Wireguard Session Manager - Discussion (2nd) thread

Code:
E:Option ==> diag

        WireGuard VPN Peer Status
interface: wg21
  public key: FSRDl
  private key: (hidden)
  listening port: 51820

peer: TB3Cv
  preshared key: (hidden)
  allowed ips: 10.50.1.2/32

interface: wg11
  public key: SM
  private key: (hidden)
  listening port: 51820

peer: RR93
  endpoint: 192..xxx.xxx.xxx:1443
  allowed ips: 0.0.0.0/0
  persistent keepalive: every 25 seconds

        WireGuard VPN Peers

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51820  # RT-AX88U Server #1

Client  Auto  IP               Endpoint              DNS      MTU  Annotate
wg11    N     10.13.53.185/24  192.xxx.xxx.xxx:1443  1.1.1.1       # TorGuard WireGuard Config

Device              Auto  IP            DNS            Allowed IPs  Annotate
Chewie_iPhone12Pro  X     10.50.1.2/32  64.71.255.204  0.0.0.0/0    # Chewie_iPhone12Pro "Device"

        DEBUG:  Routing info MTU etc.

33: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.50.1.1/24 scope global wg21
       valid_lft forever preferred_lft forever
34: wg11: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000
    link/none
    inet 10.13.53.185/24 scope global wg11
       valid_lft forever preferred_lft forever

        DEBUG:  Routing Table main

10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

        DEBUG:  RPDB rules

0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
10010:  from 192.168.5.103 lookup main
10011:  from 192.168.5.109 lookup main
10012:  from 192.168.56.0/24 lookup main
10013:  from 192.168.50.0/24 lookup main
10014:  from 192.168.224.0/24 lookup main
32766:  from all lookup main
32767:  from all lookup default

        DEBUG:  Routing Table 121 (wg11) # TorGuard WireGuard Config

192.168.5.0/24 dev br0 proto kernel scope link src 192.168.5.1

        DEBUG: Netstat

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.50.1.0       0.0.0.0         255.255.255.0   U         0 0          0 wg21

        DEBUG: UDP sockets.

udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 :::51820                :::*                                -

        DEBUG:  Firewall rules


        DEBUG:  -t filter

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain OUTPUT (policy ACCEPT 1086 packets, 190K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

        DEBUG:  -t nat

Chain PREROUTING (policy ACCEPT 110 packets, 22021 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2   123 WGDNS1     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* WireGuard 'client1 DNS' */
2        0     0 WGDNS1     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* WireGuard 'client1 DNS' */
3        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain POSTROUTING (policy ACCEPT 1 packets, 68 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      wg11    192.168.5.0/24       0.0.0.0/0            /* WireGuard 'client' */

Chain WGDNS1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        1    62 DNAT       all  --  *      *       192.168.5.0/24       0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:1.1.1.1

        DEBUG:  -t mangle

Chain FORWARD (policy ACCEPT 111 packets, 22351 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      wg11    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 TCPMSS     tcp  --  wg11   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
3        0     0 TCPMSS     tcp  --  *      wg11    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
4        0     0 MARK       all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7
5        0     0 TCPMSS     tcp  --  wg21   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
6        0     0 TCPMSS     tcp  --  *      wg21    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU

Chain PREROUTING (policy ACCEPT 280 packets, 58013 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  wg11   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 MARK       all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7


Use command 'diag sql [ table_name ]' to see the SQL data (might be many lines!)

       Valid SQL Database tables: clients   fwmark    passthru  servers   traffic
devices   ipset     policy    session

             e.g. diag sql traffic will show the traffic stats SQL table


        WireGuard ACTIVE Peer Status: Clients 1, Servers 1

I think I am getting much closer now, because the wgm status does show my VPN IP and not my ISP's, but when I go to whatismyip.com on my PC it still shows the ISP IP.
 
I am still having issues with it not connecting and I am not sure what I am doing wrong.
Probably my shoddy script! :cool:
I don't want to upset anyone with my lack of knowledge I was just hoping to get it working.
We all started as noobs, and I assure you, despite my manky coding skills, the script does actually work....eventually!:D
 
I think it has more to do with me not knowing enough. I am getting closer and closer to having it work, I think. I'm just not sure if I am missing anything obvious. I posted my results from diag above; is there anything else I can post to help get this working?
 
Did you use the vpndirector clone command, as shown in post:
then you need to set 'client' Peer 'wg11' to Policy mode
Code:
e  = Exit Script [?]

E:Option ==> peer wg11 auto=p

    [✔] Updated 'wg11' AUTO=P
then restart the 'client' Peer 'wg11' in Policy mode
Code:
e  = Exit Script [?]
e.g.
E:Option ==> start wg11

    Requesting WireGuard VPN Peer start (wg11)

    wireguard-clientwg13: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to 96.44.189.98:51820 (# Mullvad USA, Dallas) DNS=193.138.218.74
    wireguard-clientwg13: Initialisation complete.
 

OK, I did that, and yes, I ran uf dev and cloned the VPN Director settings.

Code:
wireguard-clientwg11: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to 192..xxx.xxx.xxx:1443 (# TorGuard WireGuard Config) DNS=1.1.1.1
iptables: Chain already exists.
 
OK,

So if
Code:
e  = Exit Script [?]

E:Option ==> vpndirector list
shows the cloned VPN Director rules are in the SQL database, the diag doesn't show them as having been applied in the RPDB rule section,

Why, because you posted this?
Code:
Client  Auto  IP               Endpoint              DNS      MTU  Annotate
wg11    N     10.13.53.185/24  192.xxx.xxx.xxx:1443  1.1.1.1       # TorGuard WireGuard Config
which indicates 'client' Peer 'wg11' is NOT in Policy mode since you haven't followed the advice to issue the three commands in this post
 
Code:
wireguard-clientwg11: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to 192..xxx.xxx.xxx:1443 (# TorGuard WireGuard Config) DNS=1.1.1.1

iptables: Chain already exists.
 
It is indeed a bug :eek:,

i.e. if you stop a 'server' Peer that is configured to use 'passthru', then the Passthru( del ) function incorrectly overwrites the variable;
$VPN_ID="wg22" becomes $VPN_ID="wg11" :oops:

Consequently, if you have a custom 'wg22-down.sh' script then it wouldn't be executed - instead 'wg11-down.sh' would be executed (if it existed).

I have patched 'wg_server' on the 'dev' branch, so you will need to update using
Code:
e  = Exit Script [?]

E:Option ==> uf dev
and once you have tested/confirmed the patch, I'll get it rolled out to the main branch ASAP.
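The variable clobbering described in the post above, shown as an added illustration that is not the wg_server code: a shell helper that assigns to a name its caller is also using (here VPN_ID, which the caller later uses to pick the peer's wgNN-down.sh hook) overwrites the caller's value unless the function declares that name local. The passthru table contents, the function bodies and the hook-script naming are constructed for the example.

```sh
#!/bin/sh
# Added example (not the wg_server code): a helper that assigns to a name its
# caller also relies on silently changes which 'wgNN-down.sh' hook is run.

# Constructed stand-in for the 'passthru' SQL table: "server:client" pairs.
PASSTHRU="wg21:wg11 wg22:wg11"

# passthru_del_buggy SERVER_PEER: drop SERVER_PEER's passthru entries.
# It borrows VPN_ID as scratch space for each entry's 'client' peer, so when
# it returns, the caller's VPN_ID ("wg22") has become "wg11".
passthru_del_buggy() {
    kept=""
    for entry in $PASSTHRU; do
        VPN_ID="${entry##*:}"                              # the bug: clobbers the caller
        [ "${entry%%:*}" = "$1" ] || kept="$kept $entry"   # keep other servers' entries
    done
    PASSTHRU="${kept# }"
}

# passthru_del_fixed SERVER_PEER: same logic, but 'local' (busybox ash, dash and
# bash all support it) confines every scratch variable to this function.
passthru_del_fixed() {
    local VPN_ID kept="" entry
    for entry in $PASSTHRU; do
        VPN_ID="${entry##*:}"
        [ "${entry%%:*}" = "$1" ] || kept="$kept $entry"
    done
    PASSTHRU="${kept# }"
}

# stop_server_peer SERVER_PEER buggy|fixed
# Mimics the 'server' peer stop path: remove the passthru entries, then name
# the hook script that would be executed (assumed naming: <peer>-down.sh).
stop_server_peer() {
    VPN_ID="$1"
    if [ "$2" = buggy ]; then passthru_del_buggy "$VPN_ID"; else passthru_del_fixed "$VPN_ID"; fi
    echo "${VPN_ID}-down.sh"
}

echo "buggy: $(stop_server_peer wg22 buggy)"    # wg11-down.sh: the wrong peer's hook
echo "fixed: $(stop_server_peer wg22 fixed)"    # wg22-down.sh
```

The same pattern is worth grepping for in any long-lived shell script: a function that assigns to an upper-case name without local is a global write, whatever the author intended.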
Thanks for your fast reply. passthru is working as expected now.
 
Sorry, I did miss doing that, but I have done it now.
 
If all else fails...

REBOOT

then hopefully in Syslog you will see both the 'server' Peer 'wg21' and the TorGuard 'client' Peer 'wg11' auto started/initialised.

diag should now also show lots of RPDB rules and data transfers for 'client' Peer 'wg11'?
 
Sorry for the confusion. I ended up removing wgm last night after I couldn't get it working, since I figured that doing the VPN Director stuff would be beyond me. When I woke up today and saw you had updated your script, I decided to try again, but I did forget to set the policy.
 

Rebooted and still not working :(
 
Code:
       WireGuard VPN Peer Status
interface: wg21
  public key: FSRDlT
  private key: (hidden)
  listening port: 51820

peer: TB3Cv
  preshared key: (hidden)
  allowed ips: 10.50.1.2/32

interface: wg11
  public key: SMGjy
  private key: (hidden)
  listening port: 51820

peer: RR93D1BA9XeVRV
  endpoint: 192.xxx.xxx.xxx:1443
  allowed ips: 0.0.0.0/0
  persistent keepalive: every 25 seconds

        WireGuard VPN Peers

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51820  # RT-AX88U Server #1

Client  Auto  IP               Endpoint              DNS      MTU  Annotate
wg11    P     10.13.53.185/24  192.xxx.xxx.xxx:1443  1.1.1.1       # TorGuard WireGuard Config

Device              Auto  IP            DNS            Allowed IPs  Annotate
Chewie_iPhone12Pro  X     10.50.1.2/32  64.71.255.204  0.0.0.0/0    # Chewie_iPhone12Pro "Device"

        DEBUG:  Routing info MTU etc.

31: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.50.1.1/24 scope global wg21
       valid_lft forever preferred_lft forever
32: wg11: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000
    link/none
    inet 10.13.53.185/24 scope global wg11
       valid_lft forever preferred_lft forever

        DEBUG:  Routing Table main

10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

        DEBUG:  RPDB rules

0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
9910:   from 192.168.56.0/24 lookup main
9910:   from 192.168.50.0/24 lookup main
9910:   from 192.168.5.109 lookup main
9910:   from 192.168.5.103 lookup main
9910:   from 192.168.224.0/24 lookup main
9911:   from 192.168.55.0/24 lookup 121
9911:   from 192.168.5.0/24 lookup 121
9911:   from 192.168.24.0/24 lookup 121
10010:  from 192.168.5.103 lookup main
10011:  from 192.168.5.109 lookup main
10012:  from 192.168.56.0/24 lookup main
10013:  from 192.168.50.0/24 lookup main
10014:  from 192.168.224.0/24 lookup main
32766:  from all lookup main
32767:  from all lookup default

        DEBUG:  Routing Table 121 (wg11) # TorGuard WireGuard Config

192.168.5.0/24 dev br0 proto kernel scope link src 192.168.5.1

        DEBUG: Netstat

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.50.1.0       0.0.0.0         255.255.255.0   U         0 0          0 wg21

        DEBUG: UDP sockets.

udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 :::51820                :::*                                -

        DEBUG:  Firewall rules


        DEBUG:  -t filter

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain OUTPUT (policy ACCEPT 23977 packets, 6177K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

        DEBUG:  -t nat

Chain PREROUTING (policy ACCEPT 3248 packets, 647K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7294  523K WGDNS1     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* WireGuard 'client1 DNS' */
2        0     0 WGDNS1     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* WireGuard 'client1 DNS' */
3        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain POSTROUTING (policy ACCEPT 84 packets, 7469 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      wg11    192.168.5.0/24       0.0.0.0/0            /* WireGuard 'client' */

Chain WGDNS1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1     4004  279K DNAT       all  --  *      *       192.168.55.0/24      0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:1.1.1.1
2       72  4837 DNAT       all  --  *      *       192.168.5.0/24       0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:1.1.1.1
3     3148  234K DNAT       all  --  *      *       192.168.24.0/24      0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:1.1.1.1

        DEBUG:  -t mangle

Chain FORWARD (policy ACCEPT 12334 packets, 1062K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      wg11    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 TCPMSS     tcp  --  wg11   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
3        0     0 TCPMSS     tcp  --  *      wg11    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
4        0     0 MARK       all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7
5        0     0 TCPMSS     tcp  --  wg21   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
6        0     0 TCPMSS     tcp  --  *      wg21    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU

Chain PREROUTING (policy ACCEPT 35811 packets, 5615K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  wg11   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 MARK       all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7


Use command 'diag sql [ table_name ]' to see the SQL data (might be many lines!)

       Valid SQL Database tables: clients   fwmark    passthru  servers   traffic
devices   ipset     policy    session

             e.g. diag sql traffic will show the traffic stats SQL table


        WireGuard ACTIVE Peer Status: Clients 1, Servers 1
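An added example, not part of this thread or of wgm, that automates the checks the replies in this thread ask for (RPDB rules applied, handshake present and fresh, traffic actually able to leave the tunnel). It reads the same command outputs that diag prints and names each reason a Policy-mode 'client' peer cannot be carrying traffic. The sample inputs are constructed to mirror the post-reboot diag above (wg11 shows qdisc noop state DOWN, wg show has no latest handshake line, 9911 rules select table 121, and table 121 holds only the br0 LAN route), with a second constructed set for a working tunnel; the earlier diag, posted while wg11 was still Auto=N, would additionally fail the RPDB check. The TEST-NET endpoint address, the three-minute handshake limit and the contents of a populated table 121 are assumptions.

```sh
#!/bin/sh
# Added example (not wgm code): check why a WireGuard 'client' peer running in
# Policy mode is not carrying LAN traffic, using the same command outputs that
# wgm's 'diag' prints: ip link, wg show, ip rule and the peer's route table.

# wg_link_up IFACE   (ip link output on stdin) -> 0 when the link flags contain UP
wg_link_up() {
    grep -E "^[0-9]+: $1: <" | grep -Eq "<([A-Z_]+,)*UP(,[A-Z_]+)*>"
}

# wg_handshake_age IFACE   (wg show output on stdin)
# Prints the age in seconds of IFACE's "latest handshake: 1 minute, 32 seconds ago"
# line, or nothing at all when the peer has never completed a handshake.
wg_handshake_age() {
    awk -v want="$1" '
        /^interface: / { cur = $2 }
        cur == want && /latest handshake:/ {
            sub(/.*latest handshake: */, ""); sub(/ ago$/, "")
            n = split($0, part, ", "); secs = 0
            for (i = 1; i <= n; i++) {
                split(part[i], kv, " ")
                if (kv[2] ~ /^day/)    secs += kv[1] * 86400
                if (kv[2] ~ /^hour/)   secs += kv[1] * 3600
                if (kv[2] ~ /^minute/) secs += kv[1] * 60
                if (kv[2] ~ /^second/) secs += kv[1]
            }
            print secs; exit
        }'
}

# wg_policy_check IFACE TABLE LINKS WGSHOW RULES ROUTES
# Prints the names of the failed checks and returns 1 if any check failed.
wg_policy_check() {
    local iface="$1" table="$2" age failed=""
    # 1. the tunnel interface has to be UP ('qdisc noop state DOWN' means nothing can leave it)
    printf '%s\n' "$3" | wg_link_up "$iface" || failed="$failed link-down"
    # 2. WireGuard carries no traffic until a handshake completes, and it re-handshakes
    #    roughly every 2 minutes, so a handshake older than 3 minutes (assumed limit)
    #    means the remote peer is no longer answering
    age=$(printf '%s\n' "$4" | wg_handshake_age "$iface")
    if [ -z "$age" ]; then failed="$failed no-handshake"
    elif [ "$age" -gt 180 ]; then failed="$failed stale-handshake"; fi
    # 3. Policy mode only steers traffic if RPDB rules actually select the peer's table
    printf '%s\n' "$5" | grep -Eq "lookup ${table}\$" || failed="$failed no-rpdb-rules"
    # 4. a selected table with no default route is skipped and the lookup falls through
    #    to the next rule (normally 'main'), so the traffic leaves via the ISP instead
    printf '%s\n' "$6" | grep -Eq "^default .*dev ${iface}( |\$)" || failed="$failed no-default-route"
    echo "${failed# }"
    [ -z "$failed" ]
}

# Constructed samples mirroring the post-reboot 'diag' (endpoint is a TEST-NET address)
DIAG_LINKS='31: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
32: wg11: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000'
DIAG_WGSHOW='interface: wg11
  public key: SMGjy
  listening port: 51820

peer: RR93D1BA9XeVRV
  endpoint: 192.0.2.1:1443
  allowed ips: 0.0.0.0/0
  persistent keepalive: every 25 seconds'
DIAG_RULES='0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
9910:   from 192.168.5.103 lookup main
9911:   from 192.168.5.0/24 lookup 121
32766:  from all lookup main
32767:  from all lookup default'
DIAG_TABLE121='192.168.5.0/24 dev br0 proto kernel scope link src 192.168.5.1'

# Constructed samples of the same outputs for a tunnel that is actually working
OK_LINKS='32: wg11: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000'
OK_WGSHOW="$DIAG_WGSHOW
  latest handshake: 1 minute, 32 seconds ago
  transfer: 3.21 MiB received, 1.05 MiB sent"
OK_TABLE121='default dev wg11 scope link
192.168.5.0/24 dev br0 proto kernel scope link src 192.168.5.1'

report() {   # report LABEL IFACE TABLE LINKS WGSHOW RULES ROUTES
    local label="$1" out; shift
    if out=$(wg_policy_check "$@"); then echo "$label: ok"; else echo "$label: FAILED ($out)"; fi
}
report "post-reboot diag" wg11 121 "$DIAG_LINKS" "$DIAG_WGSHOW" "$DIAG_RULES" "$DIAG_TABLE121"
report "working tunnel"   wg11 121 "$OK_LINKS" "$OK_WGSHOW" "$DIAG_RULES" "$OK_TABLE121"
```

On the router itself the four inputs come from ip link, wg show, ip rule and ip route show table 121; the check order matters because a DOWN link explains a missing handshake, and a missing handshake explains empty transfer counters, so fix the first failure before reading anything into the later ones.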
 
Are you sure your wireguard internet client wg11 is actually working?

If you issue:
Code:
E:Option ==> show

Under wg11, do you see
Code:
latest handshake: 1 minute, 32 seconds ago

Or is that line missing, or timer over 3 minutes?

If ok, then these ips
Code:
192.168.55.0/24
192.168.5.0/24
192.168.24.0/24
(except for 5.103 and 5.109) are routed out via wg11.
So make sure you are using these IPs when testing.

What is up with all these subnets? This is one of the most complex setups I've ever seen...
 
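The handshake check above, as an added example that is not part of wgm or the post: it reads `wg show`-style output (the layout the diag listing uses), finds the "latest handshake" line under a given interface, and applies the "missing line or over 3 minutes" rule. The sample output is constructed; the peer names and endpoint are placeholders.

```python
import re

# A handshake older than this is treated as a dead tunnel: the post's rule of
# thumb is "over 3 minutes", since WireGuard re-handshakes roughly every 2 min.
STALE_AFTER_SECONDS = 180
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

# Constructed sample: wg11 never completed a handshake (no 'latest handshake'
# line, as in the OP's case), wg21 handshook 1 minute 32 seconds ago.
SAMPLE_SHOW = """\
interface: wg11
  listening port: 51820

peer: RR93
  endpoint: 192.0.2.10:1443
  allowed ips: 0.0.0.0/0
  persistent keepalive: every 25 seconds

interface: wg21
  listening port: 51820

peer: TB3Cv
  allowed ips: 10.50.1.2/32
  latest handshake: 1 minute, 32 seconds ago
"""

def handshake_age(show_output, iface):
    """Seconds since the latest handshake of the first peer under `iface`,
    or None when that interface shows no 'latest handshake' line at all."""
    current = None
    for line in show_output.splitlines():
        text = line.strip()
        if text.startswith("interface:"):
            current = text.split()[1]
        elif current == iface and text.startswith("latest handshake:"):
            when = text[len("latest handshake:"):].strip()
            if when == "Now":  # wg prints this for an age under one second
                return 0
            return sum(int(n) * UNITS[u] for n, u in
                       re.findall(r"(\d+) (second|minute|hour|day)s?", when))
    return None

def tunnel_status(show_output, iface):
    """'no handshake' = line missing, 'stale' = over 3 minutes, else 'ok'."""
    age = handshake_age(show_output, iface)
    if age is None:
        return "no handshake"
    return "stale" if age > STALE_AFTER_SECONDS else "ok"

if __name__ == "__main__":
    for iface in ("wg11", "wg21"):
        print(iface, tunnel_status(SAMPLE_SHOW, iface))
```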
Are you sure your wireguard internet client wg11 is actually working?

If you issue:
Code:
E:Option ==> show

Under wg11, do you see
Code:
latest handshake: 1 minute, 32 seconds ago

Or is that line missing, or timer over 3 minutes?

If ok, then these ips
Code:
192.168.55.0/24
192.168.5.0/24
192.168.24.0/24
Except for 5.103 and 5.109.
So make sure you are using these IPs when testing.
Hi, I am testing using 192.168.5.100. No, I am not sure, and if I had to guess I would say that it is not working.

Here are the results from "show". I have not made a successful handshake; it just shows my TorGuard IP, which it wasn't yesterday, so I thought it was working for a minute.

Code:
E:Option ==> show

interface: wg11 192.xxx.xxx.xxx:1443 10.13.53.185/24 # TorGuard WireGuard Config
peer: R

interface: wg21 Port:51820 10.50.1.1/24 VPN Tunnel Network # RT-AX88U Server #1
peer: TB3 10.50.1.2/32 # Chewie_iPhone12Pro "Device"

WireGuard ACTIVE Peer Status: Clients 1, Servers 1
 
Are you sure your wireguard internet client wg11 is actually working?

If you issue:
Code:
E:Option ==> show

Under wg11, do you see
Code:
latest handshake: 1 minute, 32 seconds ago

Or is that line missing, or timer over 3 minutes?

If ok, then these ips
Code:
192.168.55.0/24
192.168.5.0/24
192.168.24.0/24
Except for 5.103 and 5.109.
So make sure you are using these IPs when testing.
I just want to make sure I am understanding this because I could be way off. My intention is to have my router connect to my Torguard VPN and hide my IP for all systems on 192.168.5.0/24 except for 192.168.5.103 and 109.

That is how my OpenVPN was set up in the GUI. I am not trying to have it so I can use my iPhone to connect to the LAN. I have PiVPN set up for that and will use it until I can get WG working.

I just wanted to make sure I am able to do this and I am not mistaken with what I am trying to do.
 
My intention is to have my router connect to my Torguard VPN and hide my IP for all systems on 192.168.5.0/24 except for 192.168.5.103 and 109.
This sounds very doable.

But you seem to have a lot of rules you are not using? Where do these come from:
Code:
9910: from 192.168.56.0/24 lookup main
9910: from 192.168.50.0/24 lookup main
9910: from 192.168.224.0/24 lookup main
9911: from 192.168.55.0/24 lookup 121
9911: from 192.168.24.0/24 lookup 121
10012: from 192.168.56.0/24 lookup main
10014: from 192.168.224.0/24 lookup main
Are these subnets you are not using? If so, could you remove them?

Anyhow, until you get your peer to handshake, there is no point in working with the rules, but try to reduce the complexity of your system so it is understandable. Just make a single rule for your test computer and scrap all else. Add more as it starts to work.

Try out your TorGuard conf file on another system (i.e. Android WireGuard) just to check that the conf file is good (some seem to die after some inactivity and you need to generate a new one).
 
What is up with all these subnets? This is one of the most complex setups I've ever seen...

I have 192.168.50.0/24 for my 5 GHz Guest wifi
I have 192.168.50.0/24 for my 5 GHz IoT devices wifi
I have 192.168.24.0/24 for my 2.4 GHz Guest wifi
I have 192.168.224.0/24 for my 2.4 GHz IoT devices wifi
I also had 192.168.56.0/24 setup for my Work Devices and set not to use VPN
 
I have 192.168.50.0/24 for my 5 GHz Guest wifi
I have 192.168.50.0/24 for my 5 GHz IoT devices wifi
I have 192.168.24.0/24 for my 2.4 GHz Guest wifi
I have 192.168.224.0/24 for my 2.4 GHz IoT devices wifi
I also had 192.168.56.0/24 setup for my Work Devices and set not to use VPN
Ok, but if none of these are going out the VPN, then no rules would be needed for them. In Policy mode any IPs not matching any rule will naturally be sent to WAN. In my opinion you would only need these 3 rules:
Code:
9910: from 192.168.5.109 lookup main
9910: from 192.168.5.103 lookup main
9911: from 192.168.5.0/24 lookup 121
Which would translate to wgm commands:
Code:
peer wg11 rule add wan 192.168.5.109 comment 109ToWan
peer wg11 rule add wan 192.168.5.103 comment 103ToWan
peer wg11 rule add vpn 192.168.5.0/24 comment Subnet2VPN

It would be even better to change the IPs on .103 and .109 and divide your network so you do not have to make exception rules. This makes VPN DNS work properly; more info here:

Still, 1st priority is just to get your handshakes going. Start with testing your .conf file.
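To see why those three rules are enough, here is an added Python model of the RPDB lookup (my own illustration, not wgm's code): rules are evaluated in ascending priority, the first matching source wins, and an unmatched source falls through to the main table, which holds the WAN default route. It also shows the pitfall if the two exception rules were given a higher priority number than the subnet rule; that misordered set is constructed for the demonstration, and table 121 is taken from the thread as the wg11 table.

```python
import ipaddress

# The three rules proposed above: (priority, source selector, table).
# Table "main" carries the WAN default route, table 121 routes via wg11.
PROPOSED_RULES = [
    (9910, "192.168.5.109", "main"),
    (9910, "192.168.5.103", "main"),
    (9911, "192.168.5.0/24", "121"),
]

# Constructed counter-example: the same rules with the exceptions numbered
# AFTER the subnet rule, so the /24 rule is consulted first and always wins.
MISORDERED_RULES = [
    (9912, "192.168.5.109", "main"),
    (9912, "192.168.5.103", "main"),
    (9911, "192.168.5.0/24", "121"),
]

def lookup_table(src_ip, rules):
    """Emulate the RPDB: walk rules by ascending priority, first source match
    decides the table. No match falls through to 'main', mirroring the
    default 'from all lookup main' rule that every Linux host carries."""
    src = ipaddress.ip_address(src_ip)
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if src in ipaddress.ip_network(selector, strict=False):
            return table
    return "main"

def egress(src_ip, rules):
    """Which way a packet from src_ip leaves: 'wg11' (table 121) or 'wan'."""
    return "wg11" if lookup_table(src_ip, rules) == "121" else "wan"

if __name__ == "__main__":
    # 5.100 is the test host, 5.103 an exception, 50.7 is on the guest Wi-Fi
    for ip in ("192.168.5.100", "192.168.5.103", "192.168.50.7"):
        print(ip, "->", egress(ip, PROPOSED_RULES))
    print("misordered, 5.103 ->", egress("192.168.5.103", MISORDERED_RULES))
```

With the proposed ordering the exceptions reach the WAN and the unlisted guest and IoT subnets also reach the WAN without any rule of their own; with the misordered set the exceptions silently go out wg11.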
 
