Wireguard Session Manager (4th) thread

I want to give a big thanks to @Martineau for the creation and support of wgm and to @ZebMcKayhan for all his detailed instructions on his GitHub! I really wanted to figure out how to use dnsmasq to automatically allow a few sites to bypass my VPN; I was sick of manually hunting for and adding IPs of blocked sites to the routing table every other day. The problem was that I am a noob with networking and would not have been able to figure any of this out on my own. For example, I had never even heard of IPSETs and FWMarks before using wgm and reading these Session Manager threads. But after re-reading Zeb's instructions many times it started to click. I got it working and I've been using dnsmasq with IPSETs for a couple of weeks now and it's all working beautifully. It's so nice not to be messing with IPs now; it's the simple things that make me happy, lol.
 
Solved - Thank you. Although wireguardVPN.conf had

I needed to run
Code:
loadmodules
and after completing
Code:
Requesting WireGuard® VPN Peer stop (wg21 wg12 wg11)
Code:
Initialising WireGuard® module 'wireguard-kernel'
Installing wireguard-kernel (1.0.20220627-RT-AX88U) to root...
Configuring wireguard-kernel.
Initialising WireGuard® module 'wireguard-tools'
Installing wireguard-tools (1.0.20210914-1) to root...
Configuring wireguard-tools.
and now running

I can see
Code:
[✔] WireGuard® Module LOADED Sat Nov 12 00:14:51 GMT 2022

MD5=70a85a1bed5f6313add595e2a95423c4 wireguard-kernel_1.0.20220627-RT-AX88U_aarch64-3.10.ipk
MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

So, note that after a dirty upgrade
Code:
loadmodules
needs to be re-run.
Sorry, I'm running Wireguard Manager on my RT-AX86U and I have no modules loaded.
What's the difference between having kernel modules loaded or not?
Thanks.
 
If WireGuard is working you most certainly have WireGuard kernel modules loaded, but you are probably running on the ones compiled into the firmware. I've managed to compile the latest released one from the WireGuard team for the RT-AC86U and RT-AX88U. This is what @archiel is running.

Sadly I never managed to do it for the RT-AX86U. After spending maybe 100 h on it I just gave up. The firmware compiles just fine, but some symlink or something is missing in the kernel build folder, causing the kernel module build to fail. I likely won't attempt it anymore unless someone expresses their need for it while at the same time offering their help in resolving the issue.

I don't know if updated kernel modules have any impact on anything. Checking the changelogs, there are mostly compatibility-related changes.
 
Well, last month I loaded kernel modules and it resulted in a complete corruption of Wireguard Manager. I had to reinstall and configure it from scratch.
I don't know yet if it was caused by a faulty USB stick, which I replaced, or by some compatibility issue between my RT-AX86U and the WireGuard kernel modules, but for now I will keep to the firmware modules.
Thanks for your quick reply.
 
Since I switched to Wireguard Manager (instead of OpenVPN), Unbound barely gets to block any ads; they mostly all go through. I used to have over a 98% ad-blocking hit rate previously.
What did I forget to enable, link, configure?
 
https://github.com/ZebMcKayhan/WireguardManager#why-is-diversion-not-working-for-wg-clients

Bottom line: WireGuard changes the DNS lookup to the DNS in the WireGuard config. If you want to use Unbound (or any other local DNS) you need to set the WireGuard DNS to the router IP.
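The point above in concrete form, as an added example (not code from the thread, from wgm or from Wireguard Manager's own scripts): a client config as downloaded from a provider, whose DNS line sends lookups to the provider's resolver and so around Unbound, beside the same config with DNS pointed at the router, plus a small check that flags the first form. The router LAN IP, both configs, the provider address and the endpoint name are constructed for the example.

```sh
#!/bin/sh
# Added example (not wgm code, not from the post above): show the DNS line
# that decides whether a WireGuard client's lookups reach Unbound on the
# router, and a check that flags a config whose DNS bypasses it.
# ROUTER_LAN_IP and both configs are constructed for the example.

ROUTER_LAN_IP="192.168.1.1"

# Constructed "as downloaded from the VPN provider" config: DNS points at the
# provider's resolver, so every lookup from this peer skips Unbound/Diversion.
WG_CONF_PROVIDER='[Interface]
PrivateKey = <redacted>
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820'

# Same config with DNS pointed at the router (the fix the reply describes).
WG_CONF_FIXED=$(printf '%s\n' "$WG_CONF_PROVIDER" | sed "s/^DNS = .*/DNS = $ROUTER_LAN_IP/")

# Print each DNS server listed in the [Interface] section, one per line.
wg_conf_dns() {
    printf '%s\n' "$1" |
        sed -n '/^\[Interface\]/,/^\[Peer\]/p' |
        grep -i '^[[:space:]]*DNS[[:space:]]*=' |
        sed 's/^[^=]*=//' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d'
}

# Exit 0 when every DNS entry is the router; 1 when any entry is elsewhere or
# none is set (WireGuard then leaves the client on whatever resolver it had).
dns_goes_via_router() {
    dns_list=$(wg_conf_dns "$1")
    [ -n "$dns_list" ] || return 1
    for d in $dns_list; do
        [ "$d" = "$ROUTER_LAN_IP" ] || return 1
    done
    return 0
}

report() {  # $1 = label, $2 = config text
    if dns_goes_via_router "$2"; then
        echo "$1: DNS $(wg_conf_dns "$2" | tr '\n' ' ')-> router; Unbound sees the queries"
    else
        echo "$1: DNS $(wg_conf_dns "$2" | tr '\n' ' ')-> not the router; Unbound is bypassed"
    fi
}

report provider "$WG_CONF_PROVIDER"
report fixed    "$WG_CONF_FIXED"
```

Run it against a real client file with `dns_goes_via_router "$(cat wg11.conf)"` after setting ROUTER_LAN_IP; note that a config with no DNS line at all also fails the check, since the client then keeps whatever resolver it had outside the tunnel.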
 
Hi, I need advice on iptables (I think). I successfully created a site-to-site mesh network using the guide from this forum. Below is the topology:

SiteA: wgIP 10.60.1.1 LAN 192.168.1.0/24
SiteB: wgIP 10.60.1.2 LAN 192.168.2.0/24
SiteC: wgIP 10.60.1.3 LAN 192.168.3.0/24

If I'm in the siteA network, I am able to access the devices in siteB and siteC, and vice versa.
Then I created another wg client in siteA with wgIP 10.60.1.4, which I am using on my phone.

When I connect to siteA through wg on my phone while outside, I am only able to access the devices behind siteA's IP address, but not siteB and siteC.
May I know how to access siteB and siteC IP addresses while I am connected to siteA using WireGuard? I think it has to do with iptables. I already tried several commands by trial and error but still cannot get it to work.

Thanks for the help
 
Is your mesh really a mesh or a star topology?

Did you set it up so that there is only one wg peer at each site?

What does your phone config file look like (redact any keys and mask IP/DDNS)?

Most likely you need to put your added phone wg IP (10.60.1.4) on the list of AllowedIPs on siteB and siteC. But if you run a star topology this could be simpler, so it will work even for newly added devices.
 

Yes, it is working by adding the wg IP. Based on your advice, I added AllowedIPs as per the attached file. Thanks again.
 

Attachments

  • s2s setting.txt
Thanks for sharing your setup; this is the first time I've heard of someone using a mesh topology. Really cool that it's working!

When adding road-warrior devices like this I guess it could be played two ways. Either the road-warrior device could participate in the full mesh and connect to all other sites, but this would mean that the new peer would need to be added to all other sites.

I think the way you did it, by connecting roaming devices to a dedicated site, is the way to do it. But what you are doing is creating a star topology from one of the mesh devices. This setup allows for a little more flexibility when it comes to configuration. For example, instead of adding 10.60.1.5/32 to siteA's AllowedIPs on siteB and siteC you could add a larger range, say 10.60.1.16/28.
This includes IPs 10.60.1.16 - 10.60.1.32; then you could add more roaming devices to siteA without the need to update AllowedIPs on the other sites. Just make sure to keep the added devices within this IP range. Of course larger ranges like 10.60.1.32/27 (10.60.1.32 - 10.60.1.63) or 10.60.1.64/26 (10.60.1.64 - 10.60.1.127) or 10.60.1.128/25 (10.60.1.128 - 10.60.1.254) work also.
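A check on the prefixes quoted above, added here as an example (not code from the thread or from wgm): it computes the first and last address each /28, /27, /26 and /25 actually covers, and tests whether a roaming peer's address falls inside the AllowedIPs that siteB and siteC hold for the siteA peer. That test is the one that matters, because WireGuard's cryptokey routing discards any packet arriving from a peer whose AllowedIPs do not cover the packet's source address. The addresses are the ones from the posts above; the siteA AllowedIPs line is constructed.

```sh
#!/bin/sh
# Added example (not from the thread or wgm): work out which addresses an
# AllowedIPs prefix covers and whether a roaming peer's address is inside it.
# The prefixes are the ones quoted in the post above; SITEA_ALLOWED is constructed.

ALL_ONES=4294967295   # 0xFFFFFFFF, kept decimal for portability across shells

ip2int() (            # dotted quad -> 32-bit integer (subshell keeps IFS local)
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

int2ip() {            # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

netmask() {           # prefix length -> mask as integer
    echo $(( (ALL_ONES << (32 - $1)) & ALL_ONES ))
}

# "10.60.1.16/28" -> "10.60.1.16 10.60.1.31": first and last address in the prefix
cidr_range() {
    ip=${1%/*}; len=${1#*/}
    mask=$(netmask "$len")
    net=$(( $(ip2int "$ip") & mask ))
    echo "$(int2ip "$net") $(int2ip $(( net | (~mask & ALL_ONES) )))"
}

# exit 0 if address $1 lies inside prefix $2 (a bare address counts as /32)
in_cidr() {
    case $2 in */*) cidr=$2 ;; *) cidr="$2/32" ;; esac
    mask=$(netmask "${cidr#*/}")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${cidr%/*}") & mask )) ]
}

# exit 0 if any entry of a comma-separated AllowedIPs value covers address $1
allowed_ips_cover() {
    for p in $(echo "$2" | tr ',' ' '); do
        in_cidr "$1" "$p" && return 0
    done
    return 1
}

for p in 10.60.1.16/28 10.60.1.32/27 10.60.1.64/26 10.60.1.128/25; do
    range=$(cidr_range "$p")
    echo "$p covers ${range% *} - ${range#* }"
done

# Constructed: what siteB/siteC would hold for the siteA peer with a /28 roaming range.
SITEA_ALLOWED="10.60.1.1/32, 192.168.1.0/24, 10.60.1.16/28"
for phone in 10.60.1.4 10.60.1.17; do
    if allowed_ips_cover "$phone" "$SITEA_ALLOWED"; then
        echo "$phone: covered by siteA's AllowedIPs, reachable from siteB/siteC"
    else
        echo "$phone: not covered, traffic is dropped; renumber it into the range or add $phone/32"
    fi
done
```

The last loop is the practical takeaway: a phone already numbered 10.60.1.4 is outside 10.60.1.16/28, so with only the range entry on siteB and siteC its traffic is dropped there; either give the phone an address inside the range or keep a /32 entry for it.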
 
Using Merlin 388.1 and wireguard do Diversion and other AMTM scripts still work in RT-AX88U?
 
If they are working in 386.5_2 then hopefully they should still work in 388.1. I have done dirty upgrades 386.5 > 386.7 > 386.8 > 388.1 betas > 388.1 final and all my extra scripts have continued to work. However, I am not running uiDivStats, FlexQoS or vnStat.
 
As Asus is implementing a Flowcache bypass for Wireguard and @RMerlin is porting this into 388.2 currently in Alpha testing:
https://www.snbforums.com/threads/388-2-alpha-build-s-testing-available-build-s.82784/

From the GitHub commits, it looks like Asus/RMerlin is using fwmarks to mark packets for bypass, similar to what WGM uses, but it only seems effective for the AC86U and AX88U.
Code:
#ifdef RTCONFIG_HND_ROUTER
    fprintf(fp, "iptables -t mangle -I PREROUTING -i %s -j MARK --or 0x1\n", ifname);
    fprintf(fp, "iptables -t mangle -I POSTROUTING -o %s -j MARK --or 0x1\n", ifname);
    fprintf(fp, "ip6tables -t mangle -I PREROUTING -i %s -j MARK --or 0x1\n", ifname);
    fprintf(fp, "ip6tables -t mangle -I POSTROUTING -o %s -j MARK --or 0x1\n", ifname);
#endif

If we could duplicate the mark into WGM then we could have the same benefit.

If there are any interest that is?
 
Definitely interested and happy to run any tests (on AX88U).
 
As it looks in the github commits, looks like Asus/Rmerlin is using fwmarks to mark packages for bypass similar to what WGM uses but only seem effective for AC86U and AX88U.
These are just fallback rules, which won't intercept all traffic. The real flow cache bypass, which works for newer HND models, is here:

 
Thanks!
I guess it's not that simple. I don't really have what it takes to put all that code into context to figure out whether or not this bypass could be used on other WireGuard interfaces than the ones created by the firmware.
 
Basically you need to keep track of which CIDRs you use, and write them to the userspace /proc interface. You need to keep track of them because if you have two clients with the same IP address and you stop one client, you don't want to remove the IP until both clients are stopped.
 
Thanks!

I could see Wireguard.c writes to
#define BLOG_SKIP_PORT "/proc/blog/skip_wireguard_port"
#define BLOG_SKIP_NET "/proc/blog/skip_wireguard_network"
So for ordinary policy routing based on source or destination IP it for sure seems doable. Although I'm not sure how to handle the case when routing is based on an ipset, which could be thousands of destination IPs or IP and port combinations.

But it's not really something quick and easy to add on to wgm; it probably needs to be integrated into wgm, but I don't know if @Martineau is motivated to update wgm with this?
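The bookkeeping rule from @RMerlin's reply (a CIDR shared by two peers stays listed until both are stopped) and the /proc/blog/skip_wireguard_network path quoted from wireguard.c, put together as an added example that is not wgm or firmware code: a reference-counted skip list kept in a state file, with the kernel-facing write made only on the first add and the last delete. The thread does not show the text the firmware expects on that /proc file, or whether it has a removal syntax, so the `skipnet_kernel` hook below writes an assumed placeholder format to a scratch file; the two peers sharing 10.50.1.2/32 are constructed.

```sh
#!/bin/sh
# Added example, not wgm or firmware code: reference-counted bookkeeping for
# a flow-cache skip list, implementing the rule from the reply above (a
# network shared by two peers stays listed until both peers are stopped).
# The exact text wireguard.c writes to /proc/blog/skip_wireguard_network is
# not shown in the thread, so the kernel-facing writes below use an assumed
# placeholder format and go to a scratch file by default.

SKIP_NET_STATE=${SKIP_NET_STATE:-${TMPDIR:-/tmp}/wgm_skipnet.refs}   # "<cidr> <count>" per line
SKIP_NET_SINK=${SKIP_NET_SINK:-${TMPDIR:-/tmp}/skip_wireguard_network.demo}

skipnet_count() {     # print the current refcount of $1 (0 when unlisted)
    [ -f "$SKIP_NET_STATE" ] || { echo 0; return 0; }
    c=$(awk -v k="$1" '$1 == k { print $2 }' "$SKIP_NET_STATE")
    echo "${c:-0}"
}

skipnet_set() {       # store count $2 for $1; a zero count drops the line
    tmp="$SKIP_NET_STATE.tmp"
    : > "$tmp"
    [ -f "$SKIP_NET_STATE" ] && awk -v k="$1" '$1 != k' "$SKIP_NET_STATE" >> "$tmp"
    [ "$2" -gt 0 ] && echo "$1 $2" >> "$tmp"
    mv "$tmp" "$SKIP_NET_STATE"
}

skipnet_kernel() {    # $1 = add|del, $2 = cidr. ASSUMED format: "+cidr"/"-cidr"
    # per line; on the router this would be the write to BLOG_SKIP_NET with
    # the real syntax taken from wireguard.c, which the thread does not quote.
    case $1 in
        add) echo "+$2" >> "$SKIP_NET_SINK" ;;
        del) echo "-$2" >> "$SKIP_NET_SINK" ;;
    esac
}

skipnet_add() {       # a peer using $1 starts: tell the kernel on the first reference only
    n=$(skipnet_count "$1")
    skipnet_set "$1" $(( n + 1 ))
    [ "$n" -eq 0 ] && skipnet_kernel add "$1"
    return 0
}

skipnet_del() {       # a peer using $1 stops: tell the kernel when the last reference goes
    n=$(skipnet_count "$1")
    [ "$n" -gt 0 ] || return 0            # never listed: nothing to undo
    skipnet_set "$1" $(( n - 1 ))
    [ "$n" -eq 1 ] && skipnet_kernel del "$1"
    return 0
}

# Walk-through: two 'client' peers configured with the same address (constructed).
rm -f "$SKIP_NET_STATE" "$SKIP_NET_SINK"
skipnet_add 10.50.1.2/32    # wg11 up   -> "+10.50.1.2/32" written, count 1
skipnet_add 10.50.1.2/32    # wg12 up   -> nothing written, count 2
skipnet_del 10.50.1.2/32    # wg11 down -> still listed, count 1
skipnet_del 10.50.1.2/32    # wg12 down -> "-10.50.1.2/32" written, count 0
echo "kernel-side writes:"; cat "$SKIP_NET_SINK"
```

The state file is what survives between wgm invocations, so the stop path of one peer can see that another peer still needs the entry; without it the second `skipnet_del` in the walk-through would be the only one that could know the list is now empty. Point SKIP_NET_SINK at the real /proc file only once the write format has been taken from wireguard.c.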
 
