Wireguard Session Manager (4th) thread

chongnt · Nov 8, 2022

I had internet outage yesterday. Upon service restored, I was not able to dial-in remotely and noticed some iptables rules are missing. I have to restart wg server to get it working again. Is this expected?

This is the rules after WAN disconnect/reconnect:

Code:

admin@RT-AC86U-DBA8:/jffs/addons/wireguard/Scripts# iptables -vnL FORWARD | grep wg
    0     0 WGM_ACL_F  all  --  wg+    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard ACL */

This is the rules after manually restart wg22:

Code:

admin@RT-AC86U-DBA8:/jffs/addons/wireguard/Scripts# iptables -vnL FORWARD | grep wg
    0     0 ACCEPT     all  --  wg22   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server clients' to LAN */
    0     0 WGM_ACL_F  all  --  wg+    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard ACL */
    0     0 ACCEPT     all  --  br0    wg22    0.0.0.0/0            0.0.0.0/0            /* LAN to WireGuard 'server clients' */
    0     0 ACCEPT     all  --  wg22   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

Martineau · Nov 8, 2022

chongnt said:
I had internet outage yesterday. Upon service restored, I was not able to dial-in remotely and noticed some iptables rules are missing. I have to restart wg server to get it working again. Is this expected?

This is the rules after WAN disconnect/reconnect:

Code:

admin@RT-AC86U-DBA8:/jffs/addons/wireguard/Scripts# iptables -vnL FORWARD | grep wg 0 0 WGM_ACL_F all -- wg+ * 0.0.0.0/0 0.0.0.0/0 /* Wireguard ACL */

This is the rules after manually restart wg22:

Code:

admin@RT-AC86U-DBA8:/jffs/addons/wireguard/Scripts# iptables -vnL FORWARD | grep wg 0 0 ACCEPT all -- wg22 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server clients' to LAN */ 0 0 WGM_ACL_F all -- wg+ * 0.0.0.0/0 0.0.0.0/0 /* Wireguard ACL */ 0 0 ACCEPT all -- br0 wg22 0.0.0.0/0 0.0.0.0/0 /* LAN to WireGuard 'server clients' */ 0 0 ACCEPT all -- wg22 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */

As a quick'n'dirty test...

Pulling WAN cable...

Code:

Nov  8 13:20:16 RT-AX86U kernel: eth0 (Int switch port: 3) (Logical Port: 3) (phyId: c) Link DOWN.
Nov  8 13:20:16 RT-AX86U kernel: ===> Activate Deep Green Mode
Nov  8 13:20:16 RT-AX86U kernel: bcmswlpbk0 (Ext switch port: 8) (Logical Port: 8) Virtual link DOWN
Nov  8 13:20:22 RT-AX86U WAN_Connection: WAN(0) link down.

then reinserting.... to see the effects on my wg21 server

Code:

Nov  8 13:21:57 RT-AX86U WAN_Connection: WAN(0) link up.

