Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

Is there something wrong with the existing wireguard-go package?
Nothing wrong with Entware wireguard-go except it is not available for the AX58U.
I see it available for the AX88U (aarch64) but not for the AX58U (armv7l).
 
amtm doesn’t differentiate armv7sf-k2.6 (no wireguard-go) and armv7sf-k3.2 (has wireguard-go) when installing Entware. Might be something for @thelonelycoder to look into.

 
I'll get that fixed right now.
 
As it stands, it's still in beta (a very solid one, though.)
About the OpenVPN questions - the wg_manager.sh script does not disable OpenVPN, and depending on how you wish to proceed there may be no need to disable it.

I still have 4 OVPN clients with some @Xentrk selective routing full steam on for things that (I believe) need the proven OVPN platform. At the same time I have 4 wg client peers and one server peer running in parallel with the same kind of selective routing (