1 # VPN Policy-Based Routing
5 This service allows you to define rules (policies) for routing traffic via WAN or your L2TP, Openconnect, OpenVPN, PPTP or Wireguard tunnels. Policies can be set based on any combination of local/remote ports, local/remote IPv4 or IPv6 addresses/subnets or domains. This service supersedes the ```VPN Bypass``` available on [GitHub](https://github.com/openwrt/packages/blob/master/net/vpnbypass/files/README.md)/[jsDelivr](https://cdn.jsdelivr.net/gh/openwrt/packages@master/net/vpnbypass/files/README.md) service, by supporting IPv6 and by allowing you to set explicit rules not just for WAN interface (bypassing OpenVPN tunnel), but for L2TP, Openconnect, OpenVPN, PPTP and Wireguard tunnels as well.
11 - Any policy can target either WAN or a VPN tunnel interface.
12 - L2TP tunnels supported (with protocol names l2tp\*).
13 - Openconnect tunnels supported (with protocol names openconnect\*).
14 - OpenVPN tunnels supported (with device names tun\* or tap\*).<sup>[1](#footnote1)</sup> <sup>[2](#footnote2)</sup>
15 - PPTP tunnels supported (with protocol names pptp\*).
16 - Wireguard tunnels supported (with protocol names wireguard\*).
18 ### IPv4/IPv6/Port-Based Policies
20 - Policies based on local names, IPs or subnets. You can specify a single IP (as in ```192.168.1.70```) or a local subnet (as in ```192.168.1.81/29```) or a local device name (as in ```nexusplayer```). IPv6 addresses are also supported.
21 - Policies based on local ports numbers. Can be set as an individual port number (```32400```), a range (```5060-5061```), a space-separated list (```80 8080```) or a combination of the above (```80 8080 5060-5061```). Limited to 15 space-separated entries per policy.
22 - Policies based on remote IPs/subnets or domain names. Same format/syntax as local IPs/subnets.
23 - Policies based on remote ports numbers. Same format/syntax and restrictions as local ports.
24 - You can mix the IP addresses/subnets and device (or domain) names in one field separating them by space (like this: ```66.220.2.74 he.net tunnelbroker.net```).
25 - See [Policy Options](#policy-options) section for more information.
27 ### Domain-Based Policies
29 - Policies based on (remote) domain names can be processed in different ways, please review the [Policy Options](#policy-options) section and [Footnotes/Known Issues](#footnotesknown-issues) section, specifically [<sup>#5</sup>](#footnote5) and any other information in that section relevant to domain-based routing/DNS.
31 ### Physical Device Policies
33 - Policies based on a local physical device (like a specially created wlan), please review the [Policy Options](#policy-options) section and [Footnotes/Known Issues](#footnotesknown-issues) section, specifically [<sup>#6</sup>](#footnote6) and any other information in that section relevant to handling physical device.
35 ### DSCP Tag-Based Policies
37 You can also set policies for traffic with specific DSCP tag. On Windows 10, for example, you can mark traffic from specific apps with DSCP tags (instructions for tagging specific app traffic in Windows 10 can be found [here](http://serverfault.com/questions/769843/cannot-set-dscp-on-windows-10-pro-via-group-policy)).
41 If the custom user file includes are set, the service will load and execute them after setting up ip tables and ipsets and processing policies. This allows, for example, to add large numbers of domains/IP addresses to ipsets without manually adding all of them to the config file.
43 Two example custom user-files are provided: ```/etc/vpn-policy-routing.aws.user``` and ```/etc/vpn-policy-routing.netflix.user```. They are provided to pull the AWS and Netflix IP addresses into the ```wan``` ipset respectively.
45 ### Strict Enforcement
47 - Supports strict policy enforcement, even if the policy interface is down -- resulting in network being unreachable for specific policy (enabled by default).
51 - Service can be set to utilize ```dnsmasq```'s ```ipset``` support, which requires the ```dnsmasq-full``` package to be installed (see [How to install dnsmasq-full](#how-to-install-dnsmasq-full)). This significantly improves the start up time because ```dnsmasq``` resolves the domain names and adds them to appropriate ```ipset``` in background. Another benefit of using ```dnsmasq```'s ```ipset``` is that it also automatically adds third-level domains to the ```ipset```: if ```domain.com``` is added to the policy, this policy will affect all ```*.domain.com``` subdomains. This also works for top-level domains as well, a policy targeting the ```at``` for example, will affect all the ```*.at``` domains.
52 - Please review the [Footnotes/Known Issues](#footnotesknown-issues) section, specifically [<sup>#5</sup>](#footnote5) and any other information in that section relevant to domain-based routing/DNS.
56 - Can be fully configured with ```uci``` commands or by editing ```/etc/config/vpn-policy-routing``` file.
