Routing a LAN Device flows to another LAN interface

Hello,

I have 2 interfaces :
-> LAN1
-> LAN2 (WireGuard Client)

Here is what I want :
When a specific device on LAN1 communicates over the Internet with a specific IP, I want that traffic to be routed through the LAN2 interface.
This will allow that specific flow to go through the VPN tunnel.

How can I route a specific device's traffic from LAN1 through LAN2?

Thank you for your help.

It is not very clear what you are trying to do.
On LAN1 and LAN2 ports there are lan hosts connected, right? And you have made some policy based routing to redirect the traffic of LAN2 towards some vpn server?

There are connected hosts on LAN1.
LAN2 is the WireGuard client. In fact, OpenWRT connects itself as a client to a WireGuard server located elsewhere.
The connection between WireGuard client and server is UP and running.

I would like a host on LAN1 to send specific traffic (identified by destination IP) through the LAN2 WireGuard client to the server.
I don't want that traffic to go through the normal Internet connection as the rest of the traffic does.

Is it possible ?

I had not installed these packages: vpn-policy-routing luci-app-vpn-policy-routing
They should enable policy-based routing; I will try this and see if it helps.
Thanks.

This is a bit confusing. It would be better to post the following so we can get a clearer picture.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
        "kernel": "5.4.154",
        "hostname": "OpenWRT",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v4",
        "board_name": "tplink,archer-c7-v4",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.1",
                "revision": "r16325-88151b8303",
                "target": "ath79/generic",
                "description": "OpenWrt 21.02.1 r16325-88151b8303"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'eth0.1'
        option ipaddr '192.168.20.1'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option delegate '0'

config device
        option name 'eth0.2'
        option macaddr 'ff:ff:ff:ff:ff:ff'
        option ipv6 '0'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option description 'LAN'
        option ports '0t 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'
        option description 'WAN'

config device
        option name 'eth0.1'
        option type '8021q'
        option ifname 'eth0'
        option vid '1'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config interface 'VPN_WG'
        option proto 'wireguard'
        option private_key 'ifghxligigblixbgxlibixlbgxib'
        list addresses '192.168.48.54/32'
        option mtu '1360'
        option peerdns '0'
        list dns '218.15.24.253'

config wireguard_VPN_WG
        option public_key '6xhb65g41f6gf46hf4g6hf6fg4h6fgh'
        option preshared_key 'x4hg3t8f4thf38g48h4hfhfjhyjgyhjgjyghjy'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '192.168.48.25/27'
        list allowed_ips '192.168.1.0/24'
        option endpoint_host '88.150.152.122'
        option endpoint_port '15845'
        option persistent_keepalive '25'

config device
        option name 'VPN_WG'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '1.1.1.1'
        list server '1.0.0.1'
        option cachesize '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option force '1'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disable_ipv6 '1'
        option synflood_protect '1'
        option flow_offloading '1'
        option drop_invalid '1'

config zone 'lan'
        option name 'lan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'ACCEPT'
        option family 'ipv4'
        list network 'lan'

config zone
        option name 'WGLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VPN_WG'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option input 'DROP'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option family 'ipv4'
        list network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'

config rule
        option name 'WGLAN 2 WAN'
        option src 'WGLAN'
        option dest 'wan'
        option target 'ACCEPT'

config rule
        list proto 'udp'
        option src 'lan'
        option dest 'wan'
        option dest_port '123'
        option target 'ACCEPT'
        option family 'ipv4'
        option name 'Allow-LAN-NTP'

config rule
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'lan'
        option dest 'wan'
        option proto 'icmp'
        option name 'Allow-LAN-ICMP'
        list icmp_type 'echo-request'

config rule
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'lan'
        option dest 'wan'
        option dest_port '80 443'
        option name 'Allow-LAN-HTTP(S)'

config rule
        option target 'DROP'
        option src 'lan'
        option dest 'wan'
        option name 'Drop-LAN-2-WAN'
        list proto 'all'

config rule
        option name 'DROP-WAN-2-Device'
        list proto 'all'
        option src 'wan'
        option target 'DROP'

config rule
        option name 'DROP-WAN-2-Zones'
        list proto 'all'
        option src 'wan'
        option dest '*'
        option target 'DROP'

config include
        option path '/etc/firewall.user'


# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# Device IP address
#IP="192.168.100.150"
#IP="192.168.40.197"

