I'm setting up a WireGuard VPN client on a WRT3200ACM router running OpenWrt 23.05.5. My goal is to have multiple SSIDs with different VPN settings, such that one SSID uses one VPN connection to a Canada-based endpoint, the other SSID uses a New York-based endpoint, and all wired clients use no VPN at all. Currently, I'm just trying to get one of these functional, and I have an issue where clients connected to a VPN-enabled SSID can't access the internet, despite the WireGuard connection appearing to be established.
Setup Details:
WireGuard interface name: wgclient_ca
VPN-enabled SSID network: gianellevpn
the router is downstream from the ISP Wifi router
Current Status:
WireGuard connection establishes successfully
Clients on gianellevpn network can obtain IP addresses and resolve DNS
Clients cannot load web pages or access internet services
Configurations:
WireGuard interface:
wg show
interface: wgclient_ca
  public key: (hidden)
  private key: (hidden)
  listening port: 41961

peer: (hidden)
  endpoint: [2606:6080:2001:24::117]:1276
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 58 seconds ago
  transfer: 3.04 MiB received, 5.12 KiB sent
  persistent keepalive: every 25 seconds
Routing table
ip route show
default via 10.0.0.1 dev wan proto static src 10.0.0.95
10.0.0.0/24 dev wan proto kernel scope link src 10.0.0.95
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.20.0/24 dev br-gianellevpn proto kernel scope link src 192.168.20.1
Firewall zones (relevant)
config zone
	option name 'gianellevpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'gianellevpn_net'

config zone
	option name 'fw_wgcli_ca'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wgclient_ca'

config forwarding
	option src 'gianellevpn'
	option dest 'fw_wgcli_ca'

config forwarding
	option src 'gianellevpn'
	option dest 'wan'
What I've Tried:
Verified WireGuard connection status
Checked firewall rules and zones. The client can reach the internet only if wan is included in the forwardings of the WireGuard firewall zone.
Questions:
Is my routing configuration correct for directing gianellevpn traffic through the WireGuard interface?
Do I need additional firewall rules or zone configurations?
Are there any specific settings required for masquerading or NAT with this setup?
How can I troubleshoot where exactly the traffic is getting blocked?
Any guidance or suggestions would be greatly appreciated. Let me know if you need any additional information.
Thank you for your suggestion. I did enable PBR and create a rule for the subnet I want to route through the WireGuard interface. However, I've observed unexpected behavior. It doesn't seem to matter that I enabled a PBR rule; the traceroute command moves packets from the SSID to the next-hop router (the ISP Wifi router).
current PBR configuration:
IP Rules:
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
PBR Status:
/etc/init.d/pbr status
pbr - environment
pbr 1.1.6-22 running on OpenWrt 23.05.5.
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip saddr { 192.168.20.0/24 } goto pbr_mark_0x020000 comment "canada_vpn_policy"
pbr chains - policies
chain pbr_forward { # handle 43
}
chain pbr_input { # handle 44
}
chain pbr_output { # handle 45
}
chain pbr_postrouting { # handle 47
}
chain pbr_prerouting { # handle 46
ip saddr 192.168.20.0/24 goto pbr_mark_0x020000 comment "canada_vpn_policy" # handle 726
}
chain pbr_dstnat { # handle 42
}
pbr chains - marking
chain pbr_mark_0x010000 { # handle 124
meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 722
return # handle 723
}
chain pbr_mark_0x020000 { # handle 127
meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 724
return # handle 725
}
pbr nft sets
Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 table 256 route:
IPv4 table 256 rule(s):
Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 table 257 route:
IPv4 table 257 rule(s):
I'm puzzled by this behavior.
Why doesn't the PBR rule alone seem to affect the routing as expected? Could it have anything to do with the errors in pbr status?
Why does including 'wan' in the WireGuard interface's firewall zone allow the intended LAN clients to reach the internet (but not through the VPN)?
You are also using a rather old PBR version, so I would advise you to upgrade PBR to start with, see: https://docs.openwrt.melmac.net/
Furthermore, if that does not help, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show
cat /etc/config/pbr
service pbr status
cat /var/run/pbr.nft
nft -c -f /var/run/pbr.nft
I was having radio problems with later versions of OpenWrt on this Linksys WRT3200ACM, so I downgraded all the way to 22.03.2.
My intent was to have just one specific network (gianelle) be VPN enabled. But at this point, it would be an incremental win if I could get any network working through the VPN. So I've parked the PBR stuff for now.
WireGuard interface (wg0) is up and configured.
Default route is set to wg0.
WAN interface (eth0) has a DHCP-assigned IP (10.0.0.94/24) from upstream ISP Wifi router.
and a rule to bind interface gianelle with this table:
config rule
	# for interface
	option in 'gianelle'
	option lookup '102'
Interface gianelle already has a forward to the VPN zone in the firewall but not to the WAN, so this interface will only work via the VPN and not via the WAN. If that is your intent, then fine.
Reboot your router and test.
If it does not work please show the following and redact keys, passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show
Again not sure if this will work on your old build.
I've resolved the main issues. So now LAN traffic goes through the regular WAN connection, Gianelle network traffic is routed through the WireGuard VPN. Both networks can access the internet and local resources as intended.
Here's a summary of what worked and some lessons learned:
Key Changes:
Removed unnecessary firewall rules and removed PBR configurations.
Modified WireGuard configuration:
Set option route_allowed_ips '0' (crucial change)
Implemented a custom routing table for my VPN-enabled network (gianelle)
Added a rule to direct gianelle traffic to the new routing table.
Lessons Learned:
The route_allowed_ips option is an obscure but extremely impactful setting. Setting it to '0' prevents WireGuard from overwriting the default route table. This option is enabled by default in the OpenWrt.org WireGuard sample configs. None of the OpenWrt WireGuard pages seem to adequately cover its significance. It can override other routing configurations, making troubleshooting difficult.
Interplay between LuCI and CLI:
I wasn't consistently committing changes and restarting services after modifications. And I was making modifications back and forth in the CLI and LuCI.
You can accomplish my intended topology with just routing tables. PBR would be needed if I need to do more complex things, like having clients on a VPN-enabled network not use the VPN for something like Netflix. So for now I can keep things simple.
Version-specific issues:
What also made troubleshooting difficult was packet loss issues in newer OpenWrt versions (+22.x) on my current hardware (Linksys WRT3200ACM) - on BOTH lan and wlan connections. I need to upgrade my router in the near future. I'm considering a move to a GL.iNet Flint 2.
I hope these insights prove valuable to others tackling similar issues. The route_allowed_ips setting, in particular, deserves more attention in the documentation, IMO.
Thank you again to the community (and egc) for your help.
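Added example (not code from the thread or from OpenWrt's own docs) that puts egc's rule and the resolution above together: a dedicated routing table for one network, a rule that sends that network's packets to it, and the per-peer route_allowed_ips '0' so WireGuard does not replace the main default route. It assumes the network name gianellevpn (bridge br-gianellevpn), the WireGuard interface wgclient_ca, and table id 102 from egc's post; the existing zone forwarding (gianellevpn to fw_wgcli_ca) stays as in the thread.

```shell
#!/bin/sh
# Assumed names (from the thread); adjust to your own config.
WG_IF="wgclient_ca"     # WireGuard logical interface
VPN_NET="gianellevpn"   # VPN-enabled network, bridge br-gianellevpn
TABLE_ID="102"          # dedicated routing table

# Print the uci commands instead of running them, so they can be reviewed
# and run on a machine without uci; pipe into sh on the router to apply.
policy_uci_commands() {
  cat <<EOF
# per-peer option: stop WireGuard from installing allowed_ips (0.0.0.0/0)
# into the main table, which would drag every network through the tunnel
uci set network.@wireguard_${WG_IF}[0].route_allowed_ips='0'
# default route that exists only in the VPN table, via the tunnel
uci add network route
uci set network.@route[-1].interface='${WG_IF}'
uci set network.@route[-1].target='0.0.0.0/0'
uci set network.@route[-1].table='${TABLE_ID}'
# packets entering from the VPN-enabled network consult that table
uci add network rule
uci set network.@rule[-1].in='${VPN_NET}'
uci set network.@rule[-1].lookup='${TABLE_ID}'
uci commit network
EOF
}

# Check that the kernel really has the policy rule: pass the output of
# 'ip rule show'. If it is absent, lookups fall through to the main table
# and the network goes straight out the WAN, the symptom in the thread.
has_policy_rule() {
  printf '%s\n' "$1" | grep -Eq "iif br-${VPN_NET} .*lookup ${TABLE_ID}"
}

# Constructed sample of 'ip rule show' after the change (not from the thread).
SAMPLE_RULES="0: from all lookup local
32000: from all iif br-gianellevpn lookup 102
32766: from all lookup main
32767: from all lookup default"

policy_uci_commands
if has_policy_rule "$SAMPLE_RULES"; then
  echo "policy rule for ${VPN_NET} -> table ${TABLE_ID} present"
fi
```

After applying, also confirm the table itself with `ip route show table 102`: it should hold only the default route via wgclient_ca, while `ip route show` keeps the WAN default.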