Wireguard Session Manager - Discussion (2nd) thread

[Martineau]

@JGrana,

Here is the public release of the Site-to-Site feature to assist in creating the two .conf files to be used by wireguard_manager or wg-quick.

e.g. default invocation still creates 'SiteA.conf' and 'SiteB.conf'

e  = Exit Script [?]

E:Option ==> site2site

Hopefully the new command options should cover most of your custom requirements, and should be self-explanatory.

• Home location will use tunnel IP 10.10.10.99 and thus Cabin will be assigned +1 i.e. 10.10.10.100
• Home location will Listen on Port 54321 and thus Cabin will Listen on Port +1 i.e. 54322
• Cabin LAN is 192.168.111.0, and if allowedips= is not specified; allowedips=192.168.111.0/24 will be used

e  = Exit Script [?]

E:Option ==> site2site Home ip=10.10.10.99 port=54321 Cabin lan=192.168.111.0 allowips=10.1.1.0/24,192.168.111.4/30

    Creating WireGuard Private/Public key-pair for Site-to-Site Peers Home/Cabin

    Enter Cabin Endpoint remote IP, or Cabin DDNS name or press [Enter] to SKIP.
cabin.ip.ddns

    Warning: No DDNS is configured! to reach local Home Endpoint from remote Cabin
    Press y to use the current WAN IP or enter Home Endpoint IP or DDNS name or press [Enter] to SKIP.
home.ip.ddns

========== Home configuration =====================================================

# Home - 192.168.50.0/24
[Interface]
PrivateKey = gM0zxua/Rtoleno7XyldBfHoZ4Euj4AYE6NMyHkDiEM=
Address = 10.10.10.99/32
ListenPort = 54321

# Cabin LAN
[Peer]
PublicKey = vIv7WLtox3rE8P8B55LeK1yOtFDMYobMi+VYEVsnfXw=
AllowedIPs = 10.10.10.100/32, 10.1.1.0/24, 192.168.111.4/30
Endpoint = cabin.ip.ddns:54322

========== Cabin configuration =====================================================

# Cabin - 192.168.111.0/24
[Interface]
PrivateKey = oBTWIGljYEKB755s+mA91oyZpHE6XtEugeQktOcCIGs=
Address = 10.10.10.100/32
ListenPort = 54322

# Home LAN
[Peer]
PublicKey = E3to5PstMXrbCv5//wMvqHWc61O9GfaZhQX06fbFxDo=
AllowedIPs = 10.10.10.99/32, 192.168.50.0/24
Endpoint = home.ip.ddns:54321

=======================================================================================


    WireGuard Site-to-Site Peers Home and Cabin created


    Copy Cabin/Home files:

-rw-rw-rw-    1 admin    root           651 Jan 20 15:26 Cabin.conf
-rw-rw-rw-    1 admin    root            45 Jan 20 15:26 Cabin_private.key
-rw-rw-rw-    1 admin    root            45 Jan 20 15:26 Cabin_public.key
-rw-rw-rw-    1 admin    root            45 Jan 20 15:26 Home_public.key

    to remote location

    Press y to import Home or press [Enter] to SKIP.
y

    [✔] Config Home import as wg22 (FORCED as 'server') success

    WireGuard ACTIVE Peer Status: Clients 0, Servers 1

e  = Exit Script [?]

E:Option ==> start wg22

    Requesting WireGuard VPN Peer start (wg22)

    wireguard-server2: Initialising Wireguard VPN 'Server' Peer (wg22) on 192.168.0.1:54321 (# Home - 192.168.50.0/24)

    wireguard-server2: Initialisation complete.


    WireGuard ACTIVE Peer Status: Clients 0, Servers 2

e  = Exit Script [?]

E:Option ==> list

    interface: wg21  Port:51820 10.50.1.1/24                VPN Tunnel Network  # RT-AX86U Server #1
        peer: /mflDLvPdPVusLONOq0yV462tVXpBW2eeXFgvPICpRk=  10.50.1.2/32        # myPhone "Device"

    interface: wg22  Port:54321 10.10.10.99/32              VPN Tunnel Network  # Home - 192.168.50.0/24
        peer: vIv7WLtox3rE8P8B55LeK1yOtFDMYobMi+VYEVsnfXw=  10.10.10.100/32     # Cabin - 192.168.111.0/24

    WireGuard ACTIVE Peer Status: Clients 0, Servers 2

To upgrade use

e  = Exit Script [?]

