Wireguard Session Manager - Discussion (2nd) thread

[heysoundude]

Just need to figure out how github works and how to commit files. Guessing compiling the kernel module was the easy part ;-)

https://github.com/new Take their hand and follow along...

 

[abir1909]

This thread reported a performance issue

Wireguard - Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

Here are some of my observations and input from a new install of wg_manager v4.11b3: 1. On a remote peer server I created a device peer: Device Auto IP DNS Allowed IPs Annotate MSG X 10.50.1.3/32 192.168.2.1 0.0.0.0/0 # MSG "Device" From the local PC I logged...

www.snbforums.com

so back in May 2021, a patch was applied to wireguard_manager on the Github dev branch.......

Update wg_manager.sh · MartineauUK/wireguard@2d7b475

Fix Do not allow 'device' Road-Warrior Peers 'auto=X' to be changed. Fix 'peer wgxx dump' command selection typo to use correct SQL table for 'client' rather 'c...

github.com

Not sure if it is still relevant/warranted or should now be backed-out as the RT-AX86U kernel seemingly controls it anyway?

Wireguard - Session Manager - Discussion (2nd) thread

This thread http://www.snbforums.com/threads/session-manager.70787/ has now expired. Thanks for the heads-up SNB Forum member @Ubimo

www.snbforums.com

So should we wait on the RC3 or? i can test speeds with and without the patch if needed.

 

[Martineau]

@ZebMcKayhan
Testing your Wireguard Tools module....

Manually copied your Tools module

mv /jffs/addons/wireguard/wireguard-tools_1.0.20210315-1_aarch64-3.10.ipk /jffs/addons/wireguard/wireguard-tools_1.0.20210315-1_aarch64-3.10.ipkZ

cp /tmp/wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk /jffs/addons/wireguard/wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

Install using wireguard_manager

e  = Exit Script [?]

E:Option ==> loadmod

    Loading WireGuard Kernel module and Userspace Tool for RT-AC86U (v386.4)
Package wireguard-kernel (1.0.20210606-ac) installed in root is up to date.
Upgrading wireguard-tools on root from 1.0.20210315-1 to 1.0.20210914-1...
Removing obsolete file /opt/etc/wireguard/S50wireguard.
Removing obsolete file /opt/etc/wireguard/wg-policy.
Removing obsolete file /opt/etc/wireguard/wg-down.
Removing obsolete file /opt/etc/wireguard/wg-up.
Removing obsolete file /opt/etc/wireguard/wg-server.
Not deleting modified conffile /opt/etc/wireguard/S50wireguard.
Not deleting modified conffile /opt/etc/wireguard/wg-policy.
Not deleting modified conffile /opt/etc/wireguard/wg-down.
Not deleting modified conffile /opt/etc/wireguard/wg-up.
Not deleting modified conffile /opt/etc/wireguard/wg-server.
Configuring wireguard-tools.
Collected errors:
* file_sha256sum_alloc: Failed to open file /opt/etc/wireguard/S50wireguard: No such file or directory.
* file_sha256sum_alloc: Failed to open file /opt/etc/wireguard/wg-policy: No such file or directory.
* file_sha256sum_alloc: Failed to open file /opt/etc/wireguard/wg-down: No such file or directory.
* file_sha256sum_alloc: Failed to open file /opt/etc/wireguard/wg-up: No such file or directory.
* file_sha256sum_alloc: Failed to open file /opt/etc/wireguard/wg-server: No such file or directory.
    wireguard: WireGuard 1.0.20210606 loaded. See www.wireguard.com for information.
    wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

wireguard_manager doesn't use any of the above, so it is just spurious noise that can be ignored

Rebooted

wg -v

wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/

Looks good again!

 

[Martineau]

So should we wait on the RC3 or? i can test speeds with and without the patch if needed.

Your call/choice

 

[abir1909]

Your call/choice

I would love to test it without the patch. Is there a way of doing it?

 

[Martineau]

I would love to test it without the patch. Is there a way of doing it?

