FOR TIPS, gUIDES & TUTORIALS

Question

Hi everyone, so it's been a few days that im trying to achieve this but without any success, so im going to ask for some help. Thanks in advance!

What i would like to make is, pass all the traffic from a specific interface/network through the wireguard tunnel.

First of all some description of my configuration:

I used the WAN interface of the device to create a new interface called LAN_SRV on 192.168.0.x offering DHCP (this is the interface where i want to route all traffic through the Wireguard tunnel), while the LAN is pretty much the stock configuration on 192.168.1.x also offering DHCP.

Wireguard tunnel is configured and correctly working, i can reach the wireguard server and also route all the traffic through it by setting allowed ips to 0.0.0.0/0.

I've tried following the suggestion from this answer https://community.teltonika-networks.com/39990/configure-three-different-clients-route-different-devices customizing the commands to my case:

uci set vpn-policy-routing.config.enabled="1"
while uci -q delete [email protected][0]; do : ; done
uci add vpn-policy-routing policy
uci set [email protected][-1].name="Ignore_LAN"
uci set [email protected][-1].dest_addr="192.168.1.0/24"
uci set [email protected][-1].interface="ignore"
uci set [email protected][-1].name="Route_VPN_LAN0"
uci set [email protected][-1].src_addr="192.168.0.0/24"
uci set [email protected][-1].interface="WG_VPN"
uci commit
/etc/init.d/vpn-policy-routing restart

And the results are, if i set allowed ips to 0.0.0.0/0, only the interface that is routed to the wireguard tunnel can access internet, the other one is not. If i set the allowd ips to the wireguard network 192.168.10.0/24 there is no internet access on any interface.

Is this a limit with wireguard? As far as i can see others achieved this with other VPN kinds.

Thanks again, and let me know if any more informations are needed.

PS: Merry Christmas and happy holidays!

AndzejJ · Answer 1 · 2022-12-27T07:18:58+0000

commented Dec 27, 2022 by lothgar

Hello,

Thanks for the answer, i totally missed the add vpn-policy-routing policy command.

Here is the commands that i've sent today:

r[email protected]:~# uci add vpn-policy-routing policy
cfg046ff5
[email protected]:~# uci set [email protected][-1].name="Ignore_LAN"
[email protected]:~# uci set [email protected][-1].dest_addr="192.168.1.0/24"
[email protected]:~# uci set [email protected][-1].interface="ignore"
[email protected]:~# uci add vpn-policy-routing policy
cfg056ff5
[email protected]:~# uci set [email protected][-1].name="Route_VPN_LAN0"
[email protected]:~# uci set [email protected][-1].src_addr="192.168.0.0/24"
[email protected]:~# uci set [email protected][-1].interface="WG_VPN"
[email protected]:~# uci commit
[email protected]:~# /etc/init.d/vpn-policy-routing restart

After doing so if i set the allowed ips on the Wireguard peer configuration to 0.0.0.0/0 none of the LANS can access the internet, and had to set it back to 192.168.10.0/24 which is the wireguard network.

I did a test to try to only create the Ignore_LAN policy but the result is the same, no internet access.

Also there is this warning message showing:

WARNING: The 'ignore' target is used by a policy 'Ignore_LAN', but a WebUI setting to show 'ignore' target (webui_show_ignore_target) is disabled!

What does it mean?

Kind Regards,

Lorenzo

commented Dec 28, 2022 by AndzejJ

commented Dec 28, 2022 by lothgar

Hi Andzej,

So here is what i've done today:

uci add vpn-policy-routing policy
cfg046ff5
[email protected]:~# uci set [email protected][-1].name="Ignore_LAN"
[email protected]:~# uci set [email protected][-1].src_addr="192.168.1.0/24"
[email protected]:~# uci set [email protected][-1].interface="ignore"
[email protected]:~# uci commit
[email protected]:~# /etc/init.d/vpn-policy-routing restart

Just to try if i can get this network excluded from the wireguard tunnel, but the results are the same, if i set the wireguard allowed ips to 0.0.0.0/0 internet is unreachable.

This should route 192.168.1.0/24 network via which WAN? Im using an LTE connection (SIM1).

As i said before the WAN interface is used to create a different network 192.168.0.0/24.

EDIT: forgot to mention that i've deleted all previous rules before adding this one.

Thanks again for the help.

Lorenzo

commented Dec 28, 2022 by AndzejJ

commented Dec 29, 2022 by lothgar

Hi Andzej,

So as you asked here is a schema of what i want to achieve:

As you suggested i tried setting allowed ips to 0.0.0.0/1 and 128.0.0.0/1 but it didn't help.

I somehow managed to achieve what i wanted to by disabling the "Route allowed IPs" from the webui in the wireguard peer settings. By doing this everything started working as intended, at least until this morning.

Today i found that the tunnel wasn't working anymore and the devices on the 192.168.0.0/24 network could't connect to the internet obviusly (the vpn policy routes the traffic through the tunnel).

There was one more strange thing, i couldn't connect to the VPS either from both networks (cant ping the public ip address or connect with SSH) this IP is the remote server used in the wireguard peer configuration.

So the first thing i tried was rebooting both RUTX09 and the VPS, after that the wg command wasn't showing any handshake and the ping towards the VPS still wasn't working.

I tried to remove the gateway in the interface that i had to create in order to enable the vpn policy (WG_VPN), and the handshake was made. But the traffic wasn't being routed outside the VPN so i re-added the gateway, and things started working as yesterday.

If i reboot the device the problem persists and have to remove/add the gateway on the interface to make things work, its like the RUTX09 is trying to reach the public ip address of the vps through the tunnel, but the tunnel is not up yet, because it cant reach the ip through it?

Im gonna share my configuration so you have a clear view of what im doing:

The created interface WG_VPN:

Tunnel settings (keys censored):

The RUTX09 firmware version is RUTX_R_00.07.00.

And here is the "uci show vpn-policy-routing" output:

[email protected]:~# uci show vpn-policy-routing
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.dest_ipset='0'
vpn-policy-routing.config.resolver_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.procd_reload_delay='1'
vpn-policy-routing.config.webui_enable_column='0'
vpn-policy-routing.config.webui_protocol_column='0'
vpn-policy-routing.config.webui_chain_column='0'
vpn-policy-routing.config.webui_show_ignore_target='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.enabled='1'
[email protected][0]=include
vpn-policy-[email protected][0].path='/etc/vpn-policy-routing.netflix.user'
[email protected][0].enabled='0'
[email protected][1]=include
vpn-pol[email protected][1].path='/etc/vpn-policy-routing.aws.user'
[email protected][1].enabled='0'
[email protected][0]=policy
[email protected][0].name='Route_VPN_LAN0'
[email protected][0].src_addr='192.168.0.0/24'
[email protected][0].interface='WG_VPN'

Thanks again for the precious help.

Kind Regards,

Lorenzo

commented Dec 30, 2022 by AndzejJ

FOR TIPS, gUIDES & TUTORIALS

Most popular tags

RUTX09 route specific interface traffic through wireguard tunnel

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.