I have a WireGuard client set up in my OpenWrt and it works:
# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='23.05.2'
DISTRIB_REVISION='r23630-842932a63d'
DISTRIB_TARGET='mvebu/cortexa9'
DISTRIB_ARCH='arm_cortex-a9_vfpv3-d16'
DISTRIB_DESCRIPTION='OpenWrt 23.05.2 r23630-842932a63d'
DISTRIB_TAINTS=''
Before applying any PBR rule I am getting this from a client:
curl ipinfo.io/ip ✔
188.216.xx.xx%
and listening with tcpdump I am getting:
# tcpdump -i any src 192.168.1.111 and dst host ipinfo.io
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:21:58.181179 lan3 In IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [S], seq 2694821548, win 32120, options [mss 1460,sackOK,TS val 2508056377 ecr 0,nop,wscale 7], length 0
11:21:58.181179 br-lan In IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [S], seq 2694821548, win 32120, options [mss 1460,sackOK,TS val 2508056377 ecr 0,nop,wscale 7], length 0
11:21:58.195881 lan3 In IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [.], ack 1704521063, win 251, options [nop,nop,TS val 2508056392 ecr 363589084], length 0
11:21:58.195881 br-lan In IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [.], ack 1, win 251, options [nop,nop,TS val 2508056392 ecr 363589084], length 0
11:21:58.196019 lan3 In IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [P.], seq 0:74, ack 1, win 251, options [nop,nop,TS val 2508056392 ecr 363589084], length 74: HTTP: GET /ip HTTP/1.1
11:21:58.196019 br-lan In IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [P.], seq 0:74, ack 1, win 251, options [nop,nop,TS val 2508056392 ecr 363589084], length 74: HTTP: GET /ip HTTP/1.1
11:21:58.332581 lan3 In IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [.], ack 300, win 249, options [nop,nop,TS val 2508056528 ecr 363589221], length 0
11:21:58.332581 br-lan In IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [.], ack 300, win 249, options [nop,nop,TS val 2508056528 ecr 363589221], length 0
11:21:58.332911 lan3 In IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [F.], seq 74, ack 300, win 249, options [nop,nop,TS val 2508056529 ecr 363589221], length 0
11:21:58.332911 br-lan In IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [F.], seq 74, ack 300, win 249, options [nop,nop,TS val 2508056529 ecr 363589221], length 0
11:21:58.348123 lan3 In IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [.], ack 301, win 249, options [nop,nop,TS val 2508056544 ecr 363589237], length 0
11:21:58.348123 br-lan In IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [.], ack 301, win 249, options [nop,nop,TS val 2508056544 ecr 363589237], length 0
Now I want to use PBR to redirect some traffic through the WG interface, for instance:
config policy
	option name 'ipinfo.io'
	option dest_addr 'ipinfo.io'
	option interface 'WG0'
	option enabled '1'
After I applied this I am getting:
curl ipinfo.io/ip ✔
curl: (7) Failed to connect to ipinfo.io port 80 after 2 ms: Couldn't connect to server
# tcpdump -i any src 192.168.1.111 and dst host ipinfo.io
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:22:57.632046 lan3 In IP 192.168.1.111.49992 > 192.186.117.34.bc.googleusercontent.com.80: Flags [S], seq 2893199098, win 32120, options [mss 1460,sackOK,TS val 2508115827 ecr 0,nop,wscale 7], length 0
11:22:57.632046 br-lan In IP 192.168.1.111.49992 > 192.186.117.34.bc.googleusercontent.com.80: Flags [S], seq 2893199098, win 32120, options [mss 1460,sackOK,TS val 2508115827 ecr 0,nop,wscale 7], length 0
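Added diagnostic (my own script, not from the post or the pbr package): it extends the tcpdump check above to every interface and both directions and tallies where the client's SYN is seen, so a capture like the second one above shows at once that the SYN arrives on lan3/br-lan but never goes Out on WG0. It assumes busybox awk/nslookup/timeout, tcpdump's LINUX_SLL2 "any" output, a WireGuard device named WG0, and uses a constructed destination 203.0.113.10 in the embedded samples.

```sh
#!/bin/sh
# Added diagnostic, not from the post or the pbr package. Widens the tcpdump
# filter to both directions on every interface and tallies TCP SYNs per
# interface/direction, to see whether the client's SYN ever leaves via WG0.
# Assumptions: tcpdump "-i any" LINUX_SLL2 output (as in the post), busybox
# awk/nslookup/timeout, and a WireGuard device named WG0.
WG_DEV="${WG_DEV:-WG0}"
DEST_HOST="${DEST_HOST:-ipinfo.io}"

# syn_tally: read tcpdump lines on stdin, print "iface dir count" for each
# pure SYN (Flags [S]), i.e. each connection attempt.
syn_tally() {
    awk '($3 == "In" || $3 == "Out") && /Flags \[S\],/ { n[$2 " " $3]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# syn_left_via TALLY DEV: succeeds if TALLY shows a SYN going Out on DEV.
syn_left_via() {
    printf '%s\n' "$1" |
        awk -v d="$2" '$1 == d && $2 == "Out" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# resolve_v4 HOST: first IPv4 answer from busybox nslookup (skips the server line).
resolve_v4() {
    nslookup "$1" 2>/dev/null |
        awk '/^Name/ { seen = 1 } seen && /^Address/ && $NF ~ /^[0-9.]+$/ { print $NF; exit }'
}

# Live check: capture for 10 s while you run `curl ipinfo.io/ip` on the client.
# Only runs with PBR_LIVE=1 so the functions above can be tested offline.
pbr_live_check() {
    ip="$(resolve_v4 "$DEST_HOST")"
    [ -n "$ip" ] || { echo "cannot resolve $DEST_HOST"; return 2; }
    echo "capturing 10 s for host $ip: run curl on the client now"
    tally="$(timeout 10 tcpdump -i any -n -l "host $ip and tcp" 2>/dev/null | syn_tally)"
    printf '%s\n' "$tally"
    if syn_left_via "$tally" "$WG_DEV"; then
        echo "OK: SYN to $DEST_HOST leaves via $WG_DEV"
    else
        echo "SYN never left via $WG_DEV: the policy is not steering it (check the pbr rule/table for WG0 and the peer's AllowedIPs)"
        return 1
    fi
}

# Constructed sample in the post's format: SYN seen only In on lan3/br-lan.
SAMPLE_PBR_BROKEN='11:22:57.632046 lan3 In IP 192.168.1.111.49992 > 203.0.113.10.80: Flags [S], seq 1, win 32120, length 0
11:22:57.632046 br-lan In IP 192.168.1.111.49992 > 203.0.113.10.80: Flags [S], seq 1, win 32120, length 0'
# Constructed healthy case: the same SYN also goes Out on WG0 (tunnel address assumed).
SAMPLE_PBR_OK="$SAMPLE_PBR_BROKEN
11:22:57.632100 WG0 Out IP 10.0.0.2.49992 > 203.0.113.10.80: Flags [S], seq 1, win 32120, length 0"
if [ "${PBR_LIVE:-0}" = 1 ]; then pbr_live_check; fi
```

Run it on the router with `PBR_LIVE=1 sh pbr_syn_check.sh` and trigger the curl from the client during the capture window; without PBR_LIVE it only defines the functions and samples.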