Wireguard Import wireguard .conf file from windows

[javo]

I just installed gnuton 387.02 for my TUF AX-5400 mostly to have access to wireguard, after a surprisingly easy time I could install both Entware and Winguard Manager, actually, amtm did everything.

The problem is that I have a windows computer and use putty to connect to the ax5400 via ssh and I just downloaded the wireguard .conf file from my vpn provider in my windows /downloads folder and I don't have the slightest idea how to import it from windows to the router.

I check the guide but it says: "...when you have concluded that your config file is working, stop the Android/windows/whatever client and copy the .conf file to the router here: /opt/etc/wireguard.d/"

I thought that I could use the WGM option 11 to import the file but I don't how to connect a windows file with the router using ssh.

I suppose it should be easy, for the way it is covered in the guide, but I don't have a clue how to do it.

Any ideas?

Thx

 

[rayyan]

okay what you can try is typing nano /opt/etc/wireguard.d/ (on the router via ssh)to make a file and on the wireguard config file for example uk-lon.prod.surfshark.com.conf you need to open the conf file in notepad and copy the contents of what's in the conf file and paste it in /opt/etc/wireguard.d/ let me know ill try my best to help

 

[javo]

thank you, Ray.

It was working ok, until I tried to save it (write out) and received an error message about read-only file system:

I am missing something.

 

[rayyan]

thank you, Ray.

It was working ok, until I tried to save it (write out) and received an error message about read-only file system:

View attachment 43939

I am missing something.

okay so you have wire guard installed right is there anything on the web ui

 

[javo]

In the gui I have 4 openvpn servers and one was active with vpn director when I was first trying to add the .conf file, after your last post I stopped all openvpn connections:

I just installed WGM, but I had to close it to try to write the .conf file on the opt folder:

 

[javo]

Thanks Ray, I just close the gui, close putty, started again and it worked!

 

[rayyan]

Thanks Ray, I just close the gui, close putty, started again and it worked!

ummmm okayyy

 

[Martineau]

I just installed gnuton 387.02 for my TUF AX-5400 mostly to have access to wireguard, after a surprisingly easy time I could install both Entware and Winguard Manager, actually, amtm did everything.

The problem is that I have a windows computer and use putty to connect to the ax5400 via ssh and I just downloaded the wireguard .conf file from my vpn provider in my windows /downloads folder and I don't have the slightest idea how to import it from windows to the router.

Any ideas?

FYI,,,,,
wg_manager v4.18 includes a crude WebUI ( although Beta v4.19b3/WebUI v1.04 available from the dev Github branch is a tad better) and is shown in the commandline menu....

e.g.

and can be accessed via the Addons Tab...

e.g. You can import the WireGuard .conf directly from Windows by clicking on the Choose File button.

Latest Beta WebUI v1.04

 

[javo]

Thanks @Martineau , so far i have used it in text mode but I will try the gui version, I have been very impressed with the performance of your work since my connection blowed from 50kbs on openvpn to 130 kbs on wireguard manager.

The only think I notice is that sometimes, the wg connection stops and all my connection went down and the only thing I have to do is putty to the router, stop the wg connection and start it again and it works again.

 

[Martineau]

The only think I notice is that sometimes, the wg connection stops and all my connection went down and the only thing I have to do is putty to the router, stop the wg connection and start it again and it works again.

I use both Mullvad and TorGuard concurrently, and they are 100% reliable.

I suggest you issue the following command when it is working,...

wgm diag > /tmp/Good_connection.txt

then this command when the connection fails.

wgm diag > /tmp/Lost_connection.txt

Hopefully you/we will then be able to perform a text file compare to hopefully identify what is causing the connection failure.

 

[javo]

FYI,,,,,
wg_manager v4.18 includes a crude WebUI ( although Beta v4.19b3/WebUI v1.04 available from the dev Github branch is a tad better) and is shown in the commandline menu....

e.g.

View attachment 43945

and can be accessed via the Addons Tab...

e.g. You can import the WireGuard .conf directly from Windows by clicking on the Choose File button.


View attachment 43946

Latest Beta WebUI v1.04

View attachment 43947

I think something is missing in my wgm setup because I don't have that same url to access the gui:

do I have to remove 4.18 to install the beta 4.19b3 or could I update it?

 

[Martineau]

I think something is missing in my wgm setup because I don't have that same url to access the gui:

View attachment 43965

do I have to remove 4.18 to install the beta 4.19b3 or could I update it?

Hmmmm,

You could try updating to Beta v4.19b3

e  = Exit Script [?]

E:Option ==> uf dev

EDIT: What does the following command show

nvram get rc_support | grep -o am_addons

 

[javo]

I use both Mullvad and TorGuard concurrently, and they are 100% reliable.

I suggest you issue the following command when it is working,...

wgm diag > /tmp/Good_connection.txt

then this command when the connection fails.

wgm diag > /tmp/Lost_connection.txt

Hopefully you/we will then be able to perform a text file compare to hopefully identify what is causing the connection failure.

I still have a disconnection problem at least once every 24 hours.

