Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

[Torson]

Here are some of my observations and input from a new install of wg_manager v4.11b3:
1. On a remote peer server I created a device peer:

Device  Auto  IP            DNS          Allowed IPs  Annotate
MSG     X     10.50.1.3/32  192.168.2.1  0.0.0.0/0    # MSG "Device"

From the local PC I logged in and it all works as expected. I then created a second device peer on the remote server and it all locked up upon login:

MSG     X     10.50.1.3/32  192.168.2.1  0.0.0.0/0      # MSG "Device"
SGG     X     10.50.1.3/32  1.1.1.1      0.0.0.0/0      # SGG "Device"

It looks like since I changed the original DNS on the first device peer, upon the creation of the second one the IP did not get incremented, hence the IP conflict and lockup.
It all works well after editing the second client:

MSG     X         10.50.1.3/32  192.168.2.1  0.0.0.0/0    # MSG "Device"
SGG     X         10.50.1.4/32  192.168.2.1  0.0.0.0/0    # SGG "Device"

Note that the second client has the 'Allowed IPs' field set to '0.0.0.0/0'. It works as is but I remember you mentioning a few posts up that the newly created clients should have that field set to the VPN pool.
Is the script doing that or a manual intervention is required?
Note: I just created a new device peer on the local server peer with:

create ILO

and it came in with all zeroes as allowed IPs.

2.a I use selective routing through event scripts with a number of peer clients. The 'killswitch' as a global setting interferes with peer clients that have no need to be forced through the tunnel.
2.b Considering the above point I keep it as 'disabled' for now. However, the

firewall restart

command will enable it.
Any way of keeping it 'off' until a per interface option may be available?

3. We've discussed earlier in the thread the option of saving the content of /opt/etc/wireguard.d + /jffs/addons/wireguard/Scripts. The Scripts are not saved after uninstalling wg_manager. An alternative is having a cron job running every so often to back it up - that's what I do now.

4. The 'fwmark' values are identical to the OpenVPN ones. That makes selective routing troubleshooting hard on the eye and more. I changed the database values to:

FWMark  Interface
0x1010  wg11
0x2010  wg12
0x4010  wg13
0x7010  wg14
0x3010  wg15
0x8010  wan

and that is easier to work with - no side effects so far. I'm uncertain though if that's acceptable with the addons standardization suggestions/requirements or anything else.

0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
9890:   from all fwmark 0x8010/0x8010 lookup main
9892:   from all fwmark 0x7010/0x7010 lookup 124
9894:   from all fwmark 0x2010/0x2010 lookup 122
9911:   from 192.168.1.197 lookup 121
9921:   from 192.168.1.198 lookup 122
<snip>
9990:   from all fwmark 0x8000/0x8000 lookup main
9992:   from all fwmark 0x7000/0x7000 lookup ovpnc4
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10101:  from 192.168.1.238 lookup ovpnc1
<snip>
32766:  from all lookup main
32767:  from all lookup default

and

<snip>
20    7952 1374K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set DRxxx dst MARK or 0x7000
21    7846  839K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Pxxxx_rev dst MARK or 0x2000
22    8869 1152K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set cxxx dst MARK or 0x8010
23    3129  656K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Dxxx dst MARK or 0x7010
24    4076  805K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Sxxxx dst MARK or 0x2010
<snip>

 

[Joe Mifflin]

so after countless hours managed to get this far.....any assistance is appreciated

:Option ==> start wg11

Requesting WireGuard VPN Peer start (wg11)

wireguard-clientwg11: Initialising Wireguard VPN 'client' Peer (wg11) to 192.252.213.70:1443 (# Asus RT-AC86U (client)) DNS==1.1.1.1
ip6tables v1.4.15: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.


wireguard-clientwg11: ***ERROR Failed to create -t nat WGDNS1.

