Wireguard Session Manager - Discussion (3rd) thread

[archiel]

another 6 months are up so, details of @Martineau's WireGuard manager can be found here and @ZebMcKayhan's invaluable setup guide here. Following on from #938 in the second thread

Having only a single computer over vpn could prove difficult with ipv6. ideally you should make an ipv6 rule for the computer ip in wgm, but the device could have many ip, so use the right one (or all).

Regarding DNS it follows the same pattern in Policy mode. whenever the rules are working, so shall (hopefully) the DNS redirect as well. But device ipv6 could be changing and I dont know how to deal with that.

Or use Unbound with br0 IP and point everything there.

Just thinking out loud

Making a rule based on a device's ipv6 ip is going to be challenging, not just because it may have more than one, but using SLAAC, the default for IPv6 networks, these ips change over time. While IPv6 networks can use stateless or stateful DHCPv6, we would need to see how (if) these can be configured on Asus routers and what the pro/cons are, other than getting WireGuard to work.

Also if the ISP is providing dynamic IPV6, then presumably even with DHCP6 starting pool (and hence the device addresses) will need to change as the assigned subnet changes?

Would it be possible to identify a device by its MAC and then manage WireGuard traffic (IPv4 or IPV6) based on that?

For IPv4 (testing with OpenVPN) is was possible to add a fixed IP (in my case 192.168.3.1) to br0:1 (via the router's wan-start script), link that IP to the VPN and then add the same IP into Unbound as an assigned interface. This should replicate with WireGuard, but the question is how to bring in IPv6
* What would (should) be the equivalent address? ULA, link-local, does it matter?
* With IPv4 the address can be assigned as an alias on br0:1, with ipv6 attempting to assign to br0:1, will actually assign to br0, does this matter?

More testing coming up - any comments / suggestions / recommendations welcome

I suppose the good news is that leakless WireGuard is possible using the default device clients, so it ought to be soluble from the router - just a matter of how.

 

[Martineau]

another 6 months are up so, following on from #938 in the second thread

Many thanks for creating this 3rd thread.

P.S. If you could update post #1 with a link to the 2nd thread, I'm sure that would be a great help to those wishing to follow/link back to your post #938.

 

[ZebMcKayhan]

Making a rule based on a device's ipv6 ip is going to be challenging, not just because it may have more than one, but using SLAAC, the default for IPv6 networks, these ips change over time. While IPv6 networks can use stateless or stateful DHCPv6, we would need to see how (if) these can be configured on Asus routers and what the pro/cons are, other than getting WireGuard to work.

DHCPv6 request needs to come from the clients for this to work, and Android doesnt send out ones, so it only works with stateful assignement which doesnt work for Android.

Also if the ISP is providing dynamic IPV6, then presumably even with DHCP6 starting pool (and hence the device addresses) will need to change as the assigned subnet changes?

Yep, but the router would handle this if you choose stateful I assume. But as you are leading on to it doesnt matter since you cant make your static rules.... dynamic ips are a pain.

Would it be possible to identify a device by its MAC and then manage WireGuard traffic (IPv4 or IPV6) based on that?

yes, in case it uses a proper mac address, it should be possible to mark these packages, something like:

ip6tables -t mangle -I PREROUTING -m mac --mac-source 9c:4e:36:aa:bb:cc -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -I PREROUTING -m mac --mac-source 9c:4e:36:aa:bb:cc -j MARK --set-mark 0x1000/0x1000

then use this to route marked packages to wg11 (which WGM already does?). But some devices use random mac address which makes this approach less desirable

For IPv4 (testing with OpenVPN) is was possible to add a fixed IP (in my case 192.168.3.1) to br0:1 (via the router's wan-start script), link that IP to the VPN and then add the same IP into Unbound as an assigned interface. This should replicate with WireGuard, but the question is how to bring in IPv6
* What would (should) be the equivalent address? ULA, link-local, does it matter?
* With IPv4 the address can be assigned as an alias on br0:1, with ipv6 attempting to assign to br0:1, will actually assign to br0, does this matter?

should be equally possible for ipv6, but you could just assign br0 a second (or third) ipv6 address, but as I said before, dont know if it somehow affects dnsmasq stateless assignement so it does not give out this address... only one way to find out?

