I've been struggling to set up a VPN for my guest network for the past few days but haven't been successful yet. I would really appreciate it if you could help me resolve this issue.
Here is what I have done so far:
-
Added a wireless guest network according to this tutorial. If I forward the guest zone to wan, it works as expected.
-
Added a WireGuard interface and firewall zone for my WG client. I'm not sure what the best way of testing this is but when I run
# Restart services
/etc/init.d/log restart; /etc/init.d/network restart; sleep 10
# Log and status
logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
as instructed in this tutorial, the log says that the client is up.
I think what's missing right now is to use VPN PBR to define a policy for all this to work. What I have tried so far in LuCI is the following configuration:
- Local addresses: 192.168.41.1/24
- Protocol: TCP/UDP
- Chain: PREROUTING
- Interface: my WG interface
However, using this configuration, I can't connect to the internet on my guest network.
Should I modify the PBR policy or use any additional configuration to make this work?
i learned howto use policy routing on routerOS. There are some pretty decent Mikrotik RouterOS dual wan configs that would give you the iptables syntax required to make this work.
I know it does work because I did an openwrt load balancer using policy routing just the other day via LuCi.
From what I recall it was mark the packets, then there was another rule where you specify the routing gateway.
I've since wiped that config, so I can't even go back and re-read it for you. Basically you treat it exactly like a secondary WAN connection, so mwan3 might also help you do this.
1 Like
Thank you. I'm an OpenWrt noob and was trying to use the VPN PBR package to simplify this process.
This part of the README seems to be very close to what I'm looking for.
I think your suggestion requires a much deeper understanding of the subject, which I don't have at this point. Anyway, I'll keep looking to see if I can make sense of some of things you explained.
Thanks!
So from the very basics of what you're trying to do.
- Using an IPTables Rule match packets you want to exit the VPN and MARK them with an appropriate mark
- Using another IPTables rule where you match packets based on the MARK from above and send them to the apropriate routing table.
It's a complicated thing, but I think it can be done via the LuCi gui.
1 Like
I think the configuration example in this thread also does this exact thing. I haven't seen the VPN PBR Package before though, but it's likely doing the same thing.
2 Likes