I've published updated luci-app which should correctly find running dnsmasq on OpenWrt as well.
Why your LEDE flash didn't take -- I don't know. Maybe you tried flashing while keeping settings which resulted in a bootloop and your router booted into OpenWrt partition after 3 failed attempts to boot.
Just noticed something the other day and would like to report it; since we use the 'nopull' option to prevent openvpn from routing all traffic to the tunnel, I think this is also affecting the following use case:
I have transmission (a torrent client) installed and running on my router. I want its traffic to pass through one of the tunnels, but I think all traffic originating from the router itself is going through WAN (even though I added a rule in OPBR to forward traffic coming from a certain local port - the one I use for transmission - to go to tun0).
Uhm, I'm not sure if mangle/PREROUTING (which this package is using) is the correct place to make changes for packets originating on the router; I'll need to read up on iptables for that.
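As an added example (not code from openvpn-policy-routing or its author), the script below shows where a fwmark for router-originated traffic has to be set. A packet generated by a process on the router never passes mangle/PREROUTING; its first mangle hook is OUTPUT, so that is the chain the transmission case above needs. The peer port 51413, the user name `transmission`, and the mark/table pair 0x30000/202 are assumptions (the latter two are taken from the `fwmark 0x30000 lookup 202` rule and the tun0route MARK rule posted later in this thread); `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of openvpn-policy-routing: mark traffic that the
# router itself originates so it follows a policy-routing table.
# Locally generated packets skip mangle/PREROUTING entirely; OUTPUT is the
# first mangle hook they hit, and a mark set there triggers a re-route.
# Assumptions (constructed): transmission's peer port is 51413, it runs as
# user "transmission", the VPN table is 202 with fwmark 0x30000 (matching
# the "fwmark 0x30000 lookup 202" rule quoted later in the thread).

PEER_PORT="${PEER_PORT:-51413}"
TR_USER="${TR_USER:-transmission}"
VPN_MARK="${VPN_MARK:-0x30000}"
MARK_MASK="${MARK_MASK:-0xff0000}"
VPN_IFACE="${VPN_IFACE:-tun0}"

# run: execute the command, or only print it when DRY_RUN=1 so the script
# can be read and checked on a host without iptables.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# local_mark_rules: mangle OUTPUT rules for the router-local torrent client.
# --sport covers connections that peers open to us (we answer from PEER_PORT);
# outbound peer connections use ephemeral source ports, so the owner match
# on the client's UID catches those.
local_mark_rules() {
    for proto in tcp udp; do
        run iptables -t mangle -A OUTPUT -p "$proto" --sport "$PEER_PORT" \
            -j MARK --set-xmark "$VPN_MARK/$MARK_MASK"
    done
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$TR_USER" \
        -j MARK --set-xmark "$VPN_MARK/$MARK_MASK"
}

# masquerade_rule: a locally originated packet chooses its source address
# from the main table (the WAN address) before the OUTPUT mark re-routes it
# to the tunnel, so it must be SNATed to the tunnel address or the far end
# will not answer. Skip this if the firewall already masquerades the VPN zone.
masquerade_rule() {
    run iptables -t nat -A POSTROUTING -o "$VPN_IFACE" -m mark \
        --mark "$VPN_MARK/$MARK_MASK" -j MASQUERADE
}

apply_all() {
    local_mark_rules
    masquerade_rule
}

# Usage: DRY_RUN=1 sh local-mark.sh (print only) or sh local-mark.sh (apply).
if [ "${DRY_RUN:-0}" = "1" ]; then
    apply_all
fi
```

The `ip rule ... fwmark 0x30000 lookup 202` entry the package already installs is what makes the marked packets consult the tunnel table; without the masquerade (or binding the client to the tunnel address) the packets would leave tun0 carrying the WAN source address, which is an easy thing to miss when checking whether the traffic "really" goes through the VPN.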
Alright, I am officially on LEDE now. However, domain policies still do not seem to be working, and as far as I can tell, the port policy is not working. I opened up Local 2000-3000, and remote 1025-65535, hosted a game server that runs on 2302, and people were still trying to connect via my VPN IP it looks like. But, I still will investigate it more to verify.
However, when I set my FireTV with a policy of all traffic to WAN, that seems to work for it. So still some investigating I need to do on my side as well.
Here is a list of my stuff.
/etc/init.d/openvpn-policy-routing reload
root@LEDE:~# /etc/init.d/openvpn-policy-routing reload
creating table wan/eth1/71.231.52.1/wanroute [✓]
creating table wan6/eth1/fe80::e11:67ff:fe02:4822/wanroute6 [✗]
creating table PIA_VPN/tun0/10.42.10.5/tun0route [✓]
routing 'MyPC-WAN' 192.168.1.134 to ...:1025-65535 via wan [✓]
routing 'MyPC-ArmA' 192.168.1.134:2000-3000 to ... via wan [✓]
routing dnsmasq policies ✓
openvpn-policy-routing 4.1.4-22 started wan/71.231.52.1 PIA_VPN/10.42.10.5 ✓
openvpn-policy-routing support
root@LEDE:~# /etc/init.d/openvpn-policy-routing support
openvpn-policy-routing 4.1.4-22 running on LEDE 17.01.0. WAN (IPv4): wan/71.231.52.1. WAN (IPv6): wan6/fe80::e11:67ff:fe02:4822.
Dnsmasq version 2.76 Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
Routes/IP Rules
default 10.42.10.5 128.0.0.0 UG 0 0 0 tun0
default 71.231.52.1 0.0.0.0 UG 0 0 0 eth1
32736: from all fwmark 0x30000 lookup 202
32737: from all fwmark 0x10000 lookup 200
IP Tables
OPR_CHAIN all -- anywhere anywhere [goto] mark match 0x0/0xff0000
-N OPR_CHAIN
-A OPR_CHAIN -s 192.168.1.134/32 -p tcp -m multiport --sports 2000:3000 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -s 192.168.1.134/32 -p tcp -m multiport --dports 1025:65535 -c 1160 147540 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set wanroute dst -c 51 23042 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
IPv6 Tables
OPR_CHAIN all anywhere anywhere [goto] mark match 0x0/0xff0000
-N OPR_CHAIN
-A OPR_CHAIN -m set --match-set wanroute6 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
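One check that is useful when reading the support output above: every mark that a MARK rule sets should have a corresponding `ip rule ... fwmark ... lookup` entry, otherwise the marked traffic silently falls back to the main table. The script below is an added example (not part of openvpn-policy-routing) that cross-references the two; its input is constructed from the IP rules and OPR_CHAIN lines quoted in the post above, where the wanroute6 rule sets 0x20000 but no `fwmark 0x20000` rule is listed, which is what the script reports.

```shell
#!/bin/sh
# Added example, not openvpn-policy-routing's own code: find marks that are
# set by MARK rules but never consulted by an "ip rule" fwmark entry.
# Input is constructed from the support output quoted in the post above.

IP_RULES='32736: from all fwmark 0x30000 lookup 202
32737: from all fwmark 0x10000 lookup 200'

MARK_RULES='-A OPR_CHAIN -s 192.168.1.134/32 -p tcp -m multiport --sports 2000:3000 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -s 192.168.1.134/32 -p tcp -m multiport --dports 1025:65535 -c 1160 147540 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set wanroute dst -c 51 23042 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A OPR_CHAIN -m set --match-set wanroute6 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000'

# marks_set: unique mark values (the part before "/") from --set-xmark rules.
marks_set() {
    printf '%s\n' "$MARK_RULES" \
        | sed -n 's/.*--set-xmark \(0x[0-9a-fA-F]*\)\/.*/\1/p' | sort -u
}

# marks_ruled: unique fwmark values that have an "ip rule" lookup entry
# (the optional "/mask" after the mark is tolerated).
marks_ruled() {
    printf '%s\n' "$IP_RULES" \
        | sed -n 's/.*fwmark \(0x[0-9a-fA-F]*\)[^ ]* lookup.*/\1/p' | sort -u
}

# missing_marks: marks that are set but routed by no rule, one per line.
missing_marks() {
    for m in $(marks_set); do
        if ! marks_ruled | grep -qx "$m"; then
            printf '%s\n' "$m"
        fi
    done
}

# On a live router replace the constructed input with:
#   IP_RULES="$(ip rule; ip -6 rule)"
#   MARK_RULES="$(iptables -t mangle -S OPR_CHAIN; ip6tables -t mangle -S OPR_CHAIN)"
missing_marks
```

On the page's data this prints `0x20000`, which lines up with the `creating table wan6/... [✗]` line in the reload output: the IPv6 WAN table was never created, so IPv6 traffic matching wanroute6 gets marked and then routed by the main table anyway.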
Not necessarily but if you're using a static IP assignment from your normal dhcp range there might be collisions. I don't know if dnsmasq can see a static IP on the network (from dns requests) and then exclude it from automatic assignments.
I won't have an opportunity to look at the code or research the "on router" packet management for a few days/week.
@stangri About connbytes, firstly, I found it difficult to write rules for iptables, and secondly, I read this discussion which confirmed that it's not possible. I should have known that it's not possible to switch gateway when traffic is incoming.
Thanks for this amazing package. I have been looking for a solution for a very long time. : )
Made a small change to the luci app logic. On top of the other checks for dnsmasq (if it's active and running) -- it now checks if the dnsmasq supports ipset as well.
If everything is kosher with dnsmasq -- luci app allows you to edit ipset in the /etc/config/dhcp file. Otherwise you're editing ipset in the /etc/config/openvpn-policy-routing file.
So I'm copying my question from the vpn bypass thread over here:
I am wondering how the dns server is managed. Right now I've got a script which is run after successful OpenVPN connect to put the VPN dns server into the resolv.conf.auto. (Because it is not done automatically by the OpenVPN client.)
If I were now to try multiple vpn tunnels (or just a rule for lan->wan, bypassing the vpn altogether) using policy routing I don't understand how these different dns servers would be managed using the resolv.conf.auto. Would anyone be able to shed some light into this?
So as far as the domain-based rules in OPR are concerned -- the domain-based rules turn into the IP addresses in the ipset. If you use dnsmasq then it inserts the IP addresses into the ipset upon request or when it's idle. If you use internally-managed domain policies (if your dnsmasq doesn't support ipset or if dnsmasq isn't running) the domain names are resolved and their IP addresses are added to the ipset when you start the service which can take some time.
After re-reading your question I see that it is more about how dnsmasq handles the config files. I'm sorry I recommended you ask this question in the OPR thread, it's probably more of a generic dnsmasq question.
I'm guessing that the manual manipulation of the resolv.conf file is to force dnsmasq to use the DNS server of your OpenVPN provider (to prevent DNS leaks). Again, I'm guessing you can have a script work for just a single tunnel and force dnsmasq to use DNS servers of that specific provider.
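The two ways a domain policy becomes ipset entries, as described in the post above, side by side as an added example (not the package's own code). The domain list, the set name and the addresses returned by `resolve_a` are all constructed for the example; on a real router the dnsmasq line goes into its configuration and the fallback would call an actual resolver.

```shell
#!/bin/sh
# Added example, not openvpn-policy-routing's own code: how a domain policy
# turns into IP addresses in an ipset, the dnsmasq way and the fallback way.
# Constructed sample policy: send these domains through the tun0route set
# (the set that the "--match-set tun0route dst" MARK rule acts on).
DOMAINS="netflix.com youtube.com"
SET_NAME="tun0route"

# dnsmasq_ipset_line: with dnsmasq built with ipset support, a single
# "ipset=/dom1/dom2/setname" directive makes dnsmasq add every address it
# resolves for those domains (and their subdomains) to the set, on demand.
dnsmasq_ipset_line() {
    line="ipset="
    for d in $DOMAINS; do
        line="$line/$d"
    done
    printf '%s/%s\n' "$line" "$SET_NAME"
}

# resolve_a: stand-in for a resolver call (e.g. nslookup) so the script runs
# offline; the addresses are fabricated documentation-range values.
resolve_a() {
    case "$1" in
        netflix.com) printf '%s\n' "198.51.100.10 198.51.100.11" ;;
        youtube.com) printf '%s\n' "203.0.113.5" ;;
        *) return 1 ;;
    esac
}

# fallback_ipset_cmds: the internally-managed path, used when dnsmasq is not
# running or lacks ipset support. Each domain is resolved once at service
# start and the answers are added with "ipset -! add" (-! ignores entries
# that already exist). Printed here rather than executed.
fallback_ipset_cmds() {
    for d in $DOMAINS; do
        for a in $(resolve_a "$d"); do
            printf 'ipset -! add %s %s\n' "$SET_NAME" "$a"
        done
    done
}

dnsmasq_ipset_line
fallback_ipset_cmds
```

The practical difference: the fallback is a snapshot taken at start, so a CDN that rotates addresses drifts out of the set until the next reload, while the dnsmasq path tracks whatever clients actually resolve. It also only works for clients that use the router's dnsmasq as their resolver; a device that resolves elsewhere never populates the set, and its traffic for those domains is routed by whatever other rule matches.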
You're correct, I'm using that script to use the DNS server of my VPN provider to avoid DNS leaks.
Now, using routing-policy, I could establish several connections to my VPN provider and use, for example, a connection to a US server to specifically route netflix/youtube traffic via that connection (to avoid geoblocking).
Now what I don't understand is whether the traffic routed via that connection (using policy-routing) would also use the DNS server from that VPN connection. To put my question into clearer words: where does policy-routing get the DNS servers from? Can it use different DNS servers for different routing policies?