Here is the wg diag of the good connection:
^[[93m
WireGuard® VPN Peers^[[0m
^[[97m
Peers (Auto start: Auto=P - Policy, Auto=S - Site-to-Site)^[[96m
Server Auto Subnet Port Annotate
wg21 Y 10.50.1.1/24 51820 # TUF-AX5400 Server #1

Client Auto IP Endpoint DNS MTU Annotate
wg11 Y 10.2.0.2/32 193.148.18.34:51820 10.2.0.1 Auto # N/A
^[[97m
Peers (Auto=X - External i.e. Cell/Mobile/Site)^[[96m
^[[0m^[[93m
DEBUG: Routing info MTU etc.
^[[96m
27: wg11: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.2.0.2/32 scope global wg11
^[[93m
DEBUG: Routing Table main
^[[96m
0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link
^[[93m
DEBUG: Routing Cache
^[[96m
^[[93m
DEBUG: RPDB rules
^[[96m
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
^[[93m
DEBUG: Routing Table 121 (wg11) ^[[95m# N/A
^[[96m
0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
239.0.0.0/8 dev br0 scope link
^[[93m
DEBUG: Netstat
^[[0m
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 wg11
128.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 wg11
^[[93m
DEBUG: UDP sockets.
^[[96m
udp 0 0 0.0.0.0:40301 0.0.0.0:* -
udp 0 0 :::40301 :::* -
^[[93m
DEBUG: Firewall rules
^[[96m
^[[93m
DEBUG: -t filter
^[[96m
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
2 0 0 WGM_ACL_F all -- wg+ * 0.0.0.0/0 0.0.0.0/0 /* Wireguard ACL */

And the one when the connection is lost:

^[[93m
WireGuard® VPN Peers^[[0m
^[[97m
Peers (Auto start: Auto=P - Policy, Auto=S - Site-to-Site)^[[96m
Server Auto Subnet Port Annotate
wg21 Y 10.50.1.1/24 51820 # TUF-AX5400 Server #1

Client Auto IP Endpoint DNS MTU Annotate
wg11 Y 10.2.0.2/32 193.148.18.34:51820 10.2.0.1 Auto # N/A
^[[97m
Peers (Auto=X - External i.e. Cell/Mobile/Site)^[[96m
^[[0m^[[93m
DEBUG: Routing info MTU etc.
^[[96m
28: wg11: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.2.0.2/32 scope global wg11
^[[93m
DEBUG: Routing Table main
^[[96m
0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link
^[[93m
DEBUG: Routing Cache
^[[96m
^[[93m
DEBUG: RPDB rules
^[[96m
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
^[[93m
DEBUG: Routing Table 121 (wg11) ^[[95m# N/A
^[[96m
0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
239.0.0.0/8 dev br0 scope link
^[[93m
DEBUG: Netstat
^[[0m
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 wg11
128.0.0.0 0.0.0.0 128.0.0.0 U 0 0 0 wg11
^[[93m
DEBUG: UDP sockets.
^[[96m
udp 0 0 0.0.0.0:46769 0.0.0.0:* -
udp 0 0 :::46769 :::* -
^[[93m
DEBUG: Firewall rules
^[[96m
^[[93m
DEBUG: -t filter
^[[96m
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
2 0 0 WGM_ACL_F all -- wg+ * 0.0.0.0/0 0.0.0.0/0 /* Wireguard ACL */

I still can't find any reason for the random network disconnection.

 

[ZebMcKayhan]

I still can't find any reason for the random network disconnection.

you could see if the Wireguard udp tunnel is up when connection fails:

E:Option ==> wg show

        WireGuard® Userspace Tool:

interface: wg11
  public key: (hidden)
  private key: (hidden)
  listening port: 40773

peer: (hidden)
  endpoint: xx.xx.xx.xx:48574
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 29 seconds ago
  transfer: 136.92 GiB received, 5.34 GiB sent
  persistent keepalive: every 25 seconds

The latest handshake should reset every couple of minutes. if the timer reaches over 3 minutes that would mean the connection to the server is lost between wg11 and the server.

If the timer gets reset:
your output provide info on firewall FORWARD, filter rules, however there are one more rule that is critical for wireguard to function correctly in the POSTROUTING, nat. could be useful to check so that rule is there before and after your connection breaks:

admin@RT-AC86U-D7D8:/tmp/home/root# iptables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 577K packets, 54M bytes)
 pkts bytes target     prot opt in     out     source               destination
 584K   50M MASQUERADE  all  --  *      wg11    192.168.1.0/24       0.0.0.0/0            /* WireGuard 'client' */
admin@RT-AC86U-D7D8:/tmp/home/root#

why this could be interesting to check is that the firmware could flush the filter chains when something needs change and rebuild them and execute a firewall-start event. but when nat tables are flushed it is a different event, nat-start. dont know if there is any difference in how @GNUton firmware handles this.

https://github.com/ZebMcKayhan/WireguardManager#check-connection

 

[javo]

I don't know why, but I still keep getting random wireguard disconnections; sometimes while I watching a streaming movie suddenly the wg vpn just goes down and the only thing that I can do is to stop the wg11 and then started again.

But while the wg connection was down I could made the steps in @Martineau guide to check wgm connection, the thing that confuses me more is that even with no connection, the handshake time is always less than 2 minutes:

---

E:Option ==> list

interface: wg11 EndPoint=193.148.18.34:51820 10.2.0.2/32 # N/A
peer: (hidden)
latest handshake: 4 seconds ago. (sec:4)
transfer: 6.76 GiB received, 507.79 MiB sent 0 Days, 15:45:54 since Fri Sep 9 21:09:36 2022 >>>>>>

WireGuard® ACTIVE Peer Status: Clients 1, Servers 0

E:Option ==> wg show

WireGuard® Userspace Tool:

interface: wg11
public key: (hidden)
private key: (hidden)
listening port: 38272

peer: VeryLongKey
endpoint: 193.148.18.34:51820
allowed ips: 0.0.0.0/0
latest handshake: 15 seconds ago. (sec:15)
transfer: 6.76 GiB received, 507.82 MiB sent

WireGuard® ACTIVE Peer Status: Clients 1, Servers 0

I tried the dns restart opción to clear dns servers but I could't:

E:Option ==> peer wg11 restart

***ERROR Invalid command 'restart' e.g. [add | del | upd | bind]


WireGuard® ACTIVE Peer Status: Clients 1, Servers 0

I also have the diag command output, but I can not paste it here, I received an error message, so I added as an attached file.

 

[chongnt]

I don't know why, but I still keep getting random wireguard disconnections; sometimes while I watching a streaming movie suddenly the wg vpn just goes down and the only thing that I can do is to stop the wg11 and then started again.

But while the wg connection was down I could made the steps in @Martineau guide to check wgm connection, the thing that confuses me more is that even with no connection, the handshake time is always less than 2 minutes:

---

I tried the dns restart opción to clear dns servers but I could't:



I also have the diag command output, but I can not paste it here, I received an error message, so I added as an attached file.

It appears the wrong command is used. To restart the client,

E:Option ==> restart wg11

        Requesting WireGuard® VPN Peer restart (wg11) 

        Restarting Wireguard® 'client' Peer (wg11)
wg11-down.sh: Executing Event:wgvpn-client wg11 down
… snipped …

When you notice the latest handshake time still refreshes when it reaches 2 min plus, the peering should be up. Can you try to ping and see if there is issue with the “server” peer?

 admin@RT-AC86U-DBA8:/tmp/home/root# ping -I wg11 google.com

If the problem is indeed at the server end, perhaps can try peer to a different server.

 

[ZebMcKayhan]

I also have the diag command output, but I can not paste it here, I received an error message, so I added as an attached file

From what I can see, all bits and pieces are still there. Altough full firewall/routes is not disclosed by these commands so something may be fooling us.

Perhaps it could be some conntrack/nat issue, like sockets are closed by some reason. Have you added persistent keepalive? Could be worth a shot maybee?
https://github.com/ZebMcKayhan/WireguardManager#add-persistentkeepalive

 

[javo]

Perhaps it could be some conntrack/nat issue, like sockets are closed by some reason. Have you added persistent keepalive? Could be worth a shot maybee?
https://github.com/ZebMcKayhan/WireguardManager#add-persistentkeepalive

Even thought the .conf file does not have a keep persistent alive I added it, but still the connection suddenly is lost.

Thinking that could be a server issue, I changed to another server but still keep getting random disconnections, but I used to have them when I was streaming tv while my kid was gaming on his computer and the fastest way to up the link was to do a E:Option ==> restart wg11, and immediately the connection goes up, but now it goes down even during the night while the network use is at minimum.

 

[ZebMcKayhan]

Even thought the .conf file does not have a keep persistent alive I added it, but still the connection suddenly is lost.

Thinking that could be a server issue, I changed to another server but still keep getting random disconnections, but I used to have them when I was streaming tv while my kid was gaming on his computer and the fastest way to up the link was to do a E:Option ==> restart wg11, and immediately the connection goes up, but now it goes down even during the night while the network use is at minimum.

Starting to run out of options here.... maybe a server issue as you say (but I would think that is unlikely).

Did you disable FlowCache? At this point it is all I can think of:
https://github.com/ZebMcKayhan/WireguardManager#disable-flowcache

different architectures seems to have different symptoms of this incompatibility, some loose speed and get syslog errors, some seems to get random disconnections...

This will limit all WAN speed to 400-600Mb/s (Wireguard included) but unfortunately there are yet no other solution for this. Asus also disabled FlowCache in the RC-3 beta because of this compatibility issue. Dont know if they have any fix included in 388 firmware, but really hope so.

 

[javo]

Did you disable FlowCache? At this point it is all I can think of:
https://github.com/ZebMcKayhan/WireguardManager#disable-flowcache

Don't know if it is a coincidence,but so far I have almost 24 hours without network disconnections after I disable the FlowCache. Since my current speed is 120Mb/s doesn't seem a trade-off to me.