Got WireGuard configured on my Omada router with controller. How do I send EVERYTHING through it ALL the time?

Got WireGuard configured on my Omada router with the OC200 controller. How do I send EVERYTHING through it ALL the time? My use case is not so much inbound (although I would like that), but outbound, so that all my torrents, IPTV, etc., which may be on a tablet or three different TVs (Chromecast), all get encrypted when connected to the internet. I don’t want to set up a paid VPN on every Chromecast, phone and tablet. So is there a way to encrypt full time, both incoming and outgoing? I’m using the hardware controller with an ER707-M2.

Thank you

Use 0.0.0.0/0, ::/0 in your config, a.k.a. all traffic.

How is your WireGuard peer set up? Is your router connected to a VPS where you want to egress your traffic? Or is this a separate location from which you want to send traffic to your router?
If setting up a device, set the Allowed IPs to 0.0.0.0/0 for IPv4 and/or ::/0 for IPv6.
If you want devices on a subnet to send data to a WireGuard tunnel, I assume you’d want a static route to the WireGuard interface as the next hop for WAN traffic, but I am not sure.
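The two replies above turn on what AllowedIPs actually does. The model below is an added example, not code from the thread or from TP-Link, that shows the two lookups a router makes: the kernel routing table first (connected LAN routes beat the default route, so LAN traffic never enters the tunnel), then WireGuard's cryptokey routing, which picks the peer whose AllowedIPs entry is the longest-prefix match for the destination and, inbound, drops any decrypted packet whose source is outside the sending peer's AllowedIPs. The peer name "vps" and all subnets are placeholders.

```python
"""Model of how WireGuard decides which traffic enters the tunnel.

Two lookups happen, in this order, for a router with a WireGuard peer:
 1. the kernel routing table: connected LAN routes are more specific than a
    default route, so LAN-to-LAN traffic never reaches the WireGuard interface;
 2. WireGuard "cryptokey routing": among the peers on the interface, the one
    whose AllowedIPs entry is the longest-prefix match for the destination
    gets the packet; inbound, a decrypted packet is dropped unless its source
    address lies inside the sending peer's AllowedIPs.
Constructed example; the peer name "vps" and the subnets are placeholders."""
import ipaddress


class WgRouter:
    def __init__(self, lan_nets, peers):
        # Connected (directly attached) networks, consulted before WireGuard.
        self.lan = [ipaddress.ip_network(n) for n in lan_nets]
        # peer name -> AllowedIPs list, as parsed networks
        self.peers = {p: [ipaddress.ip_network(n) for n in nets]
                      for p, nets in peers.items()}

    def next_hop(self, dst):
        """Return "lan", a peer name, or "wan" for a destination address."""
        dst = ipaddress.ip_address(dst)
        if any(dst in n for n in self.lan):
            return "lan"
        best = None  # (prefix length, peer)
        for peer, nets in self.peers.items():
            for n in nets:
                # `in` is False for mismatched IP versions, so v4 and v6
                # AllowedIPs entries never collide.
                if dst in n and (best is None or n.prefixlen > best[0]):
                    best = (n.prefixlen, peer)
        return best[1] if best else "wan"

    def accepts_from_peer(self, peer, src):
        """Inbound filter: WireGuard drops a decrypted packet whose source is
        outside the peer's AllowedIPs, so AllowedIPs is also an ACL."""
        src = ipaddress.ip_address(src)
        return any(src in n for n in self.peers.get(peer, []))


LAN = ["192.168.1.0/24"]


def full_tunnel():
    # The config the thread recommends: everything not on the LAN goes to the peer.
    return WgRouter(LAN, {"vps": ["0.0.0.0/0", "::/0"]})


def split_tunnel():
    # Only the tunnel subnet and one remote site are sent through the peer.
    return WgRouter(LAN, {"vps": ["10.8.0.0/24", "192.168.50.0/24"]})


if __name__ == "__main__":
    for label, r in (("full", full_tunnel()), ("split", split_tunnel())):
        for dst in ("192.168.1.20", "192.168.50.7", "1.1.1.1", "2606:4700:4700::1111"):
            print(f"{label:5} {dst:>22} -> {r.next_hop(dst)}")
        print(f"{label:5} accept packet from vps with src 8.8.8.8: "
              f"{r.accepts_from_peer('vps', '8.8.8.8')}")
```

Three things the model makes visible. Outbound, 0.0.0.0/0 also covers the peer's own Endpoint address, so without a bypass the encrypted UDP packets would themselves be routed into the tunnel; wg-quick solves this with an fwmark rule and a separate routing table, and on a router you need the equivalent (a host route for the endpoint via the real WAN). Inbound, 0.0.0.0/0 lets the peer deliver packets with any source address, which is what you want from a VPN exit but not from a site-to-site peer. Finally, when the peer's endpoint is unreachable, packets still match the peer and WireGuard drops them rather than sending them out the WAN, so a full tunnel fails closed.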

So is this for the ability to have encrypted internet access for all of the devices using the router? Is the WireGuard tunnel connecting to a VPN provider’s server? If it is one tunnel only, don’t you lose all internet access if the tunnel goes down?

I have an ER707-M2 along with the OC300 controller.

I have the same needs as you, but a different approach was taken. I wish I could use OpenVPN, but as far as I understand that protocol won’t work properly for this.

My need was to have outgoing internet access with encryption for all the devices, but to be able to turn the encryption on and off for each device, and also to utilize a number of VPN tunnels at the same time to avoid losing all connectivity when a tunnel goes down. This is all done through routing policies, with the different devices grouped and also the multiple VPN tunnels grouped.

I wanted to do this using the best possible secure protocol, which from what I can tell is OpenVPN, which can also allow you, in its configuration, to send some URLs not through the VPN and other URLs through the VPN. So, for example, certain banking websites or IRS tax websites, things like that that you cannot be accessing via a VPN, could still be used…

Unfortunately I learned that OpenVPN tunnels are configured only when established by the server end, so it is impossible to have routing policies change things from the client end. From what I understand from TP-Link, if you wanted separate OpenVPN tunnels, each would have to be on a separate VLAN (and the devices to utilize such would have to be on those VLANs).

The next best, and only other, protocol that I could find that would ‘fit the bill’ was L2TP/IPsec.

So I signed up with two VPN service providers (that offer L2TP/IPsec; many do not these days), both of which also don’t have their headquarters in any Nine Eyes country, and then set up 5 VPN client tunnels in different cities worldwide with each VPN service provider, none of them in any Nine Eyes country. I also selected cities in non-corrupt and stable countries.

Once I had my devices in groups, I then set up routing policies for the devices, where any of those policies can contain all 10 (or any number) of the VPN tunnels (each policy can have many-to-many connections).

The VPN server connections do go down from time to time, but only two or three at a time, never all 10 of course. So not only is my connection secure, but running a browser showing whoer.net or whatismyip.com and hitting refresh will show my location changing as the tunnel that responds first to the request responds :)

I would like to be able to use a more secure, newer, faster protocol, or a better way of doing things, but this seems to be fairly stable now… I’d love to figure out how to do this with OpenVPN instead… Your thoughts?

It is called a full tunnel, as opposed to a split (hybrid) tunnel.

Not sure if you can do this with WireGuard, but using OpenVPN you can set up a VPN policy and configure the local networks section with the IPs that you would like to have routed via it.

I have this configured for 192.168.1.0/24 so that all IPs in that space route via the VPN. Everything else routes via the router directly.

In allowed IPs on the client side especially

Yes, but only by VLAN, and there is no way to update it via routing policies etc. (note my other post).

For OpenVPN, I don’t need to use VLANs. But, like I said, no idea about WireGuard since I’m not using it.

OK, but I am saying that if you want to route different devices utilizing OpenVPN, and have some devices use one OpenVPN tunnel while other devices use no tunnel at all or a different OpenVPN tunnel, then each of the two OpenVPN tunnels has to be on a different VLAN for it to work with an Omada router (or so they told me).

So if I want to quickly flip a device from using one OpenVPN tunnel for its connection to a different OpenVPN tunnel, it can be done slowly by going in and changing the router settings, but I can do it faster by just changing its IP address?

I’m just looking for fast, on-the-fly flexibility here for quickly rerouting things dynamically as needed. That is why I liked the policy routing rules in Omada, but even changing those is slow going.

No need for VLANs for this. You could use different classes of IPs for the devices too. Then you could have multiple VPN tunnels alive and just change the tunnel a device uses by changing its IP.
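The approach the thread converges on (device groups selected by address range, each bound to a set of tunnels, with a device switched between tunnels by changing its IP) and the earlier worry about losing connectivity when a tunnel drops can be modelled in a few lines. The block below is an added example, not code from the thread, Omada or TP-Link. It assumes ordered failover within a policy and a `fail_closed` kill-switch option; those are assumptions for illustration, and Omada may instead spread sessions across the tunnels in a policy rather than prefer one. It models the device-based split, not the URL-based one mentioned for banking sites.

```python
"""Model of the source-based policy routing the thread settles on: device
groups (by address or subnet) are bound to an ordered list of VPN tunnels,
the first tunnel that is up carries the traffic, and a group whose tunnels
are all down is dropped rather than falling through to the plain WAN.

Constructed example. Tunnel names, subnets, the ordered-failover rule and the
`fail_closed` option are assumptions for illustration, not Omada's own
behaviour (Omada may spread sessions across the tunnels in a policy instead
of preferring one)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Tunnel:
    name: str
    up: bool = True


@dataclass
class Policy:
    sources: list        # ip_network objects this policy applies to
    tunnels: list        # Tunnel objects, in preference order
    fail_closed: bool    # True: drop when every tunnel is down (kill switch)


class PolicyRouter:
    def __init__(self):
        self.policies = []   # evaluated top to bottom, first match wins

    def add_policy(self, sources, tunnels, fail_closed=True):
        nets = [ipaddress.ip_network(s, strict=False) for s in sources]
        self.policies.append(Policy(nets, list(tunnels), fail_closed))

    def egress_for(self, src):
        """Return the tunnel name, "wan" (unencrypted default route) or "DROP"
        for a packet with source address `src`."""
        src = ipaddress.ip_address(src)
        for pol in self.policies:
            if any(src in n for n in pol.sources):
                for t in pol.tunnels:
                    if t.up:
                        return t.name
                return "DROP" if pol.fail_closed else "wan"
        return "wan"  # no policy matched: default route, no VPN


def build_demo():
    """One LAN, two tunnels, three device groups chosen by address range.
    Moving a device from 192.168.1.64/26 to 192.168.1.128/26 swaps which
    tunnel it prefers without editing any policy."""
    tunnels = {"vpn-a": Tunnel("vpn-a"), "vpn-b": Tunnel("vpn-b")}
    r = PolicyRouter()
    # TVs / torrent box: prefer vpn-a, fall back to vpn-b, never leak to WAN
    r.add_policy(["192.168.1.64/26"], [tunnels["vpn-a"], tunnels["vpn-b"]])
    # second group: same tunnels, opposite preference
    r.add_policy(["192.168.1.128/26"], [tunnels["vpn-b"], tunnels["vpn-a"]])
    # a single host (e.g. the PC used for banking) that must always go direct
    r.add_policy(["192.168.1.250/32"], [], fail_closed=False)
    return r, tunnels


if __name__ == "__main__":
    r, tunnels = build_demo()
    hosts = ("192.168.1.70", "192.168.1.130", "192.168.1.250", "192.168.1.10")
    for state in ("all up", "vpn-a down", "both down"):
        if state == "vpn-a down":
            tunnels["vpn-a"].up = False
        if state == "both down":
            tunnels["vpn-b"].up = False
        print(state, {h: r.egress_for(h) for h in hosts})
```

The point the kill switch makes: with `fail_closed=True` a group whose tunnels are all down gets "DROP", which is the behaviour you want for the torrent and IPTV devices; without it (or with no policy at all, as for 192.168.1.10 here) the traffic silently leaves over the plain WAN the moment the tunnels fail, and the devices themselves have no way to notice.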