Wireguard Session Manager - Discussion (3rd) thread

[ZebMcKayhan]

Is this the latest kernel/module?

Well, it is the one and only supplied with the firmware. Latest source released from Wireguard team is 20220627. I've compiled it for AC86U and AX88U and as far as I know those are the only available ones.

How can I update the kernel/module?

Change wgm config file by typing vx in wgm menu. It will open config file in nano editor. Remove the # for this line:

# For Routers that include WireGuard Kernel/User Space tools, allow overriding with supported 3rd-Party/Entware versions
# Use command 'vx' to edit this setting.
#USE_ENTWARE_KERNEL_MODULE

then let wgm download the modules:

E:Option ==> getmodules

then load the updated modules into the kernel:

E:Option ==> loadmodules

If all goes well you should now be running on modules compiled from the latest available source code.

 

[ZebMcKayhan]

wg_manager-serverwg21: Initialising WireGuard® VPN 'Server' Peer (wg21) on 10.50.1.1:51820 (# RT-AC86U Server #1)
RTNETLINK answers: Operation not supported
Unable to modify interface: Protocol not supported
Unable to modify interface: Protocol not supported
Cannot find device "wg21"

***ERROR Initialisation ABORTED - 'wg setconf wg21 /tmp/wg21.27321 (/opt/etc/wireguard.d/wg21.conf)' FAILED

Looks like wgm failed to load the built-in kernel modules. Maybee using the 3rd party modules will solve your issue. Altough there might be something here for @Martineau to look at.

 

[Martineau]

Looks like wgm failed to load the built-in kernel modules. Maybee using the 3rd party modules will solve your issue. Altough there might be something here for @Martineau to look at.

Just tried a clean v4.18 install via amtm and it doesn't produce the error.

Just tried a clean v4.19b3 install from the Github dev branch page and it too doesn't report the error.

You would need to enable debug mode for the installation, then save the output to say Pastebin, then PM me the link.

 

[sambosoul]

Hello everyone,

I have successfully set up Wireguard on my Asus AC86U, however, I am having an issue with policy routing. I am getting an error message (see below). I am not sure what I am doing wrong but I want my AppleTV with local IP address 192.168.1.34 to peer with the wg12 client.

Any help is highly appreciated

Edit:

Ok, I figured it out. I had a syntax error. Now I have also changed the peer to P=Policy, however, now all my LAN devices e.g. iPhone or iMac are still going through the Wireguard VPN client connection.. but I only want my AppleTV to do so. Have I forgotten anything?

 

[ZebMcKayhan]

Now I have also changed the peer to P=Policy, however, now all my LAN devices e.g. iPhone or iMac are still going through the Wireguard VPN client connection.. but I only want my AppleTV to do so. Have I forgotten anything?

Check how your rule actually turned out in wgm:

E:Option ==> peer wg12

Perhaps still some typo when you entered the command. Or perhaps some earlier attemp not deleted?

you could also check how the routing rules turned out (not in wgm)

ip rule

 

[sambosoul]

Check how your rule actually turned out in wgm:

E:Option ==> peer wg12

Perhaps still some typo when you entered the command. Or perhaps some earlier attemp not deleted?

you could also check how the routing rules turned out (not in wgm)

ip rule

Peer wg12 result:

ip rule result

 

[ZebMcKayhan]

Peer wg12 result:

You used cidr notation /24 which does exactly what you discovered: Put your whole network to vpn.
This rule should be deleted:

E:Option ==> peer wg12 rule del 1

try:

E:Option ==> peer wg12 rule add vpn 192.168.1.34 comment AppleTV

See
https://github.com/ZebMcKayhan/WireguardManager#create-rules-in-wgm
for info on how to create and manage rules.

 

[sambosoul]

You used cidr notation /24 which does exactly what you discovered: Put your whole network to vpn.
This rule should be deleted:

E:Option ==> peer wg12 rule del 1

try:

E:Option ==> peer wg12 rule add vpn 192.168.1.34 comment AppleTV

See
https://github.com/ZebMcKayhan/WireguardManager#create-rules-in-wgm
for info on how to create and manage rules.

