Wireguard Wireguard policy rules

[greenspanner]

Hi, I've successfully moved all my OpenVPNs over to Wireguard and I am very impressed with the speed and the session manager script. After solving a few things myself, I have a couple of issues that I'm hoping are quite straightforward but beyond my skills.

Firstly, with ovpn, on the router (192.168.1.1) I could run

curl icanhazip.com --interface xx

to check each clients IP. Now, I can only do it with the clients started without policy rules.

Secondly, when connected to the server (wg21), I can't access the webUI of an instance of transmission that i run on 192.168.1.111. As above, I can access the webUI from a server connection when I turn policy off on wg13. I also tried with passthru rules removed and the issue still occurs. When I connect to the, I get correctly passedthru wg11 as expected, but no webUI. It works fine when connected to wg11 locally as every DHCP client goes through it.

Hopefully these two issues are not hard to fix with somw tweaks of the policy rules, I've tried a few combinations but can't crack it. Let me know if you need any more info

    Server  Auto  Subnet
    wg21    Y     10.50.1.1/24

    Server  Client  Passthru
    wg21    wg11    S21
    wg21    wg11    mba


    interface: wg11
        ID  Peer  Interface  Source           Destination
        1   wg11  VPN        192.168.1.32/27  Any        


    interface: wg13
        ID  Peer  Interface  Source         Destination
        3   wg13  VPN        192.168.1.111  Any

Also, I couldn't reply to the main 3rd Thread, I got an error saying it was over six months old. Hope making a new topic is ok

 

[ZebMcKayhan]

Also, I couldn't reply to the main 3rd Thread, I got an error saying it was over six months old. Hope making a new topic is ok

There are now a 4th thread created.

Secondly, when connected to the server (wg21), I can't access the webUI of an instance of transmission that i run on 192.168.1.111. As above, I can access the webUI from a server connection when I turn policy off on wg13. I also tried with passthru rules removed and the issue still occurs. When I connect to the, I get correctly passedthru wg11 as expected, but no webUI. It works fine when connected to wg11 locally as every DHCP client goes through it.

This sounds like a routing issue. You probably can access the gui, the problem is that 192.168.1.111 can't reply back to wg server since no routes exists for it in the policy table for wg13 which it is using.

Try to add a rule to wg13 for destinations <wg server ip>/24 to WAN should hopefully resolve your issue.

 

[greenspanner]

Thanks for your suggestion. I tried this rule

peer wg13 rule add wan 10.50.1.1/24 comment wg21toTransmission

And still 192.168.1.111:9091 isn't accessible from a wg21 connection.

Trying something randomly to eliminate wg11 passthru as an issue, I added

peer wg11 rule add wan 10.50.1.1/24 comment wg21toTransmission

which unsurprisingly overrode the passthru, sending 10.50.1.x through the wan, and still can't get to 192.168.1.111 on wg13.

 

[ZebMcKayhan]

And still 192.168.1.111:9091 isn't accessible from a wg21 connection.

The rule you added are for source, not destinations. Delete it and try

peer wg13 rule add wan src=any dst=10.50.1.1/24 comment PolicyClientsToWg21

 

[greenspanner]

That did the job perfectly, thanks so much @ZebMcKayhan

Any clues on how to curl out via different interfaces from the router?

 

[ZebMcKayhan]

Any clues on how to curl out via different interfaces from the router?

It works for me:

admin@RT-AC86U-D7D8:/tmp/home/root# curl icanhazip.com --interface eth0
xx.yy.166.86
admin@RT-AC86U-D7D8:/tmp/home/root# curl icanhazip.com --interface wg11
xx.yy.186.71

What happens for you when you try?

 

[greenspanner]

Here is what I get when I curl out my WAN interface with all my wg clients in policy mode:

curl -v ipecho.net/plain --interface ppp0
*   Trying 34.160.111.145:80...
* Connected to ipecho.net (34.160.111.145) port 80 (#0)
> GET /plain HTTP/1.1
> Host: ipecho.net
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< access-control-allow-origin: *
< content-type: text/html; charset=utf-8
< content-length: 12
< date: Fri, 07 Oct 2022 10:52:02 GMT
< x-envoy-upstream-service-time: 0
< strict-transport-security: max-age=2592000; includeSubDomains
< server: istio-envoy
< Via: 1.1 google
<
* Connection #0 to host ipecho.net left intact
xx.xx.87.45

Via wg11 with policy mode on:

curl -v ipecho.net/plain --interface wg11
*   Trying 34.160.111.145:80...
* connect to 34.160.111.145 port 80 failed: Connection timed out
* Failed to connect to ipecho.net port 80 after 15170 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to ipecho.net port 80 after 15170 ms: Connection timed out

Then if I restart wg11 with peer wg11 auto=y:

curl -v ipecho.net/plain --interface wg11
*   Trying 34.160.111.145:80...
* Connected to ipecho.net (34.160.111.145) port 80 (#0)
> GET /plain HTTP/1.1
> Host: ipecho.net
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< access-control-allow-origin: *
< content-type: text/html; charset=utf-8
< content-length: 15
< date: Fri, 07 Oct 2022 10:59:53 GMT
< x-envoy-upstream-service-time: 1
< strict-transport-security: max-age=2592000; includeSubDomains
< server: istio-envoy
< Via: 1.1 google
<
* Connection #0 to host ipecho.net left intact
xx.xx.205.194

I can't curl out via ppp0 when wg11 is in auto=y (non-policy) mode, which is very weird:

curl -v ipecho.net/plain --interface ppp0
*   Trying 34.160.111.145:80...
* connect to 34.160.111.145 port 80 failed: Connection timed out
* Failed to connect to ipecho.net port 80 after 15041 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to ipecho.net port 80 after 15041 ms: Connection timed out

 

[Martineau]

curl -v ipecho.net/plain --interface ppp0
*   Trying 34.160.111.145:80...
* connect to 34.160.111.145 port 80 failed: Connection timed out
* Failed to connect to ipecho.net port 80 after 15041 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to ipecho.net port 80 after 15041 ms: Connection timed out

; I can't curl out via ppp0 when wg11 is in auto=y (non-policy) mode, which is very weird:

When wg11 ([non-policy mode auto=Y) is UP; what do you think the default routing interface is for ALL LAN outbound traffic?

curl -v ipecho.net/plain

 

[ZebMcKayhan]

Here is what I get when I curl out my WAN interface with all my wg clients in policy mode:

Today I tested my other wg client wg12 (also policy mode) and it didnt work as you say... made me think over what differs between them... one thing is that I use ipset on wg11 so rp_filter is set to loose, but wg12 has no ipset so its rp_filter is default strict. Wg12 start to work for me when changing rp_filter to loose:

admin@RT-AC86U-D7D8:/tmp/home/root# curl icanhazip.com --interface wg12
curl: (28) Failed to connect to icanhazip.com port 80 after 30080 ms: Connection timed out
admin@RT-AC86U-D7D8:/tmp/home/root# echo 2 > /proc/sys/net/ipv4/conf/wg12/rp_filter
admin@RT-AC86U-D7D8:/tmp/home/root# curl icanhazip.com --interface wg12
xx.yy.36.50

Perhaps you could test the same?

Rp_filter is supposed to check routing path of incooming packages by change place of source and destination and se if a reply to this package would be routed out the same interface it came in. Naturally it would be an issue when violating the normal routing path.

 

[greenspanner]

This worked perfectly! Every interface can be curled out, even ppp0. I had to make some wg-up scripts for the setting to survive a reboot as per your IPSET guide.

Now my wireguard is fully set up and everything seems super stable compared to my previously patchy OpenVPN setup. Thank you!

 

[PiCkLeS76]

Hi guys,

so let's get a few things straight before I ask my question:

* Yes, im pretty dumb
* Yes, I have _really_ tried to search for an answer before posting..

The question:

I love wg_manager since I get most of it for once instead of doing a lot of editing scripts. I have a RT-AC86U im running it on and after importing the .conf from my VPN provider (wg11) everything is up and working beautifully. Everything on my LAN is connecting through the tunnel.

So. I wanted to add a few devices to connect to the private server (wg21) and making the clients was easy and straightforward. I have a dynamic dns working on the router so I confirmed in the .conf files at /opt/etc/wireguard.d/*.conf that the devices had everything correctly in them, which they did, and do.

But for some reason.. no matter what I do.. I cant get the clients to connect? If I turn ON wifi on the device so it sits "behind" the router running all this (ie on the LAN) it connects fine. But as soon as I turn OFF wifi and run on the mobile network it just sits there, some bytes in tx but nothing back in rx..

I know what you are thinking - so the guy has the wrong WAN IP-address in his conf.. But it seems fine, I logged in to the gui of Asus and there on the first page the same IP is displayed as WAN IP as my DDNS is resolved to. I also resolved it fine in terminal on the phone so it seems to be correct.

Any help appreciated.

//NewbieNiclas

 

[PiCkLeS76]

Hi guys,

so let's get a few things straight before I ask my question:

* Yes, im pretty dumb
* Yes, I have _really_ tried to search for an answer before posting..

The question:

I love wg_manager since I get most of it for once instead of doing a lot of editing scripts. I have a RT-AC86U im running it on and after importing the .conf from my VPN provider (wg11) everything is up and working beautifully. Everything on my LAN is connecting through the tunnel.

So. I wanted to add a few devices to connect to the private server (wg21) and making the clients was easy and straightforward. I have a dynamic dns working on the router so I confirmed in the .conf files at /opt/etc/wireguard.d/*.conf that the devices had everything correctly in them, which they did, and do.

