Menu
What's new
By:
Filters Better Search

Wireguard Session Manager - Discussion (2nd) thread

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Code: 
E:Option ==> diag

        WireGuard VPN Peer Status
interface: wg21
  public key: FSRDl
  private key: (hidden)
  listening port: 51820

peer: TB3Cv
  preshared key: (hidden)
  allowed ips: 10.50.1.2/32

interface: wg11
  public key: SM
  private key: (hidden)
  listening port: 51820

peer: RR93
  endpoint: 192..xxx.xxx.xxx:1443
  allowed ips: 0.0.0.0/0
  persistent keepalive: every 25 seconds

        WireGuard VPN Peers

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51820  # RT-AX88U Server #1

Client  Auto  IP               Endpoint              DNS      MTU  Annotate
wg11    N     10.13.53.185/24  192.xxx.xxx.xxx:1443  1.1.1.1       # TorGuard WireGuard Config

Device              Auto  IP            DNS            Allowed IPs  Annotate
Chewie_iPhone12Pro  X     10.50.1.2/32  64.71.255.204  0.0.0.0/0    # Chewie_iPhone12Pro "Device"

        DEBUG:  Routing info MTU etc.

33: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.50.1.1/24 scope global wg21
       valid_lft forever preferred_lft forever
34: wg11: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000
    link/none
    inet 10.13.53.185/24 scope global wg11
       valid_lft forever preferred_lft forever

        DEBUG:  Routing Table main

10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

        DEBUG:  RPDB rules

0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
10010:  from 192.168.5.103 lookup main
10011:  from 192.168.5.109 lookup main
10012:  from 192.168.56.0/24 lookup main
10013:  from 192.168.50.0/24 lookup main
10014:  from 192.168.224.0/24 lookup main
32766:  from all lookup main
32767:  from all lookup default

        DEBUG:  Routing Table 121 (wg11) # TorGuard WireGuard Config

192.168.5.0/24 dev br0 proto kernel scope link src 192.168.5.1

        DEBUG: Netstat

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.50.1.0       0.0.0.0         255.255.255.0   U         0 0          0 wg21

        DEBUG: UDP sockets.

udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 :::51820                :::*                                -

        DEBUG:  Firewall rules


        DEBUG:  -t filter

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain OUTPUT (policy ACCEPT 1086 packets, 190K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

        DEBUG:  -t nat

Chain PREROUTING (policy ACCEPT 110 packets, 22021 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2   123 WGDNS1     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* WireGuard 'client1 DNS' */
2        0     0 WGDNS1     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* WireGuard 'client1 DNS' */
3        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain POSTROUTING (policy ACCEPT 1 packets, 68 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      wg11    192.168.5.0/24       0.0.0.0/0            /* WireGuard 'client' */

Chain WGDNS1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        1    62 DNAT       all  --  *      *       192.168.5.0/24       0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:1.1.1.1

        DEBUG:  -t mangle

Chain FORWARD (policy ACCEPT 111 packets, 22351 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      wg11    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 TCPMSS     tcp  --  wg11   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
3        0     0 TCPMSS     tcp  --  *      wg11    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
4        0     0 MARK       all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7
5        0     0 TCPMSS     tcp  --  wg21   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
6        0     0 TCPMSS     tcp  --  *      wg21    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU

Chain PREROUTING (policy ACCEPT 280 packets, 58013 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  wg11   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 MARK       all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7


Use command 'diag sql [ table_name ]' to see the SQL data (might be many lines!)

       Valid SQL Database tables: clients   fwmark    passthru  servers   traffic
devices   ipset     policy    session

             e.g. diag sql traffic will show the traffic stats SQL table


        WireGuard ACTIVE Peer Status: Clients 1, Servers 1

I think I am getting much close now because in the wgm status it does show my VPN IP and not my ISP but when I got to waht is myip.com on PC it still shows ISP IP.
 
