Wireguard Session Manager - Discussion (2nd) thread


Well, that's kind of a bummer, as I have 3 peers set to P... I don't mind setting one/two to N, but when I manually turn it on it will be set to Y, which isn't good.
'Client' Peers that have associated Policy Routing rules can now be manually started even if they are designated to NOT auto-start (auto=N @boot)

e.g. manually override 'client' Peer auto= flag for 'wg12' (NOTE: It will still NOT auto-start @boot)
Code:
e  = Exit Script [?]

E:Option ==> peer

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51821  # RT-AC86U Server #1

Client  Auto  IP                                                Endpoint                       DNS             MTU  Annotate
wg11    N     10.67.125.168/32,fc00:bbbb:bbbb:bb01::4:7da7/128  89.45.90.197:51820             193.138.218.74       # Mullvad USA, Los Angeles
wg12    N     10.68.28.1/32,fc00:bbbb:bbbb:bb01::5:1c00/128     194.110.113.51:51820           193.138.218.74       # Mullvad France, Paris
wg13    N     10.67.221.249/32                                  89.44.10.178:51820             193.138.218.74       # Mullvad OZ, Sydney
wg14    N     10.13.93.45/24                                    146.70.51.178:1443             1.1.1.1              # TorGuard USA, Miami
wg15    N     fc00:bbbb:bbbb:bb01::4:fd0f/128                   [2001:ac8:20:308::a15f]:51820  193.138.218.74       # Mullvad Germany, Frankfurt (IPv6)
Code:
e  = Exit Script [?]

E:Option ==> start policy wg12

    Requesting WireGuard VPN Peer start (wg12)

    wireguard-clientwg12: Initialising Wireguard VPN 'client' Peer (wg12) in Policy Mode to 194.110.113.51:51820 (# Mullvad France, Paris) DNS=193.138.218.74
    wireguard-clientwg12: Initialisation complete.


     WireGuard ACTIVE Peer Status: Clients 5, Servers 1
@Martineau a confirmation if I really want to uninstall would be nice...
No more fat-fingers? :D
Code:
e  = Exit Script [?]

E:Option ==> remove

    Press Y to Remove WireGuard Manager or press [Enter] to cancel request.


     WireGuard ACTIVE Peer Status: Clients 4, Servers 1

Upgrade to wireguard_manager Beta v4.14b8 using
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 
Client  Auto  IP                                                Endpoint                       DNS             MTU  Annotate
wg11    N     10.67.125.168/32,fc00:bbbb:bbbb:bb01::4:7da7/128  89.45.90.197:51820             193.138.218.74       # Mullvad USA, Los Angeles
wg12    N     10.68.28.1/32,fc00:bbbb:bbbb:bb01::5:1c00/128     194.110.113.51:51820           193.138.218.74       # Mullvad France, Paris
looks like you've been busy with IPv6 integration, yay!

E:Option ==> start policy wg12
great addition! I guess it also works directly at the shell?
Code:
wg_manager start policy wg12

No more fat-fingers?
always fat-fingers... but hopefully not with any severe consequence (anymore).

but the syntax terminology to open wgm, run some command(s) and then close again could be useful... for example if you make a script for monitoring if the tunnel goes down, use the Geo-Policy to switch the subnet output to WAN to regain internet access while still monitor the peer for connectivity and switch back when it returns (if one would ever want/need such a function).
 
looks like you've been busy with IPv6 integration, yay!
Not really, tried to follow your IPv6 tutorial(s), but don't have true access to IPv6 Global, so spoofing IPv6 ONLY (without the native 6in4 as apparently used by WireGuard) is probably never going to work....unless I replicate wg-quick and enforce WireGuard's fwmark feature?

However, given ASUS is still tinkering with its IPv6 Beta; I will probably wait.
Code:
e  = Exit Script [?]

E:Option ==> 3

    interface: wg21  Port:51821    10.50.1.1/24             VPN Tunnel Network    # RT-AC86U Server #1
        peer: vGL1PWH7bVaZxBQppCZq/jjPfas1sKs+8e3Rf7fB/xY=     10.50.1.2/32        # Host_A "Alice's Laptop"  
        peer: BPlG+7INAMW+FZDqJ8u227TQtdTCt6dnkvy3ksQ3IEA=     10.50.1.3/32        # Host_B "Bobs's Laptop"  
        peer: cw2TWN51jRGwajvIwzi8H7a17mUhc79VEytdXpyIuVk=     10.50.1.4/32        # Host_C "Carol's Laptop"  

    interface: wg15  EndPoint=[2001:ac8:20:308::a15f]:51820        fc00:bbbb:bbbb:bb01::4:fd0f/128        # Mullvad Germany, Frankfurt (IPv6)
        peer: 7YN0g5B6gTRAcgb+78RpfGTw1UaNJprciQTSO/tKjyE=
         transfer: 0 B received, 1.30 KiB sent            0 Days, 00:00:44 from 2022-01-11 10:23:15 >>>>>>

great addition! I guess it also works directly at the shell?
Code:
wg_manager start policy wg12
Yup :p
Code:
wg_manager start policy wg12

    Requesting WireGuard VPN Peer start (wg12)

    wireguard-clientwg12: Initialising Wireguard VPN 'client' Peer (wg12) in Policy Mode to 194.110.113.51:51820 (# Mullvad France, Paris) DNS=193.138.218.74
    wireguard-clientwg12: Initialisation complete.
 
Not really, tried to follow your IPv6 tutorial(s), but don't have true access to IPv6 Global, so spoofing IPv6 ONLY (without the native 6in4 as apparently used by WireGuard) is probably never going to work
you mean my tutorials did not give you IPv6 access? or you don't have WireGuard with an IPv6 IP (I could send you a .conf file with dual stack for testing)?

given the fact that neither you nor I could test the WireGuard UDP tunnel over IPv6, everything else would work (hope someone else could test that for you)... either way you would/should get a dual-stack wg11 interface, and besides the UDP tunnel there should not be any difference.

as far as I could see, the only missing piece (for clients) was the DNS part in wgm, which needs to be IPv4+IPv6 (currently only an IPv4 DNS is imported but an IPv6 DNS is expected when starting) and firewall DNAT rules for both (both probably exist in code but both need to be applied), and one missing firewall rule that is needed for IPv6 and not for IPv4. that's it.
 
you mean my tutorials did not give you IPv6 access? or you don't have WireGuard with an IPv6 IP (I could send you a .conf file with dual stack for testing)?
Mullvad's WireGuard configurator allows generating a config that is compatible with various platforms

  • Windows, macOS, Linux, iOS and Android/Chrome OS

but (apart from Linux), not sure what differs in the generated .conf for each platform?

So when generating the WireGuard .conf I (finally) found that you can choose

[image: Mullvad WireGuard configurator options]


presumably the defaults are as shown above - hence my assumption that WireGuard's auto 6in4 on the router if IPv4 takes priority.


Clearly I was interested in the IPv6/Only IPv6 combo option - so I was finally able to give it a test (my 'wg15' profile), albeit with my test RT-AC86U downstream of the primary Sky IPv6 router.

Mullvad do not seem to provide an IPv6 DNS, but I think I did attempt to fudge it with Google's IPv6 DNS

e.g. RT-AC86U possibly shows IPv6 is ENABLED?
Code:
ping -6 2001:4860:4860::8888

PING 2001:4860:4860::8888 (2001:4860:4860::8888): 56 data bytes
64 bytes from 2001:4860:4860::8888: seq=0 ttl=118 time=13.426 ms
64 bytes from 2001:4860:4860::8888: seq=1 ttl=118 time=12.184 ms
64 bytes from 2001:4860:4860::8888: seq=2 ttl=118 time=12.448 ms
although from what I've read; I understand NAT IPv6 is bad, so not sure how to correctly handle custom IPv6 DNS per WireGuard Peer.......

...however, thanks, but I think I'm good with an IPv6 'client' Peer .conf, but alas it seems my laptop's browser never gets a good IPv6 ENABLED status from


:confused:
 
e.g. RT-AC86U possibly shows IPv6 is ENABLED?
looks like it... does it work from a client connected to the router as well?

...however, thanks, but I think I'm good with an IPv6 'client' Peer .conf, but alas it seems my laptop's browser never gets a good IPv6 ENABLED status from

Ready for the future of the Internet?
neither do I... nor will I when using my .conf file on Android... I think this is a limitation, since you probably share the IPv6 address with others (at least my .conf file includes a ULA address): you will never be open backwards for new sockets if they try to ping echo-request you, and your WireGuard IPv6 connection will never comply with RPCs for privacy reasons. that does not mean there is something wrong; it's just the way it works when over VPN. we could probably do better for a server/client config ourselves if we did not have to care about any privacy stuff online and had a globally routable prefix to spare.

look at IPv6 test - IPv6/4 connectivity and speed test (ipv6-test.com) and see that you have an IPv6 address and the DNS turns green, and you're golden!

you could also test accessing ipv6.google.com; this site only has an AAAA record, so you will not be able to access it if you can't reach IPv6 sites.

although from what I've read; I understand NAT IPv6 is bad, so not sure how to correctly handle custom IPv6 DNS per WireGuard Peer.......
bad? how? I know that IPv6 was designed to get rid of it (and some IPv6 communities look at it as some abomination), but most agree today that there are legitimate reasons for using NAT66 in some cases, so proper implementations have been done in netfilter. we are (well, I am) using it already for masquerading (SNAT, but still).

there are implementations that would not require NAT66 on our part, for example if you got an entire /64 subnet with your .conf file and assigned clients from it; however, I verified that this is not the case. so because of this limited implementation from our/my wg VPN supplier we have to do masquerading (and ASUS is doing it too in their WireGuard implementation; guess this is the reason for them to implement the ip6 nat tables). don't see why any DNAT6 should be any worse than SNAT6 (or masquerade).

you can check the ASUS implementation here (from the time when this GPL was)

I would be OK with not having the DNS redirect for IPv6 if you choose, but I would like to keep my IPv4 redirect intact when turning on IPv6, so I get the interface IP, firewall rules and routes/rules in place for IPv6.
 
'Client' Peers that have associated Policy Routing rules, can now be manually started even if they are designated to NOT auto-start auto=N @boot

e.g. manually override 'client' Peer auto= flag for 'wg12' (NOTE: It will still NOT auto-start @boot)

No more fat-fingers? :D

Upgrade to wireguard_manager Beta v4.14b8 using
Code:
E:Option ==> uf dev
Thanks for both fixes, that was quick
 
I updated to Beta v4.14b8 and get the following message that the peer client cannot come up.
Code:
        wireguard-clientwg11: Initialising Wireguard VPN 'client' Peer (wg11) to X.X.X.X:51820 (# xxx.nordvpn.com 'client' (wg11)) DNS=192.168.1.1
iptables: Chain already exists.


wireguard-clientwg11: ***ERROR Failed to create -t nat WGDNS1.

After a reboot, even the OpenVPN client is impacted. I have now "downgraded" back to v4.13. Somehow it still looks like it is impacting my connections. My OpenVPN connection ping time goes up when I bring up the wg client. It goes back to normal when I bring down the wg client. I have yet to try a trace from the client to see what the route is.
Code:
admin@RT-AC86U-DBA8:/tmp/home/root# ping 1.1.1.1  -I tun11
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=58 time=16.957 ms
64 bytes from 1.1.1.1: seq=1 ttl=58 time=15.506 ms
64 bytes from 1.1.1.1: seq=2 ttl=58 time=15.431 ms
64 bytes from 1.1.1.1: seq=3 ttl=58 time=15.371 ms
64 bytes from 1.1.1.1: seq=4 ttl=58 time=15.424 ms
64 bytes from 1.1.1.1: seq=5 ttl=58 time=17.526 ms
64 bytes from 1.1.1.1: seq=6 ttl=58 time=15.552 ms
64 bytes from 1.1.1.1: seq=7 ttl=58 time=17.485 ms
64 bytes from 1.1.1.1: seq=8 ttl=58 time=15.933 ms
64 bytes from 1.1.1.1: seq=9 ttl=58 time=17.482 ms
64 bytes from 1.1.1.1: seq=10 ttl=58 time=15.313 ms
64 bytes from 1.1.1.1: seq=11 ttl=58 time=17.278 ms
64 bytes from 1.1.1.1: seq=12 ttl=58 time=15.401 ms
64 bytes from 1.1.1.1: seq=37 ttl=58 time=679.932 ms
64 bytes from 1.1.1.1: seq=38 ttl=58 time=445.451 ms
64 bytes from 1.1.1.1: seq=39 ttl=58 time=523.284 ms
...snipped...
64 bytes from 1.1.1.1: seq=86 ttl=58 time=447.407 ms
64 bytes from 1.1.1.1: seq=87 ttl=58 time=445.074 ms
64 bytes from 1.1.1.1: seq=137 ttl=58 time=15.472 ms
64 bytes from 1.1.1.1: seq=138 ttl=58 time=39.275 ms
64 bytes from 1.1.1.1: seq=139 ttl=58 time=15.290 ms
64 bytes from 1.1.1.1: seq=140 ttl=58 time=15.332 ms
64 bytes from 1.1.1.1: seq=141 ttl=58 time=30.836 ms
64 bytes from 1.1.1.1: seq=142 ttl=58 time=15.318 ms

Update: I think I found the issue. Both my wg client become auto=Y. Change it back to auto=P seems to solve it.
 
I updated to Beta v4.14b8 and get the following message that the peer client cannot come up.
Code:
        wireguard-clientwg11: Initialising Wireguard VPN 'client' Peer (wg11) to X.X.X.X:51820 (# xxx.nordvpn.com 'client' (wg11)) DNS=192.168.1.1
iptables: Chain already exists.


wireguard-clientwg11: ***ERROR Failed to create -t nat WGDNS1.
I suspect that the uf command isn't tearing down 'wg11' correctly, so a quick fix (if a reboot isn't appropriate/possible) would be to manually issue:
Code:
sh /jffs/addons/wireguard/wg_client wg11 disable
or if it is a Policy 'client' Peer
Code:
sh /jffs/addons/wireguard/wg_client wg11 policy disable
Update: I think I found the issue. Both my wg client become auto=Y. Change it back to auto=P seems to solve it.
I'm not sure how/if the auto= flag is modified in the SQL database? - everything is possible but very strange.

Anyway, hopefully both issues can be attributed to the upgrade process, and there should be no reported issues (post-update) when invoking the start|stop command against any Peer.
 
@Martineau
I downloaded the latest dev version and enabled IPv6 with basically copies/duplicates of my existing rules as IPv6 rules. The IPv4/IPv6 DNS issue seems resolved, but there is still an error message regarding DNAT; that's not really an issue right now.

My rules are:
Code:
        Selective Routing RPDB rules
ID  Peer  Interface  Source                 Destination          Description
6   wg11  WAN        Any                    fdff:a37f:fa75::/48  To ipv6Lan
2   wg11  WAN        0.0.0.0/0              192.168.1.1/16       local WAN
5   wg11  VPN        fdff:a37f:fa75:1::/64  Any                  LAN to VPN
3   wg11  VPN        192.168.1.1/24         Any                  LAN to VPN

IPSet        Enable  Peer  FWMark  DST/SRC
NETFLIX-DNS  Y       wg11  0x8000  dst
MYIP         Y       wg11  0x8000  dst

I did remove all custom rules so there won't be any duplicates. But I found multiple rules in ip -6, so I removed all but one manually, but every time I restart wgm the wg11 rules don't get deleted. So they get appended on every start:


Code:
admin@RT-AC86U-D7D8:/jffs/addons/wireguard/Scripts# ip -6 rule
0:      from all lookup local
9900:   from fdff:a37f:fa75:1::/64 fwmark 0x8000 lookup main
9910:   from all to fdff:a37f:fa75::/48 lookup main
9910:   from all to fdff:a37f:fa75::/48 lookup main
9910:   from all to fdff:a37f:fa75::/48 lookup main
9911:   from fdff:a37f:fa75:1::/64 lookup 121
9911:   from fdff:a37f:fa75:1::/64 lookup 121
9911:   from fdff:a37f:fa75:1::/64 lookup 121
9921:   from fdff:a37f:fa75:6::/64 lookup 122
9991:   from all fwmark 0x1000/0x1000 lookup 121
32766:  from all lookup main

The wg12 IPv6 rules get deleted properly; this seems to only happen on wg11.

If I plainly stop all peers (from this point) the result is:
Code:
0:      from all lookup local
9910:   from all to fdff:a37f:fa75::/48 lookup main
9910:   from all to fdff:a37f:fa75::/48 lookup main
9910:   from all to fdff:a37f:fa75::/48 lookup main
9911:   from fdff:a37f:fa75:1::/64 lookup 121
9911:   from fdff:a37f:fa75:1::/64 lookup 121
9911:   from fdff:a37f:fa75:1::/64 lookup 121
32766:  from all lookup main

Could you replicate this or is it something in my setup?

Also, on my system, there doesn't seem to be any route to br0 in the policy tables:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ip -6 route show table 121
default dev wg11 metric 1024 pref medium
admin@RT-AC86U-D7D8:/tmp/home/root# ip -6 route show table 122
default dev wg12 metric 1024 pref medium
admin@RT-AC86U-D7D8:/tmp/home/root#

Maybe intentional? Or am I missing some nvram variable?

Edit: looks like the function purge_client_list() in wg_client is missing IPv6 functionality.
 
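The triplicated 9910/9911 entries in the listing above are what a purge routine that only handles the IPv4 RPDB leaves behind after a few restarts. As an added example (not wg_manager's own code, and not something any participant posted), the following POSIX sh function reads `ip -6 rule` output and prints one fully specified `ip -6 rule del` command per surplus copy, so the rule table can be returned to a single copy of each rule before the next Peer start. The sample input is a constructed copy of the listing above; the function names are mine.

```shell
#!/bin/sh
# Added example (not part of wg_manager): find duplicated IPv6 RPDB rules and
# print the 'ip -6 rule del' commands that would remove the surplus copies.
# Printing instead of executing keeps it safe to run anywhere; on the router,
# once the output looks right, apply it with:
#   ip -6 rule | dup_rule_del_cmds | sh

# Constructed sample, copied from the 'ip -6 rule' listing in the thread.
SAMPLE_IP6_RULES='0:      from all lookup local
9900:   from fdff:a37f:fa75:1::/64 fwmark 0x8000 lookup main
9910:   from all to fdff:a37f:fa75::/48 lookup main
9910:   from all to fdff:a37f:fa75::/48 lookup main
9910:   from all to fdff:a37f:fa75::/48 lookup main
9911:   from fdff:a37f:fa75:1::/64 lookup 121
9911:   from fdff:a37f:fa75:1::/64 lookup 121
9911:   from fdff:a37f:fa75:1::/64 lookup 121
9921:   from fdff:a37f:fa75:6::/64 lookup 122
9991:   from all fwmark 0x1000/0x1000 lookup 121
32766:  from all lookup main'

# Reads 'ip -6 rule' lines on stdin. The key is the priority plus the full
# selector/action text, so two rules sharing a priority but differing in
# selector are treated as distinct. For every copy after the first, one
# fully specified 'del' command is printed; 'ip rule del' removes a single
# matching rule per call, which is why each duplicate needs its own command.
dup_rule_del_cmds() {
    awk '
    NF >= 2 {
        prio = $1
        sub(/:$/, "", prio)
        spec = $2
        for (i = 3; i <= NF; i++) spec = spec " " $i
        key = prio " " spec
        if (++seen[key] > 1) print "ip -6 rule del priority " key
    }'
}

# Convenience wrapper: number of surplus rules in the constructed sample.
sample_surplus_count() {
    printf '%s\n' "$SAMPLE_IP6_RULES" | dup_rule_del_cmds | grep -c .
}

# Stand-alone run: show what would be deleted for the sample.
printf '%s\n' "$SAMPLE_IP6_RULES" | dup_rule_del_cmds
```

Running it against the sample prints four `del` commands (two for priority 9910, two for 9911) and nothing for the rules that appear once. A purge that instead loops `ip -6 rule del priority N ...` until the command fails would achieve the same end on the router, but the dry-run form makes it possible to review exactly which entries are considered surplus before anything is touched.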
'Client' Peers that have associated Policy Routing rules, can now be manually started even if they are designated to NOT auto-start auto=N @boot

e.g. manually override 'client' Peer auto= flag for 'wg12' (NOTE: It will still NOT auto-start @boot)

No more fat-fingers? :D

Upgrade to wireguard_manager Beta v4.14b8 using
Code:
E:Option ==> uf dev
question - when I ssh using the Mac terminal or an iOS ssh client, after entering the wgm landing page the "delete" button doesn't work anymore... it works in amtm before entering wgm and stops once selecting wgm. any ideas?
 
Just found out that the ip6tables installed does not contain the extension --to-destination which is used for ipv6 dns dnat. That is why I get error message when trying to start my peers.
But the extension is available in entware package iptables
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# opkg install xtables-addons_legacy
Installing xtables-addons_legacy (1.47.1-1a) to root...
Downloading https://bin.entware.net/aarch64-k3.10/xtables-addons_legacy_1.47.1-1a_aarch64-3.10.ipk
Installing iptables (1.4.21-3) to root...
Downloading https://bin.entware.net/aarch64-k3.10/iptables_1.4.21-3_aarch64-3.10.ipk
Configuring iptables.
Configuring xtables-addons_legacy.
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -t nat -A WGDNS2 -s fdff:a37f:fa75:6::/64 -j DNAT --to-destination 2001:aaa:bbbb::53
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL WGDNS2 -t nat
Chain WGDNS2 (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all      *      *       fdff:a37f:fa75:6::/64  ::/0                 to:2001:aaa:bbbb::53
admin@RT-AC86U-D7D8:/tmp/home/root#

Added the missing commands:
Code:
ip6tables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j WGDNS2 -m comment --comment "WireGuard 'client wg12 DNS'"

ip6tables -t nat -I PREROUTING -p udp -m udp --dport 53 -j WGDNS2 -m comment --comment "WireGuard 'client wg12 DNS'"

And did some lookup with ping-tools and it appears to be working (the lookup was successful but how could I tell for real?)
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 20 packets, 2776 bytes)
pkts bytes target     prot opt in     out     source               destination
  113  9145 WGDNS2     udp      *      *       ::/0                 ::/0                 udp dpt:53 /* WireGuard 'client wg12 DNS' */
    1    80 WGDNS2     tcp      *      *       ::/0                 ::/0                 tcp dpt:53 /* WireGuard 'client wg12 DNS' */
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -t nat -nvL WGDNS2
Chain WGDNS2 (2 references)
pkts bytes target     prot opt in     out     source               destination
  114  9225 DNAT       all      *      *       fdff:a37f:fa75:6::/64  ::/0                 to:2001:aaa:bbbb::53
admin@RT-AC86U-D7D8:/tmp/home/root#

@Martineau is it possible to enter ipv4,ipv6 dns in wgm?
If you don't feel comfortable using DNS DNAT for IPv6, perhaps it could be enabled from the conf file?

Edit: The error message I get when starting is because it tries to create an IPv6 rule for my IPv4 DNS; an extra check is probably needed so that Rule+DNS == IPv4 or IPv6+Rule+DNS == IPv6, like:
Code:
if [ -z "$(echo $VPN_IP | grep -F ":")" ] && [ -z "$(echo $PEER_DNS | grep -F ":")" ];then          # v4.13
    iptables -t nat -A WGDNS$VPN_NUM -s ${VPN_IP} -j DNAT --to-destination $PEER_DNS -m comment --comment "WireGuard 'client${VPN_NUM} DNS'"     # v4.05
fi
if [ "$USE_IPV6" == "Y" ] && [ -n "$(echo $VPN_IP | grep -F ":")" ] && [ -n "$(echo $PEER_DNS | grep -F ":")" ];then    # v4.13
    ip6tables -t nat -A WGDNS$VPN_NUM -s ${VPN_IP} -j DNAT --to-destination $PEER_DNS -m comment --comment "WireGuard 'client${VPN_NUM} DNS'"
fi
 
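A variant of the check proposed above, added here as an example that is neither wg_manager's code nor the poster's: it handles the case where VPN_IP (as for wg12 in the peer table) and PEER_DNS (as in the dns= example later in this thread) are comma-separated IPv4,IPv6 lists, pairs each family's source prefix with a DNS server of the same family, and emits the iptables or ip6tables rule only when both halves exist. Rules are printed rather than applied so the selection logic can be checked off-router. The function names, the dry-run form and the sample values are assumptions of mine.

```shell
#!/bin/sh
# Added example (not wg_manager's code): choose iptables vs ip6tables for the
# per-Peer DNS DNAT rule by address family, tolerating comma-separated
# dual-stack VPN_IP and PEER_DNS values. Rules are printed, not executed;
# pipe the output to sh on the router to apply them.

# An address or prefix is IPv6 if it contains a colon.
is_ipv6() { case "$1" in *:*) return 0 ;; *) return 1 ;; esac; }

# pick_family 4|6 "a,b,c": print the first list entry of that family
# (prints nothing if there is none). Always exits 0 so that callers running
# under 'set -e' are not aborted by an absent family.
pick_family() {
    _fam=$1
    _old_ifs=$IFS
    IFS=','
    for _item in $2; do
        if is_ipv6 "$_item"; then _have=6; else _have=4; fi
        if [ "$_have" = "$_fam" ]; then
            IFS=$_old_ifs
            echo "$_item"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 0
}

# wg_dns_dnat_rules VPN_NUM VPN_IP PEER_DNS USE_IPV6
# Prints one rule per family for which both a source prefix and a DNS server
# of that family exist. An IPv4-only DNS on a dual-stack Peer therefore yields
# only the iptables rule instead of a failing ip6tables command, and an
# IPv6-only Peer with an IPv4-only DNS yields no rule at all.
wg_dns_dnat_rules() {
    VPN_NUM=$1; VPN_IP=$2; PEER_DNS=$3; USE_IPV6=${4:-N}
    COMMENT="-m comment --comment \"WireGuard 'client${VPN_NUM} DNS'\""

    SRC4=$(pick_family 4 "$VPN_IP")
    DNS4=$(pick_family 4 "$PEER_DNS")
    if [ -n "$SRC4" ] && [ -n "$DNS4" ]; then
        echo "iptables -t nat -A WGDNS${VPN_NUM} -s ${SRC4} -j DNAT --to-destination ${DNS4} ${COMMENT}"
    fi

    if [ "$USE_IPV6" = "Y" ]; then
        SRC6=$(pick_family 6 "$VPN_IP")
        DNS6=$(pick_family 6 "$PEER_DNS")
        if [ -n "$SRC6" ] && [ -n "$DNS6" ]; then
            echo "ip6tables -t nat -A WGDNS${VPN_NUM} -s ${SRC6} -j DNAT --to-destination ${DNS6} ${COMMENT}"
        fi
    fi
    return 0
}

# Constructed sample: wg12's dual-stack IP from the peer table and the
# dual-stack dns= value used later in the thread.
wg_dns_dnat_rules 2 "10.68.28.1/32,fc00:bbbb:bbbb:bb01::5:1c00/128" "193.138.218.74,2620:119:35::35" Y
```

The important behavioural difference from a plain "does the string contain a colon" test is that a dual-stack VPN_IP contains a colon even though it also carries an IPv4 prefix; splitting the list first keeps the IPv4 rule intact on such Peers and only adds the ip6tables rule when an IPv6 DNS server was actually configured.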
I get this error. Need help.

Code:
1  = Update WireGuard modules                                           7  = QRcode for a Peer {device} e.g. iPhone
2  = Remove WireGuard/(wg_manager)                                      8  = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
                                                                        9  = Create[split] Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers Summary [Peer...] [full]                         10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients     11 = Import WireGuard configuration { [ "?" | [ "dir" directory ] | [/path/]config_file [ "name="rename_as ] ]}
5  = Stop    [ [Peer... ] | category ] e.g. stop clients
6  = Restart [ [Peer... ] | category ] e.g. restart servers

?  = About Configuration
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e  = Exit Script [?]

E:Option ==> 4

        Requesting WireGuard VPN Peer start (wg21)



wireguard-{server}wg21: Local Peer I/P endpoint ('/jffs/addons/wireguard/WireguardVPN.conf') not VALID. ABORTing Initialisation.


        WireGuard ACTIVE Peer Status: Clients 0, Servers 0
 
I get this error. Need help.

Code:
wireguard-{server}wg21: Local Peer I/P endpoint ('/jffs/addons/wireguard/WireguardVPN.conf') not VALID. ABORTing Initialisation.
help us help you: router model and firmware version?
 
I get this error. Need help.

Code:
wireguard-{server}wg21: Local Peer I/P endpoint ('/jffs/addons/wireguard/WireguardVPN.conf') not VALID. ABORTing Initialisation.

How did you set up your wg21? Make sure the subnet is not in use and is different from the OpenVPN server subnet. Perhaps you can delete it and recreate it again.
Here is a sample of the syntax:
Code:
E:Option ==> peer wg21 del

E:Option ==> peer new wg21 ip=10.50.1.1/24 port=51820
 
I get this error. Need help.

Code:
wireguard-{server}wg21: Local Peer I/P endpoint ('/jffs/addons/wireguard/WireguardVPN.conf') not VALID. ABORTing Initialisation.
Strange...the test was recently added to fix an issue where the import of a 'client' Peer ('server' peer isn't currently allowed) fails, and results in a missing IP Address.

I suggest you manually recreate the 'server' Peer

e.g.
Code:
E:Option ==> peer wg21 del

    Deleting 'server' Peer (wg21)


    Warning: 'server' Peer wg21 has 1 'client' Peer

# MyPhone device
[Peer]
PublicKey = Q9Jry1MMm51JbDvkwtVUMjDsljAq7cyYJPkFL38/5wQ=
AllowedIPs = 10.50.1.2/32
PresharedKey = XnD7QSAoqHd1YLzYlTT25A/M40csxGiHpL7oLdxMdXU=

    You can manually reassign them to a different 'server' Peer by recreating the 'client' Peer then rescan the QR code on the device
    Press y to CONFIRM or press [Enter] to SKIP.
y
    'server' Peer wg21 DELETED


Code:
e  = Exit Script [?]

E:Option ==> peer new port=51820

    *** Ensure Upstream router Port Foward entry for port:51820 ***

    Press y to Create (IPv6) 'server' Peer (wg21) 10.50.1.1/24:51820 or press [Enter] to SKIP.
y
    Creating WireGuard Private/Public key-pair for (IPv6) 'server' Peer wg21 on RT-AX86U (v386.4_0)
    Press y to Start (IPv6) 'server' Peer (wg21) or press [Enter] to SKIP.
y

    Requesting WireGuard VPN Peer start (wg21)

    wireguard-server1: Initialising Wireguard VPN (IPv6) [2a02:c7f:644f:1000:3e7c:3fff:fe6c:22b0] 'Server' Peer (wg21) on 192.168.0.1:51820 (# RT-AX86U (IPv6) Server 1)
    wireguard-server1: Initialisation complete.


    interface: wg21  Port:51820    10.50.1.1/24             VPN Tunnel Network    # RT-AX86U (IPv6) Server 1

EDIT: @chongnt beat me to it!
 
@Martineau is it possible to enter ipv4,ipv6 dns in wgm?
You should be able to specify IPv4/IPv6 DNS servers to be saved in the database?
Code:
E:Option ==> peer

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    N     10.50.1.1/24  51820  # RT-AX86U (IPv6) Server 1

Client  Auto  IP                                                Endpoint                       DNS                             MTU  Annotate
<snip>
wg15    N     fc00:bbbb:bbbb:bb01::4:fd0f/128                   [2001:ac8:20:308::a15f]:51820  193.138.218.74                       # Mullvad Germany, Frankfurt (IPv6)
Code:
e  = Exit Script [?]

E:Option ==> peer wg15 dns=193.138.218.74,2620:119:35::35

    [✔] Updated DNS
Code:
e  = Exit Script [?]

E:Option ==> peer

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    N     10.50.1.1/24  51820  # RT-AX86U (IPv6) Server 1

Client  Auto  IP                                                Endpoint                       DNS                             MTU  Annotate
<snip>
wg15    N     fc00:bbbb:bbbb:bb01::4:fd0f/128                   [2001:ac8:20:308::a15f]:51820  193.138.218.74,2620:119:35::35       # Mullvad Germany, Frankfurt (IPv6)
 
You should be able to specify IPv4/IPv6 DNS servers to be saved in the database?
Thanks! I hadn't the guts to test before I had confirmation.

Maybe this will get rid of the error messages I get when attempting to start a dual-stack peer with IPv4 DNS only. Will test tonight.
Still, maybe my suggestion above is a good idea to get rid of the error message?
 