Browse Source

Merge pull request #12069 from stangri/master-vpn-policy-routing

vpn-policy-routing: bugfix: remove non-ASCII from log; update README
lilik-openwrt-22.03
Rosen Penev 5 years ago
committed by GitHub
parent
commit
d654eedc8f
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 85 additions and 46 deletions
  1. +1
    -1
      net/vpn-policy-routing/Makefile
  2. +44
    -16
      net/vpn-policy-routing/files/README.md
  3. +40
    -29
      net/vpn-policy-routing/files/vpn-policy-routing.init

+ 1
- 1
net/vpn-policy-routing/Makefile View File

@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=vpn-policy-routing
PKG_VERSION:=0.2.1
PKG_RELEASE:=7
PKG_RELEASE:=9
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Stan Grishin <stangri@melmac.net>


+ 44
- 16
net/vpn-policy-routing/files/README.md View File

@ -2,7 +2,7 @@
## Description
This service allows you to define rules (policies) for routing traffic via WAN or your L2TP, Openconnect, OpenVPN, PPTP or Wireguard tunnels. Policies can be set based on any combination of local/remote ports, local/remote IPv4 or IPv6 addresses/subnets or domains. This service supersedes the [VPN Bypass](https://github.com/openwrt/packages/blob/master/net/vpnbypass/files/README.md) service, by supporting IPv6 and by allowing you to set explicit rules not just for WAN interface (bypassing OpenVPN tunnel), but for L2TP, Openconnect, OpenVPN, PPTP and Wireguard tunnels as well.
This service allows you to define rules (policies) for routing traffic via WAN or your L2TP, Openconnect, OpenVPN, PPTP or Wireguard tunnels. Policies can be set based on any combination of local/remote ports, local/remote IPv4 or IPv6 addresses/subnets or domains. This service supersedes the ```VPN Bypass``` available on [GitHub](https://github.com/openwrt/packages/blob/master/net/vpnbypass/files/README.md)/[jsDelivr](https://cdn.jsdelivr.net/gh/openwrt/packages@master/net/vpnbypass/files/README.md) service, by supporting IPv6 and by allowing you to set explicit rules not just for WAN interface (bypassing OpenVPN tunnel), but for L2TP, Openconnect, OpenVPN, PPTP and Wireguard tunnels as well.
## Features
@ -56,25 +56,25 @@ Two example custom user-files are provided: ```/etc/vpn-policy-routing.aws.user`
## Screenshots (luci-app-vpn-policy-routing)
Service Status
![screenshot](https://raw.githubusercontent.com/stangri/openwrt_packages/master/screenshots/vpn-policy-routing/screenshot04-status.png "Service Status")
![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-status.png "Service Status")
Configuration - Basic Configuration
![screenshot](https://raw.githubusercontent.com/stangri/openwrt_packages/master/screenshots/vpn-policy-routing/screenshot04-config-basic.png "Basic Configuration")
![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-config-basic.png "Basic Configuration")
Configuration - Advanced Configuration
![screenshot](https://raw.githubusercontent.com/stangri/openwrt_packages/master/screenshots/vpn-policy-routing/screenshot04-config-advanced.png "Advanced Configuration")
![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-config-advanced.png "Advanced Configuration")
Configuration - WebUI Configuration
![screenshot](https://raw.githubusercontent.com/stangri/openwrt_packages/master/screenshots/vpn-policy-routing/screenshot04-config-webui.png "WebUI Configuration")
![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-config-webui.png "WebUI Configuration")
Policies
![screenshot](https://raw.githubusercontent.com/stangri/openwrt_packages/master/screenshots/vpn-policy-routing/screenshot04-policies.png "Policies")
![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-policies.png "Policies")
DSCP Tagging
![screenshot](https://raw.githubusercontent.com/stangri/openwrt_packages/master/screenshots/vpn-policy-routing/screenshot04-dscp.png "DSCP Tagging")
![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-dscp.png "DSCP Tagging")
Custom User File Includes
![screenshot](https://raw.githubusercontent.com/stangri/openwrt_packages/master/screenshots/vpn-policy-routing/screenshot04-userfiles.png "Custom User File Includes")
![screenshot](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/screenshots/vpn-policy-routing/screenshot04-userfiles.png "Custom User File Includes")
