Wireguard Session Manager - Discussion (3rd) thread

I am so glad I am all IPv4…dread the day I need to deal with IPv6…
 
So, if I'm reading this right, clients seem to use DNS properly but only for IPv4 data. IPv6 data still goes out the WAN?

If that is correct, check rules in wgm:
Code:
E: Option ==> peer wg11
and the resulting routing rules:
Code:
ip -6 rule
And wg11 policy route table:
Code:
ip -6 route show table 121
My mistake - DNS is behaving as expected for both IPv4 and IPv6.

What is not happening is routing the device's IPv6 connections through the tunnel, starting with the fact that I had not attached it!
Also I have edited wg11-up.sh in #17 to include your recommendation in #16 of
Code:
ip6tables -t nat -A WGDNS1 -s <LanIP6> -j DNAT --to-destination <RouterIp6>
swapping -i br0 for -s <LanIP6>

Code:
E:Option ==> peer wg11

Client  Auto  IP                                        Endpoint                   DNS                                   MTU  Public                                          Private                                             Annotate
wg11    P     10.0.11.124/19, 2a0e:1c80:4:2000::b7d/64  nl1.wg.azirevpn.net:51820  10.50.60.1,fe80::aa5e:45ff:feae:50aa       xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=  yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyI=  # N/A


        Selective Routing RPDB rules
ID  Peer  Interface  Source                      Destination  Description
4   wg11  VPN        fd36:7ef1:2add:aa88:100::1  Any          Unbound6VPN
3   wg11  VPN        192.168.3.1                 Any          Unbound4VPN
2   wg11  VPN        10.50.60.150                Any          Local PC

Code:
# ip -6 rule
0:      from all lookup local
9911:   from fd36:7ef1:2add:aa88:100::1 lookup 121
32766:  from all lookup main

Code:
#ip -6 route show table 121
default dev wg11 metric 1024 pref medium

However if I try to attach the Local PC's IPV6 address, either as
Code:
peer wg11 rule add vpn 2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62
or as
Code:
peer wg11 rule add vpn src=2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62
I get
Code:
        Selective Routing RPDB rules
ID  Peer  Interface  Source                      Destination                             Description
4   wg11  VPN        fd36:7ef1:2add:aa88:100::1  Any                                     Unbound6VPN
7   wg11  VPN        Any                         2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62
3   wg11  VPN        192.168.3.1                 Any                                     Unbound4VPN
2   wg11  VPN        10.50.60.150                Any                                     Local PC

Two questions
1. How do I add a device's IPv6 to the vpn as source?
2. As the IPv6 address is dynamic, how do I manage when it changes?


Following your advice in #3 I have added
Code:
ip6tables -t mangle -I PREROUTING -m mac --mac-source <devicemac> -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -I PREROUTING -m mac --mac-source <devicemac> -j MARK --set-mark 0x1000/0x1000
and
Code:
ip rule add from all fwmark 0x1000 table 121 prio 9900
ip -6 rule add from all fwmark 0x1000 table 121 prio 9900
echo 2 > /proc/sys/net/ipv4/conf/wg11/rp_filter
and the device IPs and DNS are now reporting correctly for IPv4 and IPv6 - no leaking
Checked with ipleak.net, browserleak.com, test-ipv6.com & ipv6-test.com

Hopefully final questions
Should I add the above to my wg11-up / wg11-down scripts?
Is echo 2 > /proc/sys/net/ipv4/conf/wg11/rp_filter taken down on stopping wg11, or do I need to do anything in the wg11-down script?
I assume I can remove the IPv4 vpn to 10.50.60.150 rule as it is now superfluous?
 
Two questions
1. How do I add a device's IPv6 to the vpn as source?
You are doing it right, but wgm forces the change to destination for some reason. I tried it:
Code:
E:Option ==> peer wg12 rule add vpn src=2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62

        [✔] Updated RPDB Selective Routing rule for wg12 ***Source 2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62 switched to destination!

This is something @Martineau will look at, or explain.

Meanwhile you could add it yourself:
Code:
ip -6 rule add from 2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62 table 121 prio 9911

There are no defined ways to handle an IPv6 address change, as the router is not in control of that. But we should be able to manage prefix changes...
 
You are doing it right, but wgm forces the change to destination for some reason. I tried it:
Code:
E:Option ==> peer wg12 rule add vpn src=2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62

        [✔] Updated RPDB Selective Routing rule for wg12 ***Source 2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62 switched to destination!

This is something @Martineau will look at, or explain.

Meanwhile you could add it yourself:
Code:
ip -6 rule add from 2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62 table 121 prio 9911

There are no defined ways to handle an IPv6 address change, as the router is not in control of that. But we should be able to manage prefix changes...
Solved using your recommendation in #3 above - see edits to #22 using the MAC address to circumvent the problem

AND this setup also sends all DNS enquiries (IPv4 and IPv6) for all LAN devices (except, I assume, anything using DoH) through the WireGuard VPN, something that was not achievable on OpenVPN, as the router client does not support IPv6.

I may test using the revised instructions for adding the IPv6 to wg11 over the weekend and this may be a better/alternative solution where someone is using DHCPv6 so the addresses are fixed. For SLAAC, where they are not, I think using the MAC addresses (provided they are not also dynamic) is a more robust solution.

Next tests - passthrough.
 
You are doing it right, but wgm forces the change to destination for some reason. I tried it:
Code:
E:Option ==> peer wg12 rule add vpn src=2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62

        [✔] Updated RPDB Selective Routing rule for wg12 ***Source 2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62 switched to destination!

This is something @Martineau will look at, or explain.
When specifying the Selective Routing Rule, if there is any ambiguity (routable IP address vs. private IP address) then you must explicitly specify both the src= and dst= parameters.

e.g.
Code:
e  = Exit Script [?]

E:Option ==> peer wg12 rule add vpn src=2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62 dst=any

    [✔] Updated RPDB Selective Routing rule for wg12


Client  Auto  IP                                               Endpoint              DNS             MTU  Public                                        Private                                       Annotate
wg12    N     10.168.128.1/32,fd00:bbbb:bbbb:bb01::9:1e00/128  193.220.213.51:51820  193.138.218.74       j//ylCahjy/LiynsaPKYkOwBmE5F0M6lQMZfgicJpm8=  UO1tzRPU/EZeeKWSd3aR17lqWi6tD1snPXkXyqBLf0Q=  # Mullvad France, Paris

    Selective Routing RPDB rules
ID  Peer  Interface  Source                                  Destination  Description
1   wg12  VPN        2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62  Any
 
is echo 2 > /proc/sys/net/ipv4/conf/wg11/rp_filter taken down on stop wg11, or do i need to do anything is the wg11-down.script?
Really doesn't matter since the interface is brought down so these files are removed.

Following your advice in #3 I have added
Does this work for wireless clients as well? The MAC address is a low-level part of the protocol and removed at the higher level.

I assume I can remove the IPv4 vpn to 10.50.60.150 rule as it is now superfluous?
I don't know, I've never tried this, you're the first-runner. You tell me. Reliability? Efficiency? But in principle, yes, but make sure to test so it covers all cases (like TCP, UDP).
 
Solved using your recommendation in #3 above - see edits to #22 using the MAC address to circumvent the problem

AND this setup also sends all DNS enquires (IPv4 and IPv6) for all LAN devices (except I assume anything using DoH) through the WireGuard VPN, something that was not achievable on OpenVPN, as the router client does not support IPv6.

I may test using the revised instructions for adding the IPv6 to wg11 over the weekend and this may be a better/alternative solution where someone is using DHCP6 so the addresses are fixed. For SLAAC, where they are not I think using the MAC addresses (provided they are not also dynamic) is a more robust solution.

Next tests - passthrough.
While I haven't tried this, it seems possible to create MAC address ipsets:
Code:
ipset create wg11-mac hash:mac
ipset add wg11-mac XX:XX:XX:XX:XX:XX

Here you could add as many MAC addresses to the set as you wish.

I expect it is not possible to add this ipset in wgm, but the firewall rule would be something like:
Code:
iptables -t mangle -I PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000
ip6tables -t mangle -I PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000

After this you could manage the MAC addresses in the ipsets instead of changing and adding more firewall rules.
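A worked version of the ipset approach above, added here as an example and not wireguard_manager's own code: it combines the per-MAC marking from the earlier post (fwmark 0x1000, table 121, prio 9900) with one hash:mac set and makes the up/down steps idempotent. The script name, the set name wg11-mac and the valid_mac check are assumptions.

```shell
#!/bin/sh
# Added example, not wireguard_manager's own code: route chosen LAN devices through
# wg11 by MAC address (so SLAAC address changes do not matter) using one hash:mac
# ipset and the same fwmark, table and priority values used earlier in this thread.
# Assumed usage:  wg11-mac.sh up AA:BB:CC:DD:EE:FF 11:22:33:44:55:66  |  wg11-mac.sh down
WG_SET="${WG_SET:-wg11-mac}"   # ipset name (assumed)
WG_MARK=0x1000
WG_TABLE=121
WG_PRIO=9900

# Accept only six colon-separated hex pairs; anything else never reaches ipset.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Create the set if needed and add each argument; prints how many were accepted.
load_macs() {
    accepted=0
    ipset create "$WG_SET" hash:mac -exist
    for mac in "$@"; do
        if valid_mac "$mac"; then
            ipset add "$WG_SET" "$mac" -exist
            accepted=$((accepted + 1))
        else
            echo "skipping invalid MAC: $mac" >&2
        fi
    done
    echo "$accepted"
}

# Insert the mangle MARK rule with the binary given as $1 (iptables or ip6tables)
# only if "-C" reports it absent, so running the up script twice adds nothing.
ensure_mark_rule() {
    "$1" -t mangle -C PREROUTING -m set --match-set "$WG_SET" src -j MARK --set-mark "$WG_MARK/$WG_MARK" 2>/dev/null ||
    "$1" -t mangle -I PREROUTING -m set --match-set "$WG_SET" src -j MARK --set-mark "$WG_MARK/$WG_MARK"
}

wg_mac_up() {
    load_macs "$@" >/dev/null
    ensure_mark_rule iptables
    ensure_mark_rule ip6tables
    # delete-then-add leaves exactly one copy of the policy rule per address family
    for fam in -4 -6; do
        ip $fam rule del fwmark "$WG_MARK" table "$WG_TABLE" prio "$WG_PRIO" 2>/dev/null || true
        ip $fam rule add fwmark "$WG_MARK" table "$WG_TABLE" prio "$WG_PRIO"
    done
}

# Remove every copy of the MARK rule and the policy rules; the set itself is kept.
wg_mac_down() {
    for t in iptables ip6tables; do
        while "$t" -t mangle -C PREROUTING -m set --match-set "$WG_SET" src -j MARK --set-mark "$WG_MARK/$WG_MARK" 2>/dev/null; do
            "$t" -t mangle -D PREROUTING -m set --match-set "$WG_SET" src -j MARK --set-mark "$WG_MARK/$WG_MARK"
        done
    done
    for fam in -4 -6; do
        ip $fam rule del fwmark "$WG_MARK" table "$WG_TABLE" prio "$WG_PRIO" 2>/dev/null || true
    done
}
case "${1:-}" in up) shift; wg_mac_up "$@" ;; down) wg_mac_down ;; esac
```

Call it with "up" from wg11-up.sh and "down" from wg11-down.sh; the set members are left in place on "down" so a peer restart does not need them re-added.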
 
1. Really doesn't matter since the interface is brought down so these files are removed.


2. Does this work for wireless clients as well? The MAC address is a low-level part of the protocol and removed at the higher level.


3. I don't know, I've never tried this, you're the first-runner. You tell me. Reliability? Efficiency? But in principle, yes, but make sure to test so it covers all cases (like TCP, UDP).
1. Okay
2. Just tried on my phone (Samsung S20-5G - Android 12) and a laptop (Windows 10) - both tested the same as wired devices.
3. I have removed IPv4 vpn to 10.50.60.150 rule and in addition to the sites noted above (ipleak.net, browserleak.com, test-ipv6.com & ipv6-test.com) I also ran
Code:
tcpdump -vv -i $(nvram get wan0_ifname) udp port 53 or tcp port 53 or tcp port 853
and all the eth0 traffic was on port 853. I tried running @eibgrad's dsmon tool, but this is now only showing ipv4 traffic - all either yellow or green, but I am guessing that script is updated so the IPv6 traffic is now filtered out as he had only intended it for IPv4.

Can you suggest any other tests I can run?
 
While I haven't tried this, it seems possible to create MAC address ipsets:
Code:
ipset create wg11-mac hash:mac
ipset add wg11-mac XX:XX:XX:XX:XX:XX

Here you could add as many MAC addresses to the set as you wish.

I expect it is not possible to add this ipset in wgm, but the firewall rule would be something like:
Code:
iptables -t mangle -I PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000
ip6tables -t mangle -I PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000

After this you could manage the MAC addresses in the ipsets instead of changing and adding more firewall rules.
Sounds good - not used ipsets before - do they survive reboots and where would I find them?
 
Can you suggest any other tests I can run?
Play around with tcpdump, I guess, to watch all traffic from your redirected IP on your WAN interface and see that it remains empty after some varied internet usage.

Sounds good - not used ipsets before - do they survive reboots and where would I find them?
They do not survive reboots on their own; you typically save them, either manually after each change, or by setting up a cron job to periodically save them, i.e.:
Code:
ipset save wg11-mac > /opt/tmp/wg11-mac

and to restore on boot (like in nat-start):
Code:
IPSET_NAME=wg11-mac
if [ "$(ipset list -n "$IPSET_NAME" 2>/dev/null)" != "$IPSET_NAME" ]; then   # if ipset does not already exist
    if [ -s "/opt/tmp/$IPSET_NAME" ]; then                                   # if a backup file exists
        ipset restore -! <"/opt/tmp/$IPSET_NAME"                             # restore ipset
    fi
fi

Not sure if it is easier, but once this is set up (and especially if you use a cron job to periodically save them) you could simply add or delete MAC addresses in the set and thus change the routing for these IPs...

If it is indeed working well, perhaps we could make a polite request to @Martineau to include the hash:mac ipset capabilities in wgm (IPv4+IPv6 firewall mark rule), so it takes care of the firewall rules and routing for you, but you will still need to create and restore the ipset yourself.
 
You could simply add or delete MAC addresses in the set and thus change the routing for these IPs...

If it is indeed working well, perhaps we could make a polite request to @Martineau to include the hash:mac ipset capabilities in wgm (IPv4+IPv6 firewall mark rule), so it takes care of the firewall rules and routing for you, but you will still need to create and restore the ipset yourself.
wireguard_manager simply tags the named IPSET so any type of IPSET should already be supported.

However, the contents of the IPSET are deemed by default to contain destination elements such as Netflix/Hulu target IPs.

e.g.
Code:
e  = Exit Script [?]

E:Option ==> peer wg12

Client  Auto  IP                                             Endpoint              DNS             MTU   Annotate
wg12    N     10.68.28.1/32,fc00:bbbb:bbbb:bb01::5:1c00/128  194.110.113.51:51820  193.138.218.74        # Mullvad France, Paris

    Selective Routing RPDB rules
ID  Peer  Interface  Source                                  Destination  Description
1   wg12  VPN        2a02:c7f:xxxx:yyyy:6e12:d4fa:7179:cd62  Any          

IPSet      Enable  Peer  FWMark  DST/SRC
Netflix    Y       wg12  0x2000  dst
MACs       Y       wg12  0x2000  src
For an IPSet containing MACs then the DST/SRC must be set to src, but I suspect you are saying that the 'ipset dstsrc src' command shown in the menu to alter the firewall rule doesn't work?
 
However, the contents of the IPSET are deemed by default to contain destination elements such as Netflix/Hulu target IPs.
I remember something about wgm scanning the set for INET or INET6 to determine if the rules should be in iptables or ip6tables. This would go in both, hence my comment that wgm might need to recognize the hash:mac type of set and put in firewall rules for both (or as appropriate depending on router setup). Or maybe it already does?
 
Does anybody use WireGuard with parental control? After starting WG everything works perfectly until I block some devices by parental control on my asuswrt. After that I need to restart WG.
 
Does anybody use WireGuard with parental control? After starting WG everything works perfectly until I block some devices by parental control on my asuswrt. After that I need to restart WG.
I don't know what parental control does, possibly flushes some firewall chains?

Are you referring to wg server or wg client or both? Ipv4, ipv6 or both? Policy/default mode?
What happens when it doesn't work? Losing the connection completely or something else?
 
I don't know what parental control does, possibly flushes some firewall chains?
I think it messes with the firewall.
Are you referring to wg server or wg client or both? Ipv4, ipv6 or both? Policy/default mode?
What happens when it doesn't work? Losing the connection completely or something else?
Server. IPv4. Policy default. Can connect but no internet. It looks like blocking some devices in parental control changes the firewall and everything stops working.
I was wondering what this is for:
[✔] firewall-start is monitoring WireGuard Firewall rules
 
I think it messes with the firewall.

Server. IPv4. Policy default. Can connect but no internet. It looks like blocking some devices in parental control changes the firewall and everything stops working.
I was wondering what this is for:
[✔] firewall-start is monitoring WireGuard Firewall rules
Ok... most probably it would filter content in the FORWARD chain. Check and compare before and after:
Code:
iptables -nvL FORWARD

What does the syslog say when you change parental control?
Scrub any sensitive data before posting
 
iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 wg21 0.0.0.0/0 0.0.0.0/0 /* LAN to WireGuard 'server clients' */
0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */

Looks like these two entries are deleted after changing parental control.
 
iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 wg21 0.0.0.0/0 0.0.0.0/0 /* LAN to WireGuard 'server clients' */
0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */

Looks like these two entries are deleted after changing parental control.
That would explain why you lose contact.

It seems then that parental control is flushing the FORWARD filter chain without a firewall-start event happening.

Check the syslog if there is any service-event you can use to restart wg when parental control is changed.
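An added check for the flush just diagnosed, not wgm's own code: it parses iptables -nvL FORWARD, reports which of the two wg21 ACCEPT rules from the chain dump above is gone, and re-inserts them. The interface names and rule comments are taken from that dump; the rule labels and running it from a cru job are assumptions.

```shell
#!/bin/sh
# Added example, not wireguard_manager's own code: detect when the two FORWARD
# ACCEPT rules for the wg21 server (shown in the chain dump above) have been
# flushed, e.g. by a parental control change that fires no firewall-start event,
# and re-insert them. Interface names and the rule comments are taken from the
# dump; running it from a cru (cron) job every minute is an assumption.
LAN_IF="${LAN_IF:-br0}"
WG_IF="${WG_IF:-wg21}"

# Read "iptables -nvL FORWARD" output on stdin; exit 0 if an ACCEPT rule with the
# given in/out interfaces exists. Columns: pkts bytes target prot opt in out ...
has_accept_rule() {
    awk -v in_if="$1" -v out_if="$2" '
        $3 == "ACCEPT" && $6 == in_if && $7 == out_if { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Print the name of each expected rule that is absent from the dump on stdin.
missing_wg_rules() {
    dump=$(cat)
    printf '%s\n' "$dump" | has_accept_rule "$LAN_IF" "$WG_IF" || echo "lan-to-wg"
    printf '%s\n' "$dump" | has_accept_rule "$WG_IF" "*"      || echo "wg-to-any"
}

# Re-insert only what is missing, so a healthy chain is left untouched.
repair_wg_rules() {
    for rule in $(iptables -nvL FORWARD | missing_wg_rules); do
        case "$rule" in
            lan-to-wg) iptables -I FORWARD -i "$LAN_IF" -o "$WG_IF" -m comment --comment "LAN to WireGuard 'server clients'" -j ACCEPT ;;
            wg-to-any) iptables -I FORWARD -i "$WG_IF" -m comment --comment "WireGuard 'server'" -j ACCEPT ;;
        esac
        logger -t wg-forward-check "re-added FORWARD rule: $rule"
    done
}

case "${1:-}" in check) iptables -nvL FORWARD | missing_wg_rules ;; repair) repair_wg_rules ;; esac
```

The logger line leaves a syslog trace each time a rule had to be restored, which also shows how often parental control is flushing the chain.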
 
Play around with tcpdump I guess to watch all traffic from your redirected ip on your WAN interface and see so it remains empty after some various internet usage.


They do not survive reboots on their own; you typically save them, either manually after each change, or by setting up a cron job to periodically save them, i.e.:
Code:
ipset save wg11-mac > /opt/tmp/wg11-mac

and to restore on boot (like in nat-start):
Code:
IPSET_NAME=wg11-mac
if [ "$(ipset list -n "$IPSET_NAME" 2>/dev/null)" != "$IPSET_NAME" ]; then   # if ipset does not already exist
    if [ -s "/opt/tmp/$IPSET_NAME" ]; then                                   # if a backup file exists
        ipset restore -! <"/opt/tmp/$IPSET_NAME"                             # restore ipset
    fi
fi

Not sure if it is easier, but once this is set up (and especially if you use a cron job to periodically save them) you could simply add or delete MAC addresses in the set and thus change the routing for these IPs...

If it is indeed working well, perhaps we could make a polite request to @Martineau to include the hash:mac ipset capabilities in wgm (IPv4+IPv6 firewall mark rule), so it takes care of the firewall rules and routing for you, but you will still need to create and restore the ipset yourself.
I have been trying to use ipsets and while the routing rules
Code:
iptables -t mangle -I PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000
ip6tables -t mangle -I PREROUTING -m set --match-set wg11-mac src -j MARK --set-mark 0x1000/0x1000
work perfectly and I can run cru to save the ipset, the restore command is the problem.

The issue is not the script, rather I cannot get it to run early enough, i.e. before WireGuard, so that the wg11-mac value is picked up and restored before wg11-up.sh is run.
I have tried running the code in wan-event, nat-start and services-start and (in case loading entware was the issue) moved the saved version from /opt/tmp to /jffs/addons/wireguard. Nothing helps and I always get
Code:
ipset list -n wg11-mac
ipset v7.6: The set with the given name does not exist
Once the router is up, then I can re-run any of these (wan-event, nat-start and services-start or a stand alone script) and I then get
Code:
ipset list -n wg11-mac
wg11-mac

It may be that the ipset module is busy with loading the Skynet ipsets or just that ipset is not yet functional when wgm starts. I can try disabling Skynet and trying again but for now, I have rebooted the router too many times for everyone's liking and will need to come back to this later.
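An added example (not the thread's or wgm's code) for the restore problem just described: instead of assuming ipset is ready, the script probes it and retries for a while, and it refuses a backup that does not describe the expected hash:mac set. The backup path under /jffs/addons/wireguard, the probe interval and calling it from wg11-up.sh are assumptions.

```shell
#!/bin/sh
# Added example, not wireguard_manager's own code: save a hash:mac ipset to flash and
# restore it at boot only once ipset really answers, retrying for a while instead of
# failing because the script ran before the ipset module was usable.
# Assumptions: set name, backup path under /jffs/addons/wireguard, probe interval.
# Intended use: "restore" from wg11-up.sh before the MARK rule, "save" from cru.
SET_NAME="${SET_NAME:-wg11-mac}"
BACKUP="${BACKUP:-/jffs/addons/wireguard/$SET_NAME.ipset}"
RETRY_SLEEP="${RETRY_SLEEP:-2}"   # seconds between probes

# Probe "ipset list -n" (needs the kernel module) up to $1 times; 0 as soon as it
# answers, 1 after the last failed try.
wait_for_ipset() {
    tries=$1
    while [ "$tries" -gt 0 ]; do
        ipset list -n >/dev/null 2>&1 && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep "$RETRY_SLEEP"
    done
    return 1
}

set_exists() {
    [ "$(ipset list -n "$SET_NAME" 2>/dev/null)" = "$SET_NAME" ]
}

# Write the dump to a temp file first and rename it, so a reboot mid-write cannot
# leave a truncated backup behind.
save_set() {
    ipset save "$SET_NAME" >"$BACKUP.tmp" && mv "$BACKUP.tmp" "$BACKUP"
}

# Restore only when the set is missing and the backup really describes a hash:mac
# set of that name; "-!" ignores "set already exists" on the create line.
restore_set() {
    set_exists && return 0
    if [ ! -s "$BACKUP" ] || ! grep -q "^create $SET_NAME hash:mac" "$BACKUP"; then
        echo "no usable backup at $BACKUP" >&2
        return 1
    fi
    ipset restore -! <"$BACKUP" && set_exists
}

case "${1:-}" in
    save)    save_set ;;
    restore) wait_for_ipset 30 && restore_set ;;
esac
```

Running "restore" from wg11-up.sh rather than from nat-start or services-start ties the restore to the moment the set is first needed, and the exit status tells the up script whether the MARK rule will actually match anything.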
 
