Wireguard Session Manager - Discussion (3rd) thread

[ZebMcKayhan]

Hi to all,

I have "strange" question, but I'm stuck on this. I will be grateful if someone can advise.

router - Asus RT-AC86U
firmware - Asus Merlin 386.7
instaled wireguard via AMTM

I set NordVPN connection and make exception what IPs should go throw this VPN. All devices from lan - work with it, and all trafic except ip in rules go directly to WAN, ip in rules go through wg11 NordVPN

Client Auto IP Endpoint DNS MTU Annotate
wg11 P 10.102.248.248/32 xxx:xxx xxxx # N/A

Selective Routing RPDB rules
ID Peer Interface Source Destination Description
59 wg11 VPN Any 95.213.0.0/18 VPN Director:
29 wg11 VPN Any 95.163.32.0/19 VPN Director:
etc

peer wg21

Server Auto Subnet Port Annotate
wg21 Y 10.50.1.1/24 xxx # RT-AC86U Server #1

when I connect may tablet to server (from internet to wg21), I see all my lan network, but policies from wg11 - doesn't work, and I cann't connect to 95.213.0.0/18, 95.163.32.0/19, etc... through wg11 NordVPN

I'm gonna take a wild stab at this and say that it as a routing issue. Your tablet could probably contact your policy computer but it cant reply back, simply because there are no routes to your wg server in the policy route table.
Try to redirect communication TO wg server to use main routing table, like:

E:Option ==> peer wg11 rule add wan src=any dst=10.50.1.1/24 comment ToWg21UseMain

Or, since you imported your rules from VPNDirector, add this rule as well and import again.

 

[numminorih]

I'm gonna take a wild stab at this and say that it as a routing issue. Your tablet could probably contact your policy computer but it cant reply back, simply because there are no routes to your wg server in the policy route table.
Try to redirect communication TO wg server to use main routing table, like:

E:Option ==> peer wg11 rule add wan src=any dst=10.50.1.1/24 comment ToWg21UseMain

Or, since you imported your rules from VPNDirector, add this rule as well and import again.

thank you.

unfortunately, "peer wg11 rule add wan src=any dst=10.50.1.1/24 comment ToWg21UseMain" did not help
I'm still doesn't have access from wg21 to wg11 IP policies

I know that I can route all from wg21 to wg11 like "peer wg21 passthru add wg11 all", but I use vpn only for limited IP's from rules...

 

[ZebMcKayhan]

thank you.

unfortunately, "peer wg11 rule add wan src=any dst=10.50.1.1/24 comment ToWg21UseMain" did not help
I'm still doesn't have access from wg21 to wg11 IP policies

I know that I can route all from wg21 to wg11 like "peer wg21 passthru add wg11 all", but I use vpn only for limited IP's from rules...

Ok... did you restart wg11?

What's your output of (from shell, not wgm):

ip rule

 

[numminorih]

Ok... did you restart wg11?

What's your output of (from shell, not wgm):

ip rule

yes) at first wg11/21 and router at last)

