What's new

Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

How i can acces to my LAN devices when i connected to my wireguard Server ? i need only woeking LAN Devices not internet from my Wireguard Server.
Use the diagnostics command
Code:
e  = Exit Script [?]

E:Option ==> diag
and obfuscate personal info before posting the output
 
Use the diagnostics command
Code:
e  = Exit Script [?]

E:Option ==> diag
and obfuscate personal info before posting the output
Server:
when i create a new device - default route 0.0.0.0/0.

E:Option ==> peer multi

Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Device Auto IP DNS Allowed IPs
multi X 10.50.1.2/32 9.9.9.9 0.0.0.0/0

If i change manualy route to 192.168.1.0/24 in file wg21.conf and multi.conf in allowed ip: 192.168.1.0/24 and then restart server, when i connected from mobile device/PC... nothing working.

i see in diag (everethyng route 0.0.0.0.0/0

Split tunneling only working if i change in client allowed IP to 192.168.1.0/24.

if i create the new device from wg_manager how to specified allowed ip to LAN only?

my diag is:

peer:
endpoint: "Changed"
allowed ips: 0.0.0.0/0
latest handshake: 37 seconds ago
transfer: 831.63 KiB received, 8.62 MiB sent

DEBUG: Routing info MTU etc.

37: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.50.1.1/24 scope global wg21
valid_lft forever preferred_lft forever

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.50.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wg21

DEBUG: RPDB rules

0: from all lookup local
9810: from all fwmark 0xd2 lookup 210
32766: from all lookup main
32767: from all lookup default

DEBUG: Routing Table main

10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

DEBUG: UDP sockets.

udp 0 0 0.0.0.0:51820 0.0.0.0:* -
udp 0 0 :::51820 :::* -

DEBUG: Firewall rules


DEBUG: -t filter

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 7597 8484K ACCEPT all -- * wg21 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
2 4621 570K ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 765 62863 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
2 5423 1004K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 /* WireGuard 'server' */

Chain OUTPUT (policy ACCEPT 163K packets, 43M bytes)
num pkts bytes target prot opt in out source destination
1 1081 248K ACCEPT all -- * wg21 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */

DEBUG: -t nat

Chain PREROUTING (policy ACCEPT 10997 packets, 1325K bytes)
num pkts bytes target prot opt in out source destination
1 5 880 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 /* WireGuard 'server' */

Chain POSTROUTING (policy ACCEPT 7964 packets, 741K bytes)
num pkts bytes target prot opt in out source destination

DEBUG: -t mangle

Chain FORWARD (policy ACCEPT 999K packets, 715M bytes)
num pkts bytes target prot opt in out source destination
1 7597 8484K MARK all -- * wg21 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */ MARK xset 0x1/0x7
2 88 4632 TCPMSS tcp -- wg21 * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
3 61 3228 TCPMSS tcp -- * wg21 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU

Chain PREROUTING (policy ACCEPT 1185K packets, 747M bytes)
num pkts bytes target prot opt in out source destination
1 5395 633K MARK all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */ MARK xset 0x1/0x7
Thank you.
 
Server:
when i create a new device - default route 0.0.0.0/0.
Fixed in v4.11b2 (May 4, 2021)
if i create the new device from wg_manager how to specified allowed ip to LAN only?
You can create a LAN-Only 'device' Road-Warrior Peer using
Code:
E:Option ==> createsplit multi

    Creating Wireguard Private/Public key pair for device 'multi'
    Device 'multi' Public key=oSAES951SLymItBS76/HOwzs7eQSWV2vIgmdAR5yKSo=

    Using Public key for 'server' Peer 'wg21'


    WireGuard config for Peer device 'multi' created (Allowed IP's 192.168.1.0/24 # Split Traffic LAN Only)

    Press y to Display QR Code for Scanning into WireGuard App on device 'multi' or press [Enter] to SKIP.

or if the 'device' Road-Warrior 'Peer' already exists
wg_manager v4.11b2 (May 4, 2021) added the peer xxxxxx allowedips= command to allow modification and implementation of the desired Road-Warrior 'device' Peer change.
Use the following to download the latest beta from the Github 'dev' branch
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 
Last edited:
createsplit multi
Thanks. this working. i see in "peer multi show" = allowed IP = 192.168.1.0/24. but if i change manually in client from Phone or Windows to allowed IP = 0.0.0.0/0 - this always working and all trafic go to the wireguard server. If possible how to prevent this?

