Best way to configure my outgoing and incoming VPN?

I will start with an introduction explaining the reasons why I intend to install a VPN: nothing illegal.
You can skip it to get to the point of the reason for my query.

For some months now we have been having problems in Spain with IP blocking and hiding of DNS domains
by ISPs.

The football league association has won some court rulings against Cloudflare due to illegal video retransmissions of soccer matches.
It seems that the only solution the judge or ISPs have come up with is to block certain IP addresses during matches to prevent pirates from making illegal retransmissions.
The bad thing is that behind those addresses (many of Cloudflare, but not only) there are hundreds and thousands of internet services of companies that have nothing to do with soccer or with this illegal activity.
So you stop being able to watch any video from Vimeo, to order pizzas from Burger King and things like that.
A whole nonsense.

Being able to avoid these blocks is my main motivation, although it seems more and more appropriate to navigate without ISPs or others meddling in what you do or don't do.

NOW LET'S GET TO THE POINT BY EXPLAINING THE REASON FOR MY QUERY

I have hired protonVPN as a VPN service to be able to surf the Internet as securely as possible and with a greater degree of anonymity.

This service allows access using the wireguard protocol configured in our openWRT router.

I have created an interface with this protocol and configured it to access the protonVPN server.

Then I have configured the firewall so that all the local network traffic is directed to this interface instead of the wan.
This is the image of my interfaces:

This is the image of the zone configuration:

iot is an internal network for IoT devices, which cannot access the internet and can only access and be accessed from the local network.

guest is a guest network associated with a wifi network that has no access to the local network or iot and goes directly to the internet through the wan without going through the VPN.

As I said everything works correctly when browsing from within the network.

THE PROBLEM COMES WHEN I WANT TO CONNECT TO MY NETWORK from the outside.

I have a WireGuard interface (wgVPN) configured to accept WireGuard connections on the standard port 51280.
That interface is added to the "lan" firewall zone together with the "lan" interface.

I have a firewall traffic rule to direct traffic from the wan zone on port 51280 to the router on the same port.

When I was not using the protonVPN everything worked OK.
But once I have activated it and redirected traffic from the lan zone to the protonVPN zone instead of wan, I cannot access the wgVPN server anymore from outside.

I would like to access the wgVPN wireguard server from my ISP IP in the wan interface as I was able to do prior to activating the protonVPN.

Thanks for your help.

You connect to your home via the WAN interface and that traffic should also go out via the WAN interface but it does not as your default route is via the Proton VPN.

So you have to route traffic from the WireGuard server (e.g the listen port) back via the WAN with some form of Policy Based Routing (PBR).

The easiest might be to install the PBR app, make sure you use version 1.1.8:

The PBR app will do this automatically, so no need to configure anything, just make sure your WireGuard client does not have a listen port configured.

Netifd does not support sport yet; my PR is pending, but you can also use something like:

Thank you a lot.
I understand, the problem is not that the traffic does not reach the wgVPN interface from the outside but that it answers through the protonVPN tunnel and thus from another IP.

I am not sure I understand the solution; you seem to say that installing PBR would be enough as it will detect the problems and provide by itself the appropriate policy.

Would it affect other configuration of my network?

Another solution would probably be to connect to the wgVPN interface through the protonVPN tunnel itself, connecting to the protonVPN IP?

Correct

Correct

Yes, that is possible as, I think, Proton allows port forwarding via the VPN, but this is difficult to set up and does not work if Proton is not operational/disabled.

So using PBR is my preferred solution.


I have installed PBR and the luci interface modules.

I have tried to connect from my mobile device using mobile 4G but it does not work.

It worked without the protonvpn being activated.

This is the page of PBR:

That is an old version, see my earlier post.

Make sure that only your WireGuard server has a listen port and not the client; the listen port is used to route traffic via the wan, as can be shown by ip rule show if PBR is active.
Make sure to reboot after installing.
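
The two replies above describe the same mechanism: traffic sourced from the WireGuard server's listen port must be steered to a routing table whose default route is the WAN, which is what the PBR package sets up automatically and what a manual ip rule with a source-port selector does by hand. The script below is an added example written for this thread; it is not the PBR package's code nor anything posted by the participants. It assumes interface name eth1, gateway 203.0.113.1 and table id 100 (all placeholders), uses the port 51280 mentioned in the question, and relies on the ipproto/sport selectors of ip rule, which need iproute2 and a kernel of 4.17 or newer. The ip rule show samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): route replies from the WireGuard
# server's listen port back out the WAN with a source-port ip rule, and
# check `ip rule show` output for such a rule. Values below are assumed.

WG_PORT=51280         # WireGuard server listen port used in this thread
WAN_IF=eth1           # WAN interface name (assumed placeholder)
WAN_GW=203.0.113.1    # ISP gateway address (constructed, documentation range)
TABLE=100             # routing table holding the WAN-only default route (assumed)
PRIO=1000             # rule priority, evaluated before the main table (32766)

# Commands that create the policy route: a table whose default route is the
# WAN, and a rule sending UDP traffic sourced from the listen port to it.
# The `ipproto`/`sport` selectors need iproute2 and kernel 4.17 or newer.
pbr_commands() {
    printf 'ip route replace default via %s dev %s table %s\n' \
        "$WAN_GW" "$WAN_IF" "$TABLE"
    printf 'ip rule add ipproto udp sport %s lookup %s priority %s\n' \
        "$WG_PORT" "$TABLE" "$PRIO"
}

# Print the commands, or run them when root sets DRY_RUN=0.
pbr_apply() {
    if [ "$(id -u)" -eq 0 ] && [ "${DRY_RUN:-1}" = "0" ]; then
        pbr_commands | sh -e
    else
        pbr_commands
    fi
}

# Read `ip rule show` output on stdin; succeed (exit 0) if some rule matches
# source port $1 and looks up a table other than main.
pbr_rule_present() {
    awk -v port="$1" '
        {
            for (i = 1; i < NF; i++)
                if ($i == "sport" && $(i + 1) == port)
                    for (j = i; j < NF; j++)
                        if ($j == "lookup" && $(j + 1) != "main") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed `ip rule show` samples: before and after the policy rule exists.
RULES_BEFORE='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'
RULES_AFTER='0: from all lookup local
1000: from all ipproto udp sport 51280 lookup 100
32766: from all lookup main
32767: from all lookup default'

# Stand-alone run: show the commands and test the check against the sample.
pbr_apply
printf '%s\n' "$RULES_AFTER" | pbr_rule_present "$WG_PORT" \
    && echo "sample rule set: listen-port rule present"
```

On the router, `ip rule show | sh -c '. ./pbr-check.sh; pbr_rule_present 51280'` tells you whether PBR (or a manual rule) already steers the listen port; running with DRY_RUN=0 as root applies the manual rule, which does not survive a reboot unless it is placed in /etc/rc.local or a hotplug script. The firewall rule that accepts UDP 51280 on the wan zone is still required; the policy rule only fixes the return path.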

Oh, sorry, I installed it through LuCI and assumed it was up to date.

But I am on OpenWrt 23.05.2; maybe I need to upgrade to 24.10.1.

But that is something I am always afraid of, to not brick my device.
Some time ago I had problems after upgrading as there was a heavy change in how interfaces worked.

I will ask if there might be problems in this router for upgrading.

For pbr you do not have to upgrade the whole router, you can upgrade the package per the instructions.
I do think that you should at least upgrade to 23.05.5 but if possible to 24.10.1

I have upgraded to 23.05.5 but it has the old version.
Upgrading to 24.10 is not so easy; it cannot be done via LuCI unattended sysupgrade and will take a while.

Will see if I can upgrade pbr only, and will defer upgrading to 24.10 till later when internet is not so needed.


I could finally upgrade the router to 24.10.

I have installed pbr and, as you said, it has version 1.1.8, and after install everything works; it has detected that the WireGuard VPN needs to access the wan interface.

Now I can connect to home when the VPN is working. Thanks a lot.
This forum is great.

But now I have some doubts about using PBR and what it is for.

Does it completely replace the routing module that comes with the standard firmware?
Should I use it instead of network/routing and firewall rules, or does it provide functionality on top of them?

It does not do anything if you do not configure any rules, besides routing the listen port of the WireGuard server back via the WAN; that can also be switched off but is enabled by default.

It also does not replace anything; it is just a tool for Policy Based Routing.

So no need to worry.

Glad your problem is solved 🙂


Great, thank you.

Indeed YOU solved the problem, I just followed your guidance.
