What's new

Wireguard Session Manager (4th) thread

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Regarding the iptables, should I add that to the wg11-down? And remove in up?
No... in that case it would probably not do any good.

Just start withexecuting the rule at the prompt and test it by enable and disable wg peer and check connection.

When it works,
Either you put it in
/jffs/scripts/firewall-start
That would probably easiest and sure to be working as you want. But then the rule will always be there. So even if you uninstall wgm the rule will still be there.

Or you tweak the rule wgm puts in inside
/jffs/addons/wireguard/wg_firewall
But this could be more work to figure out if this is enough, I think I saw the rule applied wg_manager.sh as well, so there may be more places needed.
 
No... in that case it would probably not do any good.

Just start withexecuting the rule at the prompt and test it by enable and disable wg peer and check connection.

When it works,
Either you put it in
/jffs/scripts/firewall-start
That would probably easiest and sure to be working as you want. But then the rule will always be there. So even if you uninstall wgm the rule will still be there.

Or you tweak the rule wgm puts in inside
/jffs/addons/wireguard/wg_firewall
But this could be more work to figure out if this is enough, I think I saw the rule applied wg_manager.sh as well, so there may be more places needed.

Quick update, this works well!
 
Hello everyone, I have a ROG GT-AX6000 (388.4 Merlin Wrt Version) router and setup:
1. Entware - https://gist.github.com/1951FDG/3cada1211df8a59a95a8a71db6310299
2. Wireguard Session Manager - https://github.com/MartineauUK/wireguard

When I start a config from Wireguard Manager, I can ping my server via local IP address, but all traffic goes through WAN connection.
I've tested the config on the Windows client, and with the default Merlin GUI Wireguard Client, both work fine.

Can anyone guide me on what I'm doing wrong?

Wg config:
Code:
[Interface]
PrivateKey = <key>
Address = 10.10.10.1/24
DNS = 1.1.1.1, 1.0.0.1
MTU = 1280


[Peer]
PublicKey = <key>
AllowedIPs = 0.0.0.0/0
Endpoint = ip:port
PersistentKeepalive = 25

Iptables output:
Code:
iptables -vnL FORWARD | grep wg
0     0 WGM_ACL_F  all  --  wg+    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard ACL */
 
Last edited:
Hello everyone, I have a ROG GT-AX6000 (388.4 Merlin Wrt Version) router and setup:
1. Entware - https://gist.github.com/1951FDG/3cada1211df8a59a95a8a71db6310299
2. Wireguard Session Manager - https://github.com/MartineauUK/wireguard

When I start a config from Wireguard Manager, I can ping my server via local IP address, but all traffic goes through WAN connection.
I've tested the config on the Windows client, and with the default Merlin GUI Wireguard Client, both work fine.

Can anyone guide me on what I'm doing wrong?

Wg config:
Code:
[Interface]
Address = 10.10.10.1/24
DNS = 1.1.1.1, 1.0.0.1
MTU = 1280


[Peer]
PublicKey = <key>
AllowedIPs = 0.0.0.0/0
Endpoint = ip:port
PersistentKeepalive = 25

Iptables output:
Code:
iptables -vnL FORWARD | grep wg
0     0 WGM_ACL_F  all  --  wg+    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard ACL */
Did you setup the peer in policy mode and created rules?

https://github.com/ZebMcKayhan/WireguardManager#default-or-policy-routing
 
Now config started in auto=Y mode
Also I've tried to start with rules and auto=P mode. Same WAN IP address when checking my connection.
Does wgm report the client as started? Was there any error messages when it was started? Did your config import generate any errors?

The config you show are missing "PrivateKey = " argument. Did you remove this?
 
Does wgm report the client as started? Was there any error messages when it was started? Did your config import generate any errors?

The config you show are missing "PrivateKey = " argument. Did you remove this?
Sorry, has remove by mistake when copy to forum.
PrivateKey = <key>

No error message when started, neither when import config.
Code:
wg_manager-clientwg11: Initializing Wireguard VPN 'client' Peer (wg11) to server_ip:port (# N/A) DNS=1.1.1.1,1.0.0.1
wg_manager-clientwg11: Initialization complete.

Wireguard ACTIVE Peer Status: Clients 1, Servers 0
 
Sorry, has remove by mistake when copy to forum.


No error message when started, neither when import config.
Code:
wg_manager-clientwg11: Initializing Wireguard VPN 'client' Peer (wg11) to server_ip:port (# N/A) DNS=1.1.1.1,1.0.0.1
wg_manager-clientwg11: Initialization complete.

Wireguard ACTIVE Peer Status: Clients 1, Servers 0
Hmm. How does the import look in wgm:
Code:
E:Option ==> peer wg11
Redact any keys/public ips.

Check if there are any routing rules in your system overriding main routing table:
Code:
ip rule

Finally check so wgm adds the default route in main routing table:
Code:
ip route show table main
Mask any public ips appropriately before posting.
 
Hmm. How does the import look in wgm:
Redact any keys/public ips.

