...continued
Code:
[#] iptables -t nat -N WGDNS1
[#] ip6tables -t nat -N WGDNS1
[#] ip link add dev wg11 type wireguard
[#] wg setconf wg11 /tmp/wg11.14187 #(/opt/etc/wireguard.d/wg11.conf)
[#] ip address add dev wg11 <vpn_ipv4_range>
[#] ip -6 address add dev wg11 <vpn_ipv6_range>
[#] ip link set up dev wg11
[#] ip -6 link set up dev wg11
[#] ifconfig wg11 mtu 1420
[#] ifconfig wg11 txqueuelen 1000
[+] wg11-route-up.sh
[#] ip route add <VPN IP4> via <WAN IP4>
[#] ip rule add from 0/0 fwmark 0x1000/0x1000 table 121 prio 9991
[#] ip -6 rule add from ::/0 fwmark 0x1000/0x1000 table 121 prio 9991
[#] iptables -t mangle -A PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000 -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -A PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000 -m comment --comment WireGuard 'client'
[#] ip route add 0/1 dev wg11 table 121
[#] ip route add 128/1 dev wg11 table 121
[#] ip -6 route add 0::/1 dev wg11 table 121
[#] ip -6 route add 8000::/1 dev wg11 table 121
[#] ip route add table 121 10.0.0.0/8 proto kernel scope link src 10.50.60.10 dev br0
[#] ip route add table 121 10.50.60.0/24 proto kernel scope link src 10.50.60.1 dev br0
[#] ip -6 route add table 121 <ISP IPv6 Range> proto kernel metric 256 pref medium dev br0
[#] ip -6 route add table 121 fe80::/64 proto kernel metric 256 pref medium dev br0
Error: any valid prefix is expected rather than "10.50.1.3/32,aa36:7ef1:2add:aa88:100::3/128".
iptables v1.4.21: invalid mask `128' specified
Try `iptables -h' or 'iptables --help' for more information.
WireGuard-clientwg11: Warning 'server' peer (wg21) route not found - is it UP? FLUSH=
[+] wg11-up.sh
Code:
[#] ip link add dev wg21 type wireguard
[#] ip -6 link add dev wg21 type wireguard
[#] wg set wg21 fwmark 11501
[#] wg setconf wg21 /tmp/wg21.19293 #(/opt/etc/wireguard.d/wg21.conf)
[#] ip link set up dev wg21
[#] ip -6 link set up dev wg21
[#] ip address add dev wg21 10.50.1.1/24
ERR: bdmf_attrelem_add_as_num#4276: system: status:No resources. attribute:ipv4_host_address_table index:0 value:171049217
[#] ip -6 address add dev wg21 aa36:7ef1:2add:aa88:100::1/120
[#] ifconfig wg21 mtu 1420
[#] ifconfig wg21 txqueuelen 1000
[#] ip route add default dev wg21 table 210
[#] ip rule add fwmark 0x000d2 table 210 prio 9810
[#] ip -6 route add default dev wg21 table 210
[#] ip -6 rule add fwmark 0x000d2 table 210 prio 9810
Error: any valid prefix is expected rather than "10.50.1.1/24,aa36:7ef1:2add:aa88:100::1/120".
Error: inet6 prefix is expected rather than "10.50.1.1/24,aa36:7ef1:2add:aa88:100::1/120".
What I do not know is what effect (if any) this is all having, as the LAN devices going through wg11 seem unaffected.
In regard to the road warrior devices, I had the idea that using passthru would be equivalent to connecting them directly to the VPN. Obviously this is not the situation so
(1) should this be what happens and if not (2) what should happen?
Finally, it should be noted that on our Android phones (either VPN direct or on the LAN via wg11) there will be WebRTC leaks with current versions of Edge and Chrome - the standard flags are not available - I have not yet tested with Firefox or other browsers and do not currently have access to Android tablets, iPhones or iPads to test these. On desktops and laptops, disabling the 'leaky bits' is not a problem.
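The two errors in the log above ('any valid prefix is expected rather than "10.50.1.1/24,aa36:7ef1:2add:aa88:100::1/120"' and "invalid mask `128'") both come from handing a comma-separated dual-stack Address/AllowedIPs value to a tool that accepts exactly one prefix of one family: ip address add wants one prefix, and iptables has no idea what a /128 is. The POSIX sh helper below is an added example written for this reply; it is not the session-manager script whose output is quoted, and the FORWARD accept rule it emits is an assumed illustration rather than a rule taken from the log. It splits the value per address family and dispatches each prefix to ip or ip -6, and to iptables or ip6tables; RUN defaults to echo so it only prints the commands (set RUN= empty to execute them on the router).

```shell
#!/bin/sh
# Added example, not the session-manager scripts whose log is quoted above.
# A WireGuard "Address=" or "AllowedIPs=" value may hold several prefixes
# separated by commas, e.g. "10.50.1.1/24,aa36:7ef1:2add:aa88:100::1/120".
# `ip address add` and iptables each accept one prefix of one family, so the
# value has to be split and every prefix sent to the matching tool.
# RUN defaults to "echo" (dry run); set RUN= (empty) to really execute.
RUN=${RUN-echo}

# Print, one per line, the prefixes of the requested family ("4" or "6")
# found in a comma-separated list. Surrounding whitespace is trimmed, empty
# elements are skipped, and anything containing ':' is treated as IPv6.
prefixes_of_family() {
    fam=$1
    list=$2
    oldifs=$IFS
    IFS=','
    for p in $list; do
        p=$(printf '%s' "$p" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$p" ] || continue
        case $p in
            *:*) fam_of=6 ;;
            *)   fam_of=4 ;;
        esac
        if [ "$fam_of" = "$fam" ]; then
            printf '%s\n' "$p"
        fi
    done
    IFS=$oldifs
}

# Emit the per-family interface address commands for an "Address=" value:
# ip for IPv4 prefixes, ip -6 for IPv6 prefixes, one prefix per command.
add_interface_addresses() {
    dev=$1
    addrs=$2
    prefixes_of_family 4 "$addrs" | while read -r p; do
        $RUN ip address add dev "$dev" "$p"
    done
    prefixes_of_family 6 "$addrs" | while read -r p; do
        $RUN ip -6 address add dev "$dev" "$p"
    done
}

# Emit one firewall rule per prefix in a peer's "AllowedIPs=" value, using
# iptables for IPv4 and ip6tables for IPv6. The rule (accept forwarded traffic
# from the peer's prefixes arriving on the tunnel) is an assumed illustration.
peer_forward_rules() {
    dev=$1
    allowed=$2
    prefixes_of_family 4 "$allowed" | while read -r p; do
        $RUN iptables -A FORWARD -i "$dev" -s "$p" -j ACCEPT
    done
    prefixes_of_family 6 "$allowed" | while read -r p; do
        $RUN ip6tables -A FORWARD -i "$dev" -s "$p" -j ACCEPT
    done
}

# Dry run with the two values from the log: the wg21 interface address that
# failed with "any valid prefix is expected", and the road-warrior peer's
# allowed prefixes that produced "invalid mask `128'" when passed unsplit.
add_interface_addresses wg21 "10.50.1.1/24,aa36:7ef1:2add:aa88:100::1/120"
peer_forward_rules wg21 "10.50.1.3/32,aa36:7ef1:2add:aa88:100::3/128"
```

Run as-is it prints four commands, one per prefix and family; the same split applies to any other place a dual-stack value is fed to a single-family tool (the ip -6 "inet6 prefix is expected" error in the wg21 log is the IPv6 side of the same mistake).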