Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

[Martineau]

What does this do?

# WAN KILL-Switch
KILLSWITCH

And why does "?" say it's DISABLED?
When there is no "#" in front of "KILLSWITCH"

View attachment 34645

It is supposed to globally block ALL WAN access (see /jffs/addons/wireguard/wg_firewall) ...i.e. prevent WAN leaks assuming LAN devices must always use WireGuard tunnels for outbound access.

So the test to see if the KILL-Switch is ACTIVE is to check for the physical existence of the blocking rule

i.e.

iptables -nvL FORWARD | grep "WireGuard KILL-Switch"

You can test to see if the toggle of the KILL-Switch using the killswitch command works under v4.10

+======================================================================+
|  Welcome to the WireGuard Manager/Installer script (Asuswrt-Merlin)  |
|                                                                      |
|                      Version v4.11b8 by Martineau                    |
|                                                                      |
+======================================================================+
    WireGuard ACTIVE Peer Status: Clients 4, Servers 1



1  = Update Wireguard modules                       7  = Display QR code for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                    8  = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
                                                    9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers Summary [Peer...] [full]     10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients
5  = Stop    [ [Peer... ] | category ] e.g. stop clients
6  = Restart [ [Peer... ] | category ] e.g. restart servers

?  = About Configuration
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e  = Exit Script [?]

E:Option ==> killswitch on

ENABLED WireGuard ACTIVE Peer Status: Clients 4, Servers 1



1  = Update Wireguard modules                       7  = Display QR code for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                    8  = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
                                                    9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers Summary [Peer...] [full]     10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients
5  = Stop    [ [Peer... ] | category ] e.g. stop clients
6  = Restart [ [Peer... ] | category ] e.g. restart servers

?  = About Configuration
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e  = Exit Script [?]

E:Option ==> ?

    v4.11b8 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
    MD5=9648ba0592fc5ea1b306f397cab1671f /jffs/addons/wireguard/wg_manager.sh

<snip>

    [✔] WAN KILL-Switch is ENABLED
    [✖] UDP monitor is DISABLED

    [ℹ ] Reverse Path Filtering ENABLED

    [✔] Statistics gathering is ENABLED

ENABLED WireGuard ACTIVE Peer Status: Clients 4, Servers 1

then use the killswitch off command again

 

[paulmorabi]

Thanks.

maybe if your know what i need to set - if i connected client. and i connected from my phone to wg server (i need to access my LAN device )

I set up routing, byt this is not working. sorry, i don't know how.

when i connected to wg server - my ip 10.50.1.2/32 - i need to access my LAN device 192.168.1.0/24

3 ID rule - what i need change?


Thank you.

Did you ever get anywhere with this? I've been trying to get this working properly over the past few weeks but am completely stuck. Firstly, to summarise:

* I'd like to give wg11 access to internal LAN 192.168.1.0 as well as the VPN connection for WAN addresses.
* I'd like to give wg21, my wireguard server, access to internal LAN and also internet through internal LAN.

Peer setup:

Client  Auto  IP               Endpoint              DNS             MTU  Public                                        Private                                       Annotate
wg11    P     10.64.55.179/32  x.x.x.x:51820  x.x.x.x       g  g  # N/A

    Selective Routing RPDB rules
ID  Peer  Interface  Source          Destination     Description
6   wg11  WAN        0.0.0.0/0       192.168.0.0/16  ToLocalUseWan
1   wg11  VPN        Any             auto=p
2   wg11  VPN        Any             Any
3   wg11  VPN        192.168.6.0/24  Any             Guest2VPN


Server  Auto  Subnet        Port   Public                                        Private                                       Annotate
wg21    Y     10.50.1.1/24  51820  g    # RT-AX88U Server #1

    Selective Routing RPDB rules
ID  Peer  Interface  Source     Destination     Description
5   wg21  WAN        0.0.0.0/0  192.168.1.0/16  ToLocalUseWan

Problems:
* Restarting wg11 means I love internet access. The only thing out of the ordinary I get is "Error: any valid prefix is expected rather than "auto=p"."
* On wg21, I can neither access LAN or WAN addresses.

