VPN Policy-Based Routing + Web UI -- Discussion

You need to use the OUTPUT chain for this.

1 Like

Thanks that did it!

Is VPN policy based routing or PBR working with the upcoming 22.03? Thanks :+1:

I don't use any OpenVPN tunnels and the earliest I could test it would be mid-June. If you can figure out the reason for the delay, do let me know. Did you have this issue with VPR too?

It should, with the iptables installed. I'm still in the dark on the future of dnsmasq-full which last time I checked still supported ipset, not nftset. AFAIK, the use of dnsmasq to resolve domains is the more frequently used feature of VPR/pbr than anything else. Once I know what direction dnsmasq-full will be taking in the next release I will update the pbr package to properly support that release, either by requiring the necessary packages in the Makefile or by updating the PROCD script to support default install of OpenWrt.

3 Likes
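The post above turns on which set type the installed dnsmasq can populate (ipset vs. nftset). dnsmasq prints its compile-time options in `dnsmasq --version`, with the words `ipset`/`no-ipset` and, in newer builds, `nftset`/`no-nftset`. The script below is an added example, not code from the thread or from the dnsmasq or pbr projects: it parses that output and reports which set type the resolver can feed. The sample version strings are constructed for the demo; run it against the real `dnsmasq --version` on the router.

```sh
# Added example (not from the thread or the dnsmasq/pbr projects).
# Report which set type the local dnsmasq build can populate from DNS
# answers, based on the "Compile time options:" line of `dnsmasq --version`.
# Prints one of: ipset, nftset, both, none.
dnsmasq_set_support() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^Compile time options: //p')
    has_ipset=0; has_nftset=0
    # "no-ipset" / "no-nftset" are distinct words, so exact matches are enough.
    for o in $opts; do
        case "$o" in
            ipset)  has_ipset=1 ;;
            nftset) has_nftset=1 ;;
        esac
    done
    if [ $has_ipset -eq 1 ] && [ $has_nftset -eq 1 ]; then echo both
    elif [ $has_ipset -eq 1 ]; then echo ipset
    elif [ $has_nftset -eq 1 ]; then echo nftset
    else echo none
    fi
}

# Constructed sample outputs (version numbers and option lists are assumed,
# only the "Compile time options:" format matches real dnsmasq output).
SAMPLE_DNSMASQ_IPSET='Dnsmasq version 2.85  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile'

SAMPLE_DNSMASQ_NFTSET='Dnsmasq version 2.87  Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset nftset auth no-DNSSEC loop-detect inotify dumpfile'

SAMPLE_DNSMASQ_BOTH='Dnsmasq version 2.87  Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset nftset auth no-DNSSEC loop-detect inotify dumpfile'

SAMPLE_DNSMASQ_NONE='Dnsmasq version 2.85  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset auth no-DNSSEC loop-detect inotify dumpfile'

# On a router: dnsmasq_set_support "$(dnsmasq --version)"
if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_DNSMASQ_IPSET" "$SAMPLE_DNSMASQ_NFTSET" "$SAMPLE_DNSMASQ_BOTH" "$SAMPLE_DNSMASQ_NONE"; do
        dnsmasq_set_support "$s"
    done
fi
```

The plain `dnsmasq` package in OpenWrt is built without set support; `dnsmasq-full` is the variant that carries it, which is why the resolver-based policies depend on which variant (and which set type) the release ships.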

I flashed a spare R7800 with hnyman's latest stable openwrt-22.03 (owrt2203-r19338-ae64d0624c-20220510) build that has iptables installed and then tried installing both VPN policy based routing and PBR. Both fail with the errors pasted below.

opkg install vpn-policy-routing
Installing vpn-policy-routing (0.3.4-8) to root...
Downloading https://downloads.openwrt.org/releases/22.03-SNAPSHOT/packages/arm_cortex-a15_neon-vfpv4/packages/vpn-policy-routing_0.3.4-8_all.ipk
Collected errors:
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.113-1-7d02f6b387e4ac9273545d8a6168f147) for kmod-ipt-ipset
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-ipt-ipset found, but incompatible with the architectures configured
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for vpn-policy-routing:
 * 	kernel (= 5.10.113-1-7d02f6b387e4ac9273545d8a6168f147)
 * opkg_install_cmd: Cannot install package vpn-policy-routing.


opkg install pbr-ipt
Installing pbr-ipt (0.9.4-10) to root...
Downloading https://repo.openwrt.melmac.net/pbr-ipt_0.9.4-10_all.ipk
Collected errors:
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.113-1-7d02f6b387e4ac9273545d8a6168f147) for kmod-ipt-ipset
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-ipt-ipset found, but incompatible with the architectures configured
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for pbr-ipt:
 * 	kernel (= 5.10.113-1-7d02f6b387e4ac9273545d8a6168f147)
 * opkg_install_cmd: Cannot install package pbr-ipt.

You will either have to use an official OpenWrt build or build it yourself (based on hnyman's sources/patches); kernel version dependencies are very strict.

2 Likes
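The opkg output above fails because `kmod-ipt-ipset` depends on an exact `kernel (= <version>-<hash>)`, and the hash changes with every kernel build, so a kmod from the official feed (or from a third-party repository built against it) will not install on a custom build. The script below is an added example, not code from the thread or from the pbr project: it pulls the required kernel string out of opkg's error text and compares it with the installed one, so the mismatch can be detected before mixing repositories. The quoted opkg lines are the ones from the post; the installed-kernel strings passed in the demo are assumed.

```sh
# Added example (not from the thread or the pbr project): compare the kernel
# ABI string a kmod package demands with the kernel actually installed.
# OpenWrt kmods depend on "kernel (= <version>-<release>-<config hash>)";
# any difference means the module will never load, so do not install it.

# Extract the kernel version strings opkg complained about.
# Input: opkg output on stdin. Output: one version per line, deduplicated.
required_kernels() {
    sed -n 's/.*cannot find dependency kernel (= \([^)]*\)).*/\1/p' | sort -u
}

# Usage: kernel_dep_check "<installed kernel version>" "<opkg output text>"
# Returns 0 when every required version equals the installed one,
# 1 on a mismatch (details on stderr), 2 when opkg reported no kernel dependency.
kernel_dep_check() {
    installed="$1"
    required=$(printf '%s\n' "$2" | required_kernels)
    [ -n "$required" ] || return 2
    for r in $required; do
        if [ "$r" != "$installed" ]; then
            echo "kernel ABI mismatch: installed=$installed required=$r" >&2
            return 1
        fi
    done
    return 0
}

# Sample input: the opkg error text quoted in the post above.
SAMPLE_OPKG_OUTPUT='Installing pbr-ipt (0.9.4-10) to root...
Collected errors:
 * pkg_hash_check_unresolved: cannot find dependency kernel (= 5.10.113-1-7d02f6b387e4ac9273545d8a6168f147) for kmod-ipt-ipset
 * pkg_hash_fetch_best_installation_candidate: Packages for kmod-ipt-ipset found, but incompatible with the architectures configured
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for pbr-ipt:
 * 	kernel (= 5.10.113-1-7d02f6b387e4ac9273545d8a6168f147)
 * opkg_install_cmd: Cannot install package pbr-ipt.'

# On a live router the installed string comes from:
#   opkg status kernel | sed -n 's/^Version: //p'
# The two literals below are assumed values for the demo.
if [ "${1:-}" = "--demo" ]; then
    kernel_dep_check "5.10.113-1-7d02f6b387e4ac9273545d8a6168f147" "$SAMPLE_OPKG_OUTPUT" \
        && echo "matching kernel: the kmod can be installed"
    kernel_dep_check "5.10.113-1-0123456789abcdef0123456789abcdef" "$SAMPLE_OPKG_OUTPUT" \
        || echo "custom build: do not force-install this kmod"
fi
```

Forcing the install with `--force-depends` is the wrong fix: the module would be built for a different kernel configuration and either refuse to load or load against mismatched structures. Either use the image's own kmod feed or rebuild the package against the kernel in use.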

Thanks, will muck with it.

Hey there!

Just tried migrating over to pbr while on OpenWrt 21.02.3 r16554-1d4dea6d4f and it seems I'm now unable to set up any gateway, while on vpn-pbr only the port forwarding did not work at all.

I get the following error message from the LuCI dashboard:

Failed to set up 'wan/pppoe-wan/REDACTED/fc00:1020:1c:a2fb::1/64
fe80::1/128 \033[0;32m[\xe2\x9c\x93]\033[0m'
Failed to set up 'wg0/10.0.5.1/fd2d:a278:3852::1/64'
Failed to set up 'Zerotier/ztrta4adry/192.168.191.51/REDACTED/88
fcc5:eaac:71ca:f555:e355::1/40
fe80::cc3c:16ff:fee2:5e0b/64'
Failed to set up 'wg_usa/10.66.174.68/fc00:bbbb:bbbb:bb01::3:ae43/128'
Failed to set up 'wg_uk/10.67.195.42/fc00:bbbb:bbbb:bb01::4:c329/128'
Failed to set up 'wg_spa/10.64.222.190/fc00:bbbb:bbbb:bb01::1:debd/128'
iptables -t mangle -A PBR_PREROUTING -g PBR_MARK0x040000 -s 192.168.1.0/24 -m multiport --sport 58861 -m multiport --dport 58861 -m comment --comment P2P

failed to set up any gateway!

Is there anything else I should try to get pbr up and running?

I'll attach the required config files below:

/etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option noresolv '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option logdhcp '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option dnsforwardmax '2300'
	option min_cache_ttl '270'
	list address '/router/192.168.1.1'
	list address '/status.client/192.168.1.1'
	option sequential_ip '1'
	option dnssec '1'
	option allservers '1'
	option confdir '/tmp/dnsmasq.d'
	option enable_tftp '1'
	option tftp_root '/usbstick/tftp'
	list doh_backup_server '127.0.0.1#1053'
	list doh_backup_server '::1#1053'
	option rebind_protection '0'
	option port '5353'
	option cachesize '5000'

config boot 'linux'
	option filename 'pxelinux.0'
	option serveraddress '192.168.1.1'
	option servername 'router'
	list dhcp_option '209,pxelinux.cfg/default'
	option force '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'
	list dns 'fd04:52a5:a38a:aa::1'
	list dhcp_option_force '114,http://status.client'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'OVERNET-ASUSWRT'
	option ip '192.168.1.2'
	option mac 'REDACTED'

config host
	option name 'UNDERNET-ASUSWRT'
	option ip '192.168.1.3'
	option mac 'REDACTED'

config host
	option name 'SteamLink'
	option ip '192.168.1.5'
	option mac 'REDACTED'

config host
	option name 'HomePrinter'
	option ip '192.168.1.6'
	option mac 'REDACTED'

config host
	option name 'SamsungLEDBedroom'
	option ip '192.168.1.7'
	option mac 'REDACTED'

config host
	option name 'BedroomTV'
	option ip '192.168.1.8'
	option mac 'REDACTED'

config host
	option name 'HabitaciondeCeliaTV'
	option ip '192.168.1.9'
	option mac 'REDACTED'

config host
	option name 'SaladeEstar'
	option ip '192.168.1.10'
	option mac 'REDACTED'

config host
	option name 'NSW-ETH'
	option ip '192.168.1.11'
	option mac 'REDACTED'

config host
	option name 'NSW-WiFi'
	option ip '192.168.1.12'
	option mac 'REDACTED'

config host
	option name 'MotoOneActiondeCelia'
	option ip '192.168.1.100'
	option mac 'REDACTED'

config host
	option name 'LIZ-PC'
	option ip '192.168.1.115'
	option mac 'REDACTED'

config host
	option mac 'REDACTED'
	option name 'Note10PlusdeLiz'
	option dns '1'
	option ip '192.168.1.110'
	option hostid '110'

config host
	option name 'ToastySport'
	option ip '192.168.1.211'
	option mac 'REDACTED'

config host
	option name 'TOASTYUFO-WiFi'
	option ip '192.168.1.250'
	option mac 'REDACTED'

config host
	option name 'TOASTYUFO-GbE'
	option ip '192.168.1.251'
	option mac 'REDACTED'

config host
	option name 'TOASTYTUF-UGREEN'
	option mac 'REDACTED'
	option ip '192.168.1.253'

config host
	option name 'HomePrinter'
	option duid 'REDACTED'
	option mac 'REDACTED'
	option hostid '6'

config host
	option name 'SaladeEstar'
	option duid 'REDACTED'
	option mac 'REDACTED'
	option hostid '10'

config host
	option name 'TOASTYTUF-GbE'
	option duid 'REDACTED'
	option mac 'REDACTED'
	option hostid '251'

config host
	option name 'ToastySport'
	option duid 'REDACTED'
	option mac 'REDACTED'
	option hostid '211'

config host
	option ip '192.168.1.116'
	option mac 'REDACTED'
	option name 'LIZ-PC-ETH'
	option dns '1'

config host
	option name 'TOASTYTUF-KILLER'
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.252'
	option duid 'REDACTED'

config host
	option name 'SaladeEstar'
	option duid 'REDACTED'
	option mac 'REDACTED'
	option hostid '10'

config host
	option name 'LIZ-PC'
	option duid 'REDACTED'
	option mac 'REDACTED'
	option hostid 'be2'

config host
	option name 'TOASTYTUF-UGREEN'
	option duid 'REDACTED'
	option mac 'REDACTED'

config host
	option name 'SaladeEstar'
	option duid 'REDACTED'

config host
	option name 'HomePrinter'
	option duid 'REDACTED'

config host
	option name 'StereoSaladeEstar'
	option ip '192.168.1.13'
	option mac 'REDACTED'

config host
	option name 'BedroomTVPlug'
	option ip '192.168.1.14'
	option mac 'REDACTED'

config host
	option name 'BedroomLamp'
	option ip '192.168.1.15'
	option mac 'REDACTED'

config host
	option name 'OfficeFan'
	option ip '192.168.1.16'
	option mac 'REDACTED'

config host
	option name 'ToastyUltra22'
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.210'
	option hostid '210'

/etc/config/firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan_6'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'vpnzone'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option masq6 '1'
	option masq6_privacy '1'
	option mtu_fix '1'
	list network 'wg_usa'
	list network 'wg_uk'
	list network 'wg_spa'

config forwarding
	option src 'lan'
	option dest 'vpnzone'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'
	option reload '1'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config rule
	option name 'AllowNGINXPMAdmin'
	option src_port '81'
	option dest 'lan'
	option dest_port '81'
	option target 'ACCEPT'
	option src 'lan'
	list dest_ip '172.18.0.2'

config redirect
	option target 'DNAT'
	option name 'RProxy-Admin'
	option src 'lan'
	option src_dport '81'
	option dest 'lan'
	option dest_port '81'
	option dest_ip '172.18.0.2'

config redirect
	option target 'DNAT'
	option name 'RProxy'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_port '80'
	option dest_ip '172.18.0.2'

config redirect
	option target 'DNAT'
	option name 'RProxy-SSL'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_port '443'
	option dest_ip '172.18.0.2'

config redirect 'adblock_wan853'
	option src 'wan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'
	option name 'AGH DNS over TLS'
	option dest 'lan'
	option dest_ip '192.168.1.1'

config redirect
	option target 'DNAT'
	option name 'AGH DNS over QUIC'
	option src 'wan'
	option src_dport '784'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '784'

config rule
	option name 'RClone-GUI'
	option src 'lan'
	option src_port '5572'
	option dest 'lan'
	option dest_port '5572'
	option target 'ACCEPT'
	list dest_ip '192.168.1.1'
	list dest_ip 'fd04:52a5:a38a::1'

config rule
	option name 'HomeAssistant'
	option src 'lan'
	option src_port '8123'
	option dest 'lan'
	option dest_port '8123'
	option target 'ACCEPT'
	list dest_ip '192.168.1.1'
	list dest_ip 'fd04:52a5:a38a::1'

config rule
	option name 'Allow-NFS-RPC'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '111'
	option target 'ACCEPT'

config rule
	option name 'Allow-NFS'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '2049'
	option target 'ACCEPT'

config rule
	option name 'Allow-NFS-Lock'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '32777:32780'
	option target 'ACCEPT'

config rule
	option name 'Tautulli'
	option src 'lan'
	option src_port '8181'
	option dest 'lan'
	list dest_ip '172.18.0.5'
	option dest_port '8181'
	option target 'ACCEPT'

config rule
	option name 'PiHole-Admin'
	option src_port '82'
	option dest 'lan'
	option dest_port '82'
	option target 'ACCEPT'
	option src 'lan'
	list dest_ip '192.168.1.1'
	list dest_ip 'fd04:52a5:a38a::1'

config nat
	option name 'PiHole-DNAT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	option src 'lan'
	option dest_ip '192.168.0.2'
	option dest_port '80'
	option target 'SNAT'
	option snat_ip '192.168.1.1'
	option snat_port '82'

config rule
	option name 'Transmission-GUI'
	option src 'lan'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '192.168.1.1'
	list dest_ip 'fd04:52a5:a38a::1'
	option src_port '9091'
	option dest_port '9091'

config rule
	option name 'NGINXPM-DB'
	option src 'lan'
	list src_ip '172.18.0.2'
	option src_port '3306'
	option dest 'lan'
	list dest_ip '172.18.0.3'
	option dest_port '3306'
	option target 'ACCEPT'

config rule
	option name 'Adguard-Admin'
	option src 'wan'
	option src_port '82'
	option dest 'lan'
	option dest_port '82'
	option target 'ACCEPT'
	list dest_ip '172.18.0.6'
	list dest_ip '2001:3984:3989::6'

config rule 'wg'
	option dest_port '51820'
	option target 'ACCEPT'
	option name 'Allow-WireGuard-lan'
	list proto 'tcp'
	list proto 'udp'
	option src 'wan'

config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow-ZeroTier-Inbound'
	list proto 'udp'
	option src 'wan'
	option dest_port '9993'
	option target 'ACCEPT'

config zone
	option name 'mesh'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'Zerotier'

config forwarding
	option src 'mesh'
	option dest 'lan'

config forwarding
	option src 'mesh'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'mesh'

config forwarding
	option src 'wan'
	option dest 'mesh'

config redirect 'adblock_docker53'
	option name 'Adblock DNS (docker, 53)'
	option src 'docker'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_docker853'
	option name 'Adblock DNS (docker, 853)'
	option src 'docker'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_docker5353'
	option name 'Adblock DNS (docker, 5353)'
	option src 'docker'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_lan853'
	option name 'Adblock DNS (lan, 853)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_lan5353'
	option name 'Adblock DNS (lan, 5353)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config redirect 'adblock_vpnzone53'
	option name 'Adblock DNS (vpnzone, 53)'
	option src 'vpnzone'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_vpnzone853'
	option name 'Adblock DNS (vpnzone, 853)'
	option src 'vpnzone'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_vpnzone5353'
	option name 'Adblock DNS (vpnzone, 5353)'
	option src 'vpnzone'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config redirect 'adblock_wan53'
	option name 'Adblock DNS (wan, 53)'
	option src 'wan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_wan5353'
	option name 'Adblock DNS (wan, 5353)'
	option src 'wan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Allow-P2P-USA'
	option src 'vpnzone'
	option src_dport '58861'

config include 'opennds'
	option type 'script'
	option path '/usr/lib/opennds/restart.sh'

config include 'pbr'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'
	option family 'any'
	option reload '1'

/etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd04:52a5:a38a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint 'AA'
	list ip6class 'local'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config interface 'wan'
	option proto 'pppoe'
	option device 'eth0'
	option username 'REDACTED'
	option password 'REDACTED'
	option ipv6 'auto'
	option hostname 'router'
	option force_link '1'
	option metric '1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port '51820'
	list addresses '10.0.5.1/24'
	list addresses 'fd2d:a278:3852::1/64'

config wireguard_wg0
	option public_key 'REDACTED'
	option description 'ToastyPen10+'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '10.0.5.2/32'
	list allowed_ips 'fd2d:a278:3852::2/64'
	option preshared_key 'REDACTED'

config wireguard_wg0
	option description 'ToastyUFO'
	option preshared_key 'REDACTED'
	list allowed_ips '10.0.5.3/32'
	list allowed_ips 'fd2d:a278:3852::3/64'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option public_key 'REDACTED'

config wireguard_wg0
	option description 'Moto One Action de Liz'
	option preshared_key 'REDACTED'
	list allowed_ips '10.0.5.4/32'
	list allowed_ips 'fd2d:a278:3852::4/64'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option public_key 'REDACTED'

config wireguard_wg0
	option description 'Liz-PC'
	option public_key 'REDACTED'
	option preshared_key 'REDACTED'
	list allowed_ips '10.0.5.5/32'
	list allowed_ips 'fd2d:a278:3852::5/64'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config wireguard_wg0
	option description 'Moto One Action de Celia'
	option preshared_key 'REDACTED'
	list allowed_ips '10.0.5.6/32'
	list allowed_ips 'fd2d:a278:3852::6/64'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option public_key 'REDACTED'

config interface 'Zerotier'
	option proto 'none'
	option device 'ztrta4adry'

config interface 'wg_usa'
	option proto 'wireguard'
	option private_key 'REDACTED'
	list addresses 'REDACTED'
	list addresses 'fc00:bbbb:bbbb:bb01::3:ae43/128'
	option peerdns '0'
	list dns '10.64.0.1'
	option metric '2'

config wireguard_wg_usa
	option description 'us240-wireguard'
	option public_key 'REDACTED'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host 'REDACTED'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config route6
	option target '::/0'
	option interface 'wg_usa'

config interface 'wg_uk'
	option proto 'wireguard'
	option private_key 'REDACTED'
	list addresses 'REDACTED'
	list addresses 'fc00:bbbb:bbbb:bb01::4:c329/128'
	option peerdns '0'
	list dns '10.64.0.1'
	option metric '3'

config wireguard_wg_uk
	option description 'gb15-wireguard'
	option public_key 'REDACTED'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host 'REDACTED'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config interface 'wg_spa'
	option proto 'wireguard'
	option private_key 'REDACTED'
	list addresses 'REDACTED/32'
	list addresses 'fc00:bbbb:bbbb:bb01::1:debd/128'
	option peerdns '0'
	list dns '10.64.0.1'
	option metric '4'

config wireguard_wg_spa
	option description 'es1-wireguard'
	option public_key 'REDACTED'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host 'REDACTED'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

/etc/config/pbr


config include
	option path '/usbstick/vpn-pbr/pbr.userfile.custom'
	option enabled '0'

config pbr 'config'
	option verbosity '2'
	option resolver_ipset 'dnsmasq.ipset'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_enable_column '1'
	option webui_protocol_column '1'
	option webui_chain_column '1'
	option webui_show_ignore_target '1'
	option strict_enforcement '1'
	option dest_ipset '1'
	option src_ipset '1'
	option ipv6_enabled '1'
	list supported_interface 'pppoe-wan'
	list supported_interface 'wg_usa'
	list supported_interface 'wg_uk'
	list supported_interface 'wg_spa'
	option enabled '1'

config policy
	option name 'P2P'
	option proto 'all'
	option interface 'wg_usa'
	option src_port '58861'
	option src_addr '192.168.1.0/24'
	option dest_port '58861'

config masqipset
	option src_addr '192.168.1.210/32 192.168.1.67/32'
	option interface 'wireguard_vpn_usa'
	option ipset_name 'disney'

config masqipset
	option src_addr '192.168.1.210/32 192.168.1.67/32'
	option interface 'wireguard_vpn_usa'
	option ipset_name 'netflix'

config asnipset
	option src_addr '192.168.1.210/32 192.168.1.67/32'
	option interface 'wireguard_vpn_usa'
	option ipset_name 'asnnetflix'

config asnipset
	option src_addr '192.168.1.210/32 192.168.1.67/32'
	option interface 'wireguard_vpn_usa'
	option ipset_name 'asndisney'

config policy
	option name 'VRV'
	option interface 'wg_usa'
	option dest_addr '65.9.148.84 65.9.148.128 65.9.148.62 65.9.148.37 65.9.148.101 65.9.148.122 65.9.148.121 65.9.148.28 65.9.148.10 65.9.148.117 65.9.148.121 65.9.148.110 65.9.150.59 99.86.100.73 99.86.100.97 99.86.100.50 99.86.100.20 13.249.48.71 13.249.48.89 13.249.48.23 13.249.48.29'
	option proto 'all'
	option src_addr '192.168.1.252'
	option enabled '0'

config policy
	option name 'Disney+'
	option dest_addr '54.218.188.255 34.218.145.143 54.71.61.241 13.248.150.189 76.223.18.1 139.104.192.37'
	option interface 'wg_usa'
	option proto 'all'
	option src_addr '192.168.1.0/24'
	option enabled '0'

config policy
	option name 'USATest'
	option enabled '0'
	option interface 'wan'
	option proto 'all'
	option src_addr '192.168.1.0/24'

config policy
	option name 'RTVE'
	option dest_addr '217.15.42.90 184.25.229.23 51.81.66.107 51.81.243.73 138.199.8.197 143.244.35.226 143.244.35.226 138.199.8.197 51.81.243.73 51.81.66.107 143.244.35.226 138.199.8.197 189.254.81.67 189.254.81.89  199.232.94.137'
	option interface 'wg_spa'
	option proto 'all'
	option src_addr '192.168.1.0/24'
	option enabled '0'

Output of /etc/init.d/pbr support (I think this one's broken, perhaps a carryover?)

/usbstick 83° /etc/init.d/pbr support
Syntax: /etc/init.d/pbr [command]

Available commands:
        start           Start the service
        stop            Stop the service
        restart         Restart the service
        reload          Reload configuration files (or restart if service does not implement reload)
        enable          Enable service autostart
        disable         Disable service autostart
        enabled         Check if service is started on boot
        netifd          Installs/uninstalls netifd support
        status          Generates output required to troubleshoot routing issues
                Use '-d' option for more detailed output
                Use '-p' option to automatically upload data under VPR paste.ee account
                        WARNING: while paste.ee uploads are unlisted, they are still publicly available
                List domain names after options to include their lookup in report
        version         Show version information
        reload_interface Reload specific interface only
        running         Check if service is running
        status          Service status
        trace           Start with syscall trace

Output of /etc/init.d/pbr reload with verbosity setting set to 2

/usbstick 76° /etc/init.d/pbr reload
Creating table 'wan/pppoe-wan/REDACTED/fc00:1020:1c:a2fb::1/64
fe80::1/128' [✗]
Creating table 'wg0/10.0.5.1/fd2d:a278:3852::1/64' [✗]
Creating table 'Zerotier/ztrta4adry/192.168.191.51/REDACTED/88
REDACTED/40
fe80::cc3c:16ff:fee2:5e0b/64' [✗]
Creating table 'wg_usa/REDACTED/REDACTED/128' [✗]
Creating table 'wg_uk/REDACTED/REDACTED/128' [✗]
Creating table 'wg_spa/REDACTED/REDACTED/128' [✗]
Routing 'P2P' via wg_usa [✗]
pbr 0.9.4-10 monitoring interfaces: wan wg0 Zerotier wg_usa wg_uk wg_spa
ERROR: Failed to set up 'wan/pppoe-wan/REDACTED/fc00:1020:1c:a2fb::1/64
fe80::1/128 [✓]'
ERROR: Failed to set up 'wg0/10.0.5.1/fd2d:a278:3852::1/64'
ERROR: Failed to set up 'Zerotier/ztrta4adry/REDACTED/REDACTED/88
REDACTED/40
REDACTED/64'
ERROR: Failed to set up 'wg_usa/REDACTED/fc00:bbbb:bbbb:bb01::3:ae43/128'
ERROR: Failed to set up 'wg_uk/REDACTED/fc00:bbbb:bbbb:bb01::4:c329/128'
ERROR: Failed to set up 'wg_spa/REDACTED/fc00:bbbb:bbbb:bb01::1:debd/128'
ERROR: iptables -t mangle -A PBR_PREROUTING -g PBR_MARK0x040000  -s 192.168.1.0/24 -m multiport  --sport 58861 -m multiport  --dport 58861 -m comment --comment P2P

ERROR: failed to set up any gateway!

If I need to provide any other detail, please don't hesitate to tell me so.

Thanks for the help!
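One thing that can be read directly off the failing rule quoted in the post (`iptables -t mangle -A PBR_PREROUTING ... -m multiport --sport 58861 -m multiport --dport 58861`): it carries port matches but no `-p`, because the `P2P` policy in /etc/config/pbr sets `option proto 'all'`. iptables rejects the `multiport` match without a transport protocol (`-p tcp`, `-p udp`, udplite, sctp or dccp), so that policy cannot be installed as written regardless of the gateway problem; whether the same root cause explains the failed `Creating table` lines is not established in the thread. The script below is an added example, not code from the thread or from the pbr project: it scans the `config policy` stanzas of a pbr config for the combination of a port match with a non-tcp/udp protocol. A policy without an explicit `proto` is left alone, since the package's default for an unset `proto` is not stated here. The sample config is constructed from the `P2P` policy above plus a corrected copy.

```sh
# Added example (not from the thread or the pbr project).
# Flag pbr policies that specify src_port/dest_port together with a protocol
# that iptables cannot port-match: the generated rule would use "-m multiport"
# without "-p tcp|udp" and iptables refuses to add it.
# Input: UCI config text on stdin (cat /etc/config/pbr, or uci export pbr).
# Output: one line per offending policy, empty output when everything is fine.
check_pbr_port_policies() {
    awk '
    function flush() {
        if (in_policy && proto != "" && (sp != "" || dp != "") && proto !~ /^(tcp|udp|tcp udp|udp tcp)$/)
            printf "%s: proto=%s src_port=%s dest_port=%s\n", name, proto, sp, dp
        in_policy = 0; name = ""; proto = ""; sp = ""; dp = ""
    }
    /^config / { flush(); in_policy = ($2 == "policy") }
    in_policy && $1 == "option" {
        key = $2; val = $3
        for (i = 4; i <= NF; i++) val = val " " $i
        gsub(/^'\''|'\''$/, "", val)
        if (key == "name") name = val
        else if (key == "proto") proto = val
        else if (key == "src_port") sp = val
        else if (key == "dest_port") dp = val
    }
    END { flush() }'
}

# Constructed sample: the P2P policy from the post, a corrected copy that
# restricts the policy to tcp/udp, and a policy without ports (never flagged).
SAMPLE_PBR_CONFIG="config pbr 'config'
	option enabled '1'

config policy
	option name 'P2P'
	option proto 'all'
	option interface 'wg_usa'
	option src_port '58861'
	option src_addr '192.168.1.0/24'
	option dest_port '58861'

config policy
	option name 'P2P-fixed'
	option proto 'tcp udp'
	option interface 'wg_usa'
	option src_port '58861'
	option src_addr '192.168.1.0/24'
	option dest_port '58861'

config policy
	option name 'VRV'
	option interface 'wg_usa'
	option proto 'all'
	option src_addr '192.168.1.252'
	option enabled '0'
"

# On a router: check_pbr_port_policies < /etc/config/pbr
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PBR_CONFIG" | check_pbr_port_policies
fi
```

Running the demo prints only `P2P: proto=all src_port=58861 dest_port=58861`; the corrected `P2P-fixed` stanza with `option proto 'tcp udp'` is the form that produces a rule iptables will accept.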

Hi there,
I'm a newbie in OpenWrt.
I installed vpn-policy-routing and luci-app-vpn-policy-routing on OpenWrt on a Raspberry Pi 4.
When I tried to add a policy in LuCI, I only got the VPN tunnel to select for the interface, which makes it impossible to set up flexible rules.
Any advice?
openwrt version:
ImmortalWrt 18.06-k5.4-SNAPSHOT r11981-b14737143f (2022-04-29) / LuCI openwrt-18.06-k5.4 branch (git-22.115.13609-67ed2ee)
Kernel Version: 5.4.162
Vpn client: Openvpn

You can find the official documentation here: https://docs.openwrt.melmac.net/vpn-policy-routing

Unfortunately it appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

Hi RuralRoots,
Thanks for the advice.
I have just installed the official version of OpenWrt from the URL you mentioned:
OpenWrt R22.5.5 / LuCI Master (git-22.121.65028-2a5da72)
But after I installed the vpn routing policy package and tried to add a policy, I still had only VPN tunnel to select for the interface.
I don't have too much configuration on the OpenWrt on the newly flashed Pi 4.
If you need any further detail , please let me know.
Thanks again.

Let’s start with your settings.

Also, in LuCI/VPN/VPN Policy Routing what do you show for Service Gateways active/checked?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

uci export dhcp
uci export network
uci export firewall
uci export vpn-policy-routing

Here is the output:
uci export dhcp

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '0'
        option port '53'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config srvhost
        option srv '_vlmcs._tcp'
        option target 'OpenWrt'
        option port '1688'
        option class '0'
        option weight '100'

uci export network

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd79:1931:6f09::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '8.8.8.8'
        option _orig_ifname 'eth0 wlan0'
        option _orig_bridge 'true'
        option ifname 'eth1'
        option ipaddr '192.168.40.1'
        option gateway '192.168.40.1'

config interface 'VPN'
        option proto 'none'
        option ifname 'tun0'
        option auto '1'

config interface 'WAN'
        option ifname 'eth0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'pppoe'
        option username 'hidden_username'
        option password 'hidden_password'
        option ipv6 'auto'
        option keepalive '0'

uci export firewall

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '0'
        option flow_offloading_hw '0'
        option fullcone '0'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 WAN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'mia'
        option type 'script'
        option path '/etc/mia.include'
        option reload '1'

config include 'shadowsocksr'
        option type 'script'
        option path '/var/etc/shadowsocksr.include'
        option reload '1'

config include 'unblockmusic'
        option type 'script'
        option path '/var/etc/unblockmusic.include'
        option reload '1'

config rule 'kms'
        option name 'kms'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1688'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'VPN'
        option family 'ipv4'
        option input 'REJECT'
        option name 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

uci export vpn-policy-routing

package vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_enable_column '0'
        option webui_protocol_column '0'
        option webui_chain_column '0'
        option webui_show_ignore_target '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

Change to option enabled '1' in /etc/config/vpn-policy-routing, then issue /etc/init.d/vpn-policy-routing restart.

/etc/init.d/vpn-policy-routing restart

Creating table 'VPN/tun0/10.8.8.14' [✓]
Creating table 'WAN/pppoe-WAN/100.64.0.1' [✓]
vpn-policy-routing 0.3.4-8 monitoring interfaces: VPN WAN [✓]
vpn-policy-routing 0.3.4-8 started with gateways:
VPN/tun0/10.8.8.14 [✓]
WAN/pppoe-WAN/100.64.0.1

OK, your default route sends everything to the VPN tunnel. You should be good to go setting up your policies.

Yes, the VPN client works, and vpn-policy-routing works with no errors.
The problem is that everything is routed to the VPN.
I need some devices to bypass the VPN and go to WAN, as in the examples in the documentation.

But I don't have any interface to choose except VPN when adding a policy.

https://forum.openwrt.org/uploads/default/original/3X/4/3/43eb056127e94d2ad2e2ad0d81c6bf7adbe86516.jpeg

In LuCI/VPN/VPN Policy Routing/Web UI Configuration enable Show Enabled Column - Save/Apply.

Add a policy for your device: select Enabled, add its IP, select Interface - WAN, then Save/Apply.

Now if you go to whatismyip.com you should see your wan ip.
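The CLI equivalent of the two steps above (set enabled '1', then add a bypass policy and restart), as an added example that is not from the thread. The policy name and the device IP 192.168.40.50 are constructed placeholders on the 192.168.40.0/24 LAN from the uci export; the option names are those of vpn-policy-routing's config policy sections.

```shell
#!/bin/sh
# Added example, not from the thread: enable vpn-policy-routing and add a
# policy that sends one LAN device out via WAN instead of the VPN tunnel.
# 192.168.40.50 and the policy name are constructed values.

# Build the uci batch for one policy. Section/option names (config policy,
# name, enabled, src_addr, interface) are those used by vpn-policy-routing 0.3.x.
render_policy_batch() {
    # $1 policy name, $2 source IP or CIDR, $3 interface (e.g. WAN), $4 enabled (0/1)
    cat <<EOF
set vpn-policy-routing.config.enabled='1'
add vpn-policy-routing policy
set vpn-policy-routing.@policy[-1].name='$1'
set vpn-policy-routing.@policy[-1].enabled='$4'
set vpn-policy-routing.@policy[-1].src_addr='$2'
set vpn-policy-routing.@policy[-1].interface='$3'
commit vpn-policy-routing
EOF
}

# On the router: feed the batch to uci, then restart the service so it
# rebuilds its iptables rules and the per-interface routing tables.
apply_bypass_policy() {
    render_policy_batch "$1" "$2" "$3" 1 | uci batch \
        && /etc/init.d/vpn-policy-routing restart
}

# Offline sanity check: a policy only works if its interface is one the
# service monitors (the restart output above lists "VPN WAN").
policy_interface_known() {
    # $1 interface to check, $2 space-separated monitored interface list
    for iface in $2; do
        [ "$iface" = "$1" ] && return 0
    done
    return 1
}

# Example use on a router (constructed device IP):
#   policy_interface_known WAN "VPN WAN" && apply_bypass_policy bypass-tv 192.168.40.50 WAN
```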

Hi there,
I'm using VPN PBR every day in non-stop mode and I noticed that from time to time it stops working... It's very annoying. I'm thinking of creating some script that monitors the PBR service and restarts it if something goes wrong. But maybe there are other ideas? How do I get to the root cause of this annoying issue?

Provide enough details other than "stops working", i.e. when, what exactly happens, observations, any messages/logs, and the vpn-policy-routing support details at the time of the failure. You can't create 'some' script to monitor something without knowing where to look.