Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

[Martineau]

wg_manager Beta v4.08 available on Github dev branch

The new beta no longer uses the single clunky typo-prone Policy rules definition entry, instead the RPDB rules are managed in a more human-friendly manner (in lieu of the pending GUI)

However, the old Policy database table needs to be discarded and one conforming to the new layout created.

Unfortunately there is no auto-migration of the old-style entries, so print the current definition for each policy Peer, as you will need to manually reenter them. - sorry

To update

e  = Exit Script [?]

E:Option ==> uf dev

Delete the old style 'policy' database table by entering the two commands drop table policy; and .quit at the sqlite> prompt

e  = Exit Script [?]

E:Option ==> diag sqlX


Use command 'diag sql [ table_name ]' to see the SQL data (might be many lines!)

       Valid SQL Database tables: clients  devices  fwmark   ipset    policy   servers  session  traffic

             e.g. diag sql traffic will show the traffic stats SQL table

    DEBUG: Interactive SQL '/opt/etc/wireguard.d/WireGuard.db'
    Tables: clients  devices  fwmark   ipset    policy   servers  session  traffic

SQLite version 3.33.0 2020-08-14 13:23:32
Enter ".help" for usage hints.
sqlite> drop table policy;
sqlite> .quit


    WireGuard ACTIVE Peer Status: Clients 0, Servers 0

Now keep all of the other existing database tables and data but recreate the empty Policy RPDB database table.

e  = Exit Script [?]

E:Option ==> initdb keep

    No Peer entries to auto-migrate from '/jffs/addons/wireguard/WireguardVPN.conf', but you will need to manually import the 'device' Peer '*.conf' files:

<snip>

Error: near line 1: table servers already exists                <<== These errors are expected but assist in confirmation of the 'initdb' actions i.e NO Line 4 error!
Error: near line 2: table clients already exists
Error: near line 3: table devices already exists
Error: near line 5: table fwmark already exists
Error: near line 6: table ipset already exists
Error: near line 7: table traffic already exists
Error: near line 8: table session already exists

    WireGuard ACTIVE Peer Status: Clients 0, Servers 0

and there should now be an empty 'policy' database table

e  = Exit Script [?]

E:Option ==> diag sql policy

    DEBUG: SQL '/opt/etc/wireguard.d/WireGuard.db'

    Table:policy

Now enter your Policy RPDB rules per Peer (see example at the bottom of this post) - one rule per line (unlike previously where it was a single line containing multiple cryptic unreadable rules)

There are examples shown by

e  = Exit Script [?]

E:Option ==> peer help

    peer help                               - This text

<snip>

    peer peer_name {rule [del {id_num} |add [wan] rule_def]}        - Manage Policy rules e.g. peer wg13 rule add 172.16.1.0/24 comment All LAN
                                                                                               peer wg13 rule add wan 52.97.133.162 comment smtp.office365.com
                                                                                               peer wg13 rule add wan 172.16.1.100 9.9.9.9 comment Quad9 DNS

 

[Martineau]

@Torson
Yes, this might be the solution to my problem!
I remember now, when "do not use WARP for local network devices" was introduced in the Windows WARP beta client, the problem was gone.
Maybe @Martineau is able to introduce a "switch" to "bypass VPN for local devices/IP ranges/local network connectivity".

View attachment 32639

@Ubimo Not sure why I would need to implement

• a "switch" to "bypass VPN for local devices/IP ranges/local network connectivity".

as this appears to be uniquely specific to the Cloudflare WARP-App's WireGuard 'client' Peer configuration?

i.e. what infallible logic would wgm need to use in order to ENABLE/DISABLE the 'switch'?

 

[Torson]

wg_manager Beta v4.08 available on Github dev branch

...and I was scratching my head last night to understand why the RPDB rules in your reply look so different than mine '

but the contents of the Event files are expected to be managed externally and not from within wgm unless you are suggesting a vx shortcut to edit the event scripts?

Yes, what I am asking is if possible to have an event management link in vx or any other format that would also work with the "pending GUI".

I apologize for the lack of coherence in my posting yesterday, but you answered my questions. Thank you!

 

[Torson]

EDIT: Perhaps it is prudent to prevent setting Auto=P if there are no Policy rules defined for the 'client' Peer?
e.g.

e  = Exit Script [?]