Check if there are any routing rules in your system overriding main routing table:
Code:
ip rule

Finally check so wgm adds the default route in main routing table:
Code:
ip route show table main
Mask any public ips appropriately before posting.
Code:
E:Option ==> peer wg11

Client  Auto  IP             Endpoint        DNS              MTU   Annotate
wg11    Y     10.10.10.1/24  server_ip:port  1.1.1.1,1.0.0.1  1280  # N/A

    Selective Routing RPDB rules
ID  Peer  Interface  Source           Destination  Description
1   wg11  VPN        192.168.51.1/24  Any          All T VPN

     WireGuard® ACTIVE Peer Status: Clients 1, Servers 0

Code:
ip rule

0:    from all lookup local
32766:    from all lookup main
32767:    from all lookup default

Code:
ip route show table main

default via 192.168.8.1 dev usb0
10.10.10.0/24 dev wg11 proto kernel scope link src 10.10.10.1
<wg_server_public_ip> via 192.168.8.1 dev usb0
127.0.0.0/8 dev lo scope link
192.168.8.0/24 dev usb0 proto kernel scope link src 192.168.8.163
192.168.8.1 dev usb0 proto kernel scope link
192.168.51.0/24 dev br0 proto kernel scope link src 192.168.51.1
 
Code:
E:Option ==> peer wg11

Client  Auto  IP             Endpoint        DNS              MTU   Annotate
wg11    Y     10.10.10.1/24  server_ip:port  1.1.1.1,1.0.0.1  1280  # N/A

    Selective Routing RPDB rules
ID  Peer  Interface  Source           Destination  Description
1   wg11  VPN        192.168.51.1/24  Any          All T VPN

     WireGuard® ACTIVE Peer Status: Clients 1, Servers 0

Code:
ip rule

0:    from all lookup local
32766:    from all lookup main
32767:    from all lookup default

Code:
ip route show table main

default via 192.168.8.1 dev usb0
10.10.10.0/24 dev wg11 proto kernel scope link src 10.10.10.1
<wg_server_public_ip> via 192.168.8.1 dev usb0
127.0.0.0/8 dev lo scope link
192.168.8.0/24 dev usb0 proto kernel scope link src 192.168.8.163
192.168.8.1 dev usb0 proto kernel scope link
192.168.51.0/24 dev br0 proto kernel scope link src 192.168.51.1
Yep, looks like wgm is not adding the routes in the main table... must have been some problems when wgm imported your config, probably the AllowedIPs didnt import right, but its just a guess.

I wonder if this works for you:
Stop the client in wgm first.
Then:
Code:
E:Option ==> peer wg11 allowedips=0.0.0.0/0
Start the client again.
 
Still no routes after updating allowed IPs.

Code:
E:Option ==> peer wg11 config

    'client' Peer wg11 Configuration Detail

[Interface]
Address=10.10.10.1/24
PrivateKey=<key>
MTU=1280
DNS=1.1.1.1, 1.0.0.1

[Peer]
PublicKey=<key>
AllowedIPS=0.0.0.0/0
#Endpoint=127.0.0.1:3333
Endpoint=server_ip:port
PersistentKeepalive=25
 
Last edited:
Still no routes after updating allowed IPs.
Yep, I checked the script source and it looks at the .conf file to determine to add routes. We only changed in the sql database. Take a look at you active config file /opt/etc/wireguard.d/wg11.conf
And pay attention to the AllowedIPs line. Look if there are any extra character or anything.

The script source executes something like this:
Code:
awk '/^AllowedIPs/ {print $0}' /opt/etc/wireguard.d/wg11.conf | grep -oF "0.0.0.0/0"
And expects an output of "0.0.0.0/0". Could you test this outside of wgm and see what it returns?
 
Line
Code:
AllowedIPS=0.0.0.0/0
has been changed to
Code:
AllowedIPs=0.0.0.0/0

And now it's work just fine. Thank you!!!
Great!
Wierd that it had a capital S, was it like this when you recieved the config file? Or did wgm or you change this? I thought most wg implementations were more picky than this. Perhaps we will see more of this in the future if other implementations allows this.
 
Great!
Wierd that it had a capital S, was it like this when you recieved the config file? Or did wgm or you change this? I thought most wg implementations were more picky than this. Perhaps we will see more of this in the future if other implementations allows this.
Yes, I guess it was in config at first time. And for Wireguard Windows and Merling GUI Client it wasn't a problem =)
 
My router is in Double NAT due to needing a modem with VoIP. The modem is also located down stairs and is wired to the router.
I have a NUc that updates my domain with the Modems public ip address.

I was wondering without installing Wireguard Manager which I found the WebGui was odd... (I couldn't work out how to add clients etc) if I can update the DDNS on the router with the domain name so that when I setup a Wireguard client from the WG server it will use the DDNS domain name as opposed to the LAN address?

Cloudflare is what I am using currently.

If I use Wireguard manager, is there a way to download the conf through the GUI?

Any help would be great!
 
if I can update the DDNS on the router with the domain name so that when I setup a Wireguard client from the WG server it will use the DDNS domain name as opposed to the LAN address?
The only reason for wgm needing to know this is to be able to create the client config files. If no ddns is found it will ask you for it. Atleast if you do it from the CLI

If I use Wireguard manager, is there a way to download the conf through the GUI?
I dont know. But the client config is just a text file. If you ssh into your router you could just, for example MyPhone client:
Code:
cat /opt/etc/wireguard.d/MyPhone.conf
Then copy this info into notepad and save it. Make sure to not get any extra line-breaks or anything.
 
In wgm status, there is a green checkmark at "WebUI Addon Enabled". Where can I find this? There is nothing in the VPN section.
EDIT: already found - there is an "addons" section at the end of the left menu.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top