Wireguard split tunneling

I would like to route my Wireguard VPN traffic through the SSID UniFi-VPN and route the traffic from SSID UniFi-WIFI directly over the WAN interface without the Wireguard VPN, but I can't get it to work.

Modem (China Telecom 192.168.1.1) > Edgerouter x (OpenWRT 192.168.2.1) > Unifi nanoHD (On port 2 from my Edgerouter X)

SSID UniFi-WIFI (LAN 192.168.2.0/24)
SSID UniFi-VPN (VLAN20 192.168.3.0/24)

If I connect to the different SSIDs, my IP address changes to an IP from that subnet. My VPN is working now on both subnets.

Now all my internet traffic from both SSIDs is going through the VPN. How do I get the traffic from SSID UniFi-WIFI to bypass the VPN? I tried it with the option in Wireguard "Route Allowed IPs" and then specified the subnet 192.168.3.0/24 or the IP address of my laptop 192.168.3.207, but then all internet traffic seems to stop working. I also tried LuCI Policy Routing and specified routing the traffic from the subnet 192.168.2.0/24 through the WAN interface and the traffic from 192.168.3.0/24 through the Wireguard interface. But then the internet traffic also seems to stop working. What am I doing wrong? Thanks for any help!

[Screenshots: Firewall zones, Interfaces, Route Allowed IPs, Switch vlans, Wireguard Interface - firewall]


https://docs.openwrt.melmac.net/vpn-policy-routing/#wireguard-tunnel
And create a policy for the source subnet that you want to route to the VPN.


So I installed LuCI policy based routing and made a rule? Have you looked at the images in my post?


You can omit the local/remote ports and remote addresses.
The WAN policy is redundant assuming that you have disabled gateway redirection for WG.

It seems to be working now when I omit the local/remote ports and remote addresses.

What do you mean exactly with the WAN policy and disabling gateway redirection for WG?

Thanks a lot!


Assuming that you have disabled the WG peer option "Route Allowed IPs".
Hosts from the 192.168.3.0/24 subnet should be routed to the VPN.
Everything else goes to WAN by default, so the second policy is not necessary.
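The setup described in this answer, written out as UCI config fragments. This is an added illustration, not configuration posted in the thread: the WireGuard interface name `wg0`, the key and endpoint placeholders, and the vpn-policy-routing option names (`src_addr`, `interface`) are assumptions based on the package documentation linked above.

```uci
# /etc/config/network (assumed interface name: wg0)
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<router private key, placeholder>'
	list addresses '<tunnel address, placeholder>'

config wireguard_wg0
	option public_key '<VPN server public key, placeholder>'
	option endpoint_host '<VPN server, placeholder>'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	# "Route Allowed IPs" disabled: no default route through the tunnel,
	# so everything goes to WAN unless a policy says otherwise
	option route_allowed_ips '0'
	list allowed_ips '0.0.0.0/0'

# /etc/config/vpn-policy-routing
config vpn-policy-routing 'config'
	option enabled '1'

# One policy only: the UniFi-VPN subnet (VLAN20) goes through the tunnel.
# No ports or destination addresses, as advised above; no separate WAN
# policy, because 192.168.2.0/24 already reaches the WAN by default.
config policy
	option name 'UniFi-VPN to WireGuard'
	option src_addr '192.168.3.0/24'
	option interface 'wg0'
```

After editing, a quick check is `ip rule` and `ip route show table all`, which should show a rule matching 192.168.3.0/24 pointing at a table whose default route is via wg0 while the main table's default route stays on WAN.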

It's still on, but it seems to be working fine now; I'm afraid to turn it off and make it stop working.
