Wireguard Session Manager (4th) thread


As a core reason for using a VPN on the clients is the BitTorrent traffic, that might be a pyrrhic result. I could configure using Deluge or qBittorrent, but I would assume that the packet types would be the same.
I understand and the point was not to stop using it forever, but to localize the problem.

I'm running qBittorrent on an RPi via Docker and I don't get this issue.
 
@Martineau (or anyone else who might know) I recently managed to set up a cloud server (Oracle Free tier) and was planning on using it to access my LAN from the outside (so, kind of hub & spoke), but when fiddling with this I saw my router's eth0 has a public IPv6, so my infrastructure provider finally came through.

Anyhow, as there are not many places where I have IPv6 support, I'd better use my VPS for the IPv4 endpoint but go direct for the IPv6 endpoint.

In order to get everything just the way I want it, I simply created all config files by hand.

So I ended up with a config file intended for the router like this:

Code:
# Router - 192.168.100.1  aaff:a37f:fa75:100::1
[Interface]
PrivateKey = <Router private key>
Address = 192.168.100.1/24, aaff:a37f:fa75:100::1/64
ListenPort = <Router listen port>

# VPS - 192.168.100.2 (-192.168.100.127)
[Peer]
PublicKey = <VPS public key>
Endpoint = <VPS ipv4 Endpoint>:port
AllowedIPs = 192.168.100.0/25, aaff:a37f:fa75:100::/120
PersistentKeepalive = 25

# Phone (ipv6 direct only)
[Peer]
PublicKey = <Phone public key>
AllowedIPs = 192.168.100.128/32, aaff:a37f:fa75:100::128/128

Putting this file in the wireguard.d folder and importing using type=server, wgm complained about missing key files, so I added them and all works beautifully.

However, being a complete novice on server setups, I don't appear to see any of my server peers in wgm but they show under the "wg show" command. I feel that I somehow missed a step. Should I have imported the devices as well? Does this mean the server import should only contain the [Interface] part, and I should put each [Peer] part under separate files and import these as type=device?

Or do I just import the VPS and phone configs as they are? But the VPS config contains several peers itself. I guess wgm will only be tracking the VPS connection and not the peers connected/forwarded via the VPS?

I could probably experiment my way forward but I'm getting a lot of grief from my family so I thought I'd ask instead.

//Zeb
 
Assuming the import type=server correctly imported the .conf into the correct SQL database table (diag sql server), and it is eligible to be started by wgm, then there may be an undisclosed error during the status query, in which case you would need to supply a debug output for the status command.
 
Thanks!

The server import turned out OK and I can connect via phone or VPS, and auto=S works and it autostarts. I think I looked at the wrong place in wgm ("peer wg21" does not show clients connected to wg21); I had to use option 3 (list) to list my connected clients.

I think I worked out the device import. I checked the SQL database for what values it imported, stripped the config files of the non-interesting stuff, basically leaving the [Interface] section and only the relevant [Peer] section, and imported.

However, I have 2 minor bugs to report:
1. An import (regardless of type) always gives a ":missing" first but the import turns out OK anyway.
2. When importing a device, i.e. "import phone.conf type=device", the device gets imported as "phone" in the SQL database but it imports it as wg13, creates wg13.conf and renames phone.conf to phone.conf_imported. Then when listing peers it throws an error that phone.conf does not exist. There are no references to wg13 in wgm so I had to manually rename wg13.conf back to phone.conf.

But this aside, everything is working beautifully!
 
However, I have 2 minor bugs to report:
1. An import (regardless of type) always gives a ":missing" first but the import turns out OK anyway.
Hmmm, Beta dev version v4.19b2 (JUL 2022) should have included this patch?

2. When importing a device, i.e. "import phone.conf type=device", the device gets imported as "phone" in the SQL database but it imports it as wg13, creates wg13.conf and renames phone.conf to phone.conf_imported. Then when listing peers it throws an error that phone.conf does not exist. There are no references to wg13 in wgm so I had to manually rename wg13.conf back to phone.conf.
I'll take a look.

Thanks for the bug report/feedback.
 
I understand and the point was not to stop using it forever, but to localize the problem.

I'm running qBittorrent on an RPi via Docker and I don't get this issue.
I swapped out Transmission for qBittorrent and still get this issue (fine under low traffic, mcast_blog under anything over 35 Mb/s). I don't know how other RT-AX88U owners have tested, but for me (or at least this router) wireguard+bittorrent+flowcache+load = bcm_mcast_blog_process,819: blog allocation failure.

Other than Wireguard Manager I am only currently running Diversion, Scribe, ntpMerlin (set to Chrony), scMerlin and Skynet; all other custom scripts have been removed.

Unless you can think of anything else to try, I will be disabling flowcache, moving to beta2 and rebuilding from scratch.
 
@Martineau I'm still struggling with setting up my server and device peers. I scrapped my attempt with server import as it seems wgm assumes this to be site-to-site and is missing the Site-B info, so I couldn't create more peers.

So I started over with a new server peer and tried to set up everything from wgm. I made it through the VPS peer but I stumbled on trying to create an ordinary road-warrior device. The problem comes from my needing the Endpoint to be my WAN IPv6.

I tried to enter the IPv6 instead of DDNS when I create the peer but it comes up blank (I found that line #7427 of wg_manager requires at least one ".", so this check fails).

I also tried to update it using "peer test endpoint=[2001:aaaa:bbbb::ccc]" and it reports a successful change but nothing happens, either in the .conf file or in the SQL database (which doesn't contain any server/device endpoints). Looks like a device peer endpoint change is unexpected for this part of the code.

After changing line #7427, adding | tr ":" "." before the other tr, it works for using IPv6 instead of DDNS when asked. But it's perhaps a little ugly.

It's not a biggie and it's easy enough just to edit the conf file, but just letting you know.

//Zeb
 
This popped up in my Reddit feed earlier, and I thought I should bring it to your attention:
If they've had some breakthroughs for speed, and they're being forwarded to the Linux Foundation for kernel inclusion... well, eventually they'll trickle down.
Pretty exciting that they've set a new speed limit on "commodity" equipment if you ask me.
 
I've just finished setting up a cloud server to be able to connect into my LAN despite being behind CGNAT. It works very well; I seem to max out slightly below 100 Mbit/s, but I don't really understand why, as neither my traffic nor my processor usage is maxing out. And the latency is not great, as I'm relaying everything via a cloud server on the other side of my country. But I'm still able to stream HD video content from my NAS without issues.

And its free!!

https://github.com/ZebMcKayhan/WireguardManager#setup-private-server-via-cloud-server
 
Hi

I have a really quick question. As per the documentation, the killswitch is global, meaning my policy routing isn't really protected. I also cannot exclude certain devices so that they go through the WAN (for obvious reasons) with the killswitch on.

Does anyone have a way of putting a killswitch on for all devices, except this one? Similar to the OpenVPN one?

EDIT: What I'm trying to do
I'm hoping to route every device through the VPN. I would like resilience on this and do not want devices to fall back to the WAN; I would rather go and reconfigure the route. That being said, there are certain devices that are NOT supposed to be going through the VPN. The policy routing works perfectly, but using the killswitch out of the box means those devices do not work whereas the others do.
 
Good morning everyone.

Some time ago I successfully configured Wireguard Manager, routing my LAN devices to my VPN supplier using IPv4.

Now I've changed my ISP, and this new provider supports IPv6.

I've been following the excellent tutorial on https://github.com/ZebMcKayhan/WireguardManager#create-rules-in-wgm, but that doesn't seem to work.

My public IPv6 address is still that of my ISP and not that of my VPN supplier.

Another thing I would like to know is which IPv6 address I have to put in the Wireguard Manager peer rule.

From the Windows Ethernet connection properties dialog, I have three different IPv6 addresses. Which one do I have to configure in the Wireguard Manager rules? I attach a picture to illustrate this.

[attached screenshot: 1682410029240.png]


Many thanks in advance.
 
meaning my policy routing isn't really protected.
Hmm... I think this has been discussed enough so I won't rant on about it. Search this forum to find out why.

Does anyone have a way of putting a killswitch on for all devices, except this one? Similar to the OpenVPN one?
Same answer as above.

If something breaks so badly in your router that WireGuard does not start, how would you imagine any script would be kicked off or not broken as well? WireGuard has no sense of connection; it will start regardless of whether anyone answers and it will replace your routes, so your connection will break if the connection is not up, but WireGuard won't really care or notice.

That being said, the wgm killswitch puts this in the firewall FORWARD chain:
Code:
iptables -I FORWARD -i br0 -o \$WAN_IF -j REJECT

So you could put in, say, wg11-up.sh (assuming eth0 is your WAN interface and you wish to exclude IP 192.168.1.23):
Code:
iptables -I FORWARD -s 192.168.1.23 -o eth0 -j ACCEPT
and of course also in wg11-down.sh:
Code:
iptables -D FORWARD -s 192.168.1.23 -o eth0 -j ACCEPT

Not sure if the killswitch has more resets than during a restart of the interfaces, so more hacking might be needed.
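A fuller version of that up/down hook, added here as an example (it is not wg_manager's own code and not from the post above): it uses the same ACCEPT rule, but probes with `iptables -C` before inserting so a second run of wg11-up.sh does not stack duplicates, and on the way down deletes every copy that is present. The WAN interface eth0, the exempt host 192.168.1.23 and the `IPT` override (a fake command for dry runs) are assumptions; the REJECT rule quoted in the comment is the one from the post.

```shell
#!/bin/sh
# Added example (not part of wg_manager): exempt one LAN host from the
# wgm global kill-switch by placing an ACCEPT ahead of the REJECT rule.
# Assumptions: WAN interface eth0, exempt host 192.168.1.23; IPT can be
# pointed at a fake command to dry-run the logic without touching netfilter.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
EXEMPT_IP="${EXEMPT_IP:-192.168.1.23}"

# The rule the wgm kill-switch inserts (quoted from the post above):
#   iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT
# Our ACCEPT must sit *above* it, hence -I (insert at head of chain).
# Only the LAN->WAN direction is rejected by wgm; replies from the WAN are
# handled by the usual conntrack ESTABLISHED rules, so one ACCEPT suffices.

# Return 0 if the exemption rule is currently present in FORWARD, else 1.
ks_exempt_present() {
    "$IPT" -C FORWARD -s "$EXEMPT_IP" -o "$WAN_IF" -j ACCEPT 2>/dev/null
}

# Idempotent add: safe to call from wg11-up.sh even if it runs twice.
ks_exempt_add() {
    if ks_exempt_present; then
        return 0
    fi
    "$IPT" -I FORWARD -s "$EXEMPT_IP" -o "$WAN_IF" -j ACCEPT
}

# Remove every copy of the rule so nothing stale survives in wg11-down.sh.
ks_exempt_del() {
    while ks_exempt_present; do
        "$IPT" -D FORWARD -s "$EXEMPT_IP" -o "$WAN_IF" -j ACCEPT || return 1
    done
}

# wg11-up.sh would call "ks_exempt_add", wg11-down.sh "ks_exempt_del";
# with no argument the script only defines the functions (safe to source).
case "${1:-}" in
    up)   ks_exempt_add ;;
    down) ks_exempt_del ;;
    *)    ;;
esac
```

Because both rules are inserted at the head of FORWARD with -I, whichever was inserted last wins: if wgm re-inserts its REJECT after wg11-up.sh has run, the exemption is shadowed again. After any restart, check with `iptables -L FORWARD -n --line-numbers` that the ACCEPT for the host still sits above the REJECT.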
 
Hmm... I think this has been discussed enough so I won't rant on about it. Search this forum to find out why.
I've seen your post from a few pages ago before making this one.

If something breaks so badly in your router that WireGuard does not start, how would you imagine any script would be kicked off or not broken as well? WireGuard has no sense of connection; it will start regardless of whether anyone answers and it will replace your routes, so your connection will break if the connection is not up, but WireGuard won't really care or notice.

It's not a worry that the router will break. What I'm worried about is the config stopping working, i.e. the server I'm connected to goes down. There's no notification (other than checking your IP every so often) to indicate the connection broke. Unless I'm mistaken and everything freezes?

I'll give this a go!

Thanks a lot for your response :)
 
My public IPv6 address is still that of my ISP and not that of my VPN supplier.
If you imported your config file back when you were using IPv4 only, there is a good chance that wgm only imported the IPv4 part of it. You may need to do a new import to get the IPv6 part imported, which it will now that IPv6 is enabled.

Also make sure your config file allows for IPv6; not all VPN suppliers offer this, and even then you sometimes need to explicitly choose a dual-stack config when you generate it.

Another thing I would like to know is which IPv6 address I have to put in the Wireguard Manager peer rule.
Yeah, this is tricky... The problem is that the router has no control over which IP the devices get. Stateless means that the device only gets the prefix, then the device assigns itself the last part. This means it could be changing over time (privacy extensions). Anyway, the IP you should use is one of your 2a0c addresses, and I can't see your picture properly, but one is probably based on the MAC. You could test both, but I would guess the top one is the one being used for external data. But beware that it may be changing and your rule may lose its effect.

As an additional complication, if your prefix is dynamic, this may change over time as well, also rendering your rule worthless.

A better way of doing this for IPv6 could be by using MAC addresses in an ipset:
https://github.com/ZebMcKayhan/WireguardManager#create-and-setup-ipsets
That would simultaneously take care of both IPv4 and IPv6.

You could either add the MAC address(es) manually or you could have the firewall populate the ipset with MAC addresses based on IPv4.
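Added example of the MAC-based approach (it is not wg_manager's code and not from the post): create a `hash:mac` ipset that wgm can reference, add entries only after validating them, and optionally let the firewall learn a host's MAC from its static IPv4 through the iptables SET target, which is the "populate based on IPv4" option mentioned above. The set name wg11-mac, the bridge br0, the sample addresses and the `IPT`/`IPSET` overrides are assumptions; marking traffic for the set is left to wgm's own `peer wg11 add ipset wg11-mac`.

```shell
#!/bin/sh
# Added example (not part of wg_manager): maintain a hash:mac ipset so a
# LAN host is matched by its MAC rather than by IPv6 addresses that change
# with privacy extensions or a new delegated prefix.
# Assumptions: set name wg11-mac, LAN bridge br0; IPT/IPSET can be pointed
# at fake commands to dry-run the logic.

IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
SET_NAME="${SET_NAME:-wg11-mac}"
LAN_IF="${LAN_IF:-br0}"

# mac_norm <mac>: print the MAC in canonical lower-case form, or fail.
# Refusing malformed input here keeps typos out of the routing set.
mac_norm() {
    m="$(printf '%s' "$1" | tr 'A-F' 'a-f')"
    printf '%s' "$m" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$m"
}

# Create the set (no-op if it already exists) so wgm's rule can reference it.
macset_create() {
    "$IPSET" create "$SET_NAME" hash:mac -exist
}

# macset_add <mac>...: add static entries; stops at the first bad MAC.
macset_add() {
    for raw in "$@"; do
        m="$(mac_norm "$raw")" || { printf 'bad MAC: %s\n' "$raw" >&2; return 1; }
        "$IPSET" add "$SET_NAME" "$m" -exist
    done
}

# macset_learn_from_ipv4 <ipv4>: have the firewall add the source MAC of
# any frame arriving from this IPv4 on the LAN, so the set follows the host
# even when its IPv6 addresses rotate. Inserted once (checked with -C).
macset_learn_from_ipv4() {
    "$IPT" -t mangle -C PREROUTING -i "$LAN_IF" -s "$1" \
        -j SET --add-set "$SET_NAME" src 2>/dev/null ||
    "$IPT" -t mangle -I PREROUTING -i "$LAN_IF" -s "$1" \
        -j SET --add-set "$SET_NAME" src
}

# Usage (constructed examples):
#   ./macset.sh setup aa:bb:cc:dd:ee:01      # static entry
#   ./macset.sh learn 192.168.1.23           # learn MAC from a fixed IPv4
case "${1:-}" in
    setup) macset_create; shift; macset_add "$@" ;;
    learn) macset_create; macset_learn_from_ipv4 "$2" ;;
    *) ;;
esac
```

A hash:mac set only matches frames received on the LAN, where the source MAC is visible; it cannot match traffic the router itself originates, so the router's own connections still need an address-based rule.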
 
What I'm worried about is the config stopping working, i.e. the server I'm connected to goes down. There's no notification (other than checking your IP every so often) to indicate the connection broke. Unless I'm mistaken and everything freezes?
WireGuard will never know the server stops responding, or even if it's not responding during start. As it is connection-less it will set up the connection anyway and your connection over the VPN will just not work. So any devices set to use the VPN will have a broken internet connection, so kind of the same thing as a kill-switch.
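One way to get the notification that the post says WireGuard itself does not give, added here as an example (not part of wg_manager and not from the post): poll `wg show wg11 latest-handshakes`, which prints one "public key, tab, epoch seconds" line per peer (0 if no handshake ever completed), and treat a peer whose last handshake is older than a threshold as down. The interface name wg11, the 180-second threshold and the constructed sample lines are assumptions.

```shell
#!/bin/sh
# Added example (not part of wg_manager): a liveness check for a WireGuard
# client peer. WireGuard keeps no connection state, so the only evidence
# that the far end is alive is the age of the last completed handshake.
# Assumptions: interface wg11; a 3-minute threshold (a tunnel carrying
# traffic re-handshakes roughly every 2 minutes, so 180 s is one missed
# rekey).

STALE_AFTER="${STALE_AFTER:-180}"

# wg_stale_peers <now_epoch>  (reads "wg show ... latest-handshakes" lines
# on stdin). Prints the public key of every peer whose handshake is older
# than STALE_AFTER seconds, or that never handshook (timestamp 0).
# Returns 0 if at least one peer is stale, 1 if all are fresh.
wg_stale_peers() {
    now="$1"
    found=1
    while IFS="$(printf '\t')" read -r key ts; do
        [ -n "$key" ] || continue
        if [ "${ts:-0}" -eq 0 ] || [ $((now - ts)) -gt "$STALE_AFTER" ]; then
            printf '%s\n' "$key"
            found=0
        fi
    done
    return $found
}

# Live check against the real interface (needs root on the router):
# returns 0 when wg11 has at least one stale peer, i.e. the tunnel is down.
wg11_is_down() {
    wg show wg11 latest-handshakes | wg_stale_peers "$(date +%s)" >/dev/null
}

# Constructed sample (not captured from a real router): peer 1 handshook
# 30 s ago, peer 2 ten minutes ago; keys are placeholders.
SAMPLE_NOW=1700000000
SAMPLE="$(printf 'AAAApeer1key=\t%s\nBBBBpeer2key=\t%s\n' \
             $((SAMPLE_NOW - 30)) $((SAMPLE_NOW - 600)))"

# "./wgwatch.sh demo" runs the check on the sample; a cron job would call
# wg11_is_down instead and act on its exit status.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | wg_stale_peers "$SAMPLE_NOW"
fi
```

A tunnel that is merely idle also stops handshaking, so either set PersistentKeepalive on the peer (keepalives count as sent traffic and keep the rekey going) or only alert when traffic was expected; otherwise the check raises false alarms. The check is read-only; what to do on a stale result (restart the peer, log it, fail over) belongs in the cron job that calls it.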
 
Oh. That's cool!
Logically speaking, can I test this by connecting to a random IP that IS NOT an active connection? By your logic it would fail successfully (for this test)?
 
A better way of doing this for IPv6 could be by using MAC addresses in an ipset:
https://github.com/ZebMcKayhan/WireguardManager#create-and-setup-ipsets
That would simultaneously take care of both IPv4 and IPv6.
Thanks for your quick reply.

As you can see in the following attached output, my WireGuard client has both IPv4 and IPv6 addresses and DNS.

Bash:
E:Option ==> peer wg11 add ipset wg11-mac


        [✔] Ipset 'wg11-mac' Selective Routing added wg11

Client  Auto  IP                                                            Endpoint            DNS                                MTU   Annotate
wg11    P     10.151.13.172/32,fd7d:76ee:e68f:a993:d0c0:1334:273a:628b/128  185.183.106.2:1637  10.128.0.1,fd7d:76ee:e68f:a993::1  Auto  # N/A

        Selective Routing RPDB rules
ID  Peer  Interface  Source                                      Destination                                 Description
14  wg11  WAN        Any                                         192.168.0.0/24
13  wg11  WAN        192.168.0.0/24                              Any
11  wg11  VPN        fe80::782b:cf7b:fb37:c62b/64                Any
15  wg11  VPN        Any                                         2a0c:5a80:460a:b00:4923:d086:abcd:1763/64
17  wg11  VPN        Any                                         2a0c:5a80:460a:b00:4923:d086:abcd:1763
16  wg11  VPN        Any                                         2a0c:5a80:460a:b00:29c3:eed3:5bc9:df21/128
18  wg11  VPN        Any                                         2a0c:5a80:460a:b00:29c3:eed3:5bc9:df21
19  wg11  VPN        2a0c:5a80:460a:b00:4923:d086:abcd:1763/64   Any
20  wg11  VPN        2a0c:5a80:460a:b00:4923:d086:abcd:1763      Any
21  wg11  VPN        2a0c:5a80:460a:b00:29c3:eed3:5bc9:df21/128  Any
22  wg11  VPN        2a0c:5a80:460a:b00:29c3:eed3:5bc9:df21      Any
8   wg11  VPN        192.168.1.207                               Any
5   wg11  VPN        192.168.1.18                                Any
4   wg11  VPN        192.168.1.16                                Any
7   wg11  VPN        192.168.1.140                               Any
3   wg11  VPN        192.168.1.14                                Any
6   wg11  VPN        192.168.1.137                               Any
2   wg11  VPN        192.168.1.12                                Any
12  wg11  VPN        192.168.1.11                                Any
1   wg11  VPN        192.168.1.10                                Any

IPSet     Enable  Peer  FWMark  DST/SRC
wg11-mac  Y       wg11  0x1000  src

Server  Client  Passthru
wg21    wg11    10.50.1.1/24

        Configuration rules for Peer wg11

Also, you can see that I've added a MAC-based ipset, still with no luck.
Additionally, I've added rules to my wg11 client for every IPv6 address I've noted in my Net Properties dialog, which didn't work either.


Edit: After a 'restart wg11' command, all worked flawlessly. Thanks a lot!
 
