What's new

Wireguard Session Manager - Discussion (3rd) thread

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Hi @ZebMcKayhan though you may like to know that having upgraded to 386.7_1 I was able to remove entware iptables from my setup, including removing
Code:
ip6tables -t nat -A WGDNS1 -i br0 -j DNAT --to-destination ${WanIp6}
from wg11-up.sh.

As far as I can tell, everything is working fine.
 
Hi @ZebMcKayhan though you may like to know that having upgraded to 386.7_1 I was able to remove entware iptables from my setup, including removing
Code:
ip6tables -t nat -A WGDNS1 -i br0 -j DNAT --to-destination ${WanIp6}
from wg11-up.sh.

As far as I can tell, everything is working fine.
I know! I've done the same.
But you also used NETMAP for your server2wan, is that also working? Or did you ditch NETMAP for MASQUARADE?

Remember those error messages when creating new peers (or interfaces)? Are these gone as well?
Code:
ERR: bdmf_attrelem_add_as_num#4276: system: status:No resources. attribute:ipv4_host_address_table index:0 value:171049217
 
Last edited:
I have not ditched NETMAP. On a quick check both a direct client connection (ubuntu vm) and a routed phone appear to working correctly (no ip leaks showing, adblocking functioning ,ipv6 tests all good)

However, although 'stop wg11' completed normally, 'stop wg21' generated
Code:
E:Option ==> stop wg21

        Requesting WireGuard® VPN Peer stop (wg21)

ip6tables v1.4.15: unknown option "--to"
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.15: unknown option "--to"
Try `ip6tables -h' or 'ip6tables --help' for more information.
which would seem to correspond to the last lines in wg21-down.sh
Code:
#!/bin/sh
###############################################################################
# Example for Wg21 ipv6 = aa00:aaaa:bbbb:cccc:100::1/120
# Change to your needs but keep formatting
Wg21Prefix=aa36:7ef1:2add:aa88:: #Wg21 ULA prefix with aa instead of fd
Wg21Suffix=100::1  #Wg21 Device suffix (last 64 bits)
Wg21PrefixLength=120   #Wg21 Prefix Length (120 recommended)
WanInterface=eth0
# Changing below lines should not be needed:
WanIp6Prefix=$(nvram get ipv6_prefix)     #WanIp6Prefix=2001:1111:2222:3333::
Wg21_PrefIp=${Wg21Prefix%:*}${Wg21Suffix}/${Wg21PrefixLength}      #aa00:aaaa:bbbb:cccc:100::1/120
WanWg21_PrefIp=${WanIp6Prefix%:*}${Wg21Suffix}/${Wg21PrefixLength}   #2001:1111:2222:3333:100::1/120
# Execute firewall commands:
ip6tables -t nat -I POSTROUTING -s ${Wg21_PrefIp} -o ${WanInterface} -j NETMAP --to ${WanIp6Prefix}/64
ip6tables -t nat -I PREROUTING -i ${WanInterface} -d ${WanWg21_PrefIp} -j NETMAP --to ${Wg21Prefix}/64
###############################################################################
and I get the matching error in wg21-up.sh

Also for wg11 I still get
Code:
ERR: bdmf_attrelem_add_as_num#4276: system: status:No resources. attribute:ipv4_host_address_table  index:0 value:167775100

I tried swapping out the above last two lines using SNTP (up) / DNTP (down)
Code:
ip6tables -t mangle -I POSTROUTING -s ${Wg21_PrefIp} -o eth0 -j SNPT --src-pfx ${Wg21Prefix}/64 --dst-pfx ${WanIp6Prefix}/64
but then this generated
ip6tables v1.4.15: unknown option "--src-pfx"
so presumably, unless i want to reinstall entware iptables (which does seem to work fine with 386.7) I presume I need to replace the NETMAP commands with MASQUERADE - can you point me at the correct syntax for this?
 
