Setup IP forwarding

Unfortunately this isn’t an option; I need this only on a couple of devices.
Is it possible to disable IPv6 per device on the fritz if you know?

Would probably go this way as on some devices I’ve set a static IP and RPi4 as gateway and dns server.
Btw I did what you told me above and noticed that with vpn up, the RPi4 is working as I can run an nslookup dietpi.com or curl ipinfo.io but on devices that use the RPi4 as gateway and dns server these commands don’t work.

It is probably missing the masquerade and forwarding rules in iptables. But first things first. Is DNS working with VPN off?

I did set the RPi4 as gateway and dns on my pc as said above and after setting also the RPi4’s IPv6 as dns server, running nslookup dietpi.com returned an answer from PiHole.
That was while vpn was off as per your request :wink:

This means that IPv6 is taking precedence over IPv4 on your lan host. If VPN is not routing IPv6, you’ll need to disable it on the lan hosts. If it is routing IPv6, you can configure the IPv6 GW and DNS as the RPi.

Now that we have established that DNS is working as expected with VPN off, what happens with VPN on?

This is usually the case on modern operating systems.

Nope. Probably better to disable IPv6 completely within your F!B

It is possible!

I tried disabling IPv6 on my pc, set the RPi4 as gateway and dns server and ran an nslookup, got an answer from PiHole.
I then tried turning on vpn and no connection at all.

Yes, this setting is present. Any downsides?

What’s the output of:
ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c; head -n -0 /etc/wireguard/*.conf | grep -v Key

Here you go :wink:

root@DietPi:~# ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c; head -n -0 /etc/wireguard/*.conf | grep -v Key
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.178.42/24 brd 192.168.178.255 scope global dynamic eth0
       valid_lft 814479sec preferred_lft 814479sec
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.59.244.2/24 scope global wg0
       valid_lft forever preferred_lft forever
default dev wg0 table 51820 scope link
192.168.178.0/24 dev eth0 table 51821 scope link
default via 192.168.178.1 dev eth0
10.59.244.0/24 dev wg0 proto kernel scope link src 10.59.244.2
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.42
local 10.59.244.2 dev wg0 table local proto kernel scope host src 10.59.244.2
broadcast 10.59.244.255 dev wg0 table local proto kernel scope link src 10.59.244.2
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.178.42 dev eth0 table local proto kernel scope host src 192.168.178.42
broadcast 192.168.178.255 dev eth0 table local proto kernel scope link src 192.168.178.42
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Nov  8 12:23:44 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[60:14697] -A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
[25:3612] -A POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Wed Nov  8 12:23:44 2023
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Nov  8 12:23:44 2023
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A PREROUTING -d 10.59.244.2/32 ! -i wg0 -m addrtype ! --src-type LOCAL -m comment --comment "wg-quick(8) rule for wg0" -j DROP
COMMIT
# Completed on Wed Nov  8 12:23:44 2023
[Interface]
Address = 10.59.244.2/24
PreUp = ip route add 192.168.178.0/24 dev eth0 table 51821
PostDown = ip route del 192.168.178.0/24 dev eth0 table 51821
PostDown = iptables -D FORWARD -i eth0 -o eth0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
Endpoint = [REDACTED]:51820
AllowedIPs = 0.0.0.0/0, ::0/0

Change the following:

PreUp = ip route add 192.168.178.0/24 dev eth0 table 51820

Add the following:

PostUp = iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp = iptables -A INPUT -i eth0 -s 192.168.178.0/24 -j ACCEPT
PreDown = iptables -D INPUT -i eth0 -s 192.168.178.0/24 -j ACCEPT

In case it still doesn’t work, post the same with VPN up.

Please forgive my stupidity.
Here are the rules I currently have (please note the iptables number is 51821 instead of 51820 as you told me some comments above).

PreUp = ip route add 192.168.178.0/24 dev eth0 table 51821
PostDown = ip route del 192.168.178.0/24 dev eth0 table 51821
PostDown = iptables -D FORWARD -i eth0 -o eth0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg-netflix -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg-netflix -j MASQUERADE

What do I need to change and what do I need to add?

Thanks again and sorry :smiling_face_with_tear:

You need to change the 51821 into 51820. For some reason I have not identified, your rule keeps changing the virtual table.

The rest of the PostUp/PreDown rules need to be added.

Here’s the updated conf:

[Interface]
PrivateKey = [REDACTED]
Address = 10.59.244.2/24
PreUp = ip route add 192.168.178.0/24 dev eth0 table 51820
PreDown = iptables -D INPUT -i eth0 -s 192.168.178.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp = iptables -A INPUT -i eth0 -s 192.168.178.0/24 -j ACCEPT
PostDown = ip route del 192.168.178.0/24 dev eth0 table 51821
PostDown = iptables -D FORWARD -i eth0 -o eth0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
PublicKey = [REDACTED]
PresharedKey = [REDACTED]
Endpoint = [REDACTED]:51820
AllowedIPs = 0.0.0.0/0, ::0/0

Now EVERYTHING, and I mean EVERYTHING works! :heart_eyes:
I’ve disabled IPv6 on desired device so my home network can still take advantage of IPv6.
Either with VPN down or up my DNS works correctly as I get answer from PiHole when running nslookup commands and can reach all websites.
Plex also works without any settings change in Plex app.

Here is the wg-quick up/down wg0 commands output:

root@DietPi:~# wg-quick up wg0
[#] ip route add 192.168.178.0/24 dev eth0 table 51820
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.59.244.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51821
[#] ip -6 route add ::/0 dev wg0 table 51821
[#] ip -6 rule add not fwmark 51821 table 51821
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51821
[#] ip -4 rule add not fwmark 51821 table 51821
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
[#] iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
[#] iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
[#] iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[#] iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
[#] iptables -A INPUT -i eth0 -s 192.168.178.0/24 -j ACCEPT
root@DietPi:~# wg-quick down wg0
[#] iptables -D INPUT -i eth0 -s 192.168.178.0/24 -j ACCEPT
[#] ip -4 rule delete table 51821
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip -6 rule delete table 51821
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] iptables-restore -n
[#] ip6tables-restore -n
[#] ip route del 192.168.178.0/24 dev eth0 table 51821
RTNETLINK answers: No such process

I see the down command returns an error/warning (last line). Anything wrong or to worry about?
Don’t know if these outputs have other errors/warnings, if so please tell me :wink:

Also, the AllowedIPs = 0.0.0.0/0, ::0/0 has ::0/0, can I remove this as we checked earlier VPN isn’t routing IPv6?

Wow, finally!

Not too worrying, as the table number is not the same as the PreUp. But you need to align it with the table that wg-quick is using.

[#] wg set wg0 fwmark 51821
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51821
[#] ip -4 rule add not fwmark 51821 table 51821

I am not sure why wg-quick is using 51821 though.
I would advise then to use both:

PreUp = ip route add 192.168.178.0/24 dev eth0 table 51820
PreUp = ip route add 192.168.178.0/24 dev eth0 table 51821
PostDown = ip route del 192.168.178.0/24 dev eth0 table 51821
PostDown = ip route del 192.168.178.0/24 dev eth0 table 51820

Yes, you can!

I basically duplicate the rules? For both tables?

Yes, basically.

Rules duplicated, IPv6 removed from AllowedIPs. All working and no errors:

root@DietPi:~# wg-quick up wg0
[#] ip route add 192.168.178.0/24 dev eth0 table 51820
[#] ip route add 192.168.178.0/24 dev eth0 table 51821
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.59.244.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51822
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51822
[#] ip -4 rule add not fwmark 51822 table 51822
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
[#] iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
[#] iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
[#] iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[#] iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
[#] iptables -A INPUT -i eth0 -s 192.168.178.0/24 -j ACCEPT
root@DietPi:~# wg-quick down wg0
[#] iptables -D INPUT -i eth0 -s 192.168.178.0/24 -j ACCEPT
[#] ip -4 rule delete table 51822
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] iptables-restore -n
[#] ip route del 192.168.178.0/24 dev eth0 table 51820
[#] ip route del 192.168.178.0/24 dev eth0 table 51821
[#] iptables -D FORWARD -i eth0 -o eth0 -j ACCEPT
[#] iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
[#] iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[#] iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

EDIT: Just noticed a couple of 51822??? How is that possible? :joy:

I have no idea how Wireguard decides which number to use. Maybe it could help to change your rules from PreUp to PostUp.

What do you mean?

Could be that removing IPv6 from AllowedIPs triggered this?

Everything is working btw, also rebooted between duplicating rules and turning vpn on/off with the new conf.
Actually I didn’t reboot immediately, duplicated rules and turned vpn on and got an error, then rebooted and turned on/off vpn.

From PreUp to PostUp.

No, it was evident earlier when we added routes to table 51820 and Wireguard was adding rules to 51821.
Better reboot before any changes.
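As an added illustration (not part of the thread), the moving table number has a simple cause: when no FwMark is set, the Linux wg-quick(8) script starts at 51820 and increments while `ip -4 route show table N` or `ip -6 route show table N` returns anything. A PreUp route added to table 51820 therefore makes wg-quick skip to 51821, and routes in both 51820 and 51821 push it to 52822 minus one, i.e. 51822, exactly the sequence seen in the outputs above. The loop below reproduces that selection offline, with the set of occupied tables passed in as a constructed list instead of querying the kernel:

```shell
#!/bin/sh
# Reproduction of the table-picking loop in wg-quick(8) (Linux script).
# Added illustration: the real script probes each candidate table with
# `ip -4 route show table N` / `ip -6 route show table N`; here the
# occupied tables are a constructed, space-separated list so it runs offline.

# is_occupied TABLE "LIST" -> 0 if TABLE appears in LIST, 1 otherwise
is_occupied() {
    for t in $2; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# pick_table "LIST" -> first table number >= 51820 not in LIST,
# which wg-quick then also uses as the fwmark (51820 = 0xca6c).
pick_table() {
    occupied="$1"
    table=51820
    while is_occupied "$table" "$occupied"; do
        table=$((table + 1))
    done
    echo "$table"
}

# The three situations from the thread, as constructed inputs:
#  no PreUp route             -> 51820 (the 0xca6c mark in the first dump)
#  PreUp route in 51820       -> 51821
#  PreUp routes in 51820+51821 -> 51822
pick_table ""
pick_table "51820"
pick_table "51820 51821"
```

wg-quick reads the mark back with `wg show wg0 fwmark` before running this loop, so a fixed `FwMark = 51820` in [Interface] would keep the table at 51820; that is standard wg-quick behaviour, not something the thread tried.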