---
name: openwrt-vpn-routing
description: "Design and implement OpenWrt VPN routing with xray/sing-box/WireGuard/OpenVPN, DNS, split tunneling, GeoIP, ASN, and selective tunnel by destination IP. Use when: openwrt vpn routing, policy based routing, split tunneling openwrt, xray routing rules, sing-box route rules, geoip asn tunnel policy."
argument-hint: "Confirmed topology and tunnel policy from discovery stage"
---

# OpenWrt VPN Routing

Design and produce concrete configuration for advanced OpenWrt VPN routing.

## Inputs Required

- Discovery summary from `openwrt-network-discovery`
- Chosen VPN stack and endpoint details
- Explicit tunnel policy (IP/domain/GeoIP/ASN)

## Procedure

### Step 1 - Select Control Plane

Choose one primary routing controller:

- `pbr` package for policy-based routing
- native `ip rule` + custom routing tables
- service-level route control in xray/sing-box

Document why the selected approach fits the request.

### Step 2 - Build Tunnel and Interface Mapping

Define:

- tunnel interface lifecycle and startup order
- firewall zones and forwarding path
- metric priorities and failover behavior

### Step 3 - Implement Selective Routing

Implement selective tunnel behavior for:

- static destination IP sets
- domain groups resolved into nft/ipset targets
- GeoIP categories
- ASN-based destination grouping

Ensure LAN bypass and management-plane safety are explicit.

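A minimal static destination-IP instance of Step 3 using the native `ip rule` controller from Step 1, as an added example that is not part of the original skill: a dry-run generator that validates policy entries and prints an nftables table plus the matching `ip route`/`ip rule` commands. The interface `wg0`, table `100`, mark `0x100`, table name `vpn_policy` and the sample addresses are assumptions.

```sh
# Added example: dry-run generator for a destination-IP split tunnel.
# Assumed names, not from the page: wg0, table 100, mark 0x100, vpn_policy.
TUN_IF="wg0"; TUN_TABLE="100"; TUN_MARK="0x100"

# Accept only IPv4 with an optional /0-32 prefix, so a malformed policy
# entry cannot break or alter the generated ruleset.
is_v4_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(echo "${1%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Join validated entries into an nft element list; fail on the first bad one.
elements() {
    list=""
    for e in "$@"; do
        is_v4_cidr "$e" || { echo "invalid entry: $e" >&2; return 1; }
        list="${list:+$list, }$e"
    done
    echo "$list"
}

# $1 = tunnel destinations, $2 = bypass nets (LAN, management), space-separated.
# The bypass rule is emitted first so those destinations are never marked.
gen_nft() {
    tun=$(elements $1) || return 1
    byp=$(elements $2) || return 1
    [ -n "$tun" ] && [ -n "$byp" ] || { echo "empty set" >&2; return 1; }
    cat <<EOF
table inet vpn_policy {
  set bypass_v4 { type ipv4_addr; flags interval; elements = { $byp } }
  set tunnel_v4 { type ipv4_addr; flags interval; elements = { $tun } }
  chain prerouting {
    type filter hook prerouting priority mangle; policy accept;
    ip daddr @bypass_v4 return
    ip daddr @tunnel_v4 meta mark set $TUN_MARK
  }
}
EOF
}

# Marked traffic uses the tunnel table; the blackhole route drops it instead
# of letting it fall through to the WAN default when $TUN_IF is down.
gen_routes() {
    echo "ip route replace default dev $TUN_IF table $TUN_TABLE"
    echo "ip route replace blackhole default metric 65535 table $TUN_TABLE"
    echo "ip rule add fwmark $TUN_MARK lookup $TUN_TABLE priority 1000"
}
# Constructed sample policy (documentation ranges); output is for review only.
gen_nft "203.0.113.0/24 198.51.100.7" "192.168.1.0/24" && gen_routes
```

The prerouting hook marks only traffic entering the router from clients, not traffic the router itself originates. Review the printed output before loading it with `nft -f` and running the `ip` lines.
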
### Step 4 - Configure DNS Path

Set DNS so route policy and resolver path are consistent:

- resolver selection for tunneled and non-tunneled traffic
- anti-leak controls
- optional encrypted DNS

### Step 5 - Produce Config and Commands

Provide practical snippets for:

- `/etc/config/network`
- `/etc/config/firewall`
- `/etc/config/pbr` (if used)
- xray or sing-box route blocks
- validation commands

## Validation Checklist

- `ip rule show`
- `ip route show table `
- `nft list ruleset`
- test destination inside and outside tunnel policy
- DNS resolver path checks

## Output Format

```md
## VPN Routing Plan

### Architecture
- ...

### Config Snippets
- file: ...
- snippet: ...

### Apply Order
1. ...
2. ...
3. ...

### Validation
- ...
```