shinobu/router: Route select protocols directly
This commit is contained in:
parent
7a7b385b44
commit
642fea6b8e
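--- a/<nix-router-module-path-not-shown>
+++ b/<nix-router-module-path-not-shown>
@@ -122,7 +122,7 @@ in
 {
 routingPolicyRuleConfig = {
 Family = "both"; # default is only ipv4
-FirewallMark = 51820;
+FirewallMark = cfg.vpnBypassFwMark;
 InvertRule = "yes";
 Table = 51820;
 Priority = 10;
@@ -152,14 +152,6 @@ in
 Priority = 9;
 };
 }
-# VPN bypass
-{
-routingPolicyRuleConfig = {
-Family = "both"; # welcome in the year 2023, where ipv4 is the default
-FirewallMark = cfg.vpnBypassFwMark;
-Priority = 9;
-};
-}
 # plastic router
 {
 routingPolicyRuleConfig = {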
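Review bot: `Table = 51820` in the first hunk stays a bare number while the `FirewallMark` right above it moved to `cfg.vpnBypassFwMark`; the two used to share the value 51820, so a reader can no longer tell whether the table id is meant to track the mark or is independent of it. Binding it to a named option (a new option along the lines of `Table = cfg.vpnRoutingTable;`, or a `let` binding beside the ruleset) would make that explicit. With the priority-9 bypass rule removed, marked packets now rely solely on not matching the inverted priority-10 rule and falling through to the main table, which is fine but deserves a line on that rule: `# bypass-marked traffic fails this inverted match and is routed by the main table`. The enclosing routingPolicyRules list starts and ends outside these hunks.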
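--- a/<nix-passthru-file-path-not-shown>
+++ b/<nix-passthru-file-path-not-shown>
@@ -11,7 +11,8 @@ let
 } " = ";
 
 passthru = {
-WG_UPSTREAM_ENDPOINT = cfg.wg-upstream.endpoint.address;
+WG_UPSTREAM_ENDPOINT_ADDRESS = cfg.wg-upstream.endpoint.address;
+WG_UPSTREAM_ENDPOINT_PORT = cfg.wg-upstream.endpoint.port;
 VPN_BYPASS_MARK = cfg.vpnBypassFwMark;
 };
 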
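--- a/<nftables-ruleset-path-not-shown>
+++ b/<nftables-ruleset-path-not-shown>
@@ -2,9 +2,6 @@ define NAT_LAN_IFACES = { "br-lan" }
 define NAT_WAN_IFACES = { "wg-upstream" }
 define PHYSICAL_WAN = "enp1s0"
 define MASQUERADE_IFACES = { $NAT_WAN_IFACES, $PHYSICAL_WAN }
-define VUEKO_V4 = 168.119.176.53
-define VUEKO_V6 = 2a01:4f8:c012:2f4::1
-define VUEKO_PORT = 51820
 define PLASTIC_ROUTER_V4 = 192.168.0.1
 
 table inet filter {
@@ -61,8 +58,19 @@ table inet vpn-bypass {
 }
 
 chain common {
-ip daddr $VUEKO_V4 udp dport $VUEKO_PORT mark set $VPN_BYPASS_MARK counter
-ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set $VPN_BYPASS_MARK counter
+tcp dport {
+22, # SSH
+443, # HTTPS
+465, # SMTPS
+993, # IMAPS
+2022, # SSH
+2222, # SSH
+} mark set $VPN_BYPASS_MARK counter
+udp dport {
+1637, # wg
+51820, # wg
+64738, # mumble
+} mark set $VPN_BYPASS_MARK counter
 }
 }
 
@@ -96,7 +104,7 @@ table inet restrict-wan {
 
 # accept connections to selected endpoints
 # VPN (wg-upstream)
-oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT counter accept # only this is used
+oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT_ADDRESS udp dport $WG_UPSTREAM_ENDPOINT_PORT counter accept # only this is used
 # destinations configured in VPN bypass
 oifname $PHYSICAL_WAN mark $VPN_BYPASS_MARK counter accept
 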
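Review bot: The new `chain common` rules in the second hunk set the bypass mark on any TCP flow to 22/443/465/993/2022/2222 and any UDP flow to 1637/51820/64738 by destination port alone, and the restrict-wan rule at the end of the section then accepts everything carrying that mark out of `$PHYSICAL_WAN`; before this change the bypass was scoped to a single endpoint address and port. If `chain common` is also reached for forwarded LAN traffic (its hook registration is outside the hunk), every HTTPS and SSH connection from the LAN now leaves unencrypted via the physical WAN instead of the VPN, which is a policy decision worth writing down next to the chain: `# port-based bypass: all traffic to these ports exits via $PHYSICAL_WAN, not the VPN`. If only locally-originated traffic is meant to bypass, narrowing the match (for example with `ip saddr`/`iifname` on the router's own addresses, or keeping these rules in an output-hook chain only) would preserve the original scope.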