Edit: Possible that WGM does not setup fwmark routing unless you add an ipset.... if you need to do it manually:

ip rule add from all fwmark 0x1000 table 121 prio 9900
ip -6 rule add from all fwmark 0x1000 table 121 prio 9900
echo 2 > /proc/sys/net/ipv4/conf/wg11/rp_filter

 

[archiel]

DHCPv6 request needs to come from the clients for this to work, and Android doesnt send out ones, so it only works with stateful assignement which doesnt work for Android.


Yep, but the router would handle this if you choose stateful I assume. But as you are leading on to it doesnt matter since you cant make your static rules.... dynamic ips are a pain.


yes, in case it uses a proper mac address, it should be possible to mark these packages, something like:

ip6tables -t mangle -I PREROUTING -m mac --mac-source 9c:4e:36:aa:bb:cc -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -I PREROUTING -m mac --mac-source 9c:4e:36:aa:bb:cc -j MARK --set-mark 0x1000/0x1000

then use this to route marked packages to wg11 (which WGM already does?). But some devices use random mac address which makes this approach less desirable



should be equally possible for ipv6, but you could just assign br0 a second (or third) ipv6 address, but as I said before, dont know if it somehow affects dnsmasq stateless assignement so it does not give out this address... only one way to find out?

Edit: Possible that WGM does not setup fwmark routing unless you add an ipset.... if you need to do it manually:

ip rule add from all fwmark 0x1000 table 121 prio 9900
ip -6 rule add from all fwmark 0x1000 table 121 prio 9900
echo 2 > /proc/sys/net/ipv4/conf/wg11/rp_filter

I am going to try alias > VPN > unbound route first - less complex

If I cannot get this to work then the MAC route is worth a shot - if there are devices with non-fixed MACs then I suppose you could start the iptables script by first getting the current MAC from the IPv4 (which would be fixed) and then drop that as a variable into the iptables script - messy though.

 

[archiel]

Help needed, definitely going nowhere fast. Tried adding ipv4 and 6 to wan-start - all sorts of problems, so I am going to work on ipv4 first and then look at ipv6
As with OpenVPN added the dummy local address to wan-start

ifconfig br0:1 192.168.3.1 netmask 255.255.255.255

then tried adding this to wg11 using

peer wg11 rule add 192.168.3.1  comment Unbound4VPN

which returns

        Selective Routing RPDB rules
ID  Peer  Interface  Source        Destination  Description
3   wg11  VPN        192.168.3.1   Any          Unbound4VPN
2   wg11  VPN        10.50.60.150  Any          PC1

and adding

outgoing-interface: 192.168.3.1

to unbound.conf

In my head I am thinking
1. local device is asking asking for DNS from router
2. Unbound is intercepting the request and sending it to 192.168.3.1
3. wg11 is listening for requests from 192.168.3.1 and routing out

However DNS is not working.

If the DNS for wg11 are the IPv4 (LAN) and IPv6 (link local) addresses of the Router (so as to use dnsmasq) is this introducing some circularity?
However replacing these DNS with those provided by Azire makes no difference and stopping wg11 gives

E:Option ==> stop wg11 debug

        Requesting WireGuard VPN Peer stop (wg11)

[#] ip link del dev wg11
[#] ip rule del prio 9911
[#] ip -6 rule del prio 9911
RTNETLINK answers: No such file or directory
[#] ip rule del prio 9911
[#] ip -6 rule del prio 9911
RTNETLINK answers: No such file or directory

If I keep the settings in wan-start and unbound, leave wg11 off and add the rule to VPNDirector though OpenVPN the everything works as expected.

 

[ZebMcKayhan]

Help needed, definitely going nowhere fast. Tried adding ipv4 and 6 to wan-start - all sorts of problems, so I am going to work on ipv4 first and then look at ipv6
As with OpenVPN added the dummy local address to wan-start

ifconfig br0:1 192.168.3.1 netmask 255.255.255.255

then tried adding this to wg11 using

peer wg11 rule add 192.168.3.1  comment Unbound4VPN

which returns

        Selective Routing RPDB rules
ID  Peer  Interface  Source        Destination  Description
3   wg11  VPN        192.168.3.1   Any          Unbound4VPN
2   wg11  VPN        10.50.60.150  Any          PC1

and adding

outgoing-interface: 192.168.3.1

to unbound.conf

In my head I am thinking
1. local device is asking asking for DNS from router
2. Unbound is intercepting the request and sending it to 192.168.3.1
3. wg11 is listening for requests from 192.168.3.1 and routing out

However DNS is not working.