## How It Works
@ -105,7 +105,7 @@ opkg update
opkg install vpn-policy-routing luci-app-vpn-policy-routing
```
If these packages are not found in the official feed/repo for your version of OpenWrt/LEDE Project, you will need to [add a custom repo to your router](https://github.com/stangri/openwrt_packages/blob/master/README.md#on-your-router) first.
If these packages are not found in the official feed/repo for your version of OpenWrt/LEDE Project, you will need to add a custom repo to your router following instructions on [GitHub](https://github.com/stangri/openwrt_packages/blob/master/README.md#on-your-router)/[jsDelivr](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/README.md#on-your-router) first.
### Requirements
@ -647,7 +647,7 @@ config rule
#### Netflix Domains
The following policy should route US Netflix traffic via WAN. For capturing international Netflix domain names, you can refer to [these getdomainnames.sh-specific instructions](https://github.com/Xentrk/netflix-vpn-bypass#ipset_netflix_domainssh) and don't forget to adjust them for OpenWrt. This may not work if Netflix changes things. For more reliable US Netflix routing you may want to consider using [custom user files](#custom-user-files).
The following policy should route US Netflix traffic via WAN. For capturing international Netflix domain names, you can refer to the getdomainnames.sh-specific instructions on [GitHub](https://github.com/Xentrk/netflix-vpn-bypass/blob/master/README.md#ipset_netflix_domainssh)/[jsDelivr](https://cdn.jsdelivr.net/gh/Xentrk/openwrt_packages@master/netflix-vpn-bypass/README.md#ipset_netflix_domainssh) and don't forget to adjust them for OpenWrt. This may not work if Netflix changes things. For more reliable US Netflix routing you may want to consider using [custom user files](#custom-user-files).
```text
config policy
@ -780,8 +780,12 @@ config vpn-policy-routing 'config'
### A Word About Default Routing
Service does not alter the default routing. Depending on your VPN tunnel settings (and settings of the VPN server you are connecting to), the default routing might be set to go via WAN or via VPN tunnel. This service affects only routing of the traffic matching the policies. If you want to override default routing, set the following:
Service does not alter the default routing. Depending on your VPN tunnel settings (and settings of the VPN server you are connecting to), the default routing might be set to go via WAN or via VPN tunnel. This service affects only routing of the traffic matching the policies. If you want to override default routing, follow the instructions below.
#### OpenVPN tunnel configured via uci (/etc/config/openvpn)
Set the following to the appropriate section of your ```/etc/config/openvpn```:
- For OpenVPN 2.4 and newer client config:
```text
@ -800,7 +804,31 @@ Service does not alter the default routing. Depending on your VPN tunnel setting
option route_allowed_ips '0'
```
- Routing Wireguard traffic requires setting `rp_filter = 2`. Please refer to [issue #41](https://github.com/stangri/openwrt_packages/issues/41) for more details.
#### OpenVPN tunnel configured with .ovpn file
Set the following to the appropriate section of your ```.ovpn``` file:
- For OpenVPN 2.4 and newer client ```.ovpn``` file:
```text
pull_filter 'ignore "redirect-gateway"'
```
- For OpenVPN 2.3 and older client ```.ovpn``` file:
```text
route_nopull '1'
```
#### Wireguard tunnel
- For your Wireguard (client) config:
```text
option route_allowed_ips '0'
```
- Routing Wireguard traffic may require setting `net.ipv4.conf.wg0.rp_filter = 2` in `/etc/sysctl.conf`. Please refer to [issue #41](https://github.com/stangri/openwrt_packages/issues/41) for more details.
### A Word About HTTP/3 (QUICK)
@ -810,9 +838,9 @@ If you want to target traffic using HTTP/3 protocol, you can use the ```AUTO```
Some browsers, like [Mozilla Firefox](https://support.mozilla.org/en-US/kb/firefox-dns-over-https#w_about-dns-over-https) or [Google Chrome/Chromium](https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html) have [DNS-over-HTTPS proxy](https://en.wikipedia.org/wiki/DNS_over_HTTPS) built-in. Their requests to web-sites cannot be affected if the ```dnsmasq.ipset``` is set for the ```dest_ipset``` option. To fix this, you can try either of the following:
1. Disable the DNS-over-HTTPS support in your browser and use the OpenWrt's [net/https-dns-proxy](https://github.com/openwrt/packages/tree/master/net/https-dns-proxy) package with optional [https-dns-proxy luci app](https://github.com/openwrt/luci/tree/master/applications/luci-app-https_dns_proxy). You can then continue to use ```dnsmasq.ipset``` setting for the ```dest_ipset``` in VPN Policy Routing.
1. Disable the DNS-over-HTTPS support in your browser and use the OpenWrt's ```net/https-dns-proxy``` (README on [GitHub](https://github.com/openwrt/packages/tree/master/net/https-dns-proxy)/[jsDelivr](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/https-dns-proxy/files/README.md)) package with optional ```https-dns-proxy``` WebUI/luci app. You can then continue to use ```dnsmasq.ipset``` setting for the ```dest_ipset``` in VPN Policy Routing.
2. Continue using DNS-over-HTTPS in your browser (which, by the way, also limits your options for router-level AdBlocking as described [in ```dnsmasq.ipset``` option description here](https://github.com/openwrt/packages/tree/master/net/simple-adblock/files#dns-resolution-option)), you than would either have to disable the ```dest_ipset``` or switch it to ```ipset```. Please note, you will lose all the benefits of [```dnsmasq.ipset```](#use-dnsmasq-ipset) option.
2. Continue using DNS-over-HTTPS in your browser (which, by the way, also limits your options for router-level AdBlocking as described in ```dnsmasq.ipset``` option description here of ```net/simple-adblock``` README on [GitHub](https://github.com/openwrt/packages/tree/master/net/simple-adblock/files#dns-resolution-option)/[jsDelivr](https://cdn.jsdelivr.net/gh/stangri/openwrt_packages@master/simple-adblock/files/README.md#dns-resolution-option)), you than would either have to disable the ```dest_ipset``` or switch it to ```ipset```. Please note, you will lose all the benefits of [```dnsmasq.ipset```](#use-dnsmasq-ipset) option.
### A Word About Cloudflare's 1.1.1.1 App
@ -843,4 +871,4 @@ WARNING: while paste.ee uploads are unlisted/not indexed at the web-site, they a
## Thanks
I'd like to thank everyone who helped create, test and troubleshoot this service. Without contributions from [@hnyman](https://github.com/hnyman), [@dibdot](https://github.com/dibdot), [@danrl](https://github.com/danrl), [@tohojo](https://github.com/tohojo), [@cybrnook](https://github.com/cybrnook), [@nidstigator](https://github.com/nidstigator), [@AndreBL](https://github.com/AndreBL), [@dz0ny](https://github.com/dz0ny), rigorous testing/bugreporting by [@dziny](https://github.com/dziny), [@bluenote73](https://github.com/bluenote73), [@buckaroo](https://github.com/pgera), [@Alexander-r](https://github.com/Alexander-r), [n8v8R](https://github.com/n8v8R), [psherman](https://forum.openwrt.org/u/psherman), multiple contributions from [dl12345](https://github.com/dl12345), [trendy](https://forum.openwrt.org/u/trendy) and feedback from other OpenWrt users it wouldn't have been possible. Wireguard/IPv6 support is courtesy of [Mullvad](https://www.mullvad.net), [IVPN](https://www.ivpn.net/) and [WireVPN](https://www.wirevpn.net).
I'd like to thank everyone who helped create, test and troubleshoot this service. Without contributions from [@hnyman](https://github.com/hnyman), [@dibdot](https://github.com/dibdot), [@danrl](https://github.com/danrl), [@tohojo](https://github.com/tohojo), [@cybrnook](https://github.com/cybrnook), [@nidstigator](https://github.com/nidstigator), [@AndreBL](https://github.com/AndreBL), [@dz0ny](https://github.com/dz0ny), rigorous testing/bugreporting by [@dziny](https://github.com/dziny), [@bluenote73](https://github.com/bluenote73), [@buckaroo](https://github.com/pgera), [@Alexander-r](https://github.com/Alexander-r), [n8v8R](https://github.com/n8v8R), [psherman](https://forum.openwrt.org/u/psherman), multiple contributions from [dl12345](https://github.com/dl12345), [trendy](https://forum.openwrt.org/u/trendy) and feedback from other OpenWrt users it wouldn't have been possible. Wireguard/IPv6 support is courtesy of [Mullvad](https://www.mullvad.net) and [IVPN](https://www.ivpn.net/).

