Setup Wireguard+PBR

Hello everybody.

I want to run PBR along with wireguard.

Now my firewall is not configured correctly, and all traffic goes through the wg0 interface. I want only the DNS names given in PBR to go through wg0. Please tell me how to configure the firewall.

Then I'll try to set up PBR myself.

My configs:

/etc/config/firewall
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'lan'

config zone
        option name 'wg0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wg0'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wg0'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wg0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

/etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc5:642c:723b::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option delegate '0'

config device
        option name 'eth1'
        option ipv6 '0'

config interface 'wan'
        option proto 'static'
        option device 'eth1'
        option ipaddr '192.168.0.3'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        list dns '8.8.8.8'
        option delegate '0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '*'
        list addresses '*'
        list dns '*'

config wireguard_wg0
        option public_key '*'
        option private_key '*'
        option preshared_key '*'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '*'
        option endpoint_port '*'

Remove network wg0:

Otherwise it is set up correctly.

What is it you are trying to accomplish?

Oh, and redacting private RFC1918 IP addresses makes it difficult to give optimal support.

Your suggestion doesn't change anything. All traffic uses WireGuard...

The client is connected to gateway 192.168.0.2 (br-lan) and all traffic goes via WireGuard.
When using gateway 192.168.0.3 (eth1), there is no connection.

I want to set up dynamic routing. For example: going to Google via Wireguard, Yahoo not.

Your lan and wan are in the same subnet.

If you want this set up as a regular router, with its wan connected upstream, then use another subnet for your lan.

e.g. 192.168.1.1 for your lan.

If you do not want default routing via WireGuard then disable Route Allowed IPs.

Okay, I'll try. For example lan 192.168.1, wan 192.168.0. Should the client use the wan gateway (192.168.0)? Is the lan interface (192.168.1) used only for management?

If I write the necessary addresses in "Allowed IPs", this will result in static routes. Am I right?

It routes traffic with a destination of the Allowed IPs via the interface and allows that traffic to enter; this might not be what you need for PBR.

Yes, you're right. What parameter should I use for allowedips when routing via pbr?

For Policy Based Routing you just keep the Allowed IPs at 0.0.0.0/0 and use PBR, see:

The method via Allowed IPs does not work. All traffic is redirected into the tunnel, but I need DNS-based routing!

Maybe I'm not expressing myself correctly and you don't understand me? My task is extremely simple: I need routing by DNS name, so that clients using OpenWrt as a gateway can reach certain HTTPS sites through the tunnel. I am not a network engineer and my English is not good, so the manual you pointed me to does not show me a solution. Therefore, I ask for your help.

  1. How many network adapters does OpenWRT need, and which one should be used as the gateway for clients? 192.168.0.2(br-lan) or 192.168.0.3(eth1)?
  2. What firewall settings are required? Which adapter requires which setting.
  3. What settings are required for peer?

ChatGPT and similar tools do not provide the necessary answer. Unfortunately, I can't devote time to solving this problem without interruptions, and I forget some details, so I need your help. Thx!

Nitpick. Dynamic routing is OSPF, BGP, Babel, OLSR etc., but not some wanky scripts fiddling with static routes.

If you only want traffic to some sites via the VPN but all other traffic via the WAN, then use 0.0.0.0/0 as Allowed IPs but disable Route Allowed IPs.

Now you need to use Policy Based routing to route the sites of your choice via the VPN.

Install the PBR app: https://docs.openwrt.melmac.ca/pbr

Make a rule in the PBR app and under Remote address/Domains add your URLs of choice. This is an example where the domains, e.g. ipleak.net etc., are routed via my Mullvad VPN:
[image]

Note that e.g. streaming services like Netflix etc. are using a multitude of domains and you have to get them all.

Some pointers from the pbr README:

Use DNSMASQ nft sets Support

  • The pbr package can be configured to utilize dnsmasq's nft sets support, which requires the dnsmasq-full package with nft sets support to be installed (see How to install dnsmasq-full). This significantly improves the startup time because dnsmasq resolves the domain names and adds them to the appropriate nft set in the background. dnsmasq's nft set also automatically adds third-level domains to the set: if domain.com is added to the policy, this policy will affect all *.domain.com subdomains. This also works for top-level domains (TLDs): a policy targeting the at TLD, for example, will affect all the *.at domains.
  • Please review the Footnotes/Known Issues section, specifically #5 and #7 and any other information in that section relevant to domain-based routing/DNS.

Also see the paragraph about dest_address: https://docs.openwrt.melmac.ca/pbr/#PolicyOptions
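Putting the advice from this reply and the earlier one (keep Allowed IPs at 0.0.0.0/0, disable Route Allowed IPs, take wg0 out of the wan zone, let PBR pick the tunnel per domain) into UCI form, as an added example and not the poster's actual configs. Keys, addresses and the pbr option names (`resolver_set`, `config policy`, `dest_addr`) are assumed from the pbr docs linked above; replace the placeholders with your own values.

```uci
# /etc/config/network (relevant parts only; constructed example)
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED_PRIVATE_KEY'
        list addresses '10.0.0.2/32'       # constructed tunnel address

config wireguard_wg0
        option public_key 'REDACTED_PEER_PUBLIC_KEY'
        option endpoint_host 'vpn.example.net'   # placeholder endpoint
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'       # any destination may use the tunnel...
        option route_allowed_ips '0'       # ...but no default route via wg0 is installed

# /etc/config/firewall: wg0 belongs only to its own zone, not to 'wan'
config zone
        option name 'wan'
        list network 'wan'                 # 'wg0' removed from this zone
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'wg0'
        list network 'wg0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding                          # lan -> wan forwarding stays as it was
        option src 'lan'
        option dest 'wg0'

# /etc/config/pbr: only the named domains go via wg0, everything else via wan
config pbr 'config'
        option enabled '1'
        option resolver_set 'dnsmasq.nftset'     # assumed option; needs dnsmasq-full with nft sets

config policy
        option name 'Google via VPN'
        option interface 'wg0'
        option dest_addr 'google.com'            # dnsmasq nft set also matches *.google.com
        option enabled '1'
```

Domain policies only work for clients that resolve names through the router's dnsmasq, since that is what populates the nft set; a client using 8.8.8.8 directly will bypass the rule.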