E:Option ==> uf dev

 

[JGrana]

Thanks @Martin2021 , the latest (v4.14bC) is working out great setting up a Wireguard Site-to-Site tunnel!

I ended up removing the older wg_manager, backed up (then removed) my older /opt/etc/wireguard directory and files and installed new on both my home router (AX88U) and cabin (AX86U).

Did the uf dev to make sure I was now on v4.14bC on both sides.
On the home side, I did the site2site command. Answered the questions and it created the wg22 home server and the SiteA.conf and (more important) SiteB.conf files and keys.
I then copied the SiteB.conf and key files over to the cabin.
Ran wg_manager at the cabin and did the "import SiteB.conf type=server"
It created a wg22 and started it as well. I also set wg22 auto=y to make sure it starts after boot.

I now have both networks tunneled and can access clients/devices either direction.
Great job and thanks to both you and @ZebMcKayhan for assistance the last few days.

For others reading this post, I had been using wg-quick and some of the Entware tools. Got it working (with help!) but really wanted the benefit of wg_manager. Rather than hack together a start up script for wg-quick (and worry about ntp time sync, disable fc, etc.) I really wanted wg_manager to handle all that.

It is now handling all that well.
I was using OpenVPN for site-to-site but wanted the performance increase of Wireguard.
At this point, it's working well and I am getting anywhere from 50% or more performance gain.

 

[JGrana]

I tried to add a server peer to wg my mobile phone into "home".
When I do the
E:Option ==> create myphone

wg_manager doesn't like something about the site2site wg22:

***ERROR Invalid WireGuard 'server' Peer 'wg22

For info, here is what Option ==> peer shows:

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    N     10.50.1.1/24  51820  # RT-AX88U Server #1
wg22    Y     10.9.8.1/32   61820  # SiteA - 192.168.1.0/24

 

[ZebMcKayhan]

I now have both networks tunneled and can access clients/devices either direction.
Great job and thanks to both you and @ZebMcKayhan for assistance the last few days.

Great News!

@JGrana Whenever you have the time, could you please post each command you filled into wgm on both sides. I could try to use this for adding a section about this in my tutoral (obfuscate your ip/ddns and keys ofcourse). I think I got it all but just to be sure.

//Zeb

 

[Martineau]

I tried to add a server peer to wg my mobile phone into "home".
When I do the
E:Option ==> create myphone

wg_manager doesn't like something about the site2site wg22:

***ERROR Invalid WireGuard 'server' Peer 'wg22

For info, here is what Option ==> peer shows:

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    N     10.50.1.1/24  51820  # RT-AX88U Server #1
wg22    Y     10.9.8.1/32   61820  # SiteA - 192.168.1.0/24

Can you try binding the Road Warrior device to 'server' Peer 'wg21'

e  = Exit Script [?]

E:Option ==> create myphone wg21

then

e  = Exit Script [?]

E:Option ==> start wg21

e  = Exit Script [?]

E:Option ==> list

Then once you have scanned the 'myphone' QRCode into your phone you should see the connection.

I'll take a look at the code for the 'wg22' error when I get back later.

 

[Martineau]

I tried to add a server peer to wg my mobile phone into "home".
When I do the
E:Option ==> create myphone

wg_manager doesn't like something about the site2site wg22:

***ERROR Invalid WireGuard 'server' Peer 'wg22

For info, here is what Option ==> peer shows:

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet        Port   Annotate
wg21    N     10.50.1.1/24  51820  # RT-AX88U Server #1
wg22    Y     10.9.8.1/32   61820  # SiteA - 192.168.1.0/24

I've uploaded wireguard_manager Beta v4.14bDEF (EDIT:Additional design fixes)

e  = Exit Script [?]