peer xxxxxx allowedips=
if i put peer multi allowedips=192.168.1.0/24 - this is change - i show it only in wg_manager - peer multi show.
but if i open for example multi.conf from /opt/etc/wireguard.d/ - i see allowed ip = 0.0.0.0/0 (nothing change in config files in wireguard.d directory (maybe i have wrong rights...:
-rw-rw-rw-

if i create file wg11.conf and import from wg_manager - than connect. (it's successful) - not working my server when i connect from mobile phone. (not working split tunneling - i'm not able access my LAN devices.

diag show:
peer:
endpoint: changed
allowed ips: 10.50.1.2/32
latest handshake: 12 minutes, 50 seconds ago
transfer: 22.24 KiB received, 44.97 KiB sent

interface: wg11
public key:
private key: (hidden)
listening port: 37667

peer:
endpoint: changed
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 18 seconds ago
transfer: 87.95 MiB received, 2.81 MiB sent
persistent keepalive: every 25 seconds

DEBUG: Routing info MTU etc.

25: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.50.1.1/24 scope global wg21
valid_lft forever preferred_lft forever
26: wg11: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.5.0.2/32 scope global wg11
valid_lft forever preferred_lft forever

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 wg11
10.50.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wg21
128.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 wg11

DEBUG: RPDB rules

0: from all lookup local
9810: from all fwmark 0xd2 lookup 210
32766: from all lookup main
32767: from all lookup default

DEBUG: Routing Table 121 (wg11) # N/A

0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1

DEBUG: Routing Table main

0.0.0.0/1 dev wg11 scope link
10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1
128.0.0.0/1 dev wg11 scope link

DEBUG: UDP sockets.

udp 0 0 0.0.0.0:51820 0.0.0.0:* -
udp 0 0 0.0.0.0:37667 0.0.0.0:* -
udp 0 0 :::51820 :::* -
udp 0 0 :::37667 :::* -

DEBUG: Firewall rules


DEBUG: -t filter

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 164 34780 ACCEPT all -- * wg21 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
2 139 16615 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
2 143 26780 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 /* WireGuard 'server' */

Chain OUTPUT (policy ACCEPT 23231 packets, 4531K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * wg21 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */

DEBUG: -t nat

Chain PREROUTING (policy ACCEPT 519 packets, 55397 bytes)
num pkts bytes target prot opt in out source destination
1 118 8467 WGDNS1 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* WireGuard 'client1 DNS' */
2 3 172 WGDNS1 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* WireGuard 'client1 DNS' */
3 41 7216 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 /* WireGuard 'server' */

Chain POSTROUTING (policy ACCEPT 134 packets, 13480 bytes)
num pkts bytes target prot opt in out source destination
1 400 32026 MASQUERADE all -- * wg11 192.168.1.0/24 0.0.0.0/0 /* WireGuard 'client' */

Chain WGDNS1 (2 references)
num pkts bytes target prot opt in out source destination
1 121 8639 DNAT all -- * * 192.168.1.0/24 0.0.0.0/0 /* WireGuard 'client1 DNS' */ to:103.86.96.100

DEBUG: -t mangle

Chain FORWARD (policy ACCEPT 72763 packets, 91M bytes)
num pkts bytes target prot opt in out source destination
1 18194 2185K MARK all -- * wg11 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'client' */ MARK xset 0x1/0x7
2 248 13908 TCPMSS tcp -- wg11 * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
3 248 13924 TCPMSS tcp -- * wg11 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
4 164 34780 MARK all -- * wg21 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */ MARK xset 0x1/0x7
5 16 960 TCPMSS tcp -- wg21 * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
6 16 960 TCPMSS tcp -- * wg21 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU

Chain PREROUTING (policy ACCEPT 148K packets, 186M bytes)
num pkts bytes target prot opt in out source destination
1 54578 89M MARK all -- wg11 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'client' */ MARK xset 0x1/0x7
2 139 16615 MARK all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */ MARK xset 0x1/0x7
I need to run Wireguard Server and VPN simultaneously.
for Wireguard Server (when i connect from client) i only need to access my LAN Devices - 192.168.1.0/24

IPSet:

i have IPSet - for example Netflix_DNS. and i need to Bypass Routing from wg11 client? how do i set it?

if i put:
peer wg11 add ipset Netflix_DNS
this is automatically add to wg11 interface.

