Looking for a script that stops vpn policy routing with mwan3

mwan3 is running fine, I have a wan and a backup wwan (4G). When I stop interface wan then the wwan takes over. But I have to manually stop vpn-policy-routing.

What does the script look like that stops vpn-policy-routing when wan is down and starts it again when wan is up again? (Or even better, when the wan can't ping. I assume that the interface wan stays up in this case, so maybe I need a script with disconnected and connected instead of ifdown and ifup.)

I just wrote something down below.

# Hotplug fragment for /etc/hotplug.d/iface/: hotplug sources it with
# ACTION (ifup/ifdown) and INTERFACE set for the interface that changed.
if [ "${ACTION}" = "ifdown" ] && [ "${INTERFACE}" = "wan" ] ; then
    # wan went down: stop policy routing
    (/etc/init.d/vpn-policy-routing stop)
fi

if [ "${ACTION}" = "ifup" ] && [ "${INTERFACE}" = "wan" ] ; then
    # wan is back: let it settle, then start policy routing again
    (sleep 10 && /etc/init.d/vpn-policy-routing start)
fi

What is the point of running them both, when they serve the same purpose?
And what is the purpose of stopping vpn-pbr when there is only one interface and you'll send everything through that?


Hi @trendy,

I did read that before, so I think I do not understand completely how vpn-pbr is working.

How do I make vpn-pbr handle that when wan is down, it goes to the wwan?
(There is also a vpn (wireguard) connection active on all lan users.)



I have that in place, but this means in my case, that when the vpn is down it's going to WAN.
So you're saying if my wan goes down, it goes to the next interface available, in my case wwan?

wan/eth0.10/xx.xx.56.1 ✓
vpnclient/tun1/10.30.0.2
wwan/wlan0/192.168.0.1
wg0/10.2.0.2

It will go to the default gateway, whichever is active at that moment.

Ooh ok, that simple. So when my wan is down, my wwan is automatically my 'new' default gateway.

Never knew it was this simple :wink: thanks.

There is however still a little issue:

When wan is down it's going to wwan as the new default gateway and back when wan is up.
However my wireguard vpn is going from wan to wwan and that's ok, but it stays on wwan.

When I restart wwan it's fixed, but I need to do this manually.

Is there a rule in vpn-pbr for wireguard?

No, no rule, do I need to add a special rule?

Do you mean something like this, from the readme?

Local Wireguard Server + Wireguard Client (Scenario 2)

Yes, I’m aware that technically there are no clients nor servers in Wireguard, it’s all peers, but for the sake of README readability I will use the terminology similar to the OpenVPN Server + Client setups.

If the Wireguard client is not used as default routing and you create policies to selectively use the Wireguard client, make sure your settings are as follows (three dots on the line imply other options can be listed in the section as well). Make sure that the policy mentioned below is at the top of your policies list.

Relevant part of /etc/config/vpn-policy-routing:

config vpn-policy-routing 'config'
  list ignored_interface 'wgserver'
  ...
config policy
  option name 'Ignore Local Traffic'
  option interface 'ignore'
  option dest_addr '192.168.200.0/24'
  ...

I assume that the destination address is then the range of my Wireguard (10.2.0.0/24)

With the rule in place, I see that the wg0 interface restarts after I stop and start wan. But I still need to restart wwan to stop it from routing over it.

I think wireguard is adding a static route for the destination, something like:
XXX.XXX.XXX.XXX via 192.168.10.1 dev wlan0 proto static metric 20
which forces the tunneled traffic to go through that gateway. If the interface doesn't go down, it will remain there. So you'd need a rule in pbr to force OUTPUT traffic from the device towards that VPN server to use the wan, but to be able to switchover to wwan when wan is down.


Can I do something with a hotplug event?

Like:
When wan comes up / or already up but no connection do nothing, when wan comes up / or has a connection then restart wwan.

Or just when wan comes up, the wwan reloads after 10 seconds or so.

something like:

# Hotplug fragment: fires on every ifup, whatever interface triggered it
[ "${ACTION}" = "ifup" ] && {
    # cycle wwan in the background so hotplug is not blocked for 10 s
    ifdown wwan && sleep 10 && ifup wwan &
}

Only this hotplug script of course restarts wwan on all events, even on its own.
Can someone tell me how to do this for only wan?

Ok this seems to work, I don't make scripts normally, so tell me if it can be more solid than this.

/etc/hotplug.d/iface/90-wan-up

# Sourced by hotplug with ACTION and INTERFACE set; only react to wan coming up
if [ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ]; then
    # cycle wwan in the background so its stale routes are rebuilt
    ifdown wwan && sleep 10 && ifup wwan &
fi

wwan is the backup for wan, so if there is another event where wan reloads, it's not a problem that wwan reloads.

The only thing that I don't know: is wan in ifdown state automatically when there is no internet connection? It looks like it stays up with no internet connection (cable unplugged).

So the script should check if there is a live internet connection otherwise the vpn-pbr doesn’t pick another wan.

I started another thread for this, because it's a new issue.
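One way to act on mwan3's own connectivity verdict rather than the bare ifup/ifdown hotplug events, tying the 90-wan-up idea to the "wan stays up without internet" concern: this is an added example written for this thread, not the OP's script and not shipped by mwan3 or vpn-policy-routing. It assumes mwan3 runs /etc/mwan3.user with ACTION and INTERFACE set as its documentation describes, and that the interface names wan and wwan match this setup.

```shell
#!/bin/sh
# Added example for /etc/mwan3.user (assumed path: mwan3 runs this file on
# its own events). mwan3 sets ACTION to ifup/ifdown/connected/disconnected
# and INTERFACE to the interface concerned. "connected"/"disconnected" come
# from mwan3track's ping tests, so they fire even when wan stays "up" with
# the cable unplugged, which a plain ifup/ifdown hotplug script never sees.

WAN_IF="wan"        # primary interface tracked by mwan3 (assumed name)
BACKUP_IF="wwan"    # backup interface whose stale WireGuard route we flush
RESTART_DELAY=10    # seconds between ifdown and ifup of the backup

# Map an (action, interface) pair to one of:
#   restart-backup  wan is reachable again: cycle wwan so the WireGuard
#                   endpoint route is re-added via wan, not wwan
#   none            nothing to do (wan lost, other interfaces, bare ifup:
#                   an ifup without a passing ping test is not usable yet)
decide() {
    action="$1"
    iface="$2"
    if [ "$iface" != "$WAN_IF" ]; then
        echo none
        return 0
    fi
    case "$action" in
        connected) echo restart-backup ;;
        *)         echo none ;;
    esac
}

# Cycle the backup interface; called in the background so mwan3 is not blocked.
restart_backup() {
    logger -t mwan3.user "$WAN_IF connected, restarting $BACKUP_IF"
    ifdown "$BACKUP_IF" && sleep "$RESTART_DELAY" && ifup "$BACKUP_IF"
}

# Only act when mwan3 invoked us (ACTION/INTERFACE set) on a box that has
# ifup; sourcing the file elsewhere just defines the functions above.
if [ -n "$ACTION" ] && [ -n "$INTERFACE" ] && command -v ifup >/dev/null 2>&1; then
    case "$(decide "$ACTION" "$INTERFACE")" in
        restart-backup) restart_backup & ;;
    esac
fi
```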