PBR - WG interface stopped

hey guys

I set up a wg interface and it was working fine without PBR,
but after setting up PBR and rebooting the router, it automatically set the default gateway to the wg interface, which I don't want.

Then I added the lines below to the network file to stop wg being used as the default gateway.

To unset a WireGuard tunnel as default route, set the following to the appropriate section of your /etc/config/network:

For your WireGuard (client) config:

option route_allowed_ips '0'

After that I rebooted. Now my wan interface is my default gateway, but the wg interface stopped working.

Anyone, please help me.
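The split-tunnel layout the first post is after (tunnel up, WAN stays the default gateway, only chosen destinations go through wg) looks roughly like this in UCI. This is an added example, not configuration from the thread or from the pbr project; the interface name wg0, the addresses, the endpoint, the key placeholders and the domain are assumptions, and the option names follow OpenWrt's WireGuard proto handler and pbr's documented UCI options as the editor understands them.

```uci
# /etc/config/network  (added example; wg0, addresses and endpoint are placeholders)
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REPLACE_WITH_CLIENT_PRIVATE_KEY'
	list addresses '10.2.0.2/32'

# Peer section. allowed_ips 0.0.0.0/0 lets any destination be sent into the
# tunnel, but route_allowed_ips '0' stops WireGuard from installing that as
# the system default route. pbr builds its own routing table for wg0 instead.
# Note that route_allowed_ips belongs to the peer (wireguard_wg0) section,
# not to the interface section.
config wireguard_wg0
	option description 'VPN provider'
	option public_key 'REPLACE_WITH_SERVER_PUBLIC_KEY'
	option endpoint_host 'vpn.example.net'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '0'
	list allowed_ips '0.0.0.0/0'

# /etc/config/pbr
config pbr 'config'
	option enabled '1'
	# A domain name in dest_addr is turned into an nftset that dnsmasq fills
	# as clients resolve the name; this is why dnsmasq-full is required.
	option resolver_set 'dnsmasq.nftset'

# Only matching destinations leave via the tunnel. Everything else follows
# the main routing table, whose default route is wan.
config policy
	option name 'TikTok via VPN'
	option dest_addr 'tiktok.com'
	option interface 'wg0'
```

After `service network restart` and `service pbr restart`, `wg show wg0` should report a recent handshake even though `ip route` shows no default via wg0; the tunnel's routes live in pbr's own table (`ip route show table all` lists them). Domain-based policies only work for clients that resolve names through the router's dnsmasq: a client using its own DNS (or DNS over HTTPS in the browser) never populates the set, and the DNS queries themselves still go out via the WAN unless handled separately, which is the DNS-leak point raised later in the thread.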

Since you don't want the WG for your default traffic, what is your intended result after configuring PBR?


Yes, I'm sure. I just need some sites to go through wg.

Otherwise, if all traffic goes through the wg tunnel, my banking apps won't work, and games which require low latency will have latency issues too.

Do you know the IP ranges of destinations you wish to egress via the VPN tunnel?

Umm, literally no.

Like "tiktok live" is banned in my country, and all those other websites :wink:

If I create a policy like ( tiktok.com/ ) to use the wg interface, will it work?

I also configured dnsmasq-full.

A lot of information can be found in the pbr README.

It is possible that those domains also check your DNS and you need to take care you do not have a DNS leak.
Some information can be found here, there is a paragraph about Domain based routing: https://github.com/egc112/OpenWRT-egc-add-on/blob/main/stop-dns-leak/README.md#different-dns-servers-and-routing-per-domain

General information about setting up a WireGuard client:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/client
and my own notes:


Thank you so much bro, I managed to get both interfaces working.

But now I'm facing another issue:
my default gateway is WAN, but when I created a policy for a domain and set it to the wan interface, it uses the wg tunnel.

Also, after creating a policy, pbr stopped and I have to start it manually.

Well, if your default gateway is the WAN you should not need a policy for routing domains via the WAN, as that already is the default, unless ..... you have another policy which routes via the VPN.

Policies are routed in order so you could change the order of the policies so that the domain based routing comes first (in the GUI you can drag the config item)

Furthermore you can not have duplicate items in your PBR policies, only the first item which is hit will be routed.


Yes, I was also thinking that if the default gateway is wan, then why is there an option to choose wan for policies.

For when you have other policies routing via the VPN.
Suppose you route your LAN client via the VPN but you do want some destination to go out via the WAN. In that case you make a policy to route that destination out via the WAN and make sure that policy comes first, so before the policy which routes the LAN client via the VPN.


Ahh, I got it now.

Can you please also help me with one more thing?

The main reason I'm doing this is the WhatsApp calling feature.

I live overseas; in my country everyone uses WhatsApp calling, and in the country I'm residing in only WhatsApp calling is banned. Other than that WhatsApp works fine, like texting and sending pics and videos.

I configured whatsapp/com/10.2.0.1 in dhcp and dns and also created a policy as per the instructions, but the calling feature still doesn't work.

I'm sorry for asking too much.

WhatsApp uses an in-house content delivery network (CDN). The CDN delivers content to the very edge of the network and is often hosted inside Internet Service Provider (ISP) networks.

Bottom line: only using whatsapp.com will probably not suffice.

The only thing you can do is default route via the VPN and then route only the domains you want, or clients which do not use WhatsApp, via the WAN.
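The layout suggested above (tunnel as default route, WAN only for chosen destinations and clients) combined with the ordering rule from the earlier reply (policies are processed top to bottom, first hit wins) looks like this. It is an added example, not configuration from the thread or the pbr project; the interface names, addresses, placeholder keys and the domain bank.example.com are assumptions, and the option names follow OpenWrt's WireGuard proto handler and pbr's documented UCI options as the editor understands them.

```uci
# /etc/config/network: peer section only, the wg0 interface section is unchanged.
# route_allowed_ips '1' installs 0.0.0.0/0 through the tunnel, so wg0 becomes
# the default route and pbr only has to carve out the exceptions.
config wireguard_wg0
	option description 'VPN provider'
	option public_key 'REPLACE_WITH_SERVER_PUBLIC_KEY'
	option endpoint_host 'vpn.example.net'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'

# /etc/config/pbr: policies are matched in the order listed, first hit wins.
config pbr 'config'
	option enabled '1'
	option resolver_set 'dnsmasq.nftset'

# 1. Exceptions first: destinations that must see the WAN address.
config policy
	option name 'Banking via WAN'
	option dest_addr 'bank.example.com'
	option interface 'wan'

# 2. A latency-sensitive client that should never use the tunnel.
config policy
	option name 'Game console via WAN'
	option src_addr '192.168.1.20'
	option interface 'wan'

# 3. A broad, client-based policy. Listed after the banking policy, a phone at
#    .50 still reaches bank.example.com via wan. If this policy were moved
#    above policy 1, the phone's banking traffic would be sent into wg0
#    instead, which is the symptom described earlier in the thread.
config policy
	option name 'Phone via VPN'
	option src_addr '192.168.1.50'
	option interface 'wg0'
```

With the tunnel as default, a service such as WhatsApp calling needs no policy at all; its CDN endpoints simply follow the default route, which is why this direction is easier than enumerating its hosts. The WAN exceptions remain domain-based, so they only work for clients that resolve names through the router's dnsmasq, and any client doing its own DNS bypasses them and stays inside the tunnel.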

Okay, I will try the other way of PBR, i.e. wg as the default gateway,

and will try to make domain-based policies for banking apps and games which use the wan interface.

Thank you so much.

