Wireguard Session Manager - Discussion (3rd) thread


I've updated wg_client to v4.17.9
Now that's more like it!

Code:
admin@RT-AC86U-D7D8:/tmp/home/root# grep -iE "^version" /jffs/addons/wireguard/wg_c*
/jffs/addons/wireguard/wg_client:VERSION="v4.17.9"
admin@RT-AC86U-D7D8:/tmp/home/root# iptables -nvL WGDNS1 -t nat
Chain WGDNS1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DNAT       all  --  *      *       192.168.1.0/24       0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:192.168.1.1
admin@RT-AC86U-D7D8:/tmp/home/root# iptables -nvL WGDNS2 -t nat
Chain WGDNS2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       192.168.6.0/24       0.0.0.0/0            /* WireGuard 'client2 DNS' */ to:9.9.9.9
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL WGDNS1 -t nat
Chain WGDNS1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
   37  3349 DNAT       all      *      *       aaff:a37f:fa75:1::/64  ::/0                 /* WireGuard 'client1 DNS' */ to:aaff:a37f:fa75:1::1
admin@RT-AC86U-D7D8:/tmp/home/root# ip6tables -nvL WGDNS2 -t nat
Chain WGDNS2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all      *      *       aaff:a37f:fa75:6::/64  ::/0                 /* WireGuard 'client2 DNS' */ to:2620:fe::fe
admin@RT-AC86U-D7D8:/tmp/home/root#
Thanks!

Interesting that my system seems to get 10 times more hit-count on IPv6 DNS lookups, so it seems preferred by our Android units...
 
Could someone help me please, tried almost everything - nothing helps.

In auto=P mode my router is leaking the ISP DNS address for some reason, on any device.
In auto=Y mode everything works as intended: DNS is displayed as the VPN DNS during tests.

I know it's somehow connected to the issue that in Policy mode the default routing is done over WAN and the router itself does not use the VPN server to access the internet.
The only possible workaround I found involves creating reverse policy routing, but it's not the best option in my opinion.

Maybe it's possible to solve this issue in a more "elegant" way? The DNS leak in auto=P mode is making Policy mode almost useless.

Thank you in advance.
 
Maybe it's possible to solve this issue in a more "elegant" way? The DNS leak in auto=P mode is making Policy mode almost useless.
It should work, but there has been an issue with DNS in wgm in the last dev versions. A fix released today fixed it.

Update to the latest dev version in wgm via uf dev, then check that you are on the latest version:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# grep -iE "^version" /jffs/addons/wireguard/wg_c*
it should return:
Code:
/jffs/addons/wireguard/wg_client:VERSION="v4.17.9"

Restart all peers and DNS shall be properly redirected to your VPN DNS in policy mode.

I know it's somehow connected to the issue that in Policy mode the default routing is done over WAN and the router itself does not use the VPN server to access the internet.
That is only relevant when wg DNS is set to the router. As long as you keep your DNS from your WireGuard config file, DNS from a policy client should be intercepted and redirected to the wg DNS and sent out over WireGuard.
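As an added example (not code from the thread or from wg_manager), a check for the interception described in this reply and in the WGDNS chain dumps posted earlier: it parses `iptables`/`ip6tables -nvL -t nat` output and flags any policy subnet whose DNS is not rewritten to the tunnel's resolver. The sample dumps are copied from the thread; the subnet-to-resolver mapping each check is given is an assumption for illustration.

```python
import re
from typing import Dict, List

# Constructed samples: the WGDNS chain dumps posted in the thread (iptables and
# ip6tables -nvL -t nat), with the wrapped "destination" header rejoined.
WGDNS1_V4 = """Chain WGDNS1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DNAT       all  --  *      *       192.168.1.0/24       0.0.0.0/0            /* WireGuard 'client1 DNS' */ to:192.168.1.1
"""
WGDNS2_V4 = """Chain WGDNS2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       192.168.6.0/24       0.0.0.0/0            /* WireGuard 'client2 DNS' */ to:9.9.9.9
"""
WGDNS1_V6 = """Chain WGDNS1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
   37  3349 DNAT       all      *      *       aaff:a37f:fa75:1::/64  ::/0                 /* WireGuard 'client1 DNS' */ to:aaff:a37f:fa75:1::1
"""

# pkts, bytes, then everything up to the DNAT target. iptables prints an extra
# "opt" column ("--") that ip6tables omits, so the middle is split into tokens.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+DNAT\s+(.*?)\s+to:(\S+)\s*$")


def parse_dnat_rules(dump: str) -> List[Dict[str, object]]:
    """Return one dict per DNAT rule: hit count, source subnet and DNAT target."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        toks = m.group(3).split()
        if len(toks) > 1 and toks[1] == "--":  # drop the IPv4-only "opt" column
            del toks[1]
        rules.append({"pkts": int(m.group(1)), "source": toks[3], "to": m.group(4)})
    return rules


def check_dns_redirect(dump: str, expected: Dict[str, str]) -> List[str]:
    """Compare a chain dump against {policy subnet: tunnel DNS} and list findings.
    A subnet without a DNAT rule, or one rewritten to a different resolver, is
    where a policy-routed client's queries would leave via the WAN resolver."""
    by_source = {r["source"]: r for r in parse_dnat_rules(dump)}
    findings = []
    for subnet, dns in expected.items():
        rule = by_source.get(subnet)
        if rule is None:
            findings.append(f"{subnet}: no DNAT rule, DNS follows the default WAN route")
        elif rule["to"] != dns:
            findings.append(f"{subnet}: DNS rewritten to {rule['to']}, expected {dns}")
    return findings
```

Feed it the live output of `iptables -nvL WGDNS1 -t nat` to confirm the redirect after the `uf dev` upgrade; a zero hit count on a rule that should be busy is itself worth investigating.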
 
Just pushed the 20220627 kernel modules to the main branch (the others moved to stale branch 20210606_2 for manual download/install). Since I haven't heard anything, I assume they are running just as well on the AX88U as on my AC86U (@JGrana ?)

I figure it will tie in nicely with what's coming next...
 
Just pushed the 20220627 kernel modules to the main branch (the others moved to stale branch 20210606_2 for manual download/install). Since I haven't heard anything, I assume they are running just as well on the AX88U as on my AC86U (@JGrana ?)

I figure it will tie in nicely with what's coming next...
On my AX88U, running great!
 
wgmExpo.sh updated to v 0.5 to work with latest wgm release (WireGuard --> WireGuard® tag changed).

To update just issue:
Code:
E:Option ==> addon wgmExpo.sh

        wgmExpo.sh downloaded successfully

Usage:
Code:
admin@RT-AC86U-D7D8:/# wgmExpo --help
   wgmExpo Version 0.5 by ZebMcKayhan

   Execute menu command in Wireguard Session Manager

   Usage:
      wgmExpo <Option> "command 1" "command 2" "command n"

   Options:
      -h       - Help
      -v       - Version
      -s       - Silent mode, no output
      -c       - Monocrome output (no ASCII escape characters)
      -t       - Display WireGuard® ACTIVE Peer Status: each command
      -e       - Expose all display output (no filtering)
      -remove  - Remove wgmExpo

   Example:
      wgmExpo "peer wg11 comment Italy"
      wgmExpo -c "peer wg11 dns=9.9.9.9" "restart wg11"
      wgmExpo -ct "livin wg11 192.168.10.53"
 
Just went through my router logs and to my surprise the blog mcast error messages seem to have stopped coming on the 12th of May.

Last logs:
Code:
May 12 16:16:20 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:16:20 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:16:41 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:16:41 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:17:01 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:17:01 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m

It may be that I updated fw to 386.5_2 then but I'm not sure. @chongnt are you still getting them?
 
Just went through my router logs and to my surprise the blog mcast error messages seem to have stopped coming on the 12th of May.

Last logs:
Code:
May 12 16:16:20 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:16:20 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:16:41 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:16:41 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:17:01 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:17:01 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m

It may be that I updated fw to 386.5_2 then but I'm not sure. @chongnt are you still getting them?
I’m not sure if it’s still there. I use syslog-ng to specifically drop this message. Will have to disable it and see. You just update to 386.5_2? Why not update to 386.7_0?
 
I’m not sure if it’s still there. I use syslog-ng to specifically drop this message. Will have to disable it and see. You just update to 386.5_2? Why not update to 386.7_0?
Nope, but 12th of May might be when I did that update. I'm currently on 386.7.
 
Nope, but 12th of May might be when I did that update. I'm currently on 386.7.
I still see the error in 386.7_0. Going to enable syslog-ng to drop it again.

Code:
Jul  7 22:38:26 RT-AC86U-DBA8 kernel: [ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure
Jul  7 22:38:26 RT-AC86U-DBA8 kernel: [ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure
Jul  7 22:38:26 RT-AC86U-DBA8 kernel: [ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure
Jul  7 22:38:26 RT-AC86U-DBA8 kernel: [ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure
Jul  7 22:38:41 RT-AC86U-DBA8 kernel: [ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure
Jul  7 22:38:41 RT-AC86U-DBA8 kernel: [ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure
 
Wait a second!
I've not been checking in here for a while, so I probably missed the announcement, but I just logged into the GUI of my router and almost fell out of my chair at the WGM tab in my addons section.
Yes, it's beta... but holy cow! That's awesome! Congrats!
 
Wait a second!
I've not been checking in here for a while, so I probably missed the announcement, but I just logged into the GUI of my router and almost fell out of my chair at the WGM tab in my addons section.
Yes, it's beta... but holy cow! That's awesome! Congrats!
The current WireGuard® Manager WebUI Beta v0.13 isn't perfect, but it's a very crude addon in lieu of the ASUS VPN Fusion slated for firmware v388 later in the year.
 
I'm unable to repro the performance issues from (Wireguard - Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/) | Page 13 | SmallNetBuilder Forums) on my RT-AX86U with AsusWRT 386.7. I have a Site-to-Site connection bridging several networks, and from what I can tell they max out the upload speed of each network so far (CPU usage also seems to be pretty light). It would be great if there were an option to disable the forced disabling of "Flow Control" without having to manually modify wg_manager.sh each time.
 
I'm unable to repro the performance issues from (Wireguard - Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/) | Page 13 | SmallNetBuilder Forums) on my RT-AX86U with AsusWRT 386.7. I have a Site-to-Site connection bridging several networks, and from what I can tell they max out the upload speed of each network so far (CPU usage also seems to be pretty light). It would be great if there were an option to disable the forced disabling of "Flow Control" without having to manually modify wg_manager.sh each time.
That's weird... so full speed and no log entries with blog mcast messages???? I wonder what's so special about your setup? A site2site is basically a server peer; perhaps ordinary server peers don't need it either? Or perhaps it's because no internet traffic takes place over the tunnel, only LAN packets. Would be interesting to know.
Wonder what happens if you were to attempt this:
https://github.com/ZebMcKayhan/Wire...n/README.md#route-site-2-site-internet-access

I understand your problem. Only @Martineau could fix it.
 
That's weird... so full speed and no log entries with blog mcast messages???? I wonder what's so special about your setup? A site2site is basically a server peer; perhaps ordinary server peers don't need it either? Or perhaps it's because no internet traffic takes place over the tunnel, only LAN packets. Would be interesting to know.
Wonder what happens if you were to attempt this:
https://github.com/ZebMcKayhan/Wire...n/README.md#route-site-2-site-internet-access

I understand your problem. Only @Martineau could fix it.
Previously (based on real-world feedback) two HND router models (RT-AX86U/RT-AX58U) were hard-coded to DISABLE Flow Cache.

Whilst it was previously presumed/stated that WireGuard® was incompatible with Flow Cache, it is now the responsibility of the user to manually DISABLE Flow Cache, either permanently by using command vx to uncomment directive DISABLE_FLOW_CACHE, or for a temporary period by issuing
Bash:
e  = Exit Script [?]

E:Option ==> fc disable


    Broadcom Packet Flow Cache learning via BLOG disabled.
    Broadcom Packet Flow Cache flushing the flows

    Flow Cache Disabled
    (Use 'vx' command to uncomment config option 'DISABLE_FLOW_CACHE' to DISABLE permanently)

I've uploaded wg_manager Beta v4.18b3

To upgrade use:
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 
WireGuard® Session Manager v4.18 Released.

Improved support for the Addon WebUI v1.01 release.

i.e. most of the 'client' Peer configuration data fields can now be modified via the WebUI and changes are reflected in the SQL database;

Description
Auto Start Type
Address
DNS
MTU
Allowed IPs
Endpoint

plus some keywords such as MTU and Allowed IPs etc. have popup Tool Tips if you hover the mouse over them.

NOTE: The following fields cannot be altered in the WebUI

Public Key
Private Key
Preshared Key
Persistent Keepalive

Many wg_manager features available via the command line are still missing from the WebUI such as

'server' Peer configuration editing
IPSET management/Policy rule definition
Road-Warrior 'device' Peer Creation/QRcode display
'Passthru' rule management etc.

but basic 'client' Peer management functionality should be covered.

Upgrade using
Code:
e  = Exit Script [?]

E:Option ==> uf

    Router RT-AX86U Firmware (v386.7_1-gd1340bd88e)

    [✔] Entware Architecture arch=aarch64


    v4.18b5 WireGuard® Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
    MD5=b0c219086fbff4d1ae736e7ba2b93d66 /jffs/addons/wireguard/wg_manager.sh

        v4.17.9 (wg_client)
        v4.17.1 (wg_server)




    [✔] WireGuard® Module LOADED

    Checking for WireGuard® Kernel and Userspace Tool updates...

    [✔] WireGuard® Kernel module/User Space Tools included in Firmware RT-AX86U (v386.7_1-gd1340bd88e) (1.0.20210124)

        WireGuard® exists in firmware      - use 'vx' command to override with 3rd-Party/Entware (if available)
        User Space tool exists in firmware - use 'vx' command to override with 3rd-Party/Entware (if available)


    Forced Update

    Downloading scripts
    wg_manager.sh downloaded successfully
    wg_client downloaded successfully
    wg_server downloaded successfully
    UDP_Updater.sh downloaded successfully
    wg_ChkEndpointDDNS.sh downloaded successfully
    wg_manager.asp downloaded successfully
    Help.md downloaded successfully
    wgmExpo.sh downloaded successfully

    WebUI page 'user2.asp' ('wg_manager.asp') unmounted
    WebUI page ('wg_manager.asp') mounted as 'user2.asp'
    [✔] Restarted service_httpd for WebUI

+======================================================================+
|  Welcome to the WireGuard® Manager/Installer script (Asuswrt-Merlin) |
|                                                                      |
|                      Version v4.18 by Martineau                      |
|                                                                      |
+======================================================================+
 
Previously (based on real-world feedback) two HND router models (RT-AX86U/RT-AX58U) were hard-coded to DISABLE Flow Cache.

Whilst it was previously presumed/stated that WireGuard® was incompatible with Flow Cache, it is now the responsibility of the user to manually DISABLE Flow Cache, either permanently by using command vx to uncomment directive DISABLE_FLOW_CACHE, or for a temporary period by issuing
Bash:
e  = Exit Script [?]

E:Option ==> fc disable


    Broadcom Packet Flow Cache learning via BLOG disabled.
    Broadcom Packet Flow Cache flushing the flows

    Flow Cache Disabled
    (Use 'vx' command to uncomment config option 'DISABLE_FLOW_CACHE' to DISABLE permanently)

I've uploaded wg_manager Beta v4.18b3

To upgrade use:
Code:
e  = Exit Script [?]

E:Option ==> uf dev
That's great!

Considering that most models currently require fc to be turned off, maybe the sample config should by default turn it off. There would be a risk of getting a lot of "why is wg so slow" questions??
 
Considering that most models currently require fc to be turned off, maybe the sample config should by default turn it off.
I can't win either way, so wg_manager v4.18 will NOT DISABLE Flow Cache unless the user explicitly uncomments the DISABLE_FLOW_CACHE directive.

Furthermore, if Flow Cache has been temporarily DISABLED, wg_manager will now always ENABLE Flow Cache when the last 'client' Peer is terminated.

No doubt ASUS firmware v388.xx will formally address this incompatibility issue.
 