Wireguard Wireguard Client Help

[ZebMcKayhan]

I did not do anything within the WG

Have wg11 been running since last time? With all rules we set up? So your lan have been using Wireguard this whole time?

Probably you will need to obtain a new config file and import in wgm as wg11 as this one does not appear to work anymore.

Using Geo-location works best if you have client not routed out any vpn to begin with and 1 or more vpn clients which you can use to temporary divert this client.

Please what commands do you want to run ?

Not sure what you mean by this. The commands for debug is in my post. You only posted the first one.
Regarding rules, vpndirector cannot be used with wgm but there is a function to import rules into wgm from vpndirector. But I recommend to enter your rules directly in wgm:
https://github.com/ZebMcKayhan/WireguardManager?tab=readme-ov-file#create-rules-in-wgm

 

[sammyano]

Yes, they have been working. I have deleted WG and imported new config file but issue now is they all go through WAN, even with the rules we created last time. Am in the process of starting a new import. I was beginning to like the WG manager

 

[sammyano]

@Zeb, I went back to the following after deleting wg11 and importing again and it worked, dont know why the previous rules by splitting the network into 4 subnets we created was not working again, though i noticed the previous rules seems more faster this, would prefer the old one as it seems more robust in terms of performance, any idea?

E:Option ==> peer wg11 rule add wan 192.168.1.105 comment Amazon_Fire
E:Option ==> peer wg11 rule add wan 192.168.1.181 comment Galaxy_Phone
E:Option ==> peer wg11 rule add vpn 192.168.1.1/24 comment Other Clients

 

[ZebMcKayhan]

@Zeb, I went back to the following after deleting wg11 and importing again and it worked, dont know why the previous rules by splitting the network into 4 subnets we created was not working again, though i noticed the previous rules seems more faster this, would prefer the old one as it seems more robust in terms of performance, any idea?

E:Option ==> peer wg11 rule add wan 192.168.1.105 comment Amazon_Fire
E:Option ==> peer wg11 rule add wan 192.168.1.181 comment Galaxy_Phone
E:Option ==> peer wg11 rule add vpn 192.168.1.1/24 comment Other Clients

The initial issue you had with these rule-set was dns. Your wan clients will still use wg dns which gives issues if this dns is only accessible over vpn.

I would prefer the way before as no wan rules are needed, thus you won't have dns issues. But it is up to you.

If something is not working with your old rules, something is wrong and should be investigated. The best way to do so is to check that the rules are applied properly:
Exit wgm and amtm and execute one by one:

wg show
ip rule
ip route show table main
ip route show table 121

 

[sammyano]

The initial issue you had with these rule-set was dns. Your wan clients will still use wg dns which gives issues if this dns is only accessible over vpn.

I would prefer the way before as no wan rules are needed, thus you won't have dns issues. But it is up to you.

If something is not working with your old rules, something is wrong and should be investigated. The best way to do so is to check that the rules are applied properly:
Exit wgm and amtm and execute one by one:

wg show
ip rule
ip route show table main
ip route show table 121

Are you saying the delete and apply the old rule and then run the above commands or run them using ones i sent in my previous post. PS - I have to change the DNS in wg to use a different one that the specified from VPN conf, please advise?

 

[ZebMcKayhan]

Are you saying the delete and apply the old rule and then run the above commands or run them using ones i sent in my previous post.

Well, yes. There is no point debugging something that is working.

PS - I have to change the DNS in wg to use a different one that the specified from VPN conf, please advise?

Yes, that is the only way to make your current setup work. You won't be able to ever use wg dns with this setup.

But it's really up to you. If you are completely OK with not using isp dns for wan clients or wg dns for wg clients and use a publically available dns for both then there is nothing wrong with keeping this setup. Your call.

 

[sammyano]

Well, yes. There is no point debugging something that is working.



Yes, that is the only way to make your current setup work. You won't be able to ever use wg dns with this setup.

But it's really up to you. If you are completely OK with not using isp dns for wan clients or wg dns for wg clients and use a publically available dns for both then there is nothing wrong with keeping this setup. Your call.

Will like to find out why the previous rule was not working, will delete now and run the commands and revert back

 

[sammyano]

Will like to find out why the previous rule was not working, will delete now and run the commands and revert back

@Zeb, everything is now going through WAN after applying the subnetted rules, nothing is going through VPN - please see below for the commands outputs as requested - thanks


interface: wg21
public key: iie3r9sqxxxxxxxxxx
private key: (hidden)
listening port: 51820
interface: wg11
public key: yQinrxAHc3z56Zxxxxxxxx
private key: (hidden)
listening port: 56952
peer: M7aqYRrqdZCxxxxxxxxxxxxxx
preshared key: (hidden)
endpoint: xx7.xx.18:15252
allowed ips: 0.0.0.0/0
latest handshake: 6 seconds ago. (sec:6)
transfer: 18.94 KiB received, 428 B sent
persistent keepalive: every 25 seconds

IP Rule -

0: from all lookup local
9810: from all fwmark 0xd2 lookup 210
9911: from 192.168.1.64/26 lookup 121
9911: from 192.168.1.32/27 lookup 121
9911: from 192.168.1.16/28 lookup 121
9911: from 192.168.1.128/25 lookup 121
32766: from all lookup main
32767: from all lookup default

IP route show table main -

default via xxxxxxxxx dev eth0
1.0.0.1 via xxxxxxxx.1 dev eth0 metric 1
1.1.1.1 via xxxxxxxx dev eth0 metric 1
10.8.0.0/24 dev tun21 proto kernel scope link src 10.8.0.1
10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1
50.7.114.18 via xxxxxxxx dev eth0
xxxxxx.0/23 dev eth0 proto kernel scope link src xxxxxxxxxx
xxxxxxxxdev eth0 proto kernel scope link
127.0.0.0/8 dev lo scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.101.0/24 dev br1 proto kernel scope link src 192.168.101.1
192.168.102.0/24 dev br2 proto kernel scope link src 192.168.102.1

