VPN policy based routing possible?

Just discovered what is apparently the culprit for the kernel panic - a potential conflict with a SQM instance enabled on the wg iface

config queue
	option debug_logging '0'
	option qdisc 'fq_codel'
	option enabled '1'
	option interface 'wg0'
	option download '90000'
	option upload '19000'
	option verbosity '0'
	option qdisc_advanced '0'
	option script 'piece_of_cake.qos'
	option linklayer 'none'

This has been fixed in the latest release 0.0.2-31


Using TOS 3.11.1 and vpn-policy-routing 0.0.2-34, I configured this routing policy:

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option ipset_enabled '1'
        option dnsmasq_enabled '0'
        option strict_enforcement '1'
        option enabled '1'

config policy
        option interface 'wan'
        option name 'DMZ HTTPS Server'
        option local_ports '443'
        option remote_addresses '0.0.0.0/0'
        option remote_ports '0-65535'
        option local_addresses '192.168.2.1/24'

The two rules for WAN and VPN are correctly created in the routing policy database:

$ ip rule
...
32752:  from all fwmark 0x20000 lookup 202
32753:  from all fwmark 0x10000 lookup 201
...

but the firewall rule to mark IP packets coming from 192.168.2.1/24 is not set. Looking at /var/log/messages, there is this error:

2018-12-28 00:43:49 notice [3138]: ERROR: iptables -t mangle -I VPR_PREROUTING 1 -j MARK --set-xmark 0x010000/0xff0000 -s 192.168.2.1/24  -p tcp -m multiport --sport 443 -d 0.0.0.0/0  -p tcp -m multiport --dport 0:65535 -m comment --comment DMZ_HTTPS_Server

When I run the iptables command reported in the error manually, I get:

iptables v1.6.1: multiple -p flags not allowed
Try `iptables -h' or 'iptables --help' for more information.

Since ‘0-65535’ covers all ports, it can be omitted (deleted, that is) and the error should be gone.

Seems that ipt does not like/accept the -p flag twice (sport | dport) in the same rule.
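As an added illustration of the diagnosis above (this is not code from vpn-policy-routing), a small POSIX sh rule builder that emits `-p tcp` exactly once no matter how many port matches the policy has, and drops a `0-65535` range because it matches everything anyway. The chain, mark and mask are the ones from the error message; the function names are mine.

```shell
#!/bin/sh
# Added example, not the package's own code: build the VPR_PREROUTING mark
# rule for a policy without repeating "-p tcp", which iptables rejects with
# "multiple -p flags not allowed". Nothing here is executed; the argument
# list is only printed so it can be inspected or passed to iptables.

# is_full_range PORTS -> true when PORTS is empty or "0-65535"
is_full_range() {
    case "$1" in
        ""|"0-65535") return 0 ;;
        *) return 1 ;;
    esac
}

# build_mark_rule LOCAL_ADDR LOCAL_PORTS REMOTE_ADDR REMOTE_PORTS MARK COMMENT
build_mark_rule() {
    local_addr=$1; local_ports=$2; remote_addr=$3; remote_ports=$4
    mark=$5; comment=$6
    rule="-t mangle -I VPR_PREROUTING 1 -j MARK --set-xmark ${mark}/0xff0000"
    [ -n "$local_addr" ]  && rule="$rule -s $local_addr"
    [ -n "$remote_addr" ] && rule="$rule -d $remote_addr"
    ports=""
    # UCI writes ranges as start-end, iptables multiport wants start:end
    if ! is_full_range "$local_ports"; then
        ports="$ports -m multiport --sports $(printf '%s' "$local_ports" | tr - :)"
    fi
    if ! is_full_range "$remote_ports"; then
        ports="$ports -m multiport --dports $(printf '%s' "$remote_ports" | tr - :)"
    fi
    # the protocol selector appears once, and only if a port match needs it
    [ -n "$ports" ] && rule="$rule -p tcp$ports"
    rule="$rule -m comment --comment $comment"
    printf '%s\n' "$rule"
}

# count_proto_flags RULE -> number of "-p" tokens; anything above 1 is rejected
count_proto_flags() {
    n=0
    for tok in $1; do
        [ "$tok" = "-p" ] && n=$((n + 1))
    done
    echo "$n"
}
```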

@stangri vpn-policy-routing 0.0.7-15 seems to have introduced a bug of sorts

Whilst the other report seems to be on an OpenVPN node, my node with WG is exhibiting the same issue.

/etc/init.d/vpn-policy-routing restart

vpn-policy-routing 0.0.7-15 stopped [✓]
Creating table ‘wan/xxx.233.237.160 peer xxx.46.104.107’ [✗]
Creating table ‘wg0/192.168.45.2’ [✓]
Routing ‘oc-ssh’ via wan [✓]
Routing ‘oc-vps-cp’ via wan [✓]
Routing ‘oc-vnc’ via wan [✓]
Routing ‘stv’ via wan [✓]
Routing ‘1750e’ via wan [✓]
Routing ‘dvb-c’ via wan [✓]
Routing ‘to.lan’ via wg0 [✓]
vpn-policy-routing 0.0.7-15 started on wg0/192.168.45.2 with errors [✗]
ERROR: Failed to set up ‘wan/xxx.233.237.160 peer xxx.46.104.107’
vpn-policy-routing 0.0.7-15 monitoring interfaces: wan wg0 [✓]

What is the status of this?

Is the vpn-policy-routing (https://github.com/stangri/openwrt_packages/tree/master/vpn-policy-routing) package now working with latest Turris OS (4.0.1)?

If so, is there any remaining reason why the repo is not added to the list of repos queried by Turris OS LuCI?

(Just trying to understand if it’s a good idea for me to do that manually on my system or if there are remaining things that need to be fixed to make it stable. I’d like to do IP source address based routing for my Android Set Top Box.)

It is an external repo and not included in OpenWrt. The package source features an extensive README of how to get things rolling.

When I try to update to the newest VPN PBR routing I get the following error. Does somebody else have the same issue?

## Error from 2019/11/15 13:37:clock430:
Updater failed:
inconsistent: Package luci-app-vpn-policy-routing requires package luci-compat that is not available.


I can confirm this is currently being exhibited on a TOS4.x node. For some reason the package luci-compat would seem to be absent at the upstream [1] repo and thus not available through the TOS repo either.
Probably best to lodge a package request with upstream development.

[1] https://downloads.openwrt.org/releases/18.06.5/packages/arm_cortex-a9_vfpv3/

I have the same problem. Assuming that this will be fixed in a future release, is there a way to work around this?

I keep getting several emails per day notifying me that “luci-compat” is not available.
As I understood it, luci-compat has been added in a recent openwrt upgrade?

I tried to manually upgrade luci-app-vpn-policy routing with
opkg --nodeps install luci-app-vpn-policy-routing
but that didn’t help.

Switch to the HBT branch or compile the package and install it locally.


As @anon50890781 advised you might want to use HBT branch (RC) by using switch-branch hbt or you may try HBK. Why this happened, you can take a look here:
