VPN policy based routing possible?


Just discovered what is apparently the culprit for the kernel panic - a potential conflict with an SQM instance enabled on the wg iface:

config queue
	option debug_logging '0'
	option qdisc 'fq_codel'
	option enabled '1'
	option interface 'wg0'
	option download '90000'
	option upload '19000'
	option verbosity '0'
	option qdisc_advanced '0'
	option script 'piece_of_cake.qos'
	option linklayer 'none'


This has been fixed in the latest release 0.0.2-31


Using TOS 3.11.1 and vpn-policy-routing 0.0.2-34, I configured this routing policy:

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option ipset_enabled '1'
        option dnsmasq_enabled '0'
        option strict_enforcement '1'
        option enabled '1'

config policy
        option interface 'wan'
        option name 'DMZ HTTPS Server'
        option local_ports '443'
        option remote_addresses ''
        option remote_ports '0-65535'
        option local_addresses ''

The two rules for WAN and VPN are correctly created in the routing policy database:

$ ip rule
32752:  from all fwmark 0x20000 lookup 202
32753:  from all fwmark 0x10000 lookup 201

but the firewall rule to mark the matching IP packets is not set. Looking at /var/log/messages, there is this error:

2018-12-28 00:43:49 notice [3138]: ERROR: iptables -t mangle -I VPR_PREROUTING 1 -j MARK --set-xmark 0x010000/0xff0000 -s  -p tcp -m multiport --sport 443 -d  -p tcp -m multiport --dport 0:65535 -m comment --comment DMZ_HTTPS_Server

When I manually run the iptables command reported in the error, I get:

iptables v1.6.1: multiple -p flags not allowed
Try `iptables -h' or 'iptables --help' for more information.


Since ‘0-65535’ covers all ports, it can be omitted (i.e. deleted), and the error should be gone.

Seems that ipt does not like/accept the -p flag twice (sport | dport) in the same rule.
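To show what a correct rule looks like for the policy in this thread, here is an added example (it is not vpn-policy-routing's own script and not code from any poster): a small POSIX sh builder that composes the mangle MARK command so the protocol selector `-p tcp` is emitted exactly once, empty `-s`/`-d` values are skipped, and a full `0-65535` range is dropped rather than turned into a redundant port match. The chain name, mark/mask and comment are taken from the log line above; the address values in the usage call are constructed. A second helper counts the `-p` flags so the failure mode from the thread can be checked before the command is ever executed.

```shell
#!/bin/sh
# Added example, not part of the thread or the vpn-policy-routing package.
# Builds one mangle MARK rule from a vpn-policy-routing style policy.
#
# $1 local (source) ports   $2 remote (destination) ports
# $3 local address          $4 remote address
# $5 mark/mask              $6 comment
build_mark_rule() {
    local_ports=$1; remote_ports=$2; local_addr=$3; remote_addr=$4
    mark=$5; comment=$6

    # Chain and target exactly as in the logged command.
    rule="iptables -t mangle -I VPR_PREROUTING 1 -j MARK --set-xmark $mark"

    # Only emit address selectors that actually carry a value
    # (the logged command had bare "-s" and "-d" with nothing after them).
    [ -n "$local_addr" ]  && rule="$rule -s $local_addr"
    [ -n "$remote_addr" ] && rule="$rule -d $remote_addr"

    # A full range matches every port, so it is the same as no port match.
    [ "$local_ports" = "0-65535" ]  && local_ports=""
    [ "$remote_ports" = "0-65535" ] && remote_ports=""

    # iptables multiport ranges use ":" where the UCI config uses "-".
    local_ports=$(printf '%s' "$local_ports" | tr '-' ':')
    remote_ports=$(printf '%s' "$remote_ports" | tr '-' ':')

    # Protocol selector once, and only if some port match remains;
    # this is the part the logged command got wrong (two "-p tcp").
    if [ -n "$local_ports" ] || [ -n "$remote_ports" ]; then
        rule="$rule -p tcp"
        [ -n "$local_ports" ]  && rule="$rule -m multiport --sport $local_ports"
        [ -n "$remote_ports" ] && rule="$rule -m multiport --dport $remote_ports"
    fi

    rule="$rule -m comment --comment $comment"
    printf '%s\n' "$rule"
}

# Number of " -p " occurrences in a command string; must be 0 or 1.
count_proto_flags() {
    printf '%s' "$1" | grep -o -- ' -p ' | wc -l | tr -d ' '
}

# Usage: the policy from the thread (local port 443, all remote ports).
# Constructed address value in the second call; nothing here is executed
# against the firewall, the command is only printed.
build_mark_rule 443 0-65535 '' '' 0x010000/0xff0000 DMZ_HTTPS_Server
build_mark_rule 443 8443 '' 192.0.2.10 0x010000/0xff0000 Example_Policy
```

The design choice is to treat a full port range as "no restriction" at build time, which is the same thing the reply above recommends doing by hand in the UCI config, and to gate the single `-p tcp` on whether any port match survives; `count_proto_flags` gives a cheap pre-flight check a hook script could run before calling iptables.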