But for some reason.. no matter what I do.. I cant get the clients to connect? If I turn ON wifi on the device so it sits "behind" the router running all this (ie on the LAN) it connects fine. But as soon as I turn OFF wifi and run on the mobile network it just sits there, some bytes in tx but nothing back in rx..

I know what you are thinking - so the guy has the wrong WAN IP-address in his conf.. But it seems fine, I logged in to the gui of Asus and there on the first page the same IP is displayed as WAN IP as my DDNS is resolved to. I also resolved it fine in terminal on the phone so it seems to be correct.

Any help appreciated.

//NewbieNiclas

Crap. I JUST found out that I've been moved to a CG-NAT at my ISP. Sorry. That explains it all..

//N

 

[ZebMcKayhan]

Everything on my LAN is connecting through the tunnel.

Was going to point out that wg server is not possible if you have your client in auto=Y (default routing). But maybe not the case for you.

. I JUST found out that I've been moved to a CG-NAT at my ISP. Sorry. That explains it all..

Welcome to the club. Just to sit back and wait for ipv6 (or pay for global ipv4).
You could attempt to set up a free-tier Oracle server to bounce your data. I tried to register 100 times or so but was always rejected so I gave up. Maybee you have better luck?

 

[PiCkLeS76]

Was going to point out that wg server is not possible if you have your client in auto=Y (default routing). But maybe not the case for you.

First off.. your guide is freaking amazing.. A huge thanks.

Second.. Oh crap really? I just assumed that since the private server was setup automatically at first run of the script, everything was setup for it to work. Especially if all I want is the tunnel to lead me into the LAN (IPv4) and the traffic doesnt need to go out through the wg11-tunnel. I really just need to be able to connect to my LAN, work on small stuff on my servers, then leave. Im not going to use it to be able to tunnel out behind a VPN.

Therefore, when I read your section:

WireguardManager/README.md at main · ZebMcKayhan/WireguardManager

Manage/Install WireGuard on applicable ASUS routers - ZebMcKayhan/WireguardManager

github.com

.. it seemed a perfect out-of-the-box-done-deal. But I need to figure out how to work with Policy routing (auto=P) and somehow create some magic with rules to get this to work then?

This is all assuming I get a public IP from my ISP (which seems promising right now, Ill hear back from them tomorrow) or work with IPv6 (which I actually have from my ISP, which I really dont want to do.)

Well. Ill try to figure it out, any pointers much appreciated but really not assumed - you have done a lot just by answering.

A big thanks again.

//Niclas

Welcome to the club. Just to sit back and wait for ipv6 (or pay for global ipv4).
You could attempt to set up a free-tier Oracle server to bounce your data. I tried to register 100 times or so but was always rejected so I gave up. Maybee you have better luck?

 

[ZebMcKayhan]

Oh crap really? I just assumed that since the private server was setup automatically at first run of the script, everything was setup for it to work.

At that time it is. It is when you start your internet client in auto=y mode that borkes the server. The problem lies in that the server udp tunnel is now over vpn (thereof default (all) routing). When you try to connect to your server via wan it will respond over vpn (but more likely blocked by rp_filter).

.. it seemed a perfect out-of-the-box-done-deal. But I need to figure out how to work with Policy routing (auto=P) and somehow create some magic with rules to get this to work then?

Just to be perfectly clear. Wg21 could (and should) be in auto=y. It is your wg11 that cannot be in auto=y when simultaneously using wg21 since it will put wg21 tunnel over wg11.

Well. Ill try to figure it out, any pointers much appreciated but really not assumed - you have done a lot just by answering.

Just put wg11 in auto=p and create a rule that covers your entire lan. There are plenty of examples of this in my guide. The penalty for this is that router itself will NOT connect via wg11 (thats really the point but it works both ways). This also means dns-lookup, any torrent client on router a.s.o will now use wan. Any lan clients will use vpn though.
If you really MUST have router to access internet via wg11 there is a workaround in my guide under "reverse policy based routing" but its abit clunky.

 

[PiCkLeS76]

At that time it is. It is when you start your internet client in auto=y mode that borkes the server. The problem lies in that the server udp tunnel is now over vpn (thereof default (all) routing). When you try to connect to your server via wan it will respond over vpn (but more likely blocked by rp_filter).


Just to be perfectly clear. Wg21 could (and should) be in auto=y. It is your wg11 that cannot be in auto=y when simultaneously using wg21 since it will put wg21 tunnel over wg11.


Just put wg11 in auto=p and create a rule that covers your entire lan. There are plenty of examples of this in my guide. The penalty for this is that router itself will NOT connect via wg11 (thats really the point but it works both ways). This also means dns-lookup, any torrent client on router a.s.o will now use wan. Any lan clients will use vpn though.
If you really MUST have router to access internet via wg11 there is a workaround in my guide under "reverse policy based routing" but its abit clunky.

