Wireguard - Policy Based Routing - R9000 - 46069 [SOLVED]

DD-WRT Forum Index -> Advanced Networking
Page 1 of 2
Night Prowler
DD-WRT Novice


Joined: 15 Jan 2016
Posts: 49

PostPosted: Tue Jul 20, 2021 15:48    Post subject: Wireguard - Policy Based Routing - R9000 - 46069 [SOLVED]
Router: R9000
Firmware: DD-WRT v3.0-r46069 std (03/17/21)

I just switched to Wireguard from OpenVPN.

In OpenVPN I only have a few IPs that are accessible through the VPN, and if the VPN drops it kills that connection.

Firewall Commands:

iptables -I FORWARD -s 192.168.1.2 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.1.3 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.1.4 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.1.5 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.1.6 -o $(nvram get wan_iface) -j DROP

This above is not working with Wireguard. However there is a "Policy Based Routing" option in the Wireguard configuration window. I'm not finding any information on how to configure that, and any help would be greatly appreciated Smile

Thank you in advance...

_________________
Michael Steele
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 13178
Location: Texas, USA

PostPosted: Tue Jul 20, 2021 16:00    Post subject:
Moved to Advanced Networking forum. Read the stickies. And you should consider upgrading to 47074.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
At some point, people just get plain tired of this place.
Because they are tired of bottom-feeders and the same old hat.

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 11219
Location: Netherlands

PostPosted: Tue Jul 20, 2021 16:02    Post subject:
WireGuard documentation (just like OpenVPN) is a sticky in this forum Smile

Links also in my signature

The OpenVPN and WireGuard built-in killswitch is intelligent, meaning if you use PBR it should block only the PBR clients (recent builds, that is), so you do not need any firewall rules.

It is experimental so always check if it is working as advertised (or simply add your own for safety as you did)

The Client setup guide, page 8: Options settings, will tell you more.

Otherwise feel free to ask

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Night Prowler
DD-WRT Novice


Joined: 15 Jan 2016
Posts: 49

PostPosted: Tue Jul 20, 2021 16:18    Post subject:
I was unable to get the firewall rules to work.

In Wireguard Tunneling there is a PBR option box that did work, as listed below, and tested. Any IP outside the below goes out through my default ISP IP.

192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6

Now I'm assuming I can tick the Kill switch box in Tunneling and it will know to kill the IPs that are listed in the PBR option?

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 11219
Location: Netherlands

PostPosted: Tue Jul 20, 2021 16:28    Post subject:
That is how it should work indeed.

But as said always check.

Night Prowler
DD-WRT Novice


Joined: 15 Jan 2016
Posts: 49

PostPosted: Tue Jul 20, 2021 16:51    Post subject:
It has been several years since I messed with any of this as I just upgraded to an R9000 from an R7000 router.

How would I go about testing the kill switch?

I'm guessing that if the kill switch was not ticked then it would just roll over to the normal non-VPN connection out, correct?

My PBR is: 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6

Do I need to add the subnet /32 to the end of each IP?

I'm upgrading to the latest firmware, fingers crossed Smile

Thanks...

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 11219
Location: Netherlands

PostPosted: Tue Jul 20, 2021 17:07    Post subject:
Night Prowler wrote:
It has been several years since I messed with any of this as I just upgraded to an R9000 from an R7000 router.

How would I go about testing the kill switch?

I'm guessing that if the kill switch was not ticked then it would just roll over to the normal non-VPN connection out, correct?

My PBR is: 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6

Do I need to add the subnet /32 to the end of each IP?

I'm upgrading to the latest firmware, fingers crossed Smile

Thanks...


You actually should/could add /32 to make it clear it is only the one IP address (with CIDR notation you can have fewer lines), but dd-wrt/linux is smart enough to 'add' /32, so you should be fine; a purist like me always adds /32 Smile

Testing is difficult, as the routing kicks in rather quickly for PBR. There is a small window where the routing is not present, so reboot the router and, while it reboots, see if you get your WAN; if not, you should be fine.

Actually I made it so what could possibly go wrong Smile

Edit: but seriously if you are really wanting to be sure just add your own killswitch and add it to the firewall.
Something like this should work:
Code:
iptables -I FORWARD -s <my-client-ip> -o $(get_wanface) -j REJECT


Test the rule by disabling WG (your settings are retained)

Night Prowler
DD-WRT Novice


Joined: 15 Jan 2016
Posts: 49

PostPosted: Tue Jul 20, 2021 17:42    Post subject:
Ok, I'll give it a try.

OpenVPN on a R7000 200mbps connection averaged 35mbps
Wireguard on a R7000 200mbps connection unable to configure

OpenVPN on a R9000 200mbps connection averaged 150mbps
Wireguard on a R9000 200mbps connection averaged 225mbps

I'm thrilled, so far on the R9000 and Wireguard...

Thanks...

Night Prowler
DD-WRT Novice


Joined: 15 Jan 2016
Posts: 49

PostPosted: Tue Jul 20, 2021 18:45    Post subject:
egc wrote:
You actually should/could add /32 to make it clear it is only the one IP address (with CIDR notation you can have fewer lines), but dd-wrt/linux is smart enough to 'add' /32, so you should be fine; a purist like me always adds /32 Smile

Testing is difficult, as the routing kicks in rather quickly for PBR. There is a small window where the routing is not present, so reboot the router and, while it reboots, see if you get your WAN; if not, you should be fine.

Actually I made it so what could possibly go wrong Smile

Edit: but seriously if you are really wanting to be sure just add your own killswitch and add it to the firewall.
Something like this should work:
Code:
iptables -I FORWARD -s <my-client-ip> -o $(get_wanface) -j REJECT


Test the rule by disabling WG (your settings are retained)


After updating to Wireguard everything in my firewall config does not work.

Code:
iptables -I FORWARD -i tun1 -p udp -d 192.168.1.3 --dport 4000 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.3 --dport 4000 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 4000 -j DNAT --to-destination 192.168.1.3
iptables -t nat -I PREROUTING -i tun1 -p udp --dport 4000 -j DNAT --to-destination 192.168.1.3
iptables -I FORWARD -s 192.168.1.2 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.1.3 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.1.4 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.1.5 -o $(nvram get wan_iface) -j DROP
iptables -I FORWARD -s 192.168.1.6 -o $(nvram get wan_iface) -j DROP


Do you have any suggestions as to why my firewall config is failing?

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 11219
Location: Netherlands

PostPosted: Tue Jul 20, 2021 19:18    Post subject:
It depends where you put those rules; if placed under Administration/Commands and Save Firewall, they should be there.

The best way to view your firewall rules is from the command line with:
Code:
iptables -vnL FORWARD


That is to see the FORWARD rules.

The PREROUTING rules are in the nat table: -t nat

This looks like port forwarding on the VPN.
You can run a VPN and a WG tunnel when both are on PBR, but you cannot port forward via the VPN and have the same IP address in the PBR of WireGuard.

Furthermore:
$(nvram get wan_iface) is unreliable and should not be used

Night Prowler
DD-WRT Novice


Joined: 15 Jan 2016
Posts: 49

PostPosted: Tue Jul 20, 2021 20:04    Post subject:
egc wrote:
This looks like port forwarding on the VPN.
You can run a VPN and a WG tunnel when both are on PBR, but you cannot port forward via the VPN and have the same IP address in the PBR of WireGuard.

Furthermore:
$(nvram get wan_iface) is unreliable and should not be used


Is there a solution to using port forward so I can access that PC from the outside on port 4000 when it is tied to PBR in Wireguard?

Is that the reason why PBR is not working from the Firewall?

I tried: iptables -I FORWARD -s 192.168.1.3 -o $(get wan_iface) -j REJECT

The above failed too.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 11219
Location: Netherlands

PostPosted: Tue Jul 20, 2021 20:36    Post subject:
How do you know it failed? It is a killswitch for that client.

You can see all rules in action with:
iptables -vnL FORWARD

To answer your question: you cannot reach a client which is using Wireguard or OpenVPN via the WAN.

You can reach that client via wireguard or openvpn if you port forward via that same vpn but not via the WAN.

The rules you showed earlier were a port forward via the openvpn client.

You can do the same for WG, but of course your VPN provider has to support port forwarding for WG.

Night Prowler
DD-WRT Novice


Joined: 15 Jan 2016
Posts: 49

PostPosted: Tue Jul 20, 2021 20:50    Post subject:
I am in contact with my VPN provider and it does appear to be something they have to fix.

I'm not sure why my firewall is not allowing PBR. Maybe I'll revisit that after port forwarding is fixed.

Thank you so much for your help...

Night Prowler
DD-WRT Novice


Joined: 15 Jan 2016
Posts: 49

PostPosted: Wed Jul 21, 2021 20:01    Post subject:
egc wrote:
Furthermore:
$(nvram get wan_iface) is unreliable and should not be used


I have tried the below with DROP and REJECT. When I disable (drop) Wireguard it reverts back to my ISP connection. It should block connection to the outside if Wireguard is disabled, or the VPN connection drops.

iptables -I FORWARD -s 192.168.1.2 -o $(get wanface) -j DROP
iptables -I FORWARD -s 192.168.1.3 -o $(get wanface) -j DROP

Also, if I change the IP to 192.168.1.9 while Wireguard is enabled it should revert back through my ISP connection, but it is still going through Wireguard. I only want 192.168.1.2 and 192.168.1.3 to go through the VPN, everything else to go out through my ISP.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 11219
Location: Netherlands

PostPosted: Wed Jul 21, 2021 20:45    Post subject:
We can only see what is going on if you show the output of:
iptables -vnL FORWARD
Executed from the command line interface e.g. telnet or putty.

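As an added example (not code from this thread or from DD-WRT itself), here is a kill-switch script that ties together the advice above: it normalises bare client addresses to /32 as egc suggests, uses get_wanface rather than $(nvram get wan_iface) to find the WAN interface, emits the REJECT rules egc posted for each PBR client, and then checks the output of iptables -vnL FORWARD to confirm the rules are actually in place. The client list and the sample iptables output are constructed for illustration; the get_wanface helper and the nvram fallback are the ones named in the thread. Everything else (function names, the WAN_IFACE_UNKNOWN placeholder) is my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: a WireGuard PBR
# kill switch for the Administration -> Commands -> "Save Firewall" box, plus
# a checker for `iptables -vnL FORWARD` output. Assumptions: the client list
# below is constructed, get_wanface is the DD-WRT helper egc recommends, and
# the sample iptables output is constructed to match the -vnL column layout.

# Constructed: LAN clients that are in the WireGuard PBR list and must never
# leave via the ISP. Bare addresses are accepted and normalised to /32.
PBR_CLIENTS="192.168.1.2 192.168.1.3 192.168.1.4/32 192.168.1.5 192.168.1.6"

# Append /32 when no prefix length is given, so the rule states its intent.
normalise_cidr() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# Resolve the WAN interface: get_wanface first (as egc advises), nvram as a
# fallback. Prints nothing and returns non-zero when neither yields a name.
wan_iface() {
    w=''
    if command -v get_wanface >/dev/null 2>&1; then
        w=$(get_wanface)
    elif command -v nvram >/dev/null 2>&1; then
        w=$(nvram get wan_iface)
    fi
    [ -n "$w" ] && printf '%s\n' "$w"
}

# Emit one iptables command per client. -I puts the rule at the top of FORWARD,
# ahead of any ACCEPT, and REJECT gives the client an immediate error instead
# of a hung connection while the tunnel is down.
killswitch_rules() {
    wan=$1
    for c in $2; do
        printf 'iptables -I FORWARD -s %s -o %s -j REJECT\n' \
            "$(normalise_cidr "$c")" "$wan"
    done
}

# Read `iptables -vnL FORWARD` output on stdin and succeed only if a REJECT or
# DROP rule exists for the client towards the WAN interface. Column order in
# -vnL output is: pkts bytes target prot opt in out source destination, and
# iptables prints a /32 source without the prefix, so strip it before matching.
has_killswitch_rule() {
    src=${1%/32}
    awk -v src="$src" -v out="$2" '
        ($3 == "REJECT" || $3 == "DROP") && $7 == out && $8 == src { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `iptables -vnL FORWARD` after installing two rules;
# 192.168.1.9 deliberately has none.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      eth0    192.168.1.2          0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      eth0    192.168.1.3          0.0.0.0/0            reject-with icmp-port-unreachable
  842 61202 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Install the rules on the router, then confirm each one is really present.
install_killswitch() {
    wan=$(wan_iface) || { echo "cannot determine WAN interface" >&2; return 1; }
    killswitch_rules "$wan" "$PBR_CLIENTS" | while read -r cmd; do
        $cmd || echo "failed: $cmd" >&2
    done
    for c in $PBR_CLIENTS; do
        iptables -vnL FORWARD | has_killswitch_rule "$(normalise_cidr "$c")" "$wan" \
            || { echo "kill switch missing for $c" >&2; return 1; }
    done
}

# `sh killswitch.sh apply` installs and verifies on the router; with no
# argument it is a dry run that prints the rules and checks the sample output.
if [ "${1:-}" = "apply" ]; then
    install_killswitch
else
    killswitch_rules "$(wan_iface || echo WAN_IFACE_UNKNOWN)" "$PBR_CLIENTS"
    printf '%s\n' "$SAMPLE_FORWARD" | has_killswitch_rule 192.168.1.2/32 eth0 \
        && echo "sample: 192.168.1.2 is covered"
    printf '%s\n' "$SAMPLE_FORWARD" | has_killswitch_rule 192.168.1.9/32 eth0 \
        || echo "sample: 192.168.1.9 is NOT covered"
fi
```

Run it without arguments on any machine to see the rules it would install (the WAN name shows as the WAN_IFACE_UNKNOWN placeholder off-router); on the router, paste the functions plus a call to install_killswitch into the firewall box, or run it with apply. The verification step is the point of the thread's later posts: a rule you cannot see in iptables -vnL FORWARD is not protecting anything, so the script fails loudly rather than assuming the insert worked.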