ip rule
0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
9910:   from all to 10.50.1.1/24 lookup main
9911:   from all to 95.213.0.0/18 lookup 121
9911:   from all to 95.163.32.0/19 lookup 121
9911:   from all to 95.163.248.0/21 lookup 121
9911:   from all to 95.163.144.0/24 lookup 121
9911:   from all to 95.142.192.0/19 lookup 121
9911:   from all to 95.108.128.0/17 lookup 121
9911:   from all to 94.100.176.0/20 lookup 121
9911:   from all to 93.186.224.0/20 lookup 121
9911:   from all to 93.159.228.0/22 lookup 121
9911:   from all to 93.158.128.0/18 lookup 121
9911:   from all to 91.239.233.254 lookup 121
9911:   from all to 91.232.230.0/24 lookup 121
9911:   from all to 89.208.0.0/16 lookup 121
9911:   from all to 87.250.224.0/19 lookup 121
9911:   from all to 87.240.128.0/18 lookup 121
9911:   from all to 87.236.19.238 lookup 121
9911:   from all to 85.192.32.0/22 lookup 121
9911:   from all to 84.201.128.0/18 lookup 121
9911:   from all to 82.202.184.0/21 lookup 121
9911:   from all to 80.239.201.0/24 lookup 121
9911:   from all to 79.142.17.142 lookup 121
9911:   from all to 79.137.240.0/21 lookup 121
9911:   from all to 79.137.174.0/23 lookup 121
9911:   from all to 79.137.128.0/18 lookup 121
9911:   from all to 77.88.0.0/18 lookup 121
9911:   from all to 77.75.152.0/21 lookup 121
9911:   from all to 77.74.176.0/22 lookup 121
9911:   from all to 5.61.232.0/21 lookup 121
9911:   from all to 5.61.16.0/21 lookup 121
9911:   from all to 5.45.192.0/18 lookup 121
9911:   from all to 5.255.192.0/18 lookup 121
9911:   from all to 5.181.60.0/22 lookup 121
9911:   from all to 46.19.138.67 lookup 121
9911:   from all to 45.84.128.0/22 lookup 121
9911:   from all to 45.136.20.0/22 lookup 121
9911:   from all to 4.59.181.140 lookup 121
9911:   from all to 4.31.208.86 lookup 121
9911:   from all to 37.9.64.0/18 lookup 121
9911:   from all to 37.140.128.0/18 lookup 121
9911:   from all to 218.213.144.7 lookup 121
9911:   from all to 217.69.128.0/20 lookup 121
9911:   from all to 217.20.144.0/20 lookup 121
9911:   from all to 213.79.65.32/19 lookup 121
9911:   from all to 213.219.212.0/22 lookup 121
9911:   from all to 213.180.192.0/19 lookup 121
9911:   from all to 212.5.110.0/24 lookup 121
9911:   from all to 208.87.92.0/22 lookup 121
9911:   from all to 199.36.240.0/22 lookup 121
9911:   from all to 199.21.96.0/22 lookup 121
9911:   from all to 195.218.190.0/23 lookup 121
9911:   from all to 195.218.168.0/24 lookup 121
9911:   from all to 195.211.20.0/22 lookup 121
9911:   from all to 195.211.128.0/22 lookup 121
9911:   from all to 194.186.63.0/24 lookup 121
9911:   from all to 193.0.170.0/23 lookup 121
9911:   from all to 188.93.56.0/21 lookup 121
9911:   from all to 185.85.8.0/21 lookup 121
9911:   from all to 185.71.76.0/22 lookup 121
9911:   from all to 185.62.200.245 lookup 121
9911:   from all to 185.62.200.235 lookup 121
9911:   from all to 185.62.200.225 lookup 121
9911:   from all to 185.6.244.0/22 lookup 121
9911:   from all to 185.5.136.0/22 lookup 121
9911:   from all to 185.41.185.73 lookup 121
9911:   from all to 185.32.248.0/22 lookup 121
9911:   from all to 185.32.184.0/23 lookup 121
9911:   from all to 185.30.176.0/22 lookup 121
9911:   from all to 185.29.130.0/24 lookup 121
9911:   from all to 185.226.52.0/22 lookup 121
9911:   from all to 185.187.63.0/24 lookup 121
9911:   from all to 185.16.246.0/23 lookup 121
9911:   from all to 185.16.244.0/22 lookup 121
9911:   from all to 185.16.148.0/22 lookup 121
9911:   from all to 185.146.1.121 lookup 121
9911:   from all to 184.24.25.189 lookup 121
9911:   from all to 178.248.232.0/21 lookup 121
9911:   from all to 178.237.16.0/20 lookup 121
9911:   from all to 178.22.88.0/21 lookup 121
9911:   from all to 178.154.128.0/17 lookup 121
9911:   from all to 154.47.36.14 lookup 121
9911:   from all to 154.47.0.0/16 lookup 121
9911:   from all to 149.5.244.0/22 lookup 121
9911:   from all to 146.255.192.82 lookup 121
9911:   from all to 146.255.192.81 lookup 121
9911:   from all to 146.255.192.80 lookup 121
9911:   from all to 146.255.192.77 lookup 121
9911:   from all to 146.255.192.75 lookup 121
9911:   from all to 141.8.128.0/18 lookup 121
9911:   from all to 130.193.32.0/19 lookup 121
9911:   from all to 128.140.168.0/21 lookup 121
9911:   from all to 109.235.160.0/21 lookup 121
9911:   from all to 100.43.64.0/19 lookup 121
32766:  from all lookup main
32767:  from all lookup default

 

