VPN policies and traffic from 192.168.8.1

I’ve set up some VPN policies on my Mango based on target IP/domains (basically Netflix traffic) and WireGuard.
Everything seems to work properly from the LAN clients' perspective.
However, if I jump via SSH onto the router, I noticed that all traffic from there uses the wgclient interface.

This is my routing table:
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 128.0.0.0 U 0 0 0 wgclient
default 192.168.1.1 0.0.0.0 UG 10 0 0 eth0.2
128.0.0.0 * 128.0.0.0 U 0 0 0 wgclient
192.168.1.0 * 255.255.255.0 U 10 0 0 eth0.2
192.168.8.0 * 255.255.255.0 U 0 0 0 br-lan

A check on the route it takes for 1.1.1.1:
root@GL-MT300N-V2:~# ip route get 1.1.1.1
1.1.1.1 dev wgclient src 10.1.242.180 uid 0

A check on my external ip reports the Wireguard endpoint instead of my isp:
root@GL-MT300N-V2:~# curl https://ipinfo.io/ip
188.213.34.xxx

What should I do to route traffic from the router according to the VPN policies I’ve set?

The router itself does not respect the rules you set in VPN policies. It rather routes all of its own traffic to the VPN.

Is there any problem caused by this?

Thank you for answering.
Well, there’s also an HTTP proxy (tinyproxy) installed on the router, and I’d like the traffic it generates to respect the VPN policies, or at least bypass the VPN if possible.

Thanks

To bypass VPN, run tinyproxy with group nonevpn:

uci set tinyproxy.@tinyproxy[0].Group=nonevpn
uci commit tinyproxy
/etc/init.d/tinyproxy restart

Thankfully, its running group is configurable.

For a general process to run with the nonevpn group:

sudo -g nonevpn curl ip.me