Any help/tips would be greatly appreciated.

 

[chongnt]

Did you ever get anywhere with this? I've been trying to get this working properly over the past few weeks but am completely stuck. Firstly, to summarise:

* I'd like to give wg11 access to internal LAN 192.168.1.0 as well as the VPN connection for WAN addresses.
* I'd like to give wg21, my wireguard server, access to internal LAN and also internet through internal LAN.

Peer setup:

Client  Auto  IP               Endpoint              DNS             MTU  Public                                        Private                                       Annotate
wg11    P     10.64.55.179/32  x.x.x.x:51820  x.x.x.x       g  g  # N/A

    Selective Routing RPDB rules
ID  Peer  Interface  Source          Destination     Description
6   wg11  WAN        0.0.0.0/0       192.168.0.0/16  ToLocalUseWan
1   wg11  VPN        Any             auto=p
2   wg11  VPN        Any             Any
3   wg11  VPN        192.168.6.0/24  Any             Guest2VPN


Server  Auto  Subnet        Port   Public                                        Private                                       Annotate
wg21    Y     10.50.1.1/24  51820  g    # RT-AX88U Server #1

    Selective Routing RPDB rules
ID  Peer  Interface  Source     Destination     Description
5   wg21  WAN        0.0.0.0/0  192.168.1.0/16  ToLocalUseWan

Problems:
* Restarting wg11 means I love internet access. The only thing out of the ordinary I get is "Error: any valid prefix is expected rather than "auto=p"."
* On wg21, I can neither access LAN or WAN addresses.

Any help/tips would be greatly appreciated.

Hi, I read from your earlier post you peer this to Mullvad VPN. Lets go through the rules in wg11.
Rule 6 - I don’t understand the use of this rule so I will skip it first.
Rule 1 has a wrong destination prefix. I suggest to delete it.

E:Option ==> peer wg11 rule del 1

Rule 2 route any source to any destination via this tunnel peering to your vpn server. It seems to send all traffic via wg11. Is this what you want?
Rule 3 route traffic from 192.168.6.0/24 (i supposed your guest wifi subnet) to any destination via wg11. This seems to be covered by rule 2. If you only want these clients to go through wg11 but the rest of your LAN devices to go through your provider WAN I suggest to delete rule 2 as well.

For wg21, I dont need to create any rule. As long as I dial in from remote, I can access devices in local LAN 192.168.1.0/24 and go to internet via WAN interface. Perhaps can try delete rule 5 as well.
By the way, I’m also new to this. Lets learn together.

 

[ZebMcKayhan]

* I'd like to give wg11 access to internal LAN 192.168.1.0 as well as the VPN connection for WAN adaddresses.

I guess you mean the other way around? You want 192.168.1.x to go out wg11 vpn?

I agree with @chongnt about the wg11 rules. Rule 1, 2 should be removed. Regarding rule 3 is this the one you created for letting guest go out vpn? The rule looks ok.

The point with rule 6 is that this routing table does not contain any routes to other subnets (I.e. guest wifi) so if 192.168.1.x want to contact 192.168.6.x this rule redirects to main table where routing information exists. Access control is then handled by firewall and not by excluding routes. Depending on if you use subnets and access to them you might or might not need it. However, it does not do any harm, I would keep it.

You would need to make a rule

peer wg11 rule add vpn 192.168.1.0/24 comment LAN2Vpn

If you want entire lan subnet to route out wg11 (if this is indeed what you want).

Sorry, can't help with the server part.

//Zeb

 

[chongnt]

I guess you mean the other way around? You want 192.168.1.x to go out wg11 vpn?

I agree with @chongnt about the wg11 rules. Rule 1, 2 should be removed. Regarding rule 3 is this the one you created for letting guest go out vpn? The rule looks ok.

