OpenWrt / WireGuard / Bypass

Hi,

I am new to OpenWrt and trying to install WireGuard, but I also want only some computers to use the VPN while others bypass it and go directly over the LAN.

I have now tried for 2 days to configure this correctly but basically always fail :slight_smile: - as soon as I activate WireGuard I can only access the internet over the VPN and not over WAN. If I disable the WireGuard interface and restart the WAN interface I can access the internet over WAN :frowning:

Can anyone give me a tip what's wrong in my configuration?

For WireGuard I followed this installation guide:

Here are my interfaces:

And my firewall settings (zones):

| Zone | Zone ⇒ Forwardings | Input | Output | Forward | Masquerading | MSS clamping |
|---|---|---|---|---|---|---|
| lan | lan ⇒ REJECT | accept | accept | reject | no | no |
| wan | WAN ⇒ REJECT | reject | accept | reject | yes | yes |
| WGZONE | WGINTERFACE ⇒ REJECT | reject | accept | reject | yes | yes |

Any traffic
From any host in lan with source MAC 00:1D:EC:0D:2D:C0
To any host in WGZONE
Accept forward

Any traffic
From any host in lan
To any host in wan
Accept forward

Sorry, I am only allowed to attach one picture...

Thanks
br
AL

Here is the interface part:

Here are the zones:

And the traffic rule:

You need to add some PBR rules


In the above example I showed how to direct a host to the vpn. You can change it accordingly to force a host via the ISP rather than the vpn.

1 Like

Thanks - will try - is there no GUI function to create such a PBR rule?

thanks again
lg
AL

Not that I know of. I think I have seen some experimental policy-based-routing package, but I have never used it myself.

I use vpn-policy-routing and its companion luci app

If they're helpful, I posted my configs here. I deviated a little from Mullvad's tutorial (e.g. I put the interface in the lan firewall zone rather than creating a new firewall zone), but everything's been working well for me.

2 Likes

@tendy: I tried to add the following lines (2 clients: .50 should use the VPN, .51 the normal WAN):

```sh
echo "100 WGINTERFACE" >> /etc/iproute2/rt_tables
echo "101 WAN" >> /etc/iproute2/rt_tables
```

/etc/config/network:

```
config rule
	option in 'LAN'
	option src '192.168.15.50/32'
	option lookup '100'

config rule
	option in 'LAN'
	option src '192.168.15.51/32'
	option lookup '101'

config 'route' 'WGINTERFACE route'
	option 'interface' 'WGINTERFACE'
	option 'target' '0.0.0.0'
	option 'netmask' '0.0.0.0'
	option 'gateway' '0.0.0.0'
	option 'table' '100'

config 'route' 'WAN route'
	option 'interface' 'WAN'
	option 'target' '0.0.0.0'
	option 'netmask' '0.0.0.0'
	option 'gateway' '0.0.0.0'
	option 'table' '101'
```

After a reboot WAN is not even connecting anymore, and if I try to open the interface in the GUI it's empty. If I remove the lines again the function is back to normal. Can you give me a sample of how you think the config should look for my settings?

THANKS
lg
AL

In the rules, try to use small letters for the interfaces rather than capitals.

In the route sections you'll have to either add a valid gateway or omit it, if it is changing every time you connect. Also use small letters if the interface was entered in small letters (verify with the command ifstatus lan).

Finally don't forget to add a route for the local network (192.168.15.0/24) otherwise you won't be able to communicate with the router from these hosts.

2 Likes

Hi - THANKS, got it working - here is my config in case someone is interested:

```sh
echo "100 vpnroute" >> /etc/iproute2/rt_tables
echo "101 wanroute" >> /etc/iproute2/rt_tables
```

/etc/config/network:

```
config rule
	option in 'lan'
	option src '192.168.15.50/32'
	option lookup '100'
.....
.....
config rule
	option in 'lan'
	option src '192.168.15.0/24'
	option lookup '101'

config route 'VPN_route'
	option interface 'WGINTERFACE'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '100'

config route 'WAN_route'
	option interface 'WAN'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '101'

config route 'lan_route'
	option interface 'lan'
	option target '192.168.15.0'
	option netmask '255.255.255.0'
	option gateway '192.168.15.1'
	option table '100 101'
```

And these rules:

THANKS again
lg
AL

1 Like
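A small checker for the two /etc/config/network fragments posted in this thread (the first attempt and the working one), added here as an example and not part of any post: it parses the UCI `config rule` / `config route` stanzas and reports the three mistakes trx pointed out, i.e. an interface name that does not match what ifstatus reports (case matters), a route with gateway 0.0.0.0, and a lookup table without a route back to the local network. IFACES is an assumed stand-in for the interface names on the author's router.

```python
import ipaddress
import re

def parse_uci(text):
    """Parse UCI text into [{'type': ..., 'options': {...}}]; section names are ignored."""
    sections = []
    for line in text.splitlines():
        toks = [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        if toks and toks[0] == "config":
            sections.append({"type": toks[1], "options": {}})
        elif toks and toks[0] == "option" and sections and len(toks) >= 3:
            sections[-1]["options"][toks[1]] = toks[2]
    return sections

def lint_pbr(text, known_ifaces, lan_net):
    """Flag the three mistakes from this thread: interface names that do not match ifstatus
    (case matters), gateway 0.0.0.0 in a route, and a lookup table with no route to the LAN."""
    secs, problems, tables = parse_uci(text), [], set()
    net = ipaddress.ip_network(lan_net)
    for s in secs:
        o, kind = s["options"], s["type"]
        iface = o.get("in", "") if kind == "rule" else o.get("interface", "")
        if kind in ("rule", "route") and iface not in known_ifaces:
            problems.append(f"{kind}: interface '{iface}' is not one of {sorted(known_ifaces)}")
        if kind == "rule" and o.get("lookup"):
            tables.add(o["lookup"])
        if kind == "route" and o.get("gateway") == "0.0.0.0":
            problems.append("route: gateway 0.0.0.0 is not a next hop; use the real one or omit it")
    for t in sorted(tables):  # every table a rule points at needs the local network in it
        if not any(s["type"] == "route" and t in s["options"].get("table", "").split()
                   and s["options"].get("target") == str(net.network_address)
                   and s["options"].get("netmask") == str(net.netmask) for s in secs):
            problems.append(f"table {t}: no route for {lan_net}; those hosts cannot reach the router")
    return problems

# Constructed sample: the first (non-working) attempt from this thread, condensed to one
# rule and one route. IFACES stands in for the names ifstatus reports on the author's box.
IFACES = {"lan", "WAN", "WGINTERFACE"}
FIRST_TRY = """config rule
    option in 'LAN'
    option src '192.168.15.50/32'
    option lookup '100'
config 'route' 'WGINTERFACE route'
    option 'interface' 'WGINTERFACE'
    option 'target' '0.0.0.0'
    option 'netmask' '0.0.0.0'
    option 'gateway' '0.0.0.0'
    option 'table' '100'"""
PROBLEMS = lint_pbr(FIRST_TRY, IFACES, "192.168.15.0/24")  # three findings, see the replies above
```

Run against the working config from the post above (lowercase `lan` in the rules, no `gateway 0.0.0.0`, and a `lan_route` in tables 100 and 101), `lint_pbr` returns an empty list.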

As per the guidelines, please refrain from signing your posts; we know who wrote each post.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.