Is it possible to block non-VPN traffic on a specific device (MAC address)?

Yup; it’s just a matter of a toggle. GL GUI → VPN → VPN Dashboard → VPN Client → Global Options

I’m wondering if there is a way to block all non-vpn traffic at the MAC address level or if that’s a feature that’s being looked into?

That’d be an optional policy for you to apply:

Be sure to test that your expectations are met, of course!

But if for some reason my VPN server isn’t connecting, like today, I don’t know till I check my IP in browser. (Not the best solution)

Consider splitting this off into a new thread; there are other details to gather before troubleshooting, and having this thread get muddled wouldn't help keep it all straight.


Are you referring to this?

Toggling this blocks all non-vpn traffic and on all devices connected to the router even if those devices are not set to use the VPN.

I have 3 devices connected to the router, 1 device has a MAC address device policy set to use the VPN. The other 2 devices are not set to use the VPN. If I toggle block all non-vpn traffic, that is a global option, it will block my 2 devices not using the VPN.

My question was: is there a way to block non-VPN traffic for the 1 device that is set to use the VPN via MAC filter?

The verbiage confuses me. If you want to only have specific MACs use the VPN that is a policy. If you do not set Block Non-VPN Traffic the other MACs will continue using clearnet as they’re not whitelisted to use the VPN. The MAC for the device on the whitelist/use VPN policy should, by default, be shunting all traffic through the VPN.

Check the results of ipleak.net from ea. of your devices to confirm.

Sorry about that, let me rephrase.

I want my other devices to access the internet normally, without the VPN (clearnet). When I toggle block non-vpn traffic policy, which is a global option, the devices intended for clearnet lose internet access.

So my question is: can I configure the router so that my work devices strictly use VPN while allowing my other devices to access the internet directly without the VPN? If there’s no direct way, is there any workaround? Is there any development planned for this kind of setup?

Understood.

As is the intent of that toggle.

Put its MAC into the VPN policy to do so.

That would be the default expectation unless Block Non-VPN was toggled.

I think this is a matter of it takes longer to describe than it is to do/‘easier done than said.’

Throw the work device MAC into a VPN MAC whitelist under VPN Client → Global Policy & test all your devices via ipleak.net to confirm the results:

That doesn’t really solve my issue though. The way you are explaining how to set up my router is exactly how it’s set up.

The issue is if the VPN loses connection now that VPN MAC address whitelisted device will then fallback to using clearnet.

I want the functionality of block non-vpn traffic but at the MAC address level.

I’m totally 100% able to set my work device to use the VPN and my other devices to use clearnet.

The issue is when the VPN goes offline for whatever reasons there’s no way to block that clearnet traffic reaching the MAC address white listed device.

Toggling block non VPN traffic would kill the internet on my work device if the VPN were down, good, but I won’t be able to use my clear net devices if I did that, bad. :sweat_smile:

Now I got it: when the GL GUI → VPN → VPN Dashboard → VPN Client tunnel/link drops for whatever reason, the VPN-only policy whitelisted device’s MAC (eg: work mobile) drops back to using clearnet. Yeah, that’s a problem.

Let’s do a quick little experiment:

  • Ensure Global Options → Block Non-VPN Traffic is not enabled
  • Throw a ‘work device’ (or stand-in $device) MAC into the Based on the Client Device policy
  • Enable the GL GUI VPN Client, confirm active & operating as expected (as you do)
  • Block $device from WAN access (GL GUI → Clients → $device.MAC → Block WAN)
  • Test $device for VPN connectivity via ipleak.net (expectation: your VPN Server’s IP)
  • Disable the GL GUI VPN Client
  • Test $device for WAN connectivity via ipleak.net (expectation: blocked from clearnet)

Rationale: I want to see if stock tools can do what you require. Under the hood, WAN is a different network interface (technically in this case a firewall zone forward) than WG Client (wgclient zone/fwd).

Lemme know your results. I’d rather not get into custom firewall rules but… if we must…

  • Ensure Global Options → Block Non-VPN Traffic is not enabled

:white_check_mark: Done

  • Throw a ‘work device’ (or stand-in $device) MAC into the Based on the Client Device policy

Done

  • Enable the GL GUI VPN Client, confirm active & operating as expected (as you do)

Works as usual, I’m on the VPN address

  • Block $device from WAN access (GL GUI → Clients → $device.MAC → Block WAN)

Easy enough

  • Test $device for VPN connectivity via ipleak.net (expectation: your VPN Server’s IP)

:x: No internet, blocking WAN supersedes VPN support

  • Disable the GL GUI VPN Client

:x: Connection is blocked, blocking WAN supersedes the VPN

  • Test $device for WAN connectivity via ipleak.net (expectation: blocked from clearnet)

Well there’s no internet lol but no VPN either.
I appreciate the try, but yeah WAN block is superseding anything else.

I'm hoping they could maybe add the feature to the roadmap :raised_hands:

Dammit! It looks like we’ll have to get into some custom firewall rules then. Okay, give me a day or two. In the meantime you’re going to need to install LuCI… & we should make a backup before making any unsupported changes to your firewall. See the below link.

I'm going to need a day or two to dig up some references from the OpenWrt Wiki. It's been longer than I care to remember since I had to resort to custom firewall rules.

1 Like

Got it working! chatgpt + this thread + your direction to use custom firewall rules.
I have a working iptables rule that drops the device when wgclient fails/is offline.

iptables -I FORWARD -m mac --mac-source 66:2D:BF:64:EA:62 ! -o wgclient -j DROP

It would have been nice to see it in the GUI but hey, it works now, I'm not complaining anymore!
Thanks for the help!

2 Likes

You magnificent bastard!

A heads up: the upcoming GL firmware, 4.3, is most likely going to be based on OpenWrt 22.03. Upstream switched to nftables. You may have to adapt accordingly.

1 Like
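The per-MAC kill switch from the iptables rule above, together with the nftables form the OpenWrt 22.03 heads-up points to, as an added example that is not code from the thread or from GL.iNet. It assumes the VPN client interface is named wgclient (as in the thread) and that the fw4 firewall keeps its chains in table inet fw4; the MAC shown is a constructed placeholder.

```shell
#!/bin/sh
# Added example: build the "drop forwarded traffic from this MAC unless it
# leaves via the VPN interface" rule for either firewall back end.
# Assumptions: VPN interface is "wgclient"; fw4 (OpenWrt 22.03+) uses
# table "inet fw4" with a "forward" chain. Adjust if your build differs.

# Return 0 if $1 is a colon-separated MAC address (six hex octets).
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# killswitch_rule BACKEND MAC [IFACE]
# Prints the command that drops forwarded packets from MAC whose egress
# interface is anything other than IFACE (default: wgclient).
killswitch_rule() {
    backend="$1"; mac="$2"; iface="${3:-wgclient}"
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    case "$backend" in
        iptables)
            # Same shape as the rule posted in the thread: -I puts it first in
            # FORWARD, ahead of the established/related accept.
            echo "iptables -I FORWARD -m mac --mac-source $mac ! -o $iface -j DROP" ;;
        nft)
            # fw4 equivalent: insert at the top of the forward chain.
            echo "nft insert rule inet fw4 forward ether saddr $mac oifname != \"$iface\" drop" ;;
        *)
            echo "unknown backend: $backend" >&2; return 1 ;;
    esac
}

# Heuristic: prefer nft when the binary exists (fw4), else iptables (fw3).
detect_backend() {
    if command -v nft >/dev/null 2>&1; then echo nft; else echo iptables; fi
}

# Usage: sh thisfile.sh [iptables|nft] <MAC> [iface]  (prints, does not apply)
if [ $# -ge 2 ]; then
    killswitch_rule "$@"
fi
```

Both commands change only the running ruleset, so a firewall reload removes them; re-apply from whatever hook your firmware runs after reload.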

Do you toggle on this option at VPN dashboard - Global Options

and VPN Policy Based On The Client Device

I’ve been testing leaks these days. But I failed to reproduce the issue.
Can you help to export debug info?

Anyone know how we can do this in reverse? I would like to whitelist MAC addresses to bypass the VPN, send everything else through the VPN, and drop Internet if the VPN fails.

At VPN dashboard:
Modify Proxy Mode to: Based on the Client Device - add MAC address to "Do Not Use VPN"
Global Options - Block Non-VPN Traffic - off

Thanks for your response. Yes, ideally that would be the solution.

Unfortunately, as discussed earlier in this thread, you are not protected if your VPN fails…

Edit: I wonder if this issue may have been fixed on Brume 2 firmware 4.5.0. I am testing with a purposefully invalid Wireguard configuration and the device does not fall back to clearnet, but rather has no connection. Not sure if this is a valid or best test for this.

You can try this firmware 4.4.6.
http://download.gl-inet.com.s3.amazonaws.com/firmware/mt2500/testing/openwrt-mt2500-4.4.6-0908-1694151358.bin

4.5 is not stable; it introduces a lot of changes.

I have not yet encountered any issues with 4.5.0. If I do roll back to 4.4.6, will I have any issues keeping my configuration?

It will report errors on the multi-WAN and clients pages for firmware 4.5.
Not recommended to downgrade firmware with keeping configuration.

1 Like