 

[Torson]

so after countless hours managed to get this far.....any assistance is appreciated

:Option ==> start wg11

Requesting WireGuard VPN Peer start (wg11)

wireguard-clientwg11: Initialising Wireguard VPN 'client' Peer (wg11) to 192.252.213.70:1443 (# Asus RT-AC86U (client)) DNS==1.1.1.1
ip6tables v1.4.15: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.


wireguard-clientwg11: ***ERROR Failed to create -t nat WGDNS1.

The DNS line has 2 '=' signs.
Post the edited version of the .conf file you're trying to import.

 

[Joe Mifflin]

so i fixed that...still no go.....uninstalled and rebooted.....didn't use save option...to start from scratch...still no go
i created wg11.conf in wireguard.d.......imported it....ran.... peer wg11 rule add

I do appreciate this is an advanced thread......maybe I'm just doing it all wrong

copy/paste of wg11.conf

# TorGuard WireGuard Config Toronto
[Interface]
PrivateKey = ---------------=
ListenPort = 51820
#DNS = 1.1.1.1
#Address = 10.13.38.113/24

[Peer]
PublicKey = --------------=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.252.213.58:1443
PersistentKeepalive = 25

 

[Torson]

That's better
The file format is alright - just remove the 'ListenPort' line.
Run:

peer wg11 del

and follow the prompts to remove the client peer.
Then make a clean 'wg11.conf' with IP6 and ListenPort lines removed.
Do

import wg11

.
You should then see on the interface

WireGuard ACTIVE Peer Status: Clients 1, Servers 1

. Start the client peer

4 wg11

.
If you want the client peer to autoatart do

peer wg11 auto=y (or p)

. Youl'll need to add a rule before you can set autostart in policy mode. After adding a rule restart the client peer:

6 wg11

.
Check at 'dnsleaktest.com' your IP and DNS(s).
If you run into issues, check the system log and post.

 

[Joe Mifflin]

what is the ip6 line to remove fron conf file?

all went well until I added the rule.....message saying

wireguard-clientwg11: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to 192.252.213.58:1443 (# TorGuard WireGuard Config Toronto) DNS=1.1.1.1
ip6tables v1.4.15: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

i have no idea what you mean regarding how to remove ip6......i did go into admin settings on router and disabled it.....deleted wg11 and went through process again....same thing.....Is the i line i can add to config file that disables it?

 

[Martineau]

what is the ip6 line to remove fron conf file?

i have no idea what you mean regarding how to remove ip6......i did go into admin settings on router and disabled it.....

Currently, IPv6 isn't really supported by wg_manager,but although I have no way of testing IPv6, I paid lip-service to the possibility of nominal IPv6 support for the 'server' Peers, and I did subsequently (recklessly/foolishly?) mass replicate the IPv4 'client' Peer code in the Beta.

Now I'm sure IPv6 gurus will bleat "you don't need NAT with IPv6" (clearly there are exceptions), but ip6tables-mod-nat etc. isn't available on ASUS routers (hence the error message) so wg_manager Selective DNS redirection will need to be implemented differently (i.e. perhaps block IPv6 DNS lookups and use IPv4 fallback results?)

However, if IPv6 is truly DISABLED in the GUI

.. check NVRAM variable

nvram get ipv6_service

then wg_manager will successfully configure IPv4 'client' Peers.

However, if it is inappropriate to completely disable IPv6, then in the interim (until I update wg_client) you can edit

'/jffs/addons/wireguard/wg_client'

Change line

[ "$(nvram get ipv6_service)" != "disabled" ] && { USE_IPV6="Y"; IPV6_TXT="(IPv6) "; }

to

USE_IPV6="N"; IPV6_TXT=

 

[heysoundude]

I have no way of testing IPv6

Are you sure your mobile phone doesn't connect to your provider's network using IPv6? if it does, (I'd wager it probably does, especially if it's a smart phone), maybe you could tether your phone to your router for testing purposes? Dual-WAN Failover, yank the ethernet WAN cable...
testing how the script reacts to that is probably a bit ahead of the game for the time being though...

 

[amd94]

Hi,

can we help me?

