
Wireguard Client Help

So, if I'm getting you right, no lan clients can access internet. Not the ones set to use wan and not the ones set to use vpn. Is that correct?

There is something not adding up here. Your wan clients should not be affected by whether or not wg11 is up.
Yes, that's correct; once I stop wg11 it comes back online. PS - my OVPN client is turned off.
 
I want to remove and start wg11 with rules to see if clients can access the internet?
 
Yes, that's correct; once I stop wg11 it comes back online. PS - my OVPN client is turned off.
Weird... before moving further, would you mind logging:
Code:
E:Option ==> stop wg11
E:Option ==> start wg11 debug
And posting the output here. Check and remove any wg keys or public ips before posting. Hopefully we can spot what wgm does and where it goes wrong.


I want to remove and start wg11 with rules to see if clients can access internet?
I'm not sure I understand what you mean. You can list the rules in wgm by:
Code:
E:Option ==> peer wg11
Notice each rule starts with an ID. Use that ID number to delete the rule:
Code:
E:Option ==> peer wg11 rule del 1
E:Option ==> peer wg11 rule del 2
Then you can start to create rules again.

Removing the wg11 peer entirely should be possible with
Code:
E:Option ==> peer wg11 del
But then you need to import a new config again.
 
Hello Zeb, man, I don't know what is going on here; I have been doing remove and reinstall with the same outcome. Once the rule table is applied as specified previously, all clients will lose internet. See below for the outputs you requested; back to my OVPN for now :). Thanks for your time.

Stop wg11 command - output
Code:
Requesting WireGuard® VPN Peer stop (wg11)
grep: /proc/blog/skip_wireguard_port: No such file or directory
wg_manager-clientwg11: WireGuard® VPN 'client' Peer (wg11) to 178.159.10.78:249 (# N/A) Terminated
wg11: transfer: 0 B received, 3.61 KiB sent 0 Days, 00:02:07 since Thu Jul 25 10:53:13 2024 >>>>>> Thu Jul 25 10:55:20 2024
wg11: period : 0 Bytes received, 3.61 KiB sent (Rx=0;Tx=3697)

start wg11 debug - output
Code:
E:Option ==> start wg11 debug
Requesting WireGuard® VPN Peer start (wg11)
wg_manager-clientwg11: Initialising WireGuard® VPN 'client' Peer (wg11) in Policy Mode to 178.159.10.78:249 (# N/A) DNS=10.100.0.1
grep: /proc/blog/skip_wireguard_port: No such file or directory
/jffs/addons/wireguard/wg_client: line 1345: can't create /proc/blog/skip_wireguard_port: nonexistent directory
[#] iptables -t nat -N WGDNS1
[#] ip link add dev wg11 type wireguard
[#] wg setconf wg11 /tmp/wg11.20422 #(/opt/etc/wireguard.d/wg11.conf)
[#] ip address add dev wg11 10.100.33.148/32
[#] ip link set up dev wg11
[ ] Auto MTU:1420 determined by WireGuard®
[#] ifconfig wg11 txqueuelen 1000
[#] ip route add 178.159.10.78 via xx.xx.xx.xx
[#] iptables -t nat -A WGDNS1 -s 192.168.1.1/24 -j DNAT --to-destination 10.100.0.1 -m comment --comment WireGuard 'client1 DNS'
[#] ip route add 0/1 dev wg11 table 121
[#] ip route add 128/1 dev wg11 table 121
[#] ip route add table 121 192.168.1.0/24 proto kernel scope link src 192.168.1.1 dev br0
[#] iptables -t mangle -I FORWARD -o wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I FORWARD -i wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I FORWARD -o wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I PREROUTING -i wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] iptables -t nat -I POSTROUTING -s 192.168.1.1/24 -o wg11 -j MASQUERADE -m comment --comment WireGuard 'client'
[#] iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
[#] iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
wg_manager-clientwg11: Initialisation complete.
 
Hello Zeb, man, I don't know what is going on here; I have been doing remove and reinstall with the same outcome. Once the rule table is applied as specified previously, all clients will lose internet. See below for the outputs you requested; back to my OVPN for now :). Thanks for your time.
I get it, wgm wasn't the quick solution for you. Please keep in mind it has not been updated for over a year as fw wireguard is taking over. Although it gives some added benefits, it also comes with added complexity. Although I believe there are people still using it, so it should work, there is something in your setup that's causing it to fail.

Just to ease my curiosity, would you mind importing the same wg conf file on i.e. Android, Windows or similar, just to check it's working. Previously people have reported configs never working and had to generate several before finding a working one. Even if it was working, if not used it could be shut down pretty fast.

I don't see anything out of the ordinary from the logs except the Endpoint uses port 249. I don't see how that would be an issue but it's unusual.

If you want to pursue this I think you need to make a full dump when the tunnel is up, from the shell prompt:
Code:
wg show wg11
ip rule
ip route show table main
ip route show table 121
iptables -nvL PREROUTING -t nat
iptables -nvL WGDNS1 -t nat
iptables -nvL FORWARD

But there is nothing wrong with sticking with OVPN. This router has accelerated ovpn so you will get ~250Mb/s, and in the best case for wg you will get 400Mb/s. It's not a huge difference.
 
Honestly, I would want to see how it performs, but unfortunately it's not working for me; I'm sure with your help we can sort it out.

wg show wg11 - output
Code:
interface: wg11
public key: xxxxx=
private key: (hidden)
listening port: 44417
peer: xxx=
preshared key: (hidden)
endpoint: 178.159.10.78:249
allowed ips: 0.0.0.0/0
transfer: 0 B received, 1.01 KiB sent
persistent keepalive: every 25 seconds

ip rule - output
Code:
0: from all lookup local
9810: from all fwmark 0xd2 lookup 210
9910: from 192.168.1.91 lookup main
9910: from 192.168.1.181 lookup main
9910: from 192.168.1.105 lookup main
9911: from 192.168.1.1/24 lookup 121
10010: from 192.168.1.91 lookup main
10011: from 192.168.1.105 lookup main
32766: from all lookup main
32767: from all lookup default

ip route show table main - output
Code:
default via xx.xx.xx.1 dev eth0
10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1
xx.xx.xx.0/23 dev eth0 proto kernel scope link src xx.xx.xx.xx
xx.xx.xx.1 dev eth0 proto kernel scope link
127.0.0.0/8 dev lo scope link
178.159.10.78 via xx.xx.xx.1 dev eth0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
208.67.220.220 via xx.xx.xx.1 dev eth0 metric 1
208.67.222.222 via xx.xx.xx.1 dev eth0 metric 1

ip route show table 121 - output
Code:
0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1

iptables -nvL PREROUTING -t nat - output
Code:
Chain PREROUTING (policy ACCEPT 814 packets, 99929 bytes)
pkts bytes target prot opt in out source destination
951 67478 WGDNS1 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* WireGuard 'client1 DNS' */
0 0 WGDNS1 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* WireGuard 'client1 DNS' */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 /* WireGuard 'server' */
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
2536 318K GAME_VSERVER all -- * * 0.0.0.0/0 xx.xx.xx.xx
2536 318K VSERVER all -- * * 0.0.0.0/0 xx.xx.xx.xx

iptables -nvL WGDNS1 -t nat - output
Code:
Chain WGDNS1 (2 references)
pkts bytes target prot opt in out source destination
1616 115K DNAT all -- * * 192.168.1.0/24 0.0.0.0/0 /* WireGuard 'client1 DNS' */ to:10.100.0.1

iptables -nvL FORWARD - output
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
729K 763M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 WGM_ACL_F all -- wg+ * 0.0.0.0/0 0.0.0.0/0 /* Wireguard ACL */
0 0 ACCEPT all -- br0 wg21 0.0.0.0/0 0.0.0.0/0 /* LAN to WireGuard 'server clients' */
0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
10702 2098K OVPNSF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 other2wan all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
588 33597 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
10114 2065K NSFW all -- * * 0.0.0.0/0 0.0.0.0/0
10114 2065K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 OVPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 VPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
 
transfer: 0 B received, 1.01 KiB sent
This line indicates that your wireguard tunnel is not working on a lower level. Your router has sent out 1 kB of data and received 0 B back. So, either this config file is terminated by your supplier or wgm got something wrong during the import.
Open the original config file in some text editor and compare with what you can see in wgm.

Please also test this config file on Windows, Android, iOS or something, just to check it's working.
 
Hello Zeb, I am using the config now on an Android phone and it works alright. What do you want me to compare, what line / command?
 
Hello Zeb, my bad, I imported an old wg config, but now I used the same one that is working on my Android phone, and noticed that all VPN clients have access to the internet but WAN has no access. Please can you have a look again and advise why the WAN clients have no access. See new outputs for the 7 commands.

wg show wg11 - output
Code:
interface: wg11
public key: xxxxxx=
private key: (hidden)
listening port: 41479
peer: xxxxxx=
preshared key: (hidden)
endpoint: 50.7.114.51:250
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 19 seconds ago. (sec:79)
transfer: 85.10 MiB received, 5.44 MiB sent
persistent keepalive: every 25 seconds

ip rule - output
Code:
0: from all lookup local
9810: from all fwmark 0xd2 lookup 210
9910: from 192.168.1.91 lookup main
9910: from 192.168.1.181 lookup main
9910: from 192.168.1.105 lookup main
9911: from 192.168.1.1/24 lookup 121
10010: from 192.168.1.91 lookup main
10011: from 192.168.1.105 lookup main
32766: from all lookup main
32767: from all lookup default

ip route show table main - output
Code:
default via xx.xx.xx.1 dev eth0
10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1
10.50.1.2 dev wg21 scope link
50.7.114.51 via xx.xx.xx.1 dev eth0
xx.xx.xx.0/23 dev eth0 proto kernel scope link src xx.xx.xx.xx
xx.xx.xx.1 dev eth0 proto kernel scope link
127.0.0.0/8 dev lo scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
208.67.220.220 via xx.xx.xx.1 dev eth0 metric 1
208.67.222.222 via xx.xx.xx.1 dev eth0 metric 1

ip route show table 121 - output
Code:
0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1

iptables -nvL PREROUTING -t nat - output
Code:
Chain PREROUTING (policy ACCEPT 1233 packets, 201K bytes)
pkts bytes target prot opt in out source destination
741 50469 WGDNS1 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* WireGuard 'client1 DNS' */
0 0 WGDNS1 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* WireGuard 'client1 DNS' */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 /* WireGuard 'server' */
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
4329 429K GAME_VSERVER all -- * * 0.0.0.0/0 xx.xx.xx.xx
4329 429K VSERVER all -- * * 0.0.0.0/0 xx.xx.xx.xx

iptables -nvL WGDNS1 -t nat - output
Code:
Chain WGDNS1 (2 references)
pkts bytes target prot opt in out source destination
751 51281 DNAT all -- * * 192.168.1.0/24 0.0.0.0/0 /* WireGuard 'client1 DNS' */ to:10.100.0.1

iptables -nvL FORWARD - output
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
2074K 2130M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 WGM_ACL_F all -- wg+ * 0.0.0.0/0 0.0.0.0/0 /* Wireguard ACL */
0 0 ACCEPT all -- br0 wg21 0.0.0.0/0 0.0.0.0/0 /* LAN to WireGuard 'server clients' */
0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
30216 9462K OVPNSF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 other2wan all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
1505 85262 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
28711 9376K NSFW all -- * * 0.0.0.0/0 0.0.0.0/0
28711 9376K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 OVPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 VPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
 
Hello Zeb, my bad, I imported an old wg config, but now I used the same one that is working on my Android phone, and noticed that all VPN clients have access to the internet but WAN has no access. Please can you have a look again and advise why the WAN clients have no access. See new outputs for the 7 commands.
Haha, yea I've been there too.

Everything looks fine. The reason your wan clients have no access is because they don't have a dns. Wgm redirects all VPN clients' dns and you have your entire lan to vpn. Problem is that this dns is wg specific, so it's only possible to contact it over vpn. Your 3 wan clients will attempt dns over wan, so it's not going to work.
This is a real issue with how you do the policy routing. We'll get to that next.

To check this, you can put any publicly available dns for wg11, then all should work:
Code:
E:Option ==> stop wg11
E:Option ==> peer wg11 dns=8.8.8.8
E:Option ==> start wg11

Now both wan and vpn clients work?

Depending on why you are using vpn this may not be an acceptable solution. Problem is that your vpn rule includes your wan clients, and in order to fix this you will need to change the ip address of your 3 wan clients. I could help with that if you want. Let me know.
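The DNS failure described above, as an added example that is not part of the thread or of wgm: a small model of the router's `ip rule` / `ip route` tables and the WGDNS1 DNAT, built from the dumps posted earlier, showing why the three clients pinned to the main table lose DNS while the rest of the LAN works, and why a public resolver fixes both.

```python
import ipaddress

# Constructed from the `ip rule` and `ip route` dumps posted above. Only the
# source-address selectors matter here; the fwmark rule (9810) never matches
# an unmarked LAN packet and is left out.
IP_RULES = [
    (9910, "192.168.1.91/32", "main"),
    (9910, "192.168.1.181/32", "main"),
    (9910, "192.168.1.105/32", "main"),
    (9911, "192.168.1.1/24", 121),     # wgm's "vpn" rule for the whole LAN
    (32766, "0.0.0.0/0", "main"),
]
ROUTE_TABLES = {
    "main": [("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "br0")],
    121: [("0.0.0.0/1", "wg11"), ("128.0.0.0/1", "wg11"),
          ("192.168.1.0/24", "br0")],
}
LAN = ipaddress.ip_network("192.168.1.0/24")
WAN_RESOLVER = "208.67.222.222"   # what the clients are configured to ask

def dnat_dns(src, dst, dport, wg_dns="10.100.0.1"):
    """Model of the WGDNS1 chain in the nat PREROUTING table: every port-53
    packet from the LAN is DNATed to the WireGuard DNS, whatever table the
    client is later routed by."""
    if dport == 53 and ipaddress.ip_address(src) in LAN:
        return wg_dns
    return dst

def lookup(table, dst):
    """Longest-prefix match inside one routing table; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in ROUTE_TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def egress(src, dst):
    """Walk the rules in priority order; the first table holding a route wins."""
    saddr = ipaddress.ip_address(src)
    for _prio, selector, table in sorted(IP_RULES, key=lambda r: r[0]):
        if saddr in ipaddress.ip_network(selector, strict=False):
            dev = lookup(table, dst)
            if dev is not None:
                return dev
    return None

def dns_path(client, wg_dns="10.100.0.1"):
    """(where the query ends up being sent, which interface carries it)."""
    dst = dnat_dns(client, WAN_RESOLVER, 53, wg_dns)
    return dst, egress(client, dst)

def dns_works(client, wg_dns="10.100.0.1"):
    """A reply can only come back if the rewritten destination is reachable
    on the chosen interface: 10.100.0.1 exists only inside the tunnel, while
    a public resolver answers on either path (assumption of this model)."""
    dst, dev = dns_path(client, wg_dns)
    return dev == "wg11" or not ipaddress.ip_address(dst).is_private

if __name__ == "__main__":
    for client in ("192.168.1.91", "192.168.1.50"):
        for dns in ("10.100.0.1", "8.8.8.8"):
            print(client, dns, dns_path(client, dns), dns_works(client, dns))
```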
 
Yes man, both VPN and WAN are working now, and "what is my IP" now shows the ISP IP for WAN and the VPN provider's IP for VPN. Thanks a lot for your time. I have been on this for 3 days; I just want to learn how it works, though my OVPN gives more throughput than the WG. Please, from the WG GUI on Asus, I changed the DNS there and saved, but it didn't work until I used the command, why?
 
Please, from the WG GUI on Asus, I changed the DNS there and saved, but it didn't work until I used the command, why?
No idea. I always use commands.

Are you OK with all clients using this public dns? We can fix it so vpn clients are using the dns from the config and wan clients use the wan dns if you want.
There are also potential issues with your way of doing things that may come back to bite you in the future.
But the fix would require you to change dhcp pool start ip and re-assign another ip to your wan clients.
 
Yes, please, if there is another command to use my WAN DNS - thanks
 
Yes, please, if there is another command to use my WAN DNS - thanks
It's not about commands.
Just a note of caution first: as you swap between ovpn and wg, this change will affect ovpn too and you need to remake the vpndirector rules. But you will get a more robust setup for both ovpn and wg.

Head into the router gui. LAN -> DHCP Server. Here there is a field "IP Pool Starting Address"; this is probably 192.168.1.2 for you.
Change this to 192.168.1.16.

This means no clients will be assigned an ip below 16.

Change Enable Manual Assignment to yes if not already.

Then further down in "Manually Assigned IP around the DHCP list" you probably have your wan clients. Change all wan clients to have an ip below 16 (like 192.168.1.5, 192.168.1.6, 192.168.1.7). If you have other static assigned ips here for vpn, make sure they are above 16.

Now head into wgm and stop wg11, remove all rules in wg11.

Then create new rules:
Code:
E:Option ==> peer wg11 rule add vpn 192.168.1.128/25 comment 128-255
E:Option ==> peer wg11 rule add vpn 192.168.1.64/26 comment 64-127
E:Option ==> peer wg11 rule add vpn 192.168.1.32/27 comment 32-63
E:Option ==> peer wg11 rule add vpn 192.168.1.16/28 comment 16-31

Reset dns to the one in your wg config:
Code:
E:Option ==> peer wg11 dns=10.100.0.1

Now start wg11 again.

Now the rules for vpn only cover ips above 16, which means your router and any ip below 16 will be completely unaffected by vpn. So if you want other clients to go out wan, just assign them an ip below 16 and you're done.

The same goes for ovpn and vpndirector. Remove all rules and assign the above ip/cidr to ovpn.



Also Zeb, any tweak to make it faster? I thought WG is supposed to be faster than OVPN?
No tweaks for this in wgm. Your router is not your bottleneck.
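The four `rule add vpn` lines above, as an added example that is not part of the thread or of wgm: they are the minimal CIDR cover of 192.168.1.16-192.168.1.255, and the code below derives them from the DHCP pool start, renders them in wgm's syntax, and checks which hosts fall on the vpn side (answering the later question about the 16/28 block). The `pool_start` parameter generalizes the same split to any other pool boundary.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")

def vpn_blocks(pool_start=16, lan=LAN):
    """Smallest set of CIDR blocks covering lan[pool_start] .. lan[-1],
    largest block first (the order the rules are listed in above)."""
    blocks = ipaddress.summarize_address_range(lan[pool_start], lan[-1])
    return sorted(blocks, key=lambda n: n.prefixlen)

def wgm_rules(pool_start=16, peer="wg11", lan=LAN):
    """Render the blocks as wgm `peer <wg> rule add vpn` commands, with the
    same host-range comment used in the thread."""
    base = int(lan[0])
    rules = []
    for net in vpn_blocks(pool_start, lan):
        lo, hi = int(net[0]) - base, int(net[-1]) - base
        rules.append(f"peer {peer} rule add vpn {net} comment {lo}-{hi}")
    return rules

def goes_via_vpn(host, pool_start=16, lan=LAN):
    """True if the host falls inside any of the vpn blocks; the router (.1)
    and manually assigned WAN clients below the pool start never do."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in vpn_blocks(pool_start, lan))

def check_cover(pool_start=16, lan=LAN):
    """Sanity check: blocks are disjoint and together cover exactly the
    addresses from pool_start to the end of the subnet, nothing below."""
    blocks = vpn_blocks(pool_start, lan)
    total = sum(n.num_addresses for n in blocks)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(blocks)
                   for b in blocks[i + 1:])
    return disjoint and total == lan.num_addresses - pool_start

if __name__ == "__main__":
    for rule in wgm_rules():
        print("E:Option ==>", rule)
    for host in ("192.168.1.1", "192.168.1.5", "192.168.1.16",
                 "192.168.1.31", "192.168.1.200"):
        print(host, "vpn" if goes_via_vpn(host) else "wan")
```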
 
Ok, will change and let you know. But what do you mean by "Just a note of caution first: as you swap between ovpn and wg, this change will affect ovpn"?
 
Zeb, I believe "E:Option ==> peer wg11 rule add vpn 192.168.1.16/28 comment 16-31" the range is for WAN, right?
 
Also "Now head into wgm and stop wg11, remove all rules in wg11." How do I remove the current rule?
 
Ok, will change and let you know. But what do you mean by "Just a note of caution first: as you swap between ovpn and wg, this change will affect ovpn"?
I mean when you start to change the ip for your wan clients, they will not be over wan anymore until you change vpndirector.


Zeb, I believe "E:Option ==> peer wg11 rule add vpn 192.168.1.16/28 comment 16-31" the range is for WAN, right?
No, it should be vpn. This specific rule covers ips 192.168.1.16 - 192.168.1.31.
 
