Wireguard Session Manager - Discussion (3rd) thread

[JGrana]

It wasn't implemented by me, it was done by either Broadcom or Asus.

I'm sure your version would have been much cleaner ;-)

 

[p1r473]

I thought you would have better speeds with this router, atleast 400-600Mb/s. You're not running the speed-test on the router, right?

Sorry, no good solution to this one. Wireguard is not compatible with our router hw-accelleration, so it needs to be disabled one way or the other.
1. Convince @RMerlin to add the 0x01/0x7 fwmark to disable hw-accelleration on newer ax model firmwares, just as AC86U and AX88U has (only when TrendMicro is not used?).
2. Run wireguard on rpi instead.
3. Use openVPN instead

So today my AXE11000 has returned to poor speeds, even with flow cache disabled.
It was working well up until today

Disconnecting from Wireguard tunnel fixes this, so I think its related to flow cache.

I have tried disabling and also enabling flow control (through fc disable/enable and also commenting/uncommenting DISABLE_FLOW_CACHE, and rebooting between each step) and currently, both settings are causing poor speeds. The only fix right now for me is to disconnect from the Wireguard tunnel.

 

[ZebMcKayhan]

It was working well up until today

Did you upgrade firmware or anything that could have caused this? Do you see a ton of blog mcast error in the log when speed is low and fc disabled?

 

[p1r473]

Did you upgrade firmware or anything that could have caused this? Do you see a ton of blog mcast error in the log when speed is low and fc disabled?

Nope, did not upgrade firmware nor many any significant changes. Went to bed with it working and woke up to it not working and been battling it all day. It was working great.
I do not see anything about blog or mcast errors
heres the last 5 minutes of logs after I connected to the VPN

https://pastebin.com/raw/M3r2VpJb

Side question, where do the logs live on the disk?

 

[ZebMcKayhan]

Nope, did not upgrade firmware nor many any significant changes. Went to bed with it working and woke up to it not working and been battling it all day. It was working great.
I do not see anything about blog or mcast errors
heres the last 5 minutes of logs after I connected to the VPN

https://pastebin.com/raw/M3r2VpJb

Side question, where do the logs live on the disk?

Hmm, doesnt appear that Asus has any special treatment for this router:
https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/wireguard.c

however, maybee for some reason something is resetting the flow cache on your system. Check flow cache status by executing at the prompt (not in wgm):

fc status

and to turn it off manually

fc disable

test to turn it off manually and see if it makes a difference and if your speed drops again check the syslog if anything got restarted.

Also check your processor usage, is it constantly at 100% check with top and see if something is hogging your resources.

Disconnect all clients to make sure there is nothing saturating your line (virus, malware or just some persistent app)

 

[p1r473]

Hmm, doesnt appear that Asus has any special treatment for this router:
https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/wireguard.c

however, maybee for some reason something is resetting the flow cache on your system. Check flow cache status by executing at the prompt (not in wgm):

fc status

and to turn it off manually

fc disable

test to turn it off manually and see if it makes a difference and if your speed drops again check the syslog if anything got restarted.

Also check your processor usage, is it constantly at 100% check with top and see if something is hogging your resources.

Disconnect all clients to make sure there is nothing saturating your line (virus, malware or just some persistent app)

fc status
        Flow Timer Interval = 10000 millisecs
        Pkt-HW Activate Deferral rate = 1
        Pkt-HW Idle Deactivate = 0
        Pkt-SW Activate Deferral count = 0
        Flow Low Pkt Rate = 10
        Acceleration Mode: <L2 & L3>
        MCast Learning <Disabled>
        MCast Acceleration IPv4<Enabled> IPv6<Enabled>
        IPv6 Learning <Enabled>
        GRE Learning <Enabled>
        4o6 Fragmentation <Enabled>
        TCP Ack Prioritization <Enabled>
        HW Acceleration <Enabled>
        Notify Processing Mode <Hybrid>
        OVS Flow Learning <Disabled>
        Flow Learning Disabled : Max<16383>, Active<11>, Cummulative [ 383 - 372 ]

fc disable
Broadcom Packet Flow Cache learning via BLOG disabled.

