Wireguard set for specific applications (route issue, solution provided)

I want traffic from specific applications to go through the WireGuard tunnel using an iptables mark and an ip rule, and I found that someone has encountered exactly the same problem.

The problem is: after setting up the iptables and ip rules, the router itself can go through the WireGuard tunnel, but devices on the LAN can't (ping times out, traceroute gets no reply).

I have checked many times that the firewall rules do not block any traffic from/to the LAN. Indeed, it's due to missing rules in the new table.

To solve that problem, create 90-wgroute in /etc/hotplug.d/iface, replace ipip6 with your own table name or ID, and replace wg with your WireGuard interface name.

#!/bin/sh
# Runs on every interface event; only act when the WireGuard interface comes up.
# hotplug.d scripts are sourced by hotplug-call, so never "exit" from here.
if [ "$ACTION" = ifup ] && [ "$INTERFACE" = wg ]; then
	sleep 1
	i=ipip6   # custom routing table name (from /etc/iproute2/rt_tables) or numeric id
	# Copy every "scope link" route of the main table that the custom table lacks,
	# so marked traffic to on-link destinations (the LAN, the router itself) is not sent down the tunnel.
	ip route show | grep 'scope link' | while read -r ROUTE; do
		if ! ip route show table "$i" | grep -qF "$ROUTE"; then
			ip route add $ROUTE table "$i" && logger "Found a missing route in table $i, add it."
		fi
	done
fi

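As an added example that is not part of the original post, here is the whole setup the post relies on in one script: a custom table whose default route is the tunnel, an ip rule that sends marked packets to that table, an iptables mangle rule that sets the mark, and the route-copying step written as a function that only processes text, so it can be checked without touching a live router. The table id 100, the mark 0x64, the interface name wg and the LAN host 192.168.1.50 are assumed values, not taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed values (not from the post):
#   custom table id 100, fwmark 0x64, WireGuard interface "wg",
#   LAN host 192.168.1.50 as the "specific application" whose traffic is tunnelled.
TABLE=100
MARK=0x64
WGIF=wg
LAN_HOST=192.168.1.50

# missing_link_routes MAIN_DUMP TABLE_DUMP
# Prints each "scope link" route that appears in the main-table dump ($1) but
# not in the custom-table dump ($2). Pure text processing: it never calls ip,
# so it can be exercised offline with constructed route listings.
missing_link_routes() {
    main="$1"
    tbl="$2"
    printf '%s\n' "$main" | grep 'scope link' | while IFS= read -r route; do
        printf '%s\n' "$tbl" | grep -qxF -- "$route" || printf '%s\n' "$route"
    done
}

# setup_pbr: apply the full configuration. Needs root and a live router, so it
# only runs when the script is invoked as "./pbr.sh apply".
setup_pbr() {
    # 1. The custom table sends everything it does not know about down the tunnel.
    ip route replace default dev "$WGIF" table "$TABLE"

    # 2. Copy the main table's on-link routes so marked packets to the LAN or to
    #    the router's own addresses stay local. This is the step the post's
    #    hotplug script automates on every ifup of the tunnel.
    missing_link_routes "$(ip route show)" "$(ip route show table "$TABLE")" |
    while IFS= read -r route; do
        # $route is deliberately unquoted: its words must become separate ip arguments
        ip route add $route table "$TABLE"
    done

    # 3. Policy: packets carrying the mark consult the custom table first.
    ip rule show | grep -q "fwmark $MARK lookup $TABLE" ||
        ip rule add fwmark "$MARK" lookup "$TABLE" priority 100

    # 4. Mark the traffic that should use the tunnel (here: one LAN host).
    #    -C checks for an existing rule so re-running does not duplicate it.
    iptables -t mangle -C PREROUTING -s "$LAN_HOST" -j MARK --set-mark "$MARK" 2>/dev/null ||
        iptables -t mangle -A PREROUTING -s "$LAN_HOST" -j MARK --set-mark "$MARK"

    # 5. Tunnel peers only ever see the router's tunnel address.
    iptables -t nat -C POSTROUTING -o "$WGIF" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -o "$WGIF" -j MASQUERADE
}

if [ "$1" = apply ]; then
    setup_pbr
fi
```

Two notes on the design. First, the route copy can be avoided entirely with a second rule that lets marked packets consult the main table but ignores its default route (`ip rule add fwmark 0x64 lookup main suppress_prefixlength 0 priority 99`); this is the approach wg-quick takes, and it needs no hotplug script because the main table is always current. Second, the mangle rule is written for iptables as in the post; on an OpenWrt release that ships fw4 (nftables) the same mark is set with an nft rule instead.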
There's a more canonical method:

  • Assign the VPN interface to a custom routing table.
  • Add a policy to look up the routing table for the matching traffic.
  • Add a firewall rule to mark specific traffic if necessary.

https://openwrt.org/docs/guide-user/network/routing/pbr_netifd
