Wireguard Session Manager - Discussion (3rd) thread

1-I didn't set up any MTU size for wg, what size do you suggest?
1412

2-Is it safe to change IPv4 DNS and IPv6 DNS? (Is it going to decrease security?)
Can't answer that; it depends on what you do and what security means to you.

3-Between these topics, which one works with ULA (default route) for making some routes?
a-Using Yazfi and WGM to route different SSIDs to different VPNs
- This is to set up YazFi to route the IPv4 guest network out to the WG VPN; no IPv6 info here.
b-Setup Yazfi for IPv6 subnet to route out wg vpn
- This is to set up IPv6 for the guest network to co-operate with YazFi IPv4 so your guest networks become dual-stack (works with ULA).
c-Setup a reverse policy based routing
- Has never been tested for IPv6 but should work with some modifications. But the main problem with policy routes for IPv6 is SLAAC and changing IPs. Not sure it is the best idea to use this for IPv6, but if you want to give it a try I could try to adjust the scripts to work with IPv6 so you could try it.
d-Setup Transmission and/or Unbound to use WG Client
- Only Unbound has been tested and confirmed working for IPv6. I abandoned Transmission on the router some time ago and moved to a separate NAS. Don't even know if Transmission uses IPv6.
e-Setup Transmission and/or Unbound to use WG Client (alternative way)
- I have only added IPv4 in the text, but it is possible for IPv6, though a bit tricky (as @archiel found out, it could interfere with IPv6 WAN so timing must be good). Try the normal way first.

4-Can I use <dual wan load balancer> with wg? Is it stable for mining?
I have no idea. Why don't you test?

5-Can I use <dual wan load balancer> with ULA?
Well, not ULA; you need to modify ULA to fake GUA (fd --> aa). But for dual WAN, don't know.

6-Can I use <dual wan load balancer routing wans with ips> with ULA?
Don't understand this one.

Edit: It should maybe be mentioned that if you run dual-WAN for speed reasons (WAN > 1Gb) then WireGuard might be a bad choice to run on the router, as your speed will be limited to 400-600 Mb/s. But if you run it for redundancy reasons with lower speeds it seems more proper. But I still have no idea about how the load balancer works, so don't know if it will conflict with or impact WireGuard.
 
Hi,

I saw the section below in wg_manager.sh and I was wondering how RPDB rule 220 can be interpreted.
In my setup I have a rule of this kind.
I did a little search without success.

wg_manager.sh:
Code:
Rogue RPDB rule 220 FOUND
 if [ "$ANS" == "y" ];then
        ip rule del prio 220
        ip -6 rule del prio 220
        clear
    else
        exit 99
    fi

my setup:
Code:
/tmp/home/root#:ip -6 rule | grep -E "^220:"
0:    from all lookup local
220:    from all lookup 220
32766:    from all lookup main

Could you please help?
Thanks,
amplatfus
 
I just noticed that the TrimDB cronjob references "/jffs/addons/wireguard/wireguard_manager.sh" rather than presumably "wg_manager.sh".
Whoops! :oops: - many thanks.

I've uploaded wireguard_manager Beta v4.17b2

To upgrade/test use:
Code:
e  = Exit Script [?]

E:Option ==> uf dev
then you should now be able to issue trimdb cron 99 to apply the patch, otherwise the patch will be applied when wireguard_manager is initialized at the next boot.

If a reboot isn't convenient, you can manually issue the trimdb command to action the tidy-up without waiting for the next cron invocation.
Code:
e  = Exit Script [?]

E:Option ==> trimdb 99


In addition to the specific trimdb cron fix, there are several other minor feature changes, and like most of my Betas, things can (and do frequently) break and Beta v4.17b2 includes one fundamental change in operation that is worthy of a detailed explanation.

  • CHANGE: WireGuard® now determines/sets the 'client' Peer MTU rather than being explicitly set to 1420.

i.e. Running a debug, shows that wireguard_manager Beta v17b2 no longer explicitly executes ifconfig mtu 1420 for wg11; but explicitly issues ifconfig mtu 1292 for wg14 because TorGuard includes MTU = 1292 in its generated imported profile.

Code:
e  = Exit Script [?]

E:Option ==> start wg11 debug

[#] iptables -t nat -N WGDNS1
[#] ip link set up dev wg11
[ ] Auto MTU:1420 determined by WireGuard®
[#] ifconfig wg11 txqueuelen 1000
<snip>
Code:
e  = Exit Script [?]

E:Option ==> start wg13 debug

[#] iptables -t nat -N WGDNS4
[#] ip link set up dev wg14
[#] ifconfig wg14 mtu 1292
[#] ifconfig wg14 txqueuelen 1000
<snip>
Now this probably shouldn't break anything (default 1420 is still applied), but may assist those with PPPoE/IPv6 connections where 1420 is inappropriate.

e.g. The default 1420 works fine for my Mullvad connections
Code:
E:Option ==> peer

    Peers (Auto start: Auto=P - Policy, Auto=S - Site-to-Site)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51820  # RT-AX58U Server 1
wg22    N     10.50.2.1/24  11502  # RT-AX58U Server 2
wg23    N     10.50.3.1/24  11503  # RT-AX58U Server 3

Client  Auto  IP                                                Endpoint              DNS             MTU   Annotate
wg11    N     10.65.232.232/32,fc00:bbbb:bbbb:bb01::2:e8e7/128  89.45.90.54:51820     193.138.218.74  Auto  # Mullvad USA, Los Angeles
wg12    N     10.65.232.232/32,fc00:bbbb:bbbb:bb01::2:e8e7/128  86.106.143.93:51820   193.138.218.74  Auto  # Mullvad USA, New York
wg13    N     10.65.232.232/32,fc00:bbbb:bbbb:bb01::2:e8e7/128  194.110.113.83:51820  193.138.218.74  1440  # Mullvad France, Paris
wg14    N     10.13.55.61/24                                    146.70.51.98:1443     1.1.1.1         1292  # TorGuard USA, Miami
wg15    N     10.64.85.207/32,fc00:bbbb:bbbb:bb01::1:55ce/128   86.107.21.50:51820    193.138.218.74  Auto  # Mullvad Austria, Vienna (IPv4+IPv6)
wg16    N     10.65.232.232/32,fc00:bbbb:bbbb:bb01::2:e8e7/128  89.44.10.178:51820    193.138.218.74        # Mullvad Oz, Sydney
and in a pure FTTH IPv4 environment I can increase this manually to 1440 and it still works - see wg13 although not sure of tangible performance increase.

So it will be interesting to see if WireGuard® can indeed actually intelligently determine the optimal MTU in, say, dual-stack environments, e.g. 1432/1412/1280, or if I may need to modify wireguard_manager to intelligently compute (and explicitly apply) an appropriate MTU.

@ZebMcKayhan - For your environment, did you intuitively know that you must override MTU 1420 with 1412?
 
Hi,

I saw the section below in wg_manager.sh and I was wondering how RPDB rule 220 can be interpreted.
In my setup I have a rule of this kind.
I did a little search without success.

wg_manager.sh:
Code:
Rogue RPDB rule 220 FOUND
if [ "$ANS" == "y" ];then
        ip rule del prio 220
        ip -6 rule del prio 220
        clear
    else
        exit 99
    fi

my setup:
Code:
/tmp/home/root#:ip -6 rule | grep -E "^220:"
0:    from all lookup local
220:    from all lookup 220
32766:    from all lookup main

Could you please help?
Thanks,
amplatfus
I previously asked if anyone else had/has the rogue RPDB 220: from all lookup 220 rule(s)...

So something (as yet unidentified) is creating the rule(s), so I assumed it was most likely only within my environment, but clearly it wasn't compatible with wireguard_manager, so I unilaterally hacked its removal if found.

P.S. If you legitimately need the RPDB rule as-is, or, more importantly, you have found that it is my manky script at fault, then please advise.
 
@ZebMcKayhan - For your environment, did you intuitively know that you must override MTU 1420 with 1412?
Uuh, not really.... it was something I read like 1,5 years ago. I guess it comes from 1420-8. It has just always worked for me.

I've never seen any Performance gain/loss when changing this but then I'm only on a 100/100 line...
 
Uuh, not really.... it was something I read like 1,5 years ago. I guess it comes from 1420-8. It has just always worked for me.
OK thanks.

I was going to assume it was derived as follows:
  • If WAN Fibre MTU 1500 then 1440 (-60) for IPv4 and 1420 (-80) for IPv6
  • If WAN PPPoE MTU 1492 then 1432 (-60) for IPv4 and 1412 (-80) for IPv6
 
So something (as yet unidentified) is creating the rule(s), so I assumed it was most likely only within my environment, but clearly it wasn't compatible with wireguard_manager, so I unilaterally hacked its removal if found.
What is the content of routing table 220? Perhaps it could give some clue of what is putting the rule there?

Code:
ip route show table 220
ip -6 route show table 220
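As an added example (not part of wireguard_manager or this thread), the helper below works out which table a priority-220 rule looks up, including the case where /etc/iproute2/rt_tables has given table 220 a name such as wgs2, which a plain grep for "lookup 220" would miss. The rule listing and rt_tables content are constructed samples modelled on the listings in this thread.

```shell
#!/bin/sh
# Added example, not wireguard_manager's own code: inspect what a priority-220 RPDB rule
# points at, resolving table names through rt_tables, and delete it only if it exists.

# Constructed sample of 'ip -6 rule' output (one renamed table, one fwmark rule).
SAMPLE_RULES='0:      from all lookup local
220:    from all lookup wgs2
9820:   from all fwmark 0xdc lookup 220
32766:  from all lookup main'

# Constructed sample /etc/iproute2/rt_tables with tables 210/220 renamed to wgs1/wgs2.
SAMPLE_RT_TABLES='#
# reserved values
#
255     local
254     main
253     default
0       unspec
210     wgs1
220     wgs2'

# Print the table looked up by every rule with priority $1 (rule listing on stdin).
# Usage: ip -6 rule | rules_at_prio 220
rules_at_prio() {
    awk -v p="$1:" '$1 == p { for (i = 1; i <= NF; i++) if ($i == "lookup") print $(i + 1) }'
}

# Resolve a table name to its number via rt_tables text on stdin; numeric ids pass through.
table_id() {
    case "$1" in
        *[!0-9]*) awk -v n="$1" '$1 !~ /^#/ && $2 == n { print $1 }' ;;
        *)        echo "$1" ;;
    esac
}

# For every rule at priority $1 print "prio table-name table-id", resolving names via the
# rt_tables content passed as $2. Unknown names get id '?'. Rule listing on stdin.
prio_rule_tables() {
    prio="$1"; rt="$2"
    rules_at_prio "$prio" | while read -r tbl; do
        id=$(printf '%s\n' "$rt" | table_id "$tbl")
        echo "$prio $tbl ${id:-?}"
    done
}

# Delete the priority-$2 rule of family $1 only when it exists, so an absent rule does not
# produce the 'RTNETLINK answers: No such file or directory' seen above. Needs root; not run here.
del_prio_rule_if_present() {
    if ip -"$1" rule | rules_at_prio "$2" | grep -q .; then
        ip -"$1" rule del prio "$2"
    fi
}

echo "Rules at priority 220 (sample data):"
printf '%s\n' "$SAMPLE_RULES" | prio_rule_tables 220 "$SAMPLE_RT_TABLES"
echo "Then inspect the table itself: ip route show table 220 ; ip -6 route show table 220"
```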
 
I just updated from v4.15b9. I can see the handshake is on-going with the VPN provider, suggesting the peering is up. However, I cannot ping through it. Any idea what could be the cause?
Code:
ping -c1 -w1 -I wg11 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Required key not available
 
I just updated from v4.15b9.
Updated to which wireguard_manager version? i.e. v4.16 or v4.17b2

Did you migrate the .conf files to the wg-quick format?
Code:
e  = Exit Script [?]

E:Option ==> formatwg-quick

    Checking Peer Config for conversion to wg-quick format:


I can see handshake is on-going with VPN provider suggesting the peering is up. However, I cannot ping through it. Any idea what could be the cause?
Code:
ping -c1 -w1 -I wg11 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Required key not available
I would restart wg11, then re-check (I'm using wg14)
Code:
ip r get 8.8.8.8

8.8.8.8 dev wg14 src 10.13.55.61
    cache
Code:
ping -c1 -w1 -I wg14 8.8.8.8

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=119 time=189.577 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 189.577/189.577/189.577 ms
Code:
curl --connect-timeout 5 --interface wg14 "http://ipecho.net/plain"

nnn.70.5n.n8
 
Updated to which wireguard_manager version? i.e. v4.16 or v4.17b2

Did you migrate the .conf files to the wg-quick format?
Code:
e  = Exit Script [?]

E:Option ==> formatwg-quick

    Checking Peer Config for conversion to wg-quick format:



I would restart wg11, then re-check (I'm using wg14)
Code:
ip r get 8.8.8.8

8.8.8.8 dev wg14 src 10.13.55.61
    cache
Code:
ping -c1 -w1 -I wg14 8.8.8.8

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=119 time=189.577 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 189.577/189.577/189.577 ms
Code:
curl --connect-timeout 5 --interface wg14 "http://ipecho.net/plain"

nnn.70.5n.n8
I tried both versions. I missed the step to migrate the config file.
I have uninstalled and tried to reinstall wg. Now I cannot get past option 1.

Update: I copied the backup copy over and now I can start wgm v4.17b2. Earlier I had manually removed the hash key in the wg config file.

Code:
admin@RT-AC86U-DBA8:/jffs/addons/wireguard# wg show wg12
interface: wg12
  public key: <<key>>
  private key: (hidden)
  listening port: 44740

peer: <<key>>
  endpoint: xxxx:51820
  allowed ips: (none)
  latest handshake: 16 seconds ago
  transfer: 92 B received, 180 B sent
  persistent keepalive: every 25 seconds

admin@RT-AC86U-DBA8:/jffs/addons/wireguard# ip r get 8.8.8.8
8.8.8.8 via <<WAN GW>> dev ppp0 src <<WAN IP>>
    cache
admin@RT-AC86U-DBA8:/jffs/addons/wireguard# ping -c1 -w1 -I wg12 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Required key not available
admin@RT-AC86U-DBA8:/jffs/addons/wireguard#

Now I see some difference: in wg show wg12, allowed ips is none. But in wg12.conf, I have
AllowedIPs = 0.0.0.0/0 # ALL Traffic

I think it is working now, after removing the # ALL Traffic in the AllowedIPs field.
AllowedIPs = 0.0.0.0/0
 
I tried both versions. I missed the step to migrate the config file.
I have uninstalled and tried to reinstall wg. Now I cannot get past option 1.

Code:
admin@RT-AC86U-DBA8:/tmp/home/root# wgm

(wg_manager.sh): 903 DEBUG= *********************************WTF!? Rogue RPDB rule 220 FOUND?????!!!!!*******************************

        IPv6 RPDB

0:      from all lookup local
220:    from all lookup wgs2
32766:  from all lookup main

        IPv6 Route Table wgs2


        Press y to Delete rogue RPDB PRIO 220 rules or press [Enter] to SKIP.
y
RTNETLINK answers: No such file or directory

+======================================================================+
|  Welcome to the WireGuard Manager/Installer script (Asuswrt-Merlin)  |
|                                                                      |
|                      Version v4.16 by Martineau                      |
|                                                                      |
| Requirements: HND or AX router with Kernel 4.1.xx or later           |
|                         e.g. RT-AC86U or RT-AX86U etc.               |
|                                                                      |
|               USB drive with Entware installed                       |
|                                                                      |
|   1 = Install WireGuard                                              |
|       o1. Enable firewall-start protection for Firewall rules        |
|       o2. Enable DNS                                                 |
|                                                                      |
|                                                                      |
+======================================================================+

        WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1  = Begin WireGuard Installation Process

e  = Exit Script [?]

E:Option ==> 1

        [✔] WireGuard Kernel module/User Space Tools included in Firmware RT-AC86U (v386.5_2) (1.0.20210124)

                WireGuard exists in firmware       - use 'vx' command to override with 3rd-Party/Entware (if available)
                User Space tool exists in firmware - use 'vx' command to override with 3rd-Party/Entware (if available)


        [✔] WireGuard Kernel module/User Space Tools included in Firmware (1.0.20210124)


        No WireGuard VPN Peers ACTIVE for Termination request


        Initialising WireGuard Kernel module '/lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko'
        wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
        wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.



        WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1  = Begin WireGuard Installation Process

e  = Exit Script [?]

E:Option ==>
Hmmm,....presumably you have a customised '/etc/iproute2/rt_tables' ?
Code:
220:    from all lookup wgs2

I would uninstall, and ensure that directories '/jffs/addons/wireguard/' and '/opt/etc/wireguard.d/' do not exist.
(You can rename '/opt/etc/wireguard.d/' if you wish to preserve its content)

Then start the wireguard_manager download (either via amtm; i; wg or using the curl command from the Github page) to create '/jffs/addons/wireguard/wg_manager.sh'

At the prompt do not answer '1'; instead reply 'debug'.

Code:
+======================================================================+
|  Welcome to the WireGuard Manager/Installer script (Asuswrt-Merlin)  |
|                                                                      |
|                      Version v4.16 by Martineau                      |
|                                                                      |
| Requirements: HND or AX router with Kernel 4.1.xx or later           |
|                         e.g. RT-AC86U or RT-AX86U etc.               |
|                                                                      |
|               USB drive with Entware installed                       |
|                                                                      |
|   1 = Install WireGuard                                              |
|       o1. Enable firewall-start protection for Firewall rules        |
|       o2. Enable DNS                                                 |
|                                                                      |
|                                                                      |
+======================================================================+

     WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1  = Begin WireGuard Installation Process                       

e  = Exit Script [?]

E:Option ==> debug
then reply '1' to commence the actual install
Code:
     WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1  = Begin WireGuard Installation Process                       

e  = Exit Script [?]

E:Debug mode enabledOption ==> 1
Hopefully the debug/trace will show if/how the installation stalls.
 
Hmmm,....presumably you have a customised '/etc/iproute2/rt_tables' ?
Code:
220:    from all lookup wgs2

Ahh, now I remember. Originally I had tables 210 and 220. And I renamed them in the file to wgs1 and wgs2. Let me try to remove these.
 
E:Debug mode enabledOption ==> 1
Hopefully the debug/trace will show if/how the installation stalls.
When I replaced it with the old copy I could start wg. Now that I have uninstalled and reinstalled I still have the issue. Here are the logs:

Update: I got it now. It is the custom cronjob with wireguard naming in the post-mount scripts. After temporarily removing those the installation can proceed. Thanks a lot @Martineau
Code:
_____________________________________________

Enter option  wg
_____________________________________________

This installs WireGuard Session Manager
on your router.

Author: Martineau
https://www.snbforums.com/forums/asuswrt-merlin-addons.60/?prefix_id=32&starter_id=13215

Contributors: odkrys, Torson, ZebMcKayhan, jobhax, elorimer
Sh0cker54, here1310, defung, The Chief
_____________________________________________

Continue? [1=Yes e=Exit] 1


        Creating 'wg_manager' alias for 'wg_manager.sh'

(wg_manager.sh): 29218 DEBUG= *********************************WTF!? Rogue RPDB rule 220 FOUND?????!!!!!*******************************

        IPv6 RPDB

0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main

        IPv6 Route Table 220


        Press y to Delete rogue RPDB PRIO 220 rules or press [Enter] to SKIP.
y
RTNETLINK answers: No such file or directory

+======================================================================+
|  Welcome to the WireGuard Manager/Installer script (Asuswrt-Merlin)  |
|                                                                      |
|                      Version v4.16 by Martineau                      |
|                                                                      |
| Requirements: HND or AX router with Kernel 4.1.xx or later           |
|                         e.g. RT-AC86U or RT-AX86U etc.               |
|                                                                      |
|               USB drive with Entware installed                       |
|                                                                      |
|   1 = Install WireGuard                                              |
|       o1. Enable firewall-start protection for Firewall rules        |
|       o2. Enable DNS                                                 |
|                                                                      |
|                                                                      |
+======================================================================+

        WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1  = Begin WireGuard Installation Process

e  = Exit Script [?]

E:Option ==> debug

        WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1  = Begin WireGuard Installation Process

e  = Exit Script [?]

E:Debug mode enabledOption ==> 1
+ printf %s 1
+ sed s/^[ \t]*//;s/[ \t]*$//
+ menu1=1
+ Validate_User_Choice 1
+ local menu1=1
+ [ Y == Y ]
+ ls /jffs/addons/wireguard/*.ipk
+ [ -z  ]
+ echo 1
+ awk {print $2}
+ menu1=install
+ echo install
+ menu1=install
+ Process_User_Choice install
+ local menu1=install
+ grep -i WireGuard /jffs/scripts/post-mount
+ [ -z cru a wgc_summary_log "2,32 * * * * /jffs/addons/wireguard/Scripts/custom/WGVPNC_summary.sh"
cru a wgc_watchdog "* * * * * /jffs/addons/wireguard/Scripts/custom/wgc_watchdog.sh"
#cru a wgc_watchdog "* * * * * for i in 0 1 2; do /jffs/addons/wireguard/Scripts/custom/wgc_watchdog.sh & sleep 15; done; /jffs/addons/wireguard/Scripts/custom/wgc_watchdog.sh" ]
+ Download_Modules RT-AC86U
+ local ROUTER=RT-AC86U
+ local FROM_REPOSITORY=
+ [ -z  ]
+ local FROM_REPOSITORY=main
+ local REPOSITORY_OWNER=odkrys
+ local USE_ENTWARE_KERNEL_MODULE=N
+ [ -f /jffs/addons/wireguard/WireguardVPN.conf ]
+ [ N == Y ]
+ curl -sfL https://api.github.com/repos/odkrys/entware-makefile-for-merlin/git/trees/main
+ grep "path": "wireguard-.*\.ipk",
+ cut -d" -f 4
+ local WEBFILE_NAMES=wireguard-kernel_1.0.20210219-k27_1_aarch64-3.10.ipk
wireguard-kernel_1.0.20210219-k51_1_aarch64-3.10.ipk
wireguard-kernel_1.0.20210219-k52_1_aarch64-3.10.ipk
wireguard-tools_1.0.20210315-1_aarch64-3.10.ipk
+ [ ! -f /usr/sbin/wg ]
+ [ N == Y ]
+ modprobe --show-depends+ awk {print $2}
wireguard
+ local FPATH=/lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko
+ strings /lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko
+ cut -d= -f2
+ grep ^version
+ local FVERSION=1.0.20210124
+ echo -e \n\t[✔] WireGuard Kernel module/User Space Tools included in Firmware RT-AC86U (v386.5_2) (1.0.20210124)\n

        [✔] WireGuard Kernel module/User Space Tools included in Firmware RT-AC86U (v386.5_2) (1.0.20210124)

+ echo -e \a\t\tWireGuard exists in firmware       - use 'vx' command to override with 3rd-Party/Entware (if available)
                WireGuard exists in firmware       - use 'vx' command to override with 3rd-Party/Entware (if available)
+ [ ! -f /usr/sbin/wg ]
+ [ N == Y ]
+ echo -e \a\t\tUser Space tool exists in firmware - use 'vx' command to override with 3rd-Party/Entware (if available)\n
                User Space tool exists in firmware - use 'vx' command to override with 3rd-Party/Entware (if available)

+ Load_UserspaceTool
+ local USE_ENTWARE_KERNEL_MODULE=N
+ [ -f /jffs/addons/wireguard/WireguardVPN.conf ]
+ [ ! -d /jffs/addons/wireguard/ ]
+ wg show interfaces
+ tr \n
+ tr   \n
+ sort -r
+ echo
+ local ACTIVE_WG_INTERFACES=
+ local STATUS=0
+ [ ! -f /usr/sbin/wg ]
+ [ N == Y ]
+ find /lib/modules -name+ tr \n
wireguard.ko
+ awk {print $1}
+ local KERNEL_MODULE=/lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko
+ [ -n /lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko ]
+ + awk {print $2}
modprobe --show-depends wireguard
+ local FPATH=/lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko
+ strings /lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko
+ + cut -d= -f2
grep ^version
+ local FVERSION=1.0.20210124
+ echo -e \n\t[✔] WireGuard Kernel module/User Space Tools included in Firmware (1.0.20210124)\n

        [✔] WireGuard Kernel module/User Space Tools included in Firmware (1.0.20210124)

+ [ -n   ]
+ Manage_Wireguard_Sessions stop
+ local ACTION=stop
+ shift
+ local WG_INTERFACE=
+ shift
+ local CATEGORY=
+ local SHOWCMDS=
+ local WG_QUICK=
+ [ -z   ]
+ [   == all ]
+ echo -en
+ local PEERS=
+ WG_INTERFACE=
+ printf %s
+ sed s/^[ \t]*//;s/[ \t]*$//
+ + sed s/wgs[1-5]//g
sed s/wgc[1-5]//g
+ WG_INTERFACE=
+ local TMP_SERVERS=
+ local TMP_CLIENTS=
+ tr \n
+ sort
+ tr   \n
+ echo
+ local TMP_SERVERS=
+ WG_INTERFACE=
+ awk {$1=$1};1
+ echo
+ WG_INTERFACE=
+ [ -n  ]
+ [ -z  ]
+ wg show interfaces
+ sed s/wgc[1-5] //g
+ sed s/wgs[1-5] //g
+ WG_INTERFACE=
+ [ -n  ]
+ echo -e \n\tNo WireGuard VPN Peers ACTIVE for Termination request\n

        No WireGuard VPN Peers ACTIVE for Termination request

+ SayT No WireGuard VPN Peers ACTIVE for Termination request
+ echo -e 29218+  Nobasename WireGuard VPN /jffs/addons/wireguard/wg_manager.sh Peers
ACTIVE for Termination request
+ logger -t (wg_manager.sh)
+ echo -e

+ return 0
+ SayT Initialising WireGuard Kernel module '/lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko'
+ echo -e 29218 Initialising WireGuard Kernel module '/lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko'
+ basename /jffs/addons/wireguard/wg_manager.sh
+ logger -t (wg_manager.sh)
+ echo -e \tInitialising WireGuard Kernel module '/lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko'
        Initialising WireGuard Kernel module '/lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko'
+ rmmod /lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko
+ insmod /lib/modules/4.1.27/kernel/net/wireguard/wireguard.ko
+ dmesg
+ grep -a WireGuard+ tail -n 1

+ echo -e \twireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
        wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
+ dmesg
+ tail -n 1
+ grep -a wireguard: Copyright
+ echo -e \twireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.\n
        wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

+ rm /jffs/addons/wireguard/*.ipk
+ opkg+ grep wireguard-kernel
list-installed
+ [ -n  ]
+ + grep wireguard-tools
opkg list-installed
+ [ -n  ]
+ [ -n   ]
+ Manage_Wireguard_Sessions start
+ local ACTION=start
+ shift
+ local WG_INTERFACE=
+ shift
+ local CATEGORY=
+ local SHOWCMDS=
+ local WG_QUICK=
+ [ -z   ]
+ [   == all ]
+ echo -en
+ local PEERS=
+ WG_INTERFACE=
+ printf %s
+ sed s/wgc[1-5]//g
+ sed s/^[ \t]*//;s/[ \t]*$//
+ sed s/wgs[1-5]//g
+ WG_INTERFACE=
+ local TMP_SERVERS=
+ local TMP_CLIENTS=
+ echo
+ tr \n
+ tr   \n
+ sort
+ local TMP_SERVERS=
+ WG_INTERFACE=
+ echo
+ awk {$1=$1};1
+ WG_INTERFACE=
+ [ -n  ]
+ + grep -w nopolicy
echo
+ [ -n  ]
+ echo -e

+ LOOKAHEAD=
+ WG_show
+ local SHOW=
+ [  == Y ]
+ return 0
+ set +x

        WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1  = Begin WireGuard Installation Process

e  = Exit Script [?]

E:Debug mode enabledOption ==>
 
OK thanks.

I was going to assume it was derived as follows:
  • If WAN Fibre MTU 1500 then 1440 (-60) for IPv4 and 1420 (-80) for IPv6
  • If WAN PPPoE MTU 1492 then 1432 (-60) for IPv4 and 1412 (-80) for IPv6
Not looked at MTU for years, so some basic questions.

My internet connection is VDSL and uses DHCP Option 61 rather than PPPoE, and
in the Router WAN MTU it is currently set at 1500 (which is the default recommended by the ISP).
checking with ifconfig br0: 1500, wg11: 1420 & wg21:1420

Checking the max fragment size for IPv4 not using the VPN (ping -4 -c 5 -M do -s nnnn <site>) I get 1472, reducing to 1452 for IPv6

Testing on wg11 clients these reduce to 1392 (IPv4) and 1372 (IPv6)

Testing on wg21 (from my phone) to the LAN address using Ping tools, size set 1252 (reported 1260) for IPv4, 1232 (reported 1240) for IPv6

Questions
  • do I need to adjust the MTU in WAN > MTU or is packet size handled automatically by router?
  • do I need to adjust the MTU settings on wg11, wg21 and/or any devices and if so how?
  • how can I test if this makes any practical difference?
 
Checking the max fragment size for IPv4 not using the VPN (ping -4 -c 5 -M do -s nnnn <site>) I get 1472, reducing to 1452 for IPv6
Testing on wg11 clients these reduce to 1392 (IPv4) and 1372 (IPv6)
An IPv4 ping has a 20-byte IP header and an 8-byte ICMP header. For a payload of 1472 + 28 bytes of headers you get 1500.
Since our wg MTU is set at 1420, the ping payload over wg11 becomes 1420 - 28 = 1392.
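The arithmetic in this post and in the 1500/1492 derivation quoted earlier, as an added example (not from the thread or wireguard_manager). The overhead figures follow the -60/-80 split stated above: outer IP header plus 8 bytes UDP plus 32 bytes of WireGuard data-message header and tag; the 1280..1440 range is the one wireguard_manager's mtu= option accepts.

```shell
#!/bin/sh
# Added example, not from the thread or wireguard_manager: the MTU arithmetic behind
# 1440/1420 (WAN MTU 1500) and 1432/1412 (PPPoE, 1492), plus 'ping -M do' payload sizes.

# Encapsulation overhead WireGuard adds to each packet:
#   outer IP header (20 for IPv4, 40 for IPv6) + UDP header 8 + WireGuard data-message
#   header and authentication tag 32  ->  60 bytes over IPv4, 80 bytes over IPv6.
wg_overhead() {
    case "$1" in
        4) echo 60 ;;
        6) echo 80 ;;
        *) echo "unknown IP family: $1" >&2; return 1 ;;
    esac
}

# Largest tunnel MTU that keeps the encapsulated packet within the WAN MTU.
# Usage: wg_mtu <wan_mtu> <outer_ip_family 4|6>
wg_mtu() {
    ovh=$(wg_overhead "$2") || return 1
    echo $(( $1 - ovh ))
}

# Largest ICMP payload (ping -s) that fits an MTU without fragmenting:
#   IPv4: 20-byte IP header + 8-byte ICMP header = 28;  IPv6: 40 + 8 = 48.
# Usage: ping_payload <mtu> <inner_ip_family 4|6>
ping_payload() {
    case "$2" in
        4) echo $(( $1 - 28 )) ;;
        6) echo $(( $1 - 48 )) ;;
        *) echo "unknown IP family: $2" >&2; return 1 ;;
    esac
}

# The inverse: the largest payload that got through with DF set gives the path MTU.
# Usage: mtu_from_ping_payload <payload> <ip_family 4|6>
mtu_from_ping_payload() {
    case "$2" in
        4) echo $(( $1 + 28 )) ;;
        6) echo $(( $1 + 48 )) ;;
        *) echo "unknown IP family: $2" >&2; return 1 ;;
    esac
}

# wireguard_manager's 'peer wgNN mtu=nnnn' accepts 1280..1440 inclusive (1280 is the IPv6 minimum).
valid_wg_mtu() {
    [ "$1" -ge 1280 ] && [ "$1" -le 1440 ]
}

for wan in 1500 1492; do
    echo "WAN MTU $wan: tunnel MTU $(wg_mtu "$wan" 4) (IPv4 endpoint) / $(wg_mtu "$wan" 6) (IPv6 endpoint)"
done
echo "Max ping -M do payload through a 1420 tunnel: IPv4 $(ping_payload 1420 4), IPv6 $(ping_payload 1420 6)"
echo "A 1472-byte IPv4 payload passing with DF set implies path MTU $(mtu_from_ping_payload 1472 4)"
```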
 
When I replaced it with the old copy I could start wg. Now that I have uninstalled and reinstalled I still have the issue. Here are the logs:

Update: I got it now. It is the custom cronjob with wireguard naming in the post-mount scripts. After temporarily removing those the installation can proceed. Thanks a lot
OK, just to recap....

You obviously have advanced customisation....and I think I can modify wireguard_manager to accommodate/tolerate your tweaks

i.e. my brain dead checking of /jffs/scripts/post-mount for the text string 'wireguard' (rather than explicitly checking for 'wg_manager.sh init') and consequently (incorrectly) matching on your custom directory homed cron job '/jffs/addons/wireguard/Scripts/custom/WGVPNC_summary.sh' thereby ignoring the correct code execution path. :eek::rolleyes:


Furthermore, I wasn't aware that the directive AllowedIPs = cannot contain a comment

e.g. AllowedIPs = 0.0.0.0/0 # ALL Traffic results in AllowedIPs = (none) being actually used by wg o_O

So wireguard_manager Beta v4.17b3 (as yet not publicly available) will include a patch for 'client' Peers
Code:
e  = Exit Script [?]

E:Option ==> start wg16

  Requesting WireGuard® VPN Peer start (wg16)

  ***ERROR: Directive 'AllowedIPs = 0.0.0.0/0,::0/0    # ALL Traffic' cannot contain comments (use command 'formatwg-quick'); Initialisation ABORTed!
and formatwg-quick can now be used to conveniently sanitise all .conf files by removing the illegal comment.
e.g.
Code:
e  = Exit Script [?]

E:Option ==> formatwg-quick

    Checking Peer Config for conversion to wg-quick format:

wg11.conf
wg12.conf
wg13.conf
wg14.conf
wg15.conf
wg16.conf
wg21.conf
wg22.conf
wg23.conf

    [✔] 'wg16.conf' converted to 'wg/wg-quick' format
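The two pitfalls described in this post, as an added example that is not wireguard_manager's own code: a strict post-mount check that looks for the actual 'wg_manager.sh init' hook instead of any line containing 'wireguard', and a sanitiser that strips trailing comments from directive lines only. The post-mount and .conf contents are constructed samples, and the exact form of the init hook line is an assumption.

```shell
#!/bin/sh
# Added example, not wireguard_manager's own code: two checks for the pitfalls above.
# The line wireguard_manager writes to post-mount is assumed to contain 'wg_manager.sh init'.

# Constructed sample post-mount: custom cron jobs that mention 'wireguard' but no init hook.
SAMPLE_POST_MOUNT_CUSTOM='#!/bin/sh
cru a wgc_summary_log "2,32 * * * * /jffs/addons/wireguard/Scripts/custom/WGVPNC_summary.sh"
cru a wgc_watchdog "* * * * * /jffs/addons/wireguard/Scripts/custom/wgc_watchdog.sh"'

# The same file after the (assumed-form) init hook has been appended.
SAMPLE_POST_MOUNT_INIT="$SAMPLE_POST_MOUNT_CUSTOM
/jffs/addons/wireguard/wg_manager.sh init \"\$@\" & # WireGuard Manager"

# Brittle check (what the post describes): any mention of 'wireguard' counts as installed.
post_mount_mentions_wireguard() {
    grep -qi 'wireguard'
}

# Strict check: a non-comment line that actually invokes 'wg_manager.sh init'.
post_mount_has_wgm_init() {
    grep -v '^[[:space:]]*#' | grep -qE 'wg_manager\.sh[[:space:]]+init'
}

# Constructed sample client .conf carrying the comment that is said to yield AllowedIPs = (none).
SAMPLE_CONF='[Interface]
PrivateKey = <<key>>
Address = 10.13.55.61/24
# Whole-line comments are fine and stay
[Peer]
PublicKey = <<key>>
AllowedIPs = 0.0.0.0/0,::0/0    # ALL Traffic
Endpoint = 146.70.51.98:1443'

# List "line:directive" for every 'Key = value' line that carries a trailing comment.
find_commented_directives() {
    grep -nE '^[[:space:]]*[A-Za-z]+[[:space:]]*=.*#'
}

# Strip trailing comments from directive lines only; whole-line comments and [sections] pass through.
strip_directive_comments() {
    sed -e '/^[[:space:]]*#/b' -e '/^[[:space:]]*\[/b' -e 's/[[:space:]]*#.*$//'
}

if printf '%s\n' "$SAMPLE_POST_MOUNT_CUSTOM" | post_mount_mentions_wireguard; then
    echo "brittle check: matches the custom cron jobs although no init hook is present"
fi
if printf '%s\n' "$SAMPLE_POST_MOUNT_CUSTOM" | post_mount_has_wgm_init; then
    echo "strict check: init hook present"
else
    echo "strict check: no init hook, so installation should proceed"
fi
echo "Directives with comments:"
printf '%s\n' "$SAMPLE_CONF" | find_commented_directives
echo "Sanitised .conf:"
printf '%s\n' "$SAMPLE_CONF" | strip_directive_comments
```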
 
Questions
  • do I need to adjust the MTU in WAN > MTU or is packet size handled automatically by router?
Hopefully automagically configured by the router
  • do I need to adjust the MTU settings on wg11, wg21 and/or any devices and if so how?
You can set the MTU using (where nnnn is between 1280 and 1440 inclusive)
Code:
peer wg11 mtu=[ auto | nnnn ]

Do you need to adjust the WireGuard MTU ....moot point.

If you have a 'client' Peer say wg11; first check its current MTU
Code:
ifconfig wg11 | grep MTU

UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
then stop wg11 and start it in debugging mode
Code:
e  = Exit Script [?]

E:Option ==> start wg11 debug

[#] iptables -t nat -N WGDNS1
[#] ip link add dev wg11 type wireguard
[#] wg setconf wg11 /tmp/wg16.2885 #(/opt/etc/wireguard.d/wg11.conf)
[#] ip address add dev wg11 10.65.232.232/32
[#] ip link set up dev wg11
[ ] Auto MTU:1420 determined by WireGuard®
<snip>
and the MTU value used should be shown or again issue
Code:
ifconfig wg11 | grep MTU
If the MTU is 1420 then possibly I've made an invalid assumption, but if it isn't 1420, then clearly WireGuard can indeed determine/assign an appropriate non-default value.

However, with MTU, bigger isn't necessarily better, but I was trying to distance wireguard_manager from being responsible for poor throughput, whilst still honouring a VPN ISP provided MTU such as TorGuard's (conservative) 1292 value etc.

  • how can I test if this makes any practical difference?
A repeatable set of iPerf transfers maybe? - between your site-to-site environments would probably be the most reliable?

 
I previously asked if anyone else had/has the rogue RPDB 220: from all lookup 220 rule(s)...

So something (as yet unidentified) is creating the rule(s), so I assumed it was most likely only within my environment, but clearly it wasn't compatible with wireguard_manager, so I unilaterally hacked its removal if found.

P.S. If you legitimately need the RPDB rule as-is, or, more importantly, you have found that it is my manky script at fault, then please advise.
I have this rule created for table 220 whenever I add wg22 server peer.

Code:
# ip rule
0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
9820:   from all fwmark 0xdc lookup 220
...snipped...

Now, whenever I start wgm for the first time, I am greeted with this message
Code:
# wgm

(wg_manager.sh): 16001 DEBUG= *********************************WTF!? Rogue RPDB rule 220 FOUND?????!!!!!*******************************

        IPv6 RPDB

0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main

        IPv6 Route Table 220


        Press y to Delete rogue RPDB PRIO 220 rules or press [Enter] to SKIP.
y
RTNETLINK answers: No such file or directory

+======================================================================+
|  Welcome to the WireGuard® Manager/Installer script (Asuswrt-Merlin) |
|                                                                      |
|                      Version v4.17b2 by Martineau                    |
|                                                                      |
+======================================================================+
        WireGuard® ACTIVE Peer Status: Clients 3, Servers 2
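As an added example (not code from the thread or from wireguard_manager), a small POSIX shell filter that picks out the "rogue" rule shape shown above: an RPDB rule that sends traffic from all sources to a WireGuard policy table with no fwmark selector, while leaving the fwmark rules wireguard_manager creates for wg21/wg22 alone. The function names are my own and the two listings are constructed from the output quoted in this post; on the router you would pipe `ip rule` and `ip -6 rule` into them instead.

```shell
#!/bin/sh
# Added example, not from the thread or wireguard_manager.
# Flags "from all lookup TABLE" rules that carry no fwmark selector.

# rogue_rpdb_rules TABLE   (reads an `ip rule` listing on stdin, prints matches)
rogue_rpdb_rules() {
    awk -v t="$1" '
        NF >= 2 && $(NF-1) == "lookup" && $NF == t && $0 !~ /fwmark/ {
            $1 = $1          # rebuild the record with single spaces
            print
        }'
}

# rogue_rpdb_prios TABLE   (same filter, prints only the rule priority,
# which is the value an `ip rule del priority N` cleanup would need)
rogue_rpdb_prios() {
    rogue_rpdb_rules "$1" | sed 's/:.*//'
}

# count_rogue TABLE LISTING   (counts matches in a listing passed as a string)
count_rogue() {
    printf '%s\n' "$2" | rogue_rpdb_rules "$1" | wc -l | tr -d ' '
}

# Constructed samples mirroring the listings quoted in the post above.
SAMPLE_V4='0:      from all lookup local
9810:   from all fwmark 0xd2 lookup 210
9820:   from all fwmark 0xdc lookup 220
32766:  from all lookup main'

SAMPLE_V6='0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main'

# On the router, replace the samples with `ip rule` and `ip -6 rule`.
for fam in 4 6; do
    if [ "$fam" = 4 ]; then listing=$SAMPLE_V4; else listing=$SAMPLE_V6; fi
    printf 'IPv%s rogue rules for table 220:\n' "$fam"
    printf '%s\n' "$listing" | rogue_rpdb_rules 220
done
```

Only the IPv6 `220: from all lookup 220` line is reported; the `fwmark 0xdc lookup 220` rule for the wg22 server peer is not.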
 
I put debugging statements (to be triggered primarily during the boot process) prior to the calls to wg_manager.sh init

/jffs/scripts/post-mount

Code:
Say() {
    # shellcheck disable=SC2068
    echo -e $$ $@ | logger -st "($(basename $0))"
}

Say "***DEBUG ===post-mount Pre wg_manager.sh init"
ip rule >> /tmp/syslog.log
Say "***DEBUG IPv6"
ip -6 rule >> /tmp/syslog.log
/jffs/addons/wireguard/wg_manager.sh init "" & # WireGuard Manager

and

/jffs/scripts/firewall-start

Code:
Say() {
    # shellcheck disable=SC2068
    echo -e $$ $@ | logger -st "($(basename $0))"
}

Say "***DEBUG ===firewall-start Pre wg_manager.sh init"
ip rule >> /tmp/syslog.log
Say "***DEBUG IPv6"
ip -6 rule >> /tmp/syslog.log

/jffs/addons/wireguard/wg_manager.sh init "" & # WireGuard Manager

It appears the firmware is generating the rules? I recall that they impacted wireguard_manager.
 
Yes, it appears the first two rules are created from wg21 and wg22. I have had this since the first time I enabled it in an earlier release. I never had an issue with it though. Later I learned from you to name table 121 etc. wgc1; I also named tables 210 and 220 wgs1 and wgs2.
 
