WireGuard VPN in and out

Hi guys, how are you? I hope well. I come again with some questions; maybe you could help me. I have an incoming WireGuard VPN connection, which I use to connect to my home network from the outside, and I'm wondering if I could add another, outgoing one with an external provider like Proton, NordVPN etc. If so, I have to create another firewall zone, right? Thanks a lot.

You can just create another instance the same way as the first one, but with a new name, and configure it as you want.


How should I configure the firewall and zone to avoid overlapping with the incoming VPN? Can the priority between the outgoing VPN and the WAN be modified if the outgoing VPN is deactivated?
On the other hand, when I connect from outside to my local network through the incoming VPN, at the time of going out to the Internet, would I come out with the IP of the outgoing VPN connection? Sorry for my English, but thanks a lot!

So you have to create a new zone and a new interface, and add new peers. For example, in /etc/config/network:

# the first interface is wg0, so the second one is wg1:
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'bfidfiofhhoisoishoshoisfohofoissvoijodsoivsosijsoijsoisvj=='
        option listen_port '54321'
        list addresses '10.10.0.1/24'

# peers of the first interface live in wireguard_wg0, so for the second one use wireguard_wg1
config wireguard_wg1
        option public_key 'publickeylalalalalalalalalalalalalalalaal='
        option route_allowed_ips '1'
        list allowed_ips '10.10.0.10/32'
        option persistent_keepalive '25'

And some firewall settings:

config zone
        option name 'wgtwo'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'wg1'

config forwarding
        option src 'wgtwo'
        option dest 'wan'
# add other forwardings as needed, e.g. wgtwo<>lan, wg<>wgtwo etc.

# you have to open this UDP port in the firewall
config rule
        option src 'wan'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '54321'
        option name 'wireguardtwo'

These are only basic settings. Adjust the other settings according to your needs.

Thanks a lot... On 23.05.5 we can upload the config file, right? Masquerading and MSS enabled, right? Thanks again.

config forwarding
        option src 'wgtwo'
        option dest 'wan'

This part is a traffic rule, right?

It's just an example. You can name your zone as you want,
and the forwarding as you want.
Review your first instance's settings in /etc/config/network and /etc/config/firewall.

I don't like LuCI and UCI, so I prefer to edit the config files using vi or nano, or using WinSCP.

I understand, but it's something like what you posted... It gives me an idea of how to configure it. Thanks.

I'm typing directly from my head, so you need to review it. I did something like that a few years ago. You can ask ChatGPT for details.

Simply redirecting all Internet usage to a VPN service will break the VPN-in that you're also running. You will need to set up conditional routing to have both work. But do get the VPN-out working by itself first.

Hey, I have run into the same issue. I have set up my OpenWrt router to connect to a VPN and route my home traffic through it.

Now I want to tunnel into my OpenWrt router on a different interface (WireGuard), with no success.

Any hints?

The solution is simple...

Policy-based routing. You need to create a policy that allows the responses to inbound connections (on your normal WAN) to be routed back through that same interface. By default, the traffic would normally be routed via the other tunnel, so the policy will allow you to specify appropriately.
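Putting the two pieces of advice in this thread together (the second-instance config posted earlier and the policy-based-routing point in this post), here is an added example, not taken from the original thread or from the pbr project, of a router that keeps the existing inbound server wg0 (10.10.10.1/24, listening on UDP 51820) and adds an outbound client to a commercial provider. The interface and zone name wgclient, the provider endpoint vpn.example.net, the tunnel address 10.2.0.2/32, the LAN range 192.168.1.0/24 and the zone name wg for the inbound server are all placeholders; the pbr option names (interface, src_addr, src_port, proto, chain, strict_enforcement) are the OpenWrt pbr package options as I understand them, so check them against the README of the version you install.

```uci
# /etc/config/network  (additions; the inbound wg0 server sections stay as they are)

config interface 'wgclient'
	option proto 'wireguard'
	option private_key '<key issued by the provider>'
	# placeholder: the tunnel address the provider assigns to you
	list addresses '10.2.0.2/32'
	option mtu '1420'

config wireguard_wgclient
	option description 'commercial provider (placeholder endpoint)'
	option public_key '<provider public key>'
	option endpoint_host 'vpn.example.net'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	# Do NOT let netifd install 0.0.0.0/0 via the tunnel in the main table;
	# that default route is what breaks the inbound server. pbr builds its
	# own routing table for wgclient and decides per policy what enters it.
	option route_allowed_ips '0'

# /etc/config/firewall  (additions)

config zone
	option name 'wgclient'
	option network 'wgclient'
	# nothing from the provider side may reach the router or be forwarded in
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wgclient'

# zone of the inbound wg0 server (assumed to be named 'wg' here)
config forwarding
	option src 'wg'
	option dest 'wgclient'

# /etc/config/pbr  (the part that lets the two tunnels coexist)

config pbr 'config'
	option enabled '1'
	# if wgclient is down, traffic bound for it is dropped rather than leaked via wan
	option strict_enforcement '1'

# 1. Handshake and data replies of the inbound server are generated by the
#    router itself (chain output) with UDP source port 51820. Pin them to wan;
#    otherwise the provider's 0.0.0.0/0 table swallows them and the phone's
#    handshake never completes.
config policy
	option name 'wg0 server replies via wan'
	option chain 'output'
	option proto 'udp'
	option src_port '51820'
	option interface 'wan'

# 2. Everything from the LAN leaves through the provider.
config policy
	option name 'lan via provider'
	option src_addr '192.168.1.0/24'
	option interface 'wgclient'

# 3. Road-warrior clients arriving over wg0. With interface 'wgclient' they
#    surf with the provider's IP; change it to 'wan' if they should use the
#    home IP instead (the OP's second question).
config policy
	option name 'wg0 clients'
	option src_addr '10.10.10.0/24'
	option interface 'wgclient'
```

After `service pbr restart`, `service pbr status` lists the routing tables and policies pbr installed, and `wg show wg0` on the router should show a fresh latest handshake when the phone connects. If the handshake still fails, check that the firewall rule accepting UDP 51820 from wan is still present and that policy 1 is the one matching, because a policy for the server subnet alone (10.10.10.0/24) only affects the clients' forwarded traffic, not the router's own UDP replies.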

Okay, thank you - I have tried to do this:

config policy
	option src_addr '10.10.10.1/24'
	option interface 'wan'
	option name 'incoming_wg'

The IP address is the one given to my WireGuard (incoming) interface. However, I do not think this works. What am I doing wrong?

Try 10.10.10.0/24

No luck there. This is the config in /etc/config/network:

config interface 'wg0'
	option proto 'wireguard'
	list addresses '10.10.10.1/24'
	option private_key '***'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	option listen_port '51820'


config wireguard_wg0
	option description 'phone'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '10.10.10.2/32'
	option public_key '***'
	option private_key '***'

I have also tried 10.10.10.2/32, also with no luck...

I will try with a complete reboot later (so far I have tried 'service pbr restart')...

Just to add, it seems obvious though: I want to access other hosts on the network when connected to my WireGuard server at home.

See my notes; you need the WireGuard server setup guide. Check your settings; there is also a paragraph about running a concurrent WireGuard server and client (yes, you need PBR to do that).

Basically, just install the PBR app, but you need at least version 1.1.8-r10.

Sorry, I could not make that much sense out of it. Just install the pbr app and it figures things out by itself?

Anyway, I think I will open a new topic instead and post my configs there. BTW: you have private keys in your PDF on GitHub?

Yes, that is the idea :)

Thanks. I think this is the final push I needed for installing vanilla OpenWrt on my Turris Omnia. So far I have been happy with Turris OS, but it seems that the pbr package in the Turris repo is quite old.