top looks fine:

Logs still dont have any mcast blob spam:

https://pastebin.com/raw/ekreF5PX

CPU looks fine:

The only client is the router itself

I do not have any viruses and nothing is saturating the line

So fc is disabled, but speeds still suck

Edit: I am currently investigating whether its an issue with the Mullvad servers in my city Toronto, as it seems to happen also on the Android and Windows app- but only in Toronto. Seems like other cities like Montreal are working faster in Windows and Android. However Ive been battling this for about 12 hours today so will try it again tomorrow.

 

[p1r473]

Made a lot of progress with V2 of the randomzier script

/jffs/scripts/firewall-start:
cru a cycleVPN "0 1 * * * /bin/bash /opt/etc/wireguard.d/randomize.sh start [policy]"
/bin/bash /opt/etc/wireguard.d/randomize.sh start [policy]

To run it manually:
/opt/etc/wireguard.d/randomize.sh start [policy]

Usage: randomize.sh start [policy] | stop | restart [policy] | status

/opt/etc/wireguard.d/randomize.sh:

#!/bin/bash

# -e option instructs bash to immediately exit if any command [1] has a non-zero exit status
# we don't want to continue execution of the script if something is broken. This may potentially
# complicate IP routing table entries which may require manual intervention to fix thereafter.
set -e

# Declare global variables here
# Modify the variables in this section in conformity with the naming convention of your Mullvad
# configuration files in /etc/wireguard
mullvadVpnInterfaceRegex="wg.*"
wireguardConfigurationDirectory="/opt/etc/wireguard.d/"
connectedWireguardConfiguration=""

# A method to retrieve the current connected Mullvad interface.
checkMullvadConnectivity() {
    # Check if Mullvad VPN is already connected.
    connectedWireguardConfiguration=$(wg| grep wg | grep -v wg21 | cut -c 12-16)
    # Return an arbitrary integer value | This value is not checked right now
    return 0
}

case $1 in
    stop)
        STOP="true"
    ;;
    status)
        curl -sS https://am.i.mullvad.net/connected
        exit
    ;;
    checkIP)
        # This shell script is used to keep a track of which server the VPN is current connected to 
        # in a format that is easily readable. Let's face it,  mullvad-lv1 isn\'t very descriptive.
        # This script on its own is a little useless but particularly useful when queried from an 
        # external system.

        # A good use case to use this script with is in the shortcuts iOS application or with IFTTT to query the 
        # client that runs the VPN to check which server it is connected to. My previous implementation 
        # was to keep this logic on the shortcuts application but realised that executing all curl commands
        # may take sometime and I did not always have the patience to wait for a response.

        # Retrieve the current status of the VPN client. The general output of this is
        # You are connected to Mullvad (server us107-wireguard). Your IP address is 86.106.121.248
        # We strip out the sections we don't require and use the rest.
        connectedStatus=$(curl --silent https://am.i.mullvad.net/connected)
        if [[ "$connectedStatus" == *"("* ]]; then
            status=$(echo $connectedStatus | cut -d "(" -f 1 | sed 's/ *$//g')
            ip=$(echo $connectedStatus | cut -d "." -f 2-5 | sed 's/ *$//g')

