You need to use the OUTPUT chain for this.
Thanks that did it!
Is VPN policy based routing or PBR working with the upcoming 22.03? Thanks
I don't use any OpenVPN tunnels and the earliest I could test it would be mid-June. If you can figure out the reason for the delay, do let me know. Did you have this issue with VPR too?
It should, with iptables installed. I'm still in the dark on the future of dnsmasq-full, which last time I checked still supported ipset, not nftset. AFAIK, the use of dnsmasq to resolve domains is the more frequently used feature of VPR/pbr than anything else. Once I know what direction dnsmasq-full will be taking in the next release I will update the pbr package to properly support that release, either by requiring the necessary packages in the Makefile or by updating the PROCD script to support the default install of OpenWrt.
I flashed a spare R7800 with hnyman's latest stable openwrt-22.03 (owrt2203-r19338-ae64d0624c-20220510) build that has iptables installed and then tried installing both VPN policy based routing and PBR. Both fail with the errors pasted below.
opkg install vpn-policy-routing
Installing vpn-policy-routing (0.3.4-8) to root...
Downloading https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/arm_cortex-a15_neon-vfpv4/packages/vpn-policy-routing_0.3.4-8_all.ipk
Collected errors:
* pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.113-1-7d02f6b387e4ac9273545d8a6168f147) for kmod-ipt-ipset
* pkg_hash_fetch_best_installation_candidate: Packages for kmod-ipt-ipset found, but incompatible with the architectures configured
* satisfy_dependencies_for: Cannot satisfy the following dependencies for vpn-policy-routing:
* kernel (= 5.10.113-1-7d02f6b387e4ac9273545d8a6168f147)
* opkg_install_cmd: Cannot install package vpn-policy-routing.
opkg install pbr-ipt
Installing pbr-ipt (0.9.4-10) to root...
Downloading https://repo.openwrt.melmac.net/pbr-ipt_0.9.4-10_all.ipk
Collected errors:
* pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.113-1-7d02f6b387e4ac9273545d8a6168f147) for kmod-ipt-ipset
* pkg_hash_fetch_best_installation_candidate: Packages for kmod-ipt-ipset found, but incompatible with the architectures configured
* satisfy_dependencies_for: Cannot satisfy the following dependencies for pbr-ipt:
* kernel (= 5.10.113-1-7d02f6b387e4ac9273545d8a6168f147)
* opkg_install_cmd: Cannot install package pbr-ipt.
You will either have to use an official OpenWrt build or build it yourself (based on hnyman's sources/patches); kernel version dependencies are very strict.
Thanks, will muck with it.
Hey there!
Just tried migrating over to pbr while on OpenWRT 21.02.3 r16554-1d4dea6d4f, and it seems I'm now unable to set up any gateway, while on vpn-pbr only the port forwarding did not work at all.
I get the following error message from the LuCI dashboard:
Failed to set up 'wan/pppoe-wan/REDACTED/fc00:1020:1c:a2fb::1/64
fe80::1/128 \033[0;32m[\xe2\x9c\x93]\033[0m'
Failed to set up 'wg0/10.0.5.1/fd2d:a278:3852::1/64'
Failed to set up 'Zerotier/ztrta4adry/192.168.191.51/REDACTED/88
fcc5:eaac:71ca:f555:e355::1/40
fe80::cc3c:16ff:fee2:5e0b/64'
Failed to set up 'wg_usa/10.66.174.68/fc00:bbbb:bbbb:bb01::3:ae43/128'
Failed to set up 'wg_uk/10.67.195.42/fc00:bbbb:bbbb:bb01::4:c329/128'
Failed to set up 'wg_spa/10.64.222.190/fc00:bbbb:bbbb:bb01::1:debd/128'
iptables -t mangle -A PBR_PREROUTING -g PBR_MARK0x040000 -s 192.168.1.0/24 -m multiport --sport 58861 -m multiport --dport 58861 -m comment --comment P2P
failed to set up any gateway!
Is there anything else I should try to get pbr up and running?
I'll attach the required config files below:
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option noresolv '1'
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option logdhcp '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option dnsforwardmax '2300'
option min_cache_ttl '270'
list address '/router/192.168.1.1'
list address '/status.client/192.168.1.1'
option sequential_ip '1'
option dnssec '1'
option allservers '1'
option confdir '/tmp/dnsmasq.d'
option enable_tftp '1'
option tftp_root '/usbstick/tftp'
list doh_backup_server '127.0.0.1#1053'
list doh_backup_server '::1#1053'
option rebind_protection '0'
option port '5353'
option cachesize '5000'
config boot 'linux'
option filename 'pxelinux.0'
option serveraddress '192.168.1.1'
option servername 'router'
list dhcp_option '209,pxelinux.cfg/default'
option force '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
list dhcp_option '6,192.168.1.1'
list dhcp_option '3,192.168.1.1'
list dns 'fd04:52a5:a38a:aa::1'
list dhcp_option_force '114,http://status.client'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'OVERNET-ASUSWRT'
option ip '192.168.1.2'
option mac 'REDACTED'
config host
option name 'UNDERNET-ASUSWRT'
option ip '192.168.1.3'
option mac 'REDACTED'
config host
option name 'SteamLink'
option ip '192.168.1.5'
option mac 'REDACTED'
config host
option name 'HomePrinter'
option ip '192.168.1.6'
option mac 'REDACTED'
config host
option name 'SamsungLEDBedroom'
option ip '192.168.1.7'
option mac 'REDACTED'
config host
option name 'BedroomTV'
option ip '192.168.1.8'
option mac 'REDACTED'
config host
option name 'HabitaciondeCeliaTV'
option ip '192.168.1.9'
option mac 'REDACTED'
config host
option name 'SaladeEstar'
option ip '192.168.1.10'
option mac 'REDACTED'
config host
option name 'NSW-ETH'
option ip '192.168.1.11'
option mac 'REDACTED'
config host
option name 'NSW-WiFi'
option ip '192.168.1.12'
option mac 'REDACTED'
config host
option name 'MotoOneActiondeCelia'
option ip '192.168.1.100'
option mac 'REDACTED'
config host
option name 'LIZ-PC'
option ip '192.168.1.115'
option mac 'REDACTED'
config host
option mac 'REDACTED'
option name 'Note10PlusdeLiz'
option dns '1'
option ip '192.168.1.110'
option hostid '110'
config host
option name 'ToastySport'
option ip '192.168.1.211'
option mac 'REDACTED'
config host
option name 'TOASTYUFO-WiFi'
option ip '192.168.1.250'
option mac 'REDACTED'
config host
option name 'TOASTYUFO-GbE'
option ip '192.168.1.251'
option mac 'REDACTED'
config host
option name 'TOASTYTUF-UGREEN'
option mac 'REDACTED'
option ip '192.168.1.253'
config host
option name 'HomePrinter'
option duid 'REDACTED'
option mac 'REDACTED'
option hostid '6'
config host
option name 'SaladeEstar'
option duid 'REDACTED'
option mac 'REDACTED'
option hostid '10'
config host
option name 'TOASTYTUF-GbE'
option duid 'REDACTED'
option mac 'REDACTED'
option hostid '251'
config host
option name 'ToastySport'
option duid 'REDACTED'
option mac 'REDACTED'
option hostid '211'
config host
option ip '192.168.1.116'
option mac 'REDACTED'
option name 'LIZ-PC-ETH'
option dns '1'
config host
option name 'TOASTYTUF-KILLER'
option dns '1'
option mac 'REDACTED'
option ip '192.168.1.252'
option duid 'REDACTED'
config host
option name 'SaladeEstar'
option duid 'REDACTED'
option mac 'REDACTED'
option hostid '10'
config host
option name 'LIZ-PC'
option duid 'REDACTED'
option mac 'REDACTED'
option hostid 'be2'
config host
option name 'TOASTYTUF-UGREEN'
option duid 'REDACTED'
option mac 'REDACTED'
config host
option name 'SaladeEstar'
option duid 'REDACTED'
config host
option name 'HomePrinter'
option duid 'REDACTED'
config host
option name 'StereoSaladeEstar'
option ip '192.168.1.13'
option mac 'REDACTED'
config host
option name 'BedroomTVPlug'
option ip '192.168.1.14'
option mac 'REDACTED'
config host
option name 'BedroomLamp'
option ip '192.168.1.15'
option mac 'REDACTED'
config host
option name 'OfficeFan'
option ip '192.168.1.16'
option mac 'REDACTED'
config host
option name 'ToastyUltra22'
option dns '1'
option mac 'REDACTED'
option ip '192.168.1.210'
option hostid '210'
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg0'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan_6'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config zone
option name 'vpnzone'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
option masq6 '1'
option masq6_privacy '1'
option mtu_fix '1'
list network 'wg_usa'
list network 'wg_uk'
list network 'wg_spa'
config forwarding
option src 'lan'
option dest 'vpnzone'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
option reload '1'
config zone 'docker'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'docker'
list network 'docker'
config rule
option name 'AllowNGINXPMAdmin'
option src_port '81'
option dest 'lan'
option dest_port '81'
option target 'ACCEPT'
option src 'lan'
list dest_ip '172.18.0.2'
config redirect
option target 'DNAT'
option name 'RProxy-Admin'
option src 'lan'
option src_dport '81'
option dest 'lan'
option dest_port '81'
option dest_ip '172.18.0.2'
config redirect
option target 'DNAT'
option name 'RProxy'
option src 'wan'
option src_dport '80'
option dest 'lan'
option dest_port '80'
option dest_ip '172.18.0.2'
config redirect
option target 'DNAT'
option name 'RProxy-SSL'
option src 'wan'
option src_dport '443'
option dest 'lan'
option dest_port '443'
option dest_ip '172.18.0.2'
config redirect 'adblock_wan853'
option src 'wan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
option name 'AGH DNS over TLS'
option dest 'lan'
option dest_ip '192.168.1.1'
config redirect
option target 'DNAT'
option name 'AGH DNS over QUIC'
option src 'wan'
option src_dport '784'
option dest 'lan'
option dest_ip '192.168.1.1'
option dest_port '784'
config rule
option name 'RClone-GUI'
option src 'lan'
option src_port '5572'
option dest 'lan'
option dest_port '5572'
option target 'ACCEPT'
list dest_ip '192.168.1.1'
list dest_ip 'fd04:52a5:a38a::1'
config rule
option name 'HomeAssistant'
option src 'lan'
option src_port '8123'
option dest 'lan'
option dest_port '8123'
option target 'ACCEPT'
list dest_ip '192.168.1.1'
list dest_ip 'fd04:52a5:a38a::1'
config rule
option name 'Allow-NFS-RPC'
option src 'lan'
option proto 'tcp udp'
option dest_port '111'
option target 'ACCEPT'
config rule
option name 'Allow-NFS'
option src 'lan'
option proto 'tcp udp'
option dest_port '2049'
option target 'ACCEPT'
config rule
option name 'Allow-NFS-Lock'
option src 'lan'
option proto 'tcp udp'
option dest_port '32777:32780'
option target 'ACCEPT'
config rule
option name 'Tautulli'
option src 'lan'
option src_port '8181'
option dest 'lan'
list dest_ip '172.18.0.5'
option dest_port '8181'
option target 'ACCEPT'
config rule
option name 'PiHole-Admin'
option src_port '82'
option dest 'lan'
option dest_port '82'
option target 'ACCEPT'
option src 'lan'
list dest_ip '192.168.1.1'
list dest_ip 'fd04:52a5:a38a::1'
config nat
option name 'PiHole-DNAT'
list proto 'tcp'
list proto 'udp'
list proto 'icmp'
option src 'lan'
option dest_ip '192.168.0.2'
option dest_port '80'
option target 'SNAT'
option snat_ip '192.168.1.1'
option snat_port '82'
config rule
option name 'Transmission-GUI'
option src 'lan'
option dest 'lan'
option target 'ACCEPT'
list dest_ip '192.168.1.1'
list dest_ip 'fd04:52a5:a38a::1'
option src_port '9091'
option dest_port '9091'
config rule
option name 'NGINXPM-DB'
option src 'lan'
list src_ip '172.18.0.2'
option src_port '3306'
option dest 'lan'
list dest_ip '172.18.0.3'
option dest_port '3306'
option target 'ACCEPT'
config rule
option name 'Adguard-Admin'
option src 'wan'
option src_port '82'
option dest 'lan'
option dest_port '82'
option target 'ACCEPT'
list dest_ip '172.18.0.6'
list dest_ip '2001:3984:3989::6'
config rule 'wg'
option dest_port '51820'
option target 'ACCEPT'
option name 'Allow-WireGuard-lan'
list proto 'tcp'
list proto 'udp'
option src 'wan'
config defaults
option input 'REJECT'
option output 'REJECT'
option forward 'REJECT'
config rule
option name 'Allow-ZeroTier-Inbound'
list proto 'udp'
option src 'wan'
option dest_port '9993'
option target 'ACCEPT'
config zone
option name 'mesh'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
list network 'Zerotier'
config forwarding
option src 'mesh'
option dest 'lan'
config forwarding
option src 'mesh'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'mesh'
config forwarding
option src 'wan'
option dest 'mesh'
config redirect 'adblock_docker53'
option name 'Adblock DNS (docker, 53)'
option src 'docker'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_docker853'
option name 'Adblock DNS (docker, 853)'
option src 'docker'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_docker5353'
option name 'Adblock DNS (docker, 5353)'
option src 'docker'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
config redirect 'adblock_lan53'
option name 'Adblock DNS (lan, 53)'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_lan853'
option name 'Adblock DNS (lan, 853)'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_lan5353'
option name 'Adblock DNS (lan, 5353)'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
config redirect 'adblock_vpnzone53'
option name 'Adblock DNS (vpnzone, 53)'
option src 'vpnzone'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_vpnzone853'
option name 'Adblock DNS (vpnzone, 853)'
option src 'vpnzone'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_vpnzone5353'
option name 'Adblock DNS (vpnzone, 5353)'
option src 'vpnzone'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
config redirect 'adblock_wan53'
option name 'Adblock DNS (wan, 53)'
option src 'wan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_wan5353'
option name 'Adblock DNS (wan, 5353)'
option src 'wan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Allow-P2P-USA'
option src 'vpnzone'
option src_dport '58861'
config include 'opennds'
option type 'script'
option path '/usr/lib/opennds/restart.sh'
config include 'pbr'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
option family 'any'
option reload '1'
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd04:52a5:a38a::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '64'
option ip6hint 'AA'
list ip6class 'local'
config interface 'docker'
option device 'docker0'
option proto 'none'
option auto '0'
config device
option type 'bridge'
option name 'docker0'
config interface 'wan'
option proto 'pppoe'
option device 'eth0'
option username 'REDACTED'
option password 'REDACTED'
option ipv6 'auto'
option hostname 'router'
option force_link '1'
option metric '1'
config interface 'wg0'
option proto 'wireguard'
option private_key 'REDACTED'
option listen_port '51820'
list addresses '10.0.5.1/24'
list addresses 'fd2d:a278:3852::1/64'
config wireguard_wg0
option public_key 'REDACTED'
option description 'ToastyPen10+'
option endpoint_port '51820'
option persistent_keepalive '25'
list allowed_ips '10.0.5.2/32'
list allowed_ips 'fd2d:a278:3852::2/64'
option preshared_key 'REDACTED'
config wireguard_wg0
option description 'ToastyUFO'
option preshared_key 'REDACTED'
list allowed_ips '10.0.5.3/32'
list allowed_ips 'fd2d:a278:3852::3/64'
option endpoint_port '51820'
option persistent_keepalive '25'
option public_key 'REDACTED'
config wireguard_wg0
option description 'Moto One Action de Liz'
option preshared_key 'REDACTED'
list allowed_ips '10.0.5.4/32'
list allowed_ips 'fd2d:a278:3852::4/64'
option endpoint_port '51820'
option persistent_keepalive '25'
option public_key 'REDACTED'
config wireguard_wg0
option description 'Liz-PC'
option public_key 'REDACTED'
option preshared_key 'REDACTED'
list allowed_ips '10.0.5.5/32'
list allowed_ips 'fd2d:a278:3852::5/64'
option endpoint_port '51820'
option persistent_keepalive '25'
config wireguard_wg0
option description 'Moto One Action de Celia'
option preshared_key 'REDACTED'
list allowed_ips '10.0.5.6/32'
list allowed_ips 'fd2d:a278:3852::6/64'
option endpoint_port '51820'
option persistent_keepalive '25'
option public_key 'REDACTED'
config interface 'Zerotier'
option proto 'none'
option device 'ztrta4adry'
config interface 'wg_usa'
option proto 'wireguard'
option private_key 'REDACTED'
list addresses 'REDACTED'
list addresses 'fc00:bbbb:bbbb:bb01::3:ae43/128'
option peerdns '0'
list dns '10.64.0.1'
option metric '2'
config wireguard_wg_usa
option description 'us240-wireguard'
option public_key 'REDACTED'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option endpoint_host 'REDACTED'
option endpoint_port '51820'
option persistent_keepalive '25'
option route_allowed_ips '1'
config route6
option target '::/0'
option interface 'wg_usa'
config interface 'wg_uk'
option proto 'wireguard'
option private_key 'REDACTED'
list addresses 'REDACTED'
list addresses 'fc00:bbbb:bbbb:bb01::4:c329/128'
option peerdns '0'
list dns '10.64.0.1'
option metric '3'
config wireguard_wg_uk
option description 'gb15-wireguard'
option public_key 'REDACTED'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option endpoint_host 'REDACTED'
option endpoint_port '51820'
option persistent_keepalive '25'
option route_allowed_ips '1'
config interface 'wg_spa'
option proto 'wireguard'
option private_key 'REDACTED'
list addresses 'REDACTED/32'
list addresses 'fc00:bbbb:bbbb:bb01::1:debd/128'
option peerdns '0'
list dns '10.64.0.1'
option metric '4'
config wireguard_wg_spa
option description 'es1-wireguard'
option public_key 'REDACTED'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option endpoint_host 'REDACTED'
option endpoint_port '51820'
option persistent_keepalive '25'
option route_allowed_ips '1'
/etc/config/pbr
config include
option path '/usbstick/vpn-pbr/pbr.userfile.custom'
option enabled '0'
config pbr 'config'
option verbosity '2'
option resolver_ipset 'dnsmasq.ipset'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option procd_reload_delay '1'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_enable_column '1'
option webui_protocol_column '1'
option webui_chain_column '1'
option webui_show_ignore_target '1'
option strict_enforcement '1'
option dest_ipset '1'
option src_ipset '1'
option ipv6_enabled '1'
list supported_interface 'pppoe-wan'
list supported_interface 'wg_usa'
list supported_interface 'wg_uk'
list supported_interface 'wg_spa'
option enabled '1'
config policy
option name 'P2P'
option proto 'all'
option interface 'wg_usa'
option src_port '58861'
option src_addr '192.168.1.0/24'
option dest_port '58861'
config masqipset
option src_addr '192.168.1.210/32 192.168.1.67/32'
option interface 'wireguard_vpn_usa'
option ipset_name 'disney'
config masqipset
option src_addr '192.168.1.210/32 192.168.1.67/32'
option interface 'wireguard_vpn_usa'
option ipset_name 'netflix'
config asnipset
option src_addr '192.168.1.210/32 192.168.1.67/32'
option interface 'wireguard_vpn_usa'
option ipset_name 'asnnetflix'
config asnipset
option src_addr '192.168.1.210/32 192.168.1.67/32'
option interface 'wireguard_vpn_usa'
option ipset_name 'asndisney'
config policy
option name 'VRV'
option interface 'wg_usa'
option dest_addr '65.9.148.84 65.9.148.128 65.9.148.62 65.9.148.37 65.9.148.101 65.9.148.122 65.9.148.121 65.9.148.28 65.9.148.10 65.9.148.117 65.9.148.121 65.9.148.110 65.9.150.59 99.86.100.73 99.86.100.97 99.86.100.50 99.86.100.20 13.249.48.71 13.249.48.89 13.249.48.23 13.249.48.29'
option proto 'all'
option src_addr '192.168.1.252'
option enabled '0'
config policy
option name 'Disney+'
option dest_addr '54.218.188.255 34.218.145.143 54.71.61.241 13.248.150.189 76.223.18.1 139.104.192.37'
option interface 'wg_usa'
option proto 'all'
option src_addr '192.168.1.0/24'
option enabled '0'
config policy
option name 'USATest'
option enabled '0'
option interface 'wan'
option proto 'all'
option src_addr '192.168.1.0/24'
config policy
option name 'RTVE'
option dest_addr '217.15.42.90 184.25.229.23 51.81.66.107 51.81.243.73 138.199.8.197 143.244.35.226 143.244.35.226 138.199.8.197 51.81.243.73 51.81.66.107 143.244.35.226 138.199.8.197 189.254.81.67 189.254.81.89 199.232.94.137'
option interface 'wg_spa'
option proto 'all'
option src_addr '192.168.1.0/24'
option enabled '0'
Output of /etc/init.d/pbr support (I think this one's broken, perhaps a carryover?)
/usbstick 83° /etc/init.d/pbr support
Syntax: /etc/init.d/pbr [command]
Available commands:
start Start the service
stop Stop the service
restart Restart the service
reload Reload configuration files (or restart if service does not implement reload)
enable Enable service autostart
disable Disable service autostart
enabled Check if service is started on boot
netifd Installs/uninstalls netifd support
status Generates output required to troubleshoot routing issues
Use '-d' option for more detailed output
Use '-p' option to automatically upload data under VPR paste.ee account
WARNING: while paste.ee uploads are unlisted, they are still publicly available
List domain names after options to include their lookup in report
version Show version information
reload_interface Reload specific interface only
running Check if service is running
status Service status
trace Start with syscall trace
Output of /etc/init.d/pbr reload with verbosity setting set to 2:
/usbstick 76° /etc/init.d/pbr reload
Creating table 'wan/pppoe-wan/REDACTED/fc00:1020:1c:a2fb::1/64
fe80::1/128' [✓]
Creating table 'wg0/10.0.5.1/fd2d:a278:3852::1/64' [✓]
Creating table 'Zerotier/ztrta4adry/192.168.191.51/REDACTED/88
REDACTED/40
fe80::cc3c:16ff:fee2:5e0b/64' [✓]
Creating table 'wg_usa/REDACTED/REDACTED/128' [✓]
Creating table 'wg_uk/REDACTED/REDACTED/128' [✓]
Creating table 'wg_spa/REDACTED/REDACTED/128' [✓]
Routing 'P2P' via wg_usa [✓]
pbr 0.9.4-10 monitoring interfaces: wan wg0 Zerotier wg_usa wg_uk wg_spa
ERROR: Failed to set up 'wan/pppoe-wan/REDACTED/fc00:1020:1c:a2fb::1/64
fe80::1/128 [✓]'
ERROR: Failed to set up 'wg0/10.0.5.1/fd2d:a278:3852::1/64'
ERROR: Failed to set up 'Zerotier/ztrta4adry/REDACTED/REDACTED/88
REDACTED/40
REDACTED/64'
ERROR: Failed to set up 'wg_usa/REDACTED/fc00:bbbb:bbbb:bb01::3:ae43/128'
ERROR: Failed to set up 'wg_uk/REDACTED/fc00:bbbb:bbbb:bb01::4:c329/128'
ERROR: Failed to set up 'wg_spa/REDACTED/fc00:bbbb:bbbb:bb01::1:debd/128'
ERROR: iptables -t mangle -A PBR_PREROUTING -g PBR_MARK0x040000 -s 192.168.1.0/24 -m multiport --sport 58861 -m multiport --dport 58861 -m comment --comment P2P
ERROR: failed to set up any gateway!
If I need to provide any other detail, please don't hesitate to tell me so.
Thanks for the help!
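One of the errors in the post above is an `iptables` rule that matches ports with `-m multiport` but carries no `-p`; the multiport match only works with a port-carrying protocol (tcp, udp, udplite, sctp, dccp), so the insert fails. As an added example, not code from the thread or from the pbr package, this Python lint parses a UCI-style /etc/config/pbr, flags enabled policies that set src_port/dest_port with proto 'all', and renders a simplified form of the match so the missing `-p` is visible. The sample config is constructed from the P2P policy above plus a corrected copy, and the rule rendering is my own approximation, not pbr's rule builder.

```python
"""Lint pbr 'policy' sections whose port match iptables cannot build.

Added example; not code from the forum thread or from the pbr package.
It parses the UCI text form of /etc/config/pbr and, for every enabled
policy, renders (in simplified form) the iptables match pbr-ipt would need.
iptables' multiport match requires a port-carrying protocol (-p tcp/udp/...),
so a policy that sets src_port or dest_port with proto 'all' yields a rule
with no -p and the insert fails. The sample config below is constructed.
"""
import re

# Protocols the iptables multiport match accepts.
PORT_PROTOS = {"tcp", "udp", "udplite", "sctp", "dccp"}

# Constructed sample: the P2P policy as posted (proto 'all' with ports),
# a corrected copy, and a disabled policy that the lint must skip.
SAMPLE_PBR = """
config pbr 'config'
	option enabled '1'
	list supported_interface 'wg_usa'

config policy
	option name 'P2P'
	option proto 'all'
	option interface 'wg_usa'
	option src_port '58861'
	option src_addr '192.168.1.0/24'
	option dest_port '58861'

config policy
	option name 'P2P-fixed'
	option proto 'tcp udp'
	option interface 'wg_usa'
	option src_port '58861'
	option src_addr '192.168.1.0/24'
	option dest_port '58861'

config policy
	option name 'USATest'
	option enabled '0'
	option interface 'wan'
	option proto 'all'
	option src_addr '192.168.1.0/24'
"""


def parse_uci(text):
    """Return [(section_type, section_name_or_None, options)] from UCI text.

    'option' keys map to a string, 'list' keys to a list of strings.
    Quoted values may contain spaces (e.g. dest_addr with several IPs)."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", line)]
        if tok[0] == "config":
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif tok[0] == "option" and sections:
            sections[-1][2][tok[1]] = tok[2] if len(tok) > 2 else ""
        elif tok[0] == "list" and sections:
            sections[-1][2].setdefault(tok[1], []).append(tok[2] if len(tok) > 2 else "")
    return sections


def enabled_policies(sections):
    """Yield the option dicts of 'policy' sections that are not disabled."""
    for stype, _name, opts in sections:
        if stype == "policy" and opts.get("enabled", "1") != "0":
            yield opts


def lint_policies(sections):
    """Return [(policy_name, problem)] for policies iptables would reject."""
    problems = []
    for opts in enabled_policies(sections):
        proto = opts.get("proto", "all")
        has_ports = bool(opts.get("src_port") or opts.get("dest_port"))
        if has_ports and not all(p in PORT_PROTOS for p in proto.split()):
            problems.append((opts.get("name", "<unnamed>"),
                             f"ports set but proto '{proto}' has no port match "
                             f"(iptables multiport needs -p tcp/udp/udplite/sctp/dccp)"))
    return problems


def render_rules(sections):
    """Return {policy_name: [match string per protocol]} in the shape of the
    failing rule in the log. Simplified: the -g PBR_MARK target is omitted and
    multi-address lists (which pbr puts into ipsets) are skipped."""
    out = {}
    for opts in enabled_policies(sections):
        rules = []
        for proto in opts.get("proto", "all").split():
            parts = [] if proto == "all" else ["-p", proto]
            for flag, key in (("-s", "src_addr"), ("-d", "dest_addr")):
                if opts.get(key) and len(opts[key].split()) == 1:
                    parts += [flag, opts[key]]
            for flag, key in (("--sport", "src_port"), ("--dport", "dest_port")):
                if opts.get(key):
                    parts += ["-m", "multiport", flag, opts[key]]
            parts += ["-m", "comment", "--comment", opts.get("name", "")]
            rules.append(" ".join(parts))
        out[opts.get("name", "")] = rules
    return out


if __name__ == "__main__":
    secs = parse_uci(SAMPLE_PBR)
    for name, problem in lint_policies(secs):
        print(f"policy '{name}': {problem}")
    for name, rules in render_rules(secs).items():
        for rule in rules:
            print(f"{name}: iptables -t mangle -A PBR_PREROUTING {rule}")
```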
Hi there,
I'm a newbie in Openwrt.
I installed vpn-policy-routing and luci-app-vpn-policy-routing on Openwrt on Raspberry Pi 4.
When I tried to add a policy in LuCI, I only got the VPN tunnel to select for the interface, which makes it impossible to set up flexible rules.
Any advice?
openwrt version:
ImmortalWrt 18.06-k5.4-SNAPSHOT r11981-b14737143f (2022-04-29) / LuCI openwrt-18.06-k5.4 branch (git-22.115.13609-67ed2ee)
Kernel Version: 5.4.162
Vpn client: Openvpn
You can find the official documentation here: https://docs.openwrt.melmac.net/vpn-policy-routing
Unfortunately it appears you are using firmware that is not from the official OpenWrt project.
When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.
You may find that the best options are:
- Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
- Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
- Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).
If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.
Hi RuralRoots,
Thanks for the advice.
I have just installed the official version of Openwrt from the URL you mentioned:
OpenWrt R22.5.5 / LuCI Master (git-22.121.65028-2a5da72)
But after I installed the vpn routing policy package and tried to add a policy, I still had only VPN tunnel to select for the interface.
I don't have too much configuration on the Openwrt on the newly flashed Pi 4.
If you need any further detail, please let me know.
Thanks again.
Let's start with your settings.
Also, in LuCI/VPN/VPN Policy Routing what do you show for Service Gateways active/checked?
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
uci export dhcp
uci export network
uci export firewall
uci export vpn-policy-routing
Here is the output:
uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option noresolv '0'
option port '53'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config srvhost
option srv '_vlmcs._tcp'
option target 'OpenWrt'
option port '1688'
option class '0'
option weight '100'
uci export network
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd79:1931:6f09::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option dns '8.8.8.8'
option _orig_ifname 'eth0 wlan0'
option _orig_bridge 'true'
option ifname 'eth1'
option ipaddr '192.168.40.1'
option gateway '192.168.40.1'
config interface 'VPN'
option proto 'none'
option ifname 'tun0'
option auto '1'
config interface 'WAN'
option ifname 'eth0'
option _orig_ifname 'eth0'
option _orig_bridge 'false'
option proto 'pppoe'
option username 'hidden_username'
option password 'hidden_password'
option ipv6 'auto'
option keepalive '0'
uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '0'
option flow_offloading_hw '0'
option fullcone '0'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 WAN'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config include 'mia'
option type 'script'
option path '/etc/mia.include'
option reload '1'
config include 'shadowsocksr'
option type 'script'
option path '/var/etc/shadowsocksr.include'
option reload '1'
config include 'unblockmusic'
option type 'script'
option path '/var/etc/unblockmusic.include'
option reload '1'
config rule 'kms'
option name 'kms'
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '1688'
config zone
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'VPN'
option family 'ipv4'
option input 'REJECT'
option name 'vpn'
config forwarding
option dest 'vpn'
option src 'lan'
uci export vpn-policy-routing
package vpn-policy-routing
config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset '0'
option resolver_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option procd_reload_delay '1'
option webui_enable_column '0'
option webui_protocol_column '0'
option webui_chain_column '0'
option webui_show_ignore_target '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
Change to option enabled '1' in /etc/config/vpn-policy-routing, then issue /etc/init.d/vpn-policy-routing restart.
/etc/init.d/vpn-policy-routing restart
Creating table 'VPN/tun0/10.8.8.14' [✓]
Creating table 'WAN/pppoe-WAN/100.64.0.1' [✓]
vpn-policy-routing 0.3.4-8 monitoring interfaces: VPN WAN [✓]
vpn-policy-routing 0.3.4-8 started with gateways:
VPN/tun0/10.8.8.14 [✓]
WAN/pppoe-WAN/100.64.0.1
OK, your default route sends everything to VPN tunnel. You should be good to go setting up your policies.
Yes, VPN client works, vpn-policy-routing works with no errors.
The problem is everything is routed to VPN.
I need some devices to bypass VPN and go to WAN, as examples in the document.
But I don't have any interface to choose except VPN when adding policy.
In LuCI/VPN/VPN Policy Routing/Web UI Configuration enable Show Enabled Column - Save/Apply.
Add a policy and using your device select enable, add its ip, select *interface - WAN - Save Apply.
Now if you go to whatismyip.com you should see your wan ip.
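The same "one device out the WAN, everything else into the tunnel" setup, done from the shell instead of LuCI. This is an added example, not code from this thread or from the vpn-policy-routing package. The first function emits uci batch input for a vpn-policy-routing policy (the package's src_addr and interface options); the second shows the plain iproute2 policy routing that such a policy boils down to, a dedicated routing table for the WAN gateway plus a from-address rule consulted before the main table, written by hand here and not the package's own method. The device pppoe-WAN and gateway 100.64.0.1 are taken from the restart output above; the host 192.168.40.50 is a constructed address on the 192.168.40.0/24 LAN, and table id 201 and the bridge name br-lan are assumptions. DRY_RUN defaults to 1, so the script prints the commands rather than running them; set DRY_RUN=0 on the router to apply them.

```shell
#!/bin/sh
# Added example for the OpenWrt thread above; not part of vpn-policy-routing.
# Assumed from the thread's output: WAN device pppoe-WAN, WAN gateway 100.64.0.1,
# VPN default route on tun0. Constructed: host 192.168.40.50, table 201, br-lan.

WAN_DEV="pppoe-WAN"      # from the thread's VPR restart output
WAN_GW="100.64.0.1"      # from the thread's VPR restart output
WAN_TABLE="201"          # assumed table id; any id not already in use works
DRY_RUN="${DRY_RUN:-1}"  # 1 = print commands, 0 = execute (root on the router)

# Accept only a dotted-quad IPv4 address with octets 0..255, so a typo can
# never turn into a rule that matches more than the one intended host.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# 1) Declarative form: a vpn-policy-routing policy, as input for 'uci batch'.
#    Interface names must match the ones in /etc/config/network (WAN / VPN here).
vpr_policy_uci() {
    name="$1"; host="$2"; iface="$3"
    is_ipv4 "$host" || { echo "invalid IPv4 address: $host" >&2; return 1; }
    case "$iface" in
        WAN|VPN) ;;
        *) echo "unknown interface: $iface" >&2; return 1 ;;
    esac
    cat <<EOF
add vpn-policy-routing policy
set vpn-policy-routing.@policy[-1].name='$name'
set vpn-policy-routing.@policy[-1].enabled='1'
set vpn-policy-routing.@policy[-1].src_addr='$host'
set vpn-policy-routing.@policy[-1].interface='$iface'
commit vpn-policy-routing
EOF
}

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# 2) Mechanism: a table whose only default route is the WAN gateway, and a
#    source-address rule that selects that table for the host. The main table
#    (where the VPN default route lives) is never reached for this host.
bypass_vpn_for_host() {
    host="$1"
    is_ipv4 "$host" || { echo "invalid IPv4 address: $host" >&2; return 1; }
    run ip route replace default via "$WAN_GW" dev "$WAN_DEV" table "$WAN_TABLE"
    run ip rule add from "$host" lookup "$WAN_TABLE" priority 1000
    run ip route flush cache
}

# Ask the kernel which way a packet from the host would leave, without sending
# one; the answer should name pppoe-WAN after the bypass, tun0 before it.
verify_bypass() {
    run ip route get 8.8.8.8 from "$1" iif br-lan
}

# Usage (prints the uci batch input, then the raw commands):
vpr_policy_uci bypass-nas 192.168.40.50 WAN
bypass_vpn_for_host 192.168.40.50
verify_bypass 192.168.40.50
```

Feed the first function's output to uci batch (vpr_policy_uci bypass-nas 192.168.40.50 WAN | uci batch) and restart vpn-policy-routing, or apply the raw rules with DRY_RUN=0; either way, the ip route get check is the quickest way to confirm the host really leaves via pppoe-WAN rather than trusting whatismyip.com alone.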
Hi there,
I'm using VPN PBR every day in non-stop mode and I mentioned that from time to time it stops working... It's very annoying, I'm thinking of creating some script that monitors the PBR service and restarts it if something went wrong. But maybe there are other ideas? How to get the root cause of this annoying issue?
Provide enough details other than "stops working", i.e. when, what exactly happens, observations, any messages/logs, vpn-policy-routing support details on occurrence of the failure. You can't create 'some' script to monitor something without knowing where to look.