Question regarding PBR order when setting up VPN Client

MvW (Guest):

For those who followed my previous adventures, I've set up one client, just to make sure that I'm not taking too big steps. Everything seems to work fine so far, but I just want to verify something.

I was wondering: when filling the PBR table, does the order matter? I've entered all clients, including the router and the AiMesh node, in order, so from the lowest last octet to the highest last octet. But I don't even know whether that's necessary. All clients specified are being directed to the WAN, including the router and the node. The list is closed with 192.x.x.0/24, to make sure everything else is directed towards the VPN.

And a last question: are these PBR rules stored in a file I can edit directly with nano (specifically if the order does matter)? Deleting the table almost completely every time because I forget one in the right order (yes, I have OCD*) is rather time consuming.

*No seriously, I do, I'm officially diagnosed


[Screenshot: ASUS Wireless Router RT-AC86U - OpenVPN Client Settings]
The order as specified in the list does NOT matter. It's an unordered list. What does matter is the network interface chosen. Those rules which specify the WAN always take precedence over those that specify the VPN.

So …

Code:
192.168.1.0/24 VPN
192.168.1.1 WAN

and …

Code:
192.168.1.1 WAN
192.168.1.0/24 VPN

… are exactly the same. Either way, 192.168.1.1 is going to get routed out the WAN since it has precedence based on network interface, NOT its ordering in the list.

When you add additional OpenVPN clients (2, 3, …), the low-numbered VPN clients take precedence over the higher-numbered VPN clients.

So you don't need to worry about how the lists are ordered, but more importantly which VPN client takes precedence over the other should there be any overlap/redundancy in your rules between multiple VPN clients.
 
P.S. If you want/need to verify any of this, you can use ssh to dump the ip rules created from your routing policy rules and see for yourself.

Code:
ip rule show

Low-numbered rules (left-most column) always take precedence over high-numbered rules in that dump. Each rule points to a particular routing table (main, ovpnc1, ovpnc2, etc.). And you can dump those as well using ssh.

Code:
ip route show table main
ip route show table ovpnc1
ip route show table ovpnc2
...

If you start rummaging through these data structures, a lot of this starts to make more sense, and it eliminates much of the mystery.
 
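The reply above makes two claims that are easy to check against the kernel's actual behaviour: rule precedence comes from the priority number in the left-hand column of `ip rule show`, not from the order rules were typed into the GUI, and when two rules both match a packet the lower-numbered one wins (WAN exceptions before VPN rules, client 1 before client 2). The script below is an added example, not code from the thread or from the Asuswrt-Merlin firmware. It parses a constructed `ip rule show` dump in the same "from X [to Y] lookup TABLE" shape, sorts by priority, and simulates which table a given source/destination pair lands in. The priority numbers, addresses and table layout in the sample are assumptions chosen to illustrate the point; compare them against your own router's `ip rule show` output over ssh rather than treating them as what Merlin actually installs.

```python
import ipaddress
import re

# Constructed sample of `ip rule show` output in the shape the reply describes
# (WAN exceptions pointing at "main", per-client VPN rules pointing at ovpncN).
# The priorities, addresses and which rules exist are assumptions for this
# example, not output copied from a real RT-AC86U.
SAMPLE_IP_RULE = """\
0:\tfrom all lookup local
10001:\tfrom 192.168.1.1 lookup main
10002:\tfrom 192.168.1.2 lookup main
10003:\tfrom 192.168.1.0/24 to 203.0.113.0/24 lookup main
10101:\tfrom 192.168.1.0/24 lookup ovpnc1
10201:\tfrom 192.168.1.0/24 lookup ovpnc2
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Handles the plain "from X [to Y] lookup T" form only; rules using fwmark,
# iif, oif or suppress_prefixlength are ignored by this parser.
RULE_RE = re.compile(
    r"^\s*(?P<prio>\d+):\s+from\s+(?P<src>\S+)"
    r"(?:\s+to\s+(?P<dst>\S+))?\s+lookup\s+(?P<table>\S+)"
)


def _net(token):
    """'all' (or a missing selector) matches every address; anything else is a prefix."""
    if token in (None, "all"):
        return None
    return ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    """Parse `ip rule show` text into rule dicts sorted by ascending priority.

    The sort is the whole point: the kernel walks rules by priority number,
    so the order the lines were printed in, or typed into the GUI, is irrelevant.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "prio": int(m.group("prio")),
            "src": _net(m.group("src")),
            "dst": _net(m.group("dst")),
            "table": m.group("table"),
        })
    return sorted(rules, key=lambda r: r["prio"])


def resolve(rules, src, dst="198.51.100.10"):
    """Return the first rule (lowest priority number) matching src -> dst.

    The "local" table only carries the router's own addresses, so for a
    non-local destination the kernel finds no route there and continues to
    the next rule; this simulation skips it for the same reason.
    """
    src_a = ipaddress.ip_address(src)
    dst_a = ipaddress.ip_address(dst)
    for r in rules:
        if r["table"] == "local":
            continue
        src_ok = r["src"] is None or src_a in r["src"]
        dst_ok = r["dst"] is None or dst_a in r["dst"]
        if src_ok and dst_ok:
            return r
    return None


def lookup_table(rules, src, dst="198.51.100.10"):
    """Name of the routing table that wins for this source/destination pair."""
    r = resolve(rules, src, dst)
    return None if r is None else r["table"]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_IP_RULE)
    for src, dst in [("192.168.1.1", "198.51.100.10"),
                     ("192.168.1.50", "198.51.100.10"),
                     ("192.168.1.50", "203.0.113.7")]:
        r = resolve(rules, src, dst)
        print(f"{src} -> {dst}: rule {r['prio']} -> table {r['table']}")
    # Feeding the same rules in reverse order changes nothing.
    shuffled = parse_rules("\n".join(reversed(SAMPLE_IP_RULE.splitlines())))
    print("order-independent:", lookup_table(shuffled, "192.168.1.1") == "main")
```

Two things the simulation deliberately simplifies: a real lookup also falls through to the next rule whenever the selected table has no route for the destination (the sample only models that for `local`), and it ignores rules keyed on fwmark or interface. To see the real thing, pair `ip rule show` with `ip route show table ovpnc1` as the reply suggests; the `0.0.0.0/0` route in each ovpncN table is what sends matched traffic into the tunnel, and `main` holds the WAN default route.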
From the wiki:
The "Iface" field (short for Interface) lets you determine if matching traffic should be sent through the VPN tunnel or through your regular Internet access (WAN). This allows you to define exceptions (WAN rules being processed before the VPN rules).
 