Add interface to wireguard-client (mullvad); routing problem

Hello,

So I have a pretty standard OpenWrt setup:

  • Guest WiFi (can only access wan)
  • Wireguard VPN Server (can access lan and wan)
  • DMZ on one port (can only access wan, but accessible from lan)

I want to route all traffic from the DMZ (or guest) interface through a WireGuard client (provided by Mullvad). This works if I set the WireGuard peer to route all allowed IPs, but then none of the other devices have internet access. Can someone point me in the right direction on how to set up the routing?

/etc/config/network
# /etc/config/network as posted. Keys, the tunnel address and the Mullvad
# endpoint are redacted as 'XXX'.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Router ULA prefix; the ip6assign '64' options below hand out /64s from
# delegated prefixes (including this one) to the interfaces that carry them.
config globals 'globals'
	option ula_prefix 'fd92:bf32:6513::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'

# Main LAN: 10.153.200.0/24 on ports lan3 + lan4, IPv4 and IPv6.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.153.200.1'
	option ip6assign '64'

# Upstream. peerdns '0' ignores the ISP-supplied resolvers; Cloudflare is used instead.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option peerdns '0'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	option reqprefix '56'

# Guest network: 10.153.202.0/24 on port lan1, with an IPv6 /64 as well.
config interface 'GUEST'
	option proto 'static'
	option ipaddr '10.153.202.1'
	option netmask '255.255.255.0'
	option device 'br-guest'
	option ip6assign '64'
	option ip6hint 'abcd'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'lan1'

# Inbound WireGuard server (road-warrior clients). Listens on UDP 51820,
# which the 'Wireguard' rule in /etc/config/firewall opens from wan.
# Tunnel subnet 10.153.201.0/24, router is .1.
config interface 'VPN'
	option proto 'wireguard'
	option private_key 'XXX'
	list addresses '10.153.201.1/24'
	option listen_port '51820'

# Each client peer gets exactly one /32 of the tunnel subnet.
config wireguard_VPN
	option description 'iPhone'
	option public_key 'XXX'
	list allowed_ips '10.153.201.2/32'

config wireguard_VPN
	option description 'iPad'
	list allowed_ips '10.153.201.3/32'
	option public_key 'XXX'

config wireguard_VPN
	option description 'macbook'
	option public_key 'XXX'
	# NOTE(review): '/24' here looks like a typo for '/32' (the other peers use /32).
	# WireGuard's cryptokey routing lets this peer's key source - and receive -
	# every address in 10.153.201.0/24 that no other peer claims more specifically,
	# so one client key can claim the whole tunnel subnet.
	list allowed_ips '10.153.201.4/24'

# DMZ: 10.153.203.0/24 on port lan2, IPv4 only (no ip6assign).
config interface 'DMZ'
	option proto 'static'
	option ipaddr '10.153.203.1'
	option netmask '255.255.255.0'
	option device 'br-dmz'

config device
	option type 'bridge'
	option name 'br-dmz'
	list ports 'lan2'

# Outbound Mullvad client. auto '0': the interface is not started at boot
# and has to be brought up explicitly.
config interface 'mullvad'
	option proto 'wireguard'
	list addresses 'XXX'
	option force_link '1'
	option private_key 'XXX'
	option auto '0'

# No route_allowed_ips on this peer - deliberately. With allowed_ips 0.0.0.0/0
# that option would replace the router's default route and cut off every
# network that is not policy-routed into the tunnel (the symptom described
# above). Selected sources are steered into the tunnel with ip rules instead.
# NOTE(review): only 0.0.0.0/0 is listed. IPv6 from a source network that has
# an ip6assign (GUEST) would not enter the tunnel unless ::/0 is added and
# policy-routed too - confirm that is intended before routing guests this way.
config wireguard_mullvad
	option public_key 'XXX'
	option endpoint_host 'XXX'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'

/etc/config/firewall

# /etc/config/firewall as posted. Zone membership: lan + VPN -> 'lan',
# wan + wan6 -> 'wan', GUEST -> 'GuestZone', DMZ -> 'DMZ'. The 'mullvad'
# network is not a member of any zone in this listing (see the note at the
# DMZ -> wan forwarding at the end).
# Inter-zone traffic is rejected unless a 'forwarding' section allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Road-warrior WireGuard clients (network 'VPN') are full members of the lan zone.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'lan'
	list network 'VPN'
	option forward 'ACCEPT'

