I use 3 Cudy WR3000S and one TP-Link EAP225 Outdoor.
One Cudy is the main router (MR), the rest are dumb APs.
Firmware on all devices is 24.10.
2 VLANs are up and running for serving guest to the MR and APs.
The firewall is adjusted to allow access from LAN to Guest because I have some
IoT devices I need to maintain from LAN.
Reboot, otherwise WireGuard cannot be selected for the new interface
Add new interface (check guide) incl. IPv6 -> Done
Add traffic rule for the used port -> Done
Assign firewall zone lan to interface wgserver (check guide 2a.) -> Done
Cannot select only lan, wgserver is auto-selected as well
Optional chapter 2b. contains allow forward to destination zones:
lan zone (to allow connecting to your LAN clients)
wan zone (optional, to give your WG server clients internet access via your
router)
lan zone is enabled via option 2a. in the guide.
Would wan zone mean I can connect from outside and access the internet via
my secured WG connection?
Can I allow that also using option 2a. (the simpler setup)?
Chapter 3. about IPv6 ignored for the moment, do I need that?
Chapter 4. allowing WG to LAN is not clear for me, I just used that part for the NAT
rule because it is a pure SoHo environment
Add NAT rule (check guide chapter 4.), cannot only choose lan for the outbound
zone, wgserver is auto-selected -> Done
Peer setup for WG Server (don't really know what it is)
I assume this is for the devices connecting to the WG server and I leave
the IPv6 part away for the moment (on page 11 a little typo: port is 55443)
Save and generate configuration
Scanned QR code with my Android app
On the phone: switch off WLAN -> activate WG tunnel -> no internet, no
access to private -> deactivate private DNS -> no access to LAN
Question: in the guide it is written that maybe 1.1.1.1 is to be added to the peer
DNS settings, but how to do that? I can only change it when the code is
already generated and it doesn't save changes
Try reboot
I can connect, WG tunnel on mobile is established, but I cannot access LAN.
What config do you need to check my settings?
EDIT: After reboot I cannot activate WG on the phone, message is "Tunnel cannot be activated", what's wrong, any idea?
EDIT2: Works, restarted all again, now it is working
Just checked and can confirm also the access to the guest network is working!
Does anybody know:
How many WireGuard connections can be started in parallel?
Can I just share that QR code with other family members or will that prevent parallel usage, is this requiring a new peer?
It is not possible to have a single peer active on more than one device.
It is possible but it won't work.
I make a new peer for every device I need WG on.
Comment on your first post:
Yes, you need to have a DNS server set, otherwise you cannot resolve DNS requests. Can be Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9 (9.9.9.9), ....
I set it to my local Pi-hole instance, this way I have ad blocking when not at home.
What I noticed, can be wrong:
After editing the WG interface, restart the interface to use the new config.
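The "one peer per device" advice above, as an added example that is not part of the thread and not code from OpenWrt or luci-proto-wireguard: every device gets its own Curve25519 keypair and its own /32 in the tunnel subnet, because WireGuard identifies a peer by its public key and two devices sharing one key fight over the same endpoint slot on the server. X25519 is implemented inline (RFC 7748, Montgomery ladder) so the script runs offline with only the standard library; the subnet 172.22.0.0/24, the device names, the endpoint and the DNS address are assumptions.

```python
import base64
import ipaddress
import os

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, ladder constant from RFC 7748


def clamp(k: bytes) -> bytes:
    """RFC 7748 scalar clamping, the same transform `wg genkey` applies."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def x25519(private: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (RFC 7748 section 5, Montgomery ladder)."""
    k = int.from_bytes(clamp(private), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:                                     # conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    """WireGuard public key = X25519(private, base point u = 9)."""
    return x25519(private, (9).to_bytes(32, "little"))


def keypair() -> tuple[str, str]:
    """Fresh base64 (private, public) pair, like `wg genkey | tee priv | wg pubkey`."""
    priv = clamp(os.urandom(32))
    return base64.b64encode(priv).decode(), base64.b64encode(public_key(priv)).decode()


def plan_peers(devices: list[str], subnet: str, iface: str = "wgserver") -> list[dict]:
    """One peer per device: own keys, own /32; the router keeps the first host (.1)."""
    hosts = ipaddress.ip_network(subnet).hosts()
    next(hosts)                                           # skip the router's .1
    plan = []
    for name, addr in zip(devices, hosts):
        priv, pub = keypair()
        plan.append({"name": name, "iface": iface, "private": priv,
                     "public": pub, "allowed_ip": f"{addr}/32"})
    return plan


def server_stanzas(plan: list[dict]) -> str:
    """UCI peer sections for /etc/config/network. Only the public key belongs
    on the server; the private key stays on the device."""
    return "\n".join(
        f"config wireguard_{p['iface']}\n"
        f"\toption description '{p['name']}'\n"
        f"\toption public_key '{p['public']}'\n"
        f"\toption route_allowed_ips '1'\n"
        f"\toption persistent_keepalive '25'\n"
        f"\tlist allowed_ips '{p['allowed_ip']}'\n"
        for p in plan)


def client_conf(p: dict, server_pub: str, endpoint: str, allowed: str, dns: str) -> str:
    """What the phone app imports (the content behind the LuCI QR code)."""
    return (f"[Interface]\nPrivateKey = {p['private']}\nAddress = {p['allowed_ip']}\n"
            f"DNS = {dns}\n\n[Peer]\nPublicKey = {server_pub}\nEndpoint = {endpoint}\n"
            f"AllowedIPs = {allowed}\nPersistentKeepalive = 25\n")


if __name__ == "__main__":
    plan = plan_peers(["My Peer", "Tobi Peer"], "172.22.0.0/24")   # assumed subnet
    print(server_stanzas(plan))
    _, router_pub = keypair()   # stands in for the router's real wgserver public key
    print(client_conf(plan[0], router_pub, "vpn.example.net:55443",
                      "192.168.2.0/24, 172.22.0.0/24", "192.168.2.1"))
```

The DNS line in the client file is what the earlier question about "adding 1.1.1.1 to the peer DNS settings" refers to: it is a client-side setting, so it belongs in the device's configuration rather than in the router's peer section.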
OK, just created an additional peer with a different IP for that peer and will test if it is possible to use these in parallel. The DNS used is the default DNS from the main router - that is working.
Tested two peers in parallel - works, great!
And now I know what that peer is used for.
Need help with PBR setup, can you please support me?
My requirements:
Running WG server and client in parallel
Restrict WG client to single IPs or a single URL like http://xxx.yyy:8080
Even better or additionally: is it possible to create an additional SSID and
have devices connected to it running via the WG client?
Having the kill switch activated, ensuring a stable outgoing WG connection
WG server and client are successfully set up and running.
I used the two guides from egc as attached - see first post.
When running client and server in parallel, PBR setup is required, but I don't understand the details and how to configure it, can you please support me here?
PBR 1.1.8-r16 is installed and active as well.
Is it now just to "Enable" in status and add a rule in Policies?
If yes, how would such a restriction for e.g. one IP look like?
Here are some details you may require for the PBR config I still couldn't do:
root@Diele:~# ubus call system board
{
	"kernel": "6.6.86",
	"hostname": "Diele",
	"system": "ARMv8 Processor rev 4",
	"model": "Cudy WR3000S v1",
	"board_name": "cudy,wr3000s-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}
root@Diele:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fxxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# LAN rides VLAN 2 on the bridge, guest rides VLAN 3 (see the bridge-vlan sections)
config interface 'lan'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr 'xxx'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option ipv6 'auto'
	option username 'xxx'
	option password 'xxx'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr 'xxx.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan2:t'

# WireGuard server: listens on UDP 55443 (opened by firewall rule Allow-55443-forWG)
config interface 'wgserver'
	option proto 'wireguard'
	option private_key 'xxx='
	option listen_port '55443'
	list addresses 'xxx.1/24'
	list addresses 'xxxd::/48'

# one peer section per device, each with its own key and its own /32
config wireguard_wgserver
	option description 'My Peer'
	option public_key 'xxx'
	option private_key 'xxx'
	option route_allowed_ips '1'
	option endpoint_port '55443'
	option persistent_keepalive '25'
	list allowed_ips '1xxx/32'

config wireguard_wgserver
	option description 'Tobi Peer'
	option public_key 'xxx'
	option private_key 'xxx'
	option route_allowed_ips '1'
	option endpoint_port '55443'
	option persistent_keepalive '25'
	list allowed_ips 'xxx3/32'

# WireGuard client to the VPN provider; allowed_ips 0.0.0.0/0 together with
# route_allowed_ips makes it the router's default route unless PBR steers traffic elsewhere
config interface 'wgclient'
	option proto 'wireguard'
	option private_key 'xxx'
	list addresses 'xxx2/32'
	list dns '1xxx'
	option mtu '1412'

config wireguard_wgclient
	option description 'Imported peer configuration'
	option public_key 'xxxx'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option persistent_keepalive '25'
	option endpoint_host '1xxx'
	option endpoint_port '51820'
	option route_allowed_ips '1'
root@Diele:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# wgserver shares the lan zone (guide option 2a), so WG server clients reach LAN hosts
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wgserver'

# wgclient currently sits in the wan zone (masq applies to it); a kill switch needs it in its own zone
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wgclient'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option src 'guest'
	option name 'Allow-DNS-Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# LAN may reach the guest network (IoT maintenance), guest cannot initiate towards LAN
config forwarding
	option src 'lan'
	option dest 'guest'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'NGINX 443'
	option src 'wan'
	option src_dport '443'
	option dest_ip '1xxx'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'NGINX 80'
	option src 'wan'
	option src_dport '80'
	option dest_ip '1xxx'
	option dest_port '80'

# WireGuard server listen port
config rule
	option src 'wan'
	option name 'Allow-55443-forWG'
	list proto 'udp'
	option dest_port '55443'
	option target 'ACCEPT'

# guide chapter 4: masquerade the WG server subnet towards LAN hosts
config nat
	option name 'SNAT-WGServer'
	list proto 'all'
	option src 'lan'
	option src_ip 'xxx/24'
	option target 'MASQUERADE'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'
root@Diele:~# cat /etc/config/pbr

config pbr 'config'
	option enabled '0'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'dnsmasq.nftset'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_gc_interval ''
	option nft_set_policy 'performance'
	option nft_set_timeout ''
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr 'xxx.5'
	option dest_dns '1.1.1.1'
	option enabled '0'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 xxx.0/24 xxx0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'
root@Diele:~# service pbr restart
Resetting chains and sets [✓]
Removing routing for 'wan/pppoe-wan/62x1' [✓]
Removing routing for 'wgclient/10.2.0.2' [✓]
Setting interface trigger for wan [✓]
Setting interface trigger for wgclient [✓]
ERROR: The pbr service is currently disabled!
root@Diele:~# service pbr status
pbr - environment
pbr 1.1.8-r16 running on OpenWrt 24.10.1.
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
pbr chains - policies
chain pbr_forward { # handle 40
}
chain pbr_input { # handle 41
}
chain pbr_output { # handle 42
}
chain pbr_postrouting { # handle 44
}
chain pbr_prerouting { # handle 43
}
chain pbr_dstnat { # handle 39
}
pbr chains - marking
pbr nft sets
pbr tables & routing
root@Diele:~# ip route show
default via xxx1 dev pppoe-wan proto static
6xx51 dev pppoe-wan proto kernel scope link src xxx6
17xx/24 dev wgserver proto kernel scope link src 17x1
1xxx.2 dev wgserver proto static scope link
17xxx.3 dev wgserver proto static scope link
xxx via 6xxx1 dev pppoe-wan proto static
xxx0/24 dev br-lan.2 proto kernel scope link src xxx1
xxx.0/24 dev br-lan.3 proto kernel scope link src 1xxx.1
root@Diele:~# ip -6 route show
default from 2003:fxxx00::/56 via fe80::eexxx04:8c84 dev pppoe-wan proto static metric 512 pref medium
default from 2003xxxa9a::/64 via fe80::eexxx:8c84 dev pppoe-wan proto static metric 512 pref medium
2003xxx6a00::/64 dev br-lan.2 proto static metric 1024 pref medium
unreachable 2003xxx6a00::/56 dev lo proto static metric 2147483647 pref medium
unreachable 2003:fbxxx:/64 dev lo proto static metric 2147483647 pref medium
fdxxx2d::/48 dev wgserver proto kernel metric 256 pref medium
fd6xxxe9::/64 dev br-lan.2 proto static metric 1024 pref medium
unreachable fxxxae9::/48 dev lo proto static metric 2147483647 pref medium
fe80::xxx26:ce4b:b1e2 dev pppoe-wan proto kernel metric 256 pref medium
fe80::ee38xxx4:8c84 dev pppoe-wan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-lan.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan.3 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
root@Diele:~# ip route show table all
default via 62xxx51 dev pppoe-wan proto static
62xxx51 dev pppoe-wan proto kernel scope link src 93xxx246
17xxx24 dev wgserver proto kernel scope link src 17xxx.1
17xxx dev wgserver proto static scope link
17xxxxxxxxxxxxxxxxxx.3 dev wgserver proto static scope link
19xxx29 via 62.15xxx1 dev pppoe-wan proto static
192xxx/24 dev br-lan.2 proto kernel scope link src 1xxx1
19xxx0/24 dev br-lan.3 proto kernel scope link src 1xxx.1
local 10.2.0.2 dev wgclient table local proto kernel scope host src 10.2.0.2
local 93.2xxx46 dev pppoe-wan table local proto kernel scope host src 93.xxx6
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172xx1 dev wgserver table local proto kernel scope host src 172.xxx
broadcast 172.22xxx255 dev wgserver table local proto kernel scope link src 172.xxx.1
local 19xxx.1 dev br-lan.2 table local proto kernel scope host src 19xxx.1
broadcast 192.xxx55 dev br-lan.2 table local proto kernel scope link src 192xxx.1
local 192xxx.1 dev br-lan.3 table local proto kernel scope host src 19xxx.1
broadcast 19xxx55 dev br-lan.3 table local proto kernel scope link src 192.168.3.1
default from 2003:fb:8x0::/56 via fe80::ee38x84 dev pppoe-wan proto static metric 512 pref medium
default from 2003:fb:x64 via fe80::ee38:x4 dev pppoe-wan proto static metric 512 pref medium
2003:x:/64 dev br-lan.2 proto static metric 1024 pref medium
unreachable 2003:fb:x::/56 dev lo proto static metric 2147483647 pref medium
unreachable 2003:x4 dev lo proto static metric 2147483647 pref medium
fd53x48 dev wgserver proto kernel metric 256 pref medium
fd6x::/64 dev br-lan.2 proto static metric 1024 pref medium
unreachable fd6x9::/48 dev lo proto static metric 2147483647 pref medium
fex6:ce4b:b1e2 dev pppoe-wan proto kernel metric 256 pref medium
fe80::ex84 dev pppoe-wan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-lan.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan.3 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 200xa00:: dev br-lan.2 table local proto kernel metric 0 pref medium
local 2003:fx::1 dev br-lan.2 table local proto kernel metric 0 pref medium
anycast 2003:fb:x: dev pppoe-wan table local proto kernel metric 0 pref medium
local 2003:fb:87x1e2 dev pppoe-wan table local proto kernel metric 0 pref medium
local fdxd:: dev wgserver table local proto kernel metric 0 pref medium
anycast fdxe9:: dev br-lan.2 table local proto kernel metric 0 pref medium
local fdx9::1 dev br-lan.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan.3 table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local fe80::8x:f910 dev eth0 table local proto kernel metric 0 pref medium
local fe80::82x10 dev br-lan.3 table local proto kernel metric 0 pref medium
local fe80::82x10 dev br-lan.2 table local proto kernel metric 0 pref medium
local fe80::8x0 dev br-lan table local proto kernel metric 0 pref medium
local fe80::8x11 dev wan table local proto kernel metric 0 pref medium
local fe80::8cxe2 dev pppoe-wan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan.2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wgserver table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan.3 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev pppoe-wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wgclient table local proto kernel metric 256 pref medium
root@Diele:~# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@Diele:~# wg show
interface: wgserver
  public key: xxx=
  private key: (hidden)
  listening port: 55443

peer: x
  endpoint: 6x57
  allowed ips: 17x2/32
  latest handshake: 2 days, 20 hours, 1 minute, 14 seconds ago
  transfer: 1.65 MiB received, 14.54 MiB sent
  persistent keepalive: every 25 seconds

peer: x
  allowed ips: 1x3/32
  persistent keepalive: every 25 seconds

interface: wgclient
  public key: x=
  private key: (hidden)
  listening port: 46937

peer: x=
  endpoint: 19x20
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 45 seconds ago
  transfer: 176.63 KiB received, 653.37 KiB sent
  persistent keepalive: every 25 seconds
To just route an SSID or a single client, start with disabling the default route via the WG client by disabling Route Allowed IPs.
Reboot afterwards to get default routing back, or do:
service network restart
service pbr restart
To route e.g. a single client, make a PBR policy using the MAC address of that client (because you are also using IPv6 and that covers IPv6 as well) and set the WG client as interface.
You can also use a device as source, e.g. br-lan or br-guest (the device is what is given by ifconfig); precede the device name with @.
So if you make a guest subnet you can just route that whole subnet, including an attached SSID, via the WG client in this way.
The above is all covered in the PBR README, I recommend reading it.
A kill switch for a whole subnet is easy: only forward from the guest zone to the WG client zone and not to the WAN zone, but of course for that you have to create a WG client zone, move the WG client interface from the wan zone to the WG client firewall zone, and have no forwarding from the guest zone to the wan zone.
For a single client you can make a kill switch with a traffic rule (again you need to make a separate WG client firewall zone as outlined in my notes) blocking traffic via the WAN.
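The subnet kill switch described above can be checked mechanically. What follows is an added example, not code from the thread or from OpenWrt: a minimal reader for UCI files and an audit that flags the three things the firewall must get right for a zone-based kill switch (the WG client in its own zone rather than wan, that zone masquerading, the protected zone forwarding only to that zone and never to wan). The two configs are constructed, trimmed versions of the firewall posted earlier, first as it is now, then in the layout the post describes. PBR still has to steer the subnet into the tunnel; this script only checks that the firewall cannot let traffic fall back to the WAN if the tunnel is down.

```python
import shlex

# constructed: the relevant parts of the posted firewall, wgclient in the wan zone
LEAKY = """
config zone
	option name 'wan'
	option masq '1'
	list network 'wan'
	list network 'wan6'
	list network 'wgclient'

config zone
	option name 'guest'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'
"""

# constructed: the kill-switch layout, a dedicated zone (name assumed: 'vpn')
KILLSWITCH = """
config zone
	option name 'wan'
	option masq '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'vpn'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wgclient'

config zone
	option name 'guest'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'vpn'
"""


def parse_uci(text: str) -> list[dict]:
    """Return one dict per `config` section; options are strings, lists are lists.
    The section type/name are stored under '.type'/'.name' so `option name` cannot clash."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({".type": parts[1], ".name": parts[2] if len(parts) > 2 else None})
        elif parts[0] == "option" and sections:
            sections[-1][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and sections:
            sections[-1].setdefault(parts[1], []).append(parts[2])
    return sections


def zone_of(cfg: list[dict], iface: str):
    """The zone section whose `list network` contains iface, or None."""
    for s in cfg:
        if s[".type"] == "zone" and iface in s.get("network", []):
            return s
    return None


def audit_kill_switch(cfg: list[dict], vpn_iface: str = "wgclient", protected: str = "guest") -> list[str]:
    """Findings are plain strings; an empty list means the firewall side is right."""
    findings = []
    zone = zone_of(cfg, vpn_iface)
    fwds = {(s.get("src"), s.get("dest")) for s in cfg if s[".type"] == "forwarding"}
    if zone is None:
        findings.append(f"{vpn_iface} is not in any zone")
    elif zone["name"] == "wan":
        findings.append(f"{vpn_iface} shares the wan zone, so {protected}->wan cannot be told apart from {protected}->tunnel")
    else:
        if zone.get("masq") != "1":
            findings.append(f"zone {zone['name']} lacks masq, tunnel traffic would leave with an unroutable source")
        if (protected, zone["name"]) not in fwds:
            findings.append(f"no forwarding {protected}->{zone['name']}, the subnet cannot use the tunnel")
    if (protected, "wan") in fwds:
        findings.append(f"forwarding {protected}->wan exists: traffic bypasses the tunnel whenever it is down")
    return findings


if __name__ == "__main__":
    for label, text in (("current", LEAKY), ("kill switch", KILLSWITCH)):
        print(label, audit_kill_switch(parse_uci(text)) or ["OK"])
```

Run it against your own file with `audit_kill_switch(parse_uci(open("/etc/config/firewall").read()))`; it does not evaluate traffic rules, so a single-client rule-based kill switch is out of its scope.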
root@Diele:~# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@Diele:~# ip rule
0: from all lookup local
29998: from all fwmark 0x20000/0xff0000 lookup pbr_wgclient
29999: from all sport 55443 lookup pbr_wan
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766: from all lookup main
32767: from all lookup default
Nothing else changed yet and the WG server is still working.
That is already good.
But for the rest I cannot really follow you, that isn't easy ...
I really prefer LuCI for configuration if possible.
When reading your comments I think I would prefer the single
client method because I can control LAN and WLAN devices, right?
I would like to use that WG client for standard IPs with WAN access,
or is this not recommendable?
And is it also possible to restrict a single URL, e.g. http://xxx.yyy?
Yes, by default the WG server port is routed via the WAN.
You can do everything with LuCI.
Sure, use the MAC address of the client as outlined in my previous post as source in the PBR policy rule. Make sure your client is not using a random MAC address.
Not exactly sure what you mean.
As it is set up now, everything is routed via the WireGuard client by default because you enabled Route Allowed IPs on the WireGuard client peer.
If you want to have everything routed via the WAN by default, then disable Route Allowed IPs on the WireGuard Client Interface > Peers > Edit the peer.
Sure, you can test it with e.g. ipleak.net to see it working; set this in the destination field of the PBR policy rule.
Mind you, your LAN client and also the router will cache DNS results, so reboot your client and reboot the router to take effect.
Wait a sec, that means the whole outgoing traffic is now via the VPN client?
So I need to disable that and use the PBR rule for activating the following specific rules, IPs, ...? I just rebooted and I think you are right, now it is all via the WG client, speed is a little down and it took a while until internet was back, assuming the VPN connection took a moment. OK, that standard behavior I need to change.
What I don't understand: you mentioned that without PBR, WG client and WG server won't properly work in parallel. And why is it working now, when I don't use any rule yet?
Cannot find the fields source and destination in the GUI for the PBR rule.
There are 3 examples in the PBR section, all not active. Will I need to activate them when changing this "Route Allowed IPs"?
I already explained that: the PBR app by default routes the WireGuard server traffic (using the listen port) back via the WAN, as can be seen with ip rule show.
How about setting your thinking cap on?
Local = source and Remote = destination.
So set the MAC address in the Local field and set the interface you want to use in the Interface field, that is all there is.
Check from the client with ipleak.net.
OK, that works - almost.
I use the MAC of the IP, but ipleak.net shows me IPv4 is using the VPN, IPv6 isn't. So I assume it is because I wasn't completely following your setup guide concerning the IPv6 settings. Surprised that it works like that and IPv6 is unprotected, that means IPv6 and IPv4 are fully separated!
Will check your guide and check what I didn't complete for IPv6, or is there maybe another issue I can't see?
Further, in the settings I didn't change Protocol and Chain, is that something to be adjusted?
Also I see there a PBR rule example for "Ignore Local Requests", that isn't important for me when disabling "Route Allowed IPs", right?
Just checking the settings for "network", there is a slight difference when comparing with your docu in list allowed_ips:
config wireguard_wgclient
	option description 'Imported peer configuration'
	option public_key 'n'
	option persistent_keepalive '25'
	option endpoint_host '19'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0' # -> in your file this is ::/0 - does it matter?
	list allowed_ips '::/1'
	list allowed_ips '8000::/0'
Further, for the firewall settings I was choosing the "Easy method"; I cannot find the IPv6 in the WireGuard interface as stated in the guide. Where can I find the IPv6? Is it maybe the one I can see in ipleak.net?
Your VPN provider should give you that IPv6 address in the WireGuard config.
If your provider does not support IPv6, not a big problem, then ipleak.net should show IPv6 unreachable; of course you will not have an IPv6 connection, but at least no IPv6 leak.
In that case no need to masquerade.
Using Proton Free for this test and I assume they don't provide IPv6 yet.
But I still had the IPv6 leak when using ipleak.net. Now changed this to 8000::/1 (I think there is a typo in your guide) and also activated the IPv6 support in the PBR config.
Success! Checking again and now I do have "IPv6 not reachable" in ipleak.net and the IPv4 of course is somewhere else ...
Now I am thinking about adjusting DNS but don't know if it is really necessary.
Is this DNS change only valid for that WG client or for the whole traffic?
EDIT: Just tested changing the DNS for WAN to Proton DNS -> result: internet access gone, so I won't use that. I can even see the wrong DNS with dnsleaktest.com, so I do have a DNS leak.
And for the kill switch I think I would try the watchdog instead of changing the config for that.
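Why the `::/1` plus `8000::/1` pair in the client's allowed IPs closes the IPv6 leak, and why `8000::/0` could not, as an added example that is not part of the thread and not code from WireGuard or OpenWrt. With Route Allowed IPs enabled the router installs one route per AllowedIPs prefix; a plain `::/0` through the tunnel ties with the WAN default route on prefix length, whereas the two /1 halves cover the same space and win longest-prefix match against it. The same trick applies to IPv4 (`0.0.0.0/1` plus `128.0.0.0/1`), which the table below includes as a generalization. The routing table and the device names are constructed; it models kernel route selection only, not PBR's fwmark rules.

```python
import ipaddress


def parse_allowed_ip(prefix: str):
    """Strict parse as WireGuard/netifd would: '8000::/0' has host bits set in a
    /0 and is rejected; '::0/0' is only a spelling of '::/0'."""
    try:
        return ipaddress.ip_network(prefix)
    except ValueError:
        return None


def covers_everything(prefixes: list[str]) -> bool:
    """True when the prefixes (one address family) merge into the whole space."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    merged = list(ipaddress.collapse_addresses(nets))
    return len(merged) == 1 and merged[0].prefixlen == 0


def route(table: list[tuple[str, str]], dst: str):
    """Longest-prefix match over (prefix, device) pairs. On equal prefix length
    the first entry wins here; on a real router the metric decides."""
    dst_addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if net.version != dst_addr.version or dst_addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, dev)
    return best[1] if best else None


# constructed: WAN default routes plus what route_allowed_ips installs for the
# wgclient peer once the /1 halves are in AllowedIPs, plus a LAN prefix
TABLE = [
    ("::/0", "pppoe-wan"),
    ("0.0.0.0/0", "pppoe-wan"),
    ("::/1", "wgclient"),
    ("8000::/1", "wgclient"),
    ("0.0.0.0/1", "wgclient"),
    ("128.0.0.0/1", "wgclient"),
    ("192.168.2.0/24", "br-lan.2"),
]

# constructed: the same router with only '::/0' through the tunnel (ties with WAN)
TIED = [("::/0", "pppoe-wan"), ("::/0", "wgclient")]


def leak_report(table: list[tuple[str, str]], probes: list[str]) -> dict:
    """Which device each probe address would leave through."""
    return {p: route(table, p) for p in probes}


if __name__ == "__main__":
    for p in ("::0/0", "::/1", "8000::/1", "8000::/0"):
        print(p, "->", parse_allowed_ip(p))
    print(leak_report(TABLE, ["2001:db8::1", "1.1.1.1", "192.168.2.10"]))
    print(leak_report(TIED, ["2001:db8::1"]))
```

The tie case is what an ipleak.net test with IPv4 in the tunnel and IPv6 on the WAN looks like from the routing side; once the halves are in place every address of both families matches a tunnel route more specific than the default.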