VPN problems and port forwarding with VPN on

Hey all. After years of using my own router (Mercusys MR70X) as an AP for my VR headset, I decided to migrate from my ISP router setup to it and flash OpenWRT on it for more flexibility, and most importantly VPN support.

As a first order of business I set up port forwarding for the services I run on my devices connected to the OpenWRT-powered MR70X, such as HTTP(S) and Minecraft, and that worked perfectly.

Then I decided to migrate my AmneziaWG (a fork of WireGuard) VPN profile to the OpenWRT router for the sake of simplicity. This is where I started running into problems. I set up the AWG interface according to the official documentation, and it does work (notice the higher ping):

Ping output
root@OpenWrt:~# ping -I alanvpn openwrt.org
PING openwrt.org (64.226.122.113): 56 data bytes
64 bytes from 64.226.122.113: seq=0 ttl=50 time=74.420 ms
64 bytes from 64.226.122.113: seq=1 ttl=50 time=74.328 ms
64 bytes from 64.226.122.113: seq=2 ttl=50 time=73.400 ms
^C
--- openwrt.org ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 73.400/74.049/74.420 ms
root@OpenWrt:~# ping openwrt.org
PING openwrt.org (64.226.122.113): 56 data bytes
64 bytes from 64.226.122.113: seq=0 ttl=52 time=48.805 ms
64 bytes from 64.226.122.113: seq=1 ttl=52 time=48.113 ms
64 bytes from 64.226.122.113: seq=2 ttl=52 time=56.769 ms
^C
--- openwrt.org ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 48.113/51.229/56.769 ms
root@OpenWrt:~#

Should I set up zone forwarding from lan to whatever zone my VPN belongs to (with wan disabled), my internet connection dies for all the devices on LAN (but not for OpenWRT):

Ping output and zone settings
polyzium@asrock-ryzen ~ % ping openwrt.org
PING openwrt.org (64.226.122.113) 56(84) bytes of data.
From _gateway (192.168.1.1) icmp_seq=1 Destination Port Unreachable
From _gateway (192.168.1.1) icmp_seq=2 Destination Port Unreachable
From _gateway (192.168.1.1) icmp_seq=3 Destination Port Unreachable
From _gateway (192.168.1.1) icmp_seq=4 Destination Port Unreachable
^C
--- openwrt.org ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3005ms

My firewall zone settings:

Turning on "Route Allowed IPs" in the peer settings of my AmneziaWG/WireGuard interface and rebooting the router fixes this problem and the VPN connection does work, but the router no longer listens for connections from wan so that it can accept connections from users, thus rendering port forwarding useless. So, I tried routing lan back to wan, and that makes the internet connection die again with the same "Destination Port Unreachable" error, when my WAN internet should just work!

Next I tried PBR. The way it works is very weird and usually ends up messing up packets on both sides, as if it's confused. My only solution to this is to manually route a crapton of IPs to the VPN using PBR, but I want full network routing (0.0.0.0/0), which again confuses the hell out of PBR.

After 2 long days of googling, I have been stuck with a router that has no VPN to offer to the connected devices, considering that I am in a country with strict censorship policies (this is also why I have to use AmneziaWG rather than vanilla WG, as vanilla WG is blocked here using DPI).

I want both full VPN routing and port forwarding from WAN to work at the same time. I feel like this is a cry for help. I apologize if this sounds like a rant, but this process has frustrated me, especially over the course of 2 days.

You must create a pbr policy for each port forwarding rule, using as the source port the port on which the service is listening.

https://forum.openwrt.org/t/port-forwarding-in-through-a-wan-ip-with-active-wireguard-connection-to-lan-ip/


Hey, thanks for the reply. Unfortunately the steps you described don't seem to work, as I still cannot reach my website from another network (timeout) over HTTPS (port 443) with VPN routing enabled on the hoster's side.

I set up my policies like this:

Screenshot

Is there something I am doing wrong?

Use the image button to move the HTTPS policy above the VPN one.

BTW, if option route_allowed_ips is set to 1, the VPN policy is not needed.

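As an added example (not from this thread or the pbr project's own docs), here is what the two replies above amount to in /etc/config/pbr form: one policy per firewall port forward, matching the service's listening port as the source port and pinning it to wan, placed above the catch-all VPN policy, because pbr applies policies in the order they appear in the file. The interface name alanvpn and port 443 come from the thread; the LAN subnet 192.168.1.0/24, the Minecraft port 25565 and the policy names are assumptions for illustration.

```uci
# /etc/config/pbr (excerpt) - added example, not the thread's or pbr's own config
config pbr 'config'
	option enabled '1'
	option verbosity '2'

# One policy per port forward. The service's listening port is matched as the
# SOURCE port so that reply packets from the forwarded host leave via wan, the
# same path the client's request arrived on. These must sit ABOVE the catch-all
# VPN policy: pbr installs its ip rules in file order, first match wins.
config policy
	option name 'HTTPS replies via WAN'
	option src_port '443'
	option proto 'tcp'
	option interface 'wan'

config policy
	option name 'Minecraft replies via WAN'   # 25565 is an assumed port
	option src_port '25565'
	option proto 'tcp'
	option interface 'wan'

# Catch-all: everything else from the LAN (assumed 192.168.1.0/24) leaves via
# the AmneziaWG interface. Per the reply above, this policy is unnecessary
# when the peer has route_allowed_ips set to 1.
config policy
	option name 'LAN via VPN'
	option src_addr '192.168.1.0/24'
	option interface 'alanvpn'
```

After editing, restart with /etc/init.d/pbr restart and check /etc/init.d/pbr status: the wan policies should be listed before the VPN one, and a test from an outside network to port 443 should now complete while ordinary LAN traffic still shows the VPN's higher ping. If the wan policies are listed after the VPN policy, the ordering is wrong and the forwards will time out exactly as described in the thread.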

That seems to work! I can now reach my website and use the VPN at the same time comfortably. So now I need to add an additional rule here for every port forwarding rule in the Firewall section. Thanks once again!

