OpenWrt / WireGuard / Bypass

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi,

i am new to OpenWRT and trying to install Wireguard but also want that only some Computers are using the VPN and others can bypass and directly go over lan.

I tried now 2 days to configure this correctly but basically, always fail :slight_smile: - as soon as i activate wireguard i can only access the internet over the vpn and not over wan. if i disable the wireguard interface and restart the wan interface i can access the internet over wan :frowning:

can anyone give me a tip whats wrong in my configuration?

for Wireguard i followed this installation guide:

here my interfaces:

image
image.png1138×1204 115 KB

and my firewall settings:

lan
lan ⇒ REJECT accept accept recect no no

wan
WAN ⇒ REJECT reject accept reject yes yes

WGZONE
WGINTERFACE ⇒ REJECT reject accept reject yes yes

Any traffic
From any host in lan with source MAC 00:1D:EC:0D:2D:C0
To any host in WGZONE
Accept forward

Any traffic
From any host in lan
To any host in wan
Accept forward

Sorry i am only allowed to attach one picture...

Thanks
br
AL

2

here the interface part

image
image.png591×1024 159 KB

3

here the zones:

image
image.png800×585 85.6 KB

4

and the traffic rule:

image
image.png799×249 54.4 KB

5

You need to add some PBR rules

In the above example I showed how to direct a host to the vpn. You can change it accordingly to force a host via the ISP rather than the vpn.

1 Like
6

thanks - will try - is ther no gui function to creat such PBR rule?

thanks again
lg
AL

7

Not that I know of. I think I have seen some experimental policy-based-routing package, but I have never used it myself.

8

I use vpn-policy-routing and its companion luci app

If they're helpful, I posted my configs here.. I deviated a little from Mullvad's tutorial (e.g. I put the interface in the lan firewall zone rather than creating a new firewall zone), but everything's been working well for me.

2 Likes
9

@tendy: i tried to add the following lines (2 clients .50 should use vpn, .51 normal WAN):

echo "100 WGINTERFACE" >> /etc/iproute2/rt_tables
echo "101 WAN" >> /etc/iproute2/rt_tables

/etc/config/network:
config rule
option in 'LAN'
option src '192.168.15.50/32'
option lookup '100'

config rule
option in 'LAN'
option src '192.168.15.51/32'
option lookup '101'

config 'route' 'WGINTERFACE route'
option 'interface' 'WGINTERFACE'
option 'target' '0.0.0.0'
option 'netmask' '0.0.0.0'
option 'gateway' '0.0.0.0'
option 'table' '100'

config 'route' 'WAN route'
option 'interface' 'WAN'
option 'target' '0.0.0.0'
option 'netmask' '0.0.0.0'
option 'gateway' '0.0.0.0'
option 'table' '101'

after a reboot wan is not even connecting anymore and if i try to open the interface on the gui its empty. If i remove the lines again the function is back to normal. Can you give me some sample how you think the config should look for my settings?

THANKS
lg
AL

10

In the rules, try to use small letters for the interfaces rather than capitals.

In the route sections you'll have to either add a valid gateway or omit it, if it is changing every time you connect. Also use small letters if the interface was entered in small letters (verify with command ifstatus lan)

Finally don't forget to add a route for the local network (192.168.15.0/24) otherwise you won't be able to communicate with the router from these hosts.

2 Likes
11

Hi - THANKS got it working - here my config in case someone is interested:

echo "100 vpnroute" >> /etc/iproute2/rt_tables
echo "101 wanroute" >> /etc/iproute2/rt_tables

/etc/config/network
config rule
option in 'lan'
option src '192.168.15.50/32'
option lookup '100'
.....
.....
config rule
option in 'lan'
option src '192.168.15.0/24'
option lookup '101'

config route 'VPN_route'
option interface 'WGINTERFACE'
option target '0.0.0.0'
option netmask '0.0.0.0'
option table '100'

config route 'WAN_route'
option interface 'WAN'
option target '0.0.0.0'
option netmask '0.0.0.0'
option table '101'

config route 'lan_route'
option interface 'lan'
option target '192.168.15.0'
option netmask '255.255.255.0'
option gateway '192.168.15.1'
option table '100 101'

and this rules:

image
image.png799×435 101 KB

THANKS again
lg
AL

1 Like
12

As per guidelines , please refrain from signing your posts, we know who wrote each post.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).

grafik

13

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.