[ZebMcKayhan]

yes) at first wg11/21 and router at last)

ip rule
0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
9910:   from all to 10.50.1.1/24 lookup main
9911:   from all to 95.213.0.0/18 lookup 121
9911:   from all to 95.163.32.0/19 lookup 121
9911:   from all to 95.163.248.0/21 lookup 121
9911:   from all to 95.163.144.0/24 lookup 121
9911:   from all to 95.142.192.0/19 lookup 121
9911:   from all to 95.108.128.0/17 lookup 121
9911:   from all to 94.100.176.0/20 lookup 121
9911:   from all to 93.186.224.0/20 lookup 121
9911:   from all to 93.159.228.0/22 lookup 121
9911:   from all to 93.158.128.0/18 lookup 121
9911:   from all to 91.239.233.254 lookup 121
9911:   from all to 91.232.230.0/24 lookup 121
9911:   from all to 89.208.0.0/16 lookup 121
9911:   from all to 87.250.224.0/19 lookup 121
9911:   from all to 87.240.128.0/18 lookup 121
9911:   from all to 87.236.19.238 lookup 121
9911:   from all to 85.192.32.0/22 lookup 121
9911:   from all to 84.201.128.0/18 lookup 121
9911:   from all to 82.202.184.0/21 lookup 121
9911:   from all to 80.239.201.0/24 lookup 121
9911:   from all to 79.142.17.142 lookup 121
9911:   from all to 79.137.240.0/21 lookup 121
9911:   from all to 79.137.174.0/23 lookup 121
9911:   from all to 79.137.128.0/18 lookup 121
9911:   from all to 77.88.0.0/18 lookup 121
9911:   from all to 77.75.152.0/21 lookup 121
9911:   from all to 77.74.176.0/22 lookup 121
9911:   from all to 5.61.232.0/21 lookup 121
9911:   from all to 5.61.16.0/21 lookup 121
9911:   from all to 5.45.192.0/18 lookup 121
9911:   from all to 5.255.192.0/18 lookup 121
9911:   from all to 5.181.60.0/22 lookup 121
9911:   from all to 46.19.138.67 lookup 121
9911:   from all to 45.84.128.0/22 lookup 121
9911:   from all to 45.136.20.0/22 lookup 121
9911:   from all to 4.59.181.140 lookup 121
9911:   from all to 4.31.208.86 lookup 121
9911:   from all to 37.9.64.0/18 lookup 121
9911:   from all to 37.140.128.0/18 lookup 121
9911:   from all to 218.213.144.7 lookup 121
9911:   from all to 217.69.128.0/20 lookup 121
9911:   from all to 217.20.144.0/20 lookup 121
9911:   from all to 213.79.65.32/19 lookup 121
9911:   from all to 213.219.212.0/22 lookup 121
9911:   from all to 213.180.192.0/19 lookup 121
9911:   from all to 212.5.110.0/24 lookup 121
9911:   from all to 208.87.92.0/22 lookup 121
9911:   from all to 199.36.240.0/22 lookup 121
9911:   from all to 199.21.96.0/22 lookup 121
9911:   from all to 195.218.190.0/23 lookup 121
9911:   from all to 195.218.168.0/24 lookup 121
9911:   from all to 195.211.20.0/22 lookup 121
9911:   from all to 195.211.128.0/22 lookup 121
9911:   from all to 194.186.63.0/24 lookup 121
9911:   from all to 193.0.170.0/23 lookup 121
9911:   from all to 188.93.56.0/21 lookup 121
9911:   from all to 185.85.8.0/21 lookup 121
9911:   from all to 185.71.76.0/22 lookup 121
9911:   from all to 185.62.200.245 lookup 121
9911:   from all to 185.62.200.235 lookup 121
9911:   from all to 185.62.200.225 lookup 121
9911:   from all to 185.6.244.0/22 lookup 121
9911:   from all to 185.5.136.0/22 lookup 121
9911:   from all to 185.41.185.73 lookup 121
9911:   from all to 185.32.248.0/22 lookup 121
9911:   from all to 185.32.184.0/23 lookup 121
9911:   from all to 185.30.176.0/22 lookup 121
9911:   from all to 185.29.130.0/24 lookup 121
9911:   from all to 185.226.52.0/22 lookup 121
9911:   from all to 185.187.63.0/24 lookup 121
9911:   from all to 185.16.246.0/23 lookup 121
9911:   from all to 185.16.244.0/22 lookup 121
9911:   from all to 185.16.148.0/22 lookup 121
9911:   from all to 185.146.1.121 lookup 121
9911:   from all to 184.24.25.189 lookup 121
9911:   from all to 178.248.232.0/21 lookup 121
9911:   from all to 178.237.16.0/20 lookup 121
9911:   from all to 178.22.88.0/21 lookup 121
9911:   from all to 178.154.128.0/17 lookup 121
9911:   from all to 154.47.36.14 lookup 121
9911:   from all to 154.47.0.0/16 lookup 121
9911:   from all to 149.5.244.0/22 lookup 121
9911:   from all to 146.255.192.82 lookup 121
9911:   from all to 146.255.192.81 lookup 121
9911:   from all to 146.255.192.80 lookup 121
9911:   from all to 146.255.192.77 lookup 121
9911:   from all to 146.255.192.75 lookup 121
9911:   from all to 141.8.128.0/18 lookup 121
9911:   from all to 130.193.32.0/19 lookup 121
9911:   from all to 128.140.168.0/21 lookup 121
9911:   from all to 109.235.160.0/21 lookup 121
9911:   from all to 100.43.64.0/19 lookup 121
32766:  from all lookup main
32767:  from all lookup default

