Wireguard Server not reachable with Policy-Based-Routing

Hi @stangri,

I have installed pbr on my router and have been experimenting with it. I first tested this router within my home network and everything seemed to work fine. I could even connect to the Wireguard server from the WAN side of the router. I also created a webserver as a test and opened port 8080. That also worked, and I decided to connect it to the internet.

Once connected to the internet everything seems to be working fine again except the webserver and the Wireguard server. I did a portscan on my router and saw that the ports 61580 and 8080 are 'filtered'.
If I disable PBR and stop my Wireguard client connection the ports are reachable again, so it's not an issue with my internet provider. I have no idea why the ports are now filtered/closed and I cannot connect to them anymore.

With the PBR installation I have chosen the option Local Wireguard Server + Wireguard Client (Scenario 1) from these instructions: https://docs.openwrt.melmac.net/pbr/

Here are the contents of my /var/pbr-support file:

pbr 0.9.4-10 running on OpenWrt 21.02.3.
============================================================
Dnsmasq version 2.85  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         *               0.0.0.0         U     10     0        0 wgclient
default         82-73-92-1.cabl 0.0.0.0         UG    20     0        0 eth0.100

IPv4 Table 201: default via [redacted] dev eth0.100 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1 
192.168.200.2 dev wgserver proto static scope link 
IPv4 Table 201 Rules:
30000:	from all fwmark 0x10000/0xff0000 lookup wan

IPv4 Table 202: default via 10.2.0.2 dev wgclient 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1 
192.168.200.2 dev wgserver proto static scope link 
IPv4 Table 202 Rules:
29999:	from all fwmark 0x20000/0xff0000 lookup wgclient
============================================================
Mangle IP Table: PREROUTING
-N PBR_PREROUTING
-A PBR_PREROUTING -p tcp -m multiport --dports 9200 -m comment --comment Policy_cfg036ff5 -c 27 1358 -g PBR_MARK0x010000
-A PBR_PREROUTING -p udp -m multiport --dports 9200 -m comment --comment Policy_cfg036ff5 -c 0 0 -g PBR_MARK0x010000
============================================================
Mangle IP Table: OUTPUT
-N PBR_OUTPUT
-A PBR_OUTPUT -p udp -m multiport --sports 61820 -m comment --comment Wireguard_Server -c 3 528 -g PBR_MARK0x010000
-A PBR_OUTPUT -p tcp -m multiport --sports 8080 -m comment --comment http -c 0 0 -g PBR_MARK0x010000
============================================================
Mangle IP Table MARK Chain: PBR_MARK0x010000
-N PBR_MARK0x010000
-A PBR_MARK0x010000 -c 26416 1846726 -j MARK --set-xmark 0x10000/0xff0000
-A PBR_MARK0x010000 -c 26416 1846726 -j RETURN
============================================================
Mangle IP Table MARK Chain: PBR_MARK0x020000
-N PBR_MARK0x020000
-A PBR_MARK0x020000 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A PBR_MARK0x020000 -c 0 0 -j RETURN
============================================================
Current ipsets
create pbr_wan_dst_ip_cfg066ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
add pbr_wan_dst_ip_cfg066ff5 165.227.63.200
add pbr_wan_dst_ip_cfg066ff5 206.189.214.49
add pbr_wan_dst_ip_cfg066ff5 159.89.129.146
add pbr_wan_dst_ip_cfg066ff5 142.93.81.166
add pbr_wan_dst_ip_cfg066ff5 159.65.77.153
add pbr_wan_dst_ip_cfg066ff5 159.89.142.52
add pbr_wan_dst_ip_cfg066ff5 138.68.28.244
add pbr_wan_dst_ip_cfg066ff5 104.248.79.120
create pbr_wan_dst_ip_cfg046ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
add pbr_wan_dst_ip_cfg046ff5 52.38.7.23
add pbr_wan_dst_ip_cfg046ff5 142.93.81.166
add pbr_wan_dst_ip_cfg046ff5 65.9.85.36
add pbr_wan_dst_ip_cfg046ff5 138.68.28.244
add pbr_wan_dst_ip_cfg046ff5 65.9.85.77
add pbr_wan_dst_ip_cfg046ff5 65.9.85.51
add pbr_wan_dst_ip_cfg046ff5 104.248.79.120
add pbr_wan_dst_ip_cfg046ff5 65.9.85.19
add pbr_wan_dst_ip_cfg046ff5 65.9.85.27
add pbr_wan_dst_ip_cfg046ff5 65.9.85.24
add pbr_wan_dst_ip_cfg046ff5 65.9.85.20
add pbr_wan_dst_ip_cfg046ff5 65.9.85.60
add pbr_wan_dst_ip_cfg046ff5 65.9.85.75
add pbr_wan_dst_ip_cfg046ff5 65.9.85.104
add pbr_wan_dst_ip_cfg046ff5 159.65.77.153
add pbr_wan_dst_ip_cfg046ff5 65.9.85.116
add pbr_wan_dst_ip_cfg046ff5 65.9.85.59
add pbr_wan_dst_ip_cfg046ff5 206.189.214.49
add pbr_wan_dst_ip_cfg046ff5 65.9.85.41
add pbr_wan_dst_ip_cfg046ff5 159.89.142.52
add pbr_wan_dst_ip_cfg046ff5 65.9.85.65
add pbr_wan_dst_ip_cfg046ff5 65.9.85.3
add pbr_wan_dst_ip_cfg046ff5 65.9.85.49
add pbr_wan_dst_ip_cfg046ff5 65.9.85.112
add pbr_wan_dst_ip_cfg046ff5 65.9.85.64
add pbr_wan_dst_ip_cfg046ff5 65.9.85.38
add pbr_wan_dst_ip_cfg046ff5 35.167.0.110
add pbr_wan_dst_ip_cfg046ff5 159.89.129.146
add pbr_wan_dst_ip_cfg046ff5 54.214.122.194
add pbr_wan_dst_ip_cfg046ff5 65.9.85.40
add pbr_wan_dst_ip_cfg046ff5 44.241.103.184
add pbr_wan_dst_ip_cfg046ff5 165.227.63.200
add pbr_wan_dst_ip_cfg046ff5 65.9.85.121
add pbr_wan_dst_ip_cfg046ff5 65.9.85.4
add pbr_wan_dst_ip_cfg046ff5 54.68.102.112
add pbr_wan_dst_ip_cfg046ff5 65.9.85.125
add pbr_wan_dst_ip_cfg046ff5 65.9.85.30
add pbr_wan_dst_ip_cfg046ff5 35.162.209.77
add pbr_wan_dst_ip_cfg046ff5 65.9.85.56
============================================================
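A small consistency check for dumps like the one above, added here as an example and not part of pbr or of the post: it parses the `IPv4 Table … Rules:` lines and the `-A PBR_OUTPUT` / `-A PBR_PREROUTING` rules, resolves each policy's `PBR_MARK0x…` target to the `ip rule` and routing table that fwmark lands in (using the same mark-and-mask test the kernel applies), and reports whether the mangle rule has matched any packets yet. The sample input is constructed from the lines posted above; `analyze`, `diagnose` and `Finding` are names chosen for this example.

```python
"""Consistency check for a pbr-support dump (added example, not pbr's own code).

It answers three questions a PBR troubleshooter asks first:
  1. which fwmark does each policy set (the PBR_MARK0x... target),
  2. which `ip rule` / routing table does that mark land in, and
  3. has the mangle rule actually matched any packets (the -c counters).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant lines of the /var/pbr-support dump posted above.
SAMPLE = """\
Routes/IP Rules
default         *               0.0.0.0         U     10     0        0 wgclient
default         82-73-92-1.cabl 0.0.0.0         UG    20     0        0 eth0.100

IPv4 Table 201: default via [redacted] dev eth0.100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
IPv4 Table 201 Rules:
30000:  from all fwmark 0x10000/0xff0000 lookup wan

IPv4 Table 202: default via 10.2.0.2 dev wgclient
IPv4 Table 202 Rules:
29999:  from all fwmark 0x20000/0xff0000 lookup wgclient
============================================================
Mangle IP Table: PREROUTING
-N PBR_PREROUTING
-A PBR_PREROUTING -p tcp -m multiport --dports 9200 -m comment --comment Policy_cfg036ff5 -c 27 1358 -g PBR_MARK0x010000
-A PBR_PREROUTING -p udp -m multiport --dports 9200 -m comment --comment Policy_cfg036ff5 -c 0 0 -g PBR_MARK0x010000
============================================================
Mangle IP Table: OUTPUT
-N PBR_OUTPUT
-A PBR_OUTPUT -p udp -m multiport --sports 61820 -m comment --comment Wireguard_Server -c 3 528 -g PBR_MARK0x010000
-A PBR_OUTPUT -p tcp -m multiport --sports 8080 -m comment --comment http -c 0 0 -g PBR_MARK0x010000
"""

# "IPv4 Table 201: default via [redacted] dev eth0.100"
TABLE_RE = re.compile(r"^IPv4 Table (\d+): default via \S+ dev (\S+)")
# "30000:  from all fwmark 0x10000/0xff0000 lookup wan"
RULE_RE = re.compile(r"^\d+:\s+from all fwmark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+) lookup (\S+)")
# "-A PBR_OUTPUT -p udp -m multiport --sports 61820 -m comment --comment X -c 3 528 -g PBR_MARK0x010000"
POLICY_RE = re.compile(
    r"^-A (PBR_\w+) -p (\w+) -m multiport --(sports|dports) (\S+) "
    r"-m comment --comment (\S+) -c (\d+) (\d+) -g PBR_MARK(0x[0-9a-fA-F]+)$"
)


@dataclass
class Finding:
    comment: str            # policy name as it appears in the iptables comment
    chain: str              # PBR_OUTPUT (locally generated) or PBR_PREROUTING (forwarded)
    proto: str
    direction: str          # "sports" or "dports"
    ports: str
    packets: int            # mangle rule hit counter
    mark: int               # fwmark the policy sets
    lookup: Optional[str]   # ip rule target table name, None if no rule matches
    egress: Optional[str]   # default-route device of that table


def analyze(dump: str) -> List[Finding]:
    """Parse the dump and resolve every PBR policy to its ip rule and egress device."""
    tables: Dict[str, Tuple[int, int, str]] = {}   # lookup name -> (mark, mask, dev)
    current_dev: Optional[str] = None
    policies = []
    for line in dump.splitlines():
        line = line.rstrip()
        if m := TABLE_RE.match(line):
            current_dev = m.group(2)   # the "Rules:" block that follows belongs to this table
        elif m := RULE_RE.match(line):
            mark, mask, name = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
            tables[name] = (mark, mask, current_dev or "?")
        elif m := POLICY_RE.match(line):
            policies.append(m.groups())

    findings = []
    for chain, proto, direction, ports, comment, pkts, _bytes, mark_hex in policies:
        mark = int(mark_hex, 16)   # 0x010000 and 0x10000 are the same mark
        lookup = egress = None
        for name, (rmark, rmask, dev) in tables.items():
            if mark & rmask == rmark:   # same test the kernel applies to fwmark/mask rules
                lookup, egress = name, dev
                break
        findings.append(Finding(comment, chain, proto, direction, ports,
                                int(pkts), mark, lookup, egress))
    return findings


def diagnose(findings: List[Finding]) -> Dict[Tuple[str, str], str]:
    """One status line per (policy, proto): wired up and hit, wired up but idle, or dangling."""
    status = {}
    for f in findings:
        if f.lookup is None:
            status[(f.comment, f.proto)] = f"no ip rule matches fwmark {f.mark:#x}"
        elif f.packets == 0:
            status[(f.comment, f.proto)] = (f"no packets matched yet; would be routed via "
                                            f"table {f.lookup} ({f.egress})")
        else:
            status[(f.comment, f.proto)] = (f"{f.packets} packets marked, routed via "
                                            f"table {f.lookup} ({f.egress})")
    return status


if __name__ == "__main__":
    for (name, proto), msg in diagnose(analyze(SAMPLE)).items():
        print(f"{name} ({proto}): {msg}")
```

On this dump every policy resolves to rule 30000, table wan, egress eth0.100, and the Wireguard_Server rule has already matched 3 packets while the http rule has matched none. So the marking and rule chain itself is wired up; what the check does not see is what happens to the locally generated replies after they are marked, which is the part of the setup the maintainer's reply below says is not supported.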

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile:

Other than that, you should change the default gateway from wgclient to eth0.100. Just remove the route_allowed_ips from wg client peer configuration.

In the setup instructions the following code is in the /etc/config/pbr file. Does this not suggest that it is possible to have access to a wgserver while the wireguard tunnel is used as the default route? I could change the setup so that the WAN connection is the default route, but since I would like almost all traffic to go through the wireguard tunnel, it seems more logical to me to use the wireguard tunnel as the default route.

config policy
  option name 'Wireguard Server'
  option interface 'wan'
  option proto 'udp'
  option src_port '61820'
  option chain 'OUTPUT'

It seems more logical, but there is some issue with locally generated traffic not matching the pbr rules properly.

It's been long overdue, but I've updated documentation to state that this case is not supported.


Which case will not be supported, @stangri?

Ohh! Yeah, got the point.
:slightly_frowning_face: So with VPN policy routing I can't route wireguard traffic to a specific WAN.
Are there any possibilities that I could achieve my requirement?

The case where the VPN is a default gateway and you need to route the UDP traffic for any local server, be it wireguard (which is UDP only) or an OpenVPN server configured to use UDP or any other server handling UDP traffic.

And @Dasha is well on the way to untangling a difficult task.

Thank you both for the instruments that make our routers more productive and for the demonstrated fixes that achieve our goals.

Hey @Bill,
Welcome back...
I am trying all the possible ways to make my requirements work. :smiling_face_with_tear:
