Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

Code:
4 wg11
does not do the same as the script above, see interfaces:
E:Option ==> 4 wg11

Requesting WireGuard VPN Peer start (wg11)

wireguard-client1: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to engage.cloudflareclient.com:2408 (# Cloudflare Warp)
wireguard-client1: Initialisation complete.


WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1 = Update Wireguard modules 7 = Display QR code for a Peer {device} e.g. iPhone
2 = Remove WireGuard/wg_manager 8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3 = List ACTIVE Peers Summary [Peer...] [full] 10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers

? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e = Exit Script [?]

E:Option ==> 5

Requesting WireGuard VPN Peer stop (wg11)


Error: no such column: subnet
Error: no such column: peer
wireguard-client1: Wireguard VPN 'client' Peer (wg11) to engage.cloudflareclient.com:2408 (# Cloudflare Warp) Terminated


WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1 = Update Wireguard modules 7 = Display QR code for a Peer {device} e.g. iPhone
2 = Remove WireGuard/wg_manager 8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3 = List ACTIVE Peers Summary [Peer...] [full] 10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers

? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e = Exit Script [?]

E:Option ==> 4 wg11

Requesting WireGuard VPN Peer start (wg11)

wireguard-client1: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to engage.cloudflareclient.com:2408 (# Cloudflare Warp)
wireguard-client1: Initialisation complete.


WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1 = Update Wireguard modules 7 = Display QR code for a Peer {device} e.g. iPhone
2 = Remove WireGuard/wg_manager 8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3 = List ACTIVE Peers Summary [Peer...] [full] 10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers

? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e = Exit Script [?]

E:Option ==> wg show

WireGuard Userspace Tool:

interface: wg11
public key: QsI4jJI25mXZMdDh3+fQIaYEVvGv1cn/xkXeql2aFUw=
private key: (hidden)
listening port: 44491

peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
endpoint: 162.159.192.1:2408
allowed ips: 0.0.0.0/0

WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1 = Update Wireguard modules 7 = Display QR code for a Peer {device} e.g. iPhone
2 = Remove WireGuard/wg_manager 8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3 = List ACTIVE Peers Summary [Peer...] [full] 10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers

? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e = Exit Script [?]

E:Option ==> wg show interfaces

WireGuard Userspace Tool:

wg11

WireGuard ACTIVE Peer Status: Clients 0, Servers 0
I've uploaded wg_manager Beta v4.05

What does the following show?
e = Exit Script [?]

E:Option ==> wg
 
Thank you for your patience.

I did uf, then 4 wg11

Output of wg
E:Option ==> wg

WireGuard Userspace Tool:

interface: wg11
public key: QsI4jJI25mXZMdDh3+fQIaYEVvGv1cn/xkXeql2aFUw=
private key: (hidden)
listening port: 44451

peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
endpoint: 162.159.192.1:2408
allowed ips: 0.0.0.0/0
latest handshake: Now
transfer: 912 B received, 1.02 KiB sent

WireGuard ACTIVE Peer Status: Clients 1, Servers 0
It's running, but most websites won't load.
I can ping 1.1.1.1, 9.9.9.9, 8.8.8.8, but it seems, I cannot resolve names.
 
Thank you for your patience.

I did uf, but it still shows v4.04 WireGuard Session Manager
E:Option ==> uf

v4.04 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/main/wg_manager.sh)
MD5=f54b6a584b20261b43d7d8c21d1ac6ef /jffs/addons/wireguard/wg_manager.sh

wireguard: WireGuard 1.0.20210219 loaded. See www.wireguard.com for information.
wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

[✔] WireGuard Module is LOADED

MD5=07a24a0efa926b3ad2c564d18b12312f wireguard-kernel_1.0.20210219-k27_aarch64-3.10.ipk
MD5=d7fdc2f1a770856a66c2c677ecb64d1b wireguard-tools_1.0.20210223-1_aarch64-3.10.ipk
Checking for WireGuard Kernel and Userspace Tool updates...

WireGuard Kernel and Userspace Tool up to date.


Forced Update

Downloading scripts
wg_manager.sh downloaded successfully
wg_client downloaded successfully
wg_server downloaded successfully
UDP_Updater.sh downloaded successfully


WireGuard ACTIVE Peer Status: Clients 0, Servers 0

Edit:
In menu, it shows v4.05, all OK!

Here is the output of 4 wg11, wg show and wg show interfaces.
E:Option ==> 4 wg11

Requesting WireGuard VPN Peer start (wg11)

wireguard-client1: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to engage.cloudflareclient.com:2408 (# Cloudflare Warp)
wireguard-client1: Initialisation complete.


WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1 = Update Wireguard modules 7 = Display QR code for a Peer {device} e.g. iPhone
2 = Remove WireGuard/wg_manager 8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3 = List ACTIVE Peers Summary [Peer...] [full] 10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers

? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e = Exit Script [?]

E:Option ==> wg show

WireGuard Userspace Tool:

interface: wg11
public key: QsI4jJI25mXZMdDh3+fQIaYEVvGv1cn/xkXeql2aFUw=
private key: (hidden)
listening port: 50929

peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
endpoint: 162.159.192.1:2408
allowed ips: 0.0.0.0/0

WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1 = Update Wireguard modules 7 = Display QR code for a Peer {device} e.g. iPhone
2 = Remove WireGuard/wg_manager 8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3 = List ACTIVE Peers Summary [Peer...] [full] 10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers

? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e = Exit Script [?]

E:Option ==> wg show interfaces

WireGuard Userspace Tool:

wg11

WireGuard ACTIVE Peer Status: Clients 0, Servers 0
Try exiting wg_manager then restart it
Code:
e  = Exit Script [?]

E:Option ==> e

wgm

Does wg11 show the correct endpoint / handshakes ?

Code:
e  = Exit Script [?]

E:Option ==> wg show wg11 endpoints

    WireGuard Userspace Tool:
Code:
e  = Exit Script [?]

E:Option ==> wg show wg11 latest-handshakes

    WireGuard Userspace Tool:
 
I stopped the client with 5, then uf, then 4 wg11.
This is the output of wg show wg11 endpoints and wg show wg11 latest-handshakes
E:Option ==> wg show wg11 endpoints

WireGuard Userspace Tool:

bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo= 162.159.192.1:2408

WireGuard ACTIVE Peer Status: Clients 1, Servers 0



1 = Update Wireguard modules 7 = Display QR code for a Peer {device} e.g. iPhone
2 = Remove WireGuard/wg_manager 8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3 = List ACTIVE Peers Summary [Peer...] [full] 10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers

? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e = Exit Script [?]

E:Option ==> wg show wg11 latest-handshakes

WireGuard Userspace Tool:

bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo= 1616936197

WireGuard ACTIVE Peer Status: Clients 1, Servers 0
I can ping 1.1.1.1 but cannot ping 9.9.9.9 and 8.8.8.8.
It seems, I cannot resolve domain names.

Output of wg
E:Option ==> wg

WireGuard Userspace Tool:

interface: wg11
public key: QsI4jJI25mXZMdDh3+fQIaYEVvGv1cn/xkXeql2aFUw=
private key: (hidden)
listening port: 44882

peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
endpoint: 162.159.192.1:2408
allowed ips: 0.0.0.0/0
latest handshake: 5 seconds ago
transfer: 9.21 KiB received, 46.86 KiB sent

WireGuard ACTIVE Peer Status: Clients 1, Servers 0
 
So hopefully the correct status is now shown using
Code:
e  = Exit Script [?]

E:Option ==> 3
 
Ok, I did 5, then uf, 4 wg11, 3
E:Option ==> 5

Requesting WireGuard VPN Peer stop (wg11)


wireguard-client1: Wireguard VPN 'client' Peer (wg11) to engage.cloudflareclient.com:2408 (# Cloudflare Warp) Terminated


WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1 = Update Wireguard modules 7 = Display QR code for a Peer {device} e.g. iPhone
2 = Remove WireGuard/wg_manager 8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3 = List ACTIVE Peers Summary [Peer...] [full] 10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers

? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e = Exit Script [?]

E:Option ==> uf

v4.05 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/main/wg_manager.sh)
MD5=f54b6a584b20261b43d7d8c21d1ac6ef /jffs/addons/wireguard/wg_manager.sh

wireguard: WireGuard 1.0.20210219 loaded. See www.wireguard.com for information.
wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

[✔] WireGuard Module is LOADED

MD5=07a24a0efa926b3ad2c564d18b12312f wireguard-kernel_1.0.20210219-k27_aarch64-3.10.ipk
MD5=d7fdc2f1a770856a66c2c677ecb64d1b wireguard-tools_1.0.20210223-1_aarch64-3.10.ipk
Checking for WireGuard Kernel and Userspace Tool updates...

WireGuard Kernel and Userspace Tool up to date.


Forced Update

Downloading scripts
wg_manager.sh downloaded successfully
wg_client downloaded successfully
wg_server downloaded successfully
UDP_Updater.sh downloaded successfully


WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1 = Update Wireguard modules 7 = Display QR code for a Peer {device} e.g. iPhone
2 = Remove WireGuard/wg_manager 8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3 = List ACTIVE Peers Summary [Peer...] [full] 10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers

? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e = Exit Script [?]

E:Option ==> 4 wg11

Requesting WireGuard VPN Peer start (wg11)

wireguard-client1: Initialising Wireguard VPN 'client' Peer (wg11) to engage.cloudflareclient.com:2408 (# Cloudflare Warp)
wireguard-client1: Initialisation complete.


WireGuard ACTIVE Peer Status: Clients 1, Servers 0



1 = Update Wireguard modules 7 = Display QR code for a Peer {device} e.g. iPhone
2 = Remove WireGuard/wg_manager 8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3 = List ACTIVE Peers Summary [Peer...] [full] 10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers

? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e = Exit Script [?]

E:Option ==> 3

WireGuard VPN Peer Status

interface: wg11 engage.cloudflareclient.com:2408 172.16.0.2/32 # Cloudflare Warp
peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
latest handshake: 15 seconds ago
transfer: 3.10 KiB received, 3.43 KiB sent 0 Days, 00:00:17 from 2021-03-28 15:34:20 >>>>>>

WireGuard ACTIVE Peer Status: Clients 1, Servers 0
I can ping 1.1.1.1, 9.9.9.9, 8.8.8.8, but I cannot resolve domain names.
 
So 3 - List appears to finally :rolleyes: correctly identify and track the 'client' Peer UP time and log the traffic stats every hour etc.

Embarrassed to understand why your particular setup/config has caused so many frustrating issues.

I'll take a break now.

Many thanks for persevering with the script, but DNS issues DoT,DoH/leaks/x3mRouting etc. when using OpenVPN clients are notoriously complex, and at the moment I'm simply concentrating on the script's management functionality.

I'm sure someone will chime in to assist with WireGuard DNS issues, but I'd check what you have in /etc/resolv.conf is appropriate etc.
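
A way to split that check into two layers, as an added example that is not part of the original post or of wg_manager: decide from `wg show wg11 latest-handshakes` whether the tunnel has a live session, then list the resolvers from `/etc/resolv.conf` to test next. The function names and the "current time" are constructed for illustration; the 180-second limit is WireGuard's session expiry.

```shell
#!/bin/sh
# Added example (not wg_manager code): tell "no live session" apart from
# "session is live, look at DNS next". Sample inputs are constructed in the
# shape of the outputs quoted in this thread.

STALE_AFTER=180  # WireGuard expires a session 180 s after its handshake

# handshake_state EPOCH NOW -> never | fresh | stale
# "stale" means no current session; on an idle tunnel without
# PersistentKeepalive that is normal until traffic is sent.
handshake_state() {
    if [ "$1" -eq 0 ]; then
        echo never
    elif [ $(($2 - $1)) -le "$STALE_AFTER" ]; then
        echo fresh
    else
        echo stale
    fi
}

# peer_states NOW   (stdin: output of `wg show IFACE latest-handshakes`)
# Prints "<public-key> <state> <age-seconds>" per peer. Lines whose second
# field is not a number (the wg_manager banner and status lines) are skipped.
peer_states() {
    now=$1
    while read -r key epoch; do
        case "$epoch" in ''|*[!0-9]*) continue ;; esac
        state=$(handshake_state "$epoch" "$now")
        if [ "$state" = never ]; then age=-; else age=$((now - epoch)); fi
        echo "$key $state $age"
    done
}

# tunnel_verdict NOW   (stdin as above) -> up if any peer is fresh, else down
tunnel_verdict() {
    if peer_states "$1" | grep -q ' fresh '; then echo up; else echo down; fi
}

# nameservers   (stdin: contents of resolv.conf)
# Prints "<address> loopback|remote" for each nameserver line.
nameservers() {
    while read -r kw addr rest; do
        [ "$kw" = nameserver ] || continue
        case "$addr" in
            127.*|::1) echo "$addr loopback" ;;
            *)         echo "$addr remote" ;;
        esac
    done
}

# Constructed samples: the handshake epoch and resolv.conf lines quoted in the thread.
sample_handshakes() {
    printf 'WireGuard Userspace Tool:\n\n%s\t%s\n' \
        'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=' 1616936197
}
sample_resolv() {
    printf 'nameserver 1.1.1.1\nnameserver 1.0.0.1\nnameserver 127.0.1.1\n'
}

NOW=1616936202   # constructed "current time", 5 s after the handshake
if [ "$(sample_handshakes | tunnel_verdict "$NOW")" = up ]; then
    echo "wg session is live; resolvers to test next:"
    sample_resolv | nameservers
fi
```

On the router, feed the functions from `wg show wg11 latest-handshakes`, `date +%s` and `/etc/resolv.conf` instead of the samples.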
 
Thank you for your patience with my config.
Now hoping someone can give tips on how to resolve DNS with Cloudflare WARP.
This is in my resolv.conf
Code:
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 127.0.1.1
 
No need for WARP: we have the technology. Include the adblocking of either diversion OR unbound, plus the Firewalling capabilities of SkyNet, and you'll be pleasantly surprised how private you can be while online, at home and on the move.
Please consider:
DDNS, unbound and this WireGuard will essentially make YOUR ROUTER a private, tailor-made, as fast as (or faster than) CloudFlare DNS.


#ThisIsTheWay
 
Thanks to @Odkrys, WireGuard as an alternative to established VPN tunnel protocols OpenVPN and IPSec has been available on some specific ASUS Routers for a while, although the instructions posted by the OP



are quite straight forward with only a few steps, they only provide static information for either a single 'client' Peer or 'server' (or both) and managing more than one concurrent Peer (either a 'client' or 'server') is more complex hence this script.

As with any Beta, this script shouldn't be deployed in mission critical environments in case it does cause undue disruption but hopefully this script can be easily quickly removed if it happens to do so.

Whilst I have used different names for the support scripts, I have currently chosen S50wireguard but any existing /opt/etc/init.d/S50wireguard script will be backed up during the install.

Once the script is running, existing interfaces 'wg0/wg1' should validly remain as-is, as my script uses interface names 'wg11'-'wg15' for 'client' Peers and 'wg21'-'wg22' for the two 'server' Peers.

Seven interfaces should be adequate, although more could/can easily be defined.

The script is based on my use of using Mullvad's WireGuard servers for remote 'client' Peer connections - so if you don't have access to a remote WireGuard server then this script is pointless in terms of outbound WireGuard connections.

However, the script does set up a WireGuard 'server' Peer on the router and the script can be used to assist with basic auto-definition of say mobile devices to allow remote Peer inbound connections.

Very basic rules are added, but RPDB Routing Policy rules can be manually applied in much the same way as OpenVPN rules are currently used.

Hopefully this script may open the door a little wider for those that need performance (albeit with the caveat/numerous posts that WireGuard may not yet be fully ratified from a security view point) although it largely depends on how the comparison is made between OpenVPN and WireGuard throughput so YMMV.

i.e. Is WireGuard measurably say 3 X faster than OpenVPN?

In summary, the point of this initial Beta is to assist in managing existing/multiple WireGuard interfaces, and isn't intended as a tutorial on how to exploit WireGuard etc.

WireGuard session Manager

Regards,
Does this support a full ipv6 tunnel?
 
Do the WireGuard modules supplied by @Odkrys support IPv6?

Since I have no access to IPv6 the initial short answer is NO, but I have paid lip-service to IPv6 but the script by and large only checks to strip IPv6 stuff if IPv6 isn't enabled.

i.e. if you have IPv6 enabled and already manually installed WireGuard, when creating the Road-Warrior 'device' Peer the Github main branch script does add this to the Peer to the Allowed IPs:
Code:
[ "$USE_IPV6" == "Y" ] && IPV6=", ::/0"


However, if you wish to test IPv6, I have uploaded to the Github dev branch


a crude IPv6 version for creating/testing an IPv6 'server' Peer for an IPv6 Road-Warrior 'device' Peer (it may be borked who knows!)

e.g. Normally a new 'server' Peer is created as IPv4
Code:
e  = Exit Script [?]

E:Option ==> peer new

    *** Ensure Upstream router Port Foward entry for port:11503 ***

    Press y to Create 'server' Peer (wg23) 10.50.3.1/24:11503 or press [Enter] to SKIP.
but you can try
Code:
e  = Exit Script [?]

E:Option ==> peer new ipv6

    *** Ensure Upstream router Port Foward entry for port:11503 ***

    Press y to Create (IPv6) 'server' Peer (wg23) fc00:50:3::1/64:11503 or press [Enter] to SKIP.
y
    Creating WireGuard Private/Public key-pair for (IPv6) 'server' Peer wg23 on RT-AC86U (v386.2)
    Press y to Start (IPv6) 'server' Peer (wg23) or press [Enter] to SKIP.
y

    Requesting WireGuard VPN Peer start (wg23)

    wireguard-server3: Initialising Wireguard VPN (IPv6) 'Server' Peer (wg23) on 10.88.8.1:11503 (# RT-AC86U (IPv6) Server 3)
    wireguard-server3: Initialisation complete.


    interface: wg23     Port:11503             VPN Tunnel Network    # RT-AC86U (IPv6) Server 3

     WireGuard ACTIVE Peer Status: Clients 0, Servers 1
Code:
e  = Exit Script [?]

E:Option ==> peer wg23

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Server  Auto  Subnet           Port   Public                                        Private                                       Annotate
wg23    N     fc00:50:3::1/64  11503  AGc+n42YCNDdDY/eA7ZchreaeW5cfEYvz3DEwyrW0Hw=  ++c1n42XDNCdDYDe&ZAchreaeW5cfEYvxxxwVrW0Hw=  # RT-AC86U (IPv6) Server 3

Now create a Road-Warrior 'device' Peer and attach it to the new IPv6 'server' Peer
Code:
e  = Exit Script [?]

E:Option ==> 9 MyIPv6Phone wg23

    Creating Wireguard Private/Public key pair for device 'MyIPv6Phone'
    Device 'MyIPv6Phone' Public key=yhhpomh0OWTEBcCQzGXdsYjmFy85otcHXoX/a0j+yTE=

    Using Public key for 'server' Peer 'wg23'


    WireGuard config for Peer device 'MyIPv6Phone' created (Allowed IP's 0.0.0.0/0, ::/0 # ALL Traffic)

    Press y to Display QR Code for Scanning into WireGuard App on device 'MyIPv6Phone' or press [Enter] to SKIP.
y

<QR code here>

    Press y to ADD device 'MyIPv6Phone' to 'server' Peer (wg23) or press [Enter] to SKIP.
y

    Adding device Peer 'MyIPv6Phone' fc00:50:3::2/128 to RT-AC86U 'server' (wg23) and WireGuard config


    WireGuard 'server' Peer needs to be restarted to listen for 'client' Peer MyIPv6Phone "Device"
    Press y to restart 'server' Peer (wg23) or press [Enter] to SKIP.
y

    Requesting WireGuard VPN Peer restart (wg23)

    Restarting Wireguard 'server' Peer (wg23)
    wireguard-server3: Wireguard VPN '' Peer (wg23) on 10.88.8.1:11503 (# RT-AC86U (IPv6) Server 3) Terminated

    wireguard-server3: Initialising Wireguard VPN (IPv6) 'Server' Peer (wg23) on 10.88.8.1:11503 (# RT-AC86U (IPv6) Server 3)
    wireguard-server3: Initialisation complete.


    interface: wg23     Port:11503                             VPN Tunnel Network      # RT-AC86U (IPv6) Server 3
        peer: yhhpomh0OWTEBcCQzGXdsYjmFy85otcHXoX/a0j+yTE=     fc00:50:3::2/128        # MyIPv6Phone "Device"

     WireGuard ACTIVE Peer Status: Clients 0, Servers 1
 
@Martineau, over the past few days I replaced 2 of my 4 ovpn clients with wireguard. Things are looking well, thank you.

One observation is that when choosing policy mode as (client peer) auto start the RPDB rules are not added to the 'policy' table in the database (i.e. there is nothing under 'peer' and 'rules' in the table for that interface.)
Code:
E:Option ==> peer wg13 auto=p

        [✔] Updated AUTO=P:


        Enter RPDB Selective Routing rules e.g. <Router>192.168.1.0/24>>VPN<LAN>192.168.1.1>>WAN or hit ENTER to skip
<D4P>192.168.2.198>>VPN

        [✔] Updated RPDB Selective Routing rules for wg13
At this point although in policy mode, for lack of interface entries in the 'policy' table, all the network traffic is routed through the respective wg interface. If I manually add the D4P client information (as above) to the database it all works as expected.
So the question here is whether to enable policy mode without forcing all the traffic through the tunnel if no rule exists at the moment? However, the route would be there for selective routing to be configured any time. That would be more like the ovpn clients work now.
For what I need I found that adding a dummy client to the RPDB rules with a valid but unused IP will make things alright (as shown above.)

Another topic - I'm using the wg-route-up/down for the client peer selective routing and that works well. My question is if there is a way (or you're planning for it) to achieve that level of selective routing by using option 10 (or something else) in the interface.

What works for me now - one example is wg11-route-up:
Code:
iptables -t mangle -D PREROUTING -i br0 -m set --match-set SkyS dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set SkyS dst -j MARK --set-mark 0x1000/0x1000
ip rule del from 0/0 fwmark 0x1000/0x1000 table 121 prio 9890 2>/dev/null
ip rule add from 0/0 fwmark 0x1000/0x1000 table 121 prio 9890

...but that's on a case-by-case basis and manually editing the files...

All in all very nice progress... My observation is that the wireguard clients provide a 20-30% (at least) bandwidth increase over ovpn. Most times of the day I connect at or above ISP provided bandwidth to North America and Europe.
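
The rule string entered above, `<D4P>192.168.2.198>>VPN`, parsed and turned into `ip rule` commands as a dry run; this is an added example, not part of the original post or of wg_manager. The table number 12N for wg1N follows the post's table 121 for wg11, and the priority values and function names are hypothetical; the function returns 2 when no rule selects the VPN, which is the state the post describes.

```shell
#!/bin/sh
# Added example (not wg_manager code): dry-run an RPDB rule string of the form
# <name>source>destination>VPN|WAN into `ip rule` commands.
# Assumptions: table 12N for interface wg1N (the post shows table 121 for
# wg11); both priority bases are hypothetical.

WAN_PRIO=9700   # hypothetical: WAN exemptions are evaluated first, so a
VPN_PRIO=9800   # single-host exception wins over a subnet-wide VPN rule

# Accept only characters that can occur in an IPv4 address or CIDR, so a rule
# field can never carry shell or `ip` syntax into the generated command.
is_ipv4ish() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
        *) return 0 ;;
    esac
}

# rpdb_to_iprules IFACE RULES
# Prints one `ip rule add ...` line per rule (nothing is executed).
# Returns 0 if at least one rule selects the VPN, 2 if none does,
# 1 on malformed input.
rpdb_to_iprules() {
    iface=$1
    case "$iface" in
        wg1[1-5]) table="12${iface#wg1}" ;;
        *) echo "unsupported interface: $iface" >&2; return 1 ;;
    esac

    # One record per line: every '<' starts a new rule.
    records=$(printf '%s\n' "$2" | tr '<' '\n')
    vpn=0
    n=0
    while IFS='>' read -r name src dst target; do
        [ -n "$name" ] || continue          # text before the first '<'
        sel=
        for pair in "from:$src" "to:$dst"; do
            val=${pair#*:}
            [ -n "$val" ] || continue       # empty field means "any"
            is_ipv4ish "$val" || {
                echo "rule '$name': bad address '$val'" >&2
                return 1
            }
            sel="${sel:+$sel }${pair%%:*} $val"
        done
        [ -n "$sel" ] || {
            echo "rule '$name': no source or destination" >&2
            return 1
        }
        case "$target" in
            VPN) echo "ip rule add $sel table $table prio $((VPN_PRIO + n))"
                 vpn=$((vpn + 1)) ;;
            WAN) echo "ip rule add $sel table main prio $((WAN_PRIO + n))" ;;
            *)   echo "rule '$name': unknown target '$target'" >&2
                 return 1 ;;
        esac
        n=$((n + 1))
    done <<EOF
$records
EOF

    [ "$vpn" -gt 0 ] && return 0
    echo "$iface: policy mode requested but no rule selects the VPN" >&2
    return 2
}

# The rule from the post, for wg13.
rpdb_to_iprules wg13 '<D4P>192.168.2.198>>VPN'
```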
 
Hi, I'm the one with the Cloudflare WARP profile. I cannot get it to work properly.
Anyhow, I sometimes see these entries in syslog, maybe someone knows what this is:
Code:
Mar 30 17:25:38 kernel: ^[[0;33;41mBLOG ERROR blog_request :blog_key corruption when deleting flowfor net_p=ffffffc012ec4758
 
See @RMerlin's reply to a (very) similar issue:

I remember that in some cases the culprit was connectivity to another device on the network - the issue is finding which one...

Re Cloudflare Warp - list all the scripts you are running and the latest issues you encounter.
 
Hi
I'm running Diversion, Skynet and connmon.
I can import the warp.conf into WireGuard Manager and start the peer. I also see handshakes and some ...kb running over, but all/most websites won't load.
I can ping 1.1.1.1, 8.8.8.8 and 9.9.9.9.
I think my router cannot resolve domain names any more.
Websites like facebook.com, reddit.com or speedtest.net (and many more) won't load. Oddly, snbforums is loading.
Starting a music stream (e.g. http://94.23.51.96:8010/) in Winamp shows "ICY 200 OK" instead of "buffering" and then playing the stream.
My router has 192.168.1.1.
DNS Filter, Global Filter Mode is set to "Router".

I remember exactly this behaviour, when I was testing the very early Cloudflare WARP Windows client. Later the client was updated and the problem was gone.
I suspect a problem inside wireguard (kernel) itself.

To get a Cloudflare WARP config, just register and generate a config with wgcf.
This is my WARP conf.
Code:
# Cloudflare Warp
[Interface]
PrivateKey = hidden
Address = 172.16.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0
Endpoint = engage.cloudflareclient.com:2408
 
Last edited:
@Martineau, over the past few days I replaced 2 of my 4 ovpn clients with wireguard. Things are looking well, thank you.

One observation is that when choosing policy mode as (client peer) auto start the RPDB rules are not added to the 'policy' table in the database (i.e. there is nothing under 'peer' and 'rules' in the table for that interface.)
Code:
E:Option ==> peer wg13 auto=p

        [✔] Updated AUTO=P:


        Enter RPDB Selective Routing rules e.g. <Router>192.168.1.0/24>>VPN<LAN>192.168.1.1>>WAN or hit ENTER to skip
<D4P>192.168.2.198>>VPN

        [✔] Updated RPDB Selective Routing rules for wg13
At this point although in policy mode, for lack of interface entries in the 'policy' table, all the network traffic is routed through the respective wg interface. If I manually add the D4P client information (as above) to the database it all works as expected.
So the question here is whether to enable policy mode without forcing all the traffic through the tunnel if no rule exists at the moment? However, the route would be there for selective routing to be configured any time. That would be more like the ovpn clients work now.
For what I need I found that adding a dummy client to the RPDB rules with a valid but unused IP will make things alright (as shown above.)

Another topic - I'm using the wg-route-up/down for the client peer selective routing and that works well. My question is if there is a way (or you're planning for it) to achieve that level of selective routing by using option 10 (or something else) in the interface.

What works for me now - one example is wg11-route-up:
Code:
iptables -t mangle -D PREROUTING -i br0 -m set --match-set SkyS dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set SkyS dst -j MARK --set-mark 0x1000/0x1000
ip rule del from 0/0 fwmark 0x1000/0x1000 table 121 prio 9890 2>/dev/null
ip rule add from 0/0 fwmark 0x1000/0x1000 table 121 prio 9890

...but that's on a case-by-case basis and manually editing the files...

All in all very nice progress... My observation is that the wireguard clients provide a 20-30% (at least) bandwidth increase over ovpn. Most times of the day I connect at or above ISP provided bandwidth to North America and Europe.
According to post #110 beta 4 should support ipsets, some more info in post #126.
Ipsets could be added, and by setting different marks for different ipsets you can select which interface/routing table they should use.
Don't know if you can specify source interface though.

/Zeb
 
Not sure if I understand what you are requesting?

i.e. you can assign an IPSET (default dst) for Selective Routing via a 'client' Peer...
Code:
e  = Exit Script [?]

E:Option ==> peer wg13 add ipset Netflix


    [✔] Ipset 'Netflix' Selective Routing added wg13

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP               Endpoint             DNS             Public                                        Private                                       Annotate
wg13    P     10.66.146.14/32  103.231.88.18:51820  193.138.218.74  D2ltFd7TbpYNq9PejAeGwlaJ2bEFLqOSYywdY9N5xCY=  ABC+dD40ozIv7rGo8//3Vjglr!elsjY3yD4BT999JSl0=  # Mullvad Oz, Melbourne

    No RPDB Selective Routing rules for wg13


IPSet    Enable  Peer  FWMark  DST/SRC
Netflix  Y       wg13  0x4000  dst
but the contents of the Event files are expected to be managed externally and not from within wgm unless you are suggesting a vx shortcut to edit the event scripts?

The concept of source Selective Routing is not native to WireGuard, so if you have a Peer with Policy rules
Code:
e  = Exit Script [?]

E:Option ==> peer wg13

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP               Endpoint             DNS             Public                                        Private                                       Annotate
wg13    P     10.66.146.14/32  103.231.88.18:51820  193.138.218.74  D2ltFd7TbpYNq9PejAeGwlaJ2bEFLqOSYywdY9N5xCY=  ABC+dD40ozIv7rGo8//3Vjglr!elsjY3yD4BT999JSl0=  # Mullvad Oz, Melbourne

    Selective Routing RPDB rules
ID  Peer  Interface  Source         Destination    Description
4   wg13  VPN        172.168.1.55   Any            Road Warrior
3   wg13  WAN        172.168.1.123  Any            Email Server
2   wg13  WAN        Any            9.9.9.9        Quad9 DNS
1   wg13  VPN        172.16.1.0/24  Any            All LAN

IPSet    Enable  Peer  FWMark  DST/SRC
Netflix  Y       wg13  0x4000  dst

     WireGuard ACTIVE Peer Status: Clients 0, Servers 0
and you decide to explicitly switch Auto=P to Auto=N, then the 'client' Peer config invariably contains 'AllowedIPs = 0.0.0.0/0, ::/0' just like any non-Policy 'client' Peer; subsequently, if you elect to start it, it will indeed become the default 'client' Peer routing ALL traffic.

although there is a warning....
Code:
e  = Exit Script [?]

E:Option ==> start wg13

    Requesting WireGuard VPN Peer start (wg13)

    Warning: WireGuard 'client' Peer (wg13) defined as Policy mode but no RPDB Selective Routing rules found?

    wireguard-client3: Initialising Wireguard VPN 'client' Peer (wg13) to 103.231.88.18:51820 (# Mullvad Oz, Melbourne) DNS=193.138.218.74
    wireguard-client3: Initialisation complete.

EDIT: Perhaps it is prudent to prevent setting Auto=P if there are no Policy rules defined for the 'client' Peer?
e.g.
Code:
e  = Exit Script [?]

E:Option ==> peer wg12 auto=p

    ***ERROR No Policy rules exist for wg12 (use 'peer wg12 rule add' command first)
although it is very convenient to be able to quickly temporarily establish the now converted non-Policy Peer connection for say immediate testing?


NOTE: I have rewritten the clunky Selective Routing RPDB rule management method, and no longer use the esoteric typo-vulnerable method.

e.g.
Code:
e  = Exit Script [?]

E:Option ==> peer wg13

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP               Endpoint             DNS             Public                                        Private                                       Annotate
wg13    P     10.66.146.14/32  103.231.88.18:51820  193.138.218.74  D2ltFd7TbpYNq9PejAeGwlaJ2bEFLqOSYywdY9N5xCY=  ABC+dD40ozIv7rGo8//3Vjglr!elsjY3yD4BT999JSl0=  # Mullvad Oz, Melbourne

    Selective Routing RPDB rules
ID  Peer  Interface  Source         Destination    Description
4   wg13  VPN        172.168.1.55   Any            Road Warrior
3   wg13  WAN        172.168.1.123  Any            Email Server
2   wg13  WAN        Any            9.9.9.9        Quad9 DNS
1   wg13  VPN        172.16.1.0/24  Any            All LAN

IPSet    Enable  Peer  FWMark  DST/SRC
Netflix  Y       wg13  0x4000  dst

     WireGuard ACTIVE Peer Status: Clients 0, Servers 0
Code:
e  = Exit Script [?]

E:Option ==> peer wg13 rule add 172.16.1.88 52.97.133.162 comment smtp.office365.com

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP               Endpoint             DNS             Public                                        Private                                       Annotate
wg13    P     10.66.146.14/32  103.231.88.18:51820  193.138.218.74  D2ltFd7TbpYNq9PejAeGwlaJ2bEFLqOSYywdY9N5xCY=  ABC+dD40ozIv7rGo8//3Vjglr!elsjY3yD4BT999JSl0=  # Mullvad Oz, Melbourne

    Selective Routing RPDB rules
ID  Peer  Interface  Source         Destination    Description
5   wg13  VPN        172.16.1.88    52.97.133.162  smtp.office365.com
4   wg13  VPN        172.168.1.55   Any            Road Warrior
3   wg13  WAN        172.168.1.123  Any            Email Server
2   wg13  WAN        Any            9.9.9.9        Quad9 DNS
1   wg13  VPN        172.16.1.0/24  Any            All LAN

IPSet    Enable  Peer  FWMark  DST/SRC
Netflix  Y       wg13  0x4000  dst

     WireGuard ACTIVE Peer Status: Clients 0, Servers 0
Code:
E:Option ==> peer wg13 rule del 2

    [✔] Deleted RPDB Selective Routing rule for wg13


    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP               Endpoint             DNS             Public                                        Private                                       Annotate
wg13    P     10.66.146.14/32  103.231.88.18:51820  193.138.218.74  D2ltFd7TbpYNq9PejAeGwlaJ2bEFLqOSYywdY9N5xCY=  ABC+dD40ozIv7rGo8//3Vjglr!elsjY3yD4BT999JSl0=  # Mullvad Oz, Melbourne

    Selective Routing RPDB rules
ID  Peer  Interface  Source         Destination    Description
5   wg13  VPN        172.16.1.88    52.97.133.162  smtp.office365.com
4   wg13  VPN        172.168.1.55   Any            Road Warrior
3   wg13  WAN        172.168.1.123  Any            Email Server
1   wg13  VPN        172.16.1.0/24  Any            All LAN

IPSet    Enable  Peer  FWMark  DST/SRC
Netflix  Y       wg13  0x4000  dst
Code:
e  = Exit Script [?]

E:Option ==> peer wg13 rules del all

    Do you want to DELETE ALL Selective Routing RPDB rules for wg13?
    Press y to CONFIRM or press [Enter] to SKIP.
y

    [✔] Deleted ALL RPDB Selective Routing rules for wg13


    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP               Endpoint             DNS             Public                                        Private                                       Annotate
wg13    P     10.66.146.14/32  103.231.88.18:51820  193.138.218.74  D2ltFd7TbpYNq9PejAeGwlaJ2bEFLqOSYywdY9N5xCY=  ABC+dD40ozIv7rGo8//3Vjglr!elsjY3yD4BT999JSl0=  # Mullvad Oz, Melbourne

    No RPDB Selective Routing rules for wg13


IPSet    Enable  Peer  FWMark  DST/SRC
Netflix  Y       wg13  0x4000  dst
 
Edit5:
I also cannot reach my LTU Pro at 172.16.xxx.x
It may as well be that the resolution issues you're seeing are related to that device at 172.16.xxx.x. You're on a 192.168.1.0/24 network and you may have a route set up to the other subnet.
Now the Cloudflare Warp has in its configuration the subnet 172.16.0.2/32.
Look closer how you get to that device when Cloudflare is not part of the picture. Once you start Cloudflare you may have a conflict there.
 
@Torson
Yes, this might be the solution to my problem!
I remember now, when "do not use WARP for local network devices" was introduced in the Windows WARP beta client, the problem was gone.
Maybe @Martineau is able to introduce a "switch" to "bypass VPN for local devices/IP ranges/local network connectivity".
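
The overlap discussed in the last two posts, and the requested "bypass VPN for local ranges" behaviour, can be checked offline. This is an added example, not code from the thread or from wg_manager: the function names and `LOCAL_NETS` are assumptions, and 172.16.0.0/12 stands in for the masked 172.16.xxx.x address. It reports which local ranges the posted profile pulls into the tunnel and computes an `AllowedIPs` list with those ranges carved out.

```python
from ipaddress import collapse_addresses, ip_interface, ip_network

# Constructed sample: the address lines of the WARP profile posted in the thread.
WARP_CONF = """\
[Interface]
Address = 172.16.0.2/32
[Peer]
AllowedIPs = 0.0.0.0/0
"""
# Assumed local ranges; 172.16.0.0/12 stands in for the masked 172.16.xxx.x.
LOCAL_NETS = ["192.168.1.0/24", "172.16.0.0/12"]

def parse_conf(text):
    """Return {section: {key: [values]}} for a wg-quick style config."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section.setdefault(key.strip().lower(), []).extend(
                v.strip() for v in value.split(",") if v.strip())
    return conf

def bypass_allowed_ips(allowed, local_nets):
    """Carve each local net out of AllowedIPs; nets inside one are dropped."""
    result = list(allowed)
    for local in local_nets:
        kept = []
        for net in result:
            if not net.overlaps(local):
                kept.append(net)                         # unrelated: keep
            elif local.subnet_of(net) and local != net:
                kept.extend(net.address_exclude(local))  # cut the hole
        result = kept
    return sorted(collapse_addresses(result))            # one address family

def audit(text, local_nets=LOCAL_NETS):
    """Report how the profile's addresses interact with the local networks."""
    conf = parse_conf(text)
    local = [ip_network(n) for n in local_nets]
    allowed = [ip_network(a, strict=False) for a in conf["peer"]["allowedips"]]
    tunnel = [ip_interface(a) for a in conf["interface"]["address"]]
    inside = [str(t) for t in tunnel if any(t.ip in n for n in local)]
    captured = [str(n) for n in local if any(n.overlaps(a) for a in allowed)]
    bypass = [str(n) for n in bypass_allowed_ips(allowed, local)]
    return {"tunnel_addr_in_local": inside, "captured_local": captured,
            "bypass_allowed_ips": bypass}
```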