The point with rule 6 is that this routing table does not contain any routes to other subnets (I.e. guest wifi) so if 192.168.1.x want to contact 192.168.6.x this rule redirects to main table where routing information exists. Access control is then handled by firewall and not by excluding routes. Depending on if you use subnets and access to them you might or might not need it. However, it does not do any harm, I would keep it.

You would need to make a rule

peer wg11 rule add vpn 192.168.1.0/24 comment LAN2Vpn

If you want entire lan subnet to route out wg11 (if this is indeed what you want).

Sorry, can't help with the server part.

//Zeb

I don’t have YazFi. Thereis a feature to allow one way or two way connection between local LAN 192.168.1.x to guest wifi 192.168.6.x. Is rule 6 meant to do the same?

 

[ZebMcKayhan]

I don’t have YazFi. Thereis a feature to allow one way or two way connection between local LAN 192.168.1.x to guest wifi 192.168.6.x. Is rule 6 meant to do the same?

Rule 6 does not allow anything that is the firewall (iptables) task. It simply prevents packages with a destination of local subnets to use the policy table since there are no routes for them there.

My opinion is that routing tables shall always have routes to any destination (via rules) then firewall shall be set up to allow access as you choose.

If for example a package destined for 192.168.6.x would end up in wg11 routing table, this package would be sent out on wg11 which is not really intended and you will be leaking data.
I like to have this rule here both to prevent dataleakage and to ease the access control management.

//Zeb

 

[paulmorabi]

@chongnt @ZebMcKayhan Sincerely thanks for your replies on this. I guess I ended up taking different rules from different places on this thread and elsewhere and it has confused everything more. From your descriptions, it's already making more sense.

Based on your feedback, I cleaned/cleared up to what I think should be the minimum:

Client  Auto  IP               Endpoint              DNS             MTU  Public                                        Private                                       Annotate
wg11    P     10.64.55.179/32  x.x.x.x:51820  193.138.218.74          N/A

    Selective Routing RPDB rules
ID  Peer  Interface  Source          Destination  Description
3   wg11  VPN        192.168.6.0/24  Any          Guest2VPN

Server  Auto  Subnet        Port   Public                                        Private                                       Annotate
wg21    Y     10.50.1.1/24  51820    # RT-AX88U Server #1

    No RPDB Selective Routing rules for wg21

Result is:
* wg11 has no LAN or WAN access.
* wg21 As above, can connect but no LAN or WAN access.
* If I restart either of these, I lose internet access ("6 wg11" or "6 wg21"). Only a reboot of router fixes it.

I'm using YazFi and for the Wifi network (wg11 192.168.6.x) I have one way and two way to guest disabled in the admin. I thought this would not be needed as I'd be manually creating the rules. Should I enable "two way to guest"?

The only other config I have is /jffs/addons/wireguard/Scripts/wg11-down.sh and /jffs/addons/wireguard/Scripts/wg11-up.sh which both contain:

#!/bin/sh

#add custom config here

iptables -t nat -I POSTROUTING -s 192.168.6.0/24 -o wg11 -j MASQUERADE

Ideally, what I would like to do is:
* wg11 is tied to a wifi network. Clients on it can access internal LAN but any WAN connection goes through wg11.
* wg21 is for connections to the local LAN. Any WAN requests go through default network (no VPN).

So, it sounds like what I should do is something like:

peer wg11 rule add vpn 192.168.1.0/24 comment LAN2Vpn
peer wg21 rule add vpn 192.168.1.0/24 comment LAN2Vpn

As this should create a route from 192.168.1.x to the 10.64.* for wg11 and 10.50.1.x for wg21? I was going to try this but as above wasn't working, wanted to start back there first before re-adding rules.

Thanks again.

 

[ZebMcKayhan]

@chongnt @ZebMcKayhan Sincerely thanks for your replies on this. I guess I ended up taking different rules from different places on this thread and elsewhere and it has confused everything more. From your descriptions, it's already making more sense.

