Wireguard Session Manager - Discussion (2nd) thread

[DragonOfJustice]

Yea i tried these suggestions as well but out of luck, that's fine i can just use app Mullvad instead, no big problem, thanks for all the help

 

[ZebMcKayhan]

I was thinking about something like:

iptables -t mangle -I OUTPUT -p udp --sport 51820 -j MARK --set-mark 0x8000
ip rule add fwmark 0x8000 table 117 prio 9997
echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter

Don't know if it should be PREROUTING or OUTPUT but I'm guessing PREROUTING since the packages should come from wg21.
We could add a -s [SourceIP] to further specify this but I don't know if to use wg21 ip or phone ip so maybee test without.

If anyone has any interest to test this it might be good to know for others?

@DragonOfJustice it is not for sure your internet would work (from phone) if you do this, but hopefully the handshake works and you get access to your internal network. We might need to look over masquarading of wg11 to get internet access to work.

//Zeb

Edit: updated with -i wg21 so we don't mark incoming packages from wan to wg21.

Edit2: updated again since realizing the encrypted udp packages will actually come from local. No wg21 and in output chain

 

[Martineau]

Yea i tried these suggestions as well but out of luck, that's fine i can just use app Mullvad instead, no big problem, thanks for all the help

Given your lack of success with the OpenVPN passthru' technique that I originally posted, I am curious... what precisely did you try (command/scripting) for the WireGuard implementation?

NOTE: I acknowledge your statement that the Mullvad app now adequately meets your needs, so obviously this question is now altogether moot so there is no obligation for you to reply.

 

[DragonOfJustice]

Given your lack of success with the OpenVPN passthru' technique that I originally posted, I am curious... what precisely did you try (command/scripting) for the WireGuard implementation?

NOTE: I acknowledge your statement that the Mullvad app now adequately meets your needs, so obviously this question is now altogether moot so there is no obligation for you to reply.

i know nothing about scirpting so i just follow basic guides for Wireguard implementation, i tried with OpenVPN server options in WebUI, that one i actually managed to get connection success from client and route through mullvad client in OpenVPN client 1, but for some reason i can't access to local lan. i don't know what is OpenVPN passthrough techniqe you said but i'll look into that as well

 

[DragonOfJustice]

I was thinking about something like:

iptables -t mangle -I PREROUTING -i wg21 -p udp --dport 51820 -j MARK --set-mark 0x8000
ip rule add fwmark 0x8000 table 117 prio 9997
echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter

Don't know if it should be PREROUTING or OUTPUT but I'm guessing PREROUTING since the packages should come from wg21.
We could add a -s [SourceIP] to further specify this but I don't know if to use wg21 ip or phone ip so maybee test without.

If anyone has any interest to test this it might be good to know for others?

@DragonOfJustice it is not for sure your internet would work (from phone) if you do this, but hopefully the handshake works and you get access to your internal network. We might need to look over masquarading of wg11 to get internet access to work.

//Zeb

Edit: updated with -i wg21 so we don't mark incoming packages from wan to wg21.

i added 3 rules and retried the handshake, there's no connection to both vpn and local access though,
in the Wireguard client, the transfer status is always: rx: 0b tx: few kbs

Edit: Okay so as soon as turn off wg11 interface, the handshake is succesful and i can access both LAN and internet.

 

[ZebMcKayhan]

i added 3 rules and retried the handshake, there's no connection to both vpn and local access though,
in the Wireguard client, the transfer status is always: rx: 0b tx: few kbs

Edit: Okay so as soon as turn off wg11 interface, the handshake is succesful and i can access both LAN and internet.

Sorry for the confusion, but I've updated the rules above again. Just realized that the encrypted wireguard udp packets will come from a local process, thus it needs to be in the OUTPUT chain and also not having a source interface (which is why "ip rule iif wg21..." failed). The good thing is that it will never be any conflict in this chain with the wan replies.

//Zeb

 

[DragonOfJustice]

Sorry for the confusion, but I've updated the rules above again. Just realized that the encrypted wireguard udp packets will come from a local process, thus it needs to be in the OUTPUT chain and also not having a source interface (which is why "ip rule iif wg21..." failed). The good thing is that it will never be any conflict in this chain with the wan replies.

//Zeb

Okay i restarted the router to remove old rules, i add new rules but it doesn't work. i found something interesting that if i keep WIFI connected, i can get some data in transfer: rx 2.15kb, tx: 8.32kb.
When i connect through outside network (4G), i got none of these: rx: 0b, tx: 444b
the Wireguard client is connect throught ddns though, i'm still doubting it's the ddns problem, do you have any idea?

