tmick

bluetit config questions

Posted ... (edited)

Okay, so I downloaded and installed the AirVPN suite, and it seemed to work for a bit. Then it stopped. I was looking through the instructions and saw that I need to do additional configuration. Okay, so it doesn't use dpkg in Debian, oh well. I saw where it tells you what information to put, but not where to get it?
My Bluetit.rc looks like this:

#
# bluetit runcontrol file
#

# AirVPN bootstrap servers

bootserver                  http://63.33.78.166
bootserver                  http://54.93.175.114
bootserver                  http://82.196.3.205
bootserver                  http://63.33.116.50
bootserver                  http://[2a03:b0c0:0:1010::9b:c001]

# RSA Parameters

rsaexponent                 AQAB
rsamodulus                  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

# bootserver                <ip|url>
# rsaexponent                <value>
# rsamodulus                <value>
# airconnectatboot            <off|quick|server|country>
# networklockpersist        <on|nftables|iptables|pf|off>
# airusername                <airvpn_username>
# airpassword                <aivpn_password>
# airkey                    <airvpn_user_key>
# airserver                    <airvpn_server_name>
# aircountry                <airvpn_country_name>
# airproto                    <udp|tcp>
# airport                    <port>
# aircipher                    <cipher_name>
# airipv6                    <yes|no>
# air6to4                    <yes|no>
# manifestupdateinterval    <minutes>
# airwhiteserverlist        <server list>
# airblackserverlist        <server list>
# airwhitecountrylist        <server list>
# airblackcountrylist        <server list>
# country                    <ISO code>
# remote                    <ip|url list>
# proto                        <udp|tcp>
# port                        <port>
# tunpersist                <yes|no>
# cipher                    <cipher_names>
# maxconnretries            <number>
# tcpqueuelimit                <value>
# ncpdisable                <yes|no>
# networklock                <on|nftables|iptables|pf|off>
# ignorednspush                <yes|no>
# timeout                    <seconds>
# compress                    <yes|no|asym>
# tlsversionmin                <disabled|default|tls_1_x>
# proxyhost                    <ip|url>
# proxyport                    <port>
# proxyusername                <username>
# proxypassword                <password>
# proxybasic                <yes|no>


So what do I have to un-comment or add to make it work when I reboot the computer?
Are there any additional configurations for Hummingbird and Goldcrest I need?
My choices for VPN Clients are OpenVPN and StrongSwan which one and what dependent packages are needed?
Also do I need to create a rule in NFTables for tun0 (what I'll name the VPN connection)
I'm on Debian Bookworm with Linux DebianTim 5.17.0-1-rt-amd64 #1 SMP PREEMPT_RT Debian 5.17.3-1 (2022-04-18) x86_64 GNU/Linux


Thanks in advance.

Edited ... by OpenSourcerer
Apply LOG format to file contents

Daaa Baby Smurf do do do😁

15 hours ago, tmick said:

So what do I have to un-comment or add to make it work when I reboot the computer?


airconnectatboot quick/server/country
[airserver server]
[aircountry cc]
[airwhiteserverlist server,server,…]
[airblackserverlist server,server,…]
[airwhitecountrylist cc,cc,…]
[airblackcountrylist cc,cc,…]
  • quick: Connect to a recommended server chosen from all servers, or those defined in airwhiteserverlist and/or airwhitecountrylist, excluding those in airblackserverlist and/or airblackcountrylist.
  • server: Use the server defined in airserver directive.
  • country: Use the list of countries defined in aircountry directive.
  • cc = country code. us, uk, de,…
If you want IPv6 connectivity, too:
airipv6 on
 
16 hours ago, tmick said:

Are there any additional configurations for Hummingbird and Goldcrest I need?


No one knows what you want exactly. README.
 
16 hours ago, tmick said:

My choices for VPN Clients are OpenVPN and StrongSwan which one and what dependent packages are needed?


StrongSwan is an IPsec client, IPsec is unsupported.
Otherwise, it's a strange question. apt-get install openvpn will take care of everything. But you might choose to install iptables or nftables (preferred) as well if you want Network Lock.
 
16 hours ago, tmick said:

Also do I need to create a rule in NFTables for tun0 (what I'll name the VPN connection)


Let the AirVPN suite take care of that itself using the networklock nftables option.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

3 hours ago, OpenSourcerer said:

airconnectatboot quick/server/country
[airserver server]
[aircountry cc]

so it should look like
airconnectatboot country
US
? Is that what I need to do?
Also for Goldcrest config, where would I find any of this info:
  • air-server: (string) Default AirVPN server to be used in any AirVPN connection. Default: empty

  • air-tls-mode: (auto/auth/crypt) Default tls mode for AirVPN connection. Default: empty

  • air-ipv6: (on/off) Enable or disable IPv6 for AirVPN connection. Default: off

  • air-6to4: (on/off) Enable or disable IPv6 over IPv4 for AirVPN connection. Default: off

  • air-user: (string) Default AirVPN username. Default: empty

  • air-password: (string) Default AirVPN username password. Please note password is written in this file as plain, therefore it is visible to anyone editing the configuration file. For security reason, the user is advised to not store the user password in the configuration file and to enter it at each use. For more information on AirVPN user access, please see below. Default: empty

  • air-key: (string) Default AirVPN user key to be used for all AirVPN operations and as defined in the "client area" in AirVPN web site. Default: empty

  • cipher: (string) Default cipher algorithm name for all VPN connections. Default: empty

  • proto: (udp/tcp) Default protocol for all VPN connections. Default: empty

  • server: (string) Default server IP address or URL to be used for generic OpenVPN connection. Default: empty

  • port: (number) Default port number for all VPN connections. Default: empty

  • tcp-queue-limit: (integer) Define the maximum number of queued TCP output packets. In case this value is too small, it is very likely the queue becomes frequently full therefore leading to data loss. This is particularly true for high speed connections. Default: 8192

  • ncp-disable: (yes/no) Control whether the Negotiable Crypto Parameters (NCP) is enabled or disabled by default. NCP is essential in order to let the OpenVPN client force a specific cipher algorithm in case of OpenVPN servers prior to 2.5 version. Default: on

  • network-lock: (string) Define the network lock method to be used during the connection. Network lock is an exclusive AirVPN feature in order to prevent data leakage in case of accidental disconnection by keeping the network traffic on a locked state. Network locking is done by a specific set of firewall rules allowing traffic to and from the connected server only. Possible values are: on (automatic), iptables, nftable, pf or off. The "on" value automatically detects the firewall system in use. Default: on

  • ignore-dns-push: (yes/no) Define whether the connection process should ignore the DNS setting pushed by the server or not. In case DNS push is ignored, connection will use current system DNS configuration. Default: no

  • allowuaf: (yes/no/default) Allow unused address families. Default: default

  • timeout: (integer) Connection timeout in seconds. Default: 0 (retry indefinitely)

  • compress: (string) Compression mode. Possible values: yes, allow compression on both uplink and downlink; asym - allow compression on downlink only; no - support compression stubs only. Default: no

  • proxy-host: (string) Proxy IP address or URL. Default: empty

  • proxy-port: (integer) Proxy port number. Default: empty

  • proxy-username: (string) Proxy user name. Default: empty

  • proxy-password: (string) Proxy user password. Default: empty

  • proxy-basic: (yes/no) Allow HTTP basic auth for proxy connection. Default: no

  • alt-proxy: (yes/no) enable alternative proxy module. Default: no

  • persist-tun: (on/off) Enable or disable tunnel persistence. In case it is enabled the tun device is kept active in case of VPN connection loss or pause. This usually prevents traffic leaks during reconnection or accidental disconnection. Default: on

  • conn-stat-interval: (integer) Interval time in seconds for connection statistics logging. When set to 0, connection statistics logging is disabled. Default: 60 seconds

    I'm assuming this is where I set IP6 = ON
    But where do I find any of the info for the config in there??
     


Daaa Baby Smurf do do do😁

22 hours ago, tmick said:

airconnectatboot country


airconnectatboot, then one of the options quick, country or server.
If you choose country, set aircountry to the preferred country.
If you choose server, set airserver to the preferred server.
 
22 hours ago, tmick said:

Also for Goldcrest config, where would I find any of this info:


Not sure what you're asking, you copy-pasted the documentation of the rc file…
 
22 hours ago, tmick said:

I'm assuming this is where I set IP6 = ON


Depends. Bluetit as the backend and Goldcrest as a user frontend are two different pairs of boots; both use their own rc file. In regards to IPv6: The setting in bluetit.rc is air-ipv6. The setting in goldcrest.rc would be allowuaf.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.


Okay, I decided to try the WireGuard generated config file and it seems to be working like I want without a bunch of hassle.
I'm not sure if the Network lock is in that, I looked at the file and there's nothing explicitly calling it, so it's either automatic or not used. I'm guessing automatic though.


Daaa Baby Smurf do do do😁

On 5/24/2022 at 3:12 AM, tmick said:

I'm not sure if the Network lock is in that, I looked at the file and there's nothing explicitly calling it, so it's either automatic or not used. I'm guessing automatic though.


There is no automation in computing, only a config a human wrote and some code applying it, which a human also wrote. Please look in the logs for the answer. If you need help, post the logs.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

20 minutes ago, OpenSourcerer said:

There is no automation in computing, only a config a human wrote and some code applying it, which a human also wrote. Please look in the logs for the answer. If you need help, post the logs.

Well, it might be something in WireGuard's settings. This site shows I'm connected to the VPN, running nft list ruleset shows:
table ip sshguard {
	set attackers {
		type ipv4_addr
		flags interval
	}

	chain blacklist {
		type filter hook input priority filter - 10; policy accept;
		ip saddr @attackers drop
	}
}
table ip6 sshguard {
	set attackers {
		type ipv6_addr
		flags interval
	}

	chain blacklist {
		type filter hook input priority filter - 10; policy accept;
		ip6 saddr @attackers drop
	}
}
table ip6 wg-quick-vpn {
	chain preraw {
		type filter hook prerouting priority raw; policy accept;
		iifname != "vpn" ip6 daddr fd7d:76ee:e68f:a993:6c33:1401:f02c:98a8 fib saddr type != local drop
	}

	chain premangle {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto udp meta mark set ct mark
	}

	chain postmangle {
		type filter hook postrouting priority mangle; policy accept;
		meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
	}
}
table ip wg-quick-vpn {
	chain preraw {
		type filter hook prerouting priority raw; policy accept;
		iifname != "vpn" ip daddr 10.162.132.125 fib saddr type != local drop
	}

	chain premangle {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto udp meta mark set ct mark
	}

	chain postmangle {
		type filter hook postrouting priority mangle; policy accept;
		meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
	}
}
and my logs show:
This email is sent by logcheck. If you no longer wish to receive
such mail, you can either uninstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).

System Events
=-=-=-=-=-=-=
May 25 11:02:05 DebianTim kernel: [132564.492504] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:07 DebianTim kernel: [132566.797348] FW REJECT (input): IN=enp1s0 OUT= MAC=01:00:5e:00:00:01:48:4e:fc:f0:69:b8:08:00 SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 OPT (94040000) PROTO=2
May 25 11:02:07 DebianTim kernel: [132566.798241] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 OPT ( ) PROTO=ICMPv6 TYPE=130 CODE=0
May 25 11:02:11 DebianTim kernel: [132570.497027] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:14 DebianTim kernel: [132573.498498] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:17 DebianTim kernel: [132576.501781] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:17 DebianTim systemd[1]: fwupd.service: Deactivated successfully.
May 25 11:02:17 DebianTim systemd[1]: fwupd.service: Consumed 2.065s CPU time.
May 25 11:02:20 DebianTim kernel: [132579.504361] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:23 DebianTim kernel: [132582.507520] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:26 DebianTim kernel: [132585.511180] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:29 DebianTim kernel: [132588.513645] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:32 DebianTim kernel: [132591.516087] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:35 DebianTim kernel: [132594.519632] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:38 DebianTim kernel: [132597.523233] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:41 DebianTim kernel: [132600.524967] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:44 DebianTim kernel: [132603.528706] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:47 DebianTim kernel: [132606.531952] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:49 DebianTim gnome-shell[4900]: libinput error: event4  - SEM USB Wired PC Keyboard: client bug: event processing lagging behind by 27ms, your system is too slow
May 25 11:02:49 DebianTim kernel: [132608.844746] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=130.89.148.77 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5998 DF PROTO=TCP SPT=53256 DPT=80 WINDOW=502 RES=0x00 ACK FIN URGP=0 OPT (0101080AB93001C974DDD72B)
May 25 11:02:49 DebianTim kernel: [132608.846637] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=199.232.30.132 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63322 DF PROTO=TCP SPT=56276 DPT=80 WINDOW=523 RES=0x00 ACK FIN URGP=0 OPT (0101080AB18503CF6F6E6652)
May 25 11:02:49 DebianTim kernel: [132608.847773] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=151.101.150.217 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1993 DF PROTO=TCP SPT=45328 DPT=443 WINDOW=502 RES=0x00 ACK RST URGP=0 OPT (0101080AC8832635C5490230)
May 25 11:02:49 DebianTim kernel: [132608.848342] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=199.232.30.132 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=566 DF PROTO=TCP SPT=56280 DPT=80 WINDOW=502 RES=0x00 ACK FIN URGP=0 OPT (0101080AB18503D03CE3FB5E)
May 25 11:02:49 DebianTim kernel: [132609.149156] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=199.232.30.132 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=567 DF PROTO=TCP SPT=56280 DPT=80 WINDOW=502 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080AB18504FD3CE3FB5E)
May 25 11:02:50 DebianTim kernel: [132609.536572] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:52 DebianTim kernel: [132612.189337] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=130.89.148.77 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6001 DF PROTO=TCP SPT=53256 DPT=80 WINDOW=502 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080AB9300ED974DDD72B)
May 25 11:02:53 DebianTim kernel: [132612.540557] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:53 DebianTim kernel: [132612.691405] wireguard: vpn: Sending handshake initiation to peer 1 (199.249.230.26:1637)
May 25 11:02:53 DebianTim kernel: [132612.739117] wireguard: vpn: Receiving handshake response from peer 1 (199.249.230.26:1637)
May 25 11:02:53 DebianTim kernel: [132612.739130] wireguard: vpn: Keypair 1082 destroyed for peer 1
May 25 11:02:53 DebianTim kernel: [132612.739132] wireguard: vpn: Keypair 1084 created for peer 1
May 25 11:02:53 DebianTim kernel: [132612.739138] wireguard: vpn: Sending keepalive packet to peer 1 (199.249.230.26:1637)
May 25 11:02:56 DebianTim kernel: [132615.543416] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:02:56 DebianTim kernel: [132616.093586] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=130.89.148.77 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6002 DF PROTO=TCP SPT=53256 DPT=80 WINDOW=502 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080AB9301E1974DDD72B)
May 25 11:02:58 DebianTim kernel: [132617.885694] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=199.232.30.132 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63327 DF PROTO=TCP SPT=56276 DPT=80 WINDOW=523 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080AB185271D6F6E6652)
May 25 11:02:59 DebianTim kernel: [132618.546420] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:02 DebianTim kernel: [132621.548922] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:04 DebianTim kernel: [132623.774063] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=130.89.148.77 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6003 DF PROTO=TCP SPT=53256 DPT=80 WINDOW=502 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080AB9303C1974DDD72B)
May 25 11:03:05 DebianTim kernel: [132624.552012] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:07 DebianTim kernel: [132626.846250] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=199.232.30.132 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63328 DF PROTO=TCP SPT=56276 DPT=80 WINDOW=523 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080AB1854A1D6F6E6652)
May 25 11:03:07 DebianTim kernel: [132627.102267] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=199.232.30.132 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=572 DF PROTO=TCP SPT=56280 DPT=80 WINDOW=502 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080AB1854B1D3CE3FB5E)
May 25 11:03:08 DebianTim kernel: [132627.554243] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:11 DebianTim kernel: [132630.556192] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:14 DebianTim kernel: [132633.558265] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:17 DebianTim kernel: [132636.562109] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:19 DebianTim kernel: [132638.879002] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=130.89.148.77 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6004 DF PROTO=TCP SPT=53256 DPT=80 WINDOW=502 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080AB930771974DDD72B)
May 25 11:03:20 DebianTim kernel: [132639.564335] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:23 DebianTim kernel: [132642.568354] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:26 DebianTim kernel: [132645.570629] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:26 DebianTim kernel: [132646.047445] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=199.232.30.132 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=573 DF PROTO=TCP SPT=56280 DPT=80 WINDOW=502 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080AB185951D3CE3FB5E)
May 25 11:03:26 DebianTim kernel: [132646.047458] FW INVALID STATE: IN= OUT=vpn SRC=10.162.132.125 DST=199.232.30.132 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=63329 DF PROTO=TCP SPT=56276 DPT=80 WINDOW=523 RES=0x00 ACK PSH FIN URGP=0 OPT (0101080AB185951D6F6E6652)
May 25 11:03:29 DebianTim kernel: [132648.573587] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:32 DebianTim kernel: [132651.574698] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:35 DebianTim kernel: [132654.577286] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:38 DebianTim kernel: [132657.578505] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:41 DebianTim kernel: [132660.580873] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:44 DebianTim kernel: [132663.582166] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
May 25 11:03:47 DebianTim kernel: [132666.584431] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd 
So all I have to do now is figure out how to make that rule drop the neighbor discovery packets instead of rejecting them and I'm golden. 
I'm all in favor of suggestions btw ;)
 

Daaa Baby Smurf do do do😁

13 minutes ago, tmick said:

and my logs show:


Meant the Wireguard connection logs… the kernel log buffer you pasted is of very limited use for your particular question.

From the nft rulesets, though, I'd deduce Network Lock is not enabled.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.
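
The deduction in the reply above can be made repeatable. The following is an added example, not part of the thread and not AirVPN's own check: it assumes a kill switch has to filter outbound traffic, so it looks for a chain on the output hook that drops or rejects. The function names and the two `example_*` tables are made up for illustration; the first sample is an excerpt of the ruleset posted above.

```shell
#!/bin/sh
# Heuristic: a kill switch such as Network Lock has to filter outbound traffic,
# so look for a base chain on the output hook that has policy drop or holds a
# drop/reject rule. Reads `nft list ruleset` text on stdin; exit 0 = found.
# Limitation: rules reached only via jump/goto from the output chain are not followed.
egress_filtered() {
    awk '
        $1 == "chain" || $1 == "table" { in_out = 0 }   # a new chain or table begins
        /hook output/                  { in_out = 1 }   # base chain on the output hook
        in_out {
            # "drop;" covers the chain policy, "drop"/"reject" cover rule verdicts
            for (i = 1; i <= NF; i++)
                if ($i == "drop" || $i == "drop;" || $i == "reject") found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Print a one-line verdict for the ruleset on stdin.
lock_verdict() {
    if egress_filtered; then
        echo "egress filtered"
    else
        echo "no egress filtering"
    fi
}

# Excerpt of the ruleset posted in the thread (ip6 tables omitted).
thread_ruleset() {
    cat <<'EOF'
table ip sshguard {
    set attackers {
        type ipv4_addr
        flags interval
    }
    chain blacklist {
        type filter hook input priority filter - 10; policy accept;
        ip saddr @attackers drop
    }
}
table ip wg-quick-vpn {
    chain preraw {
        type filter hook prerouting priority raw; policy accept;
        iifname != "vpn" ip daddr 10.162.132.125 fib saddr type != local drop
    }
    chain premangle {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto udp meta mark set ct mark
    }
    chain postmangle {
        type filter hook postrouting priority mangle; policy accept;
        meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
    }
}
EOF
}

# Constructed sample: default-drop egress (not AirVPN's actual rules;
# 192.0.2.10 is a documentation address).
locked_ruleset() {
    cat <<'EOF'
table inet example_lock {
    chain output {
        type filter hook output priority filter; policy drop;
        oifname "lo" accept
        oifname "vpn" accept
        ip daddr 192.0.2.10 udp dport 1637 accept
    }
}
EOF
}

# Constructed sample: policy accept, but a reject rule for unmarked non-VPN traffic.
reject_ruleset() {
    cat <<'EOF'
table ip example_reject {
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
        oifname != "vpn" meta mark != 0x0000ca6c fib daddr type != local reject
    }
}
EOF
}

thread_ruleset | lock_verdict   # no egress filtering
locked_ruleset | lock_verdict   # egress filtered
reject_ruleset | lock_verdict   # egress filtered
# On a live system (needs root): nft list ruleset | lock_verdict
```

The drop rules in the posted ruleset sit on the input and prerouting hooks only, which is why it is reported as having no egress filtering.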