Routing issues

Hi. I'm trying to route tagged traffic through the wg_vps interface.

Interface configuration:

config interface 'wg_vps'
    option proto 'wireguard'
    option private_key '****'
    list addresses '10.8.1.2/32'
    list dns '8.8.8.8'
    option nohostroute '1'
    option defaultroute '0'

Peer configuration:

config wireguard_wg_vps
    option description 'vps'
    option public_key '****'
    option persistent_keepalive '20'
    option endpoint_host '*.*.*.*'
    option endpoint_port '52326'

I created a routing table named "vpn" and added a rule:

config rule
    option priority '100'
    option lookup 'vpn'
    option mark '0x1'

And a route:

config route
    option interface 'wg_vps'
    option target '0.0.0.0/0'
    option table 'vpn'

After that, when I check the routing table:

root@OpenWrt:~# ip route show table vpn
default dev wg_vps proto static scope link

The marked traffic is indeed routed through wg_vps, but I get a "Destination host unreachable" error.

However, the tunnel works well with manually added allowed_ips:

option route_allowed_ips '1'
list allowed_ips '172.217.168.46/32'

What am I missing?

Are you saying you don't allow 0.0.0.0/0 - only the single IP?

You have rules in place to actually mark the traffic?

It can help if we can see your configs. Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show

Note: instead of making a table with a default route:

You can also use Option4table and Option6Table (on the Interface Advanced tab: Override IPv4/6 routing table), which will create a vpn table with a default route.
In that case, make sure you enable the default route via the vpn with Allowed IPs 0.0.0.0/0, ::/0 and enable Route Allowed IPs.


Sure

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "OpenWrt",
        "system": "UBNT_E300 (CN7030p1.2-1000-AAP)",
        "model": "Ubiquiti EdgeRouter 4",
        "board_name": "ubnt,edgerouter-4",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "octeon/generic",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd57:d4b:590d::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'lan0'
        option proto 'dhcp'

config interface 'wg_vps'
        option proto 'wireguard'
        option private_key '****'
        list addresses '10.8.1.2/32'
        list dns '8.8.8.8'
        option nohostroute '1'
        option defaultroute '0'

config wireguard_wg_vps
        option description 'vps'
        option public_key '****'
        option persistent_keepalive '20'
        option endpoint_host '*.*.*.*'
        option endpoint_port '52326'

config rule
        option priority '100'
        option lookup 'vpn'
        option mark '0x1'
        option disabled '1'

config route
        option interface 'wg_vps'
        option target '0.0.0.0/0'
        option table 'vpn'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn_client'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wg_vps'

config forwarding
        option src 'lan'
        option dest 'vpn_client'

config ipset
        option name 'vpn'
        option family 'ipv4'
        list match 'dest_net'

config rule
        option name 'mark_vpn'
        option family 'ipv4'
        list proto 'all'
        option src 'lan'
        option ipset 'vpn'
        option dest '*'
        option target 'MARK'
        option set_mark '0x1'
root@OpenWrt:~# ip route show
default via *.*.*.* dev lan0 proto static src *.*.*.*
*.*.*.*/22 dev lan0 proto kernel scope link src *.*.*.*
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
root@OpenWrt:~# ip route show table all
default dev wg_vps table vpn proto static scope link
default via *.*.*.* dev lan0 proto static src *.*.*.*
*.*.*.*/22 dev lan0 proto kernel scope link src *.*.*.*
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
local *.*.*.* dev lan0 table local proto kernel scope host src *.*.*.*
broadcast *.*.*.* dev lan0 table local proto kernel scope link src *.*.*.*
local 10.8.1.2 dev wg_vps table local proto kernel scope host src 10.8.1.2
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
fd57:d4b:590d::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd57:d4b:590d::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev lan0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd57:d4b:590d:: dev br-lan table local proto kernel metric 0 pref medium
local fd57:d4b:590d::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev lan0 table local proto kernel metric 0 pref medium
local fe80::1ae8:29ff:febc:33e6 dev lan0 table local proto kernel metric 0 pref medium
local fe80::1ae8:29ff:febc:33e7 dev br-lan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev lan0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg_vps table local proto kernel metric 256 pref medium
root@OpenWrt:~# ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~# wg show
interface: wg_vps
  public key: ****
  private key: (hidden)
  listening port: 47841

peer: ****
  endpoint: ****
  latest handshake: 5 seconds ago
  transfer: 11.82 KiB received, 33.13 KiB sent
  persistent keepalive: every 20 seconds

• Is there a reason you added an ipset to your mark rule?
• Are you trying to specify traffic by their DST IP?
• If so, why do you mark too?

Change 10.8.1.2/32 to 10.8.1.2/24.
You can remove option nohostroute '1' and remove option defaultroute '0'.

You have to add Allowed IPs '0.0.0.0/0'.

I see that ip rule for marked traffic is disabled.

If you want to route e.g. your lan via the tunnel you can also use a rule like:

config rule
    option in 'lan'
    option lookup 'vpn'

In which case you do not have to mark the traffic first.
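An added diagnostic (example code of my own, not from the thread or from OpenWrt) that checks the two points raised in this reply against a constructed copy of the posted UCI: whether an active ip rule selects table vpn, and whether a peer's allowed_ips covers the destination, since WireGuard's cryptokey routing drops any packet whose destination no peer is allowed to carry. `UCI_NETWORK`, `parse_uci` and `diagnose` are names I chose for the example.

```python
import ipaddress

# Constructed UCI snippet mirroring the thread's /etc/config/network (not the poster's file).
UCI_NETWORK = """
config interface 'wg_vps'
        list addresses '10.8.1.2/32'
config wireguard_wg_vps
        list allowed_ips '172.217.168.46/32'
config rule
        option lookup 'vpn'
        option mark '0x1'
        option disabled '1'
config route
        option interface 'wg_vps'
        option target '0.0.0.0/0'
        option table 'vpn'
"""

def parse_uci(text):
    """Parse UCI text into (section_type, {key: [values]}) pairs."""
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if parts[:1] == ["config"]:
            sections.append((parts[1], {}))
        elif len(parts) == 3 and parts[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(parts[1], []).append(parts[2].strip("'"))
    return sections

def diagnose(uci_text, dst):
    """Return why a packet to dst would not reach the peer through the tunnel."""
    sections = parse_uci(uci_text)
    dst_ip = ipaddress.ip_address(dst)
    findings = []
    # 1. The policy rule selecting table 'vpn' must exist and not be disabled.
    rules = [s for t, s in sections if t == "rule" and s.get("lookup") == ["vpn"]]
    if all(r.get("disabled") == ["1"] for r in rules):  # also true with no rule at all
        findings.append("no active ip rule selects table vpn")
    # 2. A route in table 'vpn' must send dst to the WireGuard interface.
    routes = [s for t, s in sections if t == "route" and s.get("table") == ["vpn"]]
    hit = [r for r in routes if dst_ip in ipaddress.ip_network(r["target"][0])]
    if not hit:
        return findings + ["no route in table vpn covers destination"]
    # 3. Cryptokey routing: a peer's allowed_ips must cover dst or WireGuard drops the packet.
    peers = [s for t, s in sections if t == "wireguard_" + hit[0]["interface"][0]]
    allowed = [ipaddress.ip_network(a) for p in peers for a in p.get("allowed_ips", [])]
    if not any(dst_ip in net for net in allowed):
        findings.append("destination not covered by any peer allowed_ips")
    return findings
```

With the rule enabled and allowed_ips set to 0.0.0.0/0, `diagnose` returns no findings, which matches the fix suggested in this reply.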


Why does it matter? I can't set any other IP

For testing purposes. I forgot to turn it back on.

I want to route only traffic to the hosts from the list.

Thanks, with this option everything works as I planned. But I'd rather not rely on routing by wg rules, as I want to move away from wg in the future. Everything has been working for me for the last few years without this option. Maybe I need to add some route?

Can you please explain what it does in this case?

Yep

If I understand correctly, I am marking packets where dst ip is ip from this list. Am I wrong?

With a /24 there will automatically be a local route made (10.8.1.0/24), which is very useful if you e.g. have a DNS server in that subnet, for debugging, or if you want to connect to other peers etc. It does not hurt, so I would always do this (use a /24 address), but that is just me.

Enabling this will stop making a route to the WG endpoint via the wan, which is necessary if you have a default route via the WG tunnel.
In your case, where you do not have a default route via the tunnel, you actually do not need a host route, but for me it is good practice to have it anyway (but that is just me).


Oh, that's exactly what I was looking for. Thanks!

