VPN Policy-Based Routing + Web UI - ARCHIVE #1

I've published updated luci-app which should correctly find running dnsmasq on OpenWrt as well.

Why your LEDE flash didn't take -- I don't know. Maybe you tried flashing while keeping settings which resulted in a bootloop and your router booted into OpenWrt partition after 3 failed attempts to boot.

Yeah, I posted on that in the install LEDE forum. So I will follow up with that. I will update my luci-app for now.

Hey @stangri

just noticed something the other day and would like to report it; since we use the 'nopull' option to prevent openvpn from routing all traffic to the tunnel, I think this is also affecting the following use case:

I have transmission (a torrent client) installed and running on my router. I want its traffic to pass through one of the tunnels, but I think all traffic originating from the router itself is going through WAN (even though I added a rule in OPBR to forward traffic coming from a certain local port - the one I use for transmission - to go to tun0).

Any idea for an easy workaround?

Thanks!

Uhm, I'm not sure if mangle/PREROUTING (which this package is using) is the correct place to make changes for packets originating on the router, I'll need to read up on iptables for that.

Alright, I am officially on LEDE now. However, domain policies still do not seem to be working, and as far as I can tell, the port policy is not working. I opened up Local 2000-3000, and remote 1025-65535, hosted a game server that runs on 2302, and people were still trying to connect via my VPN IP it looks like. But, I still will investigate it more to verify.

However, when I set my FireTV with a policy of all traffic to WAN, that seems to work for it. So still some investigating I need to do on my side as well.

Here is a list of my stuff.

/etc/init.d/openvpn-policy-routing reload

root@LEDE:~# /etc/init.d/openvpn-policy-routing reload
creating table wan/eth1/71.231.52.1/wanroute [✓]
creating table wan6/eth1/fe80::e11:67ff:fe02:4822/wanroute6 [✗]
creating table PIA_VPN/tun0/10.42.10.5/tun0route [✓]
routing 'MyPC-WAN' 192.168.1.134 to ...:1025-65535 via wan [✓]
routing 'MyPC-ArmA' 192.168.1.134:2000-3000 to ... via wan [✓]
routing dnsmasq policies ✓
openvpn-policy-routing 4.1.4-22 started wan/71.231.52.1 PIA_VPN/10.42.10.5 ✓

openvpn-policy-routing support

root@LEDE:~# /etc/init.d/openvpn-policy-routing support
openvpn-policy-routing 4.1.4-22 running on LEDE 17.01.0. WAN (IPv4): wan/71.231.52.1. WAN (IPv6): wan6/fe80::e11:67ff:fe02:4822.

Dnsmasq version 2.76 Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify

Routes/IP Rules
default 10.42.10.5 128.0.0.0 UG 0 0 0 tun0
default 71.231.52.1 0.0.0.0 UG 0 0 0 eth1
32736: from all fwmark 0x30000 lookup 202
32737: from all fwmark 0x10000 lookup 200

IP Tables
OPR_CHAIN all -- anywhere anywhere [goto] mark match 0x0/0xff0000
-N OPR_CHAIN
-A OPR_CHAIN -s 192.168.1.134/32 -p tcp -m multiport --sports 2000:3000 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -s 192.168.1.134/32 -p tcp -m multiport --dports 1025:65535 -c 1160 147540 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set wanroute dst -c 51 23042 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000

IPv6 Tables
OPR_CHAIN all anywhere anywhere [goto] mark match 0x0/0xff0000
-N OPR_CHAIN
-A OPR_CHAIN -m set --match-set wanroute6 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000

Domain-based routing settings
dnsmasq.cfg02411c.ipset: /netflix.com/hulu.com/wanroute

Current ipsets
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
add wanroute 52.43.64.203
add wanroute 52.11.132.127
add wanroute 52.10.25.167
add wanroute 54.201.231.31
add wanroute 52.34.71.54
add wanroute 52.35.234.71
add wanroute 52.32.93.149
add wanroute 52.35.172.200
add wanroute 52.42.223.227
add wanroute 54.191.187.141
add wanroute 54.68.78.109
add wanroute 52.34.49.163
add wanroute 54.213.195.67
add wanroute 52.27.150.17
add wanroute 52.43.203.6
add wanroute 52.32.130.253
add wanroute 52.89.33.48
add wanroute 54.68.31.82
add wanroute 50.112.221.133
add wanroute 52.10.220.231
add wanroute 54.69.239.253
add wanroute 52.10.238.187
add wanroute 52.34.255.169
add wanroute 54.69.16.110
add wanroute 54.149.149.157
add wanroute 54.213.227.62
add wanroute 52.42.124.137
add wanroute 52.10.226.52
add wanroute 52.43.102.20
add wanroute 52.34.65.102
add wanroute 52.88.3.121
add wanroute 52.10.229.2
add wanroute 52.10.243.169
add wanroute 54.187.175.252
add wanroute 52.42.117.224
add wanroute 54.69.13.149
add wanroute 52.11.166.44
add wanroute 52.35.138.233
add wanroute 50.112.169.77
add wanroute 52.34.132.5
add wanroute 52.10.229.23
add wanroute 52.35.239.177
add wanroute 52.89.249.229
add wanroute 54.186.37.251
add wanroute 52.35.196.54
add wanroute 52.34.211.134
add wanroute 52.11.133.199
add wanroute 54.149.33.72
add wanroute 54.69.252.7
add wanroute 52.24.187.172
add wanroute 54.68.184.37
add wanroute 50.112.153.70
add wanroute 52.40.67.30
add wanroute 52.34.230.83
add wanroute 54.244.27.67
add wanroute 54.213.181.54
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
create wanroute6 hash:ip family inet6 hashsize 1024 maxelem 65536
create wanlist list:set size 8
add wanlist wanroute
add wanlist wanroute6
create tun0list list:set size 8
add tun0list tun0route

DHCP config

root@LEDE:~# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
list ipset '/netflix.com/hulu.com/wanroute'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'

My config file itself

config openvpn-policy-routing 'config'
        option strict_enforcement '1'
        option verbosity '2'
        option enabled '1'

config policy
        option gateway 'wan'
        option comment 'MyPC-WAN'
        option local_addrs '192.168.1.134'
        option remote_ports '1025-65535'

config policy
        option gateway 'wan'
        option comment 'MyPC-ArmA'
        option local_addrs '192.168.1.134'
        option local_ports '2000-3000'

And, in case it helps, my OpenVPN config

config openvpn 'piaUS'
                option dev 'tun'
                option nobind '1'
                option verb '3'
                option fast_io '1'
                option persist_tun '1'
                option persist_key '1'
                option client '1'
                option proto 'udp'
                option tls_client '1'
                option remote_cert_tls 'server'
                option cipher 'aes-256-cbc'
                option auth 'sha256'
                option ca 'ca.rsa.4096.crt'
                option keepalive '10 120'
                list remote 'us-siliconvalley.privateinternetaccess.com'
                option comp_lzo 'adaptive'
                option auth_user_pass ''
                option resolv_retry 'infinite'
                option reneg_sec '0'
                option disable_occ '1'
                option enabled '1'
                option crl_verify 'crl.rsa.4096.pem'
                option port '1197'

There's no fixed assignment of the IP to your PC in the dhcp config. Are you sure it has the IP address indicated in the policy?

I have that IP assigned static on the host. Do I also need to do DHCP reservation for the mac address of the host for it to work?

Thanks. Let me know if you need any help testing this if you decide to implement it!

Not necessarily, but if you're using a static IP assignment from your normal DHCP range there might be collisions. I don't know if dnsmasq can see a static IP on the network (from DNS requests) and then exclude it from automatic assignments.

I won't have an opportunity to look at the code or research the "on router" packet management for a few days/week.

So I should attempt to set my IP to a static not within the auto assign range? Should I do it via reservations or just through windows itself?

I do IP-by-mac assignments on my router and I think it's a neater way. That shouldn't really affect this package operation tho.

@stangri About connbytes, firstly, I found it difficult to write rules for iptables, and secondly, I read this discussion which confirmed that it's not possible. I should have known that it's not possible to switch gateway when traffic is incoming.

Thanks for this amazing package. I have been looking for a solution for a very long time. : )

Hey @stangri! Any plans for implementing routing for packets originating from the router?

Might take me a few weeks to find time to research. I also need to error-proof the code as well, I'll let you know.
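The two questions above about traffic that the router itself generates (the transmission case earlier in the thread, and this follow-up) come down to where the marking happens: mangle/PREROUTING, which the package uses, only sees packets arriving on an interface, while packets created by a process on the router enter netfilter at mangle/OUTPUT. The script below is an added example of mine, not code from openvpn-policy-routing or from anyone in this thread. It assumes transmission's peer port is 51413, that the tunnel is tun0, and that its mark and table are 0x30000 and 202 as in the 'support' output above (so the existing `ip rule` "from all fwmark 0x30000 lookup 202" does the table selection); the chain name OPR_LOCAL and the user name `transmission` are placeholders.

```shell
#!/bin/sh
# Added example, not part of openvpn-policy-routing or this thread.
# Steer traffic generated by the router itself (e.g. transmission) into a tunnel.
#
# The package marks in mangle/PREROUTING, which only sees packets that arrive on
# an interface. Locally generated packets first appear in mangle/OUTPUT, so the
# mark has to be set there; the existing "fwmark 0x30000 lookup 202" rule then
# picks the tunnel's routing table.
#
# Assumptions (not from the thread): peer port 51413, tunnel tun0, mark 0x30000,
# chain name OPR_LOCAL and user name 'transmission' are placeholders.

TUN_IF="${TUN_IF:-tun0}"
TUN_MARK="${TUN_MARK:-0x30000}"
LOCAL_PORT="${LOCAL_PORT:-51413}"
CHAIN="${CHAIN:-OPR_LOCAL}"

# Emit the rules as text so they can be reviewed (and tested) without root.
# - the "--mark 0x0/0xff0000" guard mirrors the package's own OPR_CHAIN jump
#   and leaves packets alone that another policy already marked;
# - both tcp and udp are covered: the OPR_CHAIN rules in the support dump
#   above match "-p tcp" only, so UDP on a policy port is never marked by them;
# - MASQUERADE on the tunnel is required because a local socket picks its
#   source address before the OUTPUT hook re-routes the packet; without it the
#   packets leave tun0 still carrying the WAN address and replies never return.
local_rules() {
    cat <<EOF
iptables -t mangle -N $CHAIN
iptables -t mangle -A OUTPUT -m mark --mark 0x0/0xff0000 -j $CHAIN
iptables -t mangle -A $CHAIN -p tcp --sport $LOCAL_PORT -j MARK --set-xmark $TUN_MARK/0xff0000
iptables -t mangle -A $CHAIN -p udp --sport $LOCAL_PORT -j MARK --set-xmark $TUN_MARK/0xff0000
iptables -t nat -A POSTROUTING -o $TUN_IF -j MASQUERADE
EOF
}

# Alternative selector: match by the owning user instead of the port. The owner
# match only exists in OUTPUT/POSTROUTING, which is exactly where router-local
# traffic is seen. The user name is an assumption.
owner_rule() {
    echo "iptables -t mangle -A $CHAIN -m owner --uid-owner ${1:-transmission} -j MARK --set-xmark $TUN_MARK/0xff0000"
}

# Checks a practitioner would run afterwards: rule counters, which table a
# marked packet resolves to (198.51.100.1 is an arbitrary example address),
# the conntrack entries for the port, and the reverse-path filter on the tunnel.
verify_cmds() {
    cat <<EOF
iptables -t mangle -L $CHAIN -v -n -x
ip route get 198.51.100.1 mark $TUN_MARK
conntrack -L -p tcp --orig-port-src $LOCAL_PORT
cat /proc/sys/net/ipv4/conf/$TUN_IF/rp_filter
EOF
}

case "${1:-print}" in
    apply)  local_rules | sh -e ;;   # needs root on the router
    verify) verify_cmds ;;
    *)      local_rules ;;           # default: just print the rules
esac
```

Run it without arguments to review the rules, `apply` to install them, and `verify` to print the checks. Two things to watch: the rules are not persistent across a reboot or a firewall reload (hook them into /etc/firewall.user or the package's own reload if you keep them), and if replies arrive on tun0 but are discarded, a strict reverse-path filter on the tunnel (value 1 in /proc/sys/net/ipv4/conf/tun0/rp_filter) is the usual cause; with a route_nopull setup the main table points the other way, so set it to 2 (loose).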

Made a small change to the luci app logic. On top of the other checks for dnsmasq (if it's active and running) -- it now checks if the dnsmasq supports ipset as well.

If everything is kosher with dnsmasq -- luci app allows you to edit ipset in the /etc/config/dhcp file. Otherwise you're editing ipset in the /etc/config/openvpn-policy-routing file.

So I'm copying my question from the vpn bypass thread over here:

I am wondering how the DNS server is managed. Right now I've got a script which is run after a successful OpenVPN connect to put the VPN DNS server into the resolv.conf.auto. (Because it is not done automatically by the OpenVPN client.)
If I were now to try multiple vpn tunnels (or just a rule for lan->wan, bypassing the vpn altogether) using policy routing I don't understand how these different dns servers would be managed using the resolv.conf.auto. Would anyone be able to shed some light into this?

So as far as the domain-based rules in OPR are concerned -- the domain-based rules turn into the IP addresses in the ipset. If you use dnsmasq then it inserts the IP addresses into the ipset upon request or when it's idle. If you use internally-managed domain policies (if your dnsmasq doesn't support ipset or if dnsmasq isn't running) the domain names are resolved and their IP addresses are added to the ipset when you start the service which can take some time.

After re-reading your question I see that it is more about how dnsmasq handles the config files. I'm sorry I recommended you ask this question in the OPR thread, it's probably more of a generic dnsmasq question.

I'm guessing that the manual manipulation of the resolve.conf file is to force dnsmasq to use the DNS server of your OpenVPN provider (to prevent DNS leaks). Again, I'm guessing you can have a script work for just a single tunnel and force dnsmasq to use DNS servers of that specific provider.

Another option would be to use dnscrypt to prevent dns leaks.

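The answer above explains that a domain policy ends up as an `ipset=/domain/set` line for dnsmasq, which fills the set with the addresses it resolves. Policy routing itself never chooses a DNS server; the closest thing to "a different DNS server per policy" is dnsmasq's own per-domain upstream, `server=/domain/ip`, set next to the ipset line for the same domains. The script below is an added example of mine, not code from the package or from this thread's participants. It assumes the VPN's DNS server is 10.42.10.1 and the WAN interface is eth1 (as in the 'support' output); the domains and set name are taken from the dhcp config above as placeholders.

```shell
#!/bin/sh
# Added example, not part of openvpn-policy-routing or this thread.
# Give dnsmasq a per-domain upstream so the names matched by a domain policy
# are resolved by the matching VPN provider's DNS server.
#
# Assumptions (not from the thread): VPN DNS 10.42.10.1, WAN interface eth1,
# domains and ipset name copied from the dhcp config above as placeholders.

VPN_DNS="${VPN_DNS:-10.42.10.1}"
WAN_IF="${WAN_IF:-eth1}"
DOMAINS="${DOMAINS:-netflix.com hulu.com}"
IPSET="${IPSET:-wanroute}"

# Build dnsmasq's "/d1/d2/" domain prefix from the space-separated list.
domain_prefix() {
    pfx=""
    for d in $DOMAINS; do pfx="$pfx/$d"; done
    echo "$pfx/"
}

# uci commands for /etc/config/dhcp: 'server' becomes server=/domains/ip
# (per-domain upstream), 'ipset' is the ipset=/domains/set line a domain
# policy already relies on. Printed rather than executed so they can be reviewed.
uci_cmds() {
    pfx=$(domain_prefix)
    cat <<EOF
uci add_list dhcp.@dnsmasq[0].server='$pfx$VPN_DNS'
uci add_list dhcp.@dnsmasq[0].ipset='$pfx$IPSET'
uci commit dhcp
/etc/init.d/dnsmasq restart
EOF
}

# The lines dnsmasq ends up with in its generated configuration.
dnsmasq_lines() {
    pfx=$(domain_prefix)
    printf 'server=%s%s\nipset=%s%s\n' "$pfx" "$VPN_DNS" "$pfx" "$IPSET"
}

# Checks: resolve through dnsmasq, confirm the set was filled, and watch the
# WAN interface for DNS traffic that should not be there (leak check).
check_cmds() {
    cat <<EOF
nslookup ${DOMAINS%% *} 127.0.0.1
ipset list $IPSET
tcpdump -ni $WAN_IF udp port 53
EOF
}

case "${1:-print}" in
    lines) dnsmasq_lines ;;
    check) check_cmds ;;
    *)     uci_cmds ;;        # default: print the uci commands
esac
```

One caveat that follows from the earlier discussion in this thread: the query dnsmasq forwards to 10.42.10.1 is traffic originating on the router, so it follows the router's own routing table, not the client policies. If that DNS address is only reachable inside the tunnel, make sure the tunnel actually carries it (a pushed route, or a route for that address via tun0) before trusting the `tcpdump` check.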

Would that hide the original (source) IP, just as well as the dns requests themselves?

You're correct, I'm using that script to use the DNS server of my VPN provider to avoid DNS leaks.
Now, using routing-policy, I could establish several connections to my VPN provider and use, for example, a connection to a US server to specifically route netflix/youtube traffic via that connection (to avoid geoblocking).

Now what I don't understand is whether the traffic routed via that connection (using policy-routing) would also use the DNS server from that VPN connection. To put my question into clearer words: where does policy-routing get the DNS servers from? Can it use different DNS servers for different routing policies?