Chewie420 said:
I am still having issues with it not connecting and I am not sure what I am doing wrong.
Click to expand...
Probably my shoddy script! :cool:
Chewie420 said:
I don't want to upset anyone with my lack of knowledge I was just hoping to get it working.
Click to expand...
We all started as noobs, and I assure you, despite my manky coding skills, the script does actually work....eventually!:D
 
Martineau said:
Probably my shoddy script! :cool:

We all started as noobs, and I assure you, despite my manky coding skills, the script does actually work....eventually!:D
Click to expand...
I think it has more to do with me not knowing enough. I am getting closer and closer to having it work. I think. I just not sure if I am missing anything obvious. I posted my results from diag above is there anything else I can post to help get this working?
 
Chewie420 said:
Code: 
E:Option ==> diag

        WireGuard VPN Peer Status
interface: wg21
  public key: FSRDl
  private key: (hidden)
  listening port: 51820

peer: TB3Cv
  preshared key: (hidden)
  allowed ips: 10.50.1.2/32

interface: wg11
  public key: SM
  private key: (hidden)
  listening port: 51820

peer: RR93
  endpoint: 192..xxx.xxx.xxx:1443
  allowed ips: 0.0.0.0/0
  persistent keepalive: every 25 seconds

        WireGuard VPN Peers

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51820  # RT-AX88U Server #1

Client  Auto  IP               Endpoint              DNS      MTU  Annotate
wg11    N     10.13.53.185/24  192.xxx.xxx.xxx:1443  1.1.1.1       # TorGuard WireGuard Config

Device              Auto  IP            DNS            Allowed IPs  Annotate
Chewie_iPhone12Pro  X     10.50.1.2/32  64.71.255.204  0.0.0.0/0    # Chewie_iPhone12Pro "Device"

        DEBUG:  Routing info MTU etc.

33: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.50.1.1/24 scope global wg21
       valid_lft forever preferred_lft forever
34: wg11: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000
    link/none
    inet 10.13.53.185/24 scope global wg11
       valid_lft forever preferred_lft forever

        DEBUG:  Routing Table main

10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

        DEBUG:  RPDB rules

0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
10010:  from 192.168.5.103 lookup main
10011:  from 192.168.5.109 lookup main
10012:  from 192.168.56.0/24 lookup main
10013:  from 192.168.50.0/24 lookup main
10014:  from 192.168.224.0/24 lookup main
32766:  from all lookup main
32767:  from all lookup default

        DEBUG:  Routing Table 121 (wg11) # TorGuard WireGuard Config

192.168.5.0/24 dev br0 proto kernel scope link src 192.168.5.1

        DEBUG: Netstat

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.50.1.0       0.0.0.0         255.255.255.0   U         0 0          0 wg21

        DEBUG: UDP sockets.

udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 :::51820                :::*                                -

        DEBUG:  Firewall rules


        DEBUG:  -t filter

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain OUTPUT (policy ACCEPT 1086 packets, 190K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

        DEBUG:  -t nat

Chain PREROUTING (policy ACCEPT 110 packets, 22021 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2   123 WGDNS1     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* WireGuard 'client1 DNS' */
2        0     0 WGDNS1     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* WireGuard 'client1 DNS' */
3        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain POSTROUTING (policy ACCEPT 1 packets, 68 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      wg11    192.168.5.0/24       0.0.0.0/0            /* WireGuard 'client' */

Chain WGDNS1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        1    62 DNAT       all  --  *      *       192.168.5.0/24       0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:1.1.1.1

        DEBUG:  -t mangle

Chain FORWARD (policy ACCEPT 111 packets, 22351 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      wg11    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 TCPMSS     tcp  --  wg11   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
3        0     0 TCPMSS     tcp  --  *      wg11    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
4        0     0 MARK       all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7
5        0     0 TCPMSS     tcp  --  wg21   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
6        0     0 TCPMSS     tcp  --  *      wg21    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU

Chain PREROUTING (policy ACCEPT 280 packets, 58013 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  wg11   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 MARK       all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7


Use command 'diag sql [ table_name ]' to see the SQL data (might be many lines!)

