or
for me the better way, with traffic on the tunnel
Information about the current state
Interfaces
lan - Switch.10 with WLAN (phy1-ap0)
Gast - Switch.20 with WLAN (phy2-ap0)
VPN - Switch.30 with WLAN (phy0-ap0)
Firewall
lan => wan
Gast => wan
VPN => wan
wan => drop
traffic rules
DNS for Gast
DHCP for Gast
DNS for VPN
DHCP for VPN
Every VLAN works fine, so far.
Every VLAN has WAN connection.
Every WLAN gets the right IP range from its VLAN.
Now the change to WireGuard, following that howto
My Steps
Interface wg0 - configuration imported from the Surfshark file
Firewall - tunnel
peer
Allowed IPs set to the VPN VLAN in my case (192.168.30.0/24), not 0.0.0.0/0
Route Allowed IP checked
Firewall
tunnel => DROP, Masquerading
VPN forwarding changed from => WAN to => tunnel, WAN
After the changes, lan and Gast work fine, with connection via WAN.
VPN has no connection anywhere.
I guess 1 or 2 little points are missing to solve this.
Does anyone have a similar configuration and can help me?
If you want internet access via your WG client you have to use 0.0.0.0/0 for Allowed IPs, because that list is also WireGuard's filter for which source addresses it accepts from the peer — replies from arbitrary internet hosts are discarded otherwise.
But what is it you exactly want to accomplish?
Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show
lan with internet connection, no connection to Gast or VPN.
Gast with internet connection, no connection to lan or VPN.
VPN with internet connection through the VPN tunnel, no connection to lan or Gast.
Sure, that was my idea. If I set 0.0.0.0/0, no VLAN has a connection to the internet any more (with Route Allowed IPs enabled that pulls the whole router's default route into the tunnel).
cat /etc/config/network
# /etc/config/network as posted (keys, addresses and the ULA prefix redacted by the poster).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '_____::/48'
# lan: VLAN 10 on the 'Switch' bridge, untagged on all three ports (bridge-vlan 10 below).
config interface 'lan'
option device 'Switch.10'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# Bridge 'Switch' over the three LAN ports; VLAN membership is set per bridge-vlan section.
config device
option type 'bridge'
option name 'Switch'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config bridge-vlan
option device 'Switch'
option vlan '10'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
# VLAN 20 (Gast) and VLAN 30 (VPN) leave all ports tagged.
config bridge-vlan
option device 'Switch'
option vlan '20'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan3:t'
config bridge-vlan
option device 'Switch'
option vlan '30'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan3:t'
config interface 'Gast'
option proto 'static'
option device 'Switch.20'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
config interface 'VPN'
option proto 'static'
option device 'Switch.30'
option ipaddr '192.168.30.1'
option netmask '255.255.255.0'
# Explicit 8021q device for Switch.20 only; Switch.10 and Switch.30 rely on the implicit bridge-vlan devices.
config device
option name 'Switch.20'
option type '8021q'
option ifname 'Switch'
option vid '20'
option ipv6 '1'
# WireGuard tunnel to the provider (interface side).
config interface 'wg0'
option proto 'wireguard'
option private_key '________'
list addresses '____/16'
list dns '162.252.172.57'
list dns '149.154.159.92'
# Peer section. allowed_ips is both a route selector (with route_allowed_ips '1') and WireGuard's
# cryptokey-routing filter: only packets whose inner source address lies within allowed_ips are
# accepted from this peer, so with just 192.168.30.0/24 no internet reply can come back through
# the tunnel. At the same time route_allowed_ips '1' installs 192.168.30.0/24 via wg0 (see the
# 'ip route show' output further down), which competes with the VPN VLAN's own connected route on
# Switch.30 — presumably why nothing in that VLAN is reachable any more. For internet-via-tunnel
# allowed_ips has to be 0.0.0.0/0; to keep lan and Gast off the tunnel, set route_allowed_ips '0'
# and steer 192.168.30.0/24 into the tunnel with a policy rule and a custom routing table instead
# of letting this option replace the router's default route.
config wireguard_wg0
option description 'lu-ste.conf'
option public_key '____'
option endpoint_host '____surfshark.com'
option endpoint_port '51820'
option private_key '______'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '192.168.30.0/24'