I now installed Wireguard to Asus RT-AX86U... but speed is slow...

when i run speedtest - my CPU in AX86U - is 100 %... and result of testspeed - download is max 2-3 Mbps....


maybe I missed something when setting up?

 

[Joe Mifflin]

so i tried both options for disabling ip6......no errors setting up client.....internet worked.....but wasn't going through tunnel...tried wg11 and wg12.....with different torguard servers.....checked with several utilities....and speed test went to bell aliant (isp provider) and speeds consistent with running no vpn

 

[Torson]

Hi,

can we help me?

I now installed Wireguard to Asus RT-AX86U... but speed is slow...

when i run speedtest - my CPU in AX86U - is 100 %... and result of testspeed - download is max 2-3 Mbps....


maybe I missed something when setting up?

On the AX86U for some unexplained (yet) reason, one have to disable the Flow Cache:

fc disable

.
After that the speed is quite spectacular.

 

[Torson]

so i tried both options for disabling ip6......no errors setting up client.....internet worked.....but wasn't going through tunnel...tried wg11 and wg12.....with different torguard servers.....checked with several utilities....and speed test went to bell aliant (isp provider) and speeds consistent with running no vpn

Did you start the client? Does it look similar to this?

E:Option ==> 8

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
<snip>
Client  Auto  IP                Endpoint          DNS                  MTU  Annotate
wg11    P     10.xx.xx.xx/24    xx.xx.xx.xx:1443  192.168.1.1               # SomePlace
<snip>

Should show Y or P under Auto to autostart or you start it with

4 wg11

 

[amd94]

On the AX86U for some unexplained (yet) reason, one have to disable the Flow Cache:

It's working. Thank you very much.

now i have full speed on Wireguard.

 

[Martineau]

so i tried both options for disabling ip6......no errors setting up client.....internet worked.....but wasn't going through tunnel...tried wg11 and wg12.....with different torguard servers.....checked with several utilities....and speed test went to bell aliant (isp provider) and speeds consistent with running no vpn

Use the diagnostics command

e  = Exit Script [?]

E:Option ==> diag

and obfuscate personal info before posting the output

 

[Joe Mifflin]

E:Option ==> diag

WireGuard VPN Peer Status
interface: wg21
public key: R6bkxJYP/M6U96iUP91Woch/ijFM/oavTJSJKh1fGnk=
private key: (hidden)
listening port: 51820

interface: wg12
listening port: 51820

peer: --------------------------=
endpoint: 23.226.128.194:1443
allowed ips: 0.0.0.0/0
persistent keepalive: every 25 seconds

DEBUG: Routing info MTU etc.

53: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.50.1.1/24 scope global wg21
valid_lft forever preferred_lft forever
54: wg12: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000
link/none
inet 10.13.122.77/24 scope global wg12
valid_lft forever preferred_lft forever

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.50.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wg21

DEBUG: RPDB rules

0: from all lookup local
9810: from all fwmark 0xd2 lookup 210
32766: from all lookup main
32767: from all lookup default

DEBUG: Routing Table 122 (wg12) # TorGuard ('client') New Jersey

192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1

DEBUG: Routing Table main

10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

DEBUG: UDP sockets.

udp 0 0 0.0.0.0:51820 0.0.0.0:* -
udp 0 0 :::51820 :::* -

DEBUG: Firewall rules


DEBUG: -t filter

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * wg21 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
2 0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
2 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 /* WireGuard 'server' */

Chain OUTPUT (policy ACCEPT 40227 packets, 5163K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * wg21 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */

DEBUG: -t nat

Chain PREROUTING (policy ACCEPT 977 packets, 133K bytes)
num pkts bytes target prot opt in out source destination
1 326 24524 WGDNS2 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* WireGuard 'client2 DNS' */
2 0 0 WGDNS2 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* WireGuard 'client2 DNS' */
3 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 /* WireGuard 'server' */

Chain POSTROUTING (policy ACCEPT 218 packets, 18658 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE all -- * wg12 192.168.50.0/24 0.0.0.0/0 /* WireGuard 'client' */