Nov  8 13:21:57 RT-AX86U rc_service: wanduck 1435:notify_rc restart_wan_if 0
Nov  8 13:21:57 RT-AX86U custom_script: Running /jffs/scripts/service-event (args: restart wan_if)
Nov  8 13:21:57 RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 stopping)
Nov  8 13:21:57 RT-AX86U ovpn-server1[2933]: event_wait : Interrupted system call (code=4)
Nov  8 13:21:57 RT-AX86U ovpn-server1[2933]: Closing TUN/TAP interface
Nov  8 13:21:57 RT-AX86U ovpn-server1[2933]: /usr/sbin/ip addr del dev tun21 10.8.0.1/24
Nov  8 13:21:57 RT-AX86U ovpn-server1[2933]: ovpn-down 1 server tun21 1500 1621 10.8.0.1 255.255.255.0 init
Nov  8 13:21:57 RT-AX86U ovpn-server1[2933]: PLUGIN_CLOSE: /usr/lib/openvpn-plugin-auth-pam.so
Nov  8 13:21:57 RT-AX86U ovpn-server1[2933]: PLUGIN AUTH-PAM: Error signaling background process to exit: Connection refused (errno=111)
Nov  8 13:21:57 RT-AX86U ovpn-server1[2933]: SIGTERM[hard,] received, process exiting
Nov  8 13:21:57 RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 disconnected)
Nov  8 13:21:57 RT-AX86U dnsmasq[3121]: read /etc/ hosts - 6 addresses
Nov  8 13:21:57 RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 stopped)
Nov  8 13:21:57 RT-AX86U dnsmasq[3121]: using nameserver 192.168.0.1#53 for domain Home
Nov  8 13:21:57 RT-AX86U dnsmasq[3121]: using nameserver 192.168.0.1#53
Nov  8 13:21:57 RT-AX86U dnsmasq[3121]: using only locally-known addresses for domain Testing.lan
Nov  8 13:21:57 RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 stopped)
Nov  8 13:21:57 RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 init)
Nov  8 13:21:57 RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 connecting)
Nov  8 13:21:57 RT-AX86U custom_script: Running /jffs/scripts/service-event-end (args: restart wan_if)
Nov  8 13:21:57 RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 disconnected)
Nov  8 13:21:57 RT-AX86U dnsmasq[3121]: read /etc/ hosts - 6 addresses
Nov  8 13:21:57 RT-AX86U dnsmasq[3121]: using only locally-known addresses for domain Testing.lan
Nov  8 13:21:57 RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 stopped)
Nov  8 13:22:01 RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 connected)
Nov  8 13:22:01 RT-AX86U custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Nov  8 13:22:01 RT-AX86U dnsmasq[3121]: read /etc/ hosts - 6 addresses
Nov  8 13:22:01 RT-AX86U dnsmasq[3121]: using nameserver 192.168.0.1#53 for domain Home
Nov  8 13:22:01 RT-AX86U dnsmasq[3121]: using nameserver 192.168.0.1#53
Nov  8 13:22:01 RT-AX86U dnsmasq[3121]: using only locally-known addresses for domain Testing.lan
Nov  8 13:22:01 RT-AX86U (wg_firewall): 4410 Checking if WireGuard® VPN Peer KILL-Switch is required.....
Nov  8 13:22:01 RT-AX86U (wg_firewall): 4410 Restarting WireGuard® to reinstate RPDB/firewall rules
Nov  8 13:22:01 RT-AX86U wan: finish adding multi routes
Nov  8 13:22:01 RT-AX86U vpndirector: Routing ALL to WG1 from 192.168.55.0/24 to any through wgc1
Nov  8 13:22:01 RT-AX86U (wg_manager.sh): 4440 v4.19b4 Requesting WireGuard® VPN Peer stop (wg21)
Nov  8 13:22:01 RT-AX86U dnsmasq[3121]: read /etc/ hosts - 6 addresses
Nov  8 13:22:01 RT-AX86U dnsmasq[3121]: using nameserver 192.168.0.1#53 for domain Home
Nov  8 13:22:01 RT-AX86U dnsmasq[3121]: using nameserver 192.168.0.1#53
Nov  8 13:22:01 RT-AX86U dnsmasq[3121]: using only locally-known addresses for domain Testing.lan
Nov  8 13:22:01 RT-AX86U (wg_manager.sh): 4440 v4.19b4 Requesting termination of WireGuard® VPN 'server' Peer ('wg21')
Nov  8 13:22:01 RT-AX86U WireGuard: Stopping client 1.
Nov  8 13:22:01 RT-AX86U vpndirector: Routing ALL to WG1 from 192.168.55.0/24 to any through wgc1
Nov  8 13:22:01 RT-AX86U wireguard: Forcing 192.168.55.0/24 to use DNS server 1.1.1.1 for WGC1
Nov  8 13:22:01 RT-AX86U dnsmasq[3121]: read /etc/ hosts - 6 addresses
Nov  8 13:22:01 RT-AX86U dnsmasq[3121]: using nameserver 192.168.0.1#53 for domain Home
Nov  8 13:22:01 RT-AX86U dnsmasq[3121]: using nameserver 192.168.0.1#53
Nov  8 13:22:01 RT-AX86U dnsmasq[3121]: using only locally-known addresses for domain Testing.lan
Nov  8 13:22:01 RT-AX86U WireGuard: Starting client 1.
Nov  8 13:22:01 RT-AX86U miniupnpd[2882]: shutting down MiniUPnPd
Nov  8 13:22:01 RT-AX86U wg_manager-serverwg21: WireGuard® VPN 'server' Peer (wg21) on 10.50.1.1:51820 Terminated

