Search results

You dont need to setup packet marks for this, that just complicates things. This is a good start: https://www.snbforums.com/threads/guide-wireguard-portforwarding.89737/post-903628

This is not really my area, so I probably cant help you. DoT is something I would expect to be used externally, like directly out to a public dns server or between something like stubby on the router which requests DoT externally or if dnsmasq can do this now days possibly. I wouldnt expect DoT...

The problem with using firewall-start isthat the firewall is not restarted when wgs1 starts, so your rules may be superseded when wgs1 starts. The firmware is already prepared to do all this in the wgserver-start hook script, but you need to amend the /etc/wg/fw_wgs1.sh file which is executed...

I dont do that. There always a risk with whatever you do and this means different things to different people. Not sure I understand what you mean. With the firewall rule removed, there is basically the same access from WG server to the router that there is from WAN to the router. Run a...

Sure, but there is really no need. The firewall is built up upon dropping everything last, then on top of it allow whatever should be allowed. now we removed the firewall rule that would allow wgs1 to access the router so this means it will be dropped by the firewall. any specific reason you...

Depends, and up to you. I didnt know you had IPv6 enabled. So, right now the firewall allows IPv6 from Wireguard Server to the router but not IPv4. if you are not using IPv6 over your VPS then it shouldnt matter. but just for the sake of: /jffs/scripts/wgserver-start #!/bin/sh #remove firewall...

No, that would not be reliable as the firewall rebuilds itself every now and then and not when wg-server is started. We would need to do this in wgserver-start First you need to turn on userscripts in the gui (Administration -> system) Then edit the file executed when wg server starts nano...

Depends on how it is setup to be used. The only thing that could matter is if you need dns lookup on the router (from wg server connected clients) for it to work. If this is your intended operation you should be good. We are not affecting any lan operation or any routing stuff. Try it out with...

Hmm, ok. Using non-official apps? And you are right, it wouldnt be secure from user tampering. The AllowedIP at the client is meant to tell the client which destination ip to go over the tunnel and which should not. But there are only a set of AllowedIPs, you cannot prevent an ip. So if you want...

Before we create files for persistance, if you log in over ssh and execute this line iptables -D WGSI -i wgs1 -j ACCEPT It should not give any output if it works. Then test if all that should work over wg is working and you get the effect you want. Just be careful, any config change on the...

Ofcource, its not using the tunnel anymore if AllowedIPs (client) is limited to wg subnet. All other data would not use the tunnel at all. Im assuming the OP want internet via his router as that would be the only reason left. Another resource local to the router itself. Unfortunately Im not...

What do you mean? If access intranet is set to No, WG is not allowed to be forwarded to LAN. Are you saying you can communicate with lan from WG even though access intranet is disabled? Or are you talking about something else?

This setting will only affect traffic to router itself and only the ports related to gui and/or ssh, nothing else. Everything else will be unaffected. But if you dont put your lan ip /24 in the list you may not have any access to the router gui yourself anymore.

This settings work for me, it prevents access to both gui and ssh over WG: But please note that it creates a high priority firewall rule that prevents access to all not listed so you better be sure to add your lan ip /24 so you dont lock yourself out. if you use ssh, test with that only first...

According to: https://github.com/RMerl/asuswrt-merlin.ng/blob/main/release/src/router/rc/wireguard.c the access intranet switch only prevents traffic from being forwarded to lan. The Gui is a service running locally on the router, and from what I see that is always allowed in the firewall and...

on an RT-AX86U PRO with this firmware running a speed test on WGC1 appears to run on a server quite far from both my WAN and VPN exit, in a different country: But when trying to select one a little closer manually in the list the test fails: I tried maybe 5 or 6 different servers, they all...

The wording "Allow DNS" implies that the router is not forcing anything. The DNS is in the wg config file according to your settings in the gui. If your client dont use that its a problem with the client, not the router. This setting would only allow the router itself to answer dns, if you dont...

Your peer 2 is set to the whole wireguard subnet. It is not allowed to have overlapping ip in AllowedIPs between peers which is probably why its not working. For each peer, if you only use single devce to connect in (not site-to-site) the AllowedIPs (server) should only be each client wg ip /32...

The mtu setting for wireguard server interface is currently not possible to change in gui. Use merlin user scripts: https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts Like this https://www.snbforums.com/threads/wireguard-server-tweaks.85758/post-852124 Check your settings under...

Thats great news!! So do you know what you problem really was? Please share. The ipv6/ipv4 stuff should not matter. If you have a very unsymmetrical speed this could very well be the case. Additionally if you are accessing smb shares, the added latency over vpn is a killer for smb due to how...