# Log traffic device => router
#iptables -A input_rule -s "$IP" -m limit --limit 100/sec -j LOG --log-prefix "router:"
#iptables -A input_rule -s "$IP" -m limit --limit 100/sec -j LOG --log-prefix "LAN3:"
#iptables -A output_rule -s "$IP" -m limit --limit 100/sec -j LOG --log-prefix "LAN3:"
#iptables -A forwarding_rule -s "$IP" -m limit --limit 100/sec -j LOG --log-prefix "LAN3:"


# Log traffic device => internet
#iptables -A forwarding_rule -s "$IP" -m limit --limit 100/sec -j LOG --log-prefix "internet:"
#iptables -A output_rule -s "$IP" -m limit --limit 100/sec -j LOG --log-prefix "WAN:"
#iptables -A forwarding_rule -s "$IP" -m limit --limit 100/sec -j LOG --log-prefix "WAN:"
#iptables -A output_rule -s "$IP" -m limit --limit 100/sec -j LOG --log-prefix "WAN:"
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.20.1/24 brd 192.168.20.255 scope global eth0.1
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.74/24 brd 192.168.10.255 scope global eth0.2
       valid_lft forever preferred_lft forever
19: VPN_WG: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1360 qdisc noqueue state UNKNOWN qlen 1000
    inet 192.168.48.54/32 brd 255.255.255.255 scope global VPN_WG
       valid_lft forever preferred_lft forever
default via 192.168.10.1 dev eth0.2  src 192.168.10.74
88.150.152.122 via 192.168.10.1 dev eth0.2
192.168.10.0/24 dev eth0.2 scope link  src 192.168.10.74
192.168.20.0/24 dev eth0.1 scope link  src 192.168.20.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.10.0 dev eth0.2 table local scope link  src 192.168.10.74
local 192.168.10.74 dev eth0.2 table local scope host  src 192.168.10.74
broadcast 192.168.10.255 dev eth0.2 table local scope link  src 192.168.10.74
broadcast 192.168.20.0 dev eth0.1 table local scope link  src 192.168.20.1
local 192.168.20.1 dev eth0.1 table local scope host  src 192.168.20.1
broadcast 192.168.20.255 dev eth0.1 table local scope link  src 192.168.20.1
local 192.168.48.54 dev VPN_WG table local scope host  src 192.168.48.54
BusyBox v1.33.2 (2022-01-18 14:09:15 UTC) multi-call binary.

Usage: ip [OPTIONS] address|route|link|neigh|rule [ARGS]

OPTIONS := -f[amily] inet|inet6|link | -o[neline]

ip addr add|del IFADDR dev IFACE | show|flush [dev IFACE] [to PREFIX]
ip route list|flush|add|del|change|append|replace|test ROUTE
ip link set IFACE [up|down] [arp on|off] [multicast on|off]
        [promisc on|off] [mtu NUM] [name NAME] [qlen NUM] [address MAC]
        [master IFACE | nomaster]
ip neigh show|flush [to PREFIX] [dev DEV] [nud STATE]
ip rule [list] | add|del SELECTOR ACTION
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'eth0.1'
        option ipaddr '192.168.20.1'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option delegate '0'

config device
        option name 'eth0.2'
        option macaddr 'ff:ff:ff:ff:ff:ff'
        option ipv6 '0'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option description 'LAN'
        option ports '0t 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'
        option description 'WAN'

config device
        option name 'eth0.1'
        option type '8021q'
        option ifname 'eth0'
        option vid '1'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config interface 'VPN_WG'
        option proto 'wireguard'
        option private_key 'ifghxligigblixbgxlibixlbgxib'
        list addresses '192.168.48.54/32'
        option mtu '1360'
        option peerdns '0'
        list dns '218.15.24.253'

config wireguard_VPN_WG
        option public_key '6xhb65g41f6gf46hf4g6hf6fg4h6fgh'
        option preshared_key 'x4hg3t8f4thf38g48h4hfhfjhyjgyhjgjyghjy'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '192.168.48.25/27'
        list allowed_ips '192.168.1.0/24'
        option endpoint_host '88.150.152.122'
        option endpoint_port '15845'
        option persistent_keepalive '25'

config device
        option name 'VPN_WG'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '1.1.1.1'
        list server '1.0.0.1'
        option cachesize '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option force '1'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disable_ipv6 '1'
        option synflood_protect '1'
        option flow_offloading '1'
        option drop_invalid '1'

config zone 'lan'
        option name 'lan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'ACCEPT'
        option family 'ipv4'
        list network 'lan'

config zone
        option name 'WGLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VPN_WG'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option input 'DROP'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option family 'ipv4'
        list network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'

config rule
        option name 'WGLAN 2 WAN'
        option src 'WGLAN'
        option dest 'wan'
        option target 'ACCEPT'