Aha, I think I misunderstood you. You only have destination policy rules...

You could delete the rule I asked you to create before, it won't do you any good.

If you are OK with your tablet (via server) access these ips via wan then you will need a rule to bypass the destination rules for server clients, the rule is

peer wg11 rule add wan src=10.50.1.1/24 dst=any comment wg21UseWan

If you want server clients to access these also via wg11 it's possible but I'll await your confirmation before proceeding (need to setup masquarade rule which i happily prepare for you, but takes acouple of minutes so not sure how you want it).

@Martineau perhaps this use case is not considered by wgm. When creating destination policy routes in combination with server it will break connection to the vpn destinations from the server since server is not part of the masquarade rule for wg11. Don't know if any action should be taken, you decide.

 

[numminorih]

Aha, I think I misunderstood you. You only have destination policy rules...

You could delete the rule I asked you to create before, it won't do you any good.

If you are OK with your tablet (via server) access these ips via wan then you will need a rule to bypass the destination rules for server clients, the rule is

peer wg11 rule add wan src=10.50.1.1/24 dst=any comment wg21UseWan

If you want server clients to access these also via wg11 it's possible but I'll await your confirmation before proceeding (need to setup masquarade rule which i happily prepare for you, but takes acouple of minutes so not sure how you want it).

@Martineau perhaps this use case is not considered by wgm. When creating destination policy routes in combination with server it will break connection to the vpn destinations from the server since server is not part of the masquarade rule for wg11. Don't know if any action should be taken, you decide.

Unfortunately, it didn't work.

Sorry, maybe i didn’t explain right what i need:

• Asus rt-ac86u (192.168.0.1 local IP address + dhcp)
• Wg11 VPN NORD interface
• Wg21 server interface on ASUS rt-n86u
• Android Tablets – device/devices that connected from internet to wg21 and have access to local home network, I cat reach 192.168.0.1/24 resources (http/https/etc…)
• Local clients (wired/wireless) in local (192.168.0.1/24) network connected direct to ASUS rt-n86u

I have list of IP that I couldn’t reach from my WAN, so I need to wrap it in VPN.

I make rules in wg11:

Selective Routing RPDB rules

ID Peer Interface Source Destination

59 wg11 VPN Any 95.213.0.0/18

29 wg11 VPN Any 95.163.32.0/19

Etc…

After that, all my local devices rooted right. All traffic except IP from rule through WAN direct. IP from rules – through VPN (wg11).

I want this and for devices, that will be connected to local lan through wg21.



Or, maybe I should use rules list at another way, please advise.

 

[ZebMcKayhan]

Unfortunately, it didn't work.

Sorry, maybe i didn’t explain right what i need:

• Asus rt-ac86u (192.168.0.1 local IP address + dhcp)
• Wg11 VPN NORD interface
• Wg21 server interface on ASUS rt-n86u
• Android Tablets – device/devices that connected from internet to wg21 and have access to local home network, I cat reach 192.168.0.1/24 resources (http/https/etc…)
• Local clients (wired/wireless) in local (192.168.0.1/24) network connected direct to ASUS rt-n86u

I have list of IP that I couldn’t reach from my WAN, so I need to wrap it in VPN.