 

[ZebMcKayhan]

i'm still doubting it's the ddns problem

me too... the problem is forcing udp packages from wg21 to your phone via wan. these packages wants to sneak out wg11 as this is your default route (at least that is my interpretation). without the ability to trace these packages myself, this will just be an endless series of tests.

do you have any idea?

frankly: no...

The problem originates from your requirement of having router local processes (curl) to use wg11 VPN - thus causing your server to use wg11 as well which simply doesnt work (Im sure there is a way but despite our efforts we just cant re-route these packages, or maybe we are getting at this from the wrong perspective?).

I think you will have to choose between having router local processes use wg11 VPN or be able to use wg server and set wg11 back to policy mode.

//Zeb

 

[DragonOfJustice]

me too... the problem is forcing udp packages from wg21 to your phone via wan. these packages wants to sneak out wg11 as this is your default route (at least that is my interpretation). without the ability to trace these packages myself, this will just be an endless series of tests.


frankly: no...

The problem originates from your requirement of having router local processes (curl) to use wg11 VPN - thus causing your server to use wg11 as well which simply doesnt work (Im sure there is a way but despite our efforts we just cant re-route these packages, or maybe we are getting at this from the wrong perspective?).

I think you will have to choose between having router local processes use wg11 VPN or be able to use wg server and set wg11 back to policy mode.

//Zeb

I see, let's just say i'm fine with router running in ISP mode. The reason i want router in VPN mode is i'm torrent using aria2 and from document it doesn't support proxy (at least mullvad doesn't have proxy) also can't binding ip like Transmission. However i can use Transmission if i can solve my case, i can set it back to Policy mode
now my clients route in wg11 is using VPN, while my phone using wg server is running in ISP mode, how would i route the phone to wg11? is it possible? If i have server with ip 10.8.0.1/24 and phone with ip 10.8.0.2, will peer wg11 rule add vpn src=10.8.0.2 works?

If not either then i'll keep it as it is and forget about wg server. It's optional anyway so it doesn't really matter and i learned something new

Edit: found a post about binding ip Transmission: https://www.snbforums.com/threads/transmission-for-asuswrt-merlin.31278/page-3#post-266164

 

[chongnt]

I see, let's just say i'm fine with router running in ISP mode. The reason i want router in VPN mode is i'm torrent using aria2 and from document it doesn't support proxy (at least mullvad doesn't have proxy) also can't binding ip like Transmission. However i can use Transmission if i can solve my case, i can set it back to Policy mode
now my clients route in wg11 is using VPN, while my phone using wg server is running in ISP mode, how would i route the phone to wg11? is it possible? If i have server with ip 10.8.0.1/24 and phone with ip 10.8.0.2, will peer wg11 rule add vpn src=10.8.0.2 works?

If not either then i'll keep it as it is and forget about wg server. It's optional anyway so it doesn't really matter and i learned something new

Edit: found a post about binding ip Transmission: https://www.snbforums.com/threads/transmission-for-asuswrt-merlin.31278/page-3#post-266164

In policy mode, it is possible to route phone dial in from wgvpn server to wg11. This can be done by make use of the wg21-up.sh script.

nano /jffs/addons/wireguard/Scripts/wg21-up.sh

In wg21-up.sh

#!/bin/sh

logger -t $(basename $0) "WireGuard VPN Server 1 coming up ..."

#Create RPDB rules
wgvpn_server1_sn="$(ifconfig wg21 | grep -m1 "inet addr" | awk '{print $2}' | awk -F: '{print $2}' | awk -F\. '{ print $1"."$2"."$3"."0 }')"

ip rule del prio 9910 2>/dev/null
ip rule add from "$wgvpn_server1_sn"/24 table 121 prio 9910         # Allow tunnel from wg21 to wg11

#add custom config here
iptables -t nat -D POSTROUTING -s "$wgvpn_server1_sn"/24 -o wg11 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s "$wgvpn_server1_sn"/24 -o wg11 -j MASQUERADE

#ensure WireGuardVPN Client 1 routing policy table contains WGVPN Server 1 IP network in the tunnel
while read route; do
   ip route add $route table 121 2>/dev/null  && routing_changed=
done << EOR
$(ip route | grep "wg21")
EOR

# force routing system to recognize any changes
[ ${routing_changed+x} ] && ip route flush cache

Then make it executable

chmod +x /jffs/addons/wireguard/Scripts/wg21-up.sh

Update:
In the event we stop wg11 while wg21 has already come up, table 121 will be deleted. When wg11 is started again, the above rules will not be added back unless wg21 restart. Add the following in wg11-up.sh will cover such event so that the same will be recreated if wg21 is already up.

