Wireguard Session Manager - Discussion (2nd) thread

[ZebMcKayhan]

Ok, so now I know for sure what is the real deal in my conf if I want it to work.

Its the ipv6 in Address and Allowedips. I must remove those, otherwise it wont work. Nothing else needs changed.

Ok so it is ipv6 related. When you import a Peer with ipv4 and ipv6 and look at the output of (in wgm)

peer wg11

Is the imported ip ipv4 or ipv6? If ipv4 does it look ok as aaa.bbb.ccc.ddd/ee no exta characters or anything?

wgm checks the output of the command

nvram get ipv6_service

For explicit match "disabled". If you issue this outside wgm, do you get this exactly?

//Zeb

 

[DreaZ]

Ok so it is ipv6 related. When you import a Peer with ipv4 and ipv6 and look at the output of (in wgm)

peer wg11

Is the imported ip ipv4 or ipv6? If ipv4 does it look ok as aaa.bbb.ccc.ddd/ee no exta characters or anything?

wgm checks the output of the command

nvram get ipv6_service

For explicit match "disabled". If you issue this outside wgm, do you get this exactly?

//Zeb

nvram get ipv6_service
Replies back disabled.

Imported another unmodified WG-key (with ipv6 intact in the .conf) and peer wg12 replies back with the ipv6 and not ipv4. How did I miss this, could’ve saved so much time troubleshooting.

 

[ZebMcKayhan]

nvram get ipv6_service
Replies back disabled.

Imported another unmodified WG-key (with ipv6 intact in the .conf) and peer wg12 replies back with the ipv6 and not ipv4. How did I miss this, could’ve saved so much time troubleshooting.

Well then, there you go... strange though...

maybe the

if [ "$(nvram get ipv6_service)" == "disabled" ];then

Is too strict??? Capital D or space before or after would fail this? What router model are you on?

I'm sure @Martineau knows exactly what to do about this.

//Zeb

 

[DreaZ]

Well then, there you go... strange though...

maybe the

if [ "$(nvram get ipv6_service)" == "disabled" ];then

Is too strict??? Capital D or space before or after would fail this? What router model are you on?

I'm sure @Martineau knows exactly what to do about this.

//Zebb

I’m on Rt-ac86u

 

[ZebMcKayhan]

I’m on Rt-ac86u

Same as me and @Martineau then... this just gets wierder and wierder... and you are on 386.3_2... this should be solvable.

 

[DreaZ]

Same as me and @Martineau then... this just gets wierder and wierder... and you are on 386.3_2... this should be solvable.

Yes i’m on 386.3_2

 

[DragonOfJustice]

Hi Everyone, i'm having issue with routing

I setup wg11 as only VPN (using Mullvad config). the routing is specific

.150 is my IP Camera and DDNS, without this i can not connect to my Camera on other network with DDNS

If routing is correct i expect the router itself will route through VPN. However when i check router ip it's not connected through VPN

Is there something i missed? I want the router go through VPN too but it does not work with above routing. I looked for solutions in the forum but nothing found. Sorry for bothering

 

[ZebMcKayhan]

Is there something i missed? I want the router go through VPN too but it does not work with above routing. I looked for solutions in the forum but nothing found. Sorry for bothering

this is my experience as well. local process will typically not obey you routing rules since you have many interfaces on your router, the local process (curl in this case) will not give any source address, it will be determined during routing based most likely destination which usually means default routing in main routing table (== WAN).
you can read about source address selection here:

4.6. Source Address Selection

linux-ip.net

specific applications could be set to use (bind) a specific source address by changing the config but I dont know any way this could be done globally.

the only way I can think of is to revert to default routing and manually create a routing table without wg vpn and point you single camera ip to use this routing table, like this:

[Experimental] WireGuard for HND platform (4.1.x kernels)

Thank you for your work and effort! I'm trying to use Cloudflare WARP and was hoping, that the updated modules/kernel will solve my problem. I cannot resolve most domain names like reddit.com or speedtest.net after starting the WARP client/interface. Some domains, like snbforums.com, are loading...

www.snbforums.com

maybe someone have a better/simpler idea?

