
WireGuard manual IPSet configuration

@ZebMcKayhan I see your writeup here when using WGM. I wonder, is there a similar way to do this using the firmware WireGuard rather than this script? I need my WG to respect some IPSet rules.

Sure, aah well... you will need to do it via commands in various hook files.

Start by creating your ipset and make it persistent according to https://github.com/ZebMcKayhan/WireguardManager#create-and-setup-ipsets

Then we need to add fwmark routing rules in nat-start, something like:
ip rule add from all fwmark 0x8000/0x8000 table main prio 9900
ip rule add from all fwmark 0x1000/0x1000 table wgc1 prio 9910
ip rule add from all fwmark 0x2000/0x2000 table wgc2 prio 9920
ip rule add from all fwmark 0x4000/0x4000 table wgc3 prio 9930
ip rule add from all fwmark 0x7000/0x7000 table wgc4 prio 9940
ip rule add from all fwmark 0x3000/0x3000 table wgc5 prio 9950
(Remove for the interfaces you don't use)
These priorities will make them preferred over VPN Director. Use >20000 to have VPN Director preferred.

Turn off (or more correctly, set to loose) rp_filter for any interface using mark routing. This should probably be done in wgclient-start:
echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/wgc1/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/wgc2/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/wgc3/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/wgc4/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/wgc5/rp_filter
(Remove for the interfaces you don't use)

And add a firewall rule to mark packets matching the content of the ipset so they will be routed correctly. This should probably be in nat-start as well.
The general command is:
iptables -t mangle -A PREROUTING -m set --match-set <ipset name> <dst/src> -j MARK --set-mark <mark>/<mask>
But this rule will apply to ALL, so if you have a set of destination IPs to route it will apply even for the guest network, which may not have the right access (haven't checked). Adding -i br0 before -m will make this rule apply only to packets from br0 and not others. So for the typical Netflix-to-WAN route it may be:
iptables -t mangle -A PREROUTING -i br0 -m set --match-set NETFLIX-DNS dst -j MARK --set-mark 0x8000/0x8000

It should be noted that the marks used conflict with TrendMicro/AiProtection, which uses all bits in fwmark, so you probably shouldn't use this with the TrendMicro stuff enabled. Or at least be observant: https://www.snbforums.com/threads/asuswrt-merlin-netflix-through-vpn-settings.41047/post-349109
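An idempotent nat-start hook that puts the ip rule and mangle commands from the post together, added here as an example (not ZebMcKayhan's script or the post's own code). The hook path, the use of iptables -C to test for an existing rule, and the br0/NETFLIX-DNS names are assumptions.

```shell
#!/bin/sh
# Assumed hook: /jffs/scripts/nat-start on Asuswrt-Merlin (example, not from the post).
# nat-start can fire more than once per boot (firewall restarts), so every rule is
# checked before it is added; otherwise duplicates pile up in "ip rule" and mangle.

# MARK TABLE PRIO, one per line. Drop the lines for interfaces you do not use.
FWMARK_RULES="0x8000 main 9900
0x1000 wgc1 9910"

# Return 0 if the given "ip rule show" listing already has a rule MARK -> TABLE.
# Pure text check, so it can be exercised without root: rule_listed "$listing" MARK TABLE
rule_listed() {
    printf '%s\n' "$1" | grep -q "fwmark $2/$2 lookup $3\$"
}

# Add the fwmark policy-routing rule only when it is not already present.
add_fwmark_rule() {
    mark=$1 table=$2 prio=$3
    if rule_listed "$(ip rule show)" "$mark" "$table"; then
        return 0
    fi
    ip rule add from all fwmark "$mark/$mark" table "$table" prio "$prio"
}

# Mark traffic entering from br0 (LAN only, so guest networks are not pulled in)
# whose destination is in the ipset. "iptables -C" returns 0 when the rule exists.
add_mangle_mark() {
    set_name=$1 direction=$2 mark=$3
    rule="PREROUTING -i br0 -m set --match-set $set_name $direction -j MARK --set-mark $mark/$mark"
    # shellcheck disable=SC2086  # word splitting of $rule is intended
    iptables -t mangle -C $rule 2>/dev/null || iptables -t mangle -A $rule
}

main() {
    printf '%s\n' "$FWMARK_RULES" | while read -r mark table prio; do
        [ -n "$mark" ] && add_fwmark_rule "$mark" "$table" "$prio"
    done
    # Send NETFLIX-DNS destinations out via WAN (table main, mark 0x8000), as in the post.
    add_mangle_mark NETFLIX-DNS dst 0x8000
}

# Only apply when executed as the hook itself, not when sourced for inspection.
case "$0" in */nat-start) main ;; esac
```

Check the result with ip rule show and iptables -t mangle -S PREROUTING after a firewall restart; each rule should appear exactly once.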