In wg11-up.sh

#!/bin/sh

logger -t $(basename $0) "WireGuard VPN Client 1 coming up ..."

if [ -d "/sys/class/net/wg21/" ]; then
# create RPDB rules
   wgvpn_server1_sn="$(ifconfig wg21 | grep -m1 "inet addr" | awk '{print $2}' | awk -F: '{print $2}' | awk -F\. '{ print $1"."$2"."$3"."0 }')"
   ip rule del prio 9910 2>/dev/null
   ip rule add from "$wgvpn_server1_sn"/24 table 121 prio 9910              # Allow tunnel from wg21 to wg11

# ensure WireGuardVPN Client 1 routing policy table contains WGVPN Server 1 IP network in the tunnel
while read route; do
   ip route add $route table 121 2>/dev/null  && routing_changed=
done << EOR
$(ip route | grep "wg21")
EOR

# force routing system to recognize any changes
[ ${routing_changed+x} ] && ip route flush cache
fi

 

[ZebMcKayhan]

However i can use Transmission if i can solve my case, i can set it back to Policy mode

as I said in my first reply to you in this matter, certain programs (like Transmission) could be linked to your router ip (192.168.50.1) by editing "/opt/etc/transmission/settings.json" and set "bind-address-ipv4": "192.168.50.1" and if I remember correctly according to your original policy rules, this will go out wg11... use a ip tracking magnet link to find out it is working. I had this setup before and it worked!

this is a much better (and scalable) solution (if deemed acceptable)!

you should probably remove or rename your wg11-up.sh and wg11-down.sh script we created before, since you wouldn't want them interfering with wgm's policy routes...

//Zeb

 

[DragonOfJustice]

as I said in my first reply to you in this matter, certain programs (like Transmission) could be linked to your router ip (192.168.50.1) by editing "/opt/etc/transmission/settings.json" and set "bind-address-ipv4": "192.168.50.1" and if I remember correctly according to your original policy rules, this will go out wg11... use a ip tracking magnet link to find out it is working. I had this setup before and it worked!

this is a much better (and scalable) solution (if deemed acceptable)!

you should probably remove or rename your wg11-up.sh and wg11-down.sh script we created before, since you wouldn't want them interfering with wgm's policy routes...

//Zeb

Okay so forcing Transmission to use 192.168.50.3 and it routed succesfully through VPN, tested the IP from torrent and it returned Mullvad. I switch back to policy rules and DDNS works again.

In policy mode, it is possible to route phone dial in from wgvpn server to wg11. This can be done by make use of the wg21-up.sh script.

nano /jffs/addons/wireguard/Scripts/wg21-up.sh

In wg21-up.sh

#!/bin/sh

logger -t $(basename $0) "WireGuard VPN Server 1 coming up ..."

#Create RPDB rules
wgvpn_server1_sn="$(ifconfig wg21 | grep -m1 "inet addr" | awk '{print $2}' | awk -F: '{print $2}' | awk -F\. '{ print $1"."$2"."$3"."0 }')"

ip rule del prio 9910 2>/dev/null
ip rule add from "$wgvpn_server1_sn"/24 table 121 prio 9910         # Allow tunnel from wg21 to wg11

#add custom config here
iptables -t nat -D POSTROUTING -s "$wgvpn_server1_sn"/24 -o wg11 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s "$wgvpn_server1_sn"/24 -o wg11 -j MASQUERADE

#ensure WireGuardVPN Client 1 routing policy table contains WGVPN Server 1 IP network in the tunnel
while read route; do
   ip route add $route table 121 2>/dev/null
done << EOR
$(ip route | grep "wg21")
EOR

ip route flush cache

Then make it executable

chmod +x /jffs/addons/wireguard/Scripts/wg21-up.sh

Using code from @chongnt i can route wg21 clients through VPN, my phone can do the handshake succesfully. The rule 9910 is interfering with rule 1 of wg11, i changed it to 9909. Can confirm my phone is working with Diversion and Unbound with no issue

Thank you both of you so much.

 

[chongnt]

Okay so forcing Transmission to use 192.168.50.3 and it routed succesfully through VPN, tested the IP from torrent and it returned Mullvad. I switch back to policy rules and DDNS works again.



