WIKIABOUT

FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14175 questions

16819 answers

27670 comments

54159 members

Most popular tags

rut955 rut240 rut950 rutx11 rms vpn to wifi openvpn not sms trb140 firmware connection - ipsec on rutx12 rutx09 modbus

RTUX11 - WireGuard route all traffic + killSwitch

0 votes
309 views 2 comments
by
Hallo

I'm trying to migrate from GL.Inet to RTUX11.

One thing I need is to route all traffic over WireGuard + KillSwitch.

I'm already failing on the WireGuard...

I'm able to setup the WireGuard connection and routing ONLY when I set as allowed IP's 192.0.0.0/8.

If I set 0.0.0.0/0 (or 0.0.0.0/1 + 128.0.0.0/1) then the WireGuard client on RTUX11 won't connect to my WG server.

It looks like the external IP address (myWgServer.example.domain) is not accessible when allowed IP's is set to 0.0.0.0/0.

Question: does anyone know how to fix it? on GL.Inet there is an option to exclude domain names (myWgServer.example.domain) from VPN routing.

Question 2: any ideas how to realise kill switch functionality on the RUTX?

thanks for any hints!

Lukas
by

Just an update.

I have managed to setup following:

1. WiFi network (magnet-vpn) where all clients are routed over my wireguard VPN (using this Network I'm always at home).

2. Guest WiFi network (magnet-guest) where all clients are routed over WAN and have no access to my home network / vpn.

To setup it, you have to login into shell and execute:

opkg update
opkg install vpn-policy-routing
uci set vpn-policy-routing.config.enabled="1"
while uci -q delete [email protected][0]; do :; done
uci add vpn-policy-routing policy
uci set [email protected][-1].name="Ignore_wireguard_VPN"
uci set [email protected][-1].dest_addr="my.wireguard.hostname.com"
uci set [email protected][-1].interface="ignore"
uci add vpn-policy-routing policy
uci set [email protected][-1].name="Ignore_Guest"
uci set [email protected][-1].src_addr="192.168.46.1/24"
uci set [email protected][-1].interface="ignore"
uci add vpn-policy-routing policy
uci set [email protected][-1].name="AllWireguard"
uci set [email protected][-1].src_addr="0.0.0.0/0"
uci set [email protected][-1].interface="magnets"
uci commit
/etc/init.d/vpn-policy-routing restart

2. create guest network as described here: https://wiki.teltonika-networks.com/view/How_to_set_up_a_guest_WiFi_network_on_RUTX

Please note: I'm using my own subclass: 192.168.46.1. 

3. Important: in wireguard Settings define Allowed IP's as: 0.0.0.0/0 BUT do not enable:Route Allowed IPs option (the vpn-policy-routing Plugin will create these routing entries)

So far I'm happy. will try to setup killswitch today.

 

1 Answer

0 votes
by

Hello,

For the killswitch, you could create a hotplug script that would do the killswitching by yourself, the path to the folder would be: /etc/hotplug.d/iface/18-wireguard

On the exclusion of domain names, you could try referring to this article: https://forum.openwrt.org/t/vpn-policy-based-routing-web-ui-discussion/10389
by
Hi

Thanks for your feedback.

The solution/setup seems to be time consuming.

With Gl.Inet I can setup: dedicated WiFi with Wireguard VPN (to be always "at home") + KillSwitch, dedicated Guest WiFi (for Kidds usage) - all within 5 Minutes.

I'm thinking to send the RTUX12 back and by another GL.Inet with external antennas (GL.iNet GL-X750 Version 2) - it's much user friendly, especially for road (camping) use cases.

Best Regards

Lukas