Create a SSID/Interface that will use a commercial VPN

My goal is to configure my OpenWrt router/firewall so that a device connected to a particular SSID, or plugged into a specific physical port, uses a commercial VPN provider's server.

I am thinking this will require me to:

  1. Create a new wg interface and configure it with the commercial VPN's credentials
  2. Configure PBR so that all traffic from the intended interface, matched by its IP range, uses the wg interface

Am I missing anything conceptually?

I should note that when complete, I will have two WireGuard interfaces. One, wg0, gives me access to my home network when I am away. The new one, wg1, will be the one connected to the commercial VPN provider.

Below is my current /etc/config/network; I plan to use the 'homeoffice' interface as the one that will use the newly created WireGuard interface.

Does this look right to achieve my goal?

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1d:692b:58dc::/48'
	option packet_steering '1'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config device
	option name 'br-lan.5'
	option type '8021q'
	option ifname 'br-lan'
	option vid '5'
	option ipv6 '0'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'

config device
	option type 'bridge'
	option name 'lxcbr0'
	option ipv6 '0'
	option bridge_empty '1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	option delegate '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '10.9.7.1'
	option netmask '255.255.255.0'

config interface 'homeoffice'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '10.9.6.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '10.9.5.1'
	option netmask '255.255.255.0'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.9.8.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'lxc'
	option device 'lxcbr0'
	option proto 'static'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '14500'
	list addresses '10.200.200.200/24'
	option private_key 'xxx'
	option delegate '0'

config wireguard_wg0
	option description 'me'
	list allowed_ips '10.200.200.201/32'
	option route_allowed_ips '1'
	option public_key 'xxx'
	option preshared_key 'yyy'

# Client tunnel to the commercial VPN, as first posted. There is no
# 'option defaultroute 0' here yet; the reply below adds it so that this
# tunnel can never replace the WAN default route (which the wg0 server
# relies on). Key is a redacted placeholder.
config interface 'wg1'
	option proto 'wireguard'
	option private_key 'aaa'
	list addresses '10.100.100.103/24'

# Peer entry for the VPN provider. allowed_ips 0.0.0.0/0 permits any
# destination to be sent into (and accepted from) the tunnel. There is no
# 'route_allowed_ips', so netifd should not install a route for 0.0.0.0/0;
# steering traffic here is left to PBR. Keys are redacted placeholders.
config wireguard_wg1
	option description 'MT6000'
	option public_key 'bbb'
	option preshared_key 'ccc'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'my.vpn.provider.com'
	option endpoint_port '47100'
	option persistent_keepalive '25'

That looks good.

But take note: your WG server (wg0) needs the WAN to be the default gateway (or have its port routed via the WAN).
To make sure you do not set the WG client (wg1) as the default gateway, disable "Use default gateway" on the Advanced page of the wg1 interface (option defaultroute '0').

Then you use PBR to route the interface of your choice via wg1.


I added the option defaultroute '0' to my config interface 'wg1' section.

I then created this in /etc/config/pbr:

config policy
	option src_addr '10.9.6.0/24'
	option interface 'wg1'
	option name 'wg1 redirect'

When I connect to the homenetwork interface, however, I cannot browse the web. Do I need to configure anything in my firewall? I thought PBR would take care of the routing.

/etc/config/pbr
config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'dnsmasq.nftset'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option nft_file_support '0'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '0'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '1'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.wg_server_and_client'
	option enabled '0'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option src_addr '10.9.6.0/24'
	option interface 'wg1'
	option name 'wg1 redirect'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'lxc'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lxc'

config zone
	option name 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'homeoffice'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'homeoffice'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'modem'
	list network 'wan'

# Separate zone for the VPN client tunnel (first attempt; the reply below
# instead adds wg1 to the 'wan' zone). Unlike the 'wan' zone this one has no
# 'option masq 1', so packets from 10.9.6.0/24 forwarded into the tunnel keep
# their private source address — a likely reason browsing failed from homeoffice.
config zone
	option name 'wg1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg1'

