Bypass all traffic from one port through wireguard

Hello. I have spent a lot of time on this.
I have a router with 3 common ports and one wan port.
One of the common ports is connected to a device that I want to route through WG.

device ip: 172.16.0.240
openwrt ip: 172.16.0.1
wg ip client: 10.200.200.3
wg ip server: 10.200.200.1

Pinging 172.16.0.1 and 10.200.200.3 from the device works fine, but 10.200.200.1 and 8.8.8.8 return an error:

ping 10.200.200.1
PING 10.200.200.1 (10.200.200.1) 56(84) bytes of data.
From 172.16.0.1 icmp_seq=1 Destination Port Unreachable

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 172.16.0.1 icmp_seq=1 Destination Port Unreachable

ping google.com
PING google.com (142.250.185.142) 56(84) bytes of data.
From _gateway (172.16.0.1) icmp_seq=1 Destination Port Unreachable

note: the other network (lan -> wan) is working fine

I can't find an error, please help me.

cat /etc/config/network

# /etc/config/network as posted (private key, peer public key, endpoint and ULA prefix masked by the author).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf3:xxxx:xxx::/48'

# Regular LAN: lan1 + lan2 bridged; reaches the internet via the firewall's lan -> wan forwarding.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.31.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# WireGuard client side of the tunnel. The address is given without a prefix length and shows up
# as 10.200.200.3/32 in the `ip addr` output further down, so the server address 10.200.200.1 is
# not on-link from this interface. A static route "via 10.200.200.1" on this interface would
# therefore likely be refused by the kernel (no on-link next hop) -- which fits the fix reached at
# the end of the thread, where the table-100 default route only worked once the gateway was set to
# 10.200.200.3 instead of 10.200.200.1.
config interface 'wireguard'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxx'
	list addresses '10.200.200.3'

# Peer section for the WG server. As pasted it carries no allowed_ips and no route_allowed_ips;
# without allowed_ips the peer cannot carry any traffic (WireGuard's cryptokey routing), and
# without route_allowed_ips no route towards the tunnel is installed -- the `ip ro` output below
# indeed shows no route via 'wireguard'.
# NOTE(review): these lines may simply have been dropped from the paste; confirm with `wg show`.
config wireguard_wireguard
	option description 'ru'
	option public_key 'xxxxxxxxxxxxxxxxx'
	option endpoint_host 'x.x.x.x'
	option persistent_keepalive '25'

# Separate bridge holding only lan3: the single port whose device (172.16.0.240) must egress through
# the tunnel. bridge_empty '1' lets the bridge exist even when no member port has link.
config device
	option type 'bridge'
	option name 'br-lan-vpn'
	list ports 'lan3'
	option bridge_empty '1'

# Router-side address for the tunnel-only segment; the device uses 172.16.0.1 as its gateway.
config interface 'lan_vpn'
	option proto 'static'
	option device 'br-lan-vpn'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'

cat /etc/config/firewall

# /etc/config/firewall as posted. fw4 evaluates rule and forwarding sections in order, so nothing is
# reordered here.
# Default policy: anything not explicitly allowed is REJECTed. REJECT answers the sender with an ICMP
# error, which is consistent with the "Destination Port Unreachable" replies from 172.16.0.1 seen in
# the pings above for traffic that has no matching forwarding.
config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

# Upstream zone: NAT (masq) and TCP MSS clamping (mtu_fix) for everything leaving via wan/wan6.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# Regular LAN zone; its only forwarding is to wan (next section).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt rules from here to Allow-ISAKMP (DHCP renew, ping, IGMP, IPv6 housekeeping, IPsec);
# unchanged from the default firewall and not involved in the lan_vpn problem.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Zone for the tunnel-only bridge. Its sole forwarding is to 'wg' below; there is intentionally none
# to 'wan', so anything from 172.16.0.240 that the routing table sends out the wan interface is
# rejected instead of leaking around the tunnel. That is the kill-switch behaviour wanted here, but
# it also means the device has no connectivity at all until routing into the tunnel actually works.
config zone
	option name 'lan_vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan_vpn'

# Tunnel zone: masq '1' rewrites lan_vpn sources to 10.200.200.3 before they enter the tunnel.
# input/forward REJECT means the server end cannot open connections to the router or the LAN; it can
# only answer flows initiated from this side.
config zone
	option name 'wg'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wireguard'
	option masq '1'

# The only path out of lan_vpn: into the tunnel.
config forwarding
	option src 'lan_vpn'
	option dest 'wg'

# A rule with no 'src' applies to the router's own output traffic: the handshake/keepalive to the
# endpoint on UDP 51820. The wan zone already has output ACCEPT, so this rule is redundant as
# written, but harmless.
config rule
	option name 'Allow wireguard out'
	option dest 'wan'
	list dest_ip 'x.x.x.x'
	option dest_port '51820'
	option target 'ACCEPT'

