VPN Policy Routing with WireGuard


I just moved my setup from a Pi4 to an Openpi r4s and am struggling to get VPN policy routing set up and working again.

I have a WireGuard interface set up and working (currently getting internet through this interface).

I can't, however, get VPN Policy Routing to route anything to the WAN interface.
I've followed the how to install steps over at https://docs.openwrt.melmac.net/vpn-policy-routing/#how-to-install

I am, however, getting two service errors:
iptables -t mangle -A VPR_PREROUTING -g VPR_MARK0x010000 -s DEVICE_NAME -m comment --comment DEVICE_SHORT_NAME

I am trying to do the routing based on device name rather than setting static IPs.

Any help greatly appreciated.

I should also mention I have tried with IP addresses instead of device names. I do not get the service errors with those, but any device set to use the WAN gateway doesn't receive internet at all at that point.

The Bad News:

If the WireGuard tunnel on your router is used as default routing (for the whole internet), sadly no vpn-policy-routing rule will allow it to intercept and properly route the UDP traffic of the WireGuard server, please either use the OpenVPN server and configure it to use TCP protocol or use the Scenario 2 below.

Ah that makes sense, am I naive in thinking I can set my wan as the default interface and then selectively route devices?

I'm not seeing any obvious way of doing this however.

I'm no expert, and feel I'm not capable of helping troubleshoot your issue, but you can have OpenWrt route all default traffic via the WAN and a few selected devices only via WireGuard, as this is exactly what I'm doing.

Maybe you should try restarting from scratch and have OpenWrt in its default config, which routes all Internet traffic via the WAN interface.

Then you can install and configure WireGuard as a client to your WireGuard connection, after which you need to also add the WG0 interface to the WAN firewall zone.

Once that's operational, you can add VPN-Policy-Routing and its LuCI app companion, making sure the default gateway is still the WAN interface (you may need to restart the service once or twice after each router reboot for its LuCI interface to correctly show the checkmark beside the default gateway...).

From then on, all you need to do is assign different policies to different LAN clients. At least, the above is a summary of what I did, and got it working the way I wanted, and that seems to align with your requirements...

Below you can find the contents of cat vpn-policy-routing:

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	option resolver_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver wgserver'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '1'
	option boot_timeout '40'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option src_addr 'xx:xx:xx:xx:xx:xx'
	option interface 'wg0'
	option name 'device_x'

config policy
	option name 'device_y'
	option src_addr 'yy:yy:yy:yy:yy:yy'
	option interface 'wan'
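A small checker for the point both posts turn on (the `-s DEVICE_NAME` service error in the first post and the MAC-based policies in the config above), added here as an example and not code from the thread or from vpn-policy-routing; the sample config it parses is constructed and its MAC and device names are placeholders.

```shell
# Added example, not from the thread or from vpn-policy-routing itself: read a
# vpn-policy-routing UCI config and flag policies whose src_addr is a bare device
# name, since src_addr is handed to "iptables ... -s" and an unresolvable name
# fails the way the original post's service error shows.
# Constructed sample config; the MAC and the names are placeholders.
SAMPLE_CONFIG=$(cat <<'EOF'
config policy
	option src_addr 'xx:xx:xx:xx:xx:xx'
	option interface 'wg0'
	option name 'device_x'

config policy
	option name 'laptop'
	option src_addr 'laptop'
	option interface 'wan'
EOF
)
# Classify a src_addr value; ipv6_enabled is '0' in the thread's config, so
# anything colon-separated is treated as a MAC here.
classify_src() {
    case "$1" in
        *:*:*:*:*:*) echo mac ;;  */*) echo cidr ;;
        *.*.*.*)     echo ip ;;   *)   echo name ;;
    esac
}
# One line per policy: OK for address/MAC matches, WARN for device names.
check_policies() {
    printf '%s\n' "$1" | {
        in_policy=0; name=""; src=""; iface=""
        while read -r kind key val; do
            case "$kind" in
                config) [ "$key" = policy ] && in_policy=1 || in_policy=0; name=""; src=""; iface="" ;;
                option) [ "$in_policy" = 1 ] || continue
                        val=${val#\'}; val=${val%\'}   # strip the UCI quotes
                        case "$key" in
                            name) name=$val ;; src_addr) src=$val ;; interface) iface=$val ;;
                        esac ;;
            esac
            # Report a policy once its name, src_addr and interface are all known.
            [ -n "$name" ] && [ -n "$src" ] && [ -n "$iface" ] || continue
            if [ "$(classify_src "$src")" = name ]; then
                printf 'WARN %s: src_addr %s is a name; it must resolve on the router, or use the client MAC\n' "$name" "$src"
            else
                printf 'OK   %s: %s -> %s\n' "$name" "$src" "$iface"
            fi
            name=""; src=""; iface=""
        done
    }
}
check_policies "$SAMPLE_CONFIG"
```

Run it against the real file with `check_policies "$(cat /etc/config/vpn-policy-routing)"` on the router to see which policies would be passed to iptables as names.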