Wireguard Session Manager - Discussion (2nd) thread

[Martineau]

Thanks! had not the guts to test before I had confirmation.

Oh ye of little faith!

Maybee this will get rid of the error messages I get when attempting to start a dual stack peer with ipv4 dns only. Will test tonight.
Still, maybee my suggestion above is a good idea to get rid of the error message?

I've hacked wireguard_manager Beta v4.14b9 (no doubt with more error messages, although different!) to accommodate your dual stack

Testing scenario (opkg install xtables-addons_legacy) and defined both IPv4 and IPv6 DNS, and with Policy routing for source IPs (one IPv4 and one IPv6 ) it appears to now correctly NAT each IP with its appropriate DNS...

e  = Exit Script [?]

E:Option ==> peer wg15

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP                               Endpoint                       DNS                             MTU  Public                                        Private                                       Annotate
wg15    N     fc00:bbbb:bbbb:bb01::4:fd0f/128  [2001:ac8:20:308::a15f]:51820  193.138.218.74,2620:119:35::35       dead5B6gTRAcgb+78RpfGTw1UaNJ//ciQTS0/tKjyE=  Doom4czAgW+zLEk/oPFH+eMFlRBkPv62W2XX3wieiVA=  # Mullvad Germany, Frankfurt (IPv6)

    Selective Routing RPDB rules
ID  Peer  Interface  Source        Destination  Description
2   wg15  VPN        fcdd::23      Any         
1   wg15  VPN        172.16.123.1  Any         

IPSet    Enable  Peer  FWMark  DST/SRC
Netflix  Y       wg15  0x3000  dst

    DEBUG:  -t nat

Chain PREROUTING (policy ACCEPT 42 packets, 15350 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        2   122 WGDNS5     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* WireGuard 'client5 DNS' */
2        0     0 WGDNS5     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* WireGuard 'client5 DNS' */

Chain POSTROUTING (policy ACCEPT 9 packets, 916 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 MASQUERADE  all  --  *      wg15    192.168.50.0/24      0.0.0.0/0            /* WireGuard 'client' */

Chain WGDNS5 (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 DNAT       all  --  *      *       172.16.123.1         0.0.0.0/0            /* WireGuard 'client5 DNS' */ to:193.138.218.74

    DEBUG: IPv6 -t nat

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 WGDNS5     udp      *      *       ::/0                 ::/0                 udp dpt:53 /* WireGuard 'client5 DNS' */
2        0     0 WGDNS5     tcp      *      *       ::/0                 ::/0                 tcp dpt:53 /* WireGuard 'client5 DNS' */

Chain POSTROUTING (policy ACCEPT 2 packets, 162 bytes)
num   pkts bytes target     prot opt in     out     source               destination        

Chain WGDNS5 (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 DNAT       all      *      *       fcdd::23             ::/0                 /* WireGuard 'client5 DNS' */ to:2620:119:35::35

Usual method to try it

e  = Exit Script [?]

E:Option ==> uf dev

 

[ZebMcKayhan]

Usual method to try it

Thanks!

Stopped all peers and deleted residual ip -6 rules. Commented my dns entries in userscript. Updated and added both dns in wgm

An error message appears when starting a peer (every time):

E:Option ==> start wg12

        Requesting WireGuard VPN Peer start (wg12)

        wireguard-clientwg12: Initialising Wireguard VPN 'client' Peer (wg12)
in Policy Mode to us.wireguard.kjhg.net:42911 (# Integrity USA) DNS=9.9.9.9
,2620:fe::fe
RTNETLINK answers: File exists
        wireguard-clientwg12: Initialisation complete.


        WireGuard ACTIVE Peer Status: Clients 1, Servers 0

The dns rules looks ok now!

Stopped the peer (no error messages)
Went through all iptables and ip6tables but there we're no leftovers I could find.

Wgm still doesn't remove the ip -6 rules though (because purge_clients() does not have ipv6 removal?):

admin@RT-AC86U-D7D8:/# ip -6 rule
0:      from all lookup local
9921:   from fdff:a37f:fa75:6::/64 lookup 122
32766:  from all lookup main
admin@RT-AC86U-D7D8:/#

So the rule is still there after peer is stopped.

Don't know where the error message comes from...