//Zeb

 

[DreaZ]

Hmm... on wg11 I have 192.168.1.20 WAN (Computer) and 192.168.1.1/24 VPN

DNSLeakTest shows ISP-IP on the computer, so it is working. But DNS shows from VPN Provider? DNS in router gui is on automatic from ISP, DNSFilter Global is set to router.

Seems strange.

 

[ZebMcKayhan]

Hmm... on wg11 I have 192.168.1.20 WAN (Computer) and 192.168.1.1/24 VPN

DNSLeakTest shows ISP-IP on the computer, so it is working. But DNS shows from VPN Provider? DNS in router gui is on automatic from ISP, DNSFilter Global is set to router.

Seems strange.

Im guessing this is because wgm sets up firewall to redirect DNS to VPN for VPN client and since your VPN range includes your computer it will be redirected aswell... if you really needs DNS to go out wan you will probably need to make some adjustments to the firewall manually (tedious...).

a better way could be to lock DHCP range (in GUI) to only give out 192.168.1.8 - 192.168.1.255. then manually assign .2 - .7 for computers going out WAN.
192.168.1.8/29 to VPN
192.168.1.1/29 to WAN

then there will not be any conflict with the rules in the firewall...

//Zeb

Edit: just realized that 192.168.1.8/29 would not cover the range needed... will edit in required rules as I have time...

Edit2: ok, so as long as you create rules explicit for VPN, you dont to need any WAN rules. sadly CIDR notation is not perfect for specify a range to NOT include. you need to decide to divide your ip range in 2 (2x128 addresses), 4 (4x65 Addresses), 8 (8x32 addresses). divided in 8 will give the following ranges:
192.168.1.0/27 #0 - 31 (no rule needed for this)
192.168.1.32/27 #32-63 (wgm VPN rule)
192.168.1.64/26 #64-127 (wgm VPN rule)
192.168.1.128/25 #128-255 (wgm VPN rule)

so change DHCP to only give out .32-.255 and create rules only for .32/27, .64/26, .128/25 to VPN in wgm...
manually assign your computer an ip .2-.31. more rules would be needed if you need to limit the WAN range further, but this is maybe a fair compromise?
last rules will be 192.168.1.16/28 (for 0-16 to WAN), 192.168.1.8/29 (0-7 to WAN), 192.168.1.4/30 (0-3 to WAN)... depending on how many rules you want and how many ip's you can afford to reserve for WAN only ip's...

 

[DragonOfJustice]

this is my experience as well. local process will typically not obey you routing rules since you have many interfaces on your router, the local process (curl in this case) will not give any source address, it will be determined during routing based most likely destination which usually means default routing in main routing table (== WAN).
you can read about source address selection here:

4.6. Source Address Selection

linux-ip.net

specific applications could be set to use (bind) a specific source address by changing the config but I dont know any way this could be done globally.

the only way I can think of is to revert to default routing and manually create a routing table without wg vpn and point you single camera ip to use this routing table, like this:

[Experimental] WireGuard for HND platform (4.1.x kernels)

Thank you for your work and effort! I'm trying to use Cloudflare WARP and was hoping, that the updated modules/kernel will solve my problem. I cannot resolve most domain names like reddit.com or speedtest.net after starting the WARP client/interface. Some domains, like snbforums.com, are loading...

www.snbforums.com

maybe someone have a better/simpler idea?

//Zeb

Thanks for the help Zeb, i don't understand most thing from that link you provided but i'll try

 

[ZebMcKayhan]

Thanks for the help Zeb, i don't understand most thing from that link you provided but i'll try

Ok, give it a try and let me know if you run out of luck (or patience) and I will try to kit together something.

