Wireguard Session Manager - Discussion (3rd) thread

[ZebMcKayhan]

The help pages don't really show (seems like) half the options and commands.

It gets better all the time but it is a sensitive balancing act between readability, ease of usage versus getting all info into working screen. Infact it may be that my guide is actually counter-productive in this sense.

This command is referenced to in wgm using peer help

This type=server option is also mentioned in my guide in "import client" and in "site 2 site" but not in server section. I might add it. I deliberately wrote my guide as a tutorial to aid users with most common setup. As this it may serve as command reference, but a poor one. Given that this format may not be best for Advanced users they are likely better equipped to understand and adjust accordingly. Not sure if I would change anything if I were to start fresh again.

Edit: I'm still alittle fuzzy on the type=device import. I know Wireguard dont need it but wgm seems to benefit somehow but it may only be cosmetic (like to provide a cosmetic name to your device peer). I'm not sure what you are actually importing and what type of .conf file that is required.
I'm myself behind cgnat and have limited possibilities to experiment with server peers and imports.

 

[sfatula]

It gets better all the time but it is a sensitive balancing act between readability, ease of usage versus getting all info into working screen. Infact it may be that my guide is actually counter-productive in this sense.

This type=server option is also mentioned in my guide in "import client" and in "site 2 site" but not in server section. I might add it. I deliberately wrote my guide as a tutorial to aid users with most common setup. As this it may serve as command reference, but a poor one. Given that this format may not be best for Advanced users they are likely better equipped to understand and adjust accordingly. Not sure if I would change anything if I were to start fresh again.

I'm myself behind cgnat and have limited possibilities to experiment with server peers and imports.

Yeah, I get it. Your guide serves it's purpose, it's a little counter productive for me but that's one guy. It's a lot of reading to extract different scenarios and options to commands!

I don't dislike cgnat at all really, I know a lot of people do. The provider using it here is way faster than the providers not using it here. It is what actually prompted me to get wireguard going, might not have done so otherwise. And with auto triggering it, it's just like I never left the house since it's all automatic. So much easier and secure than worrying about port forwarding, etc. Only downside is you need a public facing server. That was no issue as I simply used a free Oracle cloud server.

 

[ZebMcKayhan]

Only downside is you need a public facing server. That was no issue as I simply used a free Oracle cloud server

You don't need to pay for data amount going through the server? If not, maybee I should look into this myself...

 

[sfatula]

You don't need to pay for data amount going through the server? If not, maybee I should look into this myself...

That is correct, they have a free tier. As an example, I run emby at home for dvr and play them just fine on trips from resorts. It's linked via Wireguard, even did so from St Thomas and Mexico. Kind of a learning experience to set up, but once you do, just works day in and out.

 

[numminorih]

Edit: OK, try to execute this at the shell (not from wgm):

iptables -t nat -I POSTROUTING -s 10.50.1.1/24 -o wg11 -j MASQUERADE -m comment --comment "WireGuard 'client'"

this will allow wg21 clients to access out wg11 whenever the destination rules are matched. If it seems to fix your issue, put it to autostart with wg11:

nano /jffs/addons/wireguard/Scripts/wg11-up.sh

populate with:

#!/bin/sh
iptables -t nat -I POSTROUTING -s 10.50.1.1/24 -o wg11 -j MASQUERADE -m comment --comment "WireGuard 'client'"

Save & exit

Make the file executable:

chmod +x /jffs/addons/wireguard/Scripts/wg11-up.sh

Crossing my fingers that this is what you wanted and that it is working for you.

Dear ZebMcKayhan,

Unfortunately, I have to ask for your help again. After updating to the latest version (uf dev), the access of wg21 clients to wg11 rules stopped working

wg21 users from internet can connect to router, can access to lan and internet, but can't access to sites that in IPSet unblockip and wg11 rules (like 1 wg11 VPN Any 185.41.185.73)
From native LAN all is ok.

Router firmware - 386.7_2
WireGuard Mgr - v4.19b3
AdGuardHome - v1.5.7
wg_manager start/stop - no error

iptables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 6157 packets, 719K bytes)
pkts bytes target     prot opt in     out     source               destination
    9   492 MASQUERADE  all  --  *      wg11    192.168.0.0/24       0.0.0.0/0            /* WireGuard 'client' */
    0     0 MASQUERADE  all  --  *      wg11    10.50.1.0/24         0.0.0.0/0            /* WireGuard 'client wg21 to wg11' */
    1    60 MASQUERADE  all  --  *      br0     10.50.1.0/24         0.0.0.0/0            /* WireGuard 'server clients to LAN' */
26731 3911K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
25608 3831K MASQUERADE  all  --  *      eth0   !176.37.222.84        0.0.0.0/0
  514  155K MASQUERADE  all  --  *      br0     192.168.0.0/24       192.168.0.0/24