       Valid SQL Database tables: clients   fwmark    passthru  servers   traffic
devices   ipset     policy    session

             e.g. diag sql traffic will show the traffic stats SQL table


        WireGuard ACTIVE Peer Status: Clients 1, Servers 1

I think I am getting much close now because in the wgm status it does show my VPN IP and not my ISP but when I got to waht is myip.com on PC it still shows ISP IP.
Click to expand...
Did you use the vpndirector clone command, as shown in post:
www.snbforums.com

Wireguard - Session Manager - Discussion (2nd) thread

With a lot of effort and help of ZebMcKayhan it was resolved. To also help others who struggle with this issue about using smb shares on a nas (not your router, but for instance synology) add on ssh router this: "iptables -t nat -I POSTROUTING -s 10.50.X.0/24 -d 192.168.1.Y -j SNAT --to-source...
www.snbforums.com www.snbforums.com
then you need to set 'client' Peer 'wg11' to Policy mode
Code: 
e  = Exit Script [?]

E:Option ==> peer wg11 auto=p

    [✔] Updated 'wg11' AUTO=P
then restart the 'client' Peer 'wg11' in Policy mode
Code: 
e  = Exit Script [?]
e.g.
E:Option ==> start wg11

    Requesting WireGuard VPN Peer start (wg11)

    wireguard-clientwg13: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to 96.44.189.98:51820 (# Mullvad USA, Dallas) DNS=193.138.218.74
    wireguard-clientwg13: Initialisation complete.
 
Martineau said:
Did you use the vpndirector clone command, as shown in post:
www.snbforums.com

Wireguard - Session Manager - Discussion (2nd) thread

With a lot of effort and help of ZebMcKayhan it was resolved. To also help others who struggle with this issue about using smb shares on a nas (not your router, but for instance synology) add on ssh router this: "iptables -t nat -I POSTROUTING -s 10.50.X.0/24 -d 192.168.1.Y -j SNAT --to-source...
www.snbforums.com www.snbforums.com
then you need to set 'client' Peer 'wg11' to Policy mode
Code: 
e  = Exit Script [?]

E:Option ==> peer wg11 auto=p

    [✔] Updated 'wg11' AUTO=P
then restart the 'client' Peer 'wg11' in Policy mode
Code: 
e  = Exit Script [?]
e.g.
E:Option ==> start wg11

    Requesting WireGuard VPN Peer start (wg11)

    wireguard-clientwg13: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to 96.44.189.98:51820 (# Mullvad USA, Dallas) DNS=193.138.218.74
    wireguard-clientwg13: Initialisation complete.
Click to expand...

Ok I did that and yes I ran uf dev and clone the VPN Director Settings.

<CODE>wireguard-clientwg11: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to 192..xxx.xxx.xxx:1443 (# TorGuard WireGuard Config) DNS=1.1.1.1
iptables: Chain already exists.</CODE>
 
Last edited:
Chewie420 said:
Ok I did that and yes I ran uf dev and clone the VPN Director Settings.
Click to expand...
OK,

So if
Code: 
e  = Exit Script [?]

E:Option ==> vpndirector list
shows the cloned VPN Dircetor rules are in the SQL database, the diag doesn't show them as having been applied in the RPDB rule section,

Why, because you posted this?
Code: 
Client  Auto  IP               Endpoint              DNS      MTU  Annotate
wg11    N     10.13.53.185/24  192.xxx.xxx.xxx:1443  1.1.1.1       # TorGuard WireGuard Config
which indicates 'client' Peer 'wg11' is NOT in Policy mode since you haven't followed the advice to issue the three commands in this post
www.snbforums.com

Wireguard - Session Manager - Discussion (2nd) thread

E:Option ==> diag WireGuard VPN Peer Status interface: wg21 public key: FSRDl private key: (hidden) listening port: 51820 peer: TB3Cv preshared key: (hidden) allowed ips: 10.50.1.2/32 interface: wg11 public key: SM private key: (hidden) listening port: 51820 peer...
www.snbforums.com www.snbforums.com
 
Code: 
wireguard-clientwg11: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to 192..xxx.xxx.xxx:1443 (# TorGuard WireGuard Config) DNS=1.1.1.1

iptables: Chain already exists.
 
