Wireguard Session Manager - Discussion (2nd) thread

I have it working but have a couple of questions.

Q1. my Astrill wg0.conf contains values for MTU and DNS but when imported to wg11.conf these 2 values are hashed out - why is that ?
Short answer:
If it is working, i.e. the values are physically applied to the interface ; does it matter?

Use
Code:
e  = Exit Script [?]

E:Option ==> diag
to prove if the values are applied to the interface.

On ASUS routers, WireGuard baulks at the directives if left as-is, and the WireGuard 'client' Peer never initialises.

So, the values are cloned into an SQL database, with the intention that if ever you screw up the database values, you should still be able to reimport the original .conf into wireguard_manager but alas this does affect exporting the '.conf' as-is to another platform e.g. RPi.

Q2. when I test the Astrill WG on my Windows PC and Android phone using Astrill's own apps I more or less get full speed up and down, I don't expect that sort of result on the router but what sort of reduction should I expect to see ? At this time up and down are +- 140Mbs which is much better than when using ovpn.
Q1. What router and firmware? (RT-AX86U needs to disable hardware acceleration)
Q2. +- 140Mbs is how much better than OpenVPN - I think 3 times is an expected improvement?
 
Q1. What router and firmware?
Q2. What speeds do you actually observe? - is it close to +- 140Mbs?
Router and firmware list in my OP

Added speedtest result to OP

yes diag shows correct MTU and DNS

Thanks
 
Q2. +- 140Mbs is how much better than OpenVPN - I think 3 times is an expected improvement?

OpenVPN

Yes 3 times plus ! Brilliant

thank you again

 
I would ultimately like to exclude some www sites I visit but this is where it gets complicated for me and would prefer a ui :)
Install X3mRouting with option 3

Create ipsets for the sites you wish to exclude from VPN, i.e:
Code:
x3mRouting ipset_name=NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

Use this guide to setup the ipset to route this ipset to wan:

Good luck!

//Zeb
 
I would ultimately like to exclude some www sites I visit but this is where it gets complicated for me and would prefer a ui :)
Since you are a self-confessed UI guy, if you only have a few websites that should ALWAYS be routed via the WAN to bypass the WireGuard 'client' Peer, then you may be able to exploit the VPN Director to add your WAN exception(s), then simply clone/convert them for use with wireguard_manager and set the 'client' Peer to Policy mode to enable the Selective Routing.


e.g. define your WAN exceptions in the VPN Director GUI.....here I just define one website 'www.asciiart.eu' (IP) to bypass any VPN



You will get an error if you attempt to set a 'client' Peer to Policy mode and there are no Policy rules defined
Code:
e  = Exit Script [?]

E:Option ==> peer wg11 auto=p

    ***ERROR No Policy (nor IPSET/Passthru) rules exist for wg11 ( e.g. use 'peer wg11 rule add' command first)
Code:
e  = Exit Script [?]

E:Option ==> peer help

    peer help                                                       - This text
    peer                                                            - Show ALL Peers in database
    peer peer_name                                                  - Show Peer in database or for details e.g peer wg21 config
    peer peer_name {cmd {options} }                                 - Action the command against the Peer
    peer peer_name del                                              - Delete the Peer from the database and all of its files *.conf, *.key
    peer peer_name ip=xxx.xxx.xxx.xxx                               - Change the Peer VPN Pool IP
    peer category                                                   - Show Peer categories in database
    peer peer_name category [category_name {del | add peer_name[...]} ] - Create a new category with 3 Peers e.g. peer category GroupA add wg17 wg99 wg11
    peer new [peer_name [options]]                                  - Create new server Peer e.g. peer new wg27 ip=10.50.99.1/24 port=12345
    peer peer_name [del|add] ipset {ipset_name[...]}                - Selectively Route IPSets e.g. peer wg13 add ipset NetFlix Hulu
    peer peer_name [add] subnet {IPSubnet[...]}                     - Configure downstream subnets e.g. peer wg13 add subnet 192.168.5.0/24
    peer peer_name {rule [del {id_num} |add [wan] rule_def]}        - Manage Policy rules e.g. peer wg13 rule add 172.16.1.0/24 comment All LAN
                                                                                               peer wg13 rule add wan 52.97.133.162 comment smtp.office365.com
                                                                                               peer wg13 rule add wan 172.16.1.100 9.9.9.9 comment Quad9 DNS
    peer serv_peer_name {passthru client_peer {[add|del] [device|IP/CIDR]}} - Manage passthu' rules; 'server' peer devices/IPs/CIDR outbound via 'client' peer
                                                                                               peer wg21 passthru add wg11 SGS8
                                                                                               peer wg21 passthru add wg15 all
                                                                                               peer wg21 passthru add wg12 10.100.100.0/27
So clone the VPN Director WAN rules into wireguard_manager
Code:
e  = Exit Script [?]

E:Option ==> vpndirector clone wan

    Auto clone VPN Director ONLY WAN rules

    peer wg11 rule add wan dst=185.76.64.174 comment www.asciiart.eu via WAN
    [✔] Updated RPDB Selective Routing rule for wg11


    VPN Director Selective Routing RPDB rules

ID  Peer  Interface  Source  Destination    Description
1   wg11  WAN        Any     185.76.64.174  VPN Director: www.asciiart.eu via WAN
Ensure you create the Policy rule for everything else to route via the 'client' Peer
Code:
e  = Exit Script [?]

E:Option ==> peer wg11 rule add 192.168.1.0/24 comment All LAN

    [✔] Updated RPDB Selective Routing rule for wg11
Code:
e  = Exit Script [?]

E:Option ==> peer wg11

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP                                               Endpoint          DNS             MTU  Public                                        Private                                       Annotate
wg11    P     10.72.31.150/32,fc00:bbbb:bbbb:bb01::9:1f95/128  89.45.90.2:51820  193.138.218.74       ADkVF9//uY4xAZgfgRQq371mwr24uJ1XxvLC3gsHgwA=  DEVnWepO76q5ss/wgnxy0fFyWPPPVcdA44Pn19dJFpg=  # Mullvad USA, Los Angeles

    Selective Routing RPDB rules
ID  Peer  Interface  Source          Destination    Description
1   wg11  WAN        Any             185.76.64.174  VPN Director: www.asciiart.eu via WAN
2   wg11  VPN        192.168.1.0/24  Any            ALL LAN
Set Policy mode
Code:
e  = Exit Script [?]

E:Option ==> peer wg11 auto=p

    [✔] Updated 'wg11' AUTO=P
and start the 'client' Peer
Code:
e  = Exit Script [?]

E:Option ==> start wg11
Syslog....
Code:
RT-AC86U (wg_manager.sh): 4081 v4.14b3 Initialising Wireguard VPN 'client' Peer (wg11)
RT-AC86U wireguard-clientwg11: Initialising Wireguard VPN client Peer (wg11) in Policy Mode to 89.45.90.2:51820 (# Mullvad USA, Los Angeles)
RT-AC86U wireguard-clientwg11: Adding Wireguard 'client' Peer route to 185.76.64.174 through WAN
RT-AC86U wireguard-clientwg11: Adding Wireguard 'client' Peer route 192.168.1.0/24 through VPN 'client' Peer wg11
RT-AC86U wireguard-clientwg11: Initialisation complete.
 
Install X3mRouting with option 3

Create ipsets for the sites you wish to exclude from VPN, i.e:
Code:
x3mRouting ipset_name=NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

Use this guide to setup the ipset to route this ipset to wan:

Good luck!

//Zeb
I have not explored the ipset feature in wgm. With ipset created from x3mRouting, I have these rules in nat-start it seems to work just fine.
Code:
iptables -t mangle -D PREROUTING -i br0 -m set --match-set NETFLIX dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set NETFLIX dst -j MARK --set-mark 0x8000/0x8000
 
I have not explored the ipset feature in wgm. With ipset created from x3mRouting, I have these rules in nat-start it seems to work just fine.
Code:
iptables -t mangle -D PREROUTING -i br0 -m set --match-set NETFLIX dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set NETFLIX dst -j MARK --set-mark 0x8000/0x8000
Wgm does not know/care where the ipsets are created.

Wgm will handle these firewall rules for you:
Code:
E:Option ==> peer wg11 add ipset NETFLIX

Code:
E:Option ==> peer wg11 upd ipset NETFLIX fwmark 0x8000

But for wan you still need to add the ip rule and rp_filter...
 
Wgm does not know/care where the ipsets are created.

Wgm will handle these firewall rules for you:
Code:
E:Option ==> peer wg11 add ipset NETFLIX

Code:
E:Option ==> peer wg11 upd ipset NETFLIX fwmark 0x8000

But for wan you still need to add the ip rule and rp_filter...
The above only work for wg11? Looks like this has more control. The blanket iptables rules I use will route ipset to WAN, and it affects all wg1x and tun1x.
 
The above only work for wg11? Looks like this has more control. The blanket iptables rules I use will route ipset to WAN, and it affects all wg1x and tun1x.
Well, you will of course always have more control if you do it yourself, but also more to maintain.

The ipsets are not only for wg11; it is only applied/deleted as wg11 is started/stopped but the rule is applied on all:
Code:
iptables -t mangle -D PREROUTING -m set --match-set $IPSET $DSTSRC -j MARK --set-mark ${FWMARK}/${FWMARK} -m comment --comment "WireGuard 'client'" 2>/dev/null # v4.12
iptables -t mangle -A PREROUTING -m set --match-set $IPSET $DSTSRC -j MARK --set-mark ${FWMARK}/${FWMARK} -m comment --comment "WireGuard 'client'" # v4.12
 
Well, you will of course always have more control if you do it yourself, but also more to maintain.

The ipsets are not only for wg11; it is only applied/deleted as wg11 is started/stopped but the rule is applied on all:
Code:
iptables -t mangle -D PREROUTING -m set --match-set $IPSET $DSTSRC -j MARK --set-mark ${FWMARK}/${FWMARK} -m comment --comment "WireGuard 'client'" 2>/dev/null # v4.12
iptables -t mangle -A PREROUTING -m set --match-set $IPSET $DSTSRC -j MARK --set-mark ${FWMARK}/${FWMARK} -m comment --comment "WireGuard 'client'" # v4.12
Thanks @ZebMcKayhan.
 
WireGuard is a routing protocol, and the 'client' Peer may contain the following 'default' IPv4 and IPv6 directive.

e.g.
Code:
AllowedIPs = 0.0.0.0/0,::0/0
Basically this defines which routes are reachable via the Endpoint, in this case ANY/ALL.

For a site-to-site, the 'client' Peer could specify a list of specific subnets or a specific IP.

e.g. Two private subnets and a specific device
Code:
AllowedIps = 192.168.123.0/24, 172.16.55.0/24, 10.1.1.1/32
Many thanks @Martineau .

So, in my case (home=192.168.1.1, cabin=192.168.2.1, home wg = 10.1.1.1, cabin wg =10.1.2.1)
I would put in AllowedIps:
Home = 192.168.2.0/24, 10.1.2.1/32
Cabin = 192.168.1.0/24, 10.1.1.1/32

Am I getting this correct?

Also, I believe I am supposed to disable hw acceleration on both routers
Home = AX88U
Cabin = AX86U
I couldn't find the WebUI page that had that setting...


BTW, Merry Christmas, thanks for all your addons!!!
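
An added example, not part of any post in this thread and not wireguard_manager code: a shell model of how WireGuard matches a destination against a peer's AllowedIPs, run over the home/cabin values quoted above. The function names and the test addresses are hypothetical, and only IPv4 entries are evaluated.

```shell
#!/bin/sh
# Added example: models AllowedIPs matching for the home/cabin layout.
# All function names and sample destinations are hypothetical.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    _a=${1%%.*}; _r=${1#*.}
    _b=${_r%%.*}; _r=${_r#*.}
    _c=${_r%%.*}; _d=${_r#*.}
    echo $(( (_a << 24) + (_b << 16) + (_c << 8) + _d ))
}

# Succeed if address $1 lies inside CIDR $2.
in_cidr() {
    _bits=${2#*/}
    [ "$_bits" -eq 0 ] && return 0
    _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "${2%/*}") & _mask )) ]
}

# Print "tunnel" if destination $1 matches any entry of the comma-separated
# AllowedIPs list $2, otherwise "local".
route_for() {
    _dst=$1
    for _cidr in $(echo "$2" | tr ',' ' '); do
        case $_cidr in *:*) continue ;; esac    # IPv6 entries are skipped
        if in_cidr "$_dst" "$_cidr"; then echo tunnel; return 0; fi
    done
    echo local
}

# Audit a site-to-site list: $1 = this router's LAN IP, $2 = AllowedIPs.
# Flags a catch-all entry and a list that swallows the local LAN.
audit_allowed() {
    case ",$(echo "$2" | tr -d ' ')," in
        *,0.0.0.0/0,*) echo default-route; return ;;
    esac
    [ "$(route_for "$1" "$2")" = tunnel ] && { echo overlaps-local; return; }
    echo ok
}

HOME_ALLOWED="192.168.2.0/24, 10.1.2.1/32"    # 'Home' list from the post
for dst in 192.168.2.50 10.1.2.1 192.168.1.10 8.8.8.8; do
    echo "$dst -> $(route_for "$dst" "$HOME_ALLOWED")"
done
echo "home audit: $(audit_allowed 192.168.1.1 "$HOME_ALLOWED")"
echo "catch-all audit: $(audit_allowed 192.168.1.1 "0.0.0.0/0,::0/0")"
```

With the two specific entries only the cabin LAN and the cabin tunnel address go through the Peer; with `0.0.0.0/0` every IPv4 destination does.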
 
So, in my case (home=192.168.1.1, cabin=192.168.2.1, home wg = 10.1.1.1, cabin wg =10.1.2.1)
I would put in AllowedIps:
Home = 192.168.2.0/24, 10.1.2.1/32
Cabin = 192.168.1.0/24, 10.1.1.1/32

Am I getting this correct?
From the tutorials/examples this would seem to be correct,

Unfortunately, I do not have an environment suitable to facilitate testing site-to-site myself, however I have just discovered/realised that I hard-code
Code:
AllowedIPs = 0.0.0.0/0, ::0/0
:oops:

So, I have quickly created wireguard_manager Beta v4.14bX which should now fully honour the Allowed IPs directive as expected, rather than overwriting it with the above.

If you want to take the risk, then you should upgrade (only on your local router initially just to verify that the route table is correctly populated)
Code:
e  = Exit Script [?]

E:Option ==> uf dev

    Router RT-AC86U Firmware (v3.0.0.4.386.4_beta1)

    [✔] Entware Architecture arch=aarch64


    v4.14b4 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
    MD5=12366733e7aae32beb349257a2784640 /jffs/addons/wireguard/wg_manager.sh

    wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
    wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
or simply manually add the correct routes using the appropriate '/jffs/addons/wireguard/Scripts/wg1x-route-up' user script.

Also, I believe I am supposed to disable hw acceleration on both routers
Home = AX88U
Cabin = AX86U
I couldn't find the WebUI page that had that setting...
As reported by @Torson back in May 2021
Consequently, wireguard_manager auto disables Flow Cache on RT-AX86U routers.

(This is seemingly confirmed in the ASUS v386 RC-x Beta on my RT-AX86U where they announced the inclusion of WireGuard support.)

To facilitate manual management of the Flow Cache setting (on router models other than the confirmed RT-AX86U e.g. the RT-AX88U), wireguard_manager Beta v4.14b4 includes a hidden command
Code:
e  = Exit Script [?]

E:Option ==> fc disable

Broadcom Packet Flow Cache learning via BLOG disabled.
Broadcom Packet Flow Cache flushing the flows
    Disabled
Code:
e  = Exit Script [?]

E:Option ==> fc enable

Broadcom Packet Flow Cache learning via BLOG enabled.
Broadcom Packet Flow Cache flushing the flows
    Enabled
Code:
e  = Exit Script [?]

E:Option ==> ?

    Router RT-AC86U Firmware (v3.0.0.4.386.4_beta1)

    [✔] Entware Architecture arch=aarch64


    v4.14b4 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
    MD5=12366733e7aae32beb349257a2784640 /jffs/addons/wireguard/wg_manager.sh

    [✔] WireGuard Kernel module/User Space Tools included in Firmware (1.0.20210124)


    [✔] DNSmasq is listening on ALL WireGuard interfaces 'wg*'

    [✔] firewall-start is monitoring WireGuard Firewall rules

    [✖] WAN KILL-Switch is DISABLED (use 'vx' command for info)
    [✖] UDP monitor is DISABLED

    [✖] Flow Cache is DISABLED

<snip>
 
Thanks @Martineau ! I will do some testing later this week when I am at the remote site (cabin).
In the mean time, I am going to "clean out" both routers with respect to wireguard. I have been doing too much "experimenting". I think I have at least 2 wireguard.ko on both routers and a number of wg-quick files...
BTW, As @RMerlin has noted, there is a wireguard.ko module now in 386.4 beta 2 (at least on my AX88U):

/lib/modules/4.1.51/kernel/net/wireguard/wireguard.ko

Should I use this one (from Asus) or the one from wireguard-manager?
 
Thanks @Martineau ! I will do some testing later this week when I am at the remote site (cabin).
In the mean time, I am going to "clean out" both routers with respect to wireguard. I have been doing too much "experimenting". I think I have at least 2 wireguard.ko on both routers and a number of wg-quick files...
BTW, As @RMerlin I believe there is a wireguard.ko module now in 386.4 beta 2 (at least on my AX88U):

/lib/modules/4.1.51/kernel/net/wireguard/wireguard.ko

Should I use this one (from Asus) or the one from wireguard-manager?
When you/@Martineau gets this working, please provide how you did it here.

I could also include it in my Hints and Tips Guide as I'm sure there are a lot of people looking to set this up.

//Zeb
 
Short answer:
If it is working, i.e. the values are physically applied to the interface ; does it matter?

Use
Code:
e  = Exit Script [?]

E:Option ==> diag
to prove if the values are applied to the interface.

On ASUS routers, WireGuard baulks at the directives if left as-is, and the WireGuard 'client' Peer never initialises.

So, the values are cloned into an SQL database, with the intention that if ever you screw up the database values, you should still be able to reimport the original .conf into wireguard_manager but alas this does affect exporting the '.conf' as-is to another platform e.g. RPi.


Q1. What router and firmware? (RT-AX86U needs to disable hardware acceleration)
Q2. +- 140Mbs is how much better than OpenVPN - I think 3 times is an expected improvement?
Will there be an option that suggests disabling hardware acceleration when installing wireguard on a RT-AX86U?

Many people would miss this, me included, unless there is some kind of reminder when installing/making changes to wireguard in the GUI.
 
ok, got some more time to test this ipv6...

my wg11.conf includes an ipv6 address, although I have no ipv6 wan, tunnel or anything else... wg11 is up and running as a ipv4 internet client so I decided to elaborate on how far I could take this ipv6 connection. my conf file gives me this ULA fdab:xxxx:xxxx:69::214/64. I have made in total 3 conf files and they all give different subnets (another: fdab:xxxx:xxxx:93::103/64)

apparently this cannot be done without enabling ipv6 on the router (see this post)
so I flipped the dreaded ipv6 switch, set it to native and did not touch anything for the moment.
Code:
ip link set down dev wg11
ip -6 address add dev wg11 fdab:xxxx:xxxx:69::214/64
ip link set up dev wg11

looking at my interface:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ifconfig wg11
wg11      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.69.214  P-t-P:10.0.69.214  Mask:255.255.255.0
          inet6 addr: fdab:xxxx:xxxx:69::214/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1412  Metric:1
          RX packets:15403 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14313 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14173304 (13.5 MiB)  TX bytes:4693064 (4.4 MiB)

ok, looking good, but the main routing table still lacks a default route, so adding one to this interface:
Code:
ip -6 route add ::/1 dev wg11
ip -6 route add 8000::/1 dev wg11

testing to ping something:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ping 2600:: -c 3
PING 2600:: (2600::): 56 data bytes
64 bytes from 2600::: seq=0 ttl=50 time=144.946 ms
64 bytes from 2600::: seq=1 ttl=50 time=142.667 ms
64 bytes from 2600::: seq=2 ttl=50 time=144.360 ms

--- 2600:: ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 142.667/143.991/144.946 ms

YAY!!!!

went into unbound and enabled ipv6 using vx
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ping ipv6.google.com -c 3
PING ipv6.google.com (2a00:1450:400f:802::200e): 56 data bytes
64 bytes from 2a00:1450:400f:802::200e: seq=0 ttl=118 time=16.757 ms
64 bytes from 2a00:1450:400f:802::200e: seq=1 ttl=118 time=14.432 ms
64 bytes from 2a00:1450:400f:802::200e: seq=2 ttl=118 time=16.692 ms

--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 14.432/15.960/16.757 ms
Hurray!!!!

so... now what? GUI in router still shows nothing obtained via DHCPv6... so I set DHCP-PD to disabled and populated:
LAN IPv6 Address: fdab:xxxx:xxxx:69::1
LAN Prefix Length: 64

so, now my br0 get an ip in the same subnet
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ping ipv6.google.com -c 3 -I br0
PING ipv6.google.com (2a00:1450:400f:802::200e): 56 data bytes
ping: sendto: Network is unreachable

now, I don't get it... it appears as if something is still fishy... maybe having wg11 and br0 on the same subnet messes things up, routing wise... and since we cannot masquerade/NAT I don't know what to do... perhaps try another subnet, but I'm quite sure any replies won't find their way back to me....

ooh, when executing:
Code:
ip link set down dev wg11
ip -6 address add dev wg11 fdab:xxxx:xxxx:69::214/64
ip link set up dev wg11

it messes up the ipv4 routing table (wg11 is removed) so in order to make this stick, I put this in wg11-route-up.sh then wgm sets up the routing tables after this.

I also added in wg11-up.sh
Code:
ip -6 route add ::/1 dev wg11
ip -6 route add 8000::/1 dev wg11
ip6tables -t mangle -I FORWARD -o wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment "WireGuard 'client'"
ip6tables -t mangle -I FORWARD -i wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment "WireGuard 'client'"
ip6tables -t mangle -I FORWARD -o wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment "WireGuard 'client'"
ip6tables -t mangle -I PREROUTING -i wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment "WireGuard 'client'"
ip6tables -t filter -I FORWARD -i br0 -o wg11 -j ACCEPT

and here is my filter rules:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables --line -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        5   472 ACCEPT     all      br0    wg11    ::/0                 ::/0
2        0     0 ACCEPT     all      eth0   *       ::/0                 ff00::/8
3        0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
4        0     0 ACCEPT     all      br0    eth0    ::/0                 ::/0
5        0     0 ACCEPT     all      br0    br0     ::/0                 ::/0
6        0     0 logdrop    all      *      *       ::/0                 ::/0                 state INVALID
7        0     0 ACCEPT     59       *      *       ::/0                 ::/0                 length 40
8        0     0 ICMP_V6    icmpv6    *      *       ::/0                 ::/0
9        2   152 logdrop    all      *      *       ::/0                 ::/0
(the byte movement on the br0 rule appears when I do ipv6 ping from a router client (my Android phone) but the ping fails)

anyone know how to make the jump between br0 to wg11???

ps. still keeping a wary eye out through the wooden planks I nailed up on the windows for any zombies...
 
Hi @Martineau, can you have a look at the passthru feature again? I noticed duplicate ip rules are created after reboot. Can we have just the second rule?
Code:
9819:   from 10.50.22.1/24 lookup wgc1
9981:   from 10.50.22.1/24 lookup wgc1

I try change the prio of fwmark 0x8000 from 9900 to 9800, the duplicated first rule created with a lower priority value after reboot. My ipset that goes to table main does not work as this rule always has a lower priority. I have manually delete the first rule.
 
I flipped the dreaded ipv6 switch, set it to native and did not touch anything for the moment.
Code:
ip link set down dev wg11
ip -6 address add dev wg11 fdab:xxxx:xxxx:69::214/64
ip link set up dev wg11

looking at my interface:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ifconfig wg11
wg11      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.69.214  P-t-P:10.0.69.214  Mask:255.255.255.0
          inet6 addr: fdab:xxxx:xxxx:69::214/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1412  Metric:1
          RX packets:15403 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14313 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14173304 (13.5 MiB)  TX bytes:4693064 (4.4 MiB)

ok, looking good, but the main routing table still lacks a default route, so adding one to this interface:
Code:
ip -6 route add ::/1 dev wg11
ip -6 route add 8000::/1 dev wg11
Whoops! :oops:

In the Beta4.14b3 I took note of your suggestion to differentiate between the actual IPv6 configuration status and changed
Code:
 [ "$(nvram get ipv6_service != "disabled")" ] && USE_IPV6="Y"; IPV6_TXT="(IPv6) "
to
Code:
IPV6_SERVICE=$(nvram get ipv6_service)

if [ "$IPV6_SERVICE" != "disabled" ];then
    case "$IPV6_SERVICE" in
        ipv6pt|dhcp6)
            # ip -6 addr | grep "scope global"
            USE_IPV6="Y"; IPV6_TXT="(IPv6) "    # 4.08
        ;;
        6to4|6in4|6rd)
            :
        ;;
        other)
            :
        ;;
        spoof|simulate)
            USE_IPV6="Y"; IPV6_TXT="(IPv6) Simulate "   # v4.14
        ;;
    esac
fi
I've pushed the patch to Github Dev Branch.


- Doh!
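
An added example, not wireguard_manager's own code: the one-liner and the `case` form quoted above, run side by side over several `ipv6_service` values. `nvram` is replaced by a stub that ignores extra arguments (an assumption about the real tool), and the function names and the initial `USE_IPV6`/`IPV6_TXT` values are hypothetical.

```shell
#!/bin/sh
# Added example; runs off-router because 'nvram' is stubbed.
NVRAM_IPV6_SERVICE=disabled    # constructed stand-in for the router setting

# Stub: print the value for 'get ipv6_service', ignore any further arguments
# (assumed behaviour of the real tool).
nvram() {
    if [ "$1" = get ] && [ "$2" = ipv6_service ]; then
        echo "$NVRAM_IPV6_SERVICE"
    fi
}

# One-liner form from the post. Prints "USE_IPV6|IPV6_TXT".
detect_oneliner() {
    USE_IPV6="N"; IPV6_TXT=""    # assumed defaults, to make the result visible
    # '!=' and "disabled" are inside the command substitution, so they are
    # arguments to nvram and the test only asks "was anything printed?".
    # The ';' ends the '&&' list, so IPV6_TXT is assigned on every call.
    [ "$(nvram get ipv6_service != "disabled")" ] && USE_IPV6="Y"; IPV6_TXT="(IPv6) "
    echo "${USE_IPV6}|${IPV6_TXT}"
}

# 'case' form from the post, with the same arms.
detect_case() {
    USE_IPV6="N"; IPV6_TXT=""
    IPV6_SERVICE=$(nvram get ipv6_service)
    if [ "$IPV6_SERVICE" != "disabled" ]; then
        case "$IPV6_SERVICE" in
            ipv6pt|dhcp6)   USE_IPV6="Y"; IPV6_TXT="(IPv6) " ;;
            6to4|6in4|6rd)  : ;;
            other)          : ;;
            spoof|simulate) USE_IPV6="Y"; IPV6_TXT="(IPv6) Simulate " ;;
        esac
    fi
    echo "${USE_IPV6}|${IPV6_TXT}"
}

# Print one "value: one-liner -> case" line per setting.
compare_all() {
    for NVRAM_IPV6_SERVICE in disabled dhcp6 ipv6pt 6rd other simulate; do
        echo "$NVRAM_IPV6_SERVICE: $(detect_oneliner) -> $(detect_case)"
    done
}

compare_all
```

Under the stub the one-liner reports IPv6 for every value, including `disabled`, while the `case` form reports it only for the arms that set it.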
 
Thanks @Martineau ! I will do some testing later this week when I am at the remote site (cabin).
In the mean time, I am going to "clean out" both routers with respect to wireguard. I have been doing too much "experimenting". I think I have at least 2 wireguard.ko on both routers and a number of wg-quick files...
BTW, As @RMerlin has noted, there is a wireguard.ko module now in 386.4 beta 2 (at least on my AX88U):

/lib/modules/4.1.51/kernel/net/wireguard/wireguard.ko

Should I use this one (from Asus) or the one from wireguard-manager?
wireguard_manager honours the firmware version of the Kernel/User Space Tools modules if found, and although @ZebMcKayhan/@Odkrys provide these modules, they will only be retrieved if you explicitly request the firmware override (or they don't exist in the firmware).
 