by
Hi

Nearly got my router doing as I want thanks to lots of help from here.

I now have a router set up with 192.168.0.1-192.168.0.99 (DHCP and VPN), 192.168.0.100-192.168.0.199 (STATIC and VPN) and 192.168.0.200-192.168.0.251 (STATIC and ISP).

It is the latter I cannot get to work. How do I route only 200-251 over the ISP connection and not the established WireGuard?

Thanks

1 Answer

by

Hello,

You'll have to use split-tunnelling. Look at this ticket first, but with the values you have chosen the rules will be a little more complex.

Regards.

by
So just to confirm

I have read the info and changed my IP reservation to match it, but in reverse. Am I correct in saying the example shown has VPN on the high range and ISP on the low range? Is it just a matter of me swapping the numbers?

Are these rules additions to those already in place?

Again thanks for the expert help.
by

Am I correct in saying the example shown has vpn on high range and isp on low range?

The example or the fix? If it is the fix then the high range goes directly through the WAN.

Yes, just swap the numbers in the "config route" section: 192.168.1.0/25 ==> 192.168.1.128/25. Just two choices anyway; if you change your mind just swap the rule.

This rule is an addition.

by

So in an attempt to seek clarification before messing up an already working connection:

Do I just need to:

config rule
       option in 'lan'
       option src '192.168.0.128/25'
       option lookup 'rt'
       option priority '10'

Or do I need all the instructions in https://wiki.teltonika-networks.com/view/OpenVPN_traffic_split
Will it matter that this is an OpenVPN example and I am on WireGuard?


or is it this:


config interface 'vpnas'
       option proto 'none'
       option ifname 'Torguard'

config route
       option interface 'vpnas'
       option target '0.0.0.0'
       option netmask '0.0.0.0'
       option table 'rt'
       option gateway '10.13.128.97'

config rule
       option in 'lan'
       option src '192.168.0.128/25'
       option lookup 'rt'
       option priority '10'
by
You have to set

1 - the route name: echo "5 rt" >> /etc/iproute2/rt_tables

2 - the interface in use: config interface 'Torguard' ....

3 - the route: config route \n\t option interface 'Torguard' ....

4 - and the rule: config rule ....

Regards,
by

1 - the route name: echo "5 rt" >> /etc/iproute2/rt_tables
echo "5 rt" >> /etc/iproute2/rt_tables

2 - the interface in use: config interface 'Torguard' ....

vi /etc/config/network

config interface 'Torguard'
       option proto 'none'
       option ifname 'Torguard'

3 - the route: config route \n\t option interface 'Torguard' ....

config route
       option interface 'Torguard'
       option target '0.0.0.0'
       option netmask '0.0.0.0'
       option table 'rt'
       option gateway '10.13.128.97'

4 - and the rule: config rule ....

config rule
       option in 'lan'
       option src '192.168.0.128/25'
       option lookup 'rt'
       option priority '10'

Is this all I need? I note the tutorial talks of making files executable and OpenVPN file changes; I assume this does not apply.

Sorry for all the questions but I want to get this clear in my mind.

by
This looks correct, I am not aware of other changes required for Wireguard.
by
Not getting this to work:

So followed exactly as above.

All IP Addresses are staying with VPN. I have tested 192.168.0.200 on PC, used ipconfig /flushdns and ipconfig /renew

My file is:

        option sim '1'
        option pdp '1'
        option method 'nat'
        option pdptype 'ip'
        option peerdns '0'
        option dns '1.1.1.1 1.0.0.1'
        option metric '3'
        option delegate '0'
        option auth 'none'

config interface 'mob1s2a1'
        option proto 'wwan'
        option modem '3-1'
        option sim '2'
        option pdp '1'
        option auto '0'
        option metric '4'

config interface 'Torguard'
        option proto 'wireguard'
        option disabled '0'
        option private_key '+='
        option public_key '#+='
        option listen_port '51820'
        list addresses '10.13.128.97/24'

config wireguard_Torguard 'peer'
        option public_key '/='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '149.14.224.66'
        option endpoint_port '1443'
        option persistent_keepalive '25'
        option route_allowed_ips '1'

config route
        option interface 'Torguard'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table 'rt'
        option gateway '10.13.128.97'

config rule
        option in 'lan'
        option src '192.168.0.128/25'
        option lookup 'rt'
        option priority '10'
by
What is the output of "ip route show table rt" ?
by
Nothing.

Entry just brings the command line.
by
Did you restart the network after doing the changes ?
by
Rebooted router.

I have found that if I add

config interface 'Torguard'
       option proto 'none'
       option ifname 'Torguard'

I do not get any VPN, everything goes through ISP WAN

If I remove, all goes through VPN

When it is removed I get

root@Teltonika-RUTX09:~# ifconfig Torguard
Torguard  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.13.128.97  P-t-P:10.13.128.97  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:174967 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59056 errors:0 dropped:8 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:234133724 (223.2 MiB)  TX bytes:7231020 (6.8 MiB)

root@Teltonika-RUTX09:~# ip route show table rt
default via 10.13.128.97 dev Torguard proto static
by
Yes, of course, option proto 'none' makes no sense; it should be 'wireguard'. Damned.

I'll test something similar tomorrow, I am burned.
by
Had another look but can't wait to get this solved.
by
Only the config route and config rule should be relevant. Do you have at least one device in each range usable for testing?
by

Okay, VPN range all okay.

.128 upwards is not connecting.

Tracert with LAN ISP only

  1     2 ms     1 ms     1 ms  Teltonika-RUTX09.com [192.168.0.1]
  2    90 ms    47 ms    47 ms  10.13.0.1
  3    60 ms    71 ms    83 ms  te0-0-1-2.332.agr11.lon13.atlas.cogentco.com [149.14.224.65]
  4   110 ms    60 ms    83 ms  te0-3-0-3.ccr42.lon13.atlas.cogentco.com [154.54.39.21]
  5    44 ms    59 ms    63 ms  be2871.ccr21.lon01.atlas.cogentco.com [154.54.58.186]
  6     *        *        *     Request timed out.
  7  Transmit error: code 1231.

Trace complete.

TRACERT with VPN IP

C:\Users\gboyd>tracert google.com

Tracing route to google.com [216.58.212.206]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  Teltonika-RUTX09.com [192.168.0.1]
  2    46 ms    46 ms    46 ms  10.13.0.1
  3    54 ms    45 ms    49 ms  te0-0-1-2.332.agr11.lon13.atlas.cogentco.com [149.14.224.65]
  4    44 ms    55 ms    46 ms  te0-3-0-3.ccr42.lon13.atlas.cogentco.com [154.54.39.21]
  5    48 ms    46 ms    53 ms  be2871.ccr21.lon01.atlas.cogentco.com [154.54.58.186]
  6    58 ms    40 ms    57 ms  tata.lon01.atlas.cogentco.com [130.117.15.178]
  7    40 ms    48 ms    44 ms  72.14.217.89
  8   211 ms   100 ms   202 ms  209.85.249.149
  9   391 ms   308 ms   213 ms  209.85.252.181
 10   919 ms   100 ms   100 ms  lhr25s27-in-f14.1e100.net [216.58.212.206]

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd94:7dcb:d35d::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '1.1.1.1 1.0.0.1'
        option metric '0'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option auto '0'
        option metric '1'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
        option auto '0'
        option metric '2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0'

config interface 'mob1s1a1'
        option proto 'wwan'
        option modem '3-1'
        option sim '1'
        option pdp '1'
        option method 'nat'
        option pdptype 'ip'
        option peerdns '0'
        option dns '1.1.1.1 1.0.0.1'
        option metric '3'
        option delegate '0'
        option auth 'none'

config interface 'mob1s2a1'
        option proto 'wwan'
        option modem '3-1'
        option sim '2'
        option pdp '1'
        option auto '0'
        option metric '4'

config interface 'Torguard'
        option proto 'wireguard'
        option private_key '+='
        option public_key '+='
        option listen_port '51820'
        list addresses '10.13.128.97/24'
        option disabled '0'

config wireguard_Torguard 'peer'
        option public_key '/='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '149.14.224.66'
        option endpoint_port '1443'
        option persistent_keepalive '25'
        option route_allowed_ips '1'

config route
        option interface 'Torguard'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table 'rt'
        option gateway '10.13.128.97'

config rule
        option in 'lan'
        option src '192.168.0.128/25'
        option lookup 'rt'
        option priority '10'

Might be a silly question, but should a rule priority be added to stop the VPN taking priority?

root@Teltonika-RUTX09:~# ip rule
0:      from all lookup local
10:     from 192.168.0.128/25 iif br-lan lookup rt
32766:  from all lookup main
32767:  from all lookup default
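A small offline check of the state shown in this comment, added here as an example and not part of the thread or of the Teltonika firmware: it reads the text that "ip rule" and "ip route show table <name>" print and reports whether the source range named in the rule is actually sent out a different interface than everything else. The rt table and the ip rule listing are the ones posted above; the two main-table listings are constructed, on the assumption that route_allowed_ips '1' together with allowed_ips 0.0.0.0/0 installs a default route via Torguard in the main table, and 192.0.2.1/eth1 stand in for the real WAN gateway.

```shell
#!/bin/sh
# Added example: offline check of a policy-routing split tunnel using the
# listings that "ip rule" and "ip route show table <name>" print on the router.

# Interface carrying the default route of one table listing. The first
# "default" line wins, which is the order "ip route show" prints them in.
default_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Table that an "ip rule" listing looks up for exactly this "from" prefix.
rule_table() {
    printf '%s\n' "$1" | awk -v src="$2" '$2 == "from" && $3 == src {
        for (i = 1; i < NF; i++) if ($i == "lookup") { print $(i + 1); exit } }'
}

# Returns 0 when the policy table and the main table exit via different
# interfaces, 1 when both exit via the same one (the split then has no effect).
check_split() {
    policy_dev=$(default_dev "$1")
    main_dev=$(default_dev "$2")
    echo "policy table default dev: ${policy_dev:-<none>}"
    echo "main table default dev:   ${main_dev:-<none>}"
    [ -n "$policy_dev" ] && [ -n "$main_dev" ] && [ "$policy_dev" != "$main_dev" ]
}

# Listings as posted in the thread.
IP_RULE='0:      from all lookup local
10:     from 192.168.0.128/25 iif br-lan lookup rt
32766:  from all lookup main
32767:  from all lookup default'
TABLE_RT='default via 10.13.128.97 dev Torguard proto static'

# Constructed main tables (assumption, not router output): the first is what
# route_allowed_ips 1 with allowed_ips 0.0.0.0/0 leaves behind, the second a
# main table whose default route is the ISP WAN (192.0.2.1 is a placeholder).
MAIN_VIA_VPN='default dev Torguard proto static scope link
default via 192.0.2.1 dev eth1 proto static metric 1'
MAIN_VIA_WAN='default via 192.0.2.1 dev eth1 proto static metric 1'

echo "192.168.0.128/25 is looked up in table: $(rule_table "$IP_RULE" 192.168.0.128/25)"
if check_split "$TABLE_RT" "$MAIN_VIA_VPN"; then echo "split OK"; else echo "no split: same exit"; fi
if check_split "$TABLE_RT" "$MAIN_VIA_WAN"; then echo "split OK"; else echo "no split: same exit"; fi
```

Run on the router itself, the two listings would come from "ip route show table rt" and "ip route show table main" instead of the constructed strings.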

by
Be careful not to post keys; please edit your previous comment.

tracert failures may not be significant; network nodes may not propagate UDP packets for obscure reasons.

Redo the test with ping www.yahoo.com or some other well known server.
by
Hi

ALL keys are truncated.

Dnsleaktest is still showing the VPN address when local ip is within the LAN range.