Wireguard LOCAL traffic over tunnel

I’m stuck trying to get my VyOS box itself to send internet traffic to the WireGuard tunnel. I have mostly followed this guide (VyOS Policy Based Routing with WireGuard + Mullvad) and got my LAN and VLANs working. I set up a policy based route, and said everything that’s not destined for, use wireguard. I then applied that policy to eth1, and eth1 vif 2. Works great.
But, I applied that policy to the eth0 interface, and nope. The box itself still uses local isp.
What’s the trick that I’m missing?
I can provide configs, just didn’t know what was necessary and didn’t want to flood the post.

There’s not really enough info here to understand the problem sorry.

“The box itself” - what box? The Router? The router is going to have to use the Internet to route to the VPN. It’s also not going to use the VPN for DNS lookups etc. Is that what’s out eth0? You don’t say.

If you want everything to go via the VPN, why don’t you just install a static route going via the VPN? (Make SURE you leave a more specific /32 route to your VPN Provider, otherwise you’ll try to route to your VPN over your VPN, and nothing will work.)

Probably eth0 is your route to the Internet (I’m guessing). Policy routing only applies to traffic coming into the Interface, not going out of it.

Are you understanding what you’re trying to do, or just blindly trying things?

You can use

policy local-route rule x source x.x.x.x


Thank you @Viacheslav . Right what I’m looking for.
Would be great if I could set destination and source groups. Like this for non-local routes:

set policy route VPN rule 1 destination group network-group 'internals'

So that I could easily create groups of IPs that go over main, and others that go over my custom table.

It appears that “set policy local-route…” only allows for specific IP addresses or CIDR ranges.


Nice one @Viacheslav - apologies @jbhardman for my obviously unhelpful initial reply. I’ve learnt something new today myself.


It is also used for non-local routes; for all routes, source/destination match SRC or DST addresses.
It doesn’t matter if it is a local or non-local route.
And yes, it doesn’t support groups, so you have to set CIDRs.

It’s a nice feature :)
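
Added example, not part of the thread or of VyOS itself: since `policy local-route` takes no groups, this Python helper expands a list of source prefixes into one rule per prefix, merging duplicates and adjacent ranges first. The `source` form is the one quoted above; the `set table` line is the VyOS command that binds a rule to a routing table. Table 100, the rule numbering and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample "group": addresses the router itself sources traffic from.
SAMPLE_GROUP = [
    "192.0.2.10",
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the /25 above, merges into a /24
    "192.0.2.10/32",       # duplicate of the first entry
]


def local_route_commands(cidrs, table, first_rule=10, step=10):
    """Expand source prefixes into VyOS 'policy local-route' set commands.

    Each resulting prefix gets its own rule because local-route has no
    group matching. Raises ValueError on a malformed prefix (including
    host bits set, e.g. 10.0.0.1/24) so a typo never silently leaves
    router-originated traffic on the main table.
    """
    if not isinstance(table, int) or table <= 0:
        raise ValueError("table must be a positive integer")

    # strict=True rejects prefixes with host bits set instead of masking them.
    nets = [ipaddress.IPv4Network(c, strict=True) for c in cidrs]

    commands = []
    rule = first_rule
    # collapse_addresses sorts, de-duplicates and merges adjacent prefixes.
    for net in ipaddress.collapse_addresses(nets):
        commands.append(f"set policy local-route rule {rule} source {net}")
        commands.append(f"set policy local-route rule {rule} set table {table}")
        rule += step
    return commands


if __name__ == "__main__":
    for line in local_route_commands(SAMPLE_GROUP, table=100):
        print(line)
```

The chosen table still needs its own default route via the WireGuard interface, and the tunnel endpoint must stay reachable over the ISP link, as the earlier reply about the /32 route points out.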