[SOLVED] Help me with wireguard on other interfaces

I'm trying to restrict the VPN traffic to the LAN only (10.4.4.1/24), but I can't get it to work: all the other subnets/VLANs are left without internet.

/etc/config/network


# Loopback interface, as shipped by OpenWrt.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdbc:108a:fec5::/48'

# Bridge over ports lan1-lan3. This carries the 'lan' interface below, the one
# network the poster wants to keep on the VPN.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option igmp_snooping '1'

# LAN: 10.4.4.1/24 (the netmask 255.255.255.0 is the /24).
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.4.4.1'

# Upstream WAN via DHCP. peerdns '0' ignores the resolvers handed out by the ISP;
# the three dns entries below are used instead.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	list dns '208.67.222.222'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# Second bridge, on lan4 only; the bridge-vlan section below tags it with VLAN 20.
config device
	option type 'bridge'
	option name 'br-vlan20'
	list ports 'lan4'
	option igmp_snooping '1'

config bridge-vlan
	option device 'br-vlan20'
	option vlan '20'
	list ports 'lan4'

# vlan20: 10.5.5.1/24 on the tagged sub-device br-vlan20.20.
config interface 'vlan20'
	option proto 'static'
	option device 'br-vlan20.20'
	option ipaddr '10.5.5.1'
	option netmask '255.255.255.0'

# Bridge with no wired ports; presumably the guest SSID is attached to it from
# /etc/config/wireless, which is not shown in this thread.
config device
	option type 'bridge'
	option name 'br-guest'

# Guest Wi-Fi: 192.168.4.1/24.
config interface 'guestwifi'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option device 'br-guest'

# WireGuard tunnel to the VPN provider. No listen_port is set, so this side appears
# to act purely as a client that dials the endpoint given in the peer section.
# NOTE(review): the private key on the next lines was published verbatim in a public
# forum thread, so it must be treated as compromised. Generate a fresh key pair on the
# router and register the new public key with the provider before relying on this
# tunnel again.
config interface 'wg0'
	option proto 'wireguard'
	option peerdns '0'
	option private_key 'WNbOK3FRkchua0Qf+uAnzIsy2VOa+4KLfdPlkqREVV8='
	list addresses '10.2.0.2/32'
	option delegate '0'

# The provider's peer. allowed_ips 0.0.0.0/0 combined with route_allowed_ips '1'
# installs a default route through wg0, so every local subnet (lan, vlan20, guestwifi)
# egresses via the tunnel unless policy routing steers it elsewhere -- this is the root
# of the problem described in the thread. Only the tunnel address 10.2.0.2/32 is held
# on this side, which is presumably why the firewall 'wireguard' zone masquerades.
# persistent_keepalive '25' keeps the UDP mapping alive through the upstream NAT.
config wireguard_wg0
	option description 'WG-Connection'
	option public_key 'HHCcDMr2GBrbE0JamghbVfVfvcNDTdob/IOniVcklF4='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '172.83.43.135'
	option endpoint_port '51820'
	option persistent_keepalive '25'

/etc/config/dhcp/


# dnsmasq resolver/DHCP settings. rebind_protection '1' (with rebind_localhost '1')
# drops upstream answers that point at private address space; localservice '1' makes
# dnsmasq answer only clients on directly attached subnets. Upstream resolvers come
# from resolvfile, which /etc/config/network populates from the wan dns list.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option quietdhcp '1'
	option filterwin2k '1'
	option nonegcache '1'
	option dnsforwardmax '300'
	option cachesize '1000'

# DHCPv4, DHCPv6 and RA on the LAN. No dhcp_option override here, so by default
# clients are handed the router itself as their resolver.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# Never serve DHCP towards the upstream side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# DHCP option 6 hands vlan20 clients the external resolvers 1.1.1.2 / 1.0.0.2
# directly, so their DNS queries leave through the firewall's forward path (wan or
# wireguard, whichever routing picks) instead of being answered by dnsmasq. The
# Allow-VLAN20-DNS firewall rule is then only exercised by a client that still
# asks the router. Note these queries are plain UDP/TCP 53, not encrypted.
config dhcp 'vlan20'
	option interface 'vlan20'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.2,1.0.0.2'

# Same arrangement for the guest Wi-Fi, with 1.1.1.1 / 1.0.0.2 as resolvers.
config dhcp 'guestwifi'
	option interface 'guestwifi'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,1.0.0.2'

/etc/config/firewall


# Global defaults. input/output ACCEPT here only covers traffic that matches no
# zone; every zone below sets its own policy, and wan-facing input is REJECT there.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

# Trusted LAN. Where it may forward to is governed solely by the 'config forwarding'
# sections further down (wan and wireguard).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'lan'
	option forward 'REJECT'

