I have a wireguard interface on OpenWrt that I wish to keep standalone, meaning that I don't want all my WAN traffic to go via the tunnel.

However I wish that OpenWrt responds to incoming internet traffic via the wireguard tunnel if the request came via wireguard and not the WAN. I may be missing something with my setup because tcpdump is showing me that ICMP packets are coming in to the wireguard interface but leaving the router on WAN (default IPv6 route).

I am trying to stay away from setting up wireguard as my default IPv6 gateway, is there a setting somewhere that can easily "if traffic came from wg0 - replies to those packets should go via wg0 interface regardless of default route'?

# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option masq6 '1'
        option masq6_privacy '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled ''\''0'\'''

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-Ping-WG'
        option src 'WGMIA'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP-WG'
        option src 'WGMIA'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6-WG'
        option src 'WGMIA'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD-WG'
        option src 'WGMIA'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input-WG'
        option src 'WGMIA'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward-WG'
        option src 'WGMIA'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled ''\''0'\'''

config rule
        option name 'Allow-IPSec-ESP-WG'
        option src 'WGMIA'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP-WG'
        option src 'WGMIA'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config zone
        option name 'wgmia'
        option forward 'REJECT'
        list network 'WGMIA'
        option output 'ACCEPT'
        option masq '1'
        option input 'ACCEPT'

network

# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdde:104a:0f59::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 3 2 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '11'
        option ports '6t 4'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t'
        option vid '200'

config interface 'WGMIA'
        option proto 'wireguard'
        option private_key 'nope'
        list addresses '10.100.100.12/24'
        list addresses '2602:xx:xx:xx:8888::12/112'
        option mtu '1350'

config wireguard_WGMIA
        option public_key 'notyours'
        option description 'dddd'
        option endpoint_port '88'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option preshared_key 'notyours'
        option endpoint_host 'xx'
        option persistent_keepalive '19'

config interface 'opnsense'
        option proto 'none'
        option type 'bridge'
        option ifname 'eth1.11'

ip 6 routes

# ip -6 r
default from 2607:xx:920c:6de6:xx:59c3:0:xx via fe80::e7c:zz:6ecc dev eth0.2 proto static metric 512 pref medium
default from 2607:xx:xx::/64 via fe80::e7c:28ff:fe8d:6ecc dev eth0.2 proto static metric 512 pref medium
2602:xx:xx:8888::/112 dev WGMIA proto kernel metric 256 pref medium
unreachable 2607:xx:xx:d88f::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
2607:xx:xx:6de6::/64 dev eth0.2 proto static metric 256 pref medium
2607:xx:xx:6de6::/64 via fe80::e7c:xx:6ecc dev eth0.2 proto static metric 512 pref medium
unreachable 2607:xx:xx:6de6::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
unreachable 2607:xx:xx:7a91::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
unreachable 2607:xx:xx:x::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
fdde:104a:f59::/64 dev br-lan proto static metric 1024 pref medium
fdde:104a:f59:4::/62 via fe80::d4:36ff:febd:ea5a dev br-lan proto static metric 1024 pref medium
unreachable fdde:104a:f59::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-opnsense proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan0-1 proto kernel metric 256 pref medium
default via fe80::e7c:28ff:fe8d:6ecc dev eth0.2 proto ra metric 1024 expires 1471sec mtu 1500 hoplimit 64 pref medium

uci set network.@wireguard_WGMIA[0].route_allowed_ips="1"
uci set network.WGMIA.ip4table="1"
uci set network.WGMIA.ip6table="1"
uci commit network
/etc/init.d/network restart

https://openwrt.org/docs/guide-user/network/routing/pbr_netifd

Fix mismatch case for all rules:

Fix syntax:

Also add traffic forwardings/rules between LAN and VPN.

Thank you!

So I learned that 'ip4table' and 'ip6table' basically allow each interface to have its own routing table?

ip -6 r

it now shows two default gateways (wireguard now has its own)
My ICMP ping and tests from the internet to the IPv6 of the wireguard client now succeed https://tools.keycdn.com/ipv6-ping

Do these look alright? This seems to be what you mean about forwarding zones?

Screenshot 2021-04-11 005751757×896 74.8 KB

Yep, it should result in the following:

• Move the VPN interface to a separate routing table.
• Automatically create the routing rules.

The idea behind the method is explained here:

Thanks - would the settings you suggested need to be changed or removed later if I were to add 'vpn-policy-routing' package and Luci UI?

I have Plex Media Server and other things that I am considering opening up to the internet - but their external traffic should only be coming in from wireguard via a port forward rule. I do have NAT6 and NAT inside my LAN.

I think vpn-policy-routing may add some cool features but looks like it may not be needed if I want to port forward port 32400 traffic coming from wireguard interface to the LAN.

But since 'vpn-policy-routing' also seems to create routing tables - I wonder if I later decide to play with it if I need to come back and remove the settings that were added.

The built-in rules configured above provide dynamic routing.
The VPR app can statically set up the routing direction by source/destination host/port.
It has a higher priority than the built-in rules.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.