# Lets traffic that *enters* from the wg1 tunnel be forwarded out the WAN.
# For a client tunnel only the other direction (homeoffice -> wg1) is needed;
# this opens the router as a relay for whatever the provider side sends.
# The later config drops this forwarding.
config forwarding
	option src 'wg1'
	option dest 'wan'

config forwarding
	option src 'homeoffice'
	option dest 'wg1'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'homeoffice'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'lan'
	option dest 'lxc'

config forwarding
	option src 'lxc'
	option dest 'wan'

config forwarding
	option src 'wg0'
	option dest 'iot'

config forwarding
	option src 'wg0'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule 'wg'
	option name 'allow-wireguard'
	option proto 'udp'
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '14500'
	option family 'ipv4'

config rule
	option src 'wg0'
	option target 'ACCEPT'
	option name 'wg dhcp and dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'

config rule
	option src 'homeoffice'
	option target 'ACCEPT'
	option name 'homeoffice dhcp dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'
	option family 'ipv4'

config rule
	option src 'guest'
	option target 'ACCEPT'
	option name 'guest dhcp dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'

config rule
	option src 'iot'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '67 68 123'
	option name 'iot dhcp and ntpd'
	option family 'ipv4'

config rule
	option src 'wg0'
	option dest 'iot'
	option dest_port '80 554 9000'
	option target 'ACCEPT'
	option name 'wg camera access'

config rule
	list proto 'udp'
	option src 'lxc'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'pi-hole-dns lxc to input'

config rule
	list proto 'udp'
	option src 'guest'
	option dest 'lxc'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'pi-hole-dns guest to lxc'

config rule
	list proto 'udp'
	option src 'wg0'
	option dest 'lxc'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'pi-hole-dns guest to wg'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option dest_ip '10.0.4.250'
	option dest 'lxc'
	option dest_port '53'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'iot'
	option src_dport '53'
	option dest 'lxc'
	option dest_ip '10.0.4.250'
	option dest_port '53'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'guest'
	option src_dport '53'
	option dest 'lxc'
	option dest_ip '10.0.4.250'
	option dest_port '53'

config include
	option enabled '1'
	option type 'script'
	option path '/etc/snort/snort-table.sh'
	option fw4_compatible '1'

config ipset
	option name 'allowtraffic'
	option family 'ipv4'
	list match 'dest_ip'
	option enabled '0'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

Assuming you want access to your whole network when connecting from outside, simply add the wg0 interface to the LAN zone.

As you already use PBR to route one interface via the tunnel, you can simplify this by just adding wg1 to the WAN zone.

This simplifies things a lot.

I do not think you need the following rule:

When you are connected you are already inside, and by adding the wg0 interface to the LAN zone you piggyback on that. Besides, I can understand that you want DNS, but DHCP?

Many thanks for your advice.

I had a typo in my post above (now corrected). It should have read: "When I connect to the homenetwork interface, however, I cannot browse the web. Do I need to configure anything in my firewall? I thought PBR would take care of the routing."

I made this change, but I am still unable to browse the web when connected to the homenetwork interface.

Regarding the potentially superfluous rule, you might be right. Once the wg1 interface is working, I will remove that rule and see if everything still works.

When you connect to your WG server (from outside, e.g. with your phone on cellular):

  1. can you make a connection ?
  2. can you connect to your router?
  3. can you ping/tracert e.g. 8.8.8.8
  4. can you ping/tracert google.com

Let's see your current config:

Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show

OK... I am not sure what changed, but after rebooting the setup seems to be working as intended. Would you mind reviewing it and commenting on anything you see that might be a misconfiguration?

