Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)


I have experienced this. I deleted and recreated the device with the same name but did not update my client config. In my client it says connected but there is no connection. Perhaps you can try recreating the device and importing the new config into the client wg program again?
@chongnt I'm starting to think you are correct on this and I am not actually connected at all. I deleted wg21 and recreated.

Code:
E:Option ==> peer wg21

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Server  Auto  Subnet        Port   Public                                        Private                                       Annotate
wg21    N     10.50.1.1/24  11501    # RT-AX88U Server 1

However, when I add a peer/device, and connect from the device:

Code:
paul@RT-AX88U-6948:/tmp/home/root# wg show wg21
interface: wg21
  public key: 
  private key: (hidden)
  listening port: 11501

There are no peers listed so even though WireGuard says it is connected on my Samsung phone, the peer is not actually connected. I looked at the app logs and it's repeating "Sending handshake initiation" and then "Handshake did not complete" repeatedly.

I wondered then if I should be opening any ports for this so I opened port 11501 as it's the listening port but it didn't make any difference, same issue. Any ideas?
 
The peer device public key for wg21 should be displayed with the command "wg show wg21" even if it is not connected. Have you created your phone as a peer device for wg21 in wg_manager?
You can do it like this; it will ask if you want to generate a QR code. In your phone's wg app, you can select create from QR code.
Code:
E:Option ==> 9 Samsung
 
@chongnt I've done a lot of testing now and also with two clients and it finally, finally, seems like it is working 100%.

Thank you and also @ZebMcKayhan for all of your help.
 
Glad it worked!

Would you mind sharing what the problem was so others could benefit?

Best regards
Zeb

After fixing the rules from before to get wg11 working, there were no extra steps for wg21. @chongnt confirmed he had the same settings as I did, so I deleted and re-added wg21, as well as regenerating the peer configs. I also updated to the latest wgm dev code which may have helped in some way. However, I did compare the "ip rule" and "wg show" output and it looks the same but may in some way have helped it along.
 
I’m glad you got it working too. The wg client application status can be misleading. Active doesn’t necessarily mean peering with the server is successful. The client will simply forward traffic to that interface and it gets blackholed.
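
The point in the post above can be checked on the router side rather than from the client's status. This added example (not from the thread or from wg_manager) classifies peers in `wg show wg21 dump` output by their latest-handshake time; the sample dump, the placeholder keys and the 180-second default threshold are constructed for illustration.

```shell
#!/bin/sh
# Classify each peer in `wg show <iface> dump` output read from stdin.
# Peer lines carry 8 tab-separated fields:
#   public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
# The first line (4 fields) describes the interface itself and is skipped.
# $1 = current epoch seconds, $2 = max handshake age in seconds (assumed default 180)
wg_peer_health() {
    awk -F '\t' -v now="$1" -v max="${2:-180}" '
        NF == 8 {
            peers++
            if ($5 == 0)             state = "NEVER"   # handshake has not completed
            else if (now - $5 > max) state = "STALE"   # was connected, now silent
            else                     state = "OK"
            printf "%s %s %s\n", state, $4, $1
        }
        # Interface is up but no peer is configured on it: nothing can connect.
        END { if (peers == 0) print "NOPEERS" }
    '
}

# Constructed sample: one peer with a recent handshake, one that never completed one.
sample_dump() {
    printf 'PRIV_PLACEHOLDER\tSRV_PUB_PLACEHOLDER\t11501\toff\n'
    printf 'PUB_IPAD\t(none)\t203.0.113.7:51820\t10.50.1.3/32\t1625731052\t150927\t1001707\toff\n'
    printf 'PUB_S21\t(none)\t(none)\t10.50.1.2/32\t0\t0\t0\toff\n'
}

# Constructed sample: interface line only, as when no peer has been added to the server.
sample_dump_empty() {
    printf 'PRIV_PLACEHOLDER\tSRV_PUB_PLACEHOLDER\t11501\toff\n'
}
```

On the router the live equivalent is `wg show wg21 dump | wg_peer_health "$(date +%s)"`; a phone that reports "connected" while its line reads NEVER, or while the output is NOPEERS, is not actually peered.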
 
I'm seeing an error:

Code:
E:Option ==> 4 wg11

        Requesting WireGuard VPN Peer start (wg11)

        wireguard-clientwg11: Initialising Wireguard VPN 'client' Peer (wg11) to engage.cloudflareclient.com:2408 (# Cloudflare Warp) DNS=192.168.1.1
Error: table traffic has 4 columns but 6 values were supplied
        wireguard-clientwg11: Initialisation complete.


        WireGuard ACTIVE Peer Status: Clients 1, Servers 0

How can I resolve this?

Here is my wg11.conf:
# Cloudflare Warp
[Interface]
PrivateKey = xxxxx
Address = 172.16.0.2/32
DNS = 192.168.1.1
MTU = 1280

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0
Endpoint = engage.cloudflareclient.com:2408

I'm on v4.11b8
 
I had this when I upgraded versions also. I guess the internal DB has a different schema. I don't think it will cause you problems but as part of my troubleshooting, I ended up deleting and re-adding and that fixed the error.
 
There have been some changes in the database, needed to produce the right stats, from 4.11b7 and onwards.

Check post #321 to update your database without starting over:
http://www.snbforums.com/threads/session-manager.70787/post-696141

//Zeb
 
I've noticed access to LAN from my wifi network tied to wg11 stopped at some point. Saving the two way access settings in YazFi again on the router admin panel seems to make it work. Other than that though, it's working fine. I suspect it's something with YazFi.

Also, is there a way to delete devices from wgm? I've tested to remove the files but the devices are still present when you type "peer" and get the device list.
 
I have been having similar issues after updating yazfi and since the great @Jack Yaz is really productive the updates are short in between. However a simple reboot has always fixed this.
I figured it is re-applying firewall rules which now may be in different orders but never really investigated further.
Have you updated yazfi in the time area (-ish) when it stopped working?

//Zeb
 
Haven't touched anything related to the router config at all so unsure what triggered it. I also suspected something changed with the rules either being changed or removed. Saving on the YazFi page or rebooting restores the access to internal lan from the wifi. In any case, it's not a big issue at all. Good to know I am not the only one experiencing it!
 
If the Peer menu option '8' syntax description doesn't suffice...
Code:
1  = Update Wireguard modules                               7  = Display QR code for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                            8  = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
                                                            9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers Summary [Peer...] [full]             10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ] 
4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients                                     
5  = Stop    [ [Peer... ] | category ] e.g. stop clients                                    
6  = Restart [ [Peer... ] | category ] e.g. restart servers                                 

?  = About Configuration                    
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')      

e  = Exit Script [?]

E:Option ==>
use
Code:
e  = Exit Script [?]

E:Option ==> peer help

    peer help                                                           - This text
    peer                                                                - Show ALL Peers in database
    peer peer_name                                                      - Show Peer in database or for details e.g peer wg21 config
    peer peer_name {cmd {options} }                                     - Action the command against the Peer
    peer peer_name del                                                  - Delete the Peer from the database and all of its files *.conf, *.key
    peer peer_name ip=xxx.xxx.xxx.xxx                                   - Change the Peer VPN Pool IP
    peer category                                                       - Show Peer categories in database
    peer peer_name category [category_name {del | add peer_name[...]} ] - Create a new category with 3 Peers e.g. peer category GroupA add wg17 wg99 wg11
    peer new [peer_name [options]]                                      - Create new server Peer e.g. peer new wg27 ip=10.50.99.1/24 port=12345
    peer peer_name [del|add] ipset {ipset_name[...]}                    - Selectively Route IPSets e.g. peer wg13 add ipset NetFlix Hulu
    peer peer_name {rule [del {id_num} |add [wan] rule_def]}            - Manage Policy rules e.g. peer wg13 rule add 172.16.1.0/24 comment All LAN
                                                                                                   peer wg13 rule add wan 52.97.133.162 comment smtp.office365.com
                                                                                                   peer wg13 rule add wan 172.16.1.100 9.9.9.9 comment Quad9 DNS
 
To delete a device properly, use the command above by @Martineau,
for example:
Code:
 E:Option ==> peer MyPhone del
If you have removed, say, MyPhone.conf from /opt/etc/wireguard.d/, I think you will get an error when you try to run the above command. In case this happens, create a blank file named MyPhone.conf in that directory, then run the peer del command in wgm again.
 
If there is a mismatch i.e. the database doesn't match the expected existence of the physical files (due to the unexpected manual erasure of the '.conf' file :rolleyes:) then specify
Bash:
peer peer_name delX
and the script will force the database entry deletion without the need to recreate blank files.
 
Thanks @Martineau & @chongnt.

I've deleted all of my previous devices created from testing but have noticed a few of these entries:

Code:
E:Option ==> 3

    interface: wg21     Port:11501    10.50.1.1/24         VPN Tunnel Network    # RT-AX88U Server 1
        peer:      10.50.1.3/32        # PaulsIpad "Device"
         latest handshake: 1 minute, 38 seconds ago
         transfer: 147.39 KiB received, 978.23 KiB sent        0 Days, 00:00:00 from 2021-07-08 07:57:32 >>>>>>
        peer:      10.50.1.3/32        # Unidentified owner of this Public key:
        peer:      10.50.1.3/32        # Unidentified owner of this Public key:
        peer:      10.50.1.2/32        # PaulsS21 "Device"

Are the previous devices assigned to 1.3 in the database still? The peer keys for each are different.
 
As you have several Road-Warrior 'client' Peers with the same IP (10.50.1.3/32), back in early June I applied the patch
So rather than tediously hack the SQL tables, I suggest you uninstall and reinstall the latest beta
 
Will that also wipe all of my configs?
 
Unfortunately yes, but you only appear to be creating a single associated Road-Warrior 'client' Peer which is easily recreated (albeit with a different key-pair) for the default WireGuard 'server' Peer?

However, if you have '.config' files (either custom or provided by your WireGuard ISP), you can save them and reimport them into the SQL database.

Alternatively, you can obviously hack/modify the relevant SQL tables (there are examples in the thread of how to use SQL commands DROP/DELETE/UPDATE) edit 'wg21.conf' to remove the invalid entries.
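
A read-only way to locate the invalid entries before editing 'wg21.conf' or the database: this added example (not wg_manager code) lists every AllowedIPs address claimed by more than one [Peer] section. WireGuard keeps an allowed IP on only one peer per interface, so leftover peers sharing 10.50.1.3/32 compete with the real device for that address; the sample file and its keys are constructed, and standard WireGuard .conf syntax is assumed.

```shell
#!/bin/sh
# Read a WireGuard .conf on stdin and print each AllowedIPs entry that more than
# one [Peer] section claims, as: <cidr> <count> <public-key,public-key,...>
dup_allowed_ips() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        # Record the AllowedIPs of the section that just ended (if it was a [Peer]).
        function endpeer(   i, n, ips, ip) {
            if (!inpeer) return
            n = split(allowed, ips, ",")
            for (i = 1; i <= n; i++) {
                ip = trim(ips[i]); if (ip == "") continue
                count[ip]++
                keys[ip] = (keys[ip] == "" ? "" : keys[ip] ",") key
            }
        }
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { endpeer(); inpeer = (tolower($0) ~ /\[peer\]/); key = "?"; allowed = ""; next }
        inpeer && tolower($0) ~ /^[ \t]*publickey[ \t]*=/ {
            sub(/^[^=]*=/, ""); key = trim($0)      # keeps base64 "=" padding
        }
        inpeer && tolower($0) ~ /^[ \t]*allowedips[ \t]*=/ {
            sub(/^[^=]*=/, ""); allowed = (allowed == "" ? "" : allowed ",") trim($0)
        }
        END { endpeer(); for (ip in count) if (count[ip] > 1) print ip, count[ip], keys[ip] }
    '
}

# Constructed sample mirroring the listing in the thread: three peers on 10.50.1.3/32.
sample_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 11501
# PaulsIpad
[Peer]
PublicKey = KEY_IPAD=
AllowedIPs = 10.50.1.3/32
[Peer]
PublicKey = KEY_OLD1=
AllowedIPs = 10.50.1.3/32
[Peer]
PublicKey = KEY_OLD2=
AllowedIPs = 10.50.1.3/32
# PaulsS21
[Peer]
PublicKey = KEY_S21=
AllowedIPs = 10.50.1.2/32
EOF
}
```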
 
As I sit here in a remote location, how I wish Wireguard was supported on the AX58U...
 
