Hello,
So I have a pretty standard OpenWrt setup:
- Guest WiFi (can only access wan)
- Wireguard VPN Server (can access lan and wan)
- DMZ on one port (can only access wan, but accessible from lan)
I want to route all traffic from the DMZ (or guest) interface through a WireGuard client (provided by Mullvad). This works if I set the WireGuard peer to route all allowed IPs, but then all other devices lose internet access. Can someone point me in the right direction on how to set up the routing?
/etc/config/network
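# Loopback: fixed 127.0.0.1/8 on 'lo'.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix used for the ip6assign delegations below.
config globals 'globals'
	option ula_prefix 'fd92:bf32:6513::/48'

# LAN bridge over physical ports lan3 and lan4.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'

# Trusted LAN: 10.153.200.1/24, plus a /64 from the ULA prefix.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.153.200.1'
	option ip6assign '64'

# Upstream IPv4 via DHCP; peerdns '0' ignores the ISP resolvers and pins
# the Cloudflare addresses listed here instead.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# Upstream IPv6 via DHCPv6, requesting a /56 delegation; ISP DNS ignored.
config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option peerdns '0'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	option reqprefix '56'

# Guest network: 10.153.202.1/24 on br-guest (firewall zone 'GuestZone').
config interface 'GUEST'
	option proto 'static'
	option ipaddr '10.153.202.1'
	option netmask '255.255.255.0'
	option device 'br-guest'
	option ip6assign '64'
	option ip6hint 'abcd'

# Guest bridge over physical port lan1.
config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'lan1'

# WireGuard *server* for road-warrior clients; 10.153.201.1/24 on this side,
# listening on UDP 51820 (opened from wan in /etc/config/firewall).
# The 'VPN' network is a member of the 'lan' firewall zone, so connected
# peers get the same access as wired LAN hosts.
config interface 'VPN'
	option proto 'wireguard'
	option private_key 'XXX'
	list addresses '10.153.201.1/24'
	option listen_port '51820'

# One section per client; allowed_ips is both the source filter for packets
# arriving from that peer and the cryptokey route towards it, so each client
# gets exactly its own /32.
config wireguard_VPN
	option description 'iPhone'
	option public_key 'XXX'
	list allowed_ips '10.153.201.2/32'

config wireguard_VPN
	option description 'iPad'
	list allowed_ips '10.153.201.3/32'
	option public_key 'XXX'

# allowed_ips tightened from '10.153.201.4/24' to a single host, matching the
# other peers. A /24 here would let this peer originate packets from any
# address in the tunnel subnet and would also claim the whole 10.153.201.0/24
# for it in WireGuard's cryptokey routing table.
config wireguard_VPN
	option description 'macbook'
	option public_key 'XXX'
	list allowed_ips '10.153.201.4/32'

# DMZ: 10.153.203.1/24 on br-dmz, IPv4 only (no ip6assign).
config interface 'DMZ'
	option proto 'static'
	option ipaddr '10.153.203.1'
	option netmask '255.255.255.0'
	option device 'br-dmz'

# DMZ bridge over physical port lan2.
config device
	option type 'bridge'
	option name 'br-dmz'
	list ports 'lan2'

# Mullvad WireGuard *client*. 'auto 0' keeps this interface down at boot, so
# nothing is routed through it until it is started by hand. The peer below
# allows 0.0.0.0/0; once route_allowed_ips is enabled on it, that default
# route lands in the main table and captures every zone, which is the
# "no internet on all other devices" symptom described above.
# NOTE(review): to steer only DMZ (or GUEST) through the tunnel without an
# extra package, give this interface its own routing table (option ip4table)
# so the 0.0.0.0/0 route from route_allowed_ips goes there, then add a
# 'config rule' section in this file with option in 'DMZ' and
# option lookup <that table>. The firewall also needs a zone containing the
# 'mullvad' network with masq '1' and a forwarding from DMZ to it. Verify the
# option names against the netifd documentation for your release.
config interface 'mullvad'
	option proto 'wireguard'
	list addresses 'XXX'
	option force_link '1'
	option private_key 'XXX'
	option auto '0'

config wireguard_mullvad
	option public_key 'XXX'
	option endpoint_host 'XXX'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'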
/etc/config/firewall
# Global policy: router accepts input/output by default, forwarding between
# zones is rejected unless a 'config forwarding' below allows it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Trusted zone. Note it contains both the wired 'lan' network and the
# WireGuard server network 'VPN', so road-warrior peers are treated as LAN.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'lan'
list network 'VPN'
option forward 'ACCEPT'
# Upstream zone: NAT (masq) and TCP MSS clamping on wan/wan6, no unsolicited
# input except the explicit rules below.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
# lan (and therefore VPN peers) may reach the internet.
config forwarding
option src 'lan'
option dest 'wan'
# The rules from here down to 'Allow-ISAKMP' are OpenWrt's stock wan input
# rules (DHCP renewal, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec pass-through).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock IPsec pass-through rules (ESP and IKE on UDP 500 from wan into lan).
# Nothing in this setup uses IPsec; they can be removed if unwanted.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Guest zone: isolated, router rejects input except the rules below.
config zone
option name 'GuestZone'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'GUEST'
# Guests reach the internet only (no forwarding to lan or DMZ).
config forwarding
option src 'GuestZone'
option dest 'wan'
# Guests may use the router for DNS, DHCPv4 and DHCPv6. No 'proto' is given,
# so this matches both TCP and UDP on these ports.
config rule
option name 'Guest DHCP and DNS'
option src 'GuestZone'
option target 'ACCEPT'
option dest_port '53 67 68 547'
# Same for the DMZ, minus DHCPv6 (the DMZ interface has no IPv6 assignment).
config rule
option src 'DMZ'
option dest_port '53 67 68'
option target 'ACCEPT'
option name 'DMZ DHCP and DNS'
# Exposes the WireGuard server port (VPN interface listen_port) to the internet.
config rule
option name 'Wireguard'
list proto 'udp'
option src 'wan'
option dest_port '51820'
option target 'ACCEPT'
# DMZ zone: isolated like the guest zone; reachable from lan (forwarding below)
# but cannot initiate anything towards lan.
config zone
option name 'DMZ'
option output 'ACCEPT'
option forward 'REJECT'
list network 'DMZ'
option input 'REJECT'
# Despite the name, no 'family' is set, so this accepts ICMP to the router
# from guests over both IPv4 and IPv6.
config rule
option name 'Guest IPv6 ICMP input'
list proto 'icmp'
option src 'GuestZone'
option target 'ACCEPT'
# lan hosts may reach DMZ hosts; the reverse direction stays rejected.
config forwarding
option src 'lan'
option dest 'DMZ'
# DMZ hosts reach the internet directly via wan.
# NOTE(review): the 'mullvad' network from /etc/config/network is not in any
# zone here, so traffic policy-routed into that tunnel would be neither
# masqueraded nor allowed through the REJECT forward default. Routing DMZ via
# Mullvad needs a zone listing 'mullvad' with masq '1' and a forwarding from
# DMZ to it — and while this DMZ→wan forwarding remains, DMZ traffic will fall
# back to the plain wan path whenever the tunnel is down; drop or restrict it
# if that leak is not acceptable.
config forwarding
option src 'DMZ'
option dest 'wan'
EDIT: OK, I think I got it working with vpn-policy-routing. Is there a way to do this routing without having to install that package?