Posted: Thu Mar 11, 2021 17:20 Post subject: WireGuard VPN tunnel only for one virtual interface
How do I set up DD-WRT (I’m on a fairly recent r45229) so that I have a WireGuard tunnel to my VPN provider but only the traffic from one virtual interface (wl1.1 in my case) goes through that tunnel?
I know how to set up the tunnel correctly (but then all traffic goes through it), and I know how to set up different VAPs. But I’m missing how to restrict tunnel traffic to one of them. Can anybody help?
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Thu Mar 11, 2021 23:01 Post subject:
Look for "Policy Based Routing" in the wireguard docs.
There's a PBR field in the tunnel config section. If you put 192.168.1.128/26 in it, then only 192.168.1.128 through 192.168.1.191 (64 addresses) will be routed through the tunnel. Have that VAP's DHCP server start at 192.168.1.128 with a max of 64 addresses, and you're good to go. (If the /26 thing should be new to you, google CIDR notation.)
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
I need to add one computer to connect through that VPN tunnel, and that PC is attached to LAN port 1 of the router. I'm guessing I need to add a VLAN somehow for that particular port and bridge it (?) to the tunnel, but I haven't been able to find a specific thread for that...
Posted: Mon Mar 29, 2021 13:20 Post subject:
VLAN setup is very hardware dependent, so search the forum associated with your router type. There is a link in my signature to some guidance for Linksys dual-CPU WRT... routers in particular.
No need for VLANs, doesn't matter if LAN or WLAN.
If you only need 1 IP routing through the WireGuard VPN, simply add that IP into the policy-based routing field as IP/32, e.g. 192.168.1.6/32. Allowed IPs: 0.0.0.0/1,128.0.0.0/1
Don't overcomplicate it!
aelfinn wrote:
I need to add one computer to connect through that VPN tunnel, and that PC is attached to LAN port 1 of the router. I'm guessing I need to add a VLAN somehow for that particular port and bridge it (?) to the tunnel, but I haven't been able to find a specific thread for that...
I'd be very grateful for a pointer or two!
_________________
Netgear R7800 PPPoE Main Router
Network IPv4 - Isolated VLANs with IoT devices. Unifi AC-Pro x 3 APs, router Wi-Fi disabled. OVPN server with paid commercial WireGuard clients. Gateway mode, DNSMasq, static leases & DHCP, Pi-Hole DNS & running Unbound.
No one can build you the bridge on which you, and only you, must cross the river of life!
Posted: Mon Mar 29, 2021 13:56 Post subject:
Good catch, foz111!
aelfinn, you'll need to give that one computer a static DHCP lease (of an IP address) on the GUI>Services>Services page (or in DHCPMasq Additional Options... many forum posts out there on details). Pick an address NOT in the DHCP range.
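As an added, constructed example (not DD-WRT code and not from any poster), the following Python script checks the three constraints the answers above rely on: the VAP's DHCP pool must sit entirely inside the CIDR placed in the PBR field, a single wired host routed via /32 needs a static lease that does not collide with the dynamic pool, and the peer's Allowed IPs of 0.0.0.0/1,128.0.0.0/1 must together cover all of IPv4. The addresses are the ones quoted in the thread; the function names are my own.

```python
import ipaddress

# Constructed values, taken from the numbers quoted in the thread.
PBR_SUBNET = "192.168.1.128/26"        # PBR field for the whole VAP
DHCP_START, DHCP_MAX = "192.168.1.128", 64
SINGLE_HOST_PBR = "192.168.1.6/32"     # PBR field for one wired PC
ALLOWED_IPS = "0.0.0.0/1,128.0.0.0/1"  # Allowed IPs on the VPN peer


def pbr_routes_host(pbr_field, host_ip):
    """True if host_ip matches any comma-separated CIDR in the PBR field,
    i.e. that host's traffic is sent into the tunnel; anything else bypasses it."""
    ip = ipaddress.ip_address(host_ip)
    nets = (ipaddress.ip_network(c.strip(), strict=False) for c in pbr_field.split(","))
    return any(ip in n for n in nets)


def dhcp_pool(start_ip, max_leases):
    """Addresses a DHCP server hands out given a start address and a lease count."""
    start = ipaddress.ip_address(start_ip)
    return [start + i for i in range(max_leases)]


def pool_inside_pbr(pbr_cidr, start_ip, max_leases):
    """Every dynamic lease must fall inside the PBR subnet; a pool that spills
    past the /26 means some VAP clients quietly reach the internet unprotected."""
    net = ipaddress.ip_network(pbr_cidr, strict=False)
    return all(a in net for a in dhcp_pool(start_ip, max_leases))


def lease_outside_pool(static_ip, start_ip, max_leases):
    """A static lease must not overlap the dynamic pool, or a second client
    could be handed the 'tunnelled' address."""
    return ipaddress.ip_address(static_ip) not in dhcp_pool(start_ip, max_leases)


def allowed_ips_cover_ipv4(allowed_field):
    """The two /1 halves should collapse to 0.0.0.0/0: all IPv4 is routable via
    the peer without installing a literal default route on the router."""
    nets = [ipaddress.ip_network(c.strip()) for c in allowed_field.split(",")]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    print("VAP pool inside PBR:", pool_inside_pbr(PBR_SUBNET, DHCP_START, DHCP_MAX))
    print("static lease outside pool:", lease_outside_pool("192.168.1.6", DHCP_START, DHCP_MAX))
    print("only the /32 host is tunnelled:", pbr_routes_host(SINGLE_HOST_PBR, "192.168.1.6"),
          not pbr_routes_host(SINGLE_HOST_PBR, "192.168.1.7"))
    print("peer covers all IPv4:", allowed_ips_cover_ipv4(ALLOWED_IPS))
```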
No need for VLANs, doesn't matter if LAN or WLAN.
If you only need 1 IP routing through the WireGuard VPN, simply add that IP into the policy-based routing field as IP/32, e.g. 192.168.1.6/32. Allowed IPs: 0.0.0.0/1,128.0.0.0/1
Don't overcomplicate it!
Good catch, indeed! Thanks a lot! In this case, I was in fact overthinking things.
For future reference, though, how would I do it if it had to be a specific LAN port on the router that had to be routed through the VPN tunnel (e.g. if it was different machines connecting to that port)?
Posted: Mon Mar 29, 2021 15:34 Post subject:
aelfinn wrote:
For future reference, though, how would I do it if it had to be a specific LAN port on the router that had to be routed through the VPN tunnel (e.g. if it was different machines connecting to that port)?
[Router is a Linksys EA6300v1]
That case requires separating the 4 ethernet ports into two VLANs, with 3 ports and one port. The 3-port VLAN is left bridged to wherever your four ports are bridged now, and the 1-port VLAN is given its own bridge and IP address for PBR. One would not think a bridge necessary for one port and no wifi, but at least in the Marvell-hardware case -- your router uses Broadcom hardware, not Marvell -- a bridge was necessary in order for initialization to work right.
I know no details myself about setting up VLANs for Broadcom routers, but I believe it's been heavily discussed in the Broadcom forum.
I think I can get the VLANs sorted out, but in spite of reading quite a bit about this, I’m still unclear on whether a bridge would be required and if so, where to?
Posted: Wed Mar 31, 2021 1:27 Post subject:
aelfinn wrote:
I think I can get the VLANs sorted out, but in spite of reading quite a bit about this, I’m still unclear on whether a bridge would be required and if so, where to?
A bridge doesn't have to go "to" something. It's more of a meeting place where a set of interfaces hang out and communicate freely (without dealing with routing and the firewall). Actually there's no harm in only having one interface (a VLAN in this discussion) there.
It's been a couple of years so YMMV, but in the Marvell case way back when, it turned out that even though a bridge was unnecessary in principle - one should just be able to check "unbridged" for that VLAN on the networking page - in practice it was necessary in order to get things to initialize in the right sequence when booting up.