Based on your feedback, I cleaned/cleared up to what I think should be the minimum:

Client  Auto  IP               Endpoint              DNS             MTU  Public                                        Private                                       Annotate
wg11    P     10.64.55.179/32  x.x.x.x:51820  193.138.218.74          N/A

    Selective Routing RPDB rules
ID  Peer  Interface  Source          Destination  Description
3   wg11  VPN        192.168.6.0/24  Any          Guest2VPN

Server  Auto  Subnet        Port   Public                                        Private                                       Annotate
wg21    Y     10.50.1.1/24  51820    # RT-AX88U Server #1

    No RPDB Selective Routing rules for wg21

Result is:
* wg11 has no LAN or WAN access.
* wg21 As above, can connect but no LAN or WAN access.
* If I restart either of these, I lose internet access ("6 wg11" or "6 wg21"). Only a reboot of router fixes it.

I'm using YazFi and for the Wifi network (wg11 192.168.6.x) I have one way and two way to guest disabled in the admin. I thought this would not be needed as I'd be manually creating the rules. Should I enable "two way to guest"?

The only other config I have is /jffs/addons/wireguard/Scripts/wg11-down.sh and /jffs/addons/wireguard/Scripts/wg11-up.sh which both contain:

#!/bin/sh

#add custom config here

iptables -t nat -I POSTROUTING -s 192.168.6.0/24 -o wg11 -j MASQUERADE

Ideally, what I would like to do is:
* wg11 is tied to a wifi network. Clients on it can access internal LAN but any WAN connection goes through wg11.
* wg21 is for connections to the local LAN. Any WAN requests go through default network (no VPN).

So, it sounds like what I should do is something like:

peer wg11 rule add vpn 192.168.1.0/24 comment LAN2Vpn
peer wg21 rule add vpn 192.168.1.0/24 comment LAN2Vpn

As this should create a route from 192.168.1.x to the 10.64.* for wg11 and 10.50.1.x for wg21? I was going to try this but as above wasn't working, wanted to start back there first before re-adding rules.

Thanks again.

Your wg11 client is currently set up to route guest network 192.168.6.x to wg11 vpn. All other will be routed through wan, as this was what you had previously requested.

《Should I enable "two way to guest"?》
- only if you need access between guest 192.168.6.x clients and lan 192.168.1.x clients. It will not have any effect on either Subnet ability to wan or vpn access. This is what you mean by 《wg11 is tied to a wifi network. Clients on it can access internal LAN but any WAN connection goes through wg11.》then yes. but you wont be able to access the router itself, as i.e. router web interface, router SSH a.s.o. for that you need additional rule in Yazfi custom config (iptables INPUT chain).

You could add more rules as you wish for wg11 like "peer wg11 rule add vpn 192.168.1.0/24 comment LAN2Vpn" IF you want all LAN clients to access internet through wg11 (but dont create the same rule for wg21).
but it sounds like you have more urgent issues:

It is problematic that you loose internet as you disable wg11. Perhaps you should disable your server until you have made your client operate properly.

Firstly are you sure wg11-up.sh and wg11-down.sh are executable?

chmod +x /jffs/addons/wireguard/Scripts/wg11-up.sh
chmod +x /jffs/addons/wireguard/Scripts/wg11-down.sh

wg11-up.sh shall contain

#!/bin/sh
#add custom config here
iptables -t nat -I POSTROUTING -s 192.168.6.0/24 -o wg11 -j MASQUERADE

wg11-down.sh shall contain

#!/bin/sh
#add custom config here
iptables -t nat -D POSTROUTING -s 192.168.6.0/24 -o wg11 -j MASQUERADE

Note the -I (Insert) changing to -D (delete).

If above is correct and you disable your server can't you still enable and disable wg11 without loosing internet?
If so, before rebooting from this error state were wg11 is disabled and you have no internet could you please post the output of:

ip rule

So we can figure out what is keeping you and internet apart, and hopefully what parts that has caused this.

//Zeb

 

[paulmorabi]

Your wg11 client is currently set up to route guest network 192.168.6.x to wg11 vpn. All other will be routed through wan, as this was what you had previously requested.