Thank you so much for your help, it is working now

 

[here1310]

i have set up a new client peer again for some time. contrary to before, there is now a pre-shared key and the new client simply does not establish a connection to the server (dns), all previous clients (peers) work, only the newly created one does not...

i suspect the dns server is not set cleanly, so far i used: peer 200_ph_here dns=192.168.27.4
this also changed the .conf of the peer so far;
I edit the dns server in the conf, but without success...

v4.19.b3

 

[Martineau]

i have set up a new client peer again for some time. contrary to before, there is now a pre-shared key and the new client simply does not establish a connection to the server (dns), all previous clients (peers) work, only the newly created one does not...

Does wg_manager show the PreSharedKey = clause when you issue the diagnostic raw command?

e.g. My 'client' Peer wg16 doesn't need/use a PresharedKey so it isn't shown

e  = Exit Script [?]

E:Option ==> raw wg16

    ================Config===============
# Mullvad Austria, Vienna (IPv4+IPv6)
[Interface]
PrivateKey = G/l0ByrmwBphwxx//cn0GVk4PPPXGLQjiQxFii5262k=
Address = 10.64.85.207/32,fc00:bbbb:bbbb:bb01::1:55ce/128
DNS = 193.138.218.74
[Peer]
PublicKey = a/araeY/NU7Vl+UB2//pXTZv8RM1fZ/a/gt4zTksP14=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 86.107.21.50:51820

    ================Active===============
[Interface]
PrivateKey = GIK//yrmw8xhifjURcn9GVk4PPPXGLQjiQxFgg52111k=
[Peer]
PublicKey = hZpr/eYrgg7Vl+UB2NSpXT2vBRM1fZ/a/gt4ToksP14=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 86.107.21.50:51820

but you should see the PresharedKey = clause for your latest client (that needs it) displayed in the Active section

 

[Rajjco]

So i added

peer wg11 rule add vpn 192.168.1.161

to in wsm but wireguard is routing all my devices on my network.

I just want to route this ip through wireguard tunnel.

What did i do wrong?

nvm had to restart wireguard to apply rules policy.

 

[chongnt]

So i added

peer wg11 rule add vpn 192.168.1.161

to in wsm but wireguard is routing all my devices on my network.

I just want to route this ip through wireguard tunnel.

What did i do wrong?

Seems like you need to enable policy mode

E:Option ==> peer wg11 auto=P

GitHub - ZebMcKayhan/WireguardManager: Manage/Install WireGuard on applicable ASUS routers

Manage/Install WireGuard on applicable ASUS routers - ZebMcKayhan/WireguardManager

github.com

 

[Martineau]

From GitHub issue list:

 

[sfatula]

Well, it is the one and only supplied with the firmware. Latest source released from Wireguard team is 20220627. I've compiled it for AC86U and AX88U and as far as I know those are the only available ones.


Change wgm config file by typing vx in wgm menu. It will open config file in nano editor. Remove the # for this line:

# For Routers that include WireGuard Kernel/User Space tools, allow overriding with supported 3rd-Party/Entware versions
# Use command 'vx' to edit this setting.
#USE_ENTWARE_KERNEL_MODULE

then let wgm download the modules:

E:Option ==> getmodules

then load the updated modules into the kernel:

E:Option ==> loadmodules

If all goes well you should now be running on modules compiled from the latest available source code.

I got the exact same error as Ubimo. New RT-AX88u router, installed latest Merlin, set to default, installed amtm, used it to install flexqos then wg manager. Got his error. Used your suggestions, what it shows is this now:

Router RT-AX88U Firmware (v386.8_0)

    [✔] Entware Architecture arch=aarch64


    v4.18 WireGuard® Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/main/wg_manager.sh)
    MD5=1036fe1ca4df245cb50db0e069550da4 /jffs/addons/wireguard/wg_manager.sh

        v4.17.9 (wg_client)
        v4.17.1 (wg_server)

    [ℹ ] WireGuard® Kernel module/User Space Tools included in Firmware (1.0.20210124) but 3rd-Party modules installed...

    wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
    wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

    [✔] WireGuard® Module LOADED Fri Sep  9 23:55:06 CDT 2022

    MD5=70a85a1bed5f6313add595e2a95423c4 wireguard-kernel_1.0.20220627-RT-AX88U_aarch64-3.10.ipk
    MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

    [✔] DNSmasq is listening on ALL WireGuard® interfaces 'wg*'

    [✔] firewall-start is monitoring WireGuard® Firewall rules

    [✖] WAN KILL-Switch is DISABLED (use 'vx' command for info)
    [✖] UDP monitor is DISABLED

