Trouble Wireguard to specific IP not working

Hey there,

My network is as follows:

Raspberry pi - 192.168.0.10 ---> managed Switch 192.168.0.100 ---> AP
---> unmanaged Switch and AP

I have these 2 Vlans on the managed switch and both of them work ok.

Now I need to set up WireGuard for one single IP on my network.

So I tried to set it up as a new VLAN -- fails; no matter what, there's no internet connection on the new VLAN, with or without VPN.

So I tried WireGuard and then allowed IP 192.168.0.206 (which is the one I want to have VPN only); nothing happens.

Then I tried the VPN Policy Routing app, but I saw many people had issues with it on the latest build, so I removed it and installed PBR.

On PBR it's set as follows:

Lan 192.168.0.10 Forward to >>>WAN
VPN Device 192.168.0.206 Forward to >>>VPN WIREGUARD

When I do that, the VPN device has no internet at all...

So I guess the routing table from WireGuard is all messed up. I need instructions on how to do it from 0, because I spent 48 hours trying without success, and on previous builds all I needed to do was a simple VPN route policy.

Here's how the network config is:

/etc$ cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5e:ff10:9e59::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.10'
	list dns '192.168.0.10'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '2'
	option name 'br-lan2'

config interface 'WAN'
	option proto 'dhcp'
	option device 'br-lan2'
	option force_link '1'
	option broadcast '1'
	option peerdns '0'
	list dns '192.168.0.10'

config interface 'WAN6'
	option proto 'dhcpv6'
	option device 'br-lan2'
	option force_link '1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '192.168.0.10'

config interface 'VPN'
	option proto 'wireguard'
	option private_key '******************************************'
	list addresses '10.2.0.2/32'
	option peerdns '0'
	list dns '10.2.0.1'

config wireguard_VPN
	option description 'Ed-NL_8.conf'
	option public_key '****************************************'
	option endpoint_host '***************************'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

If you could be so kind that would be great, thanks in advance :slight_smile:

Is your wireguard tunnel correctly configured?
Does it allow 192.168.0.206 as source address?
Does it have default route?

Hello,

Yes it does, but I don't seem to isolate the 206 correctly.

It's always all or nothing.

Can you give me an example of how to route it manually? I think that's where the issue is!

Set a metric for the wireguard interface

uci set network.VPN.metric='100'
uci commit network; /etc/init.d/network restart
ip rule add from 192.168.0.206 table 100 prio 1
ip route add default dev VPN table 100

If it works, add the ip rule/route to /etc/config/network

uci add network rule
uci set network.@rule[-1].lookup='100'
uci set network.@rule[-1].src='192.168.0.206/32'
uci set network.@rule[-1].priority='1'

uci add network route
uci set network.@route[-1].target='0.0.0.0/0'
uci set network.@route[-1].table='100'
uci set network.@route[-1].interface='VPN'

3 Likes

Hello, that works, but there's a problem: when I set add network rule and add network route, it doesn't work.

I checked and the network file at etc/config isn't changed after inserting the commands, any idea?

And if I may ask, why do I need a rule and a route? The rule states that for the table which we named 100 the source will be the IP of the VPN client with priority 1, so that means the route for that table which is assigned to that address needs to be done to set the target, right?

And what if I want to add more IPs as source? Do I need to create more tables? Thanks in advance :slight_smile:

You will not see any changes in /etc/config/network before running uci commit changes, or alternatively you can see the current network configuration running uci export network.
Don't forget to restart the network service after making the changes.

The ip rule specifies which routing table to lookup (100) if the rule's selector matches (source IP address 192.168.0.206). A lower priority number means a higher processing priority and the rules are processed in ascending number order.

After creating the ip rule, you need to populate routing table 100 with the corresponding ip route(s).

You just need to create several ip rules pointing to routing table 100 with the necessary source ip addresses.

If the addresses are consecutive, you can use CIDR notation.
For example, 192.168.0.204/30 will cover addresses from 204 to 207.

1 Like

Very nice, it works like a charm thank you very much.

May I also ask how to enable a kill switch for that one?

Because from what I understood, it's enough to just have it in a separate firewall zone, and then if it fails no internet comes from WAN, so it should be OK, right?

uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci add_list firewall.vpn.network="vpn"
uci del_list firewall.wan.network="vpn"
uci -q delete firewall.@forwarding[0]
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
/etc/init.d/firewall restart

This guide is for the general case where all lan clients are using the vpn service and if the vpn service is down, no one can access the Internet.

Also note that you can't just copy/paste the commands.
They must be adapted to your configuration.
For example, your wireguard interface name is in uppercase (which is not best practice).

You need firewall rules that prohibit the specified vpn clients from making outbound connections via the wan interface.

uci add firewall include
uci set firewall.@include[-1].type='nftables'
uci set firewall.@include[-1].path='/etc/kill_switch.nft'
uci set firewall.@include[-1].position='chain-pre'
uci set firewall.@include[-1].chain='forward'

cat << "EOF" > /etc/kill_switch.nft
oifname "br-lan2" ip saddr 192.168.0.206 counter reject
EOF
uci commit firewall
fw4 restart

Create as many rules as needed in /etc/kill_switch.nft listing all source IP addresses.

1 Like
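
Added example, not written by any participant in this thread: a script that takes one list of VPN-only sources and prints both the uci rule/route commands for table 100 and the matching /etc/kill_switch.nft lines, so a client is never policy-routed without also being blocked on the WAN device. It generalizes the single-address commands above to a list; the function names and the sample CLIENTS list are assumptions, while table 100, VPN and br-lan2 are the values from the posts.

```shell
# Added example (not from the thread). Table 100, interface VPN and WAN device
# br-lan2 are the values used in the posts above; CLIENTS is a constructed list.
TABLE=100 VPN_IF=VPN WAN_DEV=br-lan2
CLIENTS="192.168.0.206 192.168.0.204/30"

# Accept only dotted-quad IPv4 with an optional /0-32 prefix, so nothing else
# can end up in a uci command or in the nftables include file.
valid_src() {
    addr=${1%%/*} len=32
    case $1 in */*) len=${1#*/} ;; esac
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Refuse the whole list if any entry is invalid, before printing anything.
check_all() {
    for s in "$@"; do valid_src "$s" || { echo "bad source: $s" >&2; return 1; }; done
}

# One ip rule per source, all looking up the same table, then the single
# default route that populates that table.
gen_uci() {
    check_all "$@" || return 1
    for src in "$@"; do
        case $src in */*) ;; *) src=$src/32 ;; esac
        printf '%s\n' "uci add network rule" \
            "uci set network.@rule[-1].lookup='$TABLE'" \
            "uci set network.@rule[-1].src='$src'" \
            "uci set network.@rule[-1].priority='1'"
    done
    printf '%s\n' "uci add network route" \
        "uci set network.@route[-1].target='0.0.0.0/0'" \
        "uci set network.@route[-1].table='$TABLE'" \
        "uci set network.@route[-1].interface='$VPN_IF'" "uci commit network"
}

# Matching kill-switch lines for /etc/kill_switch.nft: the same sources are
# rejected when they would leave through the WAN device.
gen_nft() {
    check_all "$@" || return 1
    for src in "$@"; do
        printf 'oifname "%s" ip saddr %s counter reject\n' "$WAN_DEV" "$src"
    done
}
gen_uci $CLIENTS && gen_nft $CLIENTS   # print for review; nothing is applied
```

The output is only printed: review it, then run the uci lines on the router and write the nft lines to /etc/kill_switch.nft before restarting the network and firewall as described in the posts above.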

Gotcha thank you :slight_smile:

1 Like
