Wireguard tunnel, how to use local internet?

Hi, I set up a wireguard connection using this script:

Everything works, from what I have seen it creates a new interface but not a new firewall zone.
How can I make it so that when I connect remotely to the WireGuard server, the client doesn't use the server's internet connection but takes advantage of that network where the client is?
If I remember correctly, before with OpenVPN I had a dedicated zone in the firewall section that served only the OpenVPN device.
I did some tests but couldn't solve the issue, every time I connect on the internet I am seen cno the server ip.

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7f:0a3b:bd52::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.0.0.1'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan'
        option device 'eth0.2'
        option proto 'pppoe'
        option username '***'
        option password '***'
        option ipv6 'auto'
        option mtu '1492'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'wg_lan'
        option proto 'wireguard'
        option private_key '***'
        option listen_port '56789'
        list addresses '10.8.0.1/24'
        option mtu '1420'

config wireguard_wg_lan
        option public_key '***'
        option preshared_key '***'
        option description '1_lan_PC_1'
        list allowed_ips '10.8.0.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key '***'
        option preshared_key '***'
        option description '2_lan_PC_2'
        list allowed_ips '10.8.0.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key '***'
        option preshared_key '***'
        option description '3_lan_Phone_1'
        list allowed_ips '10.8.0.4/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg_lan'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config rule 'wg'
        option name 'Allow-WireGuard-lan'
        option src 'wan'
        option dest_port '56789'
        option proto 'udp'
        option target 'ACCEPT'

Client configuration

[Interface]
PrivateKey = ***
Address = 10.8.0.2/32
DNS = 10.8.0.1

[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ***:56789
PersistentKeepalive = 25

Any help even in finding the right direction is welcome

J

Change the allowed ips on the remote (“client”) peer to 10.0.0.0/24 and it should only send traffic for that subnet though the tunnel. The rest should be routed to that peer’s local upstream/internet

1 Like

Thank you, @psherman
It was so simple, never thought that I can do that only on the client configuration!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.