Hello all,
I did install the latest openwrt + wireguard + upnp.
I assigned the VPN interface to Wan firewall zone, and then on vpn route policy add-on if i route my vlan to Wan instead of vpn i still get the vpn ip and not the opposite.
How do i make sure than only one Vlan will be using the vpn while the other 2 have normal internet connection?
I did read the pages and tutorials all around but for me they are not working.
Thanks in advance.
Bill
April 20, 2022, 5:37am
2
VPN Policy-Based Routing is a service supporting multiple types of VPN Connections (Openconnect, OpenVPN, PPTP and Wireguard) allowing you to create policies to use either VPN tunnel or WAN as a gateway. More information (requirements, full features list, etc.) on the service is available in the README .
Gateways/Tunnels
Any policy can target either WAN or a VPN tunnel interface.
L2TP tunnels supported (with protocol names l2tp*).
Openconnect tunnels supported (with protocol names openconne…
Better visibility as user posting to the correct thread get notifications of new post queries.
c0s
April 20, 2022, 7:06am
3
you need add vlan info into the wireguard config file using cli or web,then you run the command ip r or route command you wii see you vlan route info
1 Like
trendy
April 20, 2022, 9:14am
4
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>
" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; uci export pbr; uci export vpn-policy-routing
1 Like
BusyBox v1.33.2 (2022-02-16 20:29:10 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 21.02.2, r16495-bf0c965af0
-----------------------------------------------------
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; uci export pbr; uci export vpn-policy-routing
{
"kernel": "5.4.179",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Xiaomi Mi Router 3G",
"board_name": "xiaomi,mi-router-3g",
"release": {
"distribution": "OpenWrt",
"version": "21.02.2",
"revision": "r16495-bf0c965af0",
"target": "ramips/mt7621",
"description": "OpenWrt 21.02.2 r16495-bf0c965af0"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd51:cb68:358c::/48'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option broadcast '1'
option peerdns '0'
list dns '10.2.0.1'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
config device
option type '8021q'
option ifname 'lan1'
option vid '10'
option name 'vlan10'
config device
option type '8021q'
option ifname 'lan2'
option vid '20'
option name 'vlan20'
config device
option type 'bridge'
option name 'br-all'
list ports 'eth0'
list ports 'lan1'
list ports 'lan2'
option bridge_empty '1'
config bridge-vlan
option device 'br-all'
option vlan '10'
list ports 'eth0:t'
list ports 'lan1:u*'
config bridge-vlan
option device 'br-all'
option vlan '20'
list ports 'eth0:t'
list ports 'lan2'
config interface 'Vlan10'
option device 'br-all.10'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'Vlan20'
option proto 'static'
option device 'br-all.20'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'wifi30tv'
option proto 'static'
option device 'br-wifi.30'
option ipaddr '192.168.30.1'
option netmask '255.255.255.0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config device
option type '8021q'
option ifname 'wlan0'
option vid '30'
option name 'wifi30tv'
config device
option type 'bridge'
option name 'br-wifi'
list ports 'eth0'
list ports 'lan1'
list ports 'lan2'
option bridge_empty '1'
config bridge-vlan
option device 'br-wifi'
option vlan '30'
list ports 'eth0:t'
list ports 'lan2:u*'
config bridge-vlan
option device 'br-wifi'
option vlan '40'
list ports 'eth0:t'
list ports 'lan1:u*'
config bridge-vlan
option device 'br-wifi'
option vlan '50'
list ports 'eth0:t'
list ports 'lan2'
config device
option type '8021q'
option ifname 'wlan1'
option vid '40'
option name 'wifi40'
config interface 'WIFI405G'
option proto 'static'
option ipaddr '192.168.40.1'
option netmask '255.255.255.0'
list dns '1.1.1.1'
list dns '1.0.0.1'
option device 'br-wifi.40'
config device
option type '8021q'
option ifname 'wlan0'
option vid '50'
option name 'wifi50'
config interface 'wifiguest50'
option proto 'static'
list dns '1.1.1.1'
list dns '1.0.0.1'
option netmask '255.255.255.0'
option device 'br-wifi.50'
option ipaddr '192.168.50.1'
config interface 'VPN'
option proto 'wireguard'
option private_key 'UKNX8zSEyjjmaE0ENMtLrLMT1NPJpytuzoe8jVibCFg='
list addresses '10.2.0.2/32'
option peerdns '0'
list dns '10.2.0.1'
option defaultroute '0'
option auto '0'
config wireguard_VPN
option public_key 'UZDH3oGQ0AwqAMjRAfTpeRfpgaDgl4YZwx8BpkbrFnU='
list allowed_ips '0.0.0.0/0'