    [✔] Flow Cache is ENABLED

    [✖] IPv6 Service is DISABLED
    [ℹ ] IPv4,52.144.111.235,v1.1,,,See http://ip6.me/docs/ for api documentation

    [✔] Reverse Path Filtering ENABLED

    [✔]Use 3rd-party Entware/Userspace Tools modules is ALLOWED

    [✔] Use of 'Pg-Up' Key for command retrieval is ENABLED

    [✔] Statistics gathering is ENABLED

    [ℹ ] Speedtest link https://fast.com/en/gb/

    [ℹ ] IPv6 Test link https://ipv6-test.com/

    [ℹ ] WireGuard© Official Site https://www.wireguard.com/

    [ℹ ] @ZebMcKayhan's Hint's and Tips Guide https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#table-of-content

So, hopefully, all will be well though it seems very strange. On to setting it up!

Well.... This is so much different than just generic wireguard which has been simple to me. I have all sort of clients and a single server. Kind of lost on the terminology being used in this addon.

Essentially, I am behind CGNAT. I have a public server on the internet with wireguard. It has everything set up, a bunch of "clients" to it. I have currently an ubuntu machine at home, behind cgnat, that connects to the public server running wireguard. All my mobile devices, travel routers, and other machines connect to the public wireguard machine, and that machine sends all traffic destined for my home lan ips to the ubuntu machine on my home lan, which forwards all that traffic to my lan. I want to do the same, but replace my ubuntu machine with the ASUS router.

From what I can tell, wgm is setup to make configurations for all involved devices, I don't want that. It's all setup. All I want is to create the interface for ASUS device, with the already existing public server as it's peer, it already has it's own keys. So, that is the ASUS peer section endpoint, the public server. I don't want any traffic going there from the LAN except to the WG ip assigned to the public server. The other part is I need the Asus device to forward traffic sent to it to my LAN.

So, how do I accomplish this? Essentially, I want to duplicate what I have for my ubuntu configuration. In the end, the Asus wireguard config (assuming plain wireguard) would look like:

[Interface]
PrivateKey = notgonnashowit
Address = 192.168.10.6/32
DNS = 1.1.1.1,1.0.0.1
MTU = 1404
a bunch of PostUp and PostDown iptables rules

[Peer]
PublicKey = notgonnatellyou
AllowedIPs = 192.168.10.0/24
Endpoint = publicserverip:somepport
PersistentKeepalive = 25


I already have the keys, etc. for the public machine and all it's other clients and I don't want to redo it all. All clients not on my lan connect to the public server, and have access to my home lan even though it's behind CGNAT.

Or, maybe wgm, isn't really what I need anyway in this case. Maybe I can just use wireguard as I always use it on other machines.

 

[chongnt]

I got the exact same error as Ubimo. New RT-AX88u router, installed latest Merlin, set to default, installed amtm, used it to install flexqos then wg manager. Got his error. Used your suggestions, what it shows is this now:

Router RT-AX88U Firmware (v386.8_0)

    [✔] Entware Architecture arch=aarch64


    v4.18 WireGuard® Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/main/wg_manager.sh)
    MD5=1036fe1ca4df245cb50db0e069550da4 /jffs/addons/wireguard/wg_manager.sh

        v4.17.9 (wg_client)
        v4.17.1 (wg_server)

    [ℹ ] WireGuard® Kernel module/User Space Tools included in Firmware (1.0.20210124) but 3rd-Party modules installed...

    wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
    wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

    [✔] WireGuard® Module LOADED Fri Sep  9 23:55:06 CDT 2022

    MD5=70a85a1bed5f6313add595e2a95423c4 wireguard-kernel_1.0.20220627-RT-AX88U_aarch64-3.10.ipk
    MD5=3c3fef331578bcd20714a148b96257f8 wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk

    [✔] DNSmasq is listening on ALL WireGuard® interfaces 'wg*'

    [✔] firewall-start is monitoring WireGuard® Firewall rules

    [✖] WAN KILL-Switch is DISABLED (use 'vx' command for info)
    [✖] UDP monitor is DISABLED

    [✔] Flow Cache is ENABLED

    [✖] IPv6 Service is DISABLED
    [ℹ ] IPv4,52.144.111.235,v1.1,,,See http://ip6.me/docs/ for api documentation

    [✔] Reverse Path Filtering ENABLED

    [✔]Use 3rd-party Entware/Userspace Tools modules is ALLOWED

    [✔] Use of 'Pg-Up' Key for command retrieval is ENABLED

    [✔] Statistics gathering is ENABLED

    [ℹ ] Speedtest link https://fast.com/en/gb/

    [ℹ ] IPv6 Test link https://ipv6-test.com/

    [ℹ ] WireGuard© Official Site https://www.wireguard.com/

    [ℹ ] @ZebMcKayhan's Hint's and Tips Guide https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#table-of-content

So, hopefully, all will be well though it seems very strange. On to setting it up!

