Need help with wireguard

Alright, one last thing: is the myddns endpoint IPv4 or IPv6?

It’s on the DietPi, ddclient is running, and it’s an IPv6 address.

Try this and if it works we can make it permanent.

echo '10 isp' >> /etc/iproute2/rt_tables 
ip -6 route add to default via "$(ip -6 route list match ::/0 | cut -f3 -d ' ')" dev eth1 table isp
ip -6 rule add iif lo sport 51820 to default lookup isp prio 15

Amazing :slight_smile: perfect, runs smoothly :slight_smile:

But I can’t connect to the internal network

even if I have

AllowedIPs = 192.168.178.0/24

in my client conf

Why not use 0.0.0.0/0 in your client configuration?

Still not working

I can only connect to 192.168.178.43, which is my DietPi’s IP, and the Internet, but no other local address.

Without your ip rule it’s running, but then if I connect to OpenVPN, WireGuard is not connecting.

You need to change the allowed IPs in the client device’s WG configuration.
Then, since the other LAN hosts use the ISP router as gateway, you also need to apply masquerade on eth0 egress traffic.
If there is a kill switch from the VPN client, you need to bypass that too.

Okay,

this is my current client conf file

[Interface]
Address = 10.0.0.2/32
PrivateKey = [privatekey]

# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 192.168.178.43

# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will not work on most mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = [publickey]
AllowedIPs = 192.168.178.0/24
Endpoint = xx.io:51820

# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
#PersistentKeepalive = 25

What do I need to change now?

Not sure if related, but your DNS is a Pi-hole located on the same system as the WireGuard server?

Btw: the client file needs to be uploaded to your client each time you change something, or you do the changes in the client app directly. Just updating the client file on the server will not have any effect.


Yes, it’s a Pi-hole located on the same DietPi as my WireGuard server.

And I edit the conf file on my mobile phone directly.

How do I do this

masquerade on eth0 egress traffic

PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

Just out of interest, do you see DNS requests arriving from the VPN client in Pi-hole? Sometimes it is needed to allow Pi-hole to accept requests from all interfaces.

Yes, I see them and they also get blocked… tested yesterday evening… I am not at home, so I need to test again.

So with

echo '10 isp' >> /etc/iproute2/rt_tables 
ip -6 route add to default via "$(ip -6 route list match ::/0 | cut -f3 -d ' ')" dev eth1 table isp
ip -6 rule add iif lo sport 51820 to default lookup isp prio 15

and

PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE


everything seems to run as expected.

How can I do this permanent now?

The entry in rt_tables is permanent. Add the others to a dietpi-autostart script.
dietpi-config #9 AutoStart Options → #14 Custom script (background, no autologin)

ip -6 route add to default via "$(ip -6 route list match ::/0 | cut -f3 -d ' ')" dev eth1 table isp
ip -6 rule add iif lo sport 51820 to default lookup isp prio 15
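
Added example, not code from the thread, DietPi or WireGuard: the two commands above written as a script that is safe to run from the custom autostart entry on every boot. It keeps the values from the thread (UDP 51820, uplink eth1, table 10 named `isp`, rule priority 15) and adds what a re-runnable boot script needs: the rt_tables line is appended only once, the gateway is taken from the default route on eth1 only (the `cut -f3` one-liner returns two addresses, and therefore a broken command, as soon as OpenVPN also installs an IPv6 default route), and the route and rule are replaced rather than added. `DRY_RUN=1 ./wg-isp-route.sh apply` prints the commands instead of executing them; the file name is my choice.

```shell
#!/bin/sh
# Added example (not from DietPi or WireGuard): the thread's two commands,
# made safe to re-run from dietpi-autostart on every boot.
# Assumptions, all taken from the thread: WireGuard listens on UDP 51820,
# the ISP uplink is eth1, routing table 10 is named "isp", rule prio 15.
set -eu

WG_PORT="${WG_PORT:-51820}"
ISP_IF="${ISP_IF:-eth1}"
TABLE_ID=10
TABLE_NAME=isp
RULE_PRIO=15
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# Execute a command, or just print it when DRY_RUN is set, so the plan can
# be reviewed on a machine that has no eth1.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Append "ID NAME" to rt_tables only if that exact entry is missing.
# A bare 'echo >>' on every boot accumulates duplicate lines.
ensure_rt_table() {
    id="$1"; name="$2"; file="$3"
    if ! grep -Eq "^[[:space:]]*$id[[:space:]]+$name([[:space:]]|\$)" "$file" 2>/dev/null; then
        printf '%s %s\n' "$id" "$name" >> "$file"
    fi
}

# Read 'ip -6 route show default' on stdin and print the "via" address of
# the default route that sits on the given interface. The thread's
# 'cut -f3 -d " "' prints the third word of every default route, which gives
# two addresses once OpenVPN adds its own default route; this keeps only
# the one on the ISP uplink.
gateway_for_iface() {
    awk -v ifc="$1" '
        $1 == "default" {
            via = ""; dev = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via") via = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            if (dev == ifc && via != "") { print via; exit }
        }'
}

apply() {
    ensure_rt_table "$TABLE_ID" "$TABLE_NAME" "$RT_TABLES"
    gw="$(ip -6 route show default | gateway_for_iface "$ISP_IF")"
    if [ -z "$gw" ]; then
        echo "no IPv6 default route on $ISP_IF yet (no router advertisement?); try again later" >&2
        return 1
    fi
    # 'replace' instead of 'add': a second run must not fail with EEXIST.
    run ip -6 route replace default via "$gw" dev "$ISP_IF" table "$TABLE_NAME"
    # Locally generated UDP with source port 51820 (iif lo = this host's own
    # traffic) is looked up in table isp, so WireGuard's replies leave via
    # the ISP uplink even while the main default route points into tun1.
    # The 'ipproto'/'sport' selectors need kernel and iproute2 4.17 or newer.
    # Remove a previous copy first; 'ip rule add' does not deduplicate.
    run ip -6 rule del iif lo ipproto udp sport "$WG_PORT" lookup "$TABLE_NAME" prio "$RULE_PRIO" 2>/dev/null || true
    run ip -6 rule add iif lo ipproto udp sport "$WG_PORT" lookup "$TABLE_NAME" prio "$RULE_PRIO"
}

# Only act when called as "wg-isp-route.sh apply"; with no argument the
# script just defines the functions (for sourcing or testing).
case "${1:-}" in
    apply) apply ;;
    "") : ;;
    *) echo "usage: $0 apply" >&2; exit 2 ;;
esac
```

The MASQUERADE line from earlier in the thread needs no autostart entry: as a `PostUp` in the server's wg0.conf it already runs on every `wg-quick up`; pairing it with a matching `PostDown` that uses `-D` instead of `-I` keeps the nat table from collecting one extra copy per restart.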

Is it also possible to route all wlan0 data to tun1?

I use this right now

sudo /usr/sbin/ip route add default via 10.8.110.19 dev tun1 table 200
sudo /usr/sbin/ip rule add from 192.168.42.0/24 table 200
sudo /usr/sbin/ip route flush cache

Or is there a better way?

I think it is quite alright.

Is it also possible to write this IP-independent?

I am not sure I understand your question.

sudo /usr/sbin/ip route add default via 10.8.110.19 dev tun1 table 200
sudo /usr/sbin/ip rule add from 192.168.42.0/24 table 200
sudo /usr/sbin/ip route flush cache

There you can see it’s specific to the IP 10.8.110.19. How can I change it so that I don’t need to care about this IP?

If it is a point-to-point tunnel, then try to omit the via IP; it may well work without it.
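
Added example, not code from the thread, DietPi or OpenVPN: the three lines above rewritten without the tunnel peer's address, plus two things a practitioner would want around them. A tun device is point-to-point, so `default dev tun1` is enough and no 10.8.x.x address appears. The `from 192.168.42.0/24 table 200` rule on its own also sends LAN-to-LAN and LAN-to-192.168.178.0/24 traffic into the tunnel; a preceding lookup of `main` with `suppress_prefixlength 0` keeps those local while still ignoring main's default route. An `unreachable` fallback in table 200 makes the setup fail closed when tun1 is down. The subnet, wlan0, tun1 and table 200 are from the thread; the rule priorities 100/101 and the script name are my choice.

```shell
#!/bin/sh
# Added example (not from DietPi or OpenVPN): send everything that arrives
# from the wlan0 LAN into tun1 without naming the tunnel peer's address.
# Assumptions from the thread: LAN 192.168.42.0/24 on wlan0, tunnel device
# tun1, routing table 200. Rule priorities 100/101 are my choice.
set -eu

LAN_NET="${LAN_NET:-192.168.42.0/24}"
TUN_IF="${TUN_IF:-tun1}"
TABLE="${TABLE:-200}"

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Current 'ip rule show' output; in DRY_RUN mode assume an empty rule set
# so the complete plan is printed.
current_rules() {
    if [ -n "${DRY_RUN:-}" ]; then :; else ip rule show; fi
}

# stdin: 'ip rule show' output. True when a rule with this priority exists.
rule_at_prio() {
    grep -Eq "^[[:space:]]*$1:"
}

# 'ip rule add' inserts identical rules again and again, so check first.
add_rule_once() {
    prio="$1"; shift
    if ! current_rules | rule_at_prio "$prio"; then
        run ip rule add "$@" prio "$prio"
    fi
}

lan_to_tun_rules() {
    # Consult main first but ignore its default route (suppress_prefixlength 0
    # discards only a /0 match). Without this, a bare 'from LAN table 200'
    # rule would push LAN-to-LAN and LAN-to-192.168.178.0/24 traffic into
    # the tunnel as well.
    add_rule_once 100 from "$LAN_NET" lookup main suppress_prefixlength 0
    # Everything else from the LAN: table 200.
    add_rule_once 101 from "$LAN_NET" lookup "$TABLE"
    # tun devices are point-to-point, so no 'via <peer>' is needed; the
    # kernel sends straight down the device and the VPN's 10.8.x.x address
    # never has to be known.
    run ip route replace default dev "$TUN_IF" table "$TABLE"
    # Fail closed: when tun1 goes down its route vanishes with the device,
    # and this worse-metric fallback answers with ICMP unreachable instead
    # of letting LAN traffic fall through to the ISP router.
    run ip route replace unreachable default metric 1000 table "$TABLE"
    # No 'ip route flush cache': the IPv4 routing cache was removed in
    # Linux 3.6, so the command is a no-op on any kernel DietPi runs.
}

# Only act when called as "lan-to-tun.sh apply"; with no argument the
# script just defines the functions (for sourcing or testing).
case "${1:-}" in
    apply) lan_to_tun_rules ;;
    "") : ;;
    *) echo "usage: $0 apply" >&2; exit 2 ;;
esac
```

Two caveats: OpenVPN knows nothing about table 200, so when it reconnects and recreates tun1 the `default dev tun1` route there is gone until the script runs again; calling it from the client's `--route-up` hook (with `script-security 2`) or after tun1 is up from autostart covers that, and until then the unreachable fallback blocks the LAN rather than leaking it. And the NAT rule that masquerades 192.168.42.0/24 out of tun1 must already be in place, as it evidently is for the three-line version to have worked.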