Total IPSet
1 Netflix_DNS

Total IPSet Peer
1 Netflix_DNS wg11

FWMark Interface
0x1000 wg11
0x2000 wg12
0x4000 wg13
0x7000 wg14
0x3000 wg15
0x8000 wan
i need to change this IPSet - go to WAN interface, not WG11 Client.

Thank you very much for help.
 
Last edited:
Please, can anyone explain, how to use ipset feature, step-by-step? I've imported an old wg11 client config, added existing ipset, restarted… nothing works, nothing routes to wg11.
 
Please, can anyone explain, how to use ipset feature, step-by-step? I've imported an old wg11 client config, added existing ipset, restarted… nothing works, nothing routes to wg11.
At a high-level, there are 2 steps to setup the ipset feature.
The first one (essential) is to have a stable, working client peer connection to the server peer (i.e. regular handshakes, a site of your choice like 'https://www.whatismyip.com/' detecting the configured WireGuard server peer's IP etc.)
NOTE: the WireGuard configuration files generated by VPN providers have, in most cases, a limited life span if unused. So, trying to import "an old wg11 client config" may be a questionable starting point.
In any case, this step is a prerequisite.

The second step is to 'add' the 'ipset' i.e.
Code:
peer wg11 add ipset IPSET
in its most basic form. Note that IPSET must exist - check with
Code:
ipset -L IPSET
.
There are a number of configurable parameters depending on your requirements - FwMark, destination/source, enable/disable.
 
IPSet:

i have IPSet - for example Netflix_DNS. and i need to Bypass Routing from wg11 client? how do i set it?

if i put:

this is automatically add to wg11 interface.

i need to change this IPSet - go to WAN interface, not WG11 Client.

Thank you very much for help.
Run:
Code:
peer wg11 upd ipset Netflix_DNS fwmark 0x8000
Then
Code:
peer wg11
should show the updated 'fwmark' as 0x8000 (WAN). Restart the client peer.
 
peer wg11 upd ipset Netflix_DNS fwmark 0x8000
Thanks.

maybe if your know what i need to set - if i connected client. and i connected from my phone to wg server (i need to access my LAN device )

I set up routing, byt this is not working. sorry, i don't know how.

when i connected to wg server - my ip 10.50.1.2/32 - i need to access my LAN device 192.168.1.0/24

3 ID rule - what i need change?

Selective Routing RPDB rules
ID Peer Interface Source Destination Description
2 wg11 WAN 192.168.1.1 Any Router
1 wg11 VPN 192.168.1.0/24 Any LAN
3 wg11 VPN 10.50.1.0/24 192.168.1.0/24 Server

IPSet Enable Peer FWMark DST/SRC
Netflix_DNS Y wg11 0x8000 dst
Netflix_ASN Y wg11 0x8000 dst
Thank you.
 
Thanks.

maybe if your know what i need to set - if i connected client. and i connected from my phone to wg server (i need to access my LAN device )

I set up routing, byt this is not working. sorry, i don't know how.

when i connected to wg server - my ip 10.50.1.2/32 - i need to access my LAN device 192.168.1.0/24

3 ID rule - what i need change?


Thank you.
I have never tried that scenario because I never felt the need (or urge) to forward the entire LAN through the VPN tunnel. What I have, is devices grouped in IP ranges forwarded through the VPN as required. This way the access to the internal network works with no additional configuration. If you don't have CIDRs defined you can still forward individual devices through the VPN and change the autostart to 'policy':
Code:
peer wg1* auto=p
.
 