If the DNS for wg11 are the IPv4 (LAN) and IPv6 (link local) addresses of the Router (so as to use dnsmasq) is this introducing some circularity?
However replacing these DNS with those provided by Azire makes no difference and stopping wg11 gives

E:Option ==> stop wg11 debug

        Requesting WireGuard VPN Peer stop (wg11)

[#] ip link del dev wg11
[#] ip rule del prio 9911
[#] ip -6 rule del prio 9911
RTNETLINK answers: No such file or directory
[#] ip rule del prio 9911
[#] ip -6 rule del prio 9911
RTNETLINK answers: No such file or directory

If I keep the settings in wan-start and unbound, leave wg11 off and add the rule to VPNDirector though OpenVPN the everything works as expected.

As you choose to use 192.168.3.1 and assuming your br0 is on 192.168.1.1 you will have to add:

iptables -t nat -I POSTROUTING -s 192.168.3.1/32 -o wg11 -j MASQUERADE

if you were to use 192.168.1.3 instead this wouldn't be nessissary.

You might need to add the ToLocalUseMain rule in wgm but not sure.

Edit: for your nr.2 to work you need to set wg11 dns to 192.168.3.1. But the rule will only be applied to your policy routes, nothing else. If you want that you need to add the rule manually.

 

[archiel]

As you choose to use 192.168.3.1 and assuming your br0 is on 192.168.1.1 you will have to add:

iptables -t nat -I POSTROUTING -s 192.168.3.1/32 -o wg11 -j MASQUERADE

if you were to use 192.168.1.3 instead this wouldn't be nessissary.

You might need to add the ToLocalUseMain rule in wgm but not sure.

br0 is on 10.50.60.1 - it was always intended that this should not be on the same subnet as the LAN and this works fine with OpenVPN - sorry if this is obvious, but what is the reason that the POSTROUTING rule would be necessary for WireGuard but not OpenVPN?

Adding the above (+ removing the OpenVPN rule, restarting wg11 and restarting unbound) worked as far as allowing DNS to work again and swapping the wg11 DNS servers back to the internal addresses was not a problem. However still getting

RTNETLINK answers: No such file or directory

on stops / restarts

In regard to ToLocalUseMain, can you give an example of how would this work, am I adding a rule for 192.168.3.1 or for 10.50.60.1/24?

 

[ZebMcKayhan]

what is the reason that the POSTROUTING rule would be necessary for WireGuard but not OpenVPN?

I'll pass this question to the author @Martineau

However still getting
on stops / restarts

Seems like it tries to remove an ipv6 policy rule that does not exist, and it shouldn't since you dont appear to have any ipv6 rules. Again, I think @Martineau will need to take a look. You only have your 2 ipv4 rules right?

Edit: if you want to Override wgm sparse masquarading rule with one that covers everything (like openvpn)

iptables -t nat -I POSTROUTING ! -s <wg11Ipv4> -o wg11 -j MASQUERADE
ip6tables -t nat -I POSTROUTING ! -s <wg11Ipv6> -o wg11 -j MASQUERADE

Then masquarading will never be a problem any more.

Edit2: for ipv4 and lan the ToLocalUseMain is not needed but for wg21 it might as 192.168.3.1 is redirected to policy route table and there is no routes TO wg21 there, so destination wg21 to use wan. But test without it first.

 

[archiel]

I'll pass this question to the author @Martineau


Seems like it tries to remove an ipv6 policy rule that does not exist, and it shouldn't since you dont appear to have any ipv6 rules. Again, I think @Martineau will need to take a look. You only have your 2 ipv4 rules right?

Edit: if you want to Override wgm sparse masquarading rule with one that covers everything (like openvpn)

iptables -t nat -I POSTROUTING -s ! <wg11Ipv4> -o wg11 -j MASQUERADE
ip6tables -t nat -I POSTROUTING -s ! <wg11Ipv6> -o wg11 -j MASQUERADE

Then masquarading will never be a problem any more.

Edit2: for ipv4 and lan the ToLocalUseMain is not needed but for wg21 it might as 192.168.3.1 is redirected to policy route table and there is no routes TO wg21 there, so destination wg21 to use wan. But test without it first.

if I try the rules using the address/mask I get

iptables -t nat -I POSTROUTING -s ! 10.0.11.nnn/19 -o wg11 -j MASQUERADE
Bad argument `10.0.11.nnn/19'

same with ip6tables

 

[ZebMcKayhan]

if I try the rules using the address/mask I get

Skip the mask. In this case there should not be any.

