Wireguard Session Manager - Discussion (2nd) thread

[ZebMcKayhan]

With a lot of effort and help of ZebMcKayhan it was resolved. To also help others who struggle with this issue about using smb shares on a nas (not your router, but for instance synology) add on ssh router this:

"iptables -t nat -I POSTROUTING -s 10.50.X.0/24 -d 192.168.1.Y -j SNAT --to-source 192.168.1.Z -m comment --comment "WireGuard 'server'" where 10.50.x.0/24 stands for your wireguard server ip-range, 192.168.1.Y is the ip of your nas/samba share device, 192.168.1.z is the local ip-adress of your router.

All credit goes to zeb for this one, thx!

Btw the samba shares can't be reached with the samba server name but you got to use the ip-adress like for example \\ip-adress of your nas or samba share device, this is because wireguard is udp-based.

Really glad we (finally) made it work, even though it's not the most elegant solution.

I will write something about it here

WireguardManager/README.md at main · ZebMcKayhan/WireguardManager

Manage/Install WireGuard on applicable ASUS routers - ZebMcKayhan/WireguardManager

github.com

And equally glad you are testing out the new ax88u 20211208 kernel module version!

//Zeb

 

[ZebMcKayhan]

Just released the RT-AC86U - 20211208 kernel module.

To get the updated modules:

E:Option ==> getmodules

           Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20211208-k2 7_1_aarch64-3.10.ipk' for RT-AC86U (v) @ZebMcKayhan

And reboot router to get the new module loaded.

//Zeb

 

[Martineau]

E:Option ==> getmodules

           Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20211208-k2 7_1_aarch64-3.10.ipk' for RT-AC86U (v) @ZebMcKayhan

And reboot router to get the new module loaded.

or to save a reboot...issue

e  = Exit Script [?]

E:Option ==> loadmodules

 

[chongnt]

or to save a reboot...issue

e  = Exit Script [?]

E:Option ==> loadmodules

on both command I get this in syslog. Everything is working fine.

Dec 14 18:41:13 RT-AC86U-DBA8 kernel: wireguard: version magic '4.1.51 SMP preempt mod_unload aarch64' should be '4.1.27 SMP preempt mod_unload aarch64'
Dec 14 19:17:41 RT-AC86U-DBA8 kernel: wireguard: version magic '4.1.51 SMP preempt mod_unload aarch64' should be '4.1.27 SMP preempt mod_unload aarch64'

 

[ZebMcKayhan]

on both command I get this in syslog. Everything is working fine.

Dec 14 18:41:13 RT-AC86U-DBA8 kernel: wireguard: version magic '4.1.51 SMP preempt mod_unload aarch64' should be '4.1.27 SMP preempt mod_unload aarch64'
Dec 14 19:17:41 RT-AC86U-DBA8 kernel: wireguard: version magic '4.1.51 SMP preempt mod_unload aarch64' should be '4.1.27 SMP preempt mod_unload aarch64'

Interesting... I did not see this, but I upgraded differently (not via github), but it should have made any difference. almost looks like there is some 4.1.51 (AX88) leftover in there...

my builds are completely separate so I don't see how they could be mixed up.
will this pop up each time you reboot (or load the modules?).

 

[chongnt]

Interesting... I did not see this, but I upgraded differently (not via github), but it should have made any difference. almost looks like there is some 4.1.51 (AX88) leftover in there...

my builds are completely separate so I don't see how they could be mixed up.
will this pop up each time you reboot (or load the modules?).

I noticed it after run getmodules and loadmodules. I have not reboot yet. I also did uf dev update before run these commands.

 

[Chewie420]

Hi I am still having some issue with getting wireguard working was hoping I could get some help.

I am now to the point where I have the torguard config file I generated imported and the server and client seem to be running from my limited knowledge. When I go to whatismyip.com I still see my ISP IP.

