How to set up Wireguard VPN on a single port with Policy-Based Routing?

Hi,

I'm a new OpenWrt user and I want to use a Wireguard client on port 4, while ports 1, 2, and 3 should be dedicated to regular internet usage.

Here's my current configuration:

root@OpenWrt:~# uci export network
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9b:3636:204e::/48'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.96.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

config device
        option name 'eth0.2'
        option type '8021q'
        option ifname 'eth0'
        option vid '2'
        option macaddr '10:6F:3F:0C:14:A4'
        option mtu '1500'

config interface 'lan4'
        option proto 'static'
        option device 'eth0.2'
        option ipaddr '192.168.97.1'
        option netmask '255.255.255.0'

config interface 'wg'
        option proto 'wireguard'
        option force_link '1'
        option private_key 'xxxxx'
        list addresses '10.14.0.2/16'

config wireguard_wg
        option public_key 'xxxxx'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host 'sg-sng.prod.surfshark.com'
        option endpoint_port '51820'

After that, I applied Policy-Based Routing (PBR) to direct traffic through port 4 as shown in the screenshots.

Everything is working; however, there is an issue when clients connect to ports 1, 2, and 3 for internet usage. When they try to watch YouTube videos, the loading is very slow, taking about 1 to 2 minutes for the video to start playing. Additionally, if they need to use VPN services on Windows by installing software like Surfshark, Mullvad, etc., they are unable to do so.

Please help me fix this issue. Thank you!

Your default gateway is set to the VPN. You'll want that to be the WAN. Read the README section on the PBR status page.

Commercial VPNs normally don't require the client to have 'route allowed IPs' enabled.


Usually commercial VPNs (and other VPNs) need route allowed IPs enabled, but indeed not in this case, where you are using PBR and want the default route via the WAN.

So if you disable Route allowed IPs and remove the no_vpn rule from PBR, you should be good, as all traffic will use the WAN except the traffic from 192.168.97.1/24.

You might also want to add option persistent_keepalive '25' to the WG peer, so that the end result will be:


Thank you, it's working now. However, there is still an issue with DNS.

When I connect to ports 1, 2, 3, and 4, they all return DNS results that do not correspond to the DNS of that country.

Port 4 with VPN Wireguard USA:

Port 1,2,3 without VPN:

Assuming you have the normal setup using DNSMasq, all your clients use DNSMasq, DNSMasq sits on the router, and the router is using the WAN.

You did not specify a DNS server on your WAN, so the WAN automatically gets its DNS server from the ISP.

Most users do not want the ISP DNS servers. In that case, on the WAN interface > Advanced settings, uncheck "Use DNS servers advertised by peer" and add DNS servers under "Custom DNS servers", e.g. 9.9.9.9 and 1.0.0.1.
See the last three options on my wan interface:

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.0.0.1'
	list dns '9.9.9.9'

Now you still have all clients using these DNS servers, which are routed via the WAN. If you want split DNS, e.g. each client uses a DNS server which is routed according to the client, then see DNS option 6 at:

You probably have an interface lan4 in /etc/config/dhcp (e.g. config dhcp 'lan4')?
If so, under that interface add: `list dhcp_option '6,9.9.9.9,1.0.0.1'`
This should add those DNS servers to all clients of that subnet, and those clients will then automatically route those DNS servers via their own route, in this case via the VPN.
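The fixes discussed in this thread (route_allowed_ips, persistent_keepalive, peerdns with custom dns, and dhcp_option 6 on lan4), gathered into a small lint of a `uci export` dump. This is an added example, not code from the thread or from the PBR package; the sample dump is constructed from the poster's config with placeholder values.

```python
import re
# Constructed sample: the poster's network export (trimmed) plus a constructed
# dhcp package for lan4; keys are OpenWrt's, values are placeholders.
SAMPLE = """\
package network
config interface 'wan'
        option proto 'dhcp'
config wireguard_wg
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
package dhcp
config dhcp 'lan4'
        option interface 'lan4'
"""

LINE = re.compile(r"^\s*(package|config|option|list)\s+(\S+)(?:\s+'([^']*)')?")

def parse_uci(text):
    """Split a uci export into sections: package, type, name, options, lists."""
    sections, pkg = [], None
    for m in filter(None, map(LINE.match, text.splitlines())):
        kind, key, val = m.groups()
        if kind == "package":
            pkg = key
        elif kind == "config":
            sections.append({"pkg": pkg, "type": key, "name": val,
                             "opt": {}, "list": {}})
        elif kind == "option":
            sections[-1]["opt"][key] = val
        else:  # list
            sections[-1]["list"].setdefault(key, []).append(val)
    return sections

def lint(text):
    """Findings for a setup where PBR, not the tunnel, should choose the route."""
    out = []
    for s in parse_uci(text):
        if s["type"].startswith("wireguard_"):  # the WireGuard peer section
            if s["opt"].get("route_allowed_ips") == "1":
                out.append("peer: route_allowed_ips '1' makes the VPN the default gateway; set '0'")
            if "persistent_keepalive" not in s["opt"]:
                out.append("peer: add option persistent_keepalive '25'")
        elif s["pkg"] == "network" and s["name"] == "wan":
            if s["opt"].get("peerdns") != "0" or not s["list"].get("dns"):
                out.append("wan: ISP DNS in use; set peerdns '0' and add list dns entries")
        elif s["pkg"] == "dhcp" and s["name"] == "lan4":
            if not any(o.startswith("6,") for o in s["list"].get("dhcp_option", [])):
                out.append("dhcp lan4: add list dhcp_option '6,<dns1>,<dns2>' so VPN clients resolve via the tunnel")
    return out
```

Run `lint(open("/tmp/export.txt").read())` against the output of `uci export network; uci export dhcp` to see which of the thread's four fixes are still missing.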


Thank you so much, I have learned a lot from you.