Well.... This is so much different than just generic wireguard which has been simple to me. I have all sort of clients and a single server. Kind of lost on the terminology being used in this addon.

Essentially, I am behind CGNAT. I have a public server on the internet with wireguard. It has everything set up, a bunch of "clients" to it. I have currently an ubuntu machine at home, behind cgnat, that connects to the public server running wireguard. All my mobile devices, travel routers, and other machines connect to the public wireguard machine, and that machine sends all traffic destined for my home lan ips to the ubuntu machine on my home lan, which forwards all that traffic to my lan. I want to do the same, but replace my ubuntu machine with the ASUS router.

From what I can tell, wgm is setup to make configurations for all involved devices, I don't want that. It's all setup. All I want is to create the interface for ASUS device, with the already existing public server as it's peer, it already has it's own keys. So, that is the ASUS peer section endpoint, the public server. I don't want any traffic going there from the LAN except to the WG ip assigned to the public server. The other part is I need the Asus device to forward traffic sent to it to my LAN.

So, how do I accomplish this? Essentially, I want to duplicate what I have for my ubuntu configuration. In the end, the Asus wireguard config (assuming plain wireguard) would look like:

[Interface]
PrivateKey = notgonnashowit
Address = 192.168.10.6/32
DNS = 1.1.1.1,1.0.0.1
MTU = 1404
a bunch of PostUp and PostDown iptables rules

[Peer]
PublicKey = notgonnatellyou
AllowedIPs = 192.168.10.0/24
Endpoint = publicserverip:somepport
PersistentKeepalive = 25


I already have the keys, etc. for the public machine and all it's other clients and I don't want to redo it all. All clients not on my lan connect to the public server, and have access to my home lan even though it's behind CGNAT.

Sounds like you want a wg “server” for remote dial in to home. But because of CGNAT, you connect to a public server which has a vpn tunnel to your home network. Is this the use case?

It seems like you can create wg “client” like most of us normally do to peer with wg provider “server”. Instead you will peer with your dedicated server. You can import your config file as wg11.

 E:Option ==> import filename name=wg11

Next to make sure all LAN devices do not go through this tunnel, you need to enable policy mode. The catch for policy mode is at least one rule is required. A dummy rule will do. Just make sure the ip is not assigned to any LAN devices and not in your DHCP range. For example,

 E:Option ==> peer wg11 rule add vpn 192.168.1.254 comment Dummy To VPN

I haven’t figured out on the return path to your public server for remote dial in devices. I suppose it can be done too.

By the way, @ZebMcKayhan documentation has some site to site writeup including cgnat scenario which probably can address this in a better way.

 

[sfatula]

By the way, @ZebMcKayhan documentation has some site to site writeup including cgnat scenario which probably can address this in a better way.

Yeah, I read it, his site to site is a different example though and I get lost in the many details and differences. I am guessing there is no issue simply using wg without wgm. opkg seems to have a wireguard package and even a wg-quick.

But yes, a dial home is correct. And it already works, just want to replace my wg gateway at home with asus at home.

 

[ZebMcKayhan]

All I want is to create the interface for ASUS device, with the already existing public server as it's peer, it already has it's own keys. So, that is the ASUS peer section endpoint, the public server.

Good question! I have been wondering this myself... you would definately need to setup a server so routes and firewall rules gets correct. I'm thinking maybe:

E:Option ==> peer import wg1.conf type=server

But your file includes both server and client so dont know if some copy/paste is needed (@Martineau ?)

Another option is ofcourse to use wg-quick but you will need to setup all firewall rules and auto start and restart yourself.

By the way, your modules seems loaded but not the Entware ones. Perhaps a reboot needed. Or maybee it could be that you dont have any active peers. Anyhow I think your good!

