Wireguard Session Manager - Discussion (2nd) thread

hmm... noticing that both WAN rules end up with the same priority... have never seen this (actually didn't think this was possible)... try to delete your camera rule so you only have one prio 9910. don't know if this changes anything... probably @chongnt is right... this rabbit hole goes way deeper. but it could be worth a final test before giving up...

I would probably recommend you switch to default routing and handle your single computer outside:
Code:
E:Option ==> peer wg11 auto=Y
E:Option ==> restart wg11
then you should have all you want, except that your camera will be on VPN, but that is easier to fix. Could you please confirm that this works for you?

One word of caution however: your camera's DNS lookups will probably end up going over VPN. But I'm guessing you only use this to get to your camera from outside, so it should be ok, right?

//Zeb

I tried auto=Y and everything works; DDNS seems to work too and is reporting my ISP WAN IP, but somehow I can't view the camera from an outside network, only from the same wifi network in my home. That's the reason I spent days figuring out that routing the camera IP 192.168.50.150 to WAN fixed this issue.

Just curious: if I use auto=Y, won't it force all routes to go through VPN? How would I be able to route the camera IP through WAN?

Thanks for all the trouble Zeb, I learned something
 
somehow, yes... thinking that this all would be solved by the "local" routing table sorting out all local interface business, but apparently not... wouldn't you get the same if you use default routing?
I’m currently outside. Will test it when I get back.
Based on the latest reply from @DragonOfJustice, default routing is working mostly except for the camera. Like you mentioned, I think there is a way to leak this out to WAN.

Edit:
Here is my output with default routing
Code:
ip route show table main
0.0.0.0/1 dev wg11 scope link 
default via (WAN IP) dev ppp0 
...snipped...

I tested adding another ip rule for a specific host. Say in this case the main is priority 9910. I add another rule for the camera with a higher priority.
Code:
ip rule add from 192.168.50.150 table 9909 prio 9909

Then I added default route to ppp0 as this is my WAN to this new table. It should be the same dev as shown in the table main above.
Code:
ip route add default dev ppp0 scope link table 9909
 
Just curious: if I use auto=Y, won't it force all routes to go through VPN? How would I be able to route the camera IP through WAN?
well, no, not really. the main routing table is the routing "last resort". it just overrides the default route (via WAN) to be via VPN if no other routes could be found (for unknown destinations). but the main routing table is maintained by the kernel mostly and contains a lot of routes throughout your system that i.e. local packages will use to find their way to the target.
when you use policy routing an extra table is created, but this only contains the very basic routes (as a measure to make sure that routing will be to VPN and nowhere else). forcing local packages to use this sparse table obviously doesn't work. maybe @chongnt has some time to experiment to see if he can make it work.

so what you need to do is to reverse the process to create a routing table without VPN routing and a rule for your camera to use this table instead.

create a wgm custom script:
Code:
nano /jffs/addons/wireguard/Scripts/wg11-up.sh

populate the file with:
Code:
#!/bin/sh
#
#################################
# Create ip table 117 without VPN
#################################
ip route flush table 117 2>/dev/null # Clear table 117
ip route show table main | while read ROUTE # Copy all routes from main table to table 117 except wg11 routes
do
    {
        if ! echo "$ROUTE" | grep 'wg11' ; then
                ip route add table 117 $ROUTE
        fi
    } 1> /dev/null
done
###############################

#################################
# Add rules for which to use this table
#################################
ip rule add from 192.168.50.150 table 117 prio 9990
# More rules for single ip's could be added here if needed....
#################################

#################################
# Clear route cache so routing will start over
#################################
ip route flush cache
#################################

create another wgm custom script:
Code:
nano /jffs/addons/wireguard/Scripts/wg11-down.sh

populate it with:
Code:
#!/bin/sh

# Delete rules:
ip rule del prio 9990

# Delete table 117:
ip route flush table 117 2>/dev/null

Set your files to be executable:
Code:
chmod +x /jffs/addons/wireguard/Scripts/wg11-up.sh
chmod +x /jffs/addons/wireguard/Scripts/wg11-down.sh

Run the up-script manually to get it started right away (from now on it will be executed after wgm starts wg11):
Code:
/jffs/addons/wireguard/Scripts/wg11-up.sh

If you experience any problems you could just run the -down script manually, and if you don't want them you could delete them or move them somewhere else....

good luck!

//Zeb
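A dry run of what the up-script above does, plus a check of the rule-priority point chongnt raises in the next reply, as an added example (not code from the thread or from wgm). The main-table and ip-rule listings are constructed samples with documentation addresses, the route copy matches "dev wg11" exactly instead of grepping for the substring, and the priority check assumes the first matching rule's table holds a route for the destination.

```shell
#!/bin/sh
# Added example, not from the thread or from wgm. All listings below are
# constructed samples (documentation addresses), not output from a real router.

# What `ip route show table main` might look like with wg11 in default mode.
SAMPLE_MAIN='0.0.0.0/1 dev wg11 scope link
default via 203.0.113.1 dev ppp0
10.5.0.0/24 dev wg11 proto kernel scope link src 10.5.0.2
128.0.0.0/1 dev wg11 scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
203.0.113.1 dev ppp0 proto kernel scope link src 203.0.113.57'

# `ip rule show` with the camera rule at prio 9990, behind a "from all" rule at 9910.
SAMPLE_RULES_LATE='0: from all lookup local
9910: from all lookup 9910
9990: from 192.168.50.150 lookup 117
32766: from all lookup main
32767: from all lookup default'

# Same rules with the camera rule moved in front of the 9910 rule.
SAMPLE_RULES_EARLY='0: from all lookup local
9909: from 192.168.50.150 lookup 117
9910: from all lookup 9910
32766: from all lookup main
32767: from all lookup default'

# Dry run of the up-script: print the `ip route add` commands that would build
# table $2 from the main-table listing $1, leaving out every route whose
# device is the VPN interface $3 (exact "dev <if>" match, not a substring grep).
build_table_cmds() {
    printf '%s\n' "$1" | while IFS= read -r route; do
        case " $route " in
            *" dev $3 "*) continue ;;   # VPN route: do not copy
        esac
        printf 'ip route add table %s %s\n' "$2" "$route"
    done
}

# Which table a packet from source $2 ends up in, given the rule listing $1.
# Rules are tried in ascending prio order; the first whose selector is
# "from all" or "from <source>" wins. The local table (prio 0) only holds
# directly attached addresses, so it is skipped for internet-bound traffic,
# and the winning table is assumed to contain a route for the destination.
winning_table() {
    src="$2"
    printf '%s\n' "$1" | while IFS= read -r rule; do
        prio="${rule%%:*}"
        [ "$prio" = "0" ] && continue
        set -- $rule                     # $3 = selector, $5 = table
        case "$3" in
            all|"$src") echo "$5"; break ;;
        esac
    done
}

# Stand-alone run: show the commands, then where the camera's traffic lands.
build_table_cmds "$SAMPLE_MAIN" 117 wg11
echo "camera with prio 9990 rule -> table $(winning_table "$SAMPLE_RULES_LATE" 192.168.50.150)"
echo "camera with prio 9909 rule -> table $(winning_table "$SAMPLE_RULES_EARLY" 192.168.50.150)"
```

With the camera rule at prio 9990 the "from all" rule at 9910 is consulted first, so the camera never reaches table 117; a prio below 9910 fixes that.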
 
Nicely done. @ZebMcKayhan.
Much better than my basic test, which just adds a single route in the new table. Yours copies all except the route to wg into the new table. I looked at his screen capture earlier; his main table is prio 9910. He might need to change the prio 9990 in your script to something lower than 9910.
 

Thank you a lot Zeb and chongnt for helping, it actually works and the camera IP works ok outside the network. Thank you both.

Edit
Here's the IP rule after I restarted to test the -up and -down sh and see if they run properly

[screenshot of the ip rule output omitted]
I guess this is it.
 
I looked at his screen capture earlier; his main table is prio 9910. He might need to change the prio 9990 in your script to something lower than 9910
right you are, however these rules all originate from wg11 policy rules, which are never applied now that wg11 is put in default mode...

Edit
Here's the IP rule after I restarted to test the -up and -down sh and see if they run properly
looking good! glad we finally made it!

//Zeb
 

Okay, I have another scenario. This is optional, but please advise me if there's some way to get this.

I've now set up a Wireguard server wg21 with IP 10.8.0.1/24, then created a peer named phone; it will be used when I roam outside my house, but I want to use my router as the main internet.
The phone client is created with IP 10.8.0.2/32 and added to my Android phone.
However, as soon as I hit the connect button on the phone, there is no internet on my phone.

[screenshot omitted]

Is there anything else I need to set up? The Wireguard client on the phone is using my DDNS:51820 as endpoint.
 
This is a tough one. I am not sure if this is possible with wg11 in default mode. You dial in from remote via WAN, but somehow the router/wg vpn server now is sending everything out to your VPN provider instead of WAN. It should work in policy mode.
By the way, you may want to remove/hide your public ip in the screenshot above.
 
This is a tough one. I am not sure if this is possible with wg11 in default mode. You dial in from remote via WAN, but somehow the router/wg vpn server now is sending everything out to your VPN provider instead of WAN. It should work in policy mode.
I don't see any principal problems why this should not work. I assume the kernel has put in routing information in the main table for packages to the wg server... the only thing will be that packets to unknown addresses (internet) will be routed out the VPN client...

but I have never set up a server so I wouldn't know how this is supposed to work.

@DragonOfJustice you could check that this has been created for your server by issuing:
Code:
ip route show table main
and remove any public IP addresses you might have....

//Zeb
 
Yes, packets to unknown addresses (internet) are routed out to WG11 in this case. However, his DDNS address is his WAN IP. I am not sure at this point whether the incoming packet will reach the wg vpn server properly or not. From the remote device there are only sent packets but nothing received. From the router wg server end, there is nothing received.
Any idea what to test? I have a wg vpn server set up so I can test it out.
 
His DDNS name could not be used when he is connected via wg server... he could set up unbound to resolve these addresses locally (?) if needed when he is now connected via the server.

@DragonOfJustice seems to lose all internet connection from his phone as he connects to his server, which should not be related to DDNS (?). I don't see how this could be related to using default routing instead of policy based routing. somehow, some information does not seem to get routed or accessed properly.

@chongnt if you have the possibility to set your client in default mode and test if you can access internet via wg server?

//Zeb
 
The moment I set wg11 auto=Y and restarted it, my device lost connection. Only packets sending out from the device. On the router wg vpnserver end, there is no packet received already. Handshake could not be completed.
 
The moment I set wg11 auto=Y and restarted it, my device lost connection. Only packets sending out from the device. On the router wg vpnserver end, there is no packet received already. Handshake could not be completed.
you mean the handshake between your phone and the wg server does not complete? so the packages for the server get routed out the wg client? kind of makes sense now that I think about it (guess that was what you tried to tell me before, but I'm a bit slow).

wonder if it's possible to bind the wg21 interface to a specific socket... will have to search around...

meanwhile, would you mind trying out
Code:
ip rule add iif wg21 table 117 prio xxxx
and see if this works to send the wireguard interface reply to a routing table which defaults to wan?
of course you might need to manually make your routing table again and alter the table and put in a suitable priority...

//Zeb

Edit: there still could be a problem accessing internet, I don't know how masquerading is done in default mode, but hopefully the handshakes should work...
 
My last test was using a laptop connected to my phone's mobile internet. From the laptop I use the WG client to dial in to my router. In this setup, once I restart wg11 in auto=Y, my laptop's internet connection is down.
Now I use my phone on mobile data and the wg app to dial in. Once I restart wg11 in auto=Y, my phone loses its internet connection too.
Both tests started with wg11 in auto=p.

I ran tcpdump when doing this.
Code:
21:33:00.742291 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 96
21:33:00.750680 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 96
21:33:00.815519 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 112
21:33:00.818140 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 112
21:33:00.818856 IP WAN_IP.51820 > Phone_IP.26368: UDP, length 128
21:33:00.830353 IP WAN_IP.51820 > Phone_IP.26368: UDP, length 176
21:33:00.897712 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 96
21:33:00.898169 IP WAN_IP.51820 > Phone_IP.26368: UDP, length 96
21:33:00.966366 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 96
21:33:00.973380 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 608
21:33:00.973777 IP WAN_IP.51820 > Phone_IP.26368: UDP, length 96
21:33:01.000513 IP WAN_IP.51820 > Phone_IP.26368: UDP, length 1312
21:33:01.000566 IP WAN_IP.51820 > Phone_IP.26368: UDP, length 976
21:33:01.073446 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 96
21:33:01.078004 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 96
21:33:01.078332 IP WAN_IP.51820 > Phone_IP.26368: UDP, length 96
21:33:01.154070 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 96
21:33:01.948927 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 96


Code:
21:33:59.170314 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 112
21:33:59.170411 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 112
21:33:59.173067 IP 10.5.0.2.51820 > Phone_IP.26368: UDP, length 224
21:33:59.173100 IP 10.5.0.2.51820 > Phone_IP.26368: UDP, length 192
21:34:03.310731 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 112
21:34:03.313247 IP 10.5.0.2.51820 > Phone_IP.26368: UDP, length 224
21:34:03.318809 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 112
21:34:03.321273 IP 10.5.0.2.51820 > Phone_IP.26368: UDP, length 192
21:34:11.663589 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 112
21:34:11.665764 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 112
21:34:11.666120 IP 10.5.0.2.51820 > Phone_IP.26368: UDP, length 224
21:34:11.667210 IP 10.5.0.2.51820 > Phone_IP.26368: UDP, length 192
21:34:12.200271 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 148
21:34:12.201743 IP 10.5.0.2.51820 > Phone_IP.26368: UDP, length 92
21:34:17.511223 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 148
21:34:17.512707 IP 10.5.0.2.51820 > Phone_IP.26368: UDP, length 92
21:34:22.795170 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 148
21:34:22.796705 IP 10.5.0.2.51820 > Phone_IP.26368: UDP, length 92
21:34:28.036998 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 148
21:34:28.038401 IP 10.5.0.2.51820 > Phone_IP.26368: UDP, length 92
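A check over captures like the two above, as an added example (not code from the thread): it flags packets sourced from the server port whose source address is not the WAN address, which is exactly the symptom in the second capture, where replies leave as 10.5.0.2 instead of WAN_IP. The capture lines are a constructed sample that keeps chongnt's Phone_IP and WAN_IP placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. The capture lines are a constructed
# sample modelled on chongnt's tcpdump output above, keeping his Phone_IP
# and WAN_IP placeholders and the 10.5.0.2 wg11 address he observed.
SAMPLE_CAPTURE='21:33:00.818856 IP WAN_IP.51820 > Phone_IP.26368: UDP, length 128
21:33:59.170314 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 112
21:33:59.173067 IP 10.5.0.2.51820 > Phone_IP.26368: UDP, length 224
21:34:12.200271 IP Phone_IP.26368 > WAN_IP.51820: UDP, length 148
21:34:12.201743 IP 10.5.0.2.51820 > Phone_IP.26368: UDP, length 92'

# Print every packet in capture $1 sourced from server port $3 whose source
# address is not the WAN address $2. The client only talks to WAN_IP:51820 and
# discards replies from any other address, so each printed line is a server
# reply that left through the wrong interface (here: the wg11 tunnel).
leaked_replies() {
    printf '%s\n' "$1" | awk -v wan="$2" -v port="$3" '
        $2 == "IP" {
            src = $3
            n = split(src, part, ".")             # last dotted field is the port
            sport = part[n]
            saddr = substr(src, 1, length(src) - length(sport) - 1)
            dst = $5; sub(/:$/, "", dst)          # drop the trailing ":" tcpdump prints
            if (sport == port && saddr != wan) print $1, saddr, "->", dst
        }'
}

# Stand-alone run: list the replies that did not go out via WAN_IP.
leaked_replies "$SAMPLE_CAPTURE" WAN_IP 51820
```

On the first capture above the function prints nothing; on the second it prints every 10.5.0.2 reply.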
 
yep... the response from the wg21 server gets routed out wg11...

if you try your:
Code:
ip route add default dev ppp0 scope link table 9909
ip rule add iif wg21 table 9909 prio xxxx

does your handshake work then?
 
I tried changing prio to higher and lower numbers but nothing seems to have changed. tcpdump still shows 10.5.0.2 (wg11 P-t-P IP) as the wg vpnserver source IP.
 
same result.
Ok, thanks for all the testing... well, I'm out of ideas on how to make the server packages go out WAN, and I have no ability to test for myself.

Sorry.

Perhaps using the firewall to mark UDP packages with the wg21 port number and a rule to route these out the WAN table, but I'm too tired right now...

//Zeb
 
Thanks for the idea.
There are some discussions on similar setup but for OpenVPN in this forum. Not sure if those will be helpful.
 