Martineau said:
It is indeed a bug :eek:,

i.e. if you stop a 'server' Peer that is configured to use passthru', then the Passthru( del ) function incorrectly overwrites the variable;
$VPN_ID="wg22" becomes $VPN_ID="wg11" :oops:

Consequently, if you have a custom 'wg22-down.sh' script then it wouldn't be executed - instead 'wg11-down.sh' would be executed (if it existed).

I have patched 'wg_server' on the 'dev branch, so you will need to update using
Code: 
e  = Exit Script [?]

E:Option ==> uf dev
and once you have tested/confirmed the patch, I'll get it rolled out to the main branch ASAP.
Click to expand...
Thanks for your fast reply. passthru is working as expected now.
 
Martineau said:
OK,

So if
Code: 
e  = Exit Script [?]

E:Option ==> vpndirector list
shows the cloned VPN Dircetor rules are in the SQL database, the diag doesn't show them as having been applied in the RPDB rule section,

Why, because you posted this?
Code: 
Client  Auto  IP               Endpoint              DNS      MTU  Annotate
wg11    N     10.13.53.185/24  192.xxx.xxx.xxx:1443  1.1.1.1       # TorGuard WireGuard Config
which indicates 'client' Peer 'wg11' is NOT in Policy mode since you haven't followed the advice to issue the three commands in this post
www.snbforums.com

Wireguard - Session Manager - Discussion (2nd) thread

E:Option ==> diag WireGuard VPN Peer Status interface: wg21 public key: FSRDl private key: (hidden) listening port: 51820 peer: TB3Cv preshared key: (hidden) allowed ips: 10.50.1.2/32 interface: wg11 public key: SM private key: (hidden) listening port: 51820 peer...
www.snbforums.com www.snbforums.com
Click to expand...
Sorry I did miss doing that but I have done it now.
 
Chewie420 said:
Code: 
wireguard-clientwg11: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to 192..xxx.xxx.xxx:1443 (# TorGuard WireGuard Config) DNS=1.1.1.1

iptables: Chain already exists.
Click to expand...
If all else fails...

REBOOT

then hopefully in Syslog you will see both the 'server' Peer 'wg21' and the Torguard 'client' Peer 'wg11' auto started/initiialised.

diag should now also show lots of RPDB rules? and data transfers for 'client' Peer 'wg11'
 
Sorry for the confusion I ended up removing wgm last night after I couldn't get it working and since I figured that doing the VPN Director stuff would be beyond me. When I woke up today and saw you updated your script I decided to try again but I did forget to set the policy.
 
Martineau said:
If all else fails...

REBOOT

then hopefully in Syslog you will see both the 'server' Peer 'wg21' and the Torguard 'client' Peer 'wg11' auto started/initiialised.

diag should now also show lots of RPDB rules? and data transfers for 'client' Peer 'wg11'
Click to expand...

rebooted and still not working :(
 
Martineau said:
If all else fails...