Note - I added the following to /etc/config/pbr based on this thread.

option secure_reload '1'
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1d:692b:58dc::/48'
	option packet_steering '1'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config device
	option name 'br-lan.5'
	option type '8021q'
	option ifname 'br-lan'
	option vid '5'
	option ipv6 '0'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'

config device
	option type 'bridge'
	option name 'lxcbr0'
	option ipv6 '0'
	option bridge_empty '1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	option delegate '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '10.9.7.1'
	option netmask '255.255.255.0'

config interface 'homeoffice'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '10.9.6.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'iot'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '10.9.5.1'
	option netmask '255.255.255.0'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.9.8.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'lxc'
	option device 'lxcbr0'
	option proto 'static'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'

# WireGuard *server* for remote access to the home network. listen_port must
# stay in sync with the 'allow-wireguard' firewall rule (dest_port '14500').
# Key is a redacted placeholder.
config interface 'wg0'
	option proto 'wireguard'
	option listen_port '14500'
	list addresses '10.200.200.200/24'
	option private_key 'xxx'
	option delegate '0'

# Road-warrior peer. allowed_ips is a single /32, so only that source address
# is accepted from this peer, and route_allowed_ips installs the matching
# route. A preshared key is configured in addition to the public key.
# Keys are redacted placeholders.
config wireguard_wg0
	option description 'me'
	list allowed_ips '10.200.200.201/32'
	option route_allowed_ips '1'
	option public_key 'xxx'
	option preshared_key 'yyy'

# Client tunnel to the commercial VPN (after the fixes from this thread).
# defaultroute '0' keeps the tunnel from replacing the WAN default route;
# delegate '0' withholds IPv6 prefix delegation on it.
# 'list dns 10.0.4.250' is the Pi-hole address also used by the Intercept-DNS
# redirects; as an interface-level entry it is presumably consumed by the
# router's own resolver and does not by itself make homeoffice clients
# resolve through the tunnel — TODO confirm with a DNS leak test from a
# homeoffice client. Key is a redacted placeholder.
config interface 'wg1'
	option proto 'wireguard'
	option private_key 'aaa'
	list addresses '10.100.100.103/24'
	option defaultroute '0'
	option delegate '0'
	list dns '10.0.4.250'

# Peer entry for the VPN provider. allowed_ips 0.0.0.0/0 permits any
# destination into the tunnel; without 'route_allowed_ips' no route is
# installed by netifd, so PBR is the only thing sending traffic here.
# endpoint_port differs from the first post (47100 -> 51820).
# persistent_keepalive may be removed (see the end of the thread) at the
# cost of a short delay on first use. Keys are redacted placeholders.
config wireguard_wg1
	option description 'MT6000'
	option public_key 'bbb'
	option preshared_key 'ccc'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'my.vpn.provider.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'lxc'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lxc'

# Zone for the remote-access server. input REJECT means connected clients
# can only reach the router itself through the explicit rules below
# (DNS/DHCP ports); forward REJECT limits them to the listed forwardings
# (iot, wan). Deliberately restrictive, as discussed in the thread.
config zone
	option name 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'homeoffice'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'homeoffice'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

# WAN zone now also holds wg1, so the tunnel inherits input/forward DROP
# (nothing arriving from the provider side is accepted or relayed),
# masquerading (so 10.9.6.0/24 leaves with the tunnel address) and mtu_fix.
# 'modem' has no matching 'config interface' in the network config above —
# a stale reference, harmless but worth removing.
config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'modem'
	list network 'wan'
	list network 'wg1'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'homeoffice'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'lan'
	option dest 'lxc'

config forwarding
	option src 'lxc'
	option dest 'wan'

config forwarding
	option src 'wg0'
	option dest 'iot'

config forwarding
	option src 'wg0'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

# homeoffice -> 'wan' zone, which contains both eth1 and wg1. The firewall
# alone would also let homeoffice traffic reach the physical WAN if wg1 is
# down; the 'strict_enforcement 1' in /etc/config/pbr below is intended to
# block that fallback — confirm by testing with the tunnel stopped.
config forwarding
	option src 'homeoffice'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock OpenWrt rule: forwards IPsec ESP from WAN into the lan zone. Nothing
# in the posted config terminates IPsec on a LAN host, so this can be disabled
# if unused.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Opens the wg0 listen port to the router itself; dest_port must match
# listen_port '14500' in /etc/config/network. IPv4 only.
config rule 'wg'
	option name 'allow-wireguard'
	option proto 'udp'
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '14500'
	option family 'ipv4'

config rule
	option src 'wg0'
	option target 'ACCEPT'
	option name 'wg dhcp and dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'

