Wireguard Session Manager - Discussion (3rd) thread
- Thread starter archiel
- Start date
My mistake - DNS is behaving as expected for both IPv4 and IPv6.
What is not happening is routing the device's IPv6 connections through the tunnel, starting with I had not attached it!
Also I have edited wg11-up.sh in #17 to include your recommendation in in #16 of
Code:
ip6tables -t nat -A WGDNS1 -s <LanIP6> -j DNAT --to-destination <RouterIp6>
Code:
E:Option ==> peer wg11
Client Auto IP Endpoint DNS MTU Public Private
Annotate
wg11 P 10.0.11.124/19, 2a0e:1c80:4:2000::b7d/64 nl1.wg.azirevpn.net:51820 10.50.60.1,fe80::aa5e:45ff:feae:50aa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyI= # N/A
Selective Routing RPDB rules
ID Peer Interface Source Destination Description
4 wg11 VPN fd36:7ef1:2add:aa88:100::1 Any Unbound6VPN
3 wg11 VPN 192.168.3.1 Any Unbound4VPN
2 wg11 VPN 10.50.60.150 Any Local PC
Code:
# ip -6 rule
0: from all lookup local
9911: from fd36:7ef1:2add:aa88:100::1 lookup 121
32766: from all lookup main
Code:
#ip -6 route show table 121
default dev wg11 metric 1024 pref mediumHowever if I try to attach the Local PC's IPV6 address, either as
Code:
peer wg11 rule add vpn 2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62
Code:
peer wg11 rule add vpn src=2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62
Code:
Selective Routing RPDB rules
ID Peer Interface Source Destination Description
4 wg11 VPN fd36:7ef1:2add:aa88:100::1 Any Unbound6VPN
7 wg11 VPN Any 2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62
3 wg11 VPN 192.168.3.1 Any Unbound4VPN
2 wg11 VPN 10.50.60.150 Any Local PCTwo questions
2. as the IPv6 address is dynamic, how do I manage when it changes?
Following your advice in #3 I have added
Code:
ip6tables -t mangle -I PREROUTING -m mac --mac-source <devicemac> -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -I PREROUTING -m mac --mac-source <devicemac> -j MARK --set-mark 0x1000/0x1000
Code:
ip rule add from all fwmark 0x1000 table 121 prio 9900
ip -6 rule add from all fwmark 0x1000 table 121 prio 9900
echo 2 > /proc/sys/net/ipv4/conf/wg11/rp_filterChecked with ipleak.net, browserleak.com, test-ipv6.com & ipv6-test.com
Hopefully final questions
I should add the above to my wg11-up /wg11-down scripts?
is echo 2 > /proc/sys/net/ipv4/conf/wg11/rp_filter taken down on stop wg11, or do i need to do anything is the wg11-down.script?
I assume I can remove the IPv4 vpn to 10.50.60.150 rule as it is now superfluous?
Last edited:
me to, but here I am.
ZebMcKayhan
Very Senior Member
You are doing it right, but wgm forces the change to destination for some reason. I tried it:
Code:
E:Option ==> peer wg12 rule add vpn src=2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd6
2
[✔] Updated RPDB Selective Routing rule for wg12 ***Source 2a02:c7f:x
xxx:yyyy:6e12:d4fa:7179:cd62 switched to destination!This is something @Martineau will look at, or explain.
Meanwhile you could add it yourself:
Code:
ip -6 rule add from 2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62 table 121 prio 9911there are no defined ways to handle when an ipv6 changes as the router is not in control over that. But we should be able to manage prefix changes...
Solved using your recommendation in #3 above - see edits to #22 using the MAC address to circumvent the problem
AND this setup also sends all DNS enquires (IPv4 and IPv6) for all LAN devices (except I assume anything using DoH) through the WireGuard VPN, something that was not achievable on OpenVPN, as the router client does not support IPv6.
I may test using the revised instructions for adding the IPv6 to wg11 over the weekend and this may be a better/alternative solution where someone is using DHCP6 so the addresses are fixed. For SLAAC, where they are not I think using the MAC addresses (provided they are not also dynamic) is a more robust solution.
Next tests - passthrough.
Last edited:
Martineau
Part of the Furniture
When specifying the Selective Routing Rule, if there is any ambiguity (routable IP address vs. private IP address) then you must explicitly specify both the
src= and dst= parameterse.g.
Code:
e = Exit Script [?]
E:Option ==> peer wg12 rule add vpn src=2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62 dst=any
[✔] Updated RPDB Selective Routing rule for wg12
Client Auto IP Endpoint DNS MTU Public Private Annotate
wg12 N 10.168.128.1/32,fd00:bbbb:bbbb:bb01::9:1e00/128 193.220.213.51:51820 193.138.218.74 j//ylCahjy/LiynsaPKYkOwBmE5F0M6lQMZfgicJpm8= UO1tzRPU/EZeeKWSd3aR17lqWi6tD1snPXkXyqBLf0Q= # Mullvad France, Paris
Selective Routing RPDB rules
ID Peer Interface Source Destination Description
1 wg12 VPN 2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62 Any
Last edited:
ZebMcKayhan
Very Senior Member
Really doesn't matter since the interface is brought down so these files are removed.
Does this work for wireless clients as well? Mac address is a low-level part of the protocol and removed in the higher level.
I don't know, I've never tried this, youre the first-runner. You tell me. Reliability? Efficiency? But in principle, yes, but make sure to test so it covers all cases (like tcp, udp)
ZebMcKayhan
Very Senior Member
While I haven't tried this, it seems possible to create Mac address ipsets:
Code:
ipset create wg11-mac hash:mac
ipset add wg11-mac XX:XX:XX:XX:XX:XXhere you could add as many Mac addresses to the set as you wish.