Thanks. this working. i see in "peer multi show" = allowed IP = 192.168.1.0/24. but if i change manually in client from Phone or Windows to allowed IP = 0.0.0.0/0 - this always working and all trafic go to the wireguard server. If possible how to prevent this?


if i put peer multi allowedips=192.168.1.0/24 - this is change - i show it only in wg_manager - peer multi show.
but if i open for example multi.conf from /opt/etc/wireguard.d/ - i see allowed ip = 0.0.0.0/0 (nothing change in config files in wireguard.d directory (maybe i have wrong rights...:
That is not a matter of "wrong rights". It's just the way the 'WireGuard Manager' script works; it adds an sqlite database between the front end ('wgm' in the CLI) and the WireGuard application. Also, it creates and/or modifies the .conf files to a format suitable to WirGuard's inner workings. After the .conf import and/or creation, 'wgm' populates and modifies the database as required. In its current iteration it does not go back to apply every database change to the .conf files.

That being said, I had the same experience with accessing the Internet through the split tunnel if changing the device peer setting from allowing LAN IPs (192.168.1.0/24) to allow everything (0.0.0.0/0). The immediate solution would be the equivalent of 'if it hurts don't do it.)
I see that, and other issues (reported or to be reported) in the context of beta testing the script.
 
What do I have to do, to use my router as a Wireguard client AND use Diversion?
I've already configured my router as a client using 1.1.1.1 as DNS, but this now circumvents Diversions ad-blocking capabilities. (I guess)
How do I configure my router to use Diversion again?
 
ok, so I managed to import my VPN client, wg11. set it to policy mode and add rules to route my subnet 192.168.1.1/24 via VPN but the rest via WAN. this works great!
then I added my 2 ipsets (attempting to run these through WAN) but this has basically no effect:
Code:
E:Option ==> peer wg11

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP              Endpoint                   DNS          MTU   Public                                        Private                                       Annotate
wg11    P     10.0.69.214/24  wireguard.5july.net:48574  192.168.1.1  1420  <hidden>                                        <hidden>  # N/A

        Selective Routing RPDB rules
ID  Peer  Interface  Source          Destination     Description
2   wg11  WAN        0.0.0.0/0       192.168.1.1/16  local WAN
3   wg11  VPN        192.168.1.1/24  Any             LAN to VPN

IPSet        Enable  Peer  FWMark  DST/SRC
NETFLIX-DNS  Y       wg11  0x8000  dst
MYIP         Y       wg11  0x8000  dst

        WireGuard ACTIVE Peer Status: Clients 1, Servers 0

E:Option ==> ipset

        Table:ipset Summary

Total  IPSet
1      MYIP
1      NETFLIX-DNS

Total  IPSet        Peer
1      MYIP         wg11
1      NETFLIX-DNS  wg11

FWMark  Interface
0x1000  wg11
0x2000  wg12
0x4000  wg13
0x7000  wg14
0x3000  wg15
0x8000  wan

so checking the iptables if the mark is set:
Code:
admin@RT-AC86U-D7D8:/tmp/mnt/UsbDrv/entware/etc/wireguard# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 24275 packets, 11M bytes)
pkts bytes target     prot opt in     out     source               destination
4201 2612K MARK       all  --  wg11   any     anywhere             anywhere             /* WireGuard 'client' */ MARK xset 0x1/0x7
    0     0 MARK       all  --  any    any     anywhere             anywhere             match-set NETFLIX-DNS dst MARK or 0x8000
   51  4623 MARK       all  --  any    any     anywhere             anywhere             match-set MYIP dst MARK or 0x8000
yep...

checking the rules:
Code:
admin@RT-AC86U-D7D8:/tmp/mnt/UsbDrv/entware/etc/wireguard# ip rule
0:      from all lookup local
9910:   from all to 192.168.1.1/16 lookup main
9911:   from 192.168.1.1/24 lookup 121
32766:  from all lookup main
32767:  from all lookup default
nope...

manually adding
Code:
ip rule add fwmark 0x8000 table main prio 9907
breaks the connection to these ipsets.

also setting the reverse path filter for wan to loose mode:
Code:
echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter
then it seems to work.

is there something I have failed to configure for ipsets? or am I meant to add the rest in my user sripts?

//Zeb

EDIT: did a search through the wg_manager and wg_client scripts and found basically no entries were any "ip rule add fwmark" is added. so I guess that answers it. unless this is done through NAT:ing but I cant find anything in the NAT table....
 
