Wireguard Session Manager - Discussion (2nd) thread

[Martineau]

There were no directives regarding the DNS in the test.conf file that I created on my router and imported to my laptop, I had to add the whole line (DNS= 10.50.1.1) by myself.

Thanks for taking the time to PM me with the debugging info.

Not sure that it is possible for the DNS = line directive to be completely missing?
i.e. the line DNS = is always created ...just seemingly in your case that the target DNS IP Address is missing.

I have uploaded wireguard_manager Beta v4.12.bB to use the 'server' Peer IP if nvram get wan0_dns is blank, rather than deliberately force the import of the .conf file to fail by using an invalid DNS reference such as 'Missing!'

To upgrade use:

e  = Exit Script [?]

E:Option ==> uf dev

    Router RT-AX86U Firmware (v3.0.0.4.386.4_alpha2-g952c6bdecc)

    [✔] Entware Architecture arch=aarch64


    v4.12bB WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
    MD5=15e9c9ec99c098cb27c2c00b85400aa7 /jffs/addons/wireguard/wg_manager.sh

<snip>

 

[DreaZ]

Are there some issue recently with WGM? I get this error
Error: no such table: passthru
when i start/stop my peer. And my PC with 192.168.1.20 is suddenly on VPN, should be on WAN.

Rules have been the same for a while now.
Selective Routing RPDB rules
ID Peer Interface Source Destination Description
1 wg11 WAN 192.168.1.20 Any PC
2 wg11 VPN 192.168.1.1/24 Any RestVPN

And if I exit WGM and try to start it again I get -sh: wgm: not found. Have to restart the session to be bale to start the manager.

 

[ZebMcKayhan]

Are there some issue recently with WGM? I get this error
Error: no such table: passthru
when i start/stop my peer. And my PC with 192.168.1.20 is suddenly on VPN, should be on WAN.

Rules have been the same for a while now.
Selective Routing RPDB rules
ID Peer Interface Source Destination Description
1 wg11 WAN 192.168.1.20 Any PC
2 wg11 VPN 192.168.1.1/24 Any RestVPN

And if I exit WGM and try to start it again I get -sh: wgm: not found. Have to restart the session to be bale to start the manager.

What did you do before this started? Updated firmware or wgm? What fw and wgm version are you using? Could it be a failing usb drive?

I'm running latest wgm dev version and latest released fw on ac86u and not seeing any of these problems.

//Zeb

 

[DreaZ]

What did you do before this started? Updated firmware or wgm? What fw and wgm version are you using? Could it be a failing usb drive?

I'm running latest wgm dev version and latest released fw on ac86u and not seeing any of these problems.

//Zeb

Updated WGM (4.12b) fw 386_3_2. Removed and reinstalled and updated with uf dev numerous times. The error persits and it's like my policy rules doesn't apply.

Tried different conf files from OVPN and Mullvad.

Edit: Tried with another USB-drive, no difference.

 

[ZebMcKayhan]

Are there some issue recently with WGM? I get this error
Error: no such table: passthru
when i start/stop my peer. And my PC with 192.168.1.20 is suddenly on VPN, should be on WAN.

Rules have been the same for a while now.
Selective Routing RPDB rules
ID Peer Interface Source Destination Description
1 wg11 WAN 192.168.1.20 Any PC
2 wg11 VPN 192.168.1.1/24 Any RestVPN

And if I exit WGM and try to start it again I get -sh: wgm: not found. Have to restart the session to be bale to start the manager.

The problem with passtru table is that you probably updated wgm without update the database. But as long as you are not using the passtru function it should not matter.

Wierd if your rules don't get applied... well, obviously the vpn rule gets applied. Check your rules from the shell by:

ip rule

And remove your public wan ip before posting (if it's there).

wgm is just a link. Try start wgm with:

wg_manager

And if that don't work:

/jffs/addons/wireguard/wg_manager.sh

//Zeb

 

[Martineau]

Are there some issue recently with WGM? I get this error
Error: no such table: passthru

Try

e  = Exit Script [?]

E:Option ==> diag sql passthru

    DEBUG: SQL '/opt/etc/wireguard.d/WireGuard.db'

    Invalid SQL table 'passthru'

    Valid tables:    clients   fwmark    servers   traffic 
devices   ipset     policy    session

e  = Exit Script [?]

