Wireguard LOCAL traffic over tunnel

jbhardman · October 25, 2022, 11:09pm

I’m stuck trying to get my vyos box itself to send internet traffic to the wireguard tunnel. I have mostly followed this guide (VyOS Policy Based Routing with WireGuard + Mullvad) and got my lan and vlan’s working. I setup a policy based route, and said everything that’s not destined for 10.0.0.0/8, use wireguard. I then applied that policy to eth1, and eth1 vif 2. Works great.
But, I applied that policy to the eth0 interface, and nope. The box itself still uses local isp.
What’s the trick that I’m missing?
I can provide configs, just didn’t know what was necessary and didn’t want to flood the post.

tjh · October 26, 2022, 2:49am

There’s not really enough info here to understand the problem sorry.

“The box itself” - what box? The Router? The router is going to have to use the Internet to route to the VPN. It’s also not going to use the VPN for DNS lookups etc. Is that what’s out eth0? You don’t say.

If you want everything to go via the VPN, why don’t you just install a static route going via the VPN (make SURE you leave a more specific /32 route to your VPN Provider, otherwise you’ll try to route to your VPN over your VPN, and nothing will work)

Probably eth0 is your route to the Internet (I’m guessing). Policy routing only applies to traffic coming into the Interface, not going out of it.

Are you understanding what you’re trying to do, or just blindly trying things?

Viacheslav · October 26, 2022, 5:19am

You can use

policy local-route rule x source x.x.x.x

jbhardman · October 26, 2022, 4:03pm

Thank you @Viacheslav . Right what I’m looking for.
Would be great if I could set destination and source groups. Like this for non-local routes:

set policy route VPN rule 1 destination group network-group 'internals'

So that I could easily create groups of IP’s that go over main, and others that go over my custom table.

It appears that “set policy local-route…” only allows for specific IP addresses or cidr ranges.

tjh · October 26, 2022, 4:22pm

Nice one @Viacheslav - apologies @jbhardman for my obviously unhelpful inital reply. I’ve learnt something new today myself.

Viacheslav · October 26, 2022, 4:25pm

It used also for non local routes, for all routes source/destination match SRS or DST addresses
It doesn’t matter if it local or not local route
And yes It doesn’t support groups so you have to set CIDR’s

Viacheslav · October 26, 2022, 4:25pm

It’s a nice feature