E:Option ==> list

    interface: wg21  Port:51820    10.50.1.1/24                VPN Tunnel Network    # RT-AX86U Server #1
        peer: u13CcJ9//NuGbF3+OS2y26ElO7X/Tkg989iMSaN77mU=     10.50.1.2/32          # SGS20 "Device"

    interface: wg22  Port:61820    10.9.8.1/32                 VPN Tunnel Network    # Home - 192.168.50.0/24
        peer: gGXydEl930NVRay/NnrQjw/7BoZKehIWKybwyrCVSSI=     10.9.8.2/32           # Cabin Site-to-Site LAN 192.168.51.0/24
        peer: Sa5a+l+wRGP7l+L/QPWw9jQ9UuU7KPHTPcFKTyo3vxg=     10.9.8.3/32           # myphone device Multi Site-to-Site

Can you please test when convenient.

To upgrade

e  = Exit Script [?]

E:Option ==> uf dev

 

[JGrana]

It still complained. I am going to start fresh tomorrow. Uninstall wg_manager, clean up the .confs and redo everything.
Plus, @ZebMcKayhan asked if I would write down the steps. Might as well do both ;-)

 

[JGrana]

@Martineau , I have tried uf dev twice and wg_manager still shows v4.14bE?

 

[Martineau]

@Martineau , I have tried uf dev twice and wg_manager still shows v4.14bE?

It was updated 6 hours ago?

Just tried it here...try forcing downgrade to v4.13..

e  = Exit Script [?]

E:Option ==> uf

then

e  = Exit Script [?]

E:Option ==> uf dev

    Router RT-AX86U Firmware (v3.0.0.4.386.4_0)

    [✔] Entware Architecture arch=aarch64


    v4.13 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/main/wg_manager.sh)
    MD5=e4f628ef021820bbc3ce7e143cc973fb /jffs/addons/wireguard/wg_manager.sh

    wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
    wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

    [✔] WireGuard Module LOADED


    ***ERROR: MD5= ???? - WireGuard exists in firmware for  (v3.0.0.4.386.4_0)

    Checking for WireGuard Kernel and Userspace Tool updates...

    [✔] WireGuard Kernel module/User Space Tools included in Firmware RT-AX86U (v3.0.0.4.386.4_0) (1.0.20210124)

        WireGuard exists in firmware       - use 'vx' command to override with 3rd-Party/Entware (if available)
        User Space tool exists in firmware - use 'vx' command to override with 3rd-Party/Entware (if available)


    [✔] WireGuard Kernel module/User Space Tools included in Firmware (1.0.20210124)

    wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
    wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.


    Requesting WireGuard VPN Peer start (wg21)

    wireguard-server1: Initialising Wireguard VPN 'Server' Peer (wg21) on 192.168.0.1:51820 (# RT-AX86U Server #1)
    wireguard-server1: Initialisation complete.


    Forced Update

    Downloading scripts
    wg_manager.sh downloaded successfully Github 'dev/development' branch
    wg_client downloaded successfully Github 'dev/development' branch
    wg_server downloaded successfully Github 'dev/development' branch
    UDP_Updater.sh downloaded successfully Github 'dev/development' branch

+======================================================================+
|  Welcome to the WireGuard Manager/Installer script (Asuswrt-Merlin)  |
|                                                                      |
|                      Version v4.14bF by Martineau                    |
|                                                                      |
+======================================================================+
     WireGuard ACTIVE Peer Status: Clients 0, Servers 1

 

[JGrana]

Hmm:

E:Option ==> uf dev

        Router RT-AX88U Firmware (v386.4_0)

        [?] Entware Architecture arch=aarch64


        v4.14bE WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
        MD5=d2f977084ade4af7b7e46c4be313726d /jffs/addons/wireguard/wg_manager.sh

        [407947.606696] wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
        [407947.606706] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

        [?] WireGuard Module LOADED

        Checking for WireGuard Kernel and Userspace Tool updates...

        Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk' for RT-AX88U (v386.4_0) @ZebMcKayhan
Success!

        Downloading WireGuard User space Tool 'wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk' for RT-AX88U (v386.4_0) @ZebMcKayhan
Success!

Ok, it did update!

Also, after running site2site, it asks if I want to import it. Should I?