cat /etc/config/firewall
# /etc/config/firewall as posted.
# forward 'DROP' is the inter-zone default; only the explicit forwarding sections below open paths.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
option synflood_protect '1'
option drop_invalid '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# Gast: forward DROP keeps guests away from the other zones, but input ACCEPT exposes every
# service on the router itself (ssh, LuCI, ...) to guest clients. With input REJECT or DROP the
# G-DHCP / G-DNS rules below become the only way in, which is what they look intended for.
config zone
option name 'Gast'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
list network 'Gast'
# VPN zone: same remark as for Gast — the V-DHCP / V-DNS rules only matter once input is not ACCEPT.
config zone
option name 'VPN'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
list network 'VPN'
option mtu_fix '1'
# wan: stock OpenWrt upstream zone with masquerading.
config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
# The rules from Allow-DHCP-Renew to Allow-ISAKMP are the stock OpenWrt wan rules.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two rules below forward ESP and UDP/500 from the internet into the lan zone; harmless unless
# a lan host listens on them, and removable if no IPsec endpoint lives behind the router.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config forwarding
option src 'Gast'
option dest 'wan'
# DHCP/DNS towards the router for the Gast and VPN VLANs. These are only effective once the
# corresponding zone's input policy is REJECT or DROP (see the zone sections above).
config rule
option name 'G-DHCP'
list proto 'udp'
option src 'Gast'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option name 'V-DHCP'
list proto 'udp'
option src 'VPN'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option name 'G-DNS'
option src 'Gast'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'V-DNS'
option src 'VPN'
option dest_port '53'
option target 'ACCEPT'
# tunnel zone for wg0. input DROP applies to packets arriving through the tunnel; the UDP
# handshake itself arrives on wan and is let in as a reply to the router's own outgoing packets
# (endpoint + persistent_keepalive in the network config). masq '1' NATs the VPN VLAN to the
# tunnel address, as the wan zone does for the others.
config zone
option name 'tunnel'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'wg0'
# Two exits for the VPN zone are allowed at once; the firewall does not choose between them, the
# routing table does. With no default route on wg0 (see 'ip route show': default via wan) VPN-VLAN
# internet traffic currently leaves via wan in the clear, and the same happens whenever the tunnel
# is down — there is no kill-switch. Once the tunnel routing works, remove the VPN => wan
# forwarding so the VPN VLAN can only reach the internet through wg0.
config forwarding
option src 'VPN'
option dest 'tunnel'
config forwarding
option src 'VPN'
option dest 'wan'
ip route show
default via 192.168.222.1 dev wan proto static src 192.168.222.13
10.____/16 dev wg0 proto kernel scope link src 10.____
__________ via 192.168.222.1 dev wan proto static
192.168.10.0/24 dev Switch.10 proto kernel scope link src 192.168.10.1
192.168.20.0/24 dev Switch.20 proto kernel scope link src 192.168.20.1
192.168.30.0/24 dev wg0 proto static scope link
192.168.222.0/24 dev wan proto kernel scope link src 192.168.222.13
wg show
interface: wg0
public key: _________________
private key: (hidden)
listening port: 33077
peer: _____________________
endpoint: _____________:51820
allowed ips: 192.168.30.0/24
latest handshake: 51 seconds ago
transfer: 35.73 KiB received, 159.94 KiB sent
persistent keepalive: every 25 seconds
For a setup with simple requirements, I like @egc's manual approach (and use it, or the flipped "VPN everywhere except..." version) on several devices rather than messing around with the PBR package. One custom routing table and then a single rule for each included (or excluded) local network. It's simple and easy to see exactly what's happening.