Closed. bluewalk closed this issue 3 years ago.
Looks like issue #88 is on the right track; has there been progress on including this in udm-utilities?
I'm pretty new to Linux networking configuration, and very intrigued by this setup! Do you have (or know of) a guide for configuring PBR for specific IPs, VLANs, or ports+protocols?
SturdyErde, I don't have a guide, but I do have a fully functional PBR VPN script for UDM/P here that uses the built-in openvpn. It supports forcing by IP, VLAN, ports, etc. You can look at how the script is made if you want to learn how it's done.
Basically it's really simple: (1) Mark your packets from specific sources with a fwmark with iptables, (2) Add an ip rule to route this fwmark to a custom routing table, and (3) Add the VPN routes to the custom routing table.
bluewalk, the OS removes custom ip rules when the lease/IP changes. You can just run a script to watch the ip rule and re-add it, as was done in the PR you linked. In my PBR script, I just poll every second to re-add the rule if it's missing, and there isn't any additional CPU usage, so polling isn't an issue.
@SturdyErde I'm basically doing the same as @peacey described above. I create a chain to exclude all private IPs and mark the ones going out to 0.0.0.0/0. With an ip rule I route traffic with that mark to my wireguard VM that runs the connection to nordvpn. His script has all the info you need to set it up easily 👍
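The three steps peacey lists (mark with iptables, ip rule for the mark, routes in a custom table) and the one-second re-add loop, written out as a small POSIX shell script. This is an added example, not peacey's script and not code from the PR linked above. The fwmark value 100 and the table name nordvpn are taken from the issue; the chain name PBR_VPN, the LAN bridge br10, the VPN next hop 10.0.5.2 and the rt_tables id 100 are placeholders assumed for illustration. Without arguments it only prints the commands it would run, so it can be reviewed on any host.

```shell
#!/bin/sh
# Added example (not from the thread or from any linked repo): policy-based
# routing of non-private traffic through a VPN table, plus a watcher that
# re-adds the ip rule whenever the OS drops it after a lease/IP change.

MARK=100                 # fwmark from the issue; must not collide with marks the OS already sets
TABLE=nordvpn            # routing table name from the issue
TABLE_ID=100             # assumed numeric id for the /etc/iproute2/rt_tables entry
VPN_GW=10.0.5.2          # assumed next hop: the VM/peer that carries the tunnel
LAN_IF=br10              # assumed bridge of the VLAN whose clients should use the VPN
CHAIN=PBR_VPN            # assumed name of the mangle chain

# Default is a dry run that prints each command; "apply" and "watch" execute them.
DRY_RUN=${DRY_RUN:-1}

run() {                  # execute a command, or print it in dry-run mode
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
have() {                 # succeed if the probe command succeeds; nothing "exists" in a dry run
    [ "$DRY_RUN" = 1 ] && return 1
    "$@" >/dev/null 2>&1
}

install_table_name() {   # step 0: let "table nordvpn" resolve (ip(8) needs an rt_tables entry)
    have grep -q "[[:space:]]$TABLE\$" /etc/iproute2/rt_tables ||
        run sh -c "echo '$TABLE_ID $TABLE' >> /etc/iproute2/rt_tables"
}

add_rule() {             # append a mangle rule only if an identical one is not already present
    have iptables -t mangle -C "$@" || run iptables -t mangle -A "$@"
}

install_marking() {      # step 1: mark LAN packets headed for non-private destinations
    have iptables -t mangle -S "$CHAIN" || run iptables -t mangle -N "$CHAIN"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 224.0.0.0/4; do
        add_rule "$CHAIN" -d "$net" -j RETURN       # private/local: stay on the main table
    done
    add_rule "$CHAIN" -j MARK --set-mark "$MARK"    # everything else: mark for the VPN table
    add_rule PREROUTING -i "$LAN_IF" -j "$CHAIN"    # PREROUTING so the mark exists before routing
}

rule_pattern() {         # how "ip rule show" prints our rule (mark in hex, table by name)
    printf 'fwmark 0x%x lookup %s' "$MARK" "$TABLE"
}
rule_present() {
    [ "$DRY_RUN" = 1 ] && return 1
    ip rule show 2>/dev/null | grep -q "$(rule_pattern)"
}
ensure_rule() {          # step 2: the rule the OS deletes on a lease change; re-add if missing
    rule_present || run ip rule add fwmark "$MARK" table "$TABLE"
}

install_routes() {       # step 3: the custom table only needs a default route via the VPN hop
    run ip route replace default via "$VPN_GW" table "$TABLE"
}

watch_rule() {           # poll once a second and re-add the rule whenever it disappears
    while :; do ensure_rule; sleep 1; done
}

case "${1:-plan}" in
    plan)  DRY_RUN=1; install_table_name; install_marking; ensure_rule; install_routes ;;
    apply) DRY_RUN=0; install_table_name; install_marking; ensure_rule; install_routes ;;
    watch) DRY_RUN=0; watch_rule ;;
    *)     echo "usage: $0 [plan|apply|watch]" >&2; exit 2 ;;
esac
```

Run `plan` first to see the exact commands, `apply` from the on-boot script, and `watch` in the background (or as a systemd/udm-utilities service) for the re-add loop; `ip rule show | grep fwmark` after a lease renewal shows whether the rule survived. Two caveats that are independent of this thread: a fwmark that some other rule on the box already uses will silently hijack or lose traffic, so check `iptables -t mangle -S` before picking one; and with return traffic arriving on the VPN interface while the main table points the other way, a strict rp_filter on the interfaces involved drops the replies, which looks like "the rule is there but nothing works".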
@peacey Ah, so that's the reason why it happens, a lease renew from my provider. I had a look at your repo and I'm definitely gonna borrow some stuff from your updown.sh script :)
There's a lot there that I will need to assimilate through my learning engine, but definitely looks like it's worth the time! Thanks for sharing your script.
First of all, nice job with on-boot-script. Made my UDM Pro work the same as my USG4 did with redirecting DNS+NTP and nordvpn rerouting.
Speaking of the latter, I have an iptables chain set up to mark outgoing traffic to non-internal IPs, which is then used with PBR through my nordvpn gateway (ip rule add fwmark 100 table nordvpn). This works perfectly. But today it suddenly stopped working; after checking, the iptables rules are still there, the routes in the table are still there, but the rule was gone. After searching I found:
How would one make the ip rule "persistent"? on-boot-script does not execute after every change, I think?
Cheers