2 WAN + 1 Wireguard server instance

Hi guys, asking for your support. I'm struggling with a multi-WAN setup:

  • WAN connected to 1 LAN port
      ◦ VLAN 31 -> DHCP (WAN1, NAT)
      ◦ VLAN 31 -> PPPoE (WAN2, public IP)

I would like to have:

  • WAN1 as common default gateway
  • WAN2 for Wireguard server on public IP

By now both WANs are configured as default gateways with different metrics (WAN1 metric 10 / WAN2 metric 20).

Issue:

  • no WireGuard handshake on WAN2 (public IP) -> if WAN1 is disabled, everything works as expected
  • data is received by the WG instance, no response to the client
  • only a routing issue; the firewall isn't an issue (already double-checked)

I tried the following without any positive effect:

  • PBR
  • MWAN3 (port based route WAN2, WAN1 default)
  • tunlink (linked to PPPOE interface)
  • firewall marking inbound -> IPv4 routing rule based on FW mark

If you need wan2 only as a WireGuard endpoint, then you only need an IP rule to route the return traffic back to the wan2 default gateway.

# mark the WireGuard server's replies (UDP source port = listen port)
uci add firewall rule
uci set firewall.@rule[-1].name='wg-mark'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src_port='51820'
uci set firewall.@rule[-1].target='MARK'
uci set firewall.@rule[-1].set_mark='123'

# default route via wan2 in a dedicated table, selected by the mark
uci add network route
uci set network.@route[-1].interface='wan2'
uci set network.@route[-1].target='0.0.0.0/0'
uci set network.@route[-1].table='123'
uci add network rule
uci set network.@rule[-1].lookup='123'
uci set network.@rule[-1].mark='0x123'
uci commit

Adapt the WireGuard port and change the routing table number and mark if you prefer.
Then reboot to apply all the changes and test.

2 Likes

Thanks for the quick reply.
For understanding: are the incoming WAN packets marked, or the outgoing ones from WireGuard?

The proposed config didn't solve the issue.

Another thought: I'm using a WireGuard client in parallel (standard port 51820, whereas the server uses a different UDP port).

The funny part: since I blocked incoming and outgoing traffic related to the WAN2 interface, the WireGuard client seems to redirect traffic to WAN2, but I don't see the server's outbound packets being blocked.

WireGuard server traffic must use the same route back as it came in on.

Assuming it comes in via WAN2, then make a table with a default route via WAN2:

config route
	option interface 'wan2'
	option table '123'
	option target '0.0.0.0/0'

Then the WireGuard server listen port number is used as source port to route traffic using table 123.
Unfortunately netifd does not know how to handle source or destination ports; the PR I made to do that is still pending, so you either mark traffic as @trendy pointed out (but I think the firewall traffic rule to mark sport with the fwmark 0x123 is missing?) or do what I do and just add the rules:

ip rule del sport <listen-port-wg-server> table 123
ip rule add sport <listen-port-wg-server> table 123
1 Like

What @trendy suggested should work with some minor changes.

  1. Set the fwmark to 0x123 because fw4 will convert it to hexadecimal 0x7b.
uci add firewall rule
uci set firewall.@rule[-1].name='wg-mark'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src_port='51820'
uci set firewall.@rule[-1].target='MARK'
uci set firewall.@rule[-1].set_mark='0x123'
  2. Set a next hop in the routing rule.
uci add network route
uci set network.@route[-1].interface='wan2'
uci set network.@route[-1].target='0.0.0.0/0'
uci set network.@route[-1].gateway='A.B.C.D' # ISP default gateway
uci set network.@route[-1].table='123'
3 Likes

Marking the packets didn't work out after several tries. The hexadecimal conversion is clear.

However, adding the ip rule worked out from scratch:

ip rule add sport <listen-port-wg-server> table 116

0:      from all lookup local
0:      from all sport 51820 lookup 116
1:      from all fwmark 0x74 lookup 116
32766:  from all lookup main
32767:  from all lookup default

Is the IP rule persistent and covered by the OpenWrt config? Most probably not.

No, it is not. You can add it to Startup/Local startup; then at least it is added on startup, but it is better to make a hotplug script for an interface.

If my PR had been accepted, then you could make a persistent routing rule which does exactly what you are now doing manually, e.g.:

config rule
	# for source port
	option sport '51820'
	option lookup '116'

But until then we have to make do with what we have got.

I added the PR to my own build and I am actually using it 🙂

2 Likes

For a hotplug script have a look at:
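An added example, not posted by anyone in this thread: a hotplug script of the kind recommended in the reply above, which re-installs the source-port rule each time wan2 comes up so it survives reboots and removes it on ifdown. The file name 99-wg-sport, the interface name wan2, port 51820 and table 116 are assumptions taken from the values used above; the IP variable exists only so the logic can be dry-run with IP=echo.

```shell
#!/bin/sh
# /etc/hotplug.d/iface/99-wg-sport   (file name is an assumption)
#
# netifd runs every script in /etc/hotplug.d/iface/ with $ACTION (ifup,
# ifdown, ...) and $INTERFACE set. Re-installing the source-port rule on
# each ifup of wan2 keeps the WireGuard server's replies on the WAN the
# handshake arrived on, and survives reboots unlike a manual "ip rule add".
#
# Assumed values (adjust to your setup): logical interface, WG listen port,
# routing table number that holds the wan2 default route.
WG_IFACE="${WG_IFACE:-wan2}"
WG_SPORT="${WG_SPORT:-51820}"
WG_TABLE="${WG_TABLE:-116}"
# Command used for rule changes; set IP=echo to dry-run the logic.
IP="${IP:-ip}"

# Install the rule idempotently: "ip rule add" happily stacks duplicates,
# so delete any existing copy first (ignoring "no such rule" on first run).
apply_wg_sport_rule() {
    port=$1
    table=$2
    $IP rule del sport "$port" table "$table" 2>/dev/null || :
    $IP rule add sport "$port" table "$table"
}

# Tidy up on ifdown. netifd removes the table's route anyway, so this only
# keeps the rule list in sync with the interface state.
remove_wg_sport_rule() {
    $IP rule del sport "$1" table "$2" 2>/dev/null || :
}

# Hotplug entry point: only react to our interface, ignore everything else.
case "${ACTION:-}" in
    ifup)
        if [ "${INTERFACE:-}" = "$WG_IFACE" ]; then
            apply_wg_sport_rule "$WG_SPORT" "$WG_TABLE"
        fi
        ;;
    ifdown)
        if [ "${INTERFACE:-}" = "$WG_IFACE" ]; then
            remove_wg_sport_rule "$WG_SPORT" "$WG_TABLE"
        fi
        ;;
esac
```

After the next ifup of wan2, `ip rule show` should list the `from all sport 51820 lookup 116` entry exactly as in the output above.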