E:Option ==> peer wg12 auto=p

    ***ERROR No Policy rules exist for wg12 (use 'peer wg12 rule add' command first)

although it is very convenient to be able to quickly temporarily establish the now converted non-Policy Peer connection for say immediate testing?

That is what I was alluding to in yesterday's blurb. Testing or pass through the tunnel traffic generated by external events (without forcing all traffic through it hence making it an 'auto=y' tunnel.) My workaround was to keep the tunnel open by assigning a dummy client peer to it. Not sure if that would work with the new rule format though...

 

[Martineau]

That is what I was alluding to in yesterday's blurb. Testing or pass through the tunnel traffic generated by external events (without forcing all traffic through it hence making it an 'auto=y' tunnel.)

My workaround was to keep the tunnel open by assigning a dummy client peer to it.

A 'client' Peer is either in Policy mode or it isn't.

Defining either a dummy Policy rule or a real one forces the 'client' Peer as expected.

Not sure if that would work with the new rule format though...

P.S. The new rule format is irrelevant

 

[Torson]

New install of the latest version. I imported a client peer and created the policy rules. Then changed the auto start to policy. Here is the outcome:

E:Option ==> 4 wg11

        Requesting WireGuard VPN Peer start (wg11)

        wireguard-client1: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to engage.cloudflareclient.com:2408 (# N/A) DNS=1.1.1.1
Error: no such column: rules
        wireguard-client1: Initialisation complete.

If changing

auto=n

and manually starting the client peer it's all good.

 

[Martineau]

New install of the latest version. I imported a client peer and created the policy rules. Then changed the auto start to policy. Here is the outcome:

E:Option ==> 4 wg11

        Requesting WireGuard VPN Peer start (wg11)

        wireguard-client1: Initialising Wireguard VPN 'client' Peer (wg11) in Policy Mode to engage.cloudflareclient.com:2408 (# N/A) DNS=1.1.1.1
Error: no such column: rules
        wireguard-client1: Initialisation complete.

If changing

auto=n

and manually starting the client peer it's all good.

Whoops. You should have script wg_client v4.09

It seemingly wasn't re-loaded on Github dev branch

I suggest you perform

e  = Exit Script [?]

E:Option ==> uf dev

and try the Policy mode agian.

 

[Ubimo]

I'm no expert, but it seems v4.09 got reverted 5h ago?

 

[Torson]

It now works -thank you.

 

[Ubimo]

@Torson
Do you also use Cloudflare WARP?
Can you please share your config and setup? (.conf, router ip, routing, network...)
It might give me some hints on why WARP isn't working on my side.
Thanks!

 

[jobhax]

I get this when trying to check policy after following steps to migrate

 

[Martineau]

I get this when trying to check policy after following steps to migrate
View attachment 32661

That looks like a corrupted script?

Can you try running the command in debug mode and post the output.

e  = Exit Script [?]

E:Option ==> debug

e  = Exit Script [?]

E:Debug mode enabledOption ==> diag sql policy

If you can post a copy of the script to pastebin etc. I'll try and see why it is corrupt.

In the interim I suggest you turn off debug and refresh the script

e  = Exit Script [?]

E:Debug mode enabledOption ==> debug
+ printf %s debug
+ sed s/^[ \t]*//;s/[ \t]*$//
+ menu1=debug
+ Validate_User_Choice debug
+ local menu1=debug
+ [ Y == Y ]
+ echo debug
+ menu1=debug
+ Process_User_Choice debug
+ local menu1=debug
+ [ -z Debug mode enabled ]
+ DEBUGMODE=
+ set +x

e  = Exit Script [?]

E:Option ==> uf dev

 

[jobhax]

That looks like a corrupted script?

Can you try running the command in debug mode and post the output.

e  = Exit Script [?]

E:Option ==> debug

e  = Exit Script [?]

E:Debug mode enabledOption ==> diag sql policy

If you can post a copy of the script to pastebin etc. I'll try and see why it is corrupt.

In the interim I suggest you turn off debug and refresh the script

e  = Exit Script [?]

E:Debug mode enabledOption ==> debug
+ printf %s debug
+ sed s/^[ \t]*//;s/[ \t]*$//
+ menu1=debug
+ Validate_User_Choice debug
+ local menu1=debug
+ [ Y == Y ]
+ echo debug
+ menu1=debug
+ Process_User_Choice debug
+ local menu1=debug
+ [ -z Debug mode enabled ]
+ DEBUGMODE=
+ set +x

e  = Exit Script [?]

