Split tunnel issues with vpn vlan based policy

Evening all,

I’ve got the Beryl AX device and I’m currently trying to do split tunnel VPN for WireGuard whilst using the policy based routing for VLANs.

I have the private and public networks, and I’ve done a custom script that allows me to use the toggle to switch between 2 VPNs. VPN A is the split tunnel WireGuard VPN that allows me to access my home subnet. VPN B is an OpenVPN tunnel to a PIA server in London; this should route all traffic.

When in auto mode the guest network can access the VPNs, so I changed to the VLAN based policy; however, this attempts to tunnel all traffic down the WireGuard VPN instead of allowing it to split tunnel.

I have the settings configured to allow non-VPN traffic to route outbound, but this makes little difference.

I’m tempted to do it based on auto mode and remove guest networks from accessing the tunnels; however, it automatically adds the firewall allows back in when the tunnel is turned off and on.

Can anyone offer advice on how to either stop all traffic being forced down the split tunnel in policy mode, or stop the auto creation of guest rules for the tunnels in route based policies?

TIA

@bring.fringe18 That sounds like a case for you. :wink:

No can do. I’m (eventually) going to get into nftables now that’s the default engine for OWRT 23.05.x but iptables is still a black hole to me.

@Origin I can tell you it’s possible to insert/remove iptables routing rules ‘on the fly’ if that helps in your scripting.

I’ll look into this then as plan B.

@bring.fringe18 Any idea why the VLAN routing policy overrides a working split tunnel configuration?

If I can understand this I may be able to work some additional commands into my custom toggle script that “update” that policy and control the behaviour better.

In that scenario I guess the end goal would be to add additional routes for the VPN and allow traffic in the configuration for position 1. Then when the toggle is moved to position 2, undo these changes.

That was exactly my thought. FWIW the last time I pointed an OP to a custom iptables route solution, they successfully used ChatGPT to get them the proper rule. YMMV.

Certainly could be interesting given ChatGPT’s current performance/reliability :sweat_smile:

I’ll feed back with the solution if I get it working.

I appreciate the input, thanks :slight_smile:

1 Like

@bring.fringe18 any chance you can help me pick apart whether I’m looking at the right thing?

I’ve stumbled my way through the config from /etc/wireguard/scripts/wgclient.sh (shortened the file name as I’m on my phone and cannot remember); this script references /usr/bin/route-policy

Would you be able to confirm whether this looks to be right for what the global proxy policies would be using, in your opinion?

I wouldn’t know what I’d be looking at or what I’d be looking for. Crudely speaking, scripting custom rules should be no more difficult than entering the rule from the CLI. E.g.:
</gre_replace>
<gr_replace lines="58" cat="clarify" orig="I may not">
I may not have been overly clear, sorry. I’m still trying to track down what the specific proxy options change before I make any adjustments to my scripts, more because I have 0 clue when it comes to nftables and iptables, so I’m hoping if I find the related scripts I can understand what each proxy option changes.

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

In your case you’re using a script… which is good; otherwise I’d say to add it to /etc/rc.local (LuCI → System → Startup → Local Startup).

I don’t think I’d recommend modifying the GL stock scripts unless I absolutely had to, though.

I may not have been overly clear sorry, im still trying to track down what the specific proxy options change before i make any adjustments to my scripts. more because i have 0 clue when it comes to nftables and iptables so im hoping if i find the related scripts i can understand what each proxy option changes.

I might use diffutils to live read any changes to the config file for iptables and see if I can find it that way.

Yeah, I understand but anything I could offer further as ‘advice’ would just be adding noise to the signal & I’d rather not do that to 'ya.

Have a good one.

@bring.fringe18 I opted for a sort of hashed together workaround, but given I’m wiping this in the new year for stock OpenWrt I’m fine with it.

I added

config forwarding 'guest2wgclient'
	option src 'guest'
	option dest 'wgclient'
	option enabled '0'

to firewall.user and then added

sed -i "9s/option proxy_mode '5'/option proxy_mode '1'/" /etc/config/vpnpolicy
and
sed -i "9s/option proxy_mode '1'/option proxy_mode '5'/" /etc/config/vpnpolicy

respectively to my custom script in gl-switch.d.

1 Like

Just for posterity, here is my script for the Custom switch behaviour in gl-switch.d:

#!/bin/sh

# Called by gl-switch.d with "on" or "off" depending on the toggle position.
action=$1

# Position "on": switch vpnpolicy to proxy_mode 1 and bring the WireGuard client up.
if [ "$action" = "on" ];then
	sed -i "9s/option proxy_mode '5'/option proxy_mode '1'/" /etc/config/vpnpolicy
	# Ask the GL.iNet RPC which WireGuard peer is configured and whether it is running.
	result=`curl -H 'glinet: 1' -s -k http://127.0.0.1/rpc -d "{\"jsonrpc\":\"2.0\",\"method\":\"call\",\"params\":[\"\",\"wg-client\",\"get_status\",{}],\"id\":1}" | jsonfilter -e @.result`
	status=`echo $result | jsonfilter -e @.status`
	group_id=`echo $result | jsonfilter -e @.group_id`
	peer_id=`echo $result | jsonfilter -e @.peer_id`
	# Only start it when it is currently stopped and a peer is actually selected.
	if [ "$status" = "0" -a -n "$group_id" -a "$group_id" != "0" -a -n "$peer_id" -a "$peer_id" != "0" ];then
		curl -H 'glinet: 1' -s -k http://127.0.0.1/rpc -d "{\"jsonrpc\":\"2.0\",\"method\":\"call\",\"params\":[\"\",\"wg-client\",\"start\",{\"group_id\":$group_id,\"peer_id\":$peer_id}],\"id\":1}"
	fi
fi

# Position "off": restore proxy_mode 5 and stop the WireGuard client.
if [ "$action" = "off" ];then
	sed -i "9s/option proxy_mode '1'/option proxy_mode '5'/" /etc/config/vpnpolicy
	curl -H 'glinet: 1' -s -k http://127.0.0.1/rpc -d "{\"jsonrpc\":\"2.0\",\"method\":\"call\",\"params\":[\"\",\"wg-client\",\"stop\",{}],\"id\":1}"
fi

# Position "on": the OpenVPN client must be down, so stop it if it is running.
if [ "$action" = "on" ];then
	result=`curl -H 'glinet: 1' -s -k http://127.0.0.1/rpc -d "{\"jsonrpc\":\"2.0\",\"method\":\"call\",\"params\":[\"\",\"ovpn-client\",\"get_status\",{}],\"id\":1}" | jsonfilter -e @.result`
	status=`echo $result | jsonfilter -e @.status`
	group_id=`echo $result | jsonfilter -e @.group_id`
	client_id=`echo $result | jsonfilter -e @.client_id`
	if [ "$status" != "0" -a -n "$group_id" -a -n "$client_id" ];then
		curl -H 'glinet: 1' -s -k http://127.0.0.1/rpc -d "{\"jsonrpc\":\"2.0\",\"method\":\"call\",\"params\":[\"\",\"ovpn-client\",\"stop\",{\"group_id\":$group_id,\"client_id\":$client_id}],\"id\":1}"
	fi
fi

# Position "off": bring the OpenVPN client up if it is stopped and a client is selected.
if [ "$action" = "off" ];then
	result=`curl -H 'glinet: 1' -s -k http://127.0.0.1/rpc -d "{\"jsonrpc\":\"2.0\",\"method\":\"call\",\"params\":[\"\",\"ovpn-client\",\"get_status\",{}],\"id\":1}" | jsonfilter -e @.result`
	status=`echo $result | jsonfilter -e @.status`
	group_id=`echo $result | jsonfilter -e @.group_id`
	client_id=`echo $result | jsonfilter -e @.client_id`
	if [ "$status" = "0" -a -n "$group_id" -a "$group_id" != "0" -a -n "$client_id" -a "$client_id" != "0" ];then
		curl -H 'glinet: 1' -s -k http://127.0.0.1/rpc -d "{\"jsonrpc\":\"2.0\",\"method\":\"call\",\"params\":[\"\",\"ovpn-client\",\"start\",{\"group_id\":$group_id,\"client_id\":$client_id}],\"id\":1}"
	fi
fi

# Give the tunnels a moment to settle before the switch handler returns.
sleep 5

1 Like
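The script above rewrites /etc/config/vpnpolicy with a fixed line number (`9s/...`), so any edit or firmware update that shifts that file by one line makes the sed silently miss or hit the wrong option. The following is an added example, not code from the thread or from GL.iNet, that matches the option text instead and edits only the named forwarding stanza; the section and option names come from the thread, the sample files are constructed, and nothing here touches the live config.

```shell
#!/bin/sh
# Added example: line-number-independent edits of the two UCI-style files
# the thread changes. The sample files below are constructed for the demo.

# set_proxy_mode FILE MODE   rewrites "option proxy_mode 'N'" wherever it is
set_proxy_mode() {
    file=$1; mode=$2; tmp=$(mktemp)
    case "$mode" in 1|5) ;; *) echo "unsupported proxy_mode: $mode" >&2; rm -f "$tmp"; return 1 ;; esac
    sed "s/^\([[:space:]]*option proxy_mode \)'[0-9]*'/\1'$mode'/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_proxy_mode FILE   prints the current value (empty if the option is absent)
get_proxy_mode() {
    sed -n "s/^[[:space:]]*option proxy_mode '\([0-9]*\)'.*/\1/p" "$1" | head -n 1
}

# set_forwarding_enabled FILE NAME 0|1   flips 'enabled' only inside the named stanza
set_forwarding_enabled() {
    file=$1; tmp=$(mktemp)
    awk -v name="$2" -v val="$3" -v q="'" '
        /^config / { insec = ($0 == "config forwarding " q name q) }
        insec && $1 == "option" && $2 == "enabled" { $0 = "\toption enabled " q val q }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_forwarding_enabled FILE NAME   prints the enabled flag of that stanza
get_forwarding_enabled() {
    awk -v name="$2" -v q="'" '
        /^config / { insec = ($0 == "config forwarding " q name q) }
        insec && $1 == "option" && $2 == "enabled" { gsub(q, "", $3); print $3; exit }
    ' "$1"
}

# Demo on constructed copies of the two files (never the live /etc/config).
d=$(mktemp -d)
printf "config vpnpolicy 'global'\n\toption proxy_mode '5'\n" > "$d/vpnpolicy"
printf "config forwarding 'guest2wgclient'\n\toption src 'guest'\n\toption dest 'wgclient'\n\toption enabled '0'\n" > "$d/firewall"
set_proxy_mode "$d/vpnpolicy" 1 && set_forwarding_enabled "$d/firewall" guest2wgclient 1
echo "proxy_mode=$(get_proxy_mode "$d/vpnpolicy") guest2wgclient=$(get_forwarding_enabled "$d/firewall" guest2wgclient)"
rm -rf "$d"
```

On the router the same functions would be pointed at /etc/config/vpnpolicy and /etc/config/firewall from the gl-switch.d handler, followed by a firewall reload.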

@admon

Wadd’ya think, admon? Do we have a legend in the making or what?

Nicely done, @Origin . Very nicely done. Bookmarked.

Not quite sure what I see here or maybe I don’t understand the use case. :confused:

He scripted a toggle to re-route the guest (“public network” in his use case) over to/off the WG Client connection at his leisure.

I don’t see a use case for it myself, but that’s probably just a limitation of my imagination. Those RPC calls he’s making sure are sweet, though.

@bring.fringe18 @admon Going to humble myself real quick here: I just reutilised the existing scripts already made by GL.iNet.

I’m talking custom in a very loose sense here :sweat_smile: although I do appreciate your appreciation, the praise is undeserved :joy:.

All this does, by the way, is toggle between two VPNs. So when one is off the other is always on.

It’s mainly for when I go on trips. My work device requires me to be in the UK, but I work 100% remote so I like to travel. VPN A lets me access my home lab so I can practice random stuff, and VPN B terminates me in London so I can work. All at the flick of that toggle.

1 Like

Oh, well it’s still a good hack, regardless. If/when you flash vanilla OpenWrt, install stangri’s pbr & luci-app-pbr. My OWRT 23.05 jumpbox has four WG tunnels going at all times, routing accordingly:

This service allows you to define rules (policies) for routing traffic via WAN or your L2TP, Openconnect, OpenVPN, PPTP, Softether or Wireguard tunnels. Policies can be set based on any combination of local/remote ports, local/remote IPv4 or IPv6 addresses/subnets or domains. This service supersedes and obsoletes the VPN Bypass and VPN Policy Routing services.

Awesome, bookmarked this for when I do then!

Thanks for your help :smiley:

1 Like