+ 40
- 29
net/vpn-policy-routing/files/vpn-policy-routing.init View File

@ -1,5 +1,5 @@
#!/bin/sh /etc/rc.common
# Copyright 2017-2019 Stan Grishin (stangri@melmac.net)
# Copyright 2017-2020 Stan Grishin (stangri@melmac.net)
# shellcheck disable=SC2039,SC1091,SC2018,SC2019
PKG_VERSION='dev-test'
@ -13,8 +13,7 @@ readonly __FAIL__='\033[0;31m[\xe2\x9c\x97]\033[0m'
readonly __PASS__='\033[0;33m[-]\033[0m'
readonly _ERROR_='\033[0;31mERROR\033[0m'
readonly _WARNING_='\033[0;33mWARNING\033[0m'
# readonly readmeURL="https://github.com/openwrt/packages/tree/master/net/vpn-policy-routing/files/README.md"
readonly readmeURL="https://github.com/stangri/openwrt_packages/blob/master/vpn-policy-routing/files/README.md"
readonly readmeURL="https://github.com/openwrt/packages/tree/master/net/vpn-policy-routing/files/README.md"
export EXTRA_COMMANDS='support'
export EXTRA_HELP=" support Generates output required to troubleshoot routing issues
@ -28,6 +27,7 @@ readonly serviceName="$packageName $PKG_VERSION"
readonly PID="/var/run/${packageName}.pid"
readonly dnsmasqFile="/var/dnsmasq.d/${packageName}"
readonly userFile="/etc/${packageName}.user"
readonly sharedMemoryOutput="/dev/shm/$packageName-output"
create_lock() { [ -e "$PID" ] && return 1; touch "$PID"; }
remove_lock() { [ -e "$PID" ] && rm -f "$PID"; }
trap remove_lock EXIT
@ -45,17 +45,19 @@ str_extras_to_space() { echo "$1" | tr ';{}' ' '; }
output() {
# Can take a single parameter (text) to be output at any verbosity
# Or target verbosity level and text to be output at specifc verbosity
local msg
local msg memmsg logmsg
if [ $# -ne 1 ]; then
if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi
fi
[ -t 1 ] && printf "%b" "$1"
msg="${1//$serviceName /service }";
if [ "$(printf "%b" "$msg" | wc -l)" -gt 0 ]; then
logger -t "${packageName:-service} [$$]" "$(printf "%b" "${logmsg}${msg}")"
logmsg=''
[ -s "$sharedMemoryOutput" ] && memmsg="$(cat "$sharedMemoryOutput")"
logmsg="$(printf "%b" "${memmsg}${msg}" | sed 's/\x1b\[[0-9;]*m//g')"
logger -t "${packageName:-service} [$$]" "$(printf "%b" "$logmsg")"
rm -f "$sharedMemoryOutput"
else
logmsg="${logmsg}${msg}"
printf "%b" "$msg" >> "$sharedMemoryOutput"
fi
}
is_installed() { [ -s "/usr/lib/opkg/info/${1}.control" ]; }
@ -243,6 +245,9 @@ ipt_cleanup() {
for i in PREROUTING FORWARD INPUT OUTPUT; do
while iptables -t mangle -D $i -m mark --mark 0x0/0xff0000 -j VPR_${i} >/dev/null 2>&1; do : ; done
done
for i in PREROUTING FORWARD INPUT OUTPUT; do
while iptables -t mangle -D $i -j VPR_${i} >/dev/null 2>&1; do : ; done
done
}
# shellcheck disable=SC2086
@ -313,7 +318,7 @@ insert_tor_policy() {
local comment="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto="$7" chain="${8:-PREROUTING}"
local mark=$(eval echo "\$mark_${iface//-/_}")
[ -z "$mark" ] && processPolicyError="${processPolicyError}${_ERROR_}: Unknown fw_mark for ${iface}##"
param="-t mangle $insertOption VPR_${chain} 1 -j MARK --set-xmark ${mark}/${fwMask}"
param="-t mangle $insertOption VPR_${chain} -j MARK --set-xmark ${mark}/${fwMask}"
[ -n "$laddr" ] && param="$param -s $laddr"
[ -n "$lport" ] && param="$param -p tcp -m multiport --sport ${lport//-/:}"
[ -n "$raddr" ] && param="$param -d $raddr"
@ -331,6 +336,9 @@ insert_policy() {
is_ipv6 "$raddr" && return 0
fi
if is_ipv4 "$laddr" && is_ipv6 "$raddr"; then return 0; fi
if is_ipv6 "$laddr" && is_ipv4 "$raddr"; then return 0; fi
