In OpenVPN I only have a few IPs that are accessible through the VPN, and if the VPN drops it kills that connection.
Firewall Commands:
iptables -I FORWARD -s 192.168.1.2 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.1.3 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.1.4 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.1.5 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.1.6 -o $(nvram get wan_iface) -j DROP
The above is not working with WireGuard. However, there is a "Policy Based Routing" option in the WireGuard configuration window. I'm not finding any information on how to configure that, and any help would be greatly appreciated.
Thank you in advance... _________________ Michael Steele
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Tue Jul 20, 2021 16:02 Post subject:
WireGuard documentation (just like OpenVPN) is a sticky in this forum.
Links are also in my signature.
The OpenVPN and WireGuard built-in killswitch is intelligent, meaning if you use PBR they should block only the PBR clients (recent builds, that is), so you do not need any firewall rules.
It is experimental, so always check if it is working as advertised (or simply add your own for safety, as you did).
The Client setup guide, page 8: Options settings, will tell you more.
In WireGuard Tunneling there is a PBR option box that did work, as listed below, and tested. Any IP outside the below goes out through my default ISP IP.
Now I'm assuming I can tick the Kill switch box in Tunneling and it will know to kill the IPs that are listed in the PBR option? _________________ Michael Steele
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Tue Jul 20, 2021 17:07 Post subject:
Night Prowler wrote:
It has been several years since I messed with any of this, as I just upgraded to an R9000 from an R7000 router.
How would I go about testing the kill switch?
I'm guessing that if the kill switch was not ticked then it would just roll over to the normal non-VPN connection out, correct?
My PBR is: 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6
Do I need to add the subnet /32 to the end of each IP?
I'm upgrading to the latest firmware, fingers crossed.
Thanks...
You actually should/could add /32 to make it clear it is only the one IP address (with CIDR notation you can have fewer lines), but DD-WRT/Linux is smart enough to 'add' /32, so you should be fine. A purist like me always adds /32, though.
Testing is difficult, as the routing kicks in rather quickly for PBR; there is a small window where the routing is not present, so reboot the router and, while it reboots, see if you get your WAN. If not, you should be fine.
Actually, I made it, so what could possibly go wrong?
Edit: but seriously, if you really want to be sure, just add your own killswitch and add it to the firewall.
Something like this should work:
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Tue Jul 20, 2021 19:18 Post subject:
It depends where you put those rules; if placed under Administration/Commands and Save Firewall, it should be there.
The best way to view your firewall rules is from the command line with:
Code:
iptables -vnL FORWARD
That is to see the FORWARD rules.
The PREROUTING rules are in the nat table: -t nat
This looks like port forwarding on the VPN.
You can run a VPN and a WG tunnel when both are on PBR, but you cannot port forward via the VPN and have the same IP address in the PBR of WireGuard.
Furthermore:
$(nvram get wan_face) is unreliable and should not be used
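An added example (my code, not from this thread or from DD-WRT): a small POSIX shell helper that builds the do-it-yourself killswitch suggested above, one FORWARD rule per PBR client with an explicit /32, and then checks an `iptables -vnL FORWARD` listing for clients that still have no DROP rule towards the WAN interface. It assumes the caller supplies the WAN interface name (eth0 appears only in the constructed sample listing).

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a per-client killswitch for
# the PBR clients and checks an `iptables -vnL FORWARD` listing for clients
# that still lack a DROP rule towards the WAN interface.
# Assumption: the caller supplies the WAN interface name (eth0 is used only
# in the constructed sample below).

CLIENTS="192.168.1.2 192.168.1.3 192.168.1.4 192.168.1.5 192.168.1.6"

# Normalise a bare address to an explicit /32; leave an existing prefix alone.
cidr() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# Print one FORWARD rule per client that drops whatever the client sends out
# of the WAN interface. -I puts the rule at the top so it wins over later
# ACCEPT rules. Usage: killswitch_rules WAN_IF CLIENT... (pipe into sh to apply)
killswitch_rules() {
    wan=$1; shift
    for ip in "$@"; do
        printf 'iptables -I FORWARD -s %s -o %s -j DROP\n' "$(cidr "$ip")" "$wan"
    done
}

# Given the text of `iptables -vnL FORWARD`, print each client that has no
# DROP rule with out=WAN_IF. Field layout of -vnL: pkts bytes target prot opt
# in out source destination; iptables prints a /32 source without the prefix.
missing_rules() {
    listing=$1; wan=$2; shift 2
    for ip in "$@"; do
        printf '%s\n' "$listing" | awk -v w="$wan" -v s="${ip%/32}" \
            '$3 == "DROP" && $7 == w && $8 == s { found = 1 } END { exit !found }' \
            || printf '%s\n' "$ip"
    done
}

# Constructed sample listing: only two of the five clients have a rule.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      eth0    192.168.1.2          0.0.0.0/0
    0     0 DROP       all  --  *      eth0    192.168.1.3          0.0.0.0/0
  840 61200 ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0'

killswitch_rules eth0 $CLIENTS                 # rules to apply on the router
missing_rules "$SAMPLE_LISTING" eth0 $CLIENTS  # clients still unprotected
```

On the router you would feed `missing_rules` the real listing, e.g. `missing_rules "$(iptables -vnL FORWARD)" "$WAN_IF" $CLIENTS`, and expect no output once the killswitch is in place.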
Is there a solution to using port forward so I can access that PC from the outside on port 4000 when it is tied to PBR in wireguard?
Is that the reason why PBR is not working from the Firewall?
I have tried the below with DROP and REJECT. When I disable (drop) WireGuard, it reverts back to my ISP connection. It should block the connection to the outside if WireGuard is disabled or the VPN connection drops.
iptables -I FORWARD -s 192.168.1.2 -o $(get wanface) -j DROP
iptables -I FORWARD -s 192.168.1.3 -o $(get wanface) -j DROP
Also, if I change the IP to 192.168.1.9 while WireGuard is enabled, it should revert back through my ISP connection, but it is still going through WireGuard. I only want 192.168.1.2 and 192.168.1.3 to go through the VPN, everything else to go out through my ISP. _________________ Michael Steele