Wireguard Session Manager - Discussion (2nd) thread

[abir1909]

Thats great! So, did you go for start/stop or did you attempt geo-location "livin"?

I really think the geo-location feature would be really nice in an app like this.

I did the start/stop option. i will test the other method.

 

[abir1909]

I did the start/stop option. i will test the other method.

Thats great! So, did you go for start/stop or did you attempt geo-location "livin"?

I really think the geo-location feature would be really nice in an app like this.

What would you say will be the benefit of using the livin feature vs start/stop?

 

[ZebMcKayhan]

What would you say will be the benefit of using the livin feature vs start/stop?

Mostly flexibility I guess. You could keep a basic setup that always applies like your network to wg11 then change a single ip output without disturbing the others.

It allows you to keep all peers up all the time with the basic config and only change what you want.

So basically on every phone you could have buttons for which wg1x this phone should use without affecting the entire network.

 

[abir1909]

Mostly flexibility I guess. You could keep a basic setup that always applies like your network to wg11 then change a single ip output without disturbing the others.

It allows you to keep all peers up all the time with the basic config and only change what you want.

So basically on every phone you could have buttons for which wg1x this phone should use without affecting the entire network.

Hi Zeb, I must be doing something wrong. I execute “livin wg12 192.168.1.6” and get an Error “Invalid host IPv4 address”

also, what’s the difference between livin/jump/geo? Thx

 

[Martineau]

Hi Zeb, I must be doing something wrong. I execute “livin wg12 192.168.1.6” and get an Error “Invalid host IPv4 address”

Whoops

wireguard_manager Beta v4.15b5 patched

Update wg_manager.sh · MartineauUK/wireguard@c227baa

FIX: 'livin wg1x 192.168.50.38' fails as it doesn't recognise '192.168.50.38' as a valid IPv4 address (Should be RESERVED with 'dhcp-host=' defined in '/etc/dnsmasq....

github.com

Update using

e  = Exit Script [?]

E:Option ==> uf dev

also, what’s the difference between livin/jump/geo? Thx

None - simply aliases for the feature

 

[abir1909]

I updated. Still

Whoops

wireguard_manager Beta v4.15b5 patched

Update wg_manager.sh · MartineauUK/wireguard@c227baa

FIX: 'livin wg1x 192.168.50.38' fails as it doesn't recognise '192.168.50.38' as a valid IPv4 address (Should be RESERVED with 'dhcp-host=' defined in '/etc/dnsmasq....

github.com

Update using

e  = Exit Script [?]

E:Option ==> uf dev

None - simply aliases for the feature

Updated. Still getting same Error.

 

[Martineau]

I updated. Still

Updated. Still getting same Error.

Do you have the IP reserved?

grep -F 192.168.1.6 /etc/dnsmasq.conf

 

[abir1909]

Do you have the IP reserved?

grep -F 192.168.1.6 /etc/dnsmasq.conf

I don't think so. any ip I try I get the same Error.

E:Option ==> livin wg12 192.168.1.100

***ERROR: Invalid host IPv4 address!'

WireGuard ACTIVE Peer Status: Clients 2, Servers 0



E:Option ==> grep -F 192.168.1.6 /etc/dnsmasq.conf

Invalid Option "grep -F 192.168.1.6 /etc/dnsmasq.conf" Please enter a valid option

WireGuard ACTIVE Peer Status: Clients 2, Servers 0

 

[Martineau]

I don't think so. any ip I try I get the same Error.

E:Option ==> livin wg12 192.168.1.100

***ERROR: Invalid host IPv4 address!'

WireGuard ACTIVE Peer Status: Clients 2, Servers 0



E:Option ==> grep -F 192.168.1.6 /etc/dnsmasq.conf

Invalid Option "grep -F 192.168.1.6 /etc/dnsmasq.conf" Please enter a valid option

WireGuard ACTIVE Peer Status: Clients 2, Servers 0

grep -F 192.168.1.6 /etc/dnsmasq.conf

is not awireguard_manager command!

If you have not reserverd/assigned the IP to a specific LAN device, then the livin command won't work, as it is trying to validate that the IP address is authorised.

 

[ZebMcKayhan]

I don't think so. any ip I try I get the same Error

So add your ip to the manual ip list in gui, under LAN-->DHCP-Server.

Guess it makes sense that wgm only allows this for static ips.

If you have not reserverd/assigned the IP to a specific LAN device, then the livin command won't work, as it is trying to validate that the IP address is authorised.

Some time ago when I attempted this it was possible to use cidr notation with this command. Is this no longer possible with this check?

 

[abir1909]

grep -F 192.168.1.6 /etc/dnsmasq.conf

is not awireguard_manager command!

If you have not reserverd/assigned the IP to a specific LAN device, then the livin command won't work, as it is trying to validate that the IP address is authorised.

got it! thank you.
now its working.

 

[Martineau]

So add your ip to the manual ip list in gui, under LAN-->DHCP-Server.

Guess it makes sense that wgm only allows this for static ips.

The original check was for IPv4 or IPv4 CIDR format only, but I suppose you could have several subnets or even wish to have passthru' clients such as OpenVPN 10.8.0.x addresses use the feature, but it is prudent when implementing Selective Routing, that you ensure that the IPs are reserved/static to prevent the wrong device from being accidentally routed out the wrong interface.

