VPN route policy not working



BusyBox v1.33.2 (2022-02-16 20:29:10 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02.2, r16495-bf0c965af0
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; uci export pbr; uci export vpn-policy-routing
{
        "kernel": "5.4.179",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 3G",
        "board_name": "xiaomi,mi-router-3g",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.2",
                "revision": "r16495-bf0c965af0",
                "target": "ramips/mt7621",
                "description": "OpenWrt 21.02.2 r16495-bf0c965af0"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd51:cb68:358c::/48'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option broadcast '1'
        option peerdns '0'
        list dns '10.2.0.1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'

config device
        option type '8021q'
        option ifname 'lan1'
        option vid '10'
        option name 'vlan10'

config device
        option type '8021q'
        option ifname 'lan2'
        option vid '20'
        option name 'vlan20'

config device
        option type 'bridge'
        option name 'br-all'
        list ports 'eth0'
        list ports 'lan1'
        list ports 'lan2'
        option bridge_empty '1'

config bridge-vlan
        option device 'br-all'
        option vlan '10'
        list ports 'eth0:t'
        list ports 'lan1:u*'

config bridge-vlan
        option device 'br-all'
        option vlan '20'
        list ports 'eth0:t'
        list ports 'lan2'

config interface 'Vlan10'
        option device 'br-all.10'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'Vlan20'
        option proto 'static'
        option device 'br-all.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wifi30tv'
        option proto 'static'
        option device 'br-wifi.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config device
        option type '8021q'
        option ifname 'wlan0'
        option vid '30'
        option name 'wifi30tv'

config device
        option type 'bridge'
        option name 'br-wifi'
        list ports 'eth0'
        list ports 'lan1'
        list ports 'lan2'
        option bridge_empty '1'

config bridge-vlan
        option device 'br-wifi'
        option vlan '30'
        list ports 'eth0:t'
        list ports 'lan2:u*'

config bridge-vlan
        option device 'br-wifi'
        option vlan '40'
        list ports 'eth0:t'
        list ports 'lan1:u*'

config bridge-vlan
        option device 'br-wifi'
        option vlan '50'
        list ports 'eth0:t'
        list ports 'lan2'

config device
        option type '8021q'
        option ifname 'wlan1'
        option vid '40'
        option name 'wifi40'

config interface 'WIFI405G'
        option proto 'static'
        option ipaddr '192.168.40.1'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option device 'br-wifi.40'

config device
        option type '8021q'
        option ifname 'wlan0'
        option vid '50'
        option name 'wifi50'

config interface 'wifiguest50'
        option proto 'static'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option netmask '255.255.255.0'
        option device 'br-wifi.50'
        option ipaddr '192.168.50.1'

config interface 'VPN'
        option proto 'wireguard'
        option private_key 'UKNX8zSEyjjmaE0ENMtLrLMT1NPJpytuzoe8jVibCFg='
        list addresses '10.2.0.2/32'
        option peerdns '0'
        list dns '10.2.0.1'
        option defaultroute '0'
        option auto '0'

config wireguard_VPN
        option public_key 'UZDH3oGQ0AwqAMjRAfTpeRfpgaDgl4YZwx8BpkbrFnU='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '37.120.236.3'
        option endpoint_port '51820'
        option persistent_keepalive '25'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Vlan10'
        option interface 'Vlan10'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'
        option dhcpv6 'server'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config dhcp 'Vlan20'
        option interface 'Vlan20'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'hybrid'
        list dns '2606:4700:4700::1001'
        list dns '2606:4700:4700::1111'
        list ra_flags 'none'

config dhcp 'wifi30tv'
        option interface 'wifi30tv'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'relay'
        list ra_flags 'none'

config dhcp 'WIFI405G'
        option interface 'WIFI405G'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'hybrid'
        list dns '2606:4700:4700::1001'
        list dns '2606:4700:4700::1111'
        list ra_flags 'none'

config dhcp 'wifiguest50'
        option interface 'wifiguest50'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'
        option dhcpv6 'hybrid'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Vlan10'
        list network 'Vlan20'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'VPN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
        option enabled '0'

config zone
        option name 'Guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wifiguest50'

config forwarding
        option src 'Guest'
        option dest 'wan'

config rule
        option src 'Guest'
        option target 'ACCEPT'
        option name 'Guest DNS and DHCP'
        option dest_port '53 67 68'

config zone
        option name 'WIFI'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'WIFI405G'
        list network 'wifi30tv'

config forwarding
        option src 'WIFI'
        option dest 'wan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
uci: Entry not found
package vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option enabled '1'
        option webui_chain_column '1'
        option webui_show_ignore_target '1'
        option ipv6_enabled '0'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

config policy
        option interface 'wan'
        option name 'VLAN10'
        option src_addr '192.168.10.1'
        option proto 'all'