Hi,
I'm trying to understand how to force all traffic - except local - from a host, e.g. 172.16.1.100, to go through (be forwarded to?) a specific interface.
I read this Routing all external traffic from one specific machine to a particular WAN interface but the topic is closed and I really do not understand the solving answer. I'm also trying to understand the static route page https://openwrt.org/docs/guide-user/network/routing/routes_configuration but I found it a little difficult: I - maybe wrongly - expect some parameters saying from which IP source, to which IP destination and via which interface the packets have to be sent.
Maybe something like:
Hi pavelgl, thanks a lot for the support (yes, I already opened a similar thread, but maybe I wanted to solve too many problems together; a small step-by-step approach is better).
It is not clear to me why I need both a rule and a route as you suggest... and moreover, how does OpenWrt relate the rule to the route? Just because I write one after the other, or is it the lookup value in the rule that should map to the option in the route?
Let me see if I understand; I tried to describe it in words:
add a rule for lan zone, for catching packets
from source host 172.16.1.100/32,
with the key/id=100;
add a route per table with id=100,
for target destination ip 0.0.0.0/0,
to forward through wg0
(considering that packets for local hosts are managed first
and are not impacted by this rule+route).
A static routing table does not look at where a packet came from, it is only concerned with where it needs to go.
In order to route packets from different sources differently, the kernel filtering needs to be set up to tag the packets and send them to a different static route table depending on the source. The vpn-policy-routing package simplifies the configuration of this.
Uhm, so how can the static route filter only packets from a specific host? Is this the scope of the rule?
The tagging you mention is the "100" value in the rule/route?
I've seen in other threads that packages (vpn...) exist; I'm going to read https://docs.openwrt.melmac.net/vpn-policy-routing/ hoping it is easy. By the way, I'm interested in the rule+route approach of this thread.
Hi, finally I have completed the steps before these on the other involved hosts (I thought it was easier...), so I could do these last ones. A couple of doubts: 1) in which file should your suggested inserts be placed? After that, I have to commit and restart the network service, right? 2) does something have to be done to the WireGuard wg0 interface too, such as adding the IP to the AllowedIPs of the peer?
The allowed IPs field in WireGuard is, simply put, an access list. When you receive a packet, the source IP must match the allowed IPs list for that peer. Same thing when you send a packet: the destination must match the allowed IPs for the peer.
Hi Trendy, thanks for the reply, but now I have a further doubt about the WireGuard config. Based on what you said, if I want all traffic from my host 172.16.1.100 to be routed into the tunnel, I have to put 0.0.0.0/0 in the AllowedIPs of the peer config in the OpenWrt wg interface (actually the AllowedIPs only included the private IP of the tunnel exit on the remote host, 10.0.10.0/24)?
But doing so, as I understood it, all traffic of the router goes into the tunnel, not only that from 172.16.1.100... I think I am misunderstanding something. Maybe the rule+route config is enough?
After doing this, you should see two default gateways. The one that uses the wireguard interface should have higher metric (lower priority).
root@OpenWrt:~# ip route show default
default via 192.168.1.1 dev eth0.2 proto static src 192.168.1.254
default dev wg0 proto static scope link metric 100
I included the suggested metric, but my routes are (only 1 default?):
default via 192.168.1.254 dev eth0.2 src 192.168.1.74
10.2.1.0/24 dev wg_parents scope link metric 100
10.2.1.2 dev wg_parents scope link metric 100
PUBLIC_IP_OF_THE_PEER via 192.168.1.254 dev eth0.2
172.16.128.0/24 dev br-lan scope link src 172.16.128.1
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.74
sob, there is something else wrong: now the TV device 172.16.128.142 can connect but says "no internet" (this message appears on my phone too, but it can surf!)
I don't know if it is related, but from a PC connected to this router I can't reach the network on the other side of the tunnel PC <=> THIS_ROUTER <=> VPS1 <=> OTHER_NETWORK__OPENWRT_ROUTER <=> OTHER_NETWORK_HOST
while the opposite, from OTHER_NETWORK_HOST, works.
First you need the ip -4 ro list table all to see the other routing tables.
Second you allow only the 10.2.1.0/24 over the WG tunnel, so you are blackholing the TV with this source route.
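To make the two points in this thread concrete (the rule selects a table by source, the table selects an interface by destination, and the peer's AllowedIPs then acts as an access list on the destination), here is a small added simulation of that lookup in Python; it is not from the thread or from OpenWrt, and the addresses, interface names and the table number 100 are constructed to mirror the setup discussed above.

```python
import ipaddress

# Constructed example modelled on the thread (not the poster's actual config):
# LAN 172.16.1.0/24 on br-lan, upstream 192.168.1.0/24 on eth0.2, WireGuard wg0 with 10.2.1.0/24.
ROUTER_ADDRS = {"172.16.1.1", "192.168.1.74", "10.2.1.2"}     # contents of table "local"

# Policy rules in kernel priority order: (source prefix or None for any source, table).
# Table "local" is always consulted first; the added rule for the one host comes before "main".
RULES = [("172.16.1.100/32", 100), (None, "main")]

# Routing tables: (destination prefix, exit interface). There is no source column:
# a table only decides where a packet goes; the rule above decides which table is used.
TABLES = {
    100: [("0.0.0.0/0", "wg0")],
    "main": [("172.16.1.0/24", "br-lan"), ("192.168.1.0/24", "eth0.2"),
             ("10.2.1.0/24", "wg0"), ("0.0.0.0/0", "eth0.2")],
}

# WireGuard cryptokey routing: a peer's AllowedIPs is an access list on the destination
# when sending and on the source when receiving. This mirrors the thread's original peer setting.
PEER_ALLOWED_IPS = ["10.2.1.0/24"]

def lookup(table, dst):
    """Longest-prefix match of dst in one table; returns the exit interface or None."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(src, dst):
    """Exit interface chosen by policy routing for a packet src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if str(dst) in ROUTER_ADDRS:
        return "lo"
    for src_prefix, table in RULES:
        if src_prefix is None or src in ipaddress.ip_network(src_prefix):
            dev = lookup(table, dst)
            if dev:
                return dev
    return None

def deliver(src, dst, allowed=PEER_ALLOWED_IPS):
    """Routing plus the peer ACL: a tunnel-bound packet outside AllowedIPs is dropped."""
    dev = route(src, dst)
    if dev == "wg0" and not any(ipaddress.ip_address(dst) in ipaddress.ip_network(a) for a in allowed):
        return "drop"
    return dev
```

Note that with just these two rules everything from 172.16.1.100 that is not addressed to the router itself, including hosts on 192.168.1.0/24, lands in table 100 and therefore in the tunnel; that is how the kernel evaluates rules, not a quirk of the model.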
But won't adding 0.0.0.0/0 force the routing of all packets from every host connected to the router into the tunnel? Or is this just avoided by disabling route_allowed_ips, and is that the reason why you said that?
uhm, I did only that - without rule and route - but now I cannot connect to the router from outside via the WireGuard VPN anymore.
I'm taking the car and going there to reset the previous config and try to repeat the steps from the beginning (add the rule, the route, the metric, modify WireGuard). Damn, it is cool but difficult
this is the last config I did following your suggested steps, but I cannot connect to the router from outside via the VPN itself and the TV cannot reach the internet
root@D7800:/etc/config# ip -4 ro list table all
default dev wg_parents table 100 scope link metric 100
default via 192.168.1.254 dev eth0.2 src 192.168.1.74
10.2.1.2 dev wg_parents scope link metric 100
VPS_PUBLIC_IP via 192.168.1.254 dev eth0.2
172.16.128.0/24 dev br-lan scope link src 172.16.128.1
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.74
local 10.2.1.2 dev wg_parents table local scope host src 10.2.1.2
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 172.16.128.0 dev br-lan table local scope link src 172.16.128.1
local 172.16.128.1 dev br-lan table local scope host src 172.16.128.1
broadcast 172.16.128.255 dev br-lan table local scope link src 172.16.128.1
broadcast 192.168.1.0 dev eth0.2 table local scope link src 192.168.1.74
local 192.168.1.74 dev eth0.2 table local scope host src 192.168.1.74
broadcast 192.168.1.255 dev eth0.2 table local scope link src 192.168.1.74
while the following config is OK, except of course that TV packets are not routed into the tunnel
It's getting too complicated and I have spotted already a lot of discrepancies.
lan zone is not forwarding to wg_parents zone.
normally wan zone shouldn't forward to any other zone. Likewise wg_parents isn't expected to forward to wan, unless you access the internet from the OpenWrt.
The tv IP is not in the allowed IPs list in the vps.
I cannot understand from the diagram which router is which.
You probably want to change the netmask of the wg interface to /24 since you are not adding a static route anymore for the 10.2.1.0/24 subnet.
Hi trendy, thanks again for the patience. I simplified the situation because the other pieces work and I - wrongly - thought that I could just ask about the last thing I was missing.
That said, I'll try to give a better and bigger picture.
I'll try to answer your notes.
ok, I thought that the forwarding lan => wg_parents was a needed config on the router (A, in the pic), even if I have not done anything similar in the past... I thought that lan => wan and wan => wg_parents should have worked. I probably tested it (I've done hundreds of tests!), but I will do this. Do I have to masquerade something? Should I just add wg_parents to the forwarded zones?
the TV IP should not - I think - be in the allowed IPs of the VPS; how can the VPS know something about a host that is double NATed? I have a similar situation with the notebook: it can access router A via the tunnel of the reverse proxy peer in my LAN, but the VPS knows nothing about the notebook.
I hope the new diagram is better
Where?
Without modifying the initial config, with the notebook on my LAN, as said, I can reach the OpenWrt router A on the other side, at my parents' LAN; connecting to the VPS via smartphone, all traffic (to non-peer hosts) is routed first to the "exchange" peer Node B inside my LAN and then from it to the internet, going out through the modem/router of my LAN itself (checking online, it is seen as having my modem/router IP). The particular config of the wg interface on the VPS (this, if I remember: ip rule add not from 10.2.1.1/32 table main) is due to the fact that the VPS itself manages other VPNs.
If I add 0.0.0.0/0 to the AllowedIPs of the vps-peer in the router A WireGuard config and remove route_allowed_ips, I cannot reach my parents' router anymore... maybe I just need to add the firewall rules?