Wireguard Session Manager - Discussion (2nd) thread

Yes :\ I've confirmed that there was an issue with the killswitch in 4.11 and have permanently disabled it in 4.12b2 for now. But I still have the same issue: when I start wg11, Internet dies, I can't reach 'anything'. As soon as I stop it, Internet works again. I don't have this issue with OpenVPN on the router or when I try the exact same Wireguard key in another device.

And I can't see anything wrong in the imported Wireguard key in WGM. The only difference I see is that DNS and Address are disabled with # in front of them.

I'm not familiar with Linux and iptables at all, so the wgm diag doesn't say anything to me. But I did send it to @Martineau.

I'm on Merlin fw RT-AC86U_386.3_2 for my Asus RT-AC86U

WAN on the Router:
I have tried different DNS (Cloudflare and my VPN Provider) and automatic from ISP
Disabled Rebind protection and DNSSEC

LAN on the router:
DNSFilter is enabled and Global set to Router

Restarted router within the gui and also tried a hard restart.

Disabled Skynet and Diversion just in case.

But yea... the issue remains...
I don't appear to have received feedback on explicit ping/nslookup diagnostics.

However, the diag shows
Code:
Chain WGDNS1 (2 references)

num pkts bytes target prot opt in out source destination
1 23 1528 DNAT all -- * * 192.168.1.0/24 0.0.0.0/0 /* WireGuard 'client1 DNS' */ to:192.165.9.158

So I assume that you are using VPN provider OVPN.COM? and just contacted them....

I guess unless I formally sign-up for a minimum 1-month €11 subscription they have clearly stated their position unless you can think of another option?

Not sure if @ZebMcKayhan's tip about using a different DNS will work?
 
Ok, let's hope @Martineau finds anything that could be fixed.

If you issue "wg show" from the terminal (not inside wgm), do you see any traffic (rx/tx bytes) or are they both 0?

If the peer is working and you have at least some rx/tx bytes, you could check whether it is DNS related by pinging an IP that does not need to be resolved (like www.google.com's):
Code:
ping 142.250.74.36

and see if you get any replies... If you do, the connection works, you just can't resolve names (which usually appears as not being able to access anything).

Some VPN ISPs block access to DNS servers other than their own, which is included in the .conf file. I don't know how this is with OVPN, but using the DNS from the original .conf file might be required. DNS in @Odkrys scripts works differently depending on whether you use default routing or policy routing.
When you had this working, did you use default or policy routing? Did you use the DNS from the original .conf file and move it into the wg scripts?

wgm usually overrides the WAN DNS from the router GUI with the one you specify inside wgm. The DNS should be changed inside wgm by:
Code:
peer wg11 dns=9.9.9.9
then restart the client:
Code:
restart wg11

Make a note of your original DNS from the .conf file and try to swap back and forth. But this all of course requires the peer to work, meaning you have some rx/tx bytes and can ping IP addresses.

//Zeb

I'm pretty sure @Martineau saw that the wg11 was clearly up and there was traffic. I will try adding the DNS inside WGM as you suggested and ping google.com

I tried both default and policy when I used @Odkrys guide. DNS and address were disabled in the .conf file and DNS was added under WAN in the router gui (I did not add anything in wg scripts). DNSLeakTest showed IP from OVPN.com and their DNS.

That is correct, OVPN.com is a Swedish provider I'm using. Following @Odkrys guide I easily got Wireguard to work, though, using both default and policy. DNS and address disabled in the conf and the DNS was added under WAN in the router gui. So it should not be an issue with my OVPN.com. But if it happens to be that, I just have to change VPN provider, probably Mullvad (I think my one-year subscription at OVPN.com is closing in on its end anyway).

I can try later tonight adding the DNS in WGM following @ZebMcKayhan advice.

I missed the part "I don't appear to have received feedback on explicit ping/nslookup diagnostics."

Will take a look at that as well.

I'm not a network techie so I apologize for any inconvenience.
 
I guess unless I formally sign-up for a minimum 1-month €11 subscription they have clearly stated their position unless you can think of another option?
Since @DreaZ actually had this working using @Odkrys scripts it should not be that far away. We just need to figure out what is different between that working setup and the current wgm setup.

//Zeb
 
I'm pretty sure @Martineau saw that the wg11 was clearly up and there was traffic.
The WireGuard wg11 interface is clearly UP, as indicated by the explicit handshake message (and the transfer metrics)

Code:
latest handshake: 1 minute, 59 seconds ago
transfer: 444 B received, 112.86 KiB sent

Also, hopefully in Syslog, wireguard_manager should be writing messages showing the increasing RX/TX metrics every hour?

e.g.
Code:
Oct 20 16:59:01 RT-AC86U-6160 (wg_manager.sh): 24753 wg12: transfer: 95.32 KiB received, 352.91 KiB sent        1 days 12:57:00 from 2021-10-19 04:02:01 >>>>>>
Oct 20 16:59:01 RT-AC86U-6160 (wg_manager.sh): 24753 wg12: period : 2.60 KiB received, 9.59 KiB sent (Rx=2663;Tx=9820)

Since you are not using Selective RPDB Routing, ALL LAN devices are routed via the WireGuard interface 'wg11' as indicated by the clever routing rules 0.0.0.0/1 and 128.0.0.0/1

Code:
DEBUG: Routing Table main

0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link
10.50.1.0/24 dev wg21 proto kernel scope link src 10.50.1.1

If the same .conf still works i.e. it hasn't expired (sometimes indicated by a very low received Byte count e.g. 444 B for the Handshake message) then it would suggest a DNS issue. Did you remove the OVPN DNS from the WAN configuration page after temporarily removing the @Odkrys method?
I can try later tonight adding the DNS in WGM following @ZebMcKayhan advice.
:)
I'm not a network techie so I apologize for any inconvenience.
No problem.
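The triage that @ZebMcKayhan and @Martineau describe above (no rx/tx bytes means the peer is not up; a handshake with only a few hundred bytes received suggests an expired .conf; real traffic but no name resolution points at DNS) as an added POSIX sh example, not part of wireguard_manager. The 4096-byte "handshake only" threshold is an assumption, and the `wg show` samples are constructed from the output quoted in the thread.

```sh
#!/bin/sh
# Added example, not wireguard_manager code: classify a peer from "wg show" output.

# Convert a wg(8) human-readable size ("444 B", "112.86 KiB", "35.77 MiB") to bytes.
to_bytes() {
    num=$1; unit=$2
    case "$unit" in
        B)   mult=1 ;;
        KiB) mult=1024 ;;
        MiB) mult=1048576 ;;
        GiB) mult=1073741824 ;;
        *)   echo "unknown unit: $unit" >&2; return 1 ;;
    esac
    # awk does the decimal arithmetic; sh only has integers
    awk -v n="$num" -v m="$mult" 'BEGIN { printf "%d\n", n * m }'
}

# Bytes received, parsed from the "transfer: X received, Y sent" line.
rx_bytes() {
    printf '%s\n' "$1" | awk '/transfer:/ { print $2, $3 }' | { read -r n u; to_bytes "$n" "$u"; }
}

# 1 if wg show reports a completed handshake, else 0.
has_handshake() {
    if printf '%s\n' "$1" | grep -q 'latest handshake:'; then echo 1; else echo 0; fi
}

# Verdict for a peer. $2 = "names-fail" when IP pings work but names do not resolve.
triage() {
    hs=$(has_handshake "$1")
    if [ "$hs" -eq 0 ]; then echo "DOWN: no handshake, peer not reachable or key/endpoint wrong"; return; fi
    rx=$(rx_bytes "$1")
    if [ "$rx" -lt 4096 ]; then           # assumed threshold: roughly a handshake and nothing else
        echo "HANDSHAKE-ONLY: $rx bytes received, check whether the .conf has expired"
    elif [ "${2:-}" = "names-fail" ]; then
        echo "DNS: $rx bytes received but names do not resolve, check peer DNS / DNAT"
    else
        echo "UP: $rx bytes received"
    fi
}

# Constructed samples modelled on the thread's quoted output (keys redacted).
WG_SHOW_OVPN='interface: wg11
peer: <redacted>
  endpoint: vpn01.prd.malmo.ovpn.com:9929
  latest handshake: 1 minute, 59 seconds ago
  transfer: 444 B received, 112.86 KiB sent'
WG_SHOW_CACTUS='interface: wg15
peer: <redacted>
  latest handshake: 12 seconds ago
  transfer: 35.77 MiB received, 11.18 MiB sent'

if [ "${1:-}" = "demo" ]; then
    triage "$WG_SHOW_OVPN"
    triage "$WG_SHOW_CACTUS"
fi
```

On the router itself the same functions can be fed the live output with `triage "$(wg show wg11)"`.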
 
No doubt it is probably staring me in the face, or perhaps it is simply destiny subtly nudging me again to take down/retire wireguard_manager. ;)
 
Code:
Chain WGDNS1 (2 references)

num pkts bytes target prot opt in out source destination
1 23 1528 DNAT all -- * * 192.168.1.0/24 0.0.0.0/0 /* WireGuard 'client1 DNS' */ to:192.165.9.158
Is DNS DNAT used even for default routing? Guess it makes sense to eliminate leaks.

Wonder if it is an idea for @DreaZ to test putting the OVPN DNS in the WAN page and issuing in wgm:
Code:
peer wg11 dns=192.168.1.1
restart wg11

Then the router and dnsmasq would handle DNS requests, and if there is anything blocking access it would be bypassed?
So if this works there is probably some GUI setting causing the router to block DNS DNAT??

This solution would not be sustainable but could give us a clue what is going on?

Noticing @DreaZ said: "DNSFilter is enabled and Global set to Router". This would enforce DNS requests to the router? Wouldn't this conflict with DNAT? Maybe DNS filter should be disabled? At least worth a test?

//Zeb

Edit: just checked my own settings and dns-filter is enabled, Global filter set to Router and the client list is empty, and wgm DNS DNAT works for me...
 
All very puzzling....and starting to have self-doubt regarding the possibility of a serious flaw with wireguard_manager

Consequently, I have just signed up for a FREE (no credit card details asked for) three day trial with Cactus VPN to use their WireGuard service, and their online configurator

Clicking the Download Configuration File button created 'dallas.conf' and having duly imported the .config it worked as expected (NOTE: the use of DNS 1.1.1.1)
Code:
e  = Exit Script [?]

E:Option ==> import dallas comment Cactus USA, Dallas

    [✔] Config dallas import as wg15 success
Closed ALL running 'server'/'client' peers
Code:
e  = Exit Script [?]

E:Option ==> stop
then started the imported wg1x interface (in my case wg15)
Code:
e  = Exit Script [?]

E:Option ==> start wg15

    Requesting WireGuard VPN Peer start (wg15 )

    wireguard-clientwg15: Initialising Wireguard VPN 'client' Peer (wg15) to xxx.xxx.xxx.xxx:ppppp (# Cactus USA, Dallas) DNS=1.1.1.1
    wireguard-clientwg15: Initialisation complete.
and all is fine....geo location puts me in Texas USA, and stopping the connection shows expected traffic metrics:
Code:
e  = Exit Script [?]

E:Option ==> stop wg15

    Requesting WireGuard VPN Peer stop (wg15 )

    wg15: transfer: 35.77 MiB received, 11.18 MiB sent      0 Days, 00:54:50 from 2021-10-22 16:43:13 >>>>>>
    wg15: period : 13.49 MiB received, 4.76 MiB sent (Rx=14145291;Tx=4991222)
    wireguard-clientwg15: Wireguard VPN 'client' Peer (wg15) to xxx.xxx.xxx.xxx:ppppp (# Cactus USA, Dallas) Terminated

@DreaZ, if you have time/motivation, perhaps you could care to quickly try Cactus VPN, to see if wireguard_manager still fails even with a different provider?
 
Tried some more today with OVPN.

Generated a brand new WG-key and imported it.

Changed the DNS inside WGM to OVPN 46.227.67.134 / 192.165.9.158.
DNS inside router gui as Automatic from ISP. No luck.

Changed to OVPN DNS in router gui and 192.168.1.1 on peer in WGM, restarted peer - no luck.

Tried ping Google - 142.250.74.3 - Request timed out

Rx/tx is not empty. But other than that, no improvement.

Tried Cactus and worked instantly. DNS is 1.1.1.1 and geo loc puts me in Stockholm.
 
Cactus conf
[Interface]
Address =
DNS = 1.1.1.1
PrivateKey =

[Peer]
PublicKey =
Endpoint =
AllowedIPs =

OVPN original conf
[Interface]
Privatekey =
Address =
DNS = 46.227.67.134, 192.165.9.158

[Peer]
PublicKey =
AllowedIPs =
Endpoint =

OVPN modified/imported
[Interface]
#Address =
#DNS = 46.227.67.134
PrivateKey =

[Peer]
PublicKey =
Endpoint =
AllowedIPs =

I’ve noticed an issue when peer is up in WGM with Skynet firewall though. When entering the menu for Skynet, it takes and it says Lock file detected and no internet connectivity.

Shutting down WGM peer and the issue is gone.

Hmm…

Edit: Skynet issue seems to have resolved itself.
 
Cactus conf
[Interface]
Address = 10.1.84.70/32
DNS = 1.1.1.1
PrivateKey =

[Peer]
PublicKey =
Endpoint = 185.117.88.249:60100
AllowedIPs = 0.0.0.0/0

OVPN original conf
[Interface]
Privatekey =
Address = 172.16.228.253/32, fd00:0000:1337:cafe:1111:1111:7abe:95b1/128
DNS = 46.227.67.134, 192.165.9.158

[Peer]
PublicKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn01.prd.malmo.ovpn.com:9929

OVPN modified/imported
[Interface]
#Address = 172.16.228.253/32
#DNS = 46.227.67.134
PrivateKey =

[Peer]
PublicKey =
Endpoint = vpn01.prd.malmo.ovpn.com:9929
AllowedIPs = 0.0.0.0/0

I’ve noticed an issue when peer is up in WGM with Skynet firewall though. When entering the menu for Skynet, it takes and it says Lock file detected and no internet connectivity.

Shutting down WGM peer and the issue is gone.

Hmm…

Edit: Skynet issue seems to have resolved itself.
Really glad you made it work!

From what I can see you changed the location of the PrivateKey, allowedips and removed ipv6. I have ipv6 addresses too and that's no problem.
I checked my files and all have privatekey first. I do however got the position of your working allowedips. Could that order really matter??

Well, now you should be able to get this working as you want:
Code:
E:Option ==> peer wg11 rule add wan src=192.168.1.x comment SingleUseWAN
E:Option ==> peer wg11 rule add vpn src=192.168.1.1/24 comment RestUseVPN
E:Option ==> peer wg11 auto=p

I usually get lockfile after reinstall or aborting some command. Don't really know the meaning but usually it is resolved by itself after 10min or so.

//Zeb
 
So effectively you manually removed ALL IPv6 related fields?
Code:
OVPN original conf                                                          OVPN modified/imported

[Interface]                                                                 [Interface]
Privatekey =                                                                PrivateKey =
Address = 172.16.228.253/32, fd00:0000:1337:cafe:1111:1111:7abe:95b1/128    #Address = 172.16.228.253/32
DNS = 46.227.67.134, 192.165.9.158                                          #DNS = 46.227.67.134

[Peer]                                                                      [Peer]
PublicKey =                                                                 PublicKey =
AllowedIPs = 0.0.0.0/0, ::/0                                                AllowedIPs = 0.0.0.0/0
Endpoint = vpn01.prd.malmo.ovpn.com:9929                                    Endpoint = vpn01.prd.malmo.ovpn.com:9929

So I tried the import against the OVPN.conf containing the IPv6 stuff
Code:
e  = Exit Script [?]

E:Option ==> import ovpn comment OVPN failing conf

    [✔] Config ovpn import as wg11 success

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51820  # RT-AC86U Server #1

Client  Auto  IP                                              Endpoint                       DNS             MTU  Annotate
wg11    N     fd00:0000:1337:cafe:1111:1111:7abe:95b1/128/32  vpn01.prd.malmo.ovpn.com:9929  192.165.9.158        # OVPN failing conf

Clearly I can see that wireguard_manager has corrupted the IPv6 address by incorrectly appending the additional '/32' suffix.

Given wireguard_manager has apparently decided that ONLY IPv6 should be configured, am I correct in assuming that IPv6 is ENABLED on your router?
Code:
nvram get ipv6_service

As I have no access to IPv6, I did pay nominal lip-service to IPv6 and tried to guess what should be added to the IPv6 iptables, but clearly I've failed at the first step and can't even process/extract the IPv6 address correctly :rolleyes: (and unnecessarily dropped the IPv4 address?)

I'll have to investigate the import logic and identify what needs to be done to fix/alert of the show-stopper IPv6 import function.

Thanks for trying Cactus VPN, and your assistance in identifying the bug(s)!

P.S. I don't use skynet so no idea if you are referring to wireguard_manager 'lock-file' ?
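The import defect shown above (the IPv4 address dropped and a spurious '/32' appended to the IPv6 one) comes down to how a comma-separated Address= value is split. As an added POSIX sh example, not wireguard_manager's own code and assuming nothing about wg_manager.sh's internals, this is how an importer can keep the IPv4 and IPv6 entries apart and add a prefix length only where one is missing. The sample .conf is constructed from the redacted OVPN file quoted in the thread.

```sh
#!/bin/sh
# Added example, not wireguard_manager code: parse Address=/AllowedIPs= from a
# WireGuard .conf into separate IPv4 and IPv6 lists without corrupting either.

# Split a comma-separated value into one entry per line, trimming whitespace.
split_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Add a host prefix only if the entry has none: /32 for IPv4, /128 for IPv6.
# Never append to an entry that already carries a prefix (the bug in the thread).
normalise_entry() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;          # prefix present, leave untouched
        *:*) printf '%s/128\n' "$1" ;;      # IPv6 host address
        *)   printf '%s/32\n' "$1" ;;       # IPv4 host address
    esac
}

# IPv4 entries (normalised) of an Address=/AllowedIPs= value, one per line.
ipv4_addresses() {
    split_entries "$1" | while IFS= read -r e; do
        case "$e" in *:*) ;; *) normalise_entry "$e" ;; esac
    done
}

# IPv6 entries (normalised) of an Address=/AllowedIPs= value, one per line.
ipv6_addresses() {
    split_entries "$1" | while IFS= read -r e; do
        case "$e" in *:*) normalise_entry "$e" ;; esac
    done
}

# Value of a directive: key matched case-insensitively ("Privatekey" vs
# "PrivateKey" both appear in the thread), '#'-commented lines ignored.
conf_value() {   # conf_value <key> <conf-text>
    printf '%s\n' "$2" | grep -v '^[[:space:]]*#' \
        | grep -i "^[[:space:]]*$1[[:space:]]*=" | head -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Constructed sample modelled on the OVPN .conf quoted in the thread (keys redacted).
OVPN_CONF='[Interface]
Privatekey = <redacted>
Address = 172.16.228.253/32, fd00:0000:1337:cafe:1111:1111:7abe:95b1/128
DNS = 46.227.67.134, 192.165.9.158

[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn01.prd.malmo.ovpn.com:9929'

if [ "${1:-}" = "demo" ]; then
    addr=$(conf_value Address "$OVPN_CONF")
    echo "IPv4: $(ipv4_addresses "$addr" | tr '\n' ' ')"
    echo "IPv6: $(ipv6_addresses "$addr" | tr '\n' ' ')"
fi
```

An importer that only has IPv4 iptables support (as described in the post) can then configure `ipv4_addresses` and log, rather than silently mangle, whatever `ipv6_addresses` returns.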
 
I also changed location of PrivateKey, DNS and Address

and Endpoint and AllowedIPs.

IPv6 is disabled.
 
Since both the DNS and Address directives will be auto-commented out by wireguard_manager anyway, the Private key effectively remains as the first line in the .conf, so it would appear that the crucial change was the Endpoint directive relocation, i.e. perhaps I should uncomment the clause in the import process to ensure it must be at the end of the .config
 
perhaps I should uncomment the clause in the import process to ensure it must be at the end of the .config
I have:
[Peer]
PublicKey =
Endpoint =
AllowedIps =
PersistKeepAlive =

My interpretation is that Endpoint must be after PublicKey but not further down?
 
Interesting discussion. My wg11.conf looks like this:

[Interface]
PrivateKey =
#Address =
#DNS =

[Peer]
PublicKey =
AllowedIPs =
Endpoint =
PersistentKeepalive =

Edit: I just checked the Wireguard app on my phone. Looks like your sequence matches the sequence in the app.
 
Ok, so now I know for sure what is the real deal in my conf if I want it to work.

It's the IPv6 in Address and AllowedIPs. I must remove those, otherwise it won't work. Nothing else needs to be changed.

[Interface]
PrivateKey =
#Address = Must remove ipv6
#DNS =

[Peer]
PublicKey =
AllowedIPs = must remove ipv6
Endpoint =
PersistentKeepalive =
 