silicon101
Occasional Visitor
ugh, I reread my post after posting and you are entirely correct. Thank you for solving my error.
Quote:
Sorry, I'm running Wireguard Manager in my RT-AX86U and I have no modules loaded

Solved - thank you. Although wireguardVPN.conf had
I needed to run
Code:
loadmodules
and after completing
Code:
Requesting WireGuard® VPN Peer stop (wg21 wg12 wg11)
and now running
Code:
Initialising WireGuard® module 'wireguard-kernel'
Installing wireguard-kernel (1.0.20220627-RT-AX88U) to root...
Configuring wireguard-kernel.
Initialising WireGuard® module 'wireguard-tools'
Installing wireguard-tools (1.0.20210914-1) to root...
Configuring wireguard-tools.
I can see
Code:
[✔] WireGuard® Module LOADED Sat Nov 12 00:14:51 GMT 2022
MD5=70a85a1bed5f6313add595e2a95423c4 wireguard-kernel_1.0.20220627-RT-AX88U_aarch64-3.10.ipk
MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk
So I need to note that after a dirty upgrade
Code:
loadmodules
needs to be re-run.
Quote:
Sorry, I'm running Wireguard Manager in my RT-AX86U and I have no modules loaded

If Wireguard is working you most certainly have Wireguard kernel modules loaded, but you probably run on the ones compiled into the firmware. I've managed to compile the latest released one from the Wireguard team for RT-AC86U and RT-AX88U. This is what @archiel is running.
What's the difference between having kernel modules loaded or not?
Thanks.
Quote:
If Wireguard is working you most certainly have Wireguard kernel modules loaded, but you probably run on the ones compiled into the firmware. I've managed to compile the latest released one from the Wireguard team for RT-AC86U and RT-AX88U. This is what @archiel is running.

Well, last month I loaded kernel modules and it resulted in a complete corruption of Wireguard Manager. I had to reinstall and configure it from scratch.
Sadly I never managed to do it for RT-AX86U. After spending maybe 100h on it I just gave up. The firmware compiles just fine, but some symlink or something is missing in the kernel build folder, causing the kernel module build to fail. I likely won't attempt it anymore unless someone expresses their need for it while at the same time offering their help in resolving the issue.
I don't know if updated kernel modules have any impact on anything. Checking the change logs, there are mostly compatibility-related changes.
Quote:
Since I switched to Wireguard Manager (instead of OpenVPN), Unbound barely gets to block any ads; they mostly all go through. I used to have over a 98% ad blocking hit rate previously.
What did I forget to enable, link, configure?

https://github.com/ZebMcKayhan/WireguardManager#why-is-diversion-not-working-for-wg-clients
Quote:
Hi, I need some advice on iptables (I think). I successfully created a site-to-site mesh network using the guide from this forum. Below is the topology:
SiteA: wgIP 10.60.1.1 LAN 192.168.1.0/24
SiteB: wgIP 10.60.1.2 LAN 192.168.2.0/24
SiteC: wgIP 10.60.1.3 LAN 192.168.3.0/24
If I'm in the siteA network, I am able to access the devices in SiteB and C and vice versa.
Then I created another wg client in siteA with wgIP 10.60.1.4, which I am using on my phone.
When I connect to siteA through wg on my phone while outside, I am only able to access the devices behind siteA's IP address, but not siteB and siteC.
May I know how to access siteB and siteC IP addresses while I am connected to siteA using wireguard? I think it has to do with iptables. I have already tried several commands by trial and error but still cannot get it to work.
Thanks for the help
Is your mesh really a mesh or a star topology?
Did you set it up so that there is only one wg peer at each site?
What does your phone config file look like (redact any keys and mask IP/DDNS)?
Most likely you need to put your added phone wg IP (10.60.1.4) on the list of AllowedIPs on siteB and siteC. But if you run a star topology this could be simpler, so it will work even for newly added devices.
Quote:
Yes, it is working by adding the wg IP. Based on your advice, I added AllowedIPs as per the attached file. Thanks again

Thanks for sharing your setup, this is the first time I hear of someone using a mesh topology. Really cool that it's working!
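Why adding 10.60.1.4 to AllowedIPs on siteB and siteC fixes the phone, and why a star layout avoids the problem for future clients, comes down to WireGuard's cryptokey routing: on egress the peer is chosen by longest-prefix match over AllowedIPs, and on ingress a decrypted packet is dropped unless its source address falls inside the sending peer's AllowedIPs. The model below is an added example written for this thread (not anyone's real config and not WireGuard Manager code); the peer tables are constructed from the topology posted above, and it models only cryptokey routing, not the router's FORWARD chain or NAT.

```python
"""Cryptokey-routing model for the three-site WireGuard mesh discussed above.

Constructed example: the peer tables are built from the posted topology
(wgIP 10.60.1.x, LAN 192.168.x.0/24); they are not anyone's real config.
"""
import copy
import ipaddress
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network
PeerTable = Dict[str, List[Net]]          # peer name -> that peer's AllowedIPs


def nets(*cidrs: str) -> List[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]


# Each site's [Peer] sections before the fix.  Site A has the phone as a peer;
# sites B and C know nothing about 10.60.1.4.
MESH_BEFORE: Dict[str, PeerTable] = {
    "siteA": {"siteB": nets("10.60.1.2/32", "192.168.2.0/24"),
              "siteC": nets("10.60.1.3/32", "192.168.3.0/24"),
              "phone": nets("10.60.1.4/32")},
    "siteB": {"siteA": nets("10.60.1.1/32", "192.168.1.0/24"),
              "siteC": nets("10.60.1.3/32", "192.168.3.0/24")},
    "siteC": {"siteA": nets("10.60.1.1/32", "192.168.1.0/24"),
              "siteB": nets("10.60.1.2/32", "192.168.2.0/24")},
}


def with_phone_allowed(mesh: Dict[str, PeerTable]) -> Dict[str, PeerTable]:
    """The fix from the thread: add 10.60.1.4/32 to the siteA peer entry on B and C."""
    fixed = copy.deepcopy(mesh)
    for site in ("siteB", "siteC"):
        fixed[site]["siteA"].append(ipaddress.ip_network("10.60.1.4/32"))
    return fixed


# Star alternative: B and C peer only with A and accept the whole wg subnet from
# it, so any client A adds later (10.60.1.5, ...) is covered without edits.
STAR: Dict[str, PeerTable] = {
    "siteA": MESH_BEFORE["siteA"],
    "siteB": {"siteA": nets("10.60.1.0/24", "192.168.1.0/24", "192.168.3.0/24")},
    "siteC": {"siteA": nets("10.60.1.0/24", "192.168.1.0/24", "192.168.2.0/24")},
}


def egress_peer(peers: PeerTable, dst: ipaddress.IPv4Address) -> Optional[str]:
    """Outbound: wg sends to the peer whose AllowedIPs has the longest match for dst."""
    best: Optional[tuple] = None
    for name, allowed in peers.items():
        for n in allowed:
            if dst in n and (best is None or n.prefixlen > best[1]):
                best = (name, n.prefixlen)
    return best[0] if best else None


def ingress_ok(peers: PeerTable, from_peer: str, src: ipaddress.IPv4Address) -> bool:
    """Inbound: after decryption wg keeps the packet only if its source address is
    inside the AllowedIPs of the peer it arrived from; otherwise it is dropped."""
    return any(src in n for n in peers[from_peer])


def phone_reaches(mesh: Dict[str, PeerTable], site: str, lan_host: str) -> bool:
    """Can the phone (10.60.1.4, tunnelled into site A) reach lan_host behind `site`
    and get the reply back?  Cryptokey routing only; no FORWARD-chain modelling."""
    phone = ipaddress.ip_address("10.60.1.4")
    host = ipaddress.ip_address(lan_host)
    # 1. Site A forwards the phone's packet to the peer that owns the target LAN.
    if egress_peer(mesh["siteA"], host) != site:
        return False
    # 2. The remote site checks the source address against site A's AllowedIPs.
    if not ingress_ok(mesh[site], "siteA", phone):
        return False
    # 3. The reply must route back to site A, and site A must accept it from `site`.
    return (egress_peer(mesh[site], phone) == "siteA"
            and ingress_ok(mesh["siteA"], site, host))


if __name__ == "__main__":
    for label, mesh in (("before", MESH_BEFORE),
                        ("after", with_phone_allowed(MESH_BEFORE)),
                        ("star", STAR)):
        print(label, "B:", phone_reaches(mesh, "siteB", "192.168.2.10"),
              "C:", phone_reaches(mesh, "siteC", "192.168.3.10"))
```

Before the fix the packet from 10.60.1.4 is dropped at step 2 on siteB and siteC, which is why no amount of iptables work at site A helps; after the fix, or with the /24 in the star layout, both directions pass.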
Quote:
Using Merlin 388.1 and wireguard, do Diversion and other AMTM scripts still work on RT-AX88U?

If they are working in 386.5_2 then hopefully they should still work in 388.1. I have done dirty upgrades 386.5 > 386.7 > 386.8 > 388.1 betas > 388.1 final and all my extra scripts have continued to work. However, I am not running uiDivStats, FlexQoS or vnStat.
Code:
#ifdef RTCONFIG_HND_ROUTER
	fprintf(fp, "iptables -t mangle -I PREROUTING -i %s -j MARK --or 0x1\n", ifname);
	fprintf(fp, "iptables -t mangle -I POSTROUTING -o %s -j MARK --or 0x1\n", ifname);
	fprintf(fp, "ip6tables -t mangle -I PREROUTING -i %s -j MARK --or 0x1\n", ifname);
	fprintf(fp, "ip6tables -t mangle -I POSTROUTING -o %s -j MARK --or 0x1\n", ifname);
#endif
Quote:
Definitely interested and happy to run any tests (on AX88U).

Thanks! Although it seems AX88U is not currently available for 388.2: https://www.snbforums.com/threads/388-2-alpha-build-s-testing-available-build-s.82784/post-814336
Quote:
As it looks in the github commits, it looks like Asus/Rmerlin is using fwmarks to mark packages for bypass, similar to what WGM uses, but it only seems effective for AC86U and AX88U.

These are just fallback rules, which won't intercept all traffic. The real flow cache bypass which works for newer HND models is here:

Quote:
These are just fallback rules, which won't intercept all traffic.

Thanks!
Quote:
Thanks!

Basically you need to keep track of which CIDRs you use, and write them to the userspace /proc interface. You need to keep track of them because if you have two clients with the same IP address and you stop one client, you don't want to remove the IP until both clients are stopped.
Quote:
Basically you need to keep track of which CIDRs you use, and write them to the userspace /proc interface. You need to keep track of them because if you have two clients with the same IP address and you stop one client, you don't want to remove the IP until both clients are stopped.

Guess it's not that simple. I don't really have what it takes to put all that code into context to figure out whether or not this bypass could be used on Wireguard interfaces other than the ones created by the firmware.
Thanks!
Quote:
Code:
#define BLOG_SKIP_PORT "/proc/blog/skip_wireguard_port"
#define BLOG_SKIP_NET "/proc/blog/skip_wireguard_network"

So for ordinary policy routing based on source or destination IP it for sure seems doable. Although I'm not sure how to handle it when routing is based on an ipset, which could be thousands of destination IPs or IP and port combinations.