I’ve set up a WireGuard tunnel from my hAP lite (ROS 7.1.1) to a third-party VPN provider using the config they provide. I can now successfully ping 8.8.8.8 via the wireguard1 interface from Tools > Ping, so I assume it is working fine.
Now the idea is to make only specified websites go via that tunnel instead of the regular internet connection, to bypass resources blocked by the ISP, etc. There is nothing specific in my network, just a home router and several clients using the internet.
I did this once via an IKEv2 VPN by marking a connection with a Mangle rule and Address lists, but it looks like this method won’t work with WireGuard now. I do not remember exactly how I did it, but I guess it has something to do with the routing and the default gateway, because when I add an IP for the WireGuard interface in IP > Addresses now, the default route for that address appears in IP > Routes and I cannot do anything with it. I could be going in completely the wrong direction here and not fully understand what I am talking about, so pardon me in advance (:
Anyway, please advise on how to route only specified websites via WireGuard.
Just so I understand: you only want users to go out the WireGuard for specific websites. For the rest of their internet usage they should use the standard hAP lite WAN, correct?
Yes, this is correct.
Narrow this down to public IP addresses and not domain names.
That does not sound very convenient. The public IP of a domain could change over time, and I am aiming for a set-and-forget configuration (as much as possible).
It’s probably mangle time.
Can you please advise exactly how to do it? So far I have created the list in Firewall > Address lists and created a mangle rule… from this point I am not sure what should be done exactly. Should I use mark routing or mark connection? Or both? I tried both, and both are working (the counters are properly updated when I access the websites), but I do not know what to do at this point, i.e. how to use these marks to route the traffic to the WireGuard. I tried fiddling with settings and IPs in IP > Routes, but that did not work.
Thank you sooo much, I googled my ass off for this.
The funny thing is I did all that before my post but perhaps screwed something up, some IP or something else, and it did not work.
Now I have done it all from scratch using your instructions and it worked.
While it is working, the connection to the domains specified in the list is super slow, down to timeouts sometimes or incorrectly rendered pages.
I faced similar behavior before when I routed an address list via the IKEv2 tunnel and, as I recall, I fixed it with an MSS-changing mangle rule.
I lurked a bit and found that it is advised to change the TCP MSS for WG-marked connections to “clamp to pmtu”.
I did that, but it did not work. I also tried moving the rule and changing the MSS to some other values; all the same.
Maybe there are other recommendations for the WireGuard tunnel optimization? Can someone advise a proper way to get rid of that slowness?
Can’t. As I mentioned, I am using a third-party paid VPN service provider. I can only download configs for OVPN or WireGuard and can’t change the MTU on their side. The MTU on my side is the default 1420.
Forgot to mention.
I also disabled the fasttrack rule for the marked connection, since I read somewhere that it can also screw up tunnel-routed connections. Still all the same.
Yes, fasttrack is a common problem; it doesn’t go together with mangle rules. What exactly did you do with it? Or, as a simple test, temporarily disable the fasttrack rule completely and see if it makes any difference.
It works fine that way with the rule enabled. Please correct me if I am wrong.
As a sidenote.
Since fasttrack was the main issue, do I even need MTU clamping at all? If I do, what is the proper way to add it? Mainly, should I use it on the routing mark or on the connection mark, or both? And, just to be sure, the rule should go after both marking rules, right?
Encountered the same issue: some domains were super slow to open, and some failed with a timeout. Disabling the fasttrack connection didn’t help. Changing the MSS in a Mangle rule solved the problem.
@s0b, how does the router distinguish between Google and YouTube? In other words, there are OVERLAPPING IPs for different websites’ URLs.
How will this technique work effectively when some sites are allowed and others not, but we have this conflict?
The concept may be tenable, but the practical application on the MT is a NO GO.
I just wish you would stick to things that work and not try such extravagant outside the box configurations ;-PPP
Finally, the Sob-proposed method is actually sub-optimal; much better to use the output chain… and KEEP fasttrack!
Step 1: Identify the firewall address list for the config. I will ignore any scripts etc.; what is important is that it exists and is populated… firewall address list name=blocked-IPs
Step 3: Create the table: /routing table add name=useWG fib
Step 4: Create the route: dst-address=0.0.0.0/0 gateway=wg-interface-name routing-table=useWG
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In effect one would have these IP routes:
dst-address=0.0.0.0/0 gateway=wan-gateway routing-table=main
dst-address=0.0.0.0/0 gateway=wg-interface-name routing-table=useWG
AGAIN, this will break down very quickly in the real world due to overlapping IPs for different websites. Not even sure if this will work for HTTPS websites…
Even though they are all Google’s addresses and they can use any of them for any of their services, chances are that they don’t use any of them for multiple services at the same time. And if they do, tough luck.
And did you forget that chain=output is only for router’s own traffic?
Damn, yes I did; I was using that approach when considering another application. Thanks! I knew it seemed too easy.
In any case the OP should know that there can and will be issues with that approach.
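The routing-table method from anav’s steps above, written out as a complete RouterOS 7 configuration with Sob’s correction applied (the marks are set in chain=prerouting on LAN traffic, since chain=output only sees the router’s own packets), and with the fasttrack exclusion and MSS clamp that the earlier posts went back and forth on. This is an added example, not configuration posted by any participant or shipped by MikroTik. Assumptions: the LAN is 192.168.88.0/24, the tunnel interface is named wireguard1, the address list is called viaWG, the connection mark is wg-conn, and the list entries are constructed placeholders.

```routeros
# Added example, not any participant's config. Assumed names: LAN 192.168.88.0/24,
# interface wireguard1, address list viaWG, connection mark wg-conn, table useWG.

# 1. Destinations that should leave via the tunnel. Entries may be single IPs,
#    subnets or FQDNs; an FQDN entry is resolved by the router's own DNS into
#    dynamic entries, so clients must use the router as their resolver for the
#    list and the clients' idea of the site's IP to agree.
/ip firewall address-list
add list=viaWG address=203.0.113.0/24 comment="constructed example subnet"
add list=viaWG address=example.com comment="constructed example FQDN"

# 2. A second routing table whose only route is the tunnel. The main table keeps
#    the normal WAN default route untouched.
/routing table
add name=useWG fib

/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG comment="marked traffic -> WireGuard"

# 3. Mark the connection once on its first packet, then give every LAN-originated
#    packet of that connection the routing mark. src-address on the routing-mark
#    rule keeps reply packets arriving from the tunnel out of table useWG.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 dst-address-list=viaWG connection-mark=no-mark action=mark-connection new-connection-mark=wg-conn passthrough=yes comment="tag new connections to listed destinations"
add chain=prerouting src-address=192.168.88.0/24 connection-mark=wg-conn action=mark-routing new-routing-mark=useWG passthrough=no comment="route tagged connections via useWG"
# MSS clamp for the 1420-byte tunnel MTU, applied only to SYN packets of tagged
# connections (both directions), which is what cures the slow/timing-out pages.
add chain=forward connection-mark=wg-conn protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes comment="MSS clamp for WireGuard-routed TCP"

# 4. Keep fasttrack for everything else, but exclude tagged connections: fasttracked
#    packets skip mangle entirely, so the routing mark would never be applied to them.
/ip firewall filter
set [find action=fasttrack-connection] connection-mark=!wg-conn

# 5. Source NAT behind the tunnel. The provider only knows the single address it
#    assigned to the tunnel, not the home LAN range.
/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade comment="masquerade LAN behind tunnel"
```

Rule order matters in mangle: the connection-mark rule must sit above the routing-mark rule, and both must come before any fasttrack rule gets a chance at the packet, which step 4 guarantees by excluding the mark rather than by ordering. The overlapping-IP objection raised above still applies unchanged: the decision is made per destination address, so two services sharing an address are routed the same way.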