I have a router with multiple WAN connections, with one of them being a connection to a private corporate network which blocks virtually any connection to the Internet.
I create a WireGuard tunnel from that router to my home router, and by default, OpenWrt creates a route to my home router address via the corporate network gateway, and it blocks the WireGuard connection.
With the unrestricted PPPoE connection to my ISP being defined in myisp uci section, I tried to edit WireGuard peer with option tunlink, but it still binds my home router IP address to the corporate network gateway:
I also tried myisp instead of @myisp but it does not work either. The result is always like this:
root@OpenWrt:~# ip route show
[...]
<home_router_ip_addr> via 172.16.0.254 dev veth0 proto static metric 500
[...]
I know I can remove the option gateway in the configuration of the corporate interface. But that gateway still allows some basic Internet services and I want to keep it as the last resort in case all WANs are down. Also, my configuration has a lot of WAN connections, and by removing that gateway, OpenWrt will fall back to another random one for the WireGuard connection. I want it to use the specific myisp interface only.
I don't see any indication that this option is supported for WireGuard (neither as a regular WireGuard config option nor as an option for the way that OpenWrt deals with the protocol).
The only thing I see about using tunlink is with respect to GRE protocols, and I don't think that applies to WireGuard:
EDIT: I was mistaken... see the next post from @Livy.
Binding a service to a particular interface does not mean that packets will be routed to it. That is determined by the routing table(s). The firewall must also permit it. The option to bind to a particular interface is seldom necessary when a proper firewall is in place.
Probably the policy routing package or even a simple /32 route can be used to send packets to your house public IP (which would be the encrypted packets) via a particular WAN. Another approach would be to have the corporate connection only handle corporate LAN IPs.
Note that what you are doing presents a big security risk to the company. Any malware on your router or PC would have access to corporate secrets as well as unrestricted use of the Internet.
Binding a service to a particular interface does not mean that packets will be routed to it.
I can see this option works very well with GRE tunnel. I have been using it for a while.
even a simple /32 route can be used to send packets to your house public IP (which would be the encrypted packets) via a particular WAN
In reality, my home router does not have a static IP address and needs to use DDNS. I don't think a DDNS domain name will work with a static route.
Note that what you are doing presents a big security risk to the company. Any malware on your router or PC would have access to corporate secrets as well as unrestricted use of the Internet.
My home network is more secure than this so-called "corporate" network. The fact that it allows anything to connect to it is undeniable proof of its security status. And I don't type doas apk add malware.exe or sudo apt install malware.exe on my PC. In short, I know what I am doing, and have to configure the firewall properly to block unauthorized access from this unsecured network to my home network.
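The /32 route suggested earlier and the objection that the home router only has a DDNS name can be reconciled with a small script that resolves the name on a schedule and keeps a host route for the answer pinned to one WAN. The following is an added example written for this thread, not code posted by anyone in it or shipped with OpenWrt. It assumes hypothetical names (uci interface myisp, DDNS host home.example.net, metric 10), that the WAN's device and default nexthop are read from netifd with ubus and jsonfilter, and that resolveip (or busybox nslookup as a fallback) does the DNS lookup; the route-building and address-validation logic is the part that is exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: pin the WireGuard peer's public IP
# (learned from a DDNS name) to one OpenWrt WAN with a /32 host route.
# Hypothetical names: uci interface "myisp" and DDNS host "home.example.net".
# Run from cron, e.g. "*/5 * * * * /usr/bin/wg-peer-route.sh sync".

WAN_IFACE="${WAN_IFACE:-myisp}"
PEER_HOST="${PEER_HOST:-home.example.net}"
ROUTE_METRIC="${ROUTE_METRIC:-10}"      # lower than the corporate route (500)
STATE_FILE="${STATE_FILE:-/var/run/wg-peer-route.$WAN_IFACE}"

# is_ipv4 ADDR: true only for a dotted quad with four octets in 0..255.
# Runs in a subshell so the IFS change cannot leak into the caller.
is_ipv4() (
    case "$1" in
        *[!0-9.]*|"") exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || exit 1
    done
    exit 0
)

# route_cmd PEER_IP L3DEV NEXTHOP: print the ip(8) command that sends
# PEER_IP/32 out of L3DEV. netifd reports the nexthop as 0.0.0.0 (or
# nothing) on point-to-point links such as PPPoE, which need "dev" only.
route_cmd() {
    is_ipv4 "$1" || return 1
    [ -n "$2" ] || return 1
    if is_ipv4 "$3" && [ "$3" != "0.0.0.0" ]; then
        printf 'ip route replace %s/32 via %s dev %s proto static metric %s\n' \
            "$1" "$3" "$2" "$ROUTE_METRIC"
    else
        printf 'ip route replace %s/32 dev %s proto static metric %s\n' \
            "$1" "$2" "$ROUTE_METRIC"
    fi
}

# wan_status: ask netifd for the WAN's kernel device and default nexthop.
# Prints "<l3_device> <nexthop>"; fails when the interface is not up.
wan_status() {
    st=$(ubus call network.interface."$WAN_IFACE" status 2>/dev/null) || return 1
    [ "$(echo "$st" | jsonfilter -e '@.up')" = "true" ] || return 1
    dev=$(echo "$st" | jsonfilter -e '@.l3_device')
    nh=$(echo "$st" | jsonfilter -e '@.route[@.target="0.0.0.0"].nexthop' | head -n1)
    [ -n "$dev" ] && echo "$dev $nh"
}

# resolve_peer HOST: print one validated IPv4 answer for HOST.
resolve_peer() {
    if command -v resolveip >/dev/null 2>&1; then
        ip=$(resolveip -4 -t 5 "$1" 2>/dev/null | head -n1)
    else
        ip=$(nslookup "$1" 2>/dev/null | awk '/^Name:/ {n=1; next}
            n && /^Address/ {for (i=2; i<=NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {print $i; exit}}')
    fi
    is_ipv4 "$ip" && echo "$ip"
}

# sync_route: (re)install the host route; drop the stale one if the
# DDNS answer changed since the last run.
sync_route() {
    peer=$(resolve_peer "$PEER_HOST") || { logger -t wg-peer-route "cannot resolve $PEER_HOST"; return 1; }
    st=$(wan_status) || { logger -t wg-peer-route "$WAN_IFACE is down"; return 1; }
    l3dev=${st%% *}
    nexthop=${st#* }
    cmd=$(route_cmd "$peer" "$l3dev" "$nexthop") || return 1
    if [ -r "$STATE_FILE" ]; then
        old=$(cat "$STATE_FILE")
        if [ "$old" != "$peer" ] && is_ipv4 "$old"; then
            ip route del "$old/32" metric "$ROUTE_METRIC" 2>/dev/null
        fi
    fi
    $cmd && echo "$peer" > "$STATE_FILE"
}

# Only act when invoked as "... sync"; sourcing the file just defines
# the functions.
if [ "${1:-}" = "sync" ]; then
    sync_route
fi
```

Because the host route carries a lower metric than the corporate route at 500, the kernel prefers it while pppoe-myisp is up; when that link drops, the kernel removes routes bound to the vanished device and the endpoint would fall back to the corporate gateway. If the tunnel must never traverse the corporate link, add an unreachable route for the peer at a metric between the two (for example ip route add unreachable <peer>/32 metric 100) so the fallback blackholes the handshake instead. The firewall rule that restricts what the corporate zone may reach is a separate matter and is not covered here.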