E:Option ==> initdb keep

    No Peer entries to auto-migrate from '/jffs/addons/wireguard/WireguardVPN.conf', but you will need to manually import the 'device' Peer '*.conf' files:

e  = Exit Script [?]

E:Option ==> diag sql passthru

    DEBUG: SQL '/opt/etc/wireguard.d/WireGuard.db'

    Table:passthru

 

[Martineau]

And if I exit WGM and try to start it again I get -sh: wgm: not found. Have to restart the session to be bale to start the manager.

Can you check if there is a wgm() function defined....

grep "wgm()" /jffs/configs/profile.add

wgm()  { /jffs/addons/wireguard/wg_manager.sh $@; }          # WireGuard Session Manager

 

[DreaZ]

Try

e  = Exit Script [?]

E:Option ==> diag sql passthru

    DEBUG: SQL '/opt/etc/wireguard.d/WireGuard.db'

    Invalid SQL table 'passthru'

    Valid tables:    clients   fwmark    servers   traffic
devices   ipset     policy    session

e  = Exit Script [?]

E:Option ==> initdb keep

    No Peer entries to auto-migrate from '/jffs/addons/wireguard/WireguardVPN.conf', but you will need to manually import the 'device' Peer '*.conf' files:

e  = Exit Script [?]

E:Option ==> diag sql passthru

    DEBUG: SQL '/opt/etc/wireguard.d/WireGuard.db'

    Table:passthru

That seems to have solved the error I got. Now I just need to get the rules table to work as before.

Rules in WGM:
Selective Routing RPDB rules
ID Peer Interface Source Destination Description
3 wg11 VPN 192.168.1.64/26 Any 64-127
2 wg11 VPN 192.168.1.32/27 Any 32-63
4 wg11 VPN 192.168.1.128/25 Any 128-255

And in router:

But my PC with ip 192.168.1.20 still get ip from VPN provider and their DNS.

What am I missing?

 

[DreaZ]

Can you check if there is a wgm() function defined....

grep "wgm()" /jffs/configs/profile.add

wgm()  { /jffs/addons/wireguard/wg_manager.sh $@; }          # WireGuard Session Manager

Seems right.

 

[Martineau]

But my PC with ip 192.168.1.20 still get ip from VPN provider and their DNS.
What am I missing?

ID  Peer  Interface  Source            Destination  Description
3   wg11  VPN        192.168.1.64/26   Any          64-127
2   wg11  VPN        192.168.1.32/27   Any          32-63
4   wg11  VPN        192.168.1.128/25  Any          128-255

No idea.

Perhaps you can issue

e  = Exit Script [?]

E:Option ==> uf dev

then obfuscate the sensitive WAN IP address etc. and PM the output from

e  = Exit Script [?]

E:Option ==> diag

 

[ZebMcKayhan]

That seems to have solved the error I got. Now I just need to get the rules table to work as before.

Rules in WGM:
Selective Routing RPDB rules
ID Peer Interface Source Destination Description
3 wg11 VPN 192.168.1.64/26 Any 64-127
2 wg11 VPN 192.168.1.32/27 Any 32-63
4 wg11 VPN 192.168.1.128/25 Any 128-255

And in router:
View attachment 37463

But my PC with ip 192.168.1.20 still get ip from VPN provider and their DNS.

What am I missing?

Just a quick thought: could you verify that the peer is still in policy mode (auto=P) and have not slipped back to default(all) mode (auto=Y/N).
Check in wgm:

E:Option ==> peer

And make sure that it is a "P" under Auto.

If not, you need to put the peer in policy mode, like:

E:Option ==> peer wg11 auto=P
E:Option ==> peer wg11 restart

//Zeb

 

[DreaZ]

Its in Y mode. God damn it.

Edit: And it's all my own fault Silly me.

 

[ZebMcKayhan]

I tried to get a public ipv4 from my isp this week but they wanted quite alot of money for this so I rejected.
They enlightened me that they give out ipv6 for free if my supply chain handles it.

This got me thinking.... will this mean I have to use my cgnat ipv4 to access ipv4 internet and my ipv6 to access ipv6 internet?
If I want to connect via wireguard regardless of destination ipv does this mean I have to setup 2 wireguard interfaces, one for ipv4 and another for ipv6?

My wan port obviously gets both adresses, would it be possible to setup i.e wg11 to also have both adresses, via 2 tunnels.

