
Wireguard Session Manager (4th) thread


I'm assuming there isn't a way of adding another wg12 instance and routing through there conditionally (if wg11 is not connecting to anything)?
There is always a way, but this is where the connectionless nature of WireGuard makes it more difficult.

@Martineau has made a script for failover, which is kind of what you want:
https://github.com/MartineauUK/VPN-Failover
but it is written for OpenVPN, so it may take some work to redo it for WireGuard. It would probably be easier to throw together something yourself...
 
Yeah, this is tricky... the problem is that the router has no control over which IP the device gets. Stateless means that the device only gets the prefix, then the device assigns itself the last part. This means it could be changing over time (privacy extensions). Anyway, the IP you should use is your 2a0c address, and I can't see properly in your picture, but one is probably based on the MAC. You could test both, but I would guess the top one is the one being used for external data. But beware that it may be changing and your rule may lose effect.

I achieved it for my Windows PC using an ipset with a manual MAC address, but once that was done, I wanted to add my mobile phone too, and I lost IPv6 connectivity.

I have a couple of questions.
First: do I have to add the prefix to the IPv6 address I want to route to the WireGuard client?
Second: I know there is a way to enable/disable an ipset inside Session Manager, but I can't figure it out. I have tried:

Code:
E:Option ==> peer wg11 upd ipset wg11-mac enable n
Error: in prepare, near "peer": syntax error
  UPDATE ipset SET use='N' WHERE ipset='wg11-mac' peer='wg11';
                                    error here ---^

        [✔] Updated IPSet 'wg11-mac' Enable for wg11
with no luck.

Third: why does Session Manager change my IPv6 address from source to destination? Here is the output of the command:

Code:
E:Option ==> peer wg11 rule add vpn src=2a0c:5a80:4708:c600:9e58:7c5e:9b53:f0db


        [✔] Updated RPDB Selective Routing rule for wg11 ***Source 2a0c:5a80:4708:c600:9e58:7c5e:9b53:f0db switched to destination!



        WireGuard® 'client' Peer needs to be restarted to implement RPDB rules

        Press y to restart 'client' Peer (VPN) or press [Enter] to SKIP.

Thanks in advance.
 
I achieved it for my Windows PC using an ipset with a manual MAC address, but once that was done, I wanted to add my mobile phone too, and I lost IPv6 connectivity.
Just on that device or all together? Some phones randomize the MAC, so you may need to turn that off, or make sure the device randomizes the MAC in a persistent way.

Do I have to add the prefix to the IPv6 address I want to route to the WireGuard client?
Yes, the entire IP with both the prefix and the device part. I wish that someday you would only need the device part, but until then...

Second: I know there is a way to enable/disable an ipset inside Session Manager, but I can't figure it out. I have tried:
Looks like there might be a bug in wgm. Only @Martineau could fix it...

Third: why does Session Manager change my IPv6 address from source to destination? Here is the output of the command:
I have no idea; it could be wgm's smart categorization since this is a global address. But try adding the dst as well to override:
Code:
E:Option ==> peer wg11 rule add vpn src=2a0c:5a80:4708:c600:9e58:7c5e:9b53:f0db dst=any
 
Just on that device or all together? Some phones randomize the MAC, so you may need to turn that off, or make sure the device randomizes the MAC in a persistent way.
All together. Now I would like to delete all rules and start from scratch, but I don't know how.

Yes, the entire IP with both the prefix and the device part. I wish that someday you would only need the device part, but until then...
Well, in that case, I would like to know how to find out that prefix. The Windows network properties dialog only shows addresses, not prefixes.
By the way, I imagined that was the case and added both IPv6 addresses with prefix /64, just in case, but it doesn't work. Now I've completely lost my IPv6 connectivity, even outside of WireGuard Manager.
As I said, I would like to know how to delete all and start from scratch.
Many thanks.
 
Well, in that case, I would like to know how to find out that prefix. The Windows network properties dialog only shows addresses, not prefixes.
By the way, I imagined that was the case and added both IPv6 addresses with prefix /64, just in case, but it doesn't work.
Just to be clear, the prefix is the first 64 bits of the address; it could be [2001:aaaa:bbbb:cccc], the rest of the address is the device part [dddd:eeee:ffff:1111], and put together it is the complete IP: [2001:aaaa:bbbb:cccc:dddd:eeee:ffff:1111]. The /64 is the CIDR, a form of network mask. Using /64 in a rule means only the first 64 bits are matched (the prefix), so such a rule would cover your entire LAN.

How to delete rules and ipsets is all in my guide:
https://github.com/ZebMcKayhan/WireguardManager#create-rules-in-wgm

And
https://github.com/ZebMcKayhan/WireguardManager#managesetup-ipsets-for-policy-based-routing

Edit: prefix length is perhaps what you are thinking about, but it's something else. A device requires 64 bits, which means the prefix can be at most 64 bits, and with that you will only be able to assign a single network. If you get a prefix with e.g. /48 ([2001:aaaa:bbbb::]) you have 16 bits (~65000) of networks you could assign yourself, so each network will have its own 64-bit prefix (48 bits assigned by the ISP, 16 bits assigned by you).
Prefix length is normally given as CIDR, as if you were assigned [2001:aaaa:bbbb::] you wouldn't know if you are free to change the last 16 bits or you just happened to be assigned the last 16 bits as 0.

So if you put 2001:aaaa:bbbb:cccc::1234:5678 in a rule it will be just a single device (/128), but if you add 2001:aaaa:bbbb:cccc::1234:5678/64 it will be your entire network.
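An added example (not from this thread and not wgm's code) that puts the prefix/device-part explanation above into code: it derives the modified EUI-64 interface identifier from a MAC, tells a MAC-derived address apart from a privacy-extension one (the "changing over time" case mentioned earlier), and shows why a bare address or /128 in a rule matches one host while /64 covers the whole LAN. The MAC 7C:10:C9:B3:6C:38 and the addresses are the ones that appear in this thread; the function names are assumed, not wgm commands.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC:
    split the MAC in half, insert ff:fe, and flip the universal/local bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def split_address(addr: str):
    """Return (64-bit prefix as a network, 64-bit interface identifier as an int)."""
    n = int(ipaddress.IPv6Address(addr))
    prefix = ipaddress.IPv6Network((n >> 64 << 64, 64))
    return prefix, n & ((1 << 64) - 1)


def classify_address(addr: str, mac: str) -> str:
    """'eui64' if the interface identifier is derived from the MAC (stable across
    prefix changes), otherwise 'random': an RFC 4941 privacy-extension or RFC 7217
    stable-privacy identifier, which a MAC-based rule cannot predict."""
    _, iid = split_address(addr)
    return "eui64" if iid == eui64_interface_id(mac) else "random"


def rule_scope(rule: str) -> str:
    """Describe what a rule argument matches: a bare address is an implicit /128."""
    net = ipaddress.IPv6Network(rule, strict=False)
    if net.prefixlen == 128:
        return "single host"
    return f"{net.with_prefixlen} ({net.num_addresses} addresses)"


def rule_matches(rule: str, addr: str) -> bool:
    """True if addr falls inside the network a rule argument denotes."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(rule, strict=False)


if __name__ == "__main__":
    mac = "7C:10:C9:B3:6C:38"  # router MAC quoted in this thread
    for a in ("fe80::7e10:c9ff:feb3:6c38", "2a0c:5a80:4708:c600:9e58:7c5e:9b53:f0db"):
        print(a, classify_address(a, mac), split_address(a)[0])
    for r in ("2a0c:5a80:460a:b00:4923:d086:abcd:1763",
              "2a0c:5a80:460a:b00:4923:d086:abcd:1763/64"):
        print(r, "->", rule_scope(r))
```

The link-local address classifies as "eui64" because its low 64 bits are exactly the MAC with ff:fe inserted and the 0x02 bit flipped; the 2a0c global address does not, so it is a temporary or stable-privacy address and will move whenever the OS regenerates it, which is why a per-address rule stops matching.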
 
Thanks for your quick reply.

As you can see in the following attached output, my WireGuard client has both IPv4 and IPv6 addresses and DNS.

Bash:
E:Option ==> peer wg11 add ipset wg11-mac


        [✔] Ipset 'wg11-mac' Selective Routing added wg11

Client  Auto  IP                                                            Endpoint            DNS                                MTU   Annotate
wg11    P     10.151.13.172/32,fd7d:76ee:e68f:a993:d0c0:1334:273a:628b/128  185.183.106.2:1637  10.128.0.1,fd7d:76ee:e68f:a993::1  Auto  # N/A

        Selective Routing RPDB rules
ID  Peer  Interface  Source                                      Destination                                 Description
14  wg11  WAN        Any                                         192.168.0.0/24
13  wg11  WAN        192.168.0.0/24                              Any
11  wg11  VPN        fe80::782b:cf7b:fb37:c62b/64                Any
15  wg11  VPN        Any                                         2a0c:5a80:460a:b00:4923:d086:abcd:1763/64
17  wg11  VPN        Any                                         2a0c:5a80:460a:b00:4923:d086:abcd:1763
16  wg11  VPN        Any                                         2a0c:5a80:460a:b00:29c3:eed3:5bc9:df21/128
18  wg11  VPN        Any                                         2a0c:5a80:460a:b00:29c3:eed3:5bc9:df21
19  wg11  VPN        2a0c:5a80:460a:b00:4923:d086:abcd:1763/64   Any
20  wg11  VPN        2a0c:5a80:460a:b00:4923:d086:abcd:1763      Any
21  wg11  VPN        2a0c:5a80:460a:b00:29c3:eed3:5bc9:df21/128  Any
22  wg11  VPN        2a0c:5a80:460a:b00:29c3:eed3:5bc9:df21      Any
8   wg11  VPN        192.168.1.207                               Any
5   wg11  VPN        192.168.1.18                                Any
4   wg11  VPN        192.168.1.16                                Any
7   wg11  VPN        192.168.1.140                               Any
3   wg11  VPN        192.168.1.14                                Any
6   wg11  VPN        192.168.1.137                               Any
2   wg11  VPN        192.168.1.12                                Any
12  wg11  VPN        192.168.1.11                                Any
1   wg11  VPN        192.168.1.10                                Any

IPSet     Enable  Peer  FWMark  DST/SRC
wg11-mac  Y       wg11  0x1000  src

Server  Client  Passthru
wg21    wg11    10.50.1.1/24

        Configuration rules for Peer wg11

Also, you can see that I've added a MAC-based ipset, still with no luck.
Additionally, I've added rules to my wg11 client for every IPv6 address I noted in my network properties dialog, which didn't work either.


Edit: After a 'restart wg11' command, all worked flawlessly. Thanks a lot!
Looking at your rules, perhaps it is good to start over. At least remove your rules #11, 15, 16, 17, 18. These could be the reason for your connection breaking to these devices.

It is just:
Code:
E:Option ==> stop wg11
E:Option ==> peer wg11 rule del 11
E:Option ==> peer wg11 rule del 15
E:Option ==> peer wg11 rule del 16
E:Option ==> peer wg11 rule del 17
E:Option ==> peer wg11 rule del 18
E:Option ==> start wg11

You should probably decide to use either rules or ipset_mac for IPv6; using both could have unexpected issues further down the road if your prefix or device IP changes. IPv4 is private and static, so there isn't the same risk there.
 
Good morning.

Well, I deleted the rules and added an ipset with the MAC address.

By now, my Windows PC is surfing the web through my VPN supplier, both for IPv4 and IPv6. Also my mobile phone, whose MAC address I've added to my MAC ipset.

The thing is that I would like to add an IPv4/IPv6 WireGuard server to my Session Manager setup, in order to pass my remote devices through to my VPN supplier, but when I do so, IPv6 connectivity breaks.

I don't know much about IPv6 addresses, but I've looked into my router's configuration and it seems that I have an IPv6 address with a /56 prefix that changes on every router reboot. I have two ways to configure it: stateless (the one I am using because I didn't want to change the default) or stateful, as can be seen in the attached images.

Which would be the best way to create an IPv4/IPv6 WireGuard server in Session Manager and route its clients through the IPv6 WireGuard client wg11, so these remote clients could access the Internet hidden behind my VPN supplier connection? I have tried following this link: https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#setup-wireguard-private-server, in particular the IPv6 part, but I don't know whether my IPv6 is static or dynamic, and it doesn't work. Here is my wg22 server configuration:

Edit: I suppose the IPv6 my ISP is giving me is dynamic, because it changes on every router reboot, but I don't know if I have to choose stateful or stateless, which is the router's default.

Edit 2: I already have a wg21 server configured with lots of WG clients. Can I somehow change its config to work with IPv6?

Code:
E:Option ==> peer wg22 config

        'server' Peer wg22 Configuration Summary


Server  Auto  Subnet                                     Port   Annotate
wg22    N     10.50.2.0/24,2a0c:5a80:4605:5a00:1::1/120  11502  # RT-AX86U (IPv4/IPv6) Server 2


Server  Client  Passthru
wg22    wg11    10.50.2.0/24,2a0c:5a80:4605:5a00:1::1/120

        Configuration rules for Peer wg22

PresharedKey = <hidden>

Public Key = <hidden>
PrivateKey = <hidden>
ListenPort = 11502
Client Peer: Xiaomi

Peer  Annotation
wg22  # RT-AX86U (IPv4/IPv6) Server 2

Many thanks.

The thing is that I would like to add an IPv4/IPv6 WireGuard server to my Session Manager setup, in order to pass my remote devices through to my VPN supplier, but when I do so, IPv6 connectivity breaks.
That's weird... server bypass to VPN works for me over IPv6, although I'm not using MAC ipsets; we may need to take a look at that.

I don't know much about IPv6 addresses, but I've looked into my router's configuration and it seems that I have an IPv6 address with a /56 prefix that changes on every router reboot. I have two ways to configure it: stateless (the one I am using because I didn't want to change the default) or stateful, as can be seen in the attached images.
You should use stateless, even if it is inconvenient. Stateful does not play nicely with some devices, e.g. Android...

Which would be the best way to create an IPv4/IPv6 WireGuard server in Session Manager and route its clients through the IPv6 WireGuard client wg11, so these remote clients could access the Internet hidden behind my VPN supplier connection? I have tried following this link: https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#setup-wireguard-private-server, in particular the IPv6 part, but I don't know whether my IPv6 is static or dynamic, and it doesn't work.
If your IPv6 prefix changes at every boot you have a dynamic one and should use a modified ULA for your server according to my guide.

Edit 2: I already have a wg21 server configured with lots of WG clients. Can I somehow change its config to work with IPv6?
You could change the server to include IPv6, but you cannot change the clients as their config is already imported.... Is there a problem with keeping it IPv4 only? Otherwise I would probably create a new server with the same private key as the old one had, then update all device configs with IPv6, import them into wgm again and bind them to your server.... but there would be a lot of trial and error until it works.

Here is my wg22 server configuration:
Looks like you created a server using your global prefix. If it's not static it could be your issue. Use a modified ULA instead and use the MASQUERADE rule, but if you are using bypass you don't need to worry, wgm does this for you (if memory serves).
 
Looks like you created a server using your global prefix. If it's not static it could be your issue. Use a modified ULA instead and use the MASQUERADE rule, but if you are using bypass you don't need to worry, wgm does this for you (if memory serves).
Hi.
Well, I did follow the tutorial point: IPv6 - setup with dynamic IPv6.

I chose option 3: generate a ULA (enter the wgm command "ipv6 ula" and it generates it for you), then change the first 2 letters to something not used, like aa (proposed).

So I used the wgm command 'ipv6 ula', which gave me an IPv6 address and a suggestion to replace the first two characters with 'aa', so the resulting address, after inserting the digits '100', is 'aa65:a7b6:23ff:100::/120', as follows:

Code:
E:Option ==> ipv6 ula

        Warning IPv6 ULA generate function requires Entware 'date' module.....')
Installing coreutils-date (9.1-1) to root...
Downloading https://bin.entware.net/aarch64-k3.10/coreutils-date_9.1-1_aarch64-3.10.ipk
Configuring coreutils-date.
        Removing package coreutils-date from root...

        On Wed Apr 26 15:07:44 2023, Your IPv6 ULA is 'fd65:a7b6:23ff::1/64' (Use 'aa65:a7b6:23ff::1/64' for Dual-stack IPv4+IPv6)

I created my wg22 server with the command:

Code:
peer new ip=10.50.2.1/24 ipv6=aa65:a7b6:23ff:100::1/120

Also I've created /jffs/addons/wireguard/Scripts/wg22-up.sh and /jffs/addons/wireguard/Scripts/wg22-down.sh with the corresponding MASQUERADE rules:

Code:
#!/bin/sh
# Masquerade IPv6 packets from wg22 server clients (aa65:a7b6:23ff:100::/120) to the WAN interface
ip6tables -t nat -I POSTROUTING -s aa65:a7b6:23ff:100::1/120 -o eth0 -j MASQUERADE -m comment --comment "WireGuard 'server'"

and

Code:
#!/bin/sh
# Remove the masquerade rule added by wg22-up.sh (same match so -D finds it)
ip6tables -t nat -D POSTROUTING -s aa65:a7b6:23ff:100::1/120 -o eth0 -j MASQUERADE -m comment --comment "WireGuard 'server'"

and I passed it through my wg11 client, which is IPv6 enabled and is working well with my LAN-connected devices.

I'm in doubt whether I should MASQUERADE my wg22 server to eth0 or to the wg11 client, since I am using passthru, but after trying both, neither of them works.

The result is that I'm getting an IPv4 address from my VPN supplier on my remote device, but no IPv6 at all.

Am I doing something wrong?

Best regards.
 
While @ZebMcKayhan is the expert here, this looks correct to me. In case it helps, my (slightly more long-winded) wg21-up.sh looks like:
Code:
#!/bin/sh
###############################################################################
# Example for Wg21 ipv6 = aa00:aaaa:bbbb:cccc:100::1/120
# Change to your needs but keep formatting
Wg21Prefix=aa36:xxxx:2add:aa88:: #Wg21 ULA prefix with aa instead of fd
Wg21Suffix=100::1  #Wg21 Device suffix (last 64 bits)
Wg21PrefixLength=120   #Wg21 Prefix Length (120 recommended)
WanInterface=eth0
# Changing below lines should not be needed:
WanIp6Prefix=$(nvram get ipv6_prefix)     #WanIp6Prefix=2001:1111:2222:3333::
Wg21_PrefIp=${Wg21Prefix%:*}${Wg21Suffix}/${Wg21PrefixLength}      #aa00:aaaa:bbbb:cccc:100::1/120
WanWg21_PrefIp=${WanIp6Prefix%:*}${Wg21Suffix}/${Wg21PrefixLength}   #2001:1111:2222:3333:100::1/120
##Execute firewall commands: with entware iptables
#ip6tables -t nat -I POSTROUTING -s ${Wg21_PrefIp} -o ${WanInterface} -j NETMAP --to ${WanIp6Prefix}/64
#ip6tables -t nat -I PREROUTING -i ${WanInterface} -d ${WanWg21_PrefIp} -j NETMAP --to ${Wg21Prefix}/64
##Or if no NETMAP (without entware iptables)
ip6tables -t nat -I POSTROUTING -s ${Wg21_PrefIp} -o ${WanInterface} -j MASQUERADE -m comment --comment "WireGuard 'server'"
###############################################################################
but the net result will be the same.

and checking:
Code:
E:Option ==> peer wg21

Server  Auto  Subnet                                       Port   Annotate
wg21    Y     10.50.1.1/24,aa36:xxxx:2add:aa88:100::1/120  11501  # RT-AX88U (IPv4/IPv6) Server 1

Server  Client  Passthru
wg21    wg11    pho21
and
Code:
E:Option ==> 3

        interface: wg21 Port:11501      10.50.1.1/24                    VPN Tunnel Network      # RT-AX88U (IPv4/IPv6) Server 1
                peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=      10.50.1.2/32,aa36:xxxx:2add:aa88:100::2/128             # pho21 "Device"
                 latest handshake: 1 minute, 18 seconds ago
                 transfer: 345.35 KiB received, 1.05 MiB sent           0 Days, 03:24:54 since Wed Apr 26 14:17:49 2023
and
Code:
E:Option ==> peer pho21

Device  Auto  IP                                           DNS                                   Allowed IPs      Annotate          Conntrack
pho21   X     10.50.1.2/32,aa36:xxxx:2add:aa88:100::2/128  10.50.1.1,aa36:xxxx:2add:aa88:100::1  0.0.0.0/0, ::/0  # pho21 "Device"  1682515069

Server  Client  Passthru
wg21    wg11    pho21

and the remote device (Samsung phone) is showing both IPv4 and IPv6 (local from the server and public from the VPN provider)
 
Also I've created /jffs/addons/wireguard/Scripts/wg22-up.sh and /jffs/addons/wireguard/Scripts/wg22-down.sh with the corresponding MASQUERADE rules:
Great, but from an earlier picture it looked like you have an IPv6 PPP connection. Are you sure eth0 is your outgoing interface for IPv6?

I'm in doubt whether I should MASQUERADE my wg22 server to eth0 or to the wg11 client, since I am using passthru, but after trying both, neither of them works.
Well, both are needed for communication to them to work, but I think wgm puts the masquerade for wg21 IPv6 in place when you select it for passthru (but I could be wrong). If the entire wg22 is set to pass through to wg11 then only the masquerade to wg11 would be needed. Check your firewall rules with:
Code:
ip6tables -nvL POSTROUTING -t nat

The result is that I'm getting an IPv4 address from my VPN supplier on my remote device, but no IPv6 at all.
Do you have an IPv6 connection to the router? From your client, can you ping aa65:a7b6:23ff:100::1?

If your problem is at the router, we may need to dig through your routing rules and firewall entries...
 
Great, but from an earlier picture it looked like you got ipv6 ppp connection. Are you sure eth0 is your outgoing interface for ipv6?
Now that you mention it, I'm in doubt, mostly because after trying a couple of 'ifconfig' commands, I have this:

Code:
juanantonio@RT-AX86U-6C38:/tmp/home/root# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 7C:10:C9:B3:6C:38
          inet6 addr: fe80::7e10:c9ff:feb3:6c38/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5333930 errors:0 dropped:163032 overruns:0 frame:0
          TX packets:6268469 errors:0 dropped:672 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4896596291 (4.5 GiB)  TX bytes:6272556819 (5.8 GiB)

Code:
juanantonio@RT-AX86U-6C38:/tmp/home/root# ifconfig br0
br0       Link encap:Ethernet  HWaddr 7C:10:C9:B3:6C:38
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2a0c:5a80:4605:5a00::1/56 Scope:Global
          inet6 addr: fe80::7e10:c9ff:feb3:6c38/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:5546766 errors:0 dropped:40729 overruns:0 frame:0
          TX packets:3213756 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4782249061 (4.4 GiB)  TX bytes:3590637734 (3.3 GiB)

Check your firewall rules with:
Code:
juanantonio@RT-AX86U-6C38:/tmp/home/root# ip6tables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 126 packets, 14641 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all      *      wg11    2a0c:5a80:4605:5a00::/64  ::/0                 /* WireGuard 'client' */
    0     0 MASQUERADE  all      *      br0     aa65:a7b6:23ff:100::/120  ::/0                 /* WireGuard 'server' */
    0     0 MASQUERADE  all      *      br0     aa65:a7b6:23ff:100::/120  ::/0                 /* WireGuard 'server clients to LAN' */
    0     0 MASQUERADE  all      *      wg11    aa65:a7b6:23ff:100::2/128  ::/0
    0     0 MASQUERADE  all      *      wg11    aa65:a7b6:23ff:100::/120  ::/0
    0     0 MASQUERADE  all      *      eth0    aa65:a7b6:23ff:100::/120  ::/0                 /* WireGuard 'server' */
  103 11047 MASQUERADE  all      *      wgc1   !fd7d:76ee:e68f:a993:d0c0:1334:273a:628b/128  ::/0
    0     0 MASQUERADE  all      *      eth0    aa65:a7b6:23ff:100::/120  ::/0                 /* WireGuard 'server' */
    0     0 MASQUERADE  all      *      wg11    2a0c:5a80:4605:5a10::/64  ::/0
  284 33770 MASQUERADE  all      *      wgc1   !fd7d:76ee:e68f:a993:d0c0:1334:273a:628b/128  ::/0
    0     0 MASQUERADE  all      *      wg11    2a0c:5a80:4708:c600:1::/120  ::/0
    0     0 MASQUERADE  all      *      wgc1   !fd7d:76ee:e68f:a993:d0c0:1334:273a:628b/128  ::/0
Do you have ipv6 connection to router? From your client, can you ping aa65:a7b6:23ff:100::1 ?

Right. My client is a Xiaomi Mi Mix 2S Android phone. I've just installed a network app and I'm getting a response from the wg22 peer.

Many thanks to both of you, @ZebMcKayhan and @archiel .
 
Just to give an update, I have:

Code:
E:Option ==> 3

        interface: wg22  Port:11502     10.50.2.1/24                    VPN Tunnel Network      # RT-AX86U (IPv4/IPv6) Server 2
                peer: xxxxxxxxxxxxxxxxxxxxxxxxx      10.50.2.2/32,aa65:xxxx:xxxx:100::2/128          # XiaomiMiMix2S "Device"
                 latest handshake: 1 minute, 44 seconds ago. (sec:104)
                 transfer: 177.91 KiB received, 1.42 MiB sent           0 Days, 00:01:52 since Wed Apr 26 21:12:47 2023

And I can also ping wg22 (aa65:a7b6:23ff:100::1) from my phone, but still haven't got a public IPv6 on this phone. I am only able to get a public IPv4 from my VPN provider.

Thanks.
 
Now that you are saying it, I'm in doubt, mostly because after trying a couple of 'ifconfig' commands
Check with:
Code:
ip -6 route | grep default

and while you are at it, check routing rules:
Code:
ip -6 rule

I see there are 0 packets matched by your masquerade rules, only for your firmware WireGuard client wgc1, which you forgot to mention. It should not be a problem but could be part of it.

Doesn't look like any IPv6 goes to either wg11 or eth0. Only to wgc1...
 
Hi.

Here is the output of the two commands you asked for:

Code:
juanantonio@RT-AX86U-6C38:/tmp/home/root# ip -6 route | grep default
default via fe80::1 dev ppp0 proto ra metric 1024 expires 814sec hoplimit 64 pref medium

Code:
juanantonio@RT-AX86U-6C38:/tmp/home/root# ip -6 rule
0:      from all lookup local
220:    from all lookup 220
9810:   from all fwmark 0xd2 lookup 210
9820:   from all fwmark 0xdc lookup 220
9981:   from aa65:a7b6:23ff:100::2 lookup 121
9991:   from all fwmark 0x1000/0x1000 lookup 121
32766:  from all lookup main

I'm sorry I didn't mention my firmware WireGuard client. I have it for redundancy reasons until I have finished working with Session Manager.

Thanks.
 
Here is the output of the two commands you asked for:
Your WAN IPv6 interface is ppp0 and not eth0, so you should change your masquerade rule to that and see what happens.

Your rule with prio 220 seems to be applied to all, which could be messing with us as it has higher priority than the wgm rules? What is in routing table 220?
Code:
ip -6 route show table 220
 
Your rule with prio 220 seems to be applied to all, which could be messing with us as it has higher prio than wgm rules? What is in routing table 220?

Code:
juanantonio@RT-AX86U-6C38:/tmp/home/root# ip -6 route show table 220
default dev wg22 metric 1024 pref medium

I've changed the masquerade rule to ppp0 with no luck.

Setting the -x flag in wg-22.sh results in:

Code:
+ Wg21Prefix=aa65:a7b6:23ff::
+ Wg21Suffix=100::1
+ Wg21PrefixLength=120
+ WanInterface=ppp0
+ nvram get ipv6_prefix
+ WanIp6Prefix=2a0c:5a80:4605:5a00::
+ Wg21_PrefIp=aa65:a7b6:23ff:100::1/120
+ WanWg21_PrefIp=2a0c:5a80:4605:5a00:100::1/120
+ ip6tables -t nat -I POSTROUTING -s aa65:a7b6:23ff:100::1/120 -o ppp0 -j MASQUERADE -m comment --comment WireGuard 'server'

Edit: I've tried disabling my firmware WireGuard client (wgc1), and here is the output of ip6tables:

Code:
juanantonio@RT-AX86U-6C38:/tmp/home/root# ip6tables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 97 packets, 9827 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all      *      wg11    2a0c:5a80:4601:e00::/64  ::/0                 /* WireGuard 'client' */
    0     0 MASQUERADE  all      *      wg11    aa65:a7b6:23ff:100::2/128  ::/0
    0     0 MASQUERADE  all      *      ppp0    aa65:a7b6:23ff:100::/120  ::/0                 /* WireGuard 'server' */
    0     0 MASQUERADE  all      *      br0     aa65:a7b6:23ff:100::/120  ::/0                 /* WireGuard 'server clients to LAN' */
    0     0 MASQUERADE  all      *      ppp0    aa65:a7b6:23ff:100::/120  ::/0                 /* WireGuard 'server' */

Still no luck.
 
Edit: I've tried disabling my firmware WireGuard client (wgc1), and here is the output of ip6tables:
But all these still show 0 packets matched. Try to use wg11 IPv6, e.g. check your IPv6 page or ping some IPv6 host like ipv6.google.com, and check the "pkts" count for the masquerade rule. If it's still 0, no packets are reaching wg11. Check that pkts increase both from LAN clients using wg11 and from wg21, and make sure wg11 IPv6 actually works.
 
But all these still show 0 packets matched. Try to use wg11 IPv6, e.g. check your IPv6 page or ping some IPv6 host like ipv6.google.com, and check the "pkts" count for the masquerade rule. If it's still 0, no packets are reaching wg11. Check that pkts increase both from LAN clients using wg11 and from wg21, and make sure wg11 IPv6 actually works.

Just to make sure wg11 ipv6 works, I tried the following commands:

Code:
C:\Users\Juan Antonio>ping ipv6.google.com

Pinging ipv6.l.google.com [2a00:1450:4003:803::200e] with 32 bytes of data:
Reply from 2a00:1450:4003:803::200e: time=15ms
Reply from 2a00:1450:4003:803::200e: time=15ms
Reply from 2a00:1450:4003:803::200e: time=16ms
Reply from 2a00:1450:4003:803::200e: time=16ms

Ping statistics for 2a00:1450:4003:803::200e:
    Packets: Sent = 4, Received = 4, Lost = 0
    (0% loss),
Approximate round trip times in milliseconds:
    Minimum = 15ms, Maximum = 16ms, Average = 15ms


Code:
juanantonio@RT-AX86U-6C38:/tmp/home/root# ip6tables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 6 packets, 512 bytes)
 pkts bytes target     prot opt in     out     source               destination
  367 40639 MASQUERADE  all      *      wg11    2a0c:5a80:4601:e00::/64  ::/0                 /* WireGuard 'client' */
   27  2248 MASQUERADE  all      *      ppp0    fd00:ac68:1::/64     ::/0
    0     0 MASQUERADE  all      *      wg11    aa65:a7b6:23ff:100::2/128  ::/0
    0     0 MASQUERADE  all      *      ppp0    aa65:a7b6:23ff:100::/120  ::/0                 /* WireGuard 'server' */


Code:
C:\Users\Juan Antonio>tracert ipv6.google.com

Tracing route to ipv6.l.google.com [2a00:1450:4003:803::200e]
over a maximum of 30 hops:

  1     1 ms     2 ms     2 ms  2a0c:5a80:4601:e00::1
  2    15 ms    15 ms    15 ms  fd7d:76ee:e68f:a993::1
  3     *        *        *     Request timed out.
  4    16 ms    17 ms    16 ms  2a01:300:c:0:82:102:29:90
  5    32 ms    23 ms    16 ms  ae3-990.cr3-mad5.ip6.gtt.net [2001:668:0:3:ffff:1:0:18ed]
  6   114 ms    66 ms    35 ms  2001:668:0:2:ffff:0:5995:82ea
  7    17 ms    16 ms    16 ms  2001:668:0:3:ffff:0:2e21:5f3a
  8    17 ms    17 ms    16 ms  2001:4860::12:0:ba2d
  9    16 ms    15 ms    16 ms  2001:4860:0:1::51d7
 10    15 ms    15 ms    15 ms  mad41s11-in-x0e.1e100.net [2a00:1450:4003:803::200e]

fd7d:76ee:e68f:a993::1 is the IPv6 address from my VPN provider, and 2a0c:5a80:4601:e00::1 is my local IPv6 address, so I guess the ipset is working well and routing my Windows PC through the wg11 client.

Also, I've visited a couple of sites that tell you your IPv6 address; both showed the VPN provider's address.



Thanks a lot for your help.
 