My goal: route all traffic from VLAN 99 to the outside through a WireGuard tunnel / VPN
I did set up a wireguard interface (let’s call it wg_p) connected to a Proton node which seems to work properly, i.e. ping -I wg_p 8.8.8.8 works as intended. All networks can be routed through this interface (0.0.0.0/0)
I also created a VLAN (let’s say br_lan.99, through luci) which I’d like to route exclusively through the wireguard interface
I thought that assigning wg_p and br-lan.99 to their own firewall zones (respectively WG_P and BR-LAN99) and allowing forward from BR-LAN99 to WG_P in luci would do the trick, but I suspect I'm missing an important piece about routing as it does not work
You speak about Proton VPN. I doubt they allow you to route the addresses of Vlan99 directly through the tunnel, so my bet is you need to enable masquerading on the WG_P zone.
I have a very similar setup to what you’re trying to achieve.
You do need masquerading on the wg_p zone as @hagrid mentioned.
I also have an interface set up (call it vpn_lan) and a respective firewall zone. The interface is set up with a bridge device br-vpn_lan, which bridges br-lan.99 and a wireless interface so I can optionally use the VPN by just connecting to a specific SSID.
I also have these 2 entries in /etc/config/network:
That creates a route table 200 that essentially routes everything via wg_p. I then configure the br-vpn_lan bridge to use that table so all traffic that hits the bridge gets routed to the VPN.
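The two /etc/config/network entries are not shown in the post above, so here is an added example of how such a setup is usually expressed in OpenWrt UCI syntax (this is not the poster's own configuration). It assumes the names used in the thread: a WireGuard interface `wg_p`, a VLAN-side interface `vpn_lan` whose device is the bridge `br-vpn_lan`, routing table number 200, and firewall zones `wg_p` and `vpn_lan`. The priorities and the fallback `unreachable` rule are my own additions: without the fallback, a lookup in table 200 that finds no route falls through to the main table, and VLAN 99 traffic would silently leave via the normal WAN while the tunnel is down.

```uci
# /etc/config/network (added example, not from the thread)

# Default route for the VPN table: everything in table 200 goes out via wg_p.
# netifd installs this route only while wg_p is up, so the table is empty
# while the tunnel is down.
config route 'vpn_default'
	option interface 'wg_p'
	option target '0.0.0.0/0'
	option table '200'

# Policy rule: packets entering from the vpn_lan interface (the br-vpn_lan
# bridge that carries br-lan.99) are looked up in table 200 first.
config rule 'vpn_lan_lookup'
	option in 'vpn_lan'
	option lookup '200'
	option priority '1000'

# Fallback (my addition): if table 200 yields no route, reject instead of
# falling through to the main table. This is what stops a WAN leak when the
# tunnel is down.
config rule 'vpn_lan_kill'
	option in 'vpn_lan'
	option action 'unreachable'
	option priority '1001'

# /etc/config/firewall (added example): the tunnel zone masquerades, as
# @hagrid noted, because the VPN provider only knows the tunnel address.
config zone
	option name 'wg_p'
	list network 'wg_p'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'vpn_lan'
	list network 'vpn_lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'vpn_lan'
	option dest 'wg_p'
```

After `/etc/init.d/network reload` and `/etc/init.d/firewall reload`, you can check the result from the router with `ip rule show` (the two `from all iif br-vpn_lan` rules should appear at priorities 1000 and 1001) and `ip route show table 200` (a single `default dev wg_p` entry while the tunnel is up). From a client on VLAN 99, the public address reported by any "what is my IP" service should be the Proton exit, and it should stop resolving entirely, rather than change to your ISP address, if you bring wg_p down.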
I tried with masquerading without success.
Thanks for the detailed info, I think the route info was what I was missing. I’ll try and tell you
[edit] Thanks to your advice, I managed to get it working. There is however an option I had to activate somewhere in the interface to make it work (can't find which for the time being, but it works)