Hi all,
1. Thanks for the great work
2. Excuse me for the stupid questions
"latest version"
Questions:

1. From time to time, 1-2 days, my vg11 interface stops responding, and it needs to be rebooted manually. (go to the router and do "wgm restart wg11")
2. how to update the interface config without removing it completely

Kick me please how to do it automatically

THX
 
Last edited:
From time to time, 1-2 days, my vg11 interface stops responding, and it needs to be rebooted manually. (go to the router and do "wgm restart wg11")
Probably something restarting at your router removing some firewall rules and/or routes. Anything from the syslog?
Check with ? inside wgm that firewall-start or nat-start is monitor the firewall rules. Perhaps you need both?

how to update the interface config without removing it completely
Depending on what you want to change but most could be changed in the gui.
 
Probably something restarting at your router removing some firewall rules and/or routes. Anything from the syslog?
Check with ? inside wgm that firewall-start or nat-start is monitor the firewall rules. Perhaps you need both?

no its show as all is ok... only restarting the wg11 interface helps
 
I mean change some settings in wg11/wg21/etc without dell and import again
The Wireguard GUI is located under Addons menu. From there you could update peer information. You dont have to delete them but for the server peer you might not get the desired change until you generate new clients.

no its show as all is ok... only restarting the wg11 interface helps
Well, since Wireguard is a connectionless protocol the other end is not aware about you restarting wg11 so something is clearly interfering with wireguard on your router. Auto-restart wg11 periodically will not solve this and instead of creating scripts for checking and restarting I suggest we find what goes missing on your router and see if we can re-apply it at the right event(the same event that removes it)

Dump the output of these commands (from shell, not in wgm), you dont need to post them, instead dump and compared to when its not working:
Code:
iptables -nvL FORWARD -t filter

Code:
iptables -nvL POSTROUTING -t nat

Code:
wg show

Look for anything containing wg11, wg21.
if you choose to post them, make sure to remove wg private keys and public ips.
 
The Wireguard GUI is located under Addons menu. From there you could update peer information. You dont have to delete them but for the server peer you might not get the desired change until you generate new clients.

when I try to import corrected config (nano /mnt/sda1/entware/etc/wireguard.d/wg11.conf) i received error "configuration exists" and changes aren't applying.
 
when I try to import corrected config (nano /mnt/sda1/entware/etc/wireguard.d/wg11.conf) i received error "configuration exists" and changes aren't applying.
You typically dont need to import the config again (but that could depend on what you are trying to change).
Perhaps it is easier if you just state what type of information you want to change.
 
iptables -nvL FORWARD -t filter

iptables -nvL POSTROUTING -t nat

wg show

iptables -nvL FORWARD -t filter
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
3368K 655M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
954 269K WGM_ACL_F all -- wg+ * 0.0.0.0/0 0.0.0.0/0 /* Wireguard ACL */
0 0 ACCEPT all -- br0 wg21 0.0.0.0/0 0.0.0.0/0 /* LAN to WireGuard 'server clients' */
0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
1347K 165M OVPNSF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 other2wan all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
2319 145K ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
18915 960K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1326K 163M NSFW all -- * * 0.0.0.0/0 0.0.0.0/0
970K 127M ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
356K 37M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 OVPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0


iptables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 15290 packets, 1390K bytes)
pkts bytes target prot opt in out source destination
25287 3131K PUPNP all -- * eth0 0.0.0.0/0 0.0.0.0/0
24375 3076K MASQUERADE all -- * eth0 !176.XXX.XXX.84 0.0.0.0/0
4536 417K MASQUERADE all -- * br0 192.168.0.0/24 192.168.0.0/24


wg show
interface: wg21
public key: XXX
private key: (hidden)
listening port: 51830

peer: XXX
preshared key: (hidden)
allowed ips: 10.50.1.2/32

peer: XXX
preshared key: (hidden)
allowed ips: 10.50.1.3/32

peer: XXX
preshared key: (hidden)
allowed ips: 10.50.1.4/32

peer: XXX
preshared key: (hidden)
allowed ips: 10.50.1.5/32

peer: XXX
preshared key: (hidden)
allowed ips: 10.50.1.6/32

interface: wg11
public key: XXX
private key: (hidden)
listening port: 40131

peer: XXX
endpoint: XXX:63665
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 1 minute, 5 seconds ago. (sec:65)
transfer: 24.29 MiB received, 14.70 MiB sent
 
