VPN Policy-Based Routing + Web UI

Hello,

I have a problem. I have pbr v.1.1.1-7 installed on my router with OpenWrt 22.03.5.

My intention was to redirect all traffic to WAN, Wireguard wg1 or OperVPN tun0 depending on the Remote addresses / domains.

In particular only some domains shall be routed to wg1, some other to tun0, all the rest to WAN.

To be honest I tried with two wireguard VPN, but in that case I had 10.14.0.2/16 address for both and I thougt the problem was there, so I tried with wg1 and tun0 but I have the same unexpected behavior... it seems like sometime everything is routed on tun0, sometime everything seems to be routed to wan and there is a big mess...

Can someone hel me? Thanks in advance for any hint you could give me

I attach hereafter some config files:

/etc/config/dhcp

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'LGwebOSTV'
        option ip '192.168.3.174'
        option mac 'XX:XX:XX:XX:XX:XX'

/etc/config/firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'Wireguard'
        option src 'wan'
        option src_dport '51820'
        option dest_port '51820'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'AllowSSH'
        option src '*'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option name 'AllowRA'
        option src '*'
        option dest_port '80'
        option target 'ACCEPT'

config zone
        option name 'wireguard'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        list network 'wg0'

config forwarding
        option src 'wireguard'
        option dest 'lan'

config forwarding
        option src 'wireguard'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wireguard'

config redirect
        option name 'Allow-transparent-Squid'
        option proto 'tcp'
        option target 'DNAT'
        option src 'lan'
        option src_ip '!192.168.1.249'
        option src_dip '!192.168.1.249'
        option src_dport '80'
        option dest 'lan'
        option dest_ip '192.168.1.249'
        option dest_port '3128'
        option enabled '0'

config zone
        option name 'Surfshark'
        option output 'ACCEPT'
        option masq '1'
        option input 'REJECT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'lan'
        list network 'wg0'
        list network 'wg1'
        list network 'ov0'

config forwarding
        option src 'Surfshark'
        option dest 'lan'

config forwarding
        option src 'Surfshark'
        option dest 'wan'

config forwarding
        option src 'Surfshark'
        option dest 'wireguard'

config forwarding
        option src 'lan'
        option dest 'Surfshark'

config forwarding
        option src 'wan'
        option dest 'Surfshark'

config forwarding
        option src 'wireguard'
        option dest 'Surfshark'

config zone
        option name 'Nothing'
        option forward 'REJECT'
        option input 'REJECT'
        option output 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'lan'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'Nothing'

config forwarding
        option src 'wan'
        option dest 'Nothing'

/etc/config/pbr

root@OpenWrt:~# cat /etc/config/pbr

config pbr 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        option resolver_set 'dnsmasq.ipset'
        option enabled '1'
        option strict_enforcement '0'
        option rule_create_option 'insert'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'Youtube'
        option interface 'wg1'
        option src_addr '0.0.0.0/0'
        option dest_addr 'youtu.be youtube.com youtube.it youtu whatsmyip.org www.youtube.com googlevideo.com youtubei.googleapis.com ytimg.com suggestqueries.google.com youtube-nocookie.com ggpht.com ad.doubleclick.net '

config policy
        option src_addr '0.0.0.0/0'
        option name 'paramount'
        option dest_addr 'paramount paramountplus.com www.whatismyip.com'
        option interface 'ov0'

config policy
        option name 'AllWan'
        option interface 'wan'
        option src_addr '0.0.0.0/0'

and finally /etc/config/network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde1:c45a:db35::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.3.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 5 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 0'

config interface 'wg0'
        option proto 'wireguard'
        option force_link '1'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxx='
        option listen_port '51820'
        list addresses '10.0.0.1/32'
        option mtu '1350'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config wireguard_wg0
        option description 'Francesca'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxx='
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxx='
        list allowed_ips '10.0.0.7/32'
        option persistent_keepalive '25'
        option route_allowed_ips '1'

config interface 'wg1'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxx='
        option mtu '1350'
        option force_link '1'
        list dns 'XXX.XXX.XXX.XX'
        list dns 'XXX.XXX.XXX.XX'
        list addresses '10.14.0.2/16'

config wireguard_wg1
        option description 'Imported peer configuration'
        list allowed_ips '0.0.0.0/0'
        option public_key xxxxxxxxxxxxxxxxxxxxxxxxxxx=
        option endpoint_host 'al-tia.prod.surfshark.com'
        option endpoint_port '51820'
        option persistent_keepalive '25'

config interface 'ov0'
        option proto 'none'
        option device 'tun0'

Through a policy I route some websites on the VPN interface and rest on WAN. I noticed last time that when the router restarted it seems that the policy would not work right away unless I do stop/start pbr service again, but maybe that's just me.

You can drop a comment on the pbr package discussion thread about this though

Thanks a lot for your hint, but unfortunately this does not work for me.

I want to add something more. I have no problem when I only have two interfaces where to route traffic, for example WAN and wg1 (policies work in this case), but as soon as I add the third interface (wg2 or tun0) I have strange behavior in routing.

Hello, thanks to great support of @egc this has been fixed.

In order to debug better I upgraded to OpenWRT 23.05.5 which provides with PBR 1.1.6-22.

Later on, in order to streamline,ì, I upgrade to the latest PBR 1.1.8-r4, instructions:

Welcome to docs.openwrt.melmac.net!

Welcome to docs.openwrt.melmac.net!

stangri’s OpenWrt Packages Documentation.

By default, my OpenVPN config was routing all the traffic to VPN, in order to avoid this, in the OpenVPN config I added:

pull-filter ignore "redirect-gateway"

I attach hereafter some configuration that were used

/etc/config/firewall

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd03:5f62:e0bd::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '1.0.0.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg0'
	option proto 'wireguard'
	option force_link '1'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXX='
	option listen_port '51820'
	list addresses '10.0.0.1/32'
	option mtu '1350'
	list dns '9.9.9.9'
	list dns '1.0.0.1'

config wireguard_wg0
	option description 'Jolly'
	option public_key 'XXXXXXXXXXXXXXXXXXXXXXXX='
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXX='
	list allowed_ips '10.0.0.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config interface 'wg1'
	option proto 'wireguard'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXX='
	option mtu '1350'
	option force_link '1'
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	list addresses '10.14.0.2/16'

config wireguard_wg1
	option description 'Imported peer configuration'
	list allowed_ips '0.0.0.0/0'
	option public_key 'XXXXXXXXXXXXXXXXXXXXXXXX='
	option endpoint_host 'XXXXXXXXXXXXXXXXXXXXXXXX.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config interface 'ov0'
	option proto 'none'
	option device 'tun0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

cat /etc/config/firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'
	list network 'wg0'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wg1'
	list network 'ov0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

cat /etc/config/pbr

root@OpenWrt:~# cat /etc/config/pbr

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'dnsmasq.nftset'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '0'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr '192.168.1.5'
	option dest_dns '1.1.1.1'
	option enabled '0'

config policy
	option name 'Policy1'
	option interface 'wg1'
	option dest_addr 'url1.com url2.net url3.org'

config policy
	option name 'Policy2'
	option dest_addr 'url4.com url5.net url6.org'
	option interface 'ov0'

Important. At the beginning I had some issue as I used dest_addr like www.google.com (this is just an example), removing 'www.' fixed for me...

I hope this will help

Does anyone know if version 24.10.0-rc5, the pbr is having problems, because I can't connect to my vps in version 24.10.0-rc5 after I updated.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.