Hi there, i currently have OpenWRT setup as Server and Client. I used to have a PBR setup with it and it worked wonders, the only issue i was having was to access my LAN servers from the outside, so i went back to stock and build it again. Now, My Server is working as intended and i can access the LAN, on the other hand, I only want to route some hosts through the wg-client interface but im having issues with it. I've read that i can set 'Allowed-IPs' to just the host(s) i want to route but that didnt work as i expected. Do i need to use PBR to route only some hosts to the wg-client interface? If so, how can i still access my LAN from some wg-server clients but not from others?
Current configs:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd92:98c7:a866::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.0.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'wan'
option macaddr '62:38:e0:d6:7f:68'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '2a07:a8c0::76:4e9f'
list dns '2a07:a8c1::76:4e9f'
config interface 'wg_server'
option proto 'wireguard'
option private_key 'xxx'
option listen_port '51820'
list addresses '10.0.100.1/24'
config wireguard_wg_server
option description 'user1'
option public_key 'xxx'
option private_key 'xxx'
option preshared_key 'xxx'
list allowed_ips '10.0.100.2/32'
option route_allowed_ips '1'
config wireguard_wg_server
option description 'user2'
option public_key 'xxx'
option private_key 'xxx'
option preshared_key 'xxx'
list allowed_ips '10.0.100.3/32'
option route_allowed_ips '1'
config wireguard_wg_server
option description 'user3'
option public_key 'xxx'
option private_key 'xxx'
option preshared_key 'xxx'
list allowed_ips '10.0.100.4/32'
option route_allowed_ips '1'
config wireguard_wg_server
option description 'Admin'
option public_key 'xxx'
option private_key 'xxx'
option preshared_key 'xxx'
list allowed_ips '10.0.100.5'
option route_allowed_ips '1'
config interface 'wg_client'
option proto 'wireguard'
option private_key 'xxx
list addresses '10.2.0.2/32'
list dns '10.2.0.1'
config wireguard_wg_client
option description 'Imported peer configuration'
option public_key 'xxx'
option endpoint_host '138.199.50.107'
option endpoint_port '51820'
list allowed_ips '0.0.0.0/0
Firewall:
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg_server'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HomeVPN'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '10.0.100.1'
option dest_port '51820'
config rule
option name 'Allow_wg-server_access_to_Server01'
option src 'lan'
option dest 'lan'
list dest_ip '192.168.0.191'
option target 'ACCEPT'
list src_ip '10.0.100.3'
list proto 'all'
config rule
option name 'Deny_wg-server_LAN_Access'
option src 'lan'
option dest 'lan'
option target 'REJECT'
list src_ip '10.0.100.3'
list src_ip '10.0.100.4'
list proto 'all'
config zone
option name 'WgClient'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'wg_client'
config forwarding
option src 'lan'
option dest 'WgClient'
10.0.100.3 can access just one host inside the LAN but 10.0.100.4 cant. Admin and user1 can access the whole LAN.