Updated the post above as it seems as the ! should be before the -s

 

[archiel]

Skip the mask. In this case there should not be any.

Updated the post above as it seems as the ! should be before the -s

I have added these directives to wg11-up.sh (& down) and they now work. As expected, with unbound only requesting DNS via an IPv4 interface, IPv6 works but DNSv6 doesn't.

The 'RTNETLINK answers: No such file or directory' message has not gone away, will see what happens when I add the IPv6 redirect (to wg11, br0 and unbound), but may not have time before the weekend. Also do you know the equivalent instruction to

ifconfig br0:1 192.168.3.1 netmask 255.255.255.255

for IPv6 as netmask is not applicable.

 

[ZebMcKayhan]

I have added these directives to wg11-up.sh (& down) and they now work. As expected, with unbound only requesting DNS via an IPv4 interface, IPv6 works but DNSv6 doesn't.

The 'RTNETLINK answers: No such file or directory' message has not gone away, will see what happens when I add the IPv6 redirect (to wg11, br0 and unbound), but may not have time before the weekend. Also do you know the equivalent instruction to

for IPv6 as netmask is not applicable.

I propose to use ip address instead to add an address to existing br0 (or your alias perhaps)

ip -6 address add dev br0 aaaa:bbbb:cccc:dddd::1/128

Please note that wgm will only redirect dns requests for ips/subnets that has rules, so not for subnets that policy rules says to route out wan.

 

[archiel]

I propose to use ip address instead to add an address to existing br0 (or your alias perhaps)

ip -6 address add dev br0 aaaa:bbbb:cccc:dddd::1/128

Please note that wgm will only redirect dns requests for ips/subnets that has rules, so not for subnets that policy rules says to route out wan.

Could you explain your last sentence above, as I am fear I am not getting my head around it properly - assume I know nothing about routing (a reasonably safe assumption)

As far as I understand it
A device (or set of devices) wants to connect to the internet and needs a DNS address and requests this on port 53. DNSMasq intercepts this and routes it to unbound
which will either pull it from its cache or run a recursive search for it via the outgoing-interface address(es) where these are defined. In our case these addresses are defined and are on br0 (br0:1) and are in turn intercepted by the wg client and routed through the tunnel. As these requests are going directly to the .root-servers.net and recursing back, I assume that these requests do not even look at the DNS servers defined in the wg client conf - is this correct?

Any such device will show its ISP assigned IPv4 address and its own (SLAAC assigned) IPv6 address, while the DNS servers will (should) show as those of the tunnel provider

If the connecting device is linked to the wg tunnel then its DNS request will go straight to wgm rather than dnsmasq, where it will interrogate the the wg DNS servers defined in the client.conf, which are the router's private local addresses on br0 and so will be intercepted by dnsmasq then unbound and after that as above.

In this case the device will (should) instead show the tunnel provider assigned IP address and DNS servers.

So, if I have ipv6 rules like

peer wg11 rule add 192.168.3.1  comment Unbound4VPN
peer wg11 rule add fdaa:bbbb:cccc:dddd::1 comment Unbound6VPN

that link to

ifconfig br0:1 192.168.3.1 netmask 255.255.255.255
ip -6 address add dev br0 fdaa:bbbb:cccc:dddd::1/128

and a matching outgoing-interfaces in unbound then how would setting a policy in wgm for a subnet to WAN bypass this?

 

[ZebMcKayhan]

and a matching outgoing-interfaces in unbound then how would setting a policy in wgm for a subnet to WAN bypass this?

You are mostly correct in above. Maybee I need to explain myself better.

There is normally nothing forcing clients to use dnsmasq and I wasn't even sure you are using dnsmasq for i.e your lan dns. Router gives a dns to lan clients via dhcp according to what you selected in the gui, but clients are not forced to use this one but could use any.

Dns filter (if turned on) does just this. If you dont have dns filter turned on Various devices could use any dns if they would like. Dnsfilter redirect any package on port53 to what you selected.

For ipv6 there are no dnsfilter that I know of (as ip6tables DNAT is not included in firmware).

If you put in ipv6 dns in wgm it will attempt to redirect all dns request from ips which has rules to wg11 to wg11 dns (hence needing Entware iptables) but none else.

Soo, this means if your lan is routed out wan then there is nothing to force them to use dnsmasq which leads to unbound wich requests out wg11. Some app (like PingTools) could use another ipv6 dns thus leading to plain dns out on wan.

