I have set up 2 x WireGuard VPNs and would like to route all traffic from VLAN 10 (192.168.10.1/24) to WireGuard config 1 (77.87.x.x) and all traffic from VLAN 20 (192.168.20.1/24) to WireGuard config 2 (178.80.x.x).

Both VLANs have their own DHCP and are working, but all traffic is being routed through the first WireGuard config.

I have set route allowed IPs to enabled on both and the allowed IPs on both are 0.0.0.0/0. If I change 0.0.0.0/0 to the subnet of the VLAN I get no internet connection.

I almost want to do 1:1 Nat but with 2 x VPN instead of 2 x public IPs.

1 Answer

Hello,

To make this work I'd recommend installing OpenWRT package called "vpn-policy-routing". With this package you can easily create rules and assign specific interfaces as the default gateway for desired LAN subnets (VLANS) while keeping your primary WAN connection as the default gateway for other subnets, not within the range of VPN policy routing rules. 

Note: I'd highly recommend having local access to the router before performing any further configuration.

To start things off, please login to the router via CLI (SSH) [wiki article covering this procedure] and issue the following commands:

opkg update
opkg install vpn-policy-routing

Note: the "opkg update" may throw some errors at the end of its output, it's completely fine to ignore them.

Once VPN policy routing is installed, proceed with creating VLANs, then create VPN tunnels and assign their peers. When creating VPN tunnels and peers, make sure to set specific fields to the following values:

In the "General Setup"

Listen port: any value between 1024–65535, must be unique for each individual tunnel configuration

IP addresses: IPv4 address of the tunnel on the Teltonika router side. Each tunnel must be in its own subnet so that no conflicts occur.

In the "Advanced Setup"

Metric: must be higher than the default gateway (WAN) interface. For example, 50.

MTU: default is 1420, adjust if necessary depending on the other end of the tunnel to match this value on both ends (peers)

Proceed to the peer configuration, in the "General Setup"

Public key: peer (other end) public key

Allowed IPs: 0.0.0.0/0

Peer configuration, "Advanced Setup"

Description: custom description about this peer

Preshared key: configure only if required/setup on the other end, otherwise leave empty

Endpoint host: public IPv4 address of the peer

Endpoint port: port which the peer is listening on 

Persistent keepalive: recommended to set to 30 to make sure the tunnel stays online even when no client is using it.

Configure the second WG tunnel identically, except with different IPs, listening port and public key.

Once done, proceed back to the CLI (SSH) and run the following commands:

Note: make sure to replace WG interface names and subnet IPs in case they differ on your end.

Note: you can check how WG interfaces are named by issuing command "wg" (without quotation marks) in the CLI (SSH).

# Enable VPN policy routing and clear any existing policies
uci set vpn-policy-routing.config.enabled='1'
while uci -q delete vpn-policy-routing.@policy[0]; do :; done

# Policy 1: traffic between the two VLAN subnets stays local and is not sent through any tunnel
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].dest_addr="10.20.30.0/24 172.20.30.0/24"
uci set vpn-policy-routing.@policy[-1].interface="ignore"

# Policy 2: the first VLAN subnet exits via WireGuard interface #1
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].src_addr="10.20.30.0/24"
uci set vpn-policy-routing.@policy[-1].interface="WireGuard interface name #1"

# Policy 3: the second VLAN subnet exits via WireGuard interface #2
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].src_addr="172.20.30.0/24"
uci set vpn-policy-routing.@policy[-1].interface="WireGuard interface name #2"

# Save and apply
uci commit
/etc/init.d/vpn-policy-routing restart

Once done, the default gateway for other LAN subnets will still be the default WAN connection, however, for subnet 10.20.30.0/24 the default gateway will be WireGuard interface #1 and for subnet 172.20.30.0/24 the default gateway will be WireGuard interface #2. I've tested this on my end and everything seemed to be in order. Let me know if this works for you.

Best regards,

Tomas.
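Added example, not part of the answer above: a small POSIX sh helper that renders the same policy set (one "ignore" policy keeping inter-VLAN traffic local, then one policy per VLAN) as a `uci batch` script for any number of subnet-to-tunnel mappings, here filled in with the asker's 192.168.10.0/24 and 192.168.20.0/24 subnets. The interface names wg_vlan10 and wg_vlan20 are placeholders; substitute the names shown by `wg` on your router.

```shell
#!/bin/sh
# Added example, not from the original answer: render the vpn-policy-routing
# policy set for any number of "subnet=interface" mappings as a uci batch script.
# The interface names used below (wg_vlan10, wg_vlan20) are placeholders.

# vpr_batch SUBNET=IFACE [SUBNET=IFACE ...]
# Prints the batch script on stdout; returns 1 if a mapping lacks a prefix
# length or an interface name.
vpr_batch() {
    all_subnets=""
    for m in "$@"; do
        case "$m" in
            */*=?*) ;;
            *) echo "bad mapping: $m" >&2; return 1 ;;
        esac
        all_subnets="${all_subnets:+$all_subnets }${m%%=*}"
    done
    [ -n "$all_subnets" ] || return 1

    echo "set vpn-policy-routing.config.enabled='1'"
    # First policy: traffic between the VLAN subnets stays on the router
    # instead of being pushed into a tunnel.
    echo "add vpn-policy-routing policy"
    echo "set vpn-policy-routing.@policy[-1].dest_addr='$all_subnets'"
    echo "set vpn-policy-routing.@policy[-1].interface='ignore'"
    # One policy per VLAN: that subnet's traffic exits via its own tunnel.
    for m in "$@"; do
        echo "add vpn-policy-routing policy"
        echo "set vpn-policy-routing.@policy[-1].src_addr='${m%%=*}'"
        echo "set vpn-policy-routing.@policy[-1].interface='${m#*=}'"
    done
    echo "commit vpn-policy-routing"
}

# Example mapping for the two VLANs from the question (placeholder names).
vpr_batch "192.168.10.0/24=wg_vlan10" "192.168.20.0/24=wg_vlan20"
```

On the router, run the policy-deleting loop from the answer first, then pipe the output into `uci batch` and restart the service with `/etc/init.d/vpn-policy-routing restart`.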