Wireguard Wireguard Client Help

sammyano

Senior Member
Hello guys, I was hoping someone could help me out here. I followed the steps to install WG via amtm after installing Entware.
Device is RT-AC86U running Merlin 386.14
Stopped my OVPN1 client
Installed WG and imported my VPN provider WireGuard config file, then ran the command below to clone my existing VPN Director settings. However, everything is being routed through the VPN, as opposed to the specified devices going through WAN as in my OVPN1

e = Exit Script [?]
E:Option ==> vpndirector clone
Auto clone VPN Director rules
peer wg11 rule add wan 192.168.1.91 comment Samsung_TV
[?] Updated RPDB Selective Routing rule for wg11
peer wg11 rule add wan 192.168.1.105 comment Amazon_Fire
[?] Updated RPDB Selective Routing rule for wg11
peer wg11 rule add wan 192.168.1.181 comment Galaxy_Phone
[?] Updated RPDB Selective Routing rule for wg11
peer wg11 rule add vpn 192.168.1.1/24 comment Other Clients
[?] Updated RPDB Selective Routing rule for wg11

VPN Director Selective Routing RPDB rules
ID Peer Interface Source Destination Description
1 wg11 WAN 192.168.1.91 0.0.0.0 VPN Director: Samsung_TV
2 wg11 WAN 192.168.1.105 0.0.0.0 VPN Director: Amazon_Fire
3 wg11 WAN 192.168.1.181 0.0.0.0 VPN Director: Galaxy_Phone
4 wg11 VPN 192.168.1.1/24 0.0.0.0 VPN Director: Other Clients

Are there more steps needed to make the devices specified to go through the wan as opposed to VPN?
Thanks
 
Please check so your imported client is in policy mode: https://github.com/ZebMcKayhan/WireguardManager?tab=readme-ov-file#default-or-policy-routing

If the rule import is still not working to your liking, use the CLI menu to administer your rules. It's not harder than VPN director once you get familiar with the syntax: https://github.com/ZebMcKayhan/WireguardManager?tab=readme-ov-file#create-rules-in-wgm
 
Let's dump the ip rules to see the results of those changes.

Code:
ip rule

Those ip rules have to be pointing to an alternative routing table for the WireGuard clients (similar to what happens w/ the OpenVPN client, e.g., ovpnc1), which will show in those ip rules. That needs to be dumped as well (but I don't know the name of that table until you dump ip rules).

Code:
ip route show table ???
 
Hello, do I run the ip rule from wg or from the normal ssh window? I am getting an error from wg.
Below is what I get with ip rule from the ssh window, not wg

0: from all lookup local
9910: from 192.168.1.91 lookup main
9910: from 192.168.1.181 lookup main
9910: from 192.168.1.105 lookup main
9911: from 192.168.1.1/24 lookup 121
10010: from 192.168.1.91 lookup main
10011: from 192.168.1.105 lookup main
10012: from 192.168.1.181 lookup main
32766: from all lookup main
32767: from all lookup default
thanks
 
Hello, how do I use the CLI menu for this? I am new to WireGuard Manager, thanks
 
If you follow the link, there are instructions there. If you don't get to the right headline, scroll down slightly from the top to get a clickable table of contents.
 
Maybe I will have to delete wg and start all over again. Just one more question: during installation, when it prompts to enter y to create a peer for server wg21, do I skip or enter a name for the device?
 
If you don't want to run a server peer, skip it. You can then delete the server peer by
Code:
E:Option ==> peer wg21 del
 

So it appears to be table 121. Now dump that table.

Code:
ip route show table 121
 
Here's the result
0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
 
It's not perfectly clear in your question, but it appears your entire LAN is sent to wg11 except 192.168.1.91, 105, 181, which are sent to WAN. Was this not what you wanted? Or what is not working?

DNS is tricky in this setup, as I wrote in my link, so all will use VPN DNS, but data should be as advertised.

If DNS is the issue, you need to create rules which don't incorporate your clients to WAN, so you might need to section your network in 2 parts (again, as I wrote in my guide).
 
@Zeb thanks for your response, please let me explain again. I wanted the first 3 IPs to route through WAN and all others through VPN, but all clients are going through VPN. If I switch to my OVPN1 using the same VPN Director rules, it's working as intended. I check What's my ip: it points to my ISP, and the other clients to my VPN IP. If you can, look at the rule I used and advise what to change. I even removed it and started fresh, and now all clients pointed to WAN cannot access the Internet. I have been tearing my hair out since morning to get this working like my OVPN :)
 
The "ip rule" you gave earlier clearly points these 3 IPs to the main route table, which should mean WAN.

Perhaps you need to give us your main table; obscure your public IP with e.g. <wan ip>
Code:
ip route show table main
 
Thanks for your time, I really appreciate - see below for the result

0.0.0.0/1 dev wg11 scope link
default via x.x.x.1 dev eth0
50.7.114.18 via x.x.x.x dev eth0
x.x.x.0/23 dev eth0 proto kernel scope link src x.x.x.x
x.x.x.x dev eth0 proto kernel scope link
127.0.0.0/8 dev lo scope link
128.0.0.0/1 dev wg11 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
208.67.220.220 via x.x.x.x dev eth0 metric 1
208.67.222.222 via x.x.x.x dev eth0 metric 1

PS - 208.67.220.220 is OpenDNS as specified in WAN custom DNS. Also I thought WG will be using my VPN provider DNS? I removed it and started afresh. Tested again and the WAN client is pointing to VPN when checking what is my ip. I also disabled the FC using VX but still the speed is even worse than my OVPN.
Thanks
 
0.0.0.0/1 dev wg11 scope link
Looks like wg11 is still in default mode, not Policy mode.
Try to execute directly at the ssh prompt (not in wgm):
Code:
wgmExpo 'stop wg11' 'peer wg11 auto=P' 'start wg11'

If it's still not working:
Not sure, but it may be some remnant, as wg11 is in default mode after import, and if wg11 is not stopped when this is changed the routes may not be removed. A reboot probably fixes this. If you don't want to reboot, the routes could be removed manually, e.g.:
Code:
ip route del 0.0.0.0/1 dev wg11 scope link
ip route del 128.0.0.0/1 dev wg11 scope link
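
An added illustration (not part of any forum post, and not wgm code): a small Python model of how the kernel resolves the `ip rule` and route-table output posted in this thread, showing why a source pinned to `main` still leaves via wg11 while the two /1 routes sit in `main`. The tables are abbreviated, the redacted WAN gateway is replaced by a constructed 203.0.113.1 placeholder, and all function names are hypothetical.

```python
import ipaddress

# `ip rule` output from the thread (duplicate 1001x entries omitted).
IP_RULE = """0: from all lookup local
9910: from 192.168.1.91 lookup main
9910: from 192.168.1.181 lookup main
9910: from 192.168.1.105 lookup main
9911: from 192.168.1.1/24 lookup 121
32766: from all lookup main
32767: from all lookup default"""

# Route tables from the thread, abbreviated; the redacted WAN gateway is
# replaced by a constructed documentation address (203.0.113.1).
WG_ROUTES = "0.0.0.0/1 dev wg11 scope link\n128.0.0.0/1 dev wg11 scope link\n"
LAN = "192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1\n"
TABLES = {"main": WG_ROUTES + "default via 203.0.113.1 dev eth0\n" + LAN,
          "121": WG_ROUTES + LAN}

def parse_rules(text):
    """[(priority, source_net, table)] in kernel evaluation order."""
    rules = []
    for w in (line.split() for line in text.splitlines()):
        src = "0.0.0.0/0" if w[2] == "all" else w[2]
        rules.append((int(w[0].rstrip(":")),
                      ipaddress.ip_network(src, strict=False), w[4]))
    return sorted(rules, key=lambda r: r[0])

def best_route(table_text, dst):
    """Longest-prefix match inside one table; returns the egress device."""
    hits = []
    for w in (line.split() for line in table_text.splitlines()):
        net = ipaddress.ip_network("0.0.0.0/0" if w[0] == "default" else w[0])
        if dst in net:
            hits.append((net.prefixlen, w[w.index("dev") + 1]))
    return max(hits)[1] if hits else None

def egress(src, dst, tables=TABLES):
    """First rule whose source matches and whose table has a route wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, net, table in parse_rules(IP_RULE):
        dev = best_route(tables.get(table, ""), dst) if src in net else None
        if dev:
            return table, dev
    return None, None

def after_route_del(tables=TABLES):
    """Model the post's two `ip route del ... dev wg11` commands on main."""
    kept = [ln for ln in tables["main"].splitlines() if "dev wg11" not in ln]
    return {**tables, "main": "\n".join(kept)}
```

With the posted tables, `egress("192.168.1.91", "1.1.1.1")` resolves through `main` to wg11 because the /1 routes are more specific than `default`; with `tables=after_route_del()` the same lookup falls through to eth0.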
 
Also I thought WG will be using my VPN provider DNS?
It will, but not via routes. It uses a rule in the firewall to redirect to vpn dns. This dns could be checked or changed in wgm.


I also disabled the FC using VX but still the speed is even worse than my OVPN.
What speeds do you get? What ISP speeds do you have? When I ran wgm on AC86U I got 240Mb/s on a 250Mb/s connection. Others have reported it maxes out at about 400Mb/s due to NAT incompatibility.
I know that sometimes my speeds were a little slower (like 150Mb/s); it seems like my VPN server got crowded, so a disconnect and reconnect fixed it, as I got another IP which was faster.
 
Hello, it is on auto=P, see below

Client Auto IP Endpoint DNS MTU Annotate
wg11 P 10.100.19.198/32 50.7.114.18:250 10.100.0.1 Auto # N/A

Selective Routing RPDB rules
ID Peer Interface Source Destination Description
1 wg11 WAN 192.168.1.91 Any Samsung_TV
3 wg11 WAN 192.168.1.181 Any Sam_Phone
2 wg11 WAN 192.168.1.105 Any Amazon_Fire
4 wg11 VPN 192.168.1.1/24 Any Other Clients

Configuration rules for Peer wg11
Requesting WireGuard® VPN Peer start (wg11)
wg_manager-clientwg11: Initialising WireGuard® VPN 'client' Peer (wg11) in Policy Mode to 50.7.114.18:250 (# N/A) DNS=10.100.0.1
wg_manager-clientwg11: Initialisation complete.
 
I am on 500MB and when testing without OVPN, I get 345mb on wireless 5ghz and with OVPN I get 190 - 195MB, whereas with WG I am getting 50 - 65mb, even lower at times, which doesn't make sense as I thought WG is much faster than OVPN.
 