REBOOT

then hopefully in Syslog you will see both the 'server' Peer 'wg21' and the Torguard 'client' Peer 'wg11' auto started/initiialised.

diag should now also show lots of RPDB rules? and data transfers for 'client' Peer 'wg11'
Click to expand...
Code: 
       WireGuard VPN Peer Status
interface: wg21
  public key: FSRDlT
  private key: (hidden)
  listening port: 51820

peer: TB3Cv
  preshared key: (hidden)
  allowed ips: 10.50.1.2/32

interface: wg11
  public key: SMGjy
  private key: (hidden)
  listening port: 51820

peer: RR93D1BA9XeVRV
  endpoint: 192.xxx.xxx.xxx:1443
  allowed ips: 0.0.0.0/0
  persistent keepalive: every 25 seconds

        WireGuard VPN Peers

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51820  # RT-AX88U Server #1

Client  Auto  IP               Endpoint              DNS      MTU  Annotate
wg11    P     10.13.53.185/24  192.xxx.xxx.xxx:1443  1.1.1.1       # TorGuard WireGuard Config

Device              Auto  IP            DNS            Allowed IPs  Annotate
Chewie_iPhone12Pro  X     10.50.1.2/32  64.71.255.204  0.0.0.0/0    # Chewie_iPhone12Pro "Device"

        DEBUG:  Routing info MTU etc.

31: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.50.1.1/24 scope global wg21
       valid_lft forever preferred_lft forever
32: wg11: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000
    link/none
    inet 10.13.53.185/24 scope global wg11
       valid_lft forever preferred_lft forever

        DEBUG:  Routing Table main

10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

        DEBUG:  RPDB rules

0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
9910:   from 192.168.56.0/24 lookup main
9910:   from 192.168.50.0/24 lookup main
9910:   from 192.168.5.109 lookup main
9910:   from 192.168.5.103 lookup main
9910:   from 192.168.224.0/24 lookup main
9911:   from 192.168.55.0/24 lookup 121
9911:   from 192.168.5.0/24 lookup 121
9911:   from 192.168.24.0/24 lookup 121
10010:  from 192.168.5.103 lookup main
10011:  from 192.168.5.109 lookup main
10012:  from 192.168.56.0/24 lookup main
10013:  from 192.168.50.0/24 lookup main
10014:  from 192.168.224.0/24 lookup main
32766:  from all lookup main
32767:  from all lookup default

        DEBUG:  Routing Table 121 (wg11) # TorGuard WireGuard Config

192.168.5.0/24 dev br0 proto kernel scope link src 192.168.5.1

        DEBUG: Netstat

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.50.1.0       0.0.0.0         255.255.255.0   U         0 0          0 wg21

        DEBUG: UDP sockets.

udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 :::51820                :::*                                -

        DEBUG:  Firewall rules


        DEBUG:  -t filter

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain OUTPUT (policy ACCEPT 23977 packets, 6177K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

        DEBUG:  -t nat

Chain PREROUTING (policy ACCEPT 3248 packets, 647K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7294  523K WGDNS1     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* WireGuard 'client1 DNS' */
2        0     0 WGDNS1     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* WireGuard 'client1 DNS' */
3        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain POSTROUTING (policy ACCEPT 84 packets, 7469 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      wg11    192.168.5.0/24       0.0.0.0/0            /* WireGuard 'client' */

Chain WGDNS1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1     4004  279K DNAT       all  --  *      *       192.168.55.0/24      0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:1.1.1.1
2       72  4837 DNAT       all  --  *      *       192.168.5.0/24       0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:1.1.1.1
3     3148  234K DNAT       all  --  *      *       192.168.24.0/24      0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:1.1.1.1

        DEBUG:  -t mangle

Chain FORWARD (policy ACCEPT 12334 packets, 1062K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      wg11    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 TCPMSS     tcp  --  wg11   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
3        0     0 TCPMSS     tcp  --  *      wg11    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
4        0     0 MARK       all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7
5        0     0 TCPMSS     tcp  --  wg21   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
6        0     0 TCPMSS     tcp  --  *      wg21    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU

Chain PREROUTING (policy ACCEPT 35811 packets, 5615K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  wg11   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 MARK       all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7


Use command 'diag sql [ table_name ]' to see the SQL data (might be many lines!)