Nov  8 13:22:02 RT-AX86U (wg_manager.sh): 4440 Broadcom Packet Flow Cache learning via BLOG (Flow Cache) ENABLED

Nov  8 13:22:02 RT-AX86U (wg_manager.sh): 5013 v4.19b4 Requesting WireGuard® VPN Peer start (wg21)
Nov  8 13:22:02 RT-AX86U (wg_manager.sh): 5013 v4.19b4 Initialising Wireguard® VPN 'server' Peer (wg21)
Nov  8 13:22:02 RT-AX86U wg_manager-serverwg21: Initialising WireGuard® VPN 'Server' Peer (wg21) on 10.50.1.1:51820

Nov  8 13:22:02 RT-AX86U WAN_Connection: WAN was restored.

and my server wg21 was automatically bounced/restarted when the WAN was restored.

So although I have added a few minor cosmetic wg_manager v4.19b4 tweaks for Firmware v388.1Beta, providing your server (wg22) has auto=y then the server should be restarted by script '/jffs/addons/wireguard/wg_firewall to fully reinstate the necessary firewall rules.

chongnt · Nov 8, 2022

Martineau said:
As a quick'n'dirty test...

and my server wg21 was automatically bounced/restarted when the WAN was restored.

So although I have added a few minor cosmetic wg_manager v4.19b4 tweaks for Firmware v388.1Beta, providing your server (wg22) has auto=y then the server should be restarted by script '/jffs/addons/wireguard/wg_firewall to fully reinstate the necessary firewall rules.

Thanks @Martineau for testing it out.
I retest again too, here is what I observed:
1. Once WAN is down, the rules are still intact.

Code:

Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:00
Tue Nov  8 22:55:00 MYT 2022
    0     0 ACCEPT     all  --  wg22   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server clients' to LAN */
    0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server clients' to LAN */
    0     0 WGM_ACL_F  all  --  wg+    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard ACL */
    0     0 ACCEPT     all  --  br0    wg22    0.0.0.0/0            0.0.0.0/0            /* LAN to WireGuard 'server clients' */
    0     0 ACCEPT     all  --  wg22   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
    0     0 ACCEPT     all  --  br0    wg21    0.0.0.0/0            0.0.0.0/0            /* LAN to WireGuard 'server clients' */
    0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

2. When WAN is started again, the rules are cleared.

Code:

Nov  8 22:55:00 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/wan-event (args: 0 connected)
Nov  8 22:55:00 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/wan-start (args: 0)
Nov  8 22:55:00 RT-AC86U-DBA8 wan-event: Started [0 connected]
Nov  8 22:55:00 RT-AC86U-DBA8 wan-start: Started [0]
Nov  8 22:55:00 RT-AC86U-DBA8 (wan-event): 534126 Script not defined for wan-event: wan0-connected
Nov  8 22:55:00 RT-AC86U-DBA8 wan-start: Completed [0]
Nov  8 22:55:00 RT-AC86U-DBA8 wan-event: Completed [0 connected]
Nov  8 22:55:00 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/nat-start
Nov  8 22:55:00 RT-AC86U-DBA8 nat-start: Started []
Nov  8 22:55:00 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
Nov  8 22:55:00 RT-AC86U-DBA8 firewall-start: Started [ppp0]

Code:

Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:01
Tue Nov  8 22:55:01 MYT 2022
Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:02
Tue Nov  8 22:55:02 MYT 2022
Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:03
Tue Nov  8 22:55:03 MYT 2022
Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:04
Tue Nov  8 22:55:04 MYT 2022
Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:05
Tue Nov  8 22:55:05 MYT 2022
Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:06
Tue Nov  8 22:55:06 MYT 2022

3. wg21 started, rules added
Nov 8 22:55:07 RT-AC86U-DBA8 wg21-up.sh: Executing Event:wgvpn-server wg21 up

