Search results

The wording "Allow DNS" implies that the router is not forcing anything. The DNS is in the wg config file according to your settings in the gui. If your client dont use that its a problem with the client, not the router. This setting would only allow the router itself to answer dns, if you dont...

Your peer 2 is set to the whole wireguard subnet. It is not allowed to have overlapping ip in AllowedIPs between peers which is probably why its not working. For each peer, if you only use single devce to connect in (not site-to-site) the AllowedIPs (server) should only be each client wg ip /32...

The mtu setting for wireguard server interface is currently not possible to change in gui. Use merlin user scripts: https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts Like this https://www.snbforums.com/threads/wireguard-server-tweaks.85758/post-852124 Check your settings under...

Thats great news!! So do you know what you problem really was? Please share. The ipv6/ipv4 stuff should not matter. If you have a very unsymmetrical speed this could very well be the case. Additionally if you are accessing smb shares, the added latency over vpn is a killer for smb due to how...

Did you enable custom scripts in gui?

The keys are indeed confusing for me as well. Each interface (like wgs1) have a private key and a public key. But wgs1 only have its own private key in its config. Whoever connects into wgs1 has wgs1 public key under its peer directive. Wgs1 also have 1 or more clients that can connects to it...

According to wg manual https://man7.org/linux/man-pages/man8/wg.8.html when you set an endpoint it does not go into the interface wgs1, but it needs to go in under a specific peer in wgs1: So, in order to add in an endpoint we need to specify to which peer (client) under wgs1 it should be...

Depending on what client you have and which app you are using perhaps there is a setting there somewhere?? No, as this is not related to peer ipv4/ipv6, it's about the udp tunnel. The tunnel is always over ipv4 OR ipv6, never both. It's always the client that chooses if the tunnel is over ipv4...

Yes! No, there is no option for that. 10.0.0.x will directly contact your server as is. Its typical for Windows to only allow local ips unless specifically opened up for other ips. You will need to allow 10.0.0.0/24 in the Windows firewall.

What do you mean with switched wan? The server needs to allow connections from wg network.perhaps its already done, but check? can you trace to asus router lan ip 192.168.3.1? Can you give me all AllowedIPs on all devices and I could take a look if something is wrong.

It would be up to the client trying to connect if should use ipv4 or ipv6. If its trying to use ipv4 and it does not work Im not too sure it will try with ipv6 as Wireguard doesnt have any active connection tracking. I have created a ddns with only ipv6 in it and no ipv4 to force ipv6 usage.

Ah, ok. So its not a site-2site? Just some clients connecting to the vps and want to reach your server on lan? So you should set Inbound firewall=allow Nat=no Keeping allowedIPs on asus router 10.0.0.0/24 should be fine. On the vps peer asus router connects to should have AllowedIP...

Its tricky without knowing all the details. You will need to provide all ips involved in this. Your issue is probably in AllowedIPs somewhere. It usually is. I can see a server ip, 192.168.3.46, is that an ip on a remote lan also connecting into the vps? I can see the Wireguard subnet...

No, I meant on the client device. As you cant make the handshake, your device is likely not reaching the router. Local wg ip hasnt come into play yet. thats no cgnat address, so what have changed? I did see your other posts and it looks like your back on public ipv4?

If the handshake fails then the tunnel does not work on a lower level. How are you setting the endpoint in your client? Are you using ipv6 as it is? Br0 ipv6 or wan iov6? Or are you using ddns, and if so, how do you know its trying to use ipv6). Iirc i did setup wgm for direct connection using...

The setting you are looking for is called: Inbound firewall. You should set it to allow. You also need to setup vpndirector rules. For reference, here is my setup, which initially used an addon for witrguard...

Great! Note that it must be in /jffs/scripts for it to be executed by firmware when rebuilding the nat table.

This really is a client issue if its not respecting wg dns. But if this is the way to solve I dont see a problem with it. If you want your rules to persist you could put them in the appropriate hook script, nat-start: https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts#nat-start It...

I just used this script when updating my RT-AX86U PRO from 388.8_4 to 3006.102.6 and it was successful. I removed my USB drive before updating. updated the FW and did a factory reset. did the basic setup manually and replugged my USB drive. when downloading and running the script again there...

if you add 10.6.0.1 to the allowedip list as "192.168.1.0/24, 10.6.0.1/32" then you should be able to use dns as 10.6.0.1 and have dns lookup by your router, potentially benefit if you are using domain names (or running Diversion or AGH or whatnot).