I make rules in wg11:

Selective Routing RPDB rules

ID Peer Interface Source Destination

59 wg11 VPN Any 95.213.0.0/18

29 wg11 VPN Any 95.163.32.0/19

Etc…

After that, all my local devices rooted right. All traffic except IP from rule through WAN direct. IP from rules – through VPN (wg11).

I want this and for devices, that will be connected to local lan through wg21.



Or, maybe I should use rules list at another way, please advise.

Just to be sure I'm not lost in some spelling error:

Wg21 server interface on ASUS rt-n86u

Is this a second router??? I thought you were on ac86u.

Android Tablets – device/devices that connected from internet to wg21 and have access to local home network, I cat reach 192.168.0.1/24 resources (http/https/etc…)

Can or can't? (Ok/satisfied or not)

After that, all my local devices rooted right. All traffic except IP from rule through WAN direct. IP from rules – through VPN (wg11).

Rooted=routed? I enterpret this as: all lan clients are behaving satisfactory.

I want this and for devices, that will be connected to local lan through wg21.

Ok, so if this is your only problem, I will get cracking on the masquarade rule needed. Please remove all other rule I told you, or it will not work (as they bypass vpn)

I will edit this post in short time with the rule needed, hang tight.

Edit: OK, try to execute this at the shell (not from wgm):

iptables -t nat -I POSTROUTING -s 10.50.1.1/24 -o wg11 -j MASQUERADE -m comment --comment "WireGuard 'client'"

this will allow wg21 clients to access out wg11 whenever the destination rules are matched. If it seems to fix your issue, put it to autostart with wg11:

nano /jffs/addons/wireguard/Scripts/wg11-up.sh

populate with:

#!/bin/sh
iptables -t nat -I POSTROUTING -s 10.50.1.1/24 -o wg11 -j MASQUERADE -m comment --comment "WireGuard 'client'"

Save & exit

Make the file executable:

chmod +x /jffs/addons/wireguard/Scripts/wg11-up.sh

Crossing my fingers that this is what you wanted and that it is working for you.

 

[numminorih]

Ough... I'm so sorry, my bad, didn't check from phone....

Is this a second router??? I thought you were on ac86u.

No, only one, ac86u

Can or can't? (Ok/satisfied or not)

I can reach 192.168.0.1/24 resources (http/https/etc…)

Rooted=routed? I enterpret this as: all lan clients are behaving satisfactory.

Routed. Yes, all ok for LAN clients.
Sorry for this mishmash!
Thank you for your time and help.
maybe I should use the rules list out of wirefuard? I’m unexperienced in this, but I'll try to figure it out...

Edit: OK, try to execute this at the shell (not from wgm):

I will try iptables and reply.
the only thing I did not understand is why the rule must be specified for wg11 but no for wg21

EDIT1:
Please advise a few more questions:
1. Can I use a standalone file with a list of IP/networks and import it into the rules in case of a change? I can not find such commands in the instructions.
2. What is the maximum limit on of rules (for exampleб in the vpn direct it says 199)?

EDIT2:
Yes, it's worked. Thank you for help!

 

[ZebMcKayhan]

the only thing I did not understand is why the rule must be specified for wg11 but no for wg21

Because currently that is what is preventing wg21 to access wg11. Access rights are all ok in firewall but as a second precaution the rule for masquarading (which is always needed on wg11) are limited to lan subnet. This is a decision of the author of wgm to prevent accidental/unintended/whatever access to wg11. When creating passthru rules, masquarade rule is added as well but since you dont use passthru but still wants wg21 to sometimes use wg11 it will be needed. And it is to satisfy wg11/NORD requirements and has nothing to do with wg21 else than wg21 ip needs to be included for these packages to be masquaraded.

 

[ZebMcKayhan]

maybe I should use the rules list out of wirefuard?

as you started with VPNDirector import, I think you should continue to use VPNDirector. it seems like the future way of doing it. Just be aware that whenever you import to wgm, the import is strictly additive and appends the rules to your current rules (but not identical rules). so if you i.e. delete a rule an import will not delete that rule in wgm. and if you change a rule and import it will keep your old rule and import the new rule so you. Probably you should delete all VPNDirector rules in wgm before doing a new import.