Testing the dns function atleast shows byte movements, which is as good as I can test except for the lookup.

admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL WGDNS2 -t nat
Chain WGDNS2 (2 references)
 pkts bytes target     prot opt in     out     source               destinati
on
   71  5674 DNAT       all      *      *       fdff:a37f:fa75:6::/64  ::/0
              /* WireGuard 'client2 DNS' */ to:2620:fe::fe

So, one annoying bug to be found (the error msg) and a fix for the rules but good progress!

 

[Martineau]

An error message appears when starting a peer (every time):

E:Option ==> start wg12

        Requesting WireGuard VPN Peer start (wg12)

        wireguard-clientwg12: Initialising Wireguard VPN 'client' Peer (wg12) in Policy Mode to us.wireguard.kjhg.net:42911 (# Integrity USA) DNS=9.9.9.9,2620:fe::fe
RTNETLINK answers: File exists
        wireguard-clientwg12: Initialisation complete.

Don't know where the error message comes from...

Can you run a debug...

e  = Exit Script [?]

E:Option ==> stop wg12

e  = Exit Script [?]

E:Option ==> start wg12 debug

and post the output.

 

[ZebMcKayhan]

Can you run a debug...

What a great function you put in!

[#] iptables -t nat -N WGDNS2
[#] ip6tables -t nat -N WGDNS2
[#] ip link add dev wg12 type wireguard
[#] wg setconf wg12 /opt/etc/wireguard.d/wg12.conf
[#] ip address add dev wg12 10.0.93.103/24
[#] ip link set up dev wg12
[#] ip -6 address add dev wg12 fdab:xxxx:xxxx:93::103/64
[#] ip -6 link set up dev wg12
[#] ifconfig wg12 mtu 1412
[#] ifconfig wg12 txqueuelen 1000
[#] ip route add 68.xxx.xx.50 via xxx.xxx.96.1
RTNETLINK answers: File exists
[#] ip -6 route add ::/0 dev wg12 table 122
<snip>

So it appears that the ipv4 specific route in the main table does not get removed properly... you will squash this bug in no-time.

Edit: just confirmed that the ipv4 route is still in main routing table after I stopped the peer.

 

[ZebMcKayhan]

Updated section about IPv6:

WireguardManager/README.md at main · ZebMcKayhan/WireguardManager

Manage/Install WireGuard on applicable ASUS routers - ZebMcKayhan/WireguardManager

github.com

not too much to put there since wgm does all the "heavy lifting"...

Perhaps good to mention disclamer here:

Disclamer: while adding an Ipv6 DNS wgm will attempt to redirect ipv6 DNS packages to your selected VPN DNS via DNAT. This is however not really supported by all softwares. the kernel module/function/hooks are there but not implemented in userspace iptables. this will mean that you might get an error when starting the peer, something like "--to-destination extension not found" if this is the case you have the option to install Entware iptables:

opkg install iptables
but you need to be aware that the main purpose of iptables is to match extensions and send them to hooks in kernel module netfilter which is very integrated into firmware/processor with HW acceleration and what not. there is a substantial risk that something breaks when you do this. altough I have been running this on 386.4 on my RT-AC86U for several weeks with no obvious problems but I can NOT guarantee that this will be the case for you or that it is causing your system to be less secure. Use at your own risk! /Disclamer

will add some more info in different sections (IPSETs, Rules, YazFi et.c.) during the weekend...

 

[Martineau]

Wgm still doesn't remove the ip -6 rules though (because purge_clients() does not have ipv6 removal?):

So it appears that the ipv4 specific route in the main table does not get removed properly... you will squash this bug in no-time.

Edit: just confirmed that the ipv4 route is still in main routing table after I stopped the peer.

I've uploaded a patched wg_client v4.14.9 to hopefully fix both of the bugs you reported - many thanks.

So no change in the wireguard_manager Beta v4.14b9 version number, but usual method to retrieve update

e  = Exit Script [?]

E:Option ==> uf dev

 

[Martineau]

Updated section about IPv6:

WireguardManager/README.md at main · ZebMcKayhan/WireguardManager

Manage/Install WireGuard on applicable ASUS routers - ZebMcKayhan/WireguardManager

github.com

not too much to put there since wgm does all the "heavy lifting"...

