Hello,
I'm rather new to OpenWRT so I apologize if this is a basic question. I've searched and more questions were raised than answered.
Here is my goal configuration:
WAN <===> LAN 192.168.1.0/24
Wireguard_Client <===> GUEST_LAN 192.168.100.0/24
The WG configuration works and I can connect to my upstream VPN provider IF I set the WG client's "Allowed IPs" setting to 0.0.0.0/0, but then it kills my regular WAN. Then, when I restart the router with the WG turned off, my regular connections works again.
From what I can tell, I need PBR with a default gateway for each WAN int.
That's where I am stuck. I tried the method described here (iproute2 scripts for handling a secondary routing table) but it doesn't seem to work even though I believe i've defined the two routing tables properly.
I now see options for mwan3 and vpn-policy-routing and they look better than that.
Basically, although I feel like I am getting close, i'm overwhelmed and hoping someone could help me take the next step to completing this setup. Hopefully it's just one or two static routes to fix this.
Here are some outputs for troubleshooting purposes:
/etc/iproute2/rt_tables
root@OpenWrt:/etc/iproute2# cat rt_tables
#
# reserved values
#
128 prelocal
255 local
254 main
253 default
0 unspec
100 guest
#
# local
#
#1 inr.ruhep
/etc/hotplug.d/iface/99-WGINTERFACE
root@OpenWrt:/etc/hotplug.d/iface# cat 99-WGINTERFACE
#!/usr/bin/env sh
if=WGINTERFACE
table=guest
dev=$DEVICE
if [ "$INTERFACE" == "$if" ]; then
if [ "$ACTION" == "ifup" ]; then
ip route add default dev $dev table $table proto static
fi
fi
/etc/hotplug.d/iface/99-guest
root@OpenWrt:/etc/hotplug.d/iface# cat 99-guest
#!/usr/bin/env sh
if=GUEST_LAN
dev=$DEVICE
table=$INTERFACE
if2dev() {
dev=$(uci get network.$1.ifname)
[ $(echo $dev | wc -w) -gt 1 ] && dev=br-$1
echo $dev
}
if [ "$INTERFACE" == "$if" ]; then
if [ "$ACTION" == "ifup" ]; then
ip rule add iif $dev lookup $table
elif [ "$ACTION" == "ifdown" ]; then
# Workaround for missing $DEVICE when interface is going down
dev=$(if2dev $if)
ip rule del iif $dev lookup $table
fi
fi
/etc/config/firewall
root@OpenWrt:/etc/config# cat firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'GUEST_LAN'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
option network 'GUEST_LAN'
config zone
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
option name 'WGINTERFACE'
option network 'WGINTERFACE'
config rule
option src_port '68'
option src 'GUEST_LAN'
option name 'Allow-Guest-DHCPv4-Input'
option family 'ipv4'
option target 'ACCEPT'
option dest_port '67'
list proto 'udp'
config forwarding
option dest 'WGINTERFACE'
option src 'GUEST_LAN'
/etc/config/network
Scrubbed for privacy
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'XXXXXXXX'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth0.40'
option force_link '0'
config interface 'wan'
option proto 'pppoe'
option ipv6 'auto'
option peerdns '0'
list dns 'XXXX'
option ifname 'eth1.20'
option password 'XXXXXXXX'
option username 'XXXXXXXX'
config interface 'wan6'
option proto 'dhcpv6'
list dns 'XXXXXXXX'
option reqprefix 'auto'
option reqaddress 'try'
option peerdns '0'
option ifname 'eth1.20'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '5t'
option vid '1000'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
option vid '20'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '40'
option ports '0 1 2 3 5t'
config interface 'WGINTERFACE'
option proto 'wireguard'
option private_key 'XXXXXXXXXXXXXXXXXXXXXX='
list addresses '10.64.X.XX/32'
list addresses 'fc00:bbbb:bbbb:bb01::1:74c/128'
config wireguard_WGINTERFACE
option route_allowed_ips '1'
option public_key 'XXXXXXXXXXXXXXXXXXXXXXX='
option description 'Mullvad'
option endpoint_host 'X.X.X.X'
option endpoint_port '51820'
list allowed_ips '0.0.0.0/0'
config interface 'GUEST_LAN'
option proto 'static'
option type 'bridge'
option netmask '255.255.255.0'
option ifname 'eth0.1000'
option ipaddr '192.168.100.1'
Your expert look would be excellent. Hope I did enough DD to make this quesion worth your time.
Thank you!
Lane