I mean change some settings in wg11/wg21/etc without dell and import again
Once the Peer .conf is imported (using peer import xxxxxx.conf) , the command line peer command can used to modify the Peer configuration (except for Keys) and most changes can now also be applied via the Beta WebUI

Code:
e  = Exit Script [?]

E:Option ==> peer help

    peer help                                                               - This text
    peer                                                                    - Show ALL Peers in database
    peer peer_name                                                          - Show Peer in database or for details e.g peer wg21 config
    peer peer_name {cmd {options} }                                         - Action the command against the Peer
    peer peer_name del                                                      - Delete the Peer from the database and all of its files *.conf, *.key
    peer peer_name ip=xxx.xxx.xxx.xxx                                       - Change the Peer VPN Pool IP
    peer category                                                           - Show Peer categories in database
    peer peer_name category [category_name {del | add peer_name[...]} ]     - Create a new category with 3 Peers e.g. peer category GroupA add wg17 wg99 wg11
    peer new [peer_name [options]]                                          - Create new server Peer             e.g. peer new wg27 ip=10.50.99.1/24 port=12345
    peer new [peer_name] {ipv6}                                             - Create new Dual-stack server Peer with 'aa' prefix e.g. peer new ipv6
    peer new [peer_name] {ipv6}                                             - Create new Dual-stack server Peer with 'fd' prefix e.g. peer new ipv6 ula
    peer new [peer_name] {ipv6 noipv4 [ula[4]]}                             - Create new IPv6 Only server Peer   e.g. peer new ipv6 noipv4
    peer new [peer_name] {ipv6 noipv4}                                      - Create new IPv6 Only server Peer   e.g. peer new ipv6 noipv4 ipv6=aaff:a37f:fa75:100:100::1/120
    peer import peer_conf [options]                                         - Import '.conf' into SQL database e.g. import Mullvad_Dallas
                                                                                                                    import SiteA type=server
    peer peer_name [del|add|upd] ipset {ipset_name[...]}                    - Selectively Route IPSets e.g. peer wg13 add ipset NetFlix Hulu
                                                                                                            peer wg12 upd ipset MACs dstsrc src
                                                                                                            peer wg12 upd ipset all enable n
    peer peer_name [add] subnet {IPSubnet[...]}                             - Configure downstream subnets e.g. peer wg13 add subnet 192.168.5.0/24
    peer peer_name {rule [del [all|id_num]|add [wan] rule_def]}             - Manage Policy rules e.g. peer wg13 rule add 172.16.1.0/24 comment All LAN
                                                                                                       peer wg13 rule add wan 52.97.133.162 comment smtp.office365.com
                                                                                                       peer wg13 rule add wan 172.16.1.100 9.9.9.9 comment Quad9 DNS
                                                                                                       peer wg17 rule del 10
                                                                                                       peer wg17 rule del all
    peer serv_peer_name {passthru client_peer {[add|del] [device|IP/CIDR]}} - Manage Passthu rules; 'server' peer devices/IPs/CIDR outbound via 'client' peer
                                                                                     peer wg21 passthru add wg11 SGS8
                                                                                     peer wg21 passthru add wg15 all
                                                                                     peer wg21 passthru add wg12 10.100.100.0/27
                                                                                     peer wg21 passthru del wg15 all
                                                                                     peer wg21 passthru del SGS8
                                                                                     peer wg21 passthru del all
    peer serv_peer_name {bind device_peer}                                  - Bind a Road Warrior 'device' Peer to a 'server' Peer e.g. peer wg21 bind SGS20