1. Can I use a standalone file with a list of IP/networks and import it into the rules in case of a change? I can not find such commands in the instructions.

not that I know of. the closest thing I could think of is to use IPSETs:
https://github.com/ZebMcKayhan/WireguardManager#create-and-setup-ipsets
https://github.com/ZebMcKayhan/WireguardManager#managesetup-ipsets-for-policy-based-routing

2. What is the maximum limit on of rules (for exampleб in the vpn direct it says 199)?

I have no idea. as all your rules have same priority, maybe there are no limit (@Martineau ?)

Yes, it's worked. Thank you for help!

I'm glad! but I just remember Ive missed something. the rule needs to be deleted when wg11 is shutdown otherwise there will either be duplicates or error messages like "rule already exists" whenever wg11 restarts:

Edit the file that is executed when wg11 is brought down:

nano /jffs/addons/wireguard/Scripts/wg11-down.sh

populate with:

#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.50.1.1/24 -o wg11 -j MASQUERADE -m comment --comment "WireGuard 'client'"

Save & exit

Make the file executable:

chmod +x /jffs/addons/wireguard/Scripts/wg11-down.sh

thats it!

 

[Martineau]

@Martineau
Just updated to 386.7 and tried to check out new ipv6 dnat so I removed entware iptables, but wgm currently dont populate any wgdnsx rules? I'm on latest dev version

Looks like the IPv6 support for 'client' Peers in Policy mode was never implemented?

I've hastily (not much time to fully investigate/test as no IPv6 environment to play with) uploaded wg_manager Beta v4.17bD

You can upgrade using

e  = Exit Script [?]

E:Option ==> uf dev

 

[Martineau]

BTW, @Martineau , could you consider allowing a different editor for the vx command? Us old timers much prefer vi. Maybe vix?

Not sure such a feature request is even sane? - I still get shivers recalling having to use it on IBM VM LPARs

Still each to their own - old dogs new tricks etc.

To view .confs using vi editor in Read-only mode

e  = Exit Script [?]

E:Option ==> vi

and to edit/modify use

e  = Exit Script [?]

E:Option ==> vix

I've uploaded wg_manager Beta v4.17bD

You can upgrade using

e  = Exit Script [?]

E:Option ==> uf dev

 

[numminorih]

as you started with VPNDirector import, I think you should continue to use VPNDirector. it seems like the future way of doing it. Just be aware that whenever you import to wgm, the import is strictly additive and appends the rules to your current rules (but not identical rules). so if you i.e. delete a rule an import will not delete that rule in wgm. and if you change a rule and import it will keep your old rule and import the new rule so you. Probably you should delete all VPNDirector rules in wgm before doing a new import.

No, all new rules will be directly in WG

not that I know of. the closest thing I could think of is to use IPSETs:
https://github.com/ZebMcKayhan/WireguardManager#create-and-setup-ipsets
https://github.com/ZebMcKayhan/WireguardManager#managesetup-ipsets-for-policy-based-routing

Thank you, I’ll try.

I'm glad! but I just remember Ive missed something. the rule needs to be deleted when wg11 is shutdown otherwise there will either be duplicates or error messages like "rule already exists" whenever wg11 restarts:

Edit the file that is executed when wg11 is brought down:

nano /jffs/addons/wireguard/Scripts/wg11-down.sh

populate with:

#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.50.1.1/24 -o wg11 -j MASQUERADE -m comment --comment "WireGuard 'client'"

Save & exit

Make the file executable:

chmod +x /jffs/addons/wireguard/Scripts/wg11-down.sh

thats it!

yes, thanks. I made it right away when created start wg11 script, yesterday)

 

[Martineau]

Please advise a few more questions:
1. Can I use a standalone file with a list of IP/networks and import it into the rules in case of a change? I can not find such commands in the instructions.
2. What is the maximum limit on of rules (for exampleб in the vpn direct it says 199)?

Because I'm too lazy to write a FULL WebUI for WireGuard Manager, I thought it would be easier to exploit the VPN Director GUI to allow a one-off bulk import of wg_manager Selective Routing rules as a convenient alternative to the esoteric command line.

The VPN Director rules are imported into the wg_manager SQL database so you can certainly have more than 199 destination subnets, if you enter the desired rules via the peer wg1x rule add ...... command.

