Different VPN per site? Flint AX & WireGuard

Hi, I have a Flint AX and wanted to know if I can use one WireGuard VPN profile by default but another WireGuard VPN profile for specific sites?

Such as all web traffic goes through Sweden but only Facebook goes through Germany?

Thanks.

This is probably not possible per site with custom routing from the GL UI VPN policies.

However, there is also a LuCI app which kinda replaces policies, which should be possible to work with.

This app is called luci-app-pbr, but in order to have it work more properly you need to set the global policies in the GL UI to custom routing.

But there's also another catch: you may also need luci-proto-wireguard, but this might break the wgclient. Why? Because you need two instances of VPN, and I don't think it's possible in GL's version since it is unmanaged (could be wrong), but it looks different than vanilla OpenWrt's WireGuard opkg. In the worst scenario you need to rebuild wgclient in LuCI; a better scenario is only setting up your second instance so that both VPN interfaces can co-exist, because of the software differences between vanilla's version and GL's version.

Then you also need to make sure all routing is disabled as well on the new VPN interface, using the default gateway checkbox in the advanced tab when you are editing the interface; this is required on all interfaces except LAN.

In pbr the priority is from top to bottom, so your domain rule should always be above the rule that routes through the default VPN. Here's an example:

name: route site to vpn2
local ip: 192.168.8.0/24
remote ip: mysite.mydomain
chain: prerouting
interface: wgclient2

And

name: route all vpn
local ip: 192.168.8.0/24
remote ip:
chain: prerouting
interface: wgclient

I can see this is quite advanced, so please let me know if you need help :+1:

1 Like
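As an added illustration of the two policies and the interface setting described in the reply above (not from the post, nor from the pbr project's own documentation), here is the same setup written out as OpenWrt UCI config. The pbr option names (src_addr, dest_addr, chain, interface) are assumed from pbr's config format, `wgclient2` and `mysite.mydomain` are the poster's example names, and the key and endpoint values are placeholders; the GL-managed `wgclient` interface is deliberately not touched.

```uci
# /etc/config/pbr -- policies are applied in file order, first match wins,
# so the site-specific policy must sit ABOVE the catch-all policy.
config policy
	option name 'route site to vpn2'
	option src_addr '192.168.8.0/24'
	# placeholder domain from the post; pbr resolves it to an address set
	option dest_addr 'mysite.mydomain'
	option chain 'prerouting'
	option interface 'wgclient2'

config policy
	option name 'route all vpn'
	option src_addr '192.168.8.0/24'
	# dest_addr left empty: any destination not matched above
	option chain 'prerouting'
	option interface 'wgclient'

# /etc/config/network -- only the second, LuCI-created WireGuard interface.
# defaultroute '0' is the "Use default gateway" checkbox in the Advanced tab,
# so this tunnel never takes over the main default route; pbr installs the
# routes it needs in its own table instead.
config interface 'wgclient2'
	option proto 'wireguard'
	option private_key '<PLACEHOLDER-CLIENT-PRIVATE-KEY>'
	# constructed tunnel address for the example
	list addresses '10.0.0.2/32'
	option defaultroute '0'

config wireguard_wgclient2
	option public_key '<PLACEHOLDER-PEER-PUBLIC-KEY>'
	option endpoint_host '<PLACEHOLDER-GERMANY-ENDPOINT>'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	# 0.0.0.0/0 must be allowed for full-tunnel use, but do not let the
	# peer itself install that route; leave routing decisions to pbr.
	option route_allowed_ips '0'
```

After saving both files, `/etc/init.d/network reload` followed by `/etc/init.d/pbr restart` applies the change; `pbr status` (or the LuCI status page) should then list both policies in that order.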

Yeah that sounds way too complex for me, I will just stick with normal functionality. Your reply is much appreciated though.

1 Like

I can attest stangri’s PBR for LuCI is a rather impressive piece of software.

Yeah, @xize11 is right on point; it’s not going to be an easy time using GL firmware. luci-app-pbr will certainly conflict, & for best results it’s best to have full nft tables for the firewall vs iptables… nft is now the default as of OpenWrt 23.05, but the Flint is still using 21.02 in firmware 4.4.6-release1. You’d also need dnsmasq-full (v2.39+) & not just stock/regular dnsmasq.

If you can afford the hit to the wallet, I’d pick up another Flint or a Slate AX & flash it with @solidus1983’s ‘pure’ OpenWrt firmware build for it. While there might be a hit to the device’s overall performance, as it doesn’t have GL’s optimizations via the proprietary SDK, you’ll have full access to all things OpenWrt. You could then put this pure OpenWrt behind/downstream of your GL Flint to handle whatever device clients you want to use PBR.

Of course you can always just pick up a compatible OpenWrt router on the used market for experimentation… but it can be done & close to a case of ‘easier done than said.’

2 Likes