Wireguard Session Manager - Discussion (3rd) thread

...continued
Code:
[#] iptables -t nat -N WGDNS1
[#] ip6tables -t nat -N WGDNS1
[#] ip link add dev wg11 type wireguard
[#] wg setconf wg11 /tmp/wg11.14187 #(/opt/etc/wireguard.d/wg11.conf)
[#] ip address add dev wg11 <vpn_ipv4_range>
[#] ip -6 address add dev wg11 <vpn_ipv6_range>
[#] ip link set up dev wg11
[#] ip -6 link set up dev wg11
[#] ifconfig wg11 mtu 1420
[#] ifconfig wg11 txqueuelen 1000
[+] wg11-route-up.sh
[#] ip route add <VPN IP4> via <WAN IP4>
[#] ip rule add from 0/0 fwmark 0x1000/0x1000 table 121 prio 9991
[#] ip -6 rule add from ::/0 fwmark 0x1000/0x1000 table 121 prio 9991
[#] iptables -t mangle -A PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000 -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -A PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000 -m comment --comment WireGuard 'client'
[#] ip route add 0/1 dev wg11 table 121
[#] ip route add 128/1 dev wg11 table 121
[#] ip -6 route add 0::/1 dev wg11 table 121
[#] ip -6 route add 8000::/1 dev wg11 table 121
[#] ip route add table 121 10.0.0.0/8 proto kernel scope link src 10.50.60.10 dev br0
[#] ip route add table 121 10.50.60.0/24 proto kernel scope link src 10.50.60.1 dev br0
[#] ip -6 route add table 121 <ISP IPv6 Range> proto kernel metric 256 pref medium dev br0
[#] ip -6 route add table 121 fe80::/64 proto kernel metric 256 pref medium dev br0
Error: any valid prefix is expected rather than "10.50.1.3/32,aa36:7ef1:2add:aa88:100::3/128".
iptables v1.4.21: invalid mask `128' specified
Try `iptables -h' or 'iptables --help' for more information.
WireGuard-clientwg11: Warning 'server' peer (wg21) route not found - is it UP? FLUSH=
[+] wg11-up.sh
Code:
[#] ip link add dev wg21 type wireguard
[#] ip -6 link add dev wg21 type wireguard
[#] wg set wg21 fwmark 11501
[#] wg setconf wg21 /tmp/wg21.19293 #(/opt/etc/wireguard.d/wg21.conf)
[#] ip link set up dev wg21
[#] ip -6 link set up dev wg21
[#] ip address add dev wg21 10.50.1.1/24
ERR: bdmf_attrelem_add_as_num#4276: system: status:No resources. attribute:ipv4_host_address_table  index:0 value:171049217
[#] ip -6 address add dev wg21 aa36:7ef1:2add:aa88:100::1/120
[#] ifconfig wg21 mtu 1420
[#] ifconfig wg21 txqueuelen 1000
[#] ip route add default dev wg21 table 210
[#] ip rule add fwmark 0x000d2 table 210 prio 9810
[#] ip -6 route add default dev wg21 table 210
[#] ip -6 rule add fwmark 0x000d2 table 210 prio 9810
Error: any valid prefix is expected rather than "10.50.1.1/24,aa36:7ef1:2add:aa88:100::1/120".
Error: inet6 prefix is expected rather than "10.50.1.1/24,aa36:7ef1:2add:aa88:100::1/120".

What I do not know is what effect (if any) this is all having, as the LAN devices going through wg11 seem unaffected.

In regard to the road warrior devices, I had the idea that using passthru would be equivalent to connecting them directly to the VPN. Obviously this is not the situation so
(1) should this be what happens and if not (2) what should happen?

Finally it should be noted that on our Android phones (either VPN direct or on the LAN via wg11) there will be WebRTC leaks with current versions of Edge and Chrome - the standard flags are not available - I have not yet tested with Firefox or other browsers and do not currently have access to Android tablets, iPhones or iPads to test these. On desktops and laptops, disabling the 'leaky bits' is not a problem.
 
As the above seems to do what is needed, the next issue is how this affects any 'road-warrior' devices and what I should expect
It wouldn't affect at all, only Unbound uses this ip. RoadWarrior devices should use dnsmasq on wg21 ip which then forwards to Unbound and lookups using your ethX address.

Adding wg21 to wg11 or vice-versa (without passthru) generates error messages
I got these too:
Code:
ERR: bdmf_attrelem_add_as_num#4276: system: status:No resources. attribute:ipv4_host_address_table index:0 value:171049217
Seems I've run out of IPv4 addresses (or some memory where they are stored in some module is full) according to some Broadcom module. Everything seems to work anyway and I have not found any bad effect of it. The interface still gets its IPv4. I get it if I add wg21. But if I stop wg12 I can start wg21 with no errors, but I then get the error when I start wg12. I calculated 16 IPv4 addresses in the local routing table. Scanned the internet and this forum and found nothing. Perhaps it is because of Entware iptables?
Edit: one source file with this info could be found here but I don't know what to make of it: http://datashed.science/misc/bcm/gp...nsource/char/bdmf/impl1/framework/bdmf_attr.c

But the other error messages are wgm probably doing something wrong.

Regarding passthru... I don't think anyone tested this for ipv6, you might be first. Basically wgm adds wg21 ips to wg11 policy routes to have them routed out wg11 and it adds masquerading for them. You already took care of ALL masquerading so you could only add policy rules for wg21 ips in wg11.

I'm using Firefox for Android with the uBlock Origin add-on. It blocks WebRTC.
 
Just installed WG and everything is working.

One question, how do I change the DNS in the config file once I create the config to point to my router DNS instead of my WAN dns?
 
https://github.com/ZebMcKayhan/WireguardManager#setup-wg-server
You'll need to scroll down to "Device peer setup"

If you are on latest beta you could do it when creating the device peer, ie:
Code:
E:Option ==> create Samsung-S10 wg21 dns=local
If you are on stable release you could edit the .conf file according to the guide.
 
Awesome! Thank you, guess I am not on the beta, but editing the conf file to 192.168.50.1 for DNS and allowed IPs to 192.168.50.1/32 for split tunneling worked perfectly!
 
Well, assuming your router br0 interface is on 192.168.59.1. I recommend using the wg21 address for DNS on clients. All local addresses point to dnsmasq and wgm adds all wg* interfaces in dnsmasq.conf so it works.
While the br0 IP is working, you are relying on several dependencies to get to br0 which might change in the future. I try to keep everything as simple and stand-alone as possible to ease future maintenance.
 
I have to check my conf file. I just installed with the defaults. Right now, though, with those settings I am not seeing any issues. Should I be concerned?

Edit: just checked and it is using wg21

So what would be the best config? I would like to have split DNS
 
In regard to the source file - way over my head. :(

In regard to using wgm for a dual-stack setup, I think we have shown that
  • setting up as server and connecting a road-warrior (phone or laptop) works
  • setting up a default (all traffic) client works
  • setting up policy routing (via IP or MAC - better suited to SLAAC) works
  • BUT passthru does not - assuming by passthru you would effectively get the same result as connecting the road-warrior device directly to the VPN provider
so a question for you - what policy rules am I looking at in regard to 'wg21 ips in wg11.'

and for @Martineau - could you have a look at the debug errors showing in posts #80 and #81 and let me know what testing I can do to help?
 
No, no, no concerns... in principle you will get the same result with the br0 IP and the wg21 IP, but I recommend the wg21 IP for the sake of future maintenance.

Don't know how you setup your split dns so I cannot judge if it is affected or not.
Gotcha. For split DNS I made the config file after a default install. Then went to the conf file, and pointed the peer and client to DNS=192.168.50.1 and Allowed IPs=192.168.50.1. DNS goes through AdGuard Home and my router and the actual data goes through Verizon on my phone. So I maintain the speed but get DNS ad blocking on the go. DNSleaktest.com reports the correct DNS servers with no leakage!
 
so a question for you - what policy rules am I looking at in regard to 'wg21 ips in wg11.'
Something like:
Code:
E:Option ==> peer wg11 rule add vpn src=<wg21Ipv4>/24 dst=any comment wg21 To VPN
E:Option ==> peer wg11 rule add wan src=any dst=<wg21Ipv4>/24 comment To wg21 use Main
E:Option ==> peer wg11 rule add vpn src=<wg21Ipv6>/120 dst=any comment wg21 To VPN
E:Option ==> peer wg11 rule add wan src=any dst=<wg21Ipv6>/120 comment To wg21 use Main

To add all wg21 clients. Not sure if the "To wg21 use main" rules are needed but I would add them just in case...

Change to single IPs if you don't want the entire wg21 to go out wg11, but keep the "To wg21 use main" for your entire wg21...
 
Finally got what you were saying. I changed DNS to 10.50.1.1 and allowed IPs to 10.50.1.1/32 and all works well and now I can see queries in AdGuard Home. Thanks for the assist!
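
In a split-tunnel device config like the one described in the posts above, only traffic for AllowedIPs is routed into the tunnel, so the DNS address has to be covered by AllowedIPs or the queries do not travel over WireGuard. The check below is an added example, not code from the thread or from wireguard_manager; it handles IPv4 only, and the function names, keys, Address and Endpoint are placeholders or constructed values.

```shell
#!/bin/sh
# Added example; not wireguard_manager code. IPv4 only, names are hypothetical.

# ip4_to_int <a.b.c.d>: print the address as an integer, fail on anything else.
ip4_to_int() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr <ip> <net[/len]>: succeed when ip lies inside the prefix.
in_cidr() {
    ip=$(ip4_to_int "$1") || return 1
    net=$(ip4_to_int "${2%/*}") || return 1
    case $2 in */*) len=${2#*/} ;; *) len=32 ;; esac
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# conf_values <file> <key>: values of every "Key = a, b" line, space separated.
conf_values() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tr ',' ' '
}

# uncovered_dns <file>: print each IPv4 DNS server that no AllowedIPs entry covers.
uncovered_dns() {
    allowed=$(conf_values "$1" AllowedIPs)
    for d in $(conf_values "$1" DNS); do
        ip4_to_int "$d" >/dev/null || continue   # skip IPv6 and search domains
        hit=no
        for a in $allowed; do
            if in_cidr "$d" "$a"; then hit=yes; break; fi
        done
        [ "$hit" = yes ] || echo "$d"
    done
}

# make_conf <dns> <allowed-ips>: write a constructed device config, print its path.
make_conf() {
    f=$(mktemp)
    cat > "$f" <<EOF
[Interface]
PrivateKey = <device-private-key>
Address = 10.50.1.2/32
DNS = $1

[Peer]
PublicKey = <router-public-key>
AllowedIPs = $2
Endpoint = <router-wan-address>:<port>
EOF
    echo "$f"
}

good=$(make_conf 10.50.1.1 10.50.1.1/32)      # DNS/AllowedIPs values from the thread
bad=$(make_conf 192.168.50.1 10.50.1.1/32)    # constructed: DNS changed, AllowedIPs not
uncovered_dns "$good"    # prints nothing
uncovered_dns "$bad"     # prints 192.168.50.1
rm -f "$good" "$bad"
```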
 
@Martineau - could you have a look at the debug errors showing in posts #80 and #81 and let me know what testing I can do to help?
OK, I've updated the auxiliary scripts to address the IPv6 errors (and introduce new ones? :D )

  • wg_client v4.16.14
  • wg_server v4.16.10

To upgrade/test use
Code:
e  = Exit Script [?]

E:Option ==> uf dev
NOTE: No change in the wireguard_manager Beta v4.16bC version number
 
How do we go to the beta build?
 
Many thanks - works perfectly - I had added the outgoing (wg21 to VPN) rules, which did not work - adding the 'use main' fixed it
* IPv4 & IPv6
No DNS leaks
No WebRTC leaks (of IP)
Diversion ad blocking working
 
Great! So, did you test the latest beta passthru functionality (maybe should delete the rules before)?

Is this the end-of-the-line for you? You have given wgm an IPv6 run like no one before. I think we all learned a lot in the process! I know I have, thank you!
 
I removed the rules from @ZebMcKayhan in #91, ran the update, restarted wg11, wg21 and the device on my phone; do I need to delete and re-create the latter?

IPv4 is working, but IPv6 is showing the wg21 IPv6 addresses and DNS, not the wg11 (Azire) ones.

start wg21 debug
Code:
....
[#] ifconfig wg21 mtu 1420
[#] ifconfig wg21 txqueuelen 1000
[#] ip route add default dev wg21 table 210
[#] ip rule add fwmark 0x000d2 table 210 prio 9810
[#] ip -6 route add default dev wg21 table 210
[#] ip -6 rule add fwmark 0x000d2 table 210 prio 9810
[#] ip rule add from 10.50.1.1/24,aa36:7ef1:2add:aa88:100::1/120 table 121 prio 9981
Error: any valid prefix is expected rather than "10.50.1.1/24,aa36:7ef1:2add:aa88:100::1/120".
[#] ip -6 rule add from 10.50.1.1/24,aa36:7ef1:2add:aa88:100::1/120 table 121 prio 9981
Error: inet6 prefix is expected rather than "10.50.1.1/24,aa36:7ef1:2add:aa88:100::1/120".
[#] iptables -t mangle -I FORWARD -o wg21 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'server'
[#] iptables -t mangle -I FORWARD -i wg21 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'server'
....
start wg11 debug
Code:
[#] iptables -t nat -N WGDNS1
[#] ip6tables -t nat -N WGDNS1
[#] ip link add dev wg11 type wireguard
[#] wg setconf wg11 /tmp/wg11.3727 #(/opt/etc/wireguard.d/wg11.conf)
[#] ip address add dev wg11 <vpn_ipv4>/19
ERR: bdmf_attrelem_add_as_num#4276: system: status:No resources. attribute:ipv4_host_address_table  index:0 value:167775100
[#] ip -6 address add dev wg11 <vpn_ipv6>/64
[#] ip link set up dev wg11
[#] ip -6 link set up dev wg11
[#] ifconfig wg11 mtu 1420
[#] ifconfig wg11 txqueuelen 1000
[+] wg11-route-up.sh
[#] ip route add <vpn_ipv4_WAN> via <ISP_WAN>
[#] ip rule add from 0/0 fwmark 0x1000/0x1000 table 121 prio 9991
[#] ip -6 rule add from ::/0 fwmark 0x1000/0x1000 table 121 prio 9991
[#] iptables -t mangle -A PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000 -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -A PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000 -m comment --comment WireGuard 'client'
[#] ip route add 0/1 dev wg11 table 121
[#] ip route add 128/1 dev wg11 table 121
[#] ip -6 route add 0::/1 dev wg11 table 121
[#] ip -6 route add 8000::/1 dev wg11 table 121
[#] ip route add table 121 10.0.0.0/8 proto kernel scope link src 10.50.60.10 dev br0
[#] ip route add table 121 10.50.60.0/24 proto kernel scope link src 10.50.60.1 dev br0
[#] ip -6 route add table 121 <ISP_ipv6_range> proto kernel metric 256 pref medium dev br0
[#] ip -6 route add table 121 fe80::/64 proto kernel metric 256 pref medium dev br0
[#] ip rule add from 10.50.1.2/32 table 121 prio 9981
[#] iptables -t nat -I POSTROUTING -s 10.50.1.2/32,aa36:7ef1:2add:aa88:100::2/128 -o wg11 -j MASQUERADE
iptables v1.4.21: invalid mask `128' specified
Try `iptables -h' or 'iptables --help' for more information.
[#] ip -6 ip rule add from aa36:7ef1:2add:aa88:100::2/128 table 121 prio 9981
Object "ip" is unknown, try "ip help".
[#] ip6tables -t nat -I POSTROUTING -s 10.50.1.2/32,aa36:7ef1:2add:aa88:100::2/128 -o wg11 -j MASQUERADE
ip6tables v1.4.21: host/network `10.50.1.2' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
[#] ip route flush cache
[?] ip -6 route flush cache >>>>'Failed to send flush request: No such process'.....ALWAYS FAILS!!!!
[+] wg11-up.sh
...
 
Great! So, did you test the latest beta passthru functionality (maybe should delete the rules before)?

Is this the end-of-the-line for you? You have given wgm an IPv6 run like no one before. I think we all learned a lot in the process! I know I have, thank you!
passthru is not quite there, see above. Once it is done I have all I need for now, but happy to run more tests (family permitting) if you don't have any more dual stack volunteers.
 
Looks mostly like typo/concatenation errors....

But while following the sequence of commands, I don't see any route added to wg21 clients in the policy route table, nor any "to wg21 use main" rules. If none of these are added there might be issues for any client policy routed to wg11 to contact wg21 clients.
This may not always be a problem, but you will not be able to contact your LAN device, which is also routed to wg11, from wg21 clients (actually you could, but it won't be able to reply).
Maybe the most obvious problem is that if the entire wg21 (including wg21's own IP) is used in passthrough, any router local process (chrony, ntpd, dnsmasq and so on) will use the wg21 IP to contact wg21 clients, which leads to routing table 121 where no routes exist, so the connection may be broken. If wg21 clients are then set up to use the router for DNS and wg11 too, it is not going to work.
DNS is not really an issue for a vanilla setup where wg21 clients use WAN DNS and for passthru get redirected to wg11 DNS, but you are quite far from a vanilla setup.

I would have thought that wgm adds a route to wg21 in table 121 to get rid of this issue for passthru, but if it doesn't you still might need the 2 "To Wg21 use Main" rules even with passthru.
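
The failing commands in the debug output above each receive the combined `IPv4,IPv6` address string as a single argument, so `ip`, `iptables` and `ip6tables` all reject it. As an added illustration (not wireguard_manager's code; the function names are hypothetical), this POSIX shell example splits such a list and builds each command only from a prefix of the matching family:

```shell
#!/bin/sh
# Added illustration; not wireguard_manager code. Function names are hypothetical.

# addr_family <prefix>: print 4 or 6; fail if the argument is still a list
# or does not look like an address.
addr_family() {
    case $1 in
        ''|*,*)  return 1 ;;
        *:*)     echo 6 ;;      # every IPv6 literal contains ':'
        *.*.*.*) echo 4 ;;
        *)       return 1 ;;
    esac
}

# passthru_cmds <addr-list> <table> <prio> <out-iface>
# Split "v4/len,v6/len" and print one command per line, each built only
# from a prefix of the family that the tool accepts.
passthru_cmds() {
    list=$(printf '%s' "$1" | tr -d ' ')
    table=$2 prio=$3 oif=$4
    old_ifs=$IFS; IFS=,
    set -f; set -- $list; set +f
    IFS=$old_ifs
    for prefix in "$@"; do
        case $(addr_family "$prefix") in
            4) echo "ip rule add from $prefix table $table prio $prio"
               echo "iptables -t nat -I POSTROUTING -s $prefix -o $oif -j MASQUERADE" ;;
            6) echo "ip -6 rule add from $prefix table $table prio $prio"
               echo "ip6tables -t nat -I POSTROUTING -s $prefix -o $oif -j MASQUERADE" ;;
            *) echo "refusing unrecognised prefix: '$prefix'" >&2
               return 1 ;;
        esac
    done
}

# Address pair, table, priority and interface as they appear in the wg11 debug log.
passthru_cmds "10.50.1.2/32,aa36:7ef1:2add:aa88:100::2/128" 121 9981 wg11
```

The function only prints the commands, so the output can be reviewed before anything is applied on the router.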
 