iptables -nvL FORWARD -t filter
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            224.0.0.0/4
233K   73M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2981  414K WGM_ACL_F  all  --  wg+    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard ACL */
    0     0 ACCEPT     all  --  br0    wg21    0.0.0.0/0            0.0.0.0/0            /* LAN to WireGuard 'server clients' */
  282 71673 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
80500 9833K OVPNSF     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
   57  3468 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
  260 10946 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
80183 9818K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
32446 4146K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
47737 5672K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
    0     0 DNSFILTER_DOT  tcp  --  br+    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853
    0     0 OVPNCF     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

E:Option ==> peer wg11


Client  Auto  IP                              Endpoint              DNS              MTU   Annotate
wg11    P     10.66.66.2/24,fd42:42:42::2/64  XXX:63665  8.8.8.8,8.8.4.4  1460  # N/A

        Selective Routing RPDB rules
ID  Peer  Interface  Source        Destination    Description
2   wg11  WAN        10.50.1.0/24  Any            wg21UseWan
1   wg11  VPN        Any           185.41.185.73
IPSet      Enable  Peer  FWMark  DST/SRC
unblockip  Y       wg11  0x1000  dst
     
        WireGuard® ACTIVE Peer Status: Clients 1, Servers 1

E:Option ==> peer wg21
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51830  # RT-AC86U Server #1
        Configuration rules for Peer wg21
PresharedKey = XXX
PresharedKey = XXX
PresharedKey = XXX
PresharedKey = XXX
PresharedKey = XXX

        WireGuard® ACTIVE Peer Status: Clients 1, Servers 1

 

[Martineau]

Dear ZebMcKayhan,

Unfortunately, I have to ask for your help again. After updating to the latest version (uf dev), the access of wg21 clients to wg11 rules stopped working

wg21 users from internet can connect to router, can access to lan and internet, but can't access to sites that in IPSet unblockip and wg11 rules (like 1 wg11 VPN Any 185.41.185.73)
From native LAN all is ok.

Router firmware - 386.7_2
WireGuard Mgr - v4.19b3
AdGuardHome - v1.5.7
wg_manager start/stop - no error

iptables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 6157 packets, 719K bytes)
pkts bytes target     prot opt in     out     source               destination
    9   492 MASQUERADE  all  --  *      wg11    192.168.0.0/24       0.0.0.0/0            /* WireGuard 'client' */
    0     0 MASQUERADE  all  --  *      wg11    10.50.1.0/24         0.0.0.0/0            /* WireGuard 'client wg21 to wg11' */
    1    60 MASQUERADE  all  --  *      br0     10.50.1.0/24         0.0.0.0/0            /* WireGuard 'server clients to LAN' */
26731 3911K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
25608 3831K MASQUERADE  all  --  *      eth0   !176.37.222.84        0.0.0.0/0
  514  155K MASQUERADE  all  --  *      br0     192.168.0.0/24       192.168.0.0/24

iptables -nvL FORWARD -t filter
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            224.0.0.0/4
233K   73M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2981  414K WGM_ACL_F  all  --  wg+    *       0.0.0.0/0            0.0.0.0/0            /* Wireguard ACL */
    0     0 ACCEPT     all  --  br0    wg21    0.0.0.0/0            0.0.0.0/0            /* LAN to WireGuard 'server clients' */
  282 71673 ACCEPT     all  --  wg21   *       0.0.0.0/0            0.0.0.0/0            /* WireGuard 'server' */
80500 9833K OVPNSF     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
   57  3468 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
  260 10946 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
80183 9818K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
32446 4146K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
47737 5672K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
    0     0 DNSFILTER_DOT  tcp  --  br+    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:853
    0     0 OVPNCF     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

E:Option ==> peer wg11


Client  Auto  IP                              Endpoint              DNS              MTU   Annotate
wg11    P     10.66.66.2/24,fd42:42:42::2/64  XXX:63665  8.8.8.8,8.8.4.4  1460  # N/A

        Selective Routing RPDB rules
ID  Peer  Interface  Source        Destination    Description
2   wg11  WAN        10.50.1.0/24  Any            wg21UseWan
1   wg11  VPN        Any           185.41.185.73
IPSet      Enable  Peer  FWMark  DST/SRC
unblockip  Y       wg11  0x1000  dst
 
        WireGuard® ACTIVE Peer Status: Clients 1, Servers 1

E:Option ==> peer wg21
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51830  # RT-AC86U Server #1
        Configuration rules for Peer wg21
PresharedKey = XXX
PresharedKey = XXX
PresharedKey = XXX
PresharedKey = XXX
PresharedKey = XXX

        WireGuard® ACTIVE Peer Status: Clients 1, Servers 1

So the previous wg_manager version...whatever that was....did work, but the latest wg_manager version now doesn't?