57 - Has a companion package (```luci-app-vpn-policy-routing```) so policies can be configured with Web UI.
61 - Doesn't stay in memory, creates the routing tables and ```iptables``` rules/```ipset``` entries which are automatically updated when supported/monitored interface changes.
62 - Proudly made in :maple_leaf: Canada :maple_leaf: , using locally-sourced electrons.
64 ## Screenshots (luci-app-vpn-policy-routing)
67 ![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-status.png "Service Status")
69 Configuration - Basic Configuration
70 ![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-config-basic.png "Basic Configuration")
72 Configuration - Advanced Configuration
73 ![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-config-advanced.png "Advanced Configuration")
75 Configuration - WebUI Configuration
76 ![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-config-webui.png "WebUI Configuration")
79 ![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-policies.png "Policies")
82 ![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-dscp.png "DSCP Tagging")
84 Custom User File Includes
85 ![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-userfiles.png "Custom User File Includes")
89 On start, this service creates routing tables for each supported interface (WAN/WAN6 and VPN tunnels) which are used to route specially marked packets. For the ```mangle``` table's ```PREROUTING```, ```FORWARD```, ```INPUT``` and ```OUTPUT``` chains, the service creates corresponding ```VPR_*``` chains to which policies are assigned. Evaluation and marking of packets happen in these ```VPR_*``` chains. If enabled, the service also creates the remote/local ipsets per each supported interface and the corresponding ```iptables``` rule for marking packets matching the ```ipset```. The service then processes the user-created policies.
91 ### Processing Policies
93 Each policy can result in either a new ```iptables``` rule or, if ```src_ipset``` or ```dest_ipset``` are enabled, an ```ipset``` or a ```dnsmasq```'s ```ipset``` entry.
95 - Policies with local MAC-addresses, IP addresses or local device names can be created as ```iptables``` rules or ```ipset``` entries.
96 - Policies with local or remote ports are always created as ```iptables``` rules.
97 - Policies with local or remote netmasks can be created as ```iptables``` rules or ```ipset``` entries.
98 - Policies with **only** remote IP address or a domain name can be created as ```iptables``` rules or ```dnsmasq```'s ```ipset``` or an ```ipset``` (if enabled).
100 ### Policies Priorities
102 - If support for ```src_ipset``` and ```dest_ipset``` is disabled, then only ```iptables``` rules are created. The policy priority is the same as its order as listed in Web UI and ```/etc/config/vpn-policy-routing```. The higher the policy is in the Web UI and configuration file, the higher its priority is.
103 - If support for ```src_ipset``` and ```dest_ipset``` is enabled, then the ```ipset``` entries have the highest priority (irrelevant of their position in the policies list) and the other policies are processed in the same order as they are listed in Web UI and ```/etc/config/vpn-policy-routing```.
104 - If there are conflicting ```ipset``` entries for different interfaces, the priority is given to the interface which is listed first in the ```/etc/config/network``` file.
105 - If set, the ```DSCP``` policies trump all other policies, including the ```ipset``` ones.
109 Please make sure that the [requirements](#requirements) are satisfied and install ```vpn-policy-routing``` and ```luci-app-vpn-policy-routing``` from Web UI or connect to your router via ssh and run the following commands:
113 opkg install vpn-policy-routing luci-app-vpn-policy-routing
116 If these packages are not found in the official feed/repo for your version of OpenWrt/LEDE Project, you will need to add a custom repo to your router following instructions on [GitHub](https://github.com/stangri/openwrt_packages/blob/master/README.md#on-your-router)/[jsDelivr](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/README.md#on-your-router) first.
120 This service requires the following packages to be installed on your router: ```ipset```, ```resolveip```, ```ip-full``` (or a ```busybox``` built with ```ip``` support), ```kmod-ipt-ipset``` and ```iptables```.
122 To satisfy the requirements, connect to your router via ssh and run the following commands:
125 opkg update; opkg install ipset resolveip ip-full kmod-ipt-ipset iptables
128 ### How to install dnsmasq-full
130 If you want to use ```dnsmasq```'s ```ipset``` support, you will need to install ```dnsmasq-full``` instead of the ```dnsmasq```. To do that, connect to your router via ssh and run the following command:
133 opkg update; opkg remove dnsmasq; opkg install dnsmasq-full;
136 ### Unmet dependencies
138 If you are running a development (trunk/snapshot) build of OpenWrt on your router and your build is outdated (meaning that packages of the same revision/commit hash are no longer available and when you try to satisfy the [requirements](#requirements) you get errors), please flash either current OpenWrt release image or current development/snapshot image.
