[Solved] - Route only LAN traffic to tunnel

Hello everyone,
I have a site-to-site VPN connection between 2 OpenWRT routers. This is the guide that I have followed:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extra

Server side LAN
192.168.1.0/24
Client side LAN
192.168.3.0/24

On the OpenWRT client router, all the traffic is routed to the WireGuard interface:

root@WG-Client:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 wg0
default         10.0.1.1        0.0.0.0         UG    100    0        0 eth0.2
10.0.1.0        *               255.255.255.0   U     100    0        0 eth0.2
WireguardServerPublicIP  10.0.1.1        255.255.255.255 UGH   100    0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 wg0
192.168.3.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.9.0     *               255.255.255.0   U     0      0        0 wg0

10.0.1.1 is the WAN router of my network.

Can you tell me how to route only the traffic for the server-side LAN 192.168.1.0/24 to the tunnel, so that all other traffic still goes out my WAN interface?

root@WG-Client:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd08:1ff1:4e8e::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.3.1'
network.lan.dns='1.1.1.1' '8.8.8.8'
network.lan_eth0_1_dev=device
network.lan_eth0_1_dev.name='eth0.1'
network.lan_eth0_1_dev.macaddr='0c:b6:d2:d6:86:14'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.metric='100'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='0c:b6:d2:d6:86:17'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 0t'
network.LTE=interface
network.LTE.proto='dhcp'
network.LTE.ifname='usb0'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key=''
network.wg0.addresses='192.168.9.2/24' 'fdf1:7610:d152:3a9c::2/64'
network.wgserver=wireguard_wg0
network.wgserver.public_key=''
network.wgserver.preshared_key=''
network.wgserver.endpoint_port='51820'
network.wgserver.route_allowed_ips='1'
network.wgserver.persistent_keepalive='25'
network.wgserver.allowed_ips='0.0.0.0/0' '::/0' '192.168.1.0/24'
network.wgserver.endpoint_host='WireguardServerPublicIP'

Thank you in advance!

# Client
# Drop the catch-all entries; 192.168.1.0/24 stays in allowed_ips and is the only
# prefix that route_allowed_ips='1' will still install on wg0
uci del_list network.wgserver.allowed_ips="0.0.0.0/0"
uci del_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart
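To see why the two del_list commands are enough, here is an added example (not part of the thread and not from the OpenWrt guide) that parses the peer section from the poster's `uci show network` output, emits the same fix, and simulates the kernel's route selection before and after. It assumes the interface names and metrics shown in the poster's `route` output (wg0 at metric 0, the DHCP default on eth0.2 at metric 100, the LAN on br-lan) and only models IPv4; the key values are left redacted as in the post.

```python
import shlex
import ipaddress

# Constructed sample: the peer and interface lines from the poster's `uci show network`
# (keys redacted as in the post). Not the thread's own data beyond what is quoted there.
UCI_BEFORE = """\
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.addresses='192.168.9.2/24' 'fdf1:7610:d152:3a9c::2/64'
network.wgserver=wireguard_wg0
network.wgserver.route_allowed_ips='1'
network.wgserver.allowed_ips='0.0.0.0/0' '::/0' '192.168.1.0/24'
"""

CATCH_ALL = {"0.0.0.0/0", "::/0"}


def parse_uci(text):
    """Turn `uci show` output into {key: [values]}; list options carry several quoted values."""
    conf = {}
    for line in text.splitlines():
        key, _, val = line.partition("=")
        conf[key] = shlex.split(val) if val.startswith("'") else [val]
    return conf


def split_tunnel_fix(conf, peer="network.wgserver"):
    """Return (uci commands, remaining allowed_ips) that drop the catch-all entries, i.e. the
    accepted answer. Only a peer with route_allowed_ips='1' installs routes, so only it matters."""
    allowed = conf[f"{peer}.allowed_ips"]
    if conf.get(f"{peer}.route_allowed_ips") != ["1"]:
        return [], allowed
    bad = [a for a in allowed if a in CATCH_ALL]
    cmds = [f'uci del_list {peer}.allowed_ips="{a}"' for a in bad]
    if cmds:
        cmds += ["uci commit network", "/etc/init.d/network restart"]
    return cmds, [a for a in allowed if a not in CATCH_ALL]


def routing_table(allowed_ips):
    """IPv4 routes the client ends up with (assumed from the poster's `route` output): every
    allowed_ips prefix becomes a metric-0 route on wg0, next to the DHCP default on eth0.2
    at metric 100 and the connected LAN on br-lan."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), "eth0.2", 100),
             (ipaddress.ip_network("192.168.3.0/24"), "br-lan", 0)]
    for cidr in allowed_ips:
        net = ipaddress.ip_network(cidr)
        if net.version == 4:
            table.append((net, "wg0", 0))
    return table


def egress(table, dst):
    """Interface the kernel would pick: longest prefix wins, ties go to the lowest metric."""
    addr = ipaddress.ip_address(dst)
    best = max((net.prefixlen, -metric, iface) for net, iface, metric in table if addr in net)
    return best[2]


def cryptokey_accepts(allowed_ips, src):
    """WireGuard also uses allowed_ips as an inbound filter: a decrypted packet whose source
    is outside the peer's allowed_ips is dropped, so narrowing the list also narrows what
    the server side is allowed to send, not just what the client routes into the tunnel."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(a) for a in allowed_ips)


if __name__ == "__main__":
    conf = parse_uci(UCI_BEFORE)
    cmds, after = split_tunnel_fix(conf)
    before = conf["network.wgserver.allowed_ips"]
    print("\n".join(cmds))
    for dst in ("8.8.8.8", "192.168.1.10", "192.168.3.5"):
        print(dst, "before:", egress(routing_table(before), dst),
              "after:", egress(routing_table(after), dst))
    print("server tunnel address 192.168.9.1 accepted through the peer:",
          cryptokey_accepts(after, "192.168.9.1"))
```

Before the fix both defaults match 8.8.8.8 with the same prefix length and the metric-0 route on wg0 wins, which is exactly the "all traffic goes to the tunnel" symptom in the question; afterwards only the eth0.2 default remains and 192.168.1.0/24 is still sent to wg0. One caveat the simulation makes visible: with allowed_ips reduced to 192.168.1.0/24, the server's own tunnel address 192.168.9.1 is no longer covered by the peer's allowed_ips, so pings to it would be dropped by WireGuard's cryptokey routing; if that address must stay reachable, add 192.168.9.0/24 (or 192.168.9.1/32) to allowed_ips instead of a catch-all.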

Thank you, vgaetera. It works when I remove the ranges from the WG allowed IPs.