       Valid SQL Database tables: clients   fwmark    passthru  servers   traffic
devices   ipset     policy    session

             e.g. diag sql traffic will show the traffic stats SQL table


        WireGuard ACTIVE Peer Status: Clients 1, Servers 1
 
Chewie420 said:
Code: 
       WireGuard VPN Peer Status
interface: wg21
  public key: FSRDlT
  private key: (hidden)
  listening port: 51820

peer: TB3Cv
  preshared key: (hidden)
  allowed ips: 10.50.1.2/32

interface: wg11
  public key: SMGjy
  private key: (hidden)
  listening port: 51820

peer: RR93D1BA9XeVRV
  endpoint: 192.xxx.xxx.xxx:1443
  allowed ips: 0.0.0.0/0
  persistent keepalive: every 25 seconds

        WireGuard VPN Peers

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51820  # RT-AX88U Server #1

Client  Auto  IP               Endpoint              DNS      MTU  Annotate
wg11    P     10.13.53.185/24  192.xxx.xxx.xxx:1443  1.1.1.1       # TorGuard WireGuard Config

Device              Auto  IP            DNS            Allowed IPs  Annotate
Chewie_iPhone12Pro  X     10.50.1.2/32  64.71.255.204  0.0.0.0/0    # Chewie_iPhone12Pro "Device"

        DEBUG:  Routing info MTU etc.

31: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.50.1.1/24 scope global wg21
       valid_lft forever preferred_lft forever
32: wg11: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN group default qlen 1000
    link/none
    inet 10.13.53.185/24 scope global wg11
       valid_lft forever preferred_lft forever

        DEBUG:  Routing Table main

10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

        DEBUG:  RPDB rules

0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
9910:   from 192.168.56.0/24 lookup main
9910:   from 192.168.50.0/24 lookup main
9910:   from 192.168.5.109 lookup main
9910:   from 192.168.5.103 lookup main
9910:   from 192.168.224.0/24 lookup main
9911:   from 192.168.55.0/24 lookup 121
9911:   from 192.168.5.0/24 lookup 121
9911:   from 192.168.24.0/24 lookup 121
10010:  from 192.168.5.103 lookup main
10011:  from 192.168.5.109 lookup main
10012:  from 192.168.56.0/24 lookup main
10013:  from 192.168.50.0/24 lookup main
10014:  from 192.168.224.0/24 lookup main
32766:  from all lookup main
32767:  from all lookup default

        DEBUG:  Routing Table 121 (wg11) # TorGuard WireGuard Config

192.168.5.0/24 dev br0 proto kernel scope link src 192.168.5.1

        DEBUG: Netstat

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.50.1.0       0.0.0.0         255.255.255.0   U         0 0          0 wg21

        DEBUG: UDP sockets.

udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 :::51820                :::*                                -

        DEBUG:  Firewall rules


        DEBUG:  -t filter

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain OUTPUT (policy ACCEPT 23977 packets, 6177K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */

        DEBUG:  -t nat

Chain PREROUTING (policy ACCEPT 3248 packets, 647K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7294  523K WGDNS1     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* WireGuard 'client1 DNS' */
2        0     0 WGDNS1     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* WireGuard 'client1 DNS' */
3        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 /* WireGuard 'server' */

Chain POSTROUTING (policy ACCEPT 84 packets, 7469 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      wg11    192.168.5.0/24       0.0.0.0/0            /* WireGuard 'client' */

Chain WGDNS1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1     4004  279K DNAT       all  --  *      *       192.168.55.0/24      0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:1.1.1.1
2       72  4837 DNAT       all  --  *      *       192.168.5.0/24       0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:1.1.1.1
3     3148  234K DNAT       all  --  *      *       192.168.24.0/24      0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:1.1.1.1