Using code from @chongnt i can route wg21 clients through VPN, my phone can do the handshake succesfully. The rule 9910 is interfering with rule 1 of wg11, i changed it to 9909. Can confirm my phone is working with Diversion and Unbound with no issue

Thank you both of you so much.

Includes script for wg11-up.sh in above post to cover the event wg11 restart after wg21 started.

 

[Martineau]

Includes script for wg11-up.sh in above post to cover the event wg11 restart after wg21 started.

@chongnt Whilst the use of the Passthru feature was something that I posted/provided for the OpenVPN environment, for WireGuard this was considered a minor feature.

Hope you don't mind, (you are obviously credited), but support is now included as a wireguard_manager feature and can be configured/managed using

e  = Exit Script [?]

E:Option ==> peer help

<snip>

peer serv_peer_name {passthru client_peer {[add|del] [device|IP/CIDR]}} - Manage passthu' rules for inbound 'server' peer devices/IPs/CIDR outbound via 'client' peer tunnel

e.g.
     peer wg21 passthru add wg11 SGS8
     peer wg21 passthru add wg15 all
     peer wg21 passthru add wg12 10.100.100.0/27

e.g.

e  = Exit Script [?]

E:Option ==> peer

          Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Server Auto Subnet       Port  Annotate
wg21   Y    10.50.1.1/24 11501 # RT-AC86U Server 1

Client Auto IP              Endpoint         DNS            MTU Annotate
wg11   P    10.72.31.150/32 89.45.90.2:51820 193.138.218.74     # Mullvad USA, Los Angeles

Device Auto IP           DNS         Allowed IPs Annotate
SGS8   X    10.50.1.2/32 192.168.0.1 0.0.0.0/0   # SGS8 "Device"

Server Client Passthru
wg21   wg11   all
wg21   wg11   10.100.100.0/27
wg21   wg11   SGS8

To test wireguard_manager Beta v4.12b, upgrade from the Github dev branch

e  = Exit Script [?]

E:Option ==> uf dev

and

e  = Exit Script [?]

E:Option ==> initdb keep

 

[DragonOfJustice]

Thanks for the update, by the way how would i issue port forwarding iptables to wg11?
I put these lines in the firewall-start but not sure if this is correctly setup, the port is on Transmission listening port and it's showing Closed.

 

[Martineau]

Thanks for the update, by the way how would i issue port forwarding iptables to wg11?
I put these lines in the firewall-start but not sure if this is correctly setup, the port is on Transmission listening port and it's showing Closed.

View attachment 37107

Try placing them in '/jffs/addons/wireguard/Scripts/wg11-up.sh' to ensure that they are persistent based on the UP state of wg11

 

[DragonOfJustice]

Try placing them in '/jffs/addons/wireguard/Scripts/wg11-up.sh' to ensure that they are persistent based on the UP state of wg11

Thanks, i have moved them to wg11-up.sh and reboot the router, wg11-up is ran but Transmission still reported the listening port is Closed. Is the iptables commands i used correctly? the Transmission is binded to ip 192.168.50.3 and i tried toggle "use port forwarding from router" but no luck. Am i missing something else?

 

[ZebMcKayhan]

Thanks, i have moved them to wg11-up.sh and reboot the router, wg11-up is ran but Transmission still reported the listening port is Closed. Is the iptables commands i used correctly? the Transmission is binded to ip 192.168.50.3 and i tried toggle "use port forwarding from router" but no luck. Am i missing something else?

If you run Transmission over vpn it really wouldn't work to open ports. Your supplier is typically not subjecting your wg client to the entire internet. You are likely behind one or mor cgnats.
Just remove your rules and accept to run with closed ports.

//Zeb

 

[DragonOfJustice]

If you run Transmission over vpn it really wouldn't work to open ports. Your supplier is typically not subjecting your wg client to the entire internet. You are likely behind one or mor cgnats.
Just remove your rules and accept to run with closed ports.

//Zeb

Yeah i afraid i have no choice, thank you

 

[ZebMcKayhan]

Whenever I have some spare time I'm trying to write together some kind of tutorial for using wgm. Trying too add information about common questions as well as some specific "how to's". It is not really finished yet but the headlines shows what information I would like to have there. For a sneak-peak check it out here
If you find any errors, please let me know.

When writing this I encountered the expected behavior of a peer in auto=n mode.

The obvious part is that it won't start on boot.
And by looking at the code it looks like it won't start on the generic:

E:Option ==> start

But it looks like it might start when explicitly started

E:Option ==> start wg11
or
E:Option ==> peer wg11 start

But what is the expected behavior of this peer when started like this? @Martineau ?

//Zeb