Doing more research, I noticed a serious bug regarding the fw:
Trying to access my email (POP) server, which is also on the wg-server, I noticed the following wrong rules:
The first rule is already wrong:
Thu Jun 30 15:52:27 2022 kern.warn kernel: [454382.914405] TRACE: mangle:FORWARD:rule:5 IN=br-lan OUT=wg0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:37:0a:44:93:08:00 SRC=192.168.8.221 DST=my.wg.server.ip LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6125 DF PROTO=TCP SPT=50866 DPT=110 SEQ=235051918 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405640103030201010402) MARK=0xe3f00
…
The last rule:
Thu Jun 30 15:52:30 2022 kern.warn kernel: [454385.969623] TRACE: filter:ROUTE_POLICY:rule:1 IN=br-lan OUT=wg0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:37:0a:44:93:08:00 SRC=192.168.8.221 DST=my.wg.server.ip LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6156 DF PROTO=TCP SPT=50866 DPT=110 SEQ=235051918 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405640103030201010402) MARK=0xe3f00
THIS DOES NOT WORK. Packets to the wg-server's public address cannot be routed through the tunnel; they must go outside of the wg-tunnel. As I wrote in the linked thread, I only noticed this when VPN policies were used.
Any comments from GLi? At least a confirmation of the bug would be appreciated. I think I gave sufficient, detailed info. Recreating the bug should be easy.
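The failure described in this post (a packet whose DST is the WireGuard server's own public address being sent OUT through wg0, so it can never reach the endpoint) can be spotted directly in the kernel TRACE output. The following is an added example, not code from the poster or from GL.iNet: a POSIX sh script that scans TRACE lines for that routing loop and checks the kernel's chosen route to the endpoint. The endpoint address 203.0.113.10 is a placeholder standing in for "my.wg.server.ip", and the sample log lines are constructed to resemble the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the original post). Flags firewall TRACE lines in which a
# packet addressed to the WireGuard server's public IP is leaving via the tunnel
# interface. Such a packet is stuck in a loop: the tunnel needs a route to the
# endpoint outside itself to carry anything at all.

WG_ENDPOINT="203.0.113.10"   # placeholder for the real server public IP (assumption)
WG_IFACE="wg0"               # tunnel interface, as in the post

# Constructed sample log lines modelled on the post's TRACE output.
# Line 1: client -> endpoint via wg0 (the bug).  Line 2: ordinary traffic via wg0.
# Line 3: the router's own WireGuard UDP packet to the endpoint, correctly via eth0.
SAMPLE_LOG='Thu Jun 30 15:52:27 2022 kern.warn kernel: [454382.914405] TRACE: mangle:FORWARD:rule:5 IN=br-lan OUT=wg0 SRC=192.168.8.221 DST=203.0.113.10 LEN=52 PROTO=TCP SPT=50866 DPT=110 MARK=0xe3f00
Thu Jun 30 15:52:27 2022 kern.warn kernel: [454382.914410] TRACE: mangle:FORWARD:rule:5 IN=br-lan OUT=wg0 SRC=192.168.8.221 DST=198.51.100.7 LEN=52 PROTO=TCP SPT=50867 DPT=443 MARK=0xe3f00
Thu Jun 30 15:52:28 2022 kern.warn kernel: [454383.100000] TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth0 SRC=192.168.8.1 DST=203.0.113.10 LEN=148 PROTO=UDP SPT=51820 DPT=51820 MARK=0x0'

# Read TRACE lines on stdin; print "<SRC> -> <DST> via <OUT>" for every packet
# that is addressed to the endpoint ($1) but leaves through the tunnel ($2).
find_endpoint_leaks() {
    awk -v ep="$1" -v ifc="$2" '
        /TRACE:/ {
            out = ""; src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^OUT=/) out = substr($i, 5)
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (out == ifc && dst == ep) print src " -> " dst " via " out
        }'
}

# Number of offending packets in the constructed sample.
count_endpoint_leaks() {
    printf '%s\n' "$SAMPLE_LOG" | find_endpoint_leaks "$WG_ENDPOINT" "$WG_IFACE" | wc -l | tr -d ' '
}

# Given the text printed by `ip route get <endpoint>` ($1), return 0 when the
# route avoids the tunnel interface ($2) and 1 when it would loop through it.
endpoint_route_ok() {
    case "$1" in
        *" dev $2 "*|*" dev $2") return 1 ;;
        *) return 0 ;;
    esac
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | find_endpoint_leaks "$WG_ENDPOINT" "$WG_IFACE"

# Live check, meaningful only on the router itself: the kernel's route to the
# endpoint must leave via WAN, never via the tunnel.
endpoint_route_ok "$(ip route get "$WG_ENDPOINT" 2>/dev/null)" "$WG_IFACE" \
    || echo "WARNING: route to $WG_ENDPOINT goes through $WG_IFACE (routing loop)"
```

On the router, pipe `logread` (or `dmesg`) into `find_endpoint_leaks <endpoint-ip> wg0` while the TRACE target is enabled; any output means a policy rule is steering endpoint-bound traffic into the tunnel. The `endpoint_route_ok` check complements it by asking the kernel which interface it would actually use for the endpoint, which is the thing a correct WireGuard policy setup must keep outside wg0.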
I simply run “official” openwrt on my router, avoiding the more or less “messy” fiddling around with firewall and “route” settings required for wg, which I consider the reason for the wg issue(s). I use simple and clean private iptables rules instead.
I need to not leak any connections, but also, I need any new connections from the router’s clients to my VPN’s server to come through the tunnel and not via the public address of my router.