Two Wireguard connections, how to route traffic on each properly?

Hi!

I'm trying to achieve this:

  • Run two Wireguards on OpenWRT
  • Have all devices by default go through Wireguard1
  • Add a few exceptions where some devices go through Wireguard2
  • Have 'killswitch' functionality, i.e. no device can accidentally access internet through normal WAN when WG goes down

My problems:

  • When WG1 goes down, WG2 also seems to go down
  • After reboot, WG2 does not always come back up properly, but shows Data Received/Transmitted as 0 B
  • I am not sure if I am properly preventing any devices using normal WAN connection

I couldn't figure out how to do this setup myself, which I would have preferred so I wouldn't have to rely on additional packages, so I'm using VPN Policy Routing package which is pretty cool.

If it matters, I am also using Adguardhome installed on my OpenWRT router which works as the DNS, according to a guide that I found here on the forums.


WG1 goes down, WG2 follows
I don't quite understand why if WG1 goes down, devices connected to WG2 seem to also stop working, or at least resolving DNS (but I was still able to ping IP addresses?).

I thought VPN Policy Routing would route the chosen devices via WG2 even if WG1 is down?

Or is this inevitable if I have "Route Allowed IPs" ticked on any WG?

VPN Policy, prevent devices from accidental WAN access
There might be some unnecessary rules. My routing logic comes from Asus Merlin router where I set the rules this way on the OpenVPN.

I'm reasoning it so that if I set 192.168.1.0/24 to go through WG1, then VPN Policy's "Strict enforcement" would make doubly sure that those devices can't connect to WAN in any case - even if the default gateway would for some reason change.

I wanted to keep the default route ("Route Allowed IPs"?) as WG1, just so that if VPN Policy crashes or doesn't start for some reason, or gets disabled after updating OpenWRT, the traffic would always go via the WG1 connection.

WG2 not always connecting after reboot
Sometimes after my router reboots, WG2 does not come back up properly; looks like it's connected and handshake is done, but Data Received/Transmitted shows 0 B. If I restart WG2 interface (or click on Restart button in 'VPN Policy Routing'), it works.

I'm guessing it might have to do with WG2 using a URL as its peer endpoint address and it can't resolve the address, maybe because WG1 isn't up yet and WG2's connection seems to be dependent on WG1?


Contents of /etc/config/dhcp
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        list server '192.168.1.1#5353'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac 'x'
        option name 'laptop1'
        option dns '1'
        option ip '192.168.1.6'

config host
        option mac 'x'
        option name 'laptop2'
        option dns '1'
        option ip '192.168.1.7'

Contents of /etc/config/network
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wg1'
        option proto 'wireguard'
        option force_link '1'
        option private_key 'x'
        option listen_port '51821'
        list addresses 'ipv4 address'
        list addresses 'ipv6 address'

config wireguard_wg1
        option description 'wg1-first'
        option public_key 'x'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host 'ip address'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config interface 'wg2'
        option proto 'wireguard'
        option force_link '1'
        option private_key 'x'
        option listen_port '51822'
        list addresses 'ipv4 address'
        list addresses 'ipv6 address'

config wireguard_wg2
        option description 'wg2-second'
        option public_key 'x'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'example.com'
        option endpoint_port '52221'

Contents of /etc/config/firewall
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wgzone_1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg1'

config forwarding
        option src 'lan'
        option dest 'wgzone_1'

config zone
        option name 'wgzone_2'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg2'

config forwarding
        option src 'lan'
        option dest 'wgzone_2'

Contents of /etc/config/vpn-policy-routing
root@OpenWrt:~# cat /etc/config/vpn-policy-routing

config policy
        option interface 'wan'
        option name 'Router allow wan'
        option src_addr '192.168.1.1'

config policy
        option interface 'wg2'
        option name 'Laptop1'
        option src_addr '192.168.1.6'

config policy
        option name 'Laptop2'
        option src_addr '192.168.1.7'
        option interface 'wg2'

config policy
        option name 'All to WG1'
        option src_addr '192.168.1.0/24'
        option interface 'wg1'

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_protocol_column '0'
        option webui_chain_column '0'
        option webui_show_ignore_target '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option webui_enable_column '1'
        option enabled '1'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'



I am likely not understanding something correctly.

I'm a beginner and I'm not much into CLI and rely on Luci, and network terms and concepts occasionally go over my head that I read here on the forums.

Any advice from the wise folk here?

1 Like

https://docs.openwrt.melmac.net/vpn-policy-routing/#wireguard-tunnel

The second VPN may depend on the first one if you alter the default route in the main table.

Disable the LAN to WAN forwarding in the firewall if you need the kill switch feature.

2 Likes

I use mwan3 package for the similar case.

1 Like

I unchecked the "Route Allowed IPs" from WG1 (now it's unchecked on both WG1 and WG2), and removed WAN from LAN in the firewall.

And wow, that does work when I absolutely want to block WAN access from all the devices. Thanks vgaetera.

Earlier when I was trial-and-erroring, I saw this line from the readme doc:

"The service does NOT support the "killswitch" router mode (where if you stop the VPN tunnel, you have no internet connection). For proper operation, leave all the default OpenWrt network and firewall settings for lan and wan intact."

With LAN to WAN forwarding still disabled, is there a quick way to give WAN access to only one specific device in case it's needed, by a firewall rule? VPN Policy Routing's WAN option does not work now, so this kind of situation is probably what the quote above was referring to.

1 Like

Is it a complicated setup to do? I've only glanced at it, but the general consensus seemed to be that mwan3 is a more complicated beast to use or configure.

Just add a firewall rule allowing traffic from a specific IP on LAN to WAN.
This rule can be enabled/disabled on demand.

1 Like
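The two pieces of advice in this thread (unset "Route Allowed IPs" so the second tunnel does not hang off the first one's default route, and drop the lan-to-wan forwarding for the kill switch, then re-open WAN per host with a single rule) are both things you can check for in the UCI files rather than in LuCI. The script below is an added example, not code from the thread or from OpenWrt or vpn-policy-routing: it parses UCI-style text with awk and answers three questions: how many WireGuard peers install a default route, whether any lan->wan forwarding stanza is left, and which hosts currently have an enabled lan->wan exception rule. The configs embedded in it are constructed to mirror the ones posted above (trimmed), and `Laptop2-WAN`/`Laptop1-WAN` are made-up rule names; on a real router you would feed it `$(cat /etc/config/network)` and `$(cat /etc/config/firewall)` instead.

```shell
#!/bin/sh
# Added example: audit /etc/config/network and /etc/config/firewall text for the
# settings discussed in the thread. Values with spaces are truncated to their
# first word, which is fine for the keys inspected here.

# Print one line per UCI stanza: "type key=value key=value ..." (list entries
# are joined with commas). Quotes are stripped; q carries the quote character.
uci_stanzas() {
    printf '%s\n' "$1" | awk -v q="'" '
        function flush(  k, line) {
            if (type == "") return
            line = type
            for (k in o) line = line " " k "=" o[k]
            print line
            split("", o); type = ""
        }
        /^config / { flush(); type = $2 }
        /^[ \t]*(option|list) / {
            key = $2; val = $3; gsub(q, "", val)
            if ($1 == "list" && (key in o)) o[key] = o[key] "," val
            else o[key] = val
        }
        END { flush() }'
}

# Number of WireGuard peers that push 0.0.0.0/0 into the main routing table
# (allowed_ips covers everything AND route_allowed_ips is '1'). With two
# tunnels, any such peer is the one the other tunnel ends up depending on.
default_route_peers() {
    uci_stanzas "$1" | awk '
        /^wireguard_/ && /allowed_ips=[^ ]*0\.0\.0\.0\/0/ && /route_allowed_ips=1/ { n++ }
        END { print n + 0 }'
}

# Number of lan->wan forwarding stanzas; 0 means the kill switch is in place.
lan_to_wan_forwardings() {
    uci_stanzas "$1" | awk '
        /^forwarding / && / src=lan( |$)/ && / dest=wan( |$)/ { n++ }
        END { print n + 0 }'
}

# src_ip of every enabled lan->wan ACCEPT rule: the per-host exceptions that
# the last reply suggests toggling on demand.
wan_exception_hosts() {
    uci_stanzas "$1" | awk '
        /^rule / && / src=lan( |$)/ && / dest=wan( |$)/ && / target=ACCEPT( |$)/ && !/ enabled=0( |$)/ {
            for (i = 2; i <= NF; i++) if ($i ~ /^src_ip=/) { sub(/^src_ip=/, "", $i); print $i }
        }'
}

# Constructed samples (trimmed from the thread): before and after the fix.
NETWORK_BEFORE=$(cat <<'EOF'
config wireguard_wg1
        option public_key 'x'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option route_allowed_ips '1'

config wireguard_wg2
        option public_key 'x'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
EOF
)
# "Route Allowed IPs" unticked on both peers.
NETWORK_AFTER=$(printf '%s\n' "$NETWORK_BEFORE" | grep -v route_allowed_ips)

FIREWALL_BEFORE=$(cat <<'EOF'
config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wgzone_1'
EOF
)
# lan->wan forwarding removed; one enabled and one disabled per-host exception.
FIREWALL_AFTER=$(cat <<'EOF'
config forwarding
        option src 'lan'
        option dest 'wgzone_1'

config rule
        option name 'Laptop2-WAN'
        option src 'lan'
        option src_ip '192.168.1.7'
        option dest 'wan'
        option target 'ACCEPT'

config rule
        option name 'Laptop1-WAN'
        option src 'lan'
        option src_ip '192.168.1.6'
        option dest 'wan'
        option target 'ACCEPT'
        option enabled '0'
EOF
)

echo "WireGuard peers owning the default route (before/after): $(default_route_peers "$NETWORK_BEFORE") / $(default_route_peers "$NETWORK_AFTER")"
echo "lan->wan forwardings (before/after): $(lan_to_wan_forwardings "$FIREWALL_BEFORE") / $(lan_to_wan_forwardings "$FIREWALL_AFTER")"
echo "hosts with an enabled WAN exception after the change: $(wan_exception_hosts "$FIREWALL_AFTER")"
```

The "after" firewall sample is the shape the last reply describes: no blanket lan->wan forwarding, and a `config rule` per host whose `enabled` option you flip when that device genuinely needs the plain WAN. Note that the rule only covers forwarded traffic from that host; the VPN Policy Routing `wan` policy for the router itself (192.168.1.1) is a separate matter, since the router's own traffic is not forwarded through the lan zone.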