Since you are using Entware iptables you could setup ipv6 dnsfilter that forces all your devices (even those not routed out wg) to router dnsmasq. But for devices which have rules in wgm to route out wg you dont need to since wgm already handles this.

 

[archiel]

You are correct in above. Maybee I need to explain myself better.

There is normally nothing forcing clients to use dnsmasq and I wasn't even sure you are using dnsmasq for i.e your lan dns. Dns filter (if turned on) does just this. If you dont have dns filter turned on Various devices could use any dns if they would like.

For ipv6 there are no dnsfilter that I know of (as ip6tables DNAT is not included in firmware).

If you put in ipv6 dns in wgm it will attempt to redirect all dns request from ips which has rules to wg11 to wg11 dns (hence needing Entware iptables) but none else.

Soo, this means if your lan is routed out wan then there is nothing to force them to use dnsmasq which leads to unbound wich requests out wg11. Some app (like PingTools) could use another ipv6 dns thus leading to plain dns out on wan.

Thanks for this. If I have followed correctly, as I have DNSFilter enabled (default Router) then that is pushing any included iPv4 devices through dnsmasq, unbound, etc.

As this does not apply to IPv6 traffic, then this will not get redirected via unbound unless the device/app has its IPv6 DNS server selected as the Router or specifically routed to wgm through a rule. Out of curiosity does the entware ip6tables support DNAT and if so would there be a way to replicate DNSFilter routing to dnsmasq for some or all LAN IPv6 addresses / subnets?

 

[ZebMcKayhan]

Thanks for this. If I have followed correctly, as I have DNSFilter enabled (default Router) then that is pushing any included iPv4 devices through dnsmasq, unbound, etc.

As this does not apply to IPv6 traffic, then this will not get redirected via unbound unless the device/app has its IPv6 DNS server selected as the Router or specifically routed to wgm through a rule. Out of curiosity does the entware ip6tables support DNAT and if so would there be a way to replicate DNSFilter routing to dnsmasq for some or all LAN IPv6 addresses / subnets?

It should be possible and would look something like:

ip6tables -t nat -A WGDNS1 -s <LanIP6> -j DNAT --to-destination <RouterIp6>

WGDNS1 is a custom chain wgm creates that have all packages on port 53 sent to this chain. we could use this to create simpler rules were we dont have to filter out tcp/udp, port number.

I'm not sure how much we are allowed to bend this command. possibly -s <SourceIp6> could be replaced by -i br0 or possibly even removed to apply to all forwarded packages regardless of where it comes from. but maybee sometime in the future you wish to have exceptions, like some guest wifi not using the router (I use this as a fail safe when family is working from home)

 

[archiel]

Closer! But still no cigar....

Summarising steps taken to get IPv6 working and not leaking while using unbound for DNS and Diversion for add blocking.
Starting with the VPN provided conf file (tested and working if run using the default WireGuard client on Windows 11, Ubuntu 20.04 LTS and Android 12). Using Azire.
EDIT: In case it is relevant, I have also installed entware iptables as I need this when using WireGuard as a server.

Replace wg11 DNS with LAN DNS (local/link-local). As I want to use Unbound these will be my Router's local & link-local ips (for IPv4 and IPv6 respectively)

peer wg11 dns=10.50.60.1,fe80::aa5e:45ff:feae:50aa

wan-event

#!/bin/sh
ifconfig br0:1 192.168.3.1 netmask 255.255.255.255
ip -6 address add dev br0 fd36:7ef1:2add:aa88:100::1/128

Where both above above addresses are any local (IPv4) and ULA (IPv6) that are not already part of an existing subnet on the router.

edit unbound.conf to add

outgoing-interface: 192.168.3.1                        # routing to wan-event + wgm policy rules
outgoing-interface:  fd36:7ef1:2add:aa88:100::1        # routing to wan-event + wgm policy rules

Add policy rules to wg1x

peer wg11 rule add 192.168.3.1  comment Unbound4VPN
peer wg11 rule add fd36:7ef1:2add:aa88:100::1 comment Unbound6VPN

