I think I'm understanding how the PBR and the kill switch work:
With WireGuard enabled, EVERY connection in my home is going through WireGuard, not just the IPs listed in the PBR, correct (that is what it is doing now)?
If WireGuard goes down, those IPs listed in the PBR with a kill switch will drop the connection until WireGuard reconnects. All the other devices will roll over from the WireGuard connection to the regular ISP connection and keep going?
I thought ONLY the IPs listed in the PBR ran through the VPN connection, and all the others ran outside WireGuard, even when WireGuard was enabled.
When I place the rule below into the firewall and disable WireGuard, it rolls that IP over to the regular ISP and fails to drop the connection. I tried DROP and REJECT.

```
iptables -I FORWARD -s 192.168.1.3 -o $(get wanface) -j DROP
```

Now I have the firewall rule set the way it used to be in OpenVPN, and it does work.

```
iptables -I FORWARD -s 192.168.1.3 -o $(nvram get wan_iface) -j DROP
```
```
root@Nighthawk:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target       prot opt in     out     source               destination
    0     0 DROP         all  --  *      vlan2   192.168.1.3          0.0.0.0/0
    0     0 DROP         all  --  *      vlan2   192.168.1.2          0.0.0.0/0
   77 11640 ACCEPT       tcp  --  oet1   *       0.0.0.0/0            192.168.1.3          tcp dpt:4000
  341 23799 ACCEPT       udp  --  oet1   *       0.0.0.0/0            192.168.1.3          udp dpt:4000
    0     0 ACCEPT       all  --  oet1   *       0.0.0.0/0            0.0.0.0/0            state NEW
11471 4251K ACCEPT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 1240  106K upnp         all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 lan2wan      all  --  oet1   *       0.0.0.0/0            0.0.0.0/0
 1240  106K lan2wan      all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       tcp  --  *      vlan2   192.168.1.0/24       0.0.0.0/0            tcp dpt:1723
    0     0 ACCEPT       47   --  *      vlan2   192.168.1.0/24       0.0.0.0/0
    0     0 TRIGGER      all  --  vlan2  br0     0.0.0.0/0            0.0.0.0/0            TRIGGER type:in match:0 relate:0
 1240  106K trigger_out  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER      all  --  vlan2  eth0    0.0.0.0/0            0.0.0.0/0            TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER      all  --  vlan2  eth1    0.0.0.0/0            0.0.0.0/0            TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER      all  --  vlan2  eth2    0.0.0.0/0            0.0.0.0/0            TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER      all  --  vlan2  vlan1   0.0.0.0/0            0.0.0.0/0            TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER      all  --  vlan2  wlan0   0.0.0.0/0            0.0.0.0/0            TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER      all  --  vlan2  wlan1   0.0.0.0/0            0.0.0.0/0            TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER      all  --  vlan2  oet1    0.0.0.0/0            0.0.0.0/0            TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  oet1   *       0.0.0.0/0            0.0.0.0/0
 1177  103K ACCEPT       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
   63  2780 DROP         all  --  *      *       0.0.0.0/0            0.0.0.0/0
root@Nighthawk:~#
```
Place these rules under Administration/Commands and save as Firewall.
Reboot the router and check after that with:

```
iptables -vnL FORWARD
```

Next, check that your clients actually have these IP addresses: either set a static lease or a static IP on the clients involved so that they have those IP addresses, and check on the client (presuming you use Windows) from the cmd prompt with `ipconfig /all`.
That should deal with the kill switch.
The latest WireGuard client setup guide has instructions on how to test.
Next, PBR: for a description of how it works and how you must implement it, see the WireGuard client setup guide, page 9.
Only IP addresses you put in the PBR list will use the VPN.
You can check with ipleak.net whether clients are using the VPN or not.
Although safeguards are built in, it is possible that when you enter wrong settings you will end up with all clients using the PBR.
If that is the case, please show a picture of the PBR box so that I can see what you entered and where things went wrong.
In that case also show from the CLI (telnet/PuTTY):

```
ip route show table 21
ip rule show
grep -E -i 'oet|wireguard' /var/log/messages
```

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
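A script to verify the kill-switch rules the reply above asks you to check, added here as an example (it is not from the thread and not a DD-WRT script): it parses a constructed `iptables -vnL FORWARD` dump and confirms that a client's DROP rule towards the WAN interface precedes any ACCEPT that could let its traffic out, which is what makes the rule bite when the tunnel is down. The WAN interface name `vlan2` and the address 192.168.1.3 come from the dump in the thread; on the router, replace the sample with the real output of `iptables -vnL FORWARD`.

```shell
#!/bin/sh
# Constructed sample of `iptables -vnL FORWARD` output, modelled on the
# dump in the thread: only 192.168.1.3 has a kill-switch rule here.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in     out    source       destination
    0     0 DROP   all  --  *      vlan2  192.168.1.3  0.0.0.0/0
   77 11640 ACCEPT tcp  --  oet1   *      0.0.0.0/0    192.168.1.3  tcp dpt:4000
11471 4251K ACCEPT all  --  *      *      0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
 1177  103K ACCEPT all  --  br0    *      0.0.0.0/0    0.0.0.0/0    state NEW
   63  2780 DROP   all  --  *      *      0.0.0.0/0    0.0.0.0/0'

# killswitch_ok DUMP WAN_IFACE CLIENT_IP
# Succeeds (exit 0) only if a "DROP ... out=WAN_IFACE source=CLIENT_IP"
# rule appears before any ACCEPT that could match traffic from that
# client towards the WAN. Deliberately conservative: an ACCEPT with
# out "*" and source 0.0.0.0/0 ahead of the DROP counts as a hole,
# because the kernel stops at the first matching rule.
killswitch_ok() {
    printf '%s\n' "$1" | awk -v wan="$2" -v ip="$3" '
        NR <= 2 { next }                                 # chain header, column names
        $3 == "DROP" && $7 == wan && $8 == ip { found = 1; exit }
        $3 == "ACCEPT" && ($7 == wan || $7 == "*") &&
            ($8 == ip || $8 == "0.0.0.0/0") { exit }      # reached an ACCEPT first
        END { exit (found ? 0 : 1) }'
}

# killswitch_clients DUMP WAN_IFACE
# Prints every client address that already has a kill-switch DROP rule,
# so the list can be compared against the addresses in the PBR box.
killswitch_clients() {
    printf '%s\n' "$1" | awk -v wan="$2" \
        'NR > 2 && $3 == "DROP" && $7 == wan && $8 != "0.0.0.0/0" { print $8 }'
}

# Stand-alone run against the constructed sample.
for client in 192.168.1.3 192.168.1.2; do
    if killswitch_ok "$SAMPLE_FORWARD" vlan2 "$client"; then
        echo "$client: kill switch in place"
    else
        echo "$client: NO kill switch, traffic would fall back to the ISP"
    fi
done
```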
Yes, it was another error on my part, and ONLY the IPs listed in the PBR are now going through WireGuard.
There is no easy way to test the kill switch in WireGuard that I'm aware of. Putting the kill switch in the firewall settings appears to be the easiest way to make sure it is working. Maybe a test switch in the WireGuard configuration screen?
All my issues have been resolved.
Thank you for all your help, it was all very much appreciated...

_________________
Michael Steele
Joined: 18 Mar 2014, Posts: 12884, Location: Netherlands
Posted: Thu Jul 22, 2021 13:52
You are welcome, glad it is resolved.
In the latest WG client setup guide (from this morning) I added instructions on how you can test.
Warning: this only works when using 47047 or later.
I think you are not yet using this, as that build should have (some) protection from errors in the PBR field, so that everything goes via the tunnel and not only the addresses in the PBR field.