Wireguard Session Manager - Discussion (2nd) thread

Hi there, kind of a noob question, but how do I change the DNS from the default 75.75.75.75 and 2601:184:etc to the IP of my router, as right now I have that running as my DNS server? Also, will this automatically tie into Asus DDNS, as I do not have a static IP?

I do have OpenDNS set up on the router as well, but I have not tried option 12 yet as I do not know if it's needed.

Lastly, it's odd that I have an option for WireGuard on my router's GUI but it seems to be broken; I am running Merlin atm.

I'm getting only 38 down and 23 up on a 1000/40 home network line, and my work has fiber at 200/200. OpenVPN is getting 39.1 by 33.7, so something seems to be wrong with my config. I have an AX11000 router, so I should be getting much better speeds.

I was going to try running WireGuard on my Odroid XU4, but WireGuard is not compatible with arm32 via PiVPN. I was also trying to get it to run on Windows, but idk if that's officially supported.
 
Hi there, kind of a noob question, but how do I change the DNS from the default 75.75.75.75 and 2601:184:etc to the IP of my router, as right now I have that running as my DNS server? Also, will this automatically tie into Asus DDNS, as I do not have a static IP?
You didn't say if you're setting up a wg server peer on your router or an internet client. I'm assuming server, since it fits with the rest of your text.

Here is how you change DNS for your server's clients:
https://github.com/ZebMcKayhan/WireguardManager#setup-wg-server
You need to scroll down to the device peer setup (hint: it's in the device.conf file).

I'm getting only 38 down and 23 up on a 1000/40 home network line, and my work has fiber at 200/200. OpenVPN is getting 39.1 by 33.7, so something seems to be wrong with my config. I have an AX11000 router, so I should be getting much better speeds.
Since you only have 40 up, it will cap your download speed via the server. If you download, it goes from the internet to your router (1000 down), becomes encrypted and is sent to your phone (40 up). 38 seems fair, but I have no explanation for the difference in up speed; it should be about the same and not 23. Anything filling up your syslog?

Over the server you will never be able to get beyond your up speed, because what comes down to the router is resent up to your device. It's not a WireGuard/OpenVPN thing; you would have had the same with an unencrypted tunnel.
 
Having got my wg server setup running, I am trying to set up a wg client. I am trying AzireVPN (I want a dual-stack provider). I used the config generator tool and tested it on my phone, where it worked fine (full IPv4/IPv6, no discernible leaks, etc.).

However, when I imported it to the router and ran start wg11 (the wg server is off):
Code:
E:Option ==> start wg11

        Requesting WireGuard VPN Peer start (wg11)

        WireGuard-clientwg11: Initialising WireGuard VPN 'client' Peer (wg11) to nl1.wg.azirevpn.net:51820 (# N/A) DNS=2a0e:1c80:xxxx:yyyy::1
iptables v1.4.21: Need TCP, UDP, SCTP or DCCP with port specification
Try `iptables -h' or 'iptables --help' for more information.
and list shows:
Code:
E:Option ==> list

        interface: wg11  EndPoint=45.15.19.34:51820                     2a0e:1c80:xxxx:yyyy::b7d/64                # N/A
                peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
                 latest handshake: 20 seconds ago
                 transfer: 7.55 KiB received, 712.18 KiB sent           0 Days, 00:07:42 since Thu Mar 31 20:29:00 2022 >>>>>>

        WireGuard ACTIVE Peer Status: Clients 1, Servers 0

But it is definitely NOT working correctly: if I browse to AzireVPN it shows I am not connected, on ipleak.net I only have IPv6 connectivity, and ipv6-test.com shows the same.

What does "iptables v1.4.21: Need TCP, UDP, SCTP or DCCP with port specification" mean, and what can I test?
 
Having got my wg server setup running, I am trying to set up a wg client. I am trying AzireVPN (I want a dual-stack provider). I used the config generator tool and tested it on my phone, where it worked fine (full IPv4/IPv6, no discernible leaks, etc.).

However, when I imported it to the router and ran start wg11 (the wg server is off):
Code:
E:Option ==> start wg11

        Requesting WireGuard VPN Peer start (wg11)

        WireGuard-clientwg11: Initialising WireGuard VPN 'client' Peer (wg11) to nl1.wg.azirevpn.net:51820 (# N/A) DNS=2a0e:1c80:xxxx:yyyy::1
iptables v1.4.21: Need TCP, UDP, SCTP or DCCP with port specification
Try `iptables -h' or 'iptables --help' for more information.
and list shows:
Code:
E:Option ==> list

        interface: wg11  EndPoint=45.15.19.34:51820                     2a0e:1c80:xxxx:yyyy::b7d/64                # N/A
                peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
                 latest handshake: 20 seconds ago
                 transfer: 7.55 KiB received, 712.18 KiB sent           0 Days, 00:07:42 since Thu Mar 31 20:29:00 2022 >>>>>>

        WireGuard ACTIVE Peer Status: Clients 1, Servers 0

But it is definitely NOT working correctly: if I browse to AzireVPN it shows I am not connected, on ipleak.net I only have IPv6 connectivity, and ipv6-test.com shows the same.

What does "iptables v1.4.21: Need TCP, UDP, SCTP or DCCP with port specification" mean, and what can I test?
To know which command goes wrong, start the peer in debug mode:
Code:
E:Option ==> start wg11 debug
It will print all commands. Sanitize the information and post it here.

My dual-stack peer doesn't give this error, so maybe some info got imported wrong. The output will point us in the right direction.
 
To know which command goes wrong, start the peer in debug mode:
Code:
E:Option ==> start wg11 debug
It will print all commands. Sanitize the information and post it here.

My dual-stack peer doesn't give this error, so maybe some info got imported wrong. The output will point us in the right direction.
Code:
E:Option ==> start wg11 debug

        Requesting WireGuard VPN Peer start (wg11)

        WireGuard-clientwg11: Initialising WireGuard VPN 'client' Peer (wg11) to nl1.wg.azirevpn.net:51820 (# N/A) DNS=2a0e:1c80:xxxx:yyyy::1
[#] iptables -t nat -N WGDNS1
[#] ip6tables -t nat -N WGDNS1
[#] ip link add dev wg11 type wireguard
[#] wg setconf wg11 /tmp/wg11.28604 #(/opt/etc/wireguard.d/wg11.conf)
[#] ip -6 address add dev wg11 2a0e:1c80:xxxx,yyyy::b7d/64
[#] ip link set up dev wg11
[#] ip -6 link set up dev wg11
[#] ifconfig wg11 mtu 1420
[#] ifconfig wg11 txqueuelen 1000
[#] ip route add 45.15.19.34 via {WAN IPv4}
[#] ip route add 0/1 dev wg11
[#] ip route add 128/1 dev wg11
[#] iptables -t nat -A WGDNS1 -s {LAN IPv4}/24 -j DNAT --to-destination 2a0e:1c80:xxxx:yyyy::1 -m comment --comment WireGuard 'client1 DNS'
iptables v1.4.21: Need TCP, UDP, SCTP or DCCP with port specification
Try `iptables -h' or 'iptables --help' for more information.
[#] ip route add 0/1 dev wg11 table 121
[#] ip route add 128/1 dev wg11 table 121
[#] ip route add table 121 10.0.0.0/8 proto kernel scope link src {Pixelsrv IPv4} dev br0
[#] ip route add table 121 {LAN IPv4}/24 proto kernel scope link src {Router IPv4} dev br0
[#] iptables -t mangle -I FORWARD -o wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I FORWARD -i wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I FORWARD -o wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I PREROUTING -i wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] iptables -t nat -I POSTROUTING -s {LAN IPv4}/24 -o wg11 -j MASQUERADE -m comment --comment WireGuard 'client'
[#] iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
[#] iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
[#] ip6tables -t mangle -I FORWARD -o wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -I FORWARD -i wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -I FORWARD -o wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -I PREROUTING -i wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] ip6tables -t nat -I POSTROUTING -s {Router WAN IPv6}/64 -o wg11 -j MASQUERADE -m comment --comment WireGuard 'client'
[#] ip6tables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
[#] ip6tables -t nat -I PREROUTING -p udp -m udp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'

The issue appears to be in:
[#] iptables -t nat -A WGDNS1 -s {LAN IPv4}/24 -j DNAT --to-destination 2a0e:1c80:xxxx:yyyy::1 -m comment --comment WireGuard 'client1 DNS'
iptables v1.4.21: Need TCP, UDP, SCTP or DCCP with port specification
 
The issue appears to be in:
There is a lot going on here as far as I can tell:
1. wgm sets up the interface with IPv6 but not IPv4. Did it get both IPs from the import? (peer wg11)
2. wgm sets up a route for IPv4 (although there is no IP?) but not for IPv6.
3. For the iptables error rule, it seems to be a case of IPv6 mistaken for IPv4.
4. The "ip route add table 121 10.0.0.0/8" looks dangerous. Is your LAN really on a /8? There is a risk of conflict here; it's not unusual for WireGuard internet clients to be on 10.0.0.0/8 addresses.

I guess removing wg11 and trying a fresh import gives the same result?

pinging @Martineau to take a look.
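Added example, not code from wireguard_manager or from anyone in this thread: the small parser below reads a conf of the shape posted above and emits the DNAT rule for each DNS entry using the tool that matches the resolver's address family, which is the check the failing line skipped. iptables treats a colon in --to-destination as the start of a port specification, so an IPv6 resolver handed to IPv4 iptables produces exactly the "Need TCP, UDP, SCTP or DCCP with port specification" error in the debug output, even though no port was intended. It also flags the mismatch from point 1: a DNS or AllowedIPs entry whose family the tunnel has no Address for. The sample conf is constructed (redacted keys, the provider prefix replaced by the 2001:db8::/32 documentation range); the chain name WGDNS1 and the LAN networks are the ones from this thread.

```python
import ipaddress

# Constructed sample conf with the shape of the dual-stack client conf posted in the thread.
# Keys are redacted and the provider's IPv6 prefix is replaced by the documentation range.
SAMPLE_CONF = """\
[Interface]
PrivateKey = REDACTED_PRIVATE_KEY=
Address = 10.0.11.124/19, 2001:db8:1::b7d/64
DNS = 10.0.0.1, 2001:db8:1::1

[Peer]
PublicKey = REDACTED_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = nl1.wg.azirevpn.net:51820
PersistentKeepalive = 25
"""

LIST_KEYS = ("Address", "DNS", "AllowedIPs")


def parse_wg_conf(text):
    """Parse a WireGuard INI-style conf into {section: {key: value}}.
    Keys that hold comma-separated lists are returned as lists of strings."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line}")
        key, _, value = line.partition("=")       # base64 keys end in '=', so split on the first one only
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            value = [v.strip() for v in value.split(",") if v.strip()]
        sections[current][key] = value
    return sections


def dns_dnat_rules(conf, lan4, lan6, chain="WGDNS1"):
    """One DNAT rule per DNS entry: iptables for IPv4 resolvers, ip6tables for IPv6 ones.
    lan4/lan6 are the LAN source networks the rule of each family should match."""
    rules = []
    for dns in conf["Interface"].get("DNS", []):
        resolver = ipaddress.ip_address(dns)      # ValueError on anything that is not an address
        tool, src = ("iptables", lan4) if resolver.version == 4 else ("ip6tables", lan6)
        if src is None:
            raise ValueError(f"resolver {dns} is IPv{resolver.version} but no LAN network of that family was given")
        rules.append(f"{tool} -t nat -A {chain} -s {src} -j DNAT --to-destination {dns}")
    return rules


def check_families(conf):
    """Warn about DNS resolvers or AllowedIPs whose address family the tunnel has no Address for:
    a resolver the tunnel cannot carry is unreachable once queries are redirected to it."""
    iface, peer = conf["Interface"], conf.get("Peer", {})
    have = {ipaddress.ip_interface(a).version for a in iface.get("Address", [])}
    warnings = []
    for dns in iface.get("DNS", []):
        v = ipaddress.ip_address(dns).version
        if v not in have:
            warnings.append(f"DNS {dns} is IPv{v} but the tunnel has no IPv{v} Address")
    for net in peer.get("AllowedIPs", []):
        v = ipaddress.ip_network(net, strict=False).version
        if v not in have:
            warnings.append(f"AllowedIPs {net} is IPv{v} but the tunnel has no IPv{v} Address")
    return warnings


if __name__ == "__main__":
    conf = parse_wg_conf(SAMPLE_CONF)
    for rule in dns_dnat_rules(conf, "10.50.60.0/24", "2001:db8:2::/56"):
        print(rule)
    for warning in check_families(conf):
        print("WARNING:", warning)
```

Running it prints one iptables rule for 10.0.0.1 and one ip6tables rule for the IPv6 resolver, and no warnings; drop the IPv4 Address from the sample and check_families reports both the IPv4 resolver and the 0.0.0.0/0 AllowedIPs entry as uncarried.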
 
There is a lot going on here as far as I can tell:
1. wgm sets up the interface with IPv6 but not IPv4. Did it get both IPs from the import? (peer wg11)
2. wgm sets up a route for IPv4 (although there is no IP?) but not for IPv6.
3. For the iptables error rule, it seems to be a case of IPv6 mistaken for IPv4.
4. The "ip route add table 121 10.0.0.0/8" looks dangerous. Is your LAN really on a /8? There is a risk of conflict here; it's not unusual for WireGuard internet clients to be on 10.0.0.0/8 addresses.

I guess removing wg11 and trying a fresh import gives the same result?

pinging @Martineau to take a look.
In case it helps, the wg11.conf looks like:
Code:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.0.11.124/19, 2a0e:1c80:xxxx:yyyy::b7d/64
DNS = 10.0.0.1, 2a0e:1c80:xxxx:yyyy::1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = nl1.wg.azirevpn.net:51820

PersistentKeepalive = 25
It was created from:
Code:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.0.11.124/19, 2a0e:1c80:xxxx:yyyy::b7d/64
DNS = 10.0.0.1, 2a0e:1c80:xxxx:yyyy::1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = nl1.wg.azirevpn.net:51820
So a 1:1 mapping, and then I added the 'keep alive'.

My LAN is 10.50.60.1/24 (so not /8); I use DHCP from .67 to .254, and the pixelserv interfaces (primary and alternate) are:
Code:
br0:alternate_b Link encap:Ethernet  HWaddr A8:5E:45:AA:BB:CC
          inet addr:10.50.60.11  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

br0:pixelserv-t Link encap:Ethernet  HWaddr A8:5E:45:AA:BB:CC
          inet addr:10.50.60.10  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
 
In case it helps, the wg11.conf looks like:
Code:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.0.11.124/19, 2a0e:1c80:xxxx:yyyy::b7d/64
DNS = 10.0.0.1, 2a0e:1c80:xxxx:yyyy::1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = nl1.wg.azirevpn.net:51820

PersistentKeepalive = 25
It was created from:
Code:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.0.11.124/19, 2a0e:1c80:xxxx:yyyy::b7d/64
DNS = 10.0.0.1, 2a0e:1c80:xxxx:yyyy::1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = nl1.wg.azirevpn.net:51820
So a 1:1 mapping, and then I added the 'keep alive'.

My LAN is 10.50.60.1/24 (so not /8); I use DHCP from .67 to .254, and the pixelserv interfaces (primary and alternate) are:
Code:
br0:alternate_b Link encap:Ethernet  HWaddr A8:5E:45:AA:BB:CC
          inet addr:10.50.60.11  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

br0:pixelserv-t Link encap:Ethernet  HWaddr A8:5E:45:AA:BB:CC
          inet addr:10.50.60.10  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
Thanks for your Dual-stack IPv4+IPv6 bug report; but before I push a fix......

Regarding the dangerous 10.0.0.0/8, what does the following show:
Code:
ip route show table main dev $(nvram get lan_ifname)
And which NVRAM variable holds your IPv6 LAN subnet and mask suffix? Or a variable from which I could derive it?

e.g.
Code:
nvram get ipv6_rtr_addr
 
Thanks for your Dual-stack IPv4+IPv6 bug report; but before I push a fix......

Regarding the dangerous 10.0.0.0/8, what does the following show:
Code:
ip route show table main dev $(nvram get lan_ifname)
And which NVRAM variable holds your IPv6 LAN subnet and mask suffix? Or a variable from which I could derive it?

e.g.
Code:
nvram get ipv6_rtr_addr
Code:
admin@RT-AX88U-5050:/tmp/home/root# ip route show table main dev $(nvram get lan_ifname)
10.0.0.0/8 proto kernel scope link src 10.50.60.10
10.50.60.0/24 proto kernel scope link src 10.50.60.1

The IPv6 entries are from nvram show | grep ipv6. I have not included any ipv61_ or ipv6_6rd_ entries, as ipv61_service=disabled and I am using Native with DHCP-PD, not tunnelling; I can provide them if it would assist.
Code:
ipv6_accept_defrtr=1
ipv6_autoconf_type=0
ipv6_debug=0
ipv6_dhcp6c_release=0
ipv6_dhcp6s_enable=1
ipv6_dhcp_end=
ipv6_dhcp_lifetime=86400
ipv6_dhcp_pd=1
ipv6_dhcp_start=
ipv6_dns1=2620:119:35::35
ipv6_dns2=2620:119:53::53
ipv6_dns3=
ipv6_dnsenable=0
ipv6_fw_enable=1
ipv6_gateway=
ipv6_get_dns=
ipv6_get_domain=
ipv6_ifdev=ppp
ipv6_ipaddr=
ipv6_llremote=
ipv6_ns_drop=0
ipv6_prefix=2a02:c7f:xxxx:yyyy::
ipv6_prefix_len_wan=64
ipv6_prefix_length=56
ipv6_prefix_length_s=
ipv6_prefix_s=
ipv6_radvd=1
ipv6_relay=192.88.99.1
ipv6_rtr_addr=2a02:c7f:xxxx:yyyy::1
ipv6_rtr_addr_s=
ipv6_sbstate_t=0
ipv6_service=dhcp6
ipv6_state_t=0
ipv6_tun_addr=
ipv6_tun_addrlen=64
ipv6_tun_mtu=0
ipv6_tun_peer=
ipv6_tun_ttl=255
ipv6_tun_v4end=0.0.0.0
ipv6_unit=0
ipv6_wan_addr=
wl0_ipv6addr=0
wl1_ipv6addr=0
wl_ipv6addr=0
ipv6_fw_rulelist=
From the IPv6 Log tab:
WAN IPv6 Address 2a02:c7f:xxxx:yyyy::1
LAN IPv6 Address 2a02:c7f:xxxx:yyyy::1/56
LAN IPv6 Prefix 2a02:c7f:xxxx:yyyy::/56
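Added example (not from wireguard_manager or from anyone in this thread) for the 10.0.0.0/8 route in the output above: it reproduces the kernel's connected route from an alias address and netmask, which shows that the pixelserv alias with Mask:255.0.0.0 is what puts 10.0.0.0/8 on br0, and then checks the LAN routes against the tunnel's own address. The tunnel's 10.0.11.124/19 lives inside that /8, so when wgm copies the route into table 121, traffic for the provider's subnet is pointed at br0 instead of wg11. The route lines and addresses are the ones posted above, embedded here as constructed sample input.

```python
import ipaddress

# Constructed sample input: the two `ip route show table main dev br0` lines posted in the
# thread plus the tunnel address from wg11.conf. Not read from a live router.
LAN_ROUTES = [
    "10.0.0.0/8 proto kernel scope link src 10.50.60.10",
    "10.50.60.0/24 proto kernel scope link src 10.50.60.1",
]
TUNNEL_ADDRESS = "10.0.11.124/19"


def parse_route_line(line):
    """Return (network, src) from one `ip route` line; src is None when the line has none."""
    fields = line.split()
    network = ipaddress.ip_network(fields[0], strict=False)
    src = ipaddress.ip_address(fields[fields.index("src") + 1]) if "src" in fields else None
    return network, src


def alias_route(addr, netmask):
    """The connected route the kernel installs for an interface or alias with this address
    and netmask, e.g. 10.50.60.10 with 255.0.0.0 -> 10.0.0.0/8."""
    return str(ipaddress.ip_interface(f"{addr}/{netmask}").network)


def overlapping_routes(route_lines, tunnel_address):
    """Return [(route, src)] for LAN routes whose prefix overlaps the tunnel's own subnet.
    Any hit means the LAN route and the VPN provider's address space compete for the same
    destinations once the route is copied into the policy-routing table."""
    tunnel = ipaddress.ip_interface(tunnel_address).network
    hits = []
    for line in route_lines:
        network, src = parse_route_line(line)
        if network.version == tunnel.version and network.overlaps(tunnel):
            hits.append((str(network), None if src is None else str(src)))
    return hits


if __name__ == "__main__":
    for route, src in overlapping_routes(LAN_ROUTES, TUNNEL_ADDRESS):
        print(f"route {route} (src {src}) overlaps tunnel {TUNNEL_ADDRESS}")
    print("alias 10.50.60.10/255.0.0.0 yields route", alias_route("10.50.60.10", "255.0.0.0"))
    print("alias 10.50.60.10/255.255.255.0 yields route", alias_route("10.50.60.10", "255.255.255.0"))
```

With the alias narrowed to the LAN's real mask (255.255.255.0) the induced route becomes 10.50.60.0/24 and no longer overlaps the tunnel; the check returns no hits for an address such as 192.168.51.5/24 that sits outside 10/8.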
 
Code:
admin@RT-AX88U-5050:/tmp/home/root# ip route show table main dev $(nvram get lan_ifname)
10.0.0.0/8 proto kernel scope link src 10.50.60.10
10.50.60.0/24 proto kernel scope link src 10.50.60.1

The IPv6 entries are from nvram show | grep ipv6. I have not included any ipv61_ or ipv6_6rd_ entries, as ipv61_service=disabled and I am using Native with DHCP-PD, not tunnelling; I can provide them if it would assist.
Code:
ipv6_accept_defrtr=1
ipv6_autoconf_type=0
ipv6_debug=0
ipv6_dhcp6c_release=0
ipv6_dhcp6s_enable=1
ipv6_dhcp_end=
ipv6_dhcp_lifetime=86400
ipv6_dhcp_pd=1
ipv6_dhcp_start=
ipv6_dns1=2620:119:35::35
ipv6_dns2=2620:119:53::53
ipv6_dns3=
ipv6_dnsenable=0
ipv6_fw_enable=1
ipv6_gateway=
ipv6_get_dns=
ipv6_get_domain=
ipv6_ifdev=ppp
ipv6_ipaddr=
ipv6_llremote=
ipv6_ns_drop=0
ipv6_prefix=2a02:c7f:xxxx:yyyy::
ipv6_prefix_len_wan=64
ipv6_prefix_length=56
ipv6_prefix_length_s=
ipv6_prefix_s=
ipv6_radvd=1
ipv6_relay=192.88.99.1
ipv6_rtr_addr=2a02:c7f:xxxx:yyyy::1
ipv6_rtr_addr_s=
ipv6_sbstate_t=0
ipv6_service=dhcp6
ipv6_state_t=0
ipv6_tun_addr=
ipv6_tun_addrlen=64
ipv6_tun_mtu=0
ipv6_tun_peer=
ipv6_tun_ttl=255
ipv6_tun_v4end=0.0.0.0
ipv6_unit=0
ipv6_wan_addr=
wl0_ipv6addr=0
wl1_ipv6addr=0
wl_ipv6addr=0
ipv6_fw_rulelist=
From the IPv6 Log tab
Many thanks.

The IPv6 stuff is a minefield...:rolleyes:

I've uploaded wireguard_manager Beta v4.16bA

To test the patch, upgrade using:
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 
Hi, I'm totally at a loss. I set this up and I cannot seem to get an IPv6 server. When I do

Code:
peer new ipv6=2001:REDACTED::100:1/64 ip=192.168.51.1/24

I get the following error:

Code:
***ERROR: '2001:REDACTED::100:1/64' must be Private IPv6 address

Yes, the prefix is allocated to me and is static. In the GUI, it's native IPv6 with prefix delegation on. Creating a new peer without specifying the IPv6 address only gets me an IPv4 server.

I was following the ipv6 portion of the instructions here: https://github.com/ZebMcKayhan/WireguardManager#setup-wg-server

Are they no longer accurate?
 
Hi, I'm totally at a loss. I set this up and I cannot seem to get an IPv6 server. When I do

Code:
peer new ipv6=2001:REDACTED::100:1/64 ip=192.168.51.1/24

I get the following error:

Code:
***ERROR: '2001:REDACTED::100:1/64' must be Private IPv6 address

Yes, the prefix is allocated to me and is static. In the GUI, it's native IPv6 with prefix delegation on. Creating a new peer without specifying the IPv6 address only gets me an IPv4 server.

I was following the ipv6 portion of the instructions here: https://github.com/ZebMcKayhan/WireguardManager#setup-wg-server

Are they no longer accurate?
They should be. But you might need to update to the dev version:
Code:
E:Option ==> uf dev

Also, I don't know if it is still relevant, but test 2001:REDACTED:100::1/64 instead of 2001:REDACTED::100:1/64.

When I tested, wgm got the IPs wrong if the address didn't end with ::1, which yours didn't.
 
Many thanks.

The IPv6 stuff is a minefield...:rolleyes:

I've uploaded wireguard_manager Beta v4.16bA

To test the patch, upgrade using:
Code:
e  = Exit Script [?]

E:Option ==> uf dev
After uploading, deleting and recreating wg11 and rebooting, the IPv4 connectivity returned, but IPv6 is still not working correctly:
If I browse to AzireVPN it shows as not connected.
If I browse to Browserleaks, IPv4 shows the VPN address but IPv6 still shows the device IPv6 address.
- running the same conf on my phone works correctly.

start wg11 debug now shows:
Code:
[#] iptables -t nat -N WGDNS1
[#] ip6tables -t nat -N WGDNS1
[#] ip link add dev wg11 type wireguard
[#] wg setconf wg11 /tmp/wg11.23822 #(/opt/etc/wireguard.d/wg11.conf)
[#] ip address add dev wg11 10.0.11.124/19
[#] ip -6 address add dev wg11 2a0e:1c80:xxxx:yyyy::b7d/64
[#] ip link set up dev wg11
[#] ip -6 link set up dev wg11
[#] ifconfig wg11 mtu 1420
[#] ifconfig wg11 txqueuelen 1000
[#] ip route add 45.15.19.34 via {WAN IPV4}
[#] ip route add 0/1 dev wg11
[#] ip route add 128/1 dev wg11
[#] iptables -t nat -A WGDNS1 -s 10.50.60.0/24 -j DNAT --to-destination 10.0.0.1 -m comment --comment WireGuard 'client1 DNS'
[#] ip6tables -t nat -A WGDNS1 -s {ipv6_prefix/ipv6_prefix_length} -j DNAT --to-destination 2a0e:1c80:xxxx:yyyy::1 -m comment --comment WireGuard 'client1 DNS'
[#] ip route add 0/1 dev wg11 table 121
[#] ip route add 128/1 dev wg11 table 121
[#] ip route add table 121 10.0.0.0/8 proto kernel scope link src 10.50.60.10 dev br0
[#] ip route add table 121 10.50.60.0/24 proto kernel scope link src 10.50.60.1 dev br0
[#] iptables -t mangle -I FORWARD -o wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I FORWARD -i wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I FORWARD -o wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I PREROUTING -i wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] iptables -t nat -I POSTROUTING -s 10.50.60.1/24 -o wg11 -j MASQUERADE -m comment --comment WireGuard 'client'
[#] iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
[#] iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
[#] ip6tables -t mangle -I FORWARD -o wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -I FORWARD -i wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -I FORWARD -o wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -I PREROUTING -i wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] ip6tables -t nat -I POSTROUTING -s {ipv6_rtr_addr/ipv6_prefix_len_wan} -o wg11 -j MASQUERADE -m comment --comment WireGuard 'client'
[#] ip6tables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
[#] ip6tables -t nat -I PREROUTING -p udp -m udp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
 
After uploading, deleting and recreating wg11 and rebooting, the IPv4 connectivity returned, but IPv6 is still not working correctly:
If I browse to AzireVPN it shows as not connected.
If I browse to Browserleaks, IPv4 shows the VPN address but IPv6 still shows the device IPv6 address.
- running the same conf on my phone works correctly.

start wg11 debug now shows:
Code:
[#] iptables -t nat -N WGDNS1
[#] ip6tables -t nat -N WGDNS1
[#] ip link add dev wg11 type wireguard
[#] wg setconf wg11 /tmp/wg11.23822 #(/opt/etc/wireguard.d/wg11.conf)
[#] ip address add dev wg11 10.0.11.124/19
[#] ip -6 address add dev wg11 2a0e:1c80:xxxx:yyyy::b7d/64
[#] ip link set up dev wg11
[#] ip -6 link set up dev wg11
[#] ifconfig wg11 mtu 1420
[#] ifconfig wg11 txqueuelen 1000
[#] ip route add 45.15.19.34 via {WAN IPV4}
[#] ip route add 0/1 dev wg11
[#] ip route add 128/1 dev wg11
[#] iptables -t nat -A WGDNS1 -s 10.50.60.0/24 -j DNAT --to-destination 10.0.0.1 -m comment --comment WireGuard 'client1 DNS'
[#] ip6tables -t nat -A WGDNS1 -s {ipv6_prefix/ipv6_prefix_length} -j DNAT --to-destination 2a0e:1c80:xxxx:yyyy::1 -m comment --comment WireGuard 'client1 DNS'
[#] ip route add 0/1 dev wg11 table 121
[#] ip route add 128/1 dev wg11 table 121
[#] ip route add table 121 10.0.0.0/8 proto kernel scope link src 10.50.60.10 dev br0
[#] ip route add table 121 10.50.60.0/24 proto kernel scope link src 10.50.60.1 dev br0
[#] iptables -t mangle -I FORWARD -o wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I FORWARD -i wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I FORWARD -o wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I PREROUTING -i wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] iptables -t nat -I POSTROUTING -s 10.50.60.1/24 -o wg11 -j MASQUERADE -m comment --comment WireGuard 'client'
[#] iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
[#] iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
[#] ip6tables -t mangle -I FORWARD -o wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -I FORWARD -i wg11 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -I FORWARD -o wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -I PREROUTING -i wg11 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] ip6tables -t nat -I POSTROUTING -s {ipv6_rtr_addr/ipv6_prefix_len_wan} -o wg11 -j MASQUERADE -m comment --comment WireGuard 'client'
[#] ip6tables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
[#] ip6tables -t nat -I PREROUTING -p udp -m udp --dport 53 -j WGDNS1 -m comment --comment WireGuard 'client1 DNS'
wgm still doesn't add a default route for IPv6. Is your client in default (ALL auto=y/n) mode or Policy (auto=p) mode? It looks like default, so you could add the route manually meanwhile:
Code:
ip -6 route add 0::/1 dev wg11
ip -6 route add 8000::/1 dev wg11
 
wgm still doesn't add a default route for IPv6. Is your client in default (ALL auto=y/n) mode or Policy (auto=p) mode? It looks like default, so you could add the route manually meanwhile:
Code:
ip -6 route add 0/1 dev wg11
ip -6 route add 128/1 dev wg11
Code:
ip -6 route add 0/1 dev wg11
Error: inet6 prefix is expected rather than "0/1".

ip -6 route add 128/1 dev wg11
Error: inet6 prefix is expected rather than "128/1".
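Added example, not code from wireguard_manager or from anyone in this thread, for the missing IPv6 default route and the "inet6 prefix is expected" error above: it derives the two half-default routes for every full-default AllowedIPs entry in the right notation for each family. wgm already uses the pair 0/1 and 128/1 for IPv4 (visible in the debug output); those are IPv4-only shorthands, which is why `ip -6` rejects them, and the IPv6 equivalent is ::/1 and 8000::/1. Two /1 routes beat the existing /0 default on longest-prefix match without deleting it. The interface name wg11 is the one from this thread; the AllowedIPs list is the sample input.

```python
import ipaddress


def split_default_routes(allowed_ips, dev="wg11"):
    """For each full-default AllowedIPs entry (0.0.0.0/0 or ::/0) return the two half-default
    `ip route add` commands of the matching family. Two /1 routes win longest-prefix match
    against the existing /0 default without having to remove it."""
    cmds = []
    for entry in allowed_ips:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen != 0:
            continue                              # a narrower AllowedIPs entry is routed as-is
        flag = "-6" if net.version == 6 else "-4"
        for half in net.subnets(prefixlen_diff=1):  # ::/0 -> ::/1 and 8000::/1
            cmds.append(f"ip {flag} route add {half} dev {dev}")
    return cmds


def is_inet6_prefix(text):
    """True when text parses as an IPv6 prefix. The IPv4 shorthands '0/1' and '128/1'
    do not, which is what the `ip -6 route add` error above complains about."""
    try:
        return ipaddress.ip_network(text, strict=False).version == 6
    except ValueError:
        return False


if __name__ == "__main__":
    # Sample input: the AllowedIPs list from the wg11.conf posted earlier in the thread.
    for cmd in split_default_routes(["0.0.0.0/0", "::/0"]):
        print(cmd)
    for candidate in ("0/1", "128/1", "0::/1", "8000::/1"):
        print(candidate, "accepted" if is_inet6_prefix(candidate) else "rejected")
```

Run as-is it prints the four route commands (two per family) and shows 0/1 and 128/1 rejected while 0::/1 and 8000::/1 are accepted; a Policy-mode client would install the same pair into its own routing table instead of main.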
 