Remove the three lines from the script

if [ "$HARDWARE_MODEL" == "RT-AX86U" ];then
    [ -n "$(fc status | grep "Flow Learning Enabled")" ] && { fc disable; Say "Broadcom Packet Flow Cache learning via BLOG (Flow Cache) DISABLED"; }   # v4.11 @Torson
fi

and issue

fc enable

Broadcom Packet Flow Cache learning via BLOG enabled.

 

[ZebMcKayhan]

@ZebMcKayhan
Testing your Wireguard Tools module....

Manually copied your Tools module

mv /jffs/addons/wireguard/wireguard-tools_1.0.20210315-1_aarch64-3.10.ipk /jffs/addons/wireguard/wireguard-tools_1.0.20210315-1_aarch64-3.10.ipkZ

cp /tmp/wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk /jffs/addons/wireguard/wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

Install using wireguard_manager

e  = Exit Script [?]

E:Option ==> loadmod

    Loading WireGuard Kernel module and Userspace Tool for RT-AC86U (v386.4)
Package wireguard-kernel (1.0.20210606-ac) installed in root is up to date.
Upgrading wireguard-tools on root from 1.0.20210315-1 to 1.0.20210914-1...
Removing obsolete file /opt/etc/wireguard/S50wireguard.
Removing obsolete file /opt/etc/wireguard/wg-policy.
Removing obsolete file /opt/etc/wireguard/wg-down.
Removing obsolete file /opt/etc/wireguard/wg-up.
Removing obsolete file /opt/etc/wireguard/wg-server.
Not deleting modified conffile /opt/etc/wireguard/S50wireguard.
Not deleting modified conffile /opt/etc/wireguard/wg-policy.
Not deleting modified conffile /opt/etc/wireguard/wg-down.
Not deleting modified conffile /opt/etc/wireguard/wg-up.
Not deleting modified conffile /opt/etc/wireguard/wg-server.
Configuring wireguard-tools.
Collected errors:
* file_sha256sum_alloc: Failed to open file /opt/etc/wireguard/S50wireguard: No such file or directory.
* file_sha256sum_alloc: Failed to open file /opt/etc/wireguard/wg-policy: No such file or directory.
* file_sha256sum_alloc: Failed to open file /opt/etc/wireguard/wg-down: No such file or directory.
* file_sha256sum_alloc: Failed to open file /opt/etc/wireguard/wg-up: No such file or directory.
* file_sha256sum_alloc: Failed to open file /opt/etc/wireguard/wg-server: No such file or directory.
    wireguard: WireGuard 1.0.20210606 loaded. See www.wireguard.com for information.
    wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

wireguard_manager doesn't use any of the above, so it is just spurious noise that can be ignored

Rebooted

wg -v

wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/

Looks good again!

Thanks again!

Just updated both kernel modules and tools as well with no surprises...

If all continous to work good I can look into setting up github this weekend if I find the time.

//Zeb

 

[heysoundude]

Thanks again!

Just updated both kernel modules and tools as well with no surprises...

If all continous to work good I can look into setting up github this weekend if I find the time.

//Zeb

The toughest thing(s) about github are your handle and your repo names.
"I've been working on this for a while to do something clever and NOW I need to find a clever name for it too?" lol

 

[Ubimo]

How can I update to the latest kernel module and tools?

 

[Martineau]

How can I update to the latest kernel module and tools?

Be patient - @ZebMcKayhan's modules are effectively in ALPHA testing, and there is no point rolling out the modules to the general public without proper testing.

Beside, if you read the official Wireguard change logs, what new feature(s) are you currently missing?

 

[Ubimo]

OK!
I don't miss anything, it's a great script/tool, thanks!
I just feel more safe if I use the latest kernel module and tools. Call me paranoiac. :-D

 

[Martineau]

I just feel more safe if I use the latest kernel module and tools. Call me paranoiac. :-D

More unsubstantiated claims regarding WireGuard's potential security flaws certainly doesn't motivate me to continue with script development, wireguard_manager is just a wrapper but I cannot categorically state if @ZebMcKayhan's modules are (by accident or design) riddled with security exposures/threats or are in fact actually more secure than the @Odkrys modules simply by virtue of the fact that the modules have newer version numbers/compile timestamps.

