Ring Doorbell has to bypass wg VPN

My Amazon Ring Doorbell will not connect unless I disconnect the WireGuard interface. I currently have 2 configs - 1 with VPN and one without. The doorbell connects fine when I am without the VPN, but as soon as I connect the VPN, it drops offline. I am (almost) certain it's only Amazon blocking known VPNs.

I'm trying to make IP address 192.168.1.126 (or its MAC address) connect directly to the internet, bypassing the VPN.

Here are my details for the wg setup:

ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "ASUS RT-AX53U",
	"board_name": "asus,rt-ax53u",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd39:9176:ef7d::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config interface 'WGINTERFACE'
	option proto 'wireguard'
	option private_key 'Y................k='
	option listen_port '51820'
	list addresses '10.5.0.2/32'
	list dns '103.86.96.100'
	list dns '103.86.99.100'

config wireguard_WGINTERFACE
	option description 'NordVPN-au760.conf'
	option public_key 'f......................s='
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host 'au760.nordvpn.com'
	option endpoint_port '51820'
	option route_allowed_ips '1'

===================
cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'WGZONE'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'WGINTERFACE'
wg show
interface: WGINTERFACE
  public key: bW9/qM/WXeEwWrHc3O+lYaH5pwKP39D7yFuz9NDsGR8=
  private key: (hidden)
  listening port: 51820

peer: f..........................s=
  endpoint: 144.48.38.171:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 9 seconds ago
  transfer: 14.23 GiB received, 1.69 GiB sent
  persistent keepalive: every 25 seconds

config forwarding
	option src 'lan'
	option dest 'WGZONE'

https://openwrt.org/docs/guide-user/network/routing/pbr

Thanks. So from what I (mis)understand, I find my gateway (which is the IP address dynamically allocated to me by my ISP), then create a custom routing table:

default via 202.144.173.160 dev wan 

then add the route using

ip rule add from 192.168.1.126 table custom_table

Then add a route:

ip route add default via 202.144.172.1 dev wan table custom_table

... and then I lose internet access on the device completely.

Unless you have first created a named table, you had better use a number for the table, e.g.:

ip route add default via 202.144.172.1 dev wan table 99
ip rule add from 192.168.1.126 table 99
root@OpenWrt:~# ip route show table 99
default via 202.144.172.1 dev wan 

As soon as I do

ip rule add from 192.168.1.126 table 99

... I lose internet access from 192.168.1.126. Obviously something else somewhere is interfering.

You can check if the rule is in place with:
ip rule show

If the rule is in place, then your firewall is blocking LAN → WAN access: your firewall config only has a forwarding from 'lan' to 'WGZONE', and the default 'forward' policy is REJECT, so the traffic that the new rule now routes out of 'wan' is dropped.
Add to /etc/config/firewall:

config forwarding
	option src 'lan'
	option dest 'wan'

Instead of the above forwarding, you can make it more selective with a traffic rule that only permits this one host, e.g.:
(The selective rule is preferable: a blanket 'lan' → 'wan' forwarding would let every LAN host reach the WAN unencrypted if the WireGuard interface goes down and its default route is withdrawn, whereas the per-host rule keeps that fallback closed for everyone except 192.168.1.126.)

config rule
	option name 'allow_ip'
	list proto 'all'
	option src 'lan'
	list src_ip '192.168.1.126'
	option dest 'wan'
	option target 'ACCEPT'

Thank you so much. For other newbies, I put the rule at the top of /etc/config/firewall and did

/etc/init.d/firewall restart
