I want to use a wireguard VPN depending on the device (for privacy reasons), but I have trouble setting it up.
I cannot get the traffic to go through the VPN without setting route_allowed_ips to 1 on the VPN peer. When I do set route_allowed_ips, all traffic from ALL devices goes through the VPN.
I thought, if I set up the firewall forwarding like this:
vpn -> lan
lan -> wan
that route_allowed_ips would only apply for devices that are routed through lan. But that doesn't seem to be the case. Honestly, I don't even understand where exactly the routes are set once you change route_allowed_ips?
I set up a firewall rule:
config rule
	option name 'Allow iPhone to VPN'
	option src 'lan'
	list src_ip '192.168.1.158'
	option dest 'vpn'
	option target 'ACCEPT'
	list proto 'all'
With the above setup, the iPhone's traffic goes through the VPN correctly. However, other devices don't have internet access any longer.
Yeah, I've tried pbr, but I don't really comprehend what the setup would look like.
In pbr, I set up a rule for the iPhone device to use the VPN interface.
But what about the other settings? I didn't manage to route only the iPhone traffic through the VPN and still allow other devices to connect without the VPN.
Sorry, I don't get it. What exactly do I need to change in order to apply the VPN only to certain devices and still let other devices through without the VPN?
Yeah, but when I don't enable that, no traffic goes through the VPN at all. No matter what I do. I tried to route devices through the VPN interface using pbr or the firewall.
The firewall is not doing the routing; the firewall can prevent traffic via the LAN if you have set up a kill switch, e.g. removing forwarding from LAN to WAN.
Actually, it does work now that I disabled route_allowed_ips and enabled pbr.
One more thing, though: On my iPhone, which is the device set in pbr to go through the VPN interface, the IP is from my VPN, but DNS is not. How can I stop DNS leaking?
And is there a way to set a kill switch for specific devices? For example, when I reboot the router and pbr is not starting fast enough, there might be leaks.
PBR has settings specifically for DNS.
See the manual
If you have also implemented IPv6, use the MAC address, as that will take care of both IPv6 and IPv4.
There are other ways to do it as well, see:
Sure, make a firewall traffic rule for your specific device to block WAN access.
iptables is not used any more; current builds use fw4 with nftables.
The DNS policy actually uses nftables to redirect DNS.
To rule out that you did not set a valid DNS server on the interface, use the following DNS policy. I use 1.1.1.1, but use a well-known DNS server which is not otherwise in use.
Use the MAC address and set an IPv4 and IPv6 DNS server on the wg0 interface; then you can use the MAC address as source and the wg0 interface as destination for just one DNS policy rule.
Then actually two DNS redirect rules are automatically made.
One with your IPv4 address to an IPv4 DNS server and one with your IPv6 address to the IPv6 DNS server.
One last question: So right now I have set up the VPN only for one device. But actually I want it the other way around: route every device connected to the router through the VPN, but not the router itself. Is that possible to set up?
@egc Perfect. I almost got everything working exactly the way I wanted it to now. To get completely rid of DNS leaks I had to set noresolv to 1. I then set the DNS of the wan/wan6 interfaces to Cloudflare DNS and added a pbr rule for the router itself there, too. The only problem now is that the router itself does not use the Cloudflare DNS for some reason? (I also tried @eth1 instead of the router IP in 'Router itself uses WAN DNS'.)
pbr:
config policy
	option name 'All LAN devices use VPN'
	option src_addr '@br-lan'
	option interface 'wg0'
config dns_policy
	option name 'Router itself uses WAN DNS'
	option src_addr '192.168.1.1'
	option dest_dns 'wan'
config dns_policy
	option name 'All LAN devices use VPN DNS'
	option src_addr '@br-lan'
	option dest_dns 'wg0'
config rule
	option name 'No WAN/WAN6 for connected devices'
	list proto 'all'
	option src '*'
	option dest 'wan'
	option target 'REJECT'
config rule
	option name 'Router still allowed to access WAN/WAN6'
	list proto 'all'
	option src '*'
	list src_ip '192.168.1.1'
	option dest 'wan'
	option target 'ACCEPT'
I think the problem is that the pbr rules for some reason can't target the router itself? I added this rule for testing and it didn't work:
First you have to carefully plan what you want to do regarding DNS.
Your default route is via the WAN. Assuming you are using DNSMasq for DNS resolution, DNSMasq will just follow the default route, so DNS resolution is via the WAN.
For your VPN clients you want DNS resolution via the VPN, and this DNS policy will take care of that, provided you have set an IPv4 and IPv6 DNS server on the WG interface; then those DNS servers are used by your VPN clients and it is routed via the VPN.
Clients using the WAN will just use DNSMasq and DNS is routed via the WAN, so effectively you have split DNS.
The router itself by default is also using DNSMasq for DNS resolution (this is configurable with option localuse; if this is set to 0 it disables the use of DNSMasq, and the router will then use the DNS servers set on the interfaces).
noresolv is only instructing DNSMasq not to use the DNS servers set on the interfaces, in which case you have to add a DNS server under DHCP and DNS > Forwards > DNS Forwards.
So it is not related to any routing or DNS leak.
If you want a PBR rule to have effect on a process on the router (DNSMasq, DNS resolution) you have to use a PBR Policy on the OUTPUT chain.
Bottom line: first carefully plan what you want. You can make it very complicated, but I am not sure if you should want that.
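The two points egc raises (a client steered into the VPN needs a dns_policy to the same interface, and a dns_policy keyed on the router's own IP never reaches dnsmasq on the router, which needs an OUTPUT-chain policy) plus the ordering of the poster's firewall rules can be checked mechanically. The linter below is an added example, not the pbr project's code; it parses the UCI text posted above and assumes fw4 evaluates rules in config order (first match wins).

```python
"""Lint a UCI config dump for the pbr/firewall pitfalls raised in this thread.
Added example, not pbr project code; assumes fw4 applies rules in config order
(first match wins) and that a dns_policy on the router's own IP misses dnsmasq."""
import re
ROUTER_IP = "192.168.1.1"  # the router's LAN address, as given in the thread
# Constructed sample: the poster's pbr and firewall sections, trimmed.
SAMPLE = """
config policy
	option name 'All LAN devices use VPN'
	option src_addr '@br-lan'
	option interface 'wg0'
config dns_policy
	option name 'Router itself uses WAN DNS'
	option src_addr '192.168.1.1'
	option dest_dns 'wan'
config rule
	option name 'No WAN/WAN6 for connected devices'
	option dest 'wan'
	option target 'REJECT'
config rule
	option name 'Router still allowed to access WAN/WAN6'
	list src_ip '192.168.1.1'
	option dest 'wan'
	option target 'ACCEPT'
"""
def parse_uci(text):
    """Return [(section_type, {key: value})]; a repeated list key keeps its last value."""
    sections = []
    for line in text.splitlines():
        if m := re.match(r"\s*config\s+(\S+)", line):
            sections.append((m.group(1), {}))
        elif (m := re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line)) and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def lint(text):
    secs = parse_uci(text)
    by = lambda kind: [o for t, o in secs if t == kind]
    dns, rules, findings = by("dns_policy"), by("rule"), []
    # A client steered into the VPN with no dns_policy to the same interface leaks DNS via WAN.
    for p in by("policy"):
        if not any(d.get("src_addr") == p.get("src_addr") and d.get("dest_dns") == p.get("interface") for d in dns):
            findings.append(f"dns-leak: {p.get('name')}")
    # A dns_policy keyed on the router's own IP cannot steer dnsmasq running on the router.
    findings += [f"router-needs-output-policy: {d.get('name')}" for d in dns if d.get("src_addr") == ROUTER_IP]
    # A REJECT with no src_ip listed before a narrower ACCEPT to the same zone shadows it.
    for i, r in enumerate(rules):
        if r.get("target") == "REJECT" and "src_ip" not in r:
            findings += [f"shadowed: {a.get('name')}" for a in rules[i + 1:] if a.get("target") == "ACCEPT" and a.get("dest") == r.get("dest")]
    return findings
```

Running lint(SAMPLE) reports all three issues for the posted config; a config whose VPN policy has a matching dns_policy and no shadowed rule returns an empty list.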