I now have a persistent connection, and all client traffic flows through my WireGuard interface to my AWS WireGuard server.
So now I need to discriminate traffic. Basically, I want my work laptop (192.168.1.197) to flow over the WireGuard connection, but I want my son's Xbox (192.168.1.200) to flow over the unencrypted connection.
I suspect I'll need to do something with routing tables and rules, but I'm a little over my head here in terms of devops. I appreciate the expertise and time.
The VPN connection works and I have internet connectivity from my clients over that connection when all LAN traffic is forwarded to my interface (wg0).
I have removed that forwarding rule.
The router still has internet connectivity over the LAN connection.
Here is what I've done; I basically followed these instructions:
Created a new table called wireguard
Added a new rule from my laptop's IP to the table: ip rule add from 192.168.1.197 table wireguard
Added a new default route: ip route add default via <ip_of_the_far_end_of_your_tunnel> dev wg0 table wireguard. Note: not quite sure what to put for the far end of the tunnel. I have tried my local default gateway as well as the IP address of the WireGuard server hosted in AWS.
Flushed the cache
Here is what the config shows now:
root@OpenWrt:~# ip rule list
0: from all lookup local
32765: from 192.168.1.197 lookup wireguard
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~# ip route show
default dev wg0 proto static scope link
3.14.33.131 via 10.0.0.1 dev eth0.2 proto static
10.0.0.0/24 dev eth0.2 proto kernel scope link src 10.0.0.65
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
root@OpenWrt:~# ip route list table wireguard
default via 10.0.0.1 dev wg0
Unfortunately my laptop still has no internet connectivity.
It means that all IPs are allowed to and from this tunnel.
No, it will not be done by PBR, you need to keep the firewall rules.
The existence of the wireguard routing table is kind of unnecessary. The main routing table's default route goes through the WireGuard tunnel anyway. What you need is a custom routing table via the regular ISP gateway.
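Added example (not from anyone in the thread): a small checker that parses the `ip route` output quoted above, flags the route whose gateway is not reachable on the named device (10.0.0.1 is the ISP gateway on eth0.2, not a peer on wg0), and derives the bypass table the reply describes. Table id 100 and the use of the WireGuard endpoint's host route to locate the ISP gateway are assumptions.

```python
"""Check policy routes from `ip route` output and derive an ISP-bypass table.
Example code for this thread, not the poster's or OpenWrt's own tooling."""
import ipaddress
import re

# Constructed input: the `ip route show` and `table wireguard` output from the thread.
MAIN_TABLE = """\
default dev wg0 proto static scope link
3.14.33.131 via 10.0.0.1 dev eth0.2 proto static
10.0.0.0/24 dev eth0.2 proto kernel scope link src 10.0.0.65
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
"""
WG_TABLE = "default via 10.0.0.1 dev wg0\n"

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Return (network, gateway-or-None, device) tuples; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
            routes.append((ipaddress.ip_network(dst, strict=False), m["via"], m["dev"]))
    return routes


def unreachable_gateways(table_routes, main_routes):
    """Routes whose gateway does not sit in a connected prefix of the same device.
    Such a route is installed but can never resolve a next hop, so traffic is dropped."""
    onlink = {}
    for dst, via, dev in main_routes:
        if via is None and dst.prefixlen not in (0, 32):  # connected (kernel) prefixes
            onlink.setdefault(dev, []).append(dst)
    return [(str(dst), via, dev) for dst, via, dev in table_routes
            if via and not any(ipaddress.ip_address(via) in p for p in onlink.get(dev, []))]


def isp_bypass_commands(client_ip, main_routes, table=100):
    """Commands that send one LAN client straight to the ISP gateway (assumed table id 100).
    The /32 host route to the WireGuard endpoint must already bypass the tunnel,
    so its next hop and device identify the real uplink."""
    for dst, via, dev in main_routes:
        if via and dst.prefixlen == 32:
            return [f"ip rule add from {client_ip} table {table}",
                    f"ip route add default via {via} dev {dev} table {table}",
                    "ip route flush cache"]
    raise ValueError("no host route via an uplink gateway found")
```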