A.f.a.i.k wgm sets up either ipv4 or ipv6. But could you setup one of each?

Or am I going at this the wrong way?

//Zeb

 

[Martineau]

I tried to get a public ipv4 from my isp this week but they wanted quite alot of money for this so I rejected.
They enlightened me that they give out ipv6 for free if my supply chain handles it.

This got me thinking.... will this mean I have to use my cgnat ipv4 to access ipv4 internet and my ipv6 to access ipv6 internet?
If I want to connect via wireguard regardless of destination ipv does this mean I have to setup 2 wireguard interfaces, one for ipv4 and another for ipv6?

My wan port obviously gets both adresses, would it be possible to setup i.e wg11 to also have both adresses, via 2 tunnels.

A.f.a.i.k wgm sets up either ipv4 or ipv6. But could you setup one of each?

Or am I going at this the wrong way?

//Zeb

I have little experience with IPv6 (my ISP doesn't support it) so assumed that this query was aimed at more knowledgeable IPv6 forum members.

However, your comment

A.f.a.i.k wgm sets up either ipv4 or ipv6. But could you setup one of each?

does appear to be true, so I have had another wild stab at the 'client' peer IPv6 support, so if IPv6 is ENABLED on the router wireguard_manager now mangles the interface for concurrent IPv4 and IPv6 rather than mutually exclusive.

e  = Exit Script [?]

E:Option ==> diag


    WireGuard VPN Peers

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  11501  # RT-AC86U Server 1
wg22    N     10.50.2.1/24  11502  # RT-AC86U Server 2
wg23    N     10.50.3.1/24  11503  # RT-AC86U Server 3

Client  Auto  IP                                               Endpoint             DNS             MTU  Annotate
wg11    P     10.72.31.150/32                                  89.45.90.2:51820     193.138.218.74       # Mullvad USA, Los Angeles
wg12    N     10.67.146.14/32,fc00:bbbb:bbbb:bb01::4:920d/128  193.32.126.66:51820  193.138.218.74       # Mullvad France, Paris

<snip>

25: wg12: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.67.146.14/32 scope global wg12
       valid_lft forever preferred_lft forever
    inet6 fc00:bbbb:bbbb:bb01::4:920d/128 scope global
       valid_lft forever preferred_lft forever

25: wg12: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet6 fc00:bbbb:bbbb:bb01::4:920d/128 scope global
       valid_lft forever preferred_lft forever

And if in Policy mode, with say the two rules (one IPv4 and one IPv6)

e  = Exit Script [?]

E:Option ==> peer wg12

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP                                               Endpoint             DNS             MTU  Public                                        Private                                       Annotate
wg12    N     10.67.146.14/32,fc00:bbbb:bbbb:bb01::4:920d/128  193.32.126.66:51820  193.138.218.74       ov323GyDOEHLT0sNRUUPYiE3BkvFDjpmi1a4fzv49hE=  eK//dD40ozIv7rG08t3ssglrselxDY3YD4BTEdeiol0=  # Mullvad France, Paris

    Selective Routing RPDB rules
ID  Peer  Interface  Source        Destination               Description
4   wg12  VPN        Any           fdc8:5f76:2ad1:bd81::/64  Dummy IPv6
5   wg12  VPN        172.16.1.123  Any                       Dummy IPv4


     WireGuard ACTIVE Peer Status: Clients 2, Servers 1

it should at least attempt to create the appropriate IPv4 and IPv6 RPDB rules and routes etc.

e  = Exit Script [?]

E:Option ==> diag

<snip>

    DEBUG: RPDB IPv6 rules

0:        from all lookup local
9921:     from all to fdc8:5f76:2ad1:bd81::/64 lookup 122
32766:    from all lookup main

    DEBUG: RPDB rules

0:        from all lookup local
9810:     from all fwmark 0xd2 lookup 210
9921:     from 172.16.1.123 lookup 122
<snip>
32766:    from all lookup main
32767:    from all lookup default

You can update using

e  = Exit Script [?]

E:Option ==> uf dev

NOTE: It probably won't work (so feel free to pass on this).......worst case scenario is that it borks the IPv4 connections

 

[ZebMcKayhan]

I have little experience with IPv6 (my ISP doesn't support it) so assumed that this query was aimed at more knowledgeable IPv6 forum members.