-------------------------

E:Option ==> diag

WireGuard VPN Peer Status
interface: wg21
public key: xxx
private key: (hidden)
listening port: 51820

WireGuard VPN Peers

Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server Auto Subnet Port Annotate
wg21 Y 10.50.1.1/24 51820 # RT-AX88U Server #1

Client Auto IP Endpoint DNS MTU Annotate
wg11 N 10.13.53.185/24 192.252.213.114:1443 9.9.9.9.9 1412 # TorGuard WireGuard Config


DEBUG: Routing info MTU etc.

37: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.50.1.1/24 scope global wg21
valid_lft forever preferred_lft forever

DEBUG: Routing Table main

10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

DEBUG: RPDB rules

0: from all lookup local
9810: from all fwmark 0xd2 lookup 210
10010: from 192.168.5.103 lookup main
10011: from 192.168.5.109 lookup main
10012: from 192.168.56.0/24 lookup main
10210: from 192.168.24.0/24 lookup ovpnc1
10211: from 192.168.224.0/24 lookup ovpnc1
10212: from 192.168.50.0/24 lookup ovpnc1
10213: from 192.168.55.0/24 lookup ovpnc1
10214: from 192.168.5.0/24 lookup ovpnc1
10215: from 192.168.24.0/24 lookup ovpnc1
10216: from 192.168.224.0/24 lookup ovpnc1
10217: from 192.168.50.0/24 lookup ovpnc1
10218: from 192.168.55.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default

DEBUG: Netstat

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.50.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wg21

DEBUG: UDP sockets.

udp 0 0 0.0.0.0:51820 0.0.0.0:* -
udp 0 0 :::51820 :::* -

DEBUG: Firewall rules


DEBUG: -t filter

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * wg21 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
2 0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
2 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 /* WireGuard 'server' */

Chain OUTPUT (policy ACCEPT 608 packets, 147K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * wg21 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */

DEBUG: -t nat

Chain PREROUTING (policy ACCEPT 129 packets, 14407 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 /* WireGuard 'server' */

Chain POSTROUTING (policy ACCEPT 35 packets, 2616 bytes)
num pkts bytes target prot opt in out source destination

DEBUG: -t mangle

Chain FORWARD (policy ACCEPT 110 packets, 11540 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- * wg21 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */ MARK xset 0x1/0x7
2 0 0 TCPMSS tcp -- wg21 * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
3 0 0 TCPMSS tcp -- * wg21 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU

Chain PREROUTING (policy ACCEPT 548 packets, 87288 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */ MARK xset 0x1/0x7


Use command 'diag sql [ table_name ]' to see the SQL data (might be many lines!)

Valid SQL Database tables: clients fwmark passthru servers traffic
devices ipset policy session

e.g. diag sql traffic will show the traffic stats SQL table

 

[Martineau]

Hi I am still having some issue with getting wireguard working was hoping I could get some help.

I am now to the point where I have the torguard config file I generated imported and the server and client seem to be running from my limited knowledge. When I go to whatismyip.com I still see my ISP IP.

-------------------------

E:Option ==> diag

        WireGuard VPN Peer Status
interface: wg21
  public key: xxx
  private key: (hidden)
  listening port: 51820

        WireGuard VPN Peers

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51820  # RT-AX88U Server #1

Client  Auto  IP               Endpoint              DNS        MTU   Annotate
wg11    N     10.13.53.185/24  192.252.213.114:1443  9.9.9.9.9  1412  # TorGuard WireGuard Config


        DEBUG:  Routing info MTU etc.