config rule
        list proto 'udp'
        option src 'lan'
        option dest 'wan'
        option dest_port '123'
        option target 'ACCEPT'
        option family 'ipv4'
        option name 'Allow-LAN-NTP'

config rule
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'lan'
        option dest 'wan'
        option proto 'icmp'
        option name 'Allow-LAN-ICMP'
        list icmp_type 'echo-request'

config rule
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'lan'
        option dest 'wan'
        option dest_port '80 443'
        option name 'Allow-LAN-HTTP(S)'

config rule
        option target 'DROP'
        option src 'lan'
        option dest 'wan'
        option name 'Drop-LAN-2-WAN'
        list proto 'all'

config rule
        option name 'DROP-WAN-2-Device'
        list proto 'all'
        option src 'wan'
        option target 'DROP'

config rule
        option name 'DROP-WAN-2-Zones'
        list proto 'all'
        option src 'wan'
        option dest '*'
        option target 'DROP'

config include
        option path '/etc/firewall.user'


# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.20.1/24 brd 192.168.20.255 scope global eth0.1
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.74/24 brd 192.168.10.255 scope global eth0.2
       valid_lft forever preferred_lft forever
19: VPN_WG: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1360 qdisc noqueue state UNKNOWN qlen 1000
    inet 192.168.48.54/32 brd 255.255.255.255 scope global VPN_WG
       valid_lft forever preferred_lft forever
default via 192.168.10.1 dev eth0.2  src 192.168.10.74
88.150.152.122 via 192.168.10.1 dev eth0.2
192.168.10.0/24 dev eth0.2 scope link  src 192.168.10.74
192.168.20.0/24 dev eth0.1 scope link  src 192.168.20.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.10.0 dev eth0.2 table local scope link  src 192.168.10.74
local 192.168.10.74 dev eth0.2 table local scope host  src 192.168.10.74
broadcast 192.168.10.255 dev eth0.2 table local scope link  src 192.168.10.74
broadcast 192.168.20.0 dev eth0.1 table local scope link  src 192.168.20.1
local 192.168.20.1 dev eth0.1 table local scope host  src 192.168.20.1
broadcast 192.168.20.255 dev eth0.1 table local scope link  src 192.168.20.1
local 192.168.48.54 dev VPN_WG table local scope host  src 192.168.48.54
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

In the output above:

  • LAN1 = LAN
  • LAN2 = VPN_WG

I want the traffic of one specific LAN-connected host to go through the VPN only.
Can you help me please ?

Thank you.

WG is routed over wan interface. You need to do policy based routing. Since LAN1 and LAN2 both belong to the lan interface, you can either create another vlan for the LAN2 port, or specify the IP addresses that are connected on LAN2 and divert them to the WG tunnel. A few remarks:

  1. dns 1.1.1.1 and 1.0.0.1 don't need to be on the lan interface; having them on wan is enough.
  2. These allowed IPs are not needed as you allow 0.0.0.0/0 through the tunnel.
  1. Having input ACCEPT on the WGLAN zone in the firewall might not be a good idea: with allowed_ips 0.0.0.0/0 on the peer, anything arriving through the tunnel can then reach the router's own services.
  2. Also you might need masquerade on wglan zone, if the upstream server doesn't have a route for your lan addresses.
  3. rule WGLAN 2 WAN is not needed, unless you have incoming traffic from the WG that needs to be routed to the internet through your wan.
  4. rule Drop-LAN-2-WAN is not needed, there is no forwarding from lan to wan anyway and the global forward policy is to reject.
  5. same for DROP-WAN-2-Zones.
  6. There is no forwarding from lan to WGLAN.

I've got a somewhat similar setup. Some caveats though:

  • Device running OpenWRT is not the default gateway for my LAN devices; it mostly acts just as a layer 2 switch.
  • Device running OpenWRT acts as a DHCP server for the LAN devices (via dnsmasq of course)
  • Device running OpenWRT has no WAN interface, because it is mostly just a layer 2 switch

Here's the simplified setup:

Internet ==> 10.0.0.1/24 [GW] ==> 10.0.0.2/24 [WRT]

  • 10.0.0.1/24 - ISP provided gateway, default gateway for most of the LAN devices; also the only WiFi access point. Let's call it [GW]
  • 10.0.0.2/24 - OpenWRT device. Connected to 10.0.0.1 [GW] via ethernet, also has some devices connected to it via ethernet. Gives out DHCP in 10.0.0.0/24 space. Let's call it [WRT]

Let's say normally DHCP will be given out in range of 10.0.0.100 -- 10.0.0.250. However some devices have static leases configured, all in the range of 10.0.0.48/29 (10.0.0.49 to 10.0.0.54).