Edit: you should probably remove your old post/pre up/down commands from the file before the import as they are presumably for your Ubuntu machine and will not work on Asus router. If the import of server succeed there are no need for them.

The server import is also used for site2site so if your "device" have an endpoint WG will still attempt to connect to it.

An import type Server is needed as you dont want internet data through the tunnel, nor do you want any policy routing and you want to allow incoming connection to your LAN. The only difference from a typical wgm server is that your "device"(the internet server with public ip) has an endpoint and your router is behind cgnat. But as you import the server/device with an endpoint I believe it should work more or less out of the box.

 

[sfatula]

By the way, your modules seems loaded but not the Entware ones. Perhaps a reboot needed. Or maybee it could be that you dont have any active peers. Anyhow I think your good!

Edit: you should probably remove your old post/pre up/down commands from the file before the import as they are presumably for your Ubuntu machine and will not work on Asus router. If the import of server succeed there are no need for them.

The server import is also used for site2site so if your "device" have an endpoint WG will still attempt to connect to it.

An import type Server is needed as you dont want internet data through the tunnel, nor do you want any policy routing and you want to allow incoming connection to your LAN. The only difference from a typical wgm server is that your "device"(the internet server with public ip) has an endpoint and your router is behind cgnat. But as you import the server/device with an endpoint I believe it should work more or less out of the box.

Ok, so, added type=server as you noted, thanks. I connect and can ping the wireguard server on the internet via it's wg ip 192.168.10.4. From the wireguard "server", I can ping the asus via it's wireguard ip 192.168.10.6. But I cannot ping anything on the LAN. I suspect it has to do with this:

wgm start wg22

    Requesting WireGuard® VPN Peer start (wg22)

    wg_manager-serverwg22: Initialising WireGuard® VPN 'Server' Peer (wg22) on 192.168.10.6: (# N/A)
Invalid argument: fwmark
iptables v1.4.15: Port "-j" does not resolve to anything.

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.15: Port "-j" does not resolve to anything.

Try `iptables -h' or 'iptables --help' for more information.
    wg_manager-serverwg22: Initialisation complete.

Perhaps a reboot is in fact needed. Since it's apparently trying to setup some iptables rules and failing... So I rebooted the router. I have no iptables rules in the configuration I imported. Same result after a reboot. Can't get anywhere on my lan from the internet via the public wireguard server. Easily works if ubuntu is the client.

So, the question is why the iptables and fwmark errors? I suspect that is the key.

UPDATE: It still does the iptables error stuff, however, I can in fact connect to anything on my LAN behind CGNAT from outside the LAN, say a restaurant. The only thing I changed was uninstalling the script and reinstalling it. Used the same config, and it works. Something somewhere must have got messed up during attempts to make it work. I had deleted the config many times and re-imported it to no avail previously. I'll try and reboot at a later time (network busy right now) and see if it comes up and just works. I just did the wgm import myconfig.conf type=server, nothing else.

I presume like "regular" wireguard, if wan goes down, when it eventually comes back up, it will reconnect? And if I ever restart networking on the router or firewall, it will also come back up? Does anyone know?

 

[ZebMcKayhan]

Cool sounds like its working!

I presume like "regular" wireguard, if wan goes down, when it eventually comes back up,

Wireguard is connectionless so the peer will still remains active without wan, just not working. But yes, as soon as wan is reconnected it will work again.

And if I ever restart networking on the router or firewall, it will also come back up?

It shall, but for it to autostart at boot you may need:

E:Option ==> peer wg22 auto=Y

It still does the iptables error stuff,

Wgm adds the proper iptables rules needed for a typical server. Wireguard uses fwmark for routing reason. Cant see really which command that fails. Perhaps try to start wg22 with:

E:Option ==> start wg22 debug

to see which command that fails. If you post here, make sure to scrub out public ip, keys and such.

 

[sfatula]

It shall, but for it to autostart at boot you may need:

E:Option ==> peer wg22 auto=Y

Don't need Y, S is fine (and you note this in the site to site section of your doc). Rebooting router, wireguard came up, connection works. Thanks for all the tips. In the end, there was nothing much to do once installed properly except the import with type=server. The help pages don't really show (seems like) half the options and commands. So, gets a little confusing. Once you mentioned the key options, it became pretty simple and better than messing around with iptables rules, etc. with entware wireguard.