 

[Martineau]

Hmm:

E:Option ==> uf dev

        Router RT-AX88U Firmware (v386.4_0)

        [?] Entware Architecture arch=aarch64


        v4.14bE WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
        MD5=d2f977084ade4af7b7e46c4be313726d /jffs/addons/wireguard/wg_manager.sh

        [407947.606696] wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
        [407947.606706] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

        [?] WireGuard Module LOADED

        Checking for WireGuard Kernel and Userspace Tool updates...

        Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk' for RT-AX88U (v386.4_0) @ZebMcKayhan
Success!

        Downloading WireGuard User space Tool 'wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk' for RT-AX88U (v386.4_0) @ZebMcKayhan
Success!

Also, after running site2site, it asks if I want to import it. Should I?

Did you manage to downgrade to v4.13?...simply to ascertain if there is a general issue with the GItHub repository or a specific 'dev' branch issue.

The import is necessary to create the wireguard_manager 'wg2x' 'server' Peer interface from whatever name you decided to create for the local (and remote) site

e.g. 'Home' and 'Cabin'

rather than accept the default uninformative 'SiteA' and 'SiteB' names which could be accidently overwritten by mistake!

 

[JGrana]

Alright, looks good! Very easy to setup. Simply type:
E:Option: ==> site2site

Answer the question on SiteB's DDNS or public IP
Import SiteA - and all the files and wg confs are created well!

Site A (Home)

E:Option ==> peer

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet       Port   Annotate
wg22    Y     10.9.8.1/32  61820  # SiteA - 192.168.1.0/24


Device  Auto  IP           DNS  Allowed IPs                  Annotate
SiteB   X     10.9.8.2/32       10.9.8.1/32, 192.168.1.0/24  # SiteB Site-to-Site LAN 192.168.2.0/24

        WireGuard ACTIVE Peer Status: Clients 0, Servers 1

E:Option ==> list

        interface: wg22  Port:61820     10.9.8.1/32                     VPN Tunnel Network      # SiteA - 192.168.1.0/24
                peer: duuAoVBe6HLHAMHrOM/TBCEDRkfcwVMbM8UsyHXjpyU=      10.9.8.2/32             # SiteB Site-to-Site LAN 192.168.2.0/24
                 latest handshake: 1 minute, 15 seconds ago
                 transfer: 1.31 MiB received, 1.37 MiB sent             0 Days, 00:17:25 from 2022-01-23 16:50:51

        WireGuard ACTIVE Peer Status: Clients 0, Servers 1

SiteB (Cabin)

E:Option ==> peer

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet       Port   Annotate
wg21    Y     10.9.8.2/32  61821  # SiteB - 192.168.2.0/24



        WireGuard ACTIVE Peer Status: Clients 0, Servers 1

E:Option ==> list

        interface: wg21  Port:61821     10.9.8.2/32                     VPN Tunnel Network      # SiteB - 192.168.2.0/24
                peer: s/vfjJ0OxmVlLzpW3DI43Ydh1dEOxLhzWPznwVdjaTE=      10.9.8.1/32             # SiteA - 192.168.1.0/24
                 latest handshake: 30 seconds ago
                 transfer: 1.40 MiB received, 1.33 MiB sent             19015 days 22:09:30 from 1642975770

        WireGuard ACTIVE Peer Status: Clients 0, Servers 1

Tunnels are running great - I can access devices on both sides.

A few things -
#1 - even though both routers are hnd, I decided to use the Entware tools and module.
#2 In addition to copying the 4 files v4.14bF tells you to, I needed to also copy SiteA.conf over to SiteB.
wg_manager v4.14bF printed a few errors (can't find SiteA.conf) when I did the "list" command. Tunnel still worked fine.
#3 I had remote ssh enabled (for now ;-) for cabin. All the files needed to copy over are so small, I simply created each (using vi) and copy/pasted the information.

 

[Swistheater]

Wireguard fails to install

it just hangs here.

After it did finally moved along this was an error I had

ERR: bdmf_attrelem_add_as_num#4276: system: status:No resources. attribute:ipv4_host_address_table  index:0 value:171049217

another error was

Failed to send flush request: No such process

 

[Martineau]

Wireguard fails to install

ERR: bdmf_attrelem_add_as_num#4276: system: status:No resources. attribute:ipv4_host_address_table  index:0 value:171049217

another error was

Failed to send flush request: No such process

Only appears to have been previously experienced/reported by RT-AX88U owners?

