WireGuard manual IPSet configuration

[privacyguy123]

@ZebMcKayhan I see your writeup here when using WGM, I wonder is there a similar way to do this using the firmware WireGuard rather than this script? I need my WG to respect some IPSet rules

GitHub - ZebMcKayhan/WireguardManager: Manage/Install WireGuard on applicable ASUS routers

Manage/Install WireGuard on applicable ASUS routers - ZebMcKayhan/WireguardManager

github.com

 

[ZebMcKayhan]

@ZebMcKayhan I see your writeup here when using WGM, I wonder is there a similar way to do this using the firmware WireGuard rather than this script? I need my WG to respect some IPSet rules

GitHub - ZebMcKayhan/WireguardManager: Manage/Install WireGuard on applicable ASUS routers

Manage/Install WireGuard on applicable ASUS routers - ZebMcKayhan/WireguardManager

github.com

Sure, aah well... you will need to do it via commands in various hook files.

Start by creating your ipset and make it persistant according to https://github.com/ZebMcKayhan/WireguardManager#create-and-setup-ipsets

Then we need to add fwmark routing rules in nat-start, something like:

ip rule add from all fwmark 0x8000/0x8000 table main prio 9900
ip rule add from all fwmark 0x1000/0x1000 table wgc1 prio 9910
ip rule add from all fwmark 0x2000/0x2000 table wgc2 prio 9920
ip rule add from all fwmark 0x4000/0x4000 table wgc3 prio 9930
ip rule add from all fwmark 0x7000/0x7000 table wgc4 prio 9940
ip rule add from all fwmark 0x3000/0x3000 table wgc5 prio 9950

(Remove for the interfaces you dont use)
These priorities will make them preferred over vpndirector. Use >20000 to have vpn director prefferred.

Turn of (or more correctly, set to loose) rp-filter for any interface using mark routing. This should probably be done in wgclient-start:

echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/wgc1/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/wgc2/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/wgc3/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/wgc4/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/wgc5/rp_filter

(Remove for the interfaces you dont use)

And add a firewall rule to mark packets matching content of ipset so it will be routed correct. This should probably be in nat-start as well:
The general command is:

iptables -t mangle -A PREROUTING -m set --match-set <ipset name> <dst/src> -j MARK --set-mark <mark>/<mask>

But this rule will apply to ALL so if you have a set of destination ips to route it will apply even for guest network which may not have the right access (havnt checked). Add a -i br0 before -m will only apply this rule on packets from br0 and not others. But for the typical netflix to wan route it may be:

iptables -t mangle -A PREROUTING -i br0 -m set --match-set NETFLIX-DNS dst -j MARK --set-mark 0x8000/0x8000

It should be noted that the marks used are conflicting with TrendMicro/Aiprotect that are using all bits in fwmark, so you probably shouldnt use this with trendmicro stuff enabled. Or atleast be observant: https://www.snbforums.com/threads/asuswrt-merlin-netflix-through-vpn-settings.41047/post-349109

 

[privacyguy123]

It should be noted that the marks used are conflicting with TrendMicro/Aiprotect that are using all bits in fwmark, so you probably shouldnt use this with trendmicro stuff enabled. Or atleast be observant: https://www.snbforums.com/threads/asuswrt-merlin-netflix-through-vpn-settings.41047/post-349109

Just noticed this part - are you saying it will conflict with what Adaptive QoS is doing also?

 

[ZebMcKayhan]

Just noticed this part - are you saying it will conflict with what Adaptive QoS is doing also?

Im not sure, I just know what I have read in the link I provided with some extra warnings from @RMerlin that I never cared to dig deeper into since I dont use any of that stuff.