Wireguard Session Manager - Discussion (3rd) thread


Weirdly (given the context of the error message) it seems script wg_client has somehow assumed the text string 'ip=10.50.1.3/32' to be a WireGuard interface (such as wg11), possibly extracted from the SQL database?

Could you please wgm stop wg11, then start it manually in full debug/trace mode using the appropriate command

i.e. if wg11 has auto=p, issue
Code:
sh -x /jffs/addons/wireguard/wg_client wg11 policy
otherwise issue
Code:
sh -x /jffs/addons/wireguard/wg_client wg11
then PM me the top half of the debug trace output up to the point where the error message 'grep: /opt/etc/wireguard.d/ip=10.50.1.3/32.conf: No such file or directory' occurs.
I removed pho21 and laptop from passthru (and the associated rules) but when I add
peer wg21 passthru add wg11 ip=10.50.1.3/32 ipv6=aa36:7ef1:2add:aa88:100::3/128
I now get
***ERROR: 'device' Peer (ip=10.50.1.3/32) doesn't exist!
even though
Code:
E:Option ==> 8

        Peers (Auto start: Auto=P - Policy, Auto=S - Site-to-Site)
Server  Auto  Subnet                                       Port   Annotate
wg21    N     10.50.1.1/24,aa36:7ef1:2add:aa88:100::1/120  11501  # RT-AX88U (IPv4/IPv6) Server 1

Client  Auto  IP                                              Endpoint                   DNS                                   MTU  Annotate
wg11    P     <vpn_ipv4>/19, <vpn_ipv6>/64                    endpoint:nnnn       10.55.63.1,fe80::aa5e:45ff:feae:5050       # N/A

        Peers (Auto=X - External i.e. Cell/Mobile/Site)
Device  Auto  IP                                           DNS                                   Allowed IPs      Annotate
pho21   X     10.50.1.2/32,aa36:7ef1:2add:aa88:100::2/128  10.50.1.1,aa36:7ef1:2add:aa88:100::1  0.0.0.0/0, ::/0  # pho21 "Device"
laptop  X     10.50.1.3/32,aa36:7ef1:2add:aa88:100::3/128  10.50.1.1,aa36:7ef1:2add:aa88:100::1  0.0.0.0/0, ::/0  # laptop "Device"
(I have removed the unused peers & devices from the above)
As I don't seem to be able to re-add the passthru by IP, do you still want the debug & trace?

Also
Code:
grep -i "^version" /jffs/addons/wireguard/wg_server
VERSION="v4.16.12"
 
As per the help
Code:
e  = Exit Script [?]

E:Option ==> peer help

    peer help                               - This text
    peer                                    - Show ALL Peers in database

<snip>

                                                       peer wg21 passthru add wg11 SGS8
                                                       peer wg21 passthru add wg15 all
                                                       peer wg21 passthru add wg12 10.100.100.0/27
                                                       peer wg21 passthru del SGS8
                                                       peer wg21 passthru del all

the prefix 'ip=' has never been required (for the add request, the IP/CIDR must be the 6th positional parameter and therefore cannot be confused with another parameter), but as per the changelog for v4.16bD the Road-Warrior 'device' now must pass validation.

So for Dual-stack IPv4+IPv6 use CIDR format (but the 'device' Peer name will probably be more human-friendly assuming that it resolves to a single IP - rather than a true CIDR range)
Code:
peer wg21 passthru add wg11 10.50.1.3/32,aa36:7ef1:2add:aa88:100::3/128
 
If I want to add IPv4 and IPv6 for a device, can I add them together or one at a time - does it matter?
 
see updated post #122
After changing to
Code:
peer wg21 passthru add wg11 10.50.1.3/32 aa36:7ef1:2add:aa88:100::3/128
I still got the error - this may be because I separated IPv4 and IPv6 using a [space] rather than a ',', so I will delete, reboot and try again.

UPDATE: changing to
Code:
peer wg21 passthru add wg11 10.50.1.3/32,aa36:7ef1:2add:aa88:100::3/128
just changes the error from
Code:
grep: /opt/etc/wireguard.d/10.50.1.3/32.conf: No such file or directory
to
Code:
grep: /opt/etc/wireguard.d/10.50.1.3/32,aa36:7ef1:2add:aa88:100::3/128.conf: No such file or directory
 
Thanks - this innocuous error is due to trying to extract the description tag (originally for your Passthru Road-Warrior 'device' Peer 'pho21'), but clearly now that you are manually and explicitly specifying multiple CIDR IPs, the script shouldn't attempt to examine (as a fallback) the non-existent '.conf'.
Hopefully fixed:

So it seems that adding a device adds the required rules but removing it (or at least removing all) leaves the rules intact.
Thanks - I've uploaded wireguard_manager Beta v4.16bE
To Upgrade/apply the patches use:
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 
I have updated and rebooted (just in case) and wg_server is now v4.16.13

The grep errors from specified IPs rather than a device name are now all gone; however, I am still having issues if I remove a passthru rule.

So if I load the rule as
peer wg21 passthru add wg11 laptop
then whether I try
peer wg21 passthru del all, or
peer wg21 passthru del wg11 all, or
peer wg21 passthru del wg11 laptop
the rules are not removed (if I run ip rule or ip -6 rule they are still there). So a stupid question - I am assuming the SQL database for WGM is /opt/etc/wireguard.d/WireGuard.db and that when routing rules are set up they are added here as well as to the RPDB; when the passthru is taken down and the rules removed from WireGuard.db, are they also removed from the RPDB?
 
I've Uploaded wg_client v4.16.18

To apply the patch use:
Code:
e  = Exit Script [?]

E:Option ==> uf dev

Implementation of the RPDB Passthru rules is handled by wg_client, hence the (current) need to stop/start the 'client' Peer after using command
Code:
peer wg2X passthru [ add | del ] xxxxxxxxxxx

If the Passthru 'client' Peer is DOWN when the Passthru rules are deleted from the SQL database, then the physical management of the Passthru RPDB rules is handled correctly.

The design allows deletion of the rules from the SQL database to legitimately occur whilst the 'client' Peer is UP, and the RPDB rules will actively remain (without causing disruption) until the 'client' Peer is restarted at a convenient (OoH) time.

The flaw is that having removed the Passthru rules from the SQL database, how does wg_client know which Passthru rules to delete on termination?!!
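As an added example (not wireguard_manager's own code) of one way around the flaw just described: if Passthru rules are always installed at a fixed RPDB priority (later in the thread the priority 9981 is named), termination can delete by that priority rather than looking the rules up in the SQL database, so deleting the database entries while the 'client' Peer is UP cannot leave orphans behind. The `ip rule show` text and table id 111 below are constructed sample data; `passthru_flush` is the live teardown and needs root on the router, the other two functions work offline on captured output.

```shell
#!/bin/sh
# Added example, not wireguard_manager code: tear down Passthru RPDB rules by
# their fixed priority so termination does not depend on the SQL database.
# Assumptions: Passthru rules live at prio 9981 (the priority mentioned in the
# thread); table id 111 and the rule text below are constructed sample data.

# Constructed stand-in for `ip rule show` / `ip -6 rule show` output
SAMPLE_V4_RULES='0: from all lookup local
9981: from 10.50.1.3 lookup 111
9981: from 10.50.1.2 lookup 111
32766: from all lookup main
32767: from all lookup default'

SAMPLE_V6_RULES='0: from all lookup local
9981: from aa36:7ef1:2add:aa88:100::3 lookup 111
32766: from all lookup main'

# passthru_del_cmds <4|6> <prio>
# Reads `ip [-6] rule show` text on stdin and prints one `ip [-6] rule del`
# command per rule at that priority: a preview (or log line) of what a
# teardown would remove, without touching the RPDB.
passthru_del_cmds() {
    fam="$1"; prio="$2"
    case "$fam" in
        4) ipcmd="ip" ;;
        6) ipcmd="ip -6" ;;
        *) echo "family must be 4 or 6" >&2; return 1 ;;
    esac
    awk -v P="$prio" -v IP="$ipcmd" '
        { p = $1; sub(/:$/, "", p) }          # "9981:" -> "9981"
        p == P {
            $1 = ""; sub(/^[ \t]+/, "")      # drop the prio column
            print IP " rule del prio " P " " $0
        }'
}

# count_prio_rules <prio>   (stdin: `ip [-6] rule show` text)
# Non-zero after a stop means the teardown left something behind: the check
# the thread performs by hand with `wgm stop wg11; ip rule; ip -6 rule`.
count_prio_rules() {
    awk -v P="$1" '{ p = $1; sub(/:$/, "", p) } p == P { n++ } END { print n + 0 }'
}

# passthru_flush <prio>
# Live teardown: delete every IPv4 and IPv6 rule at the priority, however many
# there are and whatever their selectors, without consulting any database.
# `ip rule del prio N` with no selector removes one matching rule per call,
# so loop until it fails. Needs root on the router; not exercised offline.
passthru_flush() {
    while ip rule del prio "$1" 2>/dev/null; do :; done
    while ip -6 rule del prio "$1" 2>/dev/null; do :; done
}

# Preview what a teardown of the constructed state would remove
printf '%s\n' "$SAMPLE_V4_RULES" | passthru_del_cmds 4 9981
printf '%s\n' "$SAMPLE_V6_RULES" | passthru_del_cmds 6 9981
```

Deleting by priority is only safe if nothing else on the router installs rules at 9981, which is why a script that owns a priority should treat it as reserved; `count_prio_rules` run before `wgm start` is a cheap way to detect a clash.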
 
I have updated and the revised client 4.16.18 is showing; however, after removing the passthru the ip / ip -6 rules are not being removed. What am I missing / what can I do?
 


Update to wg_client v4.16.19
Code:
e  = Exit Script [?]

E:Option ==> uf dev

Enter the following commands
Code:
wgm stop wg11;  ip rule;ip -6 rule
Code:
wgm start wg11; ip rule;ip -6 rule
Code:
wgm stop wg11;  ip rule;ip -6 rule

If both the IPv4 prio 9981 rule(s) and the IPv6 prio 9981 rule(s) remain, you will have to run a debug/trace
Code:
wgm start wg11

sh -x /jffs/addons/wireguard/wg_client wg11 disable
and post the output on Pastebin
 

Client v4.16.19 nailed it. Code removed for both ipv4 and ipv6. :D:D
 
Now that FiOS FINALLY has IPv6 in my area as of yesterday I have been looking into getting it working over WG.

From the sound of this thread, it is still up in the air. Am I reading into this right?
 
Both client and server work with IPv6, but there could be some features not tested yet on IPv6 (like site-2-site IPv6).

There is also a variety of IPv6 connection types, but if you set it up and report here if you run into problems, I'm sure we could fix it together.

https://github.com/ZebMcKayhan/WireguardManager#table-of-content
 
WireGuard Manager Release v4.16

Github md5=9db9936e2a55b956274ee1c2419ab14b

Main goal of this release was to improve IPv6 compatibility - Many thanks for the diligent/patient Dual-stack (advanced) IPv4+IPv6 testing by @archiel , supported by @ZebMcKayhan

To upgrade use
Code:
e  = Exit Script [?]

E:Option ==> uf
and it is advised to issue the following
Code:
e  = Exit Script [?]

E:Option ==> createconfig

    Warning: WireGuard configuration file '/jffs/addons/wireguard/WireguardVPN.conf' already exists!...renamed to 'WireguardVPN.conf20220430-101031'

    Creating/Updating WireGuard configuration file '/jffs/addons/wireguard/WireguardVPN.conf'
to take advantage of any new customisable configuration features.

Change log etc.
Code:
e  = Exit Script [?]

E:Option ==> ?

    Router RT-AX86U Firmware (v386.5_2)

    [✔] Entware Architecture arch=aarch64


    v4.16 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/main/wg_manager.sh)
    MD5=9db9936e2a55b956274ee1c2419ab14b /jffs/addons/wireguard/wg_manager.sh

    [✔] WireGuard Kernel module/User Space Tools included in Firmware (1.0.20210124)

<snip>
 
In case it was not obvious, everything should be included in the above stable release 4.16 which is installable directly from AMTM.
HA HA! Excellent. Thank you.

EDIT: And it is working!
Oh, is there any major difference between an 'aa' prefix and a 'fd' prefix?
 
OK I take that back. Ugh.

Installed wgm through amtm.
peer wg21 del
peer new ipv6
peer wg21 auto=y
create test wg21

Code:
E:Option ==> 8

        Peers (Auto start: Auto=P - Policy, Auto=S - Site-to-Site)
Server  Auto  Subnet                        Port   Annotate
wg21    Y     10.50.1.1/24,fd00:50:1::1/64  11501  # GT-AXE11000 (IPv4/IPv6) Server 1


        Peers (Auto=X - External i.e. Cell/Mobile/Site)
Device  Auto  IP                             DNS         Allowed IPs      Annotate
test    X     10.50.1.2/32,fd00:50:1::2/128  10.50.1.1,  0.0.0.0/0, ::/0  # test "Device"

        WireGuard ACTIVE Peer Status: Clients 0, Servers 1

I can connect but only ipv4 works.
 
Guess you did not read through:
https://github.com/ZebMcKayhan/WireguardManager#setup-wg-server

Although your setup should work to access LAN IPv6 but not WAN, so when you say it's not working, are you referring to WAN or LAN?
 
I fail at scrolling down pages. :(

It's working now.

Is there any reason I should NOT run it on port 80?
Why would I want to do this? The hospital I go to often... their wireless is locked down like a mofo. Can't even check iCloud e-mail on it because it uses STANDARD secure SMTP ports, which are blocked. And can't use VPN. My guess is all 80/443 traffic is allowed.
 