I expect it is not possible to add this ipset in wgm, but the firewall rule would be something like:
Code:
iptables -t mangle -I PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000
ip6tables -t mangle -I PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000After this you could manage the Mac addresses in the ipsets instead of changing and adding more firewall rules. .
1. Okay
2. Just tried on my phone (Samsung S20-5G - Android 12) and a laptop (Windows 10) - both tested the same as wired devices.
3. I have removed IPv4 vpn to 10.50.60.150 rule and in addition to the sites noted above (ipleak.net, browserleak.com, test-ipv6.com & ipv6-test.com) I also ran
Code:
tcpdump -vv -i $(nvram get wan0_ifname) udp port 53 or tcp port 53 or tcp port 853Can you suggest any other tests I can run?
Sounds good - not used ipsets before - do they survive reboots and where would I find them?
ZebMcKayhan
Very Senior Member
Play around with tcpdump I guess to watch all traffic from your redirected ip on your WAN interface and see so it remains empty after some various internet usage.
they do not survive reboots on their own, you typically save them, either manually after each change, or set up a cron job to periodically save them, i.e:
Code:
ipset save wg11-mac > /opt/tmp/wg11-macand to restore on boot (like in nat-start):
Code:
IPSET_NAME=wg11-mac
if [ "$(ipset list -n "$IPSET_NAME" 2>/dev/null)" != "$IPSET_NAME" ]; then #if ipset does not already exist
if [ -s "/opt/tmp/$IPSET_NAME" ]; then #if a backup file exists
ipset restore -! <"/opt/tmp/$IPSET_NAME" #restore ipset
fi
finot sure if it is easier but once this is setup (and especially if you use a cron job to periodically save them) you could simply add or delete mac addresses in the set and thus change the routing for these ip's...
if it is indeed working good, perhaps we could make a polite request to @Martineau to include the
hash:mac ipset capabilities to wgm (ipv4+ipv6 firewall mark rule), so it takes care of the firewall rules and routing for you, but you will still need to create and restore the ipset yourself.
Martineau
Part of the Furniture
wireguard_manager simply tags the named IPSET so any type of IPSET should already be supported.However, the contents of the IPSET are deemed by default to contain destination elements such as Netflix/Hulu target IPs.
e.g.
Code:
e = Exit Script [?]
E:Option ==> peer wg12
Client Auto IP Endpoint DNS MTU Annotate
wg12 N 10.68.28.1/32,fc00:bbbb:bbbb:bb01::5:1c00/128 194.110.113.51:51820 193.138.218.74 # Mullvad France, Paris
Selective Routing RPDB rules
ID Peer Interface Source Destination Description
1 wg12 VPN 2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62 Any
IPSet Enable Peer FWMark DST/SRC
Netflix Y wg12 0x2000 dst
MACs Y wg12 0x2000 srcZebMcKayhan
Very Senior Member
I remember something about wgm scanning the set for
INET or INET6 to determine if the rules should be in iptables or ip6tables. this would go in both, hence my comment that wgm might need to recognize the hash:mac type of set and put in firewall rules for both (or as appropriate depending on router setup). or maybee it already does?
Last edited:
ZebMcKayhan
Very Senior Member
I don't know what parental control does, possibly flushes some firewall chains?
Are you referring to wg server or wg client or both? Ipv4, ipv6 or both? Policy/default mode?
What happens when it don't work? Loosing connection completally or something else?
I think it mess with firewall
Server. ipv4. Policy default. Can connect but no internet. It looks like block some devices on parental control change firewall and everything stops working.
I was thinking what for is that:
[✔] firewall-start is monitoring WireGuard Firewall rules
ZebMcKayhan
Very Senior Member
Ok... most probably it would filter content in the FORWARD chain. Check and compare before and after
Code:
iptables -nvL FORWARDWhat does the syslog say when you change parental control?
Scrub any sensitive data before posting
iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 wg21 0.0.0.0/0 0.0.0.0/0 /* LAN to WireGuard 'server clients' */
0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
Looks like this two entry are deleted after changing parental control
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 wg21 0.0.0.0/0 0.0.0.0/0 /* LAN to WireGuard 'server clients' */
0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
Looks like this two entry are deleted after changing parental control
ZebMcKayhan
Very Senior Member
That would explain why you loose contact.
It seems then as parental control is flushing the FORWARD filter Chain without a firewall-start event happens.
Check the syslog if there is any service-event you can use to restart wg when parental control is changed.
I have being trying to use ipsets and while the routing rules
Code:
iptables -t mangle -I PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000
ip6tables -t mangle -I PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000The issue is not the script, rather I cannot get it to run early enough, i.e. before WireGuard so that the wg11-mac value is picked up and restored before wg11-up.sh is run
I have tried running the code in wan-event, nat-start and services-start and (in case loading entware was the issue) moved the saved version from /opt/tmp to /jffs/addons/wireguard. Nothing helps and I always get
Code:
ipset list -n wg11-mac
ipset v7.6: The set with the given name does not exist
Code:
ipset list -n wg11-mac
wg11-macIt may be that the ipset module is busy with loading the Skynet ipsets or just that ipset is not yet functional when wgm starts. I can try disabling Skynet and trying again but for now, I have rebooted the router too many times for everyone's liking and will need to come back to this later.
Similar threads
Similar threads
Similar threads
-
New Addon - ChatAI - have a chat session with Googles Gemini AI Bot- Started by JGrana
- Replies: 2
-
Solved How do I remove WG Manager from amtm without resetting amtm?
- Started by DJones
- Replies: 2