Now I can't reach the internet anymore. If I instead choose Table: wan (instead of vpnclient), then I can reach the internet (but obviously not through the VPN provider).
If I undo the Override IPv4 routing table settings for each interface, check Route Allowed IPs in the WireGuard peer, Save & Apply, and restart the VPNCLIENT interface, then internet connectivity works, and I verified it's going through the VPN provider with ipleak.net. But I want to use PBR so I can better decide which IP addresses are supposed to be routed through the VPN.
root@OpenWrt:~# ip rule
0: from all lookup local
10000: from 192.168.1.1 lookup br-lan
10000: from 192.168.20.206 lookup wan
10000: from 10.169.xx.xx2 lookup vpnclient
14000: from all iif br-lan lookup vpnclient
20000: from all to 192.168.1.1/24 lookup br-lan
20000: from all to 192.168.20.206/24 lookup wan
20000: from all to 10.169.xx.xx2 lookup vpnclient
32766: from all lookup main
32767: from all lookup default
90007: from all iif lo lookup wan
90010: from all iif lo lookup br-lan
90011: from all iif lo lookup vpnclient
root@OpenWrt:~# ip route show table vpnclient
10.169.xx.xx2 dev vpnclient scope link
192.168.1.201 is the IP address of my laptop, for which I'm trying to bypass the VPN (for testing purposes). But with this rule enabled I can no longer access the internet...
Any idea why?
root@OpenWrt:~# ip rule
0: from all lookup local
1: from 192.168.1.201 iif br-lan lookup novpn
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~# ip route show table novpn
default dev wan scope link
When I check Route Allowed IPs in the peer settings and follow the method by @Lynx again:
root@OpenWrt:~# ip rule
0: from all lookup local
10000: from 192.168.1.1 lookup lan
10000: from 192.168.20.206 lookup wan
10000: from 10.169.xx.xx2 lookup vpn_client
14000: from 192.168.1.201/24 iif br-lan lookup wan
15000: from all iif br-lan lookup vpn_client
20000: from all to 192.168.1.1/24 lookup lan
20000: from all to 192.168.20.206/24 lookup wan
20000: from all to 10.169.xx.xx2 lookup vpn_client
32766: from all lookup main
32767: from all lookup default
40000: from all iif br-lan lookup wan
90007: from all iif lo lookup wan
90010: from all iif lo lookup lan
90011: from all iif lo lookup vpn_client
root@OpenWrt:~# ip route show table vpn_client
default dev vpn_client scope link
10.169.xx.xx2 dev vpn_client scope link
When I try to bypass the VPN for a specific source IP address, it can't reach the internet anymore...
Disabling the first rule in this screenshot will fix internet connectivity (but the VPN is not bypassed).
I started from scratch, following the Mullvad tutorial to set up the WireGuard VPN. Then I ran pbr setup from the PBR with netifd wiki page. I think this method is very close to the one Lynx described.
Still didn't work for me. But with your test firewall rule, I can now bypass the VPN for this LAN IP address!
However, I don't want to add a firewall rule for each PBR exemption I set up...
Do you have a suggestion for a better firewall setup?
Edit: the firewall rule also works with the manual method I tried in my initial post.
You don't have to add a separate rule for every IP.
You can list multiple IPs in the same rule:
# /etc/config/firewall
config rule
	option name 'test'
	list proto 'all'
	option src 'lan'
	list src_ip '192.168.1.201'
	list src_ip '192.168.1.212'
	list src_ip '192.168.1.251'
	option dest 'wan'
	option target 'ACCEPT'
And I think (?) you can even use CIDR notation to specify a range of IPs.
Thanks a lot! Glad I now know the issue was caused by my firewall config. Instead of adding an ACCEPT rule for certain IPs/ranges, any reason why I wouldn't just do:
Yes, that would work also. Just be mindful that if the WireGuard interface stops working, all your traffic will go through wan. And take a look here, though I don't know if it's still necessary.
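The `ip rule` listings posted earlier in this thread can be worked through by hand, but the matching order is easy to get wrong, so here is a small simulator of the kernel's routing policy database (RPDB). It is an added example and not code from the thread, from OpenWrt or from iproute2. Its input is constructed: the rule text is modelled on the vpn_client rule set posted above, with 10.169.0.2 standing in for the redacted peer address and the `lookup local` and `iif lo` rules left out, and the contents of the main and wan tables are assumed, since the thread never shows them. Two kernel behaviours it reproduces are worth knowing when reading those listings: a `from` prefix is stored as a network, so `from 192.168.1.201/24` is the same rule as `from 192.168.1.0/24`, and when the selected table has no route for the destination the lookup simply continues with the next rule. The last two scenarios illustrate the warning in the reply above: once the tunnel's default route is gone, LAN traffic falls through to main and leaves via wan, unless the table also carries an `unreachable default` (a general RPDB technique, not something the thread itself proposes).

```python
"""Toy simulator of the Linux routing policy database (RPDB): which `ip rule` matches a
packet, which table it selects, and whether the lookup falls through to the next rule.
Added example for this thread; not code from the thread, from OpenWrt or from iproute2."""
import ipaddress
import re

# Constructed sample modelled on the vpn_client rule set posted in the thread. 10.169.0.2
# stands in for the redacted peer address; 'lookup local' and 'iif lo' rules are omitted.
RULES_TEXT = """\
10000: from 192.168.1.1 lookup lan
10000: from 192.168.20.206 lookup wan
10000: from 10.169.0.2 lookup vpn_client
14000: from 192.168.1.201/24 iif br-lan lookup wan
15000: from all iif br-lan lookup vpn_client
20000: from all to 192.168.1.1/24 lookup lan
20000: from all to 192.168.20.206/24 lookup wan
20000: from all to 10.169.0.2 lookup vpn_client
32766: from all lookup main
32767: from all lookup default
"""
RULES_NO_BYPASS = "\n".join(line for line in RULES_TEXT.splitlines() if not line.startswith("14000"))
# Assumed table contents: the thread shows vpn_client, but never main or wan.
TABLES_TEXT = {
    "lan": "192.168.1.0/24 dev br-lan scope link",
    "wan": "default via 192.168.20.1 dev wan\n192.168.20.0/24 dev wan scope link",
    "vpn_client": "default dev vpn_client scope link\n10.169.0.2 dev vpn_client scope link",
    "main": "default via 192.168.20.1 dev wan\n192.168.1.0/24 dev br-lan scope link",
}
TUNNEL_DOWN = dict(TABLES_TEXT, vpn_client="10.169.0.2 dev vpn_client scope link")  # default route gone
# Same outage plus an 'unreachable default' (in a real table it carries a higher metric; not modelled).
KILL_SWITCH = dict(TABLES_TEXT, vpn_client="unreachable default\n10.169.0.2 dev vpn_client scope link")

def parse_rules(text):
    """Parse `ip rule` output into dicts sorted by priority (lowest first)."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"(\d+):\s+(.*)", line.strip())
        if not m:
            continue
        rule = {"prio": int(m.group(1)), "from": None, "to": None, "iif": None, "table": None}
        tokens = m.group(2).split()
        for key, val in zip(tokens[::2], tokens[1::2]):
            if key in ("from", "to"):  # stored as a network: 192.168.1.201/24 is 192.168.1.0/24
                rule[key] = None if val == "all" else ipaddress.ip_network(val, strict=False)
            elif key in ("iif", "lookup"):
                rule["table" if key == "lookup" else "iif"] = val
        rules.append(rule)
    return sorted(rules, key=lambda r: r["prio"])  # stable sort keeps equal priorities in order

def parse_table(text):
    """Parse `ip route show table X` output into (kind, prefix, via, dev) dicts."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        kind = "unicast"
        if tokens[0] in ("unreachable", "throw", "blackhole", "prohibit"):
            kind, tokens = tokens[0], tokens[1:]
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        route = {"kind": kind, "prefix": ipaddress.ip_network(prefix, strict=False), "via": None, "dev": None}
        for key, val in zip(tokens[1::2], tokens[2::2]):
            if key in ("via", "dev"):
                route[key] = val
        routes.append(route)
    return routes

def lookup_table(routes, dst):
    """Longest-prefix match within one table; None when the table has no route for dst."""
    return max((r for r in routes if dst in r["prefix"]), key=lambda r: r["prefix"].prefixlen, default=None)

def route_packet(rules, tables, src, dst, iif=None):
    """Walk the RPDB like the kernel: the first matching rule whose table yields a route wins; a
    table with no route (or a 'throw' route) passes the lookup on to the next rule.
    Returns (rule priority, table, egress device or route kind, gateway) or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["from"] is not None and src not in rule["from"]:
            continue
        if rule["to"] is not None and dst not in rule["to"]:
            continue
        if rule["iif"] is not None and rule["iif"] != iif:
            continue
        route = lookup_table(tables.get(rule["table"], []), dst)
        if route is None or route["kind"] == "throw":
            continue
        if route["kind"] != "unicast":
            return (rule["prio"], rule["table"], route["kind"], None)
        return (rule["prio"], rule["table"], route["dev"], route["via"])
    return None

def simulate(rules_text, tables_text, src, dst="8.8.8.8", iif="br-lan"):
    tables = {name: parse_table(txt) for name, txt in tables_text.items()}
    return route_packet(parse_rules(rules_text), tables, src, dst, iif)

if __name__ == "__main__":
    for name, rules, tables, src in (("bypass rule, .201", RULES_TEXT, TABLES_TEXT, "192.168.1.201"),
            ("bypass rule, .50 (same /24)", RULES_TEXT, TABLES_TEXT, "192.168.1.50"),
            ("no bypass rule", RULES_NO_BYPASS, TABLES_TEXT, "192.168.1.50"),
            ("tunnel down", RULES_NO_BYPASS, TUNNEL_DOWN, "192.168.1.50"),
            ("tunnel down + unreachable default", RULES_NO_BYPASS, KILL_SWITCH, "192.168.1.50")):
        print(f"{name}: {simulate(rules, tables, src)}")
```

On the router itself the same question is answered by `ip route get 8.8.8.8 from 192.168.1.201 iif br-lan`, which prints the route the kernel actually selects for that source and input interface. The routing decision is only half of the picture, though: as the thread found, traffic that PBR steers to the wan table still has to be allowed by the firewall's lan-to-wan forwarding.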
I'm now trying your suggested method to route all traffic from a single interface (VLAN) through wan (bypassing the VPN). I confirmed this VLAN worked before setting up the VPN. But with the VPN and PBR rules it's not yet working for me.
The VPN setup works. Traffic from LAN goes through the VPN provider. Ping from the novpn VLAN is not working. Traceroute to 8.8.8.8 shows the IP address of the OpenWrt router, then my ISP router, then stops.
ip rule
0: from all lookup local
1: from all iif br-lan.10 lookup novpn
32766: from all lookup main
32767: from all lookup default
ip route show table novpn
default dev wan scope link
Did I miss something?
Just out of curiosity, since the PBR setup from the PBR with netifd wiki page is working well for me.