《Should I enable "two way to guest"?》
- only if you need access between guest 192.168.6.x clients and lan 192.168.1.x clients. It will not have any effect on either Subnet ability to wan or vpn access. This is what you mean by 《wg11 is tied to a wifi network. Clients on it can access internal LAN but any WAN connection goes through wg11.》then yes. but you wont be able to access the router itself, as i.e. router web interface, router SSH a.s.o. for that you need additional rule in Yazfi custom config (iptables INPUT chain).

You could add more rules as you wish for wg11 like "peer wg11 rule add vpn 192.168.1.0/24 comment LAN2Vpn" IF you want all LAN clients to access internet through wg11 (but dont create the same rule for wg21).
but it sounds like you have more urgent issues:

It is problematic that you loose internet as you disable wg11. Perhaps you should disable your server until you have made your client operate properly.

Firstly are you sure wg11-up.sh and wg11-down.sh are executable?

chmod +x /jffs/addons/wireguard/Scripts/wg11-up.sh
chmod +x /jffs/addons/wireguard/Scripts/wg11-down.sh

wg11-up.sh shall contain

#!/bin/sh
#add custom config here
iptables -t nat -I POSTROUTING -s 192.168.6.0/24 -o wg11 -j MASQUERADE

wg11-down.sh shall contain

#!/bin/sh
#add custom config here
iptables -t nat -D POSTROUTING -s 192.168.6.0/24 -o wg11 -j MASQUERADE

Note the -I (Insert) changing to -D (delete).

If above is correct and you disable your server can't you still enable and disable wg11 without loosing internet?
If so, before rebooting from this error state were wg11 is disabled and you have no internet could you please post the output of:

ip rule

So we can figure out what is keeping you and internet apart, and hopefully what parts that has caused this.

//Zeb

Here's the details:

paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d# ls -lt /jffs/addons/wireguard/Scripts/wg11-up.sh
-rwxrwxrwx    1 paul     root           107 Jun 19 09:07 /jffs/addons/wireguard/Scripts/wg11-up.sh

paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d# ls -lt /jffs/addons/wireguard/Scripts/wg11-down.sh
-rwxrwxrwx    1 paul     root           107 Jun 19 09:07 /jffs/addons/wireguard/Scripts/wg11-down.sh

paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d# cat /jffs/addons/wireguard/Scripts/wg11-up.sh
#!/bin/sh

#add custom config here

iptables -t nat -I POSTROUTING -s 192.168.6.0/24 -o wg11 -j MASQUERADE

paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d# cat /jffs/addons/wireguard/Scripts/wg11-down.sh
#!/bin/sh

#add custom config here

iptables -t nat -D POSTROUTING -s 192.168.6.0/24 -o wg11 -j MASQUERADE

After stopping wg11:

paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d# ping google.com
ping: bad address 'google.com'
paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d# ip rule
0:    from all lookup local
9810:    from all fwmark 0xd2 lookup 210
32766:    from all lookup main
32767:    from all lookup default
paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d#

So if I enable two way to guess for the Wifi network, clients connecting to it (192.168.6.x) will be able to access 192.168.1.x but not the router itself (192.168.1.1) without the iptables input chain?

On "peer wg11 rule add vpn 192.168.1.0/24 comment LAN2Vpn", yes, you're correct. This is not what I want to do but rather only the clients on 192.168.6.x. The rule I have now should accommodate this:

    Selective Routing RPDB rules
ID  Peer  Interface  Source          Destination  Description
3   wg11  VPN        192.168.6.0/24  Any          Guest2VPN

Based on above, is it possible that the up and down scripts are not running?