140 ## Service Configuration Settings
142 As per screenshots above, in the Web UI the ```vpn-policy-routing``` configuration is split into ```Basic```, ```Advanced``` and ```WebUI``` settings. The full list of configuration parameters of ```vpn-policy-routing.config``` section is:
144 |Web UI Section|Parameter|Type|Default|Description|
145 | --- | --- | --- | --- | --- |
146 |Basic|enabled|boolean|0|Enable/disable the ```vpn-policy-routing``` service.|
147 |Basic|verbosity|integer|2|Can be set to 0, 1 or 2 to control the console and system log output verbosity of the ```vpn-policy-routing``` service.|
148 |Basic|strict_enforcement|boolean|1|Enforce policies when their interface is down. See [Strict enforcement](#strict-enforcement) for more details.|
149 |Basic|dest_ipset|string|none|Enable/disable use of one of the ipset options for compatible remote policies (policies with only a remote hostname and no other fields set). This speeds up service start-up and operation. Currently supported options are ```none```, ```ipset``` and ```dnsmasq.ipset``` (see [Use DNSMASQ ipset](#use-dnsmasq-ipset) for more details). Make sure the [requirements](#requirements) are met.|
150 |Basic|src_ipset|boolean|0|Enable/disable use of ```ipset``` entries for compatible local policies (policies with only a local IP address or MAC address and no other fields set). Using ```ipset``` for local IPs/MACs is faster than using ```iptables``` rules, however it makes it impossible to enforce policies priority/order. Make sure the [requirements](#requirements) are met.|
151 |Basic|ipv6_enabled|boolean|0|Enable/disable IPv6 support.|
152 |Advanced|supported_interface|list/string||Allows to specify the space-separated list of interface names (in lower case) to be explicitly supported by the ```vpn-policy-routing``` service. Can be useful if your OpenVPN tunnels have dev option other than tun\* or tap\*.|
153 |Advanced|ignored_interface|list/string||Allows to specify the space-separated list of interface names (in lower case) to be ignored by the ```vpn-policy-routing``` service. Can be useful if running both VPN server and VPN client on the router.|
154 |Advanced|boot_timeout|number|30|Allows to specify the time (in seconds) for ```vpn-policy-routing``` service to wait for WAN gateway discovery on boot. Can be useful on devices with ADSL modem built in.|
155 |Advanced|iptables_rule_option|append/insert|append|Allows to specify the iptables parameter for rules: ```-A``` for ```append``` and ```-I``` for ```insert```. Append is generally speaking more compatible with other packages/firewall rules. Recommended to change to ```insert``` only to enable compatibility with the ```mwan3``` package.|
156 |Advanced|iprule_enabled|boolean|0|Add an ```ip rule```, not an ```iptables``` entry for policies with just the local address. Use with caution to manipulate policies priorities.|
157 |Advanced|icmp_interface|string||Set the default ICMP protocol interface (interface name in lower case). Use with caution.|
158 |Advanced|append_src_rules|string||Append local IP Tables rules. Can be used to exclude local IP addresses from destinations for policies with local address set.|
159 |Advanced|append_dest_rules|string||Append local IP Tables rules. Can be used to exclude remote IP addresses from sources for policies with remote address set.|
160 |Advanced|wan_tid|integer|201|Starting (WAN) Table ID number for tables created by the ```vpn-policy-routing``` service.|
161 |Advanced|wan_mark|hexadecimal|0x010000|Starting (WAN) fw mark for marks used by the ```vpn-policy-routing``` service. High starting mark is used to avoid conflict with SQM/QoS, this can be changed by user. Change with caution together with ```fw_mask```.|
162 |Advanced|fw_mask|hexadecimal|0xff0000|FW Mask used by the ```vpn-policy-routing``` service. High mask is used to avoid conflict with SQM/QoS, this can be changed by user. Change with caution together with ```wan_mark```.|
163 |Web UI|webui_enable_column|boolean|0|Shows ```Enable``` checkbox column for policies, allowing to quickly enable/disable specific policy without deleting it.|
164 |Web UI|webui_protocol_column|boolean|0|Shows ```Protocol``` column for policies, allowing to specify the protocol for ```iptables``` rules for policies.|
165 |Web UI|webui_supported_protocol|list|0|List of protocols to display in the ```Protocol``` column for policies.|
166 |Web UI|webui_chain_column|boolean|0|Shows ```Chain``` column for policies, allowing to specify ```PREROUTING``` (default), ```FORWARD```, ```INPUT```, or ```OUTPUT``` chain for ```iptables``` rules for policies.|
167 |Web UI|webui_sorting|boolean|1|Shows the Up/Down buttons for policies, allowing you to move a policy up or down in the list/priority.|
168 ||wan_dscp|integer||Allows use of [DSCP-tag based policies](#dscp-tag-based-policies) for WAN interface.|
169 ||{interface_name}_dscp|integer||Allows use of [DSCP-tag based policies](#dscp-tag-based-policies) for a VPN interface.|
173 Default configuration has service disabled (use Web UI to enable/start service or run ```uci set vpn-policy-routing.config.enabled=1; uci commit vpn-policy-routing;```).
