0 votes
1,017 views 6 comments
by anonymous

Hi everyone, so it's been a few days that I'm trying to achieve this but without any success, so I'm going to ask for some help. Thanks in advance!

What I would like to do is pass all the traffic from a specific interface/network through the WireGuard tunnel.

First of all some description of my configuration:

I used the WAN interface of the device to create a new interface called LAN_SRV on 192.168.0.x offering DHCP (this is the interface where I want to route all traffic through the WireGuard tunnel), while the LAN is pretty much the stock configuration on 192.168.1.x, also offering DHCP.

The WireGuard tunnel is configured and working correctly; I can reach the WireGuard server and also route all the traffic through it by setting allowed IPs to 0.0.0.0/0.

I've tried following the suggestion from this answer https://community.teltonika-networks.com/39990/configure-three-different-clients-route-different-devices, customizing the commands to my case:

  • uci set vpn-policy-routing.config.enabled="1"
  • while uci -q delete vpn-policy-routing.@policy[0]; do : ; done
  • uci add vpn-policy-routing policy
  • uci set vpn-policy-routing.@policy[-1].name="Ignore_LAN"
  • uci set vpn-policy-routing.@policy[-1].dest_addr="192.168.1.0/24"
  • uci set vpn-policy-routing.@policy[-1].interface="ignore"
  • uci set vpn-policy-routing.@policy[-1].name="Route_VPN_LAN0"
  • uci set vpn-policy-routing.@policy[-1].src_addr="192.168.0.0/24"
  • uci set vpn-policy-routing.@policy[-1].interface="WG_VPN"
  • uci commit
  • /etc/init.d/vpn-policy-routing restart

And the results are: if I set allowed IPs to 0.0.0.0/0, only the interface that is routed to the WireGuard tunnel can access the internet, the other one cannot. If I set the allowed IPs to the WireGuard network 192.168.10.0/24, there is no internet access on any interface.

Is this a limitation of WireGuard? As far as I can see, others achieved this with other VPN kinds.

Thanks again, and let me know if any more information is needed.

PS: Merry Christmas and happy holidays!

1 Answer

+1 vote
by anonymous

Hello,

I have not tested this with wireguard yet, however, I've noticed one thing.

According to the list of commands you have posted, it seems that you are editing the same VPN policy. You should create a new policy after you have configured the first one (2 total).

...

...

uci set vpn-policy-routing.@policy[-1].interface="ignore"

uci add vpn-policy-routing policy

uci set vpn-policy-routing.@policy[-1].name="Route_VPN_LAN0"

...

...

Also, delete the existing policies before creating new ones. I recommend you start configuring everything from scratch (maybe factory reset).

while uci -q delete vpn-policy-routing.@policy[0]; do : ; done

Kind Regards,

Andzej
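To see concretely why the missing 'uci add' matters, here is an added example (not Teltonika's or OpenWrt's code) that models how 'uci add' and 'uci set ...@policy[-1]...' act on anonymous sections and replays the command list from the question, once as posted and once with the second 'uci add' inserted as the answer recommends. It skips 'uci commit', the service restart and the 'while ... delete' loop, and uses the asker's policy names and addresses.

```python
"""Added example, not Teltonika's or OpenWrt's code: a tiny model of the
uci commands used in this thread. It understands only 'uci add PKG TYPE'
and 'uci set PKG.@TYPE[IDX].OPT=VAL' (quotes as in a shell); 'uci commit',
the service restart and the 'while ... delete' loop are skipped."""
import re
import shlex

SET_RE = re.compile(r"^([\w-]+)\.@(\w+)\[(-?\d+)\]\.(\w+)=(.*)$")


def run_uci(commands):
    """Apply shell-style uci lines to an in-memory config.
    Returns {package: [section dicts]}; each section carries its '.type'."""
    config = {}
    for line in commands:
        argv = shlex.split(line)
        if argv[:2] == ["uci", "add"]:            # append an anonymous section
            config.setdefault(argv[2], []).append({".type": argv[3]})
        elif argv[:2] == ["uci", "set"]:
            pkg, typ, idx, opt, val = SET_RE.match(argv[2]).groups()
            same_type = [s for s in config.get(pkg, []) if s[".type"] == typ]
            same_type[int(idx)][opt] = val        # @TYPE[-1] is the LAST section
    return config


# The list from the question: the second policy's options are written before
# a second 'uci add', so they overwrite the first section's values.
AS_POSTED = [
    'uci add vpn-policy-routing policy',
    'uci set vpn-policy-routing.@policy[-1].name="Ignore_LAN"',
    'uci set vpn-policy-routing.@policy[-1].dest_addr="192.168.1.0/24"',
    'uci set vpn-policy-routing.@policy[-1].interface="ignore"',
    'uci set vpn-policy-routing.@policy[-1].name="Route_VPN_LAN0"',
    'uci set vpn-policy-routing.@policy[-1].src_addr="192.168.0.0/24"',
    'uci set vpn-policy-routing.@policy[-1].interface="WG_VPN"',
]
# Same list with the missing 'uci add' before the second policy, as the answer says.
CORRECTED = AS_POSTED[:4] + ['uci add vpn-policy-routing policy'] + AS_POSTED[4:]


def policies(commands):
    """Resulting policy sections as (name, src_addr, dest_addr, interface)."""
    cfg = run_uci(commands)
    return [(s.get("name"), s.get("src_addr"), s.get("dest_addr"), s.get("interface"))
            for s in cfg.get("vpn-policy-routing", []) if s[".type"] == "policy"]


if __name__ == "__main__":
    print(policies(AS_POSTED))   # one merged section named Route_VPN_LAN0
    print(policies(CORRECTED))   # two sections: Ignore_LAN and Route_VPN_LAN0
```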

by anonymous

Hello,

Thanks for the answer, I totally missed the add vpn-policy-routing policy command.

Here are the commands that I've sent today:

root@Teltonika-RUTX09:~#  uci add vpn-policy-routing policy
cfg046ff5
root@Teltonika-RUTX09:~# uci set vpn-policy-routing.@policy[-1].name="Ignore_LAN"
root@Teltonika-RUTX09:~# uci set vpn-policy-routing.@policy[-1].dest_addr="192.168.1.0/24"
root@Teltonika-RUTX09:~# uci set vpn-policy-routing.@policy[-1].interface="ignore"
root@Teltonika-RUTX09:~# uci add vpn-policy-routing policy
cfg056ff5
root@Teltonika-RUTX09:~# uci set vpn-policy-routing.@policy[-1].name="Route_VPN_LAN0"
root@Teltonika-RUTX09:~# uci set vpn-policy-routing.@policy[-1].src_addr="192.168.0.0/24"
root@Teltonika-RUTX09:~# uci set vpn-policy-routing.@policy[-1].interface="WG_VPN"
root@Teltonika-RUTX09:~# uci commit
root@Teltonika-RUTX09:~# /etc/init.d/vpn-policy-routing restart

After doing so, if I set the allowed IPs on the WireGuard peer configuration to 0.0.0.0/0, none of the LANs can access the internet, and I had to set it back to 192.168.10.0/24, which is the WireGuard network.

I did a test creating only the Ignore_LAN policy, but the result is the same: no internet access.

Also, there is this warning message showing:

WARNING: The 'ignore' target is used by a policy 'Ignore_LAN', but a WebUI setting to show 'ignore' target (webui_show_ignore_target) is disabled!

What does it mean?

Kind Regards,

Lorenzo

by anonymous

Hi,

Change dest_addr in this:

  • uci set vpn-policy-routing.@policy[-1].dest_addr="192.168.1.0/24"

To src_addr, like:

  • uci set vpn-policy-routing.@policy[-1].src_addr="192.168.1.0/24"

Traffic from 192.168.1.0/24 network will be routed via WAN. You can configure the second policy to route 0.0.0.0/0 to WG_VPN. This will essentially route all of the other traffic via the Wireguard tunnel.

You can ignore the WebUI warning, as this is an OpenWrt package and is not available in the RUTX09 WebUI. However, the policies should work when configured via CLI.

Kind Regards,

Andzej

by anonymous

Hi Andzej,

So here is what I've done today:

uci add vpn-policy-routing policy
cfg046ff5
root@Teltonika-RUTX09:~# uci set vpn-policy-routing.@policy[-1].name="Ignore_LAN"
root@Teltonika-RUTX09:~# uci set vpn-policy-routing.@policy[-1].src_addr="192.168.1.0/24"
root@Teltonika-RUTX09:~# uci set vpn-policy-routing.@policy[-1].interface="ignore"
root@Teltonika-RUTX09:~# uci commit
root@Teltonika-RUTX09:~# /etc/init.d/vpn-policy-routing restart

Just to test whether I can get this network excluded from the WireGuard tunnel, but the results are the same: if I set the WireGuard allowed IPs to 0.0.0.0/0, the internet is unreachable.

This should route the 192.168.1.0/24 network via which WAN? I'm using an LTE connection (SIM1).

As I said before, the WAN interface is used to create a different network, 192.168.0.0/24.

EDIT: forgot to mention that I've deleted all previous rules before adding this one.

Thanks again for the help.

Lorenzo

by anonymous

Hi,

You can execute the command 'wg' in CLI/SSH and it will show you WireGuard information. There should be a handshake.

Regarding 0.0.0.0/0, it seems like it is common. There are some threads on this forum. Could you try to set two IPs: 0.0.0.0/1 and 128.0.0.0/1 instead of a single 0.0.0.0/0 and see if that works?

You can see the routes if you run the 'ip route' command. You will be able to see your WAN interface on top, where the default route is.

The command 'uci show vpn-policy-routing' can be used to see your VPN policies. 

Also, which firmware version are you using? Could you share more information about your configuration? Maybe a topology?

Kind Regards,

Andzej

by anonymous

Hi Andzej,

So, as you asked, here is a schema of what I want to achieve:

As you suggested, I tried setting allowed IPs to 0.0.0.0/1 and 128.0.0.0/1, but it didn't help.

I somehow managed to achieve what I wanted by disabling "Route allowed IPs" in the WebUI in the WireGuard peer settings. By doing this everything started working as intended, at least until this morning.

Today I found that the tunnel wasn't working anymore and the devices on the 192.168.0.0/24 network couldn't connect to the internet, obviously (the VPN policy routes the traffic through the tunnel).

There was one more strange thing: I couldn't connect to the VPS from either network (can't ping the public IP address or connect with SSH); this IP is the remote server used in the WireGuard peer configuration.

So the first thing I tried was rebooting both the RUTX09 and the VPS; after that the wg command wasn't showing any handshake and the ping towards the VPS still wasn't working.

I tried to remove the gateway in the interface that I had to create in order to enable the VPN policy (WG_VPN), and the handshake was made. But the traffic wasn't being routed outside the VPN, so I re-added the gateway, and things started working as yesterday.

If I reboot the device the problem persists and I have to remove/add the gateway on the interface to make things work. It's like the RUTX09 is trying to reach the public IP address of the VPS through the tunnel, but the tunnel is not up yet because it can't reach the IP through it?

I'm going to share my configuration so you have a clear view of what I'm doing:

  • The created interface WG_VPN:

  • Tunnel settings (keys censored):

The RUTX09 firmware version is RUTX_R_00.07.00.

And here is the "uci show vpn-policy-routing" output:

root@Teltonika-RUTX09:~# uci show vpn-policy-routing
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.dest_ipset='0'
vpn-policy-routing.config.resolver_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.procd_reload_delay='1'
vpn-policy-routing.config.webui_enable_column='0'
vpn-policy-routing.config.webui_protocol_column='0'
vpn-policy-routing.config.webui_chain_column='0'
vpn-policy-routing.config.webui_show_ignore_target='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].name='Route_VPN_LAN0'
vpn-policy-routing.@policy[0].src_addr='192.168.0.0/24'
vpn-policy-routing.@policy[0].interface='WG_VPN'

Thanks again for the precious help.

Kind Regards,

Lorenzo
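Two things in this comment can be checked mechanically: what the posted 'uci show vpn-policy-routing' dump actually contains (only the Route_VPN_LAN0 policy, no 'ignore' policy), and whether the peer's AllowedIPs cover the VPS endpoint itself, which is the chicken-and-egg situation described above. The added example below (not Teltonika's or the vpn-policy-routing package's code) parses a trimmed copy of the dump and runs both checks; it also shows that the 0.0.0.0/1 + 128.0.0.0/1 split still covers the endpoint, consistent with it not helping here. The endpoint address 203.0.113.10 is a placeholder, since the real VPS address is not in the thread.

```python
"""Added example, not Teltonika's or the vpn-policy-routing package's code:
parse a 'uci show vpn-policy-routing' dump like the one above and check a
WireGuard peer's AllowedIPs against its endpoint (203.0.113.10 is a placeholder)."""
import ipaddress

# Trimmed copy of the dump posted above (constructed sample input).
UCI_SHOW = """\
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.webui_show_ignore_target='0'
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].name='Route_VPN_LAN0'
vpn-policy-routing.@policy[0].src_addr='192.168.0.0/24'
vpn-policy-routing.@policy[0].interface='WG_VPN'
"""

def parse_uci_show(text):
    """Return {section: {option: value}}; a 'pkg.sec=type' line sets '.type'."""
    sections = {}
    for line in text.splitlines():
        key, _, val = line.partition("=")
        _pkg, sec, *opt = key.split(".", 2)
        sections.setdefault(sec, {})[opt[0] if opt else ".type"] = val.strip("'")
    return sections

def policy_findings(sections):
    """Points a reviewer would raise about the policy set in this thread."""
    cfg = sections.get("config", {})
    policies = [s for s in sections.values() if s.get(".type") == "policy"]
    out = []
    for p in policies:
        if p.get("interface") == "ignore" and cfg.get("webui_show_ignore_target") == "0":
            out.append(f"{p['name']}: 'ignore' target hidden in WebUI only, still enforced")
        if not (p.get("src_addr") or p.get("dest_addr")):
            out.append(f"{p['name']}: no src_addr/dest_addr, matches all traffic")
    if not any(p.get("interface") == "ignore" for p in policies):
        out.append("no 'ignore' policy: unmatched traffic follows the main table default route")
    return out

def endpoint_inside_allowed_ips(endpoint_ip, allowed_ips, route_allowed_ips=True):
    """True when routes installed for AllowedIPs also cover the peer endpoint,
    so handshake packets would be sent into the tunnel that is not up yet."""
    if not route_allowed_ips:          # the WebUI toggle the comment above disabled
        return False
    ep = ipaddress.ip_address(endpoint_ip)
    return any(ep in ipaddress.ip_network(net) for net in allowed_ips)

if __name__ == "__main__":
    print(policy_findings(parse_uci_show(UCI_SHOW)))
    for nets in (["192.168.10.0/24"], ["0.0.0.0/0"], ["0.0.0.0/1", "128.0.0.0/1"]):
        print(nets, endpoint_inside_allowed_ips("203.0.113.10", nets))
```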

by anonymous

Hi,

Check messages. I have sent you a private message.

Kind Regards,

Andzej