VPN Policy-Based Routing + Web UI -- Discussion

No sorry mate, essential app you've created though, really, amazing!!!

Thank you

Hi, I hope this is the right place to ask this. Please direct me to the right discussion if I'm wrong.

First, thanks for this add-on. It was what I was looking for a long time without having to setup my own routing rules.

I have, perhaps, a unique network setup for which I'm trying to expand its functionality. I have two VPN tunnels: an OpenVPN and a tinc. The OpenVPN interface is what allows me to tunnel to the remote office. Tinc, on the other hand, is what links a bunch of other local networks together such that we can all see each other as if we are all local.

I have one computer locally that needs to be connected to the office all the time. Using this "VPN Policy-Based Routing" add-on, all traffic from this computer is directed to the OpenVPN interface (which works great!). However, this severs the computer from accessing the tinc interface (understandably). I tried adding a policy to direct traffic to a certain IP range through the tinc interface (since this add-on seems to detect it) from this computer's IP, but it did not work.

One clue perhaps is that there is no "Table" created for the tinc interface?

If I don't set a policy to direct all traffic from this computer to OpenVPN, then this computer can see all other hosts from other networks. So, I know the tinc and the route I set for it are working. Is the trick perhaps getting this application to recognize tinc? I'm not sure what the problem is. Sorry for my basic network knowledge. I hope someone can enlighten me.

rebels is the name of the tinc interface.
tun0 is the name of the OpenVPN interface.
192.168.1.102 is the IP address of the computer in question.
192.168.0.1/24 is the IP range of the hosts through tinc.

ifconfig

br-lan    Link encap:Ethernet  HWaddr 62:38:E0:D8:D0:11
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:31556187 errors:0 dropped:0 overruns:0 frame:0
          TX packets:37448738 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6403573097 (5.9 GiB)  TX bytes:63278764418 (58.9 GiB)

eth0      Link encap:Ethernet  HWaddr 62:38:E0:D8:D0:11
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27021179 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32906113 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:6833664273 (6.3 GiB)  TX bytes:47159364955 (43.9 GiB)
          Interrupt:37

eth0.1    Link encap:Ethernet  HWaddr 62:38:E0:D8:D0:11
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26789812 errors:0 dropped:94 overruns:0 frame:0
          TX packets:32905736 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6337828729 (5.9 GiB)  TX bytes:47027714051 (43.7 GiB)

eth1      Link encap:Ethernet  HWaddr 60:38:E0:D8:D0:11
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:137933046 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38260432 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:71628657396 (66.7 GiB)  TX bytes:8498547982 (7.9 GiB)
          Interrupt:36

eth1.2    Link encap:Ethernet  HWaddr 60:38:E0:D8:D0:11
          inet addr:xxx.xxx.xxx.150  Bcast:xxx.xxx.xxx.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:107701787 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38250207 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:67598057626 (62.9 GiB)  TX bytes:8344831148 (7.7 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:69025 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69025 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11565429 (11.0 MiB)  TX bytes:11565429 (11.0 MiB)

rebels    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.1  P-t-P:192.168.1.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:973 errors:0 dropped:0 overruns:0 frame:0
          TX packets:151716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:552697 (539.7 KiB)  TX bytes:4941500 (4.7 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.36.0.14  P-t-P:10.36.0.13  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:14351913 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8370470 errors:0 dropped:443 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:17307236251 (16.1 GiB)  TX bytes:549450947 (523.9 MiB)

wlan0     Link encap:Ethernet  HWaddr 62:38:E0:D8:D0:22
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3081450 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7110371 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:415870005 (396.6 MiB)  TX bytes:9821893232 (9.1 GiB)

wlan1     Link encap:Ethernet  HWaddr 62:38:E0:D8:D0:33
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2212578 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5300067 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:178657630 (170.3 MiB)  TX bytes:7670412847 (7.1 GiB)

ip -4 route

default via xxx.xxx.xxx.1 dev eth1.2 proto static src xxx.xxx.xxx.150
10.36.0.13 dev tun0 proto kernel scope link src 10.36.0.14
xxx.xxx.xxx.0/23 dev eth1.2 proto kernel scope link src xxx.xxx.xxx.150
192.168.0.0/24 dev rebels scope link
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1

/etc/init.d/vpn-policy-routing support

vpn-policy-routing 0.0.2-3 running on Lede SNAPSHOT. WAN (IPv4): wan/dev/xxx.xxx.xxx.1.
============================================================
Dnsmasq version 2.80test2  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         xxx.xxx.xxx.1    0.0.0.0         UG    0      0        0 eth1.2
32736:  from all fwmark 0x30000 lookup 203
32737:  from all fwmark 0x20000 lookup 202
32738:  from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via xxx.xxx.xxx.1 dev eth1.2
IPv4 Table 202: default via 192.168.1.1 dev br-lan
IPv4 Table 203: default via 10.36.0.13 dev tun0
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.102/32 -m comment --comment Naboo-Office -c 50035 4339908 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 192.168.1.102/32 -d 192.168.0.0/24 -m comment --comment Naboo-Tinc -c 5 420 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set rebels dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create rebels hash:net family inet hashsize 1024 maxelem 65536 comment
create openvpn hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
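An added example, not code from the thread or from vpn-policy-routing, that replays the VPR_PREROUTING MARK rules, the ip rules and the per-table defaults from the support output above for a constructed source/destination pair and reports which table and device a flow lands on. It assumes the ipset rules never matched (their counters are 0) and that each VPR table holds only the default route shown.

```python
import ipaddress
import re

# Rules constructed from the VPR_PREROUTING dump above; the ipset rules are left
# out because their counters (-c 0 0) show they never matched.
IPTABLES_RULES = [
    "-A VPR_PREROUTING -s 192.168.1.102/32 -m comment --comment Naboo-Office "
    "-j MARK --set-xmark 0x30000/0xff0000",
    "-A VPR_PREROUTING -s 192.168.1.102/32 -d 192.168.0.0/24 -m comment "
    "--comment Naboo-Tinc -j MARK --set-xmark 0x20000/0xff0000",
]
# ip rules from the support output: (priority, fwmark, table); lower priority first.
IP_RULES = [(32736, 0x30000, 203), (32737, 0x20000, 202), (32738, 0x10000, 201)]
# Default route of each VPR table as printed: table -> (gateway, device).
TABLES = {201: ("xxx.xxx.xxx.1", "eth1.2"),
          202: ("192.168.1.1", "br-lan"),
          203: ("10.36.0.13", "tun0")}
# Main routing table from the 'ip -4 route' output (longest prefix wins).
MAIN_ROUTES = [(ipaddress.ip_network("192.168.0.0/24"), "rebels"),
               (ipaddress.ip_network("192.168.1.0/24"), "br-lan"),
               (ipaddress.ip_network("0.0.0.0/0"), "eth1.2")]
_SET_XMARK = re.compile(r"--set-xmark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


def parse_rule(rule):
    """Pull the -s / -d prefixes and the MARK value/mask out of one -A line."""
    src = re.search(r"\s-s (\S+)", rule)
    dst = re.search(r"\s-d (\S+)", rule)
    value, mask = _SET_XMARK.search(rule).groups()
    return {"src": ipaddress.ip_network(src.group(1)) if src else None,
            "dst": ipaddress.ip_network(dst.group(1)) if dst else None,
            "value": int(value, 16), "mask": int(mask, 16)}


def final_mark(src, dst, rules=IPTABLES_RULES):
    """Walk the chain top to bottom. MARK is a non-terminating target, so every
    matching rule rewrites the masked bits and the last match sets the fwmark."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = 0
    for rule in rules:
        r = parse_rule(rule)
        if r["src"] is not None and src_ip not in r["src"]:
            continue
        if r["dst"] is not None and dst_ip not in r["dst"]:
            continue
        mark = (mark & ~r["mask"]) | (r["value"] & r["mask"])
    return mark


def lookup_table(mark, ip_rules=IP_RULES):
    """Policy rules are consulted in priority order; first fwmark match wins.
    None means no rule matched and the packet falls through to the main table."""
    for _prio, fwmark, table in sorted(ip_rules):
        if mark == fwmark:
            return table
    return None


def egress(src, dst):
    """Return (table, device) for one flow: the VPR table chosen by the fwmark,
    or 'main' plus the longest-prefix match when no mark was set."""
    table = lookup_table(final_mark(src, dst))
    if table is not None:
        return table, TABLES[table][1]
    dst_ip = ipaddress.ip_address(dst)
    best = max((n for n, _ in MAIN_ROUTES if dst_ip in n), key=lambda n: n.prefixlen)
    return "main", dict(MAIN_ROUTES)[best]


if __name__ == "__main__":
    # Constructed flows: the policy-routed host to a tinc host, another LAN host
    # to the same tinc host, and the policy-routed host to the internet.
    for flow in [("192.168.1.102", "192.168.0.50"),
                 ("192.168.1.50", "192.168.0.50"),
                 ("192.168.1.102", "8.8.8.8")]:
        print(flow, "->", egress(*flow))
```

The replay shows the Naboo-Tinc rule does rewrite the mark to 0x20000, but table 202 as printed sends that flow out br-lan rather than rebels, while an unmarked LAN host reaches the same destination through the main table's rebels route.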

Did you manually configure VPR to support the rebels/tinc interface or did it auto-detect it?

I'm far from being an expert on routing in general, but I find it confusing that the tinc interface has an IP/PtP of 192.168.1.1. I wonder what IP range you have configured in network.lan.ipaddr?

But I digress; judging by the counters, some traffic is being marked for Naboo-Tinc (-c 5 420).

Thanks for your reply. I let VPR auto-detect it. (It was in the Interface selection dropdown in LuCI VPR.) I did not even realize there is a way to manually configure VPR. Is there a manual on how to manually configure VPR?

Perhaps it's just VPR not detecting tinc interface correctly?

network.lan.ipaddr is set to 192.168.1.1

If you look at the ifconfig rebels both the inet addr and PtP are 192.168.1.1, should they not be 192.168.0.1?

Thank you for the reply. I think it is correct being on 192.168.1.1. The way tinc works, to the best of my knowledge (which is limited :sweat_smile:), you specify the IP address of the machine that's running tincd.

I admit it looks kinda funny, but all the tinc documentation shows the setup that way. To make the idea more concrete, all other hosts on the network (the ones that are not 192.168.1.102) can access all the hosts on 192.168.0.1/24 through tinc, and vice versa. So I think in terms of tinc setup, it works fine. I should also mention that tinc adds a route during startup as well:
route add -net 192.168.0.0 dev rebels

Which I think routes traffic that targets 192.168.0.0/24 to rebels, which is my tinc interface.

I think I'm messing up the setup for VPR. I just don't know how or what. :sob:

How do I manually configure VPR with an interface that it doesn't detect at all or correctly? Perhaps I can investigate from there?

README has a description of all settings.

Is it possible to include a firewall zone rule for LAN to WAN but force all traffic from one device to use the VPN and stop any leaks using this?

If you're good with firewall rules and need only one device routed via VPN, you may not even need this.

I am a bit lost here. I have followed the guides and I believe I have it configured properly, but everything I do does not result in a successful bypass of the VPN connection. I am attaching the requested info below. "ERROR: Failed to set up 'wan/eth1.2/0.0.0.0'" looks suspicious and I'm not sure how to adjust that. Any advice on how to proceed from here would be greatly appreciated.

Version Info:

BusyBox v1.28.3 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 18.06.0-rc1, r7090-d2aa3a1b62
 -----------------------------------------------------

Output of: uname -a

Linux OpenWrt 4.14.50 #0 SMP Fri Jun 22 10:22:57 2018 armv7l GNU/Linux

Output of: cat /proc/cpuinfo

processor       : 0
model name      : ARMv7 Processor rev 1 (v7l)
BogoMIPS        : 1866.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x4
CPU part        : 0xc09
CPU revision    : 1

processor       : 1
model name      : ARMv7 Processor rev 1 (v7l)
BogoMIPS        : 1866.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x4
CPU part        : 0xc09
CPU revision    : 1

Hardware        : Marvell Armada 380/385 (Device Tree)
Revision        : 0000
Serial          : 0000000000000000

Output of: cat /etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option strict_enforcement '1'
        option enabled '1'
        option dnsmasq_enabled '1'

config policy
        option interface 'wan'
        option comment 'am.i.mullvad.net'
        option remote_addresses 'am.i.mullvad.net'

config policy
        option interface 'wan'
        option comment 'i.mullvad.net'
        option remote_addresses 'i.mullvad.net'

config policy
        option interface 'wan'
        option comment 'mullvad.net'
        option remote_addresses 'mullvad.net'

config policy
        option interface 'wan'
        option comment 'ipleak.net'
        option remote_addresses 'ipleak.net'

config policy
        option comment 'Desktop'
        option local_addresses '192.168.99.136'
        option interface 'WGINTERFACE'

Output of: /etc/init.d/vpn-policy-routing status

vpn-policy-routing 0.0.2-4 running on OpenWrt 18.06.0-rc1. WAN (IPv4): wan/dev/73.58.24.1.
============================================================
Dnsmasq version 2.80test2  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         *               0.0.0.0         U     0      0        0 WGINTERFACE
IPv4 Table 201: unreachable default
IPv4 Table 201 Rules:
32695:  from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.99.28.153 dev WGINTERFACE
IPv4 Table 202 Rules:
32694:  from all fwmark 0x20000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.99.136/32 -m comment --comment Desktop -c 1224 343453 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set WGINTERFACE dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create WGINTERFACE hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
DNSMASQ ipsets
ipset=/am.i.mullvad.net/wan # am.i.mullvad.net
ipset=/i.mullvad.net/wan # i.mullvad.net
ipset=/mullvad.net/wan # mullvad.net
ipset=/ipleak.net/wan # ipleak.net
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

Output of: /etc/init.d/vpn-policy-routing reload

Creating table 'wan/eth1.2/0.0.0.0' [✗]
Creating table 'WGINTERFACE/WGINTERFACE/10.99.28.153' [✓]
Routing 'am.i.mullvad.net' via wan [✓]
Routing 'i.mullvad.net' via wan [✓]
Routing 'mullvad.net' via wan [✓]
Routing 'ipleak.net' via wan [✓]
Routing 'Desktop' via WGINTERFACE [✓]
vpn-policy-routing 0.0.2-4 started on WGINTERFACE/WGINTERFACE/10.99.28.153 with errors [✗]
ERROR: Failed to set up 'wan/eth1.2/0.0.0.0'
vpn-policy-routing 0.0.2-4 monitoring interfaces: wan WGINTERFACE [✓]

The device names used by this, is it the hostname that LEDE reports in its DHCP table?
I can't seem to get it working with names, only IPs.

It does look suspicious, I've changed the WAN detection code recently, because the built-in OpenWrt function calls WAN the interface with default routing (which could very well be a VPN tunnel if it's set up this way).

Can you please PM/post the output of ifconfig and ip -4 route?

That works only if you add a host with the MAC address/IP/name assignment to the DHCP config. Otherwise, the service is started before devices connect and it wouldn't know how to resolve the name.

Yes, I have some static DHCP leases via device MAC in the router.
However, it won't add the policies to iptables.

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option ipset_enabled '1'
        option dnsmasq_enabled '0'
        option strict_enforcement '1'
        option enabled '1'

config policy
        option comment 'Laptop'
        option interface 'wan'
        option local_addresses 'laptop'

config policy
        option interface 'wan'
        option comment 'NUC'
        option local_addresses 'NUC'

config policy
        option interface 'wan'
        option comment 'pixel2'
        option local_addresses 'pixel2'

vpn-policy-routing 0.0.2-4 running on OpenWrt SNAPSHOT. WAN (IPv4): wan/dev/172.16.11.44.
============================================================
Dnsmasq version 2.80test2  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.4.0.1        128.0.0.0       UG    0      0        0 tun0
default         xx.xx.xx.xx    0.0.0.0         UG    0      0        0 pppoe-wan
IPv4 Table 201: default via xx.xx.xx.xx dev pppoe-wan
IPv4 Table 201 Rules:
32749:  from all fwmark 0x10000 lookup 201
IPv4 Table 202: default via 10.4.44.204 dev tun0
IPv4 Table 202 Rules:
32748:  from all fwmark 0x20000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set vpn0 dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create vpn0 hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================

Creating table 'wan/pppoe-wan/xx.xx.xx.xx' [✓]
Creating table 'vpn0/tun0/10.4.44.204' [✓]
Routing 'Laptop' via wan [✓]
Routing 'NUC' via wan [✓]
Routing 'pixel2' via wan [✓]
vpn-policy-routing 0.0.2-4 started on wan/pppoe-wan/xx.xx.xx.xx vpn0/tun0/10.4.44.204 [✓]
vpn-policy-routing 0.0.2-4 monitoring interfaces: wan vpn0 [✓]

Is dnsmasq being used for both DHCP assignment and DNS resolution? DHCP config please.
Also, resolveip laptop, resolveip NUC, resolveip pixel2.

PS. You can create a single policy "Local devices" and list (space separated) all your local device names there.

Do post the things I've asked for before, but also check if 0.0.2-5 behaves any better.

I am using dnsmasq for DHCP but DNSCrypt for DNS.
ipresolve is not working for any of them, so that explains it. So I can't use dnscrypt and hostnames for devices?

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'
        option noresolv '1'
        option allservers '1'
        list server '127.0.0.1#5353'
        option strictorder '1'

config dhcp 'lan'
        option interface 'lan'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option start '10'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config host
        option name 'Diskstation'
        option dns '1'
        option mac 'xx'
        option ip '192.168.1.74'
        option leasetime 'infinite'

config host
        option name 'NUC'
        option dns '1'
        option mac 'xx'
        option ip '192.168.1.135'
        option leasetime 'infinite'

config host
        option name 'laptop'
        option dns '1'
        option mac 'xx'
        option ip '192.168.1.72'

config host
        option name 'pixel2'
        option dns '1'
        option mac 'xxxx'
        option ip '192.168.1.115'

I checked 0.0.2-5 and it is the same result for me. Hopefully the below information will help.

I followed this guide https://mullvad.net/en/guides/running-wireguard-router/ to set up my WireGuard install.

Output of: ifconfig

WGINTERFACE Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.XXX.XXX.153  P-t-P:10.XXX.XXX.153  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:57911 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90882 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28222556 (26.9 MiB)  TX bytes:38326096 (36.5 MiB)

br-lan    Link encap:Ethernet  HWaddr 62:38:E0:CB:9F:20
          inet addr:192.168.99.1  Bcast:192.168.99.255  Mask:255.255.255.0
          inet6 addr: fe80::6038:e0ff:fecb:9f20/64 Scope:Link
          inet6 addr: 2601:940:c001:5319::1/64 Scope:Global
          inet6 addr: fdb7:32e0:52f7::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:130449 errors:0 dropped:0 overruns:0 frame:0
          TX packets:82949 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:47185804 (44.9 MiB)  TX bytes:30347376 (28.9 MiB)

eth0      Link encap:Ethernet  HWaddr 62:38:E0:CB:9F:20
          inet6 addr: fe80::6038:e0ff:fecb:9f20/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3988 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6593 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:445691 (435.2 KiB)  TX bytes:7019639 (6.6 MiB)
          Interrupt:37

eth0.1    Link encap:Ethernet  HWaddr 62:38:E0:CB:9F:20
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3944 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6574 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:371757 (363.0 KiB)  TX bytes:6990528 (6.6 MiB)

eth1      Link encap:Ethernet  HWaddr 60:38:E0:CB:9F:20
          inet6 addr: fe80::XXXX:XXXX:XXXX:9f20/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:82407 errors:0 dropped:0 overruns:0 frame:0
          TX packets:127843 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:35346727 (33.7 MiB)  TX bytes:57365723 (54.7 MiB)
          Interrupt:36

eth1.2    Link encap:Ethernet  HWaddr 60:38:E0:CB:9F:20
          inet addr:73.XXX.XXX.55  Bcast:73.XXX.XXX.255  Mask:255.255.248.0
          inet6 addr: fe80::XXXX:XXXX:XXXX:9f20/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:58217 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90912 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29911075 (28.5 MiB)  TX bytes:42146312 (40.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:94 errors:0 dropped:0 overruns:0 frame:0
          TX packets:94 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8655 (8.4 KiB)  TX bytes:8655 (8.4 KiB)

wlan0     Link encap:Ethernet  HWaddr 60:38:E0:CB:9F:22
          inet6 addr: fe80::6238:e0ff:fecb:9f22/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:119322 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65372 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:47785182 (45.5 MiB)  TX bytes:8626611 (8.2 MiB)

wlan1     Link encap:Ethernet  HWaddr 60:38:E0:CB:9F:21
          inet6 addr: fe80::6238:e0ff:fecb:9f21/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7177 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12907 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:799815 (781.0 KiB)  TX bytes:16555683 (15.7 MiB)

wlan2     Link encap:Ethernet  HWaddr 60:38:E0:CB:9F:23
          inet6 addr: fe80::6238:e0ff:fecb:9f23/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:802 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Output of: ip -4 route

default dev WGINTERFACE proto static scope link
66.XXX.XXX.170 via 73.XXX.XXX.1 dev eth1.2 proto static
73.XXX.XXX.0/21 dev eth1.2 proto kernel scope link src 73.XXX.XXX.55
192.168.99.0/24 dev br-lan proto kernel scope link src 192.168.99.1

I attempted to censor personal information in the output. If I left something / you needed blocked info, let me know and I will fix it. I would like to keep the whole conversation public so that others may benefit from our troubleshooting.

Lastly, I did a bit of experimenting with the WGINTERFACE and found out if I change

option route_allowed_ips '1'
to
option route_allowed_ips '0'

I can perform the opposite of the expected result. Meaning I can go into vpn-policy and add sites and devices that will then be routed through the WGINTERFACE while everything else is routed through my normal wan. Obviously this is not expected behavior.

Should be fixed in 0.0.2-6.

This is absolutely expected behaviour. The route_allowed_ips setting actually sets the default routing (for allowed IPs, which is probably 0.0.0.0 in your WireGuard config) to WireGuard, AFAIK. So if you disable it, default routing stays on WAN and then you can manually configure the policies for WG traffic.

I'm using dnsmasq with https_dns_proxy and I also have list server '127.0.0.1#5053' in my dhcp config file, however the local device names are getting resolved on the router.

If you can get resolveip working for local devices on the router, VPR will work with local device names.

I am happy to report this is the case!

Output of: /etc/init.d/vpn-policy-routing reload

Creating table 'wan/eth1.2/73.XXX.XXX.1/fe80::256:XXXX:XXXX:cc22' [✓]
Creating table 'WGINTERFACE/WGINTERFACE/10.XXX.XXX.153/::/0' [✓]
Routing 'Desktop' via wan [✓]
vpn-policy-routing 0.0.2-6 started on wan/eth1.2/73.XXX.XXX.1/fe80::256:XXXX:XXXX:cc22 WGINTERFACE/WGINTERFACE/10.XXX.XXX.153/::/0 [✓]
vpn-policy-routing 0.0.2-6 monitoring interfaces: wan wan6 WGINTERFACE [✓]

However, I am out of my depth here. I have updated the application and set one rule up for a desktop (192.168.99.136) on my LAN. The problem is that as long as that rule is enabled, the desktop is prohibited from accessing the broader internet. Local access to other devices on my LAN works fine. Is there any recommendation you can give so that I may troubleshoot this?

Have you tried disabling IPv6 support in VPR?

Tried and failed.

ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:
Reply from 192.168.99.1: Destination port unreachable.
Reply from 192.168.99.1: Destination port unreachable.
Reply from 192.168.99.1: Destination port unreachable.
Reply from 192.168.99.1: Destination port unreachable.

Ping statistics for 1.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

This is the output from that desktop when I enable VPR.