Perhaps you should stick with OpenVPN to reduce your paranoia

Regards,

 

[ZebMcKayhan]

OK!
I don't miss anything, it's a great script/tool, thanks!
I just feel more safe if I use the latest kernel module and tools. Call me paranoiac. :-D

@Ubimo for your information, according to @Odkrys Makefile Entware builder will by its own fetch source files directly from zx2c4.com and compile them.
PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
PKG_HASH:=3f5d990006e6eabfd692d925ec314fff2c5ee7dcdb869a6510d579acfdd84ec0

but as always, the problem with open source, you cannot guarantee that me or @Odkrys haven't tampered with the sources. the only way to guarantee that is to build it yourself. please give it a try!

I will be happy to send out the log files from my compilation, but it wouldn't really prove anything (see spoiler for the first lines, were you can compare the hash after you have figured out the hash from the 20210606 sources from the link). again, not proving anything though.

you can read about the updates for these backports here:
wireguard-linux-compat - WireGuard kernel module backport for Linux 3.10 - 5.5 (zx2c4.com)

currently, since 2021-02-19 - 2021-06-06:
* version: bumpv1.0.20210606 Jason A. Donenfeld 2021-06-06
* qemu: increase default dmesg log size
* qemu: add disgusting hacks for RHEL 8
* allowedips: add missing __rcu annotation to satisfy sparse
* allowedips: free empty intermediate nodes when removing single node
* allowedips: allocate nodes in kmem_cache
* allowedips: remove nodes in O(1)
* allowedips: initialize list head in selftest
* peer: allocate in kmem_cache
* global: use synchronize_net rather than synchronize_rcu
* kbuild: do not use -O3
* netns: make sure rp_filter is disabled on vethc

* version: bumpv1.0.20210424 Jason A. Donenfeld 2021-04-24
* Revert "compat: skb_mark_not_on_list will be backported to Ubuntu 18.04"
* compat: update and improve detection of CentOS Stream 8 Peter Georg
* compat: icmp_ndo_send functions were backported extensively

I dont see any reason for anyone to worry, seems most functional and compatibility updates.
curious about rp_filter though...