Well wireguard_manager IPv6 still not perfect

Perhaps good to mention disclamer here:
opkg install iptables
but you need to be aware that the main purpose of iptables is to match extensions and send them to hooks in kernel module netfilter which is very integrated into firmware/processor with HW acceleration and what not. there is a substantial risk that something breaks when you do this. altough I have been running this on 386.4 on my RT-AC86U for several weeks with no obvious problems but I can NOT guarantee that this will be the case for you or that it is causing your system to be less secure. Use at your own risk! /Disclamer

However, the availability of Entware's iptables

/opt/sbin/iptables -V

iptables v1.4.21

effectively renders wireguard_manager obsolete, as you can now run wg-quick directly against a native WireGuard .conf (well almost with a couple of tweaks for ASUS routers) - which should satisfy a simple site-to-site scenario.

e.g. IPv6 'client' Peer

/opt/bin/bash /jffs/addons/wireguard/wg-quick2 up wg0

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /proc/self/fd/63
[#] ip -6 address add fc00:bbbb:bbbb:bb01::4:fd0f/128 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] /opt/sbin/ip6tables-restore -n
*raw
-I PREROUTING ! -i wg0 -d fc00:bbbb:bbbb:bb01::4:fd0f -m addrtype ! --src-type LOCAL -j DROP -m comment --comment "wg-quick(8) rule for wg0"
COMMIT
*mangle
-I POSTROUTING -m mark --mark 51820 -p udp -j CONNMARK --save-mark -m comment --comment "wg-quick(8) rule for wg0"
-I PREROUTING -p udp -j CONNMARK --restore-mark -m comment --comment "wg-quick(8) rule for wg0"
COMMIT

wg

interface: wg0
  public key: rLs1qARpOlT2oRhzSl0u4yXSv0MPvBv6vWYR9uMkHwg=
  private key: (hidden)
  listening port: 53262
  fwmark: 0xca6c

peer: 7YN0g5B6gTRAcgb+78RpfGTw1UaNJprciQTSO/tKjyE=
  endpoint: [2001:ac8:20:308::a15f]:51820
  allowed ips: ::/0
  latest handshake: 18 seconds ago
  transfer: 12.56 KiB received, 39.04 KiB sent

Confirmation of Mullvad Germany, Frankfurt connection

curl --interface wg0 "https://am.i.mullvad.net/connected"

You are connected to Mullvad (server de15-wireguard). Your IP address is 2001:ac8:20:308::a15e

ping6 [2001:ac8:20:308::a15f]

PING [2001:ac8:20:308::a15f] (2001:ac8:20:308::a15f): 56 data bytes
64 bytes from 2001:ac8:20:308::a15f: seq=0 ttl=64 time=25.296 ms
64 bytes from 2001:ac8:20:308::a15f: seq=1 ttl=64 time=24.864 ms
64 bytes from 2001:ac8:20:308::a15f: seq=2 ttl=64 time=25.426 ms
64 bytes from 2001:ac8:20:308::a15f: seq=3 ttl=64 time=24.697 ms
^C
--- [2001:ac8:20:308::a15f] ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 24.697/25.070/25.426 ms

ip -6 route get 2001:ac8:20:308::a15f

2001:ac8:20:308::a15f dev wg0 table 51820 src fc00:bbbb:bbbb:bb01::4:fd0f metric 0 pref medium

 

[ZebMcKayhan]

effectively renders wireguard_manager obsolete, as you can now run wg-quick directly against a native WireGuard .conf (well almost with a couple of tweaks for ASUS routers) - which should satisfy a simple site-to-site scenario.

I'm not too sure about using Entware iptables (neither as included in xtables-addons_legacy) is perfectly safe (hence my disclamer), maybee I'm just over-worried...

here is a link were @RMerlin is explaining that updating iptables may brake things:

Can iptables be updated to a newer version in Asuswrt-Merlin ?

Asuswrt-Merlin 380.66_alpha3 uses iptables version 1.4.14 which is almost five years old. Is it possible to update to version 1.6 ?

www.snbforums.com

however, it is old, he is not answering this specific question and I dont know if it applies in this situation. you decide.

effectively renders wireguard_manager obsolete

no way! wgm is soo much more! you cant beat the ease of usage of wgm and wg-quick will not setup an as complete system as wgm does unless you put in alot of work writing all the asus specific stuff (policy routing, ipsets a.s.o.). But for site-site which wgm was not designed for it could be an alternative.