37: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.50.1.1/24 scope global wg21
       valid_lft forever preferred_lft forever

        DEBUG:  Routing Table main

10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

        DEBUG:  RPDB rules

0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
10010:  from 192.168.5.103 lookup main
10011:  from 192.168.5.109 lookup main
10012:  from 192.168.56.0/24 lookup main
10210:  from 192.168.24.0/24 lookup ovpnc1
10211:  from 192.168.224.0/24 lookup ovpnc1
10212:  from 192.168.50.0/24 lookup ovpnc1
10213:  from 192.168.55.0/24 lookup ovpnc1
10214:  from 192.168.5.0/24 lookup ovpnc1
10215:  from 192.168.24.0/24 lookup ovpnc1
10216:  from 192.168.224.0/24 lookup ovpnc1
10217:  from 192.168.50.0/24 lookup ovpnc1
10218:  from 192.168.55.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

        DEBUG: Netstat

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.50.1.0       0.0.0.0         255.255.255.0   U         0 0          0 wg21

        DEBUG: UDP sockets.

udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 :::51820                :::*                                -

        DEBUG:  Firewall rules


        DEBUG:  -t filter

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain OUTPUT (policy ACCEPT 608 packets, 147K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

        DEBUG:  -t nat

Chain PREROUTING (policy ACCEPT 129 packets, 14407 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain POSTROUTING (policy ACCEPT 35 packets, 2616 bytes)
num   pkts bytes target     prot opt in     out     source               destination

        DEBUG:  -t mangle

Chain FORWARD (policy ACCEPT 110 packets, 11540 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7
2        0     0 TCPMSS     tcp  --  wg21   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
3        0     0 TCPMSS     tcp  --  *      wg21    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU

Chain PREROUTING (policy ACCEPT 548 packets, 87288 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7


Use command 'diag sql [ table_name ]' to see the SQL data (might be many lines!)

       Valid SQL Database tables: clients   fwmark    passthru  servers   traffic
devices   ipset     policy    session

             e.g. diag sql traffic will show the traffic stats SQL table

Firstly, please post diagnostic text into the CODE tag...it makes it so much easier to read as shown above, by retaining column formatted text, and for long text blocks, we can use the scroll bar....

So from this.....can I confirm....

Router RT-AX88U Firmware (v3.0.0.4.384.18_0)

[✔] Entware Architecture arch=aarch64


v4.12 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/main/wg_manager.sh)
MD5=c9a6b7d4cb671b32e971dcae99b57c8d /jffs/addons/wireguard/wg_manager.sh

[✔] WireGuard Module LOADED Tue Dec 14 08:48:18 EST 2021

MD5=38054ddf88fb9b455646fb68d94e13ef wireguard-kernel_1.0.20210606-k51_1_aarch64-3.10.ipk
MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

[✔] DNSmasq is listening on ALL WireGuard interfaces 'wg*'

[✔] firewall-start is monitoring WireGuard Firewall rules

[✖] WAN KILL-Switch is DISABLED (use 'vx' command for info)
[✖] UDP monitor is DISABLED

[ℹ ] Reverse Path Filtering DISABLED

[ℹ ] Speedtest quick link https://fast.com/en/gb/

[✔] Statistics gathering is ENABLED

WireGuard ACTIVE Peer Status: Clients 1, Servers 1

are you really so far behind with your Firmware version v3.0.0.4.384.18_0 ??????


OK, from this info

        DEBUG:  Routing Table main

10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

        DEBUG:  RPDB rules

0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
10010:  from 192.168.5.103 lookup main
10011:  from 192.168.5.109 lookup main
10012:  from 192.168.56.0/24 lookup main
10210:  from 192.168.24.0/24 lookup ovpnc1
10211:  from 192.168.224.0/24 lookup ovpnc1
10212:  from 192.168.50.0/24 lookup ovpnc1
10213:  from 192.168.55.0/24 lookup ovpnc1
10214:  from 192.168.5.0/24 lookup ovpnc1
10215:  from 192.168.24.0/24 lookup ovpnc1
10216:  from 192.168.224.0/24 lookup ovpnc1
10217:  from 192.168.50.0/24 lookup ovpnc1
10218:  from 192.168.55.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

From the wireguard_manager perspective, the Torguard 'client' peer should be redirecting ALL LAN traffic thru' its tunnel, but it appears you still have OpenVPN rules active, and in order to debug, I suggest you stop the OpenVPN client, then restart the WireGuard Torguard 'client' Peer tunnel, as two default WireGuard firewall rules are missing?

what does the following show?

e  = Exit Script [?]

