So i have ordered hardware for an upcoming router which im planning on using openwrt on.
Im trying to learn openwrt things to be somewhat prepared for the real deal.
Ive setup 2 VMs, one is openwrt with x86_64 and one is just Win10 connected to openwrt LAN (host-only network)
openwrt VM is setup:
WAN -> dhcp client from my real router, which im using until i get the hardware and can fix openwrt router
LAN -> dhcp from virtualbox, host-only network
I installed luci-app-wireguard and luci-app-vpn-policy-routing + vpn-policy-routing to test this out, because its a good thing in my current setup, so i want to learn it
I followed mullvad (vpn-provider for my wireguard client) guide: https://mullvad.net/sv/help/running-wireguard-router/ - i did NOT do DHCP/DNS steps because i believe its not needed in my current VM
setup(?)
The wireguard tunnel works and is online.
I want to be able to policy-route some IPs / subnets to WAN, for example.
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
/etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option network 'wg_mlvd'
option name 'wg_mlvdzone'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
config forwarding
option dest 'wg_mlvdzone'
option src 'lan'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd61:4966:0236::/48'
config interface 'wan'
option proto 'dhcp'
option ifname 'eth0'
config interface 'lan'
option proto 'dhcp'
option ifname 'eth1'
option gateway '192.168.1.42'
config interface 'wg_mlvd'
option proto 'wireguard'
option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option force_link '1'
list addresses 'xx.xx.xxx.xxx/32'
config wireguard_wg_mlvd
option endpoint_host 'xxx.xx.xxx.xxx'
option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option route_allowed_ips '1'
list allowed_ips '0.0.0.0/0'
/etc/config/vpn-policy-routing
config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
option boot_timeout '30'
option iptables_rule_option 'append'
option iprule_enabled '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option enabled '1'
list supported_interface 'wg_mlvd'
list supported_interface 'wan'
option webui_enable_column '1'
option webui_protocol_column '1'
option webui_chain_column '1'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
config policy
option name 'Win10-VM'
option src_addr '192.168.214.13'
option proto 'all'
option interface 'wan'
option chain 'PREROUTING'
The thing is if i select proto 'tcp udp', i can ping from the windows 10, but not surf, but ping works, which i find weird.
When selecting proto 'all' nothing works
When selecting interface 'wireguard' it all works, but it doesnt go to WAN then, which is what i want
Please let me know if there is additional information i forgot to mention here, that u need to help me
Appreciate alot if i get help
Thanks
EDIT: I might be wrong but from more testing around, it seems is has to do with firewall and/or allowedips in wireguard peer configuration under interface.
When i set allow forwarding in firewall general rules traffic seems to get through, although it still seems to go through wireguard, even though WAN is set as interface for the policy..
EDIT #2: It seems like i have sorted it out for now, i had incorrect settings in input/output/forward in firewall