I recently stood up an instance of Streisand in AWS EC2 for Wireguard. I've been able to successfully connect individual clients to Wireguard. Now I'd like to configure a specific network interface to route all of its traffic through the Wireguard tunnel. I'm relatively new to OpenWrt, so this is a big step for me.
I've found a handful of useful topics on the forum (1, 2, 3) that point me toward using Policy Based Routing (PBR). I've tried to follow the steps listed there but still haven't had much luck.
I've tried to set up PBR both manually on the CLI and also using the "VPN Policy Routing" plugin by @stangri (the latter is what I have configured currently). I'm able to create and connect a Wireguard interface, but any clients I connect to the related WiFi network aren't able to ping out to the Internet.
I feel like I'm missing something very basic here and would appreciate another set of eyes to look over my config to see what I've missed.
I'll try to add as many details as possible to make troubleshooting easier. Please let me know if I should provide anything else. Thanks!
Router HW: Turris Omnia OpenWrt 18.06.2
"wg" is the Wireguard interface. Using Tunnel IP 10.192.122.5
"lan_vpn" is the interface I want to route over the Wireguard tunnel. Using 192.168.10.1/24 internally.
"wan" is the WAN interface pointing to my upstream modem on 192.168.5.1
VPN Policy Routing config
config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '0'
option ipset_enabled '1'
option dnsmasq_enabled '0'
option strict_enforcement '1'
option boot_timeout '30'
option enabled '1'
config policy
option name 'vpn_lan'
option local_address '192.168.10.0/24'
option interface 'wg'
option chain 'PREROUTING'
option proto 'tcp udp'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd8c:fe75:0140::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'lan0 lan1 lan2 lan3 lan4'
option ipaddr '192.168.1.1'
option dns '192.168.1.3'
config interface 'wan'
option ifname 'eth2'
option proto 'static'
option ipaddr '192.168.5.2'
option netmask '255.255.255.0'
option gateway '192.168.5.1'
option metric '1'
config interface 'lan_vpn'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config interface 'wg'
option proto 'wireguard'
option private_key '*priv_key*'
list addresses '10.192.122.5/24'
config wireguard_wg
option public_key '*pub_key*'
list allowed_ips '192.168.10.0/24'
option endpoint_host '*public_vpn_endpoint*'
option endpoint_port '51820'
option persistent_keepalive '25'
/etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'lan_vpnzone'
option output 'ACCEPT'
option network 'lan_vpn'
option log '1'
option log_limit '200/minute'
option forward 'ACCEPT'
option input 'ACCEPT'
config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'wg_zone'
option input 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wg'
option log '1'
option log_limit '200/minute'
config rule
option enabled '1'
option target 'ACCEPT'
option src 'lan_vpnzone'
option name 'wg'
option src_ip '192.168.10.0/24'
option dest 'wg_zone'
config forwarding
option dest 'wg_zone'
option src 'lan_vpnzone'
Kernel routing table
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.5.1 0.0.0.0 UG 1 0 0 eth2
10.192.122.0 * 255.255.255.0 U 0 0 0 wg
*public vpn ip* 192.168.5.1 255.255.255.255 UGH 1 0 0 eth2
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.5.0 * 255.255.255.0 U 1 0 0 eth2
192.168.10.0 * 255.255.255.0 U 0 0 0 br-lan_vpn
IP Route Info
root@Router:/tmp/log# ip route list
default via 192.168.5.1 dev eth2 proto static metric 1
10.192.122.0/24 dev wg proto kernel scope link src 10.192.122.5
*vpn_public_ip* via 192.168.5.1 dev eth2 proto static metric 1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.5.0/24 dev eth2 proto static scope link metric 1
192.168.10.0/24 dev br-lan_vpn proto kernel scope link src 192.168.10.1
root@Router:/etc/config# ip route list table local
broadcast 10.192.122.0 dev wg proto kernel scope link src 10.192.122.5
local 10.192.122.5 dev wg proto kernel scope host src 10.192.122.5
broadcast 10.192.122.255 dev wg proto kernel scope link src 10.192.122.5
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 192.168.5.0 dev eth2 proto kernel scope link src 192.168.5.2
local 192.168.5.2 dev eth2 proto kernel scope host src 192.168.5.2
broadcast 192.168.5.255 dev eth2 proto kernel scope link src 192.168.5.2
broadcast 192.168.10.0 dev br-lan_vpn proto kernel scope link src 192.168.10.1
local 192.168.10.1 dev br-lan_vpn proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev br-lan_vpn proto kernel scope link src 192.168.10.1
root@Router:/etc/config# ip route list table main
default via 192.168.5.1 dev eth2 proto static metric 1
10.192.122.0/24 dev wg proto kernel scope link src 10.192.122.5
*vpn_public_ip* via 192.168.5.1 dev eth2 proto static metric 1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.5.0/24 dev eth2 proto static scope link metric 1
192.168.10.0/24 dev br-lan_vpn proto kernel scope link src 192.168.10.1
root@Router:/tmp/log# cat /etc/iproute2/rt_tables
#
# reserved values
#
128 prelocal
255 local
254 main
253 default
10 wg
0 unspec
#
# local
#
#1 inr.ruhep