Wireguard Session Manager - Discussion (3rd) thread

Aah, ok, so pressing delete under VPNDirector section will only delete current VPNDirector imports but leave other rules?
Correct (well that was the intention) as you may already have issued custom peer wg1X rule add commands for a 'client' Peer, plus VPN Director only supports 5 clients whereas you can have 9 wg_manager clients - wg16 thru wg19.
I have created a couple of rules in VPNDirector. The rules are enabled but the ovpn clients are not (as I don't have any) and when I press Show it gives me:
Code:
Thu Jun 23 15:33:18 DST 2022
============================

No WireGuard® VPN Director Policy rules found
Do the ovpn clients need to be connected for this to work?
OVPN?....WireGuard 'client' Peers most certainly have to be ACTIVE for them to be physically defined/honoured (which occurs during their initialisation), but the VPN Director rules need to be cloned into the SQL database first.
 
@Martineau , not a big deal, but for some reason on my AX88U, whenever I do a uf dev it takes 2 restarts of wg_manager to get the version forced.

For example, this morning I was on 4.17bA - did the uf dev then tried www refresh. It told me “refresh” was not valid.
Quit wg_manager, restarted and I saw it still showed 4.17bA. Quit one more time and restarted. Now it shows 4.17bC and www refresh worked.
IIRC You have previous form (earliest reported 2020?) about being unable to issue uf [dev] not just for wg_manager but other ADDons?:)

Invariably you always ultimately manage to overcome the issue, and successfully upgrade, so I'm not sure why you have issues? - temporary DNS resolve failure for GitHub? - but consequently I don't think I need to investigate further.:cool:
Just an FYI - I would prefer you continue on the Web UI rather than my issue.
Tell you what, let me investigate further.
Unfortunately, I doubt any new immediate future wg_manager WebUI developments would benefit you.
Clearly your site-to-site setup is unique and the WebUI is already getting crowded, so I'll probably leave site-to-site until last for implementation (if at all).

Hopefully the WebUI currently provides the necessary basics to get a 'non-Selective Routing' 'client' Peer up and running (a fix to always set auto=p for each new import will be available in v4.17bD) without needing to use SSH, although you can't install wg_manager without having skills to use SSH in the first place! ;)
 
So, I read several threads and I did this:

1 installed amtm, used it to format a 16 kingston usb 3 pendrive and rebooted router
2 used amtm to install entware on the pendrive
3 used amtm to install wg_manager

This is the outcome of the installation:

View attachment 42130
then I created a peer and successfully QR to my android BUT when I replied YES to start 'server' Peer (wg21) this error came out:

View attachment 42131

I did nothing different than using the interface options... what should I have done different or how do I fix these errors?

This is the outcome of the command asked by @Martineau:

1656091943316.png

Thank You.

Then, inside the script I chose option 4 to start and it started! So I grabbed my android and tested the tunnel but it happens that as a new router I have it connected to my main router while I do the configs so the wan ip it's a lan ip so the endpoint ended up something like A85A95C.asuscomm.comm something...
 
Error loading wireguard kernel module... what router and firmware are you on?

I need to run the find command from root folder for it to work:
Code:
cd /
find -name wireguard.ko

wgm is an alias for wg_manager so you need to log out from your ssh session and log in again for it to work. Or use wg_manager instead.

You can always change the Endpoint manually in the config if you want
https://github.com/ZebMcKayhan/WireguardManager#setup-wg-server
(Scroll down to device peer setup)

But as long as the wireguard.ko kernel module fails to load it's not going to work.
 
If the wgm alias can't be found then try the full path
Code:
sh /jffs/addons/wireguard/wg_manager.sh
then
Code:
e  = Exit Script [?]

E:Option ==> ?

You could try using @ZebMcKayhan's kernel module.....
Code:
e  = Exit Script [?]

E:Option ==> vx
then scroll down using the 'down-arrow' key, then uncomment the line #USE_ENTWARE_KERNEL_MODULE

Press F2 to save the modification; Press 'Y'

Once the config has been updated, retrieve the 3rd Party modules

Code:
e  = Exit Script [?]


E:Option ==> getmodules
Code:
e  = Exit Script [?]

E:Option ==> loadmodules

Code:
e  = Exit Script [?]

E:Option ==> restart wg21
 
@Martineau
Just updated to 386.7 and tried to check out new ipv6 dnat so I removed entware iptables, but wgm currently doesn't populate any wgdnsx rules? I'm on latest dev version
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL DNSFILTER -t nat
Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
   51  4371 DNAT       all      *      *       ::/0                 ::/0                 to:aaff:a37f:fa75:1::1
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL WGDNS1 -t nat
Chain WGDNS1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL WGDNS2 -t nat
Chain WGDNS2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
admin@RT-AC86U-D7D8:/tmp/home/root# iptables -nvL WGDNS1 -t nat
Chain WGDNS1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
admin@RT-AC86U-D7D8:/tmp/home/root# iptables -nvL WGDNS2 -t nat
Chain WGDNS2 (2 references)
 pkts bytes target     prot opt in     out     source               destination

Code:
E:Option ==> start wg12 debug

        Requesting WireGuard® VPN Peer start (wg12)

        wg_manager-clientwg12: Initialising WireGuard® VPN 'client' Peer (wg12) in Policy Mode to us.wireguard.5july.net:42911 (# Integrity USA) DNS=9.9.9.9,2620:fe::fe

<snip>

[#] ip route add table 122 192.168.1.0/24 proto kernel scope link src 192.168.1.1 dev br0
[#] ip -6 route add table 122 aaff:a37f:fa75:1::/64 proto kernel metric 256 pref medium dev br0
[#] ip -6 route add table 122 fe80::/64 proto kernel metric 256 pref medium dev br0
[+] wg12-up.sh
[#] iptables -t mangle -I FORWARD -o wg12 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I FORWARD -i wg12 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I FORWARD -o wg12 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] iptables -t mangle -I PREROUTING -i wg12 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] iptables -t nat -I POSTROUTING -s 192.168.1.1/24 -o wg12 -j MASQUERADE -m comment --comment WireGuard 'client'
[#] iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j WGDNS2 -m comment --comment WireGuard 'client2 DNS'
[#] iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j WGDNS2 -m comment --comment WireGuard 'client2 DNS'
[#] ip6tables -t mangle -I FORWARD -o wg12 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -I FORWARD -i wg12 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -I FORWARD -o wg12 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] ip6tables -t mangle -I PREROUTING -i wg12 -j MARK --set-xmark 0x01/0x7 -m comment --comment WireGuard 'client'
[#] ip6tables -t nat -I POSTROUTING -s aaff:a37f:fa75:1::1/64 -o wg12 -j MASQUERADE -m comment --comment WireGuard 'client'
[#] ip6tables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j WGDNS2 -m comment --comment WireGuard 'client2 DNS'
[#] ip6tables -t nat -I PREROUTING -p udp -m udp --dport 53 -j WGDNS2 -m comment --comment WireGuard 'client2 DNS'
        wg_manager-clientwg12: Initialisation complete.

I have no time to dig into this today and I don't know if this started when I updated wgm to latest dev version or when I updated to 386.7

Edit: sent you a pm from the output of
Code:
sh -x /jffs/addons/wireguard/wg_client wg12 policy > "/opt/tmp/wg12_start" 2>&1
 
OK, the modules (as expected) are included in the firmware.

Can you provide the debug output for the loading request
Code:
e  = Exit Script [?]

E:Option ==> debug
Code:
e  = Exit Script [?]

E:Debug mode enabledOption ==> loadmodules
 
@Martineau

Added some debug lines in wg_client right before line 213 where dns rules are added to echo out what the variables are at this point:
Code:
E:Option ==> restart wg12

        Requesting WireGuard® VPN Peer restart (wg12)

        Restarting Wireguard® 'client' Peer (wg12)

        wg_manager-clientwg12: WireGuard® VPN 'client' Peer (wg12) to us.wireguard.5july.net:42911 (# Integrity USA) Terminated
        wg_manager-clientwg12: Initialising WireGuard® VPN 'client' Peer (wg12) in Policy Mode to us.wireguard.5july.net:42911 (# Integrity USA) DNS=9.9.9.9,2620:fe::fe
PEER_DNS =
TARGET_LOOKUP = 122
VPN_IP = aaff:a37f:fa75:6::1/64
PEERDNS_LIST =
PEER_DNS =
TARGET_LOOKUP = 122
VPN_IP = 192.168.6.0/24
PEERDNS_LIST =
        wg_manager-clientwg12: Initialisation complete.

$PEER_DNS and $PEERDNS_LIST are empty at this point, that's why no dns rules are added.

This is about as far as my scripting skills allow me to debug

Edit: yea, OK... I did add a line at the top of the function, seems to fix the problem but probably just band-aid:ing. Don't know if the real problem is a typo or local/global variables:
Code:
create_client_list(){

    local PEER_DNS=$PEER_DNS_LIST #Added line for dns fix
    local PEERDNS_LIST=${PEER_DNS//,/ }
 
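A way to check for the symptom reported in the two posts above (WGDNS chains that PREROUTING jumps to but that hold no rules, fed by an empty DNS list), as an added example that is not part of the thread or of wg_manager. The function names and the sample text are constructed here, modelled on the posted output.

```shell
#!/bin/sh
# Added example: audit DNS redirect chains from `iptables -nvL` output.
# Function names and SAMPLE are constructed for illustration.

# Print every user-defined chain that other chains reference but that holds
# no rules. Reads concatenated `-nvL <chain> -t nat` output on stdin.
empty_referenced_chains() {
    awk '
        function report() { if (chain != "" && refs > 0 && rules == 0) print chain }
        /^Chain / {
            report()
            chain = $2; rules = 0
            # "(2" becomes 2; "(policy" on a built-in chain becomes 0
            refs = $3; gsub(/[^0-9]/, "", refs); refs += 0
            next
        }
        # A rule line starts with the pkts and bytes counters (optionally
        # K/M/G suffixed); column headers, shell prompts and the tails of
        # terminal-wrapped lines do not, so they are never counted.
        /^ *[0-9]+[KMGT]? +[0-9]+[KMGT]? / { if (chain != "") rules++ }
        END { report() }
    '
}

# Split a comma-separated DNS value into a space-separated list.
# Returns 1 on an empty value instead of silently yielding no servers,
# which is the condition that left the chains above without rules.
split_dns_csv() {
    if [ -z "$1" ]; then
        echo "DNS list is empty, no redirect rules can be built" >&2
        return 1
    fi
    printf '%s\n' "$1" | tr ',' ' '
}

# Constructed sample modelled on the output posted above.
SAMPLE='Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
   51  4371 DNAT       all      *      *       ::/0                 ::/0                 to:aaff:a37f:fa75:1::1
Chain WGDNS1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
Chain WGDNS2 (2 references)
 pkts bytes target     prot opt in     out     source               destination'

echo "Referenced but empty chains:"
printf '%s\n' "$SAMPLE" | empty_referenced_chains
echo "DNS servers: $(split_dns_csv '9.9.9.9,2620:fe::fe')"
```

On the router the same function can be fed live output, for example `{ iptables -nvL WGDNS2 -t nat; ip6tables -nvL WGDNS2 -t nat; } | empty_referenced_chains`; a chain name printed while the peer is up means DNS on port 53 is not being redirected for that peer.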
Hi Martineau, all of a sudden the wg_manager doesn't work in siri shortcuts. not sure what changed... thanks
 
E:Debug mode enabledOption ==> loadmodules
+ printf %s loadmodules
+ sed s/^[ \t]*//;s/[ \t]*$//
+ menu1=loadmodules
+ Validate_User_Choice loadmodules
+ local menu1=loadmodules
+ [ Y == Y ]
+ echo loadmodules
+ menu1=loadmodules
+ Process_User_Choice loadmodules
+ local menu1=loadmodules
+ Load_UserspaceTool
+ local USE_ENTWARE_KERNEL_MODULE=N
+ [ -f /jffs/addons/wireguard/WireguardVPN.conf ]
+ grep -oE ^USE_ENTWARE_KERNEL_MODULE /jffs/addons/wireguard/WireguardVPN.conf
+ [ -n USE_ENTWARE_KERNEL_MODULE ]
+ local USE_ENTWARE_KERNEL_MODULE=Y
+ [ ! -d /jffs/addons/wireguard/ ]
+ + sort -r
+ tr \n
wg show interfaces
+ tr \n
+ echo wg21
+ local ACTIVE_WG_INTERFACES=wg21
+ local STATUS=0
+ [ ! -f /usr/sbin/wg ]
+ [ Y == Y ]
+ echo -e \e[96m\n\tLoading WireGuard Kernel module and Userspace Tool for RT-AX88U (v386.7_0)\e[0m

Loading WireGuard Kernel module and Userspace Tool for RT-AX88U (v386.7_0)
+ ls /jffs/addons/wireguard/wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk /jffs/addons/wireguard/wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk
+ [ -n /jffs/addons/wireguard/wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk
/jffs/addons/wireguard/wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk ]
+ [ -n wg21 ]
+ Manage_Wireguard_Sessions stop wg21
+ local ACTION=stop
+ shift
+ local WG_INTERFACE=wg21
+ shift
+ local CATEGORY=
+ local SHOWCMDS=
+ local WG_QUICK=
+ [ -z wg21 ]
+ [ wg21 == all ]
+ echo -en \e[96m
+ local PEERS=wg21
+ [ wg21 == debug ]
+ [ wg21 == wg-quick ]
+ [ wg21 == policy ]
+ [ wg21 == nopolicy ]
+ [ wg != wg ]
+ local INTERFACES= wg21
+ WG_INTERFACE= wg21
+ printf %s wg21
+ + sed s/wgs[1-5]//gsed
s/wgc[1-5]//g
+ sed s/^[ \t]*//;s/[ \t]*$//
+ WG_INTERFACE=wg21
+ local TMP_SERVERS=
+ local TMP_CLIENTS=
+ echo
+ grep -w wg21
+ [ -z ]
+ TMP_SERVERS= wg21
+ echo wg21+ tr \n

+ sort
+ tr \n
+ local TMP_SERVERS= wg21
+ WG_INTERFACE= wg21
+ echo wg21
+ awk {$1=$1};1
+ WG_INTERFACE=wg21
+ [ -n wg21 ]
+ echo -e \e[97m\n\tRequesting WireGuard VPN Peer stop (\e[95mwg21\e[0m) \e[41m\e[0m

Requesting WireGuard VPN Peer stop (wg21)
+ [ -z wg21 ]
+ echo -e

+ [ wg21 == debug ]
+ wg show wg21
+ [ -n interface: wg21
public key: tvegMrMUlXUbSnJsE8EQq5LaIv4m28LUb81Zg9bKKyM=
private key: (hidden)
listening port: 51820

peer: Z44NfqUinwaCC43HzzbtsdHP+vaVUl/KG9T+wPUJCmc=
preshared key: (hidden)
allowed ips: 10.50.1.2/32 ]
+ Server_or_Client wg21
+ local WG_INTERFACE=wg21
+ local PEER_TYPE=**ERROR**
+ local SOURCE_DIR=/opt/etc/wireguard.d/
+ [ -n ]
+ [ **ERROR** == **ERROR** ]
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db SELECT peer FROM servers WHERE peer='wg21';
+ [ -n wg21 ]
+ local PEER_TYPE=server
+ [ server == **ERROR** ]
+ [ server == **ERROR** ]
+ [ server == **ERROR** ]
+ echo server
+ Mode=server
+ [ server == server ]
+ local TABLE=servers
+ wg show wg21
+ grep -F interface:
+ [ -n interface: wg21 ]
+ [ ! -f /opt/etc/wireguard.d/wg21.conf ]
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db SELECT tag FROM servers WHERE peer='wg21';
+ local DESC=# RT-AX88U Server #1
+ echo -en \e[96m
+ SayT v4.16 Requesting termination of WireGuard VPN 'server' Peer ('wg21')
+ echo -e 6746 v4.16 Requesting termination of WireGuard VPN 'server' Peer ('wg21')
+ basename /jffs/addons/wireguard/wg_manager.sh
+ logger -t (wg_manager.sh)
+ wg show interfaces
+ grep -w wg21
+ [ -z wg21 ]
+ [ server == server ]
+ awk /^PublicKey/ {print $3} /opt/etc/wireguard.d/wg21.conf
+ tr \n
+ local DEVICE_PUB_KEYS=Z44NfqUinwaCC43HzzbtsdHP+vaVUl/KG9T+wPUJCmc=
+ date +%s
+ local TIMESTAMP=1656307136
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db SELECT name FROM devices WHERE pubkey='Z44NfqUinwaCC43HzzbtsdHP+vaVUl/KG9T+wPUJCmc=';
+ DEVICE=5T
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db INSERT into session values('5T','End','1656307136');
+ /jffs/addons/wireguard/wg_server wg21 disable
WireGuard-serverwg21: WireGuard VPN 'Server' Peer (wg21) on 10.50.1.1:51820 (# RT-AX88U Server #1) Terminated

+ wg show interfaces
+ + grep wg2[1-9]
tr + wc -w
\n
+ [ 0 -eq 0 ]
+ Manage_UDP_Monitor server disable
+ local TYPE=server
+ local ACTION=disable
+ local WATCH=
+ [ -z ]
+ WATCH=&
+ date +%Y%m%d-%H%M%S
+ local TS=20220627-021857
+ [ -n disable ]
+ [ disable == disable ]
+ pidof conntrack
+ killall
+ pidof UDP_Monitor.sh
+ killall
+ pidof UDP_Updater.sh
+ killall
+ rm /tmp/UDP_Updater.pid
+ rm /tmp/UDP_Monitor.pid
+ rm /tmp/WireGuard_UDP.log
+ rm /jffs/addons/wireguard/UDP_Monitor.sh
+ pidof UDP_Monitor.sh
+ [ -n ]
+ pidof UDP_Updater.sh
+ [ -n ]
+ echo -e N
+ local UDP_MONITOR=N
+ WG_show
+ local SHOW=
+ [ == Y ]
+ ls /jffs/addons/wireguard/wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk /jffs/addons/wireguard/wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk
+ + basenamesed /jffs/addons/wireguard/wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk
s/_.*$//
+ echo wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk
+ local MODULE_NAME=wireguard-kernel
+ SayT Initialising WireGuard module 'wireguard-kernel'
+ echo -e 6746 Initialising WireGuard module 'wireguard-kernel'
+ basename /jffs/addons/wireguard/wg_manager.sh
+ logger -t (wg_manager.sh)
+ echo -e \e[96m\tInitialising WireGuard module \e[0m'wireguard-kernel'
Initialising WireGuard module 'wireguard-kernel'
+ opkg install /jffs/addons/wireguard/wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk
Package wireguard-kernel (1.0.20211208-k51_1) installed in root is up to date.
+ [ 0 -eq 0 ]
+ md5sum /jffs/addons/wireguard/wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk
+ sed -i s~/jffs/addons/wireguard/~~ /jffs/addons/wireguard/wireguard-kernel.md5
+ + basename /jffs/addons/wireguard/wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk
sed s/_.*$//
+ echo wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk
+ local MODULE_NAME=wireguard-tools
+ SayT Initialising WireGuard module 'wireguard-tools'
+ echo -e 6746 Initialising WireGuard module 'wireguard-tools'
+ basename /jffs/addons/wireguard/wg_manager.sh
+ logger -t (wg_manager.sh)
+ echo -e \e[96m\tInitialising WireGuard module \e[0m'wireguard-tools'
Initialising WireGuard module 'wireguard-tools'
+ opkg install /jffs/addons/wireguard/wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk
Package wireguard-tools (1.0.20210914-1) installed in root is up to date.
+ [ 0 -eq 0 ]
+ md5sum /jffs/addons/wireguard/wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk
+ sed -i s~/jffs/addons/wireguard/~~ /jffs/addons/wireguard/wireguard-tools.md5
+ [ 0 -eq 0 ]
+ insmod /opt/lib/modules/wireguard
+ dmesg
+ grep -a WireGuard
+ tail -n 1
+ echo -e \e[90m\twireguard: WireGuard 1.0.20211208 loaded. See www.wireguard.com for information.
wireguard: WireGuard 1.0.20211208 loaded. See www.wireguard.com for information.
+ dmesg
+ grep -a wireguard: Copyright
+ tail -n 1
+ echo -e \e[90m\twireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.\n\e[0m
wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

+ local STATUS=0
+ [ -n wg21 ]
+ Manage_Wireguard_Sessions start wg21
+ local ACTION=start
+ shift
+ local WG_INTERFACE=wg21
+ shift
+ local CATEGORY=
+ local SHOWCMDS=
+ local WG_QUICK=
+ [ -z wg21 ]
+ [ wg21 == all ]
+ echo -en \e[96m
+ local PEERS=wg21
+ [ wg21 == debug ]
+ [ wg21 == wg-quick ]
+ [ wg21 == policy ]
+ [ wg21 == nopolicy ]
+ [ wg != wg ]
+ local INTERFACES= wg21
+ WG_INTERFACE= wg21
+ printf %s wg21
+ sed s/wgs[1-5]//g
+ + sed s/^[ \t]*//;s/[ \t]*$//
sed s/wgc[1-5]//g
+ WG_INTERFACE=wg21
+ local TMP_SERVERS=
+ local TMP_CLIENTS=
+ echo
+ grep -w wg21
+ [ -z ]
+ TMP_SERVERS= wg21
+ echo wg21
+ tr \n
+ sort
+ tr \n
+ local TMP_SERVERS= wg21
+ WG_INTERFACE= wg21
+ echo wg21
+ awk {$1=$1};1
+ WG_INTERFACE=wg21
+ [ -n wg21 ]
+ echo -e \e[97m\n\tRequesting WireGuard VPN Peer start (\e[95mwg21\e[0m) \e[41m\e[0m

Requesting WireGuard VPN Peer start (wg21)
+ echo
+ grep -w nopolicy
+ [ -n ]
+ echo -e

+ LOOKAHEAD=wg21
+ Server_or_Client wg21
+ local WG_INTERFACE=wg21
+ local PEER_TYPE=**ERROR**
+ local SOURCE_DIR=/opt/etc/wireguard.d/
+ [ -n ]
+ [ **ERROR** == **ERROR** ]
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db SELECT peer FROM servers WHERE peer='wg21';
+ [ -n wg21 ]
+ local PEER_TYPE=server
+ [ server == **ERROR** ]
+ [ server == **ERROR** ]
+ [ server == **ERROR** ]
+ echo server
+ Mode=server
+ [ server == server ]
+ local TABLE=servers
+ [ -z ]
+ [ server == client ]
+ [ start == restart ]
+ echo -en \e[96m
+ SayT v4.16 Initialising Wireguard VPN 'server' Peer (wg21)
+ echo -e 6746 v4.16 Initialising Wireguard VPN 'server' Peer (wg21)
+ basename /jffs/addons/wireguard/wg_manager.sh
+ logger -t (wg_manager.sh)
+ ifconfig
+ grep -E ^wg21
+ [ -n ]
+ [ -f /opt/etc/wireguard.d/wg21.conf ]
+ [ server == server ]
+ date +%s
+ local TS=1656307137
+ chmod +x /jffs/addons/wireguard/wg_server
+ /jffs/addons/wireguard/wg_server wg21
WireGuard-serverwg21: Initialising WireGuard VPN 'Server' Peer (wg21) on 10.50.1.1:51820 (# RT-AX88U Server #1)
WireGuard-serverwg21: Initialisation complete.

+ awk /^PublicKey/ {print $3} /opt/etc/wireguard.d/wg21.conf
+ tr \n
+ local DEVICE_PUB_KEYS=Z44NfqUinwaCC43HzzbtsdHP+vaVUl/KG9T+wPUJCmc=
+ date +%s
+ local TIMESTAMP=1656307138
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db SELECT name FROM devices WHERE pubkey='Z44NfqUinwaCC43HzzbtsdHP+vaVUl/KG9T+wPUJCmc=';
+ DEVICE=5T
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db INSERT into session values('5T','Start','1656307138');
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db UPDATE devices SET conntrack='1656307138' WHERE name='5T';
+ Route=
+ local FORCEPOLICY=
+ local POLICY_MODE=
+ WG_show
+ local SHOW=
+ [ == Y ]
+ return 0
+ set +x
 
I noted this line but i swear i did the mod that u asked me in post #345 and i have just checked and the line #USE_ENTWARE_KERNEL_MODULE is still uncommented!
This is just initialization of the variable, 4 lines down the tag is evaluated and variable changed:
+ local USE_ENTWARE_KERNEL_MODULE=Y

looks like the Entware wireguard module is loaded successfully (now with the Entware module):
+ insmod /opt/lib/modules/wireguard
+ dmesg
+ grep -a WireGuard
+ tail -n 1
+ echo -e \e[90m\twireguard: WireGuard 1.0.20211208 loaded. See www.wireguard.com for information.
wireguard: WireGuard 1.0.20211208 loaded. See www.wireguard.com for information.
+ dmesg
+ grep -a wireguard: Copyright
+ tail -n 1
+ echo -e \e[90m\twireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.\n\e[0m
wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

I don't see any error messages in the log, so it might be working now?
 
New Wireguard Kernel module source code released as of today:
https://git.zx2c4.com/wireguard-linux-compat/

* version: bump (HEAD, v1.0.20220627, master) Jason A. Donenfeld
* compat: handle backported rng and blake2s Jason A. Donenfeld
* qemu: give up on RHEL8 in CI Jason A. Donenfeld 2022-05-05
* qemu: set panic_on_warn=1 from cmdline Jason A. Donenfeld 2022-05-05
* qemu: use vports on arm Jason A. Donenfeld 2022-05-05
* netns: limit parallelism to $(nproc) tests at once Jason A. Donenfeld 2022-05-05
* netns: make routing loop test non-fatal Jason A. Donenfeld 2022-05-05
* device: check for metadata_dst with skb_valid_dst() Nikolay Aleksandrov 2022-04-14
* qemu: enable ACPI for SMP Jason A. Donenfeld 2022-04-06
* socket: ignore v6 endpoints when ipv6 is disabled Jason A. Donenfeld
* socket: free skb in send6 when ipv6 is disabled Wang Hai 2022-04-06
* qemu: simplify RNG seeding Jason A. Donenfeld 2022-03-03
* queueing: use CFI-safe ptr_ring cleanup function Jason A. Donenfeld 2022-03-02
* crypto: curve25519-x86_64: use in/out register constraints more precisely Jason A. Donenfeld 2021-12-13
* compat: drop Ubuntu 14.04 Jason A. Donenfeld 2021-12-13

Kernel modules for RT-AC86U and RT-AX88U are currently compiling
 
I have been running the new kernel module yesterday without issues. It was compiled using the same firmware compilation since last kernel module build so I'm feeling pretty confident there wouldn't be any issues. Although I have only been running RT-AC86U so RT-AX88U is untested, so test at your own risk.

If anyone would like to try out the new 20220627 kernel modules (only: RT-AC86U, GT-AC2900, RT-AX88U, GT-AX11000):

Enable the use of Entware kernel modules:
Code:
E:Option ==> vx

Then uncomment this line:
Code:
# For Routers that include WireGuard Kernel/User Space tools, allow overriding with supported 3rd-Party/Entware versions
#     Use command 'vx' to edit this setting.
USE_ENTWARE_KERNEL_MODULE
Save & exit.

Download the kernel modules from my dev branch:
Code:
E:Option ==> getmodules dev
Make sure it downloads kernel module for your router and 1.0.20220627 and wireguard tools 1.0.20210914-1

Install the modules:
Code:
E:Option ==> loadmodules

Reboot router.

If anyone tests the AX88U / GT-AX11000 then please drop me a note here so I know it has been tested.

If you are the first tester of AX88U kernel module, an easy/effective precaution would be to set all peers to auto=N so in case the router hangs (unlikely but still) and reboot is needed Wireguard isn't started automatically, so you have a chance to change modules back, after peers start ok after boot, change auto= back as it was.
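
The "make sure it downloads ..." step above can be checked before running loadmodules and again after the reboot, as an added example that is not part of the thread or of wg_manager. The function names and sample values are constructed, and the file-name layout is an assumption taken from the .ipk names visible in the loadmodules trace earlier in the thread.

```shell
#!/bin/sh
# Added example: check downloaded WireGuard packages and the loaded module
# version. Names and sample values are constructed for illustration.

# Assumed layout: wireguard-kernel_<version>-<model>_<build>_<arch>.ipk
# Prints "<version> <model>", or returns 1 if the name does not fit.
kernel_ipk_info() {
    base=${1##*/}
    case $base in wireguard-kernel_*-*_*.ipk) ;; *) return 1 ;; esac
    rest=${base#wireguard-kernel_}
    model=${rest#*-}
    printf '%s %s\n' "${rest%%-*}" "${model%%_*}"
}

# Assumed layout: wireguard-tools_<version>_<arch>.ipk
tools_ipk_version() {
    base=${1##*/}
    case $base in wireguard-tools_*_*.ipk) ;; *) return 1 ;; esac
    rest=${base#wireguard-tools_}
    printf '%s\n' "${rest%%_*}"
}

# verify_modules DIR MODEL KERNEL_VERSION TOOLS_VERSION
# Succeeds only if every package in DIR matches, so a stale or wrong-model
# .ipk left beside the new one is reported instead of being installed.
verify_modules() {
    dir=$1; want_kernel="$3 $2"; want_tools=$4; k_ok=0; t_ok=0
    for f in "$dir"/wireguard-kernel_*.ipk "$dir"/wireguard-tools_*.ipk; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            wireguard-kernel_*)
                if [ "$(kernel_ipk_info "$f")" = "$want_kernel" ]; then k_ok=1
                else echo "unexpected kernel package: ${f##*/}" >&2; return 1; fi ;;
            wireguard-tools_*)
                if [ "$(tools_ipk_version "$f")" = "$want_tools" ]; then t_ok=1
                else echo "unexpected tools package: ${f##*/}" >&2; return 1; fi ;;
        esac
    done
    [ "$k_ok" = 1 ] && [ "$t_ok" = 1 ]
}

# Print the version from the most recent "WireGuard <version> loaded" kernel
# log line read on stdin (on the router: dmesg | loaded_wg_version).
loaded_wg_version() {
    sed -n 's/^.*wireguard: WireGuard \([0-9][0-9.]*[0-9]\) loaded\..*$/\1/p' | tail -n 1
}

# Constructed sample: the first line is the one shown in the trace earlier in
# the thread, the second is what the log would read once the new module loads.
DMESG_SAMPLE='wireguard: WireGuard 1.0.20211208 loaded. See www.wireguard.com for information.
wireguard: WireGuard 1.0.20220627 loaded. See www.wireguard.com for information.'

kernel_ipk_info "wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk"
printf '%s\n' "$DMESG_SAMPLE" | loaded_wg_version
# On the router, with the values from the post above:
#   verify_modules /jffs/addons/wireguard RT-AX88U 1.0.20220627 1.0.20210914-1
```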
 
Ok @ZebMcKayhan , I went bravely. No auto=N, did your instructions above and did a reboot.
AX88U came up fine.

@Martineau , you will be glad to know I didn’t bother to fire up an SSH session to check on things. Went to the Web tab and saw:
Wireguard Kernel Module version 1.0.20220627
then did a list command and see that my site-to-site is happy.

I then connected my iPhone peer. Did another “list” command in the WebUI and it showed connected.

Looks like this new module is working fine on an AX88U.
I'm (for now) still using the built in module on my remote AX86U and will be doing lots of site-to-site activity the next few days.

If anything odd happens, I will let you guys know.

BTW, @Martineau , could you consider allowing a different editor for the vx command? Us old timers much prefer vi. Maybe vix?
 
Hi to all,

I have "strange" question, but I'm stuck on this. I will be grateful if someone can advise.

router - Asus RT-AC86U
firmware - Asus Merlin 386.7
installed wireguard via AMTM

I set NordVPN connection and make exception what IPs should go through this VPN. All devices from lan - work with it, and all traffic except ip in rules go directly to WAN, ip in rules go through wg11 NordVPN

Client Auto IP Endpoint DNS MTU Annotate
wg11 P 10.102.248.248/32 xxx:xxx xxxx # N/A

Selective Routing RPDB rules
ID Peer Interface Source Destination Description
59 wg11 VPN Any 95.213.0.0/18 VPN Director:
29 wg11 VPN Any 95.163.32.0/19 VPN Director:
etc

peer wg21

Server Auto Subnet Port Annotate
wg21 Y 10.50.1.1/24 xxx # RT-AC86U Server #1

When I connect my tablet to server (from internet to wg21), I see all my lan network, but policies from wg11 - don't work, and I can't connect to 95.213.0.0/18, 95.163.32.0/19, etc... through wg11 NordVPN
 