Wireguard and PBR breaking internet

Goal: Trying to get one single device to connect through to Wireguard.

Issue: PBR is not listening to my settings whatsoever no matter what configuration I give it. I even opened up the Firewall entirely for wg0 to see if it was the problem, however, no. For context, I am using odhcpd for my DHCP; dnsmasq is not installed, and DNS goes to AdguardHome automatically by DHCP.

/etc/config/dhcp:

config dhcp 'lan'
	option interface 'lan'
	option start '2'
	option limit '250'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'

config odhcpd 'odhcpd'
	option maindhcp '1'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'PC'
	option ip '10.0.0.2'
	option mac 'xxx'

config host
	option name 'AP'
	option ip '10.0.0.3'
	option mac 'xxx'

/etc/config/firewall:

config defaults
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option name 'wg0'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wg0'

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '10.0.0.1/24'
	list dns '10.0.0.1'
	option delegate '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option hostname '*'
	option peerdns '0'
	list dns '10.0.0.1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxx'
	list addresses 'xxxx'
	list dns '10.0.0.1'
	option mtu '1420'

config wireguard_wg0
	option description 'Imported peer configuration'
	option public_key 'xxxx'
	option endpoint_host 'xxxx'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '0'      # Yes I have tried both whitelisting my entire LAN and whitelisting only the device with this, neither works.

/etc/config/pbr:

config pbr 'config'
	option debug_dnsmasq '0'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	list resolver_instance '*'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_trigger_delay '5000'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config policy
	option name 'PC'
	option src_addr '10.0.0.2/32'
	option interface 'wg0'

config policy
	option name 'Other Requests'
	option src_addr '10.0.0.0/24'
	option interface 'wan'

let puppy think about this… :thinking:

1 Like

For what did you need the PBR package? PBR is primarily a Linux kernel feature, just configure the policy manually.

Last I knew, it was required since OpenWRT didn’t ship with one. Was it implemented in a recent kernel? If not, then someone in the past gave misinformation in a post.

How should I go about doing that without the PBR package?

Start by removing this policy:

You already route everything via the WAN by disabling Route Allowed IPs which is fine.

You over-redacted the list address as it normally is a private RFC1918 address; this can be important as it can overlap your existing LAN address:

Reboot after making the changes

Then show output of service PBR status

How I setup WireGuard:
OpenWRT Client WireGuard Client Setup Guide

How I setup manual PBR:
OpenWRT Policy Based Routing Guide

3 Likes

Just do the following:

  1. Add a new routing table in /etc/iproute2/rt_tables, e.g.:

#
# reserved values
#
255	local
254	main
253	default
0	unspec
#
# local
#
1	wg_route

  2. Configure the routing table in /etc/network, e.g.:

config route 'wg_route'
	option interface 'wg0'          # name of your vpn interface
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '10.8.0.1'       # gateway of your vpn interface
	option table 'wg_route'

  3. Set/activate the rule for testing on the cli, e.g. for traffic coming from 192.168.1.100:

ip rule add from 192.168.1.100 table wg_route

  4. If it works, put this rule in your rc.local or - better - write a small hotplug script
2 Likes
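The "small hotplug script" from step 4, written out as an added example (not code from the post): it re-creates the ip rule whenever wg0 comes up and removes it on ifdown, so a stale rule never outlives the tunnel. 192.168.1.100 and wg_route are the values from the post; the file path /etc/hotplug.d/iface/99-wg-pbr, the LAN network 192.168.1.0/24 and the bridge name br-lan are assumptions.

```shell
#!/bin/sh
# Hypothetical hotplug script, e.g. /etc/hotplug.d/iface/99-wg-pbr (path assumed).
# netifd sets $ACTION (ifup/ifdown) and $INTERFACE for every interface event.

VPN_IFACE="wg0"           # logical interface name from /etc/config/network
PBR_TABLE="wg_route"      # table name registered in /etc/iproute2/rt_tables
PBR_SRC="192.168.1.100"   # host whose traffic is steered into the tunnel (from the post)
LAN_NET="192.168.1.0/24"  # assumed LAN; kept out of the tunnel on purpose
LAN_DEV="br-lan"          # assumed LAN bridge device

# Print the iproute2 commands for one hotplug event instead of running them,
# so the logic can be inspected and tested without root or a live wg0.
pbr_cmds() {
    action="$1"; iface="$2"
    [ "$iface" = "$VPN_IFACE" ] || return 0   # ignore events for other interfaces
    case "$action" in
        ifup)
            # Local route first: a LAN destination must win over the tunnel default.
            echo "ip route replace $LAN_NET dev $LAN_DEV table $PBR_TABLE"
            # ip rule has no 'replace', so delete any old copy before adding (idempotent).
            echo "ip rule del from $PBR_SRC table $PBR_TABLE 2>/dev/null"
            echo "ip rule add from $PBR_SRC table $PBR_TABLE priority 2000"
            echo "ip route flush cache"
            ;;
        ifdown)
            # Drop the rule so the host is not left pointing at an empty table.
            echo "ip rule del from $PBR_SRC table $PBR_TABLE 2>/dev/null"
            echo "ip route flush cache"
            ;;
    esac
}

# Only act when invoked by hotplug; sourcing the file by hand does nothing.
if [ -n "$ACTION" ] && [ -n "$INTERFACE" ]; then
    pbr_cmds "$ACTION" "$INTERFACE" | sh
fi
```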

Here is what I have, and it is now working thanks to your guide. After unchecking Route Allowed IPs in the peer config and using option metric to make WAN the default, I did the following below:

At the end of my /etc/config/network:

config rule
	option src '10.0.0.2/32'
	option lookup '100'
	option priority '2000'

config route
	option interface 'lan'
	option target '10.0.0.0/24'
	option table '100'

config route
	option interface 'wg0'
	option target '0.0.0.0/0'
	option metric '20'
	option mtu '1420'
	option table '100'

Much easier and cleaner than the PBR package, and now everything works properly. I did add the LAN portion to protect all other LAN destinations from being accidentally tunnelled. Regardless, thank you kindly.
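A quick check for the manual setup above, added here as an example and not part of the thread: fed the output of `ip rule show` and `ip route show table 100`, it confirms the rule for 10.0.0.2 exists, that table 100 defaults to wg0, and that the 10.0.0.0/24 route is present so LAN destinations are not tunnelled. The two sample outputs are constructed to match the config above; on the router itself pass the live command output instead.

```shell
#!/bin/sh
# Values from the /etc/config/network snippet above.
PBR_SRC="10.0.0.2"
PBR_TABLE="100"
VPN_DEV="wg0"
LAN_NET="10.0.0.0/24"

# Constructed sample of `ip rule show` after the config rule is applied.
SAMPLE_RULES='0:	from all lookup local
2000:	from 10.0.0.2 lookup 100
32766:	from all lookup main
32767:	from all lookup default'

# Constructed sample of `ip route show table 100` with both routes installed.
SAMPLE_TABLE='default dev wg0 metric 20 mtu 1420
10.0.0.0/24 dev br-lan scope link'

# check_pbr RULES TABLE_ROUTES: prints one line per finding, returns 0 only if all pass.
check_pbr() {
    rules="$1"; routes="$2"; rc=0
    if printf '%s\n' "$rules" | grep -q "from $PBR_SRC lookup $PBR_TABLE"; then
        echo "ok: rule steers $PBR_SRC into table $PBR_TABLE"
    else
        echo "FAIL: no ip rule for $PBR_SRC -> table $PBR_TABLE (is wg0 up?)"; rc=1
    fi
    # Without a default in table 100 the lookup falls through to the main table,
    # i.e. the host silently goes out via WAN instead of the tunnel.
    if printf '%s\n' "$routes" | grep -q "^default dev $VPN_DEV"; then
        echo "ok: table $PBR_TABLE defaults to $VPN_DEV"
    else
        echo "FAIL: table $PBR_TABLE has no default via $VPN_DEV, traffic falls through to main"; rc=1
    fi
    # The LAN route is what keeps 10.0.0.2 -> 10.0.0.x traffic out of the tunnel.
    if printf '%s\n' "$routes" | grep -q "^$LAN_NET dev "; then
        echo "ok: $LAN_NET stays local, not tunnelled"
    else
        echo "FAIL: $LAN_NET missing from table $PBR_TABLE, LAN traffic from $PBR_SRC would enter the tunnel"; rc=1
    fi
    return $rc
}

# On the router: check_pbr "$(ip rule show)" "$(ip route show table 100)"
check_pbr "$SAMPLE_RULES" "$SAMPLE_TABLE"
```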

Puppy is still thinking. Better luck next time. :dog_face:

1 Like

That is not necessary, the WAN should already be the default.

That is a good idea. Before you could do it all with netifd (like you have done now) I used a script which always copied local routes to the tables.

BTW I have implemented the full PBR app a number of times and it always worked for me :slight_smile:

For some reason, the PBR app never works as intended every time I try to use it, even when I follow someone else’s exact settings. Unsure why; technology doesn’t like me at all.

I removed the option metric part from the WAN, and kept the metric set to 20 for the wg0 interface.

You can actually also remove that too :slight_smile:

The PBR app is huge; it can support e.g. unbound, Adguard, tor etc., but not everything is thoroughly tested, so if you have an "interesting" setup, e.g. Adguard and ODHCPD and no DNSMasq, it is not impossible you run into a bug.
The PBR app is used by many users without a problem, but as said, YMMV.

I recently had a discussion with Stangri, the PBR developer, about feature creep :wink:
