Implementing Policy-Based Routing for Tailscale and WireGuard on OpenWRT

AHthishurts · June 11, 2023, 6:00am

Hello OpenWRT community,

I am currently trying to set up policy-based routing on my OpenWRT device to allow Tailscale and WireGuard to coexist. I've been following this guide which is quite helpful, but it's written for a Linux system and I'm having trouble translating the iptables commands to OpenWRT's firewall rules.

Here's a brief summary of what I'm trying to achieve:

I have both Tailscale and WireGuard (proto, utils, etc) installed on my OpenWRT device. Both are up and running.
I want to set up policy-based routing so that traffic from certain IP addresses or subnets goes through the Tailscale interface, while all other traffic goes through the WireGuard interface.
The guide I'm following uses iptables to mark packets and set up routing rules based on these marks. I understand that OpenWRT uses a different system for managing firewall rules, and I'm not sure how to translate these iptables commands to OpenWRT.

I would appreciate any advice or guidance on how to achieve this. Specifically, I have a few questions:

How can I translate the iptables commands used in the guide to OpenWRT's firewall rules? Are there any tools or scripts available that can help with this?
Are there any specific considerations or potential issues I should be aware of when setting up policy-based routing on OpenWRT, especially with Tailscale and WireGuard?
Is there a way to test or debug the routing rules once they're set up, to ensure that traffic is being routed correctly?

Thank you in advance for your help!

egc · June 11, 2023, 7:04am

Instead of iptables you can use ip rule

Let's say you have made a table 11 using tailscale and you have a client 192.168.1.11 which you want to use this table then:
ip rule add from 192.168.1.11/32 table 11

You can use CIDR notation to group the clients.

This is simple and fast.

There is also an OpenWRT PBR package which you might have a look at:

Testing can be done wit ping and traceroute (tracert from Windows)

kinhsman · September 16, 2023, 7:17pm

The PBR package does not work for tailscale traffic, it only works for wireguard traffic

stangri · September 17, 2023, 3:02am

I was under impression that pbr works for tailscale just as well as wireguard.

kinhsman · September 18, 2023, 3:31am

Well, the problem is tailscale table priority (5270) is always lower value than the PBR tables(30000-30001), so it always get prioritized before it even hit the PBR decision:

root@LAM_BUT:~# ip rule show
0:      from all lookup local
5210:   from all fwmark 0x80000/0xff0000 lookup main
5230:   from all fwmark 0x80000/0xff0000 lookup default
5250:   from all fwmark 0x80000/0xff0000 unreachable
5270:   from all lookup 52
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wanb
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_tailscale
32766:  from all lookup main
32767:  from all lookup default
root@LAM_BUT:~#

The only way to make it work is to change the priority to be higher value than the BPR tables, however this change is not persistent and you will have to do it everytime you reboot the OpenWRT router.

vgaetera · September 18, 2023, 4:23am

It is best for someone who actively uses Tailscale to report an issue against the respective package asking to add a UCI option for disabling its built-in PBR, meanwhile here's a workaround:
https://openwrt.org/docs/guide-user/network/routing/pbr_app#support_tailscale

stangri · September 18, 2023, 8:04pm

I wanted to post about wan_ip_rules_priority setting for pbr, but @vgaetera beat me to it.

I've also realized the setting description was missing from the pbr README, so I've recently added it there.

kzaoaai · September 18, 2023, 9:08pm

I'm guessing this will only work if --exit-node=<exit-node-ip> is active?

MatteoDXB · October 1, 2023, 3:58am

Is this change persistent?

I would like to reach a similar goal, having a sub-class of IP dedicated to Wiregard and another to Tailscale, in order to have 3 different wifi, so that I can control better the traffic with PBR:
ISP - 192.168.1.1/24
Wireguard - 192.168.2.1/24
Tailscale - 192.168.3.1/24

By creating a bridge that includes the wifi and then assign the bridge to the interface I could do for wireguard, but due to the issue above, there was no way to make it work with Tailscale.

AHthishurts · October 12, 2023, 5:37am

Did you find a solution?

MatteoDXB · October 13, 2023, 5:11pm

Nope, even by using the workaround suggested, for me does not work.

I wrote to the Tailscale tech support linking this specific thread and asking if they can support in adding option to remove the PBR.

They have been SUPER kind and told me that, despite they can't guarantee, they will check into it.

kzaoaai · October 13, 2023, 5:45pm

Please keep us posted! My intended use case is almost identical to yours.

AHthishurts · October 16, 2023, 3:28am

I have no idea if this will help you, but I found a solution that worked for me. If this is wrong in some security way please let me know lol

Can someone correct my PBR? Tailscale

kzaoaai · October 20, 2023, 5:18am

Not necessarily wrong, but it achieves a different goal.

MatteoDXB · October 22, 2023, 9:42am

The only working solution I identified so far is to have a dedicated router for tailscale and another for all the rest. When the tailscale network is needed the tailscale wifi is selected.