Last edited:
ok, so I managed to import my VPN client, wg11. set it to policy mode and add rules to route my subnet 192.168.1.1/24 via VPN but the rest via WAN. this works great!
then I added my 2 ipsets (attempting to run these through WAN) but this has basically no effect:
Code:
E:Option ==> peer wg11

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP              Endpoint                   DNS          MTU   Public                                        Private                                       Annotate
wg11    P     10.0.69.214/24  wireguard.5july.net:48574  192.168.1.1  1420  <hidden>                                        <hidden>  # N/A

        Selective Routing RPDB rules
ID  Peer  Interface  Source          Destination     Description
2   wg11  WAN        0.0.0.0/0       192.168.1.1/16  local WAN
3   wg11  VPN        192.168.1.1/24  Any             LAN to VPN

IPSet        Enable  Peer  FWMark  DST/SRC
NETFLIX-DNS  Y       wg11  0x8000  dst
MYIP         Y       wg11  0x8000  dst

        WireGuard ACTIVE Peer Status: Clients 1, Servers 0

E:Option ==> ipset

        Table:ipset Summary

Total  IPSet
1      MYIP
1      NETFLIX-DNS

Total  IPSet        Peer
1      MYIP         wg11
1      NETFLIX-DNS  wg11

FWMark  Interface
0x1000  wg11
0x2000  wg12
0x4000  wg13
0x7000  wg14
0x3000  wg15
0x8000  wan

so checking the iptables if the mark is set:
Code:
admin@RT-AC86U-D7D8:/tmp/mnt/UsbDrv/entware/etc/wireguard# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 24275 packets, 11M bytes)
pkts bytes target     prot opt in     out     source               destination
4201 2612K MARK       all  --  wg11   any     anywhere             anywhere             /* WireGuard 'client' */ MARK xset 0x1/0x7
    0     0 MARK       all  --  any    any     anywhere             anywhere             match-set NETFLIX-DNS dst MARK or 0x8000
   51  4623 MARK       all  --  any    any     anywhere             anywhere             match-set MYIP dst MARK or 0x8000
yep...

checking the rules:
Code:
admin@RT-AC86U-D7D8:/tmp/mnt/UsbDrv/entware/etc/wireguard# ip rule
0:      from all lookup local
9910:   from all to 192.168.1.1/16 lookup main
9911:   from 192.168.1.1/24 lookup 121
32766:  from all lookup main
32767:  from all lookup default
nope...

manually adding
Code:
ip rule add fwmark 0x8000 table main prio 9907
breaks the connection to these ipsets.

also setting the reverse path filter for wan to loose mode:
Code:
echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter
then it seems to work.

is there something I have failed to configure for ipsets? or am I meant to add the rest in my user sripts?

//Zeb

EDIT: did a search through the wg_manager and wg_client scripts and found basically no entries were any "ip rule add fwmark" is added. so I guess that answers it. unless this is done through NAT:ing but I cant find anything in the NAT table....
see nat-start script to enable Selective Routing of IPSETs
 
Thanks! just wanted to make sure I had not missed any important step of configuration.

instead of using nat-start scripts I made use of your nice custom scripts "/jffs/addons/wireguard/Scripts/wg11-up.sh" and placed the rule and rp filter there. works perfectly!

realized that masquarading is still only on /24 subnet:
Code:
 5327  558K MASQUERADE  all  --  any    wg11    192.168.1.0/24       anywhere             /* WireGuard 'client' */

so I'm not able to route guest network through VPN (not as is anyway)...
curious on why that is, running
Code:
brctl show
gives:
Code:
bridge name     bridge id               STP enabled     interfaces
br0             8000.244bfebcd7d8       yes             eth1
                                                        eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth6
                                                        wl0.1
                                                        wl1.1

so this is basically because br1 and br2 is not used, since Im running Yazfi, which removes Asus VLAN's.

is there any need for being so sparse in what is masquaraded? checking how wan does it:
Code:
   42  2670 MASQUERADE  all  --  any    eth0   !xxx.xxx.xxx.xx       anywhere
where xxx is my wan ip... so all reaching this interface with other source address will be masquaraded.

or are we using masquarading as another means of access control?

