Wireguard not directing traffic to device connected directly to router

Hi, I have Wireguard VPN installed on my router and it's working well. The only problem is that my set-top box, which is running IPTV and connected directly to the router via Ethernet cable, is not clearing the channels. If I remove the Wireguard interface, it works again. The set-top box is getting a valid IP from Wireguard VPN, it's just not clearing the channels.

I set up Wireguard according to my VPN provider's instructions here: https://www.vpnunlimitedapp.com/help/manuals/open-wrt-wireguard-setup

Can you advise whether I need to do anything else to the config to get it working?

Thanks in advance.

opkg update
opkg install vpn-policy-routing
uci set vpn-policy-routing.config.enabled="1"
uci -q delete vpn-policy-routing.config.dest_ipset
uci -q delete vpn-policy-routing.lan_wan
uci set vpn-policy-routing.lan_wan="policy"
uci set vpn-policy-routing.lan_wan.src_addr="IPTV_BOX_IP"
uci set vpn-policy-routing.lan_wan.dest_addr="!192.168.1.0/24"
uci set vpn-policy-routing.lan_wan.interface="wan"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

VPN Policy-Based Routing + Web UI -- Discussion


Hi, Thanks for your reply. I get two error messages, not sure where I'm going wrong?

root@OpenWrt:~# opkg install vpn-policy-routing
Package vpn-policy-routing (0.2.1-13) installed in root is up to date.
root@OpenWrt:~# uci set vpn-policy-routing.config.enabled="1"
root@OpenWrt:~# uci -q delete vpn-policy-routing.lan_wan
root@OpenWrt:~# uci set vpn-policy-routing.lan_wan="policy"
root@OpenWrt:~# uci set vpn-policy-routing.lan_wan.src_addr="192.168.1.216"
root@OpenWrt:~# uci set vpn-policy-routing.lan_wan.dest_addr="!192.168.1.0/24"
root@OpenWrt:~# uci set vpn-policy-routing.lan_wan.interface="wan"
root@OpenWrt:~# uci commit vpn-policy-routing
root@OpenWrt:~# /etc/init.d/vpn-policy-routing restart
ERROR: DNSMASQ ipset support is enabled in vpn-policy-routing, but DNSMASQ is either not installed or installed DNSMASQ does not support ipsets!
Creating table 'wan/eth0.2/192.168.0.1' [✓]
Creating table 'VPNUnlimited/10.100.8.72' [✓]
Routing 'blank' via wan [✓]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth0.2/192.168.0.1
VPNUnlimited/10.100.8.72 [✓]
ERROR: DNSMASQ ipset support is enabled in vpn-policy-routing, but DNSMASQ is either not installed or installed DNSMASQ does not support ipsets!
vpn-policy-routing 0Login incorrect
OpenWrt login: ^C
root@OpenWrt:~#

You need to install dnsmasq-full if you want to use the ipset support in dnsmasq anyway.

I have installed the full version of dnsmasq and sent the config over and it's not clearing. My box does get an IP and I can install apps on it from the net, there are just no channels clearing.

This is what I have as vpn policy routing. Is there any change I need to make?

config vpn-policy-routing 'config'
    option verbosity '2'
    option strict_enforcement '1'
    option src_ipset '0'
    option ipv6_enabled '0'
    list supported_interface ''
    list ignored_interface 'vpnserver wgserver'
    option boot_timeout '30'
    option iptables_rule_option 'append'
    option iprule_enabled '0'
    option webui_enable_column '0'
    option webui_protocol_column '0'
    option webui_chain_column '0'
    option webui_sorting '1'
    list webui_supported_protocol 'tcp'
    list webui_supported_protocol 'udp'
    list webui_supported_protocol 'tcp udp'
    list webui_supported_protocol 'icmp'
    list webui_supported_protocol 'all'
    option enabled '1'

config include
    option path '/etc/vpn-policy-routing.netflix.user'
    option enabled '0'

config include
    option path '/etc/vpn-policy-routing.aws.user'
    option enabled '0'

config policy 'lan_wan'
    option src_addr '192.168.1.216'
    option dest_addr '!192.168.1.0/24'
    option interface 'wan'


Check the output:

/etc/init.d/vpn-policy-routing support

In addition, try to specify your ISP DNS manually on the IPTV box.

You can use this way to find ISP DNS:

ifstatus wan

The IPTV channels are now clearing on my box. I installed the VPN policy routing interface for LuCI on my router, and my box's IP address, domain, etc. were already filled in the policy field. I just gave the policy a name and then set it to run, and the channels cleared instantly.

Thanks for all your help.


I just remembered the Wireguard connection will cause issues with being able to connect to my work VPN. Is there a rule I can apply for my work laptop to bypass the Wireguard VPN and use my normal internet connection?

Add another policy for traffic matching your VPN protocol to use the WAN interface.

I'm not sure, can you provide an example of how to do that?

Do I need to add this to VPN policy routing?


Yes, that's why you should find out the protocols, ports, destination addresses specific to that VPN traffic in order to separate it from other traffic.
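
One way to express the policy suggested in the last replies, as an added example that is not part of the original thread: a small shell helper that validates its inputs and prints `uci batch` commands for a second vpn-policy-routing policy pointing at `wan`. The section name `work_vpn`, the laptop address 192.168.1.50 and the IPsec ports (UDP 500 and 4500) are assumptions; substitute the protocol and ports your work VPN actually uses.

```sh
#!/bin/sh
# Added example: print `uci batch` commands for a vpn-policy-routing policy
# that sends one LAN host's traffic out through 'wan' instead of the tunnel.

is_ipv4() {  # dotted quad with every octet in 0..255
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

is_ports() {  # empty (any port) or space-separated ports in 1..65535
    for p in $1; do
        case "$p" in *[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
}

# wan_bypass_policy SECTION SRC_IP PROTO [DEST_PORTS]
wan_bypass_policy() {
    name=$1; src=$2; proto=$3; ports=$4
    case "$name" in
        ''|*[!A-Za-z0-9_]*) echo "bad section name: $name" >&2; return 1 ;;
    esac
    is_ipv4 "$src" || { echo "bad source IP: $src" >&2; return 1; }
    case "$proto" in
        tcp|udp|'tcp udp'|all) ;;   # subset of webui_supported_protocol
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    is_ports "$ports" || { echo "bad port list: $ports" >&2; return 1; }

    s="vpn-policy-routing.$name"
    echo "set $s=policy"
    echo "set $s.name='$name'"
    echo "set $s.src_addr='$src'"
    echo "set $s.dest_addr='!192.168.1.0/24'"   # keep LAN traffic local, as in lan_wan
    echo "set $s.interface='wan'"
    [ "$proto" = all ] || echo "set $s.proto='$proto'"
    [ -z "$ports" ] || echo "set $s.dest_port='$ports'"
    echo "commit vpn-policy-routing"
}

# Constructed sample: laptop at 192.168.1.50, IPsec work VPN (IKE on UDP 500/4500).
wan_bypass_policy work_vpn 192.168.1.50 udp "500 4500"
# On the router, apply with:
#   wan_bypass_policy work_vpn 192.168.1.50 udp "500 4500" | uci batch
#   /etc/init.d/vpn-policy-routing restart
```

Passing `all` with no port list produces the same kind of whole-device policy as `lan_wan`, which is the simpler choice if the laptop never needs the WireGuard tunnel.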