VPN Policy-Based Routing + Web UI - ARCHIVE #1

I suggest you just change to release, that's what I did.

I'm pleased to report, latest version with web interface configuration of DSCP tag routing is working great for me :)

If you have access to the packages (like dnsmasq-full, etc) built for your specific snapshot -- install them. If not -- switch from snapshot to the release build.

Have you updated your packages feeds, so your router is aware of what is available to it?

@stangri, how do you add multiple IP ranges to a rule without creating a separate rule for each IP range?

One IP range per rule I'm afraid.

Packages are now in custom repo (https://stangri.github.io/openwrt-repo/), making installs/updates easier.


Hey @stangri

Really sorry for the late response. Just managed to collect the data for you - been away for some time. Here you go:

openvpn-policy-routing 4.1.3-3 running on LEDE 17.01.0-rc2
============================================================
Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default         cpc117248-ldry4 0.0.0.0         UG    10     0        0 eth0
default         10.3.28.1       0.0.0.0         UG    20     0        0 tun0
default         10.3.37.1       0.0.0.0         UG    50     0        0 tun1
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
============================================================
IP Tables
iptables: No chain/target/match by that name.
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN /* !fw3: wan (mtu_fix) */ TCPMSS clamp to PMTU
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN /* !fw3: VyprVPN (mtu_fix) */ TCPMSS clamp to PMTU
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN /* !fw3: PIAUK (mtu_fix) */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
============================================================
Domain-based routing settings
dnsmasq.cfg02411c.ipset: /whatismyip.com/tun0route
============================================================
Existing IPSets
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
create tun1route hash:ip family inet hashsize 1024 maxelem 65536
create wanlist list:set size 8
add wanlist wanroute
create tun0list list:set size 8
add tun0list tun0route
create tun1list list:set size 8
add tun1list tun1route
============================================================ 

I hope you figure it out!

A few things which are puzzling about that:

  1. I'm not seeing additional tables and their fw_marks in ip rule list.
  2. I'm not seeing any OPR_CHAIN rules, looks like the chain didn't get created at all.
  3. This might be minor if you restarted/reloaded my service and ran it with support command right away, but if it's been some time since restart until you ran support command it might be indicative of another problem -- dnsmasq should have resolved whatismyip.com and added its IP addresses to the tun0route ipset.

So it looks like OPR is spectacularly failing on your router to set things up. Do you get any errors at all while it's loading/reloading? Can you update to the latest version of OPR and run some things from CLI?
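The three puzzles above are all consistency questions between the views the support output prints: the fwmark entries in `ip rule`, the MARK and match-set rules in the mangle chain, and the sets in `ipset save`. As an added example (not code from this thread or from the package), here is a small POSIX shell check that cross-references those three views and reports a chain that was never created, a mark set by the chain that no `ip rule` routes (and the reverse), and a set the chain references that does not exist. The inputs are constructed samples in the shape of the posted output; a bogus mark 0x40000 and a non-existent set "badset" are planted deliberately so the check has something to find. The chain name OPR_CHAIN is the one from the thread.

```shell
#!/bin/sh
# Added example: cross-check the fwmark plumbing a policy-routing setup relies on.
# Inputs are constructed samples shaped like "ip rule", "iptables-save -t mangle"
# and "ipset save"; mark 0x40000 and set "badset" are planted inconsistencies.

IP_RULE='0:	from all lookup local
32749:	from all fwmark 0x30000 lookup 202
32750:	from all fwmark 0x20000 lookup 201
32751:	from all fwmark 0x10000 lookup 200
32766:	from all lookup main
32767:	from all lookup default'

MANGLE='-A PREROUTING -m mark --mark 0x0/0xff0000 -g OPR_CHAIN
-N OPR_CHAIN
-A OPR_CHAIN -s 192.168.1.0/24 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set wanroute dst -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -j MARK --set-xmark 0x20000/0xff0000
-A OPR_CHAIN -m set --match-set tun1route dst -j MARK --set-xmark 0x30000/0xff0000
-A OPR_CHAIN -m set --match-set badset dst -j MARK --set-xmark 0x40000/0xff0000'

IPSETS='create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
create tun1route hash:ip family inet hashsize 1024 maxelem 65536'

# fwmarks that ip rule sends to a dedicated table ("from all fwmark X lookup T")
rule_marks() { printf '%s\n' "$1" | awk '$4 == "fwmark" { print $5 }'; }

# marks the given chain sets, with the /mask stripped
chain_marks() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "-A" && $2 == c {
            for (i = 1; i <= NF; i++)
                if ($i == "--set-xmark") { split($(i+1), m, "/"); print m[1] }
        }' | sort -u
}

# ipsets the given chain matches on
chain_sets() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "-A" && $2 == c {
            for (i = 1; i <= NF; i++) if ($i == "--match-set") print $(i+1)
        }' | sort -u
}

# ipsets that actually exist according to "ipset save"
created_sets() { printf '%s\n' "$1" | awk '$1 == "create" { print $2 }'; }

# opr_check IP_RULE MANGLE IPSETS [CHAIN]: print one line per inconsistency and
# return the number of inconsistencies (0 = everything lines up)
opr_check() {
    chain=${4:-OPR_CHAIN}
    problems=0
    if ! printf '%s\n' "$2" | grep -qx -- "-N $chain"; then
        echo "chain $chain was never created"
        problems=$((problems + 1))
    fi
    for m in $(chain_marks "$2" "$chain"); do
        rule_marks "$1" | grep -qx -- "$m" || {
            echo "mark $m is set in $chain but no ip rule routes it"
            problems=$((problems + 1))
        }
    done
    for m in $(rule_marks "$1"); do
        chain_marks "$2" "$chain" | grep -qx -- "$m" || {
            echo "ip rule for fwmark $m exists but nothing in $chain sets that mark"
            problems=$((problems + 1))
        }
    done
    for s in $(chain_sets "$2" "$chain"); do
        created_sets "$3" | grep -qx -- "$s" || {
            echo "ipset $s is referenced by $chain but does not exist"
            problems=$((problems + 1))
        }
    done
    return $problems
}

# Run against the constructed sample; pass --live on a router to check the
# real state instead (iptables-save and ipset save need root).
if [ "${1:-}" = "--live" ]; then
    opr_check "$(ip rule show)" "$(iptables-save -t mangle)" "$(ipset save)"
else
    opr_check "$IP_RULE" "$MANGLE" "$IPSETS"
fi || echo "$? problem(s) found"
```

On the first support output in this thread (service stopped), the check would report the missing chain and three unrouted marks; on the second, nothing, since the marks, tables and sets all agree. It says nothing about ipset contents, which is the remaining question.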

My bad. I actually stopped the service, then ran it with the support option.
I just reran it with support option while it's running now:

openvpn-policy-routing 4.1.3-3 running on LEDE 17.01.0-rc2
============================================================
Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default         cpc117248-ldry4 0.0.0.0         UG    10     0        0 eth0
default         10.3.28.1       0.0.0.0         UG    20     0        0 tun0
default         10.3.37.1       0.0.0.0         UG    50     0        0 tun1
32749:	from all fwmark 0x30000 lookup 202
32750:	from all fwmark 0x20000 lookup 201
32751:	from all fwmark 0x10000 lookup 200
============================================================
IP Tables
OVPBR_MARK  all  --  anywhere             anywhere            [goto]  mark match 0x0/0xff0000
-N OVPBR_MARK
-A OVPBR_MARK -s 192.168.6.0/24 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OVPBR_MARK -s 192.168.5.0/24 -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A OVPBR_MARK -s 192.168.4.0/24 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OVPBR_MARK -s 192.168.3.0/24 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OVPBR_MARK -s 192.168.1.0/24 -c 297 28023 -j MARK --set-xmark 0x10000/0xff0000
-A OVPBR_MARK -m set --match-set wanroute dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OVPBR_MARK -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OVPBR_MARK -m set --match-set tun1route dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
============================================================
Domain-based routing settings
dnsmasq.cfg02411c.ipset: /whatismyip.com/tun0route
============================================================
Existing IPSets
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
create tun1route hash:ip family inet hashsize 1024 maxelem 65536
create wanlist list:set size 8
add wanlist wanroute
create tun0list list:set size 8
add tun0list tun0route
create tun1list list:set size 8
add tun1list tun1route
============================================================

To elaborate on the situation, in case you forgot (because it's been a long time), policy-based rules are being honoured while domain-based ones are totally ignored.

For example, for the above config, I still access whatismyip.com via wanroute.

Output from latest version:

openvpn-policy-routing 4.1.4-12 running on LEDE 17.01.0-rc2. WAN (IPv4): wan/80.3.240.1.
============================================================
Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default         cpc117248-ldry4 0.0.0.0         UG    10     0        0 eth0
default         10.3.28.1       0.0.0.0         UG    20     0        0 tun0
default         10.3.37.1       0.0.0.0         UG    50     0        0 tun1
32754:	from all fwmark 0x30000 lookup 202
32755:	from all fwmark 0x20000 lookup 201
32756:	from all fwmark 0x10000 lookup 200
============================================================
IP Tables
OPR_CHAIN  all  --  anywhere             anywhere            [goto]  mark match 0x0/0xff0000
-N OPR_CHAIN
-A OPR_CHAIN -s 192.168.6.0/24 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OPR_CHAIN -s 192.168.5.0/24 -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A OPR_CHAIN -s 192.168.4.0/24 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OPR_CHAIN -s 192.168.3.0/24 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -s 192.168.1.0/24 -c 354 38517 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set wanroute dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OPR_CHAIN -m set --match-set tun1route dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
============================================================
IPv6 Tables
OPR_CHAIN  all      anywhere             anywhere            [goto]  mark match 0x0/0xff0000
-N OPR_CHAIN
============================================================
Domain-based routing settings
dnsmasq.cfg02411c.ipset: /whatismyip.com/tun0route
============================================================
Current ipsets
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
create tun1route hash:ip family inet hashsize 1024 maxelem 65536
create wanlist list:set size 8
add wanlist wanroute
create tun0list list:set size 8
add tun0list tun0route
create tun1list list:set size 8
add tun1list tun1route
============================================================

Thank you for the follow-up. The rules seem to be in order, however I'm still not seeing dnsmasq adding whatismyip.com IP address to the tun0route.

Did you run the support command before or after trying to access whatismyip.com?

@stangri After!

The problem seems to be with dnsmasq not adding whatismyip.com IP addresses to ipset.

Can you please try two things:

  • Add whatismyip.com ip addresses to ipset manually and then try again to access it

    ipset add tun0route 104.27.192.92
    ipset add tun0route 104.27.193.92

  • Add showip.net (or some other web-site you haven't accessed before) ip address to ipset manually and then try to access it

ipset add tun0route 23.253.100.206

will do when I get home tonight and report back!
Also, worth mentioning that I love using OPBR for policy-based domains. So convenient. Thanks a lot for all your work!!!

It could be worth your time to populate the ipset with a few more domain names in dhcp/dnsmasq config to confirm if it at all works. On my box, dnsmasq actually starts filling ipset with the ip addresses just after dnsmasq restart, without waiting for them to be accessed.

Does the ipset make it into the actual dnsmasq config: grep route /var/etc/dnsmasq.conf.* ?

Setting IP addresses for whatismyip.com as per your post works correctly - I access whatismyip.com via tun0 now.

Also:

Following the ipset commands, I can't see the IPs added to /etc/config/dhcp or /var/etc/dnsmasq.conf

EDIT:
Sorry, just noticed you're talking about domains. Yes, I can see the ipset for domains in dnsmasq.conf:
ipset=/showip.com/tun0route
ipset=/hbonow.com/tun0route

and dhcp config:

    list ipset '/showip.com/tun0route'
    list ipset '/hbonow.com/tun0route'

Khm, so it's definitely dnsmasq not populating ipsets with the proper ip addresses, despite having ipset support. I'm out of ideas why it's not doing its job. You can try switching to the built-in domain names-based policies, they should work then. More info is at the bottom of the README.

Okay. I will give it a shot later.

Just as a last attempt, I am posting the entries from the system log when DNSMasq starts, and my dhcp config file along with dnsmasq.conf. Note that the domain-based entries in OBPR were removed before capturing these logs/configs, but just posting them here in case you think something looks odd or unusual.

Log:

Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: started, version 2.76 cachesize 150
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: DNS service limited to local subnets
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq-dhcp[12270]: DHCP, IP range 192.168.6.100 -- 192.168.6.249, lease time 12h
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq-dhcp[12270]: DHCP, IP range 192.168.5.100 -- 192.168.5.249, lease time 12h
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq-dhcp[12270]: DHCP, IP range 192.168.4.100 -- 192.168.4.249, lease time 12h
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq-dhcp[12270]: DHCP, IP range 192.168.3.100 -- 192.168.3.249, lease time 1h
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq-dhcp[12270]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using local addresses only for domain lan
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: reading /tmp/resolv.conf.auto
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using local addresses only for domain lan
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.8.8#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.4.4#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.8.8#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.4.4#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.8.8#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.4.4#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.8.8#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.4.4#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.8.8#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.4.4#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.8.8#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.4.4#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: read /etc/hosts - 4 addresses
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: read /tmp/hosts/dhcp.cfg02411c - 1 addresses
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq-dhcp[12270]: read /etc/ethers - 0 addresses

DHCP config:

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'Guest'
option start '100'
option limit '150'
option interface 'Guest'
option leasetime '1h'
list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'USVPN'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'USVPN'
list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'UKVPN'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'UKVPN'
list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'virtualinterface'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'virtualinterface'
list dhcp_option '6,8.8.8.8,8.8.4.4'

DNSmasq config (/var/etc/dnsmasq.conf.*):

conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq

dhcp-range=lan,192.168.1.100,192.168.1.249,255.255.255.0,12h
dhcp-option=lan,6,8.8.8.8,8.8.4.4
no-dhcp-interface=eth0
dhcp-range=Guest,192.168.3.100,192.168.3.249,255.255.255.0,1h
dhcp-option=Guest,6,8.8.8.8,8.8.4.4
dhcp-range=USVPN,192.168.4.100,192.168.4.249,255.255.255.0,12h
dhcp-option=USVPN,6,8.8.8.8,8.8.4.4
dhcp-range=UKVPN,192.168.5.100,192.168.5.249,255.255.255.0,12h
dhcp-option=UKVPN,6,8.8.8.8,8.8.4.4
dhcp-range=virtualinterface,192.168.6.100,192.168.6.249,255.255.255.0,12h
dhcp-option=virtualinterface,6,8.8.8.8,8.8.4.4

DNSMasq config (/etc/dnsmasq.conf):

EMPTY/All commented out

Thanks for the help.
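Two conditions have to hold before dnsmasq can fill an ipset from an `ipset=` directive: the query has to pass through dnsmasq at all, and the queried name has to match one of the directive's domains (dnsmasq matches the listed domain itself and any subdomain of it). The posted configs make the first worth checking: every `dhcp` section hands out DHCP option 6 as `8.8.8.8,8.8.4.4`, so clients in those pools are told to resolve via Google directly rather than via the router, and dnsmasq never sees their lookups. As an added shell example (not part of the thread or of the vpn-policy-routing package), the script below checks both conditions against constructed copies of the two files above: it lists the DHCP pools whose option 6 points at something other than the router, and it reports which set a given name would be added to. The sample configs and the router addresses 192.168.1.1 and 192.168.3.1 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the two preconditions for dnsmasq to populate an ipset from an
# "ipset=" directive. Samples are constructed in the shape of the files posted
# above; 192.168.1.1 / 192.168.3.1 as router addresses are assumptions.

DNSMASQ_CONF='conf-file=/etc/dnsmasq.conf
ipset=/whatismyip.com/tun0route
ipset=/showip.net/hbonow.com/tun1route'

DHCP_CONF="config dhcp 'lan'
	option interface 'lan'
	list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'Guest'
	option interface 'Guest'
	list dhcp_option '6,192.168.3.1'

config odhcpd 'odhcpd'
	option maindhcp '0'

config dhcp 'USVPN'
	option interface 'USVPN'"

# ipset_for_name NAME CONF: print the set of every ipset= directive whose domain
# list matches NAME. A listed domain matches itself and any subdomain, so
# "www.whatismyip.com" matches "/whatismyip.com/" while "notwhatismyip.com"
# does not. Only answers dnsmasq itself resolves ever reach the set.
ipset_for_name() {
    printf '%s\n' "$2" | awk -v n="$1" '
        /^ipset=\// {
            sub(/^ipset=\//, "")
            nf = split($0, p, "/")        # p[1..nf-1] = domains, p[nf] = set(s)
            for (i = 1; i < nf; i++) {
                d = p[i]
                if (n == d || (length(n) > length(d) && substr(n, length(n) - length(d)) == "." d)) {
                    print p[nf]; break
                }
            }
        }'
}

# dhcp_dns_bypass UCI_CONF "ROUTER_ADDR ...": for every dhcp section, list the
# DHCP option 6 (DNS server) values that are not one of the router's own
# addresses. Clients in those pools query that server directly, so dnsmasq
# never sees the lookup and no ipset= directive can fire for them.
dhcp_dns_bypass() {
    printf '%s\n' "$1" | awk -v local="$2" -v q="'" '
        $1 == "config" && $2 == "dhcp" { sec = $3; gsub(q, "", sec); next }
        $1 == "config"                 { sec = ""; next }
        sec != "" && $1 == "list" && $2 == "dhcp_option" {
            v = $3; gsub(q, "", v)
            if (substr(v, 1, 2) != "6,") next
            n = split(substr(v, 3), srv, ",")
            for (i = 1; i <= n; i++)
                if (index(" " local " ", " " srv[i] " ") == 0)
                    print sec ": clients resolve via " srv[i]
        }'
}

for name in whatismyip.com www.whatismyip.com notwhatismyip.com hbonow.com; do
    set_name=$(ipset_for_name "$name" "$DNSMASQ_CONF")
    echo "$name -> ${set_name:-no ipset= directive matches}"
done
dhcp_dns_bypass "$DHCP_CONF" "192.168.1.1 192.168.3.1"
```

On a router the same two functions can be fed the live files with `ipset_for_name www.whatismyip.com "$(cat /var/etc/dnsmasq.conf.*)"` and `dhcp_dns_bypass "$(cat /etc/config/dhcp)" "<lan addresses>"`. A pool that shows up in the second list will never populate a domain-based set, however correct the `ipset=` lines are; the manual `ipset add` test earlier in the thread succeeds precisely because it does not depend on dnsmasq seeing the query.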