 

[chongnt]

Here's the details:

paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d# ls -lt /jffs/addons/wireguard/Scripts/wg11-up.sh
-rwxrwxrwx    1 paul     root           107 Jun 19 09:07 /jffs/addons/wireguard/Scripts/wg11-up.sh

paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d# ls -lt /jffs/addons/wireguard/Scripts/wg11-down.sh
-rwxrwxrwx    1 paul     root           107 Jun 19 09:07 /jffs/addons/wireguard/Scripts/wg11-down.sh

paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d# cat /jffs/addons/wireguard/Scripts/wg11-up.sh
#!/bin/sh

#add custom config here

iptables -t nat -I POSTROUTING -s 192.168.6.0/24 -o wg11 -j MASQUERADE

paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d# cat /jffs/addons/wireguard/Scripts/wg11-down.sh
#!/bin/sh

#add custom config here

iptables -t nat -D POSTROUTING -s 192.168.6.0/24 -o wg11 -j MASQUERADE

After stopping wg11:

paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d# ping google.com
ping: bad address 'google.com'
paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d# ip rule
0:    from all lookup local
9810:    from all fwmark 0xd2 lookup 210
32766:    from all lookup main
32767:    from all lookup default
paul@RT-AX88U-6948:/tmp/mnt/sda1/entware/etc/wireguard.d#

So if I enable two way to guess for the Wifi network, clients connecting to it (192.168.6.x) will be able to access 192.168.1.x but not the router itself (192.168.1.1) without the iptables input chain?

On "peer wg11 rule add vpn 192.168.1.0/24 comment LAN2Vpn", yes, you're correct. This is not what I want to do but rather only the clients on 192.168.6.x. The rule I have now should accommodate this:

    Selective Routing RPDB rules
ID  Peer  Interface  Source          Destination  Description
3   wg11  VPN        192.168.6.0/24  Any          Guest2VPN

Based on above, is it possible that the up and down scripts are not running?

That looks strange that you cannot ping to google.com. From the ip rule output my first suspect is wg21. Did you configure any rule for peer wg21? Did you try shutdown wg21 from that state, wait a few seconds and see if your internet is back? If you want to rule out wg21, probably can keep wg21 shutdown while checking wg11. What is the output of

ip route show table 210

?

This is one command that I used earlier to check if I get the desired routes. Since you only have 192.168.1.x (internet access via WAN) and 192.168.6.x (internet access via VPN), you can run the command in few scenario and see how it will be routed. Say scenario 1 with both wg down, you should see both will go through your WAN. Then scenario 2 bring up wg11, scenario 3 bring wg11 down, etc.

ip rule
ip route get 8.8.8.8 from 192.168.1.2 iif eth0
ip route get 8.8.8.8 from 192.168.6.2 iif eth0

 

[ZebMcKayhan]

Based on above, is it possible that the up and down scripts are not running?

no, the up and down scripts should not have anything to do with you not being able to access internet if wg11 is disabled.

it looks like wgm shut down wg11 properly an removed all rules associated with it.

what is this line:
9810: from all fwmark 0xd2 lookup 210

where is this rule created? what is marked with 0xd2 and what does table 210 contain (as @chongnt already pointed out)?

if you delete it, can you access internet then?

ip rule del prio 9810

do you have a connection or dns problem? can you ping ip adresses? i.e. "ping 142.250.74.14" (google.com from my location).

@chongnt The up and down scripts are needed to add masquarading as the 192.168.6.x packages go out wg11. Wgm only masqarades 192.168.1.0/24 when using yazfi.

//Zeb

 

[chongnt]

@chongnt The up and down scripts are needed to add masquarading as the 192.168.6.x packages go out wg11. Wgm only masqarades 192.168.1.0/24 when using yazfi.

//Zeb

Thanks for clearing my doubt. I figured this is not related to the connectivity issue so removed it to avoid confusion.

 

[chongnt]

If you create "wg11-route-up.sh" wgm will run it after the interface is created but before the routing tables and rules are created.

If you create "wg11-up.sh" wgm will run it after all is setup (well, most anyway).

The main difference is when they are executed.
Guess the main reason would be to add custom routes before the rules kicks in.

Good luck and please report back about your results!