Was kinda hoping someone would chip in with a better idea than this since I don't consider this to be a very scalable solution.

//Zeb

Edit: @DragonOfJustice hmm, I wonder if it works to

ip rule add iif lo table 121 prio 32000

If you issue this from the router shell and test your curl again? This might be a simpler way.

 

[DragonOfJustice]

I issued the command and as soon as i turn on wg11 there's no internet connection
i tried curl https://am.i.mullvad.net/connected and returned with host not resolve
Unbound on and off doesn't change result sadly

Ok, give it a try and let me know if you run out of luck (or patience) and I will try to kit together something.

Was kinda hoping someone would chip in with a better idea than this since I don't consider this to be a very scalable solution.

//Zeb

Edit: @DragonOfJustice hmm, I wonder if it works to

ip rule add iif lo table 121 prio 32000

If you issue this from the router shell and test your curl again? This might be a simpler way.

Edit

this is ip rule after turn on wg11, adding that rule in break internet

 

[ZebMcKayhan]

I issued the command and as soon as i turn on wg11 there's no internet connection
i tried curl https://am.i.mullvad.net/connected and returned with host not resolve
Unbound on and off doesn't change result sadly



Edit

View attachment 37026

this is ip rule after turn on wg11, adding that rule in break internet

Yea, I suspected this might happen. without knowing the extents of your system I was kind of hoping the sparse routing information in table 121 would be enough to serve your system. obviously not. had no idea you were running unbound.

if you try to add this rule in wgm:

E:Option ==> peer wg11 rule add wan dst=192.168.1.1/16 comment ToLocalUseMain
E:Option ==> restart wg11

this would redirect any communication to your local clients (192.168.x.y) (like DNS replies back to the client) to the main routing table were routing information exists. if you are running more subnets (like wg server or similar these will need to be added as well, but we could worry about this later). this rule will have a higher priority so it will match local destination before our rule redirects it to table 121.
the plan is to end up with local packages for external communication only should be sent to table 121 (VPN) and nothing else.

then as wg11 is up and running, try issue:

ip rule add iif lo table 121 prio 32000

the "ip rule" will only be temporary and easily deletable by "ip rule del prio 32000" or a reboot. if you find this satisfactory we could make it stick by adding it to wg-up.sh (wgm custom scripts).

if not, it will get a whole lot more complicated and you will end up needing to handle both the tables and rules manually which might make you think about how bad you really need this and if it is worth it. but I will help you set it up if you want.

//Zeb

 

[DragonOfJustice]

Yea, I suspected this might happen. without knowing the extents of your system I was kind of hoping the sparse routing information in table 121 would be enough to serve your system. obviously not. had no idea you were running unbound.

if you try to add this rule in wgm:

E:Option ==> peer wg11 rule add wan dst=192.168.1.1/16 comment ToLocalUseMain
E:Option ==> restart wg11

this would redirect any communication to your local clients (192.168.x.y) (like DNS replies back to the client) to the main routing table were routing information exists. if you are running more subnets (like wg server or similar these will need to be added as well, but we could worry about this later). this rule will have a higher priority so it will match local destination before our rule redirects it to table 121.
the plan is to end up with local packages for external communication only should be sent to table 121 (VPN) and nothing else.

then as wg11 is up and running, try issue:

ip rule add iif lo table 121 prio 32000

the "ip rule" will only be temporary and easily deletable by "ip rule del prio 32000" or a reboot. if you find this satisfactory we could make it stick by adding it to wg-up.sh (wgm custom scripts).

if not, it will get a whole lot more complicated and you will end up needing to handle both the tables and rules manually which might make you think about how bad you really need this and if it is worth it. but I will help you set it up if you want.

//Zeb

After i added this one peer wg11 rule add wan dst=192.168.1.1/16 comment ToLocalUseMain

wg_manager changed it to Any to Any, is this expected?

after this i tried the ip rule again and no internet whatsoever. If wireguard is too hard to do this, can Openvpn do it?