Code:

Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:07
Tue Nov  8 22:55:07 MYT 2022
    0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server clients' to LAN */
    0     0 WGM_ACL_F  all  --  wg+    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard ACL */
    0     0 ACCEPT     all  --  br0    wg21    0.0.0.0/0            0.0.0.0/0            /* LAN to WireGuard 'server clients' */
    0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

4. wg22 started, rules started
Nov 8 22:55:07 RT-AC86U-DBA8 wg22-up.sh: Executing Event:wgvpn-server wg22 up

Code:

Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:08
Tue Nov  8 22:55:08 MYT 2022
    0     0 ACCEPT     all  --  wg22   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server clients' to LAN */
    0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server clients' to LAN */
    0     0 WGM_ACL_F  all  --  wg+    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard ACL */
    0     0 ACCEPT     all  --  br0    wg22    0.0.0.0/0            0.0.0.0/0            /* LAN to WireGuard 'server clients' */
    0     0 ACCEPT     all  --  wg22   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
    0     0 ACCEPT     all  --  br0    wg21    0.0.0.0/0            0.0.0.0/0            /* LAN to WireGuard 'server clients' */
    0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

Everything is good until this point. All rules are restored properly.

However, the next second, all the rules get wiped. A few more seconds later, one rule is added.

Code:

Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:09
Tue Nov  8 22:55:09 MYT 2022
Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:10
Tue Nov  8 22:55:10 MYT 2022
Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:11
Tue Nov  8 22:55:11 MYT 2022
    0     0 WGM_ACL_F  all  --  wg+    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard ACL */
Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:12
Tue Nov  8 22:55:12 MYT 2022
    0     0 WGM_ACL_F  all  --  wg+    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard ACL */
Every 1s: clear; date;  iptables -vnL FORWARD | grep wg                                                                                                     2022-11-08 22:55:13
Tue Nov  8 22:55:13 MYT 2022
    0     0 WGM_ACL_F  all  --  wg+    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard ACL */

Something happened around this time that cleared the rules.

Code:

Nov  8 22:55:07 RT-AC86U-DBA8 wg22-up.sh: Executing Event:wgvpn-server wg22 up
Nov  8 22:55:07 RT-AC86U-DBA8 wg_manager-serverwg22: Initialisation complete.
Nov  8 22:55:07 RT-AC86U-DBA8 wgvpn-server: WireGuard VPN Server 2 coming up ...
Nov  8 22:55:08 RT-AC86U-DBA8 (wg_manager.sh): 537778 v4.19b3 Initialising Wireguard® VPN 'client' Peer (wg11)
Nov  8 22:55:08 RT-AC86U-DBA8 wg_manager-clientwg11: Initialising WireGuard® VPN client Peer (wg11) in Policy Mode to x.x.x.x:51820 (# NordLynx xx 'client' (wg11))
Nov  8 22:55:08 RT-AC86U-DBA8 wg_manager-clientwg11: Adding WireGuard 'client' Peer route 192.168.1.251 through VPN 'client' Peer wg11
Nov  8 22:55:08 RT-AC86U-DBA8 wg_manager-clientwg11: Executing Event:wg11-up.sh
Nov  8 22:55:08 RT-AC86U-DBA8 wg11-up.sh: Executing Event:wgvpn-client wg11 up
Nov  8 22:55:08 RT-AC86U-DBA8 wgvpn-client: WireGuard VPN Client 1 coming up ...
Nov  8 22:55:08 RT-AC86U-DBA8 wg_manager-clientwg11: Initialisation complete.
Nov  8 22:55:09 RT-AC86U-DBA8 (wg_manager.sh): 537778 v4.19b3 Initialising Wireguard® VPN 'client' Peer (wg12)
Nov  8 22:55:09 RT-AC86U-DBA8 wg_manager-clientwg12: Initialising WireGuard® VPN client Peer (wg12) in Policy Mode to xx.xxx.xxx.xxx:51820 (# NordLynx xxx 'client' (wg12))
Nov  8 22:55:09 RT-AC86U-DBA8 wg_manager-clientwg12: Adding WireGuard 'client' Peer route 192.168.1.252 through VPN 'client' Peer wg12
Nov  8 22:55:09 RT-AC86U-DBA8 wg_manager-clientwg12: Executing Event:wg12-up.sh
Nov  8 22:55:09 RT-AC86U-DBA8 wg12-up.sh: Executing Event:wgvpn-client wg12 up
Nov  8 22:55:09 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/nat-start
Nov  8 22:55:09 RT-AC86U-DBA8 wgvpn-client: WireGuard VPN Client 2 coming up ...
Nov  8 22:55:09 RT-AC86U-DBA8 nat-start: Started []
Nov  8 22:55:09 RT-AC86U-DBA8 nat-start: Add ip rule 9880 for main routing table
Nov  8 22:55:09 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
Nov  8 22:55:09 RT-AC86U-DBA8 firewall-start: [ppp0] already run
Nov  8 22:55:09 RT-AC86U-DBA8 nat-start: Route IPSET beINSports through WAN
Nov  8 22:55:09 RT-AC86U-DBA8 zcip_client: configured 169.254.236.60
Nov  8 22:55:09 RT-AC86U-DBA8 nat-start: Route IPSET Netflix through WAN
Nov  8 22:55:10 RT-AC86U-DBA8 wg_manager-clientwg12: Initialisation complete.

