VPN Policy-Based Routing + Web UI - ARCHIVE #1

I'll update the README to reflect this.

Is anyone (besides @FCS001FCS) using OPR with a PPPoE WAN connection? Please let me know.

I am.

Post must be 10 characters.

Hi Stangri,

I'm getting the following error message when running OPR with an ipv6 rule:

ERROR: openvpn-policy-routing 4.1.4-25 unknown fw_mark for ipv6/wan!

The setup is a NAT6 with both DHCPv6 native and an OpenVPN tunnel with ipv6 addressing.

Route Inet6:

Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
::/0 fe80::ca0e:14ff:feac:15d6 UG 4096 2 49 eth0
2001:67c:1350:107::/64 :: U 256 0 0 tun0
2000::/3 :: U 1024 2 31271 tun0
dd64:136e:c623::/64 :: U 1024 2 472093 br-lan
dd64:136e:c623::/48 :: !n 2147483647 0 0 lo
fe80::/64 :: U 256 2 37 br-lan
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 wlan0
fe80::/64 :: U 256 0 0 wlan1
fe80::/64 :: U 256 0 0 tun0
::/0 :: !n -1 1 609884 lo
::1/128 :: Un 0 3 81 lo
2001:67c:1350:107::/128 :: Un 0 1 0 lo
2001:67c:1350:107::7/128 :: Un 0 3 1791 lo
2a02:810c:c640:1b5c:2e30:33ff:fe9c:b85f/128 :: Un 0 3 23 lo
dd64:136e:c623::/128 :: Un 0 1 0 lo
dd64:136e:c623::1/128 :: Un 0 3 5001 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::2e30:33ff:fe9c:b85e/128 :: Un 0 3 725 lo
fe80::2e30:33ff:fe9c:b85f/128 :: Un 0 3 11 lo
fe80::2e30:33ff:fe9c:b860/128 :: Un 0 1 0 lo
fe80::2e30:33ff:fe9c:b861/128 :: Un 0 1 0 lo
fe80::72e7:d90e:1e9b:6216/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 2 793 br-lan
ff00::/8 :: U 256 2 27 eth0
ff00::/8 :: U 256 2 356 wlan0
ff00::/8 :: U 256 2 356 wlan1
ff00::/8 :: U 256 0 0 tun0
::/0 :: !n -1 1 609884 lo

Hi Stangri,

I discovered that in a multi zone setup (lan, dmz, vpn, wan), in order to allow traffic from lan to dmz and back while using OPR, I had to add the following to my firewall config:

iptables -t mangle -I PREROUTING -s 172.30.40.0/24 -d 172.30.45.0/24 -j ACCEPT /dmz to lan/
iptables -t mangle -I PREROUTING -s 172.30.45.0/24 -d 172.30.40.0/24 -j ACCEPT /lan to dmz/

This bypasses OPR for the matched traffic. Could this be handled more gracefully?

You probably know more about multi-zone setup than I do, but maybe you can try putting these rules in OPR_CHAIN instead of PREROUTING chain (experiment with putting them at the top/bottom).

As far as ipv6 error is concerned, I'd appreciate if you PM me (or just use built-in paste.ee upload feature) the output of /etc/init.d/openvpn-policy-routing support (run /etc/init.d/openvpn-policy-routing for help).

Would it be possible to allow for commas in port policies? --dports allows for non-contiguous ranges, split by comma - at the moment there only seems to be a translation from - to : when catering for ranges.

As an example, Battle.net would require an end result of --dports 1119:1120,3478:3479,3724,4000,5060:5062,6112:6120,6250 - at the moment that requires 7 different entries in the config. Not essential, obviously, but it might clean a few things up.

I'm using the LuCI standard port field and it has its own requirements. Maybe consider raising a bug for LuCI?

Fair enough, I'll have a look and see if there's a simple change that can be made. Cheers!

You would likely need to craft a new datatype for LuCI...
There are "port" and "portrange"

I haven't checked yet, I would think that the firewall config would have something similar already.

Looks like that could be achieved by combining "list" and "portrange" datatypes.
Firewall seems to use "list(neg(portrange))"
Not quite sure what the "neg" modifier there does.
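The conversion discussed in the two posts above (LuCI port lists that write ranges with "-", iptables --dports that wants ":" ranges and comma-separated entries), as an added example that is not the package's or LuCI's own code: a POSIX sh function, to_dports, that validates every entry and rewrites it into --dports form. Beyond the thread's request it also enforces the multiport match's limit of 15 ports per rule, where a range counts as two ports, since that limit is what would make an over-long list fail at iptables time rather than in the form. The function names and the sample lists are assumptions made for this example. As for the neg() wrapper in LuCI's datatypes: it only permits an optional leading "!" on the value, which the firewall config uses to negate a port match.

```shell
#!/bin/sh
# Added example (not openvpn-policy-routing's code): LuCI port list -> iptables --dports list.
# Input:  "1119-1120,3478-3479,3724"   Output: "1119:1120,3478:3479,3724"
# Returns 1 on an invalid port, an inverted range, or more than 15 ports in one rule.

MAX_MULTIPORT=15   # iptables multiport: up to 15 ports per rule, a range counts as two

# valid_port <value>: true if value is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# to_dports <comma-separated spec>: prints the converted list on success
to_dports() {
    out=""
    count=0
    oldifs="$IFS"
    IFS=','
    set -- $1            # split the spec into positional parameters on commas
    IFS="$oldifs"        # restore immediately so early returns leave IFS intact
    for item; do
        case "$item" in
            *-*)
                lo="${item%%-*}"
                hi="${item#*-}"
                valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] || return 1
                item="$lo:$hi"
                count=$((count + 2)) ;;
            *)
                valid_port "$item" || return 1
                count=$((count + 1)) ;;
        esac
        [ "$count" -le "$MAX_MULTIPORT" ] || return 1
        out="${out:+$out,}$item"
    done
    printf '%s\n' "$out"
}

# Constructed sample: the Battle.net list from the thread, in LuCI's "-" notation
SAMPLE='1119-1120,3478-3479,3724,4000,5060-5062,6112-6120,6250'
to_dports "$SAMPLE"
```

The result of to_dports can be dropped straight into `-m multiport --dports` in the rule the service builds; a non-zero return should be reported as a policy error rather than producing a rule with a half-converted list.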


@hnyman thanks for that - I'll look into it.

@stangri - a different query - I've got an openvpn tunnel set up with dev pia0 and dev_type tun - the result is a tunnel interface but not one with a tun interface name prefix. With the alternate name, it doesn't show up in the gateway dropdown in the rules table - changing it to tun0 does. Are generic tunnel interfaces able to be added, or do I need to look at swapping to tunX permanently?

@tzarc that's the only way I know to figure out if the interface is a VPN interface. If you see/know of an elegant way out, please advise.

Thank you, changed to same datatype in luci-app-openvpn-policy-routing_git-17.080.69173-773734e27-7_all.ipk. Don't want to touch live router, but it didn't seem to generate any luci errors while loading existing policies.

@stangri: I have the following files present in /sys (changing depending on the interface name):

  • /sys/devices/virtual/net/tun0/tun_flags
  • /sys/devices/virtual/net/pia0/tun_flags

Perhaps a check on the existence of the tun_flags file for each interface? Shouldn't be too many to loop through.
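The check suggested above, as an added example that is neither part of the thread nor the package's own code: a POSIX sh function that treats any interface exposing a tun_flags attribute as a tunnel device, whatever its name. The tun driver publishes that attribute for every tun/tap device, and /sys/class/net/<iface>/tun_flags is the same file as the /sys/devices/virtual/net/<iface>/tun_flags path quoted in the post. The sysfs directory is a parameter so the stand-alone run uses a constructed tree (pia0 and tun0 carry tun_flags, eth0 and br-lan do not) instead of the live router; make_fake_sysfs and the flag values written into it are assumptions for that purpose only.

```shell
#!/bin/sh
# Added example (not openvpn-policy-routing's code): detect tunnel interfaces by the
# tun_flags sysfs attribute rather than by a "tun" name prefix.

# list_tun_ifaces [sysfs_net_dir]
# Prints the name of every interface directory that exposes tun_flags, one per line.
list_tun_ifaces() {
    dir="${1:-/sys/class/net}"
    for path in "$dir"/*; do
        [ -d "$path" ] || continue
        [ -f "$path/tun_flags" ] && basename "$path"
    done
}

# is_tun_iface <ifname> [sysfs_net_dir]
# Exit status 0 if the interface exposes tun_flags, 1 otherwise.
is_tun_iface() {
    [ -f "${2:-/sys/class/net}/$1/tun_flags" ]
}

# Constructed sysfs tree for a run without a router: two tun devices, two non-tun devices.
make_fake_sysfs() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/eth0" "$tmp/br-lan" "$tmp/pia0" "$tmp/tun0"
    printf '0x1001\n' > "$tmp/pia0/tun_flags"   # constructed value, not read from a device
    printf '0x1001\n' > "$tmp/tun0/tun_flags"
    printf '%s\n' "$tmp"
}

fake="$(make_fake_sysfs)"
list_tun_ifaces "$fake"      # prints: pia0 and tun0, one per line
rm -rf "$fake"
```

On a real router the functions are called without the directory argument; the gateway dropdown can then be filled from list_tun_ifaces, and a policy's gateway validated with is_tun_iface before the service builds its rules.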

@tzarc -- please try updating to openvpn-policy-routing_4.1.5-5_all.ipk and luci-app-openvpn-policy-routing_git-17.141.68918-5ca3864-8_all.ipk, it should detect your tunnel interfaces whatever the device name prefix is.

You would have to manually edit your current policies to reflect change in the gateway names.

Awesome! I'll give it a go tonight and report back. Thanks!

Curiosity got the better of me.

Seems to work fine for the most part, but when attempting to start/restart the service I get an error:
Thu May 25 16:03:12 2017 user.notice openvpn-policy-routing [11552]: ERROR: service unknown policy gateway (pia0)!

Corresponding /etc/init.d/openvpn-policy-routing support output is here: https://pastebin.com/38f4hH29

Default routing is set up to go through pia0route under normal circumstances, so I'd gather the default openvpn routes being pushed out routing is kicking in for it to be working correctly. Either way, much closer than before, and no problem specifying it in the luci-app page. Let me know if you want me to muck about with anything on my end. Cheers!

This patch seems to give me all-green output: https://pastebin.com/DxjsBsQW
Not sure if you've got a cleaner fix, but it works for me! Thanks again.

EDIT:
Unfortunately, I've had to swap back to vpnbypass as for some reason traffic over wanroute stops working after a few minutes. I'm effectively using it the same as vpnbypass, with all rules except for the last set up as wanroute, and the final as tun0route.
If you'd like any diagnostics I can throw OPR back on at any point - let me know if there's anything specific you'd like checked and I'll try and sort it out.


I've just installed OpenVPN and your policy based routing package.

I can start the Openvpn tunnel, and the tunnel tun0 is connected.

/etc/config/network looks like:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd2:d824:7631::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option xfer_mode 'ptm'
	option line_mode 'vdsl'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.129.1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '34:8a:ae:a3:36:6a'

config interface 'wan'
	option proto 'pppoe'
	option ipv6 'auto'
	option username 'xxxxxxxxxx'
	option password 'xxxxxx'
	option _orig_ifname 'ptm0'
	option _orig_bridge 'false'
	option ifname 'ptm0.101'

config device 'wan_dev'
	option name 'ptm0'
	option macaddr '34:8a:ae:a3:36:6b'

config interface 'wan6'
	option ifname 'pppoe-wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 4 6t'

config interface 'tun0'
	option ifname 'tun0'
	option proto 'none'
	option auto '1'

what I can't seem to do is to set the routing up to tun0 in the Luci OpenVPN Routing interface. Clearly I've missed out an important step ... (maybe the firewall setup?)

Please could you help me resolve this.

Thanks
David

It looks like the openvpn-policy-routing service wasn't running ...

Now however I can't get anything to connect over the VPN (probably my bad) - can't even do DNS.

When the tunnel is running I see:

root@LEDE:/etc/config# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.70.10.5 128.0.0.0 UG 0 0 0 tun0
default lo0.central10.p 0.0.0.0 UG 0 0 0 pppoe-wan
10.70.10.1 10.70.10.5 255.255.255.255 UGH 0 0 0 tun0
10.70.10.5 * 255.255.255.255 UH 0 0 0 tun0
104.238.169.85 lo0.central10.p 255.255.255.255 UGH 0 0 0 pppoe-wan
128.0.0.0 10.70.10.5 128.0.0.0 UG 0 0 0 tun0
192.168.129.0 * 255.255.255.0 U 0 0 0 br-lan
195.166.130.250 * 255.255.255.255 UH 0 0 0 pppoe-wan

OpenVPN config:

config openvpn 'PIA_VPN'
option client '1'
option dev 'tun'
option proto 'udp'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option cipher 'AES-128-CBC'
option auth 'SHA1'
option tls_client '1'
option remote_cert_tls 'server'
option auth_user_pass '/etc/openvpn/.secret'
option comp_lzo 'yes'
option verb '3'
option reneg_sec '0'
option crl_verify '/etc/openvpn/crl.rsa.2048.pem'
option ca '/etc/openvpn/ca.rsa.2048.crt'
option disable_occ '1'
option port '1198'
list remote '5.63.151.156'
list remote '104.238.169.85'
option enabled '1'

Thanks
Dave