Some time ago when I attempted this it was possible to use cidr notation with this command. Is this no longer possible with this check?

At present no.

 

[Zonkd]

Hi all. I was previously using a guide by @Odkrys to install their experimental WireGuard kernel module and tools. It had easy to follow instructions for setup of vpn server.

[Experimental] WireGuard for HND platform (4.1.x kernels)

1. Install WireGuard You need Entware-aarch64-3.10 to use wireguard without a new firmware build. ㅡ Kernel Module ㅡ RT-AC86U, GT-AC2900 - 4.1.27 https://github.com/odkrys/entware-makefile-for-merlin/raw/main/wireguard-kernel_1.0.20210219-k27_1_aarch64-3.10.ipk opkg install...

www.snbforums.com

After upgrading to 386.4 I note it DOES already include wg kernel and tools. So I can’t use the experimental ones and follow it’s guide. I saw in AMTM that this wg session manager script was available but not sure how to import my old configuration which used custom listening ports and pre shared keys. Should I roll back to 386.3 and go back to using experimental wg for now? Not sure how to proceed.

 

[ZebMcKayhan]

After upgrading to 386.4 I note it DOES already include wg kernel and tools. So I can’t use the experimental ones and follow it’s guide.

You should be able to run @Odkrys scripts even though there is buildt in modules. You could still load custom modules (or use the scripts with the buildt in modules).

Wireguard Session Manager will probably serve your needs well, it sets up a server peer when you install it. You can then change listen port if you need.
If you want to give it a try, backup your current solution and start experimenting.

I think you change the port of the server peer with:

E:Option ==> peer wg21 port=xxxxx

//Zeb

 

[Martineau]

I saw in AMTM that this wg session manager script was available but not sure how to import my old configuration which used custom listening ports and pre shared keys.

wireguard_manager uses SQL tables (in lieu of NVRAM) so .conf files need to be imported.

wireguard_manager 'server' Peers are named 'wg2x' and during the initial install 'server' Peer 'wg21' is created.

If your 'server'/'client' Peers are currently called 'wg0' or 'wg1' then after the wireguard_manager install, save/rename the .conf files as say

'/opt/etc/wireguard.d/wg0_old.conf'
'/opt/etc/wireguard.d/wg1_old.conf'

then delete the default 'server' Peer

e  = Exit Script [?]

E:Option ==> peer wg21 del

then import the .configs

e  = Exit Script [?]

E:Option ==> peer import wg0_old type=server

e  = Exit Script [?]

E:Option ==> peer import wg1_old type=server

You should now be able to view the imported Peers

e  = Exit Script [?]

E:Option ==> peer

and their details...complete with your custom Ports/Keys etc.

e,g. 'server' Peer

e  = Exit Script [?]

E:Option ==> peer wg21 config

to have the imported Peers auto-start @ boot; for each Peer issue the auto=y directive

e  = Exit Script [?]

E:Option ==> peer wg21 auto=y

 

[Zonkd]

Thankyou both @Martineau and @ZebMcKayhan for your answers. I'll take a look at both options.

 

[ZebMcKayhan]

then import the .configs

does wgm somehow understand that you import a server peer with

E:Option ==> peer import wg1_old

Or would you need to specify:

E:Option ==> peer import wg1_old type=server

 

[Martineau]

does wgm somehow understand that you import a server peer with

E:Option ==> peer import wg1_old

Or would you need to specify:

E:Option ==> peer import wg1_old type=server

Until the Site-to-Site feature was implemented, a wireguard_manager created 'server' Peer .conf file never contained an Endpoint = socket directive so the peer import xxx request is able to differentiate between a 'server' and 'client' Peer.

So for most import requests there is no requirement to explicitly specify type=, but whilst for advanced Peer topology requirements it is mandatory, in this case it wouldn't hurt!

EDIT:type=server is mandatory! - post #595 updated.

We will have to wait and see if the OP's attempt to port his current 'server' Peer to wireguard_manager is successful, or if he will need to start from scratch and use wireguard_manager's default 'server' Peer 'wg21' and (re)create the necessary Road Warrior 'client' Peers.

 

[Zonkd]

I can confirm the old experimental WireGuard Kernel and tools still install and work on 386.4. There seems to be no conflicts with the inbuilt wg kernel. Will report back if anything breaks. For now I can continue using my wireguard server like before, which is a relief because I don’t have time yet to investigate setting up something different. Thanks for your help guys.

 

[Zonkd]

Until the Site-to-Site feature was implemented, a wireguard_manager created 'server' Peer .conf file never contained an Endpoint = socket directive so the peer import xxx request is able to differentiate between a 'server' and 'client' Peer.

So for most import requests there is no requirement to explicitly specify type=, but whilst for advanced Peer topology requirements it is mandatory, in this case it wouldn't hurt!

We will have to wait and see if the OP's attempt to port his current 'server' Peer to wireguard_manager is successful, or if he will need to start from scratch and use wireguard_manager's default 'server' Peer 'wg21' and (re)create the necessary Road Warrior 'client' Peers.

I appreciate your effort. If I had more time available for experimenting and then testing I would have tried importing and figuring it out. But I’m sure your instructions are going to help people. And I might come back to them if I get time to revisit. Thanks.