Not sure if/when/how it got fixed, but whilst the WireGuard kernel module may have changed, there are several users successfully running WireGuard on RT-AX88U.

Perhaps a simple reboot will fix it?

Help replacing OpenVPN with Wireguard on Asus RT-AX88U

Hello I just realized that with OpenVPN I was getting limited speeds. I only had 160 mbps service until today I upgraded to 500 mbps. If I use my VPN I only get 200 mbps and if I disconnect I am getting 500 mbps. I am using Torguard as my VPN provided and wanted to install wireguard but wasn't...

www.snbforums.com

 

[Martineau]

Alright, looks good! Very easy to setup. Simply type:
E:Option: ==> site2site

Answer the question on SiteB's DDNS or public IP
Import SiteA - and all the files and wg confs are created well!

Site A (Home)

E:Option ==> peer

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet       Port   Annotate
wg22    Y     10.9.8.1/32  61820  # SiteA - 192.168.1.0/24


Device  Auto  IP           DNS  Allowed IPs                  Annotate
SiteB   X     10.9.8.2/32       10.9.8.1/32, 192.168.1.0/24  # SiteB Site-to-Site LAN 192.168.2.0/24

        WireGuard ACTIVE Peer Status: Clients 0, Servers 1

E:Option ==> list

        interface: wg22  Port:61820     10.9.8.1/32                     VPN Tunnel Network      # SiteA - 192.168.1.0/24
                peer: duuAoVBe6HLHAMHrOM/TBCEDRkfcwVMbM8UsyHXjpyU=      10.9.8.2/32             # SiteB Site-to-Site LAN 192.168.2.0/24
                 latest handshake: 1 minute, 15 seconds ago
                 transfer: 1.31 MiB received, 1.37 MiB sent             0 Days, 00:17:25 from 2022-01-23 16:50:51

        WireGuard ACTIVE Peer Status: Clients 0, Servers 1

SiteB (Cabin)

E:Option ==> peer

        Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Server  Auto  Subnet       Port   Annotate
wg21    Y     10.9.8.2/32  61821  # SiteB - 192.168.2.0/24



        WireGuard ACTIVE Peer Status: Clients 0, Servers 1

E:Option ==> list

        interface: wg21  Port:61821     10.9.8.2/32                     VPN Tunnel Network      # SiteB - 192.168.2.0/24
                peer: s/vfjJ0OxmVlLzpW3DI43Ydh1dEOxLhzWPznwVdjaTE=      10.9.8.1/32             # SiteA - 192.168.1.0/24
                 latest handshake: 30 seconds ago
                 transfer: 1.40 MiB received, 1.33 MiB sent             19015 days 22:09:30 from 1642975770

        WireGuard ACTIVE Peer Status: Clients 0, Servers 1

Tunnels are running great - I can access devices on both sides.

A few things -

Many thanks for the feedback.

(Still think I should force the user to explicitly supply two custom name arguments to the site2site command request )

#1 - even though both routers are hnd, I decided to use the Entware tools and module.

I think they are probably exactly the same versions as now included in the firmware?

#2 In addition to copying the 4 files v4.14bF tells you to, I needed to also copy SiteA.conf over to SiteB.
wg_manager v4.14bF printed a few errors (can't find SiteA.conf) when I did the "list" command. Tunnel still worked fine.

??? it may be cosmetic if it is missing physically at location SiteB, but 'SiteA.conf' is renamed as part of the import process to 'wg21.conf' anyway?

#3 All the files needed to copy over are so small, I simply created each (using vi) and copy/pasted the information.

TIP: If you are an experienced vi user then that's fine, but Asuswrt-Merlin has a built in editor called nano, IMHO far superior to the esoteric vi or if you use Win, then WinSCP's internal editor is even better, or you can replace WinSCP's internal editor with the truly excellent notepad++


If you decide to create a Road Warrior device, for the time being, it MUST be created on SiteA (otherwise if performed on SiteB, for each mobile device it will probably create a conflicting duplicate tunnel IP address to be assigned to the device.)

e.g. Create a mobile device that can connect primarily to 'SiteA', but the optional site=SiteB directive should (in theory) also include/allow a direct connection to the 'SiteB' Endpoint (needs testing! )

e  = Exit Script [?]

