
Wireguard Session Manager - Discussion (2nd) thread

Well, at least not on my system: AC86U running stable 386.3.

Other scripts I'm running, like YazFi, apply their own rules, but none should remove rules (?). If I hit ? in wgm after boot it says WAN killswitch is disabled, but if I execute wg_firewall and check, it says it's enabled.
But I guess the ? only checks whether the rules are present in iptables. This still means that the rule is not out-prioritized by something else, it is just not there.
nat-start is executed during normal boot, so wg_firewall should place the rule there to begin with, as it does apparently start wgm properly.

Hopefully you could replicate this on your system and have this bug squashed. If not, I will produce whatever logs/info you need to track this down.

//Zeb

Edit: I get the same logs as you, but before it said killswitch was enabled, which would mean the rule was put into place but somehow removed later in the boot process?
 
I set wg_firewall to execute in debug mode... then REBOOTed my RT-AC86U

Code:
Oct 15 10:19:19 RT-AC86U-6160 wireguard-clientwg12: Initialising Wireguard VPN client Peer (wg12) in Policy Mode to 209.58.188.180:51820 (# Mullvad)
Oct 15 10:19:19 RT-AC86U-6160 avahi-daemon[3459]: Server startup complete. Host name is RT-AC86U-6160.local. Local service cookie is 2306220288.
Oct 15 10:19:19 RT-AC86U-6160 avahi-daemon[3459]: Alias name "RT-AC86U" successfully established.
Oct 15 10:19:19 RT-AC86U-6160 wireguard-clientwg12: Executing Event:wg12-route-up.sh
Oct 15 10:19:19 RT-AC86U-6160 wireguard-clientwg12: Warning: No Selective Routing rules found
Oct 15 10:19:19 RT-AC86U-6160 wireguard-clientwg12: ***ERROR IPSet 'Netflix' does NOT EXIST! for routing through VPN 'client' Peer wg12
Oct 15 10:19:19 RT-AC86U-6160 wireguard-clientwg12: Initialisation complete.
Oct 15 10:19:19 RT-AC86U-6160 (wg_manager.sh): 3101 v4.11bC Initialising Wireguard VPN 'server' Peer (wg21)
Oct 15 10:19:19 RT-AC86U-6160 wireguard-server1: Initialising Wireguard VPN 'Server' Peer (\e[95mwg21\e[92m) on 192.168.0.1:51820
Oct 15 10:19:20 RT-AC86U-6160 wireguard-server1: Initialisation complete.
Oct 15 10:19:23 RT-AC86U-6160 wg_firewall[4858_***DEBUG]: + basename /jffs/addons/wireguard/wg_firewall


Oct 15 10:19:23 RT-AC86U-6160 wg_firewall[4858_***DEBUG]: + logger -st (wg_firewall) 4858 Checking if WireGuard VPN Peer KILL-Switch is required.....
Oct 15 10:19:23 RT-AC86U-6160 wg_firewall[4858_***DEBUG]: (wg_firewall): 4858 Checking if WireGuard VPN Peer KILL-Switch is required.....
Oct 15 10:19:23 RT-AC86U-6160 (wg_firewall): 4858 Checking if WireGuard VPN Peer KILL-Switch is required.....
Oct 15 10:19:23 RT-AC86U-6160 wg_firewall[4858_***DEBUG]: + grep -E ^KILLSWITCH /jffs/addons/wireguard/WireguardVPN.conf
Oct 15 10:19:23 RT-AC86U-6160 wg_firewall[4858_***DEBUG]: + [ -n KILLSWITCH ]
Oct 15 10:19:23 RT-AC86U-6160 wg_firewall[4858_***DEBUG]: + nvram get wan0_ifname
Oct 15 10:19:23 RT-AC86U-6160 wg_firewall[4858_***DEBUG]: + iptables -D FORWARD -i br0 -o eth0 -j REJECT -m comment --comment WireGuard KILL-Switch
Oct 15 10:19:23 RT-AC86U-6160 wg_firewall[4858_***DEBUG]: + nvram get wan0_ifname
Oct 15 10:19:23 RT-AC86U-6160 wg_firewall[4858_***DEBUG]: + iptables -I FORWARD -i br0 -o eth0 -j REJECT -m comment --comment WireGuard KILL-Switch
Oct 15 10:19:23 RT-AC86U-6160 wg_firewall[4858_***DEBUG]: + basename /jffs/addons/wireguard/wg_firewall
Oct 15 10:19:23 RT-AC86U-6160 wg_firewall[4858_***DEBUG]: + logger -st (wg_firewall) 4858 WireGuard VPN Peer KILL-Switch ENABLED
Oct 15 10:19:23 RT-AC86U-6160 wg_firewall[4858_***DEBUG]: (wg_firewall): 4858 WireGuard VPN Peer KILL-Switch ENABLED
Oct 15 10:19:23 RT-AC86U-6160 (wg_firewall): 4858 WireGuard VPN Peer KILL-Switch ENABLED
then checking the rule manually (without invoking wireguard_manager) to see if it exists
Code:
iptables --line -t filter -nvL FORWARD

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
3      329 22877 REJECT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            /* WireGuard KILL-Switch */ reject-with icmp-port-unreachable
4        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            224.0.0.0/4        
5       20  2294 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
6        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0          
7        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0          
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
9       12   840 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
10      12   840 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
11       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
12       0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
13       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
and upon requesting wireguard_manager the menu clearly shows the killswitch feature indicator


so perhaps there is something in your environment that flushes the rule?
 
Didn't really manage to get the script in debug mode, thought that sh -x would do the trick, but all I got was:
Code:
Oct 15 11:55:14 RT-AC86U-D7D8 (wg_firewall): 3504 Checking if WireGuard VPN Peer KILL-Switch is required.....
Oct 15 11:55:14 RT-AC86U-D7D8 (wg_firewall): 3504 WireGuard VPN Peer KILL-Switch ENABLED
Oct 15 11:55:19 RT-AC86U-D7D8 (wg_manager.sh): 4796 v4.11bA Requesting WireGuard VPN Peer start (wg11 wg12 )
Oct 15 11:55:19 RT-AC86U-D7D8 (wg_manager.sh): 4796 v4.11bA Initialising Wireguard VPN 'client' Peer (wg11)
Oct 15 11:55:20 RT-AC86U-D7D8 wireguard-clientwg11: Initialising Wireguard VPN client Peer (wg11) in Policy Mode to -Removed- (# Integrity Swe)
Oct 15 11:55:20 RT-AC86U-D7D8 wireguard-clientwg11: Executing Event:wg11-route-up.sh
Oct 15 11:55:23 RT-AC86U-D7D8 wireguard-client1: Adding Wireguard 'client' Peer route 0.0.0.0/0to 192.168.1.1/16 through WAN
Oct 15 11:55:23 RT-AC86U-D7D8 wireguard-client1: Adding Wireguard 'client' Peer route 192.168.1.1/24 through VPN 'client' Peer wg11
Oct 15 11:55:23 RT-AC86U-D7D8 wireguard-clientwg11: Adding IPSet 'NETFLIX-DNS' route through VPN 'client' Peer wg11
Oct 15 11:55:23 RT-AC86U-D7D8 wireguard-clientwg11: Adding IPSet 'MYIP' route through VPN 'client' Peer wg11
Oct 15 11:55:23 RT-AC86U-D7D8 wireguard-clientwg11: Executing Event:wg11-up.sh
Oct 15 11:55:23 RT-AC86U-D7D8 wireguard-clientwg11: Initialisation complete.
Oct 15 11:55:23 RT-AC86U-D7D8 (wg_manager.sh): 4796 v4.11bA Initialising Wireguard VPN 'client' Peer (wg12)
Oct 15 11:55:24 RT-AC86U-D7D8 wireguard-clientwg12: Initialising Wireguard VPN client Peer (wg12) in Policy Mode to -Removed- (# Integrity USA)
Oct 15 11:55:24 RT-AC86U-D7D8 wireguard-client2: Adding Wireguard 'client' Peer route 192.168.6.0/24 through VPN 'client' Peer wg12
Oct 15 11:55:24 RT-AC86U-D7D8 wireguard-clientwg12: Executing Event:wg12-up.sh
Oct 15 11:55:24 RT-AC86U-D7D8 wireguard-clientwg12: Initialisation complete.

You're right, something seems to remove this rule; at least there is no sign of it:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# iptables --line -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            224.0.0.0/4
2        0     0 YazFiDNSFILTER_DOT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853
3    11360 4421K YazFiFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4     4103 1438K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
7        0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
8      266 25736 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
9      266 25736 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
10       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
11       0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
12       0     0 DNSFILTER_DOT  tcp  --  br+    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853
13       0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0
admin@RT-AC86U-D7D8:/tmp/home/root# iptables --line -t filter -nvL YazFiFORWARD
Chain YazFiFORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     3818 2374K ACCEPT     all  --  wg12   wl1.2   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  wg12   wl0.2   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3     3834 1021K ACCEPT     all  --  wl1.2  wg12    0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  wl0.2  wg12    0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     all  --  wg11   wl1.1   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
6        0     0 ACCEPT     all  --  wg11   wl0.1   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
7        0     0 ACCEPT     all  --  wl1.1  wg11    0.0.0.0/0            0.0.0.0/0
8        0     0 ACCEPT     all  --  wl0.1  wg11    0.0.0.0/0            0.0.0.0/0
9        5   260 ACCEPT     all  --  wl1.2  *       0.0.0.0/0            0.0.0.0/0
10      20  1040 YazFiREJECT  all  --  wl1.1  !eth0   0.0.0.0/0            0.0.0.0/0
11       0     0 YazFiREJECT  all  --  !eth0  wl1.1   0.0.0.0/0            0.0.0.0/0
12     934  144K ACCEPT     all  --  wl1.1  *       0.0.0.0/0            0.0.0.0/0
13       0     0 YazFiREJECT  all  --  wl0.1  !eth0   0.0.0.0/0            0.0.0.0/0
14       0     0 YazFiREJECT  all  --  !eth0  wl0.1   0.0.0.0/0            0.0.0.0/0
15       0     0 ACCEPT     all  --  wl0.1  *       0.0.0.0/0            0.0.0.0/0

wgm shows the kill switch as disabled:
Code:
E:Option ==> ?

        v4.11bA WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
        MD5=d0cb0aeacdd7fa1a42e66ebaa0206801 /jffs/addons/wireguard/wg_manager.sh

        [✔] arch=aarch64

        wireguard: WireGuard 1.0.20210606 loaded. See www.wireguard.com for information.
        wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

        [✔] WireGuard Module is LOADED

        MD5=078460d2aa2a5a7839f7d5fd22cd2f77 wireguard-kernel_1.0.20210606-ac_aarch64-3.10.ipk
        MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

        [✔] DNSmasq is listening on ALL WireGuard interfaces 'wg*'

        [✔] nat-start is monitoring WireGuard Firewall rules

        [✖] WAN KILL-Switch is DISABLED
        [✖] UDP monitor is DISABLED

        [ℹ ] Reverse Path Filtering DISABLED

        [✔] Statistics gathering is ENABLED

        WireGuard ACTIVE Peer Status: Clients 2, Servers 0

how do I put the wg_firewall in debug mode as you did?

Note: I'm running scribe to filter out wireguard messages, but it is not the best tool for searching for conflicting scripts when all are in separate logs...

//Zeb

Edit: tried "set -x" in wg_firewall but still no logs.
 
see wg_client/wg_server scripts
 
Thanks, OK... that did it:
Code:
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + VERSION=20210604-101732
Oct 15 15:13:04 RT-AC86U-D7D8 (wg_firewall): 3510 Checking if WireGuard VPN Peer KILL-Switch is required.....
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + basename /jffs/addons/wireguard/wg_firewall
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + logger -st (wg_firewall) 3510 Checking if WireGuard VPN Peer KILL-Switch is required.....
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: (wg_firewall): 3510 Checking if WireGuard VPN Peer KILL-Switch is required.....
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + grep -E ^KILLSWITCH /jffs/addons/wireguard/WireguardVPN.conf
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + [ -n KILLSWITCH ]
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + nvram get wan0_ifname
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + iptables -D FORWARD -i br0 -o eth0 -j REJECT -m comment --comment WireGuard KILL-Switch
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + nvram get wan0_ifname
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + iptables -I FORWARD -i br0 -o eth0 -j REJECT -m comment --comment WireGuard KILL-Switch
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + basename /jffs/addons/wireguard/wg_firewall
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + logger -st (wg_firewall) 3510 WireGuard VPN Peer KILL-Switch ENABLED
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: (wg_firewall): 3510 WireGuard VPN Peer KILL-Switch ENABLED
Oct 15 15:13:04 RT-AC86U-D7D8 (wg_firewall): 3510 WireGuard VPN Peer KILL-Switch ENABLED
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + wg show interfaces
Oct 15 15:13:04 RT-AC86U-D7D8 wg_firewall[3510_***DEBUG]: + [ -n  ]
Oct 15 15:13:09 RT-AC86U-D7D8 (wg_manager.sh): 4760 v4.11bA Requesting WireGuard VPN Peer start (wg11 wg12 )
Oct 15 15:13:09 RT-AC86U-D7D8 (wg_manager.sh): 4760 v4.11bA Initialising Wireguard VPN 'client' Peer (wg11)
Oct 15 15:13:09 RT-AC86U-D7D8 wireguard-clientwg11: Initialising Wireguard VPN client Peer (wg11) in Policy Mode to -Removed- (# Integrity Swe)
Oct 15 15:13:10 RT-AC86U-D7D8 wireguard-clientwg11: Executing Event:wg11-route-up.sh
Oct 15 15:13:13 RT-AC86U-D7D8 wireguard-client1: Adding Wireguard 'client' Peer route 0.0.0.0/0to 192.168.1.1/16 through WAN
Oct 15 15:13:13 RT-AC86U-D7D8 wireguard-client1: Adding Wireguard 'client' Peer route 192.168.1.1/24 through VPN 'client' Peer wg11
Oct 15 15:13:13 RT-AC86U-D7D8 wireguard-clientwg11: Adding IPSet 'NETFLIX-DNS' route through VPN 'client' Peer wg11
Oct 15 15:13:13 RT-AC86U-D7D8 wireguard-clientwg11: Adding IPSet 'MYIP' route through VPN 'client' Peer wg11
Oct 15 15:13:13 RT-AC86U-D7D8 wireguard-clientwg11: Executing Event:wg11-up.sh
Oct 15 15:13:13 RT-AC86U-D7D8 wireguard-clientwg11: Initialisation complete.
Oct 15 15:13:13 RT-AC86U-D7D8 (wg_manager.sh): 4760 v4.11bA Initialising Wireguard VPN 'client' Peer (wg12)
Oct 15 15:13:13 RT-AC86U-D7D8 wireguard-clientwg12: Initialising Wireguard VPN client Peer (wg12) in Policy Mode to -Removed- (# Integrity USA)
Oct 15 15:13:14 RT-AC86U-D7D8 wireguard-client2: Adding Wireguard 'client' Peer route 192.168.6.0/24 through VPN 'client' Peer wg12
Oct 15 15:13:14 RT-AC86U-D7D8 wireguard-clientwg12: Executing Event:wg12-up.sh
Oct 15 15:13:14 RT-AC86U-D7D8 wireguard-clientwg12: Initialisation complete.

Yep... the rule is applied, still:

Code:
admin@RT-AC86U-D7D8:/tmp/home/root# iptables --line -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            224.0.0.0/4
2        0     0 YazFiDNSFILTER_DOT  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853
3    16785   11M YazFiFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4    16948   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
7        0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
8      306 79095 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
9      306 79095 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
10       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
11       0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
12       0     0 DNSFILTER_DOT  tcp  --  br+    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853
13       0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Well, I'm stumped... the only script I can think of that is messing with the firewall is the YazFi script. Anyone else running YazFi that could confirm or deny this?

Looks like YazFi is restarting the firewall when it starts up at the very end (roughly 1 minute after the killswitch is put in), but this is not triggering a new nat-start. Could that be the issue?
Code:
Oct 15 15:14:07 RT-AC86U-D7D8 YazFi: Firewall restarted - sleeping 30s before running YazFi
Oct 15 15:14:37 RT-AC86U-D7D8 YazFi: YazFi v4.3.4 starting up
Oct 15 15:14:39 RT-AC86U-D7D8 avahi-daemon[7172]: Joining mDNS multicast group on interface wl0.1.IPv4 with address 192.168.2.1.
Oct 15 15:14:39 RT-AC86U-D7D8 avahi-daemon[7172]: New relevant interface wl0.1.IPv4 for mDNS.
Oct 15 15:14:39 RT-AC86U-D7D8 avahi-daemon[7172]: Registering new address record for 192.168.2.1 on wl0.1.IPv4.
Oct 15 15:14:40 RT-AC86U-D7D8 YazFi: wl0.1 (SSID: -Removed-) - sending all interface internet traffic over WAN interface
Oct 15 15:14:43 RT-AC86U-D7D8 avahi-daemon[7172]: Joining mDNS multicast group on interface wl1.1.IPv4 with address 192.168.5.1.
Oct 15 15:14:43 RT-AC86U-D7D8 avahi-daemon[7172]: New relevant interface wl1.1.IPv4 for mDNS.
Oct 15 15:14:43 RT-AC86U-D7D8 avahi-daemon[7172]: Registering new address record for 192.168.5.1 on wl1.1.IPv4.
Oct 15 15:14:44 RT-AC86U-D7D8 YazFi: wl1.1 (SSID: -Removed-) - sending all interface internet traffic over WAN interface

would a firewall-restart wipe all rules and apply new ones without running the nat-start script?

//Zeb

Edit: just checked the NAT and MANGLE tables, and all the rules set up by wireguard are there:
Code:
admin@RT-AC86U-D7D8:/jffs/scripts# iptables --line -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 1979 packets, 175K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2   378 MASQUERADE  all  --  *      wl1.2   192.168.6.0/24       192.168.6.0/24       /* YazFi 5GHz 2 */
2        1   328 MASQUERADE  all  --  *      wl1.1   192.168.5.0/24       192.168.5.0/24       /* YazFi 5GHz 1 */
3        0     0 MASQUERADE  all  --  *      wl0.1   192.168.2.0/24       192.168.2.0/24       /* YazFi 2.4GHz 1 */
4        0     0 MASQUERADE  all  --  *      wg12    192.168.1.0/24       0.0.0.0/0            /* WireGuard 'client' */
5      815 56811 MASQUERADE  all  --  *      wg12    192.168.6.0/24       0.0.0.0/0
6     6762  818K MASQUERADE  all  --  *      wg11    192.168.1.0/24       0.0.0.0/0            /* WireGuard 'client' */
7      694  117K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
8      225 80781 MASQUERADE  all  --  *      eth0   !100.126.122.18       0.0.0.0/0
9      115 21260 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24
admin@RT-AC86U-D7D8:/jffs/scripts# iptables --line -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 5793 packets, 823K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   600 YazFiDNSFILTER  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2     2169  151K YazFiDNSFILTER  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
3     2179  153K WGDNS2     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* WireGuard 'client2 DNS' */
4       17   860 WGDNS2     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* WireGuard 'client2 DNS' */
5     1508  103K WGDNS1     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* WireGuard 'client1 DNS' */
6        7   340 WGDNS1     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* WireGuard 'client1 DNS' */
7        1    32 ACCEPT     all  --  eth0   *       0.0.0.0/0            224.0.0.0/4
8      229 36609 GAME_VSERVER  all  --  *      *       0.0.0.0/0            -Removed-
9      229 36609 VSERVER    all  --  *      *       0.0.0.0/0            -Removed-
10       0     0 DNSFILTER  udp  --  br+    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
11       0     0 DNSFILTER  tcp  --  br+    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
So whatever is causing this only seems to affect the filter table... Since I'm not running any server, no rules are really needed in the filter table for br0 to reach wg11. Wonder what would have happened if I were running a server.
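A check in the spirit of the `?` menu test discussed above, extended to report whether an earlier ACCEPT would shadow the KILL-Switch rule even when it is present. This is an added example, not wg_manager or YazFi code; it parses `iptables --line -t filter -nvL FORWARD` output, using trimmed copies of the two FORWARD listings posted in this thread plus one constructed case.

```python
"""Check an `iptables --line -t filter -nvL FORWARD` listing for the WireGuard KILL-Switch
rule, and for earlier ACCEPT rules that would let new LAN->WAN traffic bypass it (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

KILL_SWITCH_COMMENT = "WireGuard KILL-Switch"

# Trimmed copy of the chain posted with the rule in place (rule 3).
LISTING_WITH_RULE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
3      329 22877 REJECT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            /* WireGuard KILL-Switch */ reject-with icmp-port-unreachable
5       20  2294 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
10      12   840 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
"""
# Trimmed copy of the chain posted after a firewall restart rebuilt it without the rule.
LISTING_WITHOUT_RULE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
3    11360 4421K YazFiFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4     4103 1438K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
9      266 25736 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
"""
# Constructed case: the rule exists, but a broad br0 ACCEPT sits above it and wins.
LISTING_SHADOWED = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      266 25736 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
2        0     0 REJECT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            /* WireGuard KILL-Switch */ reject-with icmp-port-unreachable
"""

@dataclass
class Rule:
    num: int
    target: str
    in_if: str
    out_if: str
    extra: str  # match extensions and comment printed after the destination column

# Columns: num pkts bytes target prot opt in out source destination [extra]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\S+\s+\S+\s+(?P<target>\S+)\s+\S+\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+\S+\s+\S+\s*(?P<extra>.*)$"
)

def parse_forward_chain(listing: str) -> List[Rule]:
    rules = []
    for line in listing.splitlines():  # 'Chain' and header lines do not match
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m["num"]), m["target"], m["in"], m["out"], m["extra"].strip()))
    return rules

def iface_matches(spec: str, iface: str) -> bool:  # specs: '*', '!eth0', 'br+', 'br0'
    if spec == "*":
        return True
    if spec.startswith("!"):
        return spec[1:] != iface
    if spec.endswith("+"):
        return iface.startswith(spec[:-1])
    return spec == iface

def find_kill_switch(rules: List[Rule], lan: str = "br0", wan: str = "eth0") -> Optional[Rule]:
    """The rule wg_firewall inserts: REJECT, in=LAN bridge, out=WAN, tagged with the comment."""
    for r in rules:
        if r.target == "REJECT" and r.in_if == lan and r.out_if == wan and KILL_SWITCH_COMMENT in r.extra:
            return r
    return None

def rules_shadowing(rules: List[Rule], ks: Rule, lan: str = "br0", wan: str = "eth0") -> List[Rule]:
    """ACCEPT rules above the kill switch that can match *new* LAN->WAN packets.
    Stateful ACCEPTs (RELATED,ESTABLISHED, ctstate DNAT) only pass flows already allowed and
    are ignored; jumps into user chains (e.g. YazFiFORWARD) are not followed here."""
    shadows = []
    for r in rules:
        if r.num >= ks.num:
            break
        if r.target != "ACCEPT" or "ESTABLISHED" in r.extra or "DNAT" in r.extra:
            continue
        if iface_matches(r.in_if, lan) and iface_matches(r.out_if, wan):
            shadows.append(r)
    return shadows

def check_kill_switch(listing: str) -> str:
    """Return 'ENABLED', 'MISSING', or 'SHADOWED by rule(s) n[,m...]'."""
    rules = parse_forward_chain(listing)
    ks = find_kill_switch(rules)
    if ks is None:
        return "MISSING"
    shadows = rules_shadowing(rules, ks)
    if shadows:
        return "SHADOWED by rule(s) " + ",".join(str(r.num) for r in shadows)
    return "ENABLED"

if __name__ == "__main__":
    for name, listing in {"with rule": LISTING_WITH_RULE, "after restart": LISTING_WITHOUT_RULE, "constructed": LISTING_SHADOWED}.items():
        print(f"{name:14s} KILL-Switch: {check_kill_switch(listing)}")
```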
 
v4.11 formally released

There have been significant changes in the dev version for many months since May 2021, but they are documented in the change log:

To upgrade use:
Code:
e  = Exit Script [?]

E:Option ==> uf

v4.11 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/main/wg_manager.sh)
MD5=405e9eb22ed0d69f9d0a24ab301078ab /jffs/addons/wireguard/wg_manager.sh

wireguard: WireGuard 1.0.20210606 loaded. See www.wireguard.com for information.
wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

[✔] WireGuard Module is LOADED

MD5=078460d2aa2a5a7839f7d5fd22cd2f77 wireguard-kernel_1.0.20210606-ac_aarch64-3.10.ipk
MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk
Checking for WireGuard Kernel and Userspace Tool updates...
Kernel UPDATE available
Userspace Tool UPDATE available

Press y to Update WireGuard Kernel and Userspace Tool or press [Enter] to SKIP.
y

Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20210606-k27_1_aarch64-3.10.ipk' for RT-AC86U (v386.4) @ZebMcKayhan

##################################################################################################################################################################################### 100.0%

Downloading WireGuard User space Tool 'wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk' for RT-AC86U (v386.4) @ZebMcKayhan

##################################################################################################################################################################################### 100.0%

Loading WireGuard Kernel module and Userspace Tool for RT-AC86U (v386.4)
Package wireguard-kernel (1.0.20210606-ac) installed in root is up to date.
Package wireguard-tools (1.0.20210914-1) installed in root is up to date.
wireguard: WireGuard 1.0.20210606 loaded. See www.wireguard.com for information.
wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.


Forced Update

Downloading scripts
wg_manager.sh downloaded successfully
wg_client downloaded successfully
wg_server downloaded successfully

As per the issue reported in


If you are running YazFi, then you must issue
Code:
e  = Exit Script [?]

E:Option ==> firewallstart

firewall-start updated to protect WireGuard firewall rules
but even if not, it is recommended that you do so anyway.
 
Thanks for the update! Update went smooth.
CPU load is much less at high speeds. But maybe this is subjective?
 
If you have RT-AC86U, then you will now be running @ZebMcKayhan's Kernel module, but I can't see anything in the official change log in the jump from @Odkrys's Feb source code version to the current June source code.

Jason may have tweaked something internally in the source code, but I would perhaps agree that at the moment it may be subjective etc.
 
Thank you for the main branch update! It looks good.

The menu item 11 = Import Wireguard configuration seems to be missing, but the functionality is there.
 
Ensure you have the version v4.11 with today's date 16-Oct-2021 that was posted 5 hours ago... (and includes the full change log)
Code:
grep "Last Updated" /jffs/addons/wireguard/wg_manager.sh

# Last Updated Date: 16-Oct-2021

Code:
+======================================================================+
|  Welcome to the WireGuard Manager/Installer script (Asuswrt-Merlin)  |
|                                                                      |
|                      Version v4.11 by Martineau                      |
|                                                                      |
+======================================================================+
     WireGuard ACTIVE Peer Status: Clients 1, Servers 1



1  = Update Wireguard modules                       7  = Display QR code for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                    8  = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
                                                    9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers Summary [Peer...] [full]     10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
                                                    11 = Import Wireguard configuration { [ "?" | [ "dir" directory ] | [/path/]config_file [ rename_as ] ]}

4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients                                   
5  = Stop    [ [Peer... ] | category ] e.g. stop clients                                  
6  = Restart [ [Peer... ] | category ] e.g. restart servers                                  

?  = About Configuration                  
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')      

e  = Exit Script [?]

E:Option ==> ?
 
You're right - I have the new version, but the terminal size played tricks on me. It all looks good now...
 
Ahh, do you mean that the terminal screen-wrap has made option 11 appear? :oops:

I'll check to see if that is the case and push a fix if appropriate, but it is purely cosmetic so may be delayed.
 
Yes, that's what it is. When first added to the beta, option 11 looked off too.
It may as well be my terminal - I'm using a size of 188 / 49 and UTF-8 for character set. Really nothing of essence...
 
Since unbound_manager I have used/recommended the following terminal size:
So, given that I use both scripts on a daily basis, that's probably why I haven't noticed the menu display bug.:oops:
 
Hey! After i’ve imported my wg11.conf with import wg11 and start it, internet dies. Anything im missing to do? I remember when I followed https://www.snbforums.com/threads/experimental-wireguard-for-hnd-platform-4-1-x-kernels.46164/

I had to put # before DNS and Address and copy the Address to another conf file.
wireguard_manager's import function was designed to take the 'raw' Wireguard config file supplied by your VPN ISP and convert it to a compatible wireguard_manager 'wg1x.conf' format by auto-commenting out incompatible directives.

So usually you do not import an already converted 'wg1x.conf' (the intention was that you retain the original unaltered xxxxxxxx.conf file(s) to assist troubleshooting).

Perhaps you should try generating/retrieving a new Wireguard client config from your VPN ISP and import it as a different wireguard_manager client.

e.g. Mullvad created the file 'mlvd-us53.conf' so to see if it works I can import it as 'wg15.conf'
Code:
e  = Exit Script [?]

E:Option ==> import mlvd-us53.conf name=wg15
and compare the two files if necessary to debug.

If neither the wireguard_manager command list nor wg shows any traffic stats, then you would need to provide wireguard_manager diagnostics.
 
As stated earlier in the previous thread by @Torson, it could be good to test your ISP .conf file on e.g. Android or similar to make sure it is still working.
If you have been disconnected for days/weeks there is a chance that it has expired and you need to get a new one from your wireguard supplier.

//Zeb
 
@Martineau
Whenever I issue the
Code:
E:Option ==> killswitch on

There is no real useful information more than the green ENABLED sign in the corner. Perhaps in a future release there could be some text like
"KILLSWITCH temporarily enabled. Use vx to change KILLSWITCH permanently"
To assist the user of what has happened, what to expect and what to do from here?

And of course similar when turning it off.

Just a suggestion.

//Zeb
 

Hey!

Thanks again for the answers. I generated a new Wireguard key from my provider OVPN.com, tried it on my iPhone with the iOS Wireguard app, and had no issues.

Uploaded the conf file to the router and did an import. Compared the original and the ported one, and the only difference was that in the ported conf, DNS and Address were disabled with #.

Started the imported key in WGM and Internet stops.
 
OK, then we need to start digging.

check your output of:
Code:
E:Option ==> list
as suggested by @Martineau above. (Please post it, but remove the keys and other sensitive data.)

Check the transfer data and see if there is any data there or if they are 0. If there is ANY data tx and rx, then the peer config is working and we need to look into firewall, routing, DNS and such.

If the data is in fact 0 then you can use
Code:
E:Option ==> peer wg11
and check all info there and compare it to the config file you imported to check that the import has got everything right. Check server address, ports and both private and public keys so they are accurate.

//Zeb
 
