Route Wireguard traffic with specific WAN

Hi Team,
Could anyone please help me with the below scenario?

I have an OpenWRT device with wireguard-tools installed. I have a couple of WANs running on my device with mwan3 support.
I have established two WireGuard (wg1 & wg2) connections with one OpenWRT VM running in AWS with a public subnet.

The thing is I need to route wg1 traffic via 1 WAN and wg2 traffic via the other WAN in my device.
How can I achieve this case?

I have also tried to achieve the above scenario using vpn-policy-routing,
but it doesn't work fine.

Thanks in advance for your valuable help.

What about adding static routes using interface-based routing?

ip r add {wg1 server ip} dev eth1
ip r add {wg2 server ip} dev eth2

You may need to remove the automatically created routes for wgX server IPs.

@AndrewZ
Thanks for your reply!!!
Yes, that's possible,
but consider that our topology is something like this.
[image: topology]

If I add routes, it will be like:

ip route add 34.215.109.116 dev eth1 metric 10
ip route add 34.215.109.116 dev eth2 metric 11

Only with different metrics is it possible to add routes for the same destination IP.
Even if I add it like this, the first route is via eth1, so all my WireGuard traffic will go through eth1 only.
Am I right?

Right, in this case it will be a failover between the two links.
I cannot experiment right now, so I'm just thinking out loud. What if you set different fixed source ports for the clients and use that port as a criterion in the firewall rule?

You have the rules for a specific protocol (UDP) and port number, but ping uses ICMP, so you need to use something like nmap instead of ping.

But all the WireGuard traffic will be sent as UDP traffic, right?
So I decided to use UDP as the protocol.
If you look at the tcpdump packet capture, the WireGuard packets are UDP.

My bad. I mean if you want to test your policy routing without wireguard then you will need something like nmap.

How shall I use nmap for this scenario?

nmap is just a test tool, you can run it like this:
nmap -sU -g {source port} -p {server port} {server ip}

But here you can probably find a solution for your specific use case: Custom firewall rule to route one lan ip to wan2 - #7 by ne20002

Seems this will be helpful.
As per their configuration, are they doing this in the firewall config file?

config route
	option table '210'
	option netmask '0.0.0.0'
	option target '0.0.0.0'
	option gateway '192.168.34.71'
	option interface 'wg1'

config route6
	option target '::/0'
	option table '210'
	option gateway 'fd42:0:0:34::71'
	option interface 'wg1'

config rule
	option src '192.168.47.31/32'
	option priority '210'
	option lookup '210'

config rule6
	option src 'fd42:0:0:47::31/128'
	option priority '210'
	option lookup '210'

Because I wonder whether the OpenWrt firewall config has a config route section.

That goes into /etc/config/network.
The whole idea as I see it: you need a firewall rule to mark the traffic you care about, then in the routing rule you refer to that marking instead of source ip.
See Adding a rule and a static route to... route all packets from a host through a specific wireguard interface. How?

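Putting the mark-then-route idea from the reply above into the thread's two-tunnel case, as an added example (not configuration from the thread or from pavelgl's solution): the firewall marks the UDP packets each tunnel sends from its own listen_port, and the network config sends each mark out of its own WAN. Listen ports, interface names 'wan' and 'wanb', gateway addresses and table numbers are assumptions.

```uci
# /etc/config/firewall: added example, not configuration from the thread.
# Mark the UDP packets the router itself sends from each tunnel's listen_port
# (assumed: wg1 listens on 51821, wg2 on 51822). No 'src' option means the
# rule applies to locally generated (output) traffic. Marks stay in the low
# byte because mwan3 reserves its own bits (mmx_mask, default 0x3F00).
config rule
	option name 'mark-wg1'
	option proto 'udp'
	option src_port '51821'
	option dest '*'
	option target 'MARK'
	option set_mark '0x1/0xff'

config rule
	option name 'mark-wg2'
	option proto 'udp'
	option src_port '51822'
	option dest '*'
	option target 'MARK'
	option set_mark '0x2/0xff'

# /etc/config/network: one routing table per WAN. Interface names 'wan'
# and 'wanb', gateway addresses and table numbers are assumptions; take them
# from your own WAN sections.
config route
	option interface 'wan'
	option target '0.0.0.0/0'
	option gateway '203.0.113.1'
	option table '101'

config route
	option interface 'wanb'
	option target '0.0.0.0/0'
	option gateway '198.51.100.1'
	option table '102'

# Policy rules keyed on the mark instead of a source IP. Priority 10 sits
# before mwan3's own rules (1001 and up), so marked packets are not
# re-steered by mwan3 failover.
config rule
	option mark '0x1/0xff'
	option lookup '101'
	option priority '10'

config rule
	option mark '0x2/0xff'
	option lookup '102'
	option priority '10'
```

After restarting the firewall and network services, `ip rule` and `ip route show table 101` show the installed policy, and a tcpdump on each WAN confirms which tunnel's handshakes leave it. The wireguard proto in /etc/config/network also accepts `option fwmark`, which marks a tunnel's encapsulated packets directly and can replace the two firewall rules.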

This topic has a solution at: Route Wireguard traffic to specific WAN based on port number - #2 by pavelgl