I’ve just installed WireGuard on my RPi4 and connected to a VPN.
I have some devices on the LAN that don’t support VPN, so I need to set the RPi4’s IP as these devices’ gateway and route their traffic to the RPi4 and then to the VPN.
The RPi4 is connected via ethernet to my router. The VPN won’t always be up, so I would like (I don’t know if it’s possible):
Route traffic of specific IPs from eth0 to wg0
Route traffic of specific IPs from eth0 to my router if VPN is down
As stated above, I don’t know if it’s possible and my knowledge about networking is a little limited, so I’m asking for your help!
Both are possible.
For the first you need to control the DHCP server in your LAN and advertise to the specific clients DHCP option 3 to be the RPi IP address, in order to use it as their gateway. Most likely the ISP router will not support this function, so you should be looking at dnsmasq or dhcpd in RPi. There is also the option to use Pi-hole which has embedded dnsmasq, but this might be overkill.
For the second, it will be done automatically when the VPN is up. The default gateway will be via the VPN, when the latter is active. When the VPN is down, it will be routed via the ISP router.
Can you explain the problem?
I successfully connect to the VPN and the internet, my IP is the VPN’s IP and everything is fine.
Devices which use the RPi4’s IP as gateway successfully connect to the internet too, with the VPN’s IP.
@trendy could it be that, even when the VPN is up, the default gw is still the router, because the VPN tunnel is established via the default route? Meaning all data go into the VPN tunnel, while the VPN tunnel uses the router to connect to the internet?
```
root@DietPi:~# ip -4 route list table all
default dev wg0 table 51820 scope link
default via 192.168.178.1 dev eth0
10.59.244.0/24 dev wg0 proto kernel scope link src 10.59.244.2
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.42
local 10.59.244.2 dev wg0 table local proto kernel scope host src 10.59.244.2
broadcast 10.59.244.255 dev wg0 table local proto kernel scope link src 10.59.244.2
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.178.42 dev eth0 table local proto kernel scope host src 192.168.178.42
broadcast 192.168.178.255 dev eth0 table local proto kernel scope link src 192.168.178.42
root@DietPi:~# ip -4 rule
0:	from all lookup local
32764:	from all lookup main suppress_prefixlength 0
32765:	not from all fwmark 0xca6c lookup 51820
32766:	from all lookup main
32767:	from all lookup default
```
Don’t know if it helps, but I’m connecting via VPN to another RPi.
OK, it is now clear that the VPN is using a separate routing table and gets precedence from the ip rules.
It’s all good. You can add `echo 1 > /proc/sys/net/ipv4/ip_forward` in /etc/rc.local or edit /etc/sysctl
The iptables rules can be added in PostUp and PostDown (see wg-quick(8), wireguard-tools, Debian manpages).
For the PostDown use
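As an added example (not code from this thread, from DietPi or from the WireGuard project), the script below pulls together the two answers above: the dnsmasq lines that hand out the Pi as gateway (DHCP option 3) only to selected LAN hosts, the iptables lines wg-quick should run in PostUp and undo in PostDown, and a small check over `ip -4 rule` output that shows why forwarded LAN traffic takes wg0 when the tunnel is up and the ISP router when it is down. The interface names, subnet, Pi address and the `viapi` tag are assumptions taken from the output posted above; the MAC addresses are constructed.

```shell
#!/bin/sh
# Added example: LAN hosts -> RPi -> wg0 with automatic fallback to the router.
# Interface names, subnet and Pi address follow the thread's output; the MACs
# and the "viapi" dnsmasq tag are made up for the example.

WG_IF="wg0"
LAN_IF="eth0"
LAN_NET="192.168.178.0/24"
PI_ADDR="192.168.178.42"
# Constructed MAC addresses of the LAN devices that cannot run a VPN client.
VPN_CLIENT_MACS="aa:bb:cc:00:00:01 aa:bb:cc:00:00:02"

# dnsmasq config: tag only the listed hosts and give them option 3 (router).
# Every other DHCP client keeps the ISP router as its gateway.
dnsmasq_lines() {
    for mac in $VPN_CLIENT_MACS; do
        printf 'dhcp-host=%s,set:viapi\n' "$mac"
    done
    printf 'dhcp-option=tag:viapi,3,%s\n' "$PI_ADDR"
}

# Firewall lines wg-quick runs in PostUp ("-A") and removes in PostDown ("-D").
# Forwarding is limited to the LAN subnet towards wg0 plus replies coming back,
# and the LAN source addresses are masqueraded behind the tunnel address.
fw_rules() {
    action="$1"
    printf 'iptables %s FORWARD -i %s -o %s -s %s -j ACCEPT\n' \
        "$action" "$LAN_IF" "$WG_IF" "$LAN_NET"
    printf 'iptables %s FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$action" "$WG_IF" "$LAN_IF"
    printf 'iptables -t nat %s POSTROUTING -o %s -s %s -j MASQUERADE\n' \
        "$action" "$WG_IF" "$LAN_NET"
}

# Lines to paste under [Interface] in /etc/wireguard/wg0.conf.
wg_interface_lines() {
    fw_rules -A | sed 's/^/PostUp = /'
    fw_rules -D | sed 's/^/PostDown = /'
}

# Reads `ip -4 rule` output on stdin and prints "vpn" or "main".
# wg-quick inserts a "lookup main suppress_prefixlength 0" rule (LAN routes
# still match, the 0.0.0.0/0 default is ignored) followed by a fwmark rule that
# sends every packet not marked by WireGuard itself to table 51820, whose only
# route is "default dev wg0". Forwarded LAN packets carry no mark, so they take
# the tunnel. With wg0 down those rules are gone and the plain "lookup main"
# rule applies, i.e. the default route via the ISP router.
default_route_policy() {
    awk '
        /lookup main/ && !/suppress_prefixlength/ { print "main"; exit }
        /fwmark/ && /lookup/ && !/lookup main/      { print "vpn";  exit }
    '
}

# Constructed copies of the rule sets, for a stand-alone run (the first one
# mirrors the output posted in the thread).
RULES_VPN_UP='0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default'
RULES_VPN_DOWN='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'

dnsmasq_lines
wg_interface_lines
printf 'wg0 up:   forwarded LAN traffic follows the %s table\n' \
    "$(printf '%s\n' "$RULES_VPN_UP" | default_route_policy)"
printf 'wg0 down: forwarded LAN traffic follows the %s table\n' \
    "$(printf '%s\n' "$RULES_VPN_DOWN" | default_route_policy)"
```

Two points worth checking on the Pi itself: `net.ipv4.ip_forward=1` must be persistent (a file under /etc/sysctl.d is the usual place) or nothing is forwarded at all, and the FORWARD rules above only cover the eth0-to-wg0 path, so if the FORWARD chain policy is DROP the eth0-to-eth0 fallback through the router needs its own ACCEPT. Note also that this fallback is exactly what the question asked for, not a kill switch: while wg0 is down, the tagged devices reach the internet through the ISP router in the clear.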