177 Each policy may have a combination of the options below, the ```name``` and ```interface``` options are required.
179 The ```src_addr```, ```src_port```, ```dest_addr``` and ```dest_port``` options supports parameter negation, for example if you want to **exclude** remote port 80 from the policy, set ```dest_port="!80"``` (notice lack of space between ```!``` and parameter).
181 |Option|Default|Description|
183 |**name**||Policy name, it **must** be set.|
184 |enabled|1|Enable/disable policy. To display the ```Enable``` checkbox column for policies in the WebUI, make sure to select ```Enabled``` for ```Show Enable Column``` in the ```Web UI``` tab.|
185 |**interface**||Policy interface, it **must** be set.|
186 |src_addr||List of space-separated local/source IP addresses, CIDRs, hostnames or mac addresses (colon-separated). You can also specify a local physical device (like a specially created wlan) prepended by an ```@``` symbol.|
187 |src_port||List of space-separated local/source ports or port-ranges.|
188 |dest_addr||List of space-separated remote/target IP addresses, CIDRs or hostnames/domain names.|
189 |dest_port||List of space-separated remote/target ports or port-ranges.|
190 |proto|auto|Policy protocol, can be any valid protocol from ```/etc/protocols``` for CLI/uci or can be selected from the values set in ```webui_supported_protocol```. To display the ```Protocol``` column for policies in the WebUI, make sure to select ```Enabled``` for ```Show Protocol Column``` in the ```Web UI``` tab.<br/>Special cases: ```auto``` will try to intelligently insert protocol-agnostic policy and fall back to TCP/UDP if the protocol must be selected for specific policy; ```all``` will always insert a protocol-agnostic policy (which may fail depending on the policy).|
191 |chain|PREROUTING|Policy chain, can be either ```PREROUTING```, ```FORWARDING```, ```INPUT``` or ```OUTPUT```. This setting is case-sensitive. To display the ```Chain``` column for policies in the WebUI, make sure to select ```Enabled``` for ```Show Chain Column``` in the ```Web UI``` tab.|
193 ### Custom User Files Include Options
195 |Option|Default|Description|
197 |**path**||Path to a custom user file (in a form of shell script), it **must** be set.|
198 |enabled|1|Enable/disable setting.|
202 #### Single IP, IP Range, Local Machine, Local MAC Address
204 The following policies route traffic from a single IP address, a range of IP addresses, a local machine (requires definition as DHCP host record in DHCP config), a MAC-address of a local device and finally all of the above via WAN.
208 option name 'Local IP'
209 option interface 'wan'
210 option src_addr '192.168.1.70'
213 option name 'Local Subnet'
214 option interface 'wan'
215 option src_addr '192.168.1.81/29'
218 option name 'Local Machine'
219 option interface 'wan'
220 option src_addr 'dell-ubuntu'
223 option name 'Local MAC Address'
224 option interface 'wan'
225 option src_addr '00:0F:EA:91:04:08'
228 option name 'Local Devices'
229 option interface 'wan'
230 option src_addr '192.168.1.70 192.168.1.81/29 dell-ubuntu 00:0F:EA:91:04:08'
236 The following policy routes LogMeIn Hamachi zero-setup VPN traffic via WAN.
240 option name 'LogmeIn Hamachi'
241 option interface 'wan'
242 option dest_addr '25.0.0.0/8 hamachi.cc hamachi.com logmein.com'
247 The following policy routes standard SIP port traffic via WAN for both TCP and UDP protocols.
251 option name 'SIP Ports'
252 option interface 'wan'
253 option dest_port '5060'
254 option proto 'tcp udp'
257 #### Plex Media Server
259 The following policies route Plex Media Server traffic via WAN. Please note, you'd still need to open the port in the firewall either manually or with the UPnP.
263 option name 'Plex Local Server'
264 option interface 'wan'
265 option src_port '32400'
268 option name 'Plex Remote Servers'
269 option interface 'wan'
270 option dest_addr 'plex.tv my.plexapp.com'
273 #### Emby Media Server
275 The following policy route Emby traffic via WAN. Please note, you'd still need to open the port in the firewall either manually or with the UPnP.
279 option name 'Emby Local Server'
280 option interface 'wan'
281 option src_port '8096 8920'
284 option name 'Emby Remote Servers'
285 option interface 'wan'
286 option dest_addr 'emby.media app.emby.media tv.emby.media'
289 #### Local OpenVPN Server + OpenVPN Client (Scenario 1)
291 If the OpenVPN client on your router is used as default routing (for the whole internet), make sure your settings are as following (three dots on the line imply other options can be listed in the section as well).