E:Option ==> uf dev

I just blew it all away and started fresh. I got wg11 to work now just trying to setup selective routing which I am having a hard time understanding. This is what I want added
"/tmp/home/root# nvram get vpn_client1_clientlist
<server>192.168.50.3>0.0.0.0/0>VPN"

 

[Jumpstarter]

Do the WireGuard modules supplied by @Odkrys support IPv6?

Since I have no access to IPv6 the initial short answer is NO, but I have paid lip-service to IPv6 but the script by and large only checks to strip IPv6 stuff if IPv6 isn't enabled.

i.e. if you have IPv6 enabled and already manually installed WireGuard, when creating the Road-Warrior 'device' Peer the Github main branch script does add this to the Peer to the Allowed IPs:

[ "$USE_IPV6" == "Y" ] && IPV6=", ::/0"

However, if you wish to test IPv6, I have uploaded to the Github dev branch



a crude IPv6 version for creating/testing an IPv6 'server' Peer for an IPv6 Road-Warrior 'device' Peer (it may be borked who knows!)

e.g. Normally a new 'server' Peer is created as IPv4

e  = Exit Script [?]

E:Option ==> peer new

    *** Ensure Upstream router Port Foward entry for port:11503 ***

    Press y to Create 'server' Peer (wg23) 10.50.3.1/24:11503 or press [Enter] to SKIP.

but you can try

e  = Exit Script [?]

E:Option ==> peer new ipv6

    *** Ensure Upstream router Port Foward entry for port:11503 ***

    Press y to Create (IPv6) 'server' Peer (wg23) fc00:50:3::1/64:11503 or press [Enter] to SKIP.
y
    Creating WireGuard Private/Public key-pair for (IPv6) 'server' Peer wg23 on RT-AC86U (v386.2)
    Press y to Start (IPv6) 'server' Peer (wg23) or press [Enter] to SKIP.
y

    Requesting WireGuard VPN Peer start (wg23)

    wireguard-server3: Initialising Wireguard VPN (IPv6) 'Server' Peer (wg23) on 10.88.8.1:11503 (# RT-AC86U (IPv6) Server 3)
    wireguard-server3: Initialisation complete.


    interface: wg23     Port:11503             VPN Tunnel Network    # RT-AC86U (IPv6) Server 3

     WireGuard ACTIVE Peer Status: Clients 0, Servers 1

e  = Exit Script [?]

E:Option ==> peer wg23

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Server  Auto  Subnet           Port   Public                                        Private                                       Annotate
wg23    N     fc00:50:3::1/64  11503  AGc+n42YCNDdDY/eA7ZchreaeW5cfEYvz3DEwyrW0Hw=  ++c1n42XDNCdDYDe&ZAchreaeW5cfEYvxxxwVrW0Hw=  # RT-AC86U (IPv6) Server 3

Now create a Road-Warrior 'device' Peer and attach it to the new IPv6 'server' Peer

e  = Exit Script [?]

E:Option ==> 9 MyIPv6Phone wg23

    Creating Wireguard Private/Public key pair for device 'MyIPv6Phone'
    Device 'MyIPv6Phone' Public key=yhhpomh0OWTEBcCQzGXdsYjmFy85otcHXoX/a0j+yTE=

    Using Public key for 'server' Peer 'wg23'


    WireGuard config for Peer device 'MyIPv6Phone' created (Allowed IP's 0.0.0.0/0, ::/0 # ALL Traffic)

    Press y to Display QR Code for Scanning into WireGuard App on device 'MyIPv6Phone' or press [Enter] to SKIP.
y

<QR code here>

    Press y to ADD device 'MyIPv6Phone' to 'server' Peer (wg23) or press [Enter] to SKIP.
y

    Adding device Peer 'MyIPv6Phone' fc00:50:3::2/128 to RT-AC86U 'server' (wg23) and WireGuard config


    WireGuard 'server' Peer needs to be restarted to listen for 'client' Peer MyIPv6Phone "Device"
    Press y to restart 'server' Peer (wg23) or press [Enter] to SKIP.
y

    Requesting WireGuard VPN Peer restart (wg23)

    Restarting Wireguard 'server' Peer (wg23)
    wireguard-server3: Wireguard VPN '' Peer (wg23) on 10.88.8.1:11503 (# RT-AC86U (IPv6) Server 3) Terminated

    wireguard-server3: Initialising Wireguard VPN (IPv6) 'Server' Peer (wg23) on 10.88.8.1:11503 (# RT-AC86U (IPv6) Server 3)
    wireguard-server3: Initialisation complete.


    interface: wg23     Port:11503                             VPN Tunnel Network      # RT-AC86U (IPv6) Server 3
        peer: yhhpomh0OWTEBcCQzGXdsYjmFy85otcHXoX/a0j+yTE=     fc00:50:3::2/128        # MyIPv6Phone "Device"

     WireGuard ACTIVE Peer Status: Clients 0, Servers 1

I am not seeing an ipv6 address while using IPV6 site tunnel.

