Luci vpn-policy-routing to target single device

I'm trying to get my head around what vpn-policy-routing does and how to use it to target one device in my house to use my wireguard interface.

At the moment, I have a wireguard interface which when it is running means my whole network runs through the VPN.

When I have luci-vpn-policy-routing enabled, I see no change in behaviour, so presumably I need to set my network's default route some way? And then target the individual client to use my wg0?
How would I go about that?

Any help greatly appreciated!


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'
	option ula_prefix '<redacted>'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr ''
	option netmask ''
	option ip6assign '60'

config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1.20'
	option macaddr '<redacted>'

config interface 'wg0'
	option proto 'wireguard'
	option auto '0'
	option private_key '<redacted>'
	list addresses ''

config wireguard_wg0
	option description '<redacted>'
	option public_key '<redacted>'
	list allowed_ips ''
	option route_allowed_ips '1'
	option endpoint_host '<redacted>'
	option endpoint_port '51820'
	option persistent_keepalive '25'

Success! Finally, after doing some more reading, I have gotten my required behaviour.

The key was reading this page with more care: and specifically the default routing section.

It details the two things needed. Firstly, unticking "route allowed ips" from the interface. At this point, traffic all flowed through WAN. However, my rules VPN-Policy-Routing were not being routed to wg0.

The key was to add net.ipv4.conf.wg0.rp_filter = 2 in /etc/sysctl.conf

Once that was done, it all worked.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.