# Upstream zone: unsolicited input rejected, outbound traffic source-NATed.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# The following wan input rules are the stock OpenWrt set (DHCP renew, ping,
# IGMP, DHCPv6, MLD, the required ICMPv6 types).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# These two are also part of the stock ruleset: they accept unsolicited IPsec
# (ESP and IKE on UDP/500) from wan into the LAN. If no LAN host terminates IPsec
# they serve no purpose and can be removed to reduce what wan can reach.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# vlan20 is isolated: the router rejects its input except for the DHCP/DNS rules
# right below, and it may only forward where a forwarding section allows.
config zone
	option name 'vlan20'
	option output 'ACCEPT'
	list network 'vlan20'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	list proto 'udp'
	option src 'vlan20'
	option dest_port '67'
	option target 'ACCEPT'
	option name 'Allow-VLAN20-DHCP'

# No proto given, so this matches both TCP and UDP 53 towards the router itself.
config rule
	option name 'Allow-VLAN20-DNS'
	option src 'vlan20'
	option dest_port '53'
	option target 'ACCEPT'

# Guest Wi-Fi zone, same isolation pattern as vlan20.
config zone
	option name 'wifiguest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guestwifi'

# Guests may only reach wan; there is deliberately no wifiguest -> wireguard forwarding.
config forwarding
	option src 'wifiguest'
	option dest 'wan'

config rule
	option name 'Allow-Guest-DHCP'
	list proto 'udp'
	option src 'wifiguest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-Guest-DNS'
	option src 'wifiguest'
	option dest_port '53'
	option target 'ACCEPT'

# Rules are evaluated in file order, so the two ACCEPTs above win for DHCP and
# DNS; this catch-all (no dest, so it applies to input) effectively restates the
# zone's input 'REJECT' for everything else.
config rule
	option name 'Deny-All-Proto-Guest'
	list proto 'all'
	option src 'wifiguest'
	option target 'REJECT'

# One-way access: LAN hosts may open connections into vlan20, not the reverse.
config rule
	option name 'Remote-Access-LAN-to-VLAN20'
	option src 'lan'
	option dest 'vlan20'
	option target 'ACCEPT'

# No 'list network' entry, so nothing is bound to this zone; it looks like a
# leftover from an earlier setup and is effectively inert.
config zone
	option name 'protonvpn'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

# Zone for the wg0 tunnel. masq '1' is needed because only 10.2.0.2/32 is held on
# the tunnel; LAN sources are NATed to it before entering the tunnel.
config zone
	option name 'wireguard'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'
	option masq '1'
	option mtu_fix '1'

# lan and vlan20 are each allowed to forward to BOTH wan and wireguard. These
# forwardings only permit; which egress a packet actually takes is decided by
# routing, and wg0 holds the default route (route_allowed_ips in /etc/config/network),
# so without policy routing everything goes through the tunnel.
config forwarding
	option src 'lan'
	option dest 'wireguard'

config forwarding
	option src 'vlan20'
	option dest 'wan'

config forwarding
	option src 'vlan20'
	option dest 'wireguard'

# Opens UDP/51820 on wan for inbound WireGuard handshakes. wg0 in /etc/config/network
# sets no listen_port and only dials out to the provider, so unless another service
# listens on 51820 this rule exposes a port nothing needs; it can be removed for a
# client-only tunnel.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

/etc/config/vpn-policy


# vpn-policy-routing main settings. strict_enforcement '1' means traffic matched by
# a policy is blocked, rather than leaking out another interface, while that policy's
# interface is down. The ignored_interface entry ('vpnserver wgserver', one
# space-separated value) appears to be the package default; neither name exists in
# this router's /etc/config/network, so it has no effect here.
config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option dest_ipset '1'
	option webui_chain_column '1'
	option enabled '1'
	option webui_enable_column '1'
	option webui_protocol_column '1'
	option resolver_ipset 'dnsmasq.ipset'

# Optional include files shipped with the package; both disabled.
config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

# Steer everything sourced from vlan20 out via wan, i.e. around the tunnel.
# src_addr is written with the router's host address (10.5.5.1/24); the /24 is what
# matters and presumably normalises to 10.5.5.0/24 when the rule is installed.
# There is deliberately no policy for 'lan': it falls through to the default route,
# which is wg0, and so stays on the VPN.
config policy
	option name 'vlan20'
	option interface 'wan'
	option src_addr '10.5.5.1/24'
	option proto 'all'

# Same for the guest Wi-Fi subnet.
config policy
	option interface 'wan'
	option name 'guestwifi'
	option src_addr '192.168.4.1/24'
	option proto 'all'

I would suggest keeping the default gateways and setting up the network(s) you want to use the VPN as follows:

Hope this helps.

That rule connected the networks that had no internet through WireGuard as well. But I only want to keep my LAN on WireGuard and take the other subnets off it.

Fixed!!!

I followed this post:
https://www.gastonotero.com/blog/creating-a-vpn-only-lan-in-openwrt