Chain WGDNS2 (2 references)
num pkts bytes target prot opt in out source destination
1 326 24524 DNAT all -- * * 192.168.50.0/24 0.0.0.0/0 /* WireGuard 'client2 DNS' */ to:1.1.1.1

DEBUG: -t mangle

Chain FORWARD (policy ACCEPT 1999 packets, 310K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- * wg12 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'client' */ MARK xset 0x1/0x7
2 0 0 TCPMSS tcp -- wg12 * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
3 0 0 TCPMSS tcp -- * wg12 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
4 0 0 MARK all -- * wg21 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */ MARK xset 0x1/0x7
5 0 0 TCPMSS tcp -- wg21 * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
6 0 0 TCPMSS tcp -- * wg21 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU

Chain PREROUTING (policy ACCEPT 28275 packets, 4579K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- wg12 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'client' */ MARK xset 0x1/0x7
2 0 0 MARK all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */ MARK xset 0x1/0x7


Use command 'diag sql [ table_name ]' to see the SQL data (might be many lines!)

Valid SQL Database tables: clients devices fwmark ipset policy servers session traffic

e.g. diag sql traffic will show the traffic stats SQL table


WireGuard ACTIVE Peer Status: Clients 1, Servers 1



1 = Update Wireguard modules 7 = Display QR code for a Peer {device} e.g. iPhone
2 = Remove WireGuard/wg_manager 8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3 = List ACTIVE Peers Summary [Peer...] [full] 10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers

? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e = Exit Script [?]

 

[Martineau]

E:Option ==> diag

         WireGuard VPN Peer Status
interface: wg21
  public key: R6bkxJYP/M6U96iUP91Woch/ijFM/oavTJSJKh1fGnk=
  private key: (hidden)
  listening port: 51820

interface: wg12
  listening port: 51820

peer: --------------------------=
  endpoint: 23.226.128.194:1443
  allowed ips: 0.0.0.0/0
  persistent keepalive: every 25 seconds

    DEBUG: Routing info MTU etc.

53: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.50.1.1/24 scope global wg21
       valid_lft forever preferred_lft forever
54: wg12: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000
    link/none
    inet 10.13.122.77/24 scope global wg12
       valid_lft forever preferred_lft forever

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.50.1.0       0.0.0.0         255.255.255.0   U         0 0          0 wg21

    DEBUG: RPDB rules

0:    from all lookup local
9810:    from all fwmark 0xd2 lookup 210
32766:    from all lookup main
32767:    from all lookup default

    DEBUG: Routing Table 122 (wg12) # TorGuard ('client') New Jersey

192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1

    DEBUG: Routing Table main

10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

    DEBUG: UDP sockets.

udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 :::51820                :::*                                -

    DEBUG: Firewall rules


    DEBUG: -t filter

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain OUTPUT (policy ACCEPT 40227 packets, 5163K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

    DEBUG: -t nat

Chain PREROUTING (policy ACCEPT 977 packets, 133K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1      326 24524 WGDNS2     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* WireGuard 'client2 DNS' */
2        0     0 WGDNS2     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* WireGuard 'client2 DNS' */
3        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain POSTROUTING (policy ACCEPT 218 packets, 18658 bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 MASQUERADE  all  --  *      wg12    192.168.50.0/24      0.0.0.0/0            /* WireGuard 'client' */

Chain WGDNS2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination       
1      326 24524 DNAT       all  --  *      *       192.168.50.0/24      0.0.0.0/0            /* WireGuard 'client2 DNS' */ to:1.1.1.1

    DEBUG: -t mangle

Chain FORWARD (policy ACCEPT 1999 packets, 310K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 MARK       all  --  *      wg12    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 TCPMSS     tcp  --  wg12   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
3        0     0 TCPMSS     tcp  --  *      wg12    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
4        0     0 MARK       all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7
5        0     0 TCPMSS     tcp  --  wg21   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
6        0     0 TCPMSS     tcp  --  *      wg21    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU

Chain PREROUTING (policy ACCEPT 28275 packets, 4579K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 MARK       all  --  wg12   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 MARK       all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7


Use command 'diag sql [ table_name ]' to see the SQL data (might be many lines!)

