Wireguard, Policy-Based-Routing and LAN-Access

Hi all

I’m quite new to OpenWRT and Linux but have already come quite a long way trying to implement my ideas - dozens of times thanks to very helpful replies on this forum. So thanks for that :slight_smile:

I use my Archer C7 as both a Wireguard „server“ and „client“. I was already able to route both my LAN traffic as well as my mobile traffic through the Wireguard „client“ interface on my router, using Pi-Hole as my DNS server. Implementing scenario #2 of the Policy-Based-Routing Manual (thanks to @trendy for pointing me in the right direction in this thread) was the solution here.

However, with this setup I cannot remotely (i.e. by laptop or phone through the Wireguard tunnel and interface „wgserver“) access my local hosts such as my self-hosted nextcloud-server or my Pi-Hole’s admin-page. My PBR-settings seem to be the problem here - as soon as I disable PBR those hosts become accessible. I have also tried disabling „Route allowed IPs“ under /etc/config/network config wireguard_wgserver and adding the following to my config, as was suggested by @lleachii in this thread.

I would appreciate any tips pointing me in the right direction.

Thank you and all the best

red

/etc/config/network

# /etc/config/network as posted. The WireGuard-related parts are 'vpn'
# (the router's own WireGuard listener, peer: iPhone), 'wgclient' (the
# outbound tunnel to a commercial VPN, peer: wgserver) and a static route.
# The curly quotes around redacted values (‚XXXXXXX‘) are most likely a
# forum/typographic artefact; UCI expects the ASCII single quotes used on
# every other line.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd27:a87c:b871::/48'

# Bridge for the LAN side; eth0.1 is switch VLAN 1 (see switch_vlan below).
# The extra indent on 'type' is cosmetic only.
config device
	option name 'br-lan'
		option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	# LAN-side resolver (by all appearances the Pi-hole mentioned in the
	# post). This is the one place the DNS entry is wanted; the reply in the
	# thread says to drop the copies on wan, wan6 and the wg interfaces.
	list dns '192.168.1.126'

config device
	option name 'eth0.2'
	option macaddr 'XXX'

# NOTE(review): wan is on eth0.10 (switch VLAN vid 10 below) while wan6
# sits on eth0.2, which has no switch_vlan entry in this listing - confirm
# that split is intended.
config interface 'wan'
	option proto 'dhcp'
	# Ignore the ISP's resolvers. Per the reply in the thread the explicit
	# dns entry below is not needed here; the resolver is reachable via lan.
	option device 'eth0.10'
	option peerdns '0'
	list dns '192.168.1.126'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '192.168.1.126'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 = LAN ports 2-5 plus tagged CPU port 0 (-> eth0.1 in br-lan).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4 5'

# VLAN 10 = port 1 tagged plus tagged CPU port 0 (-> eth0.10 used by wan).
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '10'
	option ports '0t 1t'

# WireGuard "server" side: the router listens on UDP 51820 (opened by the
# Allow-WireGuard firewall rule) and owns 192.168.9.1/24 on the tunnel.
# The firewall puts this network in the 'lan' zone, which is what lets a
# remote peer reach LAN hosts at all.
config interface 'vpn'
	option proto 'wireguard'
	option private_key ‚XXXXXXX‘
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'
	option peerdns '0'
	# Per the reply in the thread: not needed on the wg interfaces either.
	list dns '192.168.1.126'

# WireGuard "client" side: the outbound tunnel to the commercial VPN. The
# firewall places it in the 'wan' zone (masqueraded) and vpn-policy-routing
# decides which sources are steered into it.
config interface 'wgclient'
	option proto 'wireguard'
	option private_key ‚XXXXXXX‘
	option mtu '1412'
	list addresses ‚XXX.XXX.XXX.XXX‘
	option peerdns '0'
	list dns '192.168.1.126'

# Peer for 'wgclient': the provider's endpoint. allowed_ips 0.0.0.0/0 and
# ::/0 means any destination may be sent into (and accepted from) this
# tunnel. No route_allowed_ips is set here, so OpenWrt's default for that
# option applies; the posted policy-routing config is what actually steers
# LAN traffic into the tunnel.
config wireguard_wgclient 'wgserver'
	option endpoint_port ‚YYY‘
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option description 'IVPN_ZURICH'
	option public_key ‚YYYYYYY‘
	option endpoint_host ‚YYY.YYY.YYY.YYY‘

