OpenWrt Split Tunnel WireGuard Omada Double NAT

I am trying to get split tunneling working with VPN and WAN Policy-Based Routing and so far it is a no go. And I think some of the complication is my double NAT setup and could use some help. Here is my setup.

ISP -> OpenWRT Router (192.168.1.1) running WireGuard -> TP-Link Omada Setup (ER605) (Managed Switch) and (EAPs)

The purpose of this setup was to have a VPN over the whole network and manage my VLANs through Omada. Of course I find it necessary now to avoid the VPN because some sites block me if I try to visit them through it.

I installed VPN and WAN Policy-Based Routing and I have set up a simple test to see if I can get my VLAN 192.168.2.0/24 (from the ER605 on Omada) to bypass the VPN. I changed none of the default settings. Just added the policy and enabled the add-on.

My intention was to load specific sites I cannot reach via the VPN and bypass them by domain name for specific devices on my network. Any help would be greatly appreciated, thanks.

Sorry I put the chicken egg thing out of order:

If the Wireguard tunnel on your router is used as default routing (for the whole internet), sadly no vpn-policy-routing rule will allow it to intercept and properly route the UDP traffic of Wireguard server, please either use the OpenVPN server and configure it to use TCP protocol or use the Scenario 2 below.

Otherwise you'll have to incorporate something like this:

or this

WireGuard Issues in VPN Policy-Based Routing

https://docs.openwrt.melmac.net/vpn-policy-routing/#local-wireguard-server--wireguard-client-scenario-1

A Word About Default Routing

From the author's page
https://docs.openwrt.melmac.net/vpn-policy-routing/#a-word-about-default-routing

and the pictures show the gateways:


https://docs.openwrt.melmac.net/vpn-policy-routing/screenshots/01-status.png


What does your say/show?

I really like the very simple pbr based approach I described above. You just set up the routing table names, then assign those to the interfaces, then set up rules to direct traffic based on source IP to either VPN or wan. You can set up VPN to wan failover and VPN exceptions based on source IP.

I would like to try your solution but I have a couple questions. Thanks.

First is all I have to do for the table part is add a WAN and VPN like you did here under local? No additional routings?

root@OpenWrt:~# cat /etc/iproute2/rt_tables

reserved values

128 prelocal
255 local
254 main
253 default
0 unspec

local

#1 inr.ruhep

1 br-lan
2 br-guest
3 vpn
4 wan

Second I cannot find this section anywhere on my router. Closest is a section called "Static Routes". I am guessing I am either missing and add-on or something has changed in the firmware over time?

Yes correct.

Which OpenWrt version do you have? @vgaetera which OpenWrt versions support the funky new IPv4 rules section you helped develop?

It looks like version OpenWrt 21.02.3 r16554-1d4dea6d4f / LuCI openwrt-21.02 branch git-22.083.69138-0a0ce2a

Does that use netifd?

If not would you consider upgrading to 22.03 snapshot branch?

22.03 release is around the corner.

1 Like

I was able to locate the latest version I believe. Being new to OpenWRT I am assuming I just use the Sysupgrade download?

The big question I have is will this method you are proposing work with my double NAT setup? For example the traffic will start on my Omada system say 192.168.2.X and out that WAN into the OpenWRT LAN 192.168.1.1 and through the VPN out to the internet.

1 Like

Yes if you are also OpenWrt installed you will do download sysupgrade :+1:

@Lynx you think the 22.03 is soon out ??

I am not very familiar with vlan setups but doesn't OpenWrt have visibility of the source IPs such that you can just specify e.g. that 192.168.2.0/24 is to go out through WAN just like in my example with 192.168.1.8/32 (television) to go out through WAN?

I think you might also just be able to use 'auc' using the appropriate switches:

auc -b 22.03 -B 22.03-SNAPSHOT

That's the latest snapshot build so slightly more up to date than rc5. @hnyman will this work ok for the OP here? Can he keep settings? Am I right about the VPN pbr working in this context?

1 Like

So I have the new version up and running with the Routing option now available. It seems to half work. I can route things through the VPN but when I tried to set the WAN IP4v4 Override and apply it crashes the router. Any suggestions for the WAN overide? Thanks.

image

@trendy any idea why setting the wan table for interface would cause router to crash?

I haven't had the chance to play with the 22.03 settings yet.
However there is an example in the Wiki.

@hartman44 hmm. So I really am not sure why you are seeing this crash. You shouldn't and beyond @trendy I don't know who else to ask. Are you able to output crash data to see what is happening by any chance? Sorry about this glitch, and I am sure we can get it fixed. Ultimately moving over to netifd is the way forward - so this pain now should pay dividends later.

Maybe @jow has some clue?

I have been playing around with this technique and a couple of packages (VPN Bypass and Policy Based Routing). What I am noticing is what I feared. I don't think the OpenWRT router is recognizing the IP addresses from the traffic coming through from my Omada system.

Again my setup is like this:
ISP -> OpenWRT Router (192.168.1.1) running WireGuard -> TP-Link Omada Setup with VLANS i.e.192.168.0.X, 192.168.2.X, 192.168.3.X (ER605) (Managed Switch) and (EAPs)

As I am not well versed in networking any suggestions on how to pass these subnets through so OpenWRT and the policies based on these subnets is recognized?

Start for scratch.. again

If the Wireguard client is not used as default routing and you create policies to selectively use the Wireguard client, make sure your settings are as following (three dots on the line imply other options can be listed in the section as well). Make sure that the policy mentioned below is at the top of your policies list.


The author has his own thread and is active. The ReadMe has troubleshooting tips and ways to push details to the project.


I can see that keeping the Omada untouched is a primary goal and that working on the WAN facing OpenWrt hardware is where you'd like to concentrate.

I just don't understand vlans well enough, but to me the simple LuCi netifd approach seems vastly preferable to the alternative vpn pbr solution.

Sadly not all tunnels are netifd compatible.

So here's a little update on my PBR adventure. After a complete factory reset and installation of 22.03 I am able to at least have a policy to reroute to the WAN from VPN on certain domains via all subnets with VPN being the default route. I still cannot get this to work based on a single IP address or subnet via "Local addresses / devices".

Maybe someone who is familiar with my type of setup can chime in with suggestions on how to get PBR to recognize my subnets behind the OpenWRT router. Thanks.

Again my setup is like this:
ISP -> OpenWRT Router (192.168.1.1) running WireGuard -> TP-Link Omada Setup with VLANS i.e.192.168.0.X, 192.168.2.X, 192.168.3.X (ER605) (Managed Switch) and (EAPs)

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        option enabled '1'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

config policy
        option interface 'wan'
        option name 'WAN'
        option src_addr '0.0.0.0/0'
        option dest_addr 'newark.com www.kroger.com kroger.com heilind.com'

1 Like