
Hi @Martineau, not sure if this is intended, but I can only have one device passthru rule working at a time. So if I add
peer wg21 passthru add wg11 pho21
then I see
9981: from 10.50.1.2 lookup 121
9981: from aa36:7ef1:2add:aa88:100::2 lookup 121
Added to ip and ip -6 rules as expected, but if I then add
peer wg21 passthru add wg11 laptop
then while the command completes without error and peer wg11 shows
Code:
        Selective Routing RPDB rules
ID  Peer  Interface  Source                      Destination  Description
10  wg11  VPN        fd36:7ef1:2add:aa88:100::1  Any          Unbound6VPN
9   wg11  VPN        192.168.3.1                 Any          Unbound4VPN

IPSet     Enable  Peer  FWMark  DST/SRC
wg11-mac  Y       wg11  0x1000  src

Server  Client  Passthru
wg21    wg11    laptop
wg21    wg11    pho21
but in the rules I only see
9981: from 10.50.1.3 lookup 121
9981: from aa36:7ef1:2add:aa88:100::3 lookup 121
where I had expected
9981: from 10.50.1.2 lookup 121
9981: from 10.50.1.3 lookup 121
9981: from aa36:7ef1:2add:aa88:100::2 lookup 121
9981: from aa36:7ef1:2add:aa88:100::3 lookup 121
and the passthru for pho21 is lost
Removing either passthru rule leaves the remaining one in place and working as expected
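A quick check for the symptom described in this post, added here as an example and not part of wireguard_manager: given the text of 'ip rule show' / 'ip -6 rule show' and the list of passthru sources you expect, it prints every source that no longer has a 'lookup 121' rule. The rule output below is constructed from the post; on the router pass "$(ip rule show)" and "$(ip -6 rule show)" instead, and the table number is whatever wgm assigned to the client (121 for wg11 here).

```shell
#!/bin/sh
# Added example (not wireguard_manager code): list the passthru sources that
# have no "from <src> lookup <table>" rule in the RPDB. It works on the text
# of 'ip rule show' / 'ip -6 rule show' so it can be run against a saved
# copy; on the router pass "$(ip rule show)" and "$(ip -6 rule show)".

# missing_passthru_rules TABLE "ip rule output" SRC...
# Prints each SRC that has no "from SRC lookup TABLE" line; returns 0 only
# when every SRC is present.
missing_passthru_rules() {
    table=$1; rules=$2; shift 2
    rc=0
    for src in "$@"; do
        # 'ip rule' prints "<prio>: from <src> lookup <table>"; compare whole
        # fields so 10.50.1.2 does not match 10.50.1.20
        if ! printf '%s\n' "$rules" | awk -v s="$src" -v t="$table" \
            '$2 == "from" && $3 == s && $4 == "lookup" && $5 == t { found = 1 }
             END { exit !found }'; then
            echo "$src"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the rules seen in the post after the second passthru
# device was added (only the .3 addresses are left, .2 is missing).
RULES4='0:      from all lookup local
9981:   from 10.50.1.3 lookup 121
32766:  from all lookup main'
RULES6='0:      from all lookup local
9981:   from aa36:7ef1:2add:aa88:100::3 lookup 121
32766:  from all lookup main'

echo "IPv4 passthru sources without a lookup 121 rule:"
missing_passthru_rules 121 "$RULES4" 10.50.1.2 10.50.1.3 || echo "(re-add the passthru for those devices)"
echo "IPv6 passthru sources without a lookup 121 rule:"
missing_passthru_rules 121 "$RULES6" aa36:7ef1:2add:aa88:100::2 aa36:7ef1:2add:aa88:100::3 || echo "(re-add the passthru for those devices)"
```

Run it once after each 'peer wg2x passthru add' to confirm the earlier rules survived; the function returns non-zero when anything is missing, so it also works as a guard in a script.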
 
I fail at scrolling down pages. :(

It's working now.

Is there any reason I should NOT run it on port 80?
Why would I want to do this? Hospital I go to often... their wireless is locked down like a mofo. Can't even check iCloud e-mail on it because it uses STANDARD secure SMTP ports which are blocked. And can't use VPN. My guess is all 80/443 traffic is allowed.
I have no idea. But suggest you test ephemeral ports first (49152–65535) and if that doesn't work, test user ports (1024–49151). If you need to use system ports, and I have no idea about the implications of this, try one that is not in use for UDP:
https://en.m.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports.

Are they really that locked down so you are only allowed to make new connections on a couple of ports? Perhaps only certain system ports are locked down?
 
I can only have one device passthru rule working at a time.
Thanks, stable v4.16 didn't last long!:rolleyes:

I've uploaded wireguard_manager Beta v4.17b

To upgrade/test use:
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 
Working as hoped, can add and remove passthru devices in any order and all work as desired. Thanks again for all your effort in getting this to work.
 
By the way, did you ever test if you still need the "To main" rules when using passthru? Can you access other resources/computers that are routed out wg11 from wg21 clients?
 
I did not explicitly test (by adding / removing these rules), but I can confirm that for my particular setup, they are not included in my scripts and with passthru I can also access local resources on other LAN devices (including those that are routed out wg11), whether desktops by RDP, or services via https://device_name:nnnn/menu or https://ip_address:mmm/menu.
 
Thats great news!

Well, now that everything is up and running for you, would you mind sharing what you ended up with in your wg11-up.sh and wg21-up.sh (mask any sensitive stuff of course).
 
I have included them below. It should be noted that I am still in the process of fully documenting exactly where I have ended up after testing various different options, so I may have missed some steps (I will edit this later if I find I have). The setup includes
  • An ISP that provides a native but dynamic IPv6 (/56 range)
  • Using SLAAC (not DHCP6 or similar) for IPv6 address allocation on the LAN
  • Using a VPN provider that supports (not blocks) IPv6 tunnels.
  • On the Router,
    • setting WAN>Connect to DNS Server automatically to No
    • leaving DNS1 and DNS2 blank
    • Setting DNS Privacy to DoT (Strict) and adding IPv4 and IPv6 servers
    • in IPv6 > Connect to DNS Server automatically to No and adding external DNS servers (does not work if blank)
    • LAN > DNSFilter > Enable DNS-based Filtering > ON - Router
  • Using Unbound as the local caching DNS
  • Using Diversion for ad blocking, therefore needing dnsmasq in the mix
  • Preventing any DNS queries going out in plain text (i.e. need to be directly encrypted for Router queries and routed via VPN for LAN enquiries).
    • adding private address aliases on (or routed through) br0 <alias4>, <alias6>
    • adding these private addresses as 'outgoing interfaces' to unbound
    • adding these private addresses as rules to wg1x
  • adding the wg1x devices via MAC ipsets (using SLAAC the IPv6 addresses will change over time), Devices routed over wg1x will need fixed MACs
  • wg1x is run in policy mode (not default)
  • these scripts require entware iptables - they can be modified to run without - @ZebMcKayhan is the expert on this.
In wan-event (to add aliases)
Code:
if [ "$1" = "0" ] && [ "$2" = "connected" ]; then
  ifconfig br0:1 <alias4> netmask 255.255.255.255
  ip -6 address add dev eth5 <alias6>
fi
Notes: <alias6> is derived from creating a ULA (fdxx:xxxx:xxxx:xxxx::/64) then adding :100::1/128, so fdxx:xxxx:xxxx:xxxx:100::1/128
Adding the alias directly to br0 during startup so it was ready for when unbound started proved problematic. On testing, as all of eth1-eth8 route through br0 (unless explicitly routed elsewhere), it was easier to add the alias here, providing the interface is showing as up
i.e. ip addr show | grep eth shows br0 state UP. For an RT-AX88U, eth5 is the bridge to LAN5-LAN8 and will always be up
In services-start (to backup mac-ipset)
Code:
cru a <mac-ipset> "45 6 * * * ipset save wg11-mac > /opt/tmp/<mac-ipset>"
in unbound.conf
Code:
server:
....
outgoing-interface: <alias4>        # routing to wan-event + wgm policy rules
outgoing-interface: <alias6>        # routing to wan-event + wgm policy rules
from wgm create wg1x from VPN_provider.conf as normal
to update DNS (to use dnsmasq, aliases)
Code:
peer wg1x dns=<local_4>,<local_6>
where <local_4> is the LAN IP and <local_6> is the router's link-local address (e.g. fe80::xxxx:xxxx:xxxx:xxxx). This is generated based on the Router's MAC and (AFAIK) will not change.
to add aliases
Code:
peer wg1x rule add <alias_4>  comment Unbound4VPN
peer wg1x rule add <alias_6>  comment Unbound6VPN
from ssh prompt to create mac-ipset
Code:
ipset create <ipset-mac> hash:mac
ipset add <ipset-mac> XX:XX:XX:XX:XX:XX
ipset add <ipset-mac> YY:YY:YY:YY:YY:YY
...
from wgm to add<ipset-mac>
Code:
peer wg1x add ipset <ipset-mac>
Server Configuration
create a new server wg2x in the format
peer new ip=<wg2x_4_range>,<wg2x_6_range>
for <wg2x_4_range> use any non-overlapping (with other subnets on the router) range e.g. 10.50.1.1/24
for <wg2x_6_range> modify the ULA to a GUA by replacing the leading fd (private) with a public starter (e.g. aa) and defining scope, so
ULA (fdxx:xxxx:xxxx:xxxx::/64) > aaxx:xxxx:xxxx:xxxx:100::1/120 = <wg2x_6_range> - amend as necessary for additional servers.
wg21-up.sh
Code:
#!/bin/sh
###############################################################################
# Example for Wg21 ipv6 = aa00:aaaa:bbbb:cccc:100::1/120
# Change to your needs but keep formatting
Wg21Prefix=aa00:aaaa:bbbb:cccc:: #Wg21 ULA prefix with aa instead of fd
Wg21Suffix=100::1  #Wg21 Device suffix (last 64 bits)
Wg21PrefixLength=120   #Wg21 Prefix Length (120 recommended)
WanInterface=eth0
# Changing below lines should not be needed:
WanIp6Prefix=$(nvram get ipv6_prefix)     #WanIp6Prefix=2001:1111:2222:3333::
Wg21_PrefIp=${Wg21Prefix%:*}${Wg21Suffix}/${Wg21PrefixLength}      #aa00:aaaa:bbbb:cccc:100::1/120
WanWg21_PrefIp=${WanIp6Prefix%:*}${Wg21Suffix}/${Wg21PrefixLength}   #2001:1111:2222:3333:100::1/120
# Execute firewall commands:
ip6tables -t nat -I POSTROUTING -s ${Wg21_PrefIp} -o ${WanInterface} -j NETMAP --to ${WanIp6Prefix}/64
ip6tables -t nat -I PREROUTING -i ${WanInterface} -d ${WanWg21_PrefIp} -j NETMAP --to ${Wg21Prefix}/64
###############################################################################
wg11-route-up.sh (to make sure ipset in place)
Code:
#!/bin/sh
IPSET_NAME=<ipset-mac>
if [ "$(ipset list -n "$IPSET_NAME" 2>/dev/null)" != "$IPSET_NAME" ]; then   # ipset does not already exist
    if [ -s "/opt/tmp/$IPSET_NAME" ]; then                                    # a backup file exists
        ipset restore -! <"/opt/tmp/$IPSET_NAME"                              # restore the ipset
    fi
fi
wg11-up.sh
Code:
#!/bin/sh
###############################################################################
#for use in default mode only
#ip -6 route add 0::/1 dev wg11
#ip -6 route add 8000::/1 dev wg11
#for use in policy mode only
WanIp6=$(nvram get ipv6_rtr_addr)     #WanIp6=2001:1111:2222:3333::1
iptables -t nat -I POSTROUTING ! -s <vpn_ipv4> -o wg11 -j MASQUERADE
ip6tables -t nat -I POSTROUTING ! -s <vpn_ipv6> -o wg11 -j MASQUERADE
#emulates DNSFilter on Router for IPv6, needs entware iptables
ip6tables -t nat -A WGDNS1 -i br0 -j DNAT --to-destination ${WanIp6}
###############################################################################
Finally ensure that wg2x-down.sh and wg1x-down.sh are also created.
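The IPv6 side of this setup hinges on the address arithmetic in wg21-up.sh: the wg21 ULA-style prefix and the delegated WAN prefix are both joined to the same 100::1 suffix and then NETMAPped onto each other. The script below is an added example, not wireguard_manager code and not the posted wg21-up.sh: it performs the same ${Prefix%:*}${Suffix}/${Len} expansion, refuses a prefix that is not in the "xxxx::" form the expansion assumes, prints the two ip6tables rules as a dry run, and checks an installed rule against the current delegated prefix. That last check matters because the ISP prefix is dynamic and wg21-up.sh reads nvram once, at interface up, so after a re-delegation the POSTROUTING rule keeps mapping to the old prefix until wg21 is restarted. The WAN prefixes used here (2001:db8:1:2:: and 2001:db8:1:3::) are made-up stand-ins for 'nvram get ipv6_prefix'.

```shell
#!/bin/sh
# Added example, not wireguard_manager code and not the posted wg21-up.sh:
# builds the two NETMAP addresses the same way wg21-up.sh does, refuses a
# prefix that is not in the "xxxx::" form the script assumes, prints the
# ip6tables rules as a dry run, and checks a live rule against the current
# delegated prefix. Assumed values: the wg21 prefix from the post and a
# made-up WAN prefix 2001:db8:1:2:: standing in for 'nvram get ipv6_prefix'.

# wg6_addr PREFIX SUFFIX LEN -> PREFIX (minus its trailing ':') + SUFFIX/LEN,
# i.e. the ${Prefix%:*}${Suffix}/${Len} expansion from wg21-up.sh.
# PREFIX must end in '::'; otherwise the expansion silently eats a real
# group, so return 1 instead of producing a wrong address.
wg6_addr() {
    prefix=$1; suffix=$2; len=$3
    case $prefix in
        *::) ;;
        *)   echo "prefix '$prefix' does not end in '::'" >&2; return 1 ;;
    esac
    printf '%s%s/%s\n' "${prefix%:*}" "$suffix" "$len"
}

# netmap_rules WG_PREFIX WAN_PREFIX SUFFIX LEN WAN_IF
# Prints the two ip6tables commands from wg21-up.sh without running them.
netmap_rules() {
    wgp=$1; wanp=$2; suf=$3; len=$4; wanif=$5
    wg_ip=$(wg6_addr "$wgp" "$suf" "$len") || return 1
    wan_ip=$(wg6_addr "$wanp" "$suf" "$len") || return 1
    printf 'ip6tables -t nat -I POSTROUTING -s %s -o %s -j NETMAP --to %s/64\n' "$wg_ip" "$wanif" "$wanp"
    printf 'ip6tables -t nat -I PREROUTING -i %s -d %s -j NETMAP --to %s/64\n' "$wanif" "$wan_ip" "$wgp"
}

# netmap_target "ip6tables -S line" -> the prefix after --to, without /len
netmap_target() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "--to") { sub(/\/.*/, "", $(i+1)); print $(i+1) } }'
}

# netmap_is_current "ip6tables -S line" WAN_PREFIX -> 0 if the rule still
# maps to WAN_PREFIX, 1 if the ISP has re-delegated since wg21 came up
# (wg21-up.sh reads nvram once, at interface up, so the rule does not follow)
netmap_is_current() {
    [ "$(netmap_target "$1")" = "$2" ]
}

WG21_PREFIX=aa00:aaaa:bbbb:cccc::
WAN_PREFIX_AT_UP=2001:db8:1:2::   # constructed stand-in for: nvram get ipv6_prefix
WAN_PREFIX_NOW=2001:db8:1:3::     # constructed: the ISP handed out a new /56

echo "Rules wg21-up.sh would install with prefix $WAN_PREFIX_AT_UP:"
netmap_rules "$WG21_PREFIX" "$WAN_PREFIX_AT_UP" 100::1 120 eth0

# Constructed: the POSTROUTING rule as 'ip6tables -t nat -S POSTROUTING' lists it
RULE_LINE='-A POSTROUTING -s aa00:aaaa:bbbb:cccc:100::/120 -o eth0 -j NETMAP --to 2001:db8:1:2::/64'
if netmap_is_current "$RULE_LINE" "$WAN_PREFIX_NOW"; then
    echo "NETMAP target still matches the delegated prefix"
else
    echo "NETMAP maps to $(netmap_target "$RULE_LINE") but the WAN prefix is now $WAN_PREFIX_NOW: restart wg21"
fi
```

On the router, netmap_is_current can be fed "$(ip6tables -t nat -S POSTROUTING | grep NETMAP)" and "$(nvram get ipv6_prefix)" from wan-event, so a prefix change triggers a wg21 restart instead of leaving the server's IPv6 clients mapped to an address the ISP no longer routes.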
 
That is some setup @archiel, many thanks for sharing!

Just a tiny comment:
cru a <mac-ipset> "45 6 * * * ipset save wg11-mac > /jffs/addons/wireguard/<mac-ipset>"
Are you saving the ipset to /jffs every day? Don't know if there is any risk of wear-out? This is built-in NVRAM and if it dies your router is turned into a book-stand. I don't know the technology used but suspect it is flash memory, which doesn't have infinite write cycles. Once a day is probably OK, but not necessary since the USB drive is up when wgm starts (wgm config is in /opt/etc/wireguard.d).

Also wgm might remove the content of /jffs/addons/wireguard if accidentally uninstalled (now, you may wonder how I know that... well, don't ask)...
 
When we were first testing (and having all the issues around adding the <alias6> to br0) I moved this from USB (/opt/tmp) to jffs 'just in case'. I will move it back there now.
 
Hi, thanks for your help.
AX86U
I got this error:
E:Option ==> start wg11

Requesting WireGuard VPN Peer start (wg11)


***ERROR: WireGuard 'client' doesn't have a LOCAL IP Address! - try 'peer wg11 ip=xxx.xxx.xxx.xxx/32'?


WireGuard ACTIVE Peer Status: Clients 0, Servers 1
---------------------------------------------------------------------------------------------------------------------------

and I have a wg.conf in this directory
nano /opt/etc/wireguard/azirevpn-uk2.conf
with these

code :

[Interface]
PrivateKey = hidden=
#Address = 10.20.23.224/19, 2a07:241:1:4000::17e1/64
#DNS = 10.20.0.1, 2a07:241:1:4000::1

[Peer]
PublicKey = j3Yw1nWiSgz8YAGp95KrvyvUhVLCFZ5msO33KR/A0Dc=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = uk1.wg.azirevpn.net:51820
PersistentKeepalive = 25
--------------------------------------------------------------------------------------------------------------------------

and init file

/opt/etc/init.d/S50wireguard

code :

Mode=client

export LocalIP=10.20.23.224/19, 2a07:241:1:4000::17e1/64
Route=default #default or policy
export wgdns=10.20.0.1, 2a07:241:1:4000::1
export Nipset=wgvpn
---------------------------------------------------------------------------------------------------------------------------

and wg-policy file

/opt/etc/wireguard/wg-policy

code :

#
##For ipset based Policy Routing
#

#ipset -N $Nipset hash:ip

#ip rule del prio 9997 2>/dev/null
#ip rule add fwmark 0x7000 table 117 prio 9997
#iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
#iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000

#service restart_dnsmasq
---------------------------------------------------------------------------------------------------------------------------
and nat start

/jffs/scripts/nat-start

code :

#!/bin/sh

WVPNROUTE=`ip route show | grep -i -a "dev wg"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
/opt/etc/init.d/S50wireguard restart
fi
----------------------------------------------------------------------------------------------------------
and I installed diversion (lite) - x3mrouting - unbound manager - uidivstats - yazDHCP - wireguard - entware package - swap file

Sorry if I am a noob.
I tried several times; last time I could connect but had an iptables 1.4.15 error and it was not working.
Then I formatted the flash again and started from the beginning, but this time I got this error:

***ERROR: WireGuard 'client' doesn't have a LOCAL IP Address! - try 'peer wg11 ip=xxx.xxx.xxx.xxx/32'?

Please help me xD

Thanks, really
 
Your import has probably gone wrong; delete the peer:
Code:
E:Option ==> peer wg11 del

When importing your config file in wgm, it should be as-is from your VPN provider. So if you are re-using your config file from @Odkrys scripts you might need to remove the # in Address and DNS, like:
Code:
[Interface]
PrivateKey = hidden=
Address = 10.20.23.224/19, 2a07:241:1:4000::17e1/64
DNS = 10.20.0.1, 2a07:241:1:4000::1

[Peer]
PublicKey = j3Yw1nWiSgz8YAGp95KrvyvUhVLCFZ5msO33KR/A0Dc=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = uk1.wg.azirevpn.net:51820
PersistentKeepalive = 25

Then import it again (place the file in /opt/etc/wireguard.d/):
Code:
E:Option ==> import azirevpn-uk2.conf

guide: https://github.com/ZebMcKayhan/WireguardManager#table-of-content

//Zeb
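A pre-import check for the failure mode in this exchange, added here as an example and not part of wireguard_manager: wgm takes the client's local address from the Address line of [Interface], and a line commented out with '#' (as in a config reused from the Odkrys scripts) is simply not there as far as the import is concerned. The script parses the .conf the way an INI-style reader would, ignoring comment lines and only looking inside [Interface], and says exactly what to fix. The two sample files are constructed from the config posted above and written to a temporary directory; on the router point it at the file in /opt/etc/wireguard.d/ instead.

```shell
#!/bin/sh
# Added example, not wireguard_manager code: check a provider .conf before
# 'import', so a missing or commented-out Address is caught before wgm
# reports that the client "doesn't have a LOCAL IP Address". wgm takes the
# local address from the Address line of [Interface]; a line hidden behind
# '#', as in a config reused from the Odkrys scripts, is not seen.

# conf_value FILE KEY -> value of the first uncommented "KEY = value" line
# in the [Interface] section; prints nothing and returns 1 if there is none.
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { section = $0; gsub(/[^A-Za-z]/, "", section); next }
        /^[[:space:]]*#/  { next }                      # commented out: ignored
        section == "Interface" && index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
                print v; found = 1; exit
            }
        }
        END { exit !found }' "$1"
}

# check_wg_conf FILE -> 0 and the Address/DNS when Address is usable,
# otherwise 1 and a one-line diagnosis of what to fix before 'import'.
check_wg_conf() {
    addr=$(conf_value "$1" Address) || {
        if grep -q '^[[:space:]]*#[[:space:]]*Address' "$1"; then
            echo "$1: Address is commented out; remove the leading # before import"
        else
            echo "$1: no Address line in [Interface]; add the one your provider gave you"
        fi
        return 1
    }
    dns=$(conf_value "$1" DNS) || dns="(none set)"
    echo "$1: Address = $addr; DNS = $dns"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed sample: the config from the post above, private key redacted as there
cat >"$WORK/broken.conf" <<'EOF'
[Interface]
PrivateKey = hidden=
#Address = 10.20.23.224/19, 2a07:241:1:4000::17e1/64
#DNS = 10.20.0.1, 2a07:241:1:4000::1

[Peer]
PublicKey = j3Yw1nWiSgz8YAGp95KrvyvUhVLCFZ5msO33KR/A0Dc=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = uk1.wg.azirevpn.net:51820
PersistentKeepalive = 25
EOF
# The same file with the two '#' removed, as in the reply
sed -e 's/^#Address/Address/' -e 's/^#DNS/DNS/' "$WORK/broken.conf" >"$WORK/fixed.conf"

for f in broken fixed; do
    check_wg_conf "$WORK/$f.conf" || echo "  -> fix $f.conf, then: import $f.conf"
done
```

The check runs against the file only; it does not touch wgm's own state, so it can be run before 'peer wg11 del' and 'import' to confirm the corrected file is the one being imported.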
 
It does. Can you check in /jffs/scripts/post-mount if you have this in it /jffs/addons/wireguard/wg_manager.sh init "" & # WireGuard Manager?
I do, yet I have to manually start my VPN server after a reboot.
 
Have you set the server to start automatically (e.g. is wg_manager down or just the server)? If the latter have you set
peer wg2x auto=y
 
How do I set it to start automatically in wg_manager? I cannot see any such options.
 
If your server is, say, wg21, then as noted in option 8 (and from the wg_manager prompt) type
Code:
peer wg21 auto=y
to see more options type
Code:
peer help
 
Thanks really, it worked in the end xD
My ISP doesn't provide IPv6 so I am using ULA.
I have 6 questions; I don't want to take your time, short answers are enough for me.

1. I didn't set up any MTU size for wg, what size do you suggest?

2. In this topic ---> Why is Diversion not working for WG Clients
is it safe to change the IPv4 DNS and IPv6 DNS? (Is it going to decrease security?)

3. Between these topics, which one works with ULA (default route) for making some routes:

a. Using Yazfi and WGM to route different SSIDs to different VPNs
b. Setup Yazfi for IPv6 subnet to route out wg vpn
c. Setup a reverse policy based routing
d. Setup Transmission and/or Unbound to use WG Client
e. Setup Transmission and/or Unbound to use WG Client (alternative way)

4. Can I use <dual wan load balancer> with wg? Is it stable for mining?
5. Can I use <dual wan load balancer> with ULA?
6. Can I use <dual wan load balancer routing wans with ips> with ULA?

Thanks for the help, have a good night
 