IP route show table 121 -

0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1

 

[ZebMcKayhan]

@Zeb, everything is now going through WAN after applying the subnetted rules, nothing is going through VPN - please see below for the commands outputs as requested - thanks


interface: wg21
public key: iie3r9sqxxxxxxxxxx
private key: (hidden)
listening port: 51820
interface: wg11
public key: yQinrxAHc3z56Zxxxxxxxx
private key: (hidden)
listening port: 56952
peer: M7aqYRrqdZCxxxxxxxxxxxxxx
preshared key: (hidden)
endpoint: 50.7.114.18:15252
allowed ips: 0.0.0.0/0
latest handshake: 6 seconds ago. (sec:6)
transfer: 18.94 KiB received, 428 B sent
persistent keepalive: every 25 seconds

IP Rule -

0: from all lookup local
9810: from all fwmark 0xd2 lookup 210
9911: from 192.168.1.64/26 lookup 121
9911: from 192.168.1.32/27 lookup 121
9911: from 192.168.1.16/28 lookup 121
9911: from 192.168.1.128/25 lookup 121
32766: from all lookup main
32767: from all lookup default

IP route show table main -

default via xxxxxxxxx dev eth0
1.0.0.1 via xxxxxxxx.1 dev eth0 metric 1
1.1.1.1 via xxxxxxxx dev eth0 metric 1
10.8.0.0/24 dev tun21 proto kernel scope link src 10.8.0.1
10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1
50.7.114.18 via xxxxxxxx dev eth0
xxxxxx.0/23 dev eth0 proto kernel scope link src xxxxxxxxxx
xxxxxxxxdev eth0 proto kernel scope link
127.0.0.0/8 dev lo scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.101.0/24 dev br1 proto kernel scope link src 192.168.101.1
192.168.102.0/24 dev br2 proto kernel scope link src 192.168.102.1

IP route show table 121 -

0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1

Well, everything looks OK as far as I can see. Only 192.168.1.0 - 192.168.1.15 should be wan. The rest should be through wg11.
From what device are you testing over wan? What is that device lan ip? How are you testing?

 

[sammyano]

I use the whatismyip to test both from my macbook and my phone and it shows my WAN IP not VPN

 

[sammyano]

Well, everything looks OK as far as I can see. Only 192.168.1.0 - 192.168.1.15 should be wan. The rest should be through wg11.
From what device are you testing over wan? What is that device lan ip? How are you testing?

And also, when I use these, works as expected though I have to change DNS and is much slower -
E:Option ==> peer wg11 rule add wan 192.168.1.105 comment Amazon_Fire
E:Option ==> peer wg11 rule add wan 192.168.1.181 comment Galaxy_Phone
E:Option ==> peer wg11 rule add vpn 192.168.1.1/24 comment Other Clients

 

[ZebMcKayhan]

I use the whatismyip to test both from my macbook and my phone and it shows my WAN IP not VPN

The only way this makes sense is if your MacBook and phone has a local IP between 192.168.1.0 - 192.168.1.15
Did you check this?

 

[sammyano]

The only way this makes sense is if your MacBook and phone has a local IP between 192.168.1.0 - 192.168.1.15
Did you check this?

My macbook is .182 and phone was already set in LAN to use < .16 address, so not sure why the macbook should be using WAN instead of VPN. Is there a setting or what am missing?

 

[ZebMcKayhan]

My macbook is .182 and phone was already set in LAN to use < .16 address, so not sure why the macbook should be using WAN instead of VPN. Is there a setting or what am missing?

Cached browser page perhaps. Try to clear cache or use private (incognito) tab to make sure you are not seeing old data.
For your phone it is expected then. If not desired, change it's ip.

 

[sammyano]

The only way this makes sense is if your MacBook and phone has a local IP between 192.168.1.0 - 192.168.1.15
Did you check this?

I have now removed my phone from .15 addressing and still it is going through WAN same as the macbook

 

[ZebMcKayhan]

I have now removed my phone from .15 addressing and still it is going through WAN same as the macbook

Is there any way you could check the ip it's using?

I'm sorry, but the rules are clearly sending 192.168.1.16 - 192.168.1.255 to route table 121 and in there there are only routes to lan and wg11. There is no way an ip in this range would route to wan.

 

[sammyano]

Is there any way you could check the ip it's using?

I'm sorry, but the rules are clearly sending 192.168.1.16 - 192.168.1.255 to route table 121 and in there there are only routes to lan and wg11. There is no way an ip in this range would route to wan.

My phone is .229 and have tested on incognito mode for both mac and phone but still getting same WAN IP

 

[ZebMcKayhan]

My phone is .229 and have tested on incognito mode for both mac and phone but still getting same WAN IP

This is unbelievable... just to make sure something have not happened since last time:

ip rule

 

[sammyano]

My phone is .229 and have tested on incognito mode for both mac and phone but still getting same WAN IP

Also I go to my VPN provider site to check and it says am not connected

 

[sammyano]

This is unbelievable... just to make sure something have not happened since last time:

ip rule

0: from all lookup local
9810: from all fwmark 0xd2 lookup 210
9911: from 192.168.1.64/26 lookup 121
9911: from 192.168.1.32/27 lookup 121
9911: from 192.168.1.16/28 lookup 121
9911: from 192.168.1.128/25 lookup 121
32766: from all lookup main
32767: from all lookup default