//Zeb

Spoiler: first lines from build

Collecting package info: done
make[1]: Entering directory '/USERNAME/Entware'
make[2]: Entering directory '/USERNAME/Entware/package/libs/toolchain'
make[2]: Leaving directory '/USERNAME/Entware/package/libs/toolchain'
time: package/libs/toolchain/compile#0.09#0.00#0.08
make[2]: Entering directory '/USERNAME/Entware/feeds/packages/net/wireguard-kernel'
mkdir -p /USERNAME/Entware/dl
SHELL= flock /USERNAME/Entware/tmp/.wireguard-linux-compat-1.0.20210606.tar.xz.flock -c ' /USERNAME/Entware/scripts/download.pl "/USERNAME/Entware/dl" "wireguard-linux-compat-1.0.20210606.tar.xz" "3f5d990006e6eabfd692d925ec314fff2c5ee7dcdb869a6510d579acfdd84ec0" "" "https://git.zx2c4.com/wireguard-linux-compat/snapshot/" '
touch /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/.prepared_72982f5608cd6f9757b0f2b4df8ac4f4_6664517399ebbbc92a37c5bb081b5c53_check
. /USERNAME/Entware/include/shell.sh; xzcat /USERNAME/Entware/dl/wireguard-linux-compat-1.0.20210606.tar.xz | tar -C /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/.. -xf -
[ ! -d ./src/ ] || cp -fpR ./src/. /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606
# XXX Entware specific: arch specific patches (e.g. patches-2.6)
touch /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/.prepared_72982f5608cd6f9757b0f2b4df8ac4f4_6664517399ebbbc92a37c5bb081b5c53
rm -f /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/.configured_*
rm -f /USERNAME/Entware/staging_dir/target-aarch64_cortex-a53_glibc-2.27/stamp/.wireguard-kernel_installed
(cd /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/./; if [ -x ./configure ]; then find /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/ -name config.guess | xargs -r chmod u+w; find /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/ -name config.guess | xargs -r -n1 cp --remove-destination /USERNAME/Entware/scripts/config.guess; find /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/ -name config.sub | xargs -r chmod u+w; find /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/ -name config.sub | xargs -r -n1 cp --remove-destination /USERNAME/Entware/scripts/config.sub; AR="aarch64-openwrt-linux-gnu-gcc-ar" AS="aarch64-openwrt-linux-gnu-gcc -c -O2 -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result " LD=aarch64-openwrt-linux-gnu-ld NM="aarch64-openwrt-linux-gnu-gcc-nm" CC="aarch64-openwrt-linux-gnu-gcc" GCC="aarch64-openwrt-linux-gnu-gcc" CXX="aarch64-openwrt-linux-gnu-g++" RANLIB="aarch64-openwrt-linux-gnu-gcc-ranlib" STRIP=aarch64-openwrt-linux-gnu-strip OBJCOPY=aarch64-openwrt-linux-gnu-objcopy OBJDUMP=aarch64-openwrt-linux-gnu-objdump SIZE=aarch64-openwrt-linux-gnu-size CFLAGS="-O2 -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result " CXXFLAGS="-O2 -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result " CPPFLAGS="-I/USERNAME/Entware/staging_dir/toolchain-aarch64_cortex-a53_gcc-8.4.0_glibc-2.27/include " LDFLAGS="-Wl,--dynamic-linker=/opt/lib/ld-linux-aarch64.so.1 -Wl,-rpath=/opt/lib -L/USERNAME/Entware/staging_dir/toolchain-aarch64_cortex-a53_gcc-8.4.0_glibc-2.27/lib " ./configure --target=aarch64-openwrt-linux --host=aarch64-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefix="" --program-suffix="" --prefix=/opt --exec-prefix=/opt --bindir=/opt/bin --sbindir=/opt/sbin --libexecdir=/opt/lib --sysconfdir=/opt/etc --datadir=/opt/share --localstatedir=/opt/var --mandir=/opt/man --infodir=/opt/info --disable-nls ; fi; )
touch /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/.configured_68b329da9893e34099c7d8ad5cb9c940
rm -f /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/.built
touch /USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/.built_check
make -C /USERNAME/amng-build/release/src-rt-5.02hnd/kernel/linux-4.1 KCFLAGS="" HOSTCFLAGS="-O2 -I/USERNAME/Entware/staging_dir/host/include -I/USERNAME/Entware/staging_dir/hostpkg/include -I/USERNAME/Entware/staging_dir/target-aarch64_cortex-a53_glibc-2.27/host/include -Wall -Wmissing-prototypes -Wstrict-prototypes" CROSS_COMPILE="aarch64-openwrt-linux-gnu-" ARCH="arm64" KBUILD_HAVE_NLS=no KBUILD_BUILD_USER="" KBUILD_BUILD_HOST="" KBUILD_BUILD_TIMESTAMP="Thu Sep 30 19:14:12 2021" KBUILD_BUILD_VERSION="0" HOST_LOADLIBES="-L/USERNAME/Entware/staging_dir/host/lib" KBUILD_HOSTLDLIBS="-L/USERNAME/Entware/staging_dir/host/lib" CONFIG_SHELL="bash" V='' cmd_syscalls= KERNELRELEASE=3.10.108 CC="aarch64-openwrt-linux-gnu-gcc" M="/USERNAME/Entware/build_dir/target-aarch64_cortex-a53_glibc-2.27/linux-aarch64-3.10/wireguard-linux-compat-1.0.20210606/src" modules EXTRA_CFLAGS="-O2 -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -fno-pie"
make[3]: Entering directory '/USERNAME/amng-build/release/src-rt-5.02hnd/kernel/linux-4.1'

 

[heysoundude]

Be patient - @ZebMcKayhan's modules are effectively in ALPHA testing, and there is no point rolling out the modules to the general public without proper testing.

what we have here is a good ol' fashioned horse race between two small teams of devs to bring something to users- the Asus team, and the SNB-Merlin team.
My cryptocurrency (see what I did there?) is on the SNB-Merlin devs

 

[ZebMcKayhan]

For a long time now I've had this rare problem that whenever I poke too much at my router so I get a nat-start event I loose connection to my ipset ips. Everything else works.

