You should also post your complete configuration if you have questions because it is hard to follow the thread.
The thread consists mainly of words and not screenshots
And since the thread is now 3 pages long, I would also recommend that you read the Wireguard documentation - everything is actually explained there. _________________ Quickstart guides:
Some sites still come up but most don't with the killswitch enabled. i.e. dnsleaktest.com still comes up. I left the kill switch turned off for now.
ho1Aetoo wrote:
You should also post your complete configuration if you have questions because it is hard to follow the thread.
The thread consists mainly of words and not screenshots
There are some screenshots on the first page but they're mostly about the local WG server. I've attached more screenshots with the client WG (for connecting to nordvpn). I made some changes to the services page also.
ho1Aetoo wrote:
And since the thread is now 3 pages long, I would also recommend that you read the Wireguard documentation - everything is actually explained there.
I disagree. I've had to shuffle between several guides to make this work at all and some of the documentation has acknowledged that the information may be incomplete or has errors. I'm doing the best I can to get it figured out. From my point of view my config should be working and for the most part it is.
Sorry, but without killswitch there is no security.
If the tunnel is down or the Wireguard server is unavailable, everything goes out via the WAN.
Then you don't have to be surprised if your IP address is revealed.
Everything works here.
I use wireguard myself and have a complicated setup with wireguard server and wireguard clients and various VLANs etc.
And you have activated options in the Wireguard client setup that make no sense to me because they are for a Wireguard server or a site to site setup but not for simple clients such as "Allow Clients WAN Access" or "Bypass LAN Same-Origin Policy".
Your dnsmasq options are also wild
Sorry, but without killswitch there is no security.
If the tunnel is down or the Wireguard server is unavailable, everything goes out via the WAN.
If websites are seeing my VPN IP I have to assume that the tunnel is up. Not to mention that the Wireguard status field shows handshaking and traffic flow through the tunnel is happening. Some sites see my actual IP so if the tunnel is functioning then why do some sites see my real IP?
ho1Aetoo wrote:
Then you don't have to be surprised if your IP address is revealed.
Everything works here.
I use wireguard myself and have a complicated setup with wireguard server and wireguard clients and various VLANs etc.
And you have activated options in the Wireguard client setup that make no sense to me because they are for a Wireguard server or a site to site setup but not for simple clients such as "Allow Clients WAN Access" or "Bypass LAN Same-Origin Policy".
I unchecked those boxes - no change and nothing stopped working.
ho1Aetoo wrote:
Your dnsmasq options are also wild
In what way? The Smart DNS settings are almost the same as the egc tutorial and seem to be working properly. dnsmasq optional settings have been cleaned up but made no difference. I know you can't see all the optional settings. I've included the full settings list below.
Smart DNS additional settings:
log-file /opt/var/log/smartdnsegc.log
log-level notice
# fatal,error,warn,notice,info,debug
log-size 8K
#audit-enable yes
#audit-file /tmp/smartdns-audit.log
server 8.8.8.8 -bootstrap-dns
server 8.8.8.8 -group time -exclude-default-group
nameserver /pool.ntp.org/time
server-tls 9.9.9.9:853 -host-name dns.quad9.net
server-tls 1.0.0.1:853 -host-name cloudflare-dns.com
server-https https://1.0.0.1/dns-query
server-https https://9.9.9.9/dns-query
dnsmasq additional config:
# manual says this is necessary to cut thru WG server to WG client (nordvpn)
interface=oet2
all-servers
# optional
user=nobody
johnnyNobody999 wrote:
If websites are seeing my VPN IP I have to assume that the
tunnel is up. Not to mention that the Wireguard status field shows handshaking and traffic flow through the tunnel is happening. Some sites see my actual IP so if the tunnel is functioning then why do some sites see my real IP?
Well, probably because something is leaking and you should stop the leak.
Parts of the screenshot are masked and I have no idea what you have configured via PBR, for example.
As I said, you should read the Wireguard documentation that you can find here in the forum.
And you should read up on what a killswitch is.
A killswitch prevents traffic from going out via the WAN interface if the tunnel is down.
I don't know exactly how the GUI killswitch works, egc's documentation says that the killswitch is intelligent and takes PBR into account.
(I have always created my killswitches myself, customised to my needs)
If you activate the killswitch and describe that some pages then no longer work and also describe that some pages recognise your Wireguard IP and other pages your ISP IP then this fits in quite well with the leak theory.
This is a half-baked configuration that does not work properly and has leaks.
The killswitch only closes these leaks.
So you have to fix your configuration so that unwanted traffic does not go out via WAN; then there are no problems with the killswitch.
Parts of the screenshot are masked and I have no idea what you have configured via PBR, for example.
Source for PBR:
sport$(nvram get oet2_port) #for routing WG server - this is specified in the docs.
dport 25 #SMTP VPN bypass
192.168.###.###,192.168.###.###,192.168.###.### #routes certain LAN clients directly to WAN
Destination for PBR:
$$$$$$$.infinitecampus.org #a website that rejects VPN access - this bypasses the VPN
ho1Aetoo wrote:
As I said, you should read the Wireguard documentation that you can find here in the forum.
And you should read up on what a killswitch is.
I know what a kill switch is for but I don't know the technical details how it works.
ho1Aetoo wrote:
A killswitch prevents traffic from going out via the WAN interface if the tunnel is down.
I don't know exactly how the GUI killswitch works, egc's documentation says that the killswitch is intelligent and takes PBR into account.
(I have always created my killswitches myself, customised to my needs)
If you activate the killswitch and describe that some pages then no longer work and also describe that some pages recognise your Wireguard IP and other pages your ISP IP then this fits in quite well with the leak theory.
I'm wondering why the killswitch would stop sources in the PBR field that are intended to go directly out on the WAN. That makes no sense to me.
I'm still trying to make sense of iptables also. Correct me if I'm wrong, the following code is for a killswitch that prevents that IP address from connecting to the WAN. Does that mean it forces that IP to use the VPN? I'm trying not to experiment too much so that the wife doesn't get angry.
iptables -I FORWARD -s 192.168.1.100 -o $(get_wanface) -m state --state NEW -j REJECT
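The "intelligent" killswitch ho1Aetoo describes (one that takes PBR into account) and the single-host rule quoted above are the same idea at two sizes: every flow that PBR deliberately sends out the WAN gets an explicit exemption, and anything else that would start a new connection out the WAN interface is rejected. The script below is an added example written for this thread, not egc's GUI killswitch and not code from either poster; the interface name, the two bypass hosts and the bypass port are assumptions standing in for the masked values in the PBR fields above. It only prints the iptables commands unless invoked with `apply`, so it can be read before anything is touched.

```shell
#!/bin/sh
# Added example (not from the thread, not egc's GUI killswitch): a PBR-aware
# WireGuard killswitch for LAN clients behind a DD-WRT-style router, as
# iptables rules on the FORWARD chain. All values below are assumptions.
WAN_IF="${WAN_IF:-eth0}"                                   # on DD-WRT: $(get_wanface)
BYPASS_HOSTS="${BYPASS_HOSTS:-192.168.1.50 192.168.1.51}"  # PBR "direct to WAN" clients
BYPASS_DPORTS="${BYPASS_DPORTS:-25}"                       # PBR destination-port bypass (SMTP)

# Emit the iptables commands. Flows that PBR intentionally routes via the
# WAN are exempted first (RETURN); any other NEW forwarded flow leaving via
# the WAN is rejected, so a dropped tunnel cannot silently fall back to the
# ISP connection. Established flows are untouched, exactly like the
# single-host rule in the thread (-m state --state NEW -j REJECT).
# Traffic the router itself originates (the WireGuard server's own UDP
# replies with sport oet2_port, the VPN client's handshake to its endpoint)
# passes through OUTPUT, not FORWARD, and is deliberately not handled here.
killswitch_rules() {
  echo "iptables -N WG_KILLSWITCH 2>/dev/null"
  echo "iptables -F WG_KILLSWITCH"
  for h in $BYPASS_HOSTS; do
    echo "iptables -A WG_KILLSWITCH -s $h -j RETURN"
  done
  for p in $BYPASS_DPORTS; do
    echo "iptables -A WG_KILLSWITCH -p tcp --dport $p -j RETURN"
  done
  echo "iptables -A WG_KILLSWITCH -m state --state NEW -j REJECT"
  # Hook: only packets being forwarded out the WAN interface enter the chain.
  # The -D first makes re-running the script idempotent.
  echo "iptables -D FORWARD -o $WAN_IF -j WG_KILLSWITCH 2>/dev/null"
  echo "iptables -I FORWARD -o $WAN_IF -j WG_KILLSWITCH"
}

# Sanity check: number of RETURN exemptions that precede the final REJECT.
# It must equal the number of PBR bypass hosts plus bypass ports.
exemption_count() {
  killswitch_rules | grep -c -- '-j RETURN'
}

case "${1:-print}" in
  apply) killswitch_rules | sh ;;   # run as root on the router
  *)     killswitch_rules ;;        # dry run: only show the rules
esac
```

After applying, `iptables -L WG_KILLSWITCH -v -n` shows a packet counter per rule; a rising counter on the REJECT line while the tunnel is up is exactly the "leak" ho1Aetoo is talking about, and the source address of those packets tells you which client or service still needs either a PBR exemption or a route into the tunnel.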
Joined: 04 Aug 2018, Posts: 1560, Location: Appalachian mountains, USA
Posted: Sat Apr 26, 2025 15:50
You have Allowed IPs set to "0.0.0.0/1,127.0.0.0/1" when it should be "0.0.0.0/1,128.0.0.0/1". That will break pretty much everything.
While you are at it, consider unchecking "Allow Clients WAN Access", which is a feature for servers, not clients. Also, I'm rusty on the precise meaning of "Bypass LAN Same-Origin Policy", but I notice I don't have it checked in any of the dozen or so client tunnels I manage on my various routers. Perhaps it's a server thing as well.
_________________
On 59582: 2x Dynalink DL-WRX36, Linksys MX4200v2, MR7350. On 61465: DL-WRX36, MR7350. WPA2personal/WPA3 w/ AES, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), Two SmartDNS/DoT providers and one DNSCrypt provider via VPNs. DNSmasq manages that plus ad blocking and local DNS.
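Why "0.0.0.0/1,127.0.0.0/1" breaks things while "0.0.0.0/1,128.0.0.0/1" works is easier to see by computing what each prefix actually covers. A /1 keeps only the top bit of the address, so 127.0.0.0/1 (top bit 0) is the same network as 0.0.0.0/1, and the upper half of the address space (128.0.0.0 to 255.255.255.255) is never sent into the tunnel; sites whose address starts with 128 or above therefore see the ISP IP while sites below 128 see the VPN IP, which matches the split behaviour reported earlier in the thread. The script below is an added example, not code from SurprisedItWorks or the DD-WRT guide; the destination addresses in the demonstration loop are just sample public addresses picked so that there is one on each side of the 128 boundary.

```shell
#!/bin/sh
# Added example (not from the thread): compute which destinations a
# WireGuard Allowed IPs list covers, in plain POSIX sh arithmetic.
# No network access; sample addresses only.

# dotted quad -> 32-bit integer
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask for a prefix length 0..32, as an integer
prefix_mask() {
  if [ "$1" -eq 0 ]; then echo 0; else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# Normalise a CIDR to its network address. Only the bits inside the prefix
# length take part in routing, so 127.0.0.0/1 -> 0.0.0.0/1: it is the same
# route as 0.0.0.0/1, not the upper half of the Internet.
cidr_network() {
  bits=${1#*/}
  mask=$(prefix_mask "$bits")
  echo "$(int2ip $(( $(ip2int "${1%/*}") & mask )))/$bits"
}

# in_cidr IP CIDR -> exit status 0 if IP lies inside CIDR
in_cidr() {
  mask=$(prefix_mask "${2#*/}")
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# routed_by IP "cidr,cidr,..." -> prints "tunnel" if any Allowed IPs prefix
# covers IP (the kernel routes it into the WireGuard interface), else "WAN".
routed_by() {
  ip=$1
  for cidr in $(echo "$2" | tr ',' ' '); do
    if in_cidr "$ip" "$cidr"; then echo tunnel; return 0; fi
  done
  echo WAN
}

# Demonstration with the two Allowed IPs strings from the thread.
wrong="0.0.0.0/1,127.0.0.0/1"
right="0.0.0.0/1,128.0.0.0/1"
echo "127.0.0.0/1 is really $(cidr_network 127.0.0.0/1); 128.0.0.0/1 is $(cidr_network 128.0.0.0/1)"
for dst in 9.9.9.9 1.0.0.1 208.67.222.222 185.199.108.153; do
  printf '%-16s wrong=%-6s right=%s\n' "$dst" "$(routed_by "$dst" "$wrong")" "$(routed_by "$dst" "$right")"
done
```

The same check explains the server-side list from the DD-WRT guide ("192.168.x.0/24,10.x.x.0/24,0.0.0.0/1,128.0.0.0/1"): the two private /24s keep LAN and tunnel-peer traffic inside the tunnel, and the two /1 halves together are a complete default route, which a single 0.0.0.0/0 would also be, except that two /1 routes are more specific than the WAN's default route and therefore win without any metric games.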
You have Allowed IPs set to "0.0.0.0/1,127.0.0.0/1" when it should be "0.0.0.0/1,128.0.0.0/1". That will break pretty much everything.
Wow. I need to get my eyes checked. I went over the config several times and missed that. I fixed it and now things function correctly. THANKS.
SurprisedItWorks wrote:
While you are at it, consider unchecking "Allow Clients WAN Access", which is a feature for servers, not clients. Also, I'm rusty on the precise meaning of "Bypass LAN Same-Origin Policy", but I notice I don't have it checked in any of the dozen or so client tunnels I manage on my various routers. Perhaps it's a server thing as well.
I unchecked those yesterday. It didn't make any difference whether they were checked or unchecked (that I could tell). I left them unchecked.
Well, the killswitch is working properly and there doesn't seem to be any more "leaks". But I just discovered that I can't get traffic to flow between the client (nordvpn) and the local wireguard server when connecting via cell data. Works fine when the phone is connected from the LAN side but not the WAN/cell side even though it's talking to the wireguard server (no handshake but data transfer). The guide says to set the server allowed IPs to 192.168.###.###/24,10.###.###.0/24,0.0.0.0/1,128.0.0.0/1 (DD-WRT WireGuard Advanced Setup v.26, page 24, route allowed IPs). But there's no internet traffic to the phone using cell data. What am I missing?
UPDATE: Problem solved by adding sport <oet2 port> to the oet1 Source for PBR. For some reason sport$(nvram get oet2_port) didn't work. On to my next project.