293 Relevant part of ```/etc/config/vpn-policy-routing```:
296 config vpn-policy-routing 'config'
297 list ignored_interface 'vpnserver'
301 option name 'OpenVPN Server'
302 option interface 'wan'
304 option src_port '1194'
305 option chain 'OUTPUT'
308 The network/firewall/openvpn settings are below.
310 Relevant part of ```/etc/config/network``` (**DO NOT** modify default OpenWrt network settings for neither ```wan``` nor ```lan```):
313 config interface 'vpnclient'
315 option ifname 'ovpnc0'
317 config interface 'vpnserver'
319 option ifname 'ovpns0'
323 Relevant part of ```/etc/config/firewall``` (**DO NOT** modify default OpenWrt firewall settings for neither ```wan``` nor ```lan```):
327 option name 'vpnclient'
328 option network 'vpnclient'
329 option input 'REJECT'
330 option forward 'ACCEPT'
331 option output 'REJECT'
337 option dest 'vpnclient'
340 option name 'vpnserver'
341 option network 'vpnserver'
342 option input 'ACCEPT'
343 option forward 'REJECT'
344 option output 'ACCEPT'
348 option src 'vpnserver'
352 option src 'vpnserver'
356 option src 'vpnserver'
357 option dest 'vpnclient'
360 option name 'Allow-OpenVPN-Inbound'
361 option target 'ACCEPT'
364 option dest_port '1194'
367 Relevant part of ```/etc/config/openvpn```:
370 config openvpn 'vpnclient'
372 option dev_type 'tun'
375 option remote 'some.domain.com 1197' # DO NOT USE PORT 1194 for VPN Client
378 config openvpn 'vpnserver'
381 option server '192.168.200.0 255.255.255.0'
385 #### Local OpenVPN Server + OpenVPN Client (Scenario 2)
387 If the OpenVPN client is **not** used as default routing and you create policies to selectively use the OpenVPN client, make sure your settings are as following (three dots on the line imply other options can be listed in the section as well).
389 Relevant part of ```/etc/config/vpn-policy-routing```:
392 config vpn-policy-routing 'config'
393 list ignored_interface 'vpnserver'
394 option append_src_rules '! -d 192.168.200.0/24'
398 The network/firewall/openvpn settings are below.
400 Relevant part of ```/etc/config/network``` (**DO NOT** modify default OpenWrt network settings for neither ```wan``` nor ```lan```):
403 config interface 'vpnclient'
405 option ifname 'ovpnc0'
407 config interface 'vpnserver'
409 option ifname 'ovpns0'
413 Relevant part of ```/etc/config/firewall``` (**DO NOT** modify default OpenWrt firewall settings for neither ```wan``` nor ```lan```):
417 option name 'vpnclient'
418 option network 'vpnclient'
419 option input 'REJECT'
420 option forward 'ACCEPT'
421 option output 'REJECT'
427 option dest 'vpnclient'
430 option name 'vpnserver'
431 option network 'vpnserver'
432 option input 'ACCEPT'
433 option forward 'REJECT'
434 option output 'ACCEPT'
438 option src 'vpnserver'
442 option src 'vpnserver'
446 option src 'vpnserver'
447 option dest 'vpnclient'
450 option name 'Allow-OpenVPN-Inbound'
451 option target 'ACCEPT'
454 option dest_port '1194'
457 Relevant part of ```/etc/config/openvpn```:
460 config openvpn 'vpnclient'
462 option dev_type 'tun'
465 option remote 'some.domain.com 1197' # DO NOT USE PORT 1194 for VPN Client
466 list pull_filter 'ignore "redirect-gateway"' # for OpenVPN 2.4 and later
467 option route_nopull '1' # for OpenVPN earlier than 2.4
470 config openvpn 'vpnserver'
473 option server '192.168.200.0 255.255.255.0'
477 #### Local Wireguard Server + Wireguard Client (Scenario 1)
479 Yes, I'm aware that technically there are no clients nor servers in Wireguard, it's all peers, but for the sake of README readability I will use the terminology similar to the OpenVPN Server + Client setups.
481 If the Wireguard tunnel on your router is used as default routing (for the whole internet), make sure your settings are as following (three dots on the line imply other options can be listed in the section as well).
