Wireguard Session Manager - Discussion (2nd) thread


I've pushed a HOTFIX (wg_server script)


Can you please test?

Upgrade using
Code:
e  = Exit Script [?]

E:Option ==> uf dev
then you should specify MTU = 1400 in .conf then restart the 'server' Peer

NOTE: I think you could also specify the PostUP = ip link %i set mtu 1400 directive in the .conf as per wg-quick
Thanks for the fix! With @ZebMcKayhan's hint about the required hashtags and one edit to wg_server I was able to make the "#MTU = 1400" directive work:

MTU=$(awk '/^#MTU/ {print $3}' ${CONFIG_DIR}${VPN_ID}.conf) # v4.15.5

The current dev code is missing the hashtag in the above line and thus doesn't read the value.
 
Unlike wg-quick, wireguard_manager is, with hindsight, probably poorly designed with the decision to import .conf(s) into an SQL database, requiring the confusing commenting-out of certain .conf directives that are not handled correctly by the WireGuard UserSpace Tools wg binary.

So if wg-quick meets your needs then you should ditch wireguard_manager

I don't think a wireguard_manager redesign rewrite is on the cards, given you are actually the first (and only?) to apparently need to customise the 'server' Peer MTU.

I snatched a hurried 15 min opportunity to try and address the two reported issues reported early this morning (so one out of two ain't bad) but I will correct the following (given the workarounds) at my leisure
Code:
MTU=$(awk '/^MTU/ {print $3}' ${CONFIG_DIR}${VPN_ID}.conf)  # v4.15.5
to ensure that either ^MTU = 1400 or ^#MTU = 1400 is acceptable and also review the Pre/Post .conf directives processing.

Mea Culpa :oops:, but thanks for the feedback.
 
I totally understand. I already tried going the Entware wg-quick way but was unable to make it run stably on my RT-AC86U. I keep getting freezes/disconnects and errors such as

Code:
BLOG ERROR blog_request :blog_key corruption when adding flow net_p=ffffffc00a062a60  dir=1 old_key=0x20002f3b new_key=0x20002f3c
BLOG ERROR blog_request :blog_key corruption when deleting flowfor net_p=ffffffc00a062a60

in syslog with it. This doesn't happen with wgm. My solution was to move the wireguard endpoint to an Ubuntu server inside the LAN but would prefer to have it on the router. Is the wg-quick2 script (referenced in the wgm-generated conf file) available somewhere? The only mention I could find was in one of the posts in this thread.

Thanks for all your help!
 
Quick update.

Added option -E that shows everything, useful for debugging.
Also added -install (creates the symlink) and -remove (removes symlink and script)

Code:
admin@RT-AC86U-D7D8:/tmp/home/root# wgmExpo --help
   wgmExpo Version 0.4 by ZebMcKayhan

   Execute menu command in Wireguard Session Manager

   Usage:
      wgmExpo <Option> "command 1" "command 2" "command n"

   Options:
      -h       - Help
      -v       - Version
      -s       - Silent mode, no output
      -c       - Monocrome output (no ASCII escape characters)
      -t       - Display Wireguard ACTIVE Peer Status: each command
      -e       - Expose all display output (no filtering)
      -remove  - Remove wgmExpo

   Example:
      wgmExpo "peer wg11 comment Italy"
      wgmExpo -c "peer wg11 dns=9.9.9.9" "restart wg11"
      wgmExpo -ct "livin wg11 192.168.10.53"

To install:
Code:
curl --retry 3 "https://raw.githubusercontent.com/ZebMcKayhan/WireguardManager/main/wgmExpo.sh" -o "/jffs/addons/wireguard/wgmExpo.sh" && chmod 755 "/jffs/addons/wireguard/wgmExpo.sh" && /jffs/addons/wireguard/wgmExpo.sh -install

To remove, just execute:
Code:
wgmExpo -remove

I will shortly remove wgmExpo (without .sh) from my github.

@Martineau I would still appreciate if wgm installs this along side but you decide.

//Zeb
 
I just realized that whenever a client starts, there is a "duplicate;skipped!" message. Whenever I run "peer", these are the only two peers configured. I tried removing and importing again, and deleting and adding back the peer rule, and yet I get the same message whenever I start the clients. I traced the messages: they started after I updated to 4.15b5. The clients are working with no issue.

Code:
Feb  6 19:22:43 RT-AC86U-DBA8 (wg_manager.sh): 9058 v4.15b5 Initialising Wireguard VPN 'client' Peer (wg12)
Feb  6 19:22:43 RT-AC86U-DBA8 wireguard-clientwg12: Initialising Wireguard VPN client Peer (wg12) in Policy Mode to xxx.nordvpn.com 'client' (wg12))
Feb  6 19:22:43 RT-AC86U-DBA8 wireguard-clientwg12: ..........duplicate; skipped!
Feb  6 19:22:44 RT-AC86U-DBA8 wireguard-clientwg12: Executing Event:wg12-route-up.sh
...snipped...
Feb  6 19:22:44 RT-AC86U-DBA8 (wg_manager.sh): 9058 v4.15b5 Initialising Wireguard VPN 'client' Peer (wg11)
Feb  6 19:22:44 RT-AC86U-DBA8 wireguard-clientwg11: Initialising Wireguard VPN client Peer (wg11) in Policy Mode to yyy.nordvpn.com 'client' (wg11))
Feb  6 19:22:44 RT-AC86U-DBA8 wireguard-clientwg11: ..........duplicate; skipped!
Feb  6 19:22:44 RT-AC86U-DBA8 wireguard-clientwg11: Executing Event:wg11-route-up.sh

Update: I tried "downgrading" to v4.14 and the "duplicate;skipped!" message is gone.
 
On a suggestion by @ZebMcKayhan, wireguard_manager should attempt to eliminate creating duplicate RPDB/iptables rules .....not duplicate WireGuard interfaces...that could occur as a consequence of wireguard_manager now supporting (as per wg-quick) Pre*/Post* directives in .conf files
e.g. 'server' Peer test case
Code:
Feb 13 10:40:17 RT-AX86U wireguard-server2: Initialising Wireguard VPN 'Server' Peer (wg22) on 192.168.0.1:61820
Feb 13 10:40:18 RT-AX86U wireguard-wg22: Executing PostUp: 'iptables -I INPUT -p udp --dport 61820 -j ACCEPT'
Feb 13 10:40:18 RT-AX86U wireguard-wg22: ..........duplicate; skipped!
Feb 13 10:40:18 RT-AX86U wireguard-wg22: Executing PostUp: 'iptables -I INPUT -i wg22 -j ACCEPT'
Feb 13 10:40:18 RT-AX86U wireguard-wg22: ..........duplicate; skipped!
Feb 13 10:40:18 RT-AX86U wireguard-wg22: Executing PostUp: 'iptables -I FORWARD -i wg22 -j ACCEPT'
Feb 13 10:40:18 RT-AX86U wireguard-server2: Initialisation complete.
....but it appears that the spurious 'duplicate;skipped' message is erroneously issued even if there is no preceding Pre*/Post* command executed.
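As an added example (not wireguard_manager's own code, and not posted by anyone in this thread), here is a POSIX sh sketch of running a .conf's Pre*/Post* directives in a way that avoids both problems discussed above: an "iptables -I"/"-A" rule is first probed with "iptables -C" and only inserted when it is absent, so a restart cannot stack copies of the same rule, and "duplicate; skipped!" is reported only when the identical directive has already been executed during this invocation, never on its first execution. The RUN_CMD executor hook, the "seen" state file and the sample .conf are assumptions; the demo at the bottom swaps in an echo stub so the script runs unprivileged and without an iptables binary.

```shell
#!/bin/sh
# Added example, not wireguard_manager's code. Runs wg-quick style Pre*/Post*
# directives (%i = interface name) idempotently:
#  - iptables -I/-A rules become "check with -C, insert only if missing";
#  - a directive already executed in this invocation prints
#    "duplicate; skipped!" instead of running again.
# RUN_CMD is a hypothetical executor hook (default: a real shell).

RUN_CMD=${RUN_CMD:-"sh -c"}
SEEN_FILE=""

seen_init() { SEEN_FILE=$(mktemp); }   # one record per executed directive

# Rewrite "iptables -I/-A CHAIN [rulenum] RULE" into "check, else insert".
# Anything that is not an iptables insert/append is returned unchanged.
idempotent_cmd() {
    case "$1" in
        iptables\ -[IA]\ *|ip6tables\ -[IA]\ *)
            bin=${1%% *}
            rest=${1#* -[IA] }              # "CHAIN [rulenum] RULE..."
            chain=${rest%% *}
            spec=${rest#* }
            [ "$spec" = "$rest" ] && spec=""
            num=${spec%% *}                 # -C takes no rulenum: drop it
            case "$num" in
                ''|*[!0-9]*) ;;
                *) [ "$spec" = "$num" ] && spec="" || spec=${spec#* } ;;
            esac
            echo "$bin -C $chain $spec 2>/dev/null || $1"
            ;;
        *) echo "$1" ;;
    esac
}

run_directive() {
    # $1 = interface, $2 = directive name, $3 = command (%i already expanded)
    key="$1|$2|$3"
    if grep -Fqx -- "$key" "$SEEN_FILE"; then
        echo "wireguard-$1: ..........duplicate; skipped!"
        return 0
    fi
    echo "$key" >> "$SEEN_FILE"
    echo "wireguard-$1: Executing $2: '$3'"
    $RUN_CMD "$(idempotent_cmd "$3")"
}

run_hooks() {
    # $1 = interface, $2 = .conf path, $3 = PreUp|PostUp|PreDown|PostDown
    # The directive may be commented out ("#PostUp = ...") as wgm requires.
    awk -v d="$3" '$0 ~ "^[ \t]*#?[ \t]*" d "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, ""); print }' "$2" |
    while IFS= read -r line; do
        run_directive "$1" "$3" "$(printf '%s' "$line" | sed "s/%i/$1/g")"
    done
}

# --- demo with a constructed .conf (not from the page) -------------------
demo=$(mktemp -d)
cat > "$demo/wg22.conf" <<'EOF'
[Interface]
Address = 10.50.1.1/24
ListenPort = 61820
#PostUp = iptables -I INPUT -p udp --dport 61820 -j ACCEPT
#PostUp = iptables -I INPUT -i %i -j ACCEPT
#PostUp = iptables -I FORWARD -i %i -j ACCEPT
#PostUp = ip link set mtu 1400 dev %i
EOF

RUN_CMD="echo +"                 # dry-run executor: print instead of execute
seen_init
run_hooks wg22 "$demo/wg22.conf" PostUp   # four "Executing PostUp" lines
run_hooks wg22 "$demo/wg22.conf" PostUp   # same directives again: four "duplicate; skipped!"
```

The "seen" file only protects against re-execution within one run; the "-C" guard is what keeps a later restart from inserting a second copy of a rule that survived the previous tunnel teardown.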
 
As one that has used both wg_manager and wg-quick and has a fairly simple wg site2site, I still much prefer wg_manager.
My reasons -
1) Setting up the various firewall and iptables rules without wg_manager is too much work.
2) If you have an AX86U, remembering to disable flow cache (and re-enable after bringing the tunnel down) requires you to "remember" - else, the dreaded _blog_emit fills syslog.
3) Having the tunnel automatically come up after reboot/powerup is great. Writing a script that safely does this (and where to put it!!!) is cumbersome and prone to errors.
4) @ZebMcKayhan's extensive documentation covering how to use wireguard and wg_manager

Don't get me wrong, wg-quick is simple. A little too simple (the author of it admits it ;-)

At a minimum, at least having wg_manager create the .conf files and using wg-quick to bring the tunnel up and down is at least ok.
Having wg_manager create and manage the starting/stopping/restarting and auto-starting tunnels is (IMHO) the real value over wg-quick.

(and a rumor there might be a WebUI?)
 
I've uploaded wireguard_manager Beta v4.15b7 which will install/include your wgmExpo.sh script by default.

You may also manually manage the addon using
Code:
e  = Exit Script [?]

E:Option ==> addon wgmExpo.sh

    wgmExpo.sh downloaded successfully
Code:
e  = Exit Script [?]

E:Option ==> addon wgmExpo.sh del

    Addon 'wgmExpo.sh' removed
Code:
e  = Exit Script [?]

E:Option ==> addon wgmExpo.sh dev

    'https://raw.githubusercontent.com/ZebMcKayhan/WireguardManager/dev/wgmExpo.sh' download FAILED with curl error 404

Upgrade using
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 
Thank you!

However it did not install it by uf dev alone, but:
Code:
E:Option ==> addon wgmExpo.sh

        wgmExpo.sh downloaded successfully
Did the trick!

Also, don't know if this is a printf/concatenate issue, missing a /?
Code:
ireguardManager/devwgmExpo.sh

//Zeb

Edit: just occurred to me that the uf dev is actually running on the old version...

Nope, ran uf dev again. But maybe this was your intention.

Edit2: The more I think about it, it makes sense if you have removed wgmExpo that wgm does not re-apply wgmExpo each update.
 
:oops:
 
With v4.15b7 getting an awk error on a restart:
Code:
E:Option ==> restart

        Requesting WireGuard VPN Peer restart (wg22)

        Restarting Wireguard 'server' Peer (wg22)
        wireguard-server2: Wireguard VPN 'Server' Peer (wg22) on 67.253.144.1:61820 (# Home - 192.168.1.0/24) Terminated

        wireguard-server2: Initialising Wireguard VPN 'Server' Peer (wg22) on 67.253.144.1:61820 (# Home - 192.168.1.0/24)

awk: cmd. line:1: Unexpected end of string
        wireguard-server2: Initialisation complete.


        WireGuard ACTIVE Peer Status: Clients 0, Servers 1

Here is a snippet from running debug:

Code:
+ SayT v4.15b7 Initialising Wireguard VPN 'server' Peer (wg22)
+ echo -e 3166 v4.15b7 Initialising Wireguard VPN 'server' Peer (wg22)
+ basename /opt/bin/wg_manager
+ logger -t (wg_manager)
+ ifconfig
+ grep -E ^wg22
+ [ -n  ]
+ [ -f /opt/etc/wireguard.d/wg22.conf ]
+ [ server == server ]
+ date +%s
+ local TS=1644783219
+ chmod +x /jffs/addons/wireguard/wg_server
+ /jffs/addons/wireguard/wg_server wg22
        wireguard-server2: Initialising Wireguard VPN 'Server' Peer (wg22) on 67.253.144.1:61820 (# Home - 192.168.1.0/24)

awk: cmd. line:1: Unexpected end of string
        wireguard-server2: Initialisation complete.

+ awk /^PublicKey/ {print $3} /opt/etc/wireguard.d/wg22.conf
+ tr \n
+ local DEVICE_PUB_KEYS=zw5ORqvUj5fMQAuGsT/OKsWdrbRwoVGuru9X8B1+IAQ= uNDsT/5H7kA0kgl5IqH1grZZHi39eR1kbuMztCCtoCY= jMMrR4NAtrpnyOW0XwwV0ySi6aY8767myNTC/cPLLG8=
+ date +%s
+ local TIMESTAMP=1644783219
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db SELECT name FROM devices WHERE pubkey='zw5ORqvUj5fMQAuGsT/OKsWdrbRwoVGuru9X8B1+IAQ=';
+ DEVICE=Cabin
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db INSERT into session values('Cabin','Start','1644783219');
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db UPDATE devices SET conntrack='1644783219' WHERE name='Cabin';
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db SELECT name FROM devices WHERE pubkey='uNDsT/5H7kA0kgl5IqH1grZZHi39eR1kbuMztCCtoCY=';
+ DEVICE=iphone13

Tunnels are up and running fine though.
 
:oops: - thanks

Hotfix
 
BTW, In doing some web searching about Wireguard, I came across this quote (or parts of it) a few times.
I'm not knocking OpenVPN, but the more I use Wireguard, the more I like the speed and simplicity.

I'm not the only one ;-)

Linus Torvalds himself declared "Can I just once again state my love for it."

Torvalds loved WireGuard because, "Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art."
 
We're almost there ;). I think the line is now missing the "print" part which picks up the actual value

Code:
    MTU=$(awk '/^#?MTU/ {print $3}' ${CONFIG_DIR}${VPN_ID}.conf)            # v4.15.6
:eek::eek::oops::oops::rolleyes::rolleyes:
Remind me never to attempt scripting using a phone screen/consuming alcohol!
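As an added example (not wireguard_manager's code, and not posted by anyone in this thread), the following POSIX sh function reads the MTU directive the way the corrected awk line is meant to: it accepts both "MTU = 1400" and "#MTU = 1400", as requested in the earlier post about the v4.15.5 hotfix, and goes a step beyond the one-line fix by also handling the no-space form "MTU=1400" (which "{print $3}" cannot see), trailing "# comments", CRLF line endings and non-numeric values, falling back to a default instead of handing garbage to "ip link". The default of 1420 and the sample configs are assumptions.

```shell
#!/bin/sh
# Added example, not wireguard_manager's code: read the optional MTU
# directive from a WireGuard .conf, commented out or not, with or without
# spaces around '='. Non-numeric or missing values fall back to a default
# (assumption: 1420, WireGuard's usual default).

get_mtu() {
    conf="$1"
    default="${2:-1420}"
    [ -r "$conf" ] || { echo "$default"; return 0; }
    mtu=$(awk -F'=' '
        /^[ \t]*#?[ \t]*MTU[ \t]*=/ {
            v = $2
            sub(/#.*/, "", v)             # drop a trailing "# comment"
            gsub(/[ \t\r]/, "", v)        # strip spaces, tabs and CR
            print v
            exit                          # first match wins
        }' "$conf" 2>/dev/null || true)
    case "$mtu" in
        ''|*[!0-9]*) echo "$default" ;;   # absent, empty, or not a number
        *) echo "$mtu" ;;
    esac
}

# --- demo with constructed sample configs (not from the page) ------------
d=$(mktemp -d)
printf '[Interface]\nAddress = 10.50.1.1/24\nListenPort = 61820\n#MTU = 1400\n' > "$d/wg22.conf"
printf '[Interface]\nAddress = 10.50.2.1/24\nMTU=1380 # PPPoE uplink\r\n'      > "$d/wg23.conf"
printf '[Interface]\nAddress = 10.50.3.1/24\n'                                   > "$d/wg24.conf"
printf '[Interface]\nMTU = jumbo\n'                                              > "$d/wg25.conf"

for id in wg22 wg23 wg24 wg25; do
    echo "$id: MTU $(get_mtu "$d/$id.conf")"
done
# wg22: MTU 1400, wg23: MTU 1380, wg24: MTU 1420 (default), wg25: MTU 1420 (rejected)
```

Splitting on "=" rather than on whitespace is what makes the spacing irrelevant; the numeric check is there because a value such as "jumbo" would otherwise reach "ip link set mtu" and fail the whole PostUp step.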
 
Just curious, how would you do it if you knew then what you know now?

I would probably import all info in sql and ditch the old conf file, then auto-generate new conf files, perhaps in ram (/tmp), and send to wg upon peer start. This way all information needed is kept in a single place.
 
For wg-quick, the '.conf' is the true repository of the WireGuard interface configuration, so arguably I should have adhered to this and simply published wg-quick2 i.e. my tweaked ASUS compatible version of wg-quick.

Subsequently, the use of SQL perhaps should have remained solely as an addon for the purpose of recording interface activity/throughput statistics?
(That reminds me to think about implementing future SQL database house-keeping requirements :rolleyes:)

So is it really imperative that you can annotate and therefore match active connections; or conveniently be able to simply request all interfaces tagged say as "USA" etc. by using the appropriate SQL query?

Anyway, as you said, perhaps I should make up my mind (for consistency and eliminate unnecessary confusion) to use one or the other.......either ALL SQL (together with the existing export feature) or (to retain cross-platform compatibility) ALL .conf and use transient discrete '/tmp' files ;)
 
I would say: no, not imperative (but that's me, and my very simple setup).
Thinking that the author would be more in control if it auto-generated the conf for wg and kept track of which part of the peer config goes to wg, ip route, ip rule, iptables and so on.
import/export would handle inter-compatibility.
Unexpected directives would either not be imported, or imported but not used until the author implemented it.

Wonder what reason ASUS chose to let the user fill in each field manually. Guess it is also about control. Only let the user fill in what we have implemented, to lower the risk of some directive sneaking in that they didn't consider.
 
It's been a while since I checked the traffic metrics on my wgm fork github (the one with the wgm tutorial):
[Screenshot: GitHub traffic metrics, Screenshot_20220220-181600_Samsung Internet.jpg]

137 unique visitors in the last 2 weeks. That is way more than I'd ever thought!

Really makes me wonder how many are actually using wgm?? Could be more than we think?

//Zeb
 
