Business Community > Routers > Wireguard VPN Peer Allow Address set to a VLAN subnet not working
< Routers

Wireguard VPN Peer Allow Address set to a VLAN subnet not working

Wireguard VPN Peer Allow Address set to a VLAN subnet not working

Wireguard VPN Peer Allow Address set to a VLAN subnet not working
Wireguard VPN Peer Allow Address set to a VLAN subnet not working
2024-01-24 18:54:06 - last edited 2024-06-12 04:05:52
Tags: #VPN #Routing #Gateway ACL
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.3 Build 20231201 Rel.32918

Hello everyone,

 

Have successfully configured a Wireguard VPN Interface and Peer with a third-party VPN Vendor, like: ProtonVPN, Mullvad, etc.

 

It works as expected when setting the Allow Address of the Peer to 0.0.0.0/0.

 

When set to 0.0.0.0/0, it routes all network traffic through the router for all VLANs.

 

But, if the Allow Address is set to an existing VLAN Subnet, like 192.168.10.0/29 it doesn't work.

 

So, the idea is to route all internet traffic of devices in one VLAN out of the 5 we have, to use the Wireguard VPN Peer.

 

The other VLANs must have normal internet traffic and only devices of the 192.168.10.0/29 subnet must go through the Wireguard VPN to browse the internet.

 

What is the proper configuration? What is needed? ACL, Static Route or Policy Routing? How to do it?

 

Any help would be greatly appreciate it. 

 

TL-SG2210MP v3.0

Switch: 3.0.6 Build 20230602 Rel.73473

 

Omada Controller: 5.12.9

Firmware: 2.11.3 Build 20230906 Rel.36272

LoveOmada
  0      
 
  0      
 
#1
Options
1 Accepted Solution
Re:Wireguard VPN Peer Allow Address set to a VLAN subnet not working-Solution
2024-06-12 04:01:52 - last edited 2024-06-12 04:06:03

Hi  @LoveOmada 

PBR has been scheduled to V5.16: Wireguard policy routing

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  4  
  4  
#4
Options
3 Reply
Re:Wireguard VPN Peer Allow Address set to a VLAN subnet not working
2024-01-24 19:14:51 - last edited 2024-01-24 19:23:26

  @LoveOmada 

 

I have a similar issue, I have tried everything without success with anything other than 0.0.0.0/0

when you can route a single network, you probably have to look at acl to limit access from other vlans.

There are rumors that there will be policy routing for wireguard, but I don't know when.

https://community.tp-link.com/en/business/forum/topic/651332

 

@Clive_A should check with the test team, maybe we will get an answer this week.

 

 

  0  
  0  
#2
Options
Re:Wireguard VPN Peer Allow Address set to a VLAN subnet not working
2024-01-25 02:51:47

Hi @LoveOmada 

Thanks for posting in our business forum.

1. Incorrect setup in allowed IP address. Please read the article about WG VPN in the Configuration Guide in the forum.

2. If you want to bypass this now, set up the WG on your cellphone, or your individual device instead of on the router. 

There is no Policy Routing for WireGuard VPN yet. So you cannot route it like VLAN 10 or a single IP goes to WireGuard VPN peer like Proton.

3. Even if there is Policy Routing, you should still pay attention to the allowed IP as 0.0.0.0/0.

Note that you don't know what subnet they, Proton, or any third-party VPN service provider have on their end, so, setting up 0.0.0.0/0 to route all traffic is expected. Unless you know what you are doing and you specify the allowed IP subnets.

 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#3
Options
Re:Wireguard VPN Peer Allow Address set to a VLAN subnet not working-Solution
2024-06-12 04:01:52 - last edited 2024-06-12 04:06:03

Hi  @LoveOmada 

PBR has been scheduled to V5.16: Wireguard policy routing

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  4  
  4  
#4
Options

Information

Helpful: 0

Views: 760

Replies: 3

Tags

VPN Routing Gateway ACL
Related Articles
WireGuard - allow FQDN as Endpoint in Peer configuration
261 5
how to get Tunnel Peer IP address
282 0
ER605 v2.0 fw 2.2.2 Wire guard peer - can't select interface to create peer (solved; not fw issue)
628 0
 Wireguard > Peer has access to all VLANS, except one...
416 0
FQDN in Wireguard Peer Endpoint parameter?
455 0
 ER605 V2 Wireguard Allow Address for a whole /24
405 0
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.