483 Relevant part of ```/etc/config/vpn-policy-routing```:
486 config vpn-policy-routing 'config'
487 list ignored_interface 'wgserver'
491 option name 'Wireguard Server'
492 option interface 'wan'
494 option src_port '61820'
495 option chain 'OUTPUT'
498 The recommended network/firewall settings are below.
500 Relevant part of ```/etc/config/network``` (**DO NOT** modify default OpenWrt network settings for neither ```wan``` nor ```lan```):
503 config interface 'wgclient'
504 option proto 'wireguard'
507 config wireguard_wgclient
508 list allowed_ips '0.0.0.0/0'
509 list allowed_ips '::0/0'
510 option endpoint_port '51820'
511 option route_allowed_ips '1'
514 config interface 'wgserver'
515 option proto 'wireguard'
516 option listen_port '61820'
517 list addresses '192.168.200.1'
520 config wireguard_wgserver
521 list allowed_ips '192.168.200.2/32'
522 option route_allowed_ips '1'
526 Relevant part of ```/etc/config/firewall``` (**DO NOT** modify default OpenWrt firewall settings for neither ```wan``` nor ```lan```):
530 option name 'wgclient'
531 option network 'wgclient'
532 option input 'REJECT'
533 option forward 'ACCEPT'
534 option output 'REJECT'
540 option dest 'wgclient'
543 option name 'wgserver'
544 option network 'wgserver'
545 option input 'ACCEPT'
546 option forward 'REJECT'
547 option output 'ACCEPT'
551 option src 'wgserver'
555 option src 'wgserver'
559 option src 'wgserver'
560 option dest 'wgclient'
563 option name 'Allow-WG-Inbound'
564 option target 'ACCEPT'
567 option dest_port '61820'
570 #### Local Wireguard Server + Wireguard Client (Scenario 2)
572 Yes, I'm aware that technically there are no clients nor servers in Wireguard, it's all peers, but for the sake of README readability I will use the terminology similar to the OpenVPN Server + Client setups.
574 If the Wireguard client is **not** used as default routing and you create policies to selectively use the Wireguard client, make sure your settings are as following (three dots on the line imply other options can be listed in the section as well).
576 Relevant part of ```/etc/config/vpn-policy-routing```:
579 config vpn-policy-routing 'config'
580 list ignored_interface 'wgserver'
581 option append_src_rules '! -d 192.168.200.0/24'
585 The recommended network/firewall settings are below.
587 Relevant part of ```/etc/config/network``` (**DO NOT** modify default OpenWrt network settings for neither ```wan``` nor ```lan```):
590 config interface 'wgclient'
591 option proto 'wireguard'
594 config wireguard_wgclient
595 list allowed_ips '0.0.0.0/0'
596 list allowed_ips '::0/0'
597 option endpoint_port '51820'
600 config interface 'wgserver'
601 option proto 'wireguard'
602 option listen_port '61820'
603 list addresses '192.168.200.1/24'
606 config wireguard_wgserver
607 list allowed_ips '192.168.200.2/32'
608 option route_allowed_ips '1'
612 Relevant part of ```/etc/config/firewall``` (**DO NOT** modify default OpenWrt firewall settings for neither ```wan``` nor ```lan```):
616 option name 'wgclient'
617 option network 'wgclient'
618 option input 'REJECT'
619 option forward 'ACCEPT'
620 option output 'REJECT'
626 option dest 'wgclient'
629 option name 'wgserver'
630 option network 'wgserver'
631 option input 'ACCEPT'
632 option forward 'REJECT'
633 option output 'ACCEPT'
637 option src 'wgserver'
641 option src 'wgserver'
645 option src 'wgserver'
646 option dest 'wgclient'
649 option name 'Allow-WG-Inbound'
650 option target 'ACCEPT'
653 option dest_port '61820'
658 The following policy should route US Netflix traffic via WAN. For capturing international Netflix domain names, you can refer to the getdomainnames.sh-specific instructions on [GitHub](https://github.com/Xentrk/netflix-vpn-bypass/blob/master/README.md#ipset_netflix_domainssh)/[jsDelivr](https://cdn.jsdelivr.net/gh/Xentrk/openwrt_packages@master/netflix-vpn-bypass/README.md#ipset_netflix_domainssh) and don't forget to adjust them for OpenWrt. This may not work if Netflix changes things. For more reliable US Netflix routing you may want to consider using [custom user files](#custom-user-files).
662 option name 'Netflix Domains'
663 option interface 'wan'
664 option dest_addr 'amazonaws.com netflix.com nflxext.com nflximg.net nflxso.net nflxvideo.net dvd.netflix.com'
667 #### Example Custom User Files Includes
671 option path '/etc/vpn-policy-routing.netflix.user'
674 option path '/etc/vpn-policy-routing.aws.user'
677 #### Basic OpenVPN Client Config
679 There are multiple guides online on how to configure the OpenVPN client on OpenWrt "the easy way", and they usually result either in a kill-switch configuration or configuration where the OpenVPN tunnel cannot be properly (and separately from WAN) routed, either way, incompatible with the VPN Policy-Based Routing.
681 Below is the sample OpenVPN client configuration for OpenWrt which is guaranteed to work. If you have already deviated from the instructions below (ie: made any changes to any of the ```wan``` or ```lan``` configurations in either ```/etc/config/network``` or ```/etc/config/firewall```), you will need to start from scratch with a fresh OpenWrt install.
