I am trying to get split tunneling working with VPN and WAN Policy-Based Routing and so far it is a no go. And I think some of the complication is my double NAT setup and could use some help. Here is my setup.
The purpose of this setup was to have a VPN over the whole network and manage my VLANs through Omada. Of course I find it necessary now to avoid the VPN because some sites block me if I try to visit them through it.
I installed VPN and WAN Policy-Based Routing and I have set up a simple test to see if I can get my VLAN 192.168.2.0/24 (from the ER605 on Omada) to bypass the VPN. I changed none of the default settings. Just added the policy and enabled the add-on.
My intention was to load specific sites I cannot reach via the VPN and bypass them by domain name for specific devices on my network. Any help would be greatly appreciated, thanks.
If the Wireguard tunnel on your router is used as default routing (for the whole internet), sadly no vpn-policy-routing rule will allow it to intercept and properly route the UDP traffic of Wireguard server, please either use the OpenVPN server and configure it to use TCP protocol or use the Scenario 2 below.
Otherwise you'll have to incorporate something like this:
I really like the very simple pbr based approach I described above. You just set up the routing table names, then assign those to the interfaces, then set up rules to direct traffic based on source IP to either VPN or wan. You can set up VPN to wan failover and VPN exceptions based on source IP.
I would like to try your solution but I have a couple questions. Thanks.
First is all I have to do for the table part is add a WAN and VPN like you did here under local? No additional routings?
root@OpenWrt:~# cat /etc/iproute2/rt_tables
#
# reserved values
#
128 prelocal
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
1 br-lan
2 br-guest
3 vpn
4 wan
Second I cannot find this section anywhere on my router. Closest is a section called "Static Routes". I am guessing I am either missing and add-on or something has changed in the firmware over time?
I was able to locate the latest version I believe. Being new to OpenWRT I am assuming I just use the Sysupgrade download?
The big question I have is will this method you are proposing work with my double NAT setup? For example the traffic will start on my Omada system say 192.168.2.X and out that WAN into the OpenWRT LAN 192.168.1.1 and through the VPN out to the internet.
I am not very familiar with vlan setups but doesn't OpenWrt have visibility of the source IPs such that you can just specify e.g. that 192.168.2.0/24 is to go out through WAN just like in my example with 192.168.1.8/32 (television) to go out through WAN?
I think you might also just be able to use 'auc' using the appropriate switches:
auc -b 22.03 -B 22.03-SNAPSHOT
That's the latest snapshot build so slightly more up to date than rc5. @hnyman will this work ok for the OP here? Can he keep settings? Am I right about the VPN pbr working in this context?
So I have the new version up and running with the Routing option now available. It seems to half work. I can route things through the VPN but when I tried to set the WAN IPv4 Override and apply it crashes the router. Any suggestions for the WAN override? Thanks.
@hartman44 hmm. So I really am not sure why you are seeing this crash. You shouldn't and beyond @trendy I don't know who else to ask. Are you able to output crash data to see what is happening by any chance? Sorry about this glitch, and I am sure we can get it fixed. Ultimately moving over to netifd is the way forward - so this pain now should pay dividends later.
I have been playing around with this technique and a couple of packages (VPN Bypass and Policy Based Routing). What I am noticing is what I feared. I don't think the OpenWRT router is recognizing the IP addresses from the traffic coming through from my Omada system.
Again my setup is like this:
ISP -> OpenWRT Router (192.168.1.1) running WireGuard -> TP-Link Omada Setup with VLANs i.e. 192.168.0.X, 192.168.2.X, 192.168.3.X (ER605) (Managed Switch) and (EAPs)
As I am not well versed in networking, any suggestions on how to pass these subnets through so that OpenWRT recognizes them and the policies based on these subnets are applied?
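Two things in this thread are easier to see in code: the table-name approach (routing tables named in rt_tables, then source-address rules pointing at them) and the double-NAT problem just described. The following is an added illustration, not code from the thread, from the pbr package or from OpenWrt: it parses the quoted rt_tables file, models `ip rule`-style source selection on the OpenWrt side, and models the ER605 hiding its VLAN hosts behind its own WAN address. The ER605 WAN address 192.168.1.2 and the rule priorities are assumed values, and `PolicyRouter`, `snat` and `route_for` are hypothetical helpers for the model.

```python
import ipaddress

# Constructed copy of the rt_tables contents quoted earlier in the thread.
RT_TABLES = """\
#
# reserved values
#
128 prelocal
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
1 br-lan
2 br-guest
3 vpn
4 wan
"""


def parse_rt_tables(text):
    """Return {table_name: table_id} for every non-comment line of an rt_tables file."""
    tables = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments (including '#1 inr.ruhep')
        if not line:
            continue
        table_id, name = line.split(None, 1)
        tables[name.strip()] = int(table_id)
    return tables


class PolicyRouter:
    """Hypothetical model of 'ip rule add from <src> lookup <table>' source selection."""

    def __init__(self, tables, default_table):
        self.tables = tables
        self.default_table = default_table   # table used when no rule matches (the VPN here)
        self.rules = []                      # (priority, source network, table name)

    def add_rule(self, priority, source, table):
        if table not in self.tables:
            raise KeyError(f"unknown routing table {table!r}")
        self.rules.append((priority, ipaddress.ip_network(source, strict=False), table))
        self.rules.sort(key=lambda r: r[0])  # lowest priority number is consulted first

    def lookup(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        for _, net, table in self.rules:
            if ip in net:
                return table
        return self.default_table


def snat(src_ip, nat_wan_ip, inside_nets):
    """Model the ER605's source NAT: hosts on its VLANs leave with the ER605's WAN address."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in ipaddress.ip_network(n) for n in inside_nets):
        return nat_wan_ip
    return src_ip


def route_for(src_ip, router, nat=None):
    """(address OpenWrt actually sees, table chosen), optionally after the Omada NAT hop."""
    seen = snat(src_ip, *nat) if nat else src_ip
    return seen, router.lookup(seen)


def demo():
    tables = parse_rt_tables(RT_TABLES)
    pbr = PolicyRouter(tables, default_table="vpn")   # WireGuard is the default route
    pbr.add_rule(100, "192.168.1.8/32", "wan")        # television bypasses the VPN (as in the thread)
    pbr.add_rule(110, "192.168.2.0/24", "wan")        # intended: the Omada VLAN 2 bypasses the VPN
    # Assumed ER605 WAN address on the OpenWrt LAN, and the VLANs it NATs.
    omada_nat = ("192.168.1.2", ["192.168.0.0/24", "192.168.2.0/24", "192.168.3.0/24"])
    return {
        "tv_direct": route_for("192.168.1.8", pbr),
        "vlan2_through_nat": route_for("192.168.2.50", pbr, omada_nat),
        "vlan2_if_routed": route_for("192.168.2.50", pbr),
    }


if __name__ == "__main__":
    for case, (seen, table) in demo().items():
        print(f"{case:20s} OpenWrt sees {seen:15s} -> table {table}")
```

The middle case is the one the poster is hitting: a host on 192.168.2.0/24 arrives at OpenWrt as 192.168.1.2, so a "Local addresses / devices" entry for 192.168.2.0/24 never matches and the packet falls through to the VPN default. A source-based policy can only act on addresses the router actually sees, so either the rule has to name the ER605's WAN address (which then moves every Omada VLAN together) or the ER605 has to stop NATing those VLANs so their real sources reach OpenWrt.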
If the Wireguard client is not used as default routing and you create policies to selectively use the Wireguard client, make sure your settings are as following (three dots on the line imply other options can be listed in the section as well). Make sure that the policy mentioned below is at the top of your policies list.
The author has his own thread and is active. The ReadMe has troubleshooting tips and ways to push details to the project.
I can see that keeping the Omada untouched is a primary goal and that working on the WAN facing OpenWrt hardware is where you'd like to concentrate.
So here's a little update on my PBR adventure. After a complete factory reset and installation of 22.03 I am able to at least have a policy to reroute to the WAN from VPN on certain domains via all subnets with VPN being the default route. I still cannot get this to work based on a single IP address or subnet via "Local addresses / devices".
Maybe someone who is familiar with my type of setup can chime in with suggestions on how to get PBR to recognize my subnets behind the OpenWRT router. Thanks.
Again my setup is like this:
ISP -> OpenWRT Router (192.168.1.1) running WireGuard -> TP-Link Omada Setup with VLANs i.e. 192.168.0.X, 192.168.2.X, 192.168.3.X (ER605) (Managed Switch) and (EAPs)