Multi-Wireguard VPN (specify gateway)

Hi all and thanks in advance. I've read a number of articles that are similar but haven't been able to find the solution that I am in search of.

Background:
Using PBR, I want to be able to route some traffic out of a 2nd WG connection while defaulting traffic over WG1. The issue is that the 2nd WG connection uses the WG1 default gateway, and I would like it to go out of the WAN interface (not a tunnel in a tunnel). I haven't seen a way to make the WG2 VPN use the ISP WAN interface.

┌─────────────────┐
│  WAN (ISP)      ├───►
├─────────────────┤
│  WG1 (Default)  ├───►
├─────────────────┤
│  WG2 (PBR)      ├───►
└─────────────────┘

Configs

# WAN
config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'
	option hostname '*'
	option peerdns '0'
	list dns '192.168.1.1'

# WG2 interface
config interface 'XXX_VPN'
	option proto 'wireguard'
	option private_key 'XXXXX'
	list dns '192.168.1.1'
	option defaultroute '0'
	list addresses '10.13.13.2'

# WG2 peer
config wireguard_XXX_VPN
	option description 'XXX'
	option public_key 'XXXXX'
	# private_key is an interface option, not a peer option; it is not read here
	option private_key 'XXXXX'
	option preshared_key 'XXXXX'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'XXX.XXX.134.XXX'
	option endpoint_port '51820'
	option persistent_keepalive '25'

# WG1 interface
config interface 'XXXXX_SEC'
	option proto 'wireguard'
	option private_key 'XXXXX'
	list addresses '10.2.0.2/32'
	list dns '192.168.1.1'

# WG1 peer
config wireguard_XXXXX_SEC
	option description 'XXX-1-SEC'
	option public_key 'XXXXX'
	# private_key is an interface option, not a peer option; it is not read here
	option private_key 'XXXXX'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'XXX.XXX.158.XXX'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option disabled '1'

Not sure if this will work, but for WG1 use allowed IPs 0.0.0.0/1 and 128.0.0.0/1.

For WG2 set route allowed IPs to 0.

Thank you @egc, that seems to be what is needed. The tunnel now connects out of the ISP interface.

May I impose a bit more and ask how this works / what I've done?

I think I understand the technique - split the full address space because I'm using 192 locally and the WG CIDRs are 10.

tunlink combined with custom metrics or custom routing tables to hold multiple default routes.

Thank you @vgaetera. As it isn't an available option in LuCI, I missed it.

Well, there are far more knowledgeable people here, but I will give you my two cents (and I am sure someone will correct me if I am wrong).

My idea was to preserve the normal default route via the WAN but override it with the allowed IPs of the WG1 tunnel (this is what OpenVPN usually does).
The allowed IPs specified cover every IP, but the more specific routes with the /1 netmask override the default /0 route via the WAN.
Using metrics is the more modern way to do it.

So the default route via the WAN is still there, so that the endpoint address of the WG server is routed via the existing default route (= WAN).

For the second tunnel, WG2, route allowed IPs is turned off so that no routes are added at all.
This is not needed, as there is an extra table created for WG2 by PBR which will have a default route via that tunnel anyway, and you can use the PBR package to apply that WG2 table by specifying which LAN client should use it.

The alternative is to disable route allowed IPs for both tunnels, but then the main routing table uses the WAN as default and you have to specify all clients to use the routing table for WG1 or WG2.
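A small route-lookup simulation of the scheme egc describes, as an added example that is not code from this thread or from OpenWrt/PBR: longest prefix wins (so the two /1 routes beat the /0 WAN default), among equal prefixes the lowest metric wins (the metric variant), and the PBR client is steered into a separate table that holds a default via WG2. The endpoint addresses, the LAN client address and the /32 host routes to the peers are assumptions; the host routes stand in for the endpoint routing the post says must stay on the WAN, and the last function shows what happens without them (the WG2 endpoint falls into a /1 route and is reached through WG1, i.e. tunnel in a tunnel).

```python
"""Longest-prefix-match walk-through of the two-tunnel routing set-up.

Added example, not code from the thread. Addresses are constructed from
RFC 5737 documentation ranges, not the poster's redacted endpoints.
"""
from ipaddress import ip_address, ip_network

WG1_ENDPOINT = ip_address("203.0.113.158")   # assumed WG1 server address
WG2_ENDPOINT = ip_address("198.51.100.134")  # assumed WG2 server address
PBR_CLIENT = ip_address("192.168.1.50")      # assumed LAN client PBR sends via WG2


def lookup(table, dst):
    """Return the egress device for dst from a list of (prefix, dev, metric).

    Longest prefix wins; among equal prefixes the lowest metric wins.
    Returns None when nothing matches (no default route present).
    """
    dst = ip_address(dst)
    best = None
    for prefix, dev, metric in table:
        net = ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, dev)
    return best[1] if best else None


# Main table as egc describes it: WAN default kept, WG1 overrides it with
# two /1 routes (route_allowed_ips=1, allowed_ips 0.0.0.0/1 + 128.0.0.0/1),
# WG2 adds nothing (route_allowed_ips=0). The /32 host routes are the
# assumed "endpoint stays on WAN" entries.
MAIN = [
    ("0.0.0.0/0", "wan", 10),
    ("0.0.0.0/1", "wg1", 0),
    ("128.0.0.0/1", "wg1", 0),
    (f"{WG1_ENDPOINT}/32", "wan", 0),
    (f"{WG2_ENDPOINT}/32", "wan", 0),
]

# Table PBR creates for WG2: a single default via the tunnel.
WG2_TABLE = [("0.0.0.0/0", "wg2", 0)]

# Metric variant egc mentions: two /0 defaults, the tunnel with the lower metric.
METRIC_MAIN = [
    ("0.0.0.0/0", "wan", 10),
    ("0.0.0.0/0", "wg1", 5),
    (f"{WG1_ENDPOINT}/32", "wan", 0),
]


def route(src, dst):
    """Policy routing: the PBR client uses the WG2 table, everything else uses main.

    The router's own encapsulated WireGuard packets are not sourced from the
    LAN client, so they always consult main and reach the peer via the WAN.
    """
    if ip_address(src) == PBR_CLIENT:
        return lookup(WG2_TABLE, dst)
    return lookup(MAIN, dst)


def without_host_routes(dst):
    """Same main table but with the /32 peer routes dropped: the failure mode."""
    return lookup([r for r in MAIN if not r[0].endswith("/32")], dst)


if __name__ == "__main__":
    print("LAN client -> 1.1.1.1:", route("192.168.1.20", "1.1.1.1"))
    print("PBR client -> 1.1.1.1:", route(str(PBR_CLIENT), "1.1.1.1"))
    print("router -> WG2 endpoint:", route("203.0.113.10", str(WG2_ENDPOINT)))
    print("same, no host routes :", without_host_routes(str(WG2_ENDPOINT)))
```

Run it and the last two lines show the point of the thread: with the peer host routes the WG2 handshake leaves on `wan`, without them it is swallowed by the 128.0.0.0/1 route and would be carried inside WG1.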

Got it - thank you for that!