//Zeb
 
What do I have to do, to use my router as a Wireguard client AND use Diversion?
I've already configured my router as a client using 1.1.1.1 as DNS, but this now circumvents Diversions ad-blocking capabilities. (I guess)
How do I configure my router to use Diversion again?
Well, I set my dns in the wg11.conf to router lan ip (192.168.1.1). So unbound and diversion works as normal. This works for me...

//Zeb
 
Instead of using nat-start scripts I made use of your nice custom scripts "/jffs/addons/wireguard/Scripts/wg11-up.sh" and placed the rule and rp filter there. works perfectly!
FYI, Depending on the router housekeeping/GUI interaction, the custom fwmarks used by the Selective IPSET routing can unfortunately be silently deleted. :eek:

So when using '/jffs/addons/wireguard/Scripts/wg1X-up.sh' to customise the WireGuard iptables, it is prudent to ensure that in the event that nat-start is unexpectedly executed by the firmware, nat-start should still be customised to make sure any ACTIVE WireGuard connections are forced to re-execute the appropriate '/jffs/addons/wireguard/Scripts/wg1X-up.sh' script (either explicitly or by bouncing the WireGuard connection).
 
FYI, Depending on the router housekeeping/GUI interaction, the custom fwmarks used by the Selective IPSET routing can unfortunately be silently deleted. :eek:

So when using '/jffs/addons/wireguard/Scripts/wg1X-up.sh' to customise the WireGuard iptables, it is prudent to ensure that in the event that nat-start is unexpectedly executed by the firmware, nat-start should still be customised to make sure any ACTIVE WireGuard connections are forced to re-execute the appropriate '/jffs/addons/wireguard/Scripts/wg1X-up.sh' script (either explicitly or by bouncing the WireGuard connection).
That is sound advice... thank you! I opt for bouncing the WireGuard client peers rather than re-execute the interfaces' 'up-down' scripts in nat-start - easier to maintain.
I tried the 2 relevant bouncing options from the command line first. Here is the outcome:
Code:
asmin@RT-AX86U:/tmp/mnt/asus/conf# /jffs/addons/wireguard/wg_manager.sh restart clients
(wg_firewall): 20461 Checking if WireGuard VPN Peer KILL-Switch is required.....
(wg_firewall): 20461 Restarting WireGuard to reinstate RPDB/firewall rules
        Requesting WireGuard VPN Peer stop (wg21 wg14 wg12 wg13 wg11)
<snip>
        Requesting WireGuard VPN Peer start (wg11 wg14 wg12 wg13  wg21)
<snip>
        Requesting WireGuard VPN Peer stop for Category 'Clients' (wg11 wg14 wg12 wg13)
<snip>
        Requesting WireGuard VPN Peer start for Category 'Clients' (wg11 wg14 wg12 wg13)
<snip>
So, the 'restart' or 'restart clients' options run 2 passes - the first one restarts all peers.

The other option - restarting an individual client peer looks like that:
Code:
asmin@RT-AX86U:/tmp/mnt/asus/conf# /jffs/addons/wireguard/wg_manager.sh restart wg12
(wg_firewall): 9045 Checking if WireGuard VPN Peer KILL-Switch is required.....
(wg_firewall): 9045 Restarting WireGuard to reinstate RPDB/firewall rules

        Requesting WireGuard VPN Peer stop (wg11 wg14 wg12 wg13 wg21)
<snip>
         Requesting WireGuard VPN Peer start (wg11 wg14 wg12 wg13  wg21)
<snip>
        Requesting WireGuard VPN Peer stop (wg12)
<snip>
        Requesting WireGuard VPN Peer start (wg12)
It also runs the 2 passes, the second one being the client peer for which the restart was requested.

Any suggestion?
 
