Routing only a subset of my local LAN through Wireguard

Hi Folks,

Newbie here. I've been struggling to set up OpenWRT in my home, but so far having a lot of fun. However, I've been getting complaints from the GF about messing with the internet so I figured I might as well ask the experts rather than keep poking around to figure out stuff.

I'm trying to achieve a setup as the one I'm sharing in the image below:

I want to route everything on 10.128.128.0/24 through Wireguard so that everything comes out to WAN through the VPS2. I'm guessing this is not too hard to do but I haven't been successful so far. I'm trying to make it so that from the POV of my home servers, their WAN IP is that of VPS. For 192.168.1.0/24 everything should stay the same. Additionally, VPS1 connects to some servers in 10.128.128.0/24 through Wireguard and port forwarding, these servers should still be able to connect to VPS1 when. I guess here I need to set up a rule to allow UDP connections to vps1_ip on the wireguard port, as well as the wireguard interfaces.

I have been using this guide from the documentation, but so far haven't been successful.

I hope someone here can give me a hand. Many thanks.

P.S.: feel free to criticize any inefficiency or blunder in my setup so far if you feel like it, I'm looking to learn as much as possible from the community!

Network file:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'EDITED'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'WAN'
	option proto 'pppoe'
	option device 'br-lan'
	option username 'EDITED'
	option password 'EDITED'
	option ipv6 'auto'

config interface 'SERVERS'
	option proto 'static'
	option device 'eth1'
	option ipaddr '10.128.128.1'
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'EDITED'
	list addresses '10.255.2.2/32'
	option listen_port '51820'

config wireguard_wg0
	option description 'PersonalProxy'
	option public_key 'EDITED'
	list allowed_ips '10.0.0.100/32'
	option route_allowed_ips '1'
	option endpoint_port '51820'
	option endpoint_host 'EDITED'

A quick try:
Make a routing table (102) with a default route via the wg0 interface (/etc/config/network)
Make a rule which points the servers subnet to this routing table
Do not enable default routing via the WG interface, by disabling "Use default gateway" in the GUI of the WG interface (or add option defaultroute '0' to the wg interface)

config route
	option interface 'wg0'
	option table '102'
	option target '0.0.0.0/0'

config rule
	option src '10.128.128.0/24'
	option lookup '102'

Alternatively use the full PBR package: https://docs.openwrt.melmac.net/pbr/

Edit: make a backup before doing this and reboot after changing settings

2 Likes
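An added example, not from the thread or from OpenWrt itself: a small shell script that prints the UCI batch for the table-102 approach above and checks the resulting rule, route and peer allowed-IPs on the router. It assumes the names from the thread (table 102, interface wg0, subnet 10.128.128.0/24); the allowed-IPs check is included because WireGuard answers with ICMP port unreachable when no peer's allowed IPs cover the destination, which is what the router reports back to the LAN host.

```shell
#!/bin/sh
# Added example (not from the thread): policy routing of one LAN subnet
# through a WireGuard interface on OpenWrt. Assumed names: table 102,
# interface 'wg0', subnet 10.128.128.0/24.

SERVERS_NET="10.128.128.0/24"
WG_IFACE="wg0"
TABLE="102"

# Emit the UCI batch: a default route in table 102 via wg0, a source rule
# for the servers subnet, and defaultroute=0 so wg0 does not install its
# own default route in the main table. Printed (for review) rather than
# applied; apply with:  pbr_uci_batch | uci batch && /etc/init.d/network reload
pbr_uci_batch() {
  cat <<EOF
set network.${WG_IFACE}.defaultroute='0'
add network route
set network.@route[-1].interface='${WG_IFACE}'
set network.@route[-1].table='${TABLE}'
set network.@route[-1].target='0.0.0.0/0'
add network rule
set network.@rule[-1].src='${SERVERS_NET}'
set network.@rule[-1].lookup='${TABLE}'
commit network
EOF
}

# Check live state from the text of `ip rule show` and
# `ip route show table 102`; returns 0 only if both pieces are present.
# On the router: verify_pbr "$(ip rule show)" "$(ip route show table 102)"
verify_pbr() {
  rules="$1"; routes="$2"
  echo "$rules" | grep -qF "from ${SERVERS_NET} lookup ${TABLE}" \
    || { echo "missing ip rule for ${SERVERS_NET}"; return 1; }
  echo "$routes" | grep -q "^default dev ${WG_IFACE}" \
    || { echo "missing default route in table ${TABLE}"; return 1; }
  return 0
}

# A correct rule and route are not enough: the peer's allowed_ips must also
# cover the destinations (0.0.0.0/0), with route_allowed_ips left at 0 so the
# rule/table keeps doing the routing. Otherwise WireGuard has no peer for
# e.g. 1.1.1.1 and the router returns ICMP "Destination Port Unreachable".
# Input is the text of `wg show wg0 allowed-ips` (pubkey<TAB>prefixes).
peer_covers_default() {
  echo "$1" | grep -qF "0.0.0.0/0"
}
```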

Thanks for your tip @egc; unfortunately I couldn't get it to work. I can connect my router to WG and receive pings bidirectionally, but I can't manage to have my servers route traffic through the interface. For example ping 1.1.1.1 yields:

PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 10.128.128.1 icmp_seq=1 Destination Port Unreachable

I will try with PBR and hope for the best.

Thanks!

Make 2 LAN subnets, like what network segmentation is for.