How to force all network traffic through Wireguard VPN

I tried the link below, but couldn't get it to work.

I have recently set up unbound with pihole on a network machine (for DNS and ad blocking), and am using it with my OpenWRT router that runs a Wireguard VPN. My intention is to have all network traffic going through the VPN. All seems to be working as intended. When I do DNS leak tests in a browser, it only shows me the address of the server I am connected to. So far so good.

Then one day, while browsing through the LuCI interface under Status --> Realtime Graphs --> Connections, I noticed that some of the devices on the network are contacting servers directly, without going through the VPN.

For example, the machine with unbound/pihole sends a lot of packets to 83.227.86.4, which I understand is related to DNS. Why is this traffic not going through the VPN tunnel?

Could I have a faulty firewall setup? I have a kill switch: I have edited my lan firewall zone to remove wan from the "allow forward to destination zones" list.

My firewall file is here, and the screenshot is attached.

Anyone have any suggestions on how I can get all traffic to go only through the VPN?

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wg0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'WG_firewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'WG_firewall'

wg0 belongs to both the wan and WG_firewall zones.


If the WG connection is configured properly, it all should go through the tunnel. But I do see an issue here:

You must remove wg0 from the wan zone. It is already....

And it looks like @trendy beat me to it!

If this advice doesn't fix the problem, please also post your network config file (redact the keys and any other sensitive info).
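As an added example (not from this thread and not OpenWrt project code), the following POSIX shell script audits a UCI firewall file for the two things raised in these replies: an interface listed in more than one zone (wg0 here) and a forwarding section that would still let lan reach the zone holding the real WAN interface, which is what the "kill switch" depends on. The embedded sample is a trimmed, constructed copy of the config posted above; the `uci del_list` command in the comment assumes the default zone order in which `@zone[1]` is the wan zone.

```shell
#!/bin/sh
# Added example, not from the thread: audit /etc/config/firewall for a network that is
# a member of more than one zone and for a lan -> wan forwarding that defeats the kill switch.
# Every function reads UCI text on stdin, so on a router you can run e.g.
#   networks_in_multiple_zones < /etc/config/firewall

# Constructed sample: the relevant sections of the posted config, wg0 still in two zones.
sample_firewall() {
	cat <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wg0'
	option masq '1'

config zone
	option name 'WG_firewall'
	list network 'wg0'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'WG_firewall'
EOF
}

# Print "network zone" for every 'list network' entry of every 'config zone' section.
zone_memberships() {
	awk -v q="'" '
	function flush(  n) { if (sect == "zone") for (n in nets) print n, zname
	                      for (n in nets) delete nets[n]; zname = ""; sect = "" }
	/^config / { flush(); sect = $2 }
	$1 == "option" && $2 == "name"    { v = $3; gsub(q, "", v); zname = v }
	$1 == "list"   && $2 == "network" { v = $3; gsub(q, "", v); nets[v] = 1 }
	END { flush() }'
}

# Networks that appear in more than one zone. fw3/fw4 do not support this, so which
# zone policy (masquerade, forwarding) applies to the interface is undefined.
networks_in_multiple_zones() {
	zone_memberships | awk '{ z[$1] = z[$1] " " $2; c[$1]++ }
	                        END { for (n in c) if (c[n] > 1) print n ":" z[n] }'
}

# Print "src dest" for every 'config forwarding' section (the LuCI "allow forward to" list).
forwarding_pairs() {
	awk -v q="'" '
	function flush() { if (sect == "forwarding" && src != "" && dst != "") print src, dst
	                   sect = ""; src = ""; dst = "" }
	/^config / { flush(); sect = $2 }
	$1 == "option" && $2 == "src"  { v = $3; gsub(q, "", v); src = v }
	$1 == "option" && $2 == "dest" { v = $3; gsub(q, "", v); dst = v }
	END { flush() }'
}

# Kill switch check: $1 = LAN zone, $2 = zone holding the real WAN interface.
# Returns 1 if a forwarding $1 -> $2 exists, because then LAN can bypass the tunnel.
kill_switch_ok() {
	if forwarding_pairs | grep -q "^$1 $2\$"; then
		echo "FAIL: forwarding $1 -> $2 exists, LAN traffic can bypass the tunnel"
		return 1
	fi
	echo "OK: no $1 -> $2 forwarding"
}

# Drop 'list network $2' from zone $1. Assumes 'option name' precedes the list entries,
# as uci export writes them. On a real router the equivalent is:
#   uci del_list firewall.@zone[1].network='wg0'; uci commit firewall; /etc/init.d/firewall restart
remove_network_from_zone() {
	awk -v q="'" -v zone="$1" -v net="$2" '
	/^config / { sect = $2; zname = "" }
	$1 == "option" && $2 == "name" { v = $3; gsub(q, "", v); zname = v }
	$1 == "list" && $2 == "network" && sect == "zone" && zname == zone {
		v = $3; gsub(q, "", v); if (v == net) next }
	{ print }'
}

# Stand-alone run against the constructed sample.
audit() {
	echo "networks in more than one zone:"; sample_firewall | networks_in_multiple_zones
	sample_firewall | kill_switch_ok lan wan
	echo "after removing wg0 from wan:"
	sample_firewall | remove_network_from_zone wan wg0 | networks_in_multiple_zones | grep . || echo "  none"
}
audit
```

Against the posted config the audit reports `wg0: wan WG_firewall` and, after the removal, nothing; the forwarding list contains only `lan WG_firewall`, so the kill switch itself is intact. A quick one-liner for the membership check on the router is `uci show firewall | grep '\.network='`, which prints each zone's network list on one line.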

Why do you think it's not going through the VPN tunnel? Packets still have an end destination to go to, even after passing through the VPN tunnel.


That doesn't mean that. The connection is something that has been NATed, which is based on the final destination IP, not the intermediate route, which may be via VPN or direct via ISP. If your default route is via VPN, all Internet usage would be via VPN.

So glad that you will continue to troll all the wireguard posts... nice to see you put in effort to have zero actual useful contribution in such threads.


Thank you everyone for your comments.

I deleted the

list network 'wg0'

from the wan firewall setup. After the change, the screenshot below is a snapshot of the connections:

The very first item on the list is the wg0 connection.

What concerns me is that there are lines underlined in pink. Do these connections mean some of my traffic is going outside of the VPN? If not, what do they mean?

My thinking is if everything is going through the VPN, I shouldn't see anything in the connections except the first line above. Is my thinking correct on this?

In case it will help, the command wg show gives me the output below.

interface: wg0
  public key: xxxxxxx=
  private key: (hidden)
  listening port: 57630

peer: xxxxxxxxxx=
  endpoint: xxx.xxx.xxx.xxx:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 2 seconds ago
  transfer: 69.03 MiB received, 18.57 MiB sent
  persistent keepalive: every 25 seconds

Thanks

Again, anything that is forwarded through your router goes into that list, regardless of whether it was routed through the VPN or the regular WAN.

Your routing table in OpenWrt should show an exception /32 route for the VPN server going to the regular WAN interface. The default for everything else is the VPN tunnel interface.

On a laptop, run a traceroute to those IPs. You should see it going through the VPN, except the first one goes by the ISP as it must.

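As an added example (not from this thread and not OpenWrt project code), here is a POSIX shell check for the routing-table conditions described in the reply above: the default route points at the tunnel interface, the VPN server has a host route pinned to the real WAN interface (the `/32` exception; `ip route` prints host routes without the `/32` suffix), and no other gatewayed route leaves via the WAN interface. The two embedded routing tables are constructed, as are the interface name `eth0.2`, the endpoint `203.0.113.10` and the addresses; on a router you would feed the real table with `ip route | check_vpn_routing eth0.2 <endpoint> wg0`.

```shell
#!/bin/sh
# Added example, not from the thread: verify the routing table of a WireGuard
# "everything through the tunnel" setup. Reads `ip route` output on stdin.

# Constructed table for a healthy setup: wg0 carries the default route and only the
# VPN endpoint 203.0.113.10 is reached via the ISP gateway 198.51.100.1 on eth0.2.
sample_routes_good() {
	cat <<'EOF'
default dev wg0 scope link
10.66.66.0/24 dev wg0 proto kernel scope link src 10.66.66.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
198.51.100.0/24 dev eth0.2 proto kernel scope link src 198.51.100.23
203.0.113.10 via 198.51.100.1 dev eth0.2
EOF
}

# Constructed table after the tunnel went down and the WAN default route came back.
# Every connection now leaves via the ISP; the connections graph alone cannot show this.
sample_routes_tunnel_down() {
	cat <<'EOF'
default via 198.51.100.1 dev eth0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
198.51.100.0/24 dev eth0.2 proto kernel scope link src 198.51.100.23
EOF
}

# $1 = WAN device, $2 = VPN endpoint address, $3 = tunnel device.
# Prints findings; exit status is 0 only when all three conditions hold.
check_vpn_routing() {
	awk -v wan="$1" -v ep="$2" -v tun="$3" '
	{ dev = ""; via = ""
	  for (i = 2; i <= NF; i++) { if ($i == "dev") dev = $(i + 1); if ($i == "via") via = $(i + 1) } }
	$1 == "default"         { defdev = dev; next }
	$1 == ep && dev == wan  { pinned = 1; next }
	dev == wan && via != "" { leaks = leaks " " $1 }   # gatewayed destinations leaving via the WAN
	END {
	  if (defdev != tun) { print "FAIL: default route is via " (defdev == "" ? "(none)" : defdev) ", not " tun; bad = 1 }
	  if (!pinned)       { print "FAIL: no host route for endpoint " ep " via " wan " (tunnel cannot be reached)"; bad = 1 }
	  if (leaks != "")   { print "FAIL: other destinations routed via " wan ":" leaks; bad = 1 }
	  if (!bad)          print "OK: default via " tun ", only " ep " pinned to " wan
	  exit bad
	}'
}

# Stand-alone run against both constructed tables.
sample_routes_good | check_vpn_routing eth0.2 203.0.113.10 wg0
sample_routes_tunnel_down | check_vpn_routing eth0.2 203.0.113.10 wg0 || echo "(expected failures for the broken table)"
```

The first table passes; the second reports two failures, which is the state a kill switch has to cover: with lan -> wan forwarding removed, the router drops that traffic instead of sending it via the ISP. The traceroute test from the reply complements this from the client side: every hop after the first should be inside the provider's network, not your ISP's.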

It means the final destination of the connection is that IP address. It has nothing to do with how it gets there.

No.