       Valid SQL Database tables: clients  devices  fwmark   ipset    policy   servers  session  traffic

             e.g. diag sql traffic will show the traffic stats SQL table


     WireGuard ACTIVE Peer Status: Clients 1, Servers 1



1  = Update Wireguard modules                        7  = Display QR code for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                    8  = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
                                    9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers Summary [Peer...] [full]                10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients                                   
5  = Stop    [ [Peer... ] | category ] e.g. stop clients                                  
6  = Restart [ [Peer... ] | category ] e.g. restart servers                                  

?  = About Configuration                  
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')      

e  = Exit Script [?]

Whilst there doesn't appear to be any handshake/data transfer statistics shown (did you deliberately redact them?), normally I would expect to see the two default routes added to routing table 254 (aka main) - assuming the 'client' Peer is not defined as a Selective Routing Policy 'client' Peer

i.e.

    DEBUG: Routing Table main

0.0.0.0/1 dev wg12 scope link
10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1
128.0.0.0/1 dev wg12 scope link

Can you confirm the 'client' Peer config

e  = Exit Script [?]

E:Option ==> list

e  = Exit Script [?]

E:Option ==> peer

 

[Joe Mifflin]

so .....I've been messing with this for a week......was thinking I'd format a usb and start from scratch. Unplugged router last night and fired it up this am....uninstalled unbound...thinking my setting there could be playing havoc.....went into wgm....removed wg11.... then re-created it.....when I checked it with menu 3 list...it was there and showed a handshake...which it never did anytime before. So it's running.....Ookla speed test hit 270....alot better than 90-130 I get from open vpn. I have 1 gb service but I'm ~about 1900 km from nearest vpn server. I tried setting up 2nd client (wg12) but couldn't get the handshake. Not a priority at moment...as I'm connected to the fastest server for me anyway.

Thanks for assistance!

 

[Martineau]

removed wg11.... then re-created it.....when I checked it with menu 3 list...it was there and showed a handshake...which it never did anytime before. So it's running.....Ookla speed test hit 270....alot better than 90-130 I get from open vpn.

100% increase in throughput - justification indeed to persist with the WireGuard implementation!

I tried setting up 2nd client (wg12) but couldn't get the handshake.

wg_manager supports multiple 'client' Peers, and if they are not defined as Policy 'client' Peers, then the ACTIVE default (usually the last 'client' Peer started) will be indicated by the '-----'
e.g.

e  = Exit Script [?]

E:Option ==> list

    interface: wg21     Port:51820  10.50.1.1/24            VPN Tunnel Network  # RT-AC86U Server #1
        peer: IWqxR4Y0iZNoO95IizWVgj55xtAMS77ea/yVgG56ewk=  10.50.1.2/32        # SGS8 "My phone"
        peer: bDANWB5Ws2gqgZBae+k2+KrbXBEqdVsVz0ADc3LsnWU=  10.50.1.3/32        # Pixel5 "Device"
        peer: dlsROPCXnU1q5DQgLedt7+EQATg9XX5Vc0JJAUXDqm0=  10.50.1.4/32        # Pixel8 "Testing" 

    interface: wg11     86.106.143.93:51820                 10.67.146.14/32     # Mullvad USA, New York
        peer: ru9aQRxYBkK5pWvNkdFlCR8VMPSqcEENBPGkIGENOXU=
         latest handshake: 1 minute, 35 seconds ago
         transfer: 44.24 MiB received, 5.17 MiB sent        0 Days, 01:14:29 from 2021-05-14 07:21:39 >>>>>>

    interface: wg12     209.58.188.180:51820                10.67.146.14/32     # Mullvad China, Hong Kong
        peer: oS2vR1rHoFtpevzl2KLUjqDH/AiLwnh9GH/MiB5FVgM=
         latest handshake: 1 minute, 22 seconds ago
         transfer: 1.42 MiB received, 384.42 KiB sent       0 Days, 00:05:25 from 2021-05-14 08:30:44 >>>>>>

