Wireguard Session Manager (4th) thread

Martineau

Another 6 months are up (thanks to SNB forum member @greenspanner for the heads-up); details of WireGuard® Manager can be found @the following:

and @ZebMcKayhan's invaluable Hints and Tips Guide


Following on from #572 in the third thread.
 
Hi all,

Yesterday I was faced with the fact that WireGuard stopped working after a reboot. It showed as started, without any error, but doesn't work. No changes have been made to the router.

Code:
Asus AC86U - Firmware Version:386.7_2
wireguard - Version v4.19b3 by Martineau

        interface: wg11 EndPoint=xxx.xxx.xxx.xxx:63665                   10.66.66.2/24,fd42:42:42::2/64          # N/A
                peer: xxx


Code:
admin@RT-AC86U-33F8:/tmp/home/root# wgmExpo "peer wg11"


Client  Auto  IP                              Endpoint              DNS              MTU   Annotate
wg11    P     10.66.66.2/24,fd42:42:42::2/64  xxx.xxx.xxx.xxx:63665  8.8.8.8,8.8.4.4  1460  # N/A


        Selective Routing RPDB rules
ID  Peer  Interface  Source  Destination    Description
1   wg11  VPN        Any     185.41.185.73


IPSet      Enable  Peer  FWMark  DST/SRC
unblockip  Y       wg11  0x1000  dst

Code:
admin@RT-AC86U-33F8:/tmp/home/root# wgmExpo "restart wg11"


        Requesting WireGuard® VPN Peer restart (wg11)


        Restarting Wireguard® 'client' Peer (wg11)


        wg_manager-clientwg11: WireGuard® VPN 'client' Peer (wg11) to xxx.xxx.xxx.xxx2:63665 (# N/A) Terminated
        wg_manager-clientwg11: Initialising WireGuard® VPN 'client' Peer (wg11) in Policy Mode to xxx.xxx.xxx.xxx:63665 (# N/A) DNS=8.8.8.8,8.8.4.4
wg_manager-clientwg11: Initialisation complete.


Please advise how to proceed.
Thank you.

UPD1: My unblock list stopped working (unblockip Y wg11 0x1000 dst). The rules that are direct in WGM are working (1 wg11 VPN Any 185.41.185.73).
UPD2: Problem solved. For some reason, the unblockip list was empty in IPSet. After restoring the backup, everything worked.
 
Did you use my scripts in nat-start to restore the ipset after boot? I know I have encountered similar issues with nat-start during boot. It seems to execute nat-start many times virtually simultaneously, which means it kind of blocks itself. Thus the "sleep 10", but sometimes maybe not enough? Perhaps something more elaborate is needed, like a lock-file creation...
 
Yes, I have used this script for around a month with no problem before yesterday:

/jffs/scripts/nat-start

Code:
IPSET_LIST="unblockip"


for IPSET_NAME in $IPSET_LIST; do
   if [ "$(ipset list -n "$IPSET_NAME" 2>/dev/null)" != "$IPSET_NAME" ]; then #if ipset does not already exist
      if [ -s "/mnt/sda1/entware/home/$IPSET_NAME" ]; then #if a backup file exists
         ipset restore -! <"/mnt/sda1/entware/home/$IPSET_NAME" #restore ipset
         cru a "$IPSET_NAME" "0 2 * * * ipset save $IPSET_NAME > /mnt/sda1/entware/home/$IPSET_NAME" >/dev/null 2>&1 # create cron job for autosave
      fi
   fi
done
 
Did you use my scripts in nat-start to restore the ipset after boot? I know I have encountered similar issues with nat-start during boot. It seems to execute nat-start many times virtually simultaneously, which means it kind of blocks itself. Thus the "sleep 10", but sometimes maybe not enough? Perhaps something more elaborate is needed, like a lock-file creation...
I use x3mRouting to manage ipsets; the script itself checks for Entware readiness before proceeding to restore the ipset. Perhaps you need to do something similar before restoring the ipset?
Regarding multiple re-runs of the nat-start script, I use the concept from @eibgrad to serialize the re-runs.

Code:
#!/bin/sh

# required for serialization when reentry is possible
LOCK="/tmp/$(basename $0).lock"
# mkdir is atomic, so only one instance can create the lock directory;
# POSIX sh has no "&>", so stdout and stderr are redirected separately
acquire_lock() { while ! mkdir "$LOCK" >/dev/null 2>&1; do sleep 2; done; }
release_lock() { rmdir "$LOCK" >/dev/null 2>&1; }

# exit (any concurrent instance(s) may now run)
exit_0() { release_lock; exit 0; }

# one instance at a time
acquire_lock

logger -t "$(basename $0)" "Started [$@]"


## existing scripts ##

logger -t "$(basename $0)" "Completed [$@]"
exit_0

This is how the sequence looks. The second run only starts after the first run is completed.
Code:
May  5 13:05:25 custom_script: Running /jffs/scripts/nat-start
May  5 13:05:25 nat-start: Started []
Oct  1 12:53:28 custom_script: Running /jffs/scripts/nat-start
Oct  1 12:53:37 RT-AC86U-DBA8 nat-start: Completed []             
Oct  1 12:53:39 RT-AC86U-DBA8 nat-start: Started []             
Oct  1 12:53:45 RT-AC86U-DBA8 nat-start: Completed []
 
I use x3mRouting to manage ipsets; the script itself checks for Entware readiness before proceeding to restore the ipset.
Entware would not need to be ready (?). Ipset is part of the firmware and should be restorable before Entware is up (I would assume). But now that I think about it, the USB drive needs to be up, but I would assume
Code:
if [ -s "/mnt/sda1/entware/home/$IPSET_NAME" ]
would return FALSE if sda1 is not mounted, and nothing is restored in this event. So the ipset wouldn't even be created. Certainly not restored blank???

This is how the sequence looks. The second run only starts after the first run is completed.
Ooh, that is nice. Always top-quality from @eibgrad. Perhaps @numminorih could try it out as a wrap-around for my script and see if it solves the issue (although it may take some months to find out)...
 
You are right, no need to wait for Entware. Only need to wait for the USB drive.
 
How can I allow peers to talk to each other? I can ping server to peer and peer to server but I can't ping peer to peer.
 
Could somebody help me with a site 2 site setup please?

I am running the WireGuard server on my AX86U and have a Windows 10 PC connected as a peer/client, it has to be connected this way due to the inbound firewall on the Windows 10 PC LAN. I would like to be able to talk to the LAN of the connected Windows 10 PC. I have found some guides but they all seem to be Linux based and I can't get it working.

I have no issues with connecting to the Windows 10 PC via the WireGuard IP and I can now talk both ways but it would be a bonus if I could get access to the LAN as well.
 
You would need to turn on IP forwarding on your Windows machine in order for it to pass packets between networks:
https://www.google.se/amp/s/www.wikihow.com/Enable-IP-Routing-on-Windows-10?amp=1

But that alone would not be enough. You would also need to add a route on the router of the Windows machine's LAN, telling it that your other LAN is via the Windows machine.

Edit: @evlo did a similar setup with a Linux machine behind the router and managed to set up site-to-site. Perhaps he has more input.
https://www.snbforums.com/threads/session-manager-discussion-3rd-thread.78317/post-780728
 
OK, will try; please advise where I can find your script?
I thought you could merge @eibgrad's script posted by @chongnt above with what you already have...

But I added a check for you that waits a maximum of 30 seconds for the USB drive to be mounted, and if it fails it will give you a log message.

Code:
#!/bin/sh
############################################################
# required for serialization when reentry is possible
LOCK="/tmp/$(basename $0).lock"
acquire_lock() { while ! mkdir $LOCK &>/dev/null; do sleep 2; done; }
release_lock() { rmdir $LOCK &>/dev/null; }
exit_0() { release_lock; exit 0; } # exit (any concurrent instance(s) may now run)
############################################################
# one instance at a time
acquire_lock
logger -t $(basename $0) "Started [$@]"

##
## Put existing nat-start directives here
##


## IPSET restore:
IPSET_LIST="unblockip"
MAX_TRIES=30 #Retries every second [MAX_TRIES] amount of times.

TRIES="0"
while [ "$TRIES" -lt "$MAX_TRIES" ]; do
    if [ -d "/mnt/sda1/entware/home" ]; then
       for IPSET_NAME in $IPSET_LIST; do
           if [ "$(ipset list -n "$IPSET_NAME" 2>/dev/null)" != "$IPSET_NAME" ]; then #if ipset does not already exist
                  if [ -s "/mnt/sda1/entware/home/$IPSET_NAME" ]; then #if a backup file exists
                     ipset restore -! <"/mnt/sda1/entware/home/$IPSET_NAME" #restore ipset
                     cru a "$IPSET_NAME" "0 2 * * * ipset save $IPSET_NAME > /mnt/sda1/entware/home/$IPSET_NAME" >/dev/null 2>&1 # create cron job for autosave
                     logger -t $(basename $0) "IPSET restored: $IPSET_NAME"
                  fi
           fi
       done
       break #all done
    else
           sleep 1
           TRIES=$((TRIES + 1))
           if [ "$TRIES" == "$MAX_TRIES" ]; then
               logger -t $(basename $0) "Warning: Failed to detect mounted USB-Drive within $MAX_TRIES seconds! IPSET not restored!"
           fi
    fi
done
############################################################
logger -t $(basename $0) "Completed [$@]"
exit_0

I have merged the code above, put in @eibgrad's code for serialization and added a check for the USB drive. It gets a bit bigger and harder to understand/overview, but hopefully now it will give a more predictable outcome.

I never tested the entire script, only different sections, so I hope there are no typos... if anyone finds any, please let me know.

Perhaps it's a good idea to destroy your ipset and test-run the script beforehand to see that they get restored properly (and check that there are no complaints from the shell).
 
You would need to turn on IP forwarding on your Windows machine in order for it to pass packets between networks:
https://www.google.se/amp/s/www.wikihow.com/Enable-IP-Routing-on-Windows-10?amp=1

But that alone would not be enough. You would also need to add a route on the router of the Windows machine's LAN, telling it that your other LAN is via the Windows machine.

Edit: @evlo did a similar setup with a Linux machine behind the router and managed to set up site-to-site. Perhaps he has more input.
https://www.snbforums.com/threads/session-manager-discussion-3rd-thread.78317/post-780728
Thanks for the reply. Unfortunately, I don't have access to the router, I'll have a read through that thread and see what I can do.
 
OK, will try; please advise where I can find your script?
Had some time today to test the nat-start script and found a couple of typos. I also added a variable for you to choose the storage location:
Code:
#!/bin/sh
############################################################
# required for serialization when reentry is possible
LOCK="/tmp/$(basename $0).lock"
# mkdir is atomic, so only one instance can create the lock directory;
# POSIX sh has no "&>", so stdout and stderr are redirected separately
acquire_lock() { while ! mkdir "$LOCK" >/dev/null 2>&1; do sleep 2; done; }
release_lock() { rmdir "$LOCK" >/dev/null 2>&1; }
exit_0() { release_lock; exit 0; } # exit (any concurrent instance(s) may now run)
############################################################
acquire_lock # one instance at a time
logger -t "$(basename $0)" "Started"

##
## Put existing nat-start directives here
##

IPSET_LIST="unblockip" # list of ipsets to restore
DIR="/mnt/sda1/entware/home" # directory where the ipset backups are stored
MAX_TRIES=30 # retries to find the USB drive, once per second, [MAX_TRIES] times


## Normally nothing needs to be changed below ##
TRIES="0"
while [ "$TRIES" -lt "$MAX_TRIES" ]; do
    if [ -d "$DIR" ]; then
        for IPSET_NAME in $IPSET_LIST; do
            if [ "$(ipset list -n "$IPSET_NAME" 2>/dev/null)" != "$IPSET_NAME" ]; then # if ipset does not already exist
                if [ -s "$DIR/$IPSET_NAME" ]; then # if a backup file exists
                    ipset restore -! <"$DIR/$IPSET_NAME" # restore ipset
                    cru a "$IPSET_NAME" "0 2 * * * ipset save $IPSET_NAME > $DIR/$IPSET_NAME" >/dev/null 2>&1 # create cron job for autosave
                    logger -t "$(basename $0)" "IPSET restored: $IPSET_NAME"
                fi
            fi
        done
        break
    else
        sleep 1
        TRIES=$((TRIES + 1))
        if [ "$TRIES" -eq "$MAX_TRIES" ]; then
            logger -t "$(basename $0)" "Warning: Failed to detect mounted USB-Drive within $MAX_TRIES seconds! IPSET not restored!"
        fi
    fi
done
############################################################
logger -t "$(basename $0)" "Completed [$@]"
exit_0
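As an added illustration (not code from the thread, from @eibgrad, or from WireGuard Manager): the mkdir-based lock and the bounded USB-wait from the script above, reworked into a stand-alone demo that runs on any POSIX shell. It adds an EXIT trap so an instance that dies before reaching exit_0 cannot leave a stale lock that blocks every later run, and it checks that two concurrent instances really execute one after the other. The lock path, log file and helper names are assumptions constructed for the demo; logger, cru and ipset are replaced by plain file writes.

```shell
#!/bin/sh
# Added demo (not from the thread): the mkdir lock of the nat-start wrapper
# above, a bounded wait for the backup directory, and an EXIT trap so a run
# that dies before exit_0 leaves no stale lock. Lock path, log file and helper
# names are constructed for the demo; logger, cru and ipset become file writes.
LOCK="/tmp/natstart-demo.$$.lock"
LOGF="/tmp/natstart-demo.$$.log"
acquire_lock() {
    # mkdir is atomic, so exactly one concurrent instance wins.
    while ! mkdir "$LOCK" 2>/dev/null; do sleep 1; done
    trap 'rmdir "$LOCK" 2>/dev/null' EXIT   # release on every exit path
    trap 'exit 1' HUP TERM                  # so a kill also reaches EXIT
}
release_lock() { rmdir "$LOCK" 2>/dev/null; trap - EXIT HUP TERM; }
# Poll once a second for DIR (the USB mount point in the thread):
# 0 as soon as it exists, 1 after MAX_TRIES polls.
wait_for_dir() {
    dir=$1; max=$2; tries=0
    while [ "$tries" -lt "$max" ]; do
        [ -d "$dir" ] && return 0
        sleep 1; tries=$((tries + 1))
    done
    return 1
}

# Stand-in for one nat-start run: a critical section that must not
# overlap with another instance's.
worker() {
    acquire_lock
    echo "start $1" >>"$LOGF"; sleep 1; echo "end $1" >>"$LOGF"
    release_lock
}
# Two instances started at once; returns 0 only if their records
# never interleave (start X, end X, start Y, end Y).
serialized_demo() {
    : >"$LOGF"
    ( worker A ) & ( worker B ) &
    wait
    l1=$(sed -n 1p "$LOGF"); l2=$(sed -n 2p "$LOGF")
    l3=$(sed -n 3p "$LOGF"); l4=$(sed -n 4p "$LOGF")
    [ "$(wc -l <"$LOGF" | tr -d ' ')" -eq 4 ] &&
        [ "${l1#start }" = "${l2#end }" ] && [ "${l3#start }" = "${l4#end }" ]
}
# A run that fails after taking the lock (never reaching release_lock)
# must still leave no lock directory behind.
failed_run_releases_lock() {
    ( acquire_lock; exit 1 ) || true
    [ ! -d "$LOCK" ]
}

if serialized_demo; then echo "serialization: ok"; else echo "serialization: INTERLEAVED"; fi
if failed_run_releases_lock; then echo "trap cleanup: ok"; else echo "trap cleanup: STALE LOCK"; fi
wait_for_dir "/nonexistent-$$" 2 || echo "wait_for_dir: gave up after 2 tries (expected)"
rm -f "$LOGF"
```

The same pattern drops into the real nat-start by replacing the worker body with the ipset restore loop and keeping exit_0 as the normal exit.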
 
Thx, I'll try this.
 
Are these the latest available kernel and tools?

Code:
 getmodules

        Downloading WireGuard® Kernel module 'wireguard-kernel_1.0.20220627-RT-AC86U_aarch64-3.10.ipk' for RT-AC86U (v386.7_2) @ZebMcKayhan
Success!

        Downloading WireGuard® User space Tool 'wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk' for RT-AC86U (v386.7_2) @ZebMcKayhan
Success!
 
Why don't you check the release page from the Wireguard team:
Kernel modules:
https://git.zx2c4.com/wireguard-linux-compat/

User-space tools:
https://git.zx2c4.com/wireguard-tools/
 
I've updated the section about creating ipsets:
https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#create-and-setup-ipsets
And moved the script to a separate file and execute it in the post-mount script, so it will run each boot after the USB drive is mounted.

According to https://www.snbforums.com/threads/push-syslog-msg-from-nat-start.81332/ there is still a chance that, if you are using scribe, some initial syslog messages might be lost. However, the setup works well on my router.
 