chongnt · Nov 8, 2022

I think I know what happened. I added lock file to prevent firewall-start script re-run during startup. There was no problem during reboot or power cycle.
in this case, firewall-start run twice but the second run was blocked because the first run is not completed and lock file is not deleted at that time. I think the rules will be restored if firewall-start script is run again.

Code:

Nov  8 22:55:00 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
Nov  8 22:55:00 RT-AC86U-DBA8 firewall-start: Started [ppp0]
Nov  8 22:55:09 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
Nov  8 22:55:09 RT-AC86U-DBA8 firewall-start: [ppp0] already run
Nov  8 22:55:54 RT-AC86U-DBA8 firewall-start: Completed [ppp0]

Update: It works after remove the lock file. I put back the lock and added a 3 sec delay in firewall-start script. It seems to to work well during reboot, power cycle, and WAN disconnect/reconnect scenario.

ZebMcKayhan · Nov 8, 2022

chongnt said:
in this case, firewall-start run twice but the second run was blocked because the first run is not completed and lock file is not deleted at that time.

So, was it some script error preventing the completion of firewall-start or just some issue with the lock-file removal part?

chongnt · Nov 8, 2022

ZebMcKayhan said:
So, was it some script error preventing the completion of firewall-start or just some issue with the lock-file removal part?

The issue is I don't know what is calling firewall-start.

. The lock file part is working as expected. I simply stop it from duplicate run concurrently.
I think the event sequence and timing is causing this behavior. When I remove the lock-file and simulate WAN disconnect/reconnect, firewall-start script will run twice. I can see wg connection come up, go down then up again. This works but I don't like to see such flap. Now I put back the lock-file and added 3 sec delay in firewall-start. All works fine without flap. Perhaps another alternative is use INITDELAY in WireguardVPN.conf.

juanantonio · Nov 9, 2022

Good night everyone.
I don't know if this is the correct thread to post my problem. In this case, feel free to move it.
Yesterday, I suffered from some type of corruption on my USB drive, which is hosting Entware and Wireguard Manager.
I unplugged it and ran e2fsck on my Debian Linux. After that, I tried to run my Wireguad Client with no luck. The error message I am receiving is as follows:

Code:

E:Option ==> start wg11

        Requesting WireGuard® VPN Peer start (wg11)

sqlite3: error while loading shared libraries: libsqlite3.so.0: wrong ELF class: ELFCLASS32
sqlite3: error while loading shared libraries: libsqlite3.so.0: wrong ELF class: ELFCLASS32
sqlite3: error while loading shared libraries: libsqlite3.so.0: wrong ELF class: ELFCLASS32
sqlite3: error while loading shared libraries: libsqlite3.so.0: wrong ELF class: ELFCLASS32
sqlite3: error while loading shared libraries: libsqlite3.so.0: wrong ELF class: ELFCLASS32
sqlite3: error while loading shared libraries: libsqlite3.so.0: wrong ELF class: ELFCLASS32

        ***ERROR: WireGuard 'client' doesn't have a LOCAL IP Address! - try 'peer wg11 ip=xxx.xxx.xxx.xxx/32'?


        WireGuard® ACTIVE Peer Status: Clients 0, Servers 0

Can someone help me, please? Thanks in advance.

