Need help understanding client routing:
I have successfully set up an s2s WireGuard connection between two OpenWrt routers. I used the automated script from here.
Now I have the following setup:
Router A - ip: 192.168.31.1, subnet: 192.168.31.0/24, interface: wg_s2s_usa, wg peer Allowed IPs: 192.168.8.0/24, Route Allowed IPs: enabled
Router B - ip: 192.168.8.1, subnet: 192.168.8.0/24, interface: wg_s2s_mar, wg peer Allowed IPs: 192.168.31.0/24, Route Allowed IPs: enabled
The wg_s2s_* interfaces are assigned to the lan zone.
The wg s2s itself is working, clients A can ping/ssh router/clients B and vice-versa. Currently clients A have internet access through WAN with ISP A. Clients B - ISP B.
What I'd want to achieve next is:
1. (for testing) route all clients A through B to get them under ISP B (aka regular vpn).
2. route particular clients from A through B, let's say based on their LAN ip or MAC
Currently, no matter what I do, it only breaks something. Tried to change "Allowed IPs" to 0.0.0.0/0 - it breaks the internet connection and I can't ping the other router/clients anymore. Also tried disabling "Route Allowed IPs" and configuring PBR to use wg_s2s_*, but also no luck. I think I'm missing something, but I'm new to this and don't know which way to look. Should I even consider PBR for use case (2)? Please help.
assign server IP addresses in wg_s2s_* interfaces:
A: 192.168.31.1/16
B: 192.168.8.1/16
Change allowed IPs for peers on both routers to: 0.0.0.0/0
Uncheck Route Allowed IPs
Add extra routing rules (example values for router A):
create a new table in: /etc/iproute2/rt_tables, add a new line: 200 vpn_mar
add a rule for this table: ip route replace default via 192.168.8.1 table vpn_mar
to route a single client: ip rule add from 192.168.31.105 table vpn_mar
to remove: ip rule del from 192.168.31.105 table vpn_mar
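The rt_tables + ip rule procedure from the answer, as an added example script that is not from this thread: it applies the steps idempotently and adds a check that a client's Internet-bound traffic really resolves to the tunnel. Values are router A's (table 200 vpn_mar, next hop 192.168.8.1 = router B); the rt_tables path and the DRY_RUN switch are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent version of the answer's
# rt_tables + ip rule steps, plus a check step. Router A values; the
# rt_tables path and DRY_RUN switch are this script's own assumptions.
# Prerequisites as in the answer: peer AllowedIPs 0.0.0.0/0 and
# "Route Allowed IPs" unchecked, so the tunnel default route lives only
# in the vpn_mar table and never in the main table.

TABLE_ID=200
TABLE_NAME=vpn_mar
PEER_GW=192.168.8.1                 # router B, reachable over wg_s2s_usa
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
DRY_RUN=${DRY_RUN:-0}               # DRY_RUN=1 prints ip commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Append "200 vpn_mar" to rt_tables only when that exact entry is missing.
ensure_rt_table() {
    grep -qE "^$TABLE_ID[[:space:]]+$TABLE_NAME\$" "$RT_TABLES" 2>/dev/null && return 0
    echo "$TABLE_ID $TABLE_NAME" >> "$RT_TABLES"
}

# Default route of the vpn table points at router B; "replace" is idempotent.
ensure_default_route() {
    run ip route replace default via "$PEER_GW" table "$TABLE_NAME"
}

# Send one LAN client through the vpn table (skip if the rule already exists).
# Matching on the source IP assumes a static DHCP lease: a client that
# changes address silently falls back to ISP A.
add_client() {
    ip rule show 2>/dev/null | grep -q "from $1 lookup $TABLE_NAME" && return 0
    run ip rule add from "$1" table "$TABLE_NAME"
}

del_client() { run ip rule del from "$1" table "$TABLE_NAME"; }

# Leak check: the kernel's chosen path for this client towards a public
# address should name the wg_s2s_* interface and table vpn_mar, not the WAN.
check_client() { ip route get 1.1.1.1 from "$1" iif br-lan; }

case "${1:-}" in
    apply)  ensure_rt_table; ensure_default_route
            shift; for c in "$@"; do add_client "$c"; done ;;
    remove) shift; for c in "$@"; do del_client "$c"; done ;;
    check)  check_client "$2" ;;
esac
```

Usage on router A: `sh pbr.sh apply 192.168.31.105` then `sh pbr.sh check 192.168.31.105`; run with `DRY_RUN=1` first to see the commands without touching the routing state.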
Note:
Instead of modifying the second real router in a different country, I was experimenting with a travel router I have at home: GL.iNet GL-X750.
For some reason I have to leave Route Allowed IPs in its WG peers configuration enabled. And on my main router I need to uncheck it - it doesn't work the other way. I guess it might be because GL-X750 is using an older OpenWrt version - 19.07, whereas my main router is on 23.05. Also GL-X750 comes with lots of predefined configs out of the box, so it also might be a conflict somewhere.
Also, I was able to achieve the same result by marking the traffic with nftables:
ip rule add fwmark 0x1 table vpn_mar
nft add table inet classify
nft add set inet classify vpn_mar_set { type ipv4_addr \;}
nft add chain inet classify mangle_prerouting "{ type filter hook prerouting priority mangle; policy accept; }"
nft add rule inet classify mangle_prerouting ip saddr @vpn_mar_set counter ct mark set 1
nft add rule inet classify mangle_prerouting ip saddr @vpn_mar_set counter meta mark set ct mark
# nft add element inet classify vpn_mar_set {192.168.31.105}
# nft delete element inet classify vpn_mar_set {192.168.31.105}
I'm also using nftables for another thing - to mark clients for a public wg vpn I'm running together with my s2s. Basically I'm using another mark to route packets to it, and also re-using a set to re-route :53 DNS requests to the vpn provider's server to avoid leaks. So I just find it handy to use both sets in a single separate classify table.