VPN Policy-Based Routing + Web UI - ARCHIVE #1

That's encouraging news!

I hope @nidstigator can retest as well with the newest build.

Hey man, just thought I'd chime in here and say that I've updated to your latest build this evening and tried adding a domain-based rule to my already working policy-based setup (2 tuns, 1 wan) and it didn't work. Site still gets accessed via wanroute for me.

Bummer. I hoped the last update would solve your issue too. Did you reboot the router after an update?

Yes. Any specific debug info you would like me to provide later this evening?

If you could submit the paste (/etc/init.d/openvpn-policy-routing support -p) or PM me information from /etc/init.d/openvpn-policy-routing support, I'd have a look. It's unlikely I'll see something earth-shattering there that you won't, but every little bit helps.

I am a newbie but have managed to compile LEDE with make menuconfig, but I have been trying for tens of hours to get this package installed in OpenWRT.

I am missing basic concepts I believe. I have googled & googled but still no luck.

Can someone give me the exact text to put into "Software - Custom Feeds" so I can get the openvpn-policy-routing and luci-app-openvpn-policy-routing packages installed in my WRT1900AC LEDE router?

Also, how can I add this to the make menuconfig? I think I need the feed on the config file but I tried many versions of the path to the packages but no luck also.

I ultimately want to have some of my IPs go through OpenVPN VPN and some not. I believe this package is exactly what I need but have not been able to get it installed.

Oh, these two packages are not in the feeds yet. I've sent a PR, but I need to figure out the way to handle IPv6 policies and there's a matter of it not working for one of the forum members, so those issues need to be addressed before the packages are in the feed.

First post in this thread has the link to download pre-compiled IPK files.

Or you may want to check out vpnbypass -- it has been accepted and is available in the master snapshots (but not in 17.01).

Thanks, got it working with an install from /tmp. Will set it up tomorrow.

Hello,

First I have to say thank you for this long-missing function! Brilliant!
I just found it while searching because I have a problem with the OpenVPN app.

I don't get the tun interface when connected through OpenVPN on the WRT1900ACS running the latest stable LEDE build (17).
If I start the OpenVPN connection manually with "openvpn --config path/to/ovpn.file --auth-user-pass path/to/user-pass.file" then everything is fine and I have the tun adapter when typing ifconfig.

If I start the same VPN through the LuCI OpenVPN app then I don't have the tun iface coming up.

So I now have two options: one is to start the tunnel as a service, which I can't get done when trying to start it through rc.local, and the second is to get the tun iface through the LuCI app (preferred).

Just to inform, I use extroot.

Here is some config:

/etc/config/openvpn:

config openvpn 'ExpressVPN'
    option client '1'
    option reneg_sec '0'
    option verb '3'
    option persist_tun '1'
    option persist_key '1'
    option log '/mnt/sda2/log/expressvpn-openvpn.log'
    option auth_user_pass '/etc/openvpn/userpass.txt'
    option proto 'udp'
    option cipher 'AES-256-CBC'
    option auth 'SHA512'
    option sndbuf '524288'
    option rcvbuf '524288'
    option tls_client '1'
    option tun_mtu '1500'
    option ns_cert_type 'server'
    option route_delay '2'
    option fast_io '1'
    option tls_remote 'verify-x509-name Server name-prefix'
    option comp_lzo 'adaptive'
    list remote 'germany-frankfurt-2-ca-version-2.expressnetw.com 1195'
    option remote_random '0'
    option resolv_retry 'infinite'
    option script_security '2'
    option ca '/etc/openvpn/ca.crt'
    option key '/etc/openvpn/client.key'
    option tls_auth '/etc/openvpn/ta.key'
    option cert '/etc/openvpn/client.crt'
    option pull '1'
    option nobind '1'
    option dev 'tun0'

/etc/config/network:

config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'

/etc/config/firewall:

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'vpn'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'lan'
        option dest 'vpn'
        option name 'vpn'
        option family 'ipv4'

OVPN client file (removed certificates):

dev tun
fast-io
persist-key
persist-tun
nobind
remote fqdn from server 1195

remote-random
pull
comp-lzo
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass

So why is the tun interface not coming up using the LuCI OpenVPN app, and what do I have to do to fix this? OR how do I get the VPN running as a service?

Thank you and kind regards!

Hi,

Thank you for this very useful package. I have just installed openvpn-policy-routing_4.1.3-5_all.ipk and luci-app-openvpn-policy-routing_git-17.027.48745-f5461669a-1_all.ipk on a TL-WDR4300 running LEDE 17.01.0. I am getting the following error; how can I fix this?

Sat Mar 4 21:21:12 2017 user.notice openvpn-policy-routing [14218]: service waiting for wan gateway...
Sat Mar 4 21:21:15 2017 user.notice openvpn-policy-routing [14218]: service waiting for wan gateway...
Sat Mar 4 21:21:17 2017 user.notice openvpn-policy-routing [14218]: ERROR: service could not discover wan gateway!

Thanks for trying it. Does it happen on boot or when you manually start the service?

Hi stangri,

I could not get it to start on boot, only manually. The same error started appearing from the time I installed the packages:

root@WDR4300:/tmp# opkg install openvpn-policy-routing_4.1.3-5_all.ipk luci-app-openvpn-policy-routing_git-17.027.48745-f5461669a-1_all.ipk
Installing openvpn-policy-routing (4.1.3-5) to root...
Installing luci-app-openvpn-policy-routing (git-17.027.48745-f5461669a-1) to root...
Configuring openvpn-policy-routing.
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
openvpn-policy-routing 4.1.3-5 waiting for wan gateway...
ERROR: openvpn-policy-routing 4.1.3-5 could not discover wan gateway!
Configuring luci-app-openvpn-policy-routing.
root@WDR4300:/tmp#

Please paste the output of ...

ubus list

... probably you don't have a network.interface.wan ...

This is it, I have a wireless wan interface "wwan"

root@WDR4300:~# ubus list
dhcp
hostapd.wlan0
hostapd.wlan1
log
network
network.device
network.interface
network.interface.lan
network.interface.loopback
network.interface.vpn
network.interface.wwan
network.wireless
service
session
system
uci

OK, to get it working for you please edit /etc/init.d/openvpn-policy-routing. Search for network.interface.wan and replace it with network.interface.wwan.

This is only quick & dirty for your configuration and not a generic solution. That said, I don't know the current code base and don't use this package ... you have been warned! :wink:

Dirk, thank you very much for your help! I'll also need to rewrite the part of the code which processes interfaces since wan is also hardcoded there.

@nart I'll push the fixed build which should work with your configuration sometime this weekend after I test it.

Based on feedback from @dibdot and @nart, build 4.1.4-1 detects WAN interface name.
@nart -- please try 4.1.4-1.
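The WAN-discovery failure above came from the service looking for a fixed network.interface.wan object and waiting forever when the WAN interface was actually called wwan. The following is an added example, not code from the openvpn-policy-routing package or from anyone in this thread, showing the defensive approach: derive the WAN interface name from the ubus listing (an exact "wan" wins, otherwise any interface whose name ends in "wan"), fail fast with a non-zero status instead of retrying indefinitely, and always name the WAN ipset "wanroute" regardless of the logical interface name, which matches the log lines from 4.1.4-1 and the 4.1.4-2 fix described below. The embedded ubus listing is constructed to mirror @nart's TL-WDR4300 output so the script runs offline; on a router you would pass it "$(ubus list)" instead. Function names are my own.

```shell
#!/bin/sh
# Added example (not part of openvpn-policy-routing): detect the WAN logical
# interface from `ubus list` output instead of hard-coding "wan".

# Constructed sample listing, modelled on the TL-WDR4300 post in this thread.
SAMPLE_UBUS_LIST='dhcp
hostapd.wlan0
hostapd.wlan1
log
network
network.device
network.interface
network.interface.lan
network.interface.loopback
network.interface.vpn
network.interface.wwan
network.wireless
service
session
system
uci'

# detect_wan_iface LISTING
# Prints the logical interface name to treat as WAN and returns 0.
# Preference: an interface named exactly "wan", otherwise the first
# network.interface.* whose name ends in "wan" (e.g. wwan).
# Returns 1 and prints nothing when no candidate exists, so a caller can
# log an error once rather than polling for a gateway that never appears.
detect_wan_iface() {
    listing="$1"
    # Keep only the suffix of lines shaped like network.interface.<name>;
    # the bare "network.interface" object has no suffix and is skipped.
    ifaces=$(printf '%s\n' "$listing" \
        | sed -n 's/^network\.interface\.\([A-Za-z0-9_]*\)$/\1/p')
    for i in $ifaces; do
        [ "$i" = "wan" ] && { echo wan; return 0; }
    done
    for i in $ifaces; do
        case "$i" in
            *wan) echo "$i"; return 0 ;;
        esac
    done
    return 1
}

# ipset_name LOGICAL_IFACE DEVICE WAN_IFACE
# The WAN interface always gets the ipset "wanroute", whatever its logical
# name; every other interface gets "<device>route" (e.g. tun0route), as in
# the 4.1.4 log lines in this thread.
ipset_name() {
    logical="$1"; device="$2"; wan="$3"
    if [ "$logical" = "$wan" ]; then
        echo wanroute
    else
        echo "${device}route"
    fi
}

# Stand-alone demonstration on the constructed listing.
if wan=$(detect_wan_iface "$SAMPLE_UBUS_LIST"); then
    echo "WAN interface: $wan (ipset $(ipset_name "$wan" wlan2 "$wan"))"
    echo "VPN interface: vpn (ipset $(ipset_name vpn tun0 "$wan"))"
else
    echo "ERROR: no WAN interface found in ubus listing" >&2
fi
```

With the sample listing this prints "WAN interface: wwan (ipset wanroute)" and "VPN interface: vpn (ipset tun0route)". The point of returning 1 from detect_wan_iface is that an init script can distinguish "WAN not up yet" (retry) from "no WAN interface exists at all" (stop and report), which is the difference between the ten-line retry loop in the opkg output above and a single useful error.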

CALL FOR HELP: if your VPN provider supports IPv6, please PM me the ifconfig output for the VPN interface, like ifconfig tun0. Thanks!

Hi guys,

Thank you for your replies. I installed the new version and got the following error (note: I kept the configuration file of the old version):

Sun Mar 5 14:45:00 2017 daemon.err modprobe: xt_set is already loaded
Sun Mar 5 14:45:00 2017 daemon.err modprobe: ip_set is already loaded
Sun Mar 5 14:45:00 2017 daemon.err modprobe: ip_set_hash_ip is already loaded
Sun Mar 5 14:45:00 2017 user.notice openvpn-policy-routing [4541]: creating table wwan/wlan2/192.168.100.1 ipset=wwanroute [✓]
Sun Mar 5 14:45:00 2017 user.notice openvpn-policy-routing [4541]: creating table vpn/tun0/172.16.1.1 ipset=tun0route [✓]
Sun Mar 5 14:45:01 2017 user.notice openvpn-policy-routing [4541]: routing 'test1' via wan (192.168.1.200 to ...) [✗]
Sun Mar 5 14:45:01 2017 user.notice openvpn-policy-routing [4541]: ERROR: ipt -t mangle -I OVPBR_MARK 1 -j MARK --set-mark /0xff0000 -s 192.168.1.200
Sun Mar 5 14:45:01 2017 user.notice openvpn-policy-routing [4541]: routing 'test2' via wan (192.168.1.139 to ...) [✗]
Sun Mar 5 14:45:01 2017 user.notice openvpn-policy-routing [4541]: ERROR: ipt -t mangle -I OVPBR_MARK 1 -j MARK --set-mark /0xff0000 -s 192.168.1.139
Sun Mar 5 14:45:01 2017 user.notice openvpn-policy-routing [4541]: routing domain-based policies with dnsmasq [✓]
Sun Mar 5 14:45:01 2017 user.notice openvpn-policy-routing [4541]: service started wwan/192.168.100.1 vpn/172.16.1.1 [✓]

I did a test case on the old version (4.1.3-5) before removing it, where I changed the interface name to "wan" in the following files (network, wireless & firewall) and rebooted, and it worked fine. Then I rolled back the change to test the new version.

On another topic, I was trying to bypass Netflix from my VPN but couldn't manage. Has anyone managed to do that? I had this domain rule (/netflix.com/nflxext.com/nflximg.net/nflxvideo.net/wanroute), but Netflix was returning this message: "You seem to be using an unblocker or proxy. Please turn off any of these services and try again. For more help, visit netflix.com/proxy"

Fixed in 4.1.4-2.

Problem was this: creating table wwan/wlan2/192.168.100.1 ipset=wwanroute. With the new build it should create ipset=wanroute for your WAN interface (even if you name your WAN interface wwan).


I have updated to version 4.1.4-3 and the issue has been fixed :slight_smile:

Thanks stangri and dibdot