Multiwan and Wireguard

Hi,
I have a question. I am not sure about the exact terminology, but I will try to explain as best I can.

I use multiwan on OpenWrt; this seems to work well. I am using various VPNs with the WireGuard protocol. Why various? Because some are for P2P, some are location related and some are point-to-site to access cloud infrastructure. Basically, I do not want any of my traffic going through wwan without using one VPN.

The issue
I want all my WireGuard clients to connect directly to my wwan. It seems that some VPNs are connecting through other VPNs, like so:
VPN_P2S -> VPN_P2P -> wwan
Which would not make any sense. So basically (I think this is the right way to formulate it), how can I force my VPN connections to use my wwan gateway?

NB: my wwan gateway might change address depending on which Wi-Fi I connect to.

Bonus question: Is there a way to automatically change the metric or weight of a connection based on its latency? (For example, if I want to route IPv4 through the best VPN at the moment. I did configure a link quality check that manages to disable bad connections, but that does not mean it will use the absolute best one.)

You probably have a default route via one of the WG interfaces.
When a WG interface is set up it automatically routes its endpoint via the existing default route, so depending on the order in which the interfaces are set up you might run a tunnel in a tunnel.

What you can try is, instead of using 0.0.0.0/0 for Allowed IPs, use 0.0.0.0/1 and 128.0.0.0/1. This will preserve the default route but still routes everything via the tunnel (if Route Allowed IPs is enabled).

Otherwise you can disable the host route and manually make a route for the endpoint via the wwan (No Host Routes on the interface > General Settings).

Before coming back here I found a solution that seems to work but needs a little bit of setup, as I have to configure all interfaces individually:
Add a rule in Multiwan with a wwan-only policy with the destination address set to the endpoint host of my VPNs.
It does work, but I need to do that for every VPN.
I am going to try your method, which to me seems better as I do not have to worry about each VPN individually.

Any clue about my bonus question?

It seems to work.
And my VPNs now have a decent latency, around 200 ms when some were 400 ms before, maybe due to tunnel inception :grin:

Great, it is working.

About your bonus question, I do not have a ready-made script, but you might be able to use either a hotplug event or even a cron job to get latencies and then use uci to set metrics.

Some inspiration:
This script uses uci to toggle WireGuard tunnels on and off:

This script uses hotplug:

Have fun :slight_smile:

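The cron-plus-uci idea from the reply above, as an added example that is not from the thread or from the linked scripts: a POSIX shell script that probes each WireGuard interface with `ping -I`, ranks the interfaces by average round-trip time and emits `uci set network.<iface>.metric=...` commands so the fastest tunnel gets the lowest metric. Unreachable tunnels are pushed to a high metric rather than deleted, so the existing link-quality check keeps its role. The probe target `1.1.1.1`, the interface names and the choice to set `network.<iface>.metric` (rather than the mwan3 member metrics) are assumptions; `ping` and `uci` are only called when present, so the parsing and ranking logic can be exercised on any machine.

```shell
#!/bin/sh
# Added example (not the thread's own code): rank WireGuard interfaces by
# measured latency and set their route metrics through uci. Assumed: probe
# target, interface names and the "network.<iface>.metric" option are
# placeholders to adapt; ping/uci are invoked only when they exist.

PING_TARGET="${PING_TARGET:-1.1.1.1}"   # assumed probe address
UNREACHABLE_MS=99999                     # latency assigned to a failed probe

# Parse ping output on stdin and print the average RTT in ms (empty if none).
# Handles both busybox ("round-trip min/avg/max = a/b/c ms") and iputils
# ("rtt min/avg/max/mdev = a/b/c/d ms") summary lines: the avg is the second
# numeric field on that line.
avg_rtt_ms() {
    awk -F'[/ ]' '/min\/avg\/max/ {
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9.]+$/) { n++; if (n == 2) { print $i; exit } }
    }'
}

# Probe interface $1 with three pings bound to that interface; print the
# average RTT or UNREACHABLE_MS when ping is missing or gets no reply.
probe_latency() {
    command -v ping >/dev/null 2>&1 || { echo "$UNREACHABLE_MS"; return; }
    out=$(ping -I "$1" -c 3 -W 2 "$PING_TARGET" 2>/dev/null) || { echo "$UNREACHABLE_MS"; return; }
    avg=$(printf '%s\n' "$out" | avg_rtt_ms)
    echo "${avg:-$UNREACHABLE_MS}"
}

# Read "iface latency_ms" pairs on stdin; print "iface metric" with the
# fastest interface at metric 10, the next at 20, and so on. Unreachable
# interfaces get metric 1000 so they stay configured but lose route selection.
rank_by_latency() {
    sort -k2,2n | awk -v unreach="$UNREACHABLE_MS" '
        $2 >= unreach { print $1, 1000; next }
        { rank++; print $1, rank * 10 }'
}

# Probe every interface given as an argument and apply the resulting metrics.
# Without uci on the host the uci commands are printed instead (dry run).
apply_metrics() {
    pairs=$(for i in "$@"; do echo "$i $(probe_latency "$i")"; done)
    cmds=$(printf '%s\n' "$pairs" | rank_by_latency |
           awk '{ printf "set network.%s.metric=%s\n", $1, $2 }')
    if command -v uci >/dev/null 2>&1; then
        { printf '%s\n' "$cmds"; echo "commit network"; } | uci batch
        # reload re-applies routes for interfaces whose config changed
        [ -x /etc/init.d/network ] && /etc/init.d/network reload
    else
        printf '%s\n' "$cmds"
    fi
}

# Cron usage on the router (placeholder interface names), e.g. every 5 min:
#   */5 * * * * /root/wg_metrics.sh
# with the script ending in:
#   apply_metrics wg_p2p wg_loc wg_p2s
```

Because the probes themselves go through the tunnels, run this only after the endpoint routing from the first reply is in place; otherwise a nested tunnel inflates its own measurement and the ranking chases the wrong interface.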

After some time I can see it actually did not work; sometimes you make a change and the odds are against you, making you think you resolved the problem.
However, setting up an IPv4 rule asking the incoming interfaces VPNx to go through the outgoing interface wwan seems to do the trick.
Do you think it is a fluke or could it really be the solution?
Thanks for your precious help!
