VPN Policy Routing for remote IP addresses not working

Hello,

I'm just beginning to use policy-based routing with the vpn-policy-routing package.
As a first step, the VPN is working. Bypassing clients in the local subnet is also working. Now I tried to set a bypass for Netflix clients in remote subnets, but was not successful.

My setup is Wireless Router (192.168.4.0) -> VPN Router (192.168.3.0) -> Internet Router (192.168.1.0)
I was able to successfully set a bypass for clients in the VPN router subnet 192.168.3.0, but I was not able to bypass clients of subnet 192.168.4.0. It seems to me as if they are all "masqueraded" as "192.168.3.1", which is the gateway to "192.168.4.1". Unfortunately my knowledge of networking is very limited, so I have no idea if I'm pointing in the right direction.

Please tell me if you need any further information. Here's the status from the vpn-policy-routing page.
I'm using the GUI.

Service Status [vpn-policy-routing 0.3.2-20]
Service Status
Running
Service Gateways
wan/eth0/192.168.1.1
vyprvpn/tun0/10.2.23.28 ✓

I would greatly appreciate your support

kind regards

Use ssh to connect to the device.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
uci export vpn-policy-routing

Thanks, trendy, for that superfast reply. Please keep in mind that I'm just learning about network configurations, so if you see any configuration that is nonsense or at least not best practice, don't hesitate to remark.

Here's the output:

{
	"kernel": "4.14.221",
	"hostname": "OpenWrt",
	"system": "AMD G-T40E Processor",
	"model": "PC Engines APU",
	"board_name": "pc-engines-apu",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.7",
		"revision": "r11306-c4a6851c72",
		"target": "x86/64",
		"description": "OpenWrt 19.07.7 r11306-c4a6851c72"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd16:abae:84eb::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth1'
	option delegate '0'

config interface 'wan'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option broadcast '192.168.1.255'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	list dns '192.168.2.1'

config interface 'vyprvpn'
	option ifname 'tun0'
	option proto 'none'

config route
	option target '192.168.2.0'
	option netmask '255.255.255.0'
	option interface 'wan'
	option gateway '192.168.1.1'

config route
	option target '192.168.178.0'
	option netmask '255.255.255.0'
	option interface 'wan'
	option gateway '192.168.178.10'
	option metric '0'

config route
	option gateway '192.168.1.2'
	option interface 'wan'
	option target '0.0.0.1'
	option netmask '0.0.0.0'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option network 'wan'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'vypr_fw'
	option input 'REJECT'
	option mtu_fix '1'
	option network 'vyprvpn'
	option masq '1'

config forwarding
	option dest 'vypr_fw'
	option src 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
package vpn-policy-routing

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	option resolver_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option interface 'wan'
	option name 'duden'
	option dest_addr 'duden.com'

config policy
	option interface 'wan'
	option name '4.1'
	option dest_addr '192.168.4.1/25'



This route is not necessary, you have default route on the wan interface.

This route is wrong, you cannot have the gateway part of the target.

This is wrong.

This is not correct. You can either use .4.1/32 for only one host, or .4.0/25 for the 126 hosts.
Other than that, there is no route for 192.168.4.0/24, so the router will use the default route over wan to reach it. Where is this .4.0 network?


Hello trendy,

Thanks a lot for your comments. I'm trying to understand them.

config route
	option gateway '192.168.1.2'
	option interface 'wan'
	option target '0.0.0.1'
	option netmask '0.0.0.0'

So please tell me, which is the correct definition of the default route to the wan then?
My understanding was that with that syntax everything except more detailed definitions is routed through port 192.168.1.2, which is connected to 192.168.1.1, which is connected to the internet...

Thanks!

Good evening,

I just realized that there might be some misunderstanding on my side concerning remote addresses/domains and local addresses/devices in policy-based VPN routing.
"Remote address" means "target address", correct?
So when the router is based in 192.168.3.0, this means I can only use clients from this subnet as policy routing sources? Does this mean that I can't use clients in subnet 192.168.4.0 as a source in policy-based routing to be routed through wan (instead of the VPN tunnel)?
Am I right? Hopefully my description was understandable :)

You have it already.

No, the options you used are wrong. The gateway should be 192.168.1.1, which is the next hop router. The target should be 0.0.0.0 for the whole internet. Netmask is correct for the whole internet.

Yes

You can define the source address as 192.168.4.0/24 and route it through the wan interface.
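To make the three corrections in this thread checkable, here is an added lint script (not from the thread, OpenWrt or the vpn-policy-routing package) that parses the posted routes and policy and reports the same problems: a target with host bits set, a gateway inside its own target or equal to the router's own address, and a policy address like 192.168.4.1/25. The sample snippet and the router's lan/wan addresses are copied from the config posted above.

```python
import ipaddress
# Constructed sample: the routes and the policy copied from the posted config.
UCI_SNIPPET = """config route
    option target '192.168.178.0'
    option netmask '255.255.255.0'
    option gateway '192.168.178.10'
config route
    option target '0.0.0.1'
    option netmask '0.0.0.0'
    option gateway '192.168.1.2'
config policy
    option dest_addr '192.168.4.1/25'
"""
OWN_ADDRS = {"192.168.3.1", "192.168.1.2"}  # this router's own lan/wan addresses

def parse_uci(text):
    """Tiny UCI reader: returns a list of (section type, {option: value})."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) >= 2 and parts[0] == "config":
            sections.append((parts[1], {}))
        elif len(parts) == 3 and parts[0] == "option" and sections:
            sections[-1][1][parts[1]] = parts[2].strip("'\"")
    return sections

def lint_route(opts):
    """Target must be a network address; gateway must be the next hop (outside the target, not our own IP)."""
    issues = []
    net = ipaddress.ip_network(f"{opts['target']}/{opts['netmask']}", strict=False)
    if opts["target"] != str(net.network_address):
        issues.append(f"target {opts['target']} is not a network address; use {net.network_address}")
    gw = ipaddress.ip_address(opts["gateway"])
    if net.prefixlen and gw in net:
        issues.append(f"gateway {gw} lies inside the target {net}")
    if str(gw) in OWN_ADDRS:
        issues.append(f"gateway {gw} is this router's own address, not the next hop")
    return issues

def lint_policy_addr(addr):
    """A policy address is one host (/32) or a prefix with the host bits clear."""
    host, net = addr.split("/")[0], ipaddress.ip_network(addr, strict=False)
    if host != str(net.network_address):
        return [f"{addr}: host bits set; use {host}/32 for one host or {net} for the subnet"]
    return []

def lint_config(text):
    """Issues per section index; an empty list means that section is fine."""
    return {i: lint_route(o) if k == "route" else lint_policy_addr(o["dest_addr"])
            for i, (k, o) in enumerate(parse_uci(text)) if k == "route" or "dest_addr" in o}
```

Running `lint_config(UCI_SNIPPET)` flags all three posted sections, while the corrected entries (target 0.0.0.0 via 192.168.1.1, and 192.168.4.0/24 or 192.168.4.1/32 as policy address) pass clean.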