This morning my router GL-AXT1800 (FW: 4.2.1) wasn’t able to successfully connect to the wireguard VPN server back home.
I have a VPN based on client policy, today all traffic flowed through my traveling WiFi network and not through my WireGuard server.
I understand there’s a block non-vpn traffic option under global options.
I’m wondering if there is a way to block all non-vpn traffic at the MAC address level or if that’s a feature that’s being looked into?
Use Case: Google monitors ip addresses and GPS locations and they are able to set your location based on this. I do not want my personal phone (location) to be associated with the VPN ip and would like to only use the VPN with my work equipment.
This is why I no longer use block non-vpn traffic (Instead all non-sensitive devices go through travel network and not VPN). But if for some reason my VPN server isn’t connecting, like today, I don’t know till I check my IP in browser. (Not the best solution)
Toggling this blocks all non-vpn traffic and on all devices connected to the router even if those devices are not set to use the VPN.
I have 3 devices connected to the router, 1 device has a MAC address device policy set to use the VPN. The other 2 devices are not set to use the VPN. If I toggle block all non-vpn traffic, that is a global option, it will block my 2 devices not using the VPN.
My question was is there a way to block non-vpn traffic for the 1 device that is set to use the VPN via MAC filter?
The verbiage confuses me. If you want to only have specific MACs use the VPN that is a policy. If you do not set Block Non-VPN Traffic the other MACs will continue using clearnet as they’re not whitelisted to use the VPN. The MAC for the device on the whitelist/use VPN policy should, by default, be shunting all traffic through the VPN.
Check the results of ipleak.net from ea. of your devices to confirm.
I want my other devices to access the internet normally, without the VPN (clearnet). When I toggle block non-vpn traffic policy, which is a global option, the devices intended for clearnet lose internet access.
So my question is: can I configure the router so that my work devices strictly use VPN while allowing my other devices to access the internet directly without the VPN? If there’s no direct way, is there any workaround? Is there any development planned for this kind of setup?
Now I got it: when the GL GUI → VPN → VPN Dashboard → VPN Client tunnel/link drops for whatever reason, the VPN-only policy whitelisted device’s MAC (eg: work mobile) drops back to using clearnet. Yeah, that’s a problem.
Let’s do a quick little experiment:
Ensure Global Options → Block Non-VPN Traffic is not enabled
Throw a ‘work device’ (or stand-in $device) MAC into the Based on the Client Device policy
Enable the GL GUI VPN Client, confirm active & operating as expected (as you do)
Block $device from WAN access (GL GUI → Clients → $device.MAC → Block WAN)
Test $device for VPN connectivity via ipleak.net (expectation: your VPN Server’s IP)
Disable the GL GUI VPN Client
Test $device for WAN connectivity via ipleak.net (expectation: blocked from clearnet)
Rationale: I want to see if stock tools can do what you require. Under the hood, WAN is a different network interface (technically in this case a firewall zone forward) than WG Client (wgclient zone/fwd).
Lemme know your results. I’d rather not get into custom firewall rules but… if we must…
Dammit! It looks like we’ll have to get into some custom firewall rules then. Okay, give me a day or two. In the meantime you’re going to need to install LuCI… & we should make a backup before making any unsupported changes to your firewall. See the below link.
I’m going to need a day or two to dig up some references from the OpenWrt Wiki. It’s been longer than I care to remember since I had to resort to custom firewall rules.
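The custom firewall rule the thread is heading toward, as an added example (not the poster's or GL.iNet's own code): on OpenWrt the per-device "kill switch" is a forward rule that rejects traffic from one LAN MAC into the wan zone, so that device can only exit through the VPN zone (the thread calls it wgclient). The script below validates the MAC and prints the UCI stanza for /etc/config/firewall plus the equivalent uci commands; the zone names `lan` and `wan` and the placeholder MAC are assumptions, adjust them to what `uci show firewall` reports on your router.

```sh
#!/bin/sh
# Added example for the thread above; assumptions: zones are named 'lan' and
# 'wan', and the VPN client sits in its own zone, so a rule that rejects
# lan -> wan for one MAC leaves only the VPN path open for that device.

WORK_MAC="AA:BB:CC:DD:EE:01"   # constructed placeholder, replace with $device.MAC

# valid_mac: succeed only for six colon-separated hex pairs, so a typo does
# not silently create a rule that matches nothing.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# kill_switch_rule: print the /etc/config/firewall stanza for one MAC.
# 'REJECT' (not DROP) so the client fails fast instead of waiting on timeouts.
kill_switch_rule() {
    mac="$1"
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    cat <<EOF
config rule
	option name 'vpn-only-$mac'
	option src 'lan'
	option src_mac '$mac'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
EOF
}

# uci_commands: the same rule as one-shot commands for the router shell,
# followed by a firewall reload. Printed rather than executed here.
uci_commands() {
    mac="$1"
    valid_mac "$mac" || return 1
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='vpn-only-$mac'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].src_mac='$mac'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

kill_switch_rule "$WORK_MAC"
uci_commands "$WORK_MAC"
```

After applying it, repeat the experiment from the earlier post: with the VPN client up, ipleak.net from the work device should show the VPN server's IP; with the VPN client disabled, the device should get no connectivity at all rather than falling back to clearnet. Traffic from the device to the router itself (DHCP, DNS on the lan zone) is unaffected because the rule only covers forwarding to wan. Re-check the rule after firmware upgrades or after toggling the GL GUI VPN policy, since the vendor scripts manage their own firewall entries.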
Thanks for your response. Yes, ideally that would be the solution.
Unfortunately, as discussed earlier in this thread, you are not protected if your VPN fails…
Edit: I wonder if this issue may have been fixed on Brume 2 firmware 4.5.0. I am testing with a purposefully invalid Wireguard configuration and the device does not fall back to clearnet, but rather has no connection. Not sure if this is a valid or best test for this.