Routing all external traffic through vpn-client on different device?

Hi, so, in my quest for a network for my needs I have cheated a bit with openwrt.
These days I use this very fine indeed firmware and, of late, its wireguard capabilities.

Alas;

A WNDR3700 does not bestow me the oompf to utilize the full bandwidth of my internet hookup. Sure, I can buy a GL.iNet GL-B1300 for ~€90 and that would be ok.

However, I already got an Odroid N2 with CoreELEC that doesn't really stretch its legs.
CoreELEC does come with wireguard (or at least the 'nightly') and iptables.

Questions:

How do I route all my external-going traffic to the wireguard client (which connects to my VPN provider) on the N2, and then out into that vast sea of the internets?

Say;
openwrt is: 192.168.1.1
N2 is: 192.168.1.3
An eth-connected SoC: 192.168.1.2
(MySSID)radio0 with various clients all in 192.168.1.x

And I have my openwrt-router bridge connected as a wireless client (WWAN/radio1) to an AP from my isp.

Push a custom default gateway with DHCP options, or utilize policy-based routing.


Thanks for replying, could you expand your answer a bit?

By dhcp, do you suggest using the N2 as gateway... ?

How would you go about the policy routing?

The simplest method is to use the device which runs a VPN client as your default gateway.
You can change it on your current DHCP server with custom DHCP options as mentioned above.
Or you can disable the current DHCP server and delegate its role to your VPN client.


If it's this simple, dang I'm simple.

Thanks.

Well, my other DHCP clients were not at all impressed with my feat of getting wireguard going on another device.

As I told them by:

uci add_list dhcp.lan.dhcg_option=3,192.168.42.3

uci commit dhcp

Where do I go from here?

The gateway for LAN clients should have an IP address from the LAN pool.
You should use the LAN IP address of the WG client.


Yes they are all on the same 192.168.99.0/24.

You have a typo here, it should be dhcp_option.

It does not match your settings from above:


Corrected.

Section: /etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '100'
        option limit '150'
        option leasetime '15m'
        list dhcp_option '6,192.168.42.1'
        list dhcp_option '3,192.168.42.3'

Hm nope. On 192.168.1.3 I get:

wg0 inet addr:172.21.79.97

And it works:
I see my external IP by:
nslookup myip.opendns.com resolver1.opendns.com
And the grace of ping is bestowed upon me:

ping google.com
PING google.com (172.217.20.110): 56 data bytes
64 bytes from 172.217.20.110: seq=0 ttl=120 time=77.531 ms

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Without:

{
        "kernel": "5.4.50",
        "hostname": "ImAllOutOfLove",
        "system": "Atheros AR7161 rev 2",
        "model": "Netgear WNDR3700 v2",
        "board_name": "netgear,wndr3700-v2",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r13768-f632747704",
                "target": "ath79/generic",
                "description": "OpenWrt SNAPSHOT r13768-f632747704"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'boinc/48'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.42.1'
        option ifname 'eth0'
        list dns '192.168.42.1'

config device 'lan_eth0_dev'
        option name 'eth0'
        option macaddr 'ImSoLostWithOutYou'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

config switch_port
        option device 'switch0'
        option port '1'
        option led '6'

config switch_port
        option device 'switch0'
        option port '2'
        option led '9'

config switch_port
        option device 'switch0'
        option port '5'
        option led '2'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '192.168.42.1'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:11.0'
        option channel '10'
        option country 'IKnowYouWereRightBelievingForSoLong'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IamAllOutOfLoveWhatAmIWithoutYou'
        option encryption 'psk2'
        option key 'IcantBeToLateToSayIWasWrong'
        option network 'lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:12.0'
        option htmode 'HT20'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'sta'
        option ssid 'IWantYouToComeBackAndCarryMeHome'
        option key 'AwayFromThisLongLonelyNights'
        option encryption 'psk2'
        option network 'wwan'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '0'
        option localservice '1'
        option rebind_protection '0'
        option dnsforwardmax '9000'
        option noresolv '1'
        option localuse '1'
        option cachesize '0'
        list server '127.0.0.42#4242'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '100'
        option limit '150'
        option leasetime '15m'
        list dhcp_option '6,192.168.42.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config hosts be here like ImReachingForYouAreYouFeelingItToo

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.42.1/24 brd 192.168.42.255 scope global br-lan
       valid_lft forever preferred_lft forever
16: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.43.243/24 brd 192.168.43.255 scope global wlan0
       valid_lft forever preferred_lft forever
default via 192.168.43.1 dev wlan0 proto static src 192.168.43.243
192.168.42.0/24 dev br-lan proto kernel scope link src 192.168.42.1
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.243
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.42.0 dev br-lan table local proto kernel scope link src 192.168.42.1
local 192.168.42.1 dev br-lan table local proto kernel scope host src 192.168.42.1
broadcast 192.168.42.255 dev br-lan table local proto kernel scope link src 192.168.42.1
broadcast 192.168.43.0 dev wlan0 table local proto kernel scope link src 192.168.43.243
local 192.168.43.243 dev wlan0 table local proto kernel scope host src 192.168.43.243
broadcast 192.168.43.255 dev wlan0 table local proto kernel scope link src 192.168.43.243
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

With:
I guess it's the same but:

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '100'
        option limit '150'
        option leasetime '15m'
        list dhcp_option '6,192.168.42.1'
        list dhcp_option '3,192.168.42.3'

Remove that from lan and wwan; you are supposed to add there third-party nameservers reachable from the interfaces.

This is not needed, it advertises itself as nameserver anyway.

Option 3 for gateway is properly configured too. You can renew the dhcp on a lan host and verify by checking the routing table.


Like so;
/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'five/48'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.42.1'
	option ifname 'eth0'

config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr 'cat'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option blinkrate '2'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_port
	option device 'switch0'
	option port '1'
	option led '6'

config switch_port
	option device 'switch0'
	option port '2'
	option led '9'

config switch_port
	option device 'switch0'
	option port '5'
	option led '2'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'

And;
/etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '0'
	option localservice '1'
	option rebind_protection '0'
	option dnsforwardmax '9000'
	option noresolv '1'
	option localuse '1'
	option cachesize '0'
	list server '127.0.0.42#4242'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '100'
	option limit '150'
	option leasetime '15m'
	list dhcp_option '6,192.168.42.1'
	list dhcp_option '3,192.168.42.3'
	
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config hosts here

?

You may remove this, as it is the default behavior.
Other than that it looks fine.


Leave it that way for testing, but you probably want to revisit the issue since it is a DNS leak. The clients still use the ISP's DNS, so the names of the sites they visit can be monitored by the ISP or anyone eavesdropping on the ISP line.


Still no go, can't ping anything:

        "kernel": "5.4.50",
        "hostname": "Himma",
        "system": "Atheros AR7161 rev 2",
        "model": "Netgear WNDR3700 v2",
        "board_name": "netgear,wndr3700-v2",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r13768-f632747704",
                "target": "ath79/generic",
                "description": "OpenWrt SNAPSHOT r13768-f632747704"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'f'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.42.1'
        option ifname 'eth0'

config device 'lan_eth0_dev'
        option name 'eth0'
        option macaddr 'e'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

config switch_port
        option device 'switch0'
        option port '1'
        option led '6'

config switch_port
        option device 'switch0'
        option port '2'
        option led '9'

config switch_port
        option device 'switch0'
        option port '5'
        option led '2'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:11.0'
        option channel '10'
        option country 'Space'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'wrt'
        option encryption 'psk2'
        option key ''
        option network 'lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:12.0'
        option htmode 'HT20'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'sta'
        option ssid 'isp ap'
        option key ''
        option encryption 'psk2'
        option network 'wwan'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '0'
        option localservice '1'
        option rebind_protection '0'
        option dnsforwardmax '9000'
        option noresolv '1'
        option localuse '1'
        option cachesize '0'
        list server '127.0.0.42#4242'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '100'
        option limit '150'
        option leasetime '15m'
        list dhcp_option '3,192.168.42.3'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.42.1/24 brd 192.168.42.255 scope global br-lan
       valid_lft forever preferred_lft forever
16: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.43.243/24 brd 192.168.43.255 scope global wlan0
       valid_lft forever preferred_lft forever
default via 192.168.43.1 dev wlan0 proto static src 192.168.43.243
192.168.42.0/24 dev br-lan proto kernel scope link src 192.168.42.1
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.243
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.42.0 dev br-lan table local proto kernel scope link src 192.168.42.1
local 192.168.42.1 dev br-lan table local proto kernel scope host src 192.168.42.1
broadcast 192.168.42.255 dev br-lan table local proto kernel scope link src 192.168.42.1
broadcast 192.168.43.0 dev wlan0 table local proto kernel scope link src 192.168.43.243
local 192.168.43.243 dev wlan0 table local proto kernel scope host src 192.168.43.243
broadcast 192.168.43.255 dev wlan0 table local proto kernel scope link src 192.168.43.243
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Where do you see it leaks, and to what ip?

The to-be gateway device has the following iptables:
/etc/iptables/home.v4

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
:private-subnets - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tether -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j private-subnets
-A FORWARD -i tether -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tether -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j private-subnets
-A private-subnets -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

/etc/iptables/public.v4

# Netfilter rules for public "untrusted" networks
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow tethered Wifi AP
-A INPUT -i tether -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i tether -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tether -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tether -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o tether -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Block DOCKER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A DOCKER-USER -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

And I can make my own and save it in:
/storage/.config/iptables/rules.v4 for ipv4
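An added example, not code from this thread or from CoreELEC/OpenWrt, of the gateway side the answers above describe: a POSIX shell script for the WireGuard host that forwards LAN traffic into the tunnel only (rejecting any forward that would leave by another path, so nothing leaks if the tunnel is down), masquerades it, and checks that the host's own default route sits on the tunnel, as the "verify by checking the routing table" advice suggests. It assumes the host's LAN interface is named eth0 and the LAN is 192.168.42.0/24; wg0 is the tunnel name shown in the thread, and the DNS leak discussed above is not addressed by it.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: eth0 = the LAN
# interface of the WireGuard host, wg0 = the tunnel (as in the thread),
# 192.168.42.0/24 = the LAN the OpenWrt router serves.

# Print the iptables commands that make this host a LAN gateway whose only
# exit is the tunnel.  $1 = LAN interface, $2 = tunnel interface, $3 = LAN net.
# Rule order: return traffic first, then new LAN flows into the tunnel, then
# a kill switch that rejects LAN flows trying any other outgoing interface,
# and finally source NAT so the VPN peer routes replies back to the tunnel.
gen_gateway_cmds() {
    lan_if=$1; wg_if=$2; lan_net=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${lan_if} -s ${lan_net} -o ${wg_if} -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i ${lan_if} -s ${lan_net} ! -o ${wg_if} -j REJECT --reject-with icmp-net-unreachable
iptables -t nat -A POSTROUTING -s ${lan_net} -o ${wg_if} -j MASQUERADE
EOF
}

# Read the text of `ip -4 route` on stdin; succeed only if the default
# route leaves through interface $1.  Forwarded LAN packets follow the
# host's own default route, so if that is still on the physical uplink the
# kill switch above rejects them and "can't ping anything" is the result.
default_via_tunnel() {
    grep -qE "^default .*dev $1( |$)"
}

# Apply only when run explicitly as:  sh gateway.sh --apply
if [ "${1:-}" = "--apply" ]; then
    gen_gateway_cmds eth0 wg0 192.168.42.0/24 | sh -e
    ip -4 route | default_via_tunnel wg0 \
        || echo "warning: default route is not on wg0; LAN traffic will be rejected" >&2
fi
```

The generated rules append to whatever the existing rules.v4 already loads, so the host's own INPUT rules are left untouched.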