However, if the destination IP/Subnets ultimately are likely to exceed 199 (you have 92 entries already!), or change, then you should consider saving the destination IPs/Subnets in an IPSET, then you have the option to have dnsmasq automatically populate the IPSET whenever the domain name is referenced.

Once the IPs/Subnets are contained in the IPSET; they can exported to a plain text file, and during the reboot you can elect to import the saved text file as-is (or manually modified) into the IPSET.

Hopefully this answers both of your queries.

 

[numminorih]

Can I dell or create rules "massive"? Maybe there is a command to add/remove it not one by one?

 

[JGrana]

Not sure such a feature request is even sane? - I still get shivers recalling having to use it on IBM VM LPARs

Still each to their own - old dogs new tricks etc.

Perfect, worked great. Thanks.

Hey, could have been worse, I could have requested ed from the old System 3 Unix days!!!

 

[ZebMcKayhan]

Looks like the IPv6 support for 'client' Peers in Policy mode was never implemented?

it was/is implemented/working in latest stable release. both IPv4 and IPv6 rules and DNS were properly populated and working. but on the last dev version neither IPv4 nor IPv6 DNS DNAT rules were populated (as the variable used to pass the list of DNS was unknown to the function).

I've hastily (not much time to fully investigate/test as no IPv6 environment to play with)

great work! I will sink my teeth into it when I get home and do some extensive testing.

 

[Martineau]

it was/is implemented/working in latest stable release. both IPv4 and IPv6 rules and DNS were properly populated and working. but on the last dev version neither IPv4 nor IPv6 DNS DNAT rules were populated (as the variable used to pass the list of DNS was unknown to the function).

Oh dear perhaps my hastily applied assumption as to the correct fix is then somewhat flawed.

 

[ZebMcKayhan]

Oh dear perhaps my hastily applied assumption as to the correct fix is then somewhat flawed.

Sorry, but still no-go...

ASUSWRT-Merlin RT-AC86U 386.7_0 Wed Jun 22 18:49:26 UTC 2022
admin@RT-AC86U-D7D8:/tmp/home/root# grep -iE "^version" /jffs/addons/wireguar
d/wg_c*
/jffs/addons/wireguard/wg_client:VERSION="v4.17.8"
admin@RT-AC86U-D7D8:/tmp/home/root# iptables -nvL WGDNS1 -t nat
Chain WGDNS1 (2 references)
 pkts bytes target     prot opt in     out     source               destinati
on
admin@RT-AC86U-D7D8:/tmp/home/root# iptables -nvL WGDNS2 -t nat
Chain WGDNS2 (2 references)
 pkts bytes target     prot opt in     out     source               destinati
on
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL WGDNS1 -t nat
Chain WGDNS1 (2 references)
 pkts bytes target     prot opt in     out     source               destinati
on
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL WGDNS2 -t nat
Chain WGDNS2 (2 references)
 pkts bytes target     prot opt in     out     source               destinati
on
admin@RT-AC86U-D7D8:/tmp/home/root#

will do some digging and see if I could find out why...

Edit: found it. Left-over variable $PEER_DNS is not available in this function at this point, so -n appears FALSE:
Line 213:

if [ -n "$PEER_DNS" ] && [ "$TARGET_LOOKUP" != "main" ] && [ "$VPN_IP" != "Any" ];then

change to:

if [ -n "$PEERDNS_LIST" ] && [ "$TARGET_LOOKUP" != "main" ] && [ "$VPN_IP" != "Any" ];then

Not sure if $PEERDNS_LIST or $PEER_DNS_LIST should be used, or either maybe. Then its working again!!

 

[Martineau]

Line 213:

if [ -n "$PEER_DNS" ] && [ "$TARGET_LOOKUP" != "main" ] && [ "$VPN_IP" != "Any" ];then

change to:

if [ -n "$PEERDNS_LIST" ] && [ "$TARGET_LOOKUP" != "main" ] && [ "$VPN_IP" != "Any" ];then

Then its working again!!

Whoops!

I've updated wg_client to v4.17.9

Update wg_client · MartineauUK/wireguard@2a81046

FIX: Typo in variable name used for DNS - which can now contain both IPv4 and IPv6 values - Thanks SNB forums member @ZebMcKayhan

github.com

To upgrade use:

e  = Exit Script [?]

E:Option ==> uf dev

Many thanks.