Anyhow, I will certainly consider any answer better than none.
I'm mostly trying to wrap my head around how dual stack is meant to work but as far as I have been able to read up on these are operating rather independent and are not really compatible with each other. so all interfaces (LAN, WAN, Wifi, guestnetworks a.s.o) will need to have both ipv4 and ipv6. seems quite a handful to set everything up. wonder how much that will happen by itself by asuswrt-merlin when "flipping the switch". could I choose to let my guest network to only operate on ipv4 for example? that's a different topic I guess.

once the switch is flipped, ipv6 will be prioritized and I might not have control anymore where my data gets routed as I'm used to having, thus it would be nice to investigate how to setup wireguard for dual stack.

my .conf file includes both ipv6 and ipv4 but I remember that a wireguard tunnel could only handle one or the other. guess you indirectly answered some questions:
- 2 tunnels is setup with the same pri/pub keys with the same interface that are operating independently. this is a nice way of handling it (for dual stack). would the wireguard suppliers accept both connections with the same keys?

so, in general you could always import ipv4 and ipv6 but only start ipv6 interface if ipv6 is enabled? that way you would not have to make a new import as you enable/disable ipv6.

what if the ipv6 setting in router is not native but some tunnel variant. that would certainly affect how wireguard should be setup (tunnel 6 to 4 would still mean WAN is running on ipv4, right?).

NOTE: It probably won't work (so feel free to pass on this).......worst case scenario is that it borks the IPv4 connections

I have not yet received from my ISP if I can get native ipv6 yet and even so I will probably have to wait to test until I have some family-free time to test (to relieve the audio-visual effects of internet loss).

//Zeb

EDIT: In my. conf file I also got 2 ipv6 dns but only one Endpoint, which is a domain name.
Regarding DNS, ip6tables included in my firmware is 1.4.15 and nat table were not introduced until 1.4.18 so I guess ipv6 dns would have to be solved differently.
How come there is only one Endpoint? Will this domain name resolve to both ipv4 and ipv6 adress and would both be accessable to system (AFAIK ipv6 will be prioritized and forwarded if exists). Is there a risk that the ipv4 Endpoint won't get resolved?

Edit2: just attempted to create new custom chain in the nat table:

admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -t nat -N WGDNS1
ip6tables v1.4.15: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

Hmm... crap... policy based routing just got abit more complex...

 

[DreaZ]

Just curious about the:
expr: non-numeric argument
expr: non-numeric argument
expr: non-numeric argument
[: 0: unknown operand

 

[Martineau]

View attachment 37578


Just curious about the:
expr: non-numeric argument
expr: non-numeric argument
expr: non-numeric argument
[: 0: unknown operand

Which version?

i.e. if you upgrade to the latest dev version, does the error still occur?

e  = Exit Script [?]

E:Option ==> uf dev

NOTE: Dev versions are potentially even more prone to stupid typos

 

[DreaZ]

Which version?

i.e. if you upgrade to the latest dev version, does the error still occur?

e  = Exit Script [?]

E:Option ==> uf dev

NOTE: Dev versions are potentially even more prone to stupid typos

4.12bc

 

[ZebMcKayhan]

It appears I cannot get ipv6 because my infrastructure provider have not updated their stuff... I tried to get a target date but got something like "any year now" so there goes that dream...

Anyhow, really hope someone else with a dual stack ipv6 continues to elaborate this with wgm.

Unless asus updated the ip6tables in later releases we will have to handle everything without adress translation, which would mean handing out ips from our wan pool to everything (including clients connected to our wireguard server). Assuming wireguard vpn suppliers perform masquarading for us (which they should, I believe). Routing and rules should work as today.
The snag could be if stateless configuration is used, then the router has little control over which clients use which IP.

Regarding dns, I really have no idea how to do this.
- Let dnsmasq hand out vpn dns for clients routed to vpn??
- setup multiple dnsmasq instances??
- unbound??

Using mark for routing based on ipset, ports or similar looks possible, atleast does ip6tables support marking and ip -6 rule supports fwmark rules.

//Zeb

 

[ZebMcKayhan]

4.12bc

Wg_client (dev) was updated 29/11 whilst wg_manager (4.12bC) was updated 23/11.

Do you still have the same issues if you use wg client 4.13 (29/11)

//Zeb