# Only wan/wan6 get source NAT and MSS clamping here.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt wan input/forward rules follow.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): the next two stock rules let ESP and UDP/500 from the Internet
# be forwarded to every lan host. The VPN in this setup is WireGuard, so unless
# some lan host terminates IPsec they are unused and can be removed.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest zone: router input rejected except the DHCP/DNS rule below; guests
# may only forward to wan.
config zone
	option name 'GuestZone'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'GUEST'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

# No 'dest', so this is router input; no 'proto', so the firewall default
# (tcp+udp) applies.
config rule
	option name 'Guest DHCP and DNS'
	option src 'GuestZone'
	option target 'ACCEPT'
	option dest_port '53 67 68 547'

# Same shape for the DMZ. Port 547 is absent, consistent with the DMZ
# interface being IPv4 only.
config rule
	option src 'DMZ'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option name 'DMZ DHCP and DNS'

# Exposes the WireGuard server port (listen_port 51820 of interface 'VPN') to
# the Internet.
config rule
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

# DMZ zone: router input rejected except DHCP/DNS; hosts in the zone cannot
# talk to each other through the router (forward REJECT).
config zone
	option name 'DMZ'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'DMZ'
	option input 'REJECT'

# Despite the name, no 'family' is set, so this accepts every ICMP type,
# IPv4 and IPv6, from guests to the router.
config rule
	option name 'Guest IPv6 ICMP input'
	list proto 'icmp'
	option src 'GuestZone'
	option target 'ACCEPT'

# lan may initiate connections into the DMZ. There is no DMZ -> lan
# forwarding, so only replies flow back the other way.
config forwarding
	option src 'lan'
	option dest 'DMZ'

# NOTE(review): this covers the 'wan' zone only. Once DMZ traffic is
# policy-routed out of the 'mullvad' interface, that interface has to belong
# to a zone the DMZ may forward to and that masquerades (e.g. list it in the
# wan zone's networks, or give it its own masq zone); an interface in no zone
# falls under the default forward REJECT. Not shown in this listing - confirm
# it was added.
config forwarding
	option src 'DMZ'
	option dest 'wan'


EDIT: OK, I think I got it working with vpn-policy-routing. Is there a way to do the routing without installing this package?

It can be achieved with a set of rules/routes that match the DMZ traffic and send it to the mullvad interface. The key is not to enable "route allowed IPs" on the mullvad peer, so that the default gateway remains via the WAN.

When I apply such a rule, the device inside the DMZ is no longer reachable (from the lan zone). Do I have to apply another rule to reach it again?

You need to add more routes to the new routing table for all the networks it needs to reach.


But I want to reach the device inside the DMZ from my lan zone. Do I have to create another rule with another table + route? I am confused...

Here is the relevant part of my /etc/config/network:

# Policy routing for the DMZ (IPv4): packets entering on the DMZ interface are
# looked up in routing table 100 instead of the main table.
config rule                            
        option in 'DMZ'                
        # NOTE: 10.153.203.1/24 is a host address with a network mask; the
        # subnet form is 10.153.203.0/24, or drop 'src' altogether since 'in'
        # already selects everything arriving from the DMZ.
        option src '10.153.203.1/24'   
        option lookup '100'            
                                       
# Table 100 holds only this default route via the tunnel, so everything from
# the DMZ - including traffic for the LAN - is sent to mullvad unless a more
# specific route is added to the table.
# NOTE(review): when mullvad is down this route is not installed and the rule
# lookup falls through to the main table, i.e. DMZ traffic silently leaves via
# plain wan. An 'unreachable' default route with a higher metric in table 100
# would make the DMZ fail closed instead - TODO confirm that is the intent.
config route                                   
        option interface 'mullvad'     
        option target '0.0.0.0/0'      
        option metric '200'            
        option table '100'

Option src is wrong: it should be either .1/32 or .0/24. You can also omit it; the rule will then match all traffic coming in from the DMZ.

# Second entry in table 100 so DMZ hosts can still reach the LAN: without it,
# DMZ replies toward 10.153.200.0/24 were pushed into the tunnel as well. It
# looks "backwards" because the table is consulted for packets leaving the
# DMZ, not for packets entering it.
config route                                   
        option interface 'lan'     
        option target '10.153.200.0/24'               
        option table '100'

No idea why, but this works. Thank you very much!

Do you have some links where I can read up on this? For example, I first thought you had made a mistake with the 10.153.200.0/24 address, but the chain seems to go backwards, from the DMZ to the lan zone.

You can read up on subnetting, especially the role of the network address and the subnet mask in identifying a subnet.