# Stale include left behind after pbr was uninstalled (see the author's note on this line). With the
# script gone, fw4 may warn about or skip it; drop the section rather than leaving a dangling path,
# e.g. `uci delete firewall.pbr` followed by `uci commit firewall`.
config include 'pbr' <- pbr was removed, but it still here
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: miireg: <> mtu 0 qdisc noop state DOWN group default qlen 1000
    link/netrom 
3: wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 28:d1:27:70:c6:2e brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.11/24 brd 192.168.2.255 scope global wan
       valid_lft forever preferred_lft forever
    inet6 fe80::2ad1:27ff:fe70:c62e/64 scope link 
       valid_lft forever preferred_lft forever
4: lan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 28:d1:27:4e:12:5a brd ff:ff:ff:ff:ff:ff
5: lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 28:d1:27:4e:12:5a brd ff:ff:ff:ff:ff:ff
6: lan3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan-vpn state UP group default qlen 1000
    link/ether 28:d1:27:4e:12:5a brd ff:ff:ff:ff:ff:ff
7: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 28:d1:27:4e:12:5c brd ff:ff:ff:ff:ff:ff
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 28:d1:27:4e:12:5a brd ff:ff:ff:ff:ff:ff
    inet 192.168.31.1/24 brd 192.168.31.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdf3:900a:d16a::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::2ad1:27ff:fe4e:125a/64 scope link 
       valid_lft forever preferred_lft forever
11: br-lan-vpn: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 28:d1:27:4e:12:5a brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.1/24 brd 172.16.0.255 scope global br-lan-vpn
       valid_lft forever preferred_lft forever
    inet6 fe80::2ad1:27ff:fe4e:125a/64 scope link 
       valid_lft forever preferred_lft forever
13: phy2-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 28:d1:27:4e:12:5a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2ad1:27ff:fe4e:125a/64 scope link 
       valid_lft forever preferred_lft forever
14: phy1-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 28:d1:27:4e:12:5b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2ad1:27ff:fe4e:125b/64 scope link 
       valid_lft forever preferred_lft forever
15: wireguard: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.200.200.3/32 brd 255.255.255.255 scope global wireguard
       valid_lft forever preferred_lft forever

ip ro

default via 192.168.2.1 dev wan proto static src 192.168.2.11 
172.16.0.0/24 dev br-lan-vpn proto kernel scope link src 172.16.0.1 
185.204.2.57 via 192.168.2.1 dev wan proto static 
192.168.2.0/24 dev wan proto kernel scope link src 192.168.2.11 
192.168.31.0/24 dev br-lan proto kernel scope link src 192.168.31.1 

PBR is the way to achieve your goals. Why did you remove it?

I don't know how to do it with pbr. I want to achieve it with the default configuration.

If you only want the single device with local IP address 172.16.0.240 to be routed through WireGuard, you can do this manually by adding one custom routing table and one custom rule.

To make the custom routing table in LuCI, go to Network -> Routing and click "Add" in the "Static IPv4 Routes" tab. Select "wireguard" as the interface, "unicast" as the route type, "0.0.0.0/0" as the target, and "[WireGuard-gateway-IP]" as the gateway under "General Settings". Then set a new table number under "Advanced Settings", say "100" for example, and leave everything else alone, then hit "Save".

Then go to the "IPv4 Rules" tab and "Add" a new rule. Rule type "unicast", incoming interface "br-lan-vpn" (if I'm interpreting your config correctly), source "172.16.0.240/32", and table "100" (or whatever number you used above). Leave everything else alone and hit "Save".

Save and apply all of that. I don't actually know if it's necessary to reboot the router to make it take effect properly, but may as well.

I didn't scan through the rest of your firewall, you may need to adjust other rules to suit, but that should be the basic setup to get started.


Thank you. I've added these rules but it doesn't help.

Now I'm trying to use PBR, but no luck

cat /etc/config/pbr

# /etc/config/pbr as posted, from the second attempt (pbr reinstalled after the manual route/rule
# approach did not help). Global section is the package default apart from strict_enforcement.
config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

# Policy meant to push the single device through the tunnel, but src_addr '0.0.0.0/0' matches every
# source, so as written it targets all traffic rather than 172.16.0.240 alone; for the stated goal
# src_addr should be 172.16.0.240 (or 172.16.0.0/24 for the whole lan_vpn segment).
# NOTE(review): as I read pbr's 'chain' option, 'output' only classifies packets generated by the
# router itself, so forwarded traffic from the device is not matched by this policy at all. The
# author reports prerouting/forward did not help either, which points at the route/gateway issue
# resolved later in the thread rather than at this policy.
config policy
	option name 'wg'
	option src_addr '0.0.0.0/0'
	option interface 'wireguard'
	option src_port '0-65535'
	option chain 'output' // prerouting, forward - doesn't help

I'm sorry, there was an error in my previous post due to the forum formatting. It may have been the problem.

In the new routing table, you need to set the gateway to the gateway address of your WireGuard tunnel (in my previous post this accidentally appeared to be empty because I formatted it wrong and the forum software disappeared it).

If it doesn't work with that corrected, then I'm baffled.

Thank you.
I've tried every IP for "[WireGuard-gateway-IP]", but nothing helps.

Maybe this is crazy, but have you successfully connected to the WG "server" with any other device? Just to rule out a problem on that end?

EDIT: Also double-check your time and date on both ends; WG is fussy about that.

No other device is connected through this router, but from my Linux PC everything is fine.
If I change the firewall forwarding from lan_vpn -> wg to lan_vpn -> wan (image below),
everything starts working, but of course without WireGuard.

The wireguard interface looks like it is working (image).

I don't know how to check whether the wg tunnel really works or not.



My first thought would be to install WireGuard on the PC and try to connect to the server from that.

It's working without any problem on PC.

Wait... is it only ping that's affected/failing? Does the tunnel actually work for its intended purpose? As you said, your screenshots really do suggest that the tunnel is being established and data is passing over it, and you've proven that the server works fine by connecting from your PC directly.

Not only ping; for example, curl doesn't work either.
This setup should work for any connection, not only ping or curl.

curl google.com
curl: (7) Failed to connect to google.com port 80 after 26 ms: Couldn't connect to server

I solved my problem when I changed the Static IPv4 Route gateway to 10.200.200.3; previously it was 10.200.200.1. (Most likely the route via 10.200.200.1 was never installed: the wireguard interface only has 10.200.200.3/32, so 10.200.200.1 is not an on-link next hop and the kernel refuses such a route unless it is marked onlink.)

Thank you


That's great! Sorry that I didn't think of checking that...