 

[ZebMcKayhan]

I've uploaded a patched wg_client v4.14.9 to hopefully fix both of the bugs you reported

Works perfectly! No error messages and everything cleaned out....

Except for a minor firewall rule I would say wgm client to be ipv6 compatible, great work!

 

[ZebMcKayhan]

I finally found a website that detects my ipv6 dns:

IP/DNS Detect

What is your IP, what is your DNS, check your torrent IP, what informations you send to websites.

ipleak.net

It confirmes that, using unbound, I only see my ipv4+ipv6 and using my USA output (set to quad9 ipv4, ipv6) I see USA quad9 servers.
So, wireguard Manager ipv6 dnat seems to work as expected with Entware iptables

Edit: it is abit tricky to perform dns test, as I later discovered from above tests my webbrowser only did dns lookup via ipv4 (the ip6tables wgdns2 rule hit-count was 0) even though ipv6 servers were found on the list so my request was later forwarded. Reverted to ping tools for Android set to ipv6 only and using router adress, then changing wg12 (usa) dns between quad 9 and back to the router (unbound, swe) gave 2 different lookups on ipv6.google.com and hit counts on dnat rule.

 

[Martineau]

Except for a minor firewall rule I would say wgm client to be ipv6 compatible, great work!

Err which firewall rule?

 

[ZebMcKayhan]

Err which firewall rule?

This rule http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/post-732961

 

[Martineau]

This rule http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/post-732961

Hmmm

wireguard/wg_client at dev · MartineauUK/wireguard

Manage/Install WireGuard on applicable ASUS routers - MartineauUK/wireguard

github.com

and for IPv4

wireguard/wg_client at dev · MartineauUK/wireguard

Manage/Install WireGuard on applicable ASUS routers - MartineauUK/wireguard

github.com

there is probably a (dumb) reason why I left them both commented out....

However, you can use the very clunky wireguard_manager method of adding the executable 'comment' (## denotes a true comment ) to 'wg11.conf'

#PostUp =   ip6tables -t filter -I FORWARD -i br0 -o %i -j ACCEPT -m comment --comment "LAN-to-WireGuard-'client'-Peer"
#PostDown = ip6tables -t filter -D FORWARD -i br0 -o %i -j ACCEPT -m comment --comment "LAN-to-WireGuard-'client'-Peer"

or add the appropriate commands to

'/jffs/addons/wireguard/Scripts/wg11-up.sh'
and
'/jffs/addons/wireguard/Scripts/wg11-down.sh'

 

[ZebMcKayhan]

there is probably a (dumb) reason why I left them both commented out....

However, you can use the very clunky wireguard_manager method of adding the executable 'comment' (## denotes a true comment ) to 'wg11.conf'

No problems.

I don't need the same rule for ipv4 since the firmware puts in:

  29M 31G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
            state RELATED,ESTABLISHED
42111 8505K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

But for ipv6 its different:

 918K 1167M ACCEPT all * * ::/0 ::/0
            state RELATED,ESTABLISHED
    0     0 ACCEPT     all      br0    eth0    ::/0                 ::/0

    0     0 ACCEPT     all      br0    br0     ::/0                 ::/0

Dont you have the same?

 

[Martineau]

But for ipv6 its different:

 918K 1167M ACCEPT all * * ::/0 ::/0
            state RELATED,ESTABLISHED
    0     0 ACCEPT     all      br0    eth0    ::/0                 ::/0

    0     0 ACCEPT     all      br0    br0     ::/0                 ::/0

I've uploaded a patched wg_client v4.14.10 to add the missing IPv6 rule(s) - many thanks.

So no change in the wireguard_manager Beta v4.14b9 version number, but usual method to retrieve update

e  = Exit Script [?]

E:Option ==> uf dev

 

[ZebMcKayhan]

I've uploaded a patched wg_client v4.14.10 to add the missing IPv6 rule(s) - many thanks.

So no change in the wireguard_manager Beta v4.14b9 version number, but usual method to retrieve update

e  = Exit Script [?]

E:Option ==> uf dev

Works great!

