Need help to resolve VPN Director issue

[wmd1942]

Yes, the issue is resolved by combining these 2 AllowedIPs in one line (see the revised config file below). I should have included the full web config page in the 1st place. Really appreciate all your help. What a great community here!

[Interface]
PrivateKey =
Address = 172.16.0.2/32
Address = 2606:4700:110:889d:c1ef:27f:14c3:9932/128
DNS = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
MTU = 1280
[Peer]
PublicKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = engage.cloudflareclient.com:2408

 

[ZebMcKayhan]

Address = 172.16.0.2/32
Address = 2606:4700:110:889d:c1ef:27f:14c3:9932/128

I just noticed you also got 2 Address directives and again the import you provided earlier shows only last one (ipv6) got imported. Your peer currently has no ipv4 address. If you say it's working anyway I have to believe you but I don't understand how the router performs SNAT (wich is usually required) without it. These should also be on one line with a ',' between them. Again, something for @RMerlin to look at for future improvements.

 

[wmd1942]

Yeah, that's strange as IPv6 is disabled (per RMerlin's suggestion). But I'm positive it's working as "ipleak.net" shows my IP (IPv4 only) from Cloudflare. By the way, I tried to route my guest WiFi subnet to VPN (in VPN Director) but it lost all internet after that. After searching in this wonderful forum, I got the problem resolved by adding the following 2 lines to YazFi's user script:

iptables -I YazFiFORWARD -i wl0.1 -o wgc1 -j ACCEPT
iptables -I YazFiFORWARD -i wgc1 -o wl0.1 -m state --state RELATED,ESTABLISHED -j ACCEPT

 

[ZebMcKayhan]

Just for reference, this is how dual stack import looks like:

 

[wmd1942]

I tried manually adding IPv4 address in GUI, but it won't allow me. I went back to config file and combined these 2 address directives into one line and re-upload. It still works. The GUI now shows:

 

[RMerlin]

Found this from your link:

AllowedIPs — a comma-separated list of IP (v4 orv6) addresses with CIDR masks from which incoming trafficfor this peer is allowed and to which outgoing traffic forthis peer is directed. The catch-all 0.0.0.0/0 may bespecified for matching all IPv4 addresses, and ::/0may be specified for matching all IPv6 addresses. May be specified multiple times.

So it does appear to be a bug in the router.

So the OP should just edit the config file and specify both arguments on one AllowedIPs directive, separated by a comma, then import again.

I implemented importing multiple instances of AllowedIPs and will submit it to Asus for upstream inclusion.

This should be included in 388.8_2.

 

[ZebMcKayhan]

I implemented importing multiple instances of AllowedIPs and will submit it to Asus for upstream inclusion.

This should be included in 388.8_2.

Great!

Looks like also interface Address and DNS may be specified multiple times:

wg-quick(8) - Linux manual page

Address — a comma-separated list of IP (v4 or v6)
addresses (optionally with CIDR masks) to be assigned to
the interface. May be specified multiple times.

DNS — a comma-separated list of IP (v4 or v6) addresses to
be set as the interface's DNS servers, or non-IP hostnames
to be set as the interface's DNS search domains. May be
specified multiple times.

 

[RMerlin]

Looks like also interface Address and DNS may be specified multiple times:

I'll see what I can do... This only makes parsing unnecessarily complicated considering they already allow you to provide multiple values per parameter.

The more I have to deal with WireGuard, the more I dislike it. For so many reasons.