Adding a rule and a static route to... route all packets from a host through a specific wireguard interface. How?

Uhm, so how can the static route filter only packets from a specific host? Is this the scope of the rule?

The tagging you say is the "100" value in the rule/route?
I've seen in other threads that packages (vpn...) exist; going to read https://docs.openwrt.melmac.net/vpn-policy-routing/ hoping it is easy. By the way, I'm interested in the rule+route approach of this thread.

Take a look at the ip-rule man page. There is a very good description. You do not need to install additional packages for only one host.


Hi, finally I have completed the steps before these on the other involved hosts (I thought it was easier...), so I could do these last ones. Couple of doubts: 1) your suggested inserts should be placed in which file? After, I have to commit and restart network services, right? 2) does something have to be done to the wireguard wg0 interface too, such as adding the ip in allowedIps of the peer?

in /etc/config/network

The allowed IPs field in wireguard is, simply put, an access list. When you receive a packet, the source IP must match the allowed IPs list for that peer. Same thing when you send a packet: the destination must match the allowed IPs for the peer.


Hi Trendy, thanks for the reply, but now I have a further doubt about wireguard config. Based on what you said, if I want all traffic from my host 172.16.1.100 to be routed into the tunnel, I have to put 0.0.0.0/0 in the allowedIps of the peer config in the openWrt wg interface (Actually the allowedIps just included the private ip of the exit of the tunnel on the remote host, 10.0.10.0/24)?
But doing so, I had understood that all traffic of the router goes into the tunnel, not only that from 172.16.1.100... I am misunderstanding something I think. Maybe the rule+route config is enough? :thinking:

Add a metric to the wireguard interface:

uci -q delete network.wan.metric
uci set network.wg0.metric="100"
uci commit network
/etc/init.d/network restart

After doing this, you should see two default gateways. The one that uses the wireguard interface should have higher metric (lower priority).

root@OpenWrt:~# ip route show default
default via 192.168.1.1 dev eth0.2 proto static src 192.168.1.254
default dev wg0 proto static scope link metric 100

uhm, finally done the config in the router /etc/config/network

config rule
        option in 'lan'
        option src '172.16.128.142/32'
        option lookup '100'

config route
        option target '0.0.0.0/0'
        option interface 'wg_parents'
        option table '100'

I included the suggested metric, but my routes are (only one default?):

default via 192.168.1.254 dev eth0.2  src 192.168.1.74
10.2.1.0/24 dev wg_parents scope link  metric 100
10.2.1.2 dev wg_parents scope link  metric 100
PUBLIC_IP_OF_THE_PEER via 192.168.1.254 dev eth0.2
172.16.128.0/24 dev br-lan scope link  src 172.16.128.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.74

sob, there is something more wrong: now the tv device 172.16.128.142 can connect but says no internet (this message appears on my phone too, but it can surf!)

I also post the wireguard section:

config interface 'wg_parents'
        option proto 'wireguard'
        list addresses '10.2.1.2/32'
        option private_key ''
        option metric '100'

config wireguard_wg_parents
        option description 'VPS1'
        option public_key ''
        option preshared_key '='
        option endpoint_host 'PUBLIC_IP_OF_THE_PEER'
        option endpoint_port ''
        option persistent_keepalive '10'
        option route_allowed_ips '1'
        list allowed_ips '10.2.1.0/24'

Do not know if related, but from a PC connected to this router I can't reach the network on the other side of the tunnel
PC <=> THIS_ROUTER <=> VPS1 <=> OTHER_NETWORK__OPENWRT_ROUTER <=> OTHER_NETWORK_HOST
while the opposite, from OTHER_NETWORK_HOST, works.

First you need the ip -4 ro list table all to see the other routing tables.
Second you allow only the 10.2.1.0/24 over the WG tunnel, so you are blackholing the TV with this source route.

So, I should add the tv ip, 172.16.128.142/32, to the allowedIPs of the peer?

No, you need to allow 0.0.0.0/0 in wireguard_wg_parents peer config and disable route_allowed_ips.

But adding 0.0.0.0/0 won't force the routing of all packets inside the tunnel from every host connected to the router? Or is this just avoided by disabling route_allowed_ips, and is that the reason why you said that?

It is avoided by disabling routing.

uhm, I did only that - without rule and route - but now I cannot connect to the router from outside via wireguard vpn :frowning: anymore.
I'm taking the car and going there to reset the previous config and trying to repeat the steps from the beginning (add the rule, the route, the metric, modifying wireguard). Damn, it is cool but difficult :slight_smile:

this is the last config I did following your suggested steps, but I cannot connect to the router from outside via the vpn itself and the tv cannot reach internet

config interface 'wg_parents'
        option proto 'wireguard'
        list addresses '10.2.1.2/32'
        option private_key '='
        option metric '100'

config wireguard_wg_parents
        option description 'VPS1'
        option public_key '='
        option preshared_key '='
        option endpoint_host 'public_ip_of_the_vps'
        option endpoint_port '53821'
        option persistent_keepalive '10'
        list allowed_ips '0.0.0.0/0'

config rule
        option in 'lan'
        option src '172.16.128.142/32'
        option lookup '100'

config route
        option target '0.0.0.0/0'
        option interface 'wg_parents'
        option table '100'

and this the ip route output:

root@D7800:/etc/config# ip -4 ro list table all
default dev wg_parents table 100 scope link  metric 100
default via 192.168.1.254 dev eth0.2  src 192.168.1.74
10.2.1.2 dev wg_parents scope link  metric 100
VPS_PUBLIC_IP via 192.168.1.254 dev eth0.2
172.16.128.0/24 dev br-lan scope link  src 172.16.128.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.74
local 10.2.1.2 dev wg_parents table local scope host  src 10.2.1.2
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 172.16.128.0 dev br-lan table local scope link  src 172.16.128.1
local 172.16.128.1 dev br-lan table local scope host  src 172.16.128.1
broadcast 172.16.128.255 dev br-lan table local scope link  src 172.16.128.1
broadcast 192.168.1.0 dev eth0.2 table local scope link  src 192.168.1.74
local 192.168.1.74 dev eth0.2 table local scope host  src 192.168.1.74
broadcast 192.168.1.255 dev eth0.2 table local scope link  src 192.168.1.74

while the following config is ok except of course that tv packets are not routed into the tunnel

config interface 'wg_parents'
        option proto 'wireguard'
        list addresses '10.2.1.2/32'
        option private_key '='

config wireguard_wg_parents
        option description 'VPS1'
        option public_key '='
        option preshared_key '='
        option endpoint_host 'public_ip_of_the_vps'
        option endpoint_port '53821'
        option persistent_keepalive '10'
        option route_allowed_ips '1'
        list allowed_ips '10.2.1.0/24'

these are the firewall zones:

Maybe it helps: this https://forum.openwrt.org/uploads/default/original/3X/b/3/b3a8ff8a9d6e755b1cab41fe0e95c9e1e66167a1.png is what I'm trying to obtain (the picture does not show that I also need to reach router@site_1, which is the router I'm configuring here).
Finally, I also post the wireguard config on the vps; it's a little strange because there are several vpns on it, but this should not matter


[Interface]
Address = 10.2.1.1/32
ListenPort = 
PrivateKey = 
PostUp = ip rule add not from 10.2.1.1/32 table main
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip rule del not from 10.2.1.1/32 table main
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

#parent router
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.2.1.2/32

#smartphone
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.2.1.200/32

#my backup ar150 router
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.2.1.234/32, 0.0.0.0/0

It's getting too complicated and I have spotted already a lot of discrepancies.

  1. lan zone is not forwarding to wg_parents zone.
  2. normally wan zone shouldn't forward to any other zone. Likewise wg_parents isn't expected to forward to wan, unless you access the internet from the OpenWrt.
  3. The tv IP is not in the allowed IPs list in the vps.
  4. I cannot understand from the diagram which router is which.
  5. You probably want to change the netmask of the wg interface to /24 since you are not adding a static route anymore for the 10.2.1.0/24 subnet.

Hi trendy, thanks again for the patience. I simplified the situation because other pieces work and I - wrongly - thought that I could just ask for the last thing I was missing to do.
That said, I'll try to give a better and bigger picture.
I'll try to answer your notes.

  1. ok, I thought that the forwarding lan => wg_parents was a needed config on router (A, in the pic), even if I have not done anything similar in the past... I thought that lan => wan and wan => wg_parents should have worked. I probably tested it (I've done hundreds of tests!), but I will do this. Do I have to masquerade something? Should I just add wg_parents in the forwarded zone?
  2. I remember that if I do not enable wan=>wg_something and vice versa, I cannot reach the router via wireguard. Maybe you raise a discrepancy because I have not told you that the WAN interface is connected to the modem/router of the ISP, as in the diagram? EDIT: no, just remembered, maybe: this was needed only on my secondary router named B in the schema, so it can route packets from the wg interface to the wan interface that is connected to the main router, so I can reach it.. by the way, without it should I add a firewall traffic rule to accept incoming traffic from wg, otherwise I cannot connect to luci...?
  3. the tv IP should not be - I think - in the allowed IPs of the VPS; how can the VPS know something about a host that is double natted? I have a similar situation with the notebook: it can access router A via the tunnel of the reverse proxy peer in my lan, but the VPS knows nothing about the notebook.
  4. hope the new diagram is better
  5. Where?

Without modifying the initial config, with the notebook on my lan as said I can reach the openWrt router A on the other side, at my parents' lan; connecting to the VPS via smartphone, all traffic (to non-peer hosts) is routed first to the "exchange" peer Node B inside my lan and then from it to the internet, passing outside the modem/router of my lan itself (checking online, it was seen as if it had my modem/router IP). The particular config of the wg interface on the VPS (this, if I remember: ip rule add not from 10.2.1.1/32 table main) is due to the fact that the VPS itself manages other VPNs.

If I add 0.0.0.0/0 in the AllowedIP of the vps-peer in the router A wireguard config and remove the route_allowed_ips, I cannot reach my parents' router anymore... maybe I just need to add the firewall rules?

Summarizing:
the router A should be configured

config interface 'wg_parents'
        option proto 'wireguard'
        list addresses '10.2.1.2/32'
        option private_key '='
        option metric '100'

config wireguard_wg_parents
        option description 'VPS1'
        option public_key '='
        option preshared_key '='
        option endpoint_host 'public_ip_of_the_vps'
        option endpoint_port '53821'
        option persistent_keepalive '10'
        list allowed_ips '0.0.0.0/0'

config rule
        option in 'lan'
        option src '172.16.128.142/32'
        option lookup '100'

config route
        option target '0.0.0.0/0'
        option interface 'wg_parents'
        option table '100'

and I need to add lan =>wg_parents in firewall zones, selecting
input=?, output=?, forward =? and masquerading=?

tomorrow morning I will test it and post here the result.
Thanks for reading and supporting, really.

No need to masq. I didn't get the other one.

No, the INPUT is accept, so you don't need any allow rules.

If it is not in the allowed IPs, then you must SNAT/Masquerade the packets.

I miss something: if I add 0.0.0.0/0 in the allowedIPs and 10.2.1.0/24 in the IpAddress of wireguard I can't connect to router A from the smartphone via the VPS.

Actually the config is the following. It enables me to reach the router A from the smartphone via wg_parents, but the tv at my parents' home cannot connect (I have no detailed messages here, just the network error in youtube app).
firewall zone

config zone
        option name 'wg_parents'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg_parents'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wg_parents'

config forwarding
        option src 'wg_parents'
        option dest 'lan'

maybe I should do something in the advanced config?

The following is the /etc/config/network related part:

config interface 'wg_parents'
        option proto 'wireguard'
        option private_key ''
        option metric '100'
        list addresses '10.2.1.2/24'

config wireguard_wg_parents
        option description 'VPS1'
        option public_key ''
        option preshared_key ''
        option endpoint_host ''
        option endpoint_port ''
        option persistent_keepalive '10'
        list allowed_ips '10.2.1.0/24'

config rule
        option in 'lan'
        option src '172.16.128.142/32'
        option lookup '100'

config route
        option target '0.0.0.0/0'
        option interface 'wg_parents'
        option table '100'

this is the ip output:

root@D7800:/etc/config# ip -4 ro list table all
default dev wg_parents table 100 scope link  metric 100
default via 192.168.1.254 dev eth0.2  src 192.168.1.74
10.2.1.0/24 dev wg_parents scope link  metric 100
VPS__PUBLIC_IP via 192.168.1.254 dev eth0.2
172.16.128.0/24 dev br-lan scope link  src 172.16.128.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.74
broadcast 10.2.1.0 dev wg_parents table local scope link  src 10.2.1.2
local 10.2.1.2 dev wg_parents table local scope host  src 10.2.1.2
broadcast 10.2.1.255 dev wg_parents table local scope link  src 10.2.1.2
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 172.16.128.0 dev br-lan table local scope link  src 172.16.128.1
local 172.16.128.1 dev br-lan table local scope host  src 172.16.128.1
broadcast 172.16.128.255 dev br-lan table local scope link  src 172.16.128.1
broadcast 192.168.1.0 dev eth0.2 table local scope link  src 192.168.1.74
local 192.168.1.74 dev eth0.2 table local scope host  src 192.168.1.74
broadcast 192.168.1.255 dev eth0.2 table local scope link  src 192.168.1.74

Don't use IP .0

Again the same issue, you send everything from tv to WG, but WG allowed IPs are limited to 10.2.1.0/24.

lan zone doesn't need to be masqueraded.
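The two conditions repeated in this thread (the TV's source rule sends everything to table 100 and then into wg_parents, but WireGuard only transmits a packet if some peer's AllowedIPs covers the destination; and on the VPS side a decrypted packet is only accepted if its inner source is inside that peer's AllowedIPs, which is why the reply above says to SNAT/masquerade when the TV is not in the list) can be checked on paper with a small simulator. The following is an added example, not code from the thread or from OpenWrt/WireGuard: it parses a constructed copy of router A's `ip -4 ro list table all` output (203.0.113.10 is a placeholder for the VPS public IP), walks the rules in kernel order with longest-prefix matching and fall-through, and applies the AllowedIPs check on both ends.

```python
"""Added example: simulate OpenWrt policy routing plus WireGuard cryptokey routing.

Not code from the thread. It models the behaviour the replies describe on a
constructed copy of router A's routing tables; 203.0.113.10 is a placeholder
(documentation range) for the VPS public IP."""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the `ip -4 ro list table all` output in the thread.
IP_ROUTE_OUTPUT = """\
default dev wg_parents table 100 scope link  metric 100
default via 192.168.1.254 dev eth0.2  src 192.168.1.74
10.2.1.0/24 dev wg_parents scope link  metric 100
203.0.113.10 via 192.168.1.254 dev eth0.2
172.16.128.0/24 dev br-lan scope link  src 172.16.128.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.74
local 10.2.1.2 dev wg_parents table local scope host  src 10.2.1.2
local 172.16.128.1 dev br-lan table local scope host  src 172.16.128.1
broadcast 172.16.128.255 dev br-lan table local scope link  src 172.16.128.1
"""

# Rule order as the kernel consults it: local table first, then the OpenWrt
# `config rule` for the TV (lookup 100), then main for every other source.
RULES = [("0.0.0.0/0", "local"), ("172.16.128.142/32", "100"), ("0.0.0.0/0", "main")]
WG_IFACE = "wg_parents"


def parse_routes(text):
    """Parse `ip -4 route list table all` into {table: [(prefix, dev, type)]}.
    Broadcast entries are ignored; routes without `table` belong to main."""
    tables = defaultdict(list)
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        rtype = "unicast"
        if tok[0] in ("local", "broadcast", "blackhole", "unreachable", "prohibit"):
            rtype, tok = tok[0], tok[1:]
        if rtype == "broadcast":
            continue
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        dev, table = None, "main"
        for i, word in enumerate(tok):
            if word == "dev" and i + 1 < len(tok):
                dev = tok[i + 1]
            elif word == "table" and i + 1 < len(tok):
                table = tok[i + 1]
        tables[table].append((ipaddress.ip_network(prefix, strict=False), dev, rtype))
    return tables


def lookup(table, dst):
    """Longest-prefix match in one table; None when nothing matches."""
    best = None
    for net, dev, rtype in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, rtype)
    return best


def route_packet(src, dst, tables, rules, peer_allowed_ips):
    """Return (egress device, verdict) for a packet forwarded by router A.
    A table with no matching route falls through to the next rule, as in the
    kernel. A packet handed to the WireGuard interface is transmitted only if a
    peer's AllowedIPs covers the destination; otherwise WireGuard drops it
    (the "blackhole" described in the thread)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    allowed = [ipaddress.ip_network(a) for a in peer_allowed_ips]
    for src_net, table_name in rules:
        if src not in ipaddress.ip_network(src_net):
            continue
        hit = lookup(tables.get(table_name, []), dst)
        if hit is None:
            continue
        _net, dev, rtype = hit
        if rtype == "local":
            return dev, "local delivery"
        if dev == WG_IFACE and not any(dst in a for a in allowed):
            return dev, "dropped: no peer AllowedIPs covers destination"
        return dev, "sent"
    return None, "unreachable: no rule matched"


def vps_accepts(inner_src, vps_peer_allowed_ips, masquerade_as=None):
    """Receive side on the VPS: WireGuard discards a decrypted packet whose inner
    source is outside that peer's AllowedIPs. Router A can satisfy this by
    masquerading the TV behind its own tunnel address (10.2.1.2) on the wg zone."""
    src = ipaddress.ip_address(masquerade_as or inner_src)
    return any(src in ipaddress.ip_network(a) for a in vps_peer_allowed_ips)


if __name__ == "__main__":
    tables = parse_routes(IP_ROUTE_OUTPUT)
    for allowed in (["10.2.1.0/24"], ["0.0.0.0/0"]):
        print("TV -> 8.8.8.8 with allowed_ips", allowed, "->",
              route_packet("172.16.128.142", "8.8.8.8", tables, RULES, allowed))
    print("PC -> 8.8.8.8 ->", route_packet("172.16.128.50", "8.8.8.8", tables, RULES, ["10.2.1.0/24"]))
    print("VPS accepts raw TV source:", vps_accepts("172.16.128.142", ["10.2.1.2/32"]))
    print("VPS accepts masqueraded TV:", vps_accepts("172.16.128.142", ["10.2.1.2/32"], "10.2.1.2"))
```

Run it as a script to see the four cases side by side: with `allowed_ips '10.2.1.0/24'` the TV's packet reaches wg_parents and is dropped, with `0.0.0.0/0` it is transmitted, while other LAN hosts keep using the main table and eth0.2 either way. The VPS-side function shows the second half of the problem: with the VPS peer entry `AllowedIPs = 10.2.1.2/32` a packet arriving with the TV's own source address is discarded, and only a packet masqueraded to 10.2.1.2 is accepted.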

ok, I put the right 0.0.0.0/0 and 10.2.1.2/24; now I can reach router A from wg_parents but the tv says it is connected but cannot reach the internet. EDIT: after a restart, the tv won't connect. Crying.

config interface 'wg_parents'
        option proto 'wireguard'
        option private_key ''
        option metric '100'
        list addresses '10.2.1.2/24'

config wireguard_wg_parents
        option description 'VPS1'
        option public_key ''
        option preshared_key ''
        option endpoint_host ''
        option endpoint_port '53821'
        option persistent_keepalive '10'
        list allowed_ips '0.0.0.0/0'

config rule
        option in 'lan'
        option src '172.16.128.142/32'
        option lookup '100'

config route
        option target '0.0.0.0/0'
        option interface 'wg_parents'
        option table '100'

and the routing tables

root@D7800:/etc/config# ip -4 ro list table all
default dev wg_parents table 100 scope link  metric 100
default via 192.168.1.254 dev eth0.2  src 192.168.1.74
10.2.1.0/24 dev wg_parents scope link  metric 100
public_vps_ip via 192.168.1.254 dev eth0.2
172.16.128.0/24 dev br-lan scope link  src 172.16.128.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.74
broadcast 10.2.1.0 dev wg_parents table local scope link  src 10.2.1.2
local 10.2.1.2 dev wg_parents table local scope host  src 10.2.1.2
broadcast 10.2.1.255 dev wg_parents table local scope link  src 10.2.1.2
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 172.16.128.0 dev br-lan table local scope link  src 172.16.128.1
local 172.16.128.1 dev br-lan table local scope host  src 172.16.128.1
broadcast 172.16.128.255 dev br-lan table local scope link  src 172.16.128.1
broadcast 192.168.1.0 dev eth0.2 table local scope link  src 192.168.1.74
local 192.168.1.74 dev eth0.2 table local scope host  src 192.168.1.74
broadcast 192.168.1.255 dev eth0.2 table local scope link  src 192.168.1.74