Route traffic required to re-establish Wireguard VPN through WAN instead of VPN when WG server IP changes

Hi all,

new here but have been using OpenWrt based devices for a while.

I own a GL.inet AR300M which I use as a router for all our family's devices when we are travelling.

The router connects to WAN either via the WiFi, LAN or USB tethering to an Android smartphone. The router will connect to a Wireguard server at our home (Opnsense) to provide access to our home network.

The challenge is that our home network is behind a dynamic IP address that will change every 24 hours (as many ISPs still do). The home firewall registers the IP address with a dynamic DNS service.

I have been using the GL.inet firmware previously but wasn't entirely happy with the sometimes somewhat unpredictable behavior of the modifications that the manufacturer made to the underlying OpenWrt.

So I took the plunge and installed vanilla OpenWrt 21.02.2 and it's been great so far.

I have two scenarios that I need to cover:

A) The travel router only routes traffic to our home network IP range via the Wireguard tunnel and automatically updates the Wireguard tunnel with the new WAN IP of our home router when the IP changes.

B) The travel router routes ALL traffic via the Wireguard tunnel and automatically updates the Wireguard tunnel with the new WAN IP of our home router when the IP changes.

I have managed to get (A) working fully with the help of wireguard_watchdog. That is, the Wireguard tunnel reconnects as soon as the dynamic DNS name of our home router resolves to the new/changed IP address.

I am struggling with (B). As all traffic is routed over the Wireguard tunnel, DNS resolution of the dynamic DNS name of our home router doesn't work when the home router's WAN IP changes, and the tunnel stops working.

I have looked at VPN policy-based routing and think that could solve this issue:

  • Route traffic to home router domain name via WAN
  • Route traffic to (Cloudflare DNS) used to resolve home router domain name via WAN
  • Route all other traffic via VPN

Looking at the VPN policy-based routing UI in LuCI I noticed that I have to specify which WAN interface to use. This could be either one of WWAN, WAN or TETHERING depending on where the travel router is used.

I was thinking of programmatically creating VPN policy-based routing configuration at the time when the Wireguard tunnel is established. I know that uci can be used for this approach. Is there any place where I can hook the code into, e.g. when the interface comes up or down?

Also, if there are any other ideas on how to solve this, I'd be most happy to hear them.

Thank you for your comments!

Use a public DNS to resolve your DDNS.

Thank you for your reply.

I am already doing that, as in setting the following option for DNSMASQ:

The problem is that the default gateway is set to the Wireguard tunnel to route ALL traffic through the VPN. Traffic to the public DNS server is routed through the Wireguard tunnel which is not working once the IP of the home router changes.

Traffic to the public DNS to resolve the new domain name needs to be routed via WAN instead of the VPN.

# add a static host route via the WAN interface (persisted in /etc/config/network)
uci add network route
uci set network.@route[-1].interface='wan'
# the public DNS server's IP goes here (left blank in the post)
uci set network.@route[-1].target=''
uci commit network
# bring the interface up again so netifd installs the new route
ifup wan
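The static route above only covers the case where the uplink is always `wan`, while the original post asks for a place to hook code in when an interface comes up. Both are served by an OpenWrt hotplug script, shown here as an added example that is not from any poster in this thread: netifd sources everything under /etc/hotplug.d/iface/ with ACTION and INTERFACE set, so the script can react to ifup on whichever uplink is active and install two /32 routes past the tunnel, one for the public resolver and one for the address the DDNS name currently resolves to. Assumptions: the file name 90-wg-bypass, the uplink names wan/wwan/tethering from the post, Cloudflare's 1.1.1.1 as the resolver (the thread names Cloudflare but gives no address), the placeholder DDNS name home.example.invalid, the sample nslookup output and addresses (constructed), and the OpenWrt helpers network_is_up, network_get_device and network_get_gateway from /lib/functions/network.sh.

```shell
#!/bin/sh
# Added example, not from this thread: /etc/hotplug.d/iface/90-wg-bypass (name assumed).
# Keeps two host routes on the current uplink so that resolving the DDNS name
# and reaching the WireGuard endpoint never enter the tunnel whose default
# route they would otherwise follow. Everything else still goes through the VPN.

UPLINKS="${UPLINKS:-wan wwan tethering}"        # interface names from the post
PUBLIC_DNS="${PUBLIC_DNS:-1.1.1.1}"             # Cloudflare resolver (assumed; thread gives no IP)
DDNS_NAME="${DDNS_NAME:-home.example.invalid}"  # placeholder DDNS name
IP_CMD="${IP_CMD:-ip}"                          # set to 'echo' for a dry run

# Constructed sample of BusyBox nslookup output, used to exercise the parser.
SAMPLE_NSLOOKUP='Server:    1.1.1.1
Address:   1.1.1.1:53

Non-authoritative answer:
Name:      home.example.invalid
Address: 203.0.113.10'

# Return 0 if $1 is one of the uplink interfaces we may route past the tunnel.
is_uplink() {
    for u in $UPLINKS; do
        [ "$1" = "$u" ] && return 0
    done
    return 1
}

# Extract the first IPv4 answer from BusyBox nslookup output, in either the
# "Address: x.x.x.x" or the older "Address 1: x.x.x.x name" layout. Lines
# before "Name:" belong to the header and carry the resolver's own address,
# so they are skipped; IPv6 answers are skipped as well.
parse_nslookup_ip() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { in_answer = 1; next }
        in_answer && /^Address/ {
            if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                print substr($0, RSTART, RLENGTH); exit
            }
        }'
}

# Ask PUBLIC_DNS directly (BusyBox: nslookup NAME SERVER), bypassing dnsmasq.
resolve_endpoint() {
    parse_nslookup_ip "$(nslookup "$DDNS_NAME" "$PUBLIC_DNS" 2>/dev/null)"
}

# Install a /32 route for every address in $3.. via gateway $2 on device $1.
# 'replace' makes the call idempotent, so it is safe to run repeatedly.
install_bypass_routes() {
    dev="$1"; gw="$2"; shift 2
    for addr in "$@"; do
        $IP_CMD route replace "$addr/32" via "$gw" dev "$dev"
    done
}

# Print the first uplink that netifd reports as up (needs network.sh helpers).
active_uplink() {
    for u in $UPLINKS; do
        network_is_up "$u" && { echo "$u"; return 0; }
    done
    return 1
}

refresh_bypass() {
    . /lib/functions/network.sh   # OpenWrt helpers: network_is_up, network_get_device, network_get_gateway
    up=$(active_uplink) || return 1
    network_get_device dev "$up"
    network_get_gateway gw "$up"
    [ -n "$dev" ] && [ -n "$gw" ] || return 1
    # Resolver route first, otherwise the lookup itself would go into the tunnel.
    install_bypass_routes "$dev" "$gw" "$PUBLIC_DNS"
    ep=$(resolve_endpoint) && [ -n "$ep" ] || return 1
    install_bypass_routes "$dev" "$gw" "$ep"
}

# Entry point: netifd sets ACTION/INTERFACE on hotplug; "refresh" is for cron or by hand.
case "${ACTION:-${1:-}}" in
    ifup)    is_uplink "$INTERFACE" && refresh_bypass ;;
    refresh) refresh_bypass ;;
esac
```

Install it as /etc/hotplug.d/iface/90-wg-bypass and also run `sh /etc/hotplug.d/iface/90-wg-bypass refresh` from cron next to wireguard_watchdog: the watchdog re-points the peer at the new address, but the handshake to that address only leaves via the uplink if its /32 route already exists, so the refresh should run at least as often as the watchdog. Only those two host routes leave the tunnel; the DNS query to the resolver crosses the untrusted uplink in cleartext, exposing nothing beyond the DDNS name, and the old endpoint's /32 lingers harmlessly until the next reboot.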