683 Relevant part of ```/etc/config/vpn-policy-routing```:
686 config vpn-policy-routing 'config'
687 list supported_interface 'vpnc'
691 The recommended network/firewall settings are below.
693 Relevant part of ```/etc/config/network``` (**DO NOT** modify default OpenWrt network settings for neither ```wan``` nor ```lan```):
696 config interface 'vpnc'
698 option ifname 'ovpnc0'
701 Relevant part of ```/etc/config/firewall``` (**DO NOT** modify default OpenWrt firewall settings for neither ```wan``` nor ```lan```):
706 option network 'vpnc'
707 option input 'REJECT'
708 option forward 'REJECT'
709 option output 'ACCEPT'
718 If you have a Guest Network, add the following to the ```/etc/config/firewall```:
726 Relevant part of ```/etc/config/openvpn``` (configure the rest of the client connection for your specifics by either referring to an existing ```.ovpn``` file or thru the OpenWrt uci settings):
729 config openvpn 'vpnc'
732 option dev_type 'tun'
737 ## Footnotes/Known Issues
739 1. <a name="footnote1"> </a> See [note about multiple OpenVPN clients](#multiple-openvpn-clients).
741 2. <a name="footnote2"> </a> If your ```OpenVPN``` interface has the device name different from tun\* or tap\*, is not up and is not explicitly listed in ```supported_interface``` option, it may not be available in the policies ```Interface``` drop-down within WebUI.
743 3. <a name="footnote3"> </a> If your default routing is set to the VPN tunnel, then the true WAN interface cannot be discovered using OpenWrt built-in functions, so service will assume your network interface ending with or starting with ```wan``` is the true WAN interface.
745 4. <a name="footnote4"> </a> The service does **NOT** support the "killswitch" router mode (where if you stop the VPN tunnel, you have no internet connection). For proper operation, leave all the default OpenWrt ```network``` and ```firewall``` settings for ```lan``` and ```wan``` intact.
747 5. <a name="footnote5"> </a> When using the ```dnsmasq.ipset``` option, please make sure to flush the DNS cache of the local devices, otherwise domain policies may not work until you do. If you're not sure how to flush the DNS cache (or if the device/OS doesn't offer an option to flush its DNS cache), reboot your local devices when starting to use the service and/or when connecting data-capable device to your WiFi.
749 6. <a name="footnote6"> </a> When using the policies targeting physical devices, make sure you have the following packages installed: ```kmod-br-netfilter```, ```kmod-ipt-physdev``` and ```iptables-mod-physdev```.
751 ### Multiple OpenVPN Clients
753 If you use multiple OpenVPN clients on your router, the order in which their devices are named (tun0, tun1, etc) is not guaranteed by OpenWrt/LEDE Project. The following settings are recommended in this case.
755 For ```/etc/config/network```:
758 config interface 'vpnclient0'
760 option ifname 'ovpnc0'
762 config interface 'vpnclient1'
764 option ifname 'ovpnc1'
767 For ```/etc/config/openvpn```:
770 config openvpn 'vpnclient0'
772 option dev_type 'tun'
776 config openvpn 'vpnclient1'
778 option dev_type 'tun'
783 For ```/etc/config/vpn-policy-routing```:
786 config vpn-policy-routing 'config'
787 list supported_interface 'vpnclient0 vpnclient1'
791 ### A Word About Default Routing
793 Service does not alter the default routing. Depending on your VPN tunnel settings (and settings of the VPN server you are connecting to), the default routing might be set to go via WAN or via VPN tunnel. This service affects only routing of the traffic matching the policies. If you want to override default routing, follow the instructions below.
795 #### OpenVPN tunnel configured via uci (/etc/config/openvpn)
797 Set the following to the appropriate section of your ```/etc/config/openvpn```:
799 - For OpenVPN 2.4 and newer client config:
802 list pull_filter 'ignore "redirect-gateway"'
805 - For OpenVPN 2.3 and older client config:
808 option route_nopull '1'
811 - For your Wireguard (client) config:
814 option route_allowed_ips '0'
817 #### OpenVPN tunnel configured with .ovpn file
819 Set the following to the appropriate section of your ```.ovpn``` file:
821 - For OpenVPN 2.4 and newer client ```.ovpn``` file:
824 pull_filter 'ignore "redirect-gateway"'
827 - For OpenVPN 2.3 and older client ```.ovpn``` file:
833 #### Wireguard tunnel
835 - For your Wireguard (client) config:
838 option route_allowed_ips '0'
841 - Routing Wireguard traffic may require setting `net.ipv4.conf.wg0.rp_filter = 2` in `/etc/sysctl.conf`. Please refer to [issue #41](https://github.com/stangri/openwrt_packages/issues/41) for more details.
