Wireguard VPN Peer Allow Address set to a VLAN subnet not working

2024-01-24 18:54:06
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.3 Build 20231201 Rel.32918

Hello everyone,

I have successfully configured a Wireguard VPN Interface and Peer with a third-party VPN vendor, like ProtonVPN, Mullvad, etc.

It works as expected when setting the Allow Address of the Peer to 0.0.0.0/0.

When set to 0.0.0.0/0, it routes all network traffic through the router for all VLANs.

But if the Allow Address is set to an existing VLAN subnet, like 192.168.10.0/29, it doesn't work.

So, the idea is to route all internet traffic of devices in one VLAN, out of the 5 we have, to use the Wireguard VPN Peer.

The other VLANs must have normal internet traffic, and only devices of the 192.168.10.0/29 subnet must go through the Wireguard VPN to browse the internet.

What is the proper configuration? What is needed? ACL, Static Route or Policy Routing? How to do it?

Any help would be greatly appreciated.

TL-SG2210MP v3.0
Switch: 3.0.6 Build 20230602 Rel.73473
Omada Controller: 5.12.9
Firmware: 2.11.3 Build 20230906 Rel.36272

LoveOmada
Re:Wireguard VPN Peer Allow Address set to a VLAN subnet not working
2024-01-24 19:14:51 - last edited 2024-01-24 19:23:26

@LoveOmada

I have a similar issue; I have tried everything without success with anything other than 0.0.0.0/0.

When you can route a single network, you probably have to look at ACLs to limit access from other VLANs.

There are rumors that there will be policy routing for Wireguard, but I don't know when.

https://community.tp-link.com/en/business/forum/topic/651332

@Clive_A should check with the test team; maybe we will get an answer this week.

Re:Wireguard VPN Peer Allow Address set to a VLAN subnet not working
2024-01-25 02:51:47

Hi @LoveOmada

Thanks for posting in our business forum.

1. Incorrect setup in allowed IP address. Please read the article about WG VPN in the Configuration Guide in the forum.

2. If you want to bypass this now, set up the WG on your cellphone or your individual device instead of on the router.

There is no Policy Routing for WireGuard VPN yet. So you cannot route it so that VLAN 10 or a single IP goes to a WireGuard VPN peer like Proton.

3. Even if there is Policy Routing, you should still pay attention to the allowed IP as 0.0.0.0/0.

Note that you don't know what subnet they (Proton, or any third-party VPN service provider) have on their end, so setting up 0.0.0.0/0 to route all traffic is expected, unless you know what you are doing and you specify the allowed IP subnets.

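The replies above hinge on what a peer's Allowed Address (WireGuard's AllowedIPs) actually selects. The following Python model is an added example, not code from the thread, from TP-Link or from WireGuard itself: it reproduces WireGuard's cryptokey routing rule (a packet is handed to the peer whose AllowedIPs covers the packet's destination, most specific prefix first, and the source address is never consulted) next to a source-based policy-routing lookup, which is the mechanism the original question actually needs. Peer names, host addresses and the egress labels "wan" and "wg-proton" are constructed for illustration; the 192.168.10.0/29 subnet and the 0.0.0.0/0 entry are the values from the thread.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Peer:
    """One WireGuard peer and its AllowedIPs list (constructed data)."""
    name: str
    allowed_ips: list[IPv4Network] = field(default_factory=list)


class CryptokeyRouter:
    """Models WireGuard's cryptokey routing table for outbound packets.

    A packet leaving the wg interface goes to the peer whose AllowedIPs
    contains the packet's DESTINATION address (most specific prefix wins).
    The source address plays no part in the choice.
    """

    def __init__(self) -> None:
        self.peers: list[Peer] = []

    def add_peer(self, name: str, allowed_ips: list[str]) -> Peer:
        peer = Peer(name, [ip_network(a, strict=False) for a in allowed_ips])
        self.peers.append(peer)
        return peer

    def select_peer(self, src: str, dst: str) -> Optional[str]:
        """Name of the peer that would encrypt a packet src->dst, or None
        when no peer's AllowedIPs covers dst (the packet then never enters
        the tunnel). `src` is accepted only to show that it is ignored."""
        dst_ip = ip_address(dst)
        best_len, best_peer = -1, None
        for peer in self.peers:
            for net in peer.allowed_ips:
                if dst_ip in net and net.prefixlen > best_len:
                    best_len, best_peer = net.prefixlen, peer.name
        return best_peer


class SourcePolicyRouter:
    """What the original post is after: choose an egress by SOURCE subnet.

    This is policy routing (on Linux, 'ip rule from <subnet> lookup
    <table>'), a property of the router's routing policy rather than of
    any peer's AllowedIPs. Egress names are constructed labels.
    """

    def __init__(self, default_egress: str = "wan") -> None:
        self.rules: list[tuple[IPv4Network, str]] = []
        self.default_egress = default_egress

    def add_rule(self, src_subnet: str, egress: str) -> None:
        self.rules.append((ip_network(src_subnet, strict=False), egress))

    def select_egress(self, src: str, dst: str) -> str:
        """Most specific source prefix wins; otherwise the default egress."""
        src_ip = ip_address(src)
        best_len, best_egress = -1, self.default_egress
        for net, egress in self.rules:
            if src_ip in net and net.prefixlen > best_len:
                best_len, best_egress = net.prefixlen, egress
        return best_egress


def demo() -> dict[str, Optional[str]]:
    """Compare the three configurations discussed in the thread."""
    vlan_host = "192.168.10.5"   # host in the 192.168.10.0/29 VLAN (constructed)
    other_host = "192.168.20.5"  # host in another VLAN (constructed)
    internet = "1.1.1.1"         # any public destination (constructed)

    # 1. AllowedIPs = the VLAN subnet: only packets DESTINED to that VLAN
    #    would be handed to the peer; VLAN hosts browsing the internet
    #    never match, which is the "doesn't work" case in the post.
    wrong = CryptokeyRouter()
    wrong.add_peer("proton-peer", ["192.168.10.0/29"])

    # 2. AllowedIPs = 0.0.0.0/0: every destination matches, so traffic from
    #    every VLAN that reaches the wg interface goes to the peer.
    catch_all = CryptokeyRouter()
    catch_all.add_peer("proton-peer", ["0.0.0.0/0"])

    # 3. Source-based policy routing: the one VLAN is steered to the wg
    #    interface (whose peer still needs AllowedIPs 0.0.0.0/0), while
    #    every other VLAN keeps the plain WAN.
    policy = SourcePolicyRouter(default_egress="wan")
    policy.add_rule("192.168.10.0/29", "wg-proton")

    return {
        "vlan_allowedips/vlan_host_to_internet": wrong.select_peer(vlan_host, internet),
        "vlan_allowedips/other_vlan_to_vlan_host": wrong.select_peer(other_host, "192.168.10.3"),
        "catch_all/vlan_host_to_internet": catch_all.select_peer(vlan_host, internet),
        "catch_all/other_vlan_to_internet": catch_all.select_peer(other_host, internet),
        "policy/vlan_host_to_internet": policy.select_egress(vlan_host, internet),
        "policy/other_vlan_to_internet": policy.select_egress(other_host, internet),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:44s} -> {result}")
```

Running the script shows the two failure modes side by side: with the VLAN subnet as AllowedIPs, a VLAN host heading for the internet is never handed to the peer (None), whereas a packet from another VLAN addressed to a host in 192.168.10.0/29 would be, if it ever reached the wg interface. Only the source-policy lookup produces the split the post asks for, which is why the official reply points to Policy Routing rather than to a different AllowedIPs value.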