VPN policy based routing possible?


#1

I am considering buying a Turris Omnia router. At the moment I am using a Linksys WRT1900ACS with LEDE firmware and OpenVPN client with policy based routing with the package:

Is it possible to use VPN policy based routing with Turris Omnia “out of the box”, or if not, can the VPN policy based routing LEDE package from stangri be installed?

Thank you for the support!


Added ExpressVPN to openVPN config. Works but ignores 'enabled' forces me to always use VPN
How to set up Openvpn client on Turris Omnia?
IPSec tunneled traffic
#2

Out of the box is not working since the TO repo is currently different from upstream OpenWRT.

The current stable TO firmware is based on OpenWrt omnia 15.05 r47055 / LuCI 49c3edd5861fd032fa8379ceda525c27a908a114 branch (git-17.212.24321-49c3edd)

Just ran

opkg update; opkg install ca-certificates wget libopenssl
echo -e -n 'untrusted comment: LEDE usign key of Stan Grishin\nRWR//HUXxMwMVnx7fESOKO7x8XoW4/dRidJPjt91hAAU2L59mYvHy0Fa\n' > /tmp/stangri-repo.pub && opkg-key add /tmp/stangri-repo.pub
! grep -q 'stangri_repo' /etc/opkg/customfeeds.conf && echo 'src/gz stangri_repo https://raw.githubusercontent.com/stangri/openwrt-repo/master' >> /etc/opkg/customfeeds.conf
opkg update

and then from the LuCI inerface installed both - vpn-policy-routing and luci-app-vpn-policy-routing, which went without a hitch.

Mind you that I had ipset resolveip ip-full kmod-ipt-ipset iptables already installed and dnsmasq removed and dnsmasq-full installed previously.

Have not tested whether it works though, pending some setup of wireguard as choice of VPN


#3

Hi n8v8r

Thanks for the quick reply. That sounds promising!


#4

The app received an update yesterday through the TO (feed) updater and that went ok too.

Just got around of actually testing it and albeit some error showing in the log (below) it is working (well), that is based on wireguard VPN and utilizing ipset and no iptables. The routes (and related tables) are showing in the LuCI status page.
And it pays to read through the how it works of the Readme as I missed at first

The policy priority is the same as its order as listed in Web UI and /etc/config/vpn-policy-routing. The higher the policy is in the Web UI and configuration file, the higher its priority is.

Had the lan subnet at the top and wondering why particular clients were not routed the other way. Dropping the lan subnet to the bottom of the order set it right and now partiular clients are routed one way and the remainder of the lan subnet another.

Thank you for creating awareness of this app in this forum, it makes routing so much easier…!

notice [32269]: Creating table ‘lan/br-lan/0.0.0.0’ [✗]
notice [32269]: Routing ‘’ via wan [✗]
notice [32269]: service started on wan/pppoe-wan/<ip.redacted> wg0/wg0/<ip.redacted> with errors [✗]
notice [32269]: ERROR: Failed to set up 'lan/br-lan/0.0.0.0’
ERROR: policy comment is empty!


#5

The bottom of README has the list of things to do in case of problems – can you PM me those?


#6

@stangri Thank you foremost for this usefull app and secondly for making the effort of registering in this forum.

PM sent


#7

I ordered a Turris Omnia 2GB WLAN today. I’ll report how good VPN PBR is working after I have set it up!


#8

The error I reported was based on a misconception I had about some setting and @stangri sorted it out, thus no further error showing.

And it got another update today.


#9

I received my Turris Omnia 2GB WLAN today and configured VPN with policy based routing (PBR).

Two issues:

  1. to get PBR routing working after a reboot of the router I have to press “save and apply” under the “policy based routing” settings, before that nothing is routed through the VPN tunnel

  2. when installing dnsmasq-full I get the error:

Blockquote

WARNING: You probably just removed a package that was installed as part of a user list or the basic system. This package will return durring the next updater run. We suggest you disable the user list instead.
Installing dnsmasq-full (2.78-2) to root…

Blockquote

Does anybody have the same issues?


#10

(Just wanted to add to my previous post: I’m using Turris OS version 3.10, that was installed automatically when I set up the router)


#11

The dnsmaqs warning is by design of TO, not sure how such things are handled in OpenWRT.
For it not to return (TO may force some of those basics back) it needs a /etc/updater/conf.d/user.lua file with content Uninstall("dnsmasq")

The first point might due to that PBR is starting at boot prior the ovpn tun is up.

Other than that you got it actually working?


#12

As soon as its started after boot by manually clicking "save and apply* it seems to be running fine. But I have a simple configuration with only one client going through the tunnel and the rest through WAN:

Local IP 192.168.1.110 VPN
IP Range 192.168.1.0/24 WAN


#13

I am curious what would happen to PBR if the tunnel is interrupted for some reason and comes back online, i.e. whether it would require to click save and apply

To anwser that question -

vpn-policy-routing: service monitoring interfaces:


#14

Just had a look into the syslog and PBR is starting prior the ovpn tun is up and thus failing to create a routing table for the tun iface at boot time


#15

is there any way to solve this issue? With the older Turris OS this wasn’t an issue?


#16

Did not try OpenVPN with the previous firmware only Wireguard.

How did it work with the other router you initially mentioned (Linksys WRT1900ACS with LEDE firmware)?


#17

If I remember correctly that wasn’t an issue
Upto now OpenVPN connection an PBR still functional (since 12h)


#18

Perhaps worthing noting that icmp and udp are not routed through the vpn iface designated by PBR, even with

/etc/config/vpn-policy-routing
  config vpn-policy-routing 'config'
	option udp_proto_enabled '1'

#19

How can I find out what traffic goes through the tunnel and which isn’t?


#20

packet capture https://openwrt.org/docs/guide-user/firewall/capture-filter-inspect-packets on the router, or a tool like wireshark on one/any/all of the clients connecting to the outbound vpn interface on the router.

Latter (on the client) though may capture only the traffic of the client it is running on but not the entire vpn traffic on the router.