EDIT: Add routing rules to wg11-up-sh

!/bin/sh
###############################################################################
#for use in default mode only
#ip -6 route add 0::/1 dev wg11
#ip -6 route add 8000::/1 dev wg11
#for use in policy mode only
WanIp6=$(nvram get ipv6_rtr_addr)     #WanIp6=2001:1111:2222:3333::1
iptables -t nat -I POSTROUTING ! -s <wg11Ipv4> -o wg11 -j MASQUERADE
ip6tables -t nat -I POSTROUTING ! -s <wg11Ipv6> -o wg11 -j MASQUERADE
ip6tables -t nat -A WGDNS1 -i br0 -j DNAT --to-destination ${WanIp6}
###############################################################################

After all the above unbound is working (at least no error messages), diversion is working and web DNS tests (ipleak.net, browserleaks.com, etc) all show the Azire DNS servers

However devices connected to wg11 still show the ISP assigned IPv6 address rather than the Azire one. So the issue appear not that that DNS is leaking, rather that any device attached to wg11 is continuing to report its SLAAC assigned IPv6 rather than that in the wg11.conf. As noted at the start, this does not happen using the Wireguard client on the device. Edit I had not routed the IPv6 traffic through the vpn see #22.

 

[ZebMcKayhan]

However devices connected to wg11 still show the ISP assigned IPv6 address rather than the Azire one. So the issue appear not that that DNS is leaking, rather that any device attached to wg11 is continuing to report its SLAAC assigned IPv6 rather than that in the wg11.conf. As noted at the start, this does not happen using the Wireguard client on the device.

Soo, if I'm reading this right clients seems to use dns properly but only for ipv4 data. Ipv6 data still goes out wan?

If that is correct, check rules in wgm:

E: Option ==> peer wg11

and the resulting routing rules:

ip -6 rule

And wg11 policy route table:

ip -6 route show table 121

@Martineau when checking my rules found an old bug seems to have returned, ipv6 rules does not appear to be removed:

admin@RT-AC86U-D7D8:/tmp/home/root# ip -6 rule
0:      from all lookup local
9900:   from aaff:a37f:fa75:1::/64 fwmark 0x8000 lookup main
9900:   from aaff:a37f:fa75:1::/64 fwmark 0x8000 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9921:   from aaff:a37f:fa75:6::1/64 lookup 122
9991:   from all fwmark 0x1000/0x1000 lookup 121
32766:  from all lookup main

I'm on 4.16b8... maybee fixed in later versions?

 

[Martineau]

Soo, if I'm reading this right clients seems to use dns properly but only for ipv4 data. Ipv6 data still goes out wan?

If that is correct, check rules in wgm:

E: Option ==> peer wg11

and the resulting routing rules:

ip -6 rule

And wg11 policy route table:

ip -6 route show table 121

@Martineau when checking my rules found an old bug seems to have returned, ipv6 rules does not appear to be removed:

admin@RT-AC86U-D7D8:/tmp/home/root# ip -6 rule
0:      from all lookup local
9900:   from aaff:a37f:fa75:1::/64 fwmark 0x8000 lookup main
9900:   from aaff:a37f:fa75:1::/64 fwmark 0x8000 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9910:   from all to aaff:a37f:fa75:1::1/48 lookup main
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9911:   from aaff:a37f:fa75:1::1/64 lookup 121
9921:   from aaff:a37f:fa75:6::1/64 lookup 122
9991:   from all fwmark 0x1000/0x1000 lookup 121
32766:  from all lookup main

I'm on 4.16b8... maybee fixed in later versions?

What does the following show?

grep -i "^version" /jffs/addons/wireguard/wg_client

grep -i "^version" /jffs/addons/wireguard/wg_server

 

[ZebMcKayhan]

What does the following show?

grep -i "^version" /jffs/addons/wireguard/wg_client

grep -i "^version" /jffs/addons/wireguard/wg_server

admin@RT-AC86U-D7D8:/tmp/home/root# grep -i "^version" /jffs/addons/wireguard
/wg_client
VERSION="v4.16.6"
admin@RT-AC86U-D7D8:/tmp/home/root# grep -i "^version" /jffs/addons/wireguard
/wg_server
VERSION="v4.16.7"

maybee a false alarm, I tested to remove the duplicates and restart all peers (tested restart wg11, restart wg12 and just restart) and after this still no duplicate rules. But something seems to create these duplicates.

Edit: could this be because I'm using wg_firewall in both nat-start and in firewall-start? Could there be some collision? But no duplicates in ipv4 ip rule, wierd...

Edit2: rebooted because Unbound where misbehaving and still no duplicates. I have been cutting power to my fiber modem because I've been working on electrical installations several times the last days. Maybee something did not end up correctly in all this...I'll keep an eye on in in the cooming weeks