Wireguard Session Manager (4th) thread

I can't remember, but you might need to enable it from the wgm CLI:
Code:
E:Option ==> www mount

It should appear under the Addons tab in the GUI.
It worked, but that's new for me. Last time I installed it, the GUI was on by default.

Thanks anyway.

ps

Without the GUI, the menu shows the line:
Code:
?  = About Configuration (WebUI http://://router_ip:/)

and with it:
Code:
?  = About Configuration (WebUI http://://router_ip:/user9.asp)
 
Does anyone know how I can update/replace the private key for my client peer?
As you are asking this question, I assume you don't want to delete your old peer and import the new one, as that would be the most straightforward way.

The keys exist in 2 places.

Mostly, the config used for running the peer will be in:
Code:
/opt/etc/wireguard.d/wg11.conf
for wg11.

But wgm also keeps it in its SQL database:
Code:
/opt/etc/wireguard.d/WireGuard.db
The SQL database is mainly used by wgm when setting up everything around the peer (firewall rules, policy rules etc.).

You can try to stop the peer, exit wgm and update the keys in the config file, e.g.:
Code:
nano /opt/etc/wireguard.d/wg11.conf
But I'm not sure whether wgm will notice the mismatch and throw some errors; in that case you may need to update the SQL database as well.

I have sometimes copied the SQL database to my Android phone and used "SQLite Editor" to update it, then put it back, and it works well; it's well structured, so it's obvious what to change and where.
You should probably stop all peers and exit wgm before doing this, and make a safety copy of the database before you start changing it.
 
Thanks for your explanation. Yes, I don't want to delete the peer and re-import the config to it. The wg config from my service provider is valid for only 2 hours each time; once the wg tunnel needs to reconnect after that, I need to obtain a new private key. So I want to update just the private key of the peer config and keep all the others the same.

I've tried to update /opt/etc/wireguard.d/wg11.conf, but no luck. So I assume the SQL DB should be updated as well. I'm going to find some tools to open the SQL DB.
 
The wg config from my service provider is valid for only 2 hours each time; once the wg tunnel needs to reconnect after that, I need to obtain a new private key.
Ouch, 2h!
I would be concerned about all the hassle I would need to go through to get it working so I would probably not use it.
Perhaps it's worth your time to write a script that updates both wg11.conf and the SQL database (and possibly retrieves a new config file) as a cron job every 2h.
All the bits and pieces about changes to the files are already in the wgm script.

I really thought it would be enough with wg11.conf. Out of curiosity, what error message did you get?
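A worked version of the script suggested in the post above, covering both places the earlier answer identifies (the peer .conf and WireGuard.db). It is an added example, not wgm's own code and not any poster's setup. It assumes the thread's paths (/opt/etc/wireguard.d/wg11.conf and WireGuard.db), and for the database part it assumes a table named clients with columns peer and pri_key; that schema is an assumption, so check it with `sqlite3 /opt/etc/wireguard.d/WireGuard.db .schema` before running it. The script refuses anything that is not a 32-byte key (44 base64 characters ending in "="), never logs the key, and parses both the `PrivateKey=` form used in wg11.conf and the `PrivateKey = ` form printed by `wg showconf`, so the same function can confirm after a restart that the kernel really took the new key.

```shell
#!/bin/sh
# Added example (not wgm's own code): rotate a wgm client peer's private key
# in both places the thread identifies, the peer .conf and WireGuard.db.
# ASSUMPTIONS to verify on your router first:
#   - DB schema: table "clients" with columns "peer" and "pri_key"
#     (check with: sqlite3 /opt/etc/wireguard.d/WireGuard.db .schema)
#   - the sqlite3 CLI is installed (opkg install sqlite3-cli)
# Usage: sh rotate_wg_key.sh wg11 'NEW_PRIVATE_KEY='   |   sh rotate_wg_key.sh verify wg11
set -u

WG_DIR="${WG_DIR:-/opt/etc/wireguard.d}"
DB="${WG_DB:-$WG_DIR/WireGuard.db}"

# A WireGuard key is 32 raw bytes, so its base64 form is 44 chars ending in '='.
valid_key() {
    k="$1"
    [ "${#k}" -eq 44 ] || return 1
    case "$k" in *=) ;; *) return 1 ;; esac
    n=$(printf '%s' "$k" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Print the PrivateKey value from a .conf file or from `wg showconf` output.
# Handles both "PrivateKey=..." (wgm style) and "PrivateKey = ..." (wg style).
key_in_conf() {
    sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]'
}

# Replace the PrivateKey line in place, keeping a .bak copy. '|' is the sed
# delimiter because base64 keys contain '/' and '+'. The key is never echoed.
update_conf_key() {
    conf="$1"; new="$2"
    valid_key "$new" || { echo "refusing: malformed key (expected 44 base64 chars = 32 bytes)" >&2; return 1; }
    grep -q '^[[:space:]]*PrivateKey[[:space:]]*=' "$conf" || { echo "no PrivateKey in $conf" >&2; return 1; }
    cp "$conf" "$conf.bak"
    sed -i "s|^\([[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*\).*|\1$new|" "$conf"
    [ "$(key_in_conf "$conf")" = "$new" ]
}

# Update the same key in wgm's database (ASSUMED schema, see header) and verify.
# The key was validated as pure base64 above, so it is safe inside the literal.
update_db_key() {
    peer="$1"; new="$2"
    cp "$DB" "$DB.bak"
    sqlite3 "$DB" "UPDATE clients SET pri_key='$new' WHERE peer='$peer';"
    [ "$(sqlite3 "$DB" "SELECT pri_key FROM clients WHERE peer='$peer';")" = "$new" ]
}

# After restarting the peer, confirm the kernel uses the key from the file.
running_key_matches() {
    peer="$1"
    tmp=$(mktemp)
    wg showconf "$peer" > "$tmp"
    running=$(key_in_conf "$tmp"); rm -f "$tmp"
    [ "$running" = "$(key_in_conf "$WG_DIR/$peer.conf")" ]
}

rotate() {
    peer="$1"; new="$2"
    case "$peer" in wg[0-9][0-9]) ;; *) echo "peer must look like wg11" >&2; return 1 ;; esac
    update_conf_key "$WG_DIR/$peer.conf" "$new" || return 1
    update_db_key "$peer" "$new" || return 1
    echo "key rotated for $peer; stop/start the peer in wgm, then run: sh $0 verify $peer"
}

case "${1:-}" in
    verify) running_key_matches "${2:-wg11}" && echo "running key matches ${2:-wg11}.conf" ;;
    wg*)    rotate "$1" "${2:-}" ;;
    *)      : ;;
esac
```

Run it with all peers stopped and wgm exited, as advised above, then start the peer and run the verify mode; `wg showconf wg11` still showing the old key means wgm regenerated its /tmp copy from somewhere you did not update. This is the piece a cron job (cru on Asuswrt-Merlin) would call; fetching the new key from the provider is provider-specific and not shown.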
 
Sorry for not expressing myself clearly: the key is valid for 2h for connecting; once connected, it will persistently keep alive until the link breaks and a new key is needed to rebuild the connection.

Update:
I tried to update both wg11.conf and the SQL DB, but unfortunately it is not working as expected. The symptom is 0 bytes transferred.

I have decided to use the Asus GUI WireGuard for now and try to do more troubleshooting when I have time later.

thanks again for your concern about my issue.
 
I tried to update both wg11.conf and the SQL DB, but unfortunately it is not working as expected. The symptom is 0 bytes transferred.
That's weird. Are you sure everything turned out correctly?
I know that wgm "builds" a new config, which is basically wg11.conf with the stuff that WireGuard itself does not handle (like DNS and others) removed, and runs it from /tmp. I did not check whether it recreates it on start if it already exists.

When your updated peer is running you could run directly in shell:
Code:
wg showconf wg11

It will output the config it's currently using. Compare your keys: are they still the old keys?
 
Yes, it's really the new key, but transfer is 0.
I think something must have gone wrong during my update steps, but I don't know what it is.

[Interface]
ListenPort = 33922
PrivateKey = xxx <-- new key

[Peer]
PublicKey = XvfaTRG0IMezPQNzNvtW4Vn2T2RTEijsR1NhoM0XPmc=
AllowedIPs = 0.0.0.0/0
Endpoint = 149.88.98.226:51820
PersistentKeepalive = 21

But transfer is 0:

interface: wg11 EndPoint=149.88.98.226:51820 172.21.4.129 # N/A
peer: XvfaTRG0IMezPQNzNvtW4Vn2T2RTEijsR1NhoM0XPmc=
transfer: 0 B received, 888 B sent 0 Days, 00:00:30 since Thu Oct 10 16:11:27 2024 >>>>>>

WireGuard® ACTIVE Peer Status: Clients 1, Servers 0
ASUS GUI Peers: Clients 3, Servers 0



Checked wg11.conf again:
admin@asuswifi:/tmp/home/root# cat /opt/etc/wireguard.d/wg11.conf
[Interface]
PrivateKey=xxx <- same new key
Address=172.21.4.129
DNS=149.88.98.225,149.88.98.227
[Peer]
PublicKey=XvfaTRG0IMezPQNzNvtW4Vn2T2RTEijsR1NhoM0XPmc=
AllowedIPs=0.0.0.0/0
Endpoint=sx0320108-wg.pointtoserver.com:51820
PersistentKeepalive=21
admin@asuswifi:/tmp/home/root#
 
You basically only need the keys and endpoint:port for the handshakes to work. Could this new config not be active? You can test it on your phone/computer to be sure.
Did you check that the Endpoint and/or port didn't change?

It's either that or some error in editing, a missing character or something.
 
I found the issue: it was caused by a VPN Director rule conflicting with wgm; it works when I disable all rules.
 

Attachment: Snipaste_2024-10-10_18-11-48.png
Yeah, putting everything (0.0.0.0/0) through the VPN is troublesome, and doing it twice is probably just a bad idea.

Put your LAN subnet there instead, but exclude the router IP. You should remove your Interface rules, as they have no purpose. Also, you need to exclude the router LAN IP if you ever want to use the kill switch.
Like:
Local IP: 192.168.1.1, interface: WAN
Local IP: 192.168.1.0/24, interface: wgc1

You could duplicate the last rule for OVPN, but you should only have 1 active if you want to decide the VPN interface; otherwise your router decides.
 
Hello.
A few days ago I set up a WireGuard connection with my VPS WireGuard server. The connection is OK, but I can't get inside my local network from the WireGuard tunnel. I use this tunnel to connect my 2 networks in different locations. So there is a VPS with a WireGuard server and two routers, one with OpenWRT (works OK) and the second an RT-AC86U with 382.14_2 RMerlin. I can ping my VPS and OpenWRT from this Asus. I don't have a public IP.
Could someone help with setting this up?
My Asus is 192.168.100.x and 10.9.0.2 in WireGuard
VPS 192.168.1.x and 10.9.0.1 in WireGuard
OpenWRT 192.168.11.x and 10.9.0.3 in WireGuard

When I turn off the firewall in the Asus, I can ping it from the WireGuard tunnel.

BTW, this GUI addon isn't working?
 

Attachment: Zrzut ekranu (26).png
You would need to provide a lot more information about all the peer configs if we are going to help you.

Specifically how did you set this up in wgm?
This is how I did it, but it's only for roaming devices via the VPS to the router:
https://github.com/ZebMcKayhan/Wire...ov-file#setup-private-server-via-cloud-server
But changes would be needed to peer AllowedIPs if more networks are reachable via VPS.
 
Specifically how did you set this up in wgm?

I just imported this file into wgm:


Code:
# mikrus
[Interface]
PrivateKey = My_key ;)
Address = 10.9.0.2/24
ListenPort = 21296

[Peer]
# mikrus
PublicKey = My_key ;)
AllowedIPs = 10.9.0.0/24,192.168.11.0/24,192.168.8.0/24
PersistentKeepalive = 25
Endpoint = fxxxxxxx.us:21296
# mikrus end

Now I have:
Code:
admin@RT-AC86U-97C0:/tmp/home/root# wg
interface: wg11
  public key: My_key ;)
  private key: (hidden)
  listening port: 21296

peer: My_key ;)
  endpoint: 6x.x.x.x9:21296
  allowed ips: 10.9.0.0/24, 192.168.11.0/24, 192.168.8.0/24
  latest handshake: 42 seconds ago. (sec:42)
  transfer: 73.48 KiB received, 73.08 KiB sent
  persistent keepalive: every 25 seconds
admin@RT-AC86U-97C0:/tmp/home/root#

Code:
E:Option ==> 3

        interface: wg11  EndPoint=6x.x.x.x9:21296                   10.9.0.2/24             # mikrus
                peer: My_key ;)
                 latest handshake: 23 seconds ago. (sec:23)
                 transfer: 86.39 KiB received, 85.88 KiB sent           0 Days, 00:08:26 since Fri Feb 21 19:38:34 2025 >>>>>>

        WireGuard® ACTIVE Peer Status: Clients 1, Servers 0

What more do you need?
10.9.0.x is my VPN
192.168.11.x is my OpenWRT router
192.168.8.x is my LTE modem connected to OpenWRT router
This part works well. I can connect to them from my phone or PC using the WireGuard app (tunnel?).
 
I used a server peer for this in wgm. While it's messier to set up, it will automatically set it up more properly.

If you imported this as a client, you will have to:
1. Manually open the firewall with iptables for incoming connections from wg11.
2. Remove output IP masquerading via iptables.

And these should be added in /jffs/addons/wireguard/Scripts/wg11-up.sh and removed in /jffs/addons/wireguard/Scripts/wg11-down.sh.

Would you need help to formulate the rules?
 
Yes, please. I'm a total noob at this.
You can try to execute these directly at the shell prompt (exit wgm and amtm) when wg11 is up and running:

Rule to allow incoming connections on wg11 to the router itself:
Code:
iptables -I INPUT -i wg11 -j ACCEPT

Rule to allow incoming connections on wg11 to the LAN:
Code:
iptables -I FORWARD -i wg11 -j ACCEPT
Delete the masquerade rule:
Code:
iptables -t nat -D POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg11 -j MASQUERADE -m comment --comment "WireGuard 'client'"

Successful execution should not give any output. Do all commands work without an error message?

After you have executed these, does your access work? Note: if you restart wg11, you may need to re-remove the last rule.

If all works as you want, we can look into having them automatically executed when the peer starts/stops.
 
It works quite well using the router IP 192.168.100.1, and it is OK for me, but I can't connect using the IP 10.9.0.2. This isn't important for me.
I would like to execute them automatically if you could help.
 
If you are attempting to access the router GUI, it will never work using the router's wg address; it only listens on the LAN IP.

To make the rules auto-apply at boot or on peer restart:
Exit wgm and amtm.
Edit/create the file wgm executes when wg11 starts:
Code:
nano /jffs/addons/wireguard/Scripts/wg11-up.sh
Paste in:
Code:
#!/bin/sh
# Run by wgm when wg11 comes up: accept traffic from the tunnel to the router
# itself and to the LAN (inserted only if not already present, so a peer
# restart does not stack duplicates), then remove the MASQUERADE rule wgm
# adds for "client" peers.
iptables -C INPUT -i wg11 -j ACCEPT 2>/dev/null || iptables -I INPUT -i wg11 -j ACCEPT
iptables -C FORWARD -i wg11 -j ACCEPT 2>/dev/null || iptables -I FORWARD -i wg11 -j ACCEPT
iptables -t nat -D POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg11 -j MASQUERADE -m comment --comment "WireGuard 'client'"
Save and exit the nano editor (Ctrl+X, Y, Enter).
Make the file executable:
Code:
chmod +x /jffs/addons/wireguard/Scripts/wg11-up.sh
Edit/create the file wgm executes when stopping wg11:
Code:
nano /jffs/addons/wireguard/Scripts/wg11-down.sh
Paste in the content:
Code:
#!/bin/sh
# Run by wgm when wg11 is stopped: remove the two rules wg11-up.sh inserted.
iptables -D INPUT -i wg11 -j ACCEPT
iptables -D FORWARD -i wg11 -j ACCEPT

Save and exit nano.

Make it executable:
Code:
chmod +x /jffs/addons/wireguard/Scripts/wg11-down.sh

That should be it!
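The wg11-up.sh / wg11-down.sh pair above opens wg11 completely (`-i wg11 -j ACCEPT`), which also admits anything the VPS or any other peer routes into the tunnel. An added example, not wgm's code and not any poster's, of a tighter version for this site-to-site case: it accepts only the three remote networks from the imported config, only towards the LAN, and checks with `iptables -C` before inserting, so a peer restart never stacks duplicate rules and the down path has exactly one of each to remove. The interface and remote subnets are taken from the thread; the LAN subnet is a placeholder for `$(nvram get lan_ipaddr)/24` on the router, and the file path in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not wgm's own code): a least-privilege variant of the
# wg11-up.sh / wg11-down.sh rules from this thread. Instead of accepting
# everything that arrives on wg11, it accepts only the remote networks listed in
# the peer's AllowedIPs, and only towards the LAN, and it uses "iptables -C"
# so re-running on a peer restart never stacks duplicate rules.
# ASSUMPTIONS (from the thread; override via environment): interface wg11,
# remote networks 10.9.0.0/24 192.168.11.0/24 192.168.8.0/24, LAN 192.168.100.0/24.
# Usage: sh wg11-fw.sh up|down|show      (IPT=echo for a dry run)

IFACE="${IFACE:-wg11}"
REMOTE_NETS="${REMOTE_NETS:-10.9.0.0/24 192.168.11.0/24 192.168.8.0/24}"
LAN_NET="${LAN_NET:-192.168.100.0/24}"   # on the router: "$(nvram get lan_ipaddr)/24"
IPT="${IPT:-iptables}"

# One rule spec per line, without the -I/-D/-C verb, so the same list drives
# insert, delete and existence check.
rule_specs() {
    for net in $REMOTE_NETS; do
        echo "INPUT -i $IFACE -s $net -j ACCEPT"                 # remote site -> router itself
        echo "FORWARD -i $IFACE -s $net -d $LAN_NET -j ACCEPT"   # remote site -> our LAN
    done
    # replies to connections our LAN opened towards the remote sites
    echo "FORWARD -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules this script manages: 2 per remote network + 1 state rule.
rule_count() { rule_specs | wc -l | tr -d ' '; }

fw_up() {
    rule_specs | while read -r spec; do
        # word splitting of $spec is intended: it carries the whole rule
        $IPT -C $spec 2>/dev/null || $IPT -I $spec
    done
    # wgm adds this MASQUERADE for "client" peers; a site-to-site link must not
    # NAT the LAN, or the remote sites only ever see the tunnel address for
    # connections opened from here.
    $IPT -t nat -D POSTROUTING -s "$LAN_NET" -o "$IFACE" -j MASQUERADE \
        -m comment --comment "WireGuard 'client'" 2>/dev/null || true
}

fw_down() {
    rule_specs | while read -r spec; do
        $IPT -D $spec 2>/dev/null || true
    done
}

case "${1:-}" in
    up)   fw_up ;;
    down) fw_down ;;
    show) rule_specs ;;
    *)    : ;;
esac
```

Saved as /jffs/addons/wireguard/Scripts/wg11-fw.sh (assumed path), it is called with `sh .../wg11-fw.sh up` from wg11-up.sh and with `down` from wg11-down.sh; `iptables -S INPUT | grep wg11` and `iptables -S FORWARD | grep wg11` show what is actually in place, and `IPT=echo sh wg11-fw.sh up` prints the commands without touching the firewall. Adding a fourth remote site is then one more entry in REMOTE_NETS rather than a wider rule.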
 
