VPN Policy-Based Routing + Web UI -- Discussion

Sure

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd58:xxxx:xxxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.xxx.xxx.xxx'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns_search 'lan'

config interface 'wan'
	option device 'eth0'
	option proto 'pppoe'
	option username '<PPPoE Username>'
	option password '<PPPoE Password>'
	option ipv6 'auto'
	option peerdns '0'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option peerdns '0'
	option reqprefix 'auto'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config interface 'DSLite'
	option proto 'dslite'
	option encaplimit 'ignore'
	option peerdns '0'
	option peeraddr '2001:xxxx::1:1'
	option mtu '1460'

config interface 'NordVPN'
	option proto 'wireguard'
	option private_key '<Private Key>'
	list addresses '10.5.0.2'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '1.1.1.1'

config wireguard_NordVPN
	option public_key '<Public Key>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'xxx.xxx.xxx.xxx'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config interface 'Guest'
	option proto 'static'
	option ipaddr '172.16.xxx.xxx'
	option netmask '255.255.255.0'
	option device 'eth2'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<Private Key>'
	option listen_port '51821'
	list addresses '10.15.xxx.xx1/24'
	list addresses 'fdc8:xxx::xxx1/64'
	option peerdns '0'

config wireguard_wg0
	option public_key '<Public Key>'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description '<Peer 1 Name>'
	list allowed_ips '10.15.xxx.xx3/32'
	list allowed_ips 'fdc8:xxx::xxx3/128'

config wireguard_wg0
	option description '<Peer 2 Name>'
	option public_key '<Public Key>'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.15.xxx.xx4/32'
	list allowed_ips 'fdc8:xxx::xxx4/128'

config wireguard_wg0
	option description '<Peer 3 Name>'
	option public_key '<Public Key>'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.15.xxx.xx5/32'
	list allowed_ips 'fdc8:xxx::xxx5/128'

Regarding adding the DS-Lite interface to the list of supported interfaces in the VPR config, could you explain in a bit more detail? I got this DS-Lite interface from the package called 'ds-lite', which is also available in the OpenWrt repo.

Thanks!

Please check the README, there are decent screenshots of the WebUI and full description of all options.

Sure, thank you very much! I'll take a look!

Edited: Got it working, thanks again!

I am out of my depth on this, but I did update all the user files to your repo versions for AWS and Netflix, and I still get the same error. When I have some time on the weekend I will try to get your recommended changes to debug it figured out.

Thanks.

Hey there stangri,

Just gave it a go and it seems that the custom user file is successfully generating the list of domains, but for some reason the route is not actually arriving at the VPN interface. If I disable the script I'm able to connect to the test website, but enabling it leads to a Destination Host Unreachable in ping and an ERR_CONNECTION_REFUSED in the browser. The same issue happens if I attempt to route via port instead of IPSETs.

[root@OpenWRT-RPi /usbstick/transmission]# TARGET_IPSET='vpn_usa'
[root@OpenWRT-RPi /usbstick/transmission]# TARGET_ASN='16509'
[root@OpenWRT-RPi /usbstick/transmission]# TARGET_FNAME="/var/vpn-policy-routing_tmp_AS${TARGET_ASN}"
[root@OpenWRT-RPi /usbstick/transmission]# DB_SOURCE='api.bgpview.io'
[root@OpenWRT-RPi /usbstick/transmission]# TARGET_URL="https://api.bgpview.io/asn/${TARGET_ASN}/prefixes"
[root@OpenWRT-RPi /usbstick/transmission]# uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$TARGET_FNAME"
[root@OpenWRT-RPi /usbstick/transmission]# awk -v ipset="$TARGET_IPSET" '{print "add "ipset " " $1}' "$TARGET_FNAME" | ipset restore -!

From my machine:

ping vrv.co
PING vrv.co (65.9.148.128): 56 data bytes
92 bytes from OpenWRT-RPi.lan (192.168.1.1): Destination Port Unreachable
92 bytes from OpenWRT-RPi.lan (192.168.1.1): Destination Port Unreachable
92 bytes from OpenWRT-RPi.lan (192.168.1.1): Destination Port Unreachable
92 bytes from OpenWRT-RPi.lan (192.168.1.1): Destination Port Unreachable
92 bytes from OpenWRT-RPi.lan (192.168.1.1): Destination Port Unreachable
92 bytes from OpenWRT-RPi.lan (192.168.1.1): Destination Port Unreachable
^C--- vrv.co ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

From the router:

[root@OpenWRT-RPi /usbstick/transmission]# ping vrv.co
PING vrv.co (65.9.148.128): 56 data bytes
64 bytes from 65.9.148.128: seq=0 ttl=247 time=11.594 ms
64 bytes from 65.9.148.128: seq=1 ttl=247 time=10.753 ms
64 bytes from 65.9.148.128: seq=2 ttl=247 time=7.974 ms
64 bytes from 65.9.148.128: seq=3 ttl=247 time=8.753 ms
64 bytes from 65.9.148.128: seq=4 ttl=247 time=8.196 ms
64 bytes from 65.9.148.128: seq=5 ttl=247 time=11.878 ms
^C
--- vrv.co ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 7.974/9.858/11.878 ms

From the router through the VPN

[root@OpenWRT-RPi /usbstick/transmission]# ping -I ovpnc0 vrv.co
PING vrv.co (65.9.148.128): 56 data bytes
64 bytes from 65.9.148.128: seq=0 ttl=241 time=93.113 ms
64 bytes from 65.9.148.128: seq=1 ttl=241 time=90.778 ms
64 bytes from 65.9.148.128: seq=2 ttl=241 time=93.853 ms
64 bytes from 65.9.148.128: seq=3 ttl=241 time=90.694 ms
64 bytes from 65.9.148.128: seq=4 ttl=241 time=92.037 ms
^C
--- vrv.co ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 90.694/92.095/93.853 ms

If there's anything in particular that I could do to help diagnose the issue, please let me know.

Yes, all the usual stuff mentioned in README.

Heheh, fair enough. I guess it has been a while since I posted them.

I'll attach them as follows:

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option noresolv '1'
        option port '53'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option dnsforwardmax '2300'
        option min_cache_ttl '270'
        option cachesize '5000'
        list address '/router/192.168.1.1'
        option sequential_ip '1'
        option dnssec '1'
        option allservers '1'
        option confdir '/tmp/dnsmasq.d'
        option enable_tftp '1'
        option tftp_root '/usbstick/tftp'
        list server '127.0.0.1#1053'
        list server '::1#1053'
        list server '172.18.0.6#1054'
        list server '2001:3984:3989::6#1054'
        list server '127.0.0.1#5054'
        list server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#1053'
        list doh_backup_server '::1#1053'
        list doh_backup_server '172.18.0.6#1054'
        list doh_backup_server '2001:3984:3989::6#1054'

config boot 'linux'
        option filename 'pxelinux.0'
        option serveraddress '192.168.1.1'
        option servername 'router'
        list dhcp_option '209,pxelinux.cfg/default'
        option force '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'OVERNET-ASUSWRT'
        option ip '192.168.1.2'
        option mac '40:B0:76:C1:B8:20'

config host
        option name 'UNDERNET-ASUSWRT'
        option ip '192.168.1.3'
        option mac 'FC:34:97:38:96:08'

config host
        option name 'SteamLink'
        option ip '192.168.1.5'
        option mac 'E0:31:9E:3B:21:73'

config host
        option name 'HomePrinter'
        option ip '192.168.1.6'
        option mac 'DC:4A:3E:BC:67:92'

config host
        option name 'SamsungLEDBedroom'
        option ip '192.168.1.7'
        option mac '0C:89:10:16:15:62'

config host
        option name 'BedroomTV'
        option ip '192.168.1.8'
        option mac '00:0E:C6:6B:4E:9F'

config host
        option name 'HabitaciondeCeliaTV'
        option ip '192.168.1.9'
        option mac '00:0E:C6:6B:4E:A7'

config host
        option name 'SaladeEstar'
        option ip '192.168.1.10'
        option mac '00:0E:C6:74:4D:31'

config host
        option name 'NSW-ETH'
        option ip '192.168.1.11'
        option mac '00:0E:C6:BC:78:34'

config host
        option name 'NSW-WiFi'
        option ip '192.168.1.12'
        option mac '64:B5:C6:70:C9:B9'

config host
        option name 'MotoOneActiondeCelia'
        option ip '192.168.1.100'
        option mac '08:CC:27:5D:91:18'

config host
        option name 'MotoOneActiondeLiz'
        option ip '192.168.1.110'
        option mac '8C:F1:12:58:02:EB'

config host
        option name 'LIZ-PC'
        option ip '192.168.1.115'
        option mac 'F8:E4:E3:6D:F1:23'

config host
        option name 'ToastyPen10'
        option ip '192.168.1.210'
        option mac '8C:B8:4A:45:F5:90'

config host
        option name 'ToastySport'
        option ip '192.168.1.211'
        option mac '74:EB:80:68:AC:54'

config host
        option name 'TOASTYTUF-WiFi'
        option ip '192.168.1.250'
        option mac '84:C5:A6:85:4C:FB'

config host
        option name 'TOASTYTUF-GbE'
        option ip '192.168.1.251'
        option mac '04:D4:C4:E9:4E:21'

config host
        option name 'TOASTYTUF-UGREEN'
        option mac '00:E0:4C:74:F6:18'
        option ip '192.168.1.253'

config host
        option name 'HomePrinter'
        option duid '00030001DC4A3EBC6792'
        option mac 'DC:4A:3E:BC:67:92'
        option hostid '6'

config host
        option name 'SaladeEstar'
        option duid '00030001546009C28DD6'
        option mac '54:60:09:C2:8D:D6'
        option hostid '10'

config host
        option name 'TOASTYTUF-GbE'
        option duid '000100012872C85B04D4C4E94E21'
        option mac '04:D4:C4:E9:4E:21'
        option hostid '251'

config host
        option name 'ToastySport'
        option duid '000100012655CE3274EB8068AC54'
        option mac '74:EB:80:68:AC:54'
        option hostid '211'

config host
        option ip '192.168.1.116'
        option mac '00:0E:C6:75:72:DC'
        option name 'LIZ-PC-ETH'
        option dns '1'

config host
        option name 'TOASTYTUF-KILLER'
        option dns '1'
        option mac '9C:B6:D0:3C:20:58'
        option ip '192.168.1.252'
        option duid '000100012872c85b04d4c4e94e21'

config host
        option name 'SaladeEstar'
        option duid '00030001000EC6744D31'
        option mac '00:0E:C6:74:4D:31'
        option hostid '10'

config host
        option name 'LIZ-PC'
        option duid '0001000128585C2D54BF643CDB58'
        option mac '54:BF:64:3C:DB:58'
        option hostid 'be2'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'
        option reload '1'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config rule
        option name 'AllowNGINXPMAdmin'
        option src_port '81'
        option dest 'lan'
        option dest_port '81'
        option target 'ACCEPT'
        option src 'lan'
        list dest_ip '172.18.0.2'

config redirect
        option target 'DNAT'
        option name 'RProxy'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_port '80'
        option dest_ip '172.18.0.2'

config redirect
        option target 'DNAT'
        option name 'RProxy-SSL'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_port '443'
        option dest_ip '172.18.0.2'

config redirect 'adblock_docker53'
        option name 'Adblock DNS (docker, 53)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_docker853'
        option name 'Adblock DNS (docker, 853)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_docker5353'
        option name 'Adblock DNS (docker, 5353)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_lan853'
        option name 'Adblock DNS (lan, 853)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_lan5353'
        option name 'Adblock DNS (lan, 5353)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_wan53'
        option name 'Adblock DNS (wan, 53)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_wan853'
        option name 'Adblock DNS (wan, 853)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_wan5353'
        option name 'Adblock DNS (wan, 5353)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect
        option target 'DNAT'
        option name 'RProxy-Admin'
        option src 'lan'
        option src_dport '81'
        option dest 'lan'
        option dest_port '81'
        option dest_ip '172.18.0.2'

config rule
        option name 'RClone-GUI'
        option src 'lan'
        option src_port '5572'
        option dest 'lan'
        option dest_port '5572'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'HomeAssistant'
        option src 'lan'
        option src_port '8123'
        option dest 'lan'
        option dest_port '8123'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'Allow-NFS-RPC'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '111'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '2049'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS-Lock'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '32777:32780'
        option target 'ACCEPT'

config rule
        option name 'Tautulli'
        option src 'lan'
        option src_port '8181'
        option dest 'lan'
        list dest_ip '172.18.0.5'
        option dest_port '8181'
        option target 'ACCEPT'

config rule
        option name 'PiHole-Admin'
        option src_port '82'
        option dest 'lan'
        option dest_port '82'
        option target 'ACCEPT'
        option src 'lan'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config nat
        option name 'PiHole-DNAT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option src 'lan'
        option dest_ip '192.168.0.2'
        option dest_port '80'
        option target 'SNAT'
        option snat_ip '192.168.1.1'
        option snat_port '82'

config rule
        option name 'Transmission-GUI'
        option src 'lan'
        option dest 'lan'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'
        option src_port '9091'
        option dest_port '9091'

/etc/config/network

config interface 'vpn_usa'
        option proto 'none'
        option device 'ovpnc0'

config interface 'vpn_uk'
        option proto 'none'
        option device 'ovpnc1'

config interface 'vpn_spa'
        option proto 'none'
        option device 'ovpnc2'

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd04:52a5:a38a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth0'
        option username 'REDACTED'
        option password 'REDACTED'
        option ipv6 'auto'
        option hostname 'router'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

/etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_ipset 'dnsmasq.ipset'
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option enabled '1'
        option ipv6_enabled '0'
        list supported_interface 'pppoe-wan'
        list supported_interface 'ovpnc0'
        list supported_interface 'ovpnc1'
        list supported_interface 'ovpnc2'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        option webui_show_ignore_target '1'
        option dest_ipset '1'
        option src_ipset '1'

config include
        option enabled '0'
        option path '/usbstick/vpn-pbr/vpn-policy-routing.netflix.user'

config include
        option enabled '0'
        option path '/usbstick/vpn-pbr/vpn-policy-routing.aws.user'

config include
        option path '/usbstick/vpn-pbr/vpn-policy-routing.vrv.user'
        option enabled '0'

config include
        option enabled '0'
        option path '/usbstick/vpn-pbr/vpn-policy-routing.disney.user'

config include
        option enabled '0'
        option path '/usbstick/vpn-pbr/vpn-policy-routing.disney2.user'

config include
        option enabled '0'
        option path '/usbstick/vpn-pbr/vpn-policy-routing.disney3.user'

config include
        option enabled '0'
        option path '/usbstick/vpn-pbr/vpn-policy-routing.disney4.user'

config include
        option enabled '0'
        option path '/usbstick/vpn-pbr/vpn-policy-routing.disney5.user'

config policy
        option name 'VRV'
        option dest_addr '65.9.148.84 65.9.148.128 65.9.148.62 65.9.148.37 65.9.148.101 65.9.148.122 65.9.148.121 65.9.148.28 65.9.148.10 65.9.148.117 65.9.148.121 65.9.148.110'
        option interface 'vpn_usa'
        option src_addr '192.168.1.252'
        option enabled '0'

config policy
        option name 'P2P'
        option src_port '51413'
        option dest_port '51413'
        option interface 'vpn_usa'

/etc/init.d/vpn-policy-routing support
The forum wouldn't let me post it as text due to sheer size (in fact, I think it didn't even fit in my terminal's buffer), so I'll attach both the output and /var/vpn-policy-routing-support in a zip file here.
/etc/init.d/vpn-policy-routing reload

[root@OpenWRT-RPi /]# /etc/init.d/vpn-policy-routing reload
Creating table 'vpn_usa/ovpnc0/REDACTED' [✓]
Creating table 'vpn_uk/ovpnc1/REDACTED' [✓]
Creating table 'vpn_spa/ovpnc2/REDACTED' [✓]
Creating table 'wan/pppoe-wan/REDACTED' [✓]
Routing 'P2P' via vpn_usa [✓]
vpn-policy-routing 0.3.4-8 monitoring interfaces: vpn_usa vpn_uk vpn_spa wan [✓]
vpn-policy-routing 0.3.4-8 started with gateways:
vpn_usa/ovpnc0/REDACTED
vpn_uk/ovpnc1/REDACTED
vpn_spa/ovpnc2/REDACTED
wan/pppoe-wan/REDACTED [✓]

If you need me to post anything else, please let me know.

The vpn_usa ipset is empty, also you have a bunch of other ipsets which may interfere with the VPR operation. I'd start with not using any other ipsets besides VPR ones and finding out why the vpn_usa ipset is empty after running user file.

Okay, I've disabled banIP temporarily to check whether the iptables rules it generates cause interference.

After disabling it, the following results were output to paste.ee:
Paste.ee - vpn-policy-routing-support
Then, I tried enabling one of my per-device rules, with the following results:
Paste.ee - vpn-policy-routing-support
However, the same behaviour remains as per the previous diagnosis: the routed site cannot be reached from the test device.

Having done this, would you happen to have any advice on where to begin? I'm still a bit green on routing itself.

Well, after reviewing your VPR config I've realized you're not running the custom user file from within VPR, but manually from CLI. So of course the VPR restart/reload would flush the vpn_usa ipset and remove any entries you may have added there manually.

It's hard to say what's happening on your system then, as you haven't provided the output of support in the failing state. Not to say that I'd be able to diagnose the issue even with that information, but I'd recommend you disable banip, restart VPR, do your manual user file thing, try to access the domains in the custom user file from a freshly rebooted computer and then capture/upload to paste.ee the support output.

On that topic, I'd tried to run the latest commit's custom user file line by line, but even when doing so through VPN-PBR's LuCI applet, both in file form and by manually typing the resulting IPs, the end result is the same.


If I try to enable the aforementioned policies and reload from within either the applet or the CLI, the result ends up being this:

That's exactly what I have done so far, even went as far as to flush both DNS caching and renewing my DHCP lease in between attempts, but so far the only way I'm able to see a difference is by disabling the policies in the applet and applying, in which case the website loads successfully.

If there's anything else I should be doing (perhaps a different version of a dependency or something to do with my particular loadout), I'm willing to try and see, but at the moment I'm kind of stumped in regards to what I could try next.

In any case, thanks for the help you've given me so far, I've seen you mention that you're currently very busy, so I'm grateful you have decided to offer me help in spite of it.

Cheers!

came across this condition today with api.bgpview.io ...

for uber short term fix...

suggest sleep 2 in process_user_file() or
under the api.bgpview.io if statement in .user (or even a commented out line there mentioning multiple calls)

Thanks for bringing this up. I really don't want to add 2 seconds delay into the principal PROCD script, but I should definitely append documentation in the custom user files section.

The sleep command (if necessary) can be added to custom user files themselves by users.


in this case... other dudes here may benefit from my hacked up 'does-it-all' userfile

which deals with the above and this issue

../_USERFILE_ASN 51° ./vpn-policy-routing.userfile.cache 
flushandcreate vpn_usa ipset [skip]
result 0 [162] netflix https://api.bgpview.io/asn/2906/prefixes
populating vpn_usa ipset from netflix [162:162]
result 0 [6] disney https://api.bgpview.io/asn/8137/prefixes
populating vpn_usa ipset from disney [6:168]
result 0 [1] disney2 https://api.bgpview.io/asn/30224/prefixes
populating vpn_usa ipset from disney2 [1:169]
  • mostly just edit value 2 in the top here doc for now...
  • warning... stores files on rootfs...
  • change CACHEd if you want in tmp
  • intV ( redownload interval is set to 1 week )
  • TBA: download error handling when no cached list exists
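The manual commands posted earlier in the thread (TARGET_ASN, uclient-fetch, jsonfilter, ipset restore) and the wish-list from the post just above (several ASNs, a sleep between api.bgpview.io calls, cached results, and handling a failed download when no cache exists) put together as one VPR custom user file. This is an added example, not code from the VPR package or from either poster: the ASN list, cache directory, one-week max age and two-second pause are assumptions, and it fetches over TLS with certificate checking (so it assumes ca-bundle is installed) instead of the --no-check-certificate used above. Because VPR sources user files and re-creates the ipset on every reload, populating the ipset by hand from the CLI does not survive a reload; this file only fills the ipset when the OpenWrt tooling is present, i.e. when VPR sources it on the router, and elsewhere just defines the functions.

```shell
#!/bin/sh
# Added example of a vpn-policy-routing custom user file (referenced from
# /etc/config/vpn-policy-routing as a 'config include'). Not part of the VPR
# package; ASN list, cache location, MAX_AGE and API_SLEEP are assumptions.

TARGET_IPSET='vpn_usa'               # ipset VPR created for the vpn_usa interface
TARGET_ASNS='2906 8137 30224'        # assumed: the AS numbers shown in the cached-userfile output above
CACHE_DIR='/tmp/vpn-policy-routing'  # assumed; survives VPR reloads, not reboots
MAX_AGE=604800                       # re-download a prefix list after one week (seconds)
API_SLEEP=2                          # pause between api.bgpview.io calls (rate limiting)
DB_SOURCE='api.bgpview.io'

# cache_fresh FILE MAX_AGE: true when FILE is non-empty and younger than MAX_AGE seconds.
cache_fresh() {
    [ -s "$1" ] || return 1
    now=$(date +%s)
    mtime=$(date -r "$1" +%s 2>/dev/null) || return 1
    [ $((now - mtime)) -lt "$2" ]
}

# prefixes_to_restore IPSET FILE: turn a one-prefix-per-line file into 'ipset restore'
# input. Lines that are not a plausible IPv4 CIDR (IPv6 prefixes, API error text,
# a /33) are dropped, because one bad line makes 'ipset restore' abort, and
# duplicates are removed.
prefixes_to_restore() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' "$2" \
        | sort -u \
        | awk -v ipset="$1" '{ print "add " ipset " " $1 }'
}

# fetch_asn_prefixes ASN FILE: download the announced IPv4 prefixes of ASN into
# FILE. A failed or empty download (e.g. a rate-limited API reply) keeps the
# previous FILE, so the ipset can still be filled from the stale copy.
fetch_asn_prefixes() {
    asn="$1"; out="$2"; tmp="$2.new"
    url="https://${DB_SOURCE}/asn/${asn}/prefixes"
    if uclient-fetch -qO- "$url" 2>/dev/null \
            | jsonfilter -e '@.data.ipv4_prefixes[*].prefix' > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$out"
        return 0
    fi
    rm -f "$tmp"
    [ -s "$out" ]   # success only if a cached list exists to fall back on
}

# populate_ipset_from_asns IPSET "ASN ASN ...": fill IPSET from every ASN,
# sleeping between API calls and using the cache where it is still fresh.
# Returns 0 if at least one entry was added (VPR reports the user file's status).
populate_ipset_from_asns() {
    ipset_name="$1"; count=0; first=1
    mkdir -p "$CACHE_DIR"
    for asn in $2; do
        cache="${CACHE_DIR}/AS${asn}.prefixes"
        if ! cache_fresh "$cache" "$MAX_AGE"; then
            [ "$first" -eq 1 ] || sleep "$API_SLEEP"
            first=0
            if ! fetch_asn_prefixes "$asn" "$cache"; then
                echo "AS${asn}: download failed and no cached list, skipping" >&2
                continue
            fi
        fi
        entries=$(prefixes_to_restore "$ipset_name" "$cache")
        [ -n "$entries" ] || continue
        printf '%s\n' "$entries" | ipset restore -!
        count=$((count + $(printf '%s\n' "$entries" | wc -l)))
    done
    echo "populated $ipset_name with $count prefixes from AS: $2"
    [ "$count" -gt 0 ]
}

# Constructed sample (not real API output) for exercising prefixes_to_restore
# offline: two valid prefixes, a duplicate, an IPv6 prefix and two junk lines.
sample_prefix_file() {
    f=$(mktemp)
    printf '%s\n' '45.57.0.0/17' 'not-a-prefix' '45.57.0.0/17' \
        '2a00:86c0::/32' '108.175.32.0/20' '1.2.3.4/33' > "$f"
    echo "$f"
}

# Only touch the ipset where the OpenWrt tooling exists, i.e. when VPR sources
# this file on the router; elsewhere the file just defines the functions.
if command -v ipset >/dev/null 2>&1 && command -v uclient-fetch >/dev/null 2>&1 \
        && command -v jsonfilter >/dev/null 2>&1; then
    populate_ipset_from_asns "$TARGET_IPSET" "$TARGET_ASNS"
fi
```

Keep the cache under /tmp (or, as the post above warns, somewhere on the rootfs if it must survive a reboot) and point a 'config include' at the file; because VPR flushes and re-creates the ipset on reload, the entries only persist while they are added from within VPR, not from an interactive shell.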

hey stangri

Small suggestion to add wg0 along with the default Ignored Interface names. It seems to be one of the common default wireguard interface names in tutorials.

It threw me for a loop trying to get wireguard server working over the weekend in Openwrt until I discovered this was the culprit for me.

Does it work if I want to use it on my second router, connected as a wired repeater with no WAN connection?
Please guide.

Hi stangri,

I am trying to set up one domain to be routed via a Wireguard tunnel (called Cloudflare below). The Wireguard tunnel is working correctly, however PBR doesn't seem to work. Can anyone help?

Output of /etc/config/vpn-policy-routing :


config policy
        option name 'BTDig'
        option dest_addr 'btdig.com'
        option interface 'Cloudflare'

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_enable_column '0'
        option webui_protocol_column '0'
        option webui_chain_column '0'
        option webui_show_ignore_target '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option enabled '1'
        list supported_interface 'wan'
        list supported_interface 'wireguard'
        list supported_interface 'erx'
        list supported_interface 'cloudflare'

Output of /etc/init.d/vpn-policy-routing support:


vpn-policy-routing 0.3.2-20 running on OpenWrt 19.07.1.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         edge.lan        0.0.0.0         UG    0      0        0 eth0.2
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -d 37.1.202.102/32 -m comment --comment BTDIG_btdig_com -c 0 0 -g VPR_MARK0x040000
============================================================
Current ipsets
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

Output of /etc/init.d/vpn-policy-routing reload:

Creating table 'wan/eth0.2/192.168.1.2' ip: invalid argument '0x010000/0xff0000' to 'fwmark' [✗]
Creating table 'Wireguard/192.168.3.1' ip: invalid argument '0x020000/0xff0000' to 'fwmark' [✗]
Creating table 'ERX/eth0.2/192.168.1.1' ip: invalid argument '0x030000/0xff0000' to 'fwmark' [✗]
Creating table 'Cloudflare/172.16.0.2' ip: invalid argument '0x040000/0xff0000' to 'fwmark' [✗]
Routing 'BTDIG' via Cloudflare [✓]
vpn-policy-routing 0.3.2-20 monitoring interfaces: wan Wireguard ERX Cloudflare [✓]
ERROR: Failed to set up 'wan/eth0.2/192.168.1.2 [✓]'
ERROR: Failed to set up 'Wireguard/192.168.3.1'
ERROR: Failed to set up 'ERX/eth0.2/192.168.1.1 [✓]'
ERROR: Failed to set up 'Cloudflare/172.16.0.2'
ERROR: failed to set up any gateway!
WARNING: The 'resolver_ipset' is set to 'dnsmasq.ipset', but DNSMASQ ipsets are not supported on this system!
WARNING: The 'resolver_ipset' is set to 'dnsmasq.ipset', but DNSMASQ ipsets are not supported on this system!

If you don't mind adding a description to the top of your script which describes what it does and how it is better than the scripts I bundle with the VPR package, I'd be glad to add it to a new section in the README linking other user scripts.

I realize that there's no such thing as a "server" and a "client" in WireGuard, it's all peers, however I wouldn't want to ignore wg0 on the grounds that it's most likely as popular a name for the client as it is for the server.

Where are your VPN tunnels configured?

Uninstall 0.3.x version from your router (and remove reference to my packages repo if you have it added) and install the 0.2.x version of VPR from the 19.07 repo. Or upgrade to OpenWrt 21.02.1 if you want to use a more modern version of VPR/PBR.

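Two of the failures in the support and reload output above are environmental rather than policy problems: dnsmasq built with no-ipset (so resolver_ipset 'dnsmasq.ipset' cannot work, which is the repeated WARNING) and an ip binary that rejects fwmark MARK/MASK (typically the BusyBox ip applet on a 19.07 default image, which is why the 0.3.x VPR needs a newer release or ip-full, as the reply above says). As an added example that is not part of VPR, here is a small pre-flight script that checks both before VPR is enabled. The text-matching functions take the command output as an argument so they can be run on a captured support log; the exact help strings they look for (iproute2's 'fwmark FWMARK[/MASK]' versus BusyBox's 'fwmark FWMARK') and the script name vpr-preflight.sh are assumptions to verify against the ip build on the router.

```shell
#!/bin/sh
# Added example (not part of vpn-policy-routing): pre-flight checks for two
# environmental failures VPR reports at reload. Functions taking text as $1 are
# pure so they can be run on captured output; the *_local wrappers run the commands.

# Constructed samples, abridged from the thread and from the iproute2/BusyBox
# usage text (assumed wording, not captured on a router).
SAMPLE_DNSMASQ_NOIPSET='Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile'
SAMPLE_DNSMASQ_IPSET='Dnsmasq version 2.85  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC no-ID loop-detect inotify dumpfile'
SAMPLE_IP_FULL_HELP='SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]'
SAMPLE_IP_BUSYBOX_HELP='SELECTOR := [from PREFIX] [to PREFIX] [tos TOS] [fwmark FWMARK] [dev STRING] [pref NUMBER]'

# dnsmasq_has_ipset "<output of dnsmasq --version>": true when the build lists
# 'ipset' rather than 'no-ipset' among its compile time options, which is what
# resolver_ipset 'dnsmasq.ipset' (domain-based policies) depends on.
dnsmasq_has_ipset() {
    printf '%s\n' "$1" | grep -q '^Compile time options:' || return 1
    ! printf '%s\n' "$1" | grep -qE '(^| )no-ipset( |$)'
}

# ip_rule_supports_fwmark_mask "<output of ip rule help>": true when ip accepts
# 'fwmark MARK/MASK'. VPR adds one 'ip rule ... fwmark 0x0N0000/0xff0000' per
# gateway; an ip that only takes a bare mark fails with exactly the
# "invalid argument '0x010000/0xff0000' to 'fwmark'" seen in the reload output.
ip_rule_supports_fwmark_mask() {
    printf '%s\n' "$1" | grep -q 'fwmark FWMARK\[/MASK\]'
}

dnsmasq_has_ipset_local() { dnsmasq_has_ipset "$(dnsmasq --version 2>/dev/null)"; }
ip_rule_supports_fwmark_mask_local() { ip_rule_supports_fwmark_mask "$(ip rule help 2>&1)"; }

# vpr_preflight: run both checks on this host, say what to install, and return
# non-zero if either fails (so it can gate starting the service).
vpr_preflight() {
    rc=0
    if dnsmasq_has_ipset_local; then
        echo "ok: dnsmasq has ipset support"
    else
        echo "FAIL: dnsmasq built without ipset; install dnsmasq-full or do not use resolver_ipset 'dnsmasq.ipset'" >&2
        rc=1
    fi
    if ip_rule_supports_fwmark_mask_local; then
        echo "ok: ip rule accepts fwmark MARK/MASK"
    else
        echo "FAIL: ip does not accept fwmark MARK/MASK (BusyBox applet?); install ip-full or use the VPR version shipped for this release" >&2
        rc=1
    fi
    return $rc
}

# Run the checks when executed as vpr-preflight.sh (assumed name); sourcing the
# file only defines the functions.
case "$0" in
    */vpr-preflight.sh) vpr_preflight ;;
esac
```

Run it once after installing VPR on a new release; a non-zero exit means the reload will fail the same way as in the output above regardless of how the policies are written.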

kind offer sir... if/when I clean it up, will definitely get in touch regarding this.

Summary: it's just a hack with 97-99% of the other guy's scripts... with 1) handling several ASNs, 2) sleep on repeat and 3) caching results... not too sure if it's really worthy of any official mention...

would prefer to probably attempt a PR down the track to move most of these things into the config file...

but I think we may need to run not source the userfile to make that work

lemme see what pans out over next week/month or so...

thanks again for providing this tool... messed around with it a bit over the last week or so and it is super helpful doing so much gruntwork for pbr to happen...

pr's are not normally my thing... but if I end up using this tool more often... may send up some stuff for the userfile as discussed, and stuff related to ipset handling/documentation...


Thank you stangri, for the advice. My router model seems to have some issues with 21.02, so holding off on the upgrade. Will try and install the older VPR version.