WireGuard > Route ALL traffic via VPN

Hi all,

Really tried hard to work this all out for the last week till the early hours every day, followed what must be hundreds of guides and started again multiple times, but nothing is working as intended; tried to learn this and just not getting there :frowning:

Idea - WiFi/LAN to route through the OpenWrt ISP router using Wireguard (creating my own VPN not paying for external ones) thus securing everything internal out and out to internal (such as devices that cannot download clients etc).

What I have > WiFi/LAN routes through unsecured via ISP router, and I can punch in via my Android phone via Wireguard successfully - linking the two seems impossible but surely isn't!

I am a novice to all this, so appreciate any help please! Using LuCI, which I prefer, but also SSH when needed. The problem is most guides don't seem to cater specifically for this (not sure why, seems the most obvious option to me?) and if they do, they are outdated or don't include all the info needed.

The latest guide I've chosen and implemented after following the various combined guides to get to this point is:

Please let me know what commands you'd like me to output to assist.

Sorry/thanks!

Typically, you do not need PBR to route all traffic via the VPN.
Here are the WireGuard server and client how-tos.
Post your configuration if you still have questions:

uci show network; uci show firewall

Yes, I tried those guides initially, but they do rely on a somewhat more experienced user to read between the lines I think. I moved on from them a few guides ago! That ultimately led me to a guide that suggested PBR was needed which did seem like over complicating but?

Please see the info you requested below, apologies, there is a lot of it :wink:

uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix=
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.0.1'
network.lan.dns='1.1.1.1' '1.0.0.1'
network.lan_eth0_1_dev=device
network.lan_eth0_1_dev.name='eth0.1'
network.lan_eth0_1_dev.macaddr=
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='pppoe'
network.wan.password='password'
network.wan.ipv6='auto'
network.wan.username='customer'
network.wan.peerdns='0'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr=
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.dns='1.1.1.1' '1.0.0.1'
network.wan6.reqprefix='auto'
network.wan6.reqaddress='try'
network.wan6.peerdns='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='0 6t'
network.wgserver=interface
network.wgserver.proto='wireguard'
network.wgserver.listen_port='51820'
network.wgserver.addresses='10.8.0.1'
network.wgserver.private_key=
network.@wireguard_wgserver[0]=wireguard_wgserver
network.@wireguard_wgserver[0].route_allowed_ips='1'
network.@wireguard_wgserver[0].public_key=
network.@wireguard_wgserver[0].listen_port='51820'
network.@wireguard_wgserver[0].allowed_ips='10.8.0.3/32'
network.@wireguard_wgclient[0]=wireguard_wgclient
network.@wireguard_wgclient[0].allowed_ips='0.0.0.0/0' '::0/0'
network.@wireguard_wgclient[0].endpoint_port='51820'
network.@wireguard_wgclient[0].route_allowed_ips='1'
network.@wireguard_wgclient[0].public_key=
network.wgclient=interface
network.wgclient.proto='wireguard'
network.wgclient.listen_port='51820'
network.wgclient.private_key=
network.wgclient.addresses='10.8.0.2'
uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan wg0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].forward='REJECT'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[9]=rule
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[9].dest_port='51820'
firewall.@rule[9].name='Allow-Wireguard-Inbound'
firewall.@rule[9].src='*'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'
firewall.@zone[2]=zone
firewall.@zone[2].name='wgclient'
firewall.@zone[2].network='wgclient'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].output='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='wgclient'
firewall.@zone[3]=zone
firewall.@zone[3].name='wgserver'
firewall.@zone[3].network='wgserver'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].masq='1'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='wgserver'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='wgserver'
firewall.@forwarding[3].dest='lan'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].src='wgserver'
firewall.@forwarding[4].dest='wgclient'

Worth noting, the traffic flows fine on one interface: wgserver (Android phone <> ISP OpenWrt router).
Interface wgclient = no traffic at all.
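The posted dump has a few things a reader can spot by eye: the wgclient peer routes 0.0.0.0/0 and ::0/0 but has no endpoint_host, both WireGuard interfaces declare listen_port 51820, and the lan firewall zone still lists a wg0 interface that no longer exists in the network config. The script below is an added example, not part of this thread or of OpenWrt, that checks a saved `uci show network; uci show firewall` dump for exactly those three mistakes. The SAMPLE_DUMP it runs on is a constructed, abbreviated copy of the shape of the dump above, and the hostname in the second test input is a placeholder.

```python
"""Lint a saved `uci show network; uci show firewall` dump for common WireGuard mistakes.

Added example for the thread above; it is not OpenWrt's own tooling.
"""
import re

# Constructed sample, abbreviated from the shape of the posted dump (not the poster's exact output).
SAMPLE_DUMP = """\
network.lan=interface
network.lan.ifname='eth0.1'
network.wgserver=interface
network.wgserver.proto='wireguard'
network.wgserver.listen_port='51820'
network.@wireguard_wgserver[0]=wireguard_wgserver
network.@wireguard_wgserver[0].allowed_ips='10.8.0.3/32'
network.@wireguard_wgserver[0].route_allowed_ips='1'
network.@wireguard_wgclient[0]=wireguard_wgclient
network.@wireguard_wgclient[0].allowed_ips='0.0.0.0/0' '::0/0'
network.@wireguard_wgclient[0].route_allowed_ips='1'
network.@wireguard_wgclient[0].endpoint_port='51820'
network.wgclient=interface
network.wgclient.proto='wireguard'
network.wgclient.listen_port='51820'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan wg0'
firewall.@zone[2]=zone
firewall.@zone[2].name='wgclient'
firewall.@zone[2].network='wgclient'
"""

# package.section=type   or   package.section.option='v1' 'v2' ...
LINE_RE = re.compile(r"^(?P<pkg>\w+)\.(?P<sec>[^.=]+)(?:\.(?P<opt>\w+))?=(?P<val>.*)$")

CATCH_ALL = {"0.0.0.0/0", "::/0", "::0/0"}


def parse_uci(dump):
    """Return {package: {section: {"_type": type, option: [values, ...]}}}.

    An option with an empty value (e.g. private_key=) parses to an empty list,
    which the checks treat as unset.
    """
    cfg = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # command echoes, blank lines, anything that is not a uci key
        pkg, sec, opt, val = m.group("pkg", "sec", "opt", "val")
        section = cfg.setdefault(pkg, {}).setdefault(sec, {})
        if opt is None:
            section["_type"] = val
        else:
            section[opt] = re.findall(r"'([^']*)'", val)
    return cfg


def lint(cfg):
    """Return a list of findings; an empty list means none of the three checks fired."""
    findings = []
    net = cfg.get("network", {})
    fw = cfg.get("firewall", {})

    # 1. A peer that is given 0.0.0.0/0 or ::/0 has nowhere to send that traffic
    #    until the remote side connects first, so it needs an endpoint_host.
    for sec, s in net.items():
        stype = s.get("_type", "")
        if not stype.startswith("wireguard_"):
            continue
        iface = stype[len("wireguard_"):]
        if CATCH_ALL & set(s.get("allowed_ips", [])) and not s.get("endpoint_host"):
            findings.append(f"{iface}: peer {sec} routes all traffic but has no endpoint_host")

    # 2. Two WireGuard interfaces cannot both bind the same UDP listen_port.
    ports = {}
    for name, s in net.items():
        if s.get("_type") == "interface" and s.get("proto") == ["wireguard"]:
            for port in s.get("listen_port", []):
                ports.setdefault(port, []).append(name)
    for port, names in sorted(ports.items()):
        if len(names) > 1:
            findings.append(f"listen_port {port} used by more than one interface: {', '.join(sorted(names))}")

    # 3. Every interface named in a firewall zone must exist as a network interface.
    for sec, zone in fw.items():
        if zone.get("_type") != "zone":
            continue
        zone_name = zone.get("name", [sec])[0]
        for entry in zone.get("network", []):
            for iface in entry.split():  # 'lan wg0' is one quoted value holding two names
                if net.get(iface, {}).get("_type") != "interface":
                    findings.append(f"zone {zone_name} references undefined interface {iface}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_uci(SAMPLE_DUMP)):
        print(finding)
```

To use it on a real router, save the output of `uci show network; uci show firewall` to a file and feed its contents to `parse_uci` instead of SAMPLE_DUMP; private keys in the dump are never read by the checks, but treat the file as a secret all the same.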

What's the endpoint for wgclient?

1 Like

Both wgserver (working) and wgclient are left blank


Where are you expecting the traffic from your LAN to go without an endpoint?

1 Like

Good question, I did try adding an address with no change, is it right that currently it happily gets out and bypasses wgclient/server though?

What address do you suggest I pop in there?

My apologies, I've been working on this so long with such lack of sleep I'm going cross-eyed!!

The other end of your WireGuard tunnel. WireGuard (like all VPNs) encrypts data between two points; you can't just set up a WireGuard interface by itself and expect it to do anything.

3 Likes

Right, I thought setting up zones dealt with that but guessing not. So the other end should hit my wan zone in theory to get out

lan 192.168.0.1/24 > wgclient 10.8.0.2/32 > wan? Should I use my ddns hostname as it's dynamic with isp?

Do you have an endpoint device to send the traffic to? I.e. where are you planning for your LAN traffic to go after it leaves your router?

At the moment it sounds like you only have one half of a setup.

2 Likes

Well perhaps this is the issue I'm running into, a misunderstanding of what was possible?

Previously I had a Raspberry Pi running OpenVPN over a wireless AP, and everything I wanted encrypted on my network I joined to that, which routed to my ISP router and in/out. That Pi stopped working; after a day or two of working on it I discovered WireGuard and tried it on a Pi 4, although still having difficulties. I thought it may be router related, so upgraded the router, which broke most things! Then I discovered OpenWrt and thought I could use that and get rid of the Pis entirely to encrypt data, but don't want to pay for an external VPN provider.... Hence where I am now today!

Yeah, you can't just encrypt data on your router and send it out to the wider internet. It needs to go to another device where it is decrypted and then passed on to the internet. Whatever setup you previously had with OpenVPN still would've sent the data off to another device for decryption before it went onto the internet.

1 Like

So to achieve encrypted data out of my house, the only method for doing that would be to subscribe to a VPN provider then basically?

1 Like

Pretty much.

3 Likes

Ah cr#p - been running the OpenVPN for a year or two assuming I was encrypting everything going out lol, at least it was good for my Android phone coming in!

Any recommendations on a VPN with good UK speeds WG compatible please?

Surfshark are doing good deals at the moment. You can get 2 years for 35.76 GBP. It also allows for unlimited devices, and I've been using them for about a year now on various things without issue.

Your speed, however, will also be affected by your router spec. Mine don't usually go higher than 9 Mbps on any location config using my BT HomeHub 5, but that's good enough for my 'secure' requirement.

They don't offer WireGuard over OpenWrt though when I looked into it; most do not. I'm concerned about the speeds, however, as my intention is to route everything: security cameras, consoles, streaming etc. etc. with quite a few devices, and I have a 100 Mb connection. I don't think my old router will get anywhere near what I need. Think I'll have to scrap this idea and go Raspberry Pi 4 as the gateway.

Why are you wanting to send everything through a VPN? Is that really necessary?

1 Like