I'm trying to VPNify my fire tv stick which is kind of a hassle because neither the fire tv nor my archer c6 can sustain more than 20 Mbits of bandwidth when running a wireguard client.
My current setup is "Route traffic from IP X to wireguard client on openwrt" which is too slow. I have a RasPi 4 lying around though that should be able to do the job. What I imagined could be possible is to route traffic from ip X to the raspi, accept the packages at the raspi somehow, put them through the wireguard and send them back to the router.
TV -> Router (OpenWRT) -> RasPi (Wireguard) -> Router (OpenWRT) -> Internet
This sounds plausible but I'm kind of unsure what is the right approach: static route or policy based routing? And how do I get my raspi to accept the packages that are routed to it and send them off to Wireguard client?
I would very much appreciate some pointers in the right direction. Thanks!
Is your issue that your overall internet bandwidth is being compromised? With policy based routing, you can configure your router such that only traffic from the FireTV stick (and any other specific devices) goes through the tunnel, and the rest goes through your regular wan.
That's probably the most straightforward approach.
I have a pbr that routes only my fire tv through wireguard, the problem is that the 20mbits are not enough to stream 4k content. and i can't achieve more throughput with my archer c6 due to cpu limitations (any magic hacks always welcome though)
how would this work? let's say i connect the pi to lan 1. if i configure lan 1 as a second wan and use it as a gateway, i could then set up the raspi as this gateway. but how would the return path work then, e.g. how would i get my wireguard packages back to the router?
Ok... power is back and I have a few minutes to describe my idea.
What you'll do is set your Raspberry Pi as a lan device. It doesn't need a wan interface. Configure Wireguard and make sure it connects as expected to your commercial VPN service. The allowed IPs field for the peer config section on your Pi should be 0.0.0.0/0 and route allowed IPs enabled.
Then, on your main router, you'll set up a PBR rule that specifically routes traffic from your FireTV stick to the Pi's address. Once traffic is directed to the Pi, the default gateway on the Pi will actually be the WG tunnel itself, so the FireTV data will go through the tunnel as you desire.
thanks for the reply! i'm sorry but i can't quite follow yet: from what i understand for pbr you always specify an interface as a target that will accept the packages and route them further. how can i get a separate interface for the pi?
in my own experimentation i set up a vlan called "pilan" with the pi as gateway and a tagged ethernet port on "pilan" and the standard "lan" vlan so that i could forward the packages to "pilan", then route on the pi from "pilan" to the vpn which would then go to "lan" from where it goes to the internet. but from your description it sounds like vlans aren't actually necessary. can you explain what i would have to do to avoid a separate vlan just to get the destination interface in pbr?
The VLAN method is probably fine here, too. I actually am not an expert on PBR, so I don't really know the ins and outs.
But fundamentally, all you are trying to do is set the pi as the gateway for the FireTV. This could even be done directly on the FireTV if it allows you to configure the network manually (static IP).
I agree with @psherman, pointing the gateway of the Fire TV to the Pi is the easiest.
To make sure you do not have a DNS leak, also set the DNS on the Fire TV to a trusted Public DNS service, e.g. 9.9.9.9.
The DNS route will then automatically follow the route via the Pi/WireGuard.
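
Added example, not part of the thread and not any poster's own configuration: a sketch of the Pi-as-gateway setup discussed above, with the forwarding/NAT rules the Pi needs, a policy route for the router, and a check that the Fire TV's DNS traffic really leaves through the tunnel. The addresses, the interface names (`eth0`, `wg0`, `br-lan`), routing table `100` and the nftables table name `tvvpn` are assumptions.

```shell
#!/bin/sh
# Added example; every address and interface name below is a placeholder.
TV_IP="${TV_IP:-192.168.1.50}"   # Fire TV address (assumed)
PI_IP="${PI_IP:-192.168.1.2}"    # Raspberry Pi LAN address (assumed)
LAN_IF="${LAN_IF:-eth0}"         # Pi LAN interface (assumed)
WG_IF="${WG_IF:-wg0}"            # Pi WireGuard interface (assumed)

# nftables ruleset for the Pi: masquerade into the tunnel, and drop Fire TV
# traffic that would leave by any other interface (e.g. when the tunnel is
# down), so a dropped tunnel fails closed instead of leaking via the LAN.
pi_ruleset() {
cat <<EOF
table inet tvvpn {
  chain forward {
    type filter hook forward priority 0; policy accept;
    ip saddr $TV_IP iifname "$LAN_IF" oifname "$WG_IF" accept
    ip saddr $TV_IP drop
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$WG_IF" masquerade
  }
}
EOF
}

# iproute2 commands for the OpenWrt router: traffic from the Fire TV uses
# table 100, whose only default route points at the Pi. Not needed if the
# Fire TV's gateway is set to the Pi directly.
router_pbr() {
  echo "ip rule add from $TV_IP lookup 100"
  echo "ip route add default via $PI_IP dev br-lan table 100"
}

# Return 0 if one line of `ip route get` output egresses via the tunnel.
via_tunnel() {
  dev=$(printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
  [ "$dev" = "$WG_IF" ]
}

# On the Pi, as root: sysctl -w net.ipv4.ip_forward=1; pi_ruleset | nft -f -
# Leak check on the Pi for the DNS server the Fire TV uses:
#   via_tunnel "$(ip -o route get 9.9.9.9 from "$TV_IP" iif "$LAN_IF")"
case "${1:-}" in
  pi)     pi_ruleset ;;
  router) router_pbr ;;
esac
```

Run with `pi` or `router` as the argument to print the respective configuration for review before applying it.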