How to Keep VPN Routing Persistent After Reboot

Hi

I am trying to route traffic from specific clients on my OpenWRT router through a WireGuard VPN, while leaving the rest of the clients to use the default internet connection. The VPN connection is set up and working correctly, but if I reboot, the rules are not saved.

If I execute manually

ip rule del from all iif br-lan lookup vpn
ip rule add from 10.23.45.100/32 table vpn
ip route add default dev wg0 table vpn

Everything works fine: the client I add is routed through the VPN and the others are not, but after a reboot it does not work.

I have already tried adding the routing commands to the /etc/rc.local file and using a cronjob with the @reboot directive to make the rules persistent after reboot, but the changes do not persist after restarting the router.

Any suggestions on how to make these routing rules persistent after reboot?

Thanks in advance!

Use PBR:
https://openwrt.org/docs/guide-user/network/routing/pbr

Either the full PBR app or, if you have simple needs, netifd, e.g. see:

Or use e.g. this:

config route
	option interface 'wg_mullv_se'
	option table '102'
	option target '0.0.0.0/0'

config rule
	# for ip source:
	option src '192.168.30.0/24'
	# destination e.g. from all to dest
	option dest '25.52.71.40/32'
	# for interface
	#option in 'lan'
	# for proto
	option ipproto 'icmp'
	option lookup '102'


You can also use config rule and config route in /etc/config/network to set up multiple routing tables and rules for how they are used. PBR may be easier to understand but you're already using tables directly.


Thanks to everyone for the help. I tried the rules option without success, and before installing PBR (which is probably the best solution to scale the number of clients), I continued trying to run the commands at startup, since I already had everything configured and working, but it wouldn’t persist after a reboot.

I created this file, and for now, everything is working after a reboot.

root@OpenWrt:~# cat /etc/hotplug.d/iface/30-wgclients
#!/bin/sh
# Scripts in hotplug.d/iface run on every interface event; only act when the
# WireGuard device comes up, so the rules are not re-added on unrelated events.
[ "$ACTION" = "ifup" ] && [ "$DEVICE" = "wg0" ] || exit 0
# Drop the catch-all rule so only the listed client is sent to the vpn table
ip rule del from all iif br-lan lookup vpn 2>/dev/null
# Remove any existing copy first so repeated runs do not create duplicate rules
ip rule del from 10.23.45.100/32 table vpn 2>/dev/null
ip rule add from 10.23.45.100/32 table vpn
ip route replace default dev wg0 table vpn

The route:

uci add network route
uci set network.@route[-1].interface='wg'
uci set network.@route[-1].target='0.0.0.0/0'
uci set network.@route[-1].table='vpn'

wg is the UCI name of the interface, not the device.
The rule:

uci add network rule
uci set network.@rule[-1].src='10.23.45.100/32'
uci set network.@rule[-1].lookup='vpn'

The first rule looks weird because you are deleting some rule. So you can just omit creating it instead of deleting it at boot.
Finally, run: uci commit network; service network restart
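For reference, here is the complete netifd version the thread converges on, as an added example rather than code from any of the posts above: the default route in the vpn table, one rule per client that should use the tunnel, the rt_tables line a named table depends on, and a fallback rule so a client does not silently leak to the normal WAN when the tunnel is down. The interface name wg, the device wg0, the table name vpn and the first client address come from the thread; the table number 102, the second client address, the explicit priorities and the use of the netifd rule option action are assumptions to check on your own build.

```text
# /etc/iproute2/rt_tables
# 'table vpn' only resolves if the name is defined here (number 102 is assumed)
102 vpn

# /etc/config/network  (append to the existing file)
# Route: interface is the UCI interface name (wg), not the device (wg0)
config route
	option interface 'wg'
	option target '0.0.0.0/0'
	option table 'vpn'

# One rule per client that should use the VPN.
# Do not add "option in 'lan'" here: a rule with an input interface and no
# source is what produces the "from all iif br-lan lookup vpn" entry that the
# first post deletes by hand, and it would send every LAN client into the VPN.
config rule
	option src '10.23.45.100/32'
	option lookup 'vpn'
	option priority '100'

config rule
	option src '10.23.45.101/32'   # assumed second client
	option lookup 'vpn'
	option priority '100'

# Fallback (assumed netifd option): if wg is down, table vpn is empty and the
# lookup falls through; a lower-precedence rule stops the client from being
# routed over the plain WAN via the main table (priority 32766).
config rule
	option src '10.23.45.100/32'
	option action 'unreachable'
	option priority '110'
```

Apply it with uci commit network; service network restart (or ifup wg), then verify rather than trust it: ip rule show should list "from 10.23.45.100 lookup vpn" ahead of the main table entry, ip route show table vpn should show "default dev wg0", and ip route get <any public address> from 10.23.45.100 iif br-lan should answer with dev wg0 while the same query from another LAN address answers with the WAN device. If the action option is rejected on your version, the fallback rule is simply not created, and ip rule show will make that visible.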