[WRT] is a 'peer' of WireGuard server somewhere on the web, let's call that server [WG].

I want all traffic from any LAN device with an IP within 10.0.0.48/29 to be routed to Wireguard server.

My configuration


/etc/config/network

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.0.0.2'
        option gateway '10.0.0.1'
        option delegate '0'
        option device 'br-lan'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        option sendredirects '0'
        option ipv6 '0'
        option rpfilter 'loose'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list addresses '192.168.100.3'
        option peerdns '0'
        list dns '1.1.1.1'
        option delegate '0'

config wireguard_wg0
        option description 'wg_server'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '198.51.100.50'
        option endpoint_port '60000'
        option persistent_keepalive '21'

config route
        option interface 'wg0'
        option target '192.168.100.0/24'

config route
        option interface 'wg0'
        option target '0.0.0.0/0'
        option table '105'
        option gateway '192.168.100.3'

config rule
        option in 'lan'
        option src '10.0.0.48/29'
        option lookup '105'


/etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        list dhcp_option '3,10.0.0.1'
        list dhcp_option '121,192.168.100.0/24,10.0.0.2'
        list dhcp_option '6,1.1.1.1,1.0.0.1'
        list ra_flags 'none'


config tag 'tag1'
        option dhcp_option '6,1.1.1.2,9.9.9.9'
        option dhcp_option '3,10.0.0.2'

config host
        option name 'some_device_1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '10.0.0.49'
        option tag 'tag1'

config host
        option name 'some_device_2'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '10.0.0.50'
        option tag 'tag1'

/etc/config/firewall

config zone
        option name 'wg0'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        list network 'wg0'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'


config forwarding
        option src 'lan'
        option dest 'wg0'

config nat
        option name 'WG'
        option target 'MASQUERADE'
        option src_ip '10.0.0.48/29'
        option src '*'
        list proto 'all'
        option device 'wg0'

So the relevant parts are:


in /etc/config/dhcp

list dhcp_option '3,10.0.0.1' - says to advertise default gateway of 10.0.0.1 to DHCP clients
list dhcp_option '121,192.168.100.0/24,10.0.0.2' - advertise a static route to DHCP clients; wireguard LAN subnet 192.168.100.0/24 is reached via 10.0.0.2 [WRT]. This is so my LAN devices have a way to reach WireGuard peers in 192.168.100.0/24

The section below creates a special tag for some devices and advertises a default gateway of 10.0.0.2 [WRT] to them. Some devices then have a static lease configured and tagged so that the custom default-gateway option applies to them.

config tag 'tag1'
        option dhcp_option '6,1.1.1.2,9.9.9.9'
        option dhcp_option '3,10.0.0.2'

config host
        option name 'some_device_1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '10.0.0.49'
        option tag 'tag1'

So now I know which devices need to route via WireGuard to reach the internet (only those with an IP within 10.0.0.48/29). All these devices now have [WRT] set up as their default gateway by means of dnsmasq.

in /etc/config/network


I created a route in table 105, basically saying "send all traffic to 192.168.100.3 via the wg0 interface":

config route
        option interface 'wg0'
        option target '0.0.0.0/0'
        option table '105'
        option gateway '192.168.100.3'

I then created a rule, saying "any traffic originating from LAN with a source IP of 10.0.0.48/29 - lookup table 105"

config rule
        option in 'lan'
        option src '10.0.0.48/29'
        option lookup '105'

in /etc/config/firewall


I NAT any LAN traffic from 10.0.0.48/29, rewriting the source IP to the router's wg0 interface IP (192.168.100.3). For my purposes, NAT'ing is not a problem; I don't really need devices from the WireGuard subnet reaching my LAN.

config nat
        option name 'WG'
        option target 'MASQUERADE'
        option src_ip '10.0.0.48/29'
        option src '*'
        list proto 'all'
        option device 'wg0'

Final Summary

So in brief: most of the LAN devices get advertised a default gateway of 10.0.0.1 - which is my ISP provided gateway; thus completely bypassing my OpenWRT box for anything layer 3. These devices do get advertised a route, so they can reach just the WireGuard LAN.

However some devices are configured to have static leases in 10.0.0.48/29 range, these get advertised 10.0.0.2 as their gateway - which is my OpenWRT box.

OpenWRT box has a rule to route any traffic from 10.0.0.48/29 devices via wireguard interface. This traffic is NAT'ed, rewriting the source IP to the IP of the wg0 interface on the WRT box.

Sorry for a lengthy post, but I really hope it helps or at least gives you some ideas.