Edit: Solved it myself, installing libsqlite3 and libedit with opkg

Bash:

opkg install libsqlite3
opkg install libedit

Edit: Well, I talked a little bit soon. Now I'm having this error:

Code:

Error: stepping, database disk image is malformed (11)

ZebMcKayhan · Nov 9, 2022

juanantonio said:
Good night everyone.
I don't know if this is the correct thread to post my problem. In this case, feel free to move it.
Yesterday, I suffered from some type of corruption on my USB drive, which is hosting Entware and Wireguard Manager.
I unplugged it and ran e2fsck on my Debian Linux. After that, I tried to run my Wireguad Client with no luck. The error message I am receiving is as follows:

Code:

E:Option ==> start wg11 Requesting WireGuard® VPN Peer start (wg11) sqlite3: error while loading shared libraries: libsqlite3.so.0: wrong ELF class: ELFCLASS32 sqlite3: error while loading shared libraries: libsqlite3.so.0: wrong ELF class: ELFCLASS32 sqlite3: error while loading shared libraries: libsqlite3.so.0: wrong ELF class: ELFCLASS32 sqlite3: error while loading shared libraries: libsqlite3.so.0: wrong ELF class: ELFCLASS32 sqlite3: error while loading shared libraries: libsqlite3.so.0: wrong ELF class: ELFCLASS32 sqlite3: error while loading shared libraries: libsqlite3.so.0: wrong ELF class: ELFCLASS32 ***ERROR: WireGuard 'client' doesn't have a LOCAL IP Address! - try 'peer wg11 ip=xxx.xxx.xxx.xxx/32'? WireGuard® ACTIVE Peer Status: Clients 0, Servers 0

Can someone help me, please? Thanks in advance.

Perhaps time for a new usb drive and a fresh reinstall of everything?

If you would like to try to get this working try to remove and re-install sqlite3:

Code:

opkg remove sqlite3-cli
opkg install sqlite3-cli

But if your drive is damaged who knows what else is broken....

archiel · Nov 11, 2022

@Martineau @ZebMcKayhan Just upgraded to 388.1beta1. Everything went fine, only observation is that I am now using the default Wireguard Module, not the updated versions - possibly they will need to be updated to work with 388

Before

After
[✔] Entware Architecture arch=aarch64

v4.19b3 WireGuard® Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
MD5=6a21afc0337d8593ad8dd197800700d9 /jffs/addons/wireguard/wg_manager.sh

v4.17.9 (wg_client)
v4.17.1 (wg_server)

[✔] WireGuard® Kernel module/User Space Tools included in Firmware (1.0.20210124)

[✔] DNSmasq is listening on ALL WireGuard® interfaces 'wg*'

As I am running dual stack on the router, lan and Wireguard clients I am sticking with WGM as it seems far more configurable than using VPN Director.

ZebMcKayhan · Nov 11, 2022

archiel said:
@Martineau @ZebMcKayhan Just upgraded to 388.1beta1. Everything went fine, only observation is that I am now using the default Wireguard Module, not the updated versions - possibly they will need to be updated to work with 388

Before
View attachment 45376
After
[✔] Entware Architecture arch=aarch64

v4.19b3 WireGuard® Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
MD5=6a21afc0337d8593ad8dd197800700d9 /jffs/addons/wireguard/wg_manager.sh

v4.17.9 (wg_client)
v4.17.1 (wg_server)

[✔] WireGuard® Kernel module/User Space Tools included in Firmware (1.0.20210124)

[✔] DNSmasq is listening on ALL WireGuard® interfaces 'wg*'

As I am running dual stack on the router, lan and Wireguard clients I am sticking with WGM as it seems far more configurable than using VPN Director.

