Two LANs, two gateways (split tunneling)

Hi all,

I have some trouble trying to achieve a config on my WRT1900AC.

This is the current scenario:
if name: lan(br-lan.1) > 192.168.77.0/24
if name: plan(br-lan.22) > 172.16.77.0/24

if name: wan (internet)
if name: wgnor0 (VPN to NordVpn intended to be "wan2")

What I tried to achieve is to split the traffic of both networks: lan will go out via wan as in any usual config, and "plan" will go out via wgnor0 (intended to be wan2).

I tried to achieve this with policy routing based on the manual shared in the community several times, and even with the PBR package, but I can't get it to work, and I scrapped all the config to start from scratch.

Usually in the manuals that use WireGuard or split tunneling I always see that they send all traffic from the LAN to the VPN as the GW, and then they leave some specific hosts out of the tunnel, but that is not what I want to achieve. I want to split both LANs completely, as if they were independent networks with independent WANs (gateways). Can someone point me in the right direction? Is PBR the best solution?

Thanks

# Assign a routing table to each interface and add a rule that sends traffic
# arriving from "plan" to the table of wgnor0 (done for IPv4 and IPv6).
for IPV in 4 6
do
    uci set network.lan.ip${IPV}table="1"
    uci set network.plan.ip${IPV}table="2"
    uci set network.wgnor0.ip${IPV}table="3"
    # ${IPV%4} strips a trailing "4": the section is plan_vpn/rule for IPv4 and plan_vpn6/rule6 for IPv6
    uci -q delete network.plan_vpn${IPV%4}
    uci set network.plan_vpn${IPV%4}="rule${IPV%4}"
    uci set network.plan_vpn${IPV%4}.in="plan"
    uci set network.plan_vpn${IPV%4}.lookup="3"
    uci set network.plan_vpn${IPV%4}.priority="30000"
done
uci commit network
service network restart

Hi vgaetera,

Thanks for your reply. I understand the config you shared, but what is this line for?

uci -q delete network.plan_vpn${IPV%4}

I don't have a plan_vpn in my files, so I guess it will do nothing in my case. What is this line intended for?

It makes sure the relevant UCI section contains only the listed options in case you decide to re-apply the configuration after some customization, i.e. it helps achieve a predictable and reproducible result.

I imagine it was for cleaning up before applying the new config. I applied the config and still can't get it to work. This is how it looks now.

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.77.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ip4table '1'

config interface 'plan'
	option proto 'static'
	option device 'br-lan.22'
	option ipaddr '172.17.77.1'
	option netmask '255.255.255.0'
	option ip4table '3'

config interface 'wgnor0'
	option proto 'wireguard'
	option private_key XXX
	list addresses '10.5.0.2/32'
	list dns 'X.X.X.X'
	option ip4table '4'

config wireguard_wgnor0
	option description 'XXX.nordvpn.com'
	option public_key XXXX
	option endpoint_host 'XXX.nordvpn.com'
	list allowed_ips '0.0.0.0/0'

config rule 'plan_vpn4'
	option lookup '4'
	option priority '30000'
	option in 'plan'

128 prelocal
255 local
254 main
253 default
0 unspec
1 br-lan.1
3 br-lan.22
4 wgnor0

I'm not sure about the WireGuard part; how should the list allowed_ips '0.0.0.0/0' be configured? I have checked and the connection is established with NordVPN, so that is not an issue.

uci set network.@wireguard_wgnor0[0].route_allowed_ips="1"
uci commit network
service network restart

config wireguard_wgnor0
	option description 'XXX.nordvpn.com'
	option public_key 'XXXX'
	option endpoint_host 'XXX.nordvpn.com'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

Same, still no traffic from plan to the WG.

What about the firewall?
This seems fine also? Notice I allow all traffic between WG and plan and will lower the bar later when it works; I just don't want the firewall to be causing problems in the meantime.

config zone
	option name 'plan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'plan'
	option log '1'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'WGServ'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	list network 'wg0'

config zone
	option name 'wgnord'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wgnor0'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'plan'
	option dest 'wgnord'

config forwarding
	option src 'wgnord'
	option dest 'plan'

Just to bring some more info: when I enable the firewall log I see the traffic is being pushed to the wan.20 interface, which is the internet GW, not the VPN.

Wed Oct 18 14:27:23 2023 kern.warn kernel: [52342.830060] reject plan forward: IN=br-lan.22 OUT=wan.20 MAC=00:25:9xxxx SRC=172.17.77.122 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=65337 DF PROTO=ICMP TYPE=8 CODE=0 ID=823 SEQ=864

Which means the traffic is not being routed to the correct GW.

Check on OpenWrt:

ip -4 route show table all; ip -4 rule show; wg show
ip route get 8.8.8.8 iif br-lan.22 from 172.17.77.122

192.168.77.0/24 dev br-lan.1 table br-lan.1 proto static scope link
172.17.77.0/24 dev br-lan.22 table br-lan.22 proto static scope link
default dev wgnor0 table wgnor0 proto static scope link
10.5.0.2 dev wgnor0 table wgnor0 proto static scope link
default via 82.xxxxxx.1 dev wan.20 proto static src 82.213.xxxxxx

82.213.xxxxx/19 dev wan.20 proto kernel scope link src 82.xxxxxx
138.199.47.169 via 82.xxxxxxx dev wan.20 proto static
local 10.5.0.2 dev wgnor0 table local proto kernel scope host src 10.5.0.2
local 82.xxxxx dev wan.20 table local proto kernel scope host src 82.xxxxxx
broadcast 82.xxxx.255.255 dev wan.20 table local proto kernel scope link src 82.xxxxxx
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.17.77.1 dev br-lan.22 table local proto kernel scope host src 172.17.77.1
broadcast 172.17.77.255 dev br-lan.22 table local proto kernel scope link src 172.17.77.1
local 192.168.77.1 dev br-lan.1 table local proto kernel scope host src 192.168.77.1
broadcast 192.168.77.255 dev br-lan.1 table local proto kernel scope link src 192.168.77.1

0: from all lookup local
10000: from 192.168.77.1 lookup br-lan.1
10000: from 172.17.77.1 lookup br-lan.22
10000: from 10.5.0.2 lookup wgnor0
20000: from all to 192.168.77.1/24 lookup br-lan.1
20000: from all to 172.17.77.1/24 lookup br-lan.22
20000: from all to 10.5.0.2 lookup wgnor0
32766: from all lookup main
32767: from all lookup default
90032: from all iif lo lookup br-lan.1
90034: from all iif lo lookup br-lan.22
90036: from all iif lo lookup wgnor0

interface: wgnor0
public key: xxxxxxxxxxx
private key: (hidden)
listening port: 37871

peer: xxxxxxxxxxx
endpoint: xxxxxx:51820
allowed ips: 0.0.0.0/0

ip route get 8.8.8.8 iif br-lan.22 from 172.17.77.2
result:
8.8.8.8 from 172.17.77.2 via 82.213.224.1 dev wan.20
cache iif br-lan.22

A properly connected WireGuard interface must list the latest handshake parameter.

Let me double check that. Thanks.


As I suspected, there was no handshake because there was no initial traffic on the interface wgnor0.

I caused traffic with

ping -I wgnor0 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=115 time=69.241 ms
64 bytes from 8.8.8.8: seq=1 ttl=115 time=22.153 ms

And there you have the handshake:

peer: FXXXXXXXXXX
endpoint: 138.XXXXXX:51820
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 13 seconds ago
transfer: 1.34 KiB received, 1.43 KiB sent

It's not the tunnel; it's that plan is not routed to wgnor0, just sent over to wan.22 for a reason I don't quite understand.

The routing rule is missing in your runtime configuration.
Restart the network service or reboot router and check again.
If the issue persists, there must be a problem in your network config.
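A runtime check for this diagnosis, added here as an example and not part of the thread: it inspects a dump of "ip -4 rule show" for the rule netifd creates from the config rule (from all iif br-lan.22 lookup wgnor0, at a priority below the main table) and an "ip route get" result line for the exit device. The sample dumps are constructed from the outputs posted earlier; device and table names are taken from the thread.

```shell
#!/bin/sh
# Added troubleshooting helper (not from the thread). Works on any dump of
# `ip -4 rule show` / `ip route get`, so it can be fed live output on the router.

# Constructed sample: the runtime rule set as posted, where the plan rule is missing.
RULES_MISSING='0: from all lookup local
10000: from 172.17.77.1 lookup br-lan.22
20000: from all to 172.17.77.1/24 lookup br-lan.22
32766: from all lookup main
32767: from all lookup default
90034: from all iif lo lookup br-lan.22'

# Constructed sample: the same dump once the "config rule 'plan_vpn4'" entry is active.
RULES_OK='0: from all lookup local
10000: from 172.17.77.1 lookup br-lan.22
20000: from all to 172.17.77.1/24 lookup br-lan.22
30000: from all iif br-lan.22 lookup wgnor0
32766: from all lookup main
32767: from all lookup default
90034: from all iif lo lookup br-lan.22'

# has_pbr_rule IIF TABLE DUMP: succeeds if DUMP holds "from all iif IIF lookup TABLE"
# with a priority lower than main (32766), i.e. it is consulted before the main table.
has_pbr_rule() {
    printf '%s\n' "$3" | awk -v iif="$1" -v tbl="$2" '
        $2 == "from" && $3 == "all" && $4 == "iif" && $5 == iif &&
        $6 == "lookup" && $7 == tbl { sub(":", "", $1); if ($1 + 0 < 32766) found = 1 }
        END { exit found ? 0 : 1 }'
}

# exits_via DEV LINE: succeeds if an `ip route get` result line selects DEV as exit device.
exits_via() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) found = 1 }
        END { exit found ? 0 : 1 }'
}

# On the router, feed live output instead of the constructed samples:
#   has_pbr_rule br-lan.22 wgnor0 "$(ip -4 rule show)" && echo "plan rule present"
#   exits_via wgnor0 "$(ip route get 8.8.8.8 iif br-lan.22 from 172.17.77.2)" && echo "exits via wgnor0"
```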

That's strange, you are right, but it is definitely in the UCI config:

config rule 'plan_vpn4'
	option lookup 'wgnor0'
	option priority '30000'
	option in 'plan'

Will restart in a bit and report back


You are good! 🤠 Now it works!

I removed the rule and created it from scratch, and now it works as it should. Thanks for your help.


One question for fine-tuning: should I keep this in the firewall rules, or can I get rid of it?

That's typically necessary only for upstream zones like WAN or commercial VPN.

One more question: do I need to keep the PBR package installed, or can I get rid of it?

This is built-in functionality, extra packages are not required.