Route traffic from interface LAN via WAN, and from interface VPN1 via Wireguard

I had a similar problem to the one described in "Route traffic only from a specific VLAN through Wireguard interface".
I have created two interfaces (connected to different ports and wifi). Traffic from interface lan should be forwarded via wan, and traffic from interface vpn1 should be forwarded via the WireGuard interface wg1.
Fortunately, @vgaetera proposed a solution that worked for me too. But I have no clue why it worked.
Can anybody explain what the IPv4 (and IPv6) rules in LuCI "Network/routing" do?

The solution was:

# For both address families: keep lan and vpn1 in the main table, move
# wg1's routes (the default route from its allowed_ips) into table "default",
# and add a rule that sends packets arriving on vpn1 to that table.
for IPV in 4 6
do
	uci set network.lan.ip${IPV}table="main"
	uci set network.vpn1.ip${IPV}table="main"
	uci set network.wg1.ip${IPV}table="default"
	# ${IPV%4} is "" for IPv4 and "6" for IPv6, so the sections are "rule"/"rule6"
	uci -q delete network.wg1_rule${IPV%4}
	uci set network.wg1_rule${IPV%4}="rule${IPV%4}"
	uci set network.wg1_rule${IPV%4}.in="vpn1"
	uci set network.wg1_rule${IPV%4}.lookup="default"
	uci set network.wg1_rule${IPV%4}.priority="30000"
done
uci commit network
/etc/init.d/network restart

After the changes above, my /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd68:57b6:7991::/48'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.166.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ip4table 'main'
	option ip6table 'main'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 4'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 3 2'
	option vid '2'

config device
	option type 'bridge'
	option name 'br-vlan2'
	list ports 'eth0.2'

config interface 'vpn1'
	option proto 'static'
	option device 'br-vlan2'
	option ipaddr '192.168.165.1'
	option netmask '255.255.255.0'
	option ip4table 'main'
	option ip6table 'main'

config interface 'wg1'
	option proto 'wireguard'
	option private_key '<REDACTED>'
	list addresses '10.15.0.2/32'
	option ip4table 'default'
	option ip6table 'default'

config wireguard_wg1
	option description 'Vestervang'
	option public_key '<REDACTED>'
	option endpoint_host '<REDACTED>'
	option persistent_keepalive '25'
	option endpoint_port '52899'
	option route_allowed_ips '1'
	list allowed_ips '10.15.0.1/32'
	list allowed_ips '0.0.0.0/0'

config rule 'wg1_rule'
	option in 'vpn1'
	option lookup 'default'
	option priority '30000'

config rule6 'wg1_rule6'
	option in 'vpn1'
	option lookup 'default'
	option priority '30000'

/etc/config/firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'wg1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg1'
	option masq '1'
	option mtu_fix '1'
	option log '1'

config zone
	option name 'vpn1'
	option output 'ACCEPT'
	list network 'vpn1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'

config forwarding
	option src 'vpn1'
	option dest 'wg1'


... and then some standard Allow rules.

After the change, the output of route changed to:

default         192.168.91.5    0.0.0.0         UG    0      0        0 eth1
77.33.93.47     192.168.91.5    255.255.255.255 UGH   0      0        0 eth1
192.168.91.0    *               255.255.255.0   U     0      0        0 eth1
192.168.165.0   *               255.255.255.0   U     0      0        0 br-vlan2
192.168.166.0   *               255.255.255.0   U     0      0        0 br-lan

Before, there was an entry for the default route via wg1.

The change was that under the WireGuard interface wg1, Advanced Settings in LuCI, there is an option for overriding the routing table for the interface. This was set to a different routing table than the standard one (default instead of main).

So under "Routing" you set IPv4 and IPv6 rules that, in this case, make all incoming traffic on the interface vpn1 (in my case the VLAN interface) use the routing table "default". This makes the traffic be routed through the WireGuard interface wg1 because it has that routing table configured.


At first I thought you make all this happen under the Routing tab, but you have to create a new routing table or use one other than main, and then set the interface to use it under Advanced Settings.

You can see the exact changes reflected in your /etc/config/network. The firewall should not have anything to do with this other than allowing forwarding between the zones. The solution proposed by @vgaetera only changes the network config, not the config of the firewall.

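To make the mechanism behind the uci script at the top of the thread and the explanation above concrete, here is an added example that is not part of the thread: a small Python model of the Linux routing policy database (RPDB) lookup, loaded with the tables and the priority-30000 rule from the thread. It assumes that netifd maps the logical interface vpn1 to the device br-vlan2 (as the route output shows), the tables are constructed from the config posted above, and the extra kill-switch rule and the names resolve/egress are mine, not anything the thread configures.

```python
"""Added example (not from the thread): a model of the Linux routing policy
database (RPDB) lookup that the ip4table/ip6table options and the rule
section program, so the effect can be traced without a router."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NET = ipaddress.ip_network


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                      # egress device


@dataclass
class Rule:
    priority: int
    lookup: Optional[str] = None  # table to consult (uci "option lookup")
    iif: Optional[str] = None     # incoming device to match (uci "option in";
                                  # netifd resolves the logical name to a device)
    action: str = "lookup"        # "lookup", or "unreachable" (ip rule type)


def longest_match(table, dst):
    """Longest-prefix match of dst inside one routing table."""
    best = None
    for route in table:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def resolve(rules, tables, dst, iif):
    """Walk the rules in priority order the way the kernel does and return the
    egress device for dst arriving on iif, or 'unreachable'."""
    dst = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.iif is not None and rule.iif != iif:
            continue
        if rule.action == "unreachable":
            return "unreachable"
        route = longest_match(tables.get(rule.lookup, []), dst)
        if route is None:
            continue  # nothing in that table: the kernel goes on to the next rule
        return route.dev
    return "unreachable"


# Constructed tables mirroring the 'route' output and the wg1 config in the
# thread (wg1 has ip4table 'default' and route_allowed_ips '1' for 0.0.0.0/0,
# so its default route lands in table "default", not in "main").
LOCAL = [Route(NET("192.168.165.1/32"), "lo"), Route(NET("192.168.166.1/32"), "lo")]
MAIN = [
    Route(NET("0.0.0.0/0"), "eth1"),             # default via 192.168.91.5
    Route(NET("192.168.91.0/24"), "eth1"),
    Route(NET("192.168.165.0/24"), "br-vlan2"),  # vpn1
    Route(NET("192.168.166.0/24"), "br-lan"),    # lan
]
DEFAULT = [Route(NET("10.15.0.1/32"), "wg1"), Route(NET("0.0.0.0/0"), "wg1")]

# The kernel's built-in rules (0: local, 32766: main, 32767: default) plus
# the one the uci script adds: "in vpn1, lookup default, priority 30000".
BASE_RULES = [
    Rule(0, lookup="local"),
    Rule(30000, lookup="default", iif="br-vlan2"),
    Rule(32766, lookup="main"),
    Rule(32767, lookup="default"),
]
# Hypothetical hardening rule (not in the thread): if table "default" has
# no usable route, refuse instead of falling through to "main".
KILL_SWITCH = Rule(30001, iif="br-vlan2", action="unreachable")


def egress(dst, iif, wg_up=True, kill_switch=False):
    """Egress device for a packet; wg_up=False models wg1 being down, which
    removes its routes from table "default"."""
    tables = {"local": LOCAL, "main": MAIN, "default": DEFAULT if wg_up else []}
    rules = BASE_RULES + ([KILL_SWITCH] if kill_switch else [])
    return resolve(rules, tables, dst, iif)


if __name__ == "__main__":
    for dst, iif, up, ks in [("1.1.1.1", "br-vlan2", True, False),
                             ("1.1.1.1", "br-lan", True, False),
                             ("192.168.166.20", "br-vlan2", True, False),
                             ("1.1.1.1", "br-vlan2", False, False),
                             ("1.1.1.1", "br-vlan2", False, True)]:
        print(f"{dst:>15} in {iif:<8} wg_up={up!s:<5} kill_switch={ks!s:<5} -> {egress(dst, iif, up, ks)}")
```

Running it shows two things the thread does not spell out. First, a rule whose table has no matching route does not stop the lookup; the kernel continues with the next rule. So if wg1 goes down and its default route disappears from table "default", packets from vpn1 fall through to "main" and would leave via eth1. In this thread the firewall catches that, because the vpn1 zone only forwards to the wg1 zone, so keep that forwarding tight even though the routing looks right; an "ip rule add iif br-vlan2 unreachable priority 30001" (an iproute2 rule type; OpenWrt's rule section exposes the same thing through its action option, as far as I recall) closes the gap at the routing layer as well. Second, table "default" holds only the wg1 routes, so a vpn1 client addressing a lan host 192.168.166.x is also sent into the tunnel; the router's own addresses still work because the local table is consulted first. On the router, check the live state with "ip rule show", "ip route show table default" and "ip route get 1.1.1.1 from 192.168.165.10 iif br-vlan2".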

Thank you for your help @GasGas277
I was not aware of the concept of multiple routing tables, but your explanation helped me to catch up.

You're welcome! Nice to help.

@GasGas277 Thanks Jerry, I spent hours on the net before finding this simple and elegant solution.
Some videos use policy-based routing, which sounds like it may work, but sounds more complicated.
Well, thanks, and I hope others find this. Also maybe the need for this "fix" may go away over time.
Torsten
