WireGuard split tunnel without PBR package

Continuing the discussion from Set different Upstream for specific source IP: I'm trying to replicate the Policy Based Routing / Split Tunneling setup posted by @Lynx, but I can't get it working yet.

Fresh install of OpenWrt 22.03.0 r19685-512e76967f / LuCI openwrt-22.03 branch git-22.245.77528-487e58a on Belkin RT3200 / Linksys E8450 (UBI).

Via SSH:

cat << EOF >> /etc/iproute2/rt_tables
1 br-lan
2 vpnclient
3 wan
EOF
opkg update
opkg install luci-app-wireguard
reboot

Network -> Interfaces -> Add new interface... -> Name: vpnclient, Protocol: WireGuard VPN -> Create interface -> Load configuration... -> Drag and drop VPN provider config file -> Advanced Settings -> Override IPv4 routing table: vpnclient -> Firewall Settings: Create / Assign firewall-zone: wan -> Save

Interfaces -> LAN -> Edit -> Override IPv4 routing table: br-lan -> Save
Interfaces -> WAN -> Edit -> Override IPv4 routing table: wan -> Save

Save & Apply
Reboot

Network -> Routing -> IPv4 Rules -> Add -> Priority: 14000, Incoming interface: lan, Table: vpnclient -> Save
Save & Apply
Reboot

Now I can't reach the internet anymore. If I instead choose Table: wan (instead of vpnclient) then I can reach the internet (but obviously not through the VPN provider).

If I undo the Override IPv4 routing table settings for each interface, check Route Allowed IPs in the WireGuard peer, Save & Apply and restart the VPNCLIENT interface, then internet connectivity works and I verified it's going through the VPN provider with ipleak.net. But I want to use PBR so I can better decide which IP addresses are supposed to be routed through the VPN.

What am I doing wrong?

Maybe look at output of:

ip route show table vpnclient

And:

ip rule

root@OpenWrt:~# ip rule
0:	from all lookup local 
10000:	from 192.168.1.1 lookup br-lan 
10000:	from 192.168.20.206 lookup wan 
10000:	from 10.169.xx.xx2 lookup vpnclient 
14000:	from all iif br-lan lookup vpnclient 
20000:	from all to 192.168.1.1/24 lookup br-lan 
20000:	from all to 192.168.20.206/24 lookup wan 
20000:	from all to 10.169.xx.xx2 lookup vpnclient 
32766:	from all lookup main 
32767:	from all lookup default 
90007:	from all iif lo lookup wan 
90010:	from all iif lo lookup br-lan 
90011:	from all iif lo lookup vpnclient 
root@OpenWrt:~# ip route show table vpnclient
10.169.xx.xx2 dev vpnclient scope link 
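As an added example (not code from this thread or from OpenWrt), here is a small walker over `ip rule` and `ip route show table` output that does what the kernel does with the rules above: a rule whose table has no route for the destination does not drop the packet, the lookup simply continues with the next rule, so with the WAN default route moved into table `wan` and no default route in `vpnclient`, LAN traffic runs out of rules and becomes unreachable. The sample rules and tables are constructed from the output posted above, with the redacted peer address replaced by the placeholder 10.169.0.2.

```python
import ipaddress

# Constructed sample mirroring the poster's output: vpnclient has only a link-scope peer
# route, and the WAN default route sits in table 'wan' (interface override), not in 'main'.
SAMPLE_RULES = """\
10000:\tfrom 192.168.1.1 lookup br-lan
14000:\tfrom all iif br-lan lookup vpnclient
20000:\tfrom all to 192.168.1.1/24 lookup br-lan
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
SAMPLE_TABLES = {  # table name -> lines of 'ip route show table <name>' (constructed)
    "br-lan": ["192.168.1.0/24 dev br-lan scope link"],
    "wan": ["default via 192.168.20.1 dev wan", "192.168.20.0/24 dev wan scope link"],
    "vpnclient": ["10.169.0.2 dev vpnclient scope link"],  # no default: Route Allowed IPs off
    "main": ["192.168.1.0/24 dev br-lan scope link"],  # WAN default moved to table wan
}

def parse_rules(text):
    """Parse 'ip rule' lines into dicts sorted by priority (selectors from/to/iif/lookup)."""
    rules = []
    for line in text.splitlines():
        pri, _, rest = line.partition(":")
        rule = {"pri": int(pri), "from": "all", "to": "all", "iif": None, "lookup": None}
        toks = rest.split()
        rule.update(zip(toks[::2], toks[1::2]))  # "from X", "iif Y", "lookup T", ...
        rules.append(rule)
    return sorted(rules, key=lambda r: r["pri"])

def covers(spec, addr):
    """True for selector 'all' or when a prefix such as 192.168.1.1/24 contains addr."""
    return spec == "all" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def lookup(table, dst):
    """Longest-prefix match within one table ('default' is 0.0.0.0/0); None if no route fits."""
    best = None
    for route in table:
        prefix = route.split()[0]
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix, strict=False)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None

def resolve(rules_text, tables, src, iif, dst):
    """Return the (table, route) a packet takes. A table with no matching route does not
    stop the walk; the kernel continues with the next rule until every rule is exhausted."""
    for rule in parse_rules(rules_text):
        if rule["iif"] not in (None, iif) or not covers(rule["from"], src) or not covers(rule["to"], dst):
            continue
        route = lookup(tables.get(rule["lookup"], []), dst)
        if route:
            return rule["lookup"], route
    return None, "unreachable"
```

On the router, feed `resolve()` the text of `ip rule` and a dict built from `ip route show table <name>` for each table the rules name; adding `default dev vpnclient scope link` to the vpnclient table (what Route Allowed IPs produces) or pointing the 14000 rule at `wan` both make 8.8.8.8 resolve.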

Here's how I do it personally:

1- Create a firewall zone for wireguard and forward all your lan traffic to it.
/etc/config/firewall

...
config zone
        option name 'wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wireguard_interface'

config forwarding
        option src 'lan'
        option dest 'wg'
...

You can check the Mullvad tutorial on how to set up WireGuard on OpenWrt.

2- Add a routing table (novpn) to /etc/iproute2/rt_tables and assign it to a static route through the wan interface
/etc/iproute2/rt_tables

#
# reserved values
#
128     prelocal
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
10      novpn

/etc/config/network

...
config route
        option interface 'wan'
        option target '0.0.0.0/0'
        option table 'novpn'
...

3- Add the routing rules you desire to bypass the main routing table and look up the novpn table
/etc/config/network

...
config rule
        option in 'loopback'
        option lookup 'novpn'
        option uidrange '123-123'
...

For more rules check the wiki.
Now by default traffic goes through WireGuard except for the rules you define in /etc/config/network.

Hmm, I have:

root@OpenWrt:~# ip route show table vpn
default dev vpn scope link
xx.xx.xx.xx dev vpn scope link

Also, from memory I think I needed IPv6 in allowed IPs for some reason:


Thanks for replying! When I follow the mullvad tutorial, all my traffic goes through the WireGuard VPN. So far so good!

But when I follow your next suggestions, I'm unable to bypass the VPN. In /etc/config/network I have:

config route
        option interface 'wan'
        option target '0.0.0.0/0'
        option table 'novpn'

config rule
        option lookup 'novpn'
        option in 'lan'
        option src '192.168.1.201/32'

192.168.1.201 is the IP address of my laptop, which I'm trying to have bypass the VPN (for testing purposes). But with this rule enabled I can no longer access the internet...

Any idea why?

root@OpenWrt:~# ip rule
0:	from all lookup local 
1:	from 192.168.1.201 iif br-lan lookup novpn 
32766:	from all lookup main 
32767:	from all lookup default 
root@OpenWrt:~# ip route show table novpn
default dev wan scope link 

Should Route Allowed IPs in the Peer settings be checked or unchecked if I follow your method?

I believe so, and I also have Use default gateway ticked.

When I check Route Allowed IPs in the peer settings and follow the method by @Lynx again:

root@OpenWrt:~# ip rule
0:	from all lookup local 
10000:	from 192.168.1.1 lookup lan 
10000:	from 192.168.20.206 lookup wan 
10000:	from 10.169.xx.xx2 lookup vpn_client 
14000:	from 192.168.1.201/24 iif br-lan lookup wan 
15000:	from all iif br-lan lookup vpn_client 
20000:	from all to 192.168.1.1/24 lookup lan 
20000:	from all to 192.168.20.206/24 lookup wan 
20000:	from all to 10.169.xx.xx2 lookup vpn_client 
32766:	from all lookup main 
32767:	from all lookup default 
40000:	from all iif br-lan lookup wan 
90007:	from all iif lo lookup wan 
90010:	from all iif lo lookup lan 
90011:	from all iif lo lookup vpn_client 
root@OpenWrt:~# ip route show table vpn_client
default dev vpn_client scope link 
10.169.xx.xx2 dev vpn_client scope link 

When I try to bypass the VPN for a specific source IP address, it can't reach the internet any more...

Disabling the first rule in this screenshot will fix internet connectivity (but the VPN is not bypassed).

'ip route show table wan'?

ip route show table wan
default via 192.168.20.1 dev wan  src 192.168.20.206 
192.168.20.0/24 dev wan scope link 

I don't know why this is not working for you now. @trendy any ideas?

I think you should add a firewall rule to allow traffic from that IP to wan since all lan traffic is forwarded by default to wg zone.

In /etc/config/firewall:

config rule
        option name 'test'
        list proto 'all'
        option src 'lan'
        list src_ip '192.168.1.201'
        option dest 'wan'
        option target 'ACCEPT'

I started from scratch, following the mullvad tutorial to setup the WireGuard VPN. Then I ran pbr setup from the PBR with netifd wiki page. I think this method is very close to the one Lynx described.

Still didn't work for me. But with your test firewall rule, I can now bypass the VPN for this LAN ip address!

However I don't want to add a firewall rule for each PBR exemption I setup...

Do you have a suggestion for a better firewall setup?

Edit: the firewall rule also works with the manual method I tried in my initial post.

You don't have to add a separate rule for every IP.
You can list multiple IPs in the same rule:

config rule
        option name 'test'
        list proto 'all'
        option src 'lan'
        list src_ip '192.168.1.201'
        list src_ip '192.168.1.212'
        list src_ip '192.168.1.251'
        option dest 'wan'
        option target 'ACCEPT'

And I think you can even use CIDR notation to specify a range of IPs.

Thanks a lot! Glad I now know the issue was caused by my firewall config. Instead of adding an ACCEPT rule for certain IPs/ranges, any reason why I wouldn't just do:

?

Yes, that would also work. Just be mindful that if the WireGuard interface stops working, all your traffic will go through wan. And take a look here, though I don't know if it's still necessary.


I just put vpn in wan zone.

I'm now trying your suggested method to route all traffic from a single interface (VLAN) through wan (bypassing the VPN). I confirmed this VLAN worked before setting up the VPN, but with the VPN and PBR rules it's not working for me yet.

config route
        option interface 'wan'
        option target '0.0.0.0/0'
        option table 'novpn'

config rule
        option lookup 'novpn'
        option in 'novpn'

The VPN setup works. Traffic from LAN goes through the VPN provider. Ping from the novpn VLAN is not working. Traceroute to 8.8.8.8 shows the IP address of the OpenWrt router, then my ISP router, then stops.

ip rule
0:	from all lookup local 
1:	from all iif br-lan.10 lookup novpn 
32766:	from all lookup main 
32767:	from all lookup default 
ip route show table novpn
default dev wan scope link 

Did I miss something?

Just out of curiosity, since the PBR setup from the PBR with netifd wiki page is working well for me.
