Help config Wireguard Client

Good morning,
I am trying to configure the WireGuard client on my system. So far I can get it to work and connect to the desired server, but I can't get it to carry only the IPs I select with PBR; right now all traffic goes through it, and I don't want that. Can someone help me?


Without any details about your actual current configuration, it is hard to say what is wrong. But my guess is that you just need to change the allowed IPs - is it currently 0.0.0.0/0? If so, that would explain why all traffic is going over the tunnel. Instead, you should put the target IPs that should traverse the tunnel. If your remote network is 10.20.3.0/24 (just as an example), that should be in the allowed IPs field.


Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

# Diagnostic bundle requested by the forum helper: board info, the full UCI
# config (network, wireless, dhcp, firewall), custom firewall rules, IPv4/IPv6
# addresses, every routing table, the policy rules and the resolver state.
# Before posting, redact private keys, PSKs, MAC addresses and public IPs —
# WireGuard endpoint_host values in the network export count as public IPs.
ubus call system board
uci export network
uci export wireless
uci export dhcp
uci export firewall
# 'head -n -0' prints the whole file (with a filename header when several
# files are given), so the resolver files below are shown together.
head -n -0 /etc/firewall.user
ip -4 addr
ip -4 ro li tab all
ip -4 ru
ip -6 addr
ip -6 ro li tab all
ip -6 ru
ls -l  /etc/resolv.* /tmp/resolv.*
head -n -0 /etc/resolv.* /tmp/resolv.*
 ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
	"kernel": "4.14.171",
	"hostname": "Home",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "AVM FRITZ!Box 4040",
	"board_name": "avm,fritzbox-4040",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.2",
		"revision": "r10947-65030d81f3",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 19.07.2 r10947-65030d81f3"
	}
}
package network
# NOTE(review): output of `uci export network`.  Empty '' values are
# redactions from the paste; the unbalanced quote on the 'Florian' peer's
# endpoint_host looks like a paste artifact rather than the live config.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd91:31ed:87d2::/48'

# LAN: 192.168.15.0/24 on the eth0 bridge (both radios attach to 'lan' in the
# wireless export).
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.15.1'

# WAN is a static address on a private network with gateway 192.168.10.1, so
# this box presumably sits behind another router (double NAT) — confirm.
config interface 'wan'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.10'
	option gateway '192.168.10.1'
	list dns '192.168.10.1'
	option metric '0'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 4'
	option vid '1'

# 'wifi' bridges radio0.network1/radio1.network1, but both wifi-ifaces in the
# wireless export are attached to 'lan', so this interface appears unused —
# verify before relying on the matching 'wifi' firewall zone.
config interface 'wifi'
	option ifname 'radio0.network1 radio1.network1'
	option type 'bridge'
	option proto 'dhcp'

# wg0: WireGuard *server* side — listens on UDP 52466 as 10.0.0.1/24; the two
# wireguard_wg0 sections below are its peers.  wg0 is a member of the 'lan'
# firewall zone, so those peers get the same access as LAN hosts.
config interface 'wg0'
	option proto 'wireguard'
	option private_key ''
	option listen_port '52466'
	list addresses '10.0.0.1/24'

config wireguard_wg0
	option public_key ''
	option description 'Florian'
	option persistent_keepalive '25'
	# a bare address becomes a host route (see the 10.0.0.2 entry in the route dump)
	list allowed_ips '10.0.0.2'
	option route_allowed_ips '1'
	option endpoint_host '
	option endpoint_port '52466'

# tun0/tun1 are brought up by something else (presumably OpenVPN, given the
# 'OpenVPN' firewall zone); these sections only give them interface names.
config interface 'vpnclient'
	option ifname 'tun0'
	option proto 'none'

config wireguard_wg0
	option public_key ''
	option description 'Pati'
	option persistent_keepalive '25'
	option endpoint_port '52466'
	list allowed_ips '10.0.0.3'
	option route_allowed_ips '1'
	option endpoint_host ''

config interface 'VpnClient2'
	option ifname 'tun1'
	option proto 'none'

# wgclient: WireGuard *client* side (the Mullvad tunnel discussed in the
# thread).  listen_port is not needed by an initiating client with keepalive;
# note it equals the 51820 opened by 'Allow-Wireguard-Inbound' in the firewall.
config interface 'wgclient'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	list addresses '10.66.181.100/32'

# NOTE(review): this peer has no allowed_ips, so the tunnel comes up but
# accepts and sends nothing — the fix later in the thread adds 0.0.0.0/1 and
# 128.0.0.0/1 and sets route_allowed_ips '0' so that policy-based routing,
# not a default route, picks the tunnel traffic.  endpoint_host is a public
# IP that the redaction request above asked to remove.
config wireguard_wgclient
	option public_key ''
	option description 'wgclient'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	option endpoint_host '45.162.228.186'
package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/soc/a000000.wifi'
	option htmode 'HT20'
	option channel '6'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Luan'
	option encryption 'psk-mixed'
	option key ''

