I tend to only push the source when I'm ready to send a PR, so it will likely not contain the newest version or is recommended to be used until the package is accepted into official repo, but here you go: https://github.com/stangri/openwrt-packages/tree/vpn-policy-routing/net/vpn-policy-routing
In essence -- just use the vpn-policy-routing branch of my openwrt-packages.
> root@OpenWrt:~# /etc/init.d/vpn-policy-routing status
> vpn-policy-routing 0.0.1-18 running on Lede SNAPSHOT. WAN (IPv4): wan/dev/192.168.0.1. WAN (IPv6): wan/dev6/fe80::/64.
> ============================================================
> Dnsmasq version 2.79rc1 Copyright (c) 2000-2018 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify
> ============================================================
> Routes/IP Rules
> default 192.168.0.1 0.0.0.0 UG 0 0 0 eth1.2
> 32729: from all fwmark 0x10000 lookup 201
> 32730: from all fwmark 0x20000 lookup 202
> IPv4 Table 201: default via 192.168.0.1 dev eth1.2
> IPv4 Table 202:
> ============================================================
> IP Tables PREROUTING
> -N VPR_PREROUTING
> -A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
> ============================================================
> Current ipsets
> create wan hash:net family inet hashsize 1024 maxelem 65536 comment
> create pia hash:net family inet hashsize 1024 maxelem 65536 comment
> ============================================================That's not normal, with the VPN down, can you please post the output of:
dev=tun0
gw4="$(ip -4 route | grep -m1 ${dev} | awk '{print $3}')"; echo "$gw4";
gw4=$(ifconfig "$dev" 2>/dev/null | grep 'inet addr:' | grep 'P-t-P' | awk '{print $3}' | awk -F ":" '{print $2}'); echo "$gw4";Are l2tp tunnels supported?
Tunnels are made by xl2tpd by specifing proto 'l2tp' in /etc/config/network.
Awesome thanks. Any idea on when the package will be accepted into the official OpenWRT repo?
Do you also have the source of the luci package somewhere?
Please upgrade to vpn-policy-routing 0.0.1-18b01, test and let me know. Luci app version 17 should also support L2TP.
The only roadblock is user testing wherever it works with IPv6.
Check the openwrt-luci repo on my github and use the vpn-policy-routing branch.
I don't think the vpn was stopped when I ran the command. If I uncheck 'Enabled' under open vpn and hit stop. The VPN connection still starts right back up.
Not sure if the uTorrent uses a single static port. Maybe that's why it's not working. Otherwise I'm sorry, I have no idea.
Thanks @stangri, I will try another solution 
Great program, thanks for making life easier for us average folk 
0.0.1-18b01 works with l2tp.
I don't know what's the difference between gateway and interface in policy settings. Examples in README uses gateway. For me it doesn't work. Changing gateway to interface works.
Thanks for the report, README was outdated, fixed now. 
If you have a github account -- please let me know.
I have github, username is same as here - tymmej.
As I compile images myself it would be great if you could provide feed or repository with source code.
Thanks, I'll add you next time I update README.
The sources are available from https://github.com/stangri/openwrt_packages/. @simtre -- ignore my earlier post, I'll be moving to this new repo.
The main issue with ipv6 is getting ipv6 vpn to work with the router in the first place. Most commercial vpns will give a single ipv6 address which cannot be used on the router unless you do NAT. Those commercial ipv6 ips are meant only to be used on the client directly. You need to send a separate /64 to the router which it can use for assigning ips to the clients. I have the ability to do this now since my server has a /48, but I don't know what config or changes will be needed at the server and the router. I would like to try this out, but I can't promise a timeline.
I'm not sure, but I think I have one problem:
Restarting vpn-policy-routing clears ipsets. When client opens site which has policy (remote domain) it goes through default gateway. For me it looks like dnsmasq has IP address of domain in cache and does not add it to ipset (I checked vpn-policy-routing status). Restarting dnsmasq does not help. Rebooting router helps.
Should I use reload instead of restart? Is there any way to force dnsmasq to add IP addresses to ipset?
Jakub,
I'd suspect the client cache is the reason for this behaviour. AFAIK restarting dnsmasq clears its cache. If you find evidence to the contrary, please let me know. dnsmasq should start filling ipsets again on request from a client or when idle.
What I was doing yesterday:
It was maximum 3 minutes from 2nd to last step.
Policy was:
remote_addresses 'ipinfo.io'
interface 'l2tp'
I'll test it again afternoon.
I'm having a really bad time trying to make my scenario working: an SSID (192.168.1.0/24) routed through WAN and another SSID (192.168.2.0/24) routed through an OpenVPN tun0.
The clients on the VPN SSID get the IP address, but there's no Internet available for them. Also, the tun0 interface has "RX: 0 B (0 Pkts.)", while the TX keeps on increasing.
My doubt is that is a firewall rule missing, but I'm not sure about it and I honestly don't know what else to do.
I post here my configuration, hoping that somebody could help me
/etc/config/network
...
config interface 'VPN_tun'
option proto 'none'
option ifname 'tun0'
option auto '1'
config interface 'VPN_wifi'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
...
/etc/config/firewall
...
config zone
option name 'VPN_wifi'
option network 'VPN_wifi'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'ACCEPT'
config rule
option name 'Allow DNS Queries from VPN_wifi'
option src 'VPN_wifi'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule
option name 'Allow DHCP request from VPN_wifi'
option src 'VPN_wifi'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'VPN_tun'
option src 'VPN_wifi'
config zone
option name 'VPN_tun'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'VPN_tun'
...
/etc/config/vpn-policy-routing
config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '0'
option ipset_enabled '1'
option dnsmasq_enabled '0'
option strict_enforcement '1'
option enabled '1'
config policy
option local_addresses '192.168.1.0/24'
option interface 'wan'
option comment 'WAN'
config policy
option comment 'VPN'
option local_addresses '192.168.2.0/24'
option interface 'VPN_tun'
I really hope somebody could help me.
Thanks in advance
Try to add forwarding from lan to vpn.
In configured my vpn as described in step 4 here: https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client.
It doesn't work. Also, I forgot to add in the previous post the VPN_wifi -> VPN_tun forwarding rule.
I solved the issue, anyway. However, I have no idea how