I route everything out wg11 except for 2 ipsets which is marked 0x8000 (netflix+myip) so they go out wan. Obviously kill switch is off in wgm.

I have previously checked rp_filter and ip rule and everything looks ok.
Usually there is little time to debug this as I have a horde of angry family members chasing me.
This just happened again this evening which made me do some debug. Looks like the wan kill switch is applied by wg_firewall even though it is disabled in wgm. wg_firewall gets the setting from wireguard.conf and surely enough I have the KILLSWITCH in there.
Execute

killswitch off

Does nothing regarding this entry.

The killswitch is not enabled during a normal boot despite this entry. Are there any difference regarding killswitch detection at boot vs nat-start event?

//Zeb

 

[Torson]

I remember seeing this issue during the early days. What I think changed the behavior was commenting out the KILLSWITCH line in /jffs/addons/wireguard/WireguardVPN.conf. Never had that issue since.

 

[ZebMcKayhan]

I remember seeing this issue during the early days. What I think changed the behavior was commenting out the KILLSWITCH line in /jffs/addons/wireguard/WireguardVPN.conf. Never had that issue since.

Thanks, I will try that.

Just tried executing wg_firewall manually and it seems to break wg11 and not completing so I aborted after like 5min. After that wg11 got out of sync so needed to reboot.
Wonder if my WireguardVPN.conf is funky:

# WireGuard Session Manager v4.01

# Categories
clients=wg11
Clients=wg11
None=

# WAN KILL-Switch
KILLSWITCH

# Statistics Gathering
STATS

Why is there 2 wg11 and no wg12?

//Zeb

Edit: never mind, figured it out... I must be blind. I commented killswitch and now it works. Thanks again!

 

[Martineau]

Thanks, I will try that.

Just tried executing wg_firewall manually and it seems to break wg11 and not completing so I aborted after like 5min. After that wg11 got out of sync so needed to reboot.
Wonder if my WireguardVPN.conf is funky:

# WireGuard Session Manager v4.01

# Categories
clients=wg11
Clients=wg11
None=

# WAN KILL-Switch
KILLSWITCH

# Statistics Gathering
STATS

Why is there 2 wg11 and no wg12?

I don't believe that wireguard_manager auto updates the categories?, so any categories must be manually defined.

However, given Linux is case sensitive, there is a difference between 'clients' and 'Clients'.

e  = Exit Script [?]

E:Option ==> peer category clients add wg11


    'Peer category 'clients' created

e  = Exit Script [?]

E:Option ==> peer category Clients add wg11


    'Peer category 'Clients' created

e  = Exit Script [?]

E:Option ==> peer category

    Peer categories

Clients=wg11
clients=wg11

Edit: never mind, figured it out... I must be blind. I commented killswitch and now it works. Thanks again!

I may have originally included 'KILLSWITCH' by default rather than '#KILLSWITCH', but decided that whilst command killswitch disable can be used, it is temporary, given that the killswitch feature should be hard to be permanently disabled by accident or on a whim..

 

[ZebMcKayhan]

I don't believe that wireguard_manager auto updates the categories?, so any categories must be manually defined.

I may have originally included 'KILLSWITCH' by default rather than '#KILLSWITCH', but decided that whilst command killswitch disable can be used, it is temporary, given that the killswitch feature should be hard to be permanently disabled by accident or on a whim..

Thanks, guess it was kind of late last night and I jumped to the wrong conclusion, sorry about that.

during my initial testing a long time ago I created the 2 categories, before wg12 existed. I dont use categories so I have kind of forgotten about them. completely missed the headline stating categories and assumed it had something to do with identifying clients to restart... well, you cant always be at your best and the lessons learned: dont post questions in forums when you instead should go to bed.

I hade a quick glance at the code but could really find any way of actually making the script change the .conf file, but you are saying that

killswitch disable

would create the # for you?

however it was a really nice experience to use the

vx

command and put the # there.

but I'm still confused about why the killswitch isnt engaged at normal boot even though the # is not there. does wgm have multiple means of tracking whieter the killswitch should be engaged or not? cant seem to find any setting for it in the sql database.

