Source-IP routing rule to vpn tunnel

Hi guys! Please advise how to implement source-IP routing on OpenWrt 22.03.2.
I have a regular WAN uplink and a WireGuard wg0 VPN uplink; traffic is routed there based on an IP/subnet ipset list using mark routing.

Inside the LAN I have a specific device which needs to route all its traffic inside the wg0 tunnel... Is it possible to do this somehow?
PS: I tried setting up Network -> Routing -> IPv4 rules with an entry like this:

config rule
        option src '192.168.0.74/24'
        option out 'wg0'
        option in 'lan'

but unfortunately traffic from this 192.168.0.74 client is still routed via WAN:

 >tracert google.com
  1     3 ms     1 ms    <1 ms  OpenWrt.lan [192.168.0.1]
  2     4 ms     5 ms     3 ms  172.xx.xx.1
  ...

PS: when requesting an IP from the pre-defined ipset, the same 192.168.0.74 client routes via wg0:

tracert 157.240.247.174
  1    33 ms     1 ms     1 ms  OpenWrt.lan [192.168.0.1]
  2    82 ms    81 ms    81 ms  10.7.0.1
  ...

Is there any way to implement source-IP routing or some tricky firewall rule? Thanks in advance!

You need a set of rules/routes for the wg connection. And you don't need the option out 'wg0'. Also the source is wrong. Use either .74/32 for a single host or .0/24 for the whole subnet.

2 Likes

Thanks a lot, it is really working!
I will describe a how-to case.

0. Bind the MAC of the device to a static DHCP lease

    /etc/config/dhcp
    config host
            option ip '192.168.0.74'
            option mac 'xx:xx:xx:xx:xx:xx'

1. Add an entry to the routing tables file

    /etc/iproute2/rt_tables
    100     allwg

2. Add a new route like this

    ip route add table allwg default dev wg0

3. Make a hotplug.d script to auto-apply the route

    /etc/hotplug.d/iface/30-allwg
    #!/bin/sh
    # only act when the wg0 interface comes up; other iface events are ignored
    [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wg0" ] || exit 0
    ip route add table allwg default dev wg0

4. Make a routing rule for my example source IP to allwg

    /etc/config/network
    config rule
            option src '192.168.0.74/32'
            option lookup 'allwg'

5. Make a 0.0.0.0 route to the allwg table

    /etc/config/network
    config route
            option target '0.0.0.0'
            option netmask '0.0.0.0'
            option metric '100'
            option table 'allwg'
            option interface 'wg0'

1 Like
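The same procedure as one idempotent script, written here as an added example; it is not code posted in the thread. Assumptions, labelled in the comments: the default OpenWrt names (LAN bridge br-lan, logical interface wg0, firewall zones lan and wan, with wg0 not in the wan zone) and the thread's own table name/number allwg/100. It uses UCI named sections so re-running does not append duplicate rule/route entries, skips the manual ip route and hotplug steps because netifd installs the config route itself, rejects the .74/24 form from the first post (which would have matched the whole subnet), checks the kernel's routing decision with ip route get instead of a tracert from the client, and adds an optional firewall rule so the host fails closed instead of falling back to the WAN in the clear when wg0 is down.

```shell
#!/bin/sh
# Added example, not the thread author's script. Assumed names: br-lan, wg0,
# zones lan/wan with wg0 outside the wan zone; table allwg/100 is the thread's.
TABLE_ID=100
TABLE_NAME=allwg
VPN_IF=wg0
LAN_IF=br-lan

# Dotted quad -> integer. Fails on anything that is not four octets in 0..255.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Normalise a source to CIDR. A bare address becomes /32. A shorter prefix is
# accepted only when no host bits are set, so '192.168.0.74/24' (the mistake in
# the first post) is rejected instead of silently routing the whole subnet.
host_prefix() {
    ip=${1%%/*}
    case $1 in */*) len=${1#*/} ;; *) len=32 ;; esac
    n=$(ip_to_int "$ip") || return 1
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( n & ~mask & 0xFFFFFFFF )) -eq 0 ] || return 1
    echo "$ip/$len"
}

# UCI batch for steps 4 and 5 (and the static lease of step 0 when a MAC is
# given). Named sections: re-running overwrites rather than appends.
render_uci() {
    src=$(host_prefix "$1") || { echo "bad source: $1" >&2; return 1; }
    mac=$2
    if [ -n "$mac" ]; then
        cat <<EOF
set dhcp.${TABLE_NAME}_host=host
set dhcp.${TABLE_NAME}_host.ip='${src%/*}'
set dhcp.${TABLE_NAME}_host.mac='$mac'
commit dhcp
EOF
    fi
    cat <<EOF
set network.${TABLE_NAME}_rule=rule
set network.${TABLE_NAME}_rule.src='$src'
set network.${TABLE_NAME}_rule.lookup='$TABLE_NAME'
set network.${TABLE_NAME}_route=route
set network.${TABLE_NAME}_route.interface='$VPN_IF'
set network.${TABLE_NAME}_route.target='0.0.0.0'
set network.${TABLE_NAME}_route.netmask='0.0.0.0'
set network.${TABLE_NAME}_route.table='$TABLE_NAME'
set network.${TABLE_NAME}_route.metric='100'
commit network
EOF
}

# Optional fail-closed rule. With only the policy route, a dropped wg0 removes
# the table's default route, the rule lookup finds nothing, and the kernel falls
# through to the main table, i.e. out the WAN. Rejecting lan->wan forwarding
# for this source keeps it in the tunnel or nowhere (assumes wg0 is not in wan).
render_killswitch() {
    src=$(host_prefix "$1") || return 1
    cat <<EOF
set firewall.${TABLE_NAME}_noleak=rule
set firewall.${TABLE_NAME}_noleak.name='${TABLE_NAME}: no WAN fallback'
set firewall.${TABLE_NAME}_noleak.src='lan'
set firewall.${TABLE_NAME}_noleak.src_ip='$src'
set firewall.${TABLE_NAME}_noleak.dest='wan'
set firewall.${TABLE_NAME}_noleak.target='REJECT'
commit firewall
EOF
}

# Step 1, idempotently: netifd resolves the table name through this file.
ensure_rt_table() {
    grep -qE "^$TABLE_ID[[:space:]]+$TABLE_NAME\$" /etc/iproute2/rt_tables 2>/dev/null \
        || printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> /etc/iproute2/rt_tables
}

# Ask the kernel which path a packet from the host, arriving on the LAN bridge,
# would take towards any public address (1.1.1.1 is just a destination here).
verify_path() {
    ip route get 1.1.1.1 from "${1%/*}" iif "$LAN_IF" | grep -q "dev $VPN_IF"
}

apply() {  # apply HOST_IP [MAC]
    ensure_rt_table
    render_uci "$1" "$2" | uci batch
    render_killswitch "$1" | uci batch
    /etc/init.d/network reload
    /etc/init.d/firewall reload
    verify_path "$1" && echo "$1 -> $VPN_IF" \
        || { echo "$1 still leaves via the main table" >&2; return 1; }
}

case $1 in
    render) shift; render_uci "$@" && render_killswitch "$1" ;;
    apply)  shift; apply "$@" ;;
esac
```

Run `sh allwg.sh render 192.168.0.74` to inspect the UCI commands first, then `sh allwg.sh apply 192.168.0.74 <mac>` on the router. Leave the kill-switch out if you would rather the host keep working unprotected while the tunnel is down; the point of the rule is that the failure mode becomes "no connectivity", which is visible, rather than "plaintext out the WAN", which is not.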

I also wrote a how-to of sorts on this here:

Steps 2 and 3 are not needed. There is also a mismatch of the IP in step 0 and step 4.

1 Like

Fixed the typo in the IP. Thanks anyway, I got a solution and it works fine!

Any reason why PBR wasn't advised here?

It is overkill for one IP.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.