VPN Policy-Based Routing + Web UI - ARCHIVE #1

OPR does nothing to affect the actual name resolution. Whatever server you instruct dnsmasq to use for whatever domains will be used by dnsmasq outside of OPR control.

Why on earth would you want to do that? I understand the need of hiding DNS requests and either securing them via crypto (dnscrypt) or sending them via VPN tunnel (or both). But I fail to see any reason for what you want to do.
I suspect it also falls into the category of "impossible" as it would require a complete redesign of dnsmasq.

The reason is as follows:
my vpn provider only allows access to its DNS servers if the request is coming from the same IP range as the current VPN server you are connected to. And every VPN server provides its own DNS server.
Now when I connect to say the Danish VPN server, then the Danish DNS server is added to dnsmasq. When I now open a second VPN connection to the French VPN server, then the Danish DNS server inside dnsmasq.conf.auto is overwritten with the French one. Consequently all DNS requests from the Danish connection will fail, as the Danish server will refuse the requests from the French IP range.

Furthermore all policies bypassing the VPN altogether and going the straight WAN route will also fail in their DNS requests. This is my reasoning as to why policy-routing so far fails for my setup. Or am I missing something?
I think, now that I read about dnscrypt, that I could use a dnscrypt server for all my requests, solving my problem. But that is also one more provider who is able to track your traffic.

Also, now that you've told me that DNS handling is completely done by dnsmasq I should probably go to a different thread with my question. Thank you in any case for trying to help me!

@Kaisen, that's a very good question. I've been asked before if it's possible to simulate just the smart dns proxy instead of routing all geo-sensitive traffic over VPN tunnel with this package and sadly, I don't understand enough about inner workings of DNS/DNS leaks and smart dns proxies to address this need.

I know there's a block-outside-dns setting for newer versions of OpenVPN, however I'm not sure how well it will work with multiple tunnels on the same router.

What you describe actually has a solution. What it needs is to manually add into your router's routing table a line which instructs that any connection to the IP address of your Danish DNS goes through the Danish tunnel, a similar entry for your French server etc. Ideally this is done when the openvpn connection is set up. Remember, we use lines

route-nopull
route 0.0.0.0 0.0.0.0 vpn_gateway 20

to avoid pulling routing from openvpn server and then the second line sets up a default routing via the openvpn (with metric 20). You can add extra lines here if you want, say xx.yy.zz.ww is the IP of DNS of your openvpn provider. Something like

route xx.yy.zz.ww 255.255.255.255 vpn_gateway

should instruct your router to put all packets (including DNS requests) to xx.yy.zz.ww through your openvpn tunnel.
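As an added example (not code from the thread or from the openvpn-policy-routing package), a small OpenVPN hook that does what is described above from a script rather than static `route` lines: on route-up it pins each DNS server given on the command line to the tunnel that just came up, and on route-pre-down it removes those host routes again. It assumes OpenVPN's documented `$dev`, `$route_vpn_gateway` and `$script_type` hook variables and an iproute2/busybox `ip`; the tunnel gateway 10.45.10.5 matches the tun0 route in the support output further down this thread, while the DNS address 10.45.10.1 is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the openvpn-policy-routing package.
# Use from the tunnel's OpenVPN config next to route-nopull (which also rejects
# pushed DNS servers, hence the DNS address is passed as an argument):
#   script-security 2
#   route-up       "/etc/openvpn/pin-dns.sh 10.45.10.1"   # 10.45.10.1 is constructed
#   route-pre-down "/etc/openvpn/pin-dns.sh 10.45.10.1"
# OpenVPN exports $dev (e.g. tun0), $route_vpn_gateway and $script_type to the hook.

# Map the hook phase to the "ip route" verb; other phases give an empty string.
route_verb() {
    case "$1" in
        route-up) echo replace ;;
        route-pre-down|down) echo del ;;
        *) echo "" ;;
    esac
}

# Print one host-route command per DNS server, so queries to a provider's
# resolver leave only through the tunnel that resolver belongs to.
# $1 = verb (replace|del), $2 = tunnel device, $3 = tunnel gateway, $4.. = DNS IPs
pin_dns_cmds() {
    verb="$1"; tdev="$2"; gw="$3"; shift 3
    for dns in "$@"; do
        case "$dns" in
            *.*.*.*) echo "ip route $verb $dns/32 via $gw dev $tdev" ;;
            *) echo "pin-dns: skipping non-IPv4 DNS address '$dns'" >&2 ;;
        esac
    done
}

# Hook entry point: only acts when OpenVPN's variables are present, so the
# functions above can also be sourced and checked in a dry run.
if [ -n "${dev:-}" ] && [ -n "${route_vpn_gateway:-}" ]; then
    verb=$(route_verb "${script_type:-}")
    [ -n "$verb" ] || exit 0
    pin_dns_cmds "$verb" "$dev" "$route_vpn_gateway" "$@" | while read -r cmd; do
        $cmd || echo "pin-dns: '$cmd' failed" >&2
    done
fi
```

The dnsmasq side still has to be told which resolver serves which domains (a `server=/domain/ip` line per tunnel); the hook only guarantees that each resolver is reached through its own tunnel.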

@stangri
I know about that setting. However, it was introduced to specifically avoid Windows 10 DNS leaks (yay for Win10 security!) and I think that's the only use case where it applies. See: https://community.openvpn.net/openvpn/ticket/605

@dziny
Thank you so much, that's the answer I was hoping for! I'm not sure I have the time to mash together a script to modify the routing table this weekend, but I'm letting you know when I do & if it worked.

@stangri

Just wanted to touch base on my end, since you were out of town.

Are there other things I should check as to why my domain-based policies are not working?

Here is my DHCP config

root@LEDE:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        list ipset '/netflix.com/hulu.com/wanroute'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

And my support

root@LEDE:~# /etc/init.d/openvpn-policy-routing support
openvpn-policy-routing 4.1.4-22 running on LEDE 17.01.0. WAN (IPv4): wan/71.231.52.1. WAN (IPv6): wan6/fe80::e11:67ff:fe02:4822.

Dnsmasq version 2.76 Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify

Routes/IP Rules
default 10.45.10.5 128.0.0.0 UG 0 0 0 tun0
default 71.231.52.1 0.0.0.0 UG 0 0 0 eth1
32736: from all fwmark 0x30000 lookup 202
32737: from all fwmark 0x10000 lookup 200

IP Tables
OPR_CHAIN all -- anywhere anywhere [goto] mark match 0x0/0xff0000
-N OPR_CHAIN
-A OPR_CHAIN -s 192.168.1.150/32 -c 15 5567 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -s 192.168.1.134/32 -p tcp -m multiport --dports 1001:65535 -c 14 1185 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set wanroute dst -c 139 116910 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000

IPv6 Tables
OPR_CHAIN all anywhere anywhere [goto] mark match 0x0/0xff0000
-N OPR_CHAIN
-A OPR_CHAIN -m set --match-set wanroute6 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000

Domain-based routing settings
dnsmasq.cfg02411c.ipset: /netflix.com/hulu.com/wanroute

Current ipsets
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
add wanroute 52.33.212.252
add wanroute 52.11.98.206
add wanroute 54.69.99.111
add wanroute 52.37.33.45
add wanroute 52.35.172.200
add wanroute 52.43.203.6
add wanroute 54.69.239.253
add wanroute 54.69.16.110
add wanroute 23.45.228.193
add wanroute 52.27.65.137
add wanroute 52.34.132.5
add wanroute 52.35.239.177
add wanroute 54.186.37.251
add wanroute 52.37.56.128
add wanroute 52.26.74.145
add wanroute 52.11.133.199
add wanroute 54.69.252.7
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
create wanroute6 hash:ip family inet6 hashsize 1024 maxelem 65536
create wanlist list:set size 8
add wanlist wanroute
add wanlist wanroute6
create tun0list list:set size 8
add tun0list tun0route

You also wanted to discuss testing some IPv6 stuff with me I believe.

I have a WRT1900AC (static 192.168.2.1) using LEDE-STABLE Reboot 17.01-SNAPSHOT r3286-0f23e80 set up as PPPoE through a Netgear DM200 DSL Modem (static 192.168.5.1) set up in bridge mode.

I have installed OpenVPN Routing and it works great.

With the VPN off and no OpenVPN Routing I can reach the DM200 status page with the following procedure:

Created a new interface via the GUI I called “DSL_MODEM” with the following config result:

config interface 'DSL_Modem'
option proto 'static'
option ifname 'eth1.2'
option ipaddr '192.168.5.2'
option netmask '255.255.255.0'

Then in the GUI tab “Firewall Settings” I set it as the same Firewall Zone as “WAN” and “WAN6” so it is now listed as “WAN WAN6 DSL_Modem”.

This works well and I can access the DSL DM200 status page via Chrome at its static IP of 192.168.5.1.

When I turn on the VPN and use the OpenVPN Routing this does not work any longer.

I tried to add an entry to the OpenVPN Routing GUI with what I thought may work but no luck. I could only select the Gateways of “wan” or “tun0”. “DSL_Modem” was not selectable as a Gateway. Did some trial and error with the settings, but could not manage to get it to work.

Can someone point me in the right direction?

My full network config file is:

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'xxxxxxxxxxxxxxxxxxxxxxxxxxx'

config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option delegate '0'
option ipaddr '192.168.2.1'

config interface 'wan'
option ifname 'eth1.2'
option _orig_ifname 'eth1.2'
option _orig_bridge 'false'
option proto 'pppoe'
option username 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option password 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option ipv6 'auto'
option delegate '0'
option peerdns '0'
option dns '208.67.222.222 4.2.2.1 8.8.8.8'

config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
option reqaddress 'none'
option reqprefix 'no'
option auto '0'
option delegate '0'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'

config interface 'myvpn'
option proto 'none'
option ifname 'tun0'
option delegate '0'

config interface 'DSL_Modem'
option proto 'static'
option ifname 'eth1.2'
option ipaddr '192.168.5.2'
option netmask '255.255.255.0'

+++++++++++++++++++

My full firewall config file is:

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 tun0 DSL_Modem'

config forwarding
option src 'lan'
option dest 'wan'

config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'VPN_FW'
option input 'REJECT'
option masq '1'
option network 'myvpn'
option mtu_fix '1'

config forwarding
option dest 'VPN_FW'
option src 'lan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

@Kocrachon please try also adding ipset with '/wanroute6' at the end instead of 'wanroute'.

@FCS001FCS there's probably more elegant way, but have you tried adding remote IP policy for ip: 192.168.5.1 and WAN?

@stangri How is that done? I am a real newbie when it comes to firewall and routes etc. Can it be done by the GUI (LUCI) or must it be a command line thing?

Looks like that worked!

So now the last thing I need to figure out is the policy-based routing, and I'm hoping maybe you can help me out with it.

I currently have remote ports 1025-65535 set to go WAN (I basically only want to block ISP from seeing HTTP and other critical traffic). However, it seems like this works for the initial 'connection', but does not work for the continued connection due to ephemeral ports.

For example, I have a Linux server, and a Windows server. The Linux server is set to allow only my VPN IP, because it's still within the 0-1024 range. This works fine, I do my SSH connection.

My Windows server allows my ISP IP, because it's outside of the 0-1024 range (3389) and when I establish the connection, it works fine.

However, I start running into issues with things like video games and downloading tools. Because after the initial connection is made on the port, everything goes to ephemeral ports, and at that point, all the traffic is routing through the VPN again, I believe because my speeds through these tools are super slow due to my VPN.

However, if I open up my ephemeral ports to go through my WAN, I'm pretty sure that then exposes all of my HTTP/HTTPS traffic to my ISP at that point, correct?

I may be wrong and need to do some additional testing, but just wanted to possibly get some input. I'm still trying to find applications that show me my IP and traffic so I can better verify this info.

You can do it with this package's Web UI.

Thanks, I'll append the README on the ipset names. It's less than ideal, but looks like there's no way around separate ipset names for ipv4 and ipv6 (in this case wanroute and wanroute6).

My only guess would be that you probably need to configure IPv6 policies as well as IPv4 policies.

I still run into some issues with IPv6.

root@LEDE:~# /etc/init.d/openvpn-policy-routing reload
creating table wan/eth1/71.231.52.1/wanroute [✓]
creating table wan6/eth1/fe80::e11:67ff:fe02:4822/wanroute6 [✗]
creating table PIA_VPN/tun0/10.54.10.5/tun0route [✓]
routing 'FireTV' 192.168.1.150 to ... via wan [✓]
routing 'MyPC-VPN' 192.168.1.134 to ...:1025-65535 via wan [✓]
routing 'FireTV' 192.168.1.150 to ... via wan [✓]
routing 'MyPC-LAN' 192.168.1.134:1025-65535 to ... via wan [✓]
routing 'Steam1' 192.168.1.1/24 to 162.254.192.0/20 via wan [✓]
routing 'Steam2' 192.168.1.1/24 to 192.69.96.0/22 via wan [✓]
routing 'Steam3' 192.168.1.1/24 to 205.185.194.0/24 via wan [✓]
routing 'Steam4' 192.168.1.1/24 to 205.196.6.0/24 via wan [✓]
routing 'Steam5' 192.168.1.1/24 to 205.196.6.0/24 via wan [✓]
routing 'Steam6' 192.168.1.1/24 to 208.64.200.0/22 via wan [✓]
routing 'Steam7' 192.168.1.1/24 to 208.64.203.0/24 via wan [✓]
routing 'Steam8' 192.168.1.1/24 to 208.78.164.0/22 via wan [✓]
routing 'Steam9' 192.168.1.1/24 to 208.78.164.0/23 via wan [✓]
routing 'Steam10' 192.168.1.1/24 to 208.78.167.0/21 via wan [✓]
routing 'SteamIPv6' to [2620:f9::/48] via wan
ERROR: ip6tables -t mangle -I OPR_CHAIN 1 -j MARK --set-xmark 0x020000/0xff0000 -d [2620:f9::/48]
[✓]
routing dnsmasq policies ✓✓✓✓
openvpn-policy-routing 4.1.4-22 started wan/71.231.52.1 PIA_VPN/10.54.10.5 ✓

OK, if I understand you correctly it can be done with OpenVPN Routing via its GUI (LUCI App).

I will try again but do you have any instructions on how this can be done because I tried but could not get it to work?

@Kocrachon -- thanks for your report. Is 2620:f9::/48 a valid IPv6 address/mask?

@FCS001FCS -- post what you've done and output of support and I'll see what I can do.

Should be yes, I stole it from here.

Maybe it's my script adding the brackets which from my previous reading seem to be required.

Can you check if ip6tables -t mangle -I OPR_CHAIN 1 -j MARK --set-xmark 0x020000/0xff0000 -d 2620:f9::/48 generates an error?
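As an added example (not code from the thread or from the openvpn-policy-routing package), a destination normaliser for the two points raised above: the failing `ip6tables ... -d [2620:f9::/48]` call (iptables and ip6tables take a bare address/prefix, and a `[...]` wrapper must be stripped before the call), and the separate per-family ipset names (`wanroute` for IPv4, `wanroute6` for IPv6). The fwmark 0x020000 and chain name OPR_CHAIN are taken from the reload output above; everything else is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or the package.

# Print "<family> <address[/prefix]>" ("inet" or "inet6") for a policy
# destination, stripping a surrounding [ ] pair. Returns 1 for anything that
# is not an IPv4/IPv6 address or whose prefix length is outside the family's range.
normalize_dest() {
    d="$1"
    d="${d#\[}"; d="${d%\]}"          # "[2620:f9::/48]" -> "2620:f9::/48"
    addr="${d%/*}"
    prefix="${d#*/}"
    [ "$prefix" = "$d" ] && prefix="" # no "/" present
    case "$prefix" in
        '') ;;                        # no prefix length given
        *[!0-9]*) return 1 ;;         # prefix is not a number
    esac
    case "$addr" in
        *:*)     fam=inet6; max=128 ;;
        *.*.*.*) fam=inet;  max=32 ;;
        *)       return 1 ;;          # hostnames and garbage are rejected
    esac
    [ -z "$prefix" ] || [ "$prefix" -le "$max" ] || return 1
    echo "$fam $d"
}

# The ipset name for a family: the package keeps one set per family,
# e.g. wanroute (IPv4) and wanroute6 (IPv6).  $1 = family, $2 = base name
ipset_name() {
    if [ "$1" = inet6 ]; then echo "${2}6"; else echo "$2"; fi
}

# Build the mangle rule that marks traffic to $1 with fwmark $2 (e.g. 0x020000),
# choosing iptables or ip6tables from the address family.
mark_rule_cmd() {
    norm=$(normalize_dest "$1") || return 1
    fam="${norm%% *}"; dest="${norm#* }"
    tool=iptables; [ "$fam" = inet6 ] && tool=ip6tables
    echo "$tool -t mangle -I OPR_CHAIN 1 -d $dest -j MARK --set-xmark $2/0xff0000"
}
```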

What is "support" and how do I get its output?

I have a question about ipv6. How does it work if only one of the vpn tunnels is ipv6 capable and the rest are not. Will it work?

Oh, sorry, I've referred to it before, but the thread is rather long now. It's /etc/init.d/openvpn-policy-routing support and if you just run /etc/init.d/openvpn-policy-routing you'll get information about additional options.

No IPv6 tables/rules are created if your ISP doesn't support IPv6 because then I can't get the default IPv6 prefix to route. If your ISP supports IPv6 (as in you get IPv6 prefix assigned on WAN by your ISP) and one of your tunnels supports IPv6 you can create IPv6 policies. If you have strict mode enabled and assign a policy to non-IPv6 tunnel it should result in address not reachable for the policy.

I don't have any experience with IPv6 and when I created this package I didn't even think about IPv6, but someone made a very valid point that we're well into 21st century and legacy-IP only package shouldn't be accepted to official feed/repo, so I've tried my best to add support to IPv6. While I can't offer much support for IPv6 issues, I'd gladly receive any actionable feedback and implement changes in the package.