//Zeb

 

[Martineau]

I hade a quick glance at the code but could really find any way of actually making the script change the .conf file, but you are saying that

killswitch disable

would create the # for you?

No, as explained in the previous post, the killswitch command never alters the .conf file.

I'm still confused about why the killswitch isnt engaged at normal boot even though the # is not there.

Wasn't aware that it wasn't applied if appropriate @boot - could be an embarrassing bug.

EDIT: Just did a reboot and Syslog shows that wg_firewall was executed (if not explicitly proven to be called from nat-start)

Oct 15 09:55:07 RT-AC86U-6160 WAN_Connection: WAN was restored.

Oct 15 09:55:07 RT-AC86U-6160 Samba_Server: daemon is started
Oct 15 09:55:07 RT-AC86U-6160 wsdd2[3237]: starting.
Oct 15 09:55:07 RT-AC86U-6160 kernel: wireguard: WireGuard 1.0.20210606 loaded. See www.wireguard.com for information.
Oct 15 09:55:07 RT-AC86U-6160 kernel: wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
Oct 15 09:55:07 RT-AC86U-6160 miniupnpd[3244]: HTTP listening on port 56809
Oct 15 09:55:07 RT-AC86U-6160 miniupnpd[3244]: Listening for NAT-PMP/PCP traffic on port 5351
Oct 15 09:55:07 RT-AC86U-6160 avahi-daemon[3168]: Server startup complete. Host name is RT-AC86U-6160.local. Local service cookie is 650580588.
Oct 15 09:55:07 RT-AC86U-6160 avahi-daemon[3168]: Alias name "RT-AC86U" successfully established.
Oct 15 09:55:08 RT-AC86U-6160 wireguard-clientwg12: Initialising Wireguard VPN client Peer (wg12) in Policy Mode to 209.58.188.180:51820 (# Mullvad)
Oct 15 09:55:08 RT-AC86U-6160 wireguard-clientwg12: Executing Event:wg12-route-up.sh
Oct 15 09:55:08 RT-AC86U-6160 wireguard-clientwg12: Warning: No Selective Routing rules found
Oct 15 09:55:08 RT-AC86U-6160 wireguard-clientwg12: ***ERROR IPSet 'Netflix' does NOT EXIST! for routing through VPN 'client' Peer wg12
Oct 15 09:55:08 RT-AC86U-6160 wireguard-clientwg12: Initialisation complete.
Oct 15 09:55:08 RT-AC86U-6160 (wg_manager.sh): 2804 v4.11bC Initialising Wireguard VPN 'server' Peer (wg21)
Oct 15 09:55:08 RT-AC86U-6160 wireguard-server1: Initialising Wireguard VPN 'Server' Peer (\e[95mwg21\e[92m) on 192.168.0.1:51820
Oct 15 09:55:08 RT-AC86U-6160 wireguard-server1: Initialisation complete.

Oct 15 09:55:11 RT-AC86U-6160 (wg_firewall): 4321 Checking if WireGuard VPN Peer KILL-Switch is required.....
Oct 15 09:55:11 RT-AC86U-6160 (wg_firewall): 4321 Restarting WireGuard to reinstate RPDB/firewall rules

Oct 15 09:55:11 RT-AC86U-6160 (wg_manager.sh): 4342 v4.11bC Requesting WireGuard VPN Peer stop (wg12 wg21)
Oct 15 09:55:11 RT-AC86U-6160 (wg_manager.sh): 4342 v4.11bC Requesting termination of WireGuard VPN 'client' Peer ('wg12')
Oct 15 09:55:12 RT-AC86U-6160 (wg_manager.sh): 4342 wg12:[97m transfer: 92 B received, 180 B sent            [97m0 Days, 00:00:04 from 2021-10-15 09:55:08 >>>>>>[0m
Oct 15 09:55:12 RT-AC86U-6160 (wg_manager.sh): 4342 wg12: period : 92 Bytes received, 180 Bytes sent (Rx=92;Tx=180)