//Zeb

My ovpn client lasted 3 days+ before restarts. So far it seems wg peering is much more stable for NordVPN. It is just rough comparison as I am not peer to the same server, but to different servers from same VPN provider.
I got back to this. Stop unbound, edit unbound.conf, restart unbound and get to my last state that my WAN ip is shown as my DNS. Next I manually add ip rule to route 192.168.1.1 via wg11. It is finally working. WG11 VPN IP is my DNS IP now for all devices.
WG VPN server is a bit strange. If my phone wg peer dns set to 192.168.1.1 I have no access once connected. I can get access by change my phone wg dns to public dns ip to get it work. Probably need more time to figure out on this part. Revert to my last working configuration for the time being.

 

[ZebMcKayhan]

My ovpn client lasted 3 days+ before restarts. So far it seems wg peering is much more stable for NordVPN. It is just rough comparison as I am not peer to the same server, but to different servers from same VPN provider.
I got back to this. Stop unbound, edit unbound.conf, restart unbound and get to my last state that my WAN ip is shown as my DNS. Next I manually add ip rule to route 192.168.1.1 via wg11. It is finally working. WG11 VPN IP is my DNS IP now for all devices.
WG VPN server is a bit strange. If my phone wg peer dns set to 192.168.1.1 I have no access once connected. I can get access by change my phone wg dns to public dns ip to get it work. Probably need more time to figure out on this part. Revert to my last working configuration for the time being.

great news!

did you add the "pause 2" in wg11-route-up.sh? or are you trying without it. if without, check if your unbound stats in gui gets updated each hour, or check the cron job so it is there. strangely some boots were ok and some not until I added this.

do your vpn server subnet have access to contact 192.168.1.1 for DNS requests? this would need to be allowed by iptables input chain.

//Zeb

 

[chongnt]

great news!

did you add the "pause 2" in wg11-route-up.sh? or are you trying without it. if without, check if your unbound stats in gui gets updated each hour, or check the cron job so it is there. strangely some boots were ok and some not until I added this.

//Zeb

I have move wg11-up to wg11-route-up and all is working fine. I have this problem too. Sometimes certain cron job are not loaded properly. I keep a separate cronjob file, and call this in post-mount script. So far this has been working good for me. But there is a risk if any addons being updated and cronjob is changed I may missed it. I have this in my post-mount

 crontab -u admin /jffs/configs/cronjobs.add

 

[ZebMcKayhan]

WG VPN server is a bit strange. If my phone wg peer dns set to 192.168.1.1 I have no access once connected. I can get access by change my phone wg dns to public dns ip to get it work. Probably need more time to figure out on this part. Revert to my last working configuration for the time being.

Just figured it out (I think)... unbound is using 192.168.1.1. to communicate, which leads to the use of routing table 121 (or similar) which only contains routes to 192.168.1.x and wg11... you need to guide packets with destination "wg server" to a routing table which contains routes to your server (main?). similar problem as I solved with rule destination 192.168.0.0/16 to use wan. unbound gets the request from the wg server but cant answer back...

 

[paulmorabi]

no, the up and down scripts should not have anything to do with you not being able to access internet if wg11 is disabled.

it looks like wgm shut down wg11 properly an removed all rules associated with it.

what is this line:
9810: from all fwmark 0xd2 lookup 210

where is this rule created? what is marked with 0xd2 and what does table 210 contain (as @chongnt already pointed out)?

if you delete it, can you access internet then?

ip rule del prio 9810

do you have a connection or dns problem? can you ping ip adresses? i.e. "ping 142.250.74.14" (google.com from my location).

@chongnt The up and down scripts are needed to add masquarading as the 192.168.6.x packages go out wg11. Wgm only masqarades 192.168.1.0/24 when using yazfi.

