VPN client (WireGuard) as WAN for guest network

Hello,

I'm rather new to OpenWRT so I apologize if this is a basic question. I've searched and more questions were raised than answered.

Here is my goal configuration:

WAN <===> LAN 192.168.1.0/24
Wireguard_Client <===> GUEST_LAN 192.168.100.0/24

The WG configuration works and I can connect to my upstream VPN provider IF I set the WG client's "Allowed IPs" setting to 0.0.0.0/0, but then it kills my regular WAN (with "Route Allowed IPs" enabled, 0.0.0.0/0 is also installed as a default route in the main routing table, displacing the WAN one). When I restart the router with WG turned off, my regular connection works again.

From what I can tell, I need policy-based routing (PBR): a separate routing table with its own default gateway for each WAN interface, plus rules that select the table by source network.

That's where I am stuck. I tried the method described here (iproute2 scripts for handling a secondary routing table) but it doesn't seem to work, even though I believe I've defined the two routing tables properly.

I now see options for mwan3 and vpn-policy-routing and they look better than that.

Basically, although I feel like I am getting close, I'm overwhelmed and hoping someone could help me take the next step to completing this setup. Hopefully it's just one or two static routes to fix this.

Here are some outputs for troubleshooting purposes:

/etc/iproute2/rt_tables

root@OpenWrt:/etc/iproute2# cat rt_tables
#
# reserved values
#
128	prelocal
255	local
254	main
253	default
0	unspec
100     guest
#
# local
#
#1	inr.ruhep

/etc/hotplug.d/iface/99-WGINTERFACE

root@OpenWrt:/etc/hotplug.d/iface# cat 99-WGINTERFACE 
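#!/usr/bin/env sh
# Hotplug handler for the WireGuard client interface.
#
# When WGINTERFACE comes up, install a default route through it in the
# dedicated "guest" routing table (id 100 in /etc/iproute2/rt_tables).
# The main table is left alone, so the regular WAN default route survives;
# the companion 99-guest script adds the ip rule that sends GUEST_LAN
# traffic to this table.
#
# hotplug.d/iface scripts are sourced by hotplug-call with INTERFACE,
# ACTION and DEVICE already in the environment; the shebang is only
# informational.

wg_iface=WGINTERFACE
table=guest   # must be the same name used in 99-guest and in rt_tables

# Install (or refresh) the guest table's default route via device $1.
# "replace" keeps a reconnect / repeated ifup from failing with
# "RTNETLINK answers: File exists", which a plain "add" does once the
# route is already present.
add_guest_default() {
  ip route replace default dev "$1" table "$table" proto static
}

if [ "$INTERFACE" = "$wg_iface" ] && [ "$ACTION" = "ifup" ]; then
  # No ifdown branch: the kernel removes IPv4 routes through a device when
  # that device goes down or is deleted. While the tunnel is down the guest
  # table has no default route, so a lookup falls through to main; in this
  # setup the firewall (GUEST_LAN may only be forwarded to the WGINTERFACE
  # zone) is what stops guest traffic from leaking out the regular WAN in
  # that window. A fail-closed alternative at the routing layer would be a
  # higher-metric "ip route add unreachable default table guest metric 1000".
  add_guest_default "$DEVICE"
fi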

/etc/hotplug.d/iface/99-guest

root@OpenWrt:/etc/hotplug.d/iface# cat 99-guest  
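#!/usr/bin/env sh
# Hotplug handler for the guest bridge.
#
# When GUEST_LAN comes up, add a policy-routing rule so packets entering on
# the guest bridge are looked up in the "guest" table (id 100 in
# /etc/iproute2/rt_tables), whose default route is installed by
# 99-WGINTERFACE. On ifdown the rule is removed again.
#
# The table name must exist in rt_tables: "lookup GUEST_LAN" (the interface
# name) is rejected by ip(8) as an invalid table, which silently leaves the
# guest network on the main table.

guest_iface=GUEST_LAN
table=guest   # same name as in 99-WGINTERFACE and rt_tables
dev=$DEVICE   # set by netifd on ifup; not reliably present on ifdown

# Print the kernel device behind UCI interface $1.
# A bridge interface (option type 'bridge', or more than one ifname) is
# br-<name> regardless of how many ports it has; GUEST_LAN has a single
# ifname (eth0.1000) but is still br-GUEST_LAN. Anything else is its ifname.
if2dev() {
  _name=$1
  _ifn=$(uci -q get "network.$_name.ifname")
  # shellcheck disable=SC2086 -- word-split on purpose to count ifnames
  set -- $_ifn
  if [ "$(uci -q get "network.$_name.type")" = "bridge" ] || [ "$#" -gt 1 ]; then
    _ifn="br-$_name"
  fi
  printf '%s\n' "$_ifn"
}

# Remove every rule matching device $1 (a repeated ifup would otherwise
# stack duplicate copies that a single "ip rule del" does not clear).
del_guest_rule() {
  while ip rule del iif "$1" lookup "$table" 2>/dev/null; do :; done
}

if [ "$INTERFACE" = "$guest_iface" ]; then
  case "$ACTION" in
    ifup)
      [ -n "$dev" ] || dev=$(if2dev "$guest_iface")
      del_guest_rule "$dev"
      # Routing only: if the guest table has no default route (tunnel down)
      # the lookup falls through to main. The firewall, which forwards
      # GUEST_LAN only to the WGINTERFACE zone, is what keeps guest traffic
      # off the regular WAN in that case.
      ip rule add iif "$dev" lookup "$table"
      ;;
    ifdown)
      # $DEVICE is missing when the interface goes down; derive it from UCI.
      dev=$(if2dev "$guest_iface")
      del_guest_rule "$dev"
      ;;
  esac
fi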

/etc/config/firewall

root@OpenWrt:/etc/config# cat firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

# Guest zone. Clients may not talk to the router itself (input REJECT)
# except where a rule below allows it, and are not forwarded anywhere
# except through the single "config forwarding" to WGINTERFACE. There is
# deliberately no forwarding to 'lan' or 'wan': guests are isolated from
# 192.168.1.0/24, and while the tunnel is down their traffic cannot fall
# back to the plain WAN (the firewall, not the routing table, is the
# kill switch here).
config zone
	option name 'GUEST_LAN'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '0'
	option network 'GUEST_LAN'

# Tunnel zone. Guest 192.168.100.0/24 sources are NATed (masq) to the
# WireGuard address before entering the tunnel, and TCP MSS is clamped
# (mtu_fix) for the tunnel's smaller MTU. Nothing initiated from the
# tunnel side is accepted or forwarded.
config zone
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'
	option name 'WGINTERFACE'
	option network 'WGINTERFACE'

# Only DHCP is allowed from guests to the router. No rule permits DNS
# (53 udp/tcp) to the router's dnsmasq, so guests need a resolver they
# can reach through the tunnel. If they are meant to use the router's
# resolver, add a 53 rule here -- but note that dnsmasq's own upstream
# queries would presumably then follow the router's default route (the
# regular WAN), not the tunnel; confirm before relying on it.
config rule
	option src_port '68'
	option src 'GUEST_LAN'
	option name 'Allow-Guest-DHCPv4-Input'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest_port '67'
	list proto 'udp'

# The one permitted egress for guests.
config forwarding
	option dest 'WGINTERFACE'
	option src 'GUEST_LAN'

/etc/config/network
Scrubbed for privacy

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXXXXXX'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.40'
	option force_link '0'

config interface 'wan'
	option proto 'pppoe'
	option ipv6 'auto'
	option peerdns '0'
	list dns 'XXXX'
	option ifname 'eth1.20'
	option password 'XXXXXXXX'
	option username 'XXXXXXXX'

config interface 'wan6'
	option proto 'dhcpv6'
	list dns 'XXXXXXXX'
	option reqprefix 'auto'
	option reqaddress 'try'
	option peerdns '0'
	option ifname 'eth1.20'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5t'
	option vid '1000'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '20'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '40'
	option ports '0 1 2 3 5t'

# WireGuard client to the VPN provider. Keys are redacted in this post;
# on the router /etc/config/network holds the private key in clear text,
# so treat that file as a secret and never paste it unredacted.
config interface 'WGINTERFACE'
	option proto 'wireguard'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXX='
	list addresses '10.64.X.XX/32'
	list addresses 'fc00:bbbb:bbbb:bb01::1:74c/128'

# Peer. allowed_ips is WireGuard's cryptokey-routing filter: any IPv4
# destination may be sent to (and accepted from) this peer. There is no
# ::/0, so no IPv6 goes through the tunnel.
# route_allowed_ips '1' additionally installs 0.0.0.0/0 as a route in the
# main table, which is what displaces the WAN default route (the symptom
# in the opening post). With policy routing the tunnel's default belongs
# in the guest table only, so this should be '0' -- the fix the thread
# arrives at later.
config wireguard_WGINTERFACE
	option route_allowed_ips '1'
	option public_key 'XXXXXXXXXXXXXXXXXXXXXXX='
	option description 'Mullvad'
	option endpoint_host 'X.X.X.X'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'

config interface 'GUEST_LAN'
	option proto 'static'
	option type 'bridge'
	option netmask '255.255.255.0'
	option ifname 'eth0.1000'
	option ipaddr '192.168.100.1'

Your expert look would be excellent. I hope I did enough due diligence to make this question worth your time.

Thank you!
Lane


I managed to get a similar scenario working with OpenVPN. If I'm not mistaken, when WG is up all traffic is routed via the VPN gateway. In any case vpn-policy-routing or vpnbypass is needed; I would go for vpnbypass and basically apply it to the lan network (the VPN becomes the default and the listed lan subnet bypasses it).

the config file would look something like this

# vpnbypass as proposed here: the tunnel is the default route and the
# listed subnets are routed around it. localsubnet should be the network
# address, 192.168.1.0/24 -- 192.168.1.1/24 has host bits set; some tools
# mask it silently, others reject it.
config vpnbypass 'config'
option enabled '1'
list localsubnet '192.168.1.1/24'

Without changing anything in your firewall/network config files it should work; make sure ipset, dnsmasq-full, etc. are installed.

Let me know if it works

Unfortunately, doing the following (based on your link above) didn't work. I did:

# vpn-policy-routing: send everything sourced from the guest subnet that is
# not destined for the guest subnet itself out through WGINTERFACE. The
# 192.168.1.0/24 LAN is not matched, so it keeps using the regular WAN.
uci set vpn-policy-routing.config.enabled="1"
# Remove any dest_ipset option and any earlier lan_vpn policy first so these
# commands can be re-run without stacking duplicate policies.
uci -q delete vpn-policy-routing.config.dest_ipset
uci -q delete vpn-policy-routing.lan_vpn
uci set vpn-policy-routing.lan_vpn="policy"
uci set vpn-policy-routing.lan_vpn.src_addr="192.168.100.0/24"
uci set vpn-policy-routing.lan_vpn.dest_addr="!192.168.100.0/24"  # leading "!" negates the match
uci set vpn-policy-routing.lan_vpn.interface="WGINTERFACE"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart
# NOTE(review): this cannot take effect while WGINTERFACE still installs its
# own 0.0.0.0/0 route in the main table (route_allowed_ips '1'); the thread
# resolves that with route_allowed_ips '0'. The hand-rolled 99-guest /
# 99-WGINTERFACE hotplug scripts and the rt_tables "guest" entry presumably
# duplicate what vpn-policy-routing sets up and should be removed so two
# independent rule sets do not steer the same traffic.

I did notice, however, that on LuCI's Status > Routes page, under IPv4 Routes, WGINTERFACE still has a default route in the "main" routing table. This is getting messy, but I'm still pretty sure it can be fixed by specifying or removing the right route. I just don't know how...

By the way, how can I create collapsable text for code snippets like I see on other posts?

https://docs.openwrt.melmac.net/vpn-policy-routing/#a-word-about-default-routing

Gear button > Hide Details


Success!

Under the link you recommended there is advice (contrary to the official Mullvad VPN guide for OpenWrt) to turn OFF "Route Allowed IPs" under WGINTERFACE > Edit > Peers.


For your WireGuard (client) peer config (the `config wireguard_WGINTERFACE` section):

option route_allowed_ips '0'

not sure what etiquette is here for choosing "solution". Feels weird adding it to my own post. Anyway, you led me to the answer. thank you very much!


Everything works with IPv4, but it turns out that this somehow broke my IPv6 connectivity on my main LAN / IPv6 WAN...

Any ideas?

Post the output redacting the private parts:

uci show network

It may be useful to note that my IPv6 (DHCPv6 client) appears to be connected under LuCI > Network > Interfaces > WAN6 but no longer shows under LuCI > Status > Overview > IPv6 Upstream.

I only need IPv6 for my regular LAN.

uci show network output
root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='XXXXXXXX::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ifname='eth0.40'
network.lan.force_link='0'
network.wan=interface
network.wan.proto='pppoe'
network.wan.ipv6='auto'
network.wan.peerdns='0'
network.wan.dns='XXX.XXX.XXX.XXX'
network.wan.ifname='eth1.20'
network.wan.password='XXXXXXXXXXX'
network.wan.username='XXXXXXXXXXXXXX'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.dns='XXXX::XXXX'
network.wan6.reqprefix='auto'
network.wan6.reqaddress='try'
network.wan6.peerdns='0'
network.wan6.ifname='eth1.20'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='5t'
network.@switch_vlan[0].vid='1000'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.@switch_vlan[1].vid='20'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='3'
network.@switch_vlan[2].vid='40'
network.@switch_vlan[2].ports='0 1 2 3 5t'
network.WGINTERFACE=interface
network.WGINTERFACE.proto='wireguard'
network.WGINTERFACE.private_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
network.WGINTERFACE.addresses='X.X.X.X/32' 'XXXX::XXXX/128'
network.@wireguard_WGINTERFACE[0]=wireguard_WGINTERFACE
network.@wireguard_WGINTERFACE[0].public_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
network.@wireguard_WGINTERFACE[0].description='Mullvad'
network.@wireguard_WGINTERFACE[0].endpoint_host='XXX.XXX.XXX.XXX' 
network.@wireguard_WGINTERFACE[0].endpoint_port='51820'
network.@wireguard_WGINTERFACE[0].allowed_ips='0.0.0.0/0'
network.GUEST_LAN=interface
network.GUEST_LAN.proto='static'
network.GUEST_LAN.type='bridge'
network.GUEST_LAN.netmask='255.255.255.0'
network.GUEST_LAN.ifname='eth0.1000'
network.GUEST_LAN.ipaddr='192.168.100.1'

Then it looks like a separate issue unrelated to the VPN/PBR.

thanks. i'll start another topic

