VPN Policy-Based Routing + Web UI - ARCHIVE #1

Hi stangri, I'm having problems getting Domain-based Policies working. I've got dnsmasq-full installed, and I've got this in the domain policies box:

/whatismyipaddress.com/wanroute

I've tried /wan, /wanroute, /eth0, /eth1, /pppoe-wan,
anything from the interfaces that might work...

Nothing works. If I add whatismyipaddress' IP address in the IPv4-based policies, it works...

Thanks

I need the output of '/etc/init.d/openvpn-policy-routing support'.

root@LEDE:~# /etc/init.d/openvpn-policy-routing support
openvpn-policy-routing 4.1.5-8 running on LEDE 17.01.1. WAN (IPv4): wan/10.20.23.219.
============================================================
Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default         10.63.10.5      128.0.0.0       UG    0      0        0 tun0
default         10.20.23.219    0.0.0.0         UG    0      0        0 pppoe-wan
32746:  from all fwmark 0x20000 lookup 42
32747:  from all fwmark 0x10000 lookup 145
table 200:
table 201:
============================================================
IP Tables
OPR_CHAIN  all  --  anywhere             anywhere            [goto]  mark match 0x0/0xff0000
-N OPR_CHAIN
-A OPR_CHAIN -p tcp -m multiport --dports 21025 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -p tcp -m multiport --dports 7777 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -s 192.168.1.224/32 -p tcp -m multiport --sports 16180 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -p tcp -m multiport --dports 587 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -p tcp -m multiport --sports 32400 -c 4 212 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set wanroute dst -c 119 8333 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
============================================================
IPv6 Tables
OPR_CHAIN  all      anywhere             anywhere            [goto]  mark match 0x0/0xff0000
-N OPR_CHAIN
============================================================
Domain-based routing settings
dnsmasq.cfg02411c.ipset: /whatismyipaddress.com/wanroute
============================================================
Current ipsets
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
add wanroute 66.171.248.181
add wanroute 104.74.49.254
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
create wanlist list:set size 8
add wanlist wanroute
create tun0list list:set size 8
add tun0list tun0route
============================================================

I'm not seeing anything abnormal. Unless your network clients are using a different DNS server, the domain-name-based policies should work.

Other people reported a similar problem before; scroll through this page to see how they've overcome it.

They use a pihole, set up on the local network - is that causing the issue?

Yes, it's definitely a problem. Your clients must use your router's DNS, otherwise the domain-based routing will not work. But what you could do is set up the router to use the pihole for DNS and your clients to use your router's DNS. That way your clients should still get the functionality of the pihole with domain-based routing working as well.


Thanks so much dziny. That makes much more sense. However, it's still not working for me. Could I please run my settings by you:

  1. WAN interface > advanced settings > custom DNS is set to pihole IP "192.168.1.2"
  2. LAN interface > DHCP server > DHCP-options is set to "6,192.168.1.1"
  3. DHCP and DNS > server settings > general settings > DNS forwardings is blank
  4. OpenVPN/WAN Policy-Based Routing > Domain-based Policies (dnsmasq) > Domain Policies is "/whatismyipaddress.com/wan" <-- is "wan" here correct?

I have run ipconfig /flushdns on my PC, flushed cache in browser, restarted router...

Should be /wanroute

4 should be /whatismyipaddress.com/wanroute
Skip 1 for now; do it later when you have tested that the rest of the stuff works.
2 is not strictly necessary if you are using DHCP on the router; the router will automatically push itself as the DNS server.

You might need to restart dnsmasq on the router after you setup 4.

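The replies above (stangri's "nothing abnormal" reading of the support dump, dziny's point that clients must resolve through the router's dnsmasq, and the /wan versus /wanroute mix-up) all come down to reading the same three sections of the support output by eye. The script below is an added example, not from this thread and not part of openvpn-policy-routing: it reads a support dump on stdin and reports, for one domain, which link of the chain (policy line, ipset exists, dnsmasq filled it, OPR_CHAIN rule marked packets) is broken. The samples are constructed, trimmed from the dumps posted in this thread; `opr_diag_live` is the only part that touches the router.

```shell
#!/bin/sh
# Added diagnostic for openvpn-policy-routing (OPR) "support" dumps; not OPR code.
# Output codes: no-policy, missing-ipset:<set>, empty-ipset:<set>,
#               unmarked:<set>, ok:<set>:<members>:<packets>
opr_diag() {
	domain=$1
	dump=$(cat)

	# "dnsmasq.cfgXXXX.ipset: /example.com/wanroute" -> target ipset name
	target=$(printf '%s\n' "$dump" | awk -F/ -v d="$domain" \
		'/ipset: \// && $2 == d { print $3; exit }')
	[ -n "$target" ] || { echo "no-policy"; return 1; }

	# The target must be an ipset OPR created ("create <set> ..."), never an
	# interface name such as wan or pppoe-wan.
	printf '%s\n' "$dump" | grep -q "^create $target " \
		|| { echo "missing-ipset:$target"; return 1; }

	# dnsmasq emits "add <set> <ip>" only for answers it served itself, so an
	# empty set means clients resolve elsewhere (another DNS server, a Pi-hole
	# queried directly, a stale client cache).
	members=$(printf '%s\n' "$dump" | grep -c "^add $target " || true)
	[ "$members" -gt 0 ] || { echo "empty-ipset:$target"; return 1; }

	# Packet counter (-c <pkts> <bytes>) on the MARK rule for that set, summed
	# over the IPv4 and IPv6 tables. Zero means no forwarded packet hit it.
	pkts=$(printf '%s\n' "$dump" | awk -v s="$target" \
		'$0 ~ ("--match-set " s " dst") { for (i = 1; i <= NF; i++) if ($i == "-c") n += $(i + 1) }
		 END { print n + 0 }')
	[ "$pkts" -gt 0 ] || { echo "unmarked:$target"; return 1; }

	echo "ok:$target:$members:$pkts"
}

# Live use on the router (not run here): opr_diag_live whatismyipaddress.com
opr_diag_live() { /etc/init.d/openvpn-policy-routing support | opr_diag "$1"; }

# Constructed sample: the first dump in this thread, trimmed (set filled, rule hit).
sample_working() {
cat <<'EOF'
IP Tables
-A OPR_CHAIN -m set --match-set wanroute dst -c 119 8333 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
Domain-based routing settings
dnsmasq.cfg02411c.ipset: /whatismyipaddress.com/wanroute
Current ipsets
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
add wanroute 66.171.248.181
add wanroute 104.74.49.254
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
EOF
}

# Constructed sample: policy names an interface (/wan) instead of an ipset.
sample_bad_target() {
cat <<'EOF'
IP Tables
-A OPR_CHAIN -m set --match-set wanroute dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
Domain-based routing settings
dnsmasq.cfg02411c.ipset: /whatismyipaddress.com/wan
Current ipsets
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
EOF
}

# Constructed sample: the later streamuj.tv dump, trimmed (set filled, counters zero).
sample_unmarked() {
cat <<'EOF'
IP Tables
-A OPR_CHAIN -m set --match-set wanroute dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
Domain-based routing settings
dnsmasq.cfg02411c.ipset: /streamuj.tv/tun0route
Current ipsets
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
add tun0route 37.59.30.111
EOF
}

echo "working:    $(sample_working    | opr_diag whatismyipaddress.com)"
echo "bad target: $(sample_bad_target | opr_diag whatismyipaddress.com)"
echo "unmarked:   $(sample_unmarked   | opr_diag streamuj.tv)"
```

Reading the codes: `missing-ipset` is the /wan mistake (the policy target must be an ipset name from the "Current ipsets" section, not an interface); `empty-ipset` means the router's dnsmasq never answered a query for that domain, which is what happens when clients ask a Pi-hole or another resolver directly; `unmarked` means dnsmasq filled the set but no forwarded packet to those addresses passed the rule yet, so flush the client's DNS and browser cache (or restart dnsmasq after changing the policy) and test again.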

I hate to be such a newb, but in trying to get domain-based policy working I tried heaps of stuff, which didn't work, so I tried a fresh install. I installed the latest LEDE, installed openvpn-openssl, set up the PIA VPN using this guide (at this point internet traffic is correctly 100% through the VPN, but I have to set the DNS server in WAN interface > advanced settings > custom DNS to either the PIA DNS address or the pihole, which uses the PIA DNS server), then installed your requirements, and finally OPR. Nothing else changed or installed (except nano). Now nothing works in OPR, domain-based routing or IP-based routing, which did work before...

What am I missing? I've tried several fresh installs at this point, from changing as little as possible, sticking to defaults and just changing what's required, to variations on changing anything I think might help... just so you know I've tried, but I'm failing :frowning:

Read through the entire topic; it seems the most useful thing I can do is post all my settings. So apologies, wall of text here: https://paste.ee/p/QMfEA

I have a single domain policy /showip.net/wanroute
But showip.net still says my VPN IP...

I think stangri can help better, but I've noticed your routing table is missing a metric next to each route. For comparison, my table looks like:

default         xx.xx.xx.xx   0.0.0.0         UG    10     0        0 eth1.2
default         10.8.0.1        0.0.0.0         UG    20     0        0 tun0
default         10.0.100.5      0.0.0.0         UG    30     0        0 tun1
default         10.22.100.5     0.0.0.0         UG    40     0        0 tun2

Update, did another fresh install, sticking only to essential changes, and OPR still doesn't work at all; IP/Port/Domain all do nothing.

For fun I tried your older vpn bypass package... IP and port bypassing now work again! Domain still doesn't work, but IP and port do!

For fun, uninstalled vpnbypass, installed OPR - nothing works :frowning:

Edit: Whoa: so I disabled IPv6 on my LEDE LAN interface (my ISP doesn't support IPv6 and I have IPv6 disabled on my PC already), and now domain-based works on vpnbypass!

Hi Stangri,

I need help with Domain-based policies. Also IPv4/Port policies don't work if I set them to route a remote address (local address works fine). I have dnsmasq-full installed. I suspect it is something on my side because while building the LEDE image (from the build generator) I removed dnsmasq, installed dnsmasq-full, but also removed IPv6 support (-odhcp6c -dnsmasq_full_dhcpv6 -ip6tables -kmod-ipv6). I also disabled IPv6 and DHCPv6 (uci set dhcp.lan.dhcpv6=disabled; sysctl -w net.ipv6.conf.all.disable_ipv6=1).

Logs (support, dnscrypt-proxy, dnsmasq):

openvpn-policy-routing 4.1.5-8 running on LEDE 17.01.2. WAN (IPv4): wan/x.x.x.x.
============================================================
Dnsmasq version 2.77  Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default         some_DNS_name 0.0.0.0         UG    0      0        0 eth0
32690:	from all fwmark 0x20000 lookup 42
32691:	from all fwmark 0x10000 lookup 145
table 200:
table 201:
============================================================
IP Tables
OPR_CHAIN  all  --  anywhere             anywhere            [goto]  mark match 0x0/0xff0000
-N OPR_CHAIN
-A OPR_CHAIN -s x.x.x.x/32 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OPR_CHAIN -s x.x.x.x/32 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OPR_CHAIN -m set --match-set wanroute dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
============================================================
IPv6 Tables
============================================================
Domain-based routing settings
dnsmasq.cfg02411c.ipset: /streamuj.tv/tun0route
============================================================
Current ipsets
create bcp38-ipv4 hash:net family inet hashsize 1024 maxelem 65536
add bcp38-ipv4 10.0.0.0/8
add bcp38-ipv4 192.0.2.0/24
add bcp38-ipv4 169.254.0.0/16
add bcp38-ipv4 198.51.100.0/24
add bcp38-ipv4 240.0.0.0/4
add bcp38-ipv4 192.168.0.0/16
add bcp38-ipv4 203.0.113.0/24
add bcp38-ipv4 127.0.0.0/8
add bcp38-ipv4 172.16.0.0/12
add bcp38-ipv4 0.0.0.0/8
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
add tun0route 37.59.30.111
create wanlist list:set size 8
add wanlist wanroute
create tun0list list:set size 8
add tun0list tun0route
============================================================

config dnscrypt-proxy ns1
	option address '127.0.0.1'
	option port '5353'
	option resolver 'd0wn-nl-ns2'
	option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
	# ephemeral keys option requires extra CPU cycles and can cause huge system load
	# option ephemeral_keys '0'
	# more details at https://github.com/jedisct1/dnscrypt-proxy#public-key-client-authentication
	# option client_key '/path/to/client_key'
	# option syslog '1'
	# option syslog_prefix 'dnscrypt-proxy'
	# option query_log_file '/path/to/logfile'
	# enable cache may speed up dnscrypt-proxy, see https://github.com/jedisct1/dnscrypt-proxy/wiki/Go-faster
	# option local_cache '0'
	# disable IPv6 may also speed up dnscrypt-proxy, see https://github.com/jedisct1/dnscrypt-proxy/wiki/Go-faster
	option block_ipv6 '1'
	# Blacklists allow you to block domains, ip, ... see https://github.com/jedisct1/dnscrypt-proxy/wiki/Filtering
	# list blacklist 'domains:/path/to/domains-blacklist-file.txt'
	# list blacklist 'domains:/path/to/domains-blacklist2-file.txt'

config dnscrypt-proxy ns2
	option address '127.0.0.1'
	option port '5454'
	option resolver 'd0wn-cz-ns1'
	option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
	option block_ipv6 '1'
#		# option ephemeral_keys '0'
#		# option client_key ''

config dnscrypt-proxy ns3
	option address '127.0.0.1'
	option port '5656'
	option resolver 'fvz-anytwo'
	option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
	option block_ipv6 '1'

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option authoritative '1'
	option leasefile '/tmp/dhcp.leases'
	option noresolv '1'
	option localservice '1'
	option domain 'doma'
	option local '/srsen/'
	option nonwildcard '1'
	list server '127.0.0.1#5353'
	list server '127.0.0.1#5454'
	list server '127.0.0.1#5656'
	list interface 'br-lan'
	list notinterface 'eth0'
	list notinterface 'tun0'
	option nohosts '1'
	option filterwin2k '1'
	list ipset '/streamuj.tv/tun0route'


config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option start '170'
	option limit '29'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

In any case, thank you for your great work :slight_smile:

iGz, try the OPR predecessor VPN bypass, also by stangri

I think the main difference is that vpn bypass is IPv4 only, and OPR was made to support v6. If you read up, you'll see I had major problems getting OPR to work, whereas vpn bypass works great for me (just make sure you've disabled v6 in the interfaces config).

Hi DropbearNinja,
thanks for your suggestion, but if I understand this correctly it wouldn't work for me, because I need the opposite routing: everything goes through WAN, but only some traffic goes through tun0 (VPN).

Need some help from an OPR & DNS expert.

I have set up OpenVPN with 2 VPNs (UK & NLD) using PIA VPNs with the OpenVPN Client in LEDE. I also set up OPR to use static IPs to route through WAN or the VPNs as needed. Most go through WAN as per normal but I need a few static IPs to go through the VPNs.

I had to set “route_nopull” (Don't pull routes automatically) for both VPNs since I want normal traffic to go through WAN (not VPN) and certain static IPs through one of the VPNs as set in OPR. All is working as it should, except DNS.

When “route_nopull” was not set, it gave me a lot of routing problems and would stop working altogether. When “route_nopull” is set, it ignores the routes pushed by the server, including DNS settings.

I set the “Network – DHCP & DNS - DNS forwardings” via LuCI to the PIA DNS servers 209.222.18.222 & 209.222.18.218. I deleted all other DNS server entries for interfaces etc., and in the WAN interface I unchecked "Use DNS servers advertised by peer" so the ISP DNS is not used.

When I check for DNS leaks with https://www.dnsleaktest.com/ it shows the PIA servers, but from the USA, not one of the VPN countries. When I do a “tracert” on a Win10 PC assigned to one of the VPNs it seems that all is going via the VPN as would be expected.

How do I confirm that the DNS requests are going through the VPN and not through the WAN for those static IPs assigned to a VPN?

How do I set up the DNS/VPN/interface combinations to make sure that a static IP set in OPR for a VPN has its DNS requests go through the VPN and not the WAN?

I have

route 208.67.222.222 255.255.255.255 vpn_gateway

in my openvpn config file and a similar one for 8.8.8.8 in another VPN config file (different one).
This ensures DNS requests go via the appropriate VPN interface. The way you can check which interface is used is simply via ping. You can route ping via a specific interface with

ping -Itun0 8.8.8.8

If you change tun0 to, say, eth0.2 it will route the ping via the eth0.2 interface (which is my WAN port). You'll see different numbers; my ping via tun0 is approximately 28ms while WAN (eth0.2) is faster, around 20ms. Then just try ping 8.8.8.8 (without specifying the interface) and it should go out via the default route. The response should basically tell you which interface was used: if I see numbers around 20ms it must have been WAN, if around 28ms it was tun0 (VPN).
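Inferring the egress interface from ping latency works when the two paths differ by a stable margin, but the kernel will state the answer directly: `ip route get ADDR mark MARK` evaluates the same fwmark rules the support dumps above show (0x10000 -> table 145, 0x20000 -> table 42). The script below is an added example, not from the thread and not OPR code. It assumes the full iproute2 `ip` (package ip-full on LEDE/OpenWrt), since the busybox applet may not accept `mark`; the `ip route get` answers embedded in it are constructed, using the gateways from the routing tables posted above with made-up `src` addresses. `marked_egress` and `own_egress` are the two live calls; everything else runs offline.

```shell
#!/bin/sh
# Added example: ask the kernel which interface a packet would leave on, and
# compare the client's policy-routed path with the router's own DNS path.

# Parse the "dev" field out of an `ip route get` answer.
route_dev() {
	printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Live: egress interface for a packet to $1 carrying fwmark $2 (e.g. 0x20000).
# Needs the full iproute2 ip (ip-full); assumption, not tested on busybox ip.
marked_egress() { route_dev "$(ip route get "$1" mark "$2" 2>/dev/null)"; }

# Live: egress for the router's own, unmarked traffic. dnsmasq's upstream
# queries are router-originated, so this is the path DNS actually takes,
# whichever client asked.
own_egress() { route_dev "$(ip route get "$1" 2>/dev/null)"; }

# $1 = dev used by the client's marked traffic, $2 = dev the router uses to
# reach the DNS server. A mismatch means DNS leaves on a different path than
# the client's data.
dns_path_verdict() {
	if [ -z "$1" ] || [ -z "$2" ]; then
		echo "unknown"
	elif [ "$1" = "$2" ]; then
		echo "same:$1"
	else
		echo "leak:client=$1,dns=$2"
	fi
}

# Constructed `ip route get` answers (gateways from the tables posted above,
# src addresses made up).
ANSWER_WAN='209.222.18.222 via 10.20.23.219 dev pppoe-wan src 10.20.23.220
    cache'
ANSWER_VPN='209.222.18.222 via 10.63.10.5 dev tun0 src 10.63.10.6 mark 0x20000
    cache'

# Live check for a client routed to tun0 (mark 0x20000) and the PIA resolver:
#   dns_path_verdict "$(marked_egress 209.222.18.222 0x20000)" "$(own_egress 209.222.18.222)"
client_dev=$(route_dev "$ANSWER_VPN")
router_dev=$(route_dev "$ANSWER_WAN")
echo "client via $client_dev, router DNS via $router_dev: $(dns_path_verdict "$client_dev" "$router_dev")"
```

With route_nopull the server's pushed routes and DNS are ignored, so `own_egress` for the PIA resolvers will report the WAN interface until something pins them to the tunnel; the `route 208.67.222.222 255.255.255.255 vpn_gateway` line above does exactly that for one address, and after it `own_egress 208.67.222.222` should return the tun device while the verdict changes from `leak:` to `same:`.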

@dziny

Thanks, I will try this out and see if I can figure what my situation is.

I've been at a very spotty coverage area for a while, but I've tried to stay up-to-date with recent posts.

Thanks to @DropbearNinja and @dziny for helping out fellow OPR users.

I concur that some of the OPR problems might be due to the faulty IPv6 support, so in 4.1.5-9 I've tried to implement changes so that IPv6-related code is only executed if the ipv6_enabled option is set to 1 in the config. This is a temporary measure to get OPR working in dual-stack configurations until I work out the IPv6 kinks.

UPDATE: Mullvad folks have provided me with a 6-month account. I've tested out WireGuard and it doesn't seem trivial to support it in OPR. A WireGuard interface doesn't seem to have tun_flags or anything else which would ID it as a WireGuard interface in /sys/devices/virtual/net/$ifname/. If anyone can shed some light on how to ID the WireGuard interface, please let me know. Either way, IPv6 support has to come first before I look into wg again.