//Zeb

@ZebMcKayhan @chongnt thanks again for both of your replies. Here's some more details and testing:

Here's some more details:

paul@RT-AX88U-6948:/tmp/home/root# ip route show table 210
default dev wg21 scope link

wg21 details:

E:Option ==> peer wg21


    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)


Server  Auto  Subnet        Port   Public                                        Private                                       Annotate

wg21    Y     10.50.1.1/24  51820    # RT-AX88U Server #1


    No RPDB Selective Routing rules for wg21

Before stopping wg21:

paul@RT-AX88U-6948:/tmp/home/root# ip rule

0:    from all lookup local

9810:    from all fwmark 0xd2 lookup 210

9911:    from 192.168.6.0/24 lookup 121

32766:    from all lookup main

32767:    from all lookup default

After stopping wg21:

paul@RT-AX88U-6948:/tmp/home/root# ping google.com

PING google.com (216.58.213.14): 56 data bytes

64 bytes from 216.58.213.14: seq=0 ttl=116 time=1.032 ms

64 bytes from 216.58.213.14: seq=1 ttl=116 time=1.108 ms

^C

--- google.com ping statistics ---

2 packets transmitted, 2 packets received, 0% packet loss

round-trip min/avg/max = 1.032/1.070/1.108 ms


paul@RT-AX88U-6948:/tmp/home/root# ip rule

0:    from all lookup local

9911:    from 192.168.6.0/24 lookup 121

32766:    from all lookup main

32767:    from all lookup default

After stopping wg11:

paul@RT-AX88U-6948:/tmp/home/root# ping google.com

PING google.com (216.58.213.14): 56 data bytes

64 bytes from 216.58.213.14: seq=0 ttl=116 time=1.139 ms

64 bytes from 216.58.213.14: seq=1 ttl=116 time=0.997 ms

^C

--- google.com ping statistics ---

2 packets transmitted, 2 packets received, 0% packet loss

round-trip min/avg/max = 0.997/1.068/1.139 ms


paul@RT-AX88U-6948:/tmp/home/root# ip rule

0:    from all lookup local

32766:    from all lookup main

32767:    from all lookup default

After restarting wg11 with wg21 down, I still have internet access. However, connections to the wifi network linked to wg11 have no internet. It's not only DNS as pinging the above google IP also gives "destination host unreachable".

So, there are two issues here:
* No internet access through wg11's assigned wifi network (which uses YazFi). Other than assigning the 192.168.6.x to it, I didn't change any YazFi settings in the router admin panel so everything is defaulted to "no" except the enabled radio button.
* wg21. It's creating strange rules that when it's running and wg11 is stopped, internet or at least DNS is not working. Also doesn't give 192.168.1.x or WAN access.

 

[chongnt]

@paulmorabi , a quick question. which version are you using now? Would you try update to the latest version first. The rule created by wg21 is normal. I have it as well.

E:Option ==> uf dev

 

[chongnt]

Just figured it out (I think)... unbound is using 192.168.1.1. to communicate, which leads to the use of routing table 121 (or similar) which only contains routes to 192.168.1.x and wg11... you need to guide packets with destination "wg server" to a routing table which contains routes to your server (main?). similar problem as I solved with rule destination 192.168.0.0/16 to use wan. unbound gets the request from the wg server but cant answer back...

I think you are right. Without adding the rule to route 192.168.1.1 to table 121, WAN ip is my DNS address. At this state, I can peer with my phone using dns 192.168.1.1. I can access both LAN and internet. After adding this rule, my home devices DNS become wg11 ip. But my phone after connected to wg21 cannot access 192.168.1.x and lost internet connection. I have to change phone wg dns to public dns ip to get internet access.
Anyway, I can get it works by adding the following rules in wg11-route-up. I will keep this setup.

ip rule add from 0/0 fwmark 0xd1/0xd1 lookup 121 prio 9905
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0xd1/0xd1
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0xd1/0xd1

 

[paulmorabi]

@paulmorabi , a quick question. which version are you using now? Would you try update to the latest version first. The rule created by wg21 is normal. I have it as well.

E:Option ==> uf dev

I upgraded to v4.11b8 just then. I stopped and restarted wg11 and wg21. Anything else I should do?