Joined: 04 Jan 2007 Posts: 11564 Location: Wherever the wind blows- North America
Posted: Mon Mar 06, 2023 20:00 Post subject: [SOLVED] Wireguard and PBR
Hi all...I'm hoping you can help me out here. I have WindScribe VPN (using Wireguard)...it works great...but I can't seem to get certain web pages to bypass the VPN and use the WAN address.
If I visit Facebook, for example...it still shows the Wireguard-given IP address (causes login issues at times). How do I get my list of PBR sites to bypass the VPN?
Yes...I have read the Wireguard guide.
This is an XR500 running 51937. (but it's been doing this all along.)
redhawk
[Edited for clarification]
Last edited by redhawk0 on Mon Mar 06, 2023 20:59; edited 1 time in total
All sources via VPN would mean all clients in your LAN would use the VPN, regardless of destination, perhaps?
Posted: Mon Mar 06, 2023 20:39 Post subject:
The way I understand it...it sets all sources to use the VPN IP address...except when "Route Selected Destinations via WAN" is selected, in which case the entered addresses are routed only through the WAN address.
Facebook (and Amazon/Netflix, etc.) use a lot of different domains and subdomains, so you have to take care to route them all.
The second problem is that the IP addresses change over time (other servers are added, etc.), and the IP address is only resolved when the tunnel starts, so it can be that right after the tunnel starts it works, but after some time it does not, as your client, which is resolving facebook.com at that moment, gets another IP address.
Both problems can be mitigated by the use of IPSET, which dynamically creates a list of resolved IP addresses and routes this list; this also catches subdomains on the fly.
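As an added example, not code from this thread or from DD-WRT itself: the IPSET approach egc describes, where dnsmasq adds every address it resolves for the listed domains (subdomains included) to an ipset, and a firewall mark plus a policy route sends traffic to those addresses out the WAN instead of the tunnel. The interface eth0 (the XR500 WAN interface mentioned above), mark 0x10, table 100 and the example domain list are assumptions to adjust for your own router.

```shell
#!/bin/sh
# Added example (not from the thread): WAN bypass for selected domains via a
# dnsmasq-populated ipset. Assumed values: WAN interface eth0, fwmark 0x10 and
# routing table 100 unused on this router; adjust to your own setup.
SET_NAME="bypassvpn"
WAN_IF="eth0"
FWMARK="0x10"
RT_TABLE="100"

# Build the dnsmasq directive "ipset=/dom1/dom2/setname". dnsmasq matches
# subdomains too, so facebook.com also covers www.facebook.com and friends.
dnsmasq_ipset_line() {
    set_name="$1"; shift
    line="ipset="
    for d in "$@"; do line="${line}/${d}"; done
    printf '%s/%s\n' "$line" "$set_name"
}

# Number of addresses currently in the set (0 if the set or ipset is missing):
# a quick check that dnsmasq is really feeding the set after a few lookups.
ipset_entry_count() {
    ipset list "$1" 2>/dev/null | awk '/^Members:/{m=1;next} m&&NF{n++} END{print n+0}'
}

apply_bypass_rules() {
    wan_gw=$(ip -4 route show default dev "$WAN_IF" | awk '{print $3; exit}')
    [ -n "$wan_gw" ] || { echo "no default route on $WAN_IF" >&2; return 1; }
    # The set must exist before dnsmasq can add resolved A records to it.
    ipset -exist create "$SET_NAME" hash:ip
    # Mark LAN traffic whose destination was resolved for one of the domains.
    iptables -t mangle -C PREROUTING -m set --match-set "$SET_NAME" dst \
        -j MARK --set-mark "$FWMARK" 2>/dev/null ||
    iptables -t mangle -A PREROUTING -m set --match-set "$SET_NAME" dst \
        -j MARK --set-mark "$FWMARK"
    # Marked packets consult the bypass table, whose only route is the WAN default;
    # the router's normal WAN NAT still applies to them on the way out.
    ip rule add fwmark "$FWMARK" table "$RT_TABLE" priority 1000 2>/dev/null || true
    ip route replace default via "$wan_gw" dev "$WAN_IF" table "$RT_TABLE"
    ip route flush cache 2>/dev/null || true
    echo "Add this line to the DNSMasq options and restart dnsmasq:"
    dnsmasq_ipset_line "$SET_NAME" facebook.com fbcdn.net
}

# Only touch the router when explicitly asked; sourcing the file just defines helpers.
if [ "${1:-}" = apply ]; then apply_bypass_rules; fi
```

After a few Facebook lookups from a LAN client, `ipset_entry_count bypassvpn` should be greater than 0; if it stays at 0, dnsmasq is not the resolver the client is using or the directive was not loaded.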
Posted: Tue Mar 07, 2023 15:35 Post subject:
Thanx egc....I'll have to wait I guess...I did add "@eth0" to my DNSMasq line...but it didn't help. (yes...eth0 is the correct interface for WAN on the XR500....verified)
This is just a bit frustrating...I'm not proficient with command line rules...if it's in the configuration...I can understand it...but if it's changing the code or manually entering the code....I get lost very quickly.
[EDIT] - I found I missed a quote the first time around...This has fixed it....(see image)