if [ -z "$mark" ]; then
processPolicyError="${processPolicyError}${_ERROR_}: Unknown fw_mark for ${iface}##"
return 0
@ -597,19 +605,21 @@ table_create(){
fi
if [ -n "$remoteIpset" ]; then
if ips 'create' "${iface}" 'hash:net comment' && ips 'flush' "${iface}"; then
ipt -t mangle -I VPR_PREROUTING -m set --match-set "${iface}" dst $appendRemotePolicy -j MARK --set-xmark "${mark}/${fwMask}" || s=1
for i in PREROUTING FORWARD INPUT OUTPUT; do
ipt -t mangle -I VPR_${i} -m set --match-set "${iface}" dst -j MARK --set-xmark "${mark}/${fwMask}" || s=1
done
else
s=1
fi
fi
if [ "$localIpset" -ne 0 ]; then
if ips 'create' "${iface}_ip" 'hash:net comment' && ips 'flush' "${iface}_ip"; then
ipt -t mangle -I VPR_PREROUTING -m set --match-set "${iface}_ip" src $appendLocalPolicy -j MARK --set-mark "${mark}/${fwMask}" || s=1
ipt -t mangle -I VPR_PREROUTING -m set --match-set "${iface}_ip" src -j MARK --set-mark "${mark}/${fwMask}" || s=1
else
s=1
fi
if ips 'create' "${iface}_mac" 'hash:mac comment' && ips 'flush' "${iface}_mac"; then
ipt -t mangle -I VPR_PREROUTING -m set --match-set "${iface}_mac" src $appendLocalPolicy -j MARK --set-mark "${mark}/${fwMask}" || s=1
ipt -t mangle -I VPR_PREROUTING -m set --match-set "${iface}_mac" src -j MARK --set-mark "${mark}/${fwMask}" || s=1
else
s=1
fi
@ -781,7 +791,7 @@ start_service() {
for i in PREROUTING FORWARD INPUT OUTPUT; do
ipt -t mangle -N "VPR_${i}"
ipt -t mangle "$insertOption" "$i" -m mark --mark "0x00/${fwMask}" -j "VPR_${i}"
ipt -t mangle "$insertOption" "$i" -m mark --mark "0x0/${fwMask}" -j "VPR_${i}"
done
output 1 'Processing Interfaces '
@ -844,7 +854,7 @@ stop_service() {
if create_lock; then
load_package_config
for i in PREROUTING FORWARD INPUT OUTPUT; do
ipt -t mangle -D "${i}" -m mark --mark "0x00/${fwMask}" -j "VPR_${i}"
ipt -t mangle -D "${i}" -m mark --mark "0x0/${fwMask}" -j "VPR_${i}"
ipt -t mangle -F "VPR_${i}"; ipt -t mangle -X "VPR_${i}";
done
config_load 'network'; config_foreach process_interface 'interface' 'destroy'
@ -865,22 +875,23 @@ stop_service() {
# shellcheck disable=SC2119
service_triggers() {
local n
is_enabled || return 1
procd_open_validate
validate_config
validate_policy
validate_include
procd_close_validate
procd_add_reload_trigger 'firewall' 'openvpn' 'vpn-policy-routing'
procd_open_trigger
for n in $ifSupported; do procd_add_reload_interface_trigger "$n"; procd_add_interface_trigger "interface.*" "$n" /etc/init.d/${packageName} reload; done;
# output "$serviceName monitoring interfaces: $ifSupported\\n"; # output_okn;
# for n in $ifAll; do procd_add_reload_interface_trigger "$n"; procd_add_interface_trigger "interface.*" "$n" /etc/init.d/${packageName} reload; done;
# output "$serviceName monitoring ALL interfaces: $ifAll"; output_okn;
procd_close_trigger
local n
is_enabled || return 1
procd_open_validate
validate_config
validate_policy
validate_include
procd_close_validate
procd_add_reload_trigger 'firewall' 'openvpn' 'vpn-policy-routing'
procd_open_trigger
for n in $ifSupported; do procd_add_reload_interface_trigger "$n"; procd_add_interface_trigger "interface.*" "$n" /etc/init.d/${packageName} reload; done;
procd_close_trigger
if [ "$verbosity" -eq 2 ]; then
output "$serviceName monitoring interfaces: $ifSupported.\\n"
fi
}
input() { local data; while read -r data; do echo "$data" | tee -a /var/${packageName}-support; done; }


Loading…
Cancel
Save