Following @ZebMcKayhan's changes recommended in #54 and updating to Beta v4.16bB, my setup appears to be completely broken. The update took quite a while before happening (and, just in case, I ran it again). Somehow this also messed up unbound (logging was not correct and the time server had reset to ntp from Chrony) and the IPv6 WAN interface was completely missing. Once I had done the necessary repairs I noted that my VPN (MAC assigned) device was no longer going through the VPN.

FYI, from wireguard_manager:
Beta v4.16bB now makes an exception for IPSets ofType: hash:mac
whereby, rather than insisting on creating a duplicate IPv6 IPset (mirroring the contents of the IPv4 MAC IPSet), the IPv6 firewall rule will now also be created if appropriate.
I had been experimenting with where and how to add the IPv6 alias and restore the ipset on boot, and before making the above changes I had come to the following conclusions:
- the IPv6 alias for br0 needs to be up before unbound is started
- the ipset needs to be restored before wg_manager is started (which is after unbound)
- full IPv6 functionality appears to only happen well after IPv4 (e.g. adding an IPv4 alias works in wan-event or nat-start with no wait state; it does not for an IPv6 alias)
- selecting the wait time was somewhat hit and miss.
Code:
#!/bin/sh
# Add the IPv6 alias to the LAN bridge (needed before unbound starts)
ip -6 address add dev br0 fd36:7ef1:2add:aa88:100::1/128

# Restore the MAC ipset from its saved dump (needed before wg_manager starts)
IPSET_NAME=wg11-mac
BACKUP_FILE="/jffs/addons/wireguard/$IPSET_NAME"   # saved `ipset save` output

if [ "$(ipset list -n "$IPSET_NAME" 2>/dev/null)" != "$IPSET_NAME" ]; then  # ipset does not already exist
    if [ -s "$BACKUP_FILE" ]; then                                           # a non-empty backup file exists
        ipset restore -! <"$BACKUP_FILE"                                     # restore ipset, ignoring "already exists" errors
    fi
fi
Code:
#!/bin/sh
###############################################################################
WanIp6=$(nvram get ipv6_rtr_addr) #WanIp6=2001:1111:2222:3333::1
# Masquerade everything leaving wg11 except the VPN's own address (v4 and v6)
iptables -t nat -I POSTROUTING ! -s <vpn_ipv4> -o wg11 -j MASQUERADE
ip6tables -t nat -I POSTROUTING ! -s <vpn_ipv6> -o wg11 -j MASQUERADE
# DNAT LAN (br0) DNS traffic in wg_manager's WGDNS1 chain to the router's IPv6 address
ip6tables -t nat -A WGDNS1 -i br0 -j DNAT --to-destination ${WanIp6}
# Mark packets from the MAC ipset members (v4 and v6) ...
ip6tables -t mangle -I PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -I PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000
# ... and route marked packets via table 121 (the wg11 table)
ip rule add from all fwmark 0x1000 table 121 prio 9900
ip -6 rule add from all fwmark 0x1000 table 121 prio 9900
# Loose reverse-path filtering on wg11 so policy-routed replies are not dropped
echo 2 > /proc/sys/net/ipv4/conf/wg11/rp_filter
Code:
#!/bin/sh
###############################################################################
# Undo the rules added above, in the same pairs
iptables -t nat -D POSTROUTING ! -s <vpn_ipv4> -o wg11 -j MASQUERADE
ip6tables -t nat -D POSTROUTING ! -s <vpn_ipv6> -o wg11 -j MASQUERADE
ip6tables -t mangle -D PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000
ip rule del from all fwmark 0x1000 table 121 prio 9900
ip -6 rule del from all fwmark 0x1000 table 121 prio 9900
After making the recommended changes and adding:
Code:
E:Option ==> peer wg11 add ipset wg11-mac
Code:
#!/bin/sh
###############################################################################
WanIp6=$(nvram get ipv6_rtr_addr) #WanIp6=2001:1111:2222:3333::1
iptables -t nat -I POSTROUTING ! -s 10.0.11.124 -o wg11 -j MASQUERADE
ip6tables -t nat -I POSTROUTING ! -s 2a0e:1c80:4:2000::b7d -o wg11 -j MASQUERADE
ip6tables -t nat -A WGDNS1 -i br0 -j DNAT --to-destination ${WanIp6}
Code:
#!/bin/sh
###############################################################################
iptables -t nat -D POSTROUTING ! -s 10.0.11.124 -o wg11 -j MASQUERADE
ip6tables -t nat -D POSTROUTING ! -s 2a0e:1c80:4:2000::b7d -o wg11 -j MASQUERADE
- All of the devices are showing the ISP assigned IPv4 address as the sole DNS server (before they showed the Azire DNS servers)
- the MAC device is not going through the VPN at all.
Code:
E:Option ==> ?
Router RT-AX88U Firmware (v386.5_2)
[✔] Entware Architecture arch=aarch64
v4.16bB WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
MD5=6bd27234bb2fcbe38ef7d4ac7edb5814 /jffs/addons/wireguard/wg_manager.sh
.
.
.
.
[✔] IPv6 Service is dhcp6
As I changed the VPN settings and updated the version at the same time (and it did not appear to run smoothly), I am at a loss as to how best to troubleshoot. Ideally I would like to revert to my old settings and then check step by step, but that would require the previous dev version.
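Since the post ends with the question of how to troubleshoot step by step, here is an added example (not code from the original post or from wg_manager) of a read-only check for each piece the earlier up-script put in place: the MAC ipset, the IPv4/IPv6 mangle MARK rules, and the IPv4/IPv6 policy rules sending the mark to table 121. It also replaces the "hit and miss" fixed wait with a polling `wait_for` helper. It assumes the same names as the post (ipset `wg11-mac`, mark `0x1000`, table `121`); the command-output snapshots embedded below are constructed for the example, and the functions take output as text so they can be run against a saved snapshot or, with `--live`, against the router itself.

```sh
#!/bin/sh
# Added example: check whether the MAC-based policy routing from the post is in place.
# Assumed values (taken from the post's scripts):
IPSET_NAME="wg11-mac"
FWMARK="0x1000"
TABLE="121"
POLL_INTERVAL="${POLL_INTERVAL:-1}"   # seconds between polls in wait_for

# $1 = output of `ipset list -n`; true if the MAC ipset exists (exact line match)
check_ipset() {
    printf '%s\n' "$1" | grep -qx "$IPSET_NAME"
}

# $1 = output of `iptables -t mangle -S PREROUTING` (or ip6tables); true if the
# MARK rule for the ipset is present (iptables prints --set-xmark in -S output)
check_mark_rule() {
    printf '%s\n' "$1" | grep -qE -- "--match-set $IPSET_NAME src -j MARK --set-x?mark $FWMARK/$FWMARK"
}

# $1 = output of `ip rule show` (or `ip -6 rule show`); true if the fwmark rule
# points at the VPN routing table (a mask suffix on the mark is accepted)
check_policy_rule() {
    printf '%s\n' "$1" | grep -qE "fwmark $FWMARK(/[0-9a-fx]+)? lookup $TABLE"
}

# Run every check on the supplied snapshots; prints each missing piece and
# returns the number of missing pieces (0 = everything the up-script adds is present).
# $1 ipset names, $2 v4 mangle, $3 v6 mangle, $4 v4 rules, $5 v6 rules
diagnose() {
    missing=0
    check_ipset "$1"       || { echo "missing: ipset $IPSET_NAME (restored before wg_manager started?)"; missing=$((missing+1)); }
    check_mark_rule "$2"   || { echo "missing: iptables mangle MARK rule for $IPSET_NAME";               missing=$((missing+1)); }
    check_mark_rule "$3"   || { echo "missing: ip6tables mangle MARK rule for $IPSET_NAME";              missing=$((missing+1)); }
    check_policy_rule "$4" || { echo "missing: ip rule fwmark $FWMARK -> table $TABLE";                  missing=$((missing+1)); }
    check_policy_rule "$5" || { echo "missing: ip -6 rule fwmark $FWMARK -> table $TABLE";               missing=$((missing+1)); }
    return $missing
}

# Poll a command until it succeeds or $1 seconds have passed, instead of a fixed sleep.
# e.g. on the router: wait_for 60 sh -c 'ip -6 addr show dev br0 | grep -q "fd36:7ef1:2add:aa88:100::1"'
wait_for() {
    timeout=$1; shift
    while [ "$timeout" -gt 0 ]; do
        "$@" && return 0
        timeout=$((timeout-1))
        sleep "$POLL_INTERVAL"
    done
    return 1
}

# Constructed snapshots (not captured from a real router):
# a working setup, as the earlier up-script would leave it ...
GOOD_IPSET="wg11-mac"
GOOD_MANGLE="-P PREROUTING ACCEPT
-A PREROUTING -m set --match-set wg11-mac src -j MARK --set-xmark 0x1000/0x1000"
GOOD_RULES="0:      from all lookup local
9900:   from all fwmark 0x1000 lookup 121
32766:  from all lookup main"
# ... and the post-update state, where the ipset was restored but no marking
# or policy rules were added (only the MASQUERADE lines remain in the scripts)
BROKEN_MANGLE="-P PREROUTING ACCEPT"
BROKEN_RULES="0:      from all lookup local
32766:  from all lookup main"

if [ "${1:-}" = "--live" ]; then
    diagnose "$(ipset list -n)" "$(iptables -t mangle -S PREROUTING)" \
             "$(ip6tables -t mangle -S PREROUTING)" "$(ip rule show)" "$(ip -6 rule show)"
else
    echo "== constructed working snapshot =="
    diagnose "$GOOD_IPSET" "$GOOD_MANGLE" "$GOOD_MANGLE" "$GOOD_RULES" "$GOOD_RULES" && echo "all pieces present"
    echo "== constructed post-update snapshot =="
    diagnose "$GOOD_IPSET" "$BROKEN_MANGLE" "$BROKEN_MANGLE" "$BROKEN_RULES" "$BROKEN_RULES" || echo "$? piece(s) missing"
fi
```

Running it without arguments prints the two constructed cases; `sh check.sh --live` on the router feeds it the real command output, which makes the "missing:" lines a quick way to see which of the five pieces the update removed before changing anything.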