    Visit @ZebMcKayhan's Hint's and Tips Guide https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#table-of-content
The peer command accepts the following directives to alter the associated field for the relevant 'client'/'server' Peer:

auto=​
allowedips=​
dns=​
endpoint=​
ip=​
mtu=​
port=​
subnet=​

and the following syntax is used to allow multi-word free-format modification of the Description/Annotate tag

comment xxxx xxxxx xxxxxx​
 
Once the Peer .conf is imported (using peer import xxxxxx.conf) , the command line peer command can used to modify the Peer configuration (except for Keys) and most changes can now also be applied via the Beta WebUI
Ouh... Beta WebUI - Is it available in the update or does it need to be installed separately?
 
iptables -nvL FORWARD -t filter
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
3368K 655M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
954 269K WGM_ACL_F all -- wg+ * 0.0.0.0/0 0.0.0.0/0 /* Wireguard ACL */
0 0 ACCEPT all -- br0 wg21 0.0.0.0/0 0.0.0.0/0 /* LAN to WireGuard 'server clients' */
0 0 ACCEPT all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */
1347K 165M OVPNSF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 other2wan all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
2319 145K ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
18915 960K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1326K 163M NSFW all -- * * 0.0.0.0/0 0.0.0.0/0
970K 127M ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
356K 37M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 OVPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0


iptables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 15290 packets, 1390K bytes)
pkts bytes target prot opt in out source destination
25287 3131K PUPNP all -- * eth0 0.0.0.0/0 0.0.0.0/0
24375 3076K MASQUERADE all -- * eth0 !176.XXX.XXX.84 0.0.0.0/0
4536 417K MASQUERADE all -- * br0 192.168.0.0/24 192.168.0.0/24


wg show
interface: wg21
public key: XXX
private key: (hidden)
listening port: 51830

peer: XXX
preshared key: (hidden)
allowed ips: 10.50.1.2/32

peer: XXX
preshared key: (hidden)
allowed ips: 10.50.1.3/32

peer: XXX
preshared key: (hidden)
allowed ips: 10.50.1.4/32

peer: XXX
preshared key: (hidden)
allowed ips: 10.50.1.5/32

peer: XXX
preshared key: (hidden)
allowed ips: 10.50.1.6/32

interface: wg11
public key: XXX
private key: (hidden)
listening port: 40131

peer: XXX
endpoint: XXX:63665
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 1 minute, 5 seconds ago. (sec:65)
transfer: 24.29 MiB received, 14.70 MiB sent
Wg11 seems to be running but no sign of any rules for accept forwarding or masquarade for it. But wg21 is there so nothing seems flushed. Any error messages from wgm when wg11 is started? clearly wg11 would not work like this, but you say it is working after restart of wg11 then turns into this later?

If wireguard tab doesnt show under addons, the webui could be activated within wgm:
Code:
E:Option ==> www mount
 
Wg11 seems to be running but no sign of any rules for accept forwarding or masquarade for it. But wg21 is there so nothing seems flushed. Any error messages from wgm when wg11 is started? clearly wg11 would not work like this, but you say it is working after restart of wg11 then turns into this later?
No errors, no other issues. From time to time (1-3) days, I need to restart wg11 (or full router reboot), as it's stop working without any errors.
 
Ouh... Beta WebUI - Is it available in the update or does it need to be installed separately?
Depending on which version you have it should already be installed automatically.

However, I suggest you manually upgrade to the latest v1.02 dev version .....you should perform the script upgrade twice, the first defines the existence of the necessary WebUI .asp file, and the second actually downloads the WebUI .asp file for installation.

e.g.
Code:
e  = Exit Script [?]

E:Option ==> uf dev
Code:
e  = Exit Script [?]

