Wireguard bypass for specific application

Hello guys,

First of all, thanks for supporting OpenWRT!

Asking for your help in configuring firewall/wireguard.

Currently I have a Wireguard interface on a router, which is proxying everything from my network.
And when wireguard is down, internet is not accessible.
I have devices with software that uses a range of ports, requests UPnP mapping, and listens on those ports.

I would like to change it in this way:

  1. Wireguard should not be the default interface, but used only conditionally.
  2. I want to use wireguard only for connections coming from/to that software. How? Using port rules? For example, it works on ports 6000-6010.

Here are some rough steps to follow:

  1. Stop using that wireguard as the default interface.
  2. Mark those packets you want to flow through the wireguard interface with iptables rules; something like the following may work (multiport needs an explicit protocol, so one rule per protocol):
iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 6000:6010 -j MARK --set-xmark 0xc8/0xffffffff
iptables -t mangle -A PREROUTING -p udp -m multiport --dports 6000:6010 -j MARK --set-xmark 0xc8/0xffffffff
iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 6000:6010 -j MARK --set-xmark 0xc8/0xffffffff
iptables -t mangle -A OUTPUT -p udp -m multiport --dports 6000:6010 -j MARK --set-xmark 0xc8/0xffffffff
  3. Route those marked packets through the wireguard interface:
ip rule add fwmark 0xc8 lookup 200
ip route add default dev wg0 table 200

Thanks.
And how can I "stop using as default"?
When I drop the wireguard interface, everything is working fine.
If I create an interface and it is not working (for example, the VPN provider is down), internet is not working as well.
I assume it's creating some route on interface creation...

Not sure how the wg iface was made. Can you share with us the content of /etc/config/network? With sensitive info redacted, of course. While at it, the output of the command ip route show may also help.

root@OpenWrt:~# ip route show
default dev wg0 proto static scope link 
5.253.1.1 via 87.206.1.1 dev eth0.2 proto static 
87.206.1.1/22 dev eth0.2 proto kernel scope link src 87.206.2.1 
185.213.1.1 via 87.206.1.1 dev eth0.2 proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 

and

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6e:ea7c:5863::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '50:64:2b:ad:99:11'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config interface 'wg0'
	option proto 'wireguard'
	option force_link '1'
	option private_key 'key'
	list addresses '10.64.1.1/32'
	list addresses 'fc00:bbbb:bbbb:bb01::1:/128'

config wireguard_wg0
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	option public_key 'key'
	option endpoint_host 'endpoint_ip'

I have applied iptables rules and added a rule.
But how do I disable wg0 as the default route for everybody?

After I removed 'route_allowed_ips' I can use wan directly, even when wg0 is up, but it looks like wg0 is not used at all.

Routes look like this:

root@OpenWrt:~# ip route show
default via 87.206.44.1 dev eth0.2 proto static src 87.206.45.165 
5.253.206.210 via 87.206.44.1 dev eth0.2 proto static 
87.206.44.0/22 dev eth0.2 proto kernel scope link src 87.206.45.165 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 

What can I do or check?

@elgatito, welcome to the community!

:confused:

Do or check what?

With no route to it, it cannot be used. It will continue to handshake if solicited by the far-end, though.

Check that the application is going through wireguard. Or that the firewall matches the rule and applies a mark.

What should I add to configure it?

The title says "bypass". You are currently bypassing.

  • If you want to use the WG interface, re-add the routes.
  • If you want to only use it for certain ports:
    • you'll have to make an ip table with a default routing rule using WG
    • you'll have to make an ip rule for dport to use that table
    • you may also need to make an sport ip rule for the reply traffic

Removing route_allowed_ips has done the 1st step.

As for the latter two steps in my original post, they should be doable through LuCI.

I want to use WG only for routes, matched by "ip rule".

So, currently, when I uncheck "route_allowed_ips", I see this route is not created:

default dev wg0 proto static scope link 

And I have added iptables rules to place a mark.
Now it looks like it does not know how to get to WG, or from WG to wan?

If I enable "route_allowed_ips", WG will again become the default route for anything.

default via 87.206.44.1 dev eth0.2 proto static src 87.206.45.165 
5.253.206.210 via 87.206.44.1 dev eth0.2 proto static 

In my understanding this means the default route is using wan, and I have a route from WG to wan, but I'm missing a route from lan to WG?

I have added rules in this way:

# iptables -t mangle -A PREROUTING -p tcp --sport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A PREROUTING -p udp --sport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A PREROUTING -p tcp --dport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A PREROUTING -p udp --dport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A OUTPUT -p udp --dport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A OUTPUT -p tcp --dport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A OUTPUT -p tcp --sport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# iptables -t mangle -A OUTPUT -p udp --sport 6881:6899 -j MARK --set-xmark 0xc8/0xffffffff
# ip rule add fwmark 0xc8 lookup 202

Have these routes:

# ip route
default via 87.206.1.1 dev eth0.2 proto static src 87.206.1.2 
37.120.1.1 via 87.206.1.1 dev eth0.2 proto static 
87.206.1.0/22 dev eth0.2 proto kernel scope link src 87.206.1.2 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
# ip route show table 202
default via 10.64.1.2 dev wg0 

I see this in firewall stats:

Chain PREROUTING (Policy: ACCEPT, Packets: 14742, Traffic: 49.77 MB)
Pkts.	Traffic	Target	Prot.	In	Out	Source	Destination	Options
0	0.00 B	MARK	tcp	*	*	0.0.0.0/0	0.0.0.0/0	tcp spts:6881:6899 MARK set 0xc8
224	36.64 KB	MARK	udp	*	*	0.0.0.0/0	0.0.0.0/0	udp spts:6881:6899 MARK set 0xc8
4	240.00 B	MARK	tcp	*	*	0.0.0.0/0	0.0.0.0/0	tcp dpts:6881:6899 MARK set 0xc8
250	49.30 KB	MARK	udp	*	*	0.0.0.0/0	0.0.0.0/0	udp dpts:6881:6899 MARK set 0xc8

Chain OUTPUT (Policy: ACCEPT, Packets: 562, Traffic: 142.55 KB)
Pkts.	Traffic	Target	Prot.	In	Out	Source	Destination	Options
0	0.00 B	MARK	udp	*	*	0.0.0.0/0	0.0.0.0/0	udp dpts:6881:6899 MARK set 0xc8
0	0.00 B	MARK	tcp	*	*	0.0.0.0/0	0.0.0.0/0	tcp dpts:6881:6899 MARK set 0xc8
0	0.00 B	MARK	tcp	*	*	0.0.0.0/0	0.0.0.0/0	tcp spts:6881:6899 MARK set 0xc8
0	0.00 B	MARK	udp	*	*	0.0.0.0/0	0.0.0.0/0	udp spts:6881:6899 MARK set 0xc8

It looks like I do not catch those packets.
Why?

Packet marking should be working as seen from the stats counters.

Not sure how your firewall rules are currently configured to allow lan forwarding to wg0, but typically they should contain the following settings:

  • Create a new firewall zone wgz and place wg0 in it
  • Zone wgz should have masquerade enabled if reverse path from remote endpoint to local is not available
  • Allow zone forwarding from zone lan to zone wgz

In case it still does not click, please share content of /etc/config/firewall
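The three pieces discussed in this thread (marking by port range, a policy-routing table for the mark, and a masquerading firewall zone with lan forwarding) as one script. This is an added example, not code from any poster; it assumes OpenWrt with iptables, wg0 up with route_allowed_ips disabled, the peer tunnel address 10.64.1.2 and LAN 192.168.1.0/24 from the outputs above, and the hypothetical zone name wgz. It also adds CONNMARK save/restore, so reply packets of a tunnelled flow stay in the tunnel even when their ports fall outside the range, and an exception so LAN-bound traffic is never pushed into wg0. Without APPLY=1 it only prints the commands.

```shell
#!/bin/sh
# Policy-based routing of one port range through wg0 (constructed example).
PORTS="${PORTS:-6881:6899}"   # application port range from the thread
MARK=0xc8                     # fwmark used by the thread's rules
TABLE=202                     # routing table that holds the wg0 default route
WG_IF=wg0
WG_GW="${WG_GW:-10.64.1.2}"   # peer tunnel address seen in 'ip route show table 202'
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print commands unless APPLY=1, so the plan can be reviewed before touching the router.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

mark_rules() {
  for chain in PREROUTING OUTPUT; do
    # Reply packets: reuse the mark saved on the connection, no port match needed.
    run iptables -t mangle -A "$chain" -j CONNMARK --restore-mark
    for proto in tcp udp; do
      # Only unmarked packets get classified (multiport requires -p tcp/udp).
      run iptables -t mangle -A "$chain" -m mark --mark 0 -p "$proto" -m multiport --dports "$PORTS" -j MARK --set-mark "$MARK"
      run iptables -t mangle -A "$chain" -m mark --mark 0 -p "$proto" -m multiport --sports "$PORTS" -j MARK --set-mark "$MARK"
    done
    # Persist the mark on the conntrack entry for the rest of the flow.
    run iptables -t mangle -A "$chain" -m mark ! --mark 0 -j CONNMARK --save-mark
  done
}

routing() {
  # LAN destinations always use the main table, even if marked.
  run ip rule add to "$LAN_NET" lookup main priority 99
  # Marked packets consult the tunnel table; everything else keeps the WAN default.
  run ip rule add fwmark "$MARK" lookup "$TABLE" priority 100
  run ip route replace default via "$WG_GW" dev "$WG_IF" table "$TABLE"
}

firewall_zone() {
  # Zone for wg0 with masquerade (the peer has no route back to the LAN) and lan -> wgz forwarding.
  run uci set firewall.wgz=zone
  run uci set firewall.wgz.name=wgz
  run uci set firewall.wgz.input=REJECT
  run uci set firewall.wgz.output=ACCEPT
  run uci set firewall.wgz.forward=REJECT
  run uci set firewall.wgz.masq=1
  run uci add_list firewall.wgz.network="$WG_IF"
  run uci set firewall.lan2wgz=forwarding
  run uci set firewall.lan2wgz.src=lan
  run uci set firewall.lan2wgz.dest=wgz
  run uci commit firewall
  run /etc/init.d/firewall reload
}

main() { mark_rules; routing; firewall_zone; }
main
```

Verify afterwards with `iptables -t mangle -L PREROUTING -v -n` (counters on the MARK and CONNMARK rules should climb while the application runs) and `ip rule show` / `ip route show table 202`; if the WireGuard endpoint port itself falls inside PORTS, exclude it first or the tunnel packets will be routed into the tunnel.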

Actually, the counters were reset. Then I used the application heavily, so most of the megabytes of PREROUTING traffic were from that application, but as you see, it shows that only a few kilobytes were marked.

Doesn't it mean that it was not marked by firewall at all?

Network up/down can cause a firewall reload, which will reset the counters. See if there are such messages in the logread output. Note that on a working system we do not expect networks bumping up and down frequently.

That said, as long as the counters were increasing, the rules for marking were working.

How have you determined that the application uses only this port range? Add the standard ports for http and https, and check the result.

I have checked the connections list on the router, where I see that the device with the application is making connections and is using those ports.

Check for http, https, or ssh ports.