            # This returns a country name.
            country=$(curl --silent https://am.i.mullvad.net/country | sed 's/ *$//g')

            # This returns a city name
            city=$(curl --silent https://am.i.mullvad.net/city | sed 's/ *$//g')

            echo "$status server in $city, $country.$ip" #1> /tmp/.checkip
        else
            echo "$(echo $connectedStatus | cut -d "." -f 1 | sed 's/ *$//g')." #1> /tmp/.checkip
        fi
        exit
    ;;

    start)
        STOP="false"
    ;;
    restart)
        STOP="false"
    ;;
    *) 
        echo "Usage: $0 {status|stop|start [policy]|restart [policy]}"
        exit
    ;;
esac

checkMullvadConnectivity

# Debug log
# echo " ip addr command returned $connectedWireguardConfiguration"

# Extract the wireguard configuration list that is available in /etc/wireguard
# newWireguardConfigurationList=$(ls $wireguardConfigurationDirectory | grep --word-regexp "$mullvadVpnInterfaceRegex")

if [ -z "$(ls $wireguardConfigurationDirectory | grep $mullvadVpnInterfaceRegex | grep .conf$ | grep -v "wg21.conf")" ]; then
    echo "Wireguard Configuration files are missing. Expecting filed matching regex $mullvadVpnInterfaceRegex in $wireguardConfigurationDirectory. Exiting."
fi
if [ "$STOP" == "true" ];then
    if [[ -n "$connectedWireguardConfiguration" ]]; then
        echo "Disconnecting from $connectedWireguardConfiguration"
        echo "Stopping $connectedWireguardConfiguration"
        /opt/bin/wg_manager stop $interface

    # Satisfies this condition if a connected interface was not found.
    #elif [[ -z "$connectedWireguardConfiguration" ]]; then
        #echo "Not currently connected to any VPN."
    fi

    curl -sS https://am.i.mullvad.net/connected
    exit
else
    while : ; do
        if [[ -n "$connectedWireguardConfiguration" ]]; then
            fileCount=$(ls $wireguardConfigurationDirectory | grep -v "$connectedWireguardConfiguration".conf$ | grep .conf$ | grep -v "wg21.conf" | grep $mullvadVpnInterfaceRegex | wc -l)
            if [ "$fileCount" ==  0  ];then
                echo "Not enough config files to randomize. Reconnecting to $connectedWireguardConfiguration"
            else
                newWireguardConfigurationList=$(ls $wireguardConfigurationDirectory | grep -v "$connectedWireguardConfiguration".conf$ | grep .conf$ | grep -v "wg21.conf" | grep $mullvadVpnInterfaceRegex)
                newWireguardConfigurationListCount=$(ls $wireguardConfigurationDirectory | grep -v "$connectedWireguardConfiguration".conf$ | grep .conf$ | grep -v "wg21.conf" | grep $mullvadVpnInterfaceRegex | wc -l)
            fi
        elif [[ -z "$connectedWireguardConfiguration" ]]; then
            newWireguardConfigurationList=$(ls $wireguardConfigurationDirectory | grep $mullvadVpnInterfaceRegex | grep .conf$ | grep -v "wg21.conf")
            newWireguardConfigurationListCount=$(ls $wireguardConfigurationDirectory | grep $mullvadVpnInterfaceRegex | grep .conf$ | grep -v "wg21.conf" | wc -l)
        fi
        # Pick a wireguard interface at random to connect to next
        if [ "$fileCount" ==  0  ]; then
            newWireguardConfiguration=$connectedWireguardConfiguration
        else
            random=$(awk -v count="$newWireguardConfigurationListCount" 'BEGIN { srand(); print int( rand() * (count-1)+1);}')
            newWireguardConfiguration=$(echo "$newWireguardConfigurationList" | awk -v random="$random" 'FNR==random {print $1}' | grep -oE 'wg[0-9]{2,3}')
        fi
        # Satisfies this condition if a connected interface was found.
        if [[ -n "$connectedWireguardConfiguration" ]]; then
            echo "System is currently connected to $connectedWireguardConfiguration and will reconnect to $newWireguardConfiguration"
            echo "Stopping $connectedWireguardConfiguration"
            /opt/bin/wg_manager stop $connectedWireguardConfiguration
            sleep 5
            /opt/bin/wg_manager start $newWireguardConfiguration $2

