Route only some hosts through Wireguard Client interface

Hi there, I currently have OpenWrt set up as both a WireGuard server and a WireGuard client. I used to have a PBR setup with it and it worked wonders; the only issue I had was accessing my LAN servers from the outside, so I went back to stock and built it again. Now my server is working as intended and I can access the LAN; on the other hand, I only want to route some hosts through the wg-client interface, but I'm having issues with it. I've read that I can set Allowed-IPs to just the host(s) I want to route, but that didn't work as I expected. Do I need to use PBR to route only some hosts to the wg-client interface? If so, how can I still access my LAN from some wg-server clients but not from others?

Current configs:


# /etc/config/network (as posted): loopback, LAN bridge and the WAN uplinks.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd92:98c7:a866::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '62:38:e0:d6:7f:68'

# peerdns '0' on both WAN interfaces: resolvers handed out by the ISP are not
# used. No 'dns' list is set for the IPv4 'wan', so the router's own name
# resolution relies on the IPv6 resolvers listed under 'wan6'.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        # NOTE(review): the host part of these resolver addresses looks like a
        # per-account identifier; treat it like the keys and redact it when posting.
        list dns '2a07:a8c0::76:4e9f'
        list dns '2a07:a8c1::76:4e9f'

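# WireGuard "server" side: the router listens on UDP 51820 and owns
# 10.0.100.1/24; each peer below is assigned a single /32 from that subnet.
config interface 'wg_server'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '51820'
        list addresses '10.0.100.1/24'

# Peers. Only public_key, preshared_key and allowed_ips are needed for the
# tunnel itself. The 'private_key' lines hold each CLIENT's private key on
# the server (presumably left behind by LuCI's client-config/QR generator);
# anyone who can read this file can then impersonate every peer. Remove them
# once the client configurations have been handed out.
# route_allowed_ips '1' installs a host route for each peer's /32 so return
# traffic is sent back into the tunnel.
config wireguard_wg_server
        option description 'user1'
        option public_key 'xxx'
        option private_key 'xxx'
        option preshared_key 'xxx'
        list allowed_ips '10.0.100.2/32'
        option route_allowed_ips '1'

config wireguard_wg_server
        option description 'user2'
        option public_key 'xxx'
        option private_key 'xxx'
        option preshared_key 'xxx'
        list allowed_ips '10.0.100.3/32'
        option route_allowed_ips '1'

config wireguard_wg_server
        option description 'user3'
        option public_key 'xxx'
        option private_key 'xxx'
        option preshared_key 'xxx'
        list allowed_ips '10.0.100.4/32'
        option route_allowed_ips '1'

config wireguard_wg_server
        option description 'Admin'
        option public_key 'xxx'
        option private_key 'xxx'
        option preshared_key 'xxx'
        # was '10.0.100.5' with no prefix length; written as /32 to match the
        # other peers and make the single-host scope explicit
        list allowed_ips '10.0.100.5/32'
        option route_allowed_ips '1'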

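# WireGuard "client" side (the commercial VPN). allowed_ips 0.0.0.0/0 with no
# route_allowed_ips means the peer accepts any destination but NO default
# route is installed, so nothing uses the tunnel until policy-based routing
# steers selected hosts/destinations into it (see the replies below).
config interface 'wg_client'
        option proto 'wireguard'
        # the closing quote was missing in the posted config (probably a paste
        # error); uci rejects an unterminated quoted string
        option private_key 'xxx'
        list addresses '10.2.0.2/32'
        # provider resolver; with the default peerdns it is presumably added to
        # the router's own resolver list, so router-originated lookups may use it
        list dns '10.2.0.1'

config wireguard_wg_client
        option description 'Imported peer configuration'
        option public_key 'xxx'
        option endpoint_host '138.199.50.107'
        option endpoint_port '51820'
        # closing quote restored here as well
        list allowed_ips '0.0.0.0/0'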

Firewall:


# /etc/config/firewall (as posted).
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# 'wg_server' shares the lan zone: every VPN peer is trusted exactly like a
# wired LAN host, including input ACCEPT to the router itself (SSH, LuCI,
# DNS). The per-peer rules further down only narrow LAN-to-LAN forwarding;
# a dedicated zone for wg_server with its own input/forward policy would make
# the per-user restrictions explicit instead of relying on exception rules.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_server'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'
# The rules in this run look like the stock OpenWrt defaults (DHCP, ICMP,
# IGMP, DHCPv6, MLD, ICMPv6, IPsec). They are reproduced unchanged.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two IPsec rules accept ESP and UDP/500 from wan toward lan. Nothing in
# the posted configuration uses IPsec (the VPNs here are WireGuard), so they
# can be removed if that remains the case.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

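# Open the WireGuard listen port on the router itself. The posted config did
# this with a 'redirect' that DNATs wan:51820 to the router's own tunnel
# address 10.0.100.1 (dest zone 'lan'); that only works because fw4 also
# accepts "port redirections" in the input chain, and it ties the rule to an
# address the router owns anyway. A plain input ACCEPT is the documented way
# to expose a service that runs on the router and does not involve NAT.
config rule
        option name 'HomeVPN'
        option src 'wan'
        option proto 'udp'
        option dest_port '51820'
        option target 'ACCEPT'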
# Per-peer LAN restrictions. Both rules have src AND dest set, so they only
# match traffic FORWARDED between zone members; they do not touch the input
# chain, and wg_server is in the lan zone with input ACCEPT, so 10.0.100.3
# and 10.0.100.4 can still reach the router itself. They also say nothing
# about lan->wan or lan->WgClient forwarding, which stays allowed for them.
# fw4 evaluates rules in file order: the allow rule must stay above the
# reject rule or user2 loses access to 192.168.0.191.
config rule
        option name 'Allow_wg-server_access_to_Server01'
        option src 'lan'
        option dest 'lan'
        list dest_ip '192.168.0.191'
        option target 'ACCEPT'
        list src_ip '10.0.100.3'
        list proto 'all'

# user1 (10.0.100.2) and Admin (10.0.100.5) are not listed and keep full
# LAN access.
config rule
        option name 'Deny_wg-server_LAN_Access'
        option src 'lan'
        option dest 'lan'
        option target 'REJECT'
        list src_ip '10.0.100.3'
        list src_ip '10.0.100.4'
        list proto 'all'
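# Zone for the commercial-VPN tunnel. masq '1' hides LAN addresses behind
# 10.2.0.2; mtu_fix '1' (added; the wan zone already has it) clamps TCP MSS
# so connections through the tunnel do not stall on the smaller tunnel MTU.
# Because wg_server is also in the lan zone, the lan->WgClient forwarding
# below lets remote VPN peers egress through the commercial VPN too, if PBR
# steers their traffic there.
config zone
        option name 'WgClient'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg_client'

config forwarding
        option src 'lan'
        option dest 'WgClient'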

10.0.100.3 can access just one host inside the LAN, but 10.0.100.4 can't. Admin and user1 can access the whole LAN.

Probably.

What is the wg_client interface doing? Is it a connection to a commercial VPN service, for example? Or is it a connection to a remote location where you want to access services and such (i.e. a site-to-site VPN)?

If it is a commercial VPN, you want PBR.

If it is a site-to-site, you can just specify the addresses/networks at the other site that should be accessible from your network. All clients on your network would be able to use the tunnel to reach those resources, but the tunnel would only be used for traffic specifically destined for said resources; the rest would egress through your regular wan.


It's a commercial VPN, so PBR it is. Now, having PBR installed and configured, how can I still access the LAN from the outside for, let's say, user1 and Admin, but restrict access for user3 and allow user2 to reach some hosts only?

You will need PBR to steer the 'server' type config through the standard wan (and not the commercial VPN 'client' config).

The user-level restrictions can be achieved with the firewall (it might also be possible to do with PBR). You'll set up an allow- or block-list of resources on your LAN as the destination, and the IP addresses of user2 and user3 as the source (and then of course drop/reject or allow as appropriate). Two caveats with your current config: fw4 evaluates rules in file order, so keep the per-host allow rule above the reject rule as you have it; and a rule with both src and dest set only filters forwarded traffic — because wg_server sits in the lan zone with input ACCEPT, user2 and user3 can still reach services on the router itself (SSH, LuCI, DNS) unless you add an input rule for them or give wg_server its own zone.


Thanks for the quick reply, let me try that and i'll report back.

Problem solved! Thanks @psherman! On my previous setup I had PBR's default route pointed at the wg-client, so I kept adding routes and over time it became a mess. Now it's working as intended with the default route through wan, and I only route the things I need through the wg-client.