Have you checked vx so that Entware modules are still enabled?

What happens if you run loadmodules???

archiel · Nov 11, 2022

ZebMcKayhan said:
Have you checked vx so that Entware modules are still enabled?

What happens if you run loadmodules???

Solved - Thank you. Although wireguardVPN.conf had

# For Routers that include WireGuard Kernel/User Space tools, allow overriding with supported 3rd-Party/Entware versions
# Use command 'vx' to edit this setting.
USE_ENTWARE_KERNEL_MODULE

I needed to run

Code:

loadmodules

and after completing

Code:

Requesting WireGuard® VPN Peer stop (wg21 wg12 wg11)

Code:

Initialising WireGuard® module 'wireguard-kernel'
Installing wireguard-kernel (1.0.20220627-RT-AX88U) to root...
Configuring wireguard-kernel.
Initialising WireGuard® module 'wireguard-tools'
Installing wireguard-tools (1.0.20210914-1) to root...
Configuring wireguard-tools.

and now running

? = About Configuration

I can see

Code:

[✔] WireGuard® Module LOADED Sat Nov 12 00:14:51 GMT 2022

MD5=70a85a1bed5f6313add595e2a95423c4 wireguard-kernel_1.0.20220627-RT-AX88U_aarch64-3.10.ipk
MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

So need to note that after a dirty upgrade

Code:

loadmodules

needs to be re-run.

ZebMcKayhan · Nov 12, 2022

archiel said:

Solved - Thank you. Although wireguardVPN.conf had

I needed to run

Code:

loadmodules

and after completing

Code:

Requesting WireGuard® VPN Peer stop (wg21 wg12 wg11)

Code:

Initialising WireGuard® module 'wireguard-kernel'
Installing wireguard-kernel (1.0.20220627-RT-AX88U) to root...
Configuring wireguard-kernel.
Initialising WireGuard® module 'wireguard-tools'
Installing wireguard-tools (1.0.20210914-1) to root...
Configuring wireguard-tools.

and now running

I can see

Code:

[✔] WireGuard® Module LOADED Sat Nov 12 00:14:51 GMT 2022

MD5=70a85a1bed5f6313add595e2a95423c4 wireguard-kernel_1.0.20220627-RT-AX88U_aarch64-3.10.ipk
MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

So need to note that after a dirty upgrade

Code:

loadmodules

needs to be re-run.

Great! But after reboot are you back on firmware modules?

archiel · Nov 12, 2022

ZebMcKayhan said:
Great! But after reboot are you back on firmware modules?

Yes, and still on modules after upgrade this morning to 388 beta2, so it may just be an issue for the version jump (386 to 388).

juanantonio · Nov 23, 2022

ZebMcKayhan said:
Perhaps time for a new usb drive and a fresh reinstall of everything?

If you would like to try to get this working try to remove and re-install sqlite3:

Code:

opkg remove sqlite3-cli opkg install sqlite3-cli

But if your drive is damaged who knows what else is broken....

Well, I did as @ZebMcKayhan said and replaced my USB stick for a new brand one.
I've spent last few days as expected, without issues, but now I'e encountered a problem.
My goal is to run a Wireguard server with passthru so my clients will be redirected to my VPN provider.
The problem is that server runs fine, I can connect all my clients, but at the moment I connect my client to VPN provider so the passthru have effect, my clients stop connecting to my server.
Can someone help me, please? I have tried many things, with no luck.
Thanks in advance.

ZebMcKayhan · Nov 23, 2022

juanantonio said:
Well, I did as @ZebMcKayhan said and replaced my USB stick for a new brand one.
I've spent last few days as expected, without issues, but now I'e encountered a problem.
My goal is to run a Wireguard server with passthru so my clients will be redirected to my VPN provider.
The problem is that server runs fine, I can connect all my clients, but at the moment I connect my client to VPN provider so the passthru have effect, my clients stop connecting to my server.
Can someone help me, please? I have tried many things, with no luck.
Thanks in advance.