    interface: wg14     193.32.126.66:51820                 10.67.146.14/32     # Mullvad France, Paris
        peer: ov323GydOEHLT0sNRUUPYiE3fkvFDjpmi1a/f/v49hE=
         latest handshake: 56 seconds ago
         transfer: 2.75 KiB received, 2.54 KiB sent         0 Days, 00:00:58 from 2021-05-14 08:36:01 >>>>>>

    interface: wg13     103.231.88.18:51820                 10.67.146.14/32     # Mullvad Oz, Melbourne
    ---------------
        peer: D2lt/d7TopYNq9PejAeGwlaJ2bEFfq/SYywdY9N5xCY=
         latest handshake: 8 seconds ago
         transfer: 2.59 KiB received, 180 B sent            0 Days, 00:00:09 from 2021-05-14 08:41:52 >>>>>>

     WireGuard ACTIVE Peer Status: Clients 4, Servers 1

I use Mullvad, so the four 'client' wg1X.conf files differ only by the 'Endpoint' target destination directive.

Not sure why you seemingly can't have a second 'client' Peer running/handshaking.

 

[amd94]

Hi,

I Fresh install WG Manager.

Client Mode:
import wg11.conf and connected. I configured IP Set to selective routing:

No RPDB Selective Routing rules for wg11


IPSet Enable Peer FWMark DST/SRC
NETFLIX Y wg11 0x1000 dst
NETFLIX_DNS Y wg11 0x1000 dst

WireGuard ACTIVE Peer Status: Clients 1, Servers 1

i Also have Server:

when i connect to Server - nothing working.. internet and my LAN devices.. such as QNAP and other.

How i can acces to my LAN devices when i connected to my wireguard Server ? i need only woeking LAN Devices not internet from my Wireguard Server.

maybe i need to configure: No RPDB Selective Routing rules for wg11 (but i don't know how and what i need to right there)

Anyone can please help me?

Thanks.

 

[Joe Mifflin]

as a followup...
couldn't get 2nd client to handshake.....knowing enough about networking to be dangerous.....i did realise that unbound and wgm use dns masque...so i uninstalled unbound and reinstalled wgm.....and got client wg11 working.....thinking i had something messed up. So when i got it working... I had to have unbound back and reinstalled it.....new issue....adblock didn't work.....but everything else did....
re-read this whole thread this am.....noticed Torson uses Toguard vpn and his list of clients showed dns as router ip.....so i deleted wg11.....recreated it with dns set to router ip 192.168.50.1.....fired right up and adblock worked.....then I added wg12........

3

interface: wg11 192.252.213.222:1443 10.13.106.77/24 # TorGuard WireGuard Config Toronto
peer: AtCdXrwYHnnMwZvRMpk15xUpZ24tkYYLeVLR2yeGURQ=
latest handshake: 1 minute, 39 seconds ago
transfer: 3.50 MiB received, 892.25 KiB sent 0 Days, 00:38:12 from 2021-05-15 08:26:31 >>>>>>

interface: wg21 Port:51820 10.50.1.1/24 VPN Tunnel Network # RT-AC86U Server #1

interface: wg12 23.226.134.18:1443 10.13.101.201/24 # TorGuard WireGuard Config New Jersey
peer: CBhix6k1wkxpv/sRj0lLqlpphqhiUp8gcxlgyIV5eCc=
latest handshake: 1 minute, 10 seconds ago
transfer: 2.92 MiB received, 567.37 KiB sent 0 Days, 00:35:33 from 2021-05-15 08:29:10 >>>>>>

I can switch between clients....whats my ip shows what it should....speeds are good.

I'll also add that after I got vpn service I researched routers that could process vpn and it took me to this site....so I looked around for a few days and arrived at the conclusion.....that I'll need support during the learning curve....and as long as I didn't expect spoon feeding.....asus was the way to go because of this site and it's members.

Thanks for assistance and everyone sharing their expertise.