Allow or deny specific IP addresses through VPN interface

So, I followed the guide here:

I now have a persistent connection that all client traffic flows through my Wireguard interface to my AWS Wireguard server.

So, now I need to discriminate traffic. Basically, I want my work laptop( to flow over the Wireguard connection. But I want my son's xbox( to flow over the unencrypted connection.

I suspect I'll need to do something with routing tables and rules, but I'm a little over my head here in terms of devops. I appreciate the expertise and time.


You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

If it is only one or two devices, you can go with #3, otherwise the easiest way would be #2

1 Like

Thank you. Sounds like PBR is the way to go and I have some reading to do. So, that brings up a specific question about my router's WG config.

Specifically, these two lines:

uci add_list network.wgserver.allowed_ips=""
uci add_list network.wgserver.allowed_ips="::/0"

Does that just mean that any traffic I choose to send to that interface will be allowed?

Also, I assume I should remove the firewall forwarding rules from wan->wg0 since it will be done via PBR?

Thank you for the information @trendy

The vpn connection works and I have internet connectivity from my clients over that connection when all lan traffic is forwarded to my interface (wg0).
I have removed that forwarding rule.
The router still has internet connectivity over the lan connection.

Here is what I've done and basically followed these instructions:

  1. Created a new table called wireguard
  2. Added a new rule from my laptops IP to the table <== ip rule add from table wireguard
  3. Added a new default route. <== ip route add default via <ip_of_the_far_end_of_your_tunnel> dev wg0 table wireguard
    Note Not quite sure what to put for the far end of the tunnel. I have tried my local default gateway as well as the IP address of the wireguard server hosted in AWS.
  4. Flushed the cache

Here is what the config shows now:

root@OpenWrt:~# ip rule list
0: from all lookup local 
32765: from lookup wireguard 
32766: from all lookup main 
32767: from all lookup default

root@OpenWrt:~# ip route show
default dev wg0 proto static scope link via dev eth0.2 proto static dev eth0.2 proto kernel scope link src dev br-lan proto kernel scope link src

root@OpenWrt:~# ip route list table wireguard
default via dev wg0

Unfortunately my laptop still has no internet connectivity.


Try ip route add default dev wg0 table wireguard instead.

It means that all IPs are allowed to and from this tunnel.

No, it will not be done by PBR, you need to keep the firewall rules.

The existence of the wireguard routing table is kind of unnecessary. The main routing default route goes through wireguard tunnel anyway. What you need is a custom routing table via the regular ISP gateway.