Wireguard server cannot be used with an internet client set in Auto=Y (Route ALL) mode simply because the Wireguard tunnel would be shifted over your VPN client while you try to connect over WAN:
https://github.com/ZebMcKayhan/WireguardManager#default-or-policy-routing

To resolv, change your client (wg11?) to policy mode, and if wanted, put your entire network as a policy rule to route all clients through vpn. Then both server and client and passthru works:
https://github.com/ZebMcKayhan/WireguardManager#create-rules-in-wgm
i.e.:

Code:

E:Option ==> stop wg11
E:Option ==> peer wg11 rule add vpn 192.168.1.0/24 comment All LAN to VPN
E:Option ==> peer wg11 auto=P
E:Option ==> start wg11

(change your LAN ip if it's not 192.168.1.x)

juanantonio · Nov 23, 2022

ZebMcKayhan said:
Wireguard server cannot be used with an internet client set in Auto=Y (Route ALL) mode simply because the Wireguard tunnel would be shifted over your VPN client while you try to connect over WAN:
https://github.com/ZebMcKayhan/WireguardManager#default-or-policy-routing

To resolv, change your client (wg11?) to policy mode, and if wanted, put your entire network as a policy rule to route all clients through vpn. Then both server and client and passthru works:
https://github.com/ZebMcKayhan/WireguardManager#create-rules-in-wgm
i.e.:

Code:

E:Option ==> stop wg11 E:Option ==> peer wg11 rule add vpn 192.168.1.0/24 comment All LAN to VPN E:Option ==> peer wg11 auto=P E:Option ==> start wg11

(change your LAN ip if it's not 192.168.1.x)

It worked!
Thank you once more, @ZebMcKayhan.

Novice321 · Nov 24, 2022

Im having trouble importing the Torguard config file for WireGuard into the client peer Asus router Web interface. When I import the config file the data doesn't upload but I can literally see the data. I tried a hard reboot and reset/reinstall still nothing. I cant add the data manually either.

ZebMcKayhan · Nov 24, 2022

Novice321 said:
Im having trouble importing the Torguard config file for WireGuard into the client peer Asus router Web interface. When I import the config file the data doesn't upload but I can literally see the data. I tried a hard reboot and reset/reinstall still nothing. I cant add the data manually either.

Try using ssh instead. It may not work but it may give you some clues as to what is going on. for convenience you could copy-paste the info in the config into i.e nano and save it in /opt/etc/wireguard.d/torguard.conf

Then import it in wgm cli:
https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#import-client

Martineau · Nov 25, 2022

Novice321 said:
Im having trouble importing the Torguard config file for WireGuard into the client peer Asus router Web interface. When I import the config file the data doesn't upload but I can literally see the data. I tried a hard reboot and reset/reinstall still nothing. I cant add the data manually either.

Rightly or wrongly, the GUI import is a two-step process...it will read the chosen config file, and display its content in the GUI for a visual confirmation, then you need to click the the IMPORT button.

If you have already done this, then there is probably an error shown in the Web Browser (F12) console?

ZebMcKayhan · Nov 26, 2022

silicon101 said:
***ERROR: Router RT-AC68W (v386.7_2) is not currently compatible with WireGuard®!

Didnt you say RT-AC86W? Then why is it reporting itself as RT-AC68W??

Thread starter	Title	Forum	Replies	Date
	chatai - version two - have a chat session with either Googles Gemini AI or Anthropics Claude (or both at once)	Asuswrt-Merlin AddOns	4	Jul 26, 2024
	New Addon - ChatAI - have a chat session with Googles Gemini AI Bot	Asuswrt-Merlin AddOns	2	Apr 9, 2024
D	Solved How do I remove WG Manager from amtm without resetting amtm?	Asuswrt-Merlin AddOns	2	Jun 13, 2024

Wireguard Session Manager (4th) thread

Very Senior Member

Part of the Furniture

Very Senior Member

Very Senior Member

Very Senior Member

Very Senior Member

Regular Contributor

Very Senior Member

Very Senior Member

Very Senior Member

Very Senior Member

Very Senior Member

Very Senior Member

Regular Contributor

Very Senior Member

Regular Contributor

New Around Here

Very Senior Member

Part of the Furniture

Very Senior Member

Similar threads

Similar threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest