Setting Up a WireGuard Client with Policy-Based Routing on OpenWrt

From Jwiki

This guide outlines how to configure an OpenWrt router to connect to a commercial or private WireGuard VPN as a client and then use Policy-Based Routing (PBR) to selectively route traffic from specific devices on your LAN through the VPN tunnel. This allows some devices to benefit from the VPN while others use the standard, faster WAN connection.

1. Install Required Packages

First, connect to your router via SSH or use the LuCI web interface (System -> Software) to install the necessary packages.

# Update package lists
opkg update

# Install packages for WireGuard and the PBR application
opkg install luci-app-wireguard wireguard-tools luci-app-pbr

2. Configure the WireGuard Client Interface

Next, we will create the network interface for the WireGuard tunnel.

  1. Navigate to Network -> Interfaces and click Add new interface....
  2. Give the interface a name, for example, `wg_client`.
  3. For the protocol, select WireGuard VPN.
  4. Click Create interface.

On the configuration page that appears, fill out the General Settings tab:

  • Private Key: Paste the private key for your client.
  • IP Addresses: Enter the IP address assigned to you by the VPN provider (e.g., `10.100.0.253/24`).

Now, move to the Peers tab and click Add peer:

  • Public Key: Paste the public key of the VPN server.
  • Allowed IPs: Enter `0.0.0.0/0` and `::/0`. This is WireGuard's cryptokey routing table for the peer: it limits which destination addresses the interface may send to the server and which source addresses it will accept back from it. Allowing everything lets the tunnel carry any destination; the PBR service, not the WireGuard interface, decides which traffic is actually sent into it.
  • Route Allowed IPs: Leave this unchecked. If it is checked, OpenWrt installs routes for the Allowed IPs, which here means default routes, and all of the router's traffic (including the devices you wanted to keep on the WAN) goes through the VPN.
  • Endpoint Host: The domain name or IP address of your VPN server.
  • Endpoint Port: The port your VPN server is listening on.
  • Persistent Keepalive: A value of `25` (seconds) is recommended so that the NAT mapping on your WAN stays open between bursts of traffic.

Click Save, then navigate back to Network -> Interfaces and click Save & Apply.

Resulting UCI Configuration

Your changes will be saved in `/etc/config/network`. The new section will look similar to this:

# In /etc/config/network

config interface 'wg_client'
        option proto 'wireguard'
        option private_key '<YOUR_PRIVATE_KEY>'
        list addresses '10.100.0.253/24'
        # 1420 is WireGuard's default on Linux; setting it explicitly keeps the
        # value visible here and gives the firewall's MSS clamping a known MTU
        option mtu '1420'

config wireguard_wg_client
        option public_key '<PEER_PUBLIC_KEY>'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        # route_allowed_ips is intentionally absent (default 0): set to 1, these
        # two prefixes would become default routes for the whole router
        option endpoint_host 'your-vpn-server.com'
        option endpoint_port '51820'
        option persistent_keepalive '25'

3. Configure the Firewall

A dedicated firewall zone is required to manage traffic for the new WireGuard interface.

  1. Navigate to Network -> Firewall.
  2. Under the Zones section, click Add.
  3. Configure the new zone as follows:
    • Name: Give it a descriptive name, like `wg_fw`.
    • Input: `REJECT` (nothing on the far side of the tunnel should reach the router itself)
    • Output: `ACCEPT`
    • Forward: `REJECT`
    • Masquerading: checked. Packets leaving through the tunnel must carry the tunnel address (`10.100.0.253`) as their source. The server only accepts traffic from the addresses listed in its Allowed IPs for your peer and silently drops packets that still carry your LAN addresses, so without masquerading the PBR clients get no replies.
    • Covered networks: Select your new `wg_client` interface.
    • Allow forward to destination zones: Leave empty. The tunnel is a client; nothing arriving from it should be forwarded on to the WAN or the LAN.
    • Allow forward from source zones: Select `lan`.

Enable MSS Clamping (Crucial for Stability)

While editing the firewall zone, go to the Advanced Settings tab and check MSS clamping. It rewrites the MSS in TCP SYN packets passing through the zone so that segments fit within the tunnel's 1420-byte MTU. Without it, hosts that never receive the ICMP "fragmentation needed" messages (a PMTUD black hole) see connections that open and then hang.

Click Save, then Save & Apply.

Resulting UCI Configuration

Your changes will be saved in `/etc/config/firewall`:

# In /etc/config/firewall

config zone
        option name 'wg_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # Masquerading: rewrite the source of packets leaving via the tunnel
        # to the tunnel address, otherwise the server drops them
        option masq '1'
        # MSS clamping
        option mtu_fix '1'
        list network 'wg_client'

config forwarding
        option src 'lan'
        option dest 'wg_fw'

4. Configure Policy-Based Routing

This is where you will specify which devices on your network should use the VPN tunnel.

  1. Navigate to Services -> Policy-Based Routing.
  2. Ensure the service is Enabled at the top of the page.
  3. In the Policies section, click Add.
  4. Configure the new policy:
    • Name: A description for the rule (e.g., `Pterodactyl_VPN`).
    • Local Address / Subnet: The IP address of the device you want to route through the VPN (e.g., `10.0.1.105/32`). You can also specify a whole subnet.
    • Interface: In the dropdown, select your `wg_client` interface.

Click Save, then Save & Apply. pbr does the plumbing itself: it creates a routing table for `wg_client` whose default route points into the tunnel, marks packets from the listed source addresses in the firewall (nftables on current OpenWrt), and adds an `ip rule` that sends marked packets to that table. One option worth knowing about is `strict_enforcement` in the service's main settings, which defaults to on in the packaged config: with it enabled, traffic matching a policy is blocked while the policy's interface is down instead of quietly falling back to the WAN. Confirm its value with `uci get pbr.config.strict_enforcement`.
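The same configuration from steps 2 to 4, written as `uci batch` commands so it can be applied over SSH instead of through LuCI. This is an added example, not part of the original page: keys, addresses and the endpoint are placeholders for the values your provider gave you, and the section names `wg_client_peer` and `lan_to_wg_fw` are chosen here so the script can be re-run safely (LuCI would create anonymous sections instead).

```sh
#!/bin/sh
# Added example, not from the original page: steps 2 to 4 of the guide as
# `uci batch` commands. Keys, addresses and the endpoint are placeholders;
# replace them with the values your VPN provider gave you.

WG_IF="wg_client"                          # tunnel interface (step 2)
WG_ZONE="wg_fw"                            # firewall zone (step 3)
WG_ADDR="10.100.0.253/24"                  # address assigned by the provider
WG_PRIVKEY="${WG_PRIVKEY:-<YOUR_PRIVATE_KEY>}"
PEER_PUBKEY="${PEER_PUBKEY:-<PEER_PUBLIC_KEY>}"
PEER_HOST="your-vpn-server.com"
PEER_PORT="51820"
PBR_NAME="Pterodactyl_VPN"                 # policy name (step 4)
PBR_CLIENT="10.0.1.105/32"                 # LAN device to send through the tunnel

# Tunnel interface and peer. route_allowed_ips is left at its default of 0 on
# purpose: with it set, 0.0.0.0/0 and ::/0 would become the router's default routes.
network_batch() {
    cat <<EOF
delete network.${WG_IF}
set network.${WG_IF}=interface
set network.${WG_IF}.proto='wireguard'
set network.${WG_IF}.private_key='${WG_PRIVKEY}'
set network.${WG_IF}.mtu='1420'
add_list network.${WG_IF}.addresses='${WG_ADDR}'
delete network.${WG_IF}_peer
set network.${WG_IF}_peer=wireguard_${WG_IF}
set network.${WG_IF}_peer.public_key='${PEER_PUBKEY}'
add_list network.${WG_IF}_peer.allowed_ips='0.0.0.0/0'
add_list network.${WG_IF}_peer.allowed_ips='::/0'
set network.${WG_IF}_peer.endpoint_host='${PEER_HOST}'
set network.${WG_IF}_peer.endpoint_port='${PEER_PORT}'
set network.${WG_IF}_peer.persistent_keepalive='25'
EOF
}

# Zone with masquerading and MSS clamping, plus the lan -> zone forwarding.
firewall_batch() {
    cat <<EOF
delete firewall.${WG_ZONE}
set firewall.${WG_ZONE}=zone
set firewall.${WG_ZONE}.name='${WG_ZONE}'
set firewall.${WG_ZONE}.input='REJECT'
set firewall.${WG_ZONE}.output='ACCEPT'
set firewall.${WG_ZONE}.forward='REJECT'
set firewall.${WG_ZONE}.masq='1'
set firewall.${WG_ZONE}.mtu_fix='1'
add_list firewall.${WG_ZONE}.network='${WG_IF}'
delete firewall.lan_to_${WG_ZONE}
set firewall.lan_to_${WG_ZONE}=forwarding
set firewall.lan_to_${WG_ZONE}.src='lan'
set firewall.lan_to_${WG_ZONE}.dest='${WG_ZONE}'
EOF
}

# One pbr policy: traffic from PBR_CLIENT leaves through WG_IF.
pbr_batch() {
    cat <<EOF
set pbr.config.enabled='1'
delete pbr.${PBR_NAME}
set pbr.${PBR_NAME}=policy
set pbr.${PBR_NAME}.name='${PBR_NAME}'
set pbr.${PBR_NAME}.src_addr='${PBR_CLIENT}'
set pbr.${PBR_NAME}.interface='${WG_IF}'
set pbr.${PBR_NAME}.enabled='1'
EOF
}

# Everything, ending with the commits that write /etc/config/{network,firewall,pbr}.
full_batch() {
    network_batch
    firewall_batch
    pbr_batch
    printf 'commit network\ncommit firewall\ncommit pbr\n'
}

# Review first:  sh wg-pbr.sh
# Then apply:    WG_PRIVKEY=... PEER_PUBKEY=... sh wg-pbr.sh | uci -q batch
#                /etc/init.d/network reload; /etc/init.d/firewall restart; /etc/init.d/pbr restart
full_batch
```

Run it once without piping to read the batch, then pipe it into `uci -q batch` (the `-q` silences the "Entry not found" messages from the `delete` lines on a first run) and reload the services as in the trailing comment.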

5. Apply and Verify

Reboot your router or restart the network, firewall, and PBR services to ensure all settings are active.

Verification Steps

  1. Check PBR Status: Navigate to Services -> Policy-Based Routing and look at the "Active Policies" table. Your new rule should be present and active.
  2. Test from a PBR Client: From the device you specified in the PBR rule (`10.0.1.105`), check your public IP. It should be the IP of your VPN server.

     curl ifconfig.me
     # Expected output: <Your_VPN_Server_IP>

  3. Test from a Non-PBR Client: From any other device on your LAN, check your public IP. It should be your regular internet IP.

     curl ifconfig.me
     # Expected output: <Your_ISP_IP>

These checks cover the devices' own traffic only. DNS is a separate path: a device that uses the router's dnsmasq as its resolver has its lookups forwarded by the router, whose own traffic follows the main routing table and leaves over the WAN, so the names the device resolves are visible to your ISP even though the connections themselves go through the tunnel. If that matters, point that device at a resolver reachable through the tunnel, such as one your VPN provider runs inside its network.
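Before touching any LAN device, the same two facts (is the tunnel up, and which hosts the policy sends into it) can be checked on the router itself over SSH. The script below is an added example, not from the original page: it reads the handshake age from `wg show` and asks the kernel how it would route a packet from each client with `ip route get ... from ... iif ...`, which honours the `ip rule`s pbr installed. The LAN bridge name `br-lan` and the second client address `10.0.1.50` are assumptions; the handshake and route lines in the comments are constructed samples.

```sh
#!/bin/sh
# Added example, not from the original page: verification to run on the router
# (over SSH) after Save & Apply. Names follow the guide; br-lan and the second
# client address 10.0.1.50 are assumed, and the sample lines are constructed.

WG_IF="wg_client"
LAN_DEV="br-lan"            # assumed LAN bridge (OpenWrt default)
PBR_CLIENT="10.0.1.105"     # the device in the PBR policy
OTHER_CLIENT="10.0.1.50"    # assumed: a device that must stay on the WAN
MAX_HANDSHAKE_AGE=180       # seconds; with keepalive 25 s a live peer rekeys about every 2 min

# Outgoing device from one line of `ip route get` output, e.g. (constructed)
# "1.1.1.1 from 10.0.1.105 dev wg_client table 6001 src 10.100.0.253 uid 0" -> wg_client
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Age in seconds of the newest handshake in `wg show <if> latest-handshakes`
# output ("<peer public key><TAB><unix time>" per peer); -1 if none ever completed.
handshake_age() {
    printf '%s\n' "$1" | awk -v now="$2" '
        $2 > newest { newest = $2 }
        END { if (newest == 0) print "-1"; else print now - newest }'
}

# Succeeds when the tunnel has handshaked recently enough to be carrying traffic.
tunnel_up() {
    age=$(handshake_age "$1" "$2")
    if [ "$age" -ge 0 ] && [ "$age" -le "$MAX_HANDSHAKE_AGE" ]; then
        return 0
    fi
    return 1
}

# Ask the kernel how a packet from SRC arriving on the LAN would be routed.
# pbr's ip rules are consulted, so this shows the policy decision for that host.
routed_via() {
    route_dev "$(ip -4 route get 1.1.1.1 from "$1" iif "$LAN_DEV" 2>/dev/null | head -n 1)"
}

run_checks() {
    now=$(date +%s)
    hs=$(wg show "$WG_IF" latest-handshakes 2>/dev/null)
    if tunnel_up "$hs" "$now"; then
        echo "OK   $WG_IF last handshake $(handshake_age "$hs" "$now") s ago"
    else
        echo "FAIL $WG_IF has no recent handshake: check private key, peer key, endpoint and port"
    fi

    dev=$(routed_via "$PBR_CLIENT")
    if [ "$dev" = "$WG_IF" ]; then
        echo "OK   $PBR_CLIENT -> $dev"
    else
        echo "FAIL $PBR_CLIENT -> ${dev:-no route} (expected $WG_IF; is the pbr service enabled and running?)"
    fi

    dev=$(routed_via "$OTHER_CLIENT")
    if [ -n "$dev" ] && [ "$dev" != "$WG_IF" ]; then
        echo "OK   $OTHER_CLIENT -> $dev"
    else
        echo "FAIL $OTHER_CLIENT -> ${dev:-no route} (must not use $WG_IF)"
    fi
}

# The checks need wg(8) and pbr's rules, so they only make sense on the router.
if command -v wg >/dev/null 2>&1; then
    run_checks
fi
```

A handshake older than about three minutes with keepalive set to 25 seconds means the peer is not answering, and the PBR clients will not get out until that is fixed; the two route checks tell you, without any client involvement, whether pbr's rules are in place and scoped to the right host.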