All traffic routed via VPN interface

Hey everyone,

I set up a WireGuard VPN yesterday and it's working great. However, all traffic is routed through the VPN interface. I don't want that because it breaks some stuff in my network, such as VoIP.
I've tried basically everything to revert it to using my normal WAN interface for the traffic, but it either goes through the VPN or doesn't get through at all.
Maybe this is super easy to resolve, but I really can't wrap my head around why it's doing that. I tried looking for old posts but couldn't find any.
I followed these instructions so my settings are the same:

If anyone could hint at what could possibly cause this, I'd be very glad!
(This is my very first post here, so I'd be glad to know whether asking this way is alright or whether more screenshots/information are needed.)

Thanks in advance!

https://openwrt.org/docs/guide-user/network/routing/pbr

Did you make a backup of the OpenWrt settings BEFORE you started to install and set up Wireguard?

If yes, just restore the pre-Wireguard settings if you wish to completely remove the Wireguard setup.

Otherwise, any reason why you can't just reset the OpenWrt device and set it up from scratch?

This looks interesting, thanks! I'll check it out

I have a backup from a while ago but before resetting I want to try to solve the issue first.

It's probably a firewall issue.

Post your /etc/config/network and /etc/config/firewall using the </> formatting.

It probably contains a wrong setting or a reference to a non-existent WireGuard interface. If you compare them to the old backup you made, you may be able to spot the difference. (If you are a Windows user, you can use WinRAR to open the backup file and extract its contents. Use Notepad++ to view the files.)

PS: did you remember to undo the DNS changes?

As @frollic already said, you need Policy Based Routing,
e.g.: https://docs.openwrt.melmac.net/pbr/

One tip: disable Route Allowed IPs in the Peer section; then everything is routed via the WAN unless specifically routed via the VPN.

You can do the PBR with the full package or even with some rules as per the link of @frollic

If you need help, report back, but then start by sharing the following settings:
Please connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

```
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show
```

/etc/config/network

```
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3a:5e84:63b1::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'c8:7f:54:23:10:f2'

config device
        option name 'lan2'
        option macaddr 'c8:7f:54:23:10:f2'

config device
        option name 'lan3'
        option macaddr 'c8:7f:54:23:10:f2'

config device
        option name 'lan4'
        option macaddr 'c8:7f:54:23:10:f2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.178.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth1'
        option macaddr 'c8:7f:54:23:10:f2'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'

config interface 'wan6'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'KEY'
        option listen_port '51820'
        list addresses '192.168.3.1/24'

config wireguard_wg0
        option description 'Martin_VPN'
        option preshared_key 'KEY'
        list allowed_ips '192.168.3.2/32'
        option route_allowed_ips '1'
        option public_key 'KEY'
        option private_key 'KEY'

config wireguard_wg0
        option description 'Anton_VPN'
        option public_key 'KEY'
        option preshared_key 'KEY'
        list allowed_ips '192.168.3.3/32'
        option route_allowed_ips '1'

config wireguard_wg0
        option description 'ASUS_TUF'
        option public_key 'KEY'
        option preshared_key 'KEY'
        list allowed_ips '192.168.3.4/32'
        option route_allowed_ips '1'

config route
        option interface 'wg0'
        option target '192.168.3.0/24'

config wireguard_wg0
        option description 'Anton Laptop'
        option public_key 'KEY'
        option private_key 'KEY'
        option preshared_key 'KEY'
        list allowed_ips '192.168.3.6/32'
        option route_allowed_ips '1'

config interface 'ivpn0'
        option proto 'wireguard'
        option private_key 'KEY'
        list dns '172.16.0.1'
        list addresses '172.16.35.68/32'
        list addresses 'fd00:4956:504e:ffff::ac10:2344/128'

config wireguard_ivpn0
        option description 'DE-Frankfurt-de3-gw'
        option public_key 'CugQQtD8YJKRwS5IukNWkMcyqOzlOxfGRPhGeQRAb2Y='
        option endpoint_host '146.70.160.170'
        option endpoint_port '58237'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'

config route
        option interface 'ivpn0'
        option target '192.168.5.0/24'
```

/etc/config/firewall

```
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'ivpn0'
        option masq '1'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'wan'
        option dest 'lan'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-WireGuard-IVPN'
        list proto 'udp'
        option src 'wan'
        option dest_port '58237'
        option target 'ACCEPT'
```

Some more information, just in case.
Also some things I've tried:

When disabling "Route Allowed IPs" in the VPN peer settings, I lose my internet connection.

Changing firewall stuff doesn't seem to have much of an effect. However, when removing "Masquerading" from the VPN zone, I lose my internet connection too.

ubus call system board

```
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX4200",
        "board_name": "asus,tuf-ax4200",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
```

ip route show

```
default dev ivpn0 scope link
146.70.160.170 via 192.168.2.1 dev eth1
192.168.2.0/24 dev eth1 scope link  src 192.168.2.2
192.168.3.0/24 dev wg0 scope link
192.168.3.2 dev wg0 scope link
192.168.3.3 dev wg0 scope link
192.168.3.4 dev wg0 scope link
192.168.3.6 dev wg0 scope link
192.168.5.0/24 dev ivpn0 scope link
192.168.178.0/24 dev br-lan scope link  src 192.168.178.1
```

ip route show table all

```
default dev ivpn0 scope link
146.70.160.170 via 192.168.2.1 dev eth1
192.168.2.0/24 dev eth1 scope link  src 192.168.2.2
192.168.3.0/24 dev wg0 scope link
192.168.3.2 dev wg0 scope link
192.168.3.3 dev wg0 scope link
192.168.3.4 dev wg0 scope link
192.168.3.6 dev wg0 scope link
192.168.5.0/24 dev ivpn0 scope link
192.168.178.0/24 dev br-lan scope link  src 192.168.178.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 172.16.35.68 dev ivpn0 table local scope host  src 172.16.35.68
local 192.168.2.2 dev eth1 table local scope host  src 192.168.2.2
broadcast 192.168.2.255 dev eth1 table local scope link  src 192.168.2.2
local 192.168.3.1 dev wg0 table local scope host  src 192.168.3.1
broadcast 192.168.3.255 dev wg0 table local scope link  src 192.168.3.1
local 192.168.178.1 dev br-lan table local scope host  src 192.168.178.1
broadcast 192.168.178.255 dev br-lan table local scope link  src 192.168.178.1
fd00:4956:504e:ffff::ac10:2344 dev ivpn0  metric 256
fd3a:5e84:63b1::/64 dev br-lan  metric 1024
unreachable fd3a:5e84:63b1::/48 dev lo  metric 2147483647
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev phy0-ap0  metric 256
fe80::/64 dev phy1-ap0  metric 256
fe80::/64 dev eth1  metric 256
local ::1 dev lo table local  metric 0
local fd00:4956:504e:ffff::ac10:2344 dev ivpn0 table local  metric 0
anycast fd3a:5e84:63b1:: dev br-lan table local  metric 0
local fd3a:5e84:63b1::1 dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev phy0-ap0 table local  metric 0
anycast fe80:: dev phy1-ap0 table local  metric 0
anycast fe80:: dev eth1 table local  metric 0
local fe80::74fa:8dff:fe94:2962 dev eth0 table local  metric 0
local fe80::c87f:54ff:fe23:10f3 dev phy0-ap0 table local  metric 0
local fe80::ca7f:54ff:fe23:10f2 dev br-lan table local  metric 0
local fe80::ca7f:54ff:fe23:10f2 dev phy1-ap0 table local  metric 0
local fe80::ca7f:54ff:fe23:10f2 dev eth1 table local  metric 0
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev wg0 table local  metric 256
multicast ff00::/8 dev phy0-ap0 table local  metric 256
multicast ff00::/8 dev phy1-ap0 table local  metric 256
multicast ff00::/8 dev eth1 table local  metric 256
multicast ff00::/8 dev ivpn0 table local  metric 256
```

ip rule show

```
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
```

wg show

```
interface: wg0
  public key: lWUoMiIE3xY7V9r53AnkMkJQ1zFVVOHIBLL2lJgoNCo=
  private key: (hidden)
  listening port: 51820

peer: jFkI/Ou5Ncuy0vFxIs8d99awlTybmQmaeBFDmRU3Vjg=
  preshared key: (hidden)
  endpoint: 146.70.160.174:47702
  allowed ips: 192.168.3.3/32
  latest handshake: 11 hours, 54 minutes, 22 seconds ago
  transfer: 116.56 MiB received, 1.69 GiB sent

peer: UeYdb4qv3PMJxn6yzi+dtImlU4yQ0b6rc97xk6xQYhw=
  preshared key: (hidden)
  allowed ips: 192.168.3.2/32

peer: tZCZxA5gICuYx+m0V+rpYX93bT0ouZpreZ68dHjeKGA=
  preshared key: (hidden)
  allowed ips: 192.168.3.4/32

peer: jgOICw6qi9cXTXAuI+KavgOmSIY7em6VkzhVdyffWU4=
  allowed ips: (none)

peer: BPyYlpIxjlWSx7krUQmtMUdMzxAVjDyGSOe98LORCVY=
  preshared key: (hidden)
  allowed ips: 192.168.3.8/32

interface: ivpn0
  public key: 2pnrGIavZqKbdR7b3yHeHrrJAa3OFdJlfrSyXoHX6RQ=
  private key: (hidden)
  listening port: 55673

peer: CugQQtD8YJKRwS5IukNWkMcyqOzlOxfGRPhGeQRAb2Y=
  endpoint: 146.70.160.170:58237
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 49 seconds ago
  transfer: 114.53 MiB received, 210.85 MiB sent
```
(The last one (or two?) is the problematic one; the others are just VPNs for connecting my devices to the home network from outside.)

You are running a WG server and a WG client, so you need PBR anyway; otherwise it will not work.

The WG server interface is missing from the firewall; add it to the LAN zone, e.g. add the following to the LAN firewall zone:

```
        list network 'wg0'
```

For the WG client you set up a separate zone, which is OK, but then you have to set a forwarding rule from this zone to the WAN:

```
config forwarding 'vpn_wan'
        option src 'vpn'
        option dest 'wan'
```

You can delete the following:

This one is exposing everything

Edit: Reboot afterwards and check whether your WG client works, and, after stopping the WG client and rebooting, whether the WG server works.
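
A small check that reads the two posted config files and flags the items raised in this reply (the ivpn0 peer pulling in a default route, wg0 belonging to no zone, the wan-to-lan forwarding, and the global forward policy), as an added example that is not part of this thread or of OpenWrt. The two sample configs inside it are constructed to mirror the poster's layout; the keys, peer descriptions and the 198.51.100.7 endpoint are placeholders. Feed `audit()` the contents of the real `/etc/config/network` and `/etc/config/firewall` to run it against your own router.

```python
"""Audit OpenWrt /etc/config/network and /etc/config/firewall text for the
WireGuard mistakes discussed in this thread. Added example, not code from the
thread or from OpenWrt; the two sample configs are constructed to mirror the
poster's layout (keys, descriptions and the endpoint address are placeholders)."""
import shlex
from collections import defaultdict

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}

# Constructed sample: a road-warrior server (wg0) plus a provider tunnel (ivpn0).
SAMPLE_NETWORK = """\
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '51820'

config wireguard_wg0
        option description 'road warrior'
        option public_key 'KEY'
        list allowed_ips '192.168.3.2/32'
        option route_allowed_ips '1'

config interface 'ivpn0'
        option proto 'wireguard'

config wireguard_ivpn0
        option description 'provider gateway'
        option public_key 'KEY'
        option endpoint_host '198.51.100.7'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
"""

# Constructed sample: wg0 is in no zone, and wan is forwarded into lan.
SAMPLE_FIREWALL = """\
config defaults
        option forward 'ACCEPT'

config zone 'lan'
        option name 'lan'
        list network 'lan'

config zone
        option name 'vpn'
        option masq '1'
        list network 'ivpn0'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'lan'
"""


def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, {key: [values]})]."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)   # handles the single-quoted values
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, defaultdict(list)))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][2][parts[1]].append(parts[2] if len(parts) > 2 else "")
    return sections


def first(opts, key, default=""):
    return opts[key][0] if opts.get(key) else default


def audit(network_text, firewall_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    findings = []
    # 1. allowed_ips 0.0.0.0/0 with route_allowed_ips=1 makes netifd put
    #    'default dev <iface>' into the main table, so every source uses it.
    for typ, _, opts in net:
        if typ.startswith("wireguard_"):
            full = DEFAULT_ROUTES & set(opts.get("allowed_ips", []))
            if full and first(opts, "route_allowed_ips", "0") == "1":
                iface = typ[len("wireguard_"):]
                findings.append(f"peer '{first(opts, 'description', '?')}' on {iface}: allowed_ips "
                                f"{sorted(full)} with route_allowed_ips=1 installs a default route")
    # 2. A WireGuard interface in no zone is governed only by the defaults policy.
    zoned = {n for typ, _, opts in fw if typ == "zone" for n in opts.get("network", [])}
    for typ, name, opts in net:
        if typ == "interface" and first(opts, "proto") == "wireguard" and name not in zoned:
            findings.append(f"interface {name} is in no firewall zone")
    # 3. Forwarding from wan lets unsolicited WAN traffic into the destination zone.
    for typ, _, opts in fw:
        if typ == "forwarding" and first(opts, "src") == "wan":
            findings.append(f"forwarding wan -> {first(opts, 'dest', '?')} exposes that zone to the WAN")
    # 4. OpenWrt ships 'option forward REJECT' in defaults; ACCEPT forwards
    #    whatever no zone forwarding matched.
    for typ, _, opts in fw:
        if typ == "defaults" and first(opts, "forward", "REJECT").upper() == "ACCEPT":
            findings.append("defaults forward=ACCEPT: forwarded traffic no zone rule matched is accepted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETWORK, SAMPLE_FIREWALL):
        print(finding)
```

Finding 4 is why "changing firewall stuff doesn't seem to have much of an effect" is plausible here: with the global forward policy at ACCEPT, traffic between zones is forwarded even where no `config forwarding` section allows it, so zone edits stop mattering until that policy is put back to the stock REJECT.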

Well yeah, it might be weird because at some point I just messed with the settings and tried to have WAN and LAN traffic routed without the VPN zone.

I deleted that stuff and added the WG server to LAN.

Now, what's the simplest way that I can set up PBR?
Basically, I want it to work like this:
Net A: 192.168.178.0/24
Net B: 192.168.3.0/24
Net C: 192.168.5.0/24

All traffic from Net A should be routed directly to WAN (without VPN). (Most importantly right now, because that's still not working.)

VPN connections from WAN should become clients in Net B.
Net B and Net A are routed with unicast so all the clients can talk to each other.

All clients in Net C should only be allowed to make WAN connections through the VPN (-> WG interface).
Net C can talk to the clients in Net A and B as well. (But it shouldn't be able to talk to the gateways in those nets, to avoid creating WAN traffic without going through the VPN.)

I hope this makes sense... It would be great to get some hints on how to do that.

The most important part is that you disable Route Allowed IPs on the WG client.

This will stop default routing via the WG client.

This allows you to use the WG server and Net A and Net B will use the WAN.

Then install the PBR package from my link; with that you can easily route Net C via the WG client.

You might need some additional firewall rules, but first get this working.

Do it step by step, and after each step reboot or do:

```
service network restart
service firewall restart
```

Make backups so that you can go back to a working solution.

Oh, and WG server clients do not become clients of a subnet (B) but clients of your router on their own subnet. If you want to restrict those clients, then place the wg0 interface in its own zone, just like you did with the WG client, but as said, step by step.
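
To make the "disable Route Allowed IPs, then route only Net C via the tunnel" advice concrete, here is a simulation of the kernel's policy-routing lookup (rules walked in priority order, longest-prefix match inside the selected table, fall-through to the next rule when that table has no matching route), run against tables built from the poster's `ip route show` output. It is an added example, not code from this thread, from OpenWrt or from the pbr package; the VPN endpoint host route (198.51.100.7) and Net C's device name (br-netc) are placeholders, and the exact rules and tables you end up with depend on how pbr or netifd is configured. It also covers the failure mode a practitioner cares about: with the tunnel down, a `from Net C ... prohibit` rule after the tunnel table stops Net C falling back to the WAN.

```python
"""Simulate Linux policy routing (ip rule + per-table longest-prefix match) for
the three states discussed in the thread: as posted, after disabling Route
Allowed IPs with a 'from Net C' rule, and with the tunnel down. Added example,
not code from the thread, OpenWrt or pbr; the tables are constructed from the
poster's 'ip route show', and ENDPOINT_HOST / br-netc are placeholders."""
import ipaddress

ENDPOINT_HOST = "198.51.100.7/32"   # placeholder for the provider endpoint's host route
LOCAL = [("192.168.2.0/24", "eth1"), ("192.168.3.0/24", "wg0"),
         ("192.168.178.0/24", "br-lan"), ("192.168.5.0/24", "br-netc")]


def lookup(rules, tables, src, dst):
    """Return the egress device for src->dst, or the rule action that stopped it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r["prio"]):
        if "from" in rule and src not in ipaddress.ip_network(rule["from"]):
            continue
        if "to" in rule and dst not in ipaddress.ip_network(rule["to"]):
            continue
        if "action" in rule:                  # ip rule ... prohibit/unreachable/blackhole
            return rule["action"]
        best = None                           # longest-prefix match within this table
        for prefix, dev in tables.get(rule["table"], []):
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        if best:                              # first table that has a match decides
            return best[1]
    return "unreachable"                      # no rule/table matched: ENETUNREACH


# 1. As posted: route_allowed_ips=1 on a 0.0.0.0/0 peer puts 'default dev ivpn0'
#    into the main table, so every source, the LAN included, exits via the tunnel.
BEFORE = {
    "rules": [{"prio": 32766, "table": "main"}],
    "tables": {"main": [("0.0.0.0/0", "ivpn0"), (ENDPOINT_HOST, "eth1")] + LOCAL},
}

# 2. route_allowed_ips=0: main keeps the WAN default, the tunnel default lives in
#    its own table and only a 'from Net C' rule selects it. Rules 100/101 keep
#    Net C -> Net A/B local; rule 111 stops Net C from falling back to main.
PBR_RULES = [
    {"prio": 100, "to": "192.168.178.0/24", "table": "main"},
    {"prio": 101, "to": "192.168.3.0/24", "table": "main"},
    {"prio": 110, "from": "192.168.5.0/24", "table": "vpn"},
    {"prio": 111, "from": "192.168.5.0/24", "action": "prohibit"},
    {"prio": 32766, "table": "main"},
]
AFTER = {
    "rules": PBR_RULES,
    "tables": {"main": [("0.0.0.0/0", "eth1"), (ENDPOINT_HOST, "eth1")] + LOCAL,
               "vpn": [("0.0.0.0/0", "ivpn0")]},
}

# 3. Tunnel down: ivpn0's route is gone from table vpn, so the lookup falls
#    through to the prohibit rule instead of leaking Net C via eth1.
VPN_DOWN = {"rules": PBR_RULES,
            "tables": {"main": AFTER["tables"]["main"], "vpn": []}}


def decide(scenario, src, dst):
    return lookup(scenario["rules"], scenario["tables"], src, dst)


if __name__ == "__main__":
    for name, sc in (("before", BEFORE), ("after", AFTER), ("vpn down", VPN_DOWN)):
        for src, dst in (("192.168.178.50", "1.1.1.1"), ("192.168.5.20", "1.1.1.1"),
                         ("192.168.5.20", "192.168.178.50")):
            print(f"{name:9} {src:>15} -> {dst:<15} via {decide(sc, src, dst)}")
```

Without the pbr package, the same rules and the extra table are expressed in `/etc/config/network` with `config route` sections that carry `option table` and `config rule` sections with `option src`, `option lookup`, `option priority` and `option action`; the simulation above is only there to show why the order of those rules matters and what the `prohibit` entry buys you.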

Yeah, but when disabling Route Allowed IPs I lose my internet connection. The WG client can't perform a handshake with its server anymore and I can't reach the internet.
Should I try to delete it?

Okay, so good news! I replaced the firewall with the old backup version I had and now it's working again! Thanks for the help so far!