option endpoint_host '37.120.236.3'
option endpoint_port '51820'
option persistent_keepalive '25'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'Vlan10'
option interface 'Vlan10'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
option dhcpv6 'server'
list dns '2606:4700:4700::1111'
list dns '2606:4700:4700::1001'
config dhcp 'Vlan20'
option interface 'Vlan20'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'hybrid'
list dns '2606:4700:4700::1001'
list dns '2606:4700:4700::1111'
list ra_flags 'none'
config dhcp 'wifi30tv'
option interface 'wifi30tv'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'relay'
list ra_flags 'none'
config dhcp 'WIFI405G'
option interface 'WIFI405G'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'hybrid'
list dns '2606:4700:4700::1001'
list dns '2606:4700:4700::1111'
list ra_flags 'none'
config dhcp 'wifiguest50'
option interface 'wifiguest50'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
option dhcpv6 'hybrid'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'Vlan10'
list network 'Vlan20'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'VPN'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config redirect
option target 'DNAT'
option name 'Intercept-DNS'
option src 'lan'
option src_dport '53'
option enabled '0'
config zone
option name 'Guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'wifiguest50'
config forwarding
option src 'Guest'
option dest 'wan'
config rule
option src 'Guest'
option target 'ACCEPT'
option name 'Guest DNS and DHCP'
option dest_port '53 67 68'
config zone
option name 'WIFI'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
list network 'WIFI405G'
list network 'wifi30tv'
config forwarding
option src 'WIFI'
option dest 'wan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
uci: Entry not found
package vpn-policy-routing
config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset '0'
option resolver_ipset 'dnsmasq.ipset'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option procd_reload_delay '1'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_enable_column '1'
option webui_protocol_column '1'
option enabled '1'
option webui_chain_column '1'
option webui_show_ignore_target '1'
option ipv6_enabled '0'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
config policy
option interface 'wan'
option name 'VLAN10'
option src_addr '192.168.10.1'
option proto 'all'
trendy
April 20, 2022, 4:09pm
7
Using public internet resolvers under internal interfaces doesn't force lan devices to use them, you should use option 6 in dhcp for that.
Address 192.168.10.1
belongs to the router, so I am not sure how did you test the policy routing. If you need all the lan to use the wan, then change it to 192.168.10.0/24
1 Like
Thanks for the input, i was not aware of the option 6, now will do.
Regarding the addresses, VLAN10 is the one you saw, Vlan20 192.168.20.x... and so it goes.
The router is indeed 192.168.10.1 which is also the first network...
Well i tried enabling it but when it enabled everything gets vpn address and if i disable it nothing get's it working, my wan port is connected to a modem on bridge mode which is at 192.168.0.1, i'm afraid i cant set it static.
Waiting to hear
trendy
April 20, 2022, 4:44pm
9
Could you explain which addresses do you want to use the wan?
Some from the lan? All of the lan? Other private networks too?
Wan is on same network as the modem 192.168.0.232...
Wan is DHCP client, if i set it static i lose connection....What would you set it like ?
trendy
April 20, 2022, 4:54pm
11
I am referring to this .10.1
1 Like
This one is static, thats the first Vlan.
The idea is to use the vpn on the Vlan 20 so that would be 192.168.20.1
trendy
April 20, 2022, 6:01pm
14
That is what I am trying to explain, in the vpr policy the src_addr must be 192.168.20.0/24
1 Like
trendy:
192.168.20.0/24
Yeup now i cant connect to my vpn anymore....puff Something isnt'r working as it should here
Ok i'm back to the game but now how do i route the vpn then? I still could not make it!
Where do i set the source IP? if i put allowed ip 192.168.20.0/24 i have no connection at all.
c0s
April 21, 2022, 5:12am
17
network - interface - edit wg interface - peer - add peer -allow ip or network ,add your vlan info
1 Like
Thanks for the answer, that's exactly what i did, when i do it i have no connection at all.
What could be wrong?
c0s
April 21, 2022, 8:18am
19
do you add iptables rule about wg?
1 Like
trendy
April 21, 2022, 10:40am
20
Post again the configurations to see how it looks like.
1 Like