# Lets homeoffice clients reach the router itself for DHCP and DNS.
# NOTE(review): the PBR policy matches sources in 10.9.6.0/24, and the
# router's own upstream queries (wan: 1.1.1.1 / 1.0.0.1) are presumably not
# in that range, so DNS from clients that use 10.9.6.1 as resolver may leave
# via the plain WAN rather than wg1 — check with a DNS leak test.
config rule
	option src 'homeoffice'
	option target 'ACCEPT'
	option name 'homeoffice dhcp dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'
	option family 'ipv4'

config rule
	option src 'guest'
	option target 'ACCEPT'
	option name 'guest dhcp dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'

config rule
	option src 'iot'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '67 68 123'
	option name 'iot dhcp and ntpd'
	option family 'ipv4'

config rule
	option src 'wg0'
	option dest 'iot'
	option dest_port '80 554 9000'
	option target 'ACCEPT'
	option name 'wg camera access'

config rule
	list proto 'udp'
	option src 'lxc'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'pi-hole-dns lxc to input'

config rule
	list proto 'udp'
	option src 'guest'
	option dest 'lxc'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'pi-hole-dns guest to lxc'

config rule
	list proto 'udp'
	option src 'wg0'
	option dest 'lxc'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'pi-hole-dns guest to wg'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option dest_ip '10.0.4.250'
	option dest 'lxc'
	option dest_port '53'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'iot'
	option src_dport '53'
	option dest 'lxc'
	option dest_ip '10.0.4.250'
	option dest_port '53'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'guest'
	option src_dport '53'
	option dest 'lxc'
	option dest_ip '10.0.4.250'
	option dest_port '53'

config include
	option enabled '1'
	option type 'script'
	option path '/etc/snort/snort-table.sh'
	option fw4_compatible '1'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

/etc/config/pbr
# PBR global settings. strict_enforcement '1' is what should stop traffic
# for a policy whose interface (wg1) is down instead of letting it fall back
# to the WAN. ipv6_enabled '0' matches the 'ipv6 0' on the LAN devices.
# NOTE(review): ignored_interface 'vpnserver' does not name any interface in
# /etc/config/network (the server is 'wg0'); if the intent is to keep wg0 out
# of PBR's gateway handling, the name must match. secure_reload '1' was added
# by the poster based on this thread.
config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'dnsmasq.nftset'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option nft_file_support '0'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '0'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '1'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option secure_reload '1'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.wg_server_and_client'
	option enabled '0'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

# Steers every protocol and destination from the homeoffice subnet into wg1
# (no dest_addr/proto narrowing). Traffic originated by the router itself is
# not matched by this src_addr and keeps using the WAN.
config policy
	option src_addr '10.9.6.0/24'
	option interface 'wg1'
	option name 'wg1 redirect'

The firewall rules for your WG server are very restrictive: you cannot connect to your router, you can only connect to iot and wan.

Of course that is fine if you only want that :slight_smile:

This firewall rule seems redundant, as you already allow traffic from wg0 to the iot zone.

If your connected WG client uses DNS from the router you need this rule for DNS (as you have INPUT on the wg0 zone set to REJECT), but DHCP seems superfluous.

Again, many thanks for the expert review!

Yes, I like the restrictive rules for wg0. I will try disabling the two rules you called out and see if I experience breakage. Note that I have Pi-hole running in a Linux container on the lxc zone, so I thought I would need the DNS rule.

This rule is an INPUT rule so allowing traffic to the router itself.
So you need it (for port 53) if you have set the Pi-hole as DNS server on the clients that connect to your WG server, assuming the Pi-hole is running on/reachable via your router.

So conceptually, wg1 just sits there waiting for PBR to route to it, and without PBR that interface would just sit there sending keep-alive packets and nothing else?

Yes that is correct.

To answer your next question — can you disable keep-alive? Yes, you can.
It takes a little longer when you start using wg1, but WG is rather quick, so you measure it in milliseconds; I once tried to time it and it was below 1 sec., but YMMV.