FYI, Depending on the router housekeeping/GUI interaction, the custom fwmarks used by the Selective IPSET routing can unfortunately be silently deleted. :eek:

So when using '/jffs/addons/wireguard/Scripts/wg1X-up.sh' to customise the WireGuard iptables, it is prudent to ensure that in the event that nat-start is unexpectedly executed by the firmware, nat-start should still be customised to make sure any ACTIVE WireGuard connections are forced to re-execute the appropriate '/jffs/addons/wireguard/Scripts/wg1X-up.sh' script (either explicitly or by bouncing the WireGuard connection).
I'm confused. wg_manager puts this in nat-start
Code:
/jffs/addons/wireguard/wg_firewall            # WireGuard

which executes
Code:
if [ -n "$(wg show interfaces)" ];then
    logger -st "($(basename "$0"))" $$ "Restarting WireGuard to reinstate RPDB/>
    /jffs/addons/wireguard/wg_manager.sh stop
    /jffs/addons/wireguard/wg_manager.sh start
fi

so this should do it, right? or are'nt the custom script executed at stop/start? or how do you mean?

anyway, been running my client now for a couple of un-eventful days, however the syslog looks strange:
Code:
Jun  7 20:59:00 RT-AC86U-D7D8 (wg_manager.sh): 6941 Clients [97m1[95m, Servers [97m0
Jun  7 20:59:01 RT-AC86U-D7D8 (wg_manager.sh): 6941 wg11:[97m transfer: 392.88 MiB received, 14.18 MiB sent        [97m0 Days, 02:28:50 from 2021-06-07 18:30:11 >>>>>>[0m
Jun  7 20:59:01 RT-AC86U-D7D8 (wg_manager.sh): 6941 wg11: period : 367.07 MiB received, 11.97 MiB sent (Rx=384900792;Tx=12555459)
this was also in post #218 but with negative data values. tried the same advice you gave to rebuild the SQL tables, but that did not work. any advice?
Code:
E:Option ==> diag sql traffic

        DEBUG: SQL '/opt/etc/wireguard.d/WireGuard.db'

        Table:traffic
Peer  Timestamp            RX         TX
wg11  2021-06-07 18:14:53  0          0
wg11  2021-06-07 18:16:50  34437      16056
wg11  2021-06-07 18:26:34  0          0
wg11  2021-06-07 18:27:44  5304       5816
wg11  2021-06-07 18:28:28  2786       3963
wg11  2021-06-07 18:30:11  0          0
wg11  2021-06-07 18:36:07  4194304    331540
wg11  2021-06-07 18:59:01  82659246   3212647
wg11  2021-06-07 19:59:01  27063747   2313349
wg11  2021-06-07 20:59:01  384900792  12555459

//Zeb
 
I tried the 2 relevant bouncing options from the command line first. Here is the outcome:
Code:
asmin@RT-AX86U:/tmp/mnt/asus/conf# /jffs/addons/wireguard/wg_manager.sh restart clients
(wg_firewall): 20461 Checking if WireGuard VPN Peer KILL-Switch is required.....
(wg_firewall): 20461 Restarting WireGuard to reinstate RPDB/firewall rules
        Requesting WireGuard VPN Peer stop (wg21 wg14 wg12 wg13 wg11)
<snip>
        Requesting WireGuard VPN Peer start (wg11 wg14 wg12 wg13  wg21)
<snip>
        Requesting WireGuard VPN Peer stop for Category 'Clients' (wg11 wg14 wg12 wg13)
<snip>
        Requesting WireGuard VPN Peer start for Category 'Clients' (wg11 wg14 wg12 wg13)
<snip>
So, the 'restart' or 'restart clients' options run 2 passes - the first one restarts all peers.

The other option - restarting an individual client peer looks like that:
Code:
asmin@RT-AX86U:/tmp/mnt/asus/conf# /jffs/addons/wireguard/wg_manager.sh restart wg12
(wg_firewall): 9045 Checking if WireGuard VPN Peer KILL-Switch is required.....
(wg_firewall): 9045 Restarting WireGuard to reinstate RPDB/firewall rules

        Requesting WireGuard VPN Peer stop (wg11 wg14 wg12 wg13 wg21)
<snip>
         Requesting WireGuard VPN Peer start (wg11 wg14 wg12 wg13  wg21)
<snip>
        Requesting WireGuard VPN Peer stop (wg12)
<snip>
        Requesting WireGuard VPN Peer start (wg12)
It also runs the 2 passes, the second one being the client peer for which the restart was requested.

Any suggestion?
Whoops! :oops:

Fixed in v4.11b5 commit

Apply patch from the Github 'dev' branch
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top