E:Option ==> list

e  = Exit Script [?]

E:Option ==> wg

 

[ZebMcKayhan]

Client Auto IP Endpoint DNS MTU Annotate
wg11 N 10.13.53.185/24 192.252.213.114:1443 9.9.9.9.9 1412 # TorGuard WireGuard Config

And your internet client is in auto=N mode.

 

[Martineau]

And your internet client is in auto=N mode.

Indeed but before the OP can set 'auto=P' he will need to define the Selective Routing Policy rules!

At the moment the default for starting the Torguard 'client' Peer should be everything over the tunnel, but the necessary firewall rules are missing

Probably not connected to the back-level Firmware, but until we can prove that WireGuard is actually functional it's easier to keep it simple.

 

[DreaZ]

Sorry, typo, rmmod should be correct

rmmod -f wireguard

And it should be executed at ssh prompt, not in wgm.

That had no effect either.

 

[ZebMcKayhan]

There seems to be some (for me, unkown) reason for some system downloading and loading the wrong kernel module (as for @chongnt ).

currently residing modules on my github are:

for RT-AC86U / GT-AC2900: [wireguard-kernel_1.0.20211208-k27_1_aarch64-3.10.ipk]
for RT-AX88U / GT-AX11000: [wireguard-kernel_1.0.20210606-k51_1_aarch64-3.10.ipk]

make sure you get the right one for your system. check this when updating:

E:Option ==> getmodule

    Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20210606-k51_1_aarch64-3.10.ipk' for RT-AX88U (v3.0.0.4.386.3_beta3) @ZebMcKayhan

if you updated without noticing, check out the:

/jffs/addons/wireguard/

folder to find which .ipk you are currently running (.ipkZ are backups that are not used anymore)

it appears as running the AX88U module on an AC86U appears to be working, except for some kernel error message so there might not be an immediate issue, but could cause issues in your system later (?).

to make kernel module names more clear, there will (soon) be updated names, but both names will be kept for some time for backwards compatibility:
for RT-AC86U / GT-AC2900:
wireguard-kernel_1.0.20211208-RT-AC86U_2_aarch64-3.10.ipk
wireguard-kernel_1.0.20211208-k27_2_aarch64-3.10.ipk

for RT-AX88U / GT-AX11000:
wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk
wireguard-kernel_1.0.20211208-k51_2_aarch64-3.10.ipk

I've made new, clean firmware builds yesterday and compiled new kernel modules, which are currently under test. I will release them in a couple of days when we have tested them. they will be the first modules released with the new names alongside the old names.

//Zeb

 

[Martineau]

Do you know if this one works with VPN director I want to make sure that only certain subnets use my VPN connection.

I have uploaded wireguard_manager Beta 4.13b4 which now includes VPN Director Policy rule clone support.

i.e. To upgrade use

e  = Exit Script [?]

E:Option ==> uf dev

then request the VPN Director Policy rule clone process

e.g.

e  = Exit Script [?]

E:Option ==> vpndirector clone

    Auto clone VPN Director rules

    peer wg11 rule add wan 192.168.5.103 comment .5.103 via WAN
    [✔] Updated RPDB Selective Routing rule for wg11

    peer wg11 rule add wan 192.168.5.109 comment .5.109 via WAN
    [✔] Updated RPDB Selective Routing rule for wg11

    peer wg11 rule add wan dst=172.16.1.99 comment Test Target via WAN
    [✔] Updated RPDB Selective Routing rule for wg11

    peer wg11 rule add vpn 192.168.224.0/24 comment .244 Subnet
    [✔] Updated RPDB Selective Routing rule for wg11