843 ### A Word About HTTP/3 (QUICK)
845 If you want to target traffic using HTTP/3 protocol, you can use the ```AUTO``` as the protocol (the policy will be either protocol-agnostic or ```TCP/UDP```) or explicitly use ```UDP``` as a protocol.
847 ### A Word About DNS-over-HTTPS
849 Some browsers, like [Mozilla Firefox](https://support.mozilla.org/en-US/kb/firefox-dns-over-https#w_about-dns-over-https) or [Google Chrome/Chromium](https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html) have [DNS-over-HTTPS proxy](https://en.wikipedia.org/wiki/DNS_over_HTTPS) built-in. Their requests to web-sites cannot be affected if the ```dnsmasq.ipset``` is set for the ```dest_ipset``` option. To fix this, you can try either of the following:
851 1. Disable the DNS-over-HTTPS support in your browser and use the OpenWrt's ```net/https-dns-proxy``` (README on [GitHub](https://github.com/openwrt/packages/tree/master/net/https-dns-proxy)/[jsDelivr](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/https-dns-proxy/files/README.md)) package with optional ```https-dns-proxy``` WebUI/luci app. You can then continue to use ```dnsmasq.ipset``` setting for the ```dest_ipset``` in VPN Policy Routing.
853 2. Continue using DNS-over-HTTPS in your browser (which, by the way, also limits your options for router-level AdBlocking as described in ```dnsmasq.ipset``` option description here of ```net/simple-adblock``` README on [GitHub](https://github.com/openwrt/packages/tree/master/net/simple-adblock/files#dns-resolution-option)/[jsDelivr](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/simple-adblock/files/README.md#dns-resolution-option)), you than would either have to disable the ```dest_ipset``` or switch it to ```ipset```. Please note, you will lose all the benefits of [```dnsmasq.ipset```](#use-dnsmasq-ipset) option.
855 ### A Word About Cloudflare's 1.1.1.1 App
857 Cloudflare has released an app for [iOS](https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627) and [Android](https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone), which can also be configured to route traffic thru their own VPN tunnel (WARP+).
859 If you use Cloudlfare's VPN tunnel (WARP+), none of the policies you set up with the VPN Policy Routing will take effect on your mobile device. Disable WARP+ for your home WiFi to keep VPN Policy Routing affecting your mobile device.
861 If you just use the private DNS queries (WARP), [A Word About DNS-over-HTTPS](#a-word-about-DNS-over-HTTPS) applies. You can also disable WARP for your home WiFi to keep VPN Policy Routing affecting your mobile device.
865 Please head to [OpenWrt Forum](https://forum.openwrt.org/t/vpn-policy-based-routing-web-ui-discussion/10389) for discussions of this service.
869 If things are not working as intended, please include the following in your post:
871 - content of ```/etc/config/dhcp```
872 - content of ```/etc/config/firewall```
873 - content of ```/etc/config/network```
874 - content of ```/etc/config/vpn-policy-routing```
875 - the output of ```/etc/init.d/vpn-policy-routing support```
876 - the output of ```/etc/init.d/vpn-policy-routing reload``` with verbosity setting set to 2
878 If you don't want to post the ```/etc/init.d/vpn-policy-routing support``` output in a public forum, there's a way to have the support details automatically uploaded to my account at paste.ee by running: ```/etc/init.d/vpn-policy-routing support -p```. You need to have the following packages installed to enable paste.ee upload functionality: ```curl libopenssl ca-bundle```.
880 WARNING: while paste.ee uploads are unlisted/not indexed at the web-site, they are still publicly available.
884 I'd like to thank everyone who helped create, test and troubleshoot this service. Without contributions from [@hnyman](https://github.com/hnyman), [@dibdot](https://github.com/dibdot), [@danrl](https://github.com/danrl), [@tohojo](https://github.com/tohojo), [@cybrnook](https://github.com/cybrnook), [@nidstigator](https://github.com/nidstigator), [@AndreBL](https://github.com/AndreBL), [@dz0ny](https://github.com/dz0ny), rigorous testing/bugreporting by [@dziny](https://github.com/dziny), [@bluenote73](https://github.com/bluenote73), [@buckaroo](https://github.com/pgera), [@Alexander-r](https://github.com/Alexander-r), [n8v8R](https://github.com/n8v8R), [psherman](https://forum.openwrt.org/u/psherman), [@Vale-max](https://github.com/Vale-max), multiple contributions from [dl12345](https://github.com/dl12345) and [trendy](https://forum.openwrt.org/u/trendy) and feedback from other OpenWrt users it wouldn't have been possible. Wireguard/IPv6 support is courtesy of [Mullvad](https://www.mullvad.net) and [IVPN](https://www.ivpn.net/).