E:Option ==> uf dev
...then manually force the WebUI install (if it isn't already installed)
e.g.
Code:
e  = Exit Script [?]

E:Option ==> www mount

    WebUI page ('wg_manager.asp') mounted as 'user2.asp'
or to fully ensure that the Web server is restarted to load the new .asp file regardless.
Code:
e  = Exit Script [?]

E:Option ==> www refreshX

    WebUI page 'user2.asp' ('wg_manager.asp') unmounted
    WebUI page ('wg_manager.asp') mounted as 'user2.asp'
    [✔] Restarted service_httpd for WebUI

NOTE: The WebUI Beta is still pretty crude, but the 'client' Peer management should be fully functional.
 
Last edited:
No errors, no other issues. From time to time (1-3) days, I need to restart wg11 (or full router reboot), as it's stop working without any errors.
Really strange. So something is deleting wg11 rules while leaving wg21 rules intact. Must be wgm doing something, altough unlikely. Sounds like wg11 gets half-stopped or something, creating some failure when the peer is stopped (but still initially succeeds).

Wg11 is set to auto=Y or auto=P right?

Whenever some router process attempts to reset the firewall, wgm executes wg_firewall to restart all peers set to autostart. The next time this happens, try to execute the same lines wg_firewall does (run from shell, not in wgm):
Code:
wg_manager stop

Code:
wg_manager start

See if there is any error message and also if wg11 gets terminated in the first command and started in the next command.
 
No errors, no other issues. From time to time (1-3) days, I need to restart wg11 (or full router reboot), as it's stop working without any errors.
No errors, no other issues. From time to time (1-3) days, I need to restart wg11 (or full router reboot), as it's stop working without any errors.
I suggest you schedule a cron job to dump diagnostics to Syslog, to give you a definitive indication of when (and how) the issue occurs.

e.g. every 5mins
Code:
cru a debugwg "0/5 * * * *" wgm diag >>/tmp/syslog.log

cru l
 
Really strange. So something is deleting wg11 rules while leaving wg21 rules intact. Must be wgm doing something, altough unlikely. Sounds like wg11 gets half-stopped or something, creating some failure when the peer is stopped (but still initially succeeds).

Wg11 is set to auto=Y or auto=P right?

Whenever some router process attempts to reset the firewall, wgm executes wg_firewall to restart all peers set to autostart. The next time this happens, try to execute the same lines wg_firewall does (run from shell, not in wgm):
Code:
wg_manager stop

Code:
wg_manager start

See if there is any error message and also if wg11 gets terminated in the first command and started in the next command.

wg11 auto=P

wg_manager stop
Requesting WireGuard® VPN Peer stop (wg21 wg11)
wg_manager-serverwg21: WireGuard® VPN 'Server' Peer (wg21) on 10.50.1.1:51830 (# RT-AC86U Server #1) Terminated
wg_manager-clientwg11: WireGuard® VPN 'client' Peer (wg11) to XXX.XXX.XXX.XXX:63665 (# N/A) Terminated
wg11: transfer: 1.69 MiB received, 510.63 KiB sent 0 Days, 00:03:16 since Mon Jul 18 16:50:51 2022 >>>>>> Mon Jul 18 16:54:07 2022
wg11: period : 1.69 MiB received, 510.63 KiB sent (Rx=1772093;Tx=522885)

wg_manager start
Requesting WireGuard® VPN Peer start (wg21 wg11)
wg_manager-serverwg21: Initialising WireGuard® VPN 'Server' Peer (wg21) on 10.50.1.1:51830 (# RT-AC86U Server #1)
wg_manager-serverwg21: Initialisation complete.
wg_manager-clientwg11: Initialising WireGuard® VPN 'client' Peer (wg11) in Policy Mode to XXX.XXX.XXX.XXX:63665 (# N/A) DNS=8.8.8.8,8.8.4.4
wg_manager-clientwg11: Initialisation complete.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top