WireGuard interface interfering with other zones / DNS

Here you are, and thanks in advance for helping:

https://pastebin.com/YtWkfAmg

Regards,

Mario

uci set network.wifi1.type="bridge"
uci set network.wifi2.type="bridge"
uci set network.wifi1a.type="bridge"
uci commit network
/etc/init.d/network restart

uci set firewall.@zone[5].masq="1"
uci set firewall.@zone[5].mtu_fix="1"
uci commit firewall
/etc/init.d/firewall restart

uci set vpn-policy-routing.lan_vpn.src_addr="192.168.10.0/24"
uci set vpn-policy-routing.lan_vpn.dest_addr="!192.168.10.0/24"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

Thanks for the suggestion and help. I did it as described, but it looks like a step back. wifi2 - the free Wi-Fi - doesn't allow any connections anymore, and wifi1 - set up as the WireGuard tunnel - connects but doesn't allow any internet traffic.

I posted another pastebin with the above commands here: https://pastebin.com/qwsYtvVw

May I also ask for a favor: I would appreciate an explanation for the changes, to better understand why each change is necessary and maybe how to identify the error (and to avoid needing help next time, as I (and other readers) will hopefully understand the problems better).

But the response times and quality of support here are awesome!!

Regards,

Mario


Weird, perhaps it's related to some hardware-specific wireless issues.
Try to disable extra Wi-Fi interfaces/SSIDs, save the changes and restart the router.
Test Wi-Fi interfaces separately, only enabling one at a time.

This can help in some cases:

uci set dhcp.lan.force="1"
uci set dhcp.wifi1.force="1"
uci set dhcp.wifi2.force="1"
uci set dhcp.wifi1a.force="1"
uci commit dhcp
/etc/init.d/dnsmasq restart

Are you connecting to your own VPN server, or a commercial VPN provider?

  • Bridging is the recommended method to attach a wireless interface to a network.
  • Masquerading helps to resolve routing issues.
  • Routing policy should be applied to the source subnet.

After letting my device rest for some hours it's working normally now. If no device was connected for some hours, it takes some time before internet is available after connecting. I will have a look.

It's my private server within my home network. Access over DynDNS provider and forwarded ports on my ISP router.

What else to tell:

After establishing the vpn routing:

PBR showed an error with the WireGuard gateway X.X.X.16 (I'm still uncertain, shouldn't it be the X.X.X.1 address
from the WireGuard server subnet?). After disabling the routing policy the error disappeared, but nevertheless internet was not accessible all the time with the WireGuard Wi-Fi network.

Regards,

Mario


Then we should also check the server side. Post to pastebin.com, redacting the private parts:

ip address show; ip route show table all; ip rule show; \
sudo wg show; sudo iptables-save; sudo nft list ruleset; \
sysctl net 2> /dev/null | grep -e forward

Make sure to apply these workarounds on the client side:


I will give it a try. Will take some time as we renew parts of our flat.
Best you can do with COVID lockdown :wink:


Here we are:

https://pastebin.com/H85dMvku

Add 1: Handshake worked
Add 2: Using my S10 (not parallel to the openwrt device we are talking about) with the wireguard app is working with the same credentials perfectly.

Regards

Mario


Disable the WG zone masquerading on both client and server.
Add the client side subnet to the peer's allowed IPs on the server.
Temporarily disable MWAN, PBR and GL.iNet-specific firewall scripts on the server.


Disabling masquerading was easy - but no effect. Same for the subnet.
I am a bit reluctant to change the firewall script on the server.
As it is working with my mobile phone and laptop without any problem, the
wrong setting must be on the client side of the WireGuard settings in my OpenWrt travel router?
I am still struggling with the fact that a pure WireGuard setup works with a static rule from my peer IP X.X.X.16 to the WireGuard server IP X.X.X.1. With PBR enabled, the WG default gateway is X.X.X.16 and I cannot change this to X.X.X.1.

Looks as if we are stuck.

Currently this looks like a server side problem.
But it's a headache to troubleshoot GL.iNet devices. :sweat:
There's quite a lot of customization compared to the vanilla OpenWrt.
It's difficult to analyze and predict the possible implications.
Try to isolate the issue by redirecting all traffic from the client to the tunnel.


I will try to set up a vanilla OpenWrt device with a WG server in the next days.
Maybe we can then transfer settings to the GL.iNet device.

Nevertheless, thanks for the support so far.


OK, here we are.
I have set up a plain vanilla OpenWrt device with a WireGuard server - no other default configs changed. I added some peers, set up port forwarding to the device on my ISP router, and connecting my Android S10 works fine.
(Just as a remark: during the install I got an error installing the plain wireguard package, but wireguard-tools etc. are working.)

Here are my settings (it's OK to see all WG credentials as I will set everything up anew afterwards ...)

network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd11:4ffb:5b98::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '80:3f:5d:9d:04:98'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SEiMsidULbmm7JZkZAPRFwvi3vyMGrM48z0H+4VJzkM='
	option listen_port '51820'
	list addresses '10.10.0.1/24'

config wireguard_wg0
	option description 'Client1'
	option public_key 'IILT8BMCVjTsfV9JjXZsCZYXk4pKEgLw52s+6aljLUU='
	list allowed_ips '10.10.0.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host 'xxx.xxx.de'
	option endpoint_port '51824'

config wireguard_wg0
	option description 'Client2'
	option public_key 'mGgJNJ9VgpVZkd3WXZgF6nDIz8JTH0PfRr1EGIuyXEA='
	list allowed_ips '10.10.0.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host 'xxx.xxx.de'
	option endpoint_port '51824'

config wireguard_wg0
	option description 'Client3'
	option public_key 'uPdPL1NeJBC5QQbvaHkcrBk5anFMXeHi+5dDomjmiEU='
	list allowed_ips '10.10.0.4/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host 'xxx.xxx.de'
	option endpoint_port '51824'

config wireguard_wg0
	option description 'Client4'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.10.0.5/32'
	option public_key 'fBFVwY5kbec0J/OV45IH44a3rcfaDs0lwWrgF3tg3R8='
	option endpoint_host 'xxx.xxx.de'
	option endpoint_port '51824'

config wireguard_wg0
	option description 'Client5'
	option public_key 'VjYTWhuJyg5tr4xPP3L5mwD94R75GuP8W7FpBvdOhhA='
	list allowed_ips '10.10.0.6/32'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	option endpoint_host 'xxx.xxx.de'
	option endpoint_port '51824'

firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option name 'Allow-Web-WAN'
	option src 'wan'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Allow-SSH-WAN'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'Allow-SSL-WAN'
	option src 'wan'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

That was router B.

On my main router A I can establish the handshake to router B and get a refresh every 2 min.
But I have no traffic, nor can I use the wireless connections to get to the internet. Same situation as with the WireGuard router from GL.iNet described above. So, given the settings of my one-time, temporary router above, how would my router A have to be configured so that one Wi-Fi goes directly to wan -> ISP router and the second one to router B via the WireGuard tunnel and then to wan -> ISP router?

I highly appreciate any ideas.

Regards,

Mario


This part is missing:

Then check the diagnostics:

# Server
opkg update
opkg install tcpdump
tcpdump -evni any icmp

# Client
ping 10.10.0.1
ping host_in_server_lan
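
As an added example (not code from the thread, and going a step beyond the ping/tcpdump check above), here is a small script that reads the kernel's connection table on the client router to show where flows from the protected SSID really leave. With masquerading on the wan zone, a flow that went out over WAN carries the WAN address as reply destination, a flow that went through wg0 carries the tunnel address (10.10.0.33 in the later posts), and a flow handled by the router itself keeps the client address. The prefix 192.168.30., the WAN device eth0.2, the interface name wg0 and the sample conntrack entries in the usage note are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: find flows from the protected
# SSID that bypassed the tunnel, and check that wg0 is actually alive.
# PREFIX (e.g. 192.168.30.), the WAN device and the sample data used to
# exercise these functions are assumptions of this example.

# leaking_flows PREFIX WAN_IP < /proc/net/nf_conntrack
# Each conntrack line carries the original direction (src= dst= ... dport=)
# followed by the reply direction (src= dst= ...). A flow from PREFIX whose
# reply destination is the WAN address was SNATed onto WAN, i.e. it left
# outside the tunnel. Output: "orig_src -> orig_dst:dport" per such flow.
leaking_flows() {
    awk -v pfx="$1" -v wan="$2" '
    {
        ns = 0; nd = 0; port = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) src[++ns] = substr($i, 5)
            else if ($i ~ /^dst=/) dst[++nd] = substr($i, 5)
            else if ($i ~ /^dport=/ && nd == 1) port = substr($i, 7)
        }
        if (nd >= 2 && index(src[1], pfx) == 1 && dst[2] == wan)
            print src[1] " -> " dst[1] ":" port
    }'
}

# count_leaks PREFIX WAN_IP < /proc/net/nf_conntrack -> number of such flows
count_leaks() {
    leaking_flows "$@" | awk 'END { print NR }'
}

# handshake_age NOW "<output of: wg show wg0 latest-handshakes>"
# -> seconds since the newest handshake. A tunnel that passes traffic
# re-handshakes about every two minutes, so a value well above 180 means
# no data is flowing even if the interface is up.
handshake_age() {
    printf '%s\n' "$2" | awk -v now="$1" \
        'BEGIN { m = 0 } $2 + 0 > m { m = $2 + 0 } END { print now - m }'
}

# On the router: sh wg-egress-check.sh 192.168.30. eth0.2
if [ $# -eq 2 ]; then
    wan_ip=$(ip -4 -o addr show dev "$2" | awk '{ sub(/\/.*/, "", $4); print $4; exit }')
    n=$(count_leaks "$1" "$wan_ip" < /proc/net/nf_conntrack)
    echo "flows from $1 that left via WAN ($wan_ip): $n"
    leaking_flows "$1" "$wan_ip" < /proc/net/nf_conntrack
    age=$(handshake_age "$(date +%s)" "$(wg show wg0 latest-handshakes)")
    echo "seconds since last wg0 handshake: $age"
    [ "$n" -eq 0 ] && [ "$age" -lt 180 ]
fi
```

Run it while a client on the protected SSID browses; any line it prints is a flow that took the WAN path, and a DNS flow (dport 53) there means the clients resolve outside the tunnel. Run it again a minute after disconnecting the tunnel on the server side: with the policy in place the count should stay at zero (the clients simply lose connectivity), not jump up. Note that the router's own upstream DNS queries from dnsmasq are sourced from the WAN address and are not matched by a client-subnet policy, so they show up on WAN regardless.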

OK, here is my progress

Adding the client side subnet enabled internet access. However, if I am connected to my Wi-Fi with WG, I can't get access to any local SSL sites, only normal sites. I also don't get access to Samba shares.

If I connect to my second Wi-Fi, I don't get internet access but access to local SSL sites and also the Samba shares.
I don't know if it is a DNS problem.

Anything I can upload to check?

Regards,

Mario

  • Does the routing work over the WG for other protocols?
  • Can you access/ping hosts on the remote local network?
  • Can you access/ping HTTP/HTTPS sites on the internet over the WG?
  • How is HTTPS and DNS configured for the local sites?
  • Have you set up any port redirects for HTTPS?

OK, I have set up a 3rd device (all the same model, Wavelink WLR 755).
Again with a plain vanilla installation. I set up the 2 Wi-Fi networks, but instead of separate zones I added both to lan.
I set up WireGuard with the same credentials as above (router 1), as you can see. But no VPN-based routing.

Here are my settings (again, publishing confidential credentials is OK as I will change them later).

network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3a:56f9:e867::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.10.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '80:3f:5d:96:9e:34'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '6NpFFAZ4taAsja0V42Op7E5n7P2wM4YgoRXseZx+qXg='
	list addresses '10.10.0.6/32'

config wireguard_wg0
	option public_key 'aKEn1KedXp4N0URY0ed1+5ehnvzDuWfVD5vAJ1+AVkk='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option route_allowed_ips '1'
	option endpoint_host 'xxxx.xxx.de'
	option endpoint_port '51824'
	option persistent_keepalive '25'

firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

What shall I say: now all internal, external and SSL sites are working.
So what is the difference to the solution with router one with separate zones ...

Any help appreciated, and thanks in advance.

Just a small update:

Trying to turn my 3rd device, with its pure, working WireGuard connection, into a dual-network device was not successful. I installed vpn-policy-routing, which looks as follows, but my Wi-Fi gets no internet connection:

Here are my settings:

network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3a:56f9:e867::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.10.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '80:3f:5d:96:9e:34'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config wireguard_wg0
	option public_key 'aKEn1KedXp4N0URY0ed1+5ehnvzDuWfVD5vAJ1+AVkk='
	option endpoint_host 'xxxx.xxx.de'
	option endpoint_port '51824'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	list allowed_ips '192.168.10.0/24'
	list allowed_ips '192.168.20.0/24'

config interface 'wifi1'
	option proto 'static'
	option type 'bridge'
	option netmask '255.255.255.0'
	option ipaddr '192.168.20.1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '6NpFFAZ4taAsja0V42Op7E5n7P2wM4YgoRXseZx+qXg='
	list addresses '10.10.0.6/32'

firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option name 'Allow-Web-WAN'
	option src 'wan'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Allow-SSL-WAN'
	option src 'wan'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'Allow-SSH-WAN'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'

config zone
	option name 'wg0'
	option output 'ACCEPT'
	list device 'wg0'
	option forward 'REJECT'
	option masq '1'
	option input 'ACCEPT'

config zone
	option name 'wifi1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wifi1'

config forwarding
	option src 'wifi1'
	option dest 'wan'

vpn-policy-routing:

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	option resolver_ipset 'dnsmasq.ipset'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_chain_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '1'
	option ipv6_enabled '1'
	option webui_enable_column '1'
	option webui_protocol_column '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option interface 'wan'
	option name 'lan'
	option src_addr '192.168.10.1/24'
	option proto 'all'

config policy
	option interface 'wan'
	option name 'wifi'
	option src_addr '192.168.20.1/24'
	option proto 'all'

I must be missing something ...

OK, finally I made it. I just changed the setting a little bit. I was not aware that I can use multiple SSIDs on one radio.
So I was able to create 2 Wi-Fi networks for each radio (2.4 GHz and 5 GHz). By labeling the networks accordingly I can distinguish between protected and unprotected networks.

Both unprotected networks are attached to lan with a static address; both protected networks are attached to a separate network, wifiwg. lan and wifiwg have their own, identically named zones and are forwarded to the wan zone.
The WireGuard interface is assigned to the wan zone and "route allowed IPs" is unchecked.

Installing VPN policy routing should show the WAN gateway as the default and WireGuard with its peer IP as non-default.
I added a rule that all IPs from the wifiwg network (192.168.30.0/24) are routed to the WireGuard interface.
That's all.

Here are the configs:

network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3a:56f9:e867::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.10.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '80:3f:5d:96:9e:34'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config wireguard_wg0
	option endpoint_host 'xxx.xxx.de'
	option persistent_keepalive '25'
	option public_key 'XXXXX='
	option endpoint_port 'XXXXX'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '192.168.30.0/24'
	option description 'LAN02'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'XXXX='
	list addresses '10.10.0.33/32'

config interface 'wifiwg'
	option proto 'static'
	option type 'bridge'
	option netmask '255.255.255.0'
	option ipaddr '192.168.30.1'

firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list network 'wan'
	list network 'wan6'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wifiwg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'wifiwg'
	option forward 'ACCEPT'

config forwarding
	option src 'wifiwg'
	option dest 'wan'

vpn-policy-routing:

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	option resolver_ipset 'dnsmasq.ipset'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_chain_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_enable_column '1'
	option webui_protocol_column '1'
	option enabled '1'
	option ipv6_enabled '0'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option proto 'all'
	option interface 'wg0'
	option name 'wifiwg'
	option src_addr '192.168.30.0/24'

Thanks to all so far, and hopefully others will benefit from this.
It only remains for me to say: I learned a lot and, despite the long way, the success is a pleasant reward.

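As an added example (not code from the thread), here is the final layout as one uci batch, so that the three rules given earlier in the thread (bridge the SSIDs onto a network, masquerade the tunnel, apply the policy to the source subnet) and the last post's solution can be applied in one go instead of piecemeal through LuCI. Assumptions that go beyond the posted configs: the peer section is named wgpeer0, the wan zone is the second firewall zone section (@zone[1], as in a stock OpenWrt firewall config), the DHCP pool for wifiwg, the resolver handed to the protected clients (the server's own 10.10.0.1, whose wg0 sits in its lan zone with input ACCEPT in the posted server config, so its dnsmasq is reachable through the tunnel), the key placeholder, and the function names. Attaching the SSIDs to the wifiwg network in /etc/config/wireless is not covered.

```shell
#!/bin/sh
# Added example, not code from the thread: print the uci batch for the
# "lan straight to WAN, wifiwg through wg0" layout. Section names wgpeer0
# and wifiwg, @zone[1] being wan, the DHCP pool, the tunnel resolver and
# the key placeholder are assumptions of this example.

# cidr_network 192.168.30.1/24 -> 192.168.30.0/24: strip the host bits so
# the policy names the subnet rather than the router's own address.
cidr_network() {
    ip=${1%/*}; plen=${1#*/}
    case "$plen" in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0*[0-9]) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( 0xFFFFFFFF ^ ((1 << (32 - plen)) - 1) ))
    n=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
        $(( (n >> 8) & 255 )) $(( n & 255 )) "$plen"
}

# wifiwg_uci_batch ROUTER_CIDR WG_ADDR ENDPOINT_HOST ENDPOINT_PORT PEER_PUBKEY TUNNEL_DNS
# e.g. wifiwg_uci_batch 192.168.30.1/24 10.10.0.33/32 xxx.xxx.de 51824 'XXXXX=' 10.10.0.1
wifiwg_uci_batch() {
    subnet=$(cidr_network "$1") || { echo "bad CIDR: $1" >&2; return 1; }
    router=${1%/*}
    # protected SSIDs land on their own bridge (a /24, as in the post)
    cat <<EOF
set network.wifiwg=interface
set network.wifiwg.proto='static'
set network.wifiwg.type='bridge'
set network.wifiwg.ipaddr='$router'
set network.wifiwg.netmask='255.255.255.0'
EOF
    # wg0 client: the peer may carry everything, but route_allowed_ips=0
    # keeps the WAN default route in the main table; the policy steers.
    cat <<EOF
set network.wg0=interface
set network.wg0.proto='wireguard'
set network.wg0.private_key='${WG_PRIVATE_KEY:-REPLACE_WITH_CLIENT_PRIVATE_KEY}'
add_list network.wg0.addresses='$2'
set network.wgpeer0=wireguard_wg0
set network.wgpeer0.public_key='$5'
set network.wgpeer0.endpoint_host='$3'
set network.wgpeer0.endpoint_port='$4'
set network.wgpeer0.persistent_keepalive='25'
set network.wgpeer0.route_allowed_ips='0'
add_list network.wgpeer0.allowed_ips='0.0.0.0/0'
EOF
    # firewall: wg0 joins the masquerading wan zone, wifiwg gets its own
    # zone that is only forwarded to wan (not to lan).
    cat <<EOF
add_list firewall.@zone[1].network='wg0'
set firewall.@zone[1].masq='1'
set firewall.wifiwg=zone
set firewall.wifiwg.name='wifiwg'
set firewall.wifiwg.input='ACCEPT'
set firewall.wifiwg.output='ACCEPT'
set firewall.wifiwg.forward='ACCEPT'
add_list firewall.wifiwg.network='wifiwg'
set firewall.wifiwg_wan=forwarding
set firewall.wifiwg_wan.src='wifiwg'
set firewall.wifiwg_wan.dest='wan'
EOF
    # DHCP pool with a resolver behind the tunnel (option 6), then the
    # policy: all traffic sourced from the wifiwg subnet goes to wg0, and
    # strict_enforcement=1 blocks it instead of falling back to WAN when
    # wg0 is down.
    cat <<EOF
set dhcp.wifiwg=dhcp
set dhcp.wifiwg.interface='wifiwg'
set dhcp.wifiwg.start='100'
set dhcp.wifiwg.limit='150'
set dhcp.wifiwg.leasetime='12h'
add_list dhcp.wifiwg.dhcp_option='6,$6'
set vpn-policy-routing.config.enabled='1'
set vpn-policy-routing.config.strict_enforcement='1'
set vpn-policy-routing.wifiwg=policy
set vpn-policy-routing.wifiwg.name='wifiwg'
set vpn-policy-routing.wifiwg.interface='wg0'
set vpn-policy-routing.wifiwg.src_addr='$subnet'
set vpn-policy-routing.wifiwg.proto='all'
commit network
commit dhcp
commit firewall
commit vpn-policy-routing
EOF
}

# With six arguments, print the batch (pipe it into: uci batch).
if [ $# -eq 6 ]; then wifiwg_uci_batch "$@"; fi
```

Usage on the router: `WG_PRIVATE_KEY='...' sh wifiwg.sh 192.168.30.1/24 10.10.0.33/32 xxx.xxx.de 51824 'XXXXX=' 10.10.0.1 | uci batch`, then restart network, dnsmasq, firewall and vpn-policy-routing. The src_addr is normalised to the network address before it goes into the policy (iptables would mask a host address such as 192.168.30.1/24 the same way, so this only makes the intent explicit). Because wg0 is in the masquerading wan zone, traffic leaves the tunnel with source 10.10.0.33, so the server side needs only 10.10.0.33/32 in that peer's allowed_ips; add 192.168.30.0/24 there only if masquerading is turned off, since WireGuard drops inbound packets whose source is not in the peer's allowed IPs. Handing the protected clients 10.10.0.1 as resolver keeps their DNS inside the tunnel; otherwise they ask the router's dnsmasq, whose upstream queries are router-originated, are not matched by the wifiwg policy and go out over WAN.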
