Use WireGuard interface for specific devices only

Hi,

I have a Linksys WRT1200AC router with LEDE 17.01.4. I have WireGuard successfully set up and it works fine with the default route. Now I have some devices like my FireTV stick which shouldn't use WireGuard because Netflix & other services block VPN access.

Is it possible to route only devices with a specific mac address through the WireGuard interface?

I'm also not sure about the firewall zone settings. I followed Running WireGuard on a router from Mullvad up to the firewall part. Is it necessary to set everything to accept and check every checkbox?

My current config:
[screenshot: wireguard-zones]

It is.

Using "specific MAC addresses" would require putting your device back to use WAN by default and make forwarding exceptions to using the WAN. Just FYI MACs are Layer 2 (not Layer 3 which is where routing is handled after the LAN). Let's start off by saying...wireguard doesn't have to be the "default route."

  • if you have it checked, uncheck the make routes for subnets box under the wireguard interface
  • config your router back to use the normal WAN

So...You want your router to use 2 separate default routes...that's easily done via policy-based routing on Linux systems. I will show a quick pseudo-config using the NORMAL default route as WAN, and set up a route you send devices to by an exception - using the Wireguard interface (as you inquired):

  • From here, make sure each device on your LAN is assigned a static or DHCP-reserved or excluded IP, and note each IP you assign to each non-set-top-box device in LAN (you could make the bottom part of the subnet DHCP and assign the upper half as static IPs e.g. 192.168.1.128/25 or DHCP start 128 and limit 100 addresses).
  • From there, you go to the Firewall page and ADD allow traffic from LAN to wireguard (you can specify each MAC or IP under Traffic Rules, but no device will forward unless you give them the route via policy, this way - by adding a general policy, you'll never have to touch your firewall config to get the devices to use another default route).

I suggest adding a startup script like this to configure the devices to use wireguard as their default route:

# table "wg" must be listed in /etc/iproute2/rt_tables first, otherwise use a numeric table ID
ip route add default dev [name you have wireguard interface] via [tunnel IP] table wg
# one rule per device that should leave through the tunnel (priority must be unique per rule)
ip rule add from [IP/32] table wg priority 5
ip rule add from [IP/32] table wg priority 6
ip rule add from [IP/32] table wg priority 7
#etc.....


OR if you do the DHCP reconfig instead and all set top boxes are given a static (reserved) 4th IP octet <= 127, simply:

# table "wg" must be listed in /etc/iproute2/rt_tables first, otherwise use a numeric table ID
ip route add default dev [name you have wireguard interface] via [tunnel IP] table wg
# a single rule covers the whole upper half of the subnet
ip rule add from 192.168.1.128/25 table wg priority 5

IN ANY CASE, YOU HAVE TO CONFIGURE SOME IPs NOT TO CHANGE IF YOU WANT TO KEEP THE SAME LAN AND HAVE INDIVIDUAL DEVICES USE THE VPN.

This gives your network the following outbound route policy (doing the DHCP reconfig to Start 128 Limit 100):

  • 192.168.1.0/24 full network in kernel
    • 192.168.1.0/25
      • 1-127: WAN
    • 192.168.1.128/25
      • 128-228: DHCP Wireguard
      • 229-254: Available to statically assign to Wireguard
  • 255: SUBNET BROADCAST IP

So making a VLAN/LAN/SSID for the boxes would do the same (but, the suggestion above would be a lot more complex to initially set up, and you may have other physical and logical restrictions, now or in the future, keeping you from doing so).


You may want to take a look at this, not sure if it supports MACs though.


Thanks, I got it working with policy-based routing! However I had to add the new table in /etc/iproute2/rt_tables first.

@anomeome I saw that before and I didn't know that it works with WireGuard too. I installed it now and it seems really promising.


My apologies...you can only ID tables by NUMBER. Otherwise, you have to add them to the rt_tables file. Again, apologies for you having to find that out on your own...slipped my mind (I copied the config from a setup that gave the policy-based table a numerical ID).

Glad you got it working!

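The policy-based routing described in the answer above, together with the rt_tables entry the OP found was missing, as an added example script (not configuration from this thread or from OpenWrt). The interface name wg0, table ID 100, rule priority 5 and the 192.168.1.128/25 source block are assumptions; it is re-runnable and supports a DRY_RUN=1 mode for reviewing the commands before applying them.

```shell
#!/bin/sh
# Added example, not config from this thread. Assumptions (placeholders, adjust):
# WireGuard interface "wg0"; LAN hosts in 192.168.1.128/25 use the tunnel,
# everything else keeps the normal WAN default route in the main table.
WG_IF="${WG_IF:-wg0}"
VPN_SRC="${VPN_SRC:-192.168.1.128/25}"
TABLE_ID="${TABLE_ID:-100}"        # numeric ID: ip(8) always accepts this
TABLE_NAME="${TABLE_NAME:-wg}"     # a name only works once listed in rt_tables
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
RULE_PRIO="${RULE_PRIO:-5}"
DRY_RUN="${DRY_RUN:-0}"            # DRY_RUN=1 prints commands instead of running them

# run: execute a command, or echo it when DRY_RUN=1 for review
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ensure_table: map TABLE_NAME to TABLE_ID in rt_tables exactly once, so that
# "ip route show table wg" works; without the entry ip only knows the number
ensure_table() {
    grep -qE "^[[:space:]]*${TABLE_ID}[[:space:]]+${TABLE_NAME}[[:space:]]*$" "$RT_TABLES" 2>/dev/null \
        || printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
}

# apply_policy: the tunnel default route lives only in TABLE_ID; a source rule
# steers VPN_SRC there. wg0 is point-to-point, so no "via" gateway is required.
apply_policy() {
    # delete any earlier copy of the rule so re-running does not stack duplicates
    run ip rule del from "$VPN_SRC" table "$TABLE_ID" priority "$RULE_PRIO" 2>/dev/null || true
    run ip route replace default dev "$WG_IF" table "$TABLE_ID"
    run ip rule add from "$VPN_SRC" table "$TABLE_ID" priority "$RULE_PRIO"
}

# show_policy: what to inspect when a host exits via the wrong path
show_policy() {
    run ip rule show
    run ip route show table "$TABLE_ID"
}

# from /etc/rc.local: sh /root/wg-policy.sh apply   (try DRY_RUN=1 first)
case "${1:-}" in
    apply) ensure_table && apply_policy ;;
    show)  show_policy ;;
esac
```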

Did you ever find an answer to that?

It seems you may not have reviewed the thread, it's been solved.

Specifically to your question, you only check the relevant check boxes. In this case, masquerade is needed; but checking the box was not the cause of the OP's original problem.