 

[Torson]

@Torson[/USER]
Do you also use Cloudflare WARP?
Can you please share your config and setup? (.conf, router ip, routing, network...)
It might give me some hints on why WARP isn't working on my side.
Thanks!

I use Cloudflare Warp too. However, my configuration may be irrelevant or misleading in troubleshooting your DNS issues.

Have you looked into the possibility of changing that 172.16.x.x device address? Or could you turn it off or isolate it for troubleshooting?
On the WAN settings page do you use your provider's DNS or Cloudflare for example?
On the LAN page DNSFiltering tab where you said you have the Global Filter Mode set to Router, have you deleted (if there were any) Custom DNS entries on that page?

 

[Torson]

I just blew it all away and started fresh. I got wg11 to work now just trying to setup selective routing which I am having a hard time understanding. This is what I want added
"/tmp/home/root# nvram get vpn_client1_clientlist
<server>192.168.50.3>0.0.0.0/0>VPN"

The RPDB rules entry format has changed with latest release. You can find more details and some examples at the top of this page https://github.com/MartineauUK/wireguard/commit/31d5ba995d862c0baf00aa5aa76387cd1ec3f649.

The following will achieve what you're asking for:

peer wg11 rule add 192.168.50.3 comment server

 

[jobhax]

The RPDB rules entry format has changed with latest release. You can find more details and some examples at the top of this page https://github.com/MartineauUK/wireguard/commit/31d5ba995d862c0baf00aa5aa76387cd1ec3f649.

The following will achieve what you're asking for:

peer wg11 rule add 192.168.50.3 comment server

Well that's simple of enough Thank You for that. I guess I was over analyzing that and thought I had to have multiple rules to achieve that. Thank You!


At first glance it seemed to work but now i get this error


EDIT: all working now. Yay for case sensitivity.

One last question what do I need to edit to turn kill-switch on/off?

 

[Martineau]

One last question what do I need to edit to turn kill-switch on/off?

e  = Exit Script [?]

E:Option ==> killswitch on

ENABLED    WireGuard ACTIVE Peer Status: Clients 2, Servers 2

 

[Martineau]

I am not seeing an ipv6 address while using IPV6 site tunnel.

Neither do I.

My ISP does not provide IPv6 (nor do I run IPv6 internally on my network) so all I can do is try to ensure the script's IPv6 compatible by simply blindly replicating the IPv4 commands where appropriate.
i.e. if you require Selective Routing, then the script will attempt to mangle the LAN IPv6 configuration but this hopefully shouldn't have any impact on the router's ability to acquire/use an IPv6 stack.

So debugging is impossible at my end, but a savvy IPv6 user should be able to use the wgm diagnostics command (or native command line IPv6 tools if I haven't coded sufficiently detailed IPv6 diagnostic commands) to provide helpful feedback

e  = Exit Script [?]

E:Option ==> diag

Clearly if WireGuard was installed using wgm, you can simply uninstall wgm (Ignore prompt i.e. hit ENTER ( DON'T reply 'Y' DELETE) to keep the config directory which also retains the WireGuard kernel modules and User Space Tools) and then check if you do see an IPv6 address either for the 'server' or 'client' Peer using the current '.conf' files.

Not sure if the following statement on the WireGuard home page would have any bearing:

 

[Ubimo]

@Torson
I need this device for my Internet.
This is my setup: PC (192.168.1.139) -> Router (192.168.1.1) -> LTU Pro (Bridge, 172.16.253.6) -> LTU Rocket (Bridge, 172.16.253.2) -> ISP

Can I simply change this line in my warp.conf to another IP adress?

Address = 172.16.0.2/32

If so, to which IP adress?

Edit:
In the Windows Cloudflare WARP app, these IPs are excluded: