Step by step guide for VPN & split tunneling

Recently installed openWRT

On my x86 router I have

1 wan port

Used to get out to the internet

1 lan port
Used for Connected to a switch for clients to receive DHCP leases and connect clients to the internet as well as each other

What I need help with:

Because my VPN providers info is kind of outdated for this topic,

I need a "step by step" guide (OpenWRT 23.05.3) for:

-setting up wireguard VPN provider (to which I have
the config file (.conf)) in a way that allows me to funnel the traffic of only one lan IP address through it

-While maintaining The internet services of all other clients through the regular Wan internet connection

Please understand, this split tunneling must be done on one physical interface

You can use PBR, there is a very elaborate guide for it see:

Thank you for your reply.

Unfortunately, this documentation only covers PBR and doesn't actually show you how to implement the wireguard tunnel to VPN service provider based on its tables of content.

I'm looking for a solution that helps me configure My device as a wireguard client to my VPN providers server in a way that will allow things like PBR to actually be useful

Because when I set it up the first time, the wireguard gateway became the default gateway and then try to figure out PBR it didn't work.(Unknown error)

To summarize
Only thing that happened was the wireguard tunnel became the default gateway and PBR didn't make a difference that's it

PBR does not alter the default gateway (it is in paragraph 10 FAQ, but I can understand you do not want to read the whole guide)

For WireGuard you can disable the default gateway in two ways:
Interfaces > WG interface (/etc/config/network)

  1. In the Peers section, disable "Route Allowed IPs" (option route_allowed_ips '0')
    or my favorite way
  2. Under Advanced settings > "Use Default Gateway" > disable/untick
    (`option defaultroute '0' )

I was able to figure it out.

After loading the file by dragging and dropping the wireguard config file in LUCI GUI, Which of course came after installing the Luci app Wireguard In setting up the interface using the drag-and-drop method with the config file making minor changes such as allowed IP routing check

and going through the typical process of setting up what I usually do

this time I still set the allowed IP and route allowed IP's

set the persistent to 25

I changed two things in interfaces in the WAN interface I removed the VPNs DNS and replaced it with a regular one like Google Quad nine or even 1.1.1.1

but the biggest helper was changing the metrics. I gave The WAN metric with a better priority than the VPN( neither looks set by default) save changes

I turned off the VPN interface and restarted the router

note that I already had policy-based routing installed also known as PBR luci app

After rebooting, It's finally started defaulting to the WAN.

Restart the VPN interface a.k.a. turning it back on

now all that was left was to set the PBR As needed

A device that I didn't want using a installed client for (Windows or other operating systems) the router would be configured with the PBR such as letting it know to Pre-route all traffic to that specific VPN interface Based on IP address assigned and it has worked perfectly.(Though this means you would have to statically configure the IP address or if that's too cumbersome Due to DHCP you could use the Mac address instead)

Tip to make sure you understand which devices Belongs to which policy: name the policy based on the device In the VPN it's connected to As this will make it easier to turn off more

important note: On most VPN providers instructions the intention is to cover your entire network so they'll tell you to turn off or uncheck the box in the fire zone when it comes to forwarding traffic from the lan to the Internet.

if you want to split tunnel, you might not want to do that. you want to make sure to leave both the WAN & VPN available for the local area network To forward traffic to

The zone should show:

lan----> wan
vpn

not just:

lan----> vpn

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.