Wireguard setup for only 1 network

I am trying to setup wireguard for only 1 network.

So my /etc/config/network looks like this:

# lan1 routes normally to wan
config interface 'lan1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.30.1'
        option device 'br-lan1'

# lan2 should route everything to wireguard interface
config interface 'lan2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.40.1'
        option device 'br-lan2'

# wireguard setup
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'XXX'
        list addresses '192.168.50.1/24'

config wireguard_wg0
        option description 'wireguard peer config'
        option public_key 'XXX'
        option endpoint_host 'XXX'
        option endpoint_port 'XXX'

If I were to add the following config:

        option allowed_ips '0.0.0.0/0' 
        option route_allowed_ips '1'

then I believe all traffic from any network would route to the wireguard interface wg0. This is not what I want.

I want only to route all traffic from lan2 to the interface wg0 instead of the wan. How can I do that?

Is PBR the only solution?

PBR is indeed a solution: https://docs.openwrt.melmac.net/pbr/

Alternatively you can set it up manually, e.g.:
https://openwrt.org/docs/guide-user/network/routing/pbr_netifd
or with a script e.g.:


Ok, thanks for confirming.

I want to install it manually. I've tried to add the route in a few different ways, but I've failed to achieve the desired effect.

I've tried things like:

config route
        option interface 'lan2'
        # target: the WireGuard local interface IP
        option target '192.168.50.1'
        option netmask '255.255.255.0'
        # gateway: IP of the WireGuard remote server
        option gateway 'XXX'

but this failed.

Would you be able to point me to the right direction?

The way I would do it is:

Create a routing table with a default route via the VPN:
LuCI: Interfaces > VPN interface > Advanced settings: Override IPv4 routing table and add custom table 100.
You will now have a routing table 100 with a default route via the VPN.

Create a rule to let the interface/IP addresses use table 100; below are some examples:
LuCI: Routing > IPv4 Rules:

Guest wifi
Incoming interface: guestwifi
Table: 100

/etc/config/network
config rule
	option in 'guestwifi'
	option lookup '100'

Client IP
Source: 192.168.2.15/32
Table: 100

config rule
	option src '192.168.2.15/32'
	option lookup '100'

Thanks, I'll try that.

Why do we need table 100?

Can I simply add the following rule:

config rule
	option in 'lan2'
	option out 'wg0'

Alternatively, could I simply add the following config to the firewall? Will the firewall then actively forward the packets?

# /etc/config/firewall
config forwarding
    option src 'lan2'
    option dest 'wg0'

No, rules determine which route to use, they don't route directly. Routes are in tables. Adding table 100 (the number isn't particularly important) allows you to have a different default route that you can use a rule to send traffic through.

Not if you want it to work...


You need a table with a default route via the VPN, I arbitrarily call that table 100.

The firewall does not actively forward routes; it only blocks/allows traffic.


Thanks again for all the clear explanation.

When I add the IPv4 table 100 with option ip4table '100', it creates the following additional rules:

$ ip rule
0: from all lookup local
10000: from 192.168.50.1 lookup 100
20000: from all to 192.168.50.1 lookup 100
32766: from all lookup main
32767: from all lookup default
91538: from all iif lo lookup 100

The first two rules seem great, exactly what I need.

However, the last rule seems quite wrong. I do not want all loopback traffic to go to the VPN.

I'm pretty sure this rule is never actually applied, but why would it even be added?

Also, table 100 looks like this:

$ ip route show table 100
192.168.50.1 dev wg0 scope link

I expected it to contain a default route that directs all unspecified IPs to wg0.
As it is now, I am not sure that, say, 192.168.50.2 will be redirected to the wg0 VPN interface?

Should I add something like:

config route
    option interface 'wg0'
    option target '0.0.0.0'
    option netmask '0.0.0.0'
    option gateway 'Wireguard-server-ip'
    option table '100'

to /etc/config/network ?

The lo stands for loopback, a virtual network interface for local usage; it is there for completeness, but you will likely not use it anyway.

Please leave "Route allowed IPs" and "Use default gateway" enabled; the "Override IPv4 routing table" setting will already take care of disabling default routing in the main routing table.

Restart the network service: service network restart and there should be a default gateway in table 100.

Do not forget the rule to assign a client on your network to use table 100 e.g.:

config rule
	option src '192.168.2.15/32'
	option lookup '100'
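As an added example for this thread (written here, not code from any of the posters or from the OpenWrt project), the following POSIX shell script does two things the answers above describe: it applies the "table 100" setup with uci (ip4table on the VPN interface plus a rule sending lan2's source subnet to that table), and it verifies the result from the output of `ip rule` and `ip route show table 100`, so you can tell the difference between the incomplete table quoted above (only the wg0 address, no default route) and a working one. Assumptions: lan2 is 192.168.40.0/24 (taken from the first post's config), the VPN interface is wg0, and 100 is the arbitrary table number used in the thread; the uci and service commands exist only on the router, so the apply step simply returns 1 elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread's posters or from OpenWrt): apply and verify
# policy-based routing of lan2 through wg0 via routing table 100.
# Assumptions: lan2 = 192.168.40.0/24, VPN interface = wg0, table = 100.

LAN2_NET="192.168.40.0/24"
VPN_IF="wg0"
TABLE="100"

# (1) Configure with uci: giving wg0 its own ip4table makes netifd install the VPN
# default route in table 100; the rule then sends lan2's source subnet to that table.
# Only meaningful on an OpenWrt box; returns 1 when uci is not available.
apply_pbr() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found, nothing applied" >&2; return 1; }
    uci set network."$VPN_IF".ip4table="$TABLE"
    uci add network rule >/dev/null
    uci set network.@rule[-1].src="$LAN2_NET"
    uci set network.@rule[-1].lookup="$TABLE"
    uci commit network
    service network restart
}

# (2a) $1 = output of `ip rule`. Succeeds only if a rule sends LAN2_NET to TABLE.
# The 10000/20000 rules netifd adds for the wg0 address itself do not count:
# they cover only the tunnel address, not the lan2 clients.
rule_selects_table() {
    printf '%s\n' "$1" | grep -q -- "from ${LAN2_NET} lookup ${TABLE}"
}

# (2b) $1 = output of `ip route show table 100`. Succeeds only if the table holds a
# default route out of the VPN interface. A table containing just
# "192.168.50.1 dev wg0 scope link" matches nothing else, so the kernel falls
# through to the next rule (main table) and the traffic leaves via the WAN.
table_has_vpn_default() {
    printf '%s\n' "$1" | grep -q -- "^default .*dev ${VPN_IF}"
}

# Live check on the router: both conditions must hold.
check_live() {
    rule_selects_table "$(ip rule)" \
        && table_has_vpn_default "$(ip route show table "$TABLE")"
}

case "${1:-}" in
    --apply) apply_pbr ;;
    --check) check_live && echo "lan2 ($LAN2_NET) is routed via $VPN_IF using table $TABLE" ;;
esac
```

Run it on the router as `sh pbr.sh --apply` and then `sh pbr.sh --check`; the check only reports success once both the lan2 rule and the default route in table 100 are present, which is exactly the state the last answer describes after the network restart.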

Fantastic, it's all working now!

Thanks a lot for your help. It all seems straightforward once it's under your eyes. :smile:

