I want to access my VDSL2 Netgear DM200 Modem from my PC through my LEDE WRT3200AC Router. DM200 is set up in Bridge Mode for the PPPoE connection to my ISP, with the WRT3200AC doing all the login etc.
I tried an entry in OPR for the interface name (DSLModem) of the DSL Modem connection but it is still blocked.
Setup:
WRT3200AC IP = Static IP 192.168.2.1
DSL Modem DM200 = Static IP 192.168.5.1
OpenVPN = 2 VPNs, both set up with the "route_nopull" option so WAN remains the default route.
Static IPs assigned in the WRT3200AC for all connected machines on my LAN
Settings I changed/added that work (can access DM200 GUI at 192.168.5.1) when OPR Disabled:
OPR has strict enforcement https://github.com/stangri/openwrt-packages/tree/openvpn-policy-routing/net/openvpn-policy-routing/files#strict-enforcement
I tested it on previous versions but it wasn't working for me. Now I use separate iptables rules with ipset match like
# per-tunnel enforcement chain: only traffic leaving via tun0 is accepted
iptables -t filter -N tunnel0_enforce
iptables -A tunnel0_enforce -o tun0 -j ACCEPT
iptables -A tunnel0_enforce -j DROP
# forwarded traffic from hosts in the tunnel0group ipset is sent through that chain
iptables -t filter -I FORWARD -m set --match-set tunnel0group src -j tunnel0_enforce
It also allows me to create enforcement chains for each tunnel separately.
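The general form of the per-tunnel enforcement chain described above, written as an added example (not code from the thread or from the OPR package): one function builds the ipset, the chain and the FORWARD hook idempotently for any tunnel device and ipset name, so the same call serves tun0, tun1 and so on. The IPT/IPSET variables and the chain/ipset names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: strict enforcement for one tunnel, generalised from the
# tunnel0_enforce rules in the thread. Hosts listed in the ipset may only
# have their forwarded traffic leave via the tunnel device; anything else is
# dropped, so a tunnel outage cannot leak traffic out of the WAN.
# IPT and IPSET can be overridden (e.g. to "echo") for a dry run.
IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"

# enforce_tunnel <chain> <tun-device> <ipset-name>
enforce_tunnel() {
    chain="$1"; dev="$2"; set="$3"
    # ipset of LAN source addresses to pin to this tunnel; -exist makes it idempotent
    $IPSET create "$set" hash:ip -exist
    # create the chain, or flush it if it already exists, then rebuild it
    $IPT -t filter -N "$chain" 2>/dev/null || $IPT -t filter -F "$chain"
    $IPT -t filter -A "$chain" -o "$dev" -j ACCEPT
    $IPT -t filter -A "$chain" -j DROP
    # hook the chain into FORWARD only once: -C checks for an existing jump
    $IPT -t filter -C FORWARD -m set --match-set "$set" src -j "$chain" 2>/dev/null \
        || $IPT -t filter -I FORWARD -m set --match-set "$set" src -j "$chain"
}

# pin_host <ipset-name> <ip>: add a LAN host to a tunnel's ipset
pin_host() {
    $IPSET add "$1" "$2" -exist
}

# Usage on the router (one call per tunnel; constructed sample values):
#   enforce_tunnel tunnel0_enforce tun0 tunnel0group
#   enforce_tunnel tunnel1_enforce tun1 tunnel1group
#   pin_host tunnel0group 192.168.2.50
```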
Alex, thank you for your feedback, you seem to have a much better grip on iptables than I do; if there's anything OPR is doing inefficiently, please let me know.
Ok, everything works until I enable OPR.
After doing so, no inet connection.
And it doesn't matter if "Use DNS servers advertised by peer" is ticked or if I put other DNS server(s) in the WAN settings.
Also having DNS entries in the "DNS forwardings" doesn't change anything.
The Active routes field after enabling OPR looks like this:
wan 0.0.0.0/0 81.217.146.1 0 201
torguard_vpn 0.0.0.0/0 10.22.0.9 0 202
torguard_vpn 0.0.0.0/1 10.22.0.9 0 main
wan 0.0.0.0/0 81.217.146.1 0 main
torguard_vpn 10.22.0.9 0 main
wan 81.217.146.0/24 0 main
wan 81.217.146.1 0 main
torguard_vpn 128.0.0.0/1 10.22.0.9 0 main
lan 192.168.1.0/24 0 main
...any idea how I can deal with this error and install OPR? Thank you!
Collected errors:
check_data_file_clashes: Package libustream-mbedtls wants to install file /lib/libustream-ssl.so
But that file is already provided by package * libustream-openssl
First of all, OPR does not depend on libustream, so that's a weird error. Were you installing anything else besides OPR? Second, you can try to force-install OPR ignoring dependencies: opkg install --nodeps openvpn-policy-routing.
I use hnyman's LEDE Reboot SNAPSHOT r4786 version (for now).
Besides what's there by default, I have OpenVPN installed (obviously), and the DNSCrypt-Proxy package. I have tried before to use your VPNBypass, but I couldn't make it work, so I have uninstalled it... Now trying to install OPR, and I've got that error. It looks like your repo is not being installed (following your OpenVPN Policy-Based Routing guides from Github/github.io), as it doesn't show up in LuCI when searching for it.
Any impact trying to force installing OPR ignoring the dependencies?
(I prefer to use LuCI, as I am not good with terminal commands.)
That's unfortunate, it's a great idea and I'd like to use your package. Could it be router dependent or firmware dependent?
I have a Linksys Wrt-1200acs v2 router with david's LEDE build: https://davidc502sis.dynamic-dns.net/releases/
Are there logs I could provide? Are they all in the system protocol tab, I saw entries from OPR there but not much info.
I'll also ask the maintainer of my custom build if something could hinder your package to work.
So, I've managed to install OPR (for some reason unknown to me, the repo was added in the Feeds after #, and without src/ in front. But then I've moved it to a new line adding src/ in front, and it was working).
Now, I've got these errors. Any idea? To me, it looks like OPR is not choosing the right WAN interface, but some other interface I have, even if in the dropbox I have chosen WAN.
(note: I do not know why, but Lede is reporting XIF as the WAN interface in the Overview page instead of the actual WAN.)
user.notice openvpn-policy-routing [10338]: ERROR: service is not enabled!
user.notice openvpn-policy-routing [10338]: service monitoring interfaces: [ā]
daemon.err modprobe: xt_set is already loaded
daemon.err modprobe: ip_set is already loaded
daemon.err modprobe: ip_set_hash_ip is already loaded
user.notice openvpn-policy-routing [10392]: Creating table 'VPN/tun11/100.xx.x.1/::/0' [ā]
user.notice openvpn-policy-routing [10392]: Creating table 'XIF/br-XIF/192.168.1.2/fe80::/64' [ā]
user.notice openvpn-policy-routing [10392]: Routing 'OPR' via wan [ā]
user.notice openvpn-policy-routing [10392]: service started on VPN/tun11/100.x.x.1/::/0 XIF/br-XIF/192.168.1.2/fe80::/64 with errors [ā]
user.notice openvpn-policy-routing [10392]: ERROR: policy 'OPR' has unknown interface: wan!
user.notice openvpn-policy-routing [10392]: service monitoring interfaces: VPN XIF [ā]
I have a question:
I have some port forwardings from WAN to a local LAN device. (Need to access the local device's port from WAN)
And an OpenVPN routing policy for the local LAN device to go outbound using OpenVPN.
Why does the port forwarding not work? Do I need to add additional configs?
Thanks,
Example: config/firewall
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option dest_ip '10.0.1.99'
	option dest_port '9999'
	option name 'Test'
	option proto 'tcp'
	option src_dport '9999'
Thanks for your work, this package is really helpful! Unfortunately you can't tell from the package name that it also supports WireGuard.
Does "Local addresses/devices" also take hostnames or just ips? I copied a hostname from DHCP Leases, but it doesn't seem to do anything.
Edit: The routing doesn't work for some domains like netflix.com. Netflix has a huge ip range and I noticed that when I run resolveip netflix.com on the router it lists other ips than nslookup netflix.com. I did a few traceroute netflix.com on my laptop and most of the time it picks an ip that resolveip doesn't list and the policy doesn't trigger.
Hi, complete newbie (to routing/tables etc, but long-time programmer) here. This looks like a great package, and I'm desperate to get it to work! I'll try to keep this short...
Completely new install of lede 17.01.4 on Raspberry Pi 2, OpenVPN client, DDNS, everything working fine.
The initial error I get from OPR is:
ERROR: policy 'ALL Via WAN' has unknown interface: wan!
The lower-case 'wan' looks suspicious - the WAN interface config displays in upper case in LuCI, so I edited the OPR config file via SCP to upper case:
The second error (unknown fw_mark) must be something to do with the subnet mask, no combination of address/mask works for me.
Specifying a huge list of ; delimited hosts works without error.
The case-sensitive wan/WAN is still a problem; I have to SCP/SSH to the router and manually edit the OPR config file every time I make an update in LuCI.
Other than that, working great now!! Thank you so much.
@Michael123 -- I've only done very limited testing with WireGuard, I would appreciate it if you shared your experience with wg and this package. I would also be grateful if you posted a sanitized wg config from your router. Every time I've tried to set up a wg tunnel it took over the default routing and became WAN, ruining the package logic.
I think it works fine except the issue with some domains as mentioned.
I have a Linksys WRT1200AC router and WireGuard is pretty fast. I just did a speed test and I got 90 Mbps download (100 Mbps without) while one core was at ~50% load and the other at ~15%. I don't remember the speeds with OpenVPN and I currently don't have it installed. I assume that my results fit the benchmarks from https://www.wireguard.com/performance/.
WireGuard doesn't have a separate config file, does it? I think it only adds something to /etc/config/network.
The endpoint IP is the same as resolveip de1-wireguard.mullvad.net.
Did you check Route Allowed IPs? That sets the WireGuard interface as default route. I have it unchecked and WireGuard is only used for policies with WIREGUARD as interface and not WAN.
Edit: An enable checkbox for every policy would be nice. If I want to temporarily disable a policy I always have to delete it and recreate it later.
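A sanitized WireGuard interface of the kind the maintainer asked for, written as an added example (not Michael123's config and not part of the OPR package) as uci commands for /etc/config/network. The point is the route_allowed_ips setting: left at '1', the 0.0.0.0/0 allowed_ips entry becomes the default route and the tunnel takes over as WAN; set to '0', the interface only carries traffic that OPR policies route to it. Keys, addresses, endpoint and the UCI variable are placeholders.

```shell
#!/bin/sh
# Added example: create a WireGuard interface for policy routing only.
# UCI can be overridden (e.g. to "echo") for a dry run without touching the router.
UCI="${UCI:-uci}"

# wg_policy_iface <iface> <private-key> <local-addr/cidr> <peer-pubkey> <endpoint-host> <endpoint-port>
wg_policy_iface() {
    iface="$1"; privkey="$2"; addr="$3"; pubkey="$4"; host="$5"; port="$6"
    # interface section (proto wireguard), e.g. 'WIREGUARD' as used in OPR policies
    $UCI set "network.$iface=interface"
    $UCI set "network.$iface.proto=wireguard"
    $UCI set "network.$iface.private_key=$privkey"
    $UCI add_list "network.$iface.addresses=$addr"
    # peer section: its section type must be wireguard_<iface>
    $UCI set "network.${iface}_peer=wireguard_$iface"
    $UCI set "network.${iface}_peer.public_key=$pubkey"
    $UCI set "network.${iface}_peer.endpoint_host=$host"
    $UCI set "network.${iface}_peer.endpoint_port=$port"
    # allow all destinations through the tunnel (needed for per-host policies) ...
    $UCI add_list "network.${iface}_peer.allowed_ips=0.0.0.0/0"
    # ... but do NOT install allowed_ips as routes: '1' (the "Route Allowed IPs"
    # checkbox) would make 0.0.0.0/0 via the tunnel the default route and break OPR.
    $UCI set "network.${iface}_peer.route_allowed_ips=0"
    $UCI set "network.${iface}_peer.persistent_keepalive=25"
    $UCI commit network
}

# Usage on the router (constructed placeholder values):
#   wg_policy_iface WIREGUARD '<private key>' 10.64.0.2/32 '<peer public key>' de1-wireguard.mullvad.net 51820
#   ifup WIREGUARD
```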