No Internet access when using Wireguard VPN

To connect from outside, I had set up the WireGuard interface wg1 and a peer for my mobile, because I also want to use this VPN tunnel to allow traffic to the wan interface.
Everything went well: I could connect by establishing a WireGuard VPN to the OpenWrt router in my home, got access through this VPN tunnel to each lan device, and also had access to the Internet with the IP of my home. Great :wink:

Then I set up PBR following the instructions found in the Wiki regarding PBR. Because I couldn't get PBR working, I changed dnsmasq by typing "opkg remove dnsmasq && opkg install dnsmasq-full". After that and a reboot, PBR was working well.

But now, if I'm connected with my mobile via WireGuard to the OpenWrt router in my home, I again have access to each lan device in my home, but Internet access is blocked. I can't get any connection to Internet websites as I had before.

My device:

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.110",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}

First, I am just listing the network file. Please let me know what more information would be useful.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd11:7b0e:5f7b::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option bridge_empty '1'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.50.240'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'xxx'
        option password 'xxx'
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan4:t'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan4:t'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan4:t'
        list ports 'lan5:t'

config interface 'Invitados'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.52.1'
        option netmask '255.255.255.0'

config interface 'IOT'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.53.1'
        option netmask '255.255.255.0'

config interface 'Kameras'
        option proto 'static'
        option device 'br-lan.40'
        option ipaddr '192.168.54.1'
        option netmask '255.255.255.0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        list addresses '192.168.50.1/24'

config wireguard_wg0
        option description 'flo-rt240'
        option public_key 'xxx'
        option preshared_key 'xxx'
        list allowed_ips '192.168.60.0/24'
        option endpoint_host 'xxx'
        option endpoint_port '59888'
        option persistent_keepalive '25'
        option route_allowed_ips '1'

config interface 'wg1'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '51823'
        list addresses '192.168.13.1/24'

config wireguard_wg1
        option description 'S23'
        option public_key 'xxxx'
        option private_key 'xxxx'
        option route_allowed_ips '1'
        list allowed_ips '192.168.13.2/32'

config interface 'wg2'
        option proto 'wireguard'
        option private_key 'xxx'
        list addresses '10.8.0.3/24'
        list addresses 'fdcc:ad94:bacf:61a4::cafe:3/112'
        list dns '1.1.1.1'
        list dns '2606:4700:4700::1111'

config wireguard_wg2
        option public_key 'Ixxxx'
        option preshared_key 'xxxx'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '0'
        option route_allowed_ips '1'

config wireguard_wg1
        option description 'Tab-S5e'
        option public_key 'xxx'
        option private_key 'xxx'
        list allowed_ips '192.168.13.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

I double-checked each firewall route etc., which worked well before, but can't find out why the router is blocking access to the Internet.

I would appreciate any help and advice.

Thank you very much!

Neither can we, as you did not show the firewall, so I would encourage you to show the following:

cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show

As I am very good at wild guessing, I am guessing that a forward from wg1 to wg2 is missing?

And if you want to access 192.168.60.0/24, you also need a forward from wg1 to wg0.

You have a subnet conflict:

The WG interface must be unique/non-overlapping with both the local network(s) and the remote peer networks.

Thank you both very much for your quick reply and help.
@psherman Even to me it smells like a net conflict, but I can't identify it because of missing knowledge. Just to comment, "wg0" is a site-to-site connection to an AVM router, where I got the WireGuard information from the AVM side when configuring the S2S connection on the AVM router. Maybe it's a good idea to check the setup on the AVM again with a focus on the IP range on the OpenWrt side; I will try that.

@egc Going through the logs you named, I noticed an IPv6 error "unreachable fd11:7b0e:5f7b". I will try to find out why and paste the output.
As I have a working VPN tunnel to 192.168.60.0/24 from the internet, it is not necessary to also get access to this network from the VPN tunnel ending at wg1 on OpenWrt. Just Internet access, to reach internet services with the IP address of this home through a VPN tunnel from outside my home, would be great.

We know the subnets in use locally on this router. What are the subnet(s) on the remote peer? All subnets must be unique. In the case of a site-to-site configuration, there are a minimum 3 unique subnets: local, wireguard tunnel, remote. They must be mutually non-overlapping. If there are multiple subnets on either side, those also must not conflict with those on the far side of the tunnel. In your config, either the local lan subnet or the WG subnet must be changed.

Thank you, I've got that now :grinning_face:. I changed the local IP address on the OpenWrt for wg0 from 192.168.50.1/24, which is part of the local net, to 192.168.98.1/24, which is not in use, neither on the OpenWrt nor on the S2S AVM. At the moment S2S is working like before; I will now test all other connections and routing rules. :crossed_fingers:

Great! Glad it is working now! Once you've confirmed that everything is working as expected...

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Nearly working :wink: Access from outside by mobile via the WireGuard VPN tunnel to local devices and over the router to the internet with the home's IP is working like a charm. Many thanks to all of you; I've learned a lot from that.

But :grinning_face:: wg2 is configured as a client to a WireGuard server on the internet, to route some country-specific traffic using the PBR package, following the rules configured in PBR.

This worked as expected until I changed the wg0 IP address to a unique one, as described above.

After just this change, which doesn't affect the interface wg2 used by the PBR rules, the rules are ignored and all Internet traffic was going out over wg2 instead of the standard wan interface. So I set up the wan interface with "Use gateway metric" 10 and wg2 with 20, to get the wan interface as default like before.

After that, all Internet traffic is going out over the wan interface, but the PBR rules are ignored. I'm testing PBR with curl as explained in this video; for example, the rule for the website https://ipinfo.io is configured to go out over wg2, but
curl https://ipinfo.com
gives me the local IP and not the IP of the WireGuard server on the internet.

I'm confused, because I just changed the IP of wg0 and didn't touch any routing rule. I also went through the logs named by @egc without getting an idea why the PBR rules are now ignored. Before I paste tons of logs, any idea why the PBR rules are ignored, even though the service is up and running?

I think it is better to address the real problem instead of using a workaround.

Unfortunately without seeing your configs it is just wild guessing.

But if you do not want a WireGuard interface with a peer with Allowed IPs of 0.0.0.0/0 to have a default route via its interface then do not enable Route Allowed IPs.

Thank you again for your help. After triple-checking the configuration, the problem is the same as described: PBR is not working, all Internet traffic is going out over the wan interface.
Thank you again for your offer to help me check the config; please find it below:

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.110",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxx:7b0e:5f7b::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option bridge_empty '1'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.50.240'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'xxxx'
        option password 'xxxx'
        option ipv6 'auto'
        option metric '10'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option metric '10'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan4:t'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan4:t'
        list ports 'lan5:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan4:t'
        list ports 'lan5:t'

config interface 'Invitados'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.52.1'
        option netmask '255.255.255.0'

config interface 'IOT'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.53.1'
        option netmask '255.255.255.0'

config interface 'Kameras'
        option proto 'static'
        option device 'br-lan.40'
        option ipaddr '192.168.54.1'
        option netmask '255.255.255.0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key xxx
        list addresses '192.168.98.1/24'

config wireguard_wg0
        option description 'flo-rt240'
        option public_key xxxx
        option preshared_key xxxx
        list allowed_ips '192.168.60.0/24'
        option endpoint_host xxx
        option endpoint_port '59888'
        option persistent_keepalive '25'
        option route_allowed_ips '1'

config interface 'wg1'
        option proto 'wireguard'
        option private_key xxxx
        option listen_port '51823'
        list addresses '192.168.13.1/24'

config wireguard_wg1
        option description 'S23'
        option public_key xxxx
        option private_key xxxx
        option route_allowed_ips '1'
        list allowed_ips '192.168.13.2/32'

config interface 'wg2'
        option proto 'wireguard'
        option private_key xxxx
        list addresses '10.8.0.3/24'
        list addresses 'xxxx:ad94:bacf:61a4::cafe:3/112'
        list dns '1.1.1.1'
        list dns '2606:4700:4700::1111'
        option metric '20'

config wireguard_wg2
        option public_key xxx
        option preshared_key xxx
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host xxx
        option endpoint_port '51820'
        option persistent_keepalive '0'
        option route_allowed_ips '1'

config wireguard_wg1
        option description 'Tab-S5e'
        option public_key xxxx
        option private_key xxxx
        list allowed_ips '192.168.13.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

--------------------------------------------------
cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'xxxx::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'IOT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        list device 'br-lan.30'

config zone
        option name 'Invitados'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        list device 'br-lan.20'
        option mtu_fix '1'

config zone
        option name 'Kameras'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'br-lan.40'
        list network 'Kameras'

config forwarding
        option src 'Invitados'
        option dest 'wan'

config rule
        option src 'Invitados'
        option name 'Invitados-DNS'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'IOT'
        option name 'IOT-DNS'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'Kameras'
        option name 'Kameras-DNS'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'Invitados'
        option name 'Invitados-DHCP'
        option dest_port '67 68'
        option target 'ACCEPT'

config rule
        option src 'IOT'
        option name 'IOT-DHCP'
        option dest_port '67 68'
        option target 'ACCEPT'

config rule
        option src 'Kameras'
        option name 'Kameras-DHCP'
        option dest_port '67 68'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '80'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.50.4'
        option dest_port '81'
        list proto 'tcp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '443'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.50.4'
        option dest_port '443'

config zone
        option name 'wg0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config forwarding
        option src 'wg0'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wg0'

config zone
        option name 'wg1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg1'
        option masq '1'
        option mtu_fix '1'

config redirect
        option dest 'wg1'
        option target 'DNAT'
        option name 'wg1-51823'
        list proto 'udp'
        option src 'wan'
        option src_dport '51823'
        option dest_ip '192.168.50.240'
        option dest_port '51823'

config forwarding
        option src 'wg1'
        option dest 'lan'

config forwarding
        option src 'wg1'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'Kameras'

config forwarding
        option src 'Kameras'
        option dest 'lan'

config forwarding
        option src 'IOT'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'IOT'

config zone
        option name 'wg2'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg2'

config forwarding
        option src 'lan'
        option dest 'wg2'

ip route show

default via 172.30.96.1 dev pppoe-wan proto static metric 10
default dev wg2 proto static scope link metric 20
10.8.0.0/24 dev wg2 proto static scope link metric 20
79.208.109.160 via 172.30.96.1 dev pppoe-wan proto static metric 10
87.106.80.244 via 172.30.96.1 dev pppoe-wan proto static metric 10
172.30.96.1 dev pppoe-wan proto kernel scope link src 185.205.58.41
192.168.13.0/24 dev wg1 proto kernel scope link src 192.168.13.1
192.168.13.2 dev wg1 proto static scope link
192.168.13.3 dev wg1 proto static scope link
192.168.50.0/24 dev br-lan.1 proto kernel scope link src 192.168.50.240
192.168.52.0/24 dev br-lan.20 proto kernel scope link src 192.168.52.1
192.168.53.0/24 dev br-lan.30 proto kernel scope link src 192.168.53.1
192.168.54.0/24 dev br-lan.40 proto kernel scope link src 192.168.54.1
192.168.60.0/24 dev wg0 proto static scope link
192.168.98.0/24 dev wg0 proto kernel scope link src 192.168.98.1

ip -6 route show

xxxx:7b0e:5f7b::/64 dev br-lan.1 proto static metric 1024 pref medium
unreachable xxxx:7b0e:5f7b::/48 dev lo proto static metric 2147483647 pref medium
xxxx:ad94:bacf:61a4::cafe:0/112 dev wg2 proto static metric 20 pref medium
xxxx::/64 dev eth0 proto kernel metric 256 pref medium
xxxx::/64 dev br-lan proto kernel metric 256 pref medium
xxxx::/64 dev br-lan.1 proto kernel metric 256 pref medium
xxxx::/64 dev br-lan.20 proto kernel metric 256 pref medium
xxxx::/64 dev br-lan.30 proto kernel metric 256 pref medium
xxxx::/64 dev br-lan.40 proto kernel metric 256 pref medium
xxxx::/64 dev eth1 proto kernel metric 256 pref medium
default dev wg2 proto static metric 20 pref medium

ip route show table all

default via 192.168.98.1 dev wg0 table pbr_wg0
default via 172.30.96.1 dev pppoe-wan table pbr_wg0 proto static metric 10
79.208.109.160 via 172.30.96.1 dev pppoe-wan table pbr_wg0 proto static metric 10
87.106.80.244 via 172.30.96.1 dev pppoe-wan table pbr_wg0 proto static metric 10
172.30.96.1 dev pppoe-wan table pbr_wg0 proto kernel scope link src 185.205.58.41
192.168.13.0/24 dev wg1 table pbr_wg0 proto kernel scope link src 192.168.13.1
192.168.13.2 dev wg1 table pbr_wg0 proto static scope link
192.168.13.3 dev wg1 table pbr_wg0 proto static scope link
192.168.50.0/24 dev br-lan.1 table pbr_wg0 proto kernel scope link src 192.168.50.240
192.168.52.0/24 dev br-lan.20 table pbr_wg0 proto kernel scope link src 192.168.52.1
192.168.53.0/24 dev br-lan.30 table pbr_wg0 proto kernel scope link src 192.168.53.1
192.168.54.0/24 dev br-lan.40 table pbr_wg0 proto kernel scope link src 192.168.54.1
default via 10.8.0.3 dev wg2 table pbr_wg2
default via 172.30.96.1 dev pppoe-wan table pbr_wg2 proto static metric 10
79.208.109.160 via 172.30.96.1 dev pppoe-wan table pbr_wg2 proto static metric 10
87.106.80.244 via 172.30.96.1 dev pppoe-wan table pbr_wg2 proto static metric 10
172.30.96.1 dev pppoe-wan table pbr_wg2 proto kernel scope link src 185.205.58.41
192.168.13.0/24 dev wg1 table pbr_wg2 proto kernel scope link src 192.168.13.1
192.168.13.2 dev wg1 table pbr_wg2 proto static scope link
192.168.13.3 dev wg1 table pbr_wg2 proto static scope link
192.168.50.0/24 dev br-lan.1 table pbr_wg2 proto kernel scope link src 192.168.50.240
192.168.52.0/24 dev br-lan.20 table pbr_wg2 proto kernel scope link src 192.168.52.1
192.168.53.0/24 dev br-lan.30 table pbr_wg2 proto kernel scope link src 192.168.53.1
192.168.54.0/24 dev br-lan.40 table pbr_wg2 proto kernel scope link src 192.168.54.1
default via 172.30.96.1 dev pppoe-wan proto static metric 10
default dev wg2 proto static scope link metric 20
10.8.0.0/24 dev wg2 proto static scope link metric 20
79.208.109.160 via 172.30.96.1 dev pppoe-wan proto static metric 10
87.106.80.244 via 172.30.96.1 dev pppoe-wan proto static metric 10
172.30.96.1 dev pppoe-wan proto kernel scope link src 185.205.58.41
192.168.13.0/24 dev wg1 proto kernel scope link src 192.168.13.1
192.168.13.2 dev wg1 proto static scope link
192.168.13.3 dev wg1 proto static scope link
192.168.50.0/24 dev br-lan.1 proto kernel scope link src 192.168.50.240
192.168.52.0/24 dev br-lan.20 proto kernel scope link src 192.168.52.1
192.168.53.0/24 dev br-lan.30 proto kernel scope link src 192.168.53.1
192.168.54.0/24 dev br-lan.40 proto kernel scope link src 192.168.54.1
192.168.60.0/24 dev wg0 proto static scope link
192.168.98.0/24 dev wg0 proto kernel scope link src 192.168.98.1
local 10.8.0.3 dev wg2 table local proto kernel scope host src 10.8.0.3
broadcast 10.8.0.255 dev wg2 table local proto kernel scope link src 10.8.0.3
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 185.205.58.41 dev pppoe-wan table local proto kernel scope host src 185.205.58.41
local 192.168.13.1 dev wg1 table local proto kernel scope host src 192.168.13.1
broadcast 192.168.13.255 dev wg1 table local proto kernel scope link src 192.168.13.1
local 192.168.50.240 dev br-lan.1 table local proto kernel scope host src 192.168.50.240
broadcast 192.168.50.255 dev br-lan.1 table local proto kernel scope link src 192.168.50.240
local 192.168.52.1 dev br-lan.20 table local proto kernel scope host src 192.168.52.1
broadcast 192.168.52.255 dev br-lan.20 table local proto kernel scope link src 192.168.52.1
local 192.168.53.1 dev br-lan.30 table local proto kernel scope host src 192.168.53.1
broadcast 192.168.53.255 dev br-lan.30 table local proto kernel scope link src 192.168.53.1
local 192.168.54.1 dev br-lan.40 table local proto kernel scope host src 192.168.54.1
broadcast 192.168.54.255 dev br-lan.40 table local proto kernel scope link src 192.168.54.1
local 192.168.98.1 dev wg0 table local proto kernel scope host src 192.168.98.1
broadcast 192.168.98.255 dev wg0 table local proto kernel scope link src 192.168.98.1
unreachable default dev lo table pbr_wg0 metric 1024 pref medium
xxxx:ad94:bacf:61a4::cafe:0/112 dev wg2 table pbr_wg2 proto static metric 20 pref medium
default dev wg2 table pbr_wg2 proto static metric 20 pref medium
default dev wg2 table pbr_wg2 metric 128 pref medium
xxxx:7b0e:5f7b::/64 dev br-lan.1 proto static metric 1024 pref medium
unreachable xxxx:7b0e:5f7b::/48 dev lo proto static metric 2147483647 pref medium
xxxx:ad94:bacf:61a4::cafe:0/112 dev wg2 proto static metric 20 pref medium
xxxx::/64 dev eth0 proto kernel metric 256 pref medium
xxxx::/64 dev br-lan proto kernel metric 256 pref medium
xxxx::/64 dev br-lan.1 proto kernel metric 256 pref medium
xxxx::/64 dev br-lan.20 proto kernel metric 256 pref medium
xxxx::/64 dev br-lan.30 proto kernel metric 256 pref medium
xxxx::/64 dev br-lan.40 proto kernel metric 256 pref medium
xxxx::/64 dev eth1 proto kernel metric 256 pref medium
default dev wg2 proto static metric 20 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast xxxx:7b0e:5f7b:: dev br-lan.1 table local proto kernel metric 0 pref medium
local xxxx:7b0e:5f7b::1 dev br-lan.1 table local proto kernel metric 0 pref medium
anycast xxxx:ad94:bacf:61a4::cafe:0 dev wg2 table local proto kernel metric 0 pref medium
local xxxx:ad94:bacf:61a4::cafe:3 dev wg2 table local proto kernel metric 0 pref medium
anycast xxxx:: dev eth0 table local proto kernel metric 0 pref medium
anycast xxxx:: dev br-lan.20 table local proto kernel metric 0 pref medium
anycast xxxx:: dev br-lan.1 table local proto kernel metric 0 pref medium
anycast xxxx:: dev br-lan table local proto kernel metric 0 pref medium
anycast xxxx:: dev br-lan.30 table local proto kernel metric 0 pref medium
anycast xxxx:: dev br-lan.40 table local proto kernel metric 0 pref medium
anycast xxxx:: dev eth1 table local proto kernel metric 0 pref medium
local xxxx::9683:c4ff:fea8:d1c9 dev eth1 table local proto kernel metric 0 pref medium
local xxxx::9683:c4ff:fea8:d1cb dev eth0 table local proto kernel metric 0 pref medium
local xxxx::9683:c4ff:fea8:d1cb dev br-lan.20 table local proto kernel metric 0 pref medium
local xxxx::9683:c4ff:fea8:d1cb dev br-lan.1 table local proto kernel metric 0 pref medium
local xxxx::9683:c4ff:fea8:d1cb dev br-lan table local proto kernel metric 0 pref medium
local xxxx::9683:c4ff:fea8:d1cb dev br-lan.30 table local proto kernel metric 0 pref medium
local xxxx::9683:c4ff:fea8:d1cb dev br-lan.40 table local proto kernel metric 0 pref medium
multicast xxxx::/8 dev br-lan.1 table local proto kernel metric 256 pref medium
multicast xxxx::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast xxxx::/8 dev wg1 table local proto kernel metric 256 pref medium
multicast xxxx::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast xxxx::/8 dev br-lan.20 table local proto kernel metric 256 pref medium
multicast xxxx::/8 dev br-lan.30 table local proto kernel metric 256 pref medium
multicast xxxx::/8 dev br-lan.40 table local proto kernel metric 256 pref medium
multicast xxxx::/8 dev eth1 table local proto kernel metric 256 pref medium
multicast xxxx::/8 dev wg0 table local proto kernel metric 256 pref medium
multicast xxxx::/8 dev wg2 table local proto kernel metric 256 pref medium

ip rule show

0:      from all lookup local
29998:  from all fwmark 0x20000/0xxxxx00 lookup pbr_wg2
30000:  from all fwmark 0x10000/0xxxxx00 lookup pbr_wg0
32766:  from all lookup main
32767:  from all lookup default

wg show

interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 43434

peer: xxxx
  preshared key: (hidden)
  endpoint: 79.208.109.160:59888
  allowed ips: 192.168.60.0/24
  latest handshake: 32 seconds ago
  transfer: 6.97 KiB received, 6.69 KiB sent
  persistent keepalive: every 25 seconds

interface: wg2
  public key: xxxx
  private key: (hidden)
  listening port: 44418

peer: xxx
  preshared key: (hidden)
  endpoint: 87.106.80.244:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 28 seconds ago
  transfer: 5.12 KiB received, 5.36 KiB sent

interface: wg1
  public key: xxxx
  private key: (hidden)
  listening port: 51823

peer: xxx
  allowed ips: 192.168.13.2/32

peer: xxx
  allowed ips: 192.168.13.3/32
  persistent keepalive: every 25 seconds

Thank you for any help and advice!

Remove option metric '10'.

Remove option metric '20'.

Disable Route Allowed IPs, i.e. change it to 0.

Reboot. After a reboot everything should go via the WAN by default, and you can use policy-based routing to route the clients you want via wg2.

Note that there is only forwarding from the lan zone to wg2, so only clients on your lan can use wg2.

As you are also using IPv6, better use the MAC address of your lan client or the interface (e.g. @lan) as PBR source, as that also covers IPv6 routing.

Make sure you enable IPv6 in the PBR config.

If that does not work then we should see your PBR settings in which case please show:

cat /etc/config/pbr
service pbr restart
service pbr status
cat /var/run/pbr.nft
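A preflight check for the points in the reply above (the metric options, Route Allowed IPs on a tunnel whose peer carries 0.0.0.0/0 or ::/0, and the missing persistent keepalive that turns out to matter later in the thread), written here as an added example; it was not posted in the thread and is not part of pbr. It reads a UCI /etc/config/network from stdin and relies only on the standard `config interface`/`config wireguard_<iface>` section layout. The section names (wg2, wireguard_wg2), the endpoint host and both sample configs are constructed, not the poster's real files.

```shell
#!/bin/sh
# Added example, not from the thread: preflight check for a WireGuard "client"
# interface (a peer with allowed_ips 0.0.0.0/0 or ::/0) before handing routing
# to PBR. Section names, endpoint and the two sample configs are assumptions.

# wg_pbr_preflight IFACE   (reads a UCI network config on stdin)
# Prints one finding per line; exit 0 = clean, 1 = something to fix first.
wg_pbr_preflight() {
  awk -v iface="$1" -v q="'" '
    function val(s) { gsub(q, "", s); return s }   # strip the UCI quotes
    # A "config" line starts a new section: note whether it is the interface
    # itself or one of its wireguard_<iface> peer sections.
    $1 == "config" {
      in_if   = ($2 == "interface" && val($3) == iface)
      in_peer = ($2 == ("wireguard_" iface))
      if (in_peer) { npeer++; keep[npeer] = 0 }
      next
    }
    in_if && $1 == "option" && $2 == "metric"            { metric = val($3) }
    in_if && $1 == "option" && $2 == "route_allowed_ips" { rai = val($3) }
    in_peer && $1 == "list" && $2 == "allowed_ips" &&
      (val($3) == "0.0.0.0/0" || val($3) == "::/0")      { full[npeer] = 1 }
    in_peer && $1 == "option" && $2 == "persistent_keepalive" { keep[npeer] = val($3) }
    END {
      bad = 0
      for (p = 1; p <= npeer; p++) {
        if (full[p] && rai == "1") {
          print iface ": route_allowed_ips=1 with a 0.0.0.0/0 or ::/0 peer installs a default route, so everything leaves via " iface
          bad = 1
        }
        if (full[p] && keep[p] == 0) {
          print iface ": peer " p " has no persistent_keepalive; with no route through the tunnel it may never handshake"
          bad = 1
        }
      }
      if (metric != "") {
        print iface ": option metric " metric " is set; remove it, PBR selects the tunnel with its own routing tables"
        bad = 1
      }
      exit bad
    }'
}

# Constructed sample: the state described in the question (metric set,
# Route Allowed IPs enabled, no keepalive). Keys are placeholders.
CFG_BEFORE=$(cat <<'EOF'
config interface 'wg2'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option metric '20'
        option route_allowed_ips '1'
        list addresses '10.8.0.3/24'

config wireguard_wg2
        option public_key 'REDACTED'
        option endpoint_host 'vpn.example.net'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
EOF
)

# Constructed sample: the same interface after the advice above is applied.
CFG_AFTER=$(cat <<'EOF'
config interface 'wg2'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option route_allowed_ips '0'
        list addresses '10.8.0.3/24'

config wireguard_wg2
        option public_key 'REDACTED'
        option endpoint_host 'vpn.example.net'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
EOF
)

echo "== before =="
printf '%s\n' "$CFG_BEFORE" | wg_pbr_preflight wg2 || echo "-> fix these before enabling PBR"
echo "== after =="
printf '%s\n' "$CFG_AFTER" | wg_pbr_preflight wg2 && echo "-> clean, default route stays on wan"
```

On a router you would run it as `wg_pbr_preflight wg2 < /etc/config/network`; the same awk works under busybox. The check only looks at the config, so after fixing it still confirm with `ip route show` that the only default route is the wan one and with `wg show wg2` that a handshake appears.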

Hi, thank you very much. I'm sorry to let you know that there might be some more misconfiguration on my side. I did exactly what you said, and after a reboot all traffic went over the lan interface. Perfect. But since these changes, wg2 is not making a handshake with the WireGuard server on the internet, so I have to solve this problem first before continuing to check PBR.
To find out what prevents wg2 from making a handshake with the WireGuard server, I started from scratch, applying your advice one step at a time:

First I just removed the metric option; the wg2 handshake is working well, but all internet traffic is going out over wg2 instead of over the lan interface.

Then changing

option route_allowed_ips '1'

to

option route_allowed_ips '0'

prevents wg2 from doing a handshake with the WireGuard server.

I tried some things regarding the firewall rules, e.g. adding wan to the wg2 zone, allowing input / output / forwarding etc., but it didn't solve the problem. I couldn't solve it, so the system now has the config files as posted above, including the changes you suggested.

Maybe a problem with DNS access from wg2?

You have set your DNS to publicly available DNS servers so that should not be a problem.

You might want to set persistent keepalive to 25, but that should not stop you getting a handshake (of course you have to route some traffic through the tunnel, otherwise it will not show any traffic, but it should show connected).

For instructions for a proper setup see:
WireGuard Client Setup Guide

The only thing you have to do different is to keep Route Allowed IPs Disabled.
Enabled means everything routed via the WG tunnel and that is not what you want :slight_smile:

Setting

Persistant Keep Alive

to 25 solved the problem with the handshake. Great, thank you very much.

Even though PBR is not working because of routing problems, which I can now see in the logs, I will try to solve it. If I have solved it, I will post it here for other users as a howto.
Let's cross fingers :grinning_face:

Thank you very much!

Can't get PBR working. With reference to your help above I could see the error message in the terminal, even though according to the LuCI interface everything is up and running:

root@OpenWrt:~# service pbr restart
Resetting chains and sets [✓]
Removing routing for 'wg0/192.168.98.1/::/0' [✓]
Removing routing for 'wg2/10.8.0.3/xxx:ad94:bacf:61a4::cafe:3/112' [✓]
pbr 1.2.0-r6 (fw4 nft file mode) stopped [✓]
Using uplink IPv4 interface (on_start): wan [✓]
Found uplink IPv4 gateway (on_start): 172.30.96.1 [✓]
Using uplink IPv6 interface (on_start): wan6 [✓]
Processing environment (on_start) [✓]
Setting up routing for 'wg0/192.168.98.1/::/0' [✓]
Setting up routing for 'wg2/10.8.0.3/xxx:ad94:bacf:61a4::cafe:3/112' [✓]
Routing 'ipinfo wg test' via wg2 [✓]
Routing 'Tagesschau' via wg2 [✓]
Installing fw4 nft file [✓]
Setting interface trigger for wan6 [✓]
Setting interface trigger for wg0 [✓]
Setting interface trigger for wg2 [✓]
pbr 1.2.0-r6 monitoring interfaces: wan6 wg0 wg2
pbr 1.2.0-r6 (fw4 nft file mode) started with gateways:
wg0/192.168.98.1/::/0
wg2/10.8.0.3/xxx:ad94:bacf:61a4::cafe:3/112
ERROR: Command failed: ip -4 route add default via 172.30.96.1 dev pppoe-wan proto static table 256!
ERROR: Command failed: ip -4 route add default via 172.30.96.1 dev pppoe-wan proto static table 257!
ERROR: Errors encountered, please check https://docs.openwrt.melmac.ca/pbr/1.2.0/#ErrorMessagesDetails!

Following the link in the error message didn't give me any hint to solve the problem.

Because I found the referred IP 172.30.96.1 in the routing table (see the output posted earlier above), I found some discussions regarding similar problems on Google. As I understood the comments on Google, this error message means that the IP still exists in the routing table. Also, I don't know where this IP is coming from, or where and why it is configured on my router.

Output from the other commands:

root@OpenWrt:~# service pbr status

pbr - environment
pbr 1.2.0-r6 installed on OpenWrt 24.10.4.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip daddr { 34.117.59.81 } tcp dport { 443 }  goto pbr_mark_0x020000 comment "ipinfo wg test"
add rule inet fw4 pbr_prerouting ip daddr { 34.110.152.241 }  goto pbr_mark_0x020000 comment "Tagesschau"
add rule inet fw4 pbr_prerouting ip6 daddr { 2600:1901:0:1b60:: }  goto pbr_mark_0x020000 comment "Tagesschau"

pbr chains - policies
        chain pbr_forward { # handle 72
        }
        chain pbr_input { # handle 73
        }
        chain pbr_output { # handle 74
        }
        chain pbr_postrouting { # handle 76
        }
        chain pbr_prerouting { # handle 75
                ip daddr 34.117.59.81 tcp dport 443 goto pbr_mark_0x020000 comment "ipinfo wg test" # handle 3021
                ip daddr 34.110.152.241 goto pbr_mark_0x020000 comment "Tagesschau" # handle 3022
                ip6 daddr 2600:1901:0:1b60:: goto pbr_mark_0x020000 comment "Tagesschau" # handle 3023
        }
        chain pbr_dstnat { # handle 71
        }

pbr chains - marking
        chain pbr_mark_0x010000 { # handle 3015
                meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 3016
                return # handle 3017
        }
        chain pbr_mark_0x020000 { # handle 3018
                meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 3019
                return # handle 3020
        }

pbr nft sets

pbr tables & routing
IPv4 table 256 pbr_wg0 route:
default via 192.168.98.1 dev wg0
IPv4 table 256 pbr_wg0 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wg0

IPv6 table 256 pbr_wg0 route:
unreachable default dev lo metric 1024 pref medium
IPv6 table 256 pbr_wg0 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wg0

IPv4 table 257 pbr_wg2 route:
default via 10.8.0.3 dev wg2
IPv4 table 257 pbr_wg2 rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wg2

IPv6 table 257 pbr_wg2 route:
default dev wg2 metric 128 pref medium
IPv6 table 257 pbr_wg2 rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wg2

root@OpenWrt:~# cat /etc/config/pbr

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        list resolver_instance '*'
        option ipv6_enabled '1'
        option rule_create_option 'add'
        option procd_boot_trigger_delay '5000'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option nft_rule_counter '0'
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list ignored_interface 'wan'

config include
        option path '/usr/share/pbr/pbr.user.dnsprefetch'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config dns_policy
        option name 'Redirect Local IP DNS'
        option src_addr '192.168.1.5'
        option dest_dns '1.1.1.1'
        option enabled '0'

config policy
        option name 'Ignore Local Requests'
        option interface 'ignore'
        option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

config policy
        option name 'ipinfo wg test'
        option dest_addr 'ipinfo.io'
        option dest_port '443'
        option proto 'tcp'
        option interface 'wg2'

config policy
        option name 'Tagesschau'
        option dest_addr 'tagesschau.de'
        option interface 'wg2'
        option proto 'tcp'

root@OpenWrt:~# cat /var/run/pbr.nft
#!/usr/sbin/nft -f

add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip daddr { 34.117.59.81 } tcp dport { 443 }  goto pbr_mark_0x020000 comment "ipinfo wg test"
add rule inet fw4 pbr_prerouting ip daddr { 34.110.152.241 }  goto pbr_mark_0x020000 comment "Tagesschau"
add rule inet fw4 pbr_prerouting ip6 daddr { 2600:1901:0:1b60:: }  goto pbr_mark_0x020000 comment "Tagesschau"

HHhhmmmmm :thinking:

It looks like you can ignore the error.

When using URLs as destination in PBR, just using the URL is enough. Do not add port and/or protocol, so remove those.

In general, using URLs does not always give the desired results, as companies can have more than one IP address linked to the URL, often geographically different, and e.g. streaming media also use a lot of related (sub)domains, so you have to catch them all.

For testing, use the URL ipleak.net instead of ipinfo.io and use e.g. this rule:

config policy
        option name 'test'
        option dest_addr 'ipleak.net'
        option interface 'wg2'

Furthermore, to get better results you need to install dnsmasq-full (and of course use dnsmasq as primary resolver) and use nft sets as the PBR resolver, see:

Below is a snippet; make sure you consult footnotes 5 and 7 as stated

Use DNSMASQ nft sets Support

  • The pbr package can be configured to utilize dnsmasq’s nft sets support, which requires the dnsmasq-full package with nft sets support to be installed (see How to install dnsmasq-full). This significantly improves the startup time because dnsmasq resolves the domain names and adds them to the appropriate nft set in background. dnsmasq’s nft set also automatically adds third-level domains to the set: if domain.com is added to the policy, this policy will affect all *.domain.com subdomains. This also works for top-level domains (TLDs) as well, a policy targeting the at TLD for example, will affect all the *.at domains.
  • Please review the Footnotes/Known Issues section, specifically #5 and #7 and any other information in that section relevant to domain-based routing/DNS.
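Putting the two changes from the reply above into /etc/config/pbr, as an added example rather than the poster's final config or a snippet from the pbr documentation: the `resolver_set` value `dnsmasq.nftset` is the pbr option value that selects dnsmasq's nft set support (the config posted earlier has `none`), and the domain policy carries no port or protocol match. The other options are copied from the config posted earlier; the policy name is an assumption.

```text
config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        # was 'none': domains were resolved to fixed IPs at start, no nft set
        option resolver_set 'dnsmasq.nftset'
        list resolver_instance '*'
        option ipv6_enabled '1'
        list ignored_interface 'wan'

# Domain only, no dest_port and no proto. With dnsmasq.nftset every answer
# dnsmasq gives for ipleak.net and *.ipleak.net lands in the wg2 set.
config policy
        option name 'test'
        option dest_addr 'ipleak.net'
        option interface 'wg2'
```

After `service pbr restart`, the `pbr nft sets` section of `service pbr status` (empty in the output above, because `resolver_set` was `none`) should list a set for wg2, and the dnsmasq line in that output must show `nftset` among the compile time options, as it does above; if it shows `no-nftset`, the running dnsmasq is not the full build and nothing will ever be added to the set. The clients must also use the router's dnsmasq as their resolver, otherwise dnsmasq never sees the lookups that populate the set.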

Looks like, that it is working. You are right, it's better to test with ipleak.net.

I followed the instructions installing PBR together with dnsmasq-full. Without dnsmasq-full it will not work on newer OpenWrt versions.

After a lot of testing over the weekend, it looks to me like, before starting to create a specific rule, it is a good idea to first analyze the website to find out from which sources the traffic comes that makes up the whole website shown in your browser, and only after that start creating a set of rules or maybe a more complex user file.

Thank you very much for your help. Hope it also helps other users getting PBR up and running. I will mark the thread as solved.


Thanks @denmik , glad you got it working.

I am preparing a write-up on domain based routing which will also deal with the problems you encountered and solved :slight_smile:
