Hi @stangri, yes this seems to be the case. If I remove the local policy as you suggested, traffic from all the computers in my network now routes over the VPN tunnel. I also noticed the same if I disable vpn-policy-routing: all traffic goes directly over the VPN tunnel.
I hope this sheds some light on the issue, let me know what I should test next. And thanks again for your help!
D
@Dewey -- if that's the case, you will need some extra settings. I've written a wiki page for "OpenVPN client & server at the same time", but with the wiki re-org I don't know where it went; try to google it.
@headless-cross -- search this thread (and possibly the archive linked from OP). Someone has posted what it takes to route netflix traffic before.
Hi @stangri, thanks for the quick response. This wasn't the issue (I don't need the server component), but upon searching your topic I discovered the terms 'redirect-gateway' and 'def1', which led me to learn that my VPN provider controls the routing when the connection is made. By adding the below to my VPN config and then having your service on, everything now works!!!

    pull-filter ignore redirect-gateway
    route 10.0.0.101 255.255.255.0

I've spent days trying to solve this! As a total noob I don't truly understand why I need the route line AND your policy component in order for it to work, but it does, and so I'm happy and I learnt a lot in the process.
Thanks again for all your help!! Much appreciated.
D
Hi, I have a problem with this package. My Apple TV uses the VPN interface and other clients use WAN. When I watch a movie online with my iPhone the traffic goes through WAN correctly, but when I stream from the iPhone to the Apple TV it uses the VPN interface. In this situation the traffic is local and comes through WAN to the iPhone, but it goes through the VPN also. I'd appreciate some help.
Thanks.
Hi all,
I am having an issue where the service does not recognise 'wan' as a valid interface.
/etc/config/vpn-policy-routing:
config policy
    option interface 'wan'
    option comment 'Local Traffic'
    option local_addresses '192.168.52.1/24'
    option remote_addresses '192.168.51.1/24'

config policy
    option interface 'wan'
    option comment 'Der XBOX'
    option local_addresses '192.168.52.95'
    option local_ports '0-65535'
    option remote_addresses '0.0.0.0/0'
    option remote_ports '0-65535'

config policy
    option comment 'Internet Traffic'
    option local_addresses '192.168.52.1/24'
    option remote_addresses '0.0.0.0/0'
    option interface 'nordvpntun'

config vpn-policy-routing 'config'
    option verbosity '2'
    option ipv6_enabled '0'
    option strict_enforcement '1'
    option enabled '1'
    option dnsmasq_enabled '1'
/etc/init.d/vpn-policy-routing support:
vpn-policy-routing 0.0.1-25 running on LEDE 17.01.4. WAN (IPv4): lan/dev/192.168.51.254. WAN (IPv6): lan/dev6/::/0.
============================================================
Dnsmasq version 2.78 Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default 10.8.8.1 128.0.0.0 UG 0 0 0 tun0
default 192.168.51.254 0.0.0.0 UG 0 0 0 br-wan
32748: from all fwmark 0x20000 lookup 202
32749: from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via 192.168.51.254 dev br-wan
IPv4 Table 202: default via 10.8.8.1 dev tun0
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.52.0/24 -m comment --comment Internet_Traffic -c 103998 50208846 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set lan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create lan hash:net family inet hashsize 1024 maxelem 65536 comment
create nordvpntun hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
/etc/init.d/vpn-policy-routing reload
Creating table 'lan/br-lan/192.168.51.254' [✓]
Creating table 'nordvpntun/tun0/10.8.8.1' [✓]
Routing 'Local Traffic' via wan [✗]
Routing 'Der XBOX' via wan [✗]
Routing 'Internet Traffic' via nordvpntun [✓]
vpn-policy-routing 0.0.1-25 started on lan/br-lan/192.168.51.254 nordvpntun/tun0/10.8.8.1 with errors [✗]
ERROR: policy 'Local Traffic' has an unknown interface: wan!
ERROR: policy 'Der XBOX' has an unknown interface: wan!
vpn-policy-routing 0.0.1-25 monitoring interfaces: lan nordvpntun [✓]
In ifconfig, I have a br-wan interface, and under the interfaces section in LEDE, WAN appears as a network along with LAN and NORDVPNTUN. I have tried manually editing the config file changing 'wan' to 'br-wan', but that does not solve the issue.
Any advice appreciated.
Thanks.
Last few posters -- I'm not ignoring you guys (and girls, as the case may be), but May turned out to be very eventful for me.
People with the br-wan and other not properly identified interfaces -- please post more about your devices/configurations and the output of ifconfig and ip -4 route.
I could be mistaken, but AFAIK the phone doesn't stream to the Apple TV; the phone sends a URL to the Apple TV so that the Apple TV starts its own stream. Hence the VPN interface.
It's a Linksys WRT1900AC running LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685). WAN is connected through the 'Internet' (ethernet) port.
ifconfig:
br-lan    Link encap:Ethernet  HWaddr 94:10:3E:18:65:0E
          inet addr:192.168.52.254  Bcast:192.168.52.255  Mask:255.255.255.0
          inet6 addr: fe80::9610:3eff:fe18:650e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:671762 errors:0 dropped:0 overruns:0 frame:0
          TX packets:582673 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:362855157 (346.0 MiB)  TX bytes:206603684 (197.0 MiB)

br-wan    Link encap:Ethernet  HWaddr 94:10:3E:18:65:0E
          inet addr:192.168.51.246  Bcast:192.168.51.255  Mask:255.255.255.0
          inet6 addr: fe80::9610:3eff:fe18:650e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:648502 errors:0 dropped:0 overruns:0 frame:0
          TX packets:684236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:230737905 (220.0 MiB)  TX bytes:407024539 (388.1 MiB)

eth0      Link encap:Ethernet  HWaddr 94:10:3E:18:65:0E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:692926 errors:0 dropped:0 overruns:0 frame:0
          TX packets:581763 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:373263482 (355.9 MiB)  TX bytes:205876159 (196.3 MiB)
          Interrupt:27

eth1      Link encap:Ethernet  HWaddr 94:10:3E:18:65:0E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:648503 errors:0 dropped:0 overruns:0 frame:0
          TX packets:684236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:239816987 (228.7 MiB)  TX bytes:407024539 (388.1 MiB)
          Interrupt:28

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:1893 (1.8 KiB)  TX bytes:1893 (1.8 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.8.171  P-t-P:10.8.8.171  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:580172 errors:0 dropped:0 overruns:0 frame:0
          TX packets:685727 errors:0 dropped:4053 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:197674015 (188.5 MiB)  TX bytes:361362822 (344.6 MiB)

wlan0     Link encap:Ethernet  HWaddr 94:10:3E:18:65:0F
          inet6 addr: fe80::9610:3eff:fe18:650f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1604 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:307878 (300.6 KiB)

wlan1     Link encap:Ethernet  HWaddr 94:10:3E:18:65:10
          inet6 addr: fe80::9610:3eff:fe18:6510/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1053 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2598 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:306866 (299.6 KiB)  TX bytes:1068971 (1.0 MiB)
ip -4 route
0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.51.254 dev br-wan proto static src 192.168.51.246
10.8.8.0/24 dev tun0 proto kernel scope link src 10.8.8.171
45.248.79.132 via 192.168.51.254 dev br-wan
128.0.0.0/1 via 10.8.8.1 dev tun0
192.168.51.0/24 dev br-wan proto kernel scope link src 192.168.51.246
192.168.51.254 dev br-wan proto static scope link src 192.168.51.246
192.168.52.0/24 dev br-lan proto kernel scope link src 192.168.52.254
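The two /1 routes in the dump above (0.0.0.0/1 and 128.0.0.0/1 via tun0) are exactly what an OpenVPN client installs when the server pushes redirect-gateway def1, the setting the earlier poster neutralised with pull-filter ignore redirect-gateway; the /32 route to the VPN server via 192.168.51.254 is OpenVPN's companion host route that keeps the tunnel's own packets on the WAN. Anything vpn-policy-routing does not mark falls through to the main table, where those two routes win over the real default. The following is an added example in Python, not code from this thread or from the vpn-policy-routing package: it parses an ip -4 route dump, flags a def1 override, lists the pinned VPN endpoints, and replays the fwmark logic from the support output posted earlier (first matching VPR_PREROUTING rule sets the mark, the fwmark ip rule picks table 201 or 202). The route dump and the mark rules are constructed from the output posted in this thread; the rule table only contains the one policy that actually loaded, since the two 'wan' policies failed.

```python
"""Where does a packet actually leave the router?

Added example, not code from the thread or from vpn-policy-routing.
SAMPLE_ROUTES and the mark/table maps are constructed from output posted
in this thread; ipset-based marks from the support output are omitted."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the main-table 'ip -4 route' dump posted above.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.51.254 dev br-wan proto static src 192.168.51.246
10.8.8.0/24 dev tun0 proto kernel scope link src 10.8.8.171
45.248.79.132 via 192.168.51.254 dev br-wan
128.0.0.0/1 via 10.8.8.1 dev tun0
192.168.51.0/24 dev br-wan proto kernel scope link src 192.168.51.246
192.168.51.254 dev br-wan proto static scope link src 192.168.51.246
192.168.52.0/24 dev br-lan proto kernel scope link src 192.168.52.254
"""

# Constructed from the VPR_PREROUTING / 'ip rule' part of the support output:
# only the 'Internet Traffic' policy loaded, so only one mark rule exists.
VPR_MARK_RULES = [("192.168.52.0/24", 0x20000)]       # first match sets the mark
FWMARK_TABLES: Dict[int, str] = {0x10000: "br-wan",    # table 201
                                 0x20000: "tun0"}      # table 202


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    via: Optional[str]
    dev: str


_ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_ip4_route(text: str) -> List[Route]:
    """Parse 'ip -4 route' lines; 'default' becomes 0.0.0.0/0, bare hosts become /32."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append(Route(ipaddress.ip_network(dst, strict=False), m.group("via"), m.group("dev")))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match within one table (metrics ignored)."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def def1_override(routes: List[Route]) -> Optional[str]:
    """Device that owns both 0.0.0.0/1 and 128.0.0.0/1, i.e. a redirect-gateway def1 override."""
    halves: Dict[str, set] = {}
    for r in routes:
        if r.dst.prefixlen == 1:
            halves.setdefault(r.dev, set()).add(str(r.dst))
    for dev, nets in halves.items():
        if nets == {"0.0.0.0/1", "128.0.0.0/1"}:
            return dev
    return None


def endpoint_bypass_routes(routes: List[Route], wan_dev: str) -> List[str]:
    """Host routes pinned to the WAN gateway: OpenVPN adds one for the VPN server itself."""
    return [str(r.dst.network_address) for r in routes
            if r.dst.prefixlen == 32 and r.via and r.dev == wan_dev]


def route_for(routes: List[Route], src: str, dst: str) -> Optional[str]:
    """Egress device: VPR mark + fwmark table if the source matches a policy, else the main table."""
    s = ipaddress.ip_address(src)
    for net, mark in VPR_MARK_RULES:
        if s in ipaddress.ip_network(net):
            return FWMARK_TABLES[mark]
    r = lookup(routes, dst)
    return r.dev if r else None


if __name__ == "__main__":
    routes = parse_ip4_route(SAMPLE_ROUTES)
    dev = def1_override(routes)
    if dev:
        print(f"main-table default is overridden by def1 routes on {dev}; "
              "add 'pull-filter ignore redirect-gateway' to the client config")
    print("VPN endpoint(s) pinned to WAN:", endpoint_bypass_routes(routes, "br-wan"))
    for src in ("192.168.52.95", "192.168.51.246"):
        print(f"{src} -> 8.8.8.8 leaves via {route_for(routes, src, '8.8.8.8')}")
```

Run against the posted dump it reports the tun0 override, the pinned endpoint 45.248.79.132, and that both the XBOX (no 'wan' policy loaded, so it matches the /24 rule) and the router's own unmarked traffic leave via tun0; strip the two /1 routes and unmarked traffic goes back to br-wan. pull-filter needs OpenVPN 2.4 or later.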
I have been using this service for more than a year with great success. However, my ISP has started throttling UDP traffic to fight VoIP, and this has affected OpenVPN. To bypass this throttling I moved OpenVPN to TCP and the speed was dramatically reduced. To improve speed, I modified the OpenVPN configuration:
- Protocol: from udp to tcp
- Cipher: from AES-256 to none
Then I tunneled the OpenVPN link over a shadowsocks proxy to maintain encrypted, secured communications. This configuration has improved my speed noticeably and now it is even faster than the speed I had with UDP only. Now I want to have 3 routes:
- Route #1: devices that use OpenVPN over shadowsocks (VoIP devices)
- Route #2: shadowsocks only (only bypass geolocation services for some devices)
- Route #3: direct WAN.
I managed to get this working by starting the services in order:
(1) shadowsocks - which implements its own access control and policy routing. It will route through shadowsocks or directly to the internet based on the configured policies.
(2) VPN policy routing, including in the policies ONLY those devices that will be routed via OpenVPN.
The problem comes when the shadowsocks server restarts and rewrites the iptables rules: the devices that were routed using vpn-policy-routing lose internet connection until I manually restart the service.
Is there a way to add dependencies on other services (like shadowsocks) so that when that service is restarted, vpn-policy-routing is also restarted?
Similar to an OpenVPN restart, which triggers a vpn-policy-routing restart right afterwards.
It is also not ideal to manage policies via two services/LuCI interfaces, so any idea that could help to define clearer routing policies would be welcome.
Khm, the br-wan part is intriguing. Can you please post your /etc/config/network?
I'm not familiar with shadowsocks, I'm guessing it doesn't create its own interface -- does it?
Maybe ucitrack could help; sadly I don't have time to look into it.
Surely.
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fde6:4fb7:e5c8::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0'
    option proto 'static'
    option netmask '255.255.255.0'
    option delegate '0'
    option dns '192.168.52.252'
    option ipaddr '192.168.52.254'
    option gateway '192.168.51.254'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'
    option delegate '0'
    option type 'bridge'

config interface 'wan6'
    option ifname 'eth1'
    option proto 'dhcpv6'
    option reqaddress 'none'
    option reqprefix 'no'
    option auto '0'
    option delegate '0'
    option defaultroute '0'
    option peerdns '0'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 6'

config interface 'nordvpntun'
    option proto 'none'
    option ifname 'tun0'
    option delegate '0'
    option auto '1'
If you think it would help, I can try deleting the extant configuration and try setting that interface up again.
Thanks.
Are you really bridging multiple ifnames for WAN? If not, try removing the quoted line from the WAN interface and rebooting the router.
I wasn't - I suspect that's the default configuration to support IPv6 traffic. I added the 'wan' interface under advanced settings, so I have managed to change the errors I'm getting.
A reload command now gives:
Creating table 'lan/br-lan/192.168.51.254' [✓]
Creating table 'wan/eth1/0.0.0.0' [✗]
Creating table 'nordvpntun/tun0/10.8.8.1' [✓]
Routing 'Der XBOX' via wan [✓]
Routing 'Internet Traffic' via nordvpntun [✓]
vpn-policy-routing 0.0.1-25 started on lan/br-lan/192.168.51.254 nordvpntun/tun0/10.8.8.1 with errors [✗]
ERROR: Failed to set up 'wan/eth1/0.0.0.0'
vpn-policy-routing 0.0.1-25 monitoring interfaces: lan wan nordvpntun [✓]
That said, everything appears to be working.
Looks like VPR is detecting your LAN interface as WAN. Probably due to having gateway manually configured for that interface.
I have updated the gateway and WAN detection logic in 0.0.2-1, that build might work better for you.
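The two things stangri pointed at in this exchange (a static LAN interface carrying option gateway, and a 'wan' interface declared as type bridge over a single ifname, which is why the device showed up as br-wan instead of eth1) are both visible in the posted /etc/config/network, and the 'unknown interface' errors come from policies naming an interface VPR did not set up a table for. The following is an added example in Python, not code from this thread or from the vpn-policy-routing package: a minimal UCI reader plus a checker that flags those two configuration patterns and any policy whose interface the network config does not define. The two config samples are constructed from the configs posted above, trimmed to the relevant sections; the check function and its wording are assumptions of this example, not VPR's own detection logic.

```python
"""Sanity-check /etc/config/network against /etc/config/vpn-policy-routing.

Added example, not code from the thread or from vpn-policy-routing.
NETWORK_SAMPLE and VPR_SAMPLE are constructed from configs posted above."""
import shlex
from typing import Dict, List

NETWORK_SAMPLE = """\
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.52.254'
    option gateway '192.168.51.254'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'
    option type 'bridge'

config interface 'nordvpntun'
    option proto 'none'
    option ifname 'tun0'
"""

VPR_SAMPLE = """\
config policy
    option interface 'wan'
    option comment 'Local Traffic'
    option local_addresses '192.168.52.1/24'
    option remote_addresses '192.168.51.1/24'

config policy
    option interface 'wan'
    option comment 'Der XBOX'
    option local_addresses '192.168.52.95'

config policy
    option comment 'Internet Traffic'
    option local_addresses '192.168.52.1/24'
    option interface 'nordvpntun'
"""


def parse_uci(text: str) -> List[Dict[str, object]]:
    """Minimal UCI reader: one dict per 'config' section holding '_type', '_name'
    and its options; 'list' entries accumulate into Python lists. Values are
    split with shell quoting rules, which is what UCI uses."""
    sections: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            sections.append({"_type": parts[1], "_name": parts[2] if len(parts) > 2 else None})
        elif parts[0] == "option" and sections:
            sections[-1][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and sections:
            sections[-1].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def check_vpr(network_text: str, vpr_text: str, wan_name: str = "wan") -> List[str]:
    """Return human-readable findings; an empty list means nothing obviously wrong.
    The checks encode the advice given in the thread, not VPR's own detection code."""
    ifaces = {s["_name"]: s for s in parse_uci(network_text)
              if s["_type"] == "interface" and s["_name"]}
    findings: List[str] = []
    for name, s in ifaces.items():
        # A non-WAN static interface with its own gateway is what made VPR treat LAN as WAN.
        if s.get("proto") == "static" and "gateway" in s and name != wan_name:
            findings.append(f"interface '{name}' is static with 'option gateway' set; "
                            "VPR can mistake it for the WAN (drop it unless it really is the uplink)")
        # A bridged WAN over one ifname yields a br-<name> device instead of the raw port.
        if name == wan_name and s.get("type") == "bridge" and len(str(s.get("ifname", "")).split()) == 1:
            findings.append(f"interface '{name}' is 'type bridge' over a single ifname; "
                            f"the kernel device will be br-{name}, not {s['ifname']}")
    for p in parse_uci(vpr_text):
        if p["_type"] != "policy":
            continue
        label = p.get("comment", "<no comment>")
        target = p.get("interface")
        if not target:
            findings.append(f"policy '{label}' has no 'option interface'")
        elif target not in ifaces:
            findings.append(f"policy '{label}' references unknown interface '{target}'")
    return findings


if __name__ == "__main__":
    for line in check_vpr(NETWORK_SAMPLE, VPR_SAMPLE) or ["no findings"]:
        print("-", line)
```

On the posted configs it reports exactly the two findings stangri raised; rename a policy's interface to something the network config lacks and the third check fires instead.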
I'm trying to get a simple setup working, and have used vpn-policy-routing instead of mwan3 since it seems to be the future.
My goal is to have a network with VPN for some devices for Amazon Prime US and Netflix US, whilst another network will go directly via the WAN port.
I've got the network going via VPN working ok, however the non-VPN network then cannot access Netflix? Is this a known problem? I want both networks to be able to access Netflix, one via the VPN (US) and one without (local Netflix library).
Is this a known issue? Are there workarounds for my situation?
/etc/config/vpn-policy-routing
config vpn-policy-routing 'config'
    option verbosity '2'
    option ipv6_enabled '0'
    option strict_enforcement '1'
    option dnsmasq_enabled '1'
    option udp_proto_enabled '1'
    option enabled '1'

config policy
    option interface 'wan'
    option local_addresses '192.168.50.0/24'
    option comment 'default'

config policy
    option local_addresses '192.168.55.0/24'
    option interface 'nordvpn_us'
    option comment 'vpn_us'
ip -4 route
default via 187.X.X.X dev pppoe-wan proto static metric 10
187.X.X.X dev pppoe-wan proto kernel scope link src 191.X.X.X
192.168.50.0/24 dev br-lan proto kernel scope link src 192.168.50.1
192.168.55.0/24 dev wlan0-1 proto kernel scope link src 192.168.55.1
I also have difficulty connecting to Amazon.com on the non-VPN network.
Could there be some issue with DNS leaking?
Awesome, I appreciate that - any idea of when you will have it in your repo?
For reference, a factory reset of the router and reconfiguration of everything has fixed all my issues.
Thanks all.
Hi, can someone produce a full guide for someone who has no understanding of networking on how to set up two wifi networks, one with a OpenVPN client and one without, on LEDE? I will gladly pay someone to help me with setup.
I just pushed the vpn-policy-routing 0.0.2-3 to my repo, where you can specify a "physical device" (like wlan1 or wlan0-1) as the "local address/device". I haven't tested it yet tho.
Has anyone on 18.06 (either snapshot or rc1) tested this with flow_offloading (either sw or hw) enabled?