Secondary (virtual) ip address as a vpn gateway

tugrul · June 30, 2022, 6:47pm

Hi,

My actual gateway ip address is 192.168.1.1. I added a new ip address 192.168.1.2 to br-lan interface as secondary ip address as you can see below.

Also I created a WireGuard VPN interface, I associated two interfaces in a new routing table, I created firewall rules.

As you can see main routing table below.

VPN's routing table below.

ip rule list below.

It doesn't prefer VPN's routing table when I set my computer's gateway IP address to 192.168.1.2. But It works well when I add my computer's ip address to rule list like ip rule add from 192.168.1.25 lookup cfwg.

How can I use this setup fluently (without adding client's ip address to the rule list). I was considering to add fwmark to secondary ip address 192.168.1.2 then use it in ip rule list but I could not find any source for this.

Thanks,
Tuğrul

lleachii · June 30, 2022, 9:20pm

Because the SRC IP of any traffic is the originator transmitting host...not its gateway. Just fix your rules accordingly.

Use the subnet 192.168.1.0/24 then.

Well, use inbound interface then (and leave the rule for the IP of the router). BTW, these can be made in OpenWrt syntax. See: https://openwrt.org/docs/guide-user/network/routing/ip_rules

tugrul · July 1, 2022, 12:06am

Both gateway ip addresses (192.168.1.1 and 192.168.1.2) use same interface br-lan as you can see on top of the image. I tried to create another bridge interface br-lan2 and I assigned secondary ip address 192.168.1.2 but it is not getting up. It is failing.

There are some options in MAC VLAN device type but I don't have an idea how they are works.

pavelgl · July 1, 2022, 11:36am

Install the kmod-macvlan kernel module and create an interface.

config device
        option name 'veth'
        option type 'macvlan'
        option ifname 'br-lan'

config interface 'virt'
        option ifname 'veth'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.2'

Attach the virt interface to the lan zone.

Here is an example of the ip rule/route configuration.

config rule
        option in 'virt'
        option lookup '100'

config route
        option target '0.0.0.0/0'
        option interface 'wg0'
        option table '100'

root@OpenWrt:~# ip ru li ta 100
1:      from all iif veth lookup 100

root@OpenWrt:~# ip ro li ta 100
default dev wg0 proto static scope link

tugrul · July 1, 2022, 12:03pm

@pavelgl thank you so much! It works like a charm.

I just added ip rule manually to test because I'm not sure where I should write rule configuration

config rule
        option in 'virt'
        option lookup '100'

(/etc/config/firewall or /etc/config/network) because the doc page ( [OpenWrt Wiki] Routing rules) doesn't have any information.

I did not add default routing rule because wireguard interface adds it automatically when it is up.

pavelgl · July 1, 2022, 12:10pm

In /etc/config/network

system · July 11, 2022, 12:11pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.