It makes some redundant rules however:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destinati
on
    0     0 ACCEPT     all      br0    wg11    ::/0                 ::/0
            /* LAN to WireGuard 'client' */
    0     0 ACCEPT     all      br0    wg12    ::/0                 ::/0
            /* LAN to WireGuard 'client' */
    0     0 ACCEPT     all      br0    *       ::/0                 ::/0
            /* Fix LAN to ANY by Martineau */

Dont know what reason ASUS has for not putting in the br0-to-any rule in ipv6, but having it there makes the other 2 rules redundant... it wouldn't hurt I guess

 

[Martineau]

Works great!

It makes some redundant rules however:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      br0    wg11    ::/0                 ::/0          /* LAN to WireGuard 'client' */
    0     0 ACCEPT     all      br0    wg12    ::/0                 ::/0          /* LAN to WireGuard 'client' */
    0     0 ACCEPT     all      br0    *       ::/0                 ::/0          /* Fix LAN to ANY by Martineau */

Dont know what reason ASUS has for not putting in the br0-to-any rule in ipv6, but having it there makes the other 2 rules redundant... it wouldn't hurt I guess

As I am still testing, having explicit/discrete 'LAN to specific 'client' Peer rules, allows me to see the hit count per interface - but when ALL WireGuard 'client' Peers are DOWN it may prove useful unless ASUS deliberately omitted it by design.

 

[ZebMcKayhan]

As I am still testing, having explicit/discrete 'LAN to specific 'client' Peer rules, allows me to see the hit count per interface - but when ALL WireGuard 'client' Peers are DOWN it may prove useful unless ASUS deliberately omitted it by design.

Not sure I'm reading your code right, but it looks as you are trying to insert the general rule after the drop of invalid packages. This position is not found on my system since:

14       0     0 logdrop    all      *      *       ::/0                 ::/0
                 state INVALID

so:

admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables --line -nvL FORWARD | grep -m 1
 "DROP .*all.*state INVALID"
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables --line -nvL FORWARD | grep -m 1
 "logdrop.*all.*state INVALID"
14       0     0 logdrop    all      *      *       ::/0                 ::/0
                 state INVALID
admin@RT-AC86U-D7D8:/tmp/home/root#

So on my system the rule ends up on top (which doesn't really matter, but thought I'd mention it)

 

[Martineau]

Not sure I'm reading your code right, but it looks as you are trying to insert the general rule after the drop of invalid packages. This position is not found on my system since:

14       0     0 logdrop    all      *      *       ::/0                 ::/0             state INVALID

So on my system the rule ends up on top (which doesn't really matter, but thought I'd mention it)

I thought it would be prudent to insert the missing IPv6 ASUS rule by using the IPv4 rule order as a guide (performance benefit?)

I've uploaded a patched wg_client v4.14.11 to ensure the rule's added as intended in the middle of the chain - many thanks.

So no change in the wireguard_manager Beta v4.14b9 version number, but usual method to retrieve update

e  = Exit Script [?]

E:Option ==> uf dev

 

[ZebMcKayhan]

I've uploaded a patched wg_clientv4.14.11 to ensure the rule's added as intended in the middle of the chain - many thanks.

Looking good!

11       0     0 logdrop    all      *      *       ::/0                 ::/0
                 state INVALID
12       0     0 ACCEPT     all      br0    wg11    ::/0                 ::/0
                 /* LAN to WireGuard 'client' */
13       0     0 ACCEPT     all      br0    wg12    ::/0                 ::/0
                 /* LAN to WireGuard 'client' */
14       0     0 ACCEPT     all      br0    *       ::/0                 ::/0
                 /* Fix LAN to ANY by Martineau */

Now there is no need to add extra commands for ipv4/ipv6 connection over Wireguard with wgm. This is good news for those who have ipv4/ipv6 WAN since they could now connect over wireguard without risking data slipping out over ipv6 and/or take extra measures to prevent this (except for getting a .conf file with ipv4+ipv6).

I have updated ipv6 section, rules and IPSET section and made a new section for YazFi and assignement of separate subnets for Guest wifi's for the sake of Policy routing. Also added a section about terminal options for those who have problems with backspace:

WireguardManager/README.md at main · ZebMcKayhan/WireguardManager

Manage/Install WireGuard on applicable ASUS routers - ZebMcKayhan/WireguardManager

github.com