I'm on the learning curve with OpenWrt, and my next step is wanting to have a WireGuard connection, and what I believe is PBR so that I can select a few devices to use the interface, not everything, and also a few websites to go via the interface as well.
I found this article that's shown me how to get the details needed, but from what I see it would end up with everything going out via WireGuard, which isn't what I want. At what point can I stop the guide and end up with a connected WireGuard but without routing anything through it?
Once I have that bit set up I will look into the PBR setup.
Cheers people and happy 2026.
egc
January 1, 2026, 1:47pm
2
How I setup WireGuard:
WireGuard Client Setup Guide
You should be able to simply import the WireGuard config you have made at Surfshark's website.
Do not enable Route Allowed IPs and there will not be a default route via the VPN, and then you can use PBR to route whatever you want via the WG VPN.
This can be done with the PBR app:
Or manually:
OpenWRT Policy Based Routing (PBR)
Thank you @egc, that's helped. I now have a WireGuard interface set up; nothing's using it yet as I'll leave PBR for another day.
Config saved in case I mess the next bit up.
Murder mystery evening with the wife, and a few games of Moving Out on the Switch with the kids calling for the night ahead... so until tomorrow, thank you kindly.
Right then, I think I've got the WireGuard interface running, and my 2 required devices using it via PBR. Can someone check the outputs for me and tell me if anything looks wrong? It appears to be working, but when I'm running the torrent checker the first few IPs are Surfshark, so it's working, but then it reverts to my actual IP?
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '0004d8c535fcfbc348aab12644297716798c'
	option ula_prefix 'fd30:441f:decd::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.1/24'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg_surfshark_uk'
	option proto 'wireguard'
	option private_key '****************************************************************='
	list addresses '10.14.0.2/16'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config wireguard_wg_surfshark_uk
	option description 'openwrt wireguard config.conf'
	option public_key '*****************************************************************='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'uk-gla.prod.surfshark.com'
	option endpoint_port '51820'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wg_surfshark_uk'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Plex'
	list proto 'tcp'
	option src 'wan'
	option src_dport '32400'
	option dest_ip '192.168.1.6'
	option dest_port '32400'
pbr.config=pbr
pbr.config.enabled='1'
pbr.config.fw_mask='00ff0000'
pbr.config.ignored_interface='vpnserver'
pbr.config.ipv6_enabled='0'
pbr.config.lan_device='br-lan'
pbr.config.nft_rule_counter='0'
pbr.config.nft_set_auto_merge='1'
pbr.config.nft_set_counter='0'
pbr.config.nft_set_flags_interval='1'
pbr.config.nft_set_flags_timeout='0'
pbr.config.nft_set_policy='performance'
pbr.config.nft_user_set_counter='0'
pbr.config.procd_boot_trigger_delay='5000'
pbr.config.procd_reload_delay='0'
pbr.config.resolver_instance='*'
pbr.config.resolver_set='dnsmasq.nftset'
pbr.config.strict_enforcement='1'
pbr.config.uplink_interface='wan'
pbr.config.uplink_interface6='wan6'
pbr.config.uplink_ip_rules_priority='30000'
pbr.config.uplink_mark='00010000'
pbr.config.verbosity='2'
pbr.config.webui_supported_protocol='all' 'tcp' 'udp' 'tcp udp' 'icmp'
pbr.config.config_compat='19'
pbr.config.config_version='1.2.1-r41'
pbr.@include[0]=include
pbr.@include[0].path='/usr/share/pbr/pbr.user.dnsprefetch'
pbr.@include[0].enabled='0'
pbr.@include[1]=include
pbr.@include[1].path='/usr/share/pbr/pbr.user.aws'
pbr.@include[1].enabled='0'
pbr.@include[2]=include
pbr.@include[2].path='/usr/share/pbr/pbr.user.netflix'
pbr.@include[2].enabled='0'
pbr.@dns_policy[0]=dns_policy
pbr.@dns_policy[0].name='Redirect Local IP DNS'
pbr.@dns_policy[0].src_addr='192.168.1.5'
pbr.@dns_policy[0].dest_dns='192.168.1.1'
pbr.@dns_policy[0].enabled='0'
pbr.@dns_policy[0].dest_dns_port='53'
pbr.@policy[0]=policy
pbr.@policy[0].name='Synology DSM'
pbr.@policy[0].src_addr='00:11:32:E5:BE:FF'
pbr.@policy[0].interface='wg_surfshark_uk'
pbr.@policy[1]=policy
pbr.@policy[1].name='FireTV'
pbr.@policy[1].src_addr='FC:E9:D8:F5:64:97'
pbr.@policy[1].interface='wg_surfshark_uk'
pbr.@policy[2]=policy
pbr.@policy[2].name='Ignore Local Requests'
pbr.@policy[2].interface='ignore'
pbr.@policy[2].dest_addr='10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
pbr.@policy[2].enabled='0'
pbr.@policy[3]=policy
pbr.@policy[3].name='Plex/Emby Local Server'
pbr.@policy[3].interface='wan'
pbr.@policy[3].src_port='8096 8920 32400'
pbr.@policy[3].enabled='0'
pbr.@policy[4]=policy
pbr.@policy[4].name='Plex/Emby Remote Servers'
pbr.@policy[4].interface='wan'
pbr.@policy[4].dest_addr='plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
pbr.@policy[4].enabled='0'
egc
January 3, 2026, 3:53pm
8
You can test from your local client, e.g. your Synology NAS, by surfing to ipleak.net.
If you have an IPv6 leak, add to the WireGuard peer:
Thebroughfamily:
list allowed_ips '::0/0'
For a DNS leak you can use a DNS policy.
Otherwise I do not see any glaring omissions.
It's just strange how the Synology starts showing non-WireGuard IP addresses in the torrent checker?
egc
January 3, 2026, 4:02pm
10
Add keepalive to the WireGuard peer so that it should always be up.
Then reboot and check from the router's console with
wg show
that you are connected, e.g. have a handshake and bidirectional traffic.
If that works then check your MAC address; your NAS can use a random MAC.
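Pulling egc's three points together (no Route Allowed IPs, `::/0` added to the peer's allowed IPs so an IPv6-capable client cannot bypass the tunnel, and a persistent keepalive), here is an added example of what the relevant parts of `/etc/config/network` and `/etc/config/pbr` look like. It is not the thread's config nor egc's guide: the interface name, tunnel address, DNS servers and endpoint are carried over from the thread as placeholders, both keys are redacted, and the two PBR policies reuse the device MACs posted above only to show the shape of a per-device policy.

```uci
# /etc/config/network -- WireGuard interface and peer (added example)

config interface 'wg_surfshark_uk'
	option proto 'wireguard'
	option private_key '<REDACTED_PRIVATE_KEY>'
	list addresses '10.14.0.2/16'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config wireguard_wg_surfshark_uk
	option description 'Surfshark UK peer'
	option public_key '<REDACTED_PEER_PUBLIC_KEY>'
	option endpoint_host 'uk-gla.prod.surfshark.com'
	option endpoint_port '51820'
	# Both address families: without '::/0' a client with a global IPv6
	# address reaches v6 sites over the ISP link, which is the leak egc and
	# mk24 describe.
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	# Keep the session alive through NAT idle timeouts so the tunnel does
	# not silently go stale between PBR'd flows.
	option persistent_keepalive '25'
	# Deliberately NOT set: option route_allowed_ips '1'
	# Without it no default route is installed via the tunnel, so only
	# traffic matched by a PBR policy uses it.

# /etc/config/pbr -- per-device policies (added example)

config policy
	option name 'Synology DSM'
	option src_addr '00:11:32:E5:BE:FF'
	option interface 'wg_surfshark_uk'

config policy
	option name 'FireTV'
	option src_addr 'FC:E9:D8:F5:64:97'
	option interface 'wg_surfshark_uk'
```

Two caveats worth keeping in mind with this layout. First, the interface still has to sit in a firewall zone with masquerading (the thread's config puts `wg_surfshark_uk` in the `wan` zone with `masq '1'`, which is what makes the NAS's private source address usable inside the tunnel). Second, the thread's `pbr.config.strict_enforcement='1'` is what turns these policies into a kill switch: when `wg_surfshark_uk` is down, PBR drops the matched devices' traffic rather than letting it fall back to the WAN, so a stale tunnel shows up as "no connectivity" on those devices, not as a leak.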
  endpoint: 185.108.105.141:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 38 seconds ago
  transfer: 63.46 MiB received, 2.79 MiB sent
  persistent keepalive: every 25 seconds
That bit correct now then?
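The check egc describes (a recent handshake plus traffic in both directions) can be scripted so it is not read by eye each time. The script below is an added example, not from the thread or from OpenWrt: it is POSIX sh plus awk (BusyBox-compatible) and parses the output of `wg show` for one peer. The `SAMPLE_WG_SHOW` and `SAMPLE_WG_STALE` strings are constructed from the output posted above so the script runs offline; on the router you would pipe the real command in instead. `MAX_AGE` (180 s, a little over the WireGuard default of a 120 s rekey window plus jitter) is an assumed threshold, not a WireGuard constant.

```shell
#!/bin/sh
# Added example: verify a WireGuard peer is actually up from `wg show` output.
# On the router:  wg show | wg_check_peer
# Exit 0 = fresh handshake and bidirectional traffic; exit 1 otherwise.

MAX_AGE=${MAX_AGE:-180}   # seconds; assumed threshold for a "fresh" handshake

wg_check_peer() {
    awk -v max_age="$MAX_AGE" '
    # Turn "latest handshake: 1 minute, 38 seconds ago" into seconds.
    /latest handshake:/ {
        age = 0
        for (i = 1; i <= NF; i++) {
            if ($(i+1) ~ /^day/)    age += $i * 86400
            if ($(i+1) ~ /^hour/)   age += $i * 3600
            if ($(i+1) ~ /^minute/) age += $i * 60
            if ($(i+1) ~ /^second/) age += $i
        }
        seen_hs = 1
    }
    # "transfer: 63.46 MiB received, 2.79 MiB sent"
    /transfer:/ {
        rx = tobytes($2, $3); tx = tobytes($5, $6)
        rxs = $2 " " $3;      txs = $5 " " $6
    }
    function tobytes(n, unit,   m) {
        m = 1
        if (unit ~ /^KiB/) m = 1024
        if (unit ~ /^MiB/) m = 1024 * 1024
        if (unit ~ /^GiB/) m = 1024 * 1024 * 1024
        return n * m
    }
    END {
        # wg show prints no "latest handshake" line at all until one completes
        if (!seen_hs)           { print "FAIL: no handshake yet"; exit 1 }
        if (age > max_age)      { print "FAIL: last handshake " age "s ago"; exit 1 }
        if (rx == 0 || tx == 0) { print "FAIL: traffic not bidirectional"; exit 1 }
        print "OK: handshake " age "s ago, rx " rxs ", tx " txs
        exit 0
    }'
}

# Constructed sample, modelled on the output posted in the thread.
SAMPLE_WG_SHOW='interface: wg_surfshark_uk
  public key: <REDACTED_INTERFACE_PUBLIC_KEY>
  private key: (hidden)
  listening port: 51820

peer: <REDACTED_PEER_PUBLIC_KEY>
  endpoint: 185.108.105.141:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 38 seconds ago
  transfer: 63.46 MiB received, 2.79 MiB sent
  persistent keepalive: every 25 seconds'

# Constructed sample of a tunnel that has gone stale (what a silent
# fallback to the WAN looks like from the router side).
SAMPLE_WG_STALE='peer: <REDACTED_PEER_PUBLIC_KEY>
  endpoint: 185.108.105.141:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 2 hours, 5 minutes ago
  transfer: 63.46 MiB received, 2.79 MiB sent
  persistent keepalive: every 25 seconds'

# Demo run against the healthy sample; prints "OK: handshake 98s ago, ..."
printf '%s\n' "$SAMPLE_WG_SHOW" | wg_check_peer
```

Run it from cron or a watchdog script and act on the exit code (log, alert, or restart the interface with `ifup wg_surfshark_uk`). Note the first check: a peer with a configured endpoint but no handshake yet prints no `latest handshake` line at all, so "missing line" has to count as a failure rather than as zero seconds.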
Still does the same so I can't trust it; will turn it off for now and try another day...
I notice on the PBR section it mentions "internal version mismatch":
luci-app-pbr-1.2.0-r2 noarch {feeds/luci/feeds/luci/applications/luci-app-pbr} (AGPL-3.0-or-later) [installed]
pbr-1.2.1-r41 noarch {feeds/packages/feeds/packages/net/pbr} (AGPL-3.0-or-later) [installed]
So I wonder if that's the issue?
mk24
January 3, 2026, 7:54pm
13
Surfshark does not support IPv6 inside the tunnel (i.e. any Internet connection via Surfshark is v4 only), so you need to disable IPv6 on the whole LAN, or at least on all LAN machines that will be using the VPN, so they do not use your direct IPv6 connection. That would use your real ISP v6 address to the destination site, thus it is a leak.
Kept tinkering to try and fix it, ended up nuking the lot and having to restore from backup.
Will have another go tomorrow maybe.
I will remember that for my next attempt; the Synology has IPv6 turned off as I need a static address for file hosting.
egc
January 5, 2026, 2:05pm
16
Not sure, it was not when using opkg, but apk is much more picky (I do not know which you are using).
You can upgrade luci-app-pbr from Stan's:
If you are using apk (version 25.12 and Master) then you can upgrade with:
echo 'https://apk.openwrt.melmac.ca/packages.adb' >> /etc/apk/repositories.d/customfeeds.list
wget https://apk.openwrt.melmac.ca/apk.openwrt.melmac.ca.pem -O /etc/apk/keys/apk.openwrt.melmac.ca.pem
apk update
then you can use LuCI to remove the existing luci-app-pbr and add the correct version again.