 

[ZebMcKayhan]

wg_manager changed it to Any to Any, is this expected?

no, this is a bug... you might need to remove it:

E:Option ==> peer wg11 rule del 1

and add it in a different way:

E:Option ==> peer wg11 rule add wan 0.0.0.0/0 192.168.0.0/16 comment ToLocalUseMain

you will also need to add you old rules

E:Option ==> peer wg11 rule add wan 192.168.50.150 comment Camera
E:Option ==> peer wg11 rule add vpn 192.168.50.1/24 comment Everything

then, when this looks good, restart the peers and try to add the rules again.

after this i tried the ip rule again and no internet whatsoever. If wireguard is too hard to do this, can Openvpn do it?

I dont see why Open VPN would be any different (have never used it)... as you require policy based routing in combination needing to route local (router) packages out VPN. maybee the VPNDirector handles this differently, but I wouldnt know.

//Zeb

 

[DragonOfJustice]

no, this is a bug... you might need to remove it:

E:Option ==> peer wg11 rule del 1

and add it in a different way:

E:Option ==> peer wg11 rule add wan 0.0.0.0/0 192.168.0.0/16 comment ToLocalUseMain

you will also need to add you old rules

E:Option ==> peer wg11 rule add wan 192.168.50.150 comment Camera
E:Option ==> peer wg11 rule add vpn 192.168.50.1/24 comment Everything

then, when this looks good, restart the peers and try to add the rules again.


I dont see why Open VPN would be any different (have never used it)... as you require policy based routing in combination needing to route local (router) packages out VPN. maybee the VPNDirector handles this differently, but I wouldnt know.

//Zeb

Thanks Zeb

Using your commands i added 3 rules, but some how the rule 1 is below rule 2. Not sure if this would affect the result
After i restarted the wg11, here's the ip rule and curl result

I added your ip rule and my whole internet failed

To clarify stuff, i have these addons installed, sorry to not mention to you earlier if these would affect: Skynet, Diversion, Unbound
The wireguard manager is in dev branch 4.12b2

 

[chongnt]

I did tcpdump

tcpdump -i any udp port 51820

which shows my connection to Wireguard NordVPN. The source address is my WAN IP.
After add the ip rule

ip rule add iif lo table 121 prio 32000

, tcpdump show the source IP changed to wg11 private ip 10.5.0.2 and the VPN connection went down. I think this is the reason.

 

[ZebMcKayhan]

Thanks Zeb

View attachment 37028

Using your commands i added 3 rules, but some how the rule 1 is below rule 2. Not sure if this would affect the result
After i restarted the wg11, here's the ip rule and curl result

View attachment 37029

I added your ip rule and my whole internet failed

View attachment 37030

To clarify stuff, i have these addons installed, sorry to not mention to you earlier if these would affect: Skynet, Diversion, Unbound
The wireguard manager is in dev branch 4.12b2

hmm... noticing that both WAN rules end up with the same priority... have never seen this (actually didnt think this was possible)... try to delete your camera rule so you only have one prio 9910. dont know if this changes anything... probably @chongnt is right... this rabbit hole goes way deeper. but it could be worth a final test before giving up...

I would probably recommend you switch to default routing and handle your single computer outside:

E:Option ==> peer wg11 auto=Y
E:Option ==> restart wg11

then you should have all you want except for your camera will be on VPN but that is easier to fix. could you please confirm that this works for you?

one word of caution however, you will probably end up with Camera DNS lookup will be over VPN. but Im guessing you only use this to get to your camera from outside so it should be ok right?

//Zeb

 

[ZebMcKayhan]

tcpdump show the source IP changed to wg11 private ip 10.5.0.2 and the VPN connection went down. I think this is the reason.

somehow, yes... thinking that this all would be solved by the "local" routing table sorting out all local interface business but apparently not... wouldnt you get the same if you use default routing?