I have 2 Proton VPNs and a VPN to a VPS, all using Wireguard.
I noticed recently when I was ssh'd into the VPS, that the Wireguard endpoint was actually the public address of one of the Proton VPNs. I dropped that VPN and restarted the VPN on the VPS and the endpoint became the other Proton public, so I dropped that as well. Then when I restarted the VPN on the VPS, it finally got the public IP of my ISP.
So my question is, how does WireGuard choose the endpoint?
Some fictitious IPs to maybe help explain.
On OpenWrt
ISP IP 80.80.80.80
Proton1 40.40.40.40
Proton2 50.50.50.50
VPS_VPN 10.10.20.10
On VPS
wg0 10.10.20.1
sudo wg show on the VPS showed 40.40.40.40 as the peer endpoint
if I dropped Proton1 and restarted the VPN, sudo wg show on the VPS showed 50.50.50.50 as the peer endpoint.
It was only when I also dropped Proton2 and restarted the VPN, that sudo wg show on the VPS showed 80.80.80.80 as the peer endpoint.
I am using the 2 Proton VPNs to route outgoing traffic from 3 VLANs currently, Audio, Video and IoT.
I am routing Blink camera traffic from VLAN CCTV to the VPS, as it won't play nice with Proton.
I am using routing tables to achieve this.
I was just wanting to know the mechanism by which Wireguard/OpenWrt was deciding which route to use for the peer when establishing the connection to the VPS
I have been trying to avoid that, as it feels like a black box to me currently, hence my use of routing tables.
I am trying to understand routing mechanisms.
I'm still not sure why it was using the IP of the Proton VPN though.
route on OpenWrt shows pppoe-wan as the default route for both Proton VPNs and the VPS' VPN, so how did it end up trying to route via the Proton VPN? How was that routing decision made?
The endpoint address of a WireGuard "client" is by default routed via the wan as the endpoint address must be routed outside the tunnel, unless there is something amiss in your setup.
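Added illustration of the lookup the reply above is describing (this is example code written for this page, not part of the thread and not WireGuard's or OpenWrt's own code). Two facts drive it: the `endpoint` a WireGuard peer shows is simply the source address of the last authenticated packet it received, so whatever path and NAT the router's handshake took is what the VPS records; and the router does not pick that path from the main table that `route` prints, but by walking `ip rule` entries in priority order and using the first matching table that has a route for the destination. The script parses `ip rule show` and `ip route show table all` text and replays that walk. The listings are constructed to mirror the thread's fictitious addresses; the VPS public address 203.0.113.5, the Proton tunnel address 10.2.0.2 and the `fwmark 0xc9` rule are assumptions for the demonstration, not something the thread shows.

```python
"""Replay the Linux policy-routing lookup for a locally generated packet,
such as a WireGuard handshake from the router to a peer's endpoint.

`route` prints only the main table. The kernel walks `ip rule` entries in
priority order; the first rule whose selector (from / to / fwmark) matches
names a table, and the first table holding a route for the destination
(longest prefix) decides the outgoing device and source address.
Not modelled: iif/oif selectors, suppress_prefixlength, throw/unreachable.
"""
import ipaddress

# Constructed sample output modelled on the thread's setup (not captured from
# a real router). 203.0.113.5 is an assumed public address for the VPS and
# 10.2.0.2 an assumed Proton tunnel address; the thread names neither.
IP_RULE_SHOW = """\
0:\tfrom all lookup local
1000:\tfrom 192.168.24.0/24 lookup 201
1001:\tfrom 192.168.25.0/24 lookup 202
1002:\tfrom 192.168.26.0/24 lookup 203
2000:\tfrom all fwmark 0xc9 lookup 201
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
IP_ROUTE_SHOW_TABLE_ALL = """\
default via 80.80.80.1 dev pppoe-wan proto static
192.168.24.0/21 dev br-lan proto kernel scope link src 192.168.24.1
10.10.20.0/24 dev vps proto kernel scope link src 10.10.20.10
default dev proton1 table 201 scope link
default dev proton2 table 202 scope link
default dev vps table 203 scope link
local 80.80.80.80 dev pppoe-wan table local proto kernel scope host src 80.80.80.80
local 10.2.0.2 dev proton1 table local proto kernel scope host src 10.2.0.2
"""
FLAGS = {"onlink", "linkdown", "dead", "pervasive", "offload", "notify"}


def parse_rules(text):
    """Parse `ip rule show` lines into selector dicts, sorted by priority."""
    rules = []
    for line in filter(str.strip, text.splitlines()):
        prio, rest = line.split(":", 1)
        rule = {"prio": int(prio), "from": None, "to": None, "mark": None,
                "mask": 0xFFFFFFFF, "invert": False, "table": None}
        tok = rest.split()
        if "not" in tok:          # `not` inverts the whole selector
            rule["invert"] = True
            tok.remove("not")
        for key, val in zip(tok[0::2], tok[1::2]):
            if key in ("from", "to") and val != "all":
                rule[key] = ipaddress.ip_network(val, strict=False)
            elif key == "fwmark":
                mark, _, mask = val.partition("/")
                rule["mark"] = int(mark, 0)
                rule["mask"] = int(mask, 0) if mask else 0xFFFFFFFF
            elif key == "lookup":
                rule["table"] = val
        rules.append(rule)
    return sorted(rules, key=lambda r: r["prio"])


def parse_routes(text):
    """Parse `ip route show table all`; lines without `table X` are main.
    Returns (tables, dev_addr): table name -> [(prefix, dev, src_hint)] and
    device -> the address the local table assigns it."""
    tables, dev_addr = {}, {}
    for line in filter(str.strip, text.splitlines()):
        tok = [t for t in line.split() if t not in FLAGS]
        kind = tok.pop(0) if tok[0] in ("local", "broadcast", "unreachable",
                                        "prohibit", "blackhole") else None
        prefix = ipaddress.ip_network(
            "0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
        f = dict(zip(tok[1::2], tok[2::2]))
        if kind == "local":
            dev_addr.setdefault(f["dev"], str(prefix.network_address))
        elif kind is None:
            tables.setdefault(f.get("table", "main"), []).append(
                (prefix, f.get("dev"), f.get("src")))
    return tables, dev_addr


def resolve(rules, tables, dev_addr, dst, src=None, fwmark=0):
    """Return (table, dev, src_addr, rule_prio) for a packet to dst, or None.
    src=None models a fresh local packet with no source chosen yet: the kernel
    then matches `from` selectors against 0.0.0.0, so only `from all` applies."""
    dst = ipaddress.ip_address(dst)
    saddr = ipaddress.ip_address(src or "0.0.0.0")
    for r in rules:
        match = ((r["from"] is None or saddr in r["from"])
                 and (r["to"] is None or dst in r["to"])
                 and (r["mark"] is None or (fwmark & r["mask"]) == r["mark"]))
        if match == r["invert"]:
            continue
        # Longest-prefix match inside the selected table; no route = fall through.
        hits = [rt for rt in tables.get(r["table"], []) if dst in rt[0]]
        if not hits:
            continue
        prefix, dev, src_hint = max(hits, key=lambda rt: rt[0].prefixlen)
        return r["table"], dev, src or src_hint or dev_addr.get(dev), r["prio"]
    return None


def walkthrough(vps_endpoint="203.0.113.5"):
    """Three lookups for the router's handshake packet to the VPS endpoint."""
    rules = parse_rules(IP_RULE_SHOW)
    tables, dev_addr = parse_routes(IP_ROUTE_SHOW_TABLE_ALL)
    return {
        # Unmarked packet: the VLAN `from` rules cannot match, main table wins.
        "unmarked": resolve(rules, tables, dev_addr, vps_endpoint),
        # Same packet carrying mark 0xc9 is caught by the fwmark rule and leaves
        # via proton1; after Proton's NAT the VPS records Proton's exit address.
        "marked": resolve(rules, tables, dev_addr, vps_endpoint, fwmark=0xc9),
        # Remedy: a higher-priority rule pinning the endpoint to the main table.
        "marked_pinned": resolve(
            parse_rules(f"900:\tfrom all to {vps_endpoint} lookup main\n" + IP_RULE_SHOW),
            tables, dev_addr, vps_endpoint, fwmark=0xc9),
    }


if __name__ == "__main__":
    for case, (table, dev, src, prio) in walkthrough().items():
        print(f"{case:14} rule {prio:>5} -> table {table:>4} via {dev} src {src}")
```

To replay your own router, paste the real output of `ip rule show` and `ip route show table all` into the two constants and call `resolve()` with the VPS's public address and, if the interface has one, its fwmark. The kernel will answer the same question directly with `ip route get <vps_public_ip>` and `ip route get <vps_public_ip> mark <fwmark>` run on the router; if either reports a Proton interface instead of pppoe-wan, that is the path the handshake took, and the VPS will show Proton's exit address as the endpoint.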
So the route looked like this:
VPS -> VPN -> OpenWrt -> ProtonVPN, whereas I was expecting
VPS -> VPN -> OpenWrt -> ISP
So from the VPS,
admin@vps:~$ sudo wg show
interface: wg0
public key: ********************************************************
private key: (hidden)
listening port: 51820
peer: ********************************************************
endpoint: ProtonVPN_Public_IP_on_OpenWrt:52020
allowed ips: 10.10.20.10/32, 192.168.24.0/21
latest handshake: 1 minute, 7 seconds ago
transfer: 5.14 MiB received, 1.11 MiB sent
I was expecting to see
admin@vps:~$ sudo wg show
interface: wg0
public key: ********************************************************
private key: (hidden)
listening port: 51820
peer: ********************************************************
endpoint: ISP_Public_IP_on_OpenWrt:52020
allowed ips: 10.10.20.10/32, 192.168.24.0/21
latest handshake: 1 minute, 7 seconds ago
transfer: 5.14 MiB received, 1.11 MiB sent
As far as I am aware, my configuration is fine, though as you've probably surmised by now, I have some fairly large holes in my understanding. But I am trying...
The 2 Proton VPNs have separate routing tables (201, 202) and the VPS' VPN also has a routing table (203). I was just surprised to see the Proton VPN IP as the peer endpoint on the VPS.
Both the Proton VPNs are in a firewall zone that masquerades, and the VPS is in its own zone that also masquerades.
Let's have a look at your configs. Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have, but do not redact private RFC 1918 IP addresses (192.168.X.X, 10.X.X.X and 172.16-32.X.X) as that is not needed:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show