        # Satisfies this condition if a connected interface was not found.
        elif [[ -z "$connectedWireguardConfiguration" ]]; then
            echo "System will attempt to connect to $newWireguardConfiguration"
            /opt/bin/wg_manager start $newWireguardConfiguration $2
        fi
        sleep 2
        checkMullvadConnectivity
        if [[ -n "$connectedWireguardConfiguration" ]]; then
            echo "Connected to $connectedWireguardConfiguration"
        elif [[ -z "$connectedWireguardConfiguration" ]]; then
            echo "You are not connected."
        fi
        IP=$(curl -sS https://am.i.mullvad.net/connected)
        DELIMITER=':'
        if [[ "$IP" == *"$DELIMITER"* ]]; then
            echo "$IP"
            echo "Connected to IPV6. Reconnecting."
            checkMullvadConnectivity

            # Debug log
            # echo " ip addr command returned $connectedWireguardConfiguration"

            # Extract the wireguard configuration list that is available in /etc/wireguard
            # newWireguardConfigurationList=$(ls $wireguardConfigurationDirectory | grep --word-regexp "$mullvadVpnInterfaceRegex")
            #if [[ -n "$connectedWireguardConfiguration" ]]; then
            #    newWireguardConfigurationList=$(ls $wireguardConfigurationDirectory | grep -v "$connectedWireguardConfiguration".conf$ | grep --word-regexp "$mullvadVpnInterfaceRegex" | grep conf$)

            #elif [[ -z "$connectedWireguardConfiguration" ]]; then
            #    newWireguardConfigurationList=$(ls $wireguardConfigurationDirectory | grep --word-regexp "$mullvadVpnInterfaceRegex" | grep conf$)
            #fi
        else
            curl -sS https://am.i.mullvad.net/connected
            exit
        fi
        [[ "$IP" == *"$DELIMITER"* ]] || break
    done
fi

 

[ZebMcKayhan]

Edit: I am currently investigating whether its an issue with the Mullvad servers in my city Toronto, as it seems to happen also on the Android and Windows app- but only in Toronto. Seems like other cities like Montreal are working faster in Windows and Android. However Ive been battling this for about 12 hours today so will try it again tomorrow.

I think this sounds like the most reasonable cause. you could also check your connection speed to your LAN via your server to see if it is really your router affected by Wireguard or if it is simply an external issue.

 

[p1r473]

I think this sounds like the most reasonable cause. you could also check your connection speed to your LAN via your server to see if it is really your router affected by Wireguard or if it is simply an external issue.

Can you please elaborate how to test that? Thanks

 

[ZebMcKayhan]

Can you please elaborate how to test that? Thanks

Ive never done it since I'm not running any active server (Im behind CGNAT). but as we are not really interested in exact full speed, we could make it easier, like any of:

1) turn off all your wg clients and keep the wg server running, connect to it from a client and run an internet speed test (internet connected via wg21 to WAN).
2) try to upload/download a 10-50Mb file to your router flash drive.
3) if you have any NAS/FTP server, use that and transfer some file.

if you want a more exact speed, install iperf3 on your router and the same on your connected client and set it up and run a test, but Ive never done this so I cant help you but hopefully its not too difficult.

 

[RMerlin]

Not sure if any of this will affect you, but just in case:

- MASQUERADE support for IPv6 should be now available on all router models that Asus includes Wireguard or OpenVPN support, starting with 386.7
- I have backported IPV6 DNAT support for all HND models. This will be included in 386.7, and will allow me to also implement DNSFilter on the IPv6 side of things.

 

[ZebMcKayhan]

Not sure if any of this will affect you, but just in case:

- MASQUERADE support for IPv6 should be now available on all router models that Asus includes Wireguard or OpenVPN support, starting with 386.7
- I have backported IPV6 DNAT support for all HND models. This will be included in 386.7, and will allow me to also implement DNSFilter on the IPv6 side of things.

Whoho!!! And it's not even Christmas.
Great work, cant wait for the stable release to try it out!

 

[RMerlin]

Whoho!!! And it's not even Christmas.
Great work, cant wait for the stable release to try it out!

The MASQUERADE backport is from Asus (they use it for both their OpenVPN and Wireguard implementation). The DNAT backport is mine (I needed it for DNSFilter).

 

[ZebMcKayhan]

The MASQUERADE backport is from Asus (they use it for both their OpenVPN and Wireguard implementation). The DNAT backport is mine (I needed it for DNSFilter).

Really appreciate your work on this! We (Wireguard/wgm community) have been enjoying ipv6 MASQUARADE from ASUS since 386.4 where it first appeared but have sorely been missing the ipv6 DNAT for dns redirecting policy clients (altough some of us have felt adventurous and installed Entware iptables and used ipv6 DNAT despite the risks). Now I can finally kick out Entware iptables and benefit from a more integrated system.

 

[RMerlin]

Really appreciate your work on this! We (Wireguard/wgm community) have been enjoying ipv6 MASQUARADE from ASUS since 386.4 where it first appeared but have sorely been missing the ipv6 DNAT for dns redirecting policy clients (altough some of us have felt adventurous and installed Entware iptables and used ipv6 DNAT despite the risks). Now I can finally kick out Entware iptables and benefit from a more integrated system.

Simple way to determine if the target system support it or not (without having to check both the platform and the firmware version):

 cat /proc/net/ip6_tables_targets  | grep DNAT

 

[DreaZ]

Heya!

Running

My PC is getting IP and DNS from ISP. All other devices get IP from VPN provider but the DNS is still from ISP. DNS on devices is set to router 192.168.1.1. Suggestions?

 

[ZebMcKayhan]

Heya!

Running
View attachment 41880

View attachment 41879

My PC is getting IP and DNS from ISP. All other devices get IP from VPN provider but the DNS is still from ISP. DNS on devices is set to router 192.168.1.1. Suggestions?

I'm guessing your entire network will all use OVPN public DNS server 46.227.67.134? but your device PC will use it via WAN and the rest will use it via VPN.

This is natural behaviour as wgm is redirecting DNS for VPN policy clients (192.168.1.0/24) but not for WAN policy clients. as your rule "RestUseVPN" includes your "PC" rule this will be the outcome.

your problem, and a proposed solution, is found half way down this section:
https://github.com/ZebMcKayhan/WireguardManager#create-rules-in-wgm

Spoiler: Alert!

A typical use case could be that we want the entire network to go out VPN except a single computer:

E:Option ==> peer wg11 rule add vpn 192.168.1.1/24 comment All LAN to VPN
E:Option ==> peer wg11 rule add wan 192.168.1.38 comment Except This Computer

this works just fine, with one exception. sadly this computer will still use wg DNS (because vpn rules gets a dns redirection rule but wan rules does not). So in this case it could be better to divide your network in 2 parts, like restrict the DHCP to only give out ip adresses 192.168.1.32 - 192.168.1.255 and manually assign the numbers below 32 and create rules for these ranges separately: 192.168.1.0/27 #0 - 31 (no rule needed for this) 192.168.1.32/27 #32-63 (wgm VPN rule) 192.168.1.64/26 #64-127 (wgm VPN rule) 192.168.1.128/25 #128-255 (wgm VPN rule)

so in wgm:

E:Option ==> peer wg11 rule add vpn 192.168.1.128/25 comment 128-255
E:Option ==> peer wg11 rule add vpn 192.168.1.64/26 comment 64-127
E:Option ==> peer wg11 rule add vpn 192.168.1.32/27 comment 32-63

no rules are needed for the 0-31 range since the above rules dont cover them so it will naturally go out WAN. now, every computer you manually assign an ip in the range 192.168.1.2 - 192.168.1.31 will go out WAN and the rest will go out VPN.

Then you could change wg11 DNS to something more private, like the one from your Wireguard Config file:

E:Option ==> peer wg11 dns=<Your wg11 .conf DNS here>

After this your WAN clients will use DNS from routers WAN setting via dnsmasq, via WAN just as without Wireguard but your VPN clients will be redirected to the dns you put in wgm wg11 via VPN.

hope this answers your question.

 

[DreaZ]

I'm guessing your entire network will all use OVPN public DNS server 46.227.67.134? but your device PC will use it via WAN and the rest will use it via VPN.

This is natural behaviour as wgm is redirecting DNS for VPN policy clients (192.168.1.0/24) but not for WAN policy clients. as your rule "RestUseVPN" includes your "PC" rule this will be the outcome.

your problem, and a proposed solution, is found half way down this section:
https://github.com/ZebMcKayhan/WireguardManager#create-rules-in-wgm

Spoiler: Alert!

A typical use case could be that we want the entire network to go out VPN except a single computer:

E:Option ==> peer wg11 rule add vpn 192.168.1.1/24 comment All LAN to VPN
E:Option ==> peer wg11 rule add wan 192.168.1.38 comment Except This Computer

this works just fine, with one exception. sadly this computer will still use wg DNS (because vpn rules gets a dns redirection rule but wan rules does not). So in this case it could be better to divide your network in 2 parts, like restrict the DHCP to only give out ip adresses 192.168.1.32 - 192.168.1.255 and manually assign the numbers below 32 and create rules for these ranges separately: 192.168.1.0/27 #0 - 31 (no rule needed for this) 192.168.1.32/27 #32-63 (wgm VPN rule) 192.168.1.64/26 #64-127 (wgm VPN rule) 192.168.1.128/25 #128-255 (wgm VPN rule)

so in wgm:

E:Option ==> peer wg11 rule add vpn 192.168.1.128/25 comment 128-255
E:Option ==> peer wg11 rule add vpn 192.168.1.64/26 comment 64-127
E:Option ==> peer wg11 rule add vpn 192.168.1.32/27 comment 32-63

no rules are needed for the 0-31 range since the above rules dont cover them so it will naturally go out WAN. now, every computer you manually assign an ip in the range 192.168.1.2 - 192.168.1.31 will go out WAN and the rest will go out VPN.

Then you could change wg11 DNS to something more private, like the one from your Wireguard Config file:

E:Option ==> peer wg11 dns=<Your wg11 .conf DNS here>

After this your WAN clients will use DNS from routers WAN setting via dnsmasq, via WAN just as without Wireguard but your VPN clients will be redirected to the dns you put in wgm wg11 via VPN.

hope this answers your question.

But the issue is tht my VPN clients doesn't get the DNS from my VPN provider. Instead they DNS from ISP. Doesn't matter what I put in peer wg11 dns=

Running dnsleaktest on a VPN client I have DNS 217.215.65.141 and that is from my ISP.

 

[ZebMcKayhan]

But the issue is tht my VPN clients doesn't get the DNS from my VPN provider. Instead they DNS from ISP. Doesn't matter what I put in peer wg11 dns=

Running dnsleaktest on a VPN client I have DNS 217.215.65.141 and that is from my ISP.

ok, hmm. what firmware are you on? have this been working differently before? Have you been changing the DNSFilter in the GUI and the rules in the iptables ended up in the wrong order maybe?

whats your output of:

iptables -nvL PREROUTING -t nat

and

iptables -nvL WGDNS1 -t nat

mask any sensitive data if there should be any.

 

[DreaZ]

ok, hmm. what firmware are you on? have this been working differently before? Have you been changing the DNSFilter in the GUI and the rules in the iptables ended up in the wrong order maybe?

whats your output of:

iptables -nvL PREROUTING -t nat

and

iptables -nvL WGDNS1 -t nat

mask any sensitive data if there should be any.

FW 386.5_2

No changes to DNS filter in GUI.