Awesome. I have nothing on the router and never will, it is a barebone install with just the necessary stuff for wg to work. Everything else is handled by other stuff on my LAN. Including running AdGuard Home as a stand-alone DNS for the LAN on a dedicated machine and every other service I use. And since they are all "LAN-devices", it uses the tunnel for that.

So for me, this work perfectly

I actually played around with the section where you cover in great detail the (of you untested) setup of the private server, ie using Policy routing and setting the rules. Im hoping the rules below are actually correct and that the fact that I was stuck in CG-NAT messed it all up.

I think this should do the trick, if im not terribly mistaken (please point out if so). Someone could at least find and use this post further down the line with the same questions:

peer wg11 rule add vpn 10.0.1.1/24
peer wg11 rule add wan 0.0.0.0/0 10.0.1.1/24
peer wg11 auto=P

(I'm using 10.0.1.x as my LAN, usage may vary..).

Thank you,

Niclas

 

[ZebMcKayhan]

peer wg11 rule add vpn 10.0.1.1/24
peer wg11 rule add wan 0.0.0.0/0 10.0.1.1/24
peer wg11 auto=P

Looks correct. But I think that

peer wg11 rule add wan 0.0.0.0/0 10.0.1.1/24

is outdated (thought I had changed all these. Well, the up-to-date version is:

peer wg11 rule add wan src=any dst=10.0.1.1/24

but you actually never need this rule for your lan. The policy routing table contains your lan and wg11(internet), this is the only destinations policy clients can communicate to out-of-the-box.

So, you may need similar when you start your wg21 server so policy clients (lan) could be sending packets to wg21 (as your wg21 purpose is wg21<->lan communication). But then you need to use wg21 ip inside, I.e. if you used default:

peer wg11 rule add wan src=any dst=10.50.1.1/24

Hope it makes sense...

 

[PiCkLeS76]

Looks correct. But I think that

peer wg11 rule add wan 0.0.0.0/0 10.0.1.1/24

is outdated (thought I had changed all these. Well, the up-to-date version is:

peer wg11 rule add wan src=any dst=10.0.1.1/24

but you actually never need this rule for your lan. The policy routing table contains your lan and wg11(internet), this is the only destinations policy clients can communicate to out-of-the-box.

So, you may need similar when you start your wg21 server so policy clients (lan) could be sending packets to wg21 (as your wg21 purpose is wg21<->lan communication). But then you need to use wg21 ip inside, I.e. if you used default:

peer wg11 rule add wan src=any dst=10.50.1.1/24

Hope it makes sense...

Ah yes, that makes perfect sense. Well, fingers crossed my ISP gets back to me tomorrow about the public IP. If and when that is correct, I can add the rules and try it out.

Thanks for now!

//Niclas

 

[PiCkLeS76]

Looks correct. But I think that

peer wg11 rule add wan 0.0.0.0/0 10.0.1.1/24

is outdated (thought I had changed all these. Well, the up-to-date version is:

peer wg11 rule add wan src=any dst=10.0.1.1/24

but you actually never need this rule for your lan. The policy routing table contains your lan and wg11(internet), this is the only destinations policy clients can communicate to out-of-the-box.

So, you may need similar when you start your wg21 server so policy clients (lan) could be sending packets to wg21 (as your wg21 purpose is wg21<->lan communication). But then you need to use wg21 ip inside, I.e. if you used default:

peer wg11 rule add wan src=any dst=10.50.1.1/24

Hope it makes sense...

Hi!

Just a quick follow-up to finish this thread-in-the-thread:

I got my public IP activated this morning. Proceeded to add the rules as per your fine instructions/clearifications above. All is well, works perfectly

I went ahead and actually also added your passus about getting the client traffic via the wg21 private server going through the tunnel of wg11. Ie, having all the road warrior-devices connected through the private server to route their traffic through my vpn provider instead of going straight out via the wan-interface. This with the simple command

peer wg21 passthru add wg11 all

.. and also added the scripts with the iptables stuff (up/down activated) and that worked like a charm too. If I were to connect to work on some of my servers on the LAN and forgot it up and running, well at least the traffic is secure with using the client connection to my VPN provider. So I thought, why not

Anyways, again a final HUGE thanks for great responses and fast at that. Im very grateful.

Regards,

Niclas

 

[ZebMcKayhan]

Anyways, again a final HUGE thanks for great responses and fast at that. Im very grateful.

Glad that Wireguard showed you its best side!

and also added the scripts with the iptables stuff (up/down activated) and that worked like a charm too.

Curious, what scripting did you need for your setup? From the setup you describe there shouldnt need to be any custom scripting?