E:Option ==> create iPhone site=SiteB

NOTE: Having two concurrent Site-to-Site Endpoints defined in a single Road Warrior profile may not be desired? - the alternative would be to have/enforce two separate profiles on the Road Warrior device, each with its single discrete Endpoint to either 'SiteA' or 'SiteB'.

Also a small bug .....(fixed in v4.15b) if you don't specify the DNS, the Road Warrior device DNS will be assigned as '1.1.1.1' rather than include the tunnel 'server' Peer address as the first DNS e.g. '10.9.8.1, 1.1.1.1' or even '10.9.8.1,10.9.8.2,1.1.1.1' (needs testing! )

 

[amplatfus]

Only appears to have been previously experienced/reported by RT-AX88U owners?

Not sure if/when/how it got fixed, but whilst the WireGuard kernel module may have changed, there are several users successfully running WireGuard on RT-AX88U.

Perhaps a simple reboot will fix it?

Help replacing OpenVPN with Wireguard on Asus RT-AX88U

Hello I just realized that with OpenVPN I was getting limited speeds. I only had 160 mbps service until today I upgraded to 500 mbps. If I use my VPN I only get 200 mbps and if I disconnect I am getting 500 mbps. I am using Torguard as my VPN provided and wanted to install wireguard but wasn't...

www.snbforums.com

Hi,

Thank you @Martineau, all developers and snbforums.com for hosting us
Tested on AX88U with default config for 1 server and works fine. Tested with 2 phones. All fine.
Good luck!

 

[Jeffrey Young]

TIP: If you are an experienced vi user then that's fine, but Asuswrt-Merlin has a built in editor called nano, IMHO far superior to the esoteric vi or if you use Win, then WinSCP's internal editor is even better, or you can replace WinSCP's internal editor with the truly excellent notepad++

Amen Brother! Seldom do I ever use nano any more - Notepad++ all the way.

@Martineau , love your script. Glad you kept with it. I don't use it personally (moved my site to site server to a separate Linux box prior to your script development due to Entware slaughtering the startup scripts on each update).

Just one inquiry, during your site to site setup, can you, or rather does the Asus/Enware implementation of wireguard, allow for search domains to be added to the tunnel? I know it's a mute point on a site to site, but am curious at a general level.

 

[JGrana]

Many thanks for the feedback.

(Still think I should force the user to explicitly supply two custom name arguments to the site2site command request )

I had no issues with SiteA and SiteB. It would be nice though to be able to actually name them on the location. In my case, Home and Cabin.

I think they are probably exactly the same versions as now included in the firmware?

On my AX88U running 386.4, the Asus supplied version is:
6wireguard: WireGuard 1.0.20210124

The one supplied in Entware:
6wireguard: WireGuard 1.0.20211208

So, a little newer.

??? it may be cosmetic if it is missing physically at location SiteB, but 'SiteA.conf' is renamed as part of the import process to 'wg21.conf' anyway?

Here are the errors output on SiteB when doing a wg_manager list (without the SiteA.conf file present):

E:Option ==> list

        interface: wg21  Port:61821     10.9.8.2/32                     VPN Tunnel Network      # SiteB - 192.168.2.0/24
grep: /opt/etc/wireguard.d/SiteA.conf: No such file or directory
awk: /opt/etc/wireguard.d/SiteA.conf: No such file or directory
                peer: s/vfjJ0OxmVlLzpW3DI43Ydh1dEOxLhzWPznwVdjaTE=                      #
                 latest handshake: 28 seconds ago
                 transfer: 34.98 MiB received, 64.39 MiB sent           0 Days, 00:00:00 from >>>>>>

        WireGuard ACTIVE Peer Status: Clients 0, Servers 1

TIP: If you are an experienced vi user then that's fine, but Asuswrt-Merlin has a built in editor called nano, IMHO far superior to the esoteric vi or if you use Win, then WinSC [/QUOTE] [QUOTE="Martineau, post: 739681, member: 13215"] P's internal editor is even better, or you can replace WinSCP's internal editor with the truly excellent notepad++

Sorry, old hacker habits don't die easily. I've used vi for 90% of my former professional career (the other 10% was ed and ex - don't ask ;-)

I forgot all about WinSCP as a good method to transfer the files to SiteB! But, since they are so small, most any method is ok!

If you decide to create a Road Warrior device, for the time being, it MUST be created on SiteA (otherwise if performed on SiteB, for each mobile device it will probably create a conflicting duplicate tunnel IP address to be assigned to the device.)

e.g. Create a mobile device that can connect primarily to 'SiteA', but the optional site=SiteB directive should (in theory) also include/allow a direct connection to the 'SiteB' Endpoint (needs testing! )

e  = Exit Script [?]

E:Option ==> create iPhone site=SiteB

NOTE: Having two concurrent Site-to-Site Endpoints defined in a single Road Warrior profile may not be desired? - the alternative would be to have/enforce two separate profiles on the Road Warrior device, each with its single discrete Endpoint to either 'SiteA' or 'SiteB'.

For now, I am just going to add a road warrior to SiteA. At some point, I can test out the alternate. Good idea though.

Also a small bug .....(fixed in v4.15b) if you don't specify the DNS, the Road Warrior device DNS will be assigned as '1.1.1.1' rather than include the tunnel 'server' Peer address as the first DNS e.g. '10.9.8.1, 1.1.1.1' or even '10.9.8.1,10.9.8.2,1.1.1.1' (needs testing! )

Hmm, I'm using a nice addon called Unbound at both sites ;-) (thanks again, again)
So, are you saying I should make the DNS for the Road Warrior as the tunnel address? That way, it also uses unbound?

Thanks again, working well!

 

[Martineau]

I had no issues with SiteA and SiteB. It would be nice though to be able to actually name them on the location. In my case, Home and Cabin.

So invoke the command with the desired two names

e.g.

e  = Exit Script [?]

E:Option ==> site2site Home Cabin

On my AX88U running 386.4, the Asus supplied version is:
6wireguard: WireGuard 1.0.20210124

The one supplied in Entware:
6wireguard: WireGuard 1.0.20211208

So, a little newer.

Of course , abject apologies to @ZebMcKayhan who graciously compiled the updated Kernel module for your RT-AX88U.

Here are the errors output on SiteB when doing a wg_manager list (without the SiteA.conf file present):

E:Option ==> list

        interface: wg21  Port:61821     10.9.8.2/32                     VPN Tunnel Network      # SiteB - 192.168.2.0/24
grep: /opt/etc/wireguard.d/SiteA.conf: No such file or directory
awk: /opt/etc/wireguard.d/SiteA.conf: No such file or directory
                peer: s/vfjJ0OxmVlLzpW3DI43Ydh1dEOxLhzWPznwVdjaTE=                      # 
                 latest handshake: 28 seconds ago
                 transfer: 34.98 MiB received, 64.39 MiB sent           0 Days, 00:00:00 from >>>>>>

        WireGuard ACTIVE Peer Status: Clients 0, Servers 1

Cosmetic indeed as it fails trying to annotate the Peer(s) that are bound to 'wg21'

        interface: wg21  Port:61821     10.9.8.2/32                     VPN Tunnel Network      # SiteB - 192.168.2.0/24
                peer: s/vfjJ0OxmVlLzpW3DI43Ydh1dEOxLhzWPznwVdjaTE=      10.9.8.1/32             # SiteA - 192.168.1.0/24

 

[Martineau]

Just one inquiry, during your site to site setup, can you, or rather does the Asus/Enware implementation of wireguard, allow for search domains to be added to the tunnel? I know it's a mute point on a site to site, but am curious at a general level.

Unlike the OpenVPN Endpoint, there is no mechanism (that I have found) that allows the WireGuard Endpoint to interrogate/pass-on/react to any form of environment configuration/feature ....dhcp-option or otherwise.

In fact, you can't guarantee/deduce that the WireGuard Endpoint is even capable of responding to DNS requests locally - particularly relevant to Mullvad Endpoints etc.