No internet connectivity in OpenWrt router when using mullvad DNS in Wan interface

I'll have to run a few tests... I can't do that now, but I'll try to do it a bit later and report back. Someone else may be able to answer in the meantime.

Ok, once again, thanks.

Can I assume you are using the Mullvad Connection Check and it is reporting the two OpenDNS IPs you entered in your wan interface settings are leaking?

Add this to the dnsmasq section

	option noresolv '1'

This will probably break dns on the router itself when the tunnel is down, but it should prevent the leaking dns.

Exactly, the two openDNS servers are leaking.

Thanks, but that is no solution; I would just go back to my initial issue, which was the reason for the topic.

In /etc/config/network
under config wireguard_mullvad section...
try adding option route_allowed_ips '1'

then restart your wireguard interface

If I add that to the WireGuard config, I can no longer use the Vpn-Policy-routing module.
All my traffic will be routed through the tunnel, and I don't want that.

Your DNS isn't leaking.

If you replace your OpenDNS IPs with the Mullvad DNS servers they provide, your DNS leak will magically disappear.

As long as the ONLY IPs reported in the Mullvad leak check are the OpenDNS IPs you entered, there is no leak.

VPN-policy-based-routing requires that. Everything goes through the tunnel, then you set up policy rules to route the devices you don't want to go through the tunnel.

Yes, you're correct, but then I will be in the same situation as in the initial topic: no internet connectivity on the router side, not being able to ping or update packages, etc.

In the VPN-policy-routing README,
they state that for the module to work I have to set Route Allowed IPs to 0.
And if I add that config option, I'm no longer able to bypass the VPN on some devices with the VPN-policy-routing module.

So the Wireguard client is not used as default routing, did you follow:

@psherman seems to have you set up for everything up to this point, so I think we're down to vpn-policy-routing.

Let's take a look at the VPN-PBR config:

uci export vpn-policy-routing | head -n35

Make sure you have a check on your Wan in Service Gateways and your Mullvad client is also listed in your Service Gateways.

Yes, i followed.

Yes, everything is right.

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	option resolver_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option name 'teste'

Hello again,

No ideas from anyone?
I thought this was a simple issue; it seems it isn't. I wonder how all the people using the WireGuard client for VPN do it.

Add option route_allowed_ips '1' to your WG peers in /etc/config/network.

/etc/init.d/network restart

LuCI/VPN/Vpn Policy Routing select Enable Show Enabled Column under Web UI Configuration. Save/Apply.

ADD a policy. Give it a name, enter your local ip (this device), un-check Enabled. Save/Apply.

Check Enabled, select your WG interface, Save/Apply. Go to 'whatismyip.com' - it should be Mullvad.
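The two settings this thread keeps coming back to both live in `/etc/config/network`: the resolvers entered on the wan interface (the ones the Mullvad leak check reports) and `route_allowed_ips` on the WireGuard peer (which VPN-PBR needs set to `1`). Since UCI files are plain text, a small audit script can confirm both before you trust a leak test. This is an added example, not from the thread or from the VPN-policy-routing project; the IPs, keys and endpoint in the sample are constructed placeholders, and `audit`, `wan_dns` and `peer_route_allowed` are names chosen here:

```shell
#!/bin/sh
# Added example (not from the thread): audit a copy of /etc/config/network for
# the wan DNS servers and the WireGuard peer's route_allowed_ips setting.
# Reads the UCI text format with awk, so it runs without the uci binary.

# uci_values FILE TYPE NAME KEY
# Print every 'option'/'list' value for KEY inside the section of TYPE and
# NAME. Pass "" as NAME for anonymous sections such as wireguard_<iface>.
uci_values() {
    awk -v type="$2" -v name="$3" -v key="$4" -v q="'" '
        /^[[:space:]]*config[[:space:]]/ {
            sec = $3; gsub(q, "", sec)
            in_sec = ($2 == type && (name == "" || sec == name))
            next
        }
        in_sec && ($1 == "option" || $1 == "list") && $2 == key {
            v = $0
            sub("^[^" q "]*" q, "", v)      # drop everything up to the opening quote
            sub(q "[[:space:]]*$", "", v)   # drop the closing quote
            print v
        }' "$1"
}

# wan_dns FILE: one resolver per line, as configured on the wan interface.
wan_dns() { uci_values "$1" interface wan dns; }

# peer_route_allowed FILE PEERTYPE: succeed only if the peer section routes its
# allowed_ips, i.e. the tunnel becomes the default route as VPN-PBR expects.
peer_route_allowed() {
    [ "$(uci_values "$1" "$2" "" route_allowed_ips)" = "1" ]
}

# audit FILE PEERTYPE EXPECTED_DNS...: print findings; return 1 on any mismatch.
audit() {
    f=$1; peer=$2; shift 2; rc=0
    for d in $(wan_dns "$f"); do
        case " $* " in
            *" $d "*) echo "ok:   wan dns $d is an expected resolver" ;;
            *)        echo "warn: wan dns $d is not in the expected list"; rc=1 ;;
        esac
    done
    if peer_route_allowed "$f" "$peer"; then
        echo "ok:   $peer has route_allowed_ips '1'"
    else
        echo "warn: $peer lacks route_allowed_ips '1' (tunnel is not the default route)"; rc=1
    fi
    return $rc
}

# Constructed sample in the layout of /etc/config/network; placeholders only.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '192.0.2.53'
	list dns '192.0.2.54'

config interface 'mullvad'
	option proto 'wireguard'
	option private_key 'PLACEHOLDER_PRIVATE_KEY'
	list addresses '10.0.0.2/32'

config wireguard_mullvad
	option public_key 'PLACEHOLDER_PEER_PUBLIC_KEY'
	option endpoint_host 'vpn.example.net'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
EOF

# On a router, point the script at the real file and list the resolvers you
# expect (the Mullvad ones, after swapping out OpenDNS as suggested above).
audit "$SAMPLE" wireguard_mullvad 192.0.2.53 192.0.2.54
```

Any resolver the script flags as unexpected on wan is exactly what the Mullvad check will report, so the fix is to change the wan `dns` list rather than the tunnel; a missing `route_allowed_ips '1'` explains the router itself having no default route through the tunnel, which is the state the policy for the upper half of the subnet later works around.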

Ok, that solved the DNS problem.
Don't know why it didn't work before, because I had already tried that.

But that broke the default routing through my WAN, so I had to tweak the VPN-PBR policies a bit.
I had a policy for the subnet as x.x.x.128/25 and made my DHCP server start at 129.
Then I set static IPs for all the devices that I wanted to route through the VPN under 128.
And, voilà!

Thanks a lot for all the help.

Take a good read at A Word About Default Routing in the doc.

I'm a newbie, I've read that section 10 times at least; that's why I changed route allowed hosts to 0.
But if you can explain it to me better, it would be great.