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/a800000.wifi'
	option htmode 'VHT80'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Luan'
	option encryption 'psk-mixed'
	option key ''

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '100'
	option limit '150'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wifi'
	option leasetime '12h'
	option interface 'wifi'
	option start '150'
	option limit '100'

config host
	option mac ''
	option name ''
	option dns '1'
	option ip '192.168.15.11'

config host
	option mac ''
	option name ''
	option dns '1'
	option ip '192.168.15.10'

config host
	option mac ''
	option dns '1'
	option ip '192.168.15.9'
	option name ''

config host
	option mac ''
	option name ''
	option dns '1'
	option ip '192.168.15.12'

config host
	option mac ''
	option name ''
	option dns '1'
	option ip '192.168.15.6'

config host
	option mac ''
	option name ''
	option dns '1'
	option ip '192.168.15.5'

config host
	option mac ''
	option name ''
	option dns '1'
	option ip '192.168.15.7'

config host
	option mac ''
	option name ''
	option dns '1'
	option ip '192.168.15.8'

config host
	option mac ''
	option dns '1'
	option name ''
	option ip '192.168.15.21'

config host
	option mac ''
	option name ''
	option dns '1'
	option ip '192.168.15.15'

config host
	option mac ''
	option dns '1'
	option ip '192.168.15.16'
	option name ''

config host
	option mac ''
	option name ''
	option dns '1'
	option ip '192.168.15.14'

config host
	option mac '
	option name '
	option dns '1'
	option ip '192.168.15.17'

config host
	option mac ''
	option name ''
	option dns '1'
	option ip '192.168.15.18'

config host
	option mac ''
	option dns '1'
	option ip '192.168.15.20'
	option name ''

config host
	option mac 
	option name '
	option dns '1'
	option ip '192.168.15.4'

config host
	option mac '
	option name '
	option dns '1'
	option ip '192.168.15.3'

config host
	option mac '
	option dns '1'
	option ip '192.168.15.2'
	option name ''

config host
	option mac ''
	option name '
	option dns '1'
	option ip '192.168.15.19'

config host
	option mac '
	option name '
	option dns '1'
	option ip '192.168.15.22'

package firewall
# NOTE(review): output of `uci export firewall`.  Points worth checking are
# marked below.  Stock OpenWrt ships with forward 'REJECT' in defaults and
# input/forward 'REJECT' on the wan zone; this config relaxes all three.

# Router-wide fallback policy.  forward 'ACCEPT' here means traffic between
# two zones that have no explicit forwarding section is still allowed.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

# wg0 (the WireGuard server) is in the lan zone, so its peers get exactly the
# same access to the router and the LAN as wired/wireless LAN hosts.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

# NOTE(review): input 'ACCEPT' exposes every service listening on the router
# to the upstream 192.168.10.0/24 network, and together with the defaults
# above nothing stops that network from being forwarded into lan or the VPN
# zones.  Both are 'REJECT' in stock OpenWrt; worth tightening even behind
# another router.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

# The Allow-* rules below are the stock OpenWrt defaults.  With wan input set
# to ACCEPT they are currently redundant, but keep them for when it is tightened.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# /etc/firewall.user is empty apart from its template comments (see the
# head output below), so this include currently adds nothing.
config include
	option path '/etc/firewall.user'

# Zone for the 'wifi' interface, which looks unused in the network export
# (both radios are attached to 'lan') — verify before keeping it.
config zone
	option name 'wifi'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wifi'

config forwarding
	option dest 'wan'
	option src 'wifi'

# src '*' admits UDP 51820 from every zone.  51820 is the wgclient (client
# side) listen_port; the wg0 *server* listens on 52466 per the network export
# — confirm which tunnel this rule is meant to serve.  An initiating client
# with persistent_keepalive does not need an inbound rule at all.
config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

# VPN client zones (OpenVPN, VpnClient2, wgclient): input/forward 'REJECT'
# keep the tunnels one-way (lan -> tunnel only) and masq '1' NATs LAN
# addresses behind the tunnel address.
config zone
	option name 'OpenVPN'
	option mtu_fix '1'
	option masq '1'
	option output 'ACCEPT'
	option network 'vpnclient'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'OpenVPN'
	option src 'lan'

# UPnP lets LAN hosts open inbound ports through this firewall on request;
# keep it only if something on the LAN relies on it.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option network 'VpnClient2'
	option name 'VpnClient2'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

config forwarding
	option dest 'VpnClient2'
	option src 'lan'

# NOTE(review): this zone has no name and no network, and the forwarding
# after it has no dest — presumably left over from a removed VPN interface.
# fw3 will warn about or skip both; delete these two sections.
config zone
	option masq '1'
	option input 'REJECT'
	option forward 'REJECT'
	option mtu_fix '1'
	option output 'ACCEPT'

config forwarding
	option src 'lan'

config zone
	option network 'wgclient'
	option name 'wgclient'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

config forwarding
	option dest 'wgclient'
	option src 'lan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.10.10/24 brd 192.168.10.255 scope global eth1
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.1.3/24 brd 10.8.1.255 scope global tun0
       valid_lft forever preferred_lft forever
16: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global wg0
       valid_lft forever preferred_lft forever
18: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.15.1/24 brd 192.168.15.255 scope global br-lan
       valid_lft forever preferred_lft forever
24: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.0.19/24 brd 10.8.0.255 scope global tun1
       valid_lft forever preferred_lft forever
81: wgclient: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.66.181.100/32 brd 255.255.255.255 scope global wgclient
       valid_lft forever preferred_lft forever
default via 192.168.10.1 dev eth1 table 201 
10.0.0.0/24 dev wg0 table 201 proto kernel scope link src 10.0.0.1 
10.0.0.2 dev wg0 table 201 proto static scope link 
10.0.0.3 dev wg0 table 201 proto static scope link 
default via 10.8.1.3 dev tun0 table 202 
10.0.0.0/24 dev wg0 table 202 proto kernel scope link src 10.0.0.1 
10.0.0.2 dev wg0 table 202 proto static scope link 
10.0.0.3 dev wg0 table 202 proto static scope link 
default via 10.8.0.19 dev tun1 table 203 
10.0.0.0/24 dev wg0 table 203 proto kernel scope link src 10.0.0.1 
10.0.0.2 dev wg0 table 203 proto static scope link 
10.0.0.3 dev wg0 table 203 proto static scope link 
default via 10.66.181.100 dev wgclient table 204 
10.0.0.0/24 dev wg0 table 204 proto kernel scope link src 10.0.0.1 
10.0.0.2 dev wg0 table 204 proto static scope link 
10.0.0.3 dev wg0 table 204 proto static scope link 
default via 192.168.10.1 dev eth1 proto static 
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1 
10.0.0.2 dev wg0 proto static scope link 
10.0.0.3 dev wg0 proto static scope link 
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.19 
10.8.1.0/24 dev tun0 proto kernel scope link src 10.8.1.3 
45.162.228.186 via 192.168.10.1 dev eth1 proto static 
77.23.189.91 via 192.168.10.1 dev eth1 proto static 
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.10 
192.168.15.0/24 dev br-lan proto kernel scope link src 192.168.15.1 
broadcast 10.0.0.0 dev wg0 table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev wg0 table local proto kernel scope host src 10.0.0.1 
broadcast 10.0.0.255 dev wg0 table local proto kernel scope link src 10.0.0.1 
broadcast 10.8.0.0 dev tun1 table local proto kernel scope link src 10.8.0.19 
local 10.8.0.19 dev tun1 table local proto kernel scope host src 10.8.0.19 
broadcast 10.8.0.255 dev tun1 table local proto kernel scope link src 10.8.0.19 
broadcast 10.8.1.0 dev tun0 table local proto kernel scope link src 10.8.1.3 
local 10.8.1.3 dev tun0 table local proto kernel scope host src 10.8.1.3 
broadcast 10.8.1.255 dev tun0 table local proto kernel scope link src 10.8.1.3 
local 10.66.181.100 dev wgclient table local proto kernel scope host src 10.66.181.100 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.10.0 dev eth1 table local proto kernel scope link src 192.168.10.10 
local 192.168.10.10 dev eth1 table local proto kernel scope host src 192.168.10.10 
broadcast 192.168.10.255 dev eth1 table local proto kernel scope link src 192.168.10.10 
broadcast 192.168.15.0 dev br-lan table local proto kernel scope link src 192.168.15.1 
local 192.168.15.1 dev br-lan table local proto kernel scope host src 192.168.15.1 
broadcast 192.168.15.255 dev br-lan table local proto kernel scope link src 192.168.15.1 
0:	from all lookup local 
32614:	from all fwmark 0x40000/0xff0000 lookup 204 
32615:	from all fwmark 0x30000/0xff0000 lookup 203 
32616:	from all fwmark 0x20000/0xff0000 lookup 202 
32617:	from all fwmark 0x10000/0xff0000 lookup 201 
32766:	from all lookup main 
32767:	from all lookup default 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::2e3a:fdff:fe04:f072/64 scope link 
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::684f:66e8:6bfa:9b6f/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
18: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd91:31ed:87d2::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::2e3a:fdff:fe04:f071/64 scope link 
       valid_lft forever preferred_lft forever
19: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::2e3a:fdff:fe04:f073/64 scope link 
       valid_lft forever preferred_lft forever
20: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::2e3a:fdff:fe04:f074/64 scope link 
       valid_lft forever preferred_lft forever
24: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::7a7e:2909:cb60:6925/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
fd91:31ed:87d2::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd91:31ed:87d2::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd91:31ed:87d2:: dev br-lan table local proto kernel metric 0 pref medium
local fd91:31ed:87d2::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun1 table local proto kernel metric 0 pref medium
local fe80::2e3a:fdff:fe04:f071 dev br-lan table local proto kernel metric 0 pref medium
local fe80::2e3a:fdff:fe04:f072 dev eth1 table local proto kernel metric 0 pref medium
local fe80::2e3a:fdff:fe04:f073 dev wlan0 table local proto kernel metric 0 pref medium
local fe80::2e3a:fdff:fe04:f074 dev wlan1 table local proto kernel metric 0 pref medium
local fe80::684f:66e8:6bfa:9b6f dev tun0 table local proto kernel metric 0 pref medium
local fe80::7a7e:2909:cb60:6925 dev tun1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev wg0 table local metric 256 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev wlan1 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev wgclient table local metric 256 pref medium
0:	from all lookup local 
32766:	from all lookup main 
4200000001:	from all iif lo failed_policy
4200000003:	from all iif eth1 failed_policy
4200000011:	from all iif tun0 failed_policy
4200000016:	from all iif wg0 failed_policy
4200000018:	from all iif br-lan failed_policy
4200000024:	from all iif tun1 failed_policy
4200000081:	from all iif wgclient failed_policy
lrwxrwxrwx    1 root     root            16 Feb 27 22:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Jul 12 11:54 /tmp/resolv.conf
-rw-r--r--    1 root     root            40 Jul 12 11:54 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.10.1

You have no allowed_ips in the section wireguard_wgclient.
Add IPs/networks that you need to route to.


Right now I don't have any. Mullvad said to put 0.0.0.0/0, but I don't want the whole internet. I tried to put the IP of some device at home, but I did not get it to work. What I want to achieve is to send the IPs selected in PBR to the wgclient interface, so that only those go through that VPN.

If I put, for example, the IP of my mobile (192.168.xx.x), it works for me, but I don't have internet. Or is it because I have to add some DNS?

???

Your wording is quite confusing. Nonetheless, I'll give an example of changing Google DNS (8.8.8.8) to use the tunnel.

config route
	option target '8.8.8.8'
	option netmask '255.255.255.255'
	option interface 'VpnClient2'

(I don't use the PBR app, so I can't help with the config via that method.)

That should work - as long as you're not implying an asymmetric route at the remote end.

I am not trying to configure vpnclient 1 or 2; those two work for me at the moment, but I am not satisfied that they work with Google's DNS.
I am trying to configure wgclient.

Apologies, I thought I selected the correct interface. Simply choose the appropriate one. The route config is still valid.

:confused:

I merely used 8.8.8.8 as an example, I apologize for any confusion.

The option allowed_ips also acts as an internal firewall for the tunnel (traffic to or from addresses outside it is dropped), so you need to add the whole range, 0.0.0.0/1 and 128.0.0.0/1, to be able to reach the internet.
On the other hand, if you don't want to use WG as a default route, disable the option route_allowed_ips or utilize policy-based routing.


So I have to put allowed_ips :?
0.0.0.0/1, 128.0.0.0/1

# Make the wgclient peer a catch-all for whatever PBR steers into the tunnel,
# without letting it take over the router's default route.
# Quoted so the shell never treats the '[0]' as a glob.
peer='network.@wireguard_wgclient[0]'
# route_allowed_ips=0: netifd will not install the allowed_ips below as
# routes, so the main table keeps its wan default route and only policy-based
# routing decides which sources/destinations leave via wgclient.
uci set "${peer}.route_allowed_ips=0"
# Clear any existing list first; -q keeps this silent when there is none
# (as in the posted config).
uci -q delete "${peer}.allowed_ips"
# 0.0.0.0/1 + 128.0.0.0/1 together cover all of IPv4 (same as 0.0.0.0/0), so
# any destination passes the peer's allowed_ips check.
uci add_list "${peer}.allowed_ips=0.0.0.0/1"
uci add_list "${peer}.allowed_ips=128.0.0.0/1"
uci commit network
/etc/init.d/network restart
# Note: this changes only where packets go.  The router's own DNS still
# follows /tmp/resolv.conf.auto (the wan upstream, per the posted output)
# unless you redirect it separately.

I hadn't said it yet: thank you very much for your help in solving the problem.
At the moment it seems that everything works as I had imagined: I can send IPs from PBR and it works great. At the moment I can even say that the WireGuard client is faster than OpenVPN with NordVPN.
Thank you very much for your help, and to the others who were encouraged to help me.
Now it's up to me to correctly use the DNS of both Mullvad and NordVPN.

