Wireguard Session Manager - Discussion (2nd) thread

Ooh, just found that Torguard offers port-forwarding... that would kind of explain the listenport directive I guess:


//Zeb
While I don't have ListenPort in wg11.conf, I noticed there is a listening port in the wg show wg11 listen-port output.
 
My only concern is that when WG is worked out in Asus' firmware, and then @RMerlin does his thing for us, there is a nice smooth transition of setups while the flash is happening so we don't have to remember how to make it all work all over again. Maybe the only way to do that is with a setup wizard? (cart before the horse, I realize, but...)

(Or do I have it all bass-ackwards and Asus is following the lead of the folks here who are working it out? If that's the case...spectacular! Go Teamwork! Keep making the dream work!!!)

Ok, now a serious question for @ZebMcKayhan and @Martineau - if I want to use WG on my phone to connect to my router at home, I have to have a stable/static IP address for the router endpoint, right? This means DDNS for me...which I think is neat, because I can (theoretically) assign the WG server on my router its own subdomain & IP (correct?) in the IPv6 /48 that I have from tunnelbroker.net, and when my ISP rotates my WAN address, my LAN endpoint won't change...but at the same time my ISP's Native v6 is quite nice, so losing that simplicity will be tough. but it may be worthwhile, once I dig deeper...thinking now, if I can do it for WG, my unbound can have its own subdomain as well...and maybe ntpMerlin... Or am I asking for too much from my SOHO router?
I'm not sure I completely understand what you are trying to do... but as far as I understand, ipv6 and ipv4 need an interface which has both addresses, and AFAIK wireguard could tunnel one in the other, but how that works is beyond me.

How ipv6 will work without the possibility to nat is also puzzling but you will likely assign wg client from your assigned public ipv6 subnet.

Ipv6 in wgm is still not confirmed tested and working (to my knowledge) since no one with native ipv6 has been running it (?)

There is already some ipv6 support in wgm but you might need to bring it home yourself and in the process I will support with what I can.

From what I've been able to read myself, you set up the udp tunnel with either your ipv4 or ipv6 endpoint, which basically defines how the encrypted wireguard communication travels. From that point you could set up both ipv4 and ipv6 addresses even though the tunnel is only one or the other (?). Try to start by setting up an ipv4 tunnel, then manually assign ipv6 addresses on both sides and see what happens.

//Zeb

Edit: just realized that if what I just said was true, then I should be able to assign my wg ipv6 to my wg11 and add a route and some firewall stuff... then I may be able to ping some ipv6 on the internet... now I know what to do this evening :)

Edit2: well, wasn't as much fun as I thought:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ip link del dev wg12
admin@RT-AC86U-D7D8:/tmp/home/root# ip -6 link add dev wg12 type wireguard
admin@RT-AC86U-D7D8:/tmp/home/root# wg setconf wg12 /opt/etc/wireguard.d/wg12.conf
admin@RT-AC86U-D7D8:/tmp/home/root# ip address add dev wg12 <MyWgIpv4>/24
admin@RT-AC86U-D7D8:/tmp/home/root# ip -6 address add dev wg12 <MyWgIpv6>/64
RTNETLINK answers: Permission denied
Looks like I'm locked out if I don't have ipv6 globally enabled (bummer!)
 
@ZebMcKayhan
Let me see if I can find the reddit post in r/WireGuard that explained why DDNS and Tunnelbroker and a /48 are helpful...something about both wg endpoints needing a v6 assignment, and the WAN side needing to be static (thus DDNS).

maybe if you add v6 first or skip adding v4 you'll have better luck?

In general, this has been a big help for grokking public-private key stuff...and the video link to Justin's presentation was great too. I keep looking for what I might be missing or not catching...
 
> maybe if you add v6 first or skip adding v4 you'll have better luck
Nope, same response... searching around, I'm finding that ipv6 must be enabled globally.

I'm a bit scared about enabling ipv6 globally since I don't have any ipv6 connection. Think I might break something (it's cold out on the parking lot)
 
> Nope, same response... searching around, I'm finding that ipv6 must be enabled globally.
>
> I'm a bit scared about enabling ipv6 globally since I don't have any ipv6 connection. Think I might break something (it's cold out on the parking lot)
looking at the current merlin beta thread, IPv6 and DDNS are an issue, which I'm sure WG ties into (mind-boggling since this is the 3rd decade of the 21st century...but we're still waiting for the jetpacks promised in the 60s, so...)
let's make sure you don't turn into a Zeb-sicle ;-)
I've native v6, so when I get some more free time (soon!) I'll give things a whack and see what blows up in my face...or just works <shrug>
 
> looking at the current merlin beta thread, IPv6 and DDNS are an issue, which I'm sure WG ties into (mind-boggling since this is the 3rd decade of the 21st century
Just frustrating that every attempt I make at getting somewhere with this ends up with a brick wall and a sore head.
But now that ISPs start to hand out ipv6 for free and charge money for public ipv4, public demand follows; hopefully ipv6 progress will pick up the pace.


> I've native v6, so when I get some more free time (soon!) I'll give things a whack and see what blows up in my face...or just works <shrug>
I'll be here if you need a newbie for moral support.

//Zeb
 
> While I don't have ListenPort in wg11.conf, I noticed there is a listening port in the wg show wg11 listen-port output.
Without really knowing, I would say that this is the peer receive port. The .conf normally only gives the endpoint (destination) port and the kernel will assign an arbitrary receive port.
Guess the listenport directive would try to force the peer to a specific receive port and may even be used by the wg software to open this port in the firewall.

The wireguard interface does not have any client or server knowledge and is designed to function as fully bidirectional. As such, both source and destination ports need to be agreed upon.

It actually seems that, because of wg's double roaming capability and udp nat hole punching, this could actually work bidirectionally, even behind cgnats (as long as you can make the initial connection).
 
> Just frustrating that every attempt I make at getting somewhere with this ends up with a brick wall and a sore head.
> But now that ISPs start to hand out ipv6 for free and charge money for public ipv4, public demand follows; hopefully ipv6 progress will pick up the pace.



> I'll be here if you need a newbie for moral support.
>
> //Zeb
You understand this stuff WAY better than I do, believe me. I have to keep refreshing my memory on...well, everything because I forget what I did to make it work back then and since I don't use it regularly...poof.

That said: since I did the amtm installation, I peeked in on my router config, and something funky happens because of WGM - the router loses the WAN IPv6 Gateway somehow:

[attached screenshot: oops.jpg]

There used to be an address there. It's still working, but something behind the scenes is off in the weeds. (unless I've missed a step in a config of WGM, which is entirely probable)

but yes, transitioning to v6 has been one of the benefits of the past 2 yrs...and I'd even wager that more ISPs have implemented and enabled it, but haven't announced that they've done so, than most people think. (Have you tried with yours?)
 
> That said: since I did the amtm installation, I peeked in on my router config, and something funky happens because of WGM - the router loses the WAN IPv6 Gateway somehow:
You could check this nvram variable:
Code:
nvram get ipv6_gateway

And the ipv6 routing table:
Code:
ip -6 route show table main

Do you run any ipv6 clients in wgm?

> Have you tried with yours?
Yup, my service provider hands out ipv6 for free, but my infrastructure is not ready yet; they are upgrading and planning to have this in the next year (well, let's see)
 
I am presently using OpenVPN for a site-to-site setup. Pretty simple - home to cabin.
Home routes to WAN through Spectrum, Cabin routes to WAN via FiOS. Both use DDNS.
Each has a different local address range (i.e. Home=192.168.1.X; Cabin 192.168.2.X).
Any device on Cabin lan can access any device on Home lan; Any device on Home lan can access any device on Cabin lan.
Main purpose is for remote backups (rsync) and Cabin clients to access Plex server @ Home.
I'm starting to research using Wireguard. Site to Site looks pretty straightforward.

In looking over the github example for wgm I am wondering how wgm handles site to site. It looks more like a single client (peer) to server (peer).
How would it handle lan peer to lan peer?
From my reading, setting up the server peer looks straight forward. How do I setup the “clients” peer to include the entire subnet? (192.168.X.X/24)?
 
> How do I setup the “clients” peer to include the entire subnet? (192.168.X.X/24)?
WireGuard is a routing protocol, and the 'client' Peer may contain the following 'default' IPv4 and IPv6 directive.

e.g.
Code:
AllowedIPs = 0.0.0.0/0,::0/0
Basically this defines which routes are reachable via the Endpoint, in this case ANY/ALL.

For a site-to-site, the 'client' Peer could specify a list of specific subnets or a specific IP.

e.g. Two private subnets and a specific device
Code:
AllowedIps = 192.168.123.0/24, 172.16.55.0/24, 10.1.1.1/32
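The routing behaviour described in the two answers above (AllowedIPs deciding which peer a destination is sent through, and a missing ListenPort leaving the receive port to the kernel) can be worked through in code. The following is an added example, not code from this thread, from wgm or from WireGuard; it parses wg-style .conf text and applies the longest-prefix match WireGuard uses for cryptokey routing. The Home/Cabin site-to-site pair is constructed for the question asked earlier in the thread: the keys, the DDNS hostnames, the 10.50.1.0/24 tunnel subnet and the function names are all assumptions, not anything wgm ships.

```python
"""Cryptokey routing worked through on a site-to-site pair.

Added example, not code from the thread, wgm or WireGuard: it parses wg-style
.conf text and answers "which peer gets a packet for address X?" with the
longest-prefix match WireGuard applies to AllowedIPs. Both configs are
constructed; keys, endpoints and the 10.50.1.0/24 tunnel subnet are placeholders.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed Home side: it is the side dialled into, so it pins ListenPort.
HOME_CONF = """\
[Interface]
PrivateKey = <home-private-key-placeholder>
Address = 10.50.1.1/24
ListenPort = 51820

[Peer]
PublicKey = <cabin-public-key-placeholder>
Endpoint = cabin.ddns.example.invalid:51820
AllowedIPs = 192.168.2.0/24, 10.50.1.2/32
"""

# Constructed Cabin side: no ListenPort, so the kernel picks an ephemeral receive
# port (what `wg show wg11 listen-port` reports even when the .conf sets none).
# A second peer with 0.0.0.0/0, ::/0 is the catch-all route for everything else.
CABIN_CONF = """\
[Interface]
PrivateKey = <cabin-private-key-placeholder>
Address = 10.50.1.2/24

[Peer]
PublicKey = <home-public-key-placeholder>
Endpoint = home.ddns.example.invalid:51820
AllowedIps = 192.168.1.0/24, 10.50.1.1/32

[Peer]
PublicKey = <exit-public-key-placeholder>
Endpoint = exit.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""


def parse_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split a .conf into ([Interface] dict, list of [Peer] dicts). Keys are
    lower-cased because wg(8) matches them case-insensitively ('AllowedIps' ==
    'AllowedIPs')."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        else:  # split on the first '=' only: base64 keys end in '=' padding
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return interface, peers


def listen_port(interface: Dict[str, str]) -> Optional[int]:
    """Pinned UDP receive port, or None when the kernel chooses an ephemeral one."""
    value = interface.get("listenport")
    return int(value) if value else None


def allowed_networks(peer: Dict[str, str]) -> list:
    """One peer's AllowedIPs as network objects (empty if the key is unset)."""
    items = [s.strip() for s in peer.get("allowedips", "").split(",")]
    return [ipaddress.ip_network(s, strict=False) for s in items if s]


def select_peer(peers: List[Dict[str, str]], destination: str) -> Optional[Dict[str, str]]:
    """Cryptokey routing: the peer whose AllowedIPs holds the destination with
    the longest prefix wins, so a 192.168.1.0/24 entry beats another peer's 0.0.0.0/0."""
    dest = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for peer in peers:
        for net in allowed_networks(peer):
            if net.version == dest.version and dest in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best  # None: no peer may carry this destination, WireGuard drops it


def conflicting_prefixes(peers: List[Dict[str, str]]) -> List[Tuple[str, int, int]]:
    """Prefixes listed under more than one peer. WireGuard binds each prefix to
    exactly one peer, so the peer applied last silently takes the route away from
    the earlier one; worth flagging before it bites a site-to-site setup."""
    seen: dict = {}
    conflicts = []
    for idx, peer in enumerate(peers):
        for net in allowed_networks(peer):
            if net in seen:
                conflicts.append((str(net), seen[net], idx))
            else:
                seen[net] = idx
    return conflicts


if __name__ == "__main__":
    for name, conf in (("Home", HOME_CONF), ("Cabin", CABIN_CONF)):
        iface, peers = parse_conf(conf)
        print(name, "ListenPort:", listen_port(iface), "conflicts:", conflicting_prefixes(peers))
        for dst in ("192.168.1.20", "192.168.2.7", "8.8.8.8", "2001:db8::1"):
            peer = select_peer(peers, dst)
            print(f"  {dst:<13} -> {peer['endpoint'] if peer else 'no peer (dropped)'}")
```

Running it shows the asymmetry that matters for site-to-site: the Cabin side sends 8.8.8.8 to its catch-all peer, while the Home side, which lists only the Cabin LAN and tunnel address, has no peer for 8.8.8.8 and would drop it. The conflict check is what catches the classic mistake of giving two peers 0.0.0.0/0.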
 
> You could check this nvram variable:
> Code:
> nvram get ipv6_gateway
>
> And the ipv6 routing table:
> Code:
> ip -6 route show table main
>
> Do you run any ipv6 clients in wgm?
>
> Yup, my service provider hands out ipv6 for free, but my infrastructure is not ready yet; they are upgrading and planning to have this in the next year (well, let's see)
get ipv6_gateway returns nothing (do I need to assign it to br0?), but I've a v6 addy on ppp0 and a /56 assignment on br0 (I've never looked at this before, and I'm starting to question if it's configured optimally...so thanks! something is tickling my brain about my cake QoS setup...)
no v6 clients in wgm yet - if this (above) is the 1st step in making ready to use WG, what do I need to do?

I would be calling my service provider's tech support quarterly with other minor "issues" if I were you, just to put a bug in their ear about wanting it sooner than later. (it's a good thing those calls are monitored, isn't it? ;-D)
 
> get ipv6_gateway returns nothing (do I need to assign it to br0?), but I've a v6 addy on ppp0 and a /56 assignment on br0 (I've never looked at this before, and I'm starting to question if it's configured optimally...so thanks! something is tickling my brain about my cake QoS setup...)
Weird... I would expect the firmware to put this in there, but my knowledge about merlin with ipv6 is really slim (like zip)


> If this (above) is the 1st step in making ready to use WG, what do I need to do?
Since wgm is not really tested (?) with ipv6, I thought I'd just start experimenting with getting the ipv6 address into the wg12 interface. I removed the if while wg12 was up and tried to recreate it. It would probably be enough to bring the if down, then add the ipv6 and bring it back up again. I would expect that ipv6 firewall rules and routes need to be added manually... maybe a place to start...
 
I have faith that things will get understood/sorted over the next few weeks - somebody (it could be me, or anyone here on this thread!) will zero in on whatever the key factors are and take us over the top into a new era of understanding with whatever fixes might need to happen, but I suspect the guru-types, the framers/designers and maintainers of the protocols in question have the solutions already in place for us. I'm reading over the ip(8) man page to wrap my nugget around what the 'show table main' returned...the options are where the config parameters are set and oopsies get made/resolved. (defaults are where the troubles can sometimes trip things up)
 
Maybe this is obvious for everyone but me, but I tested my ipv6 connection on my android phone via home wifi and the ipv6 test failed (obviously).
Turned off wifi and tested over Mobile data, still failed (Mobile provider is on ipv6 hall of shame list).
Turned on my wireguard internet client on the same phone (conf file includes ipv6) and the ipv6 test passed (native)!

So this simple test shows that I should be able to get ipv6 connection on my router itself via my wg11 (through the ipv4 udp tunnel) but in order to do so, I need to flip the dreaded ipv6 switch.

Anyone know what will happen if I enable ipv6 on my router without having ipv6 wan?

//Zeb
 
Zombie Apocalypse!
 
I'll be waiting for your report after you test it to let us know. ;)
 
Fascinating work illustrating WireGuard's possibility to utilize udp nat hole punching, allowing 2 clients each behind cgnats to connect to each other via a relay server (only for the initial connection, not hub-and-spoke).


//Zeb
 
As my VPN provider (Astrill) supports WireGuard and you guys also found a way to implement on our Asus routers (thank you to all involved) I had a play with it.
I in no way can say I have any expert knowledge in this stuff; I can follow instructions (admit to being a UI sort of person, generally speaking).
I have it working but have a couple of questions.

Some background first:

AX58U with Merlin 386.4 beta2
500Mbs symmetrical fibre IPv4 only
AMTM of course with connmon, scMerlin and now WG

Q1. my Astrill wg0.conf contains a value for MTU but when imported to wg11.conf this value is hashed out - why is that?
Q2. when I test the Astrill WG on my Windows PC and Android phone using Astrill's own apps I more or less get full speed up and down. I don't expect that sort of result on the router, but what sort of reduction should I expect to see? At this time up and down are +- 140Mbs which is much better than when using ovpn.

I would ultimately like to exclude some www sites I visit but this is where it gets complicated for me and would prefer a ui :)

Thanks for any info.

Just now speed test

[attached screenshot: 2021-12-23_233457.jpg]
 