What does the following command show?

ip rule

 

[ZebMcKayhan]

can't access to sites that in IPSet unblockip and wg11 rules (like 1 wg11 VPN Any 185.41.185.73)
From native LAN all is ok.

Well, Your rule 2 states wg21 ip should go to wan. Last time I checked ip rules have higher priority then ipset package marks so you might have bypassed your ipset when putting in this rule.

It is not needed anyway since you dont have any other rule covering these ip. If no rules match it will go go wan.

Try to remove it:

E:Option ==> peer wg11 rule del 2

And I think it should work again. More strange that it worked before... maybee priority numbers changed in wgm if you were on an older version.

 

[numminorih]

So the previous wg_manager version...whatever that was....did work, but the latest wg_manager version now doesn't?

yes, but unfortunately, I don't remember version

ip rule

ip rule
0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
9910:   from 10.50.1.0/24 lookup main
9911:   from all to 185.41.185.73 lookup 121
9991:   from all fwmark 0x1000/0x1000 lookup 121
32766:  from all lookup main
32767:  from all lookup default

 

[numminorih]

Try to remove it:

E:Option ==> peer wg11 rule del 2

Yes, it worked, thank you!

 

[numminorih]

one more question, please advise, how can I change dns settings for existing clients wg21 to 192.168.0.1

E:Option ==> peer


        Peers (Auto start: Auto=P - Policy, Auto=S - Site-to-Site)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51830  # RT-AC86U Server #1


Client  Auto  IP                              Endpoint              DNS              MTU   Annotate
wg11    P     10.66.66.2/24,fd42:42:42::2/64  XXXXXXX:63665  8.8.8.8,8.8.4.4  1460  # N/A


        Peers (Auto=X - External i.e. Cell/Mobile/Site)
Device     Auto  IP            DNS           Allowed IPs  Annotate
SGTchip    X     10.50.1.2/32  192.168.0.10  0.0.0.0/0    # 1 "Device"
iochip     X     10.50.1.3/32  192.168.0.10  0.0.0.0/0    # 2 "Device"
pixelchip  X     10.50.1.4/32  192.168.0.10  0.0.0.0/0    # 3 "Device"
motolenka  X     10.50.1.5/32  192.168.0.10  0.0.0.0/0    # 4 "Device"
SGTlenka   X     10.50.1.6/32  192.168.0.10  0.0.0.0/0    # 5 "Device"

peer wg21 dns=192.168.0.1 doesn't work.

Thank you

 

[ZebMcKayhan]

peer wg21 dns=192.168.0.1 doesn't work

Peer wg21 dns was determined when you created the device peers. You had the option during creation.

But you could always add something in DNSfilter (if you use it) to redirect it or do it manually using iptables (there are some examples in my guide but maybe scattered abit). Let me know how you want to play it and I will try to help/assist you.

Still the best way is to re-create or edit your device config files.

 

[numminorih]

Peer wg21 dns was determined when you created the device peers. You had the option during creation.

But you could always add something in DNSfilter (if you use it) to redirect it or do it manually using iptables (there are some examples in my guide but maybe scattered abit). Let me know how you want to play it and I will try to help/assist you.

Still the best way is to re-create or edit your device config files.

I've tried, already, change DNS in ( nano /mnt/sda1/entware/etc/wireguard.d/1.conf ), but this had no affect, and in wg I still see SGTchip X 10.50.1.2/32 192.168.0.10 0.0.0.0/0 # 1 "Device"

At this moment, I have changed already setting directly on devices, but my questing was about changing in wg_manager

 

[ZebMcKayhan]

At this moment, I have changed already setting directly on devices, but my questing was about changing in wg_manager

That wont really change anything, I guess it is from wgm sql database.

Try

E:Option ==> peer 1 dns=8.8.8.8

If that dont work you will have to edit the sql file.

As far as I know wgm does not have any active dns management for server clients so they are free to use any but will normally use what is imported with wireguard .conf. as you have already changed this on the clients (imported new configs) then the rest would be only cosmetic.

 

[Stingray123]

I'm still using wgm v4.12b, I haven't wanted to mess with it because it's been very stable for me. I just noticed with newer versions there is also a WebUI and I'd like to check that out. I'm using an AC86u running 386.3_2. If it matters, what is the recommended Merlin FW to use with wgm v4.19b3?

 

[ZebMcKayhan]

I'm still using wgm v4.12b, I haven't wanted to mess with it because it's been very stable for me. I just noticed with newer versions there is also a WebUI and I'd like to check that out. I'm using an AC86u running 386.3_2. If it matters, what is the recommended Merlin FW to use with wgm v4.19b3?

I dont think it matters with regards to WGM.
However if you are using ipv6 I would recommend 386.7 since it included ipv6 dnat. But if you are ipv4 only and 386.3_2 works for you, wgm would not benefit from updated firmware.
Why don't you try and see for yourself.

 

[Stingray123]

@Martineau

Long story short, my USB drive died so I decided to update everything. My AC86U is now running 386.7_2 and I installed v4.19b3. During the wgm install, I got the same errors as Ubimo. Also the WebUI looks exactly the same as evlo had, it's showing v1.03, the wireguard version boxes are empty and nothing is clickable.

I tried reformatting the jffs and USB drive and reinstalling, but still had the same results. wgm is the only add-on I use and I don't do anything fancy with it, just as a basic client to another VPN server.

EDIT - I did get a peer client working, so I guess the install errors won't make a difference for me.

wg_manager-serverwg21: Initialising WireGuard® VPN 'Server' Peer (wg21) on 10.50.1.1:51820 (# RT-AC86U Server #1)
RTNETLINK answers: Operation not supported
Unable to modify interface: Protocol not supported
Unable to modify interface: Protocol not supported
Cannot find device "wg21"

***ERROR Initialisation ABORTED - 'wg setconf wg21 /tmp/wg21.27321 (/opt/etc/wireguard.d/wg21.conf)' FAILED

evlo said:
should web ui work? For me clicking anything apart from import config does not do anything, also version etc is not even filled
this is how it looks for me

 

[Martineau]

@Martineau

Long story short, my USB drive died so I decided to update everything. My AC86U is now running 386.7_2 and I installed v4.19b3. During the wgm install, I got the same errors as Ubimo. Also the WebUI looks exactly the same as evlo had, it's showing v1.03, the wireguard version boxes are empty and nothing is clickable.

EDIT - I did get a peer client working, so I guess the install errors won't make a difference for me.

Yes the install error is for the 'server' Peer wg21 but on reboot it should initialise correctly; and you are correct, it doesn't impact the 'client' Peers.

For what it's worth, I have tried to HOTFIX v4.18 (no version number change - you will simply see 20-Sep-2022 in the script header), so hopefully the annoying initial install error should go away for future installs!

As for the GUI, you should be able to switch from v1.03 to v1.04.....

e  = Exit Script [?]

E:Option ==> uf

then FORCE refresh the GUI manually

e  = Exit Script [?]

E:Option ==> www refreshX

    WebUI page 'user1.asp' ('wg_manager.asp') unmounted
    WebUI page ('wg_manager.asp') mounted as 'user1.asp'
    [✔] Restarted service_httpd for WebUI

If all else fails a reboot usually magically works!

 

[Stingray123]

As for the GUI, you should be able to switch from v1.03 to v1.04.....

[CODE]e  = Exit Script [?]

E:Option ==> uf

then FORCE refresh the GUI manually

e  = Exit Script [?]

E:Option ==> www refreshX

    WebUI page 'user1.asp' ('wg_manager.asp') unmounted
    WebUI page ('wg_manager.asp') mounted as 'user1.asp'
    [✔] Restarted service_httpd for WebUI

If all else fails a reboot usually magically works!

Thanks for the info! During my first install I tried the www refreshX (and reboots) but it didn't work. I just tried that refresh again now and that did the trick. Don't know what changed but I'll take it, lol

Regarding changing 1.03 to 1.04, I am using v4.19b3 from 2 days ago. Is uf still the command I want to use or uf dev?

 

[Martineau]

Thanks for the info! During my first install I tried the www refreshX (and reboots) but it didn't work. I just tried that refresh again now and that did the trick. Don't know what changed but I'll take it, lol

Regarding changing 1.03 to 1.04, I am using v4.19b3 from 2 days ago. Is uf still the command I want to use or uf dev?

There are additional (usually minor) bug fixes in the dev version that I haven't yet propagated to the main stable branch, so I'd recommend using

[CODE]e  = Exit Script [?]

E:Option ==> uf dev

 

[dony71]

guys,
how to update wireguard session manager under amtm?
i try press option wg and press 1, but still not updated