VPN Policy-Based Routing + Web UI -- Discussion


#146

Hi @stangri yes this seems to be the case. If I remove the local policy as you suggested, traffic from all the computers in my network now routes over the VPN tunnel. I also noticed the same if I disable the vpn-policy-routing, all traffic goes direct over the VPN tunnel.
I hope this sheds some light on the issue, let me know what I should test next. And thanks again for your help!
D


#147

@Dewey -- if that's the case, you will need some extra settings. I've written a wiki page for "OpenVPN client & server at the same time", but with the wiki re-org, I don't know where it went, try to google it.

@headless-cross -- search this thread (and possibly the archive linked from OP). Someone has posted what it takes to route netflix traffic before.


#148

Hi @stangri thanks for the quick response. This wasn't the issue (I don't need the server component), but upon searching your topic I discovered the terms 'redirect-gateway' and 'def1', which led me to learn that my vpn provider controls the routing when the connection is made. By adding the below to my vpn config and then having your service on, everything now works!!!

pull-filter ignore redirect-gateway
route 10.0.0.101 255.255.255.0

I've spent days trying to solve this! As a total noob I don't truly understand why I need the route line AND your policy component in order for it to work, but it does and so I'm happy, and I learnt a lot in the process :slight_smile:

Thanks again for all your help!! Much appreciated.
D


#149

Hi, I have a problem with this package. My Apple TV uses the vpn interface and other clients use wan. When I watch a movie online with my iPhone the traffic goes through wan correctly, but when I stream from the iPhone to the Apple TV it uses the vpn interface. In this situation the traffic is local and comes through wan to the iPhone, but it goes through the vpn as well. I would appreciate some help.
Thanks


#150

Hi all,

I am having an issue where the service does not recognise 'wan' as a valid interface.

/etc/config/vpn-policy-routing:

config policy
	option interface 'wan'
	option comment 'Local Traffic'
	option local_addresses '192.168.52.1/24'
	option remote_addresses '192.168.51.1/24'

config policy
	option interface 'wan'
	option comment 'Der XBOX'
	option local_addresses '192.168.52.95'
	option local_ports '0-65535'
	option remote_addresses '0.0.0.0/0'
	option remote_ports '0-65535'

config policy
	option comment 'Internet Traffic'
	option local_addresses '192.168.52.1/24'
	option remote_addresses '0.0.0.0/0'
	option interface 'nordvpntun'

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option strict_enforcement '1'
	option enabled '1'
	option dnsmasq_enabled '1'

/etc/init.d/vpn-policy-routing support:

vpn-policy-routing 0.0.1-25 running on LEDE 17.01.4. WAN (IPv4): lan/dev/192.168.51.254. WAN (IPv6): lan/dev6/::/0.
============================================================
Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default         10.8.8.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.51.254  0.0.0.0         UG    0      0        0 br-wan
32748:  from all fwmark 0x20000 lookup 202
32749:  from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via 192.168.51.254 dev br-wan
IPv4 Table 202: default via 10.8.8.1 dev tun0
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.52.0/24 -m comment --comment Internet_Traffic -c 103998 50208846 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set lan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create lan hash:net family inet hashsize 1024 maxelem 65536 comment
create nordvpntun hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

/etc/init.d/vpn-policy-routing reload

Creating table 'lan/br-lan/192.168.51.254' [✓]
Creating table 'nordvpntun/tun0/10.8.8.1' [✓]
Routing 'Local Traffic' via wan [✗]
Routing 'Der XBOX' via wan [✗]
Routing 'Internet Traffic' via nordvpntun [✓]
vpn-policy-routing 0.0.1-25 started on lan/br-lan/192.168.51.254 nordvpntun/tun0/10.8.8.1 with errors [✗]
ERROR: policy 'Local Traffic' has an unknown interface: wan!
ERROR: policy 'Der XBOX' has an unknown interface: wan!
vpn-policy-routing 0.0.1-25 monitoring interfaces: lan nordvpntun [✓]

In ifconfig, I have a br-wan interface, and under the interfaces section in LEDE, WAN appears as a network along with LAN and NORDVPNTUN. I have tried manually editing the config file changing 'wan' to 'br-wan', but that does not solve the issue.

Any advice appreciated.

Thanks.


#151

Last few posters -- I'm not ignoring you guys (and girls, as the case may be), but May turned out to be very eventful for me.

People with the br-wan and other not properly identified interfaces -- please post more about your devices/configurations and the output of ifconfig and ip -4 route.


#152

I could be mistaken, but afaik the phone doesn't stream to the Apple TV. The phone sends a URL to the Apple TV, so that the Apple TV starts its own stream. Hence, the VPN interface.


#153

It's a Linksys WRT1900AC running LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685). WAN is connected through the 'Internet' (ethernet) port.

ifconfig:

br-lan    Link encap:Ethernet  HWaddr 94:10:3E:18:65:0E
          inet addr:192.168.52.254  Bcast:192.168.52.255  Mask:255.255.255.0
          inet6 addr: fe80::9610:3eff:fe18:650e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:671762 errors:0 dropped:0 overruns:0 frame:0
          TX packets:582673 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:362855157 (346.0 MiB)  TX bytes:206603684 (197.0 MiB)

br-wan    Link encap:Ethernet  HWaddr 94:10:3E:18:65:0E
          inet addr:192.168.51.246  Bcast:192.168.51.255  Mask:255.255.255.0
          inet6 addr: fe80::9610:3eff:fe18:650e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:648502 errors:0 dropped:0 overruns:0 frame:0
          TX packets:684236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:230737905 (220.0 MiB)  TX bytes:407024539 (388.1 MiB)

eth0      Link encap:Ethernet  HWaddr 94:10:3E:18:65:0E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:692926 errors:0 dropped:0 overruns:0 frame:0
          TX packets:581763 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:373263482 (355.9 MiB)  TX bytes:205876159 (196.3 MiB)
          Interrupt:27

eth1      Link encap:Ethernet  HWaddr 94:10:3E:18:65:0E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:648503 errors:0 dropped:0 overruns:0 frame:0
          TX packets:684236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:239816987 (228.7 MiB)  TX bytes:407024539 (388.1 MiB)
          Interrupt:28

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:1893 (1.8 KiB)  TX bytes:1893 (1.8 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.8.171  P-t-P:10.8.8.171  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:580172 errors:0 dropped:0 overruns:0 frame:0
          TX packets:685727 errors:0 dropped:4053 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:197674015 (188.5 MiB)  TX bytes:361362822 (344.6 MiB)

wlan0     Link encap:Ethernet  HWaddr 94:10:3E:18:65:0F
          inet6 addr: fe80::9610:3eff:fe18:650f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1604 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:307878 (300.6 KiB)

wlan1     Link encap:Ethernet  HWaddr 94:10:3E:18:65:10
          inet6 addr: fe80::9610:3eff:fe18:6510/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1053 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2598 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:306866 (299.6 KiB)  TX bytes:1068971 (1.0 MiB)

ip -4 route

0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.51.254 dev br-wan  proto static  src 192.168.51.246
10.8.8.0/24 dev tun0  proto kernel  scope link  src 10.8.8.171
45.248.79.132 via 192.168.51.254 dev br-wan
128.0.0.0/1 via 10.8.8.1 dev tun0
192.168.51.0/24 dev br-wan  proto kernel  scope link  src 192.168.51.246
192.168.51.254 dev br-wan  proto static  scope link  src 192.168.51.246
192.168.52.0/24 dev br-lan  proto kernel  scope link  src 192.168.52.254
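The `0.0.0.0/1` and `128.0.0.0/1` routes in the output above are the pair OpenVPN installs for a pushed `redirect-gateway def1`: together they cover the whole address space with a longer prefix than `default`, so they win longest-prefix matching and pull everything onto tun0 without touching the real default route. This is the behaviour #148 worked around with `pull-filter ignore redirect-gateway`. The script below is an added example (my own code, not part of the thread or of vpn-policy-routing) that parses `ip -4 route` output, resolves a destination the way the main table would, and reports whether a def1 pair is present; the sample input is the route listing posted above, embedded so it runs offline. Note that VPR's fwmark rules are consulted before the main table, so these routes decide only traffic that no policy marks.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample input: the `ip -4 route` output posted above,
# embedded here so the script runs offline.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.51.254 dev br-wan  proto static  src 192.168.51.246
10.8.8.0/24 dev tun0  proto kernel  scope link  src 10.8.8.171
45.248.79.132 via 192.168.51.254 dev br-wan
128.0.0.0/1 via 10.8.8.1 dev tun0
192.168.51.0/24 dev br-wan  proto kernel  scope link  src 192.168.51.246
192.168.51.254 dev br-wan  proto static  scope link  src 192.168.51.246
192.168.52.0/24 dev br-lan  proto kernel  scope link  src 192.168.52.254
"""


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]


def parse_routes(text: str) -> List[Route]:
    """Parse `ip -4 route` lines into (prefix, dev, via); 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        # A bare address such as 45.248.79.132 is a host route (/32).
        prefix = ipaddress.ip_network(dest, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else ""
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append(Route(prefix, dev, via))
    return routes


def route_for(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does when it consults the main table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def def1_override(routes: List[Route]) -> Optional[str]:
    """Return the device receiving all traffic through the 0.0.0.0/1 + 128.0.0.0/1 pair
    that OpenVPN installs for `redirect-gateway def1`, or None if there is no such pair."""
    halves = {str(r.prefix): r for r in routes if r.prefix.prefixlen == 1}
    lo, hi = halves.get("0.0.0.0/1"), halves.get("128.0.0.0/1")
    if lo and hi and lo.dev == hi.dev:
        return lo.dev
    return None


def without_def1(routes: List[Route]) -> List[Route]:
    """The main table as it would look with `pull-filter ignore redirect-gateway` in place."""
    return [r for r in routes if r.prefix.prefixlen != 1]


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print("def1 override device:", def1_override(routes))
    for ip in ("8.8.8.8", "151.101.1.1", "45.248.79.132", "192.168.52.10"):
        hit = route_for(routes, ip)
        print(f"{ip:>15} -> {hit.dev} ({hit.prefix})")
    print("without def1, 8.8.8.8 ->", route_for(without_def1(routes), "8.8.8.8").dev)
```

Run it against your own `ip -4 route` output by replacing `SAMPLE_ROUTES`: if `def1_override` reports your tunnel device while your WAN policies still show ✓ in the reload output, the tunnel is winning in the main table for unmarked traffic, which is what the pull-filter line fixes. The host route for the VPN server endpoint (45.248.79.132 here) still resolves to br-wan, which is what keeps the tunnel itself from being routed into itself.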

#154

I have been using this service for more than a year with great success. However my ISP has started throttling UDP traffic to fight VoIP and this has affected OpenVPN. To bypass this throttling I have moved openvpn to tcp and the speed was dramatically reduced. To improve speed, I modified the openvpn configuration:

  • Protocol: from udp to tcp
  • Cipher: from AES-256 to none

Then I have tunneled the openvpn link over a shadowsocks proxy to maintain encrypted, secured communications. This configuration has improved my speed noticeably and now it is even faster than the speed I had with UDP only. Now I want to have 3 routes:

  • Route #1: devices that use openvpn over shadowsocks (VoIP devices)
  • Route #2: shadowsocks only (only bypass geolocation services for some devices)
  • Route #3: direct WAN.

I managed to get this working by starting the services in order:
(1) shadowsocks - which implements its own access control and policy routing. It will route through shadowsocks or directly to the internet based on the configured policies.
(2) VPN policy routing, including in the policies ONLY those devices that will be routed via openvpn.

The problem comes when the shadowsocks server restarts and rewrites the ip tables: the devices that were routed using vpn-policy-routing lose internet connection until I manually restart the service.

Is there a way to add dependencies on other services (like shadowsocks), so that when that service is restarted, vpn-policy-routing is also restarted?
Similar to an openvpn restart, which triggers a vpn-policy-routing restart right afterwards.

It is also not ideal to manage policies via two services/luci interfaces, so any idea that could help to define clearer routing policies would be welcome.


#155

Khm, the br-wan part is intriguing. Can you please post your /etc/config/network?

I'm not familiar with shadowsocks, I'm guessing it doesn't create its own interface -- does it?
Maybe ucitrack could help, sadly I don't have time to look into it.


#156

Surely.


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde6:4fb7:e5c8::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option dns '192.168.52.252'
	option ipaddr '192.168.52.254'
	option gateway '192.168.51.254'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option delegate '0'
	option type 'bridge'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'none'
	option reqprefix 'no'
	option auto '0'
	option delegate '0'
	option defaultroute '0'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

config interface 'nordvpntun'
	option proto 'none'
	option ifname 'tun0'
	option delegate '0'
	option auto '1'

If you think it would help, I can try deleting the extant configuration and try setting that interface up again.

Thanks.


#157

Are you really bridging multiple ifnames for WAN? If not, try removing the quoted line from WAN interface and rebooting the router.


#158

I wasn't - I suspect that's the default configuration to support IPv6 traffic. I added the 'wan' interface under advanced settings, so I have managed to change the errors I'm getting.

A reload command now gives:


Creating table 'lan/br-lan/192.168.51.254' [✓]
Creating table 'wan/eth1/0.0.0.0' [✗]
Creating table 'nordvpntun/tun0/10.8.8.1' [✓]
Routing 'Der XBOX' via wan [✓]
Routing 'Internet Traffic' via nordvpntun [✓]
vpn-policy-routing 0.0.1-25 started on lan/br-lan/192.168.51.254 nordvpntun/tun0/10.8.8.1 with errors [✗]
ERROR: Failed to set up 'wan/eth1/0.0.0.0'
vpn-policy-routing 0.0.1-25 monitoring interfaces: lan wan nordvpntun [✓]

That said, everything appears to be working.


#159

Looks like VPR is detecting your LAN interface as WAN. Probably due to having gateway manually configured for that interface.

I have updated the gateway and WAN detection logic in 0.0.2-1, that build might work better for you.
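The exchange from #150 through #159 boils down to three things a reload log does not say outright: a policy pointing at an interface name that /etc/config/network never defines, a static `gateway` on the LAN interface that makes the WAN detection pick the wrong network, and a `type 'bridge'` on a WAN interface with a single ifname. Below is an added example (my own code, not part of vpn-policy-routing or of anything stangri posted) that parses both UCI files with a minimal parser and reports those three conditions. The "gateway on a non-WAN interface" and "single-member bridge" checks are heuristics taken from the replies in #159 and #157, not the package's own detection logic; the sample configs are trimmed copies of the ones posted in #150 and #156, embedded so the script runs offline.

```python
import shlex
from typing import Any, Dict, List, Tuple

# Constructed sample input, trimmed from the /etc/config/network and
# /etc/config/vpn-policy-routing files posted earlier in the thread.
NETWORK_CONF = """\
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '192.168.52.254'
    option netmask '255.255.255.0'
    option gateway '192.168.51.254'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'
    option type 'bridge'

config interface 'nordvpntun'
    option proto 'none'
    option ifname 'tun0'
"""

VPR_CONF = """\
config policy
    option interface 'wan'
    option comment 'Local Traffic'
    option local_addresses '192.168.52.1/24'
    option remote_addresses '192.168.51.1/24'

config policy
    option comment 'Internet Traffic'
    option local_addresses '192.168.52.1/24'
    option remote_addresses '0.0.0.0/0'
    option interface 'nordvpntun'
"""

Section = Dict[str, Any]
Finding = Tuple[str, str, str]  # (check id, subject, human-readable message)


def parse_uci(text: str) -> List[Section]:
    """Minimal UCI parser: `config <type> ['name']`, `option k 'v'`, `list k 'v'`."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # shlex handles the single-quoted values
        value = words[2] if len(words) > 2 else ""
        if words[0] == "config":
            sections.append({"type": words[1], "name": value, "options": {}, "lists": {}})
        elif words[0] == "option" and sections:
            sections[-1]["options"][words[1]] = value
        elif words[0] == "list" and sections:
            sections[-1]["lists"].setdefault(words[1], []).append(value)
    return sections


def check(network_text: str, vpr_text: str) -> List[Finding]:
    """Cross-check VPR policies against the network config; returns one tuple per finding."""
    net = parse_uci(network_text)
    ifaces = {s["name"]: s["options"] for s in net if s["type"] == "interface" and s["name"]}
    findings: List[Finding] = []

    # 1. Every policy must point at an interface that /etc/config/network defines.
    for s in parse_uci(vpr_text):
        if s["type"] != "policy":
            continue
        target = s["options"].get("interface", "")
        label = s["options"].get("comment", "<no comment>")
        if target and target not in ifaces:
            findings.append(("unknown-interface", label,
                             f"policy '{label}' routes via '{target}', which is not a network interface"))

    for name, opts in ifaces.items():
        # 2. Heuristic from #159: a static gateway on a non-WAN interface can be detected as WAN.
        if opts.get("proto") == "static" and "gateway" in opts and not name.startswith("wan"):
            findings.append(("gateway-on-non-wan", name,
                             f"interface '{name}' has gateway {opts['gateway']}; VPR may detect it as WAN"))
        # 3. Heuristic from #157: a WAN bridge over a single ifname is not bridging anything.
        if opts.get("type") == "bridge" and len(opts.get("ifname", "").split()) < 2 and name.startswith("wan"):
            findings.append(("single-member-bridge", name,
                             f"interface '{name}' is a bridge over one ifname; drop type 'bridge'"))
    return findings


if __name__ == "__main__":
    for code, subject, msg in check(NETWORK_CONF, VPR_CONF):
        print(f"[{code}] {msg}")
```

On the sample configs it flags `lan` for the gateway and `wan` for the single-member bridge, which are the two changes suggested in the replies; to run it on a live router, read the two files from /etc/config instead of the embedded strings. The "unknown-interface" check is the one that would have caught a plain typo in a policy's interface name before a reload.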


#160

I'm trying to get a simple setup working, and have used vpn-policy-routing instead of mwan3 since it seems to be the future.

My goal is to have a network with VPN for some devices for Amazon Prime US and Netflix US, whilst another network will go directly via the WAN port.

I've got the network going via VPN working ok, however the non-VPN network then cannot access Netflix? Is this a known problem? I want both networks to be able to access Netflix, one via the VPN (US) and one without (local Netflix library).

Is this a known issue? Are there workarounds for my situation?

/etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option strict_enforcement '1'
        option dnsmasq_enabled '1'
        option udp_proto_enabled '1'
        option enabled '1'

config policy
        option interface 'wan'
        option local_addresses '192.168.50.0/24'
        option comment 'default'

config policy
        option local_addresses '192.168.55.0/24'
        option interface 'nordvpn_us'
        option comment 'vpn_us'

ip -4 route

default via 187.X.X.X dev pppoe-wan  proto static  metric 10
187.X.X.X dev pppoe-wan  proto kernel  scope link  src 191.X.X.X
192.168.50.0/24 dev br-lan  proto kernel  scope link  src 192.168.50.1
192.168.55.0/24 dev wlan0-1  proto kernel  scope link  src 192.168.55.1

I also have difficulty connecting to Amazon.com on the non-VPN network.

Could there be some issue with DNS leaking?


#161

Awesome, I appreciate that - any idea of when you will have it in your repo?


Davidc502- wrt1200ac wrt1900acx wrt3200acm wrt32x builds
#162

For reference, a factory reset of the router and reconfiguration of everything has fixed all my issues.

Thanks all.


#163

Hi, can someone produce a full guide for someone who has no understanding of networking on how to set up two wifi networks, one with a OpenVPN client and one without, on LEDE? I will gladly pay someone to help me with setup.


#164

I just pushed the vpn-policy-routing 0.0.2-3 to my repo, where you can specify a "physical device" (like wlan1 or wlan0-1) as the "local address/device". I haven't tested it yet tho.


#165

Has anyone on 18.06 (either snapshot or rc1) tested this with flow_offloading (either sw or hw) enabled?