# Peer for 'vpn': the phone. WireGuard only accepts packets from a peer
# whose source address lies inside its allowed_ips, so the /32 pins this
# peer to 192.168.9.2. route_allowed_ips '0' together with the static route
# below are the two changes the post says were tried from an earlier thread.
config wireguard_vpn
	option description 'iPhone'
	option public_key ‚ZZZZZZZ‘
	option route_allowed_ips '0'
	list allowed_ips '192.168.9.2/32'

# Reply in the thread: "The route is not needed" - presumably because 'vpn'
# already carries 192.168.9.1/24 as its address, which covers this subnet.
config route
	option interface 'vpn'
	option target '192.168.9.0'
	option netmask '255.255.255.0'

/etc/config/firewall

# /etc/config/firewall as posted. Zone picture: lan = {lan, vpn},
# wan = {wan, wan6, wgclient}; the only forwarding allowed is lan -> wan.
config defaults
	# The zone settings below override these; 'wan' rejects input/forward.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# The WireGuard "server" network 'vpn' is a member of the lan zone, so a
# connected peer is treated like a LAN host (input and forward ACCEPT).
# This is the intended remote-access path.
config zone 'lan'
	option name 'lan'
	list network 'lan'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	# Reply in the thread: masquerade is not necessary on lan. Leaving it on
	# would also likely make VPN-peer traffic appear to LAN hosts as coming
	# from the router instead of from the peer's 192.168.9.x address.
	option masq '1'

# 'wgclient' (the outbound VPN tunnel) is deliberately in the wan zone:
# LAN traffic steered into it is masqueraded to the tunnel address, and
# unsolicited traffic arriving from the provider side is rejected.
config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wgclient'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Covers lan and vpn -> wan, wan6 and wgclient.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from here down to Support-UDP-Traceroute are OpenWrt's stock
# wan-zone rules. Nothing in the posted config uses IPsec, so
# Allow-IPSec-ESP / Allow-ISAKMP are simply inherited defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# Contents of /etc/firewall.user are not shown in the post; anything in it
# is part of the effective ruleset.
config include
	option path '/etc/firewall.user'

# Opens the 'vpn' listener (listen_port 51820 in /etc/config/network) to
# the wan zone. Because 'wgclient' is also a wan-zone member, this accepts
# UDP 51820 arriving through the outbound VPN tunnel as well; WireGuard
# itself silently ignores packets that do not authenticate, but the wider
# exposure is worth knowing about.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

/etc/network/vpn-policy-routing

# vpn-policy-routing config as posted (the heading in the post says
# /etc/network/...; the package's config normally lives under /etc/config/,
# so that is likely a typo in the post). Two policies push the LAN and the
# WireGuard-server clients into the outbound tunnel 'wgclient'.

# Reply in the thread: '192.168.1.1/24' is wrong as written - use
# 192.168.1.0/24 for the whole LAN or 192.168.1.1/32 for the router alone.
# The same applies to the 192.168.9.x policy below.
config policy
	option name 'LAN_OVER_WGC'
	option interface 'wgclient'
	option src_addr '192.168.1.1/24'

config policy
	option name 'WG_MEMBERS_OVER_WGC'
	option src_addr '192.168.9.1/24'
	option interface 'wgclient'

config vpn-policy-routing 'config'
	option verbosity '2'
	# Leak guard: with strict enforcement, traffic matched by a policy is
	# meant not to fall back to plain wan when 'wgclient' is down (as the
	# package docs describe it - confirm on the installed version).
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	option resolver_ipset 'dnsmasq.ipset'
	# NOTE(review): IPv6 is not policy-routed here, while wan6 exists and
	# the wgclient peer allows ::/0 - confirm IPv6 from LAN hosts takes the
	# path you expect rather than leaving via wan6.
	option ipv6_enabled '0'
	# Reply in the thread: neither 'vpnserver' nor 'wgserver' is an
	# interface in the posted /etc/config/network ('wgserver' is the name
	# of a peer section). The WireGuard server interface to ignore is
	# 'vpn'; with it missing, the policies also capture the traffic of the
	# tunnel the remote clients arrive on, which is the likely cause of
	# the LAN-access problem described in the post.
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	# webui_* options only affect the LuCI page, not the routing itself.
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '1'

# Both bundled include scripts are disabled, so they play no part here.
config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

The route is not needed.

Remove it from the wan, wan6, and wg interfaces. It is reachable from lan, and it is enough for it to be there.

Masquerade is not necessary in lan zone.

These are wrong. Either include the whole subnet with .0/24 or just one address with .1/32.

Here you should include the vpn interface, which is basically the vpnserver.


Hi @trendy

Wow, what an absolute legend you are! After implementing your suggested changes, everything works just as smoothly as I had been hoping for - after days of trial and error...

So, huge THANK YOU and all the best to you


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