    peer wg11 rule add vpn 192.168.56.0/24 comment .56 Subnet
    [✔] Updated RPDB Selective Routing rule for wg11

    peer wg11 rule add vpn 192.168.55.0/24 comment .55 Subnet
    [✔] Updated RPDB Selective Routing rule for wg11

    peer wg11 rule add vpn 192.168.50.0/24 comment .50 Subnet
    [✔] Updated RPDB Selective Routing rule for wg11

    peer wg11 rule add vpn 192.168.24.0/24 comment .24 Subnet
    [✔] Updated RPDB Selective Routing rule for wg11

    peer wg11 rule add vpn 192.168.5.0/24 comment .5 Subnet
    [✔] Updated RPDB Selective Routing rule for wg11

    peer wg12 rule add vpn 172.16.33.123 comment
    [✔] Updated RPDB Selective Routing rule for wg12

    peer wg13 rule add vpn dst=172.168.11.44 comment
    [✔] Updated RPDB Selective Routing rule for wg13

e  = Exit Script [?]

E:Option ==> vpndirector list

    VPN Director Selective Routing RPDB rules

ID  Peer  Interface  Source            Destination    Description
1   wg11  WAN        192.168.5.103     Any            VPN Director: .5.103 via WAN
2   wg11  WAN        192.168.5.109     Any            VPN Director: .5.109 via WAN
3   wg11  WAN        Any               172.16.1.99    VPN Director: Test Target via WAN
4   wg11  VPN        192.168.224.0/24  Any            VPN Director: .244 Subnet
5   wg11  VPN        192.168.56.0/24   Any            VPN Director: .56 Subnet
6   wg11  VPN        192.168.55.0/24   Any            VPN Director: .55 Subnet
7   wg11  VPN        192.168.50.0/24   Any            VPN Director: .50 Subnet
8   wg11  VPN        192.168.24.0/24   Any            VPN Director: .24 Subnet
9   wg11  VPN        192.168.5.0/24    Any            VPN Director: .5 Subnet
10  wg12  VPN        172.16.33.123     Any            VPN Director:
11  wg13  VPN        Any               172.168.11.44  VPN Director:

This will save you having to tediously manually clone the VPN Director Policy rules.

NOTE: The WireGuard Policy rules will take priority, so will coexist concurrently with the OpenVPN Policy rules

i.e. use the diagnostics to review the RPDB rules

e  = Exit Script [?]

E:Option ==> diag rpdb

 

[ZebMcKayhan]

That had no effect either.

well, atleast good news that the kernel module is not immediately affecting your system... then I dont get why uninstalling wgm would make any difference. besides this and stopping all peers it just removes various files...

maybee you could try to update the the new kernel module to see if it makes any difference. there are some changes that affect compatibility, but it is a long shot.

//Zeb

 

[chongnt]

Just realized passthru seems broken. I have not dial-in wg22 for some time so not sure when it started.

E:Option ==> ?

        Router RT-AC86U Firmware (v3.0.0.4.386.1_2)

        [✔] Entware Architecture arch=aarch64


        v4.13b3 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
        MD5=632599ec0af700a0478e0dd5893611ea /jffs/addons/wireguard/wg_manager.sh



        [✔] WireGuard Module LOADED Wed Dec 15 13:00:20 MYT 2021

        MD5=917ce059b508078ef3fbbf7cee2bf311 wireguard-kernel_1.0.20211208-k27_1_aarch64-3.10.ipk
        MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

...snipped...
Server  Client  Passthru
wg22    wg11    all

This is the error from tcpdump. There is no problem with wg21 which does not use passthru.

20:08:12.921895 IP RT-AC86U-DBA8. > 10.50.22.2: ICMP RT-AC86U-DBA8. udp port domain unreachable, length 72

I try to restart wg22. This is the syslog for stop and start wg22. It seems there is a typo that the log show wireguard server 1 peer terminated.

