @stangri great app, really helpful for a noob like me. However, I have one issue... I'm trying to do a simple port forward where I want to access one of my computers from outside my home. This computer is connected directly to the wan, and not filtered through your vpn-policy-routing on the vpn interface (I use that for a different computer in my network). The port forward (redirect) works when I disable the vpn-policy-routing but then when I turn it on, it stops :frowning:
What am I doing wrong and what can I change to fix?

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option src_dport '8812'
	option dest_ip '10.0.0.100'
	option dest_port '8812'
	option name 'eServer'
	option proto 'tcp udp'

/etc/config/vpn-policy-routing

config policy
	option local_addresses '10.0.0.101/32'
	option comment 'vpntraffic'
	option interface 'nordvpntun'

config policy
	option interface 'wan'
	option comment 'local'
	option local_addresses '10.0.0.1/24'

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option strict_enforcement '1'
	option dnsmasq_enabled '0'
	option udp_proto_enabled '1'
	option iprule_enabled '1'
	option enabled '1'

I tried setting option iprule_enabled '1' as you mentioned elsewhere but it appeared to have no effect...
Any input would be helpful, thanks!
D


#142

For some reason, this package has suddenly stopped working for me and my traffic isn't being routed in accordance with the policies (even though when I start the service, all my policies have a green tick etc.).

For anyone who's currently got this package working...would you mind checking something in your config for me please?

When I run /etc/init.d/vpn-policy-routing status part of the output is the routes/tables:

IPv4 Table 201: default via xxx.xxx.xxx.xxx dev pppoe-wan
IPv4 Table 202: default via 10.4.0.1 dev tun0

In particular, when I get the status, I can see that the package will route tun0 traffic via 10.4.0.1

But, if I do ifconfig tun0 the following line is present:

inet addr:10.4.15.250  P-t-P:10.4.15.250  Mask:255.255.0.0

Is this why the package has stopped working for me - because the IP that this package is trying to route by doesn't match the IP address as reported by ifconfig?

Would someone who's currently got this working be able to confirm if their route address is the same as the ifconfig address for their tun interface?


EDIT: I've come a step closer to 'fixing' it maybe.

The IP address listed for IPv4 Table 202: for tun0 is now the same IP address given when I run ifconfig tun0.

However, I've found another reason why maybe this still isn't working.
[image]

See the default route for tun0 which is currently given as 10.4.0.1 whilst Table 2 is via 10.4.11.234? For this service to work, do both of those addresses need to be identical?

Because the default route for pppoe-wan is the same address as the address given for Table 201.

[image]

Notice how the address for tun0 is 10.4.11.234 and how 10.4.0.1 appears nowhere here. So why is the service setting a default route of 10.4.0.1 for tun0?


EDIT again: I've restarted the router and everything seems to be working fine now. Odd. Oh well!


#143

Great tweak! Took some trial and error to get it to work but it's running beautifully now on my WRT1900ACS router! Thank you :laughing:

Here's how to get Netflix working if anyone is wondering;
Add

NetflixBypass_1    Local addresses/devices: 192.168.1.1/26    Remote addresses/domains: ichnaea.netflix.com
NetflixBypass_2    Local addresses/devices: 192.168.1.1/26    Remote addresses/domains: netflix.com

#144

I'd first make sure your OpenVPN connection is working without VPR.

When you run the OpenVPN client, is default routing set to go over VPN tunnel? In other words, if you remove the "local" policy, what happens?

There was a previous report that to get Netflix working reliably you need to route all of the AWS over VPN tunnel.


#145

First of all, thank you OP for this package and all members who contributed to this thread. For some reason, I can't route netflix traffic through my wan interface. The rules seem to be there, but aren't working. The rules are (firewall status):

| pkts | bytes | target | prot | in | out | source | destination | options |
|---|---|---|---|---|---|---|---|---|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|204.11.35.98|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|54.77.46.226|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.19.170.232|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|34.248.30.153|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|54.77.98.32|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.17.40.71|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.208.253.79|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.208.108.2|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|34.249.151.238|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|34.251.191.194|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|45.57.59.231|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|69.53.236.21|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|207.45.72.215|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|2.20.45.42|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|2.20.45.74|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|207.45.72.215|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.31.8.124|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.210.192.250|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.17.3.133|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|54.229.126.241|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|34.241.47.238|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.30.252.10|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.48.228.239|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.31.248.31|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.16.228.47|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|54.154.123.104|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|54.154.237.25|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.18.221.38|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.17.249.187|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.19.20.249|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.18.236.154|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.208.71.66|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.208.128.101|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.209.79.232|/* netflix_all */ MARK xset 0x10000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|52.208.75.181|/* netflix_all */ MARK xset 0x10000/0xff0000|

Any help would be appreciated.
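What those `MARK xset 0x10000/0xff0000` rules do to a packet, and how an `ip rule ... fwmark` entry then picks a routing table from the result: an added Python model, not part of the post above or of vpn-policy-routing. The rows it parses are constructed in the same format as the status table (three rows, made-up packet counters, plus a made-up catch-all `vpn_all` rule marking 0x20000), and the two `ip rule` entries it assumes (0x10000 selects table 201, 0x20000 selects table 202) are assumptions as well. Two things it makes visible: MARK is not a terminating target, so when several MARK rules match one packet the last one wins, and a rule whose packet counter reads 0 has never matched a packet, so whatever mark it would set cannot be what decides where that traffic goes.

```python
import ipaddress
import re

# Constructed sample in the format of the firewall status table (counters and the
# catch-all 'vpn_all' rule are made up for this example).
STATUS_ROWS = """
|340|41.2 KB|MARK|all|*|*|10.0.2.0/28|0.0.0.0/0|/* vpn_all */ MARK xset 0x20000/0xff0000|
|0|0.00 B|MARK|all|*|*|10.0.2.0/28|204.11.35.98|/* netflix_all */ MARK xset 0x10000/0xff0000|
|12|1.20 KB|MARK|all|*|*|10.0.2.0/28|54.77.46.226|/* netflix_all */ MARK xset 0x10000/0xff0000|
""".strip().splitlines()

ROW_RE = re.compile(
    r"^\|(?P<pkts>\d+)\|[^|]*\|MARK\|[^|]*\|[^|]*\|[^|]*\|(?P<src>[^|]+)\|(?P<dst>[^|]+)\|"
    r"/\* (?P<name>\w+) \*/ MARK xset (?P<value>0x[0-9a-fA-F]+)/(?P<mask>0x[0-9a-fA-F]+)\|$"
)

# Assumed 'ip rule' entries: (fwmark value, mask, table), checked in this order.
IP_RULES = [(0x10000, 0xff0000, 201), (0x20000, 0xff0000, 202)]
MAIN_TABLE = 254


def parse_rows(rows):
    """Turn status-table rows into rule dicts; rows that are not MARK rules are skipped."""
    rules = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            rules.append({
                "pkts": int(m["pkts"]),
                "src": ipaddress.ip_network(m["src"], strict=False),
                "dst": ipaddress.ip_network(m["dst"], strict=False),
                "name": m["name"],
                "value": int(m["value"], 16),
                "mask": int(m["mask"], 16),
            })
    return rules


def set_xmark(mark, value, mask):
    """MARK --set-xmark value/mask: zero the mask bits, then XOR value in; other bits survive."""
    return ((mark & ~mask) & 0xFFFFFFFF) ^ value


def mark_packet(rules, src, dst, mark=0):
    """Walk the chain top to bottom. MARK is non-terminating, so every matching
    rule rewrites the mark and the last match decides the final value."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"]:
            mark = set_xmark(mark, r["value"], r["mask"])
    return mark


def fwmark_matches(mark, value, mask):
    """'ip rule ... fwmark value/mask' matches when the masked mark equals value."""
    return (mark & mask) == value


def select_table(mark):
    """First 'ip rule' whose fwmark selector matches wins; otherwise the main table."""
    for value, mask, table in IP_RULES:
        if fwmark_matches(mark, value, mask):
            return table
    return MAIN_TABLE


def never_matched(rules):
    """Rules whose packet counter is still 0, i.e. that have not steered a single packet."""
    return [(r["name"], str(r["dst"])) for r in rules if r["pkts"] == 0]


if __name__ == "__main__":
    rules = parse_rows(STATUS_ROWS)
    m = mark_packet(rules, "10.0.2.5", "54.77.46.226", mark=0x3)
    print("netflix host: mark=%#x table=%d" % (m, select_table(m)))
    m = mark_packet(rules, "10.0.2.5", "198.51.100.7")
    print("other traffic: mark=%#x table=%d" % (m, select_table(m)))
    print("rules with zero hits:", never_matched(rules))
```

Swapping the order of the constructed rows (netflix rules before the catch-all) flips the netflix destination into table 202, because the catch-all's later `xset` clears the 0xff0000 bits the netflix rule had just set; the low bits outside the mask (0x3 in the demo) are left untouched either way.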