Wireguard tunnels

hi folks how are you? i hope well, this time i came back with some trouble with wireguard instances....i have 2 instances, one with protonvpn and the second one used to connect to my home network from outside configured with duckdns, the problem is that when i enable my proton wireguard interface the incoming one does not connect. i assume that this is because the router takes the protonvpn ip, is there a way to force the router to connect to internet through the wan and not the protonvpn wireguard interface? is there a way to configure certain hosts to connect through protonvpn? thanks a lot.


That is expected.
Traffic coming in via the WAN must also go out via the WAN.

The Magic words are PBR (Policy Based Routing)
To route e.g. your WG server's source port back via the WAN.

You can use the full PBR package : https://docs.openwrt.melmac.net/pbr/

But if you really want all traffic via the Proton VPN except for the WG servers return traffic then that might be overkill

You can use a hotplug script see: https://github.com/egc112/OpenWRT-egc-add-on/blob/main/pbr-via-wan/readme.md

Or the very simple alternative solution mentioned.

Normally you create a routing table in /etc/config/network but there is no rule for sport/dport yet :(

actually i run all traffic through the vpn, when i go out and need to connect from outside i disable the vpn and enable the second one. ...basically, as you say, it's impossible to do what i want?

If you do it like that disabling the VPN client and then enabling the server everything should work.

But if you enable the client and server simultaneously you have to use some form of PBR

It should only take one rule: Any UDP with a source interface of wan, source port of the wg server process listen_port, goes by wan so that connections from a remote machine are properly answered. Everything else continues to default to the client tunnel.

thanks for the info! i was reading about pbr, is there a good tutorial to configure it? thanks a lot!

Sure you can read everything about the full PBR package at:

One question about PBR: I want to have one AP and one wifi SSID for the WireGuard vpn. Now the WireGuard client will have two configs, one to connect to the USA, another one for connecting to Japan. I do not want to use both at the same time but i want to change the servers whenever i want to. And i would love to set the WireGuard server on the router on the same access point and want to connect to the WireGuard on the router from the internet. Can the PBR package handle this?

thanks! i'll see if i can find a tutorial to configure it well.

as far as i can see the clients connected to the AP use the protonvpn wireguard connection.

With two (or more) outgoing tunnels I'd use a different approach. Leave both tunnels up all the time but do not set route_allowed_ips on either, so that the default routing table remains via wan. Then use pbr source based rules to route what you want into each tunnel.

With this approach an incoming tunnel will continue to work without special rules, since the default is for the router itself (including the Wireguard server process) to connect directly to the Internet via the local wan.
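As an added illustration of the two suggestions above (it is not config from this thread, the pbr project, or ProtonVPN), here is what the "leave both tunnels up, route by source" layout looks like in UCI, plus the single router-originated rule from the earlier reply for the case where the default route is pushed into a tunnel anyway. Interface names other than `wireguard_usa` and `wan`, the `vpn_lan` subnet, the `10.10.10.x` server subnet and the `51820` listen port are assumptions (51820 is only WireGuard's customary default); keys and endpoints are placeholders. The `chain 'output'` line is how pbr is told to match packets the router itself originates; check it against the pbr README linked above for your installed version.

```uci
# /etc/config/network  (only the stanzas relevant to this thread)

# Outgoing tunnel with a USA exit. route_allowed_ips is kept OFF, so bringing
# this interface up does not replace the router's default route via wan.
config interface 'wireguard_usa'
        option proto 'wireguard'
        option private_key 'REPLACE_WITH_CLIENT_PRIVATE_KEY'
        list addresses '10.2.0.2/32'           # assumed; mirrors the 10.2.0.x address used in the thread
        option route_allowed_ips '0'

config wireguard_wireguard_usa
        option public_key 'REPLACE_WITH_PROVIDER_PEER_PUBLIC_KEY'
        option endpoint_host 'REPLACE_WITH_PROVIDER_ENDPOINT'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'

# Incoming tunnel (the one reached through the DuckDNS name). With the default
# route still via wan, its replies already leave via wan without extra rules.
config interface 'wgserver'
        option proto 'wireguard'
        option private_key 'REPLACE_WITH_SERVER_PRIVATE_KEY'
        option listen_port '51820'             # assumed; WireGuard's default port
        list addresses '10.10.10.1/24'         # constructed server-side subnet

config wireguard_wgserver
        option public_key 'REPLACE_WITH_ROAD_WARRIOR_PUBLIC_KEY'
        list allowed_ips '10.10.10.2/32'       # constructed address of the remote client

# A separate lan for the "VPN" SSID on the access point (set up like a guest lan).
config interface 'vpn_lan'
        option proto 'static'
        option device 'br-vpn'                 # assumed bridge name
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

# /etc/config/pbr

config pbr 'config'
        option enabled '1'

# Source-based policy: everything from the VPN SSID's subnet goes out through
# the USA tunnel. To switch that SSID to a second tunnel, change only
# 'interface' here (e.g. to a 'wireguard_japan' interface defined like the one above).
config policy
        option name 'vpn_lan via USA tunnel'
        option src_addr '192.168.2.0/24'
        option interface 'wireguard_usa'

# The one router-originated rule from the earlier reply. Only needed if you do
# push the default route into a tunnel: UDP packets the router itself sends
# from the WG server's listen port are steered back out via wan, so the remote
# client's handshake is answered from the address it contacted.
config policy
        option name 'WG server replies via wan'
        option chain 'output'
        option proto 'udp'
        option src_port '51820'
        option interface 'wan'
```

After editing both files run `/etc/init.d/network restart` followed by `/etc/init.d/pbr restart`, then confirm the split with `ip rule show` and `ip route show table <n>` for the tables pbr reports in its status output: the main table's default route should still point at wan, and only the 192.168.2.0/24 lookups should land in the table whose default goes via wireguard_usa. A quick functional check is to compare the public address seen from a client on the VPN SSID with one seen from the ordinary lan.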


What clients? Also can you share your config what you made it work?


It's more weird than what it was before, i think you remember i had an issue with the routing that time i didn't need to use the PBR package for it, But i think i do have to use it now but it's just confusing and weird.

# Rule: packets arriving on the wf_wireguard interface are looked up in table 102
config rule
        option in 'wf_wireguard'
        option lookup '102'

# Default route in table 102 via the USA tunnel for sources in 10.2.0.2/24
config route
        option interface 'wireguard_usa'
        option target '0.0.0.0/0'
        option table '102'
        option source '10.2.0.2/24'

# Same default route in table 102 for the single source address 10.2.0.1
config route
        option interface 'wireguard_usa'
        option target '0.0.0.0/0'
        option table '102'
        option source '10.2.0.1'

I have config now like this for that, which is not enough for it. Can't i use the normal routing for what i want without using the PBR package?

thanks for the reply, first i have an access point with two clients that connect to the US vpn, according to your first question. going to the second post, really weird, you can configure certain ips to route through wan or vpn? thanks a lot.

Yes, I can. Right now i have 4 access points, one is disabled tho, But another one has the protonvpn wireguard access with a different wifi ssid, which i connect to and get the vpn access. @mk24 helped me a lot to set things up, and without the PBR package it just works.
But now i want to set up the PBR package for it, because i want to have a wireguard server as well as the client.

I asked before tho.

i'm looking for something like pbr, because protonvpn overrides my home local vpn, when proton is enabled my local vpn goes down. i tried to configure a ssid with protonvpn...but i couldn't find how.

So is PBR working for you now? If so please share the config.

not yet, i can't find a working configuration. by the way how do you make a "wan" connection on an access point? is it to separate one ssid with my protonvpn and another one with the wan.... with vlans? i ask because i have a tplink-tlwa1201 running openwrt too.

I actually have a config for it. Here. I think it is a good guide which you can follow. But again I didn't use the PBR package for this.

The access point is connected to a lan network (not the original lan, but a new one set up like a guest lan). The routing is configured to route from there to a wan-like network: either the local wan (unencrypted Internet) or a VPN tunnel. In order for different lans to route to different wans, source-conditional routing is required with multiple routing tables. The multiple tables can be configured directly as @Linux-DADDY did, or managed more abstractly through the pbr package.