Dec 15 20:16:03 RT-AC86U-DBA8 (wg_manager.sh): 16641 v4.13b3 Requesting termination of WireGuard VPN 'server' Peer ('wg22')
Dec 15 20:16:04 RT-AC86U-DBA8 wireguard-server: Initialising Wireguard 3rd-Party/Entware Kernel module '/opt/lib/modules/wireguard.ko'
Dec 15 20:16:04 RT-AC86U-DBA8 wireguard-server1: Wireguard VPN 'server' Peer (wg11) on x.x.x.x:yyyyy Terminated
...snipped...
Dec 15 20:16:34 RT-AC86U-DBA8 (wg_manager.sh): 16641 v4.13b3 Initialising Wireguard VPN 'server' Peer (wg22)
Dec 15 20:16:34 RT-AC86U-DBA8 wireguard-server: Initialising Wireguard 3rd-Party/Entware Kernel module '/opt/lib/modules/wireguard.ko'
Dec 15 20:16:34 RT-AC86U-DBA8 wireguard-server2: Initialising Wireguard VPN 'Server' Peer (\e[95mwg22\e[92m) on x.x.x.x:yyyyy

 

[Chewie420]

are you really so far behind with your Firmware version v3.0.0.4.384.18_0 ??????

I need to install ASUS firmware updates as well as Merlin? If so I didn't know I just install Merllin updates.

If I install firmware update from Asus will I need to re-install merlin?

 

[Martineau]

Just realized passthru seems broken. I have not dial-in wg22 for some time so not sure when it started.

This is the error from tcpdump. There is no problem with wg21 which does not use passthru.

20:08:12.921895 IP RT-AC86U-DBA8. > 10.50.22.2: ICMP RT-AC86U-DBA8. udp port domain unreachable, length 72

Hmmm, perhaps I may have dropped a rule....?

Does it work if you issue

ip rule add from 10.50.2.0/24 table 121

assuming 10.50.2.0/24 is the subnet used by 'server' Peer 'wg22' and the intended passthru is via 'client' Peer 'wg11'

 

[Chewie420]

Ok I feel rather stupid now. I thought by updating Merlin I would also update Asus firmware I guess I was way wrong. I have updated firmware to version 3.0.0.4.386.45934 and then re-installed Merlin and I have all my settings back.

 

[Martineau]

I try to restart wg22. This is the syslog for stop and start wg22. It seems there is a typo that the log show wireguard server 1 peer terminated.

Dec 15 20:16:03 RT-AC86U-DBA8 (wg_manager.sh): 16641 v4.13b3 Requesting termination of WireGuard VPN 'server' Peer ('wg22')
Dec 15 20:16:04 RT-AC86U-DBA8 wireguard-server: Initialising Wireguard 3rd-Party/Entware Kernel module '/opt/lib/modules/wireguard.ko'
Dec 15 20:16:04 RT-AC86U-DBA8 wireguard-server1: Wireguard VPN 'server' Peer (wg11) on x.x.x.x:yyyyy Terminated

It is indeed a bug ,

i.e. if you stop a 'server' Peer that is configured to use passthru', then the Passthru( del ) function incorrectly overwrites the variable;
$VPN_ID="wg22" becomes $VPN_ID="wg11"

Consequently, if you have a custom 'wg22-down.sh' script then it wouldn't be executed - instead 'wg11-down.sh' would be executed (if it existed).

I have patched 'wg_server' on the 'dev branch, so you will need to update using

e  = Exit Script [?]

E:Option ==> uf dev

and once you have tested/confirmed the patch, I'll get it rolled out to the main branch ASAP.

 

[Chewie420]

This will save you having to tediously manually clone the VPN Director Policy rules.

I really appreciate you doing that. What a great feature add. I am still having issues with it not connecting and I am not sure what I am doing wrong. I don't want to upset anyone with my lack of knowledge I was just hoping to get it working.

I really really really appreciate all your time.