        DEBUG:  -t mangle

Chain FORWARD (policy ACCEPT 12334 packets, 1062K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  *      wg11    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 TCPMSS     tcp  --  wg11   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
3        0     0 TCPMSS     tcp  --  *      wg11    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'client' */ TCPMSS clamp to PMTU
4        0     0 MARK       all  --  *      wg21    0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7
5        0     0 TCPMSS     tcp  --  wg21   *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
6        0     0 TCPMSS     tcp  --  *      wg21    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU

Chain PREROUTING (policy ACCEPT 35811 packets, 5615K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  wg11   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'client' */ MARK xset 0x1/0x7
2        0     0 MARK       all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */ MARK xset 0x1/0x7


Use command 'diag sql [ table_name ]' to see the SQL data (might be many lines!)

       Valid SQL Database tables: clients   fwmark    passthru  servers   traffic
devices   ipset     policy    session

             e.g. diag sql traffic will show the traffic stats SQL table


        WireGuard ACTIVE Peer Status: Clients 1, Servers 1
Click to expand...
Are you sure your wireguard internet client wg11 is actually working?

If you issue:
Code: 
E:Option ==> show

Under wg11, do you see
Code: 
latest handshake: 1 minute, 32 seconds ago

Or is that line missing, or timer over 3 minutes?

If ok, then these ips
Code: 
192.168.55.0/24
192.168.5.0/24
192.168.24.0/24
Except for 5.103 and 5.109 are routed out via wg11.
So make sure you are you are using these ips when testing.

What is up with all these subnets? This is one of the most complex setups I've ever seen...
 
Last edited:
ZebMcKayhan said:
Are you sure your wireguard internet client wg11 is actually working?

If you issue:
Code: 
E:Option ==> show

Under wg11, do you see
Code: 
latest handshake: 1 minute, 32 seconds ago

Or is that line missing, or timer over 3 minutes?

If ok, then these ips
Code: 
192.168.55.0/24
192.168.5.0/24
192.168.24.0/24
Except for 5.103 and 5.109.
So make sure you are you are using these ips when testing.
Click to expand...
Hi I am testing and using 192.168.5.100 no I am not sure and if I had to guess I would say that it is not working.

here are the results from "show" I have not made a successful handshake just shows my torguard IP which it wasn't yesterday so I thought it was working for a minute.

E:Option ==> show

interface: wg11 192.xxx.xxx.xxx:1443 10.13.53.185/24 # TorGuard WireGuard Config
peer: R

interface: wg21 Port:51820 10.50.1.1/24 VPN Tunnel Network # RT-AX88U Server #1
peer: TB3 10.50.1.2/32 # Chewie_iPhone12Pro "Device"

WireGuard ACTIVE Peer Status: Clients 1, Servers 1
 
Last edited:
ZebMcKayhan said:
Are you sure your wireguard internet client wg11 is actually working?

If you issue:
Code: 
E:Option ==> show

Under wg11, do you see
Code: 
latest handshake: 1 minute, 32 seconds ago

Or is that line missing, or timer over 3 minutes?

If ok, then these ips
Code: 
192.168.55.0/24
192.168.5.0/24
192.168.24.0/24
Except for 5.103 and 5.109.
So make sure you are you are using these ips when testing.
Click to expand...
I just want to make sure I am understanding this because I could be way off. My intention is to have my router connect to my Torguard VPN and hide my IP for all systems on 192.168.5.0/24 except for 192.168.5.103 and 109.

That is how my OpenVPN was setup in GUI. I am not trying to have it so I can use my iPhone to connect to LAN. I have PiVPN setup for that and will use it until I can get WG working.

I just wanted to make sure I am able to do this and I am not mistaken with what I am trying to do.
 
Chewie420 said:
My intention is to have my router connect to my Torguard VPN and hide my IP for all systems on 192.168.5.0/24 except for 192.168.5.103 and 109.
Click to expand...
This sounds very doable.

But you seem to have alot of rules you are not using? Where do these come from:
Code: 
9910: from 192.168.56.0/24 lookup main
9910: from 192.168.50.0/24 lookup main
9910: from 192.168.224.0/24 lookup main
9911: from 192.168.55.0/24 lookup 121
9911: from 192.168.24.0/24 lookup 121
10012: from 192.168.56.0/24 lookup main
10014: from 192.168.224.0/24 lookup main
Are these subnets you are not using? If soo, could you remove them.

Anyhow, until you get your peer to handshake, there is no point in working with the rules but try to reduce complexity of your system. So it is understandable. Just make a single rule for your test computer and scrap all else. add more as it starts to work.

Try out your Torguard conf file on another system (I.e android wireguard) just to check that the conf file is good (some seem to die after some inactivity and you need to generate a new one).
 
ZebMcKayhan said:
What is up with all these subnets? This is one of the most complex setups I've ever seen...
Click to expand...

I have 192.168.50.0/24 for my 5 GHz Guest wifi
I have 192.168.50.0/24 for my 5 GHz IoT devices wifi
I have 192.168.24.0/24 for my 2.4 GHz Guest wifi
I have 192.168.224.0/24 for my 2.4 GHz IoT devices wifi
I also had 192.168.56.0/24 setup for my Work Devices and set not to use VPN
 
Chewie420 said:
I have 192.168.50.0/24 for my 5 GHz Guest wifi
I have 192.168.50.0/24 for my 5 GHz IoT devices wifi
I have 192.168.24.0/24 for my 2.4 GHz Guest wifi
I have 192.168.224.0/24 for my 2.4 GHz IoT devices wifi
I also had 192.168.56.0/24 setup for my Work Devices and set not to use VPN
Click to expand...
Ok, but if none of these are going out vpn, then no rules would be needed for them. In Policy mode any ips not matching any rule will naturally be sent to wan. In my opinion you would only need these 3 rules:
Code: 
9910: from 192.168.5.109 lookup main
9910: from 192.168.5.103 lookup main
9911: from 192.168.5.0/24 lookup 121
Which would translate to wgm commands:
Code: 
peer wg11 rule add wan 192.168.5.109 comment 109ToWan
peer wg11 rule add wan 192.168.5.103 comment 103ToWan
peer wg11 rule add vpn 192.168.5.0/24 comment Subnet2VPN

It would be even better to change the ips on .103 and .109 and devide your network to not have to make exception rules. This makes vpn dns work properly, more info here:
github.com

GitHub - ZebMcKayhan/WireguardManager: Manage/Install WireGuard on applicable ASUS routers

Manage/Install WireGuard on applicable ASUS routers - ZebMcKayhan/WireguardManager
github.com github.com

Still, 1st priority is just to get your handshakes going. Start with testing your .conf file.
 
You must log in or register to reply here.

Similar threads

W
Skynet SOLVED: Scrollbar Disappears on Skynet Tab on Asuswrt-Merlin 386.14
Replies
10
Views
1K
bennor
B
Martineau
Wireguard Session Manager (4th) thread
11 12 13
Replies
251
Views
30K
ZebMcKayhan
Z
A
Splitting Wireguard between Router and client
2 3
Replies
53
Views
3K
ZebMcKayhan
Z
Tech9
Malware damaging ASUS routers?
8 9 10
Replies
198
Views
12K
Jbennett360
J
K
Unbound Unbound_DNS_via_OVPN.sh with Wireguard
Replies
1
Views
2K
ZebMcKayhan
Z
Similar threads
Thread starter Title Forum Replies Date
JGrana chatai - version two - have a chat session with either Googles Gemini AI or Anthropics Claude (or both at once) Asuswrt-Merlin AddOns 4
JGrana New Addon - ChatAI - have a chat session with Googles Gemini AI Bot Asuswrt-Merlin AddOns 2
D Solved How do I remove WG Manager from amtm without resetting amtm? Asuswrt-Merlin AddOns 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 735 (members: 25, guests: 710)
Top