VPN policy routing breaks port forward

I've set up a WireGuard client and port forwards from its network to LAN IPs. Everything works fine.
But as I need some devices to go through the VPN and some past it, while staying in the same LAN subnet, I installed vpn-policy-routing. It does the job, but while it's active neither port forwards nor ping (of the wg interface IP) work. Vpnbypass is the same.

So, what I need:

  • keep all local devices in same subnet
  • route internet access of select devices through/past VPN
  • be able to do port forwards from the VPN to any device (regardless of its gateway)

I see a lot of similar topics, but no real solution. Is there any way to make it work properly?

This is tricky, as you will have asymmetric routing if traffic comes in from the VPN but returns via the WAN, and this will result in dropped packets due to invalidity. Packets must return via the same interface they came in on.

I don't think it could be an issue, as everything happens inside the router? I wasn't clear; I meant "gateway" as the VPN/non-VPN route.
The device doesn't need to know which actual network connection the connection was established from; it receives packets from the router (192.168.1.1) and answers back.

It is not that simple.
When a device wants to send a packet to the internet, it will send it to the router. The router will decide, based on your rules in VPN-PBR, which connection this packet will go out from. And the reply will return from the same connection, since it will be NATed to the interface IP.
When you have an incoming connection from the ISP connection, the device will receive a packet with the source IP of the sender on the internet and will reply back to that IP as destination. If the policy however uses the VPN connection, then this packet will be NATed to a different source IP and the destination on the internet will discard it.

No no no, my case is not that complex. I don't need access from anywhere, just from my VPN subnet. So theoretically my VPN connection is just another WAN, and without policy routing it works that way. I have access to LAN devices regardless of which default gateway the router is set to (VPN or ISP). I had no problems doing exactly the same with mwan3, port forwarding through multiple WANs and VLANs while assigning different gateways. Maybe that's it, just use mwan3?

Still I fail to understand what you want, so could you give an example?
Let's say that you have vpn and wan as upstream links. Host A with IP 192.168.1.10 is set to use vpn and host B with 192.168.1.20 uses wan. What port forward do you want to configure?

From VPN to both.

Can you give an example of what you want to happen in practice? What are you trying to achieve as the end result (or, in other words, why do you want to be able to port forward from the VPN to hosts that use the WAN gateway)?

I think I described what I need already? I don't have proper IPs available; all of my uplinks are behind several layers of NAT, thus I need a VPN for remote control. That's not a problem, but I also need some LAN clients to use the VPN for everything and some only for certain things, as the speed of a $2 VPS is quite limited.

Hosts using the VPN will not have a problem and will work.
For the hosts using the wan, you need to make some rules in VPN-PBR to route packets with the same source port/protocol as the one you have forwarded via the vpn.
So if for example you are forwarding port 1500 tcp from the vpn to host 192.168.1.20, which uses the wan, then you need to add a rule in VPN-PBR for 192.168.1.20 source port 1500 tcp to go via the vpn. This rule needs precedence over the general rule for wan.

I guess policy routing inserts itself before any forwards...
Well, I just checked and mwan3 does exactly what I need, no extra fiddling required, but I wanted more flexible policies.

They are not connected. PBR is marking packets in the mangle table to match specific ip rules and get them routed with a custom routing table. Port forwarding takes place in the nat table of iptables.
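An added example, not from the thread or from the vpn-policy-routing package, spelling out the mechanism the last reply describes as plain iptables and ip commands, with the precedence point from the earlier reply: the port-specific mark for the forwarded port is placed before the host's general WAN policy, and because MARK does not end chain traversal, the general rule is limited to packets that are still unmarked. Assumed names and values: wg0, eth0, the placeholder gateway 203.0.113.1, tables 100/200 and marks 0x10/0x20; 192.168.1.20, 192.168.1.0/24 and tcp/1500 are the thread's own example.

```shell
#!/bin/sh
# Added example (not the thread's or the package's code): policy routing via
# fwmarks plus a DNAT port forward, for an OpenWrt-style router.
# Assumed (not from the thread): wg0, eth0, 203.0.113.1, tables 100/200,
# marks 0x10/0x20. 192.168.1.20 / 192.168.1.0/24 / tcp 1500 are from the thread.
VPN_IF=${VPN_IF:-wg0};  VPN_TABLE=100; VPN_MARK=0x10
WAN_IF=${WAN_IF:-eth0}; WAN_TABLE=200; WAN_MARK=0x20
WAN_GW=${WAN_GW:-203.0.113.1}   # constructed placeholder WAN gateway
LAN_NET=192.168.1.0/24; HOST=192.168.1.20; FWD_PORT=1500

# DRY_RUN=1 (default) prints each command instead of executing it, so the
# ruleset can be reviewed without root; DRY_RUN=0 applies it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

policy_rules() {
  # Custom routing tables, selected by fwmark. The LAN rule keeps local
  # destinations on the main table regardless of any mark.
  run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
  run ip route add default via "$WAN_GW" dev "$WAN_IF" table "$WAN_TABLE"
  run ip rule add to "$LAN_NET" lookup main pref 100
  run ip rule add fwmark "$VPN_MARK" lookup "$VPN_TABLE" pref 110
  run ip rule add fwmark "$WAN_MARK" lookup "$WAN_TABLE" pref 120
  # The port forward itself: DNAT in the nat table, unrelated to the marks.
  run iptables -t nat -A PREROUTING -i "$VPN_IF" -p tcp --dport "$FWD_PORT" \
      -j DNAT --to-destination "$HOST"
  # Mangle marks. The reply traffic of the forwarded port (source host:1500)
  # is marked for the VPN table first; the general host rule only marks
  # packets that are still unmarked, since MARK does not stop traversal.
  run iptables -t mangle -A PREROUTING -s "$HOST" -p tcp --sport "$FWD_PORT" \
      -j MARK --set-mark "$VPN_MARK"
  run iptables -t mangle -A PREROUTING -m mark --mark 0x0 -s "$HOST" \
      -j MARK --set-mark "$WAN_MARK"
}

policy_rules
```

Run as-is to print the ruleset; `DRY_RUN=0 sh script.sh` applies it (needs root and iptables-legacy style rules). The same ordering applies when expressed as vpn-policy-routing policies: the port-specific policy must be listed above the host's general one.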