Wireguard bypass for specific application

elgatito · August 5, 2020, 1:13pm

root@OpenWrt:~# uci show network; uci show firewall; uci show vpn-policy-routing
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdc3:39e2:7169::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan_eth0_1_dev=device
network.lan_eth0_1_dev.name='eth0.1'
network.lan_eth0_1_dev.macaddr='50:64:2b:ad:99:1c'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6t'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.addresses='10.66.209.111/32'
network.wg0.private_key='F6Sx8CzGO1n/owv4IpslZ84Z9YLkGKOe2rwP7J17111='
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='9v9VK6f98rFS2iZvYxqTvNWeeT34EYn6TRRZqNC2111='
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].endpoint_host='37.120.156.111'
network.@wireguard_wg0[0].allowed_ips='0.0.0.0/1' '::0/1' '128.0.0.0/1'
network.@wireguard_wg0[0].route_allowed_ips='1'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].network='wg0'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].name='wg0'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].forward='ACCEPT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wg0'
firewall.@forwarding[1].src='lan'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.dest_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.supported_interface=''
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.webui_enable_column='0'
vpn-policy-routing.config.webui_protocol_column='0'
vpn-policy-routing.config.webui_chain_column='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.boot_timeout='15'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.config.iprule_enabled='0'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].name='80'
vpn-policy-routing.@policy[0].interface='wan'
vpn-policy-routing.@policy[0].dest_port='443'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].name='443'
vpn-policy-routing.@policy[1].interface='wan'
vpn-policy-routing.@policy[1].dest_port='80'
vpn-policy-routing.@policy[2]=policy
vpn-policy-routing.@policy[2].name='libtorrent'
vpn-policy-routing.@policy[2].interface='wg0'
vpn-policy-routing.@policy[2].src_port='6800-7000'
root@OpenWrt:~#

elgatito · August 5, 2020, 1:22pm

It seems I have managed to make it.
Added traffic rules for firewall:

config rule
        option src '*'
        option name 'to wan'
        option target 'ACCEPT'
        list proto 'all'
        option dest 'wan'

config rule
        option src '*'
        option name 'to wg0'
        option dest 'wg0'
        option target 'ACCEPT'
        list proto 'all'

Now when I select 80/443 to wg0 - I see my wireguard IP.
When I select to wan - I see my real IP.

If that the right rule for firewall?

vgaetera · August 5, 2020, 1:23pm

They currently use wan:

elgatito:

vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].name='80'
vpn-policy-routing.@policy[0].interface='wan'
vpn-policy-routing.@policy[0].dest_port='443'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].name='443'
vpn-policy-routing.@policy[1].interface='wan'
vpn-policy-routing.@policy[1].dest_port='80'

Also, you probably should hide/change the private key.

elgatito · August 5, 2020, 1:26pm

That was before I set the final version. I tried both ways, neither worked. Forwarding to non-standard interface caused timeouts.

vgaetera · August 5, 2020, 1:39pm

It allows wg0 to wan and wan to wg0 which doesn't seem right.

These forwardings should be sufficient:

elgatito:

firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wg0'
firewall.@forwarding[1].src='lan'

If not, then something is wrong.

elgatito · August 5, 2020, 1:41pm

That is why I created this topic. Because, obvious, right, way won't work.
Forwardings were there, proper policies created, packets captured in PREROUTING, but not getting further.

vgaetera · August 5, 2020, 1:48pm

Perhaps you should check the runtime firewall rule set as well as traffic counters:

iptables-save -c

elgatito · August 5, 2020, 1:56pm

In the beginning of this topic I have posted all the logs and rules, and they "looked good".

system · August 15, 2020, 1:56pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.