OpenWrt Forum Archive

Topic: OpenVPN Policy-Based Routing + Web UI -- testers needed

The content of this topic has been archived on 29 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

This thread is no longer monitored. Please ask any questions at https://forum.lede-project.org/t/openvp … eded/1422.

As the VPNBypass package was well received but was lacking ability to explicitly route specific traffic via OpenVPN tunnel instead of bypassing it, I've written a policy-based routing service.

Please make sure to go over README or at least its Known Issues section.

Both openvpn-policy-routing and luci-app-openvpn-policy-routing are available from my own repository: https://stangri.github.io/openwrt-repo/.

I'd welcome any feedback!

(Last edited by stangri on 10 May 2017, 07:16)

From version 3.0, openvpn-policy-routing supports multiple OpenVPN tunnels.

thanks. trying to install now, will report back

(Last edited by marktomlinson32 on 11 Feb 2017, 08:07)

From version 3.1 supports strict enforcement of policies when their gateway is down (resulting in network unreachable for affected policies).

Could be used if you want to ensure that the specific policy (I've only tested it with a single local IP) is routed thru specific gateway and has no connectivity when that gateway is down.

ok, so i have got it installed, but seem to have an issue..
for some reason  what ever combination of ip i put in for ip4/port based policies... it's coming up invalid and as such not saving.  for example.. 192.168.2.13
any ideas?

https://s8.postimg.org/58o18i0th/Capture.jpg

marktomlinson32 wrote:

ok, so i have got it installed, but seem to have an issue..
for some reason  what ever combination of ip i put in for ip4/port based policies... it's coming up invalid and as such not saving.  for example.. 192.168.2.13
any ideas?

Sorry about that, I was experimenting with datatypes and validation and accidentally pushed the ipk to github. Please redownload and force-reinstall it with:

opkg --force-reinstall install luci-app-openvpn-policy-routing_git-17.027.48745-f5461669a-1_all.ipk

PS. IPv6 is not working yet.

(Last edited by stangri on 23 Feb 2017, 08:25)

When doing an opkg update I get the following:

Downloading https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.gz.
Downloading https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.sig.
Signature check failed.

I'm running OpenWrt CC 15.05.1 and followed your instructions. Is there a problem with your build process? Any ideas? I'm excited to try your luci-app, the screenshots look like exactly what I'm looking for!

(Last edited by deese.john on 30 Mar 2017, 06:35)

Can you post commands and the output of:

echo -e -n 'untrusted comment: public key 7ffc7517c4cc0c56\nRWR//HUXxMwMVnx7fESOKO7x8XoW4/dRidJPjt91hAAU2L59mYvHy0Fa\n' > /tmp/stangri-repo.pub
opkg-key add /tmp/stangri-repo.pub

And then run opkg update again.

PS. I couldn't figure out why the forum software breaks the first line, it should all be one line:
echo -e -n 'untrusted comment: public key 7ffc7517c4cc0c56\nRWR//HUXxMwMVnx7fESOKO7x8XoW4/dRidJPjt91hAAU2L59mYvHy0Fa\n' > /tmp/stangri-repo.pub

(Last edited by stangri on 31 Mar 2017, 01:38)

EDIT: Resolved, appears to have been an issue with my VPN, turned off VPN and it worked after that. Leaving for just in case.

When trying to do the repo add, I get the following


Collected errors:
 * opkg_download: Failed to download https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.gz, wget returned 4.
 * opkg_download: Failed to download https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.sig, wget returned 4.

(Last edited by kocrachon on 31 Mar 2017, 02:48)

I am currently running into two issues. 1) I cannot get domain policy to work. and 2) I cannot get remote-port policy to work. If I do a policy on just an IP/IP range, it seems fine.

Version info

    root@OpenWrt:~# opkg list-installed | grep policy
    luci-app-openvpn-policy-routing - git-17.080.69173-773734e27-4
    openvpn-policy-routing - 4.1.4-21

For the domain policy

    opkg update; opkg remove dnsmasq; opkg install ipset iptables dnsmasq-full
    Package ipset (6.24-1) installed in root is up to date.
    Package iptables (1.4.21-2) installed in root is up to date.
    Package dnsmasq-full (2.76-1) installed in root is up to date.

I go to domains, and I have this as my "Domains Policies"

/whatismyipaddress.com/hulu.com/netflix.com/wanroute

Netflix still prevents me, and the whatiymyipaddress still shows my VPN IP.

As for my remote-port based policy.

Basically, I have remote ports 1001-65535 set to WAN for my local desktop. Some things, like EC2 instances, properly work with my WAN ip if I set my security group /firewall settings to allow my WAN IP. But stuff like Teamspeak and Steam, seem to still be using my VPN IP. I am not sure where this might be comming from.
One example, with my VPN on, my steam speeds are slow because of my VPN provider for whatever reason. It slowls builds up. But when I turn off my VPN, my speeds sky rocket. VPN provider issue aside, Steam is supposed to be using the following ports.

27000 through 27037

All of these should be included in my broad IP selection of 1001-65535 to WAN. So I am not sure what the issue is.

I also tried hosting a game server on port 2302, and when people connect, it shows them the VPN IP, so it seems my remote-port based routing is not working as intended?

    root@OpenWrt:~# opkg list_installed | grep dnsmasq
    dnsmasq-full - 2.76-1
    root@OpenWrt:~# grep ipset /etc/config/dhcp
            list ipset '/hulu.com/netflix.com/nhl.com/whatismyipaddress.com/wanroute'

openvpn-policy-routing file

    config openvpn-policy-routing 'config'
            option strict_enforcement '1'
            option verbosity '2'
            option enabled '1'

    config domain-policy
            list ipset '/hulu.com/netflix.com/wanroute'
            list ipset '/whatismyipaddress.com/wanroute'

    config policy
            option gateway 'wan'
            option comment 'FireTV'
            option local_addrs '192.168.1.150'

    config policy
            option gateway 'wan'
            option comment 'MyPC-WAN'
            option remote_ports '1001-65535'

My DHCP Config

    config dnsmasq
            option domainneeded '1'
            option boguspriv '1'
            option filterwin2k '0'
            option localise_queries '1'
            option rebind_protection '1'
            option rebind_localhost '1'
            option local '/lan/'
            option domain 'lan'
            option expandhosts '1'
            option nonegcache '0'
            option authoritative '1'
            option readethers '1'
            option leasefile '/tmp/dhcp.leases'
            option resolvfile '/tmp/resolv.conf.auto'
            option localservice '1'
            list ipset '/hulu.com/netflix.com/nhl.com/whatismyipaddress.com/wanroute'

    config dhcp 'lan'
            option interface 'lan'
            option start '100'
            option limit '150'
            option leasetime '12h'
            option dhcpv6 'server'
            option ra 'server'
            list dhcp_option '6,209.222.18.222,209.222.18.218'
            option ra_management '1'

    config dhcp 'wan'
            option interface 'wan'
            option ignore '1'

    config odhcpd 'odhcpd'
            option maindhcp '0'
            option leasefile '/tmp/hosts/odhcpd'
            option leasetrigger '/usr/sbin/odhcpd-update'

My DNSMasq config

    # auto-generated config file from /etc/config/dhcp
    conf-file=/etc/dnsmasq.conf
    dhcp-authoritative
    domain-needed
    localise-queries
    read-ethers
    bogus-priv
    expand-hosts
    local-service
    domain=lan
    server=/lan/
    ipset=/hulu.com/netflix.com/nhl.com/whatismyipaddress.com/wanroute
    dhcp-leasefile=/tmp/dhcp.leases
    resolv-file=/tmp/resolv.conf.auto
    stop-dns-rebind
    rebind-localhost-ok
    dhcp-broadcast=tag:needs-broadcast
    addn-hosts=/tmp/hosts
    conf-dir=/tmp/dnsmasq.d
    user=dnsmasq
    group=dnsmasq




    dhcp-range=lan,192.168.1.100,192.168.1.249,255.255.255.0,12h
    dhcp-option=lan,6,209.222.18.222,209.222.18.218
    no-dhcp-interface=br-wan

(Last edited by kocrachon on 31 Mar 2017, 05:20)

I've been doing it in one line, so I don't believe that is the problem.

root@OpenWrt:~# echo -e -n 'untrusted comment: public key 7ffc7517c4cc0c56\nRWR/
/HUXxMwMVnx7fESOKO7x8XoW4/dRidJPjt91hAAU2L59mYvHy0Fa\n' > /tmp/stangri-repo.pub
root@OpenWrt:~# opkg-key add /tmp/stangri-repo.pub
root@OpenWrt:~# opkg update
Downloading https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.gz.
Downloading https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.sig.
Signature check failed.
Remove wrong Signature file.

Here is the key

root@OpenWrt:~# cat /etc/opkg/keys/7ffc7517c4cc0c56
untrusted comment: public key 7ffc7517c4cc0c56
RWR//HUXxMwMVnx7fESOKO7x8XoW4/dRidJPjt91hAAU2L59mYvHy0Fa
deese.john wrote:

I've been doing it in one line, so I don't believe that is the problem.

root@OpenWrt:~# echo -e -n 'untrusted comment: public key 7ffc7517c4cc0c56\nRWR/
/HUXxMwMVnx7fESOKO7x8XoW4/dRidJPjt91hAAU2L59mYvHy0Fa\n' > /tmp/stangri-repo.pub
root@OpenWrt:~# opkg-key add /tmp/stangri-repo.pub
root@OpenWrt:~# opkg update
Downloading https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.gz.
Downloading https://raw.githubusercontent.com/stangri/openwrt-repo/master/Packages.sig.
Signature check failed.
Remove wrong Signature file.

Here is the key

root@OpenWrt:~# cat /etc/opkg/keys/7ffc7517c4cc0c56
untrusted comment: public key 7ffc7517c4cc0c56
RWR//HUXxMwMVnx7fESOKO7x8XoW4/dRidJPjt91hAAU2L59mYvHy0Fa

Khm, that's a pickle, let me consult with guru devs and get back to you.


@kocrachon -- let's continue that on LEDE forum.

deese.john wrote:

I've been doing it in one line, so I don't believe that is the problem.

While I'm trying to figure why OpenWrt errors out on the signature you can turn off signature verification by doing:

sed -i 's/option check_signature 1/option check_signature 0/' /etc/opkg.conf

(Last edited by stangri on 31 Mar 2017, 09:07)

I'm seeing the same error (Signature check failed.) using openwrt 15.05.  Tried to turn off signature checking.  Still an error.
FYI.  When I try to access /stangri/openwrt-repo/master from a browser, I get an error 400: Invalid request.

novowest wrote:

Tried to turn off signature checking.  Still an error.

What error? Can you post your /etc/opkg.conf?

novowest wrote:

FYI.  When I try to access /stangri/openwrt-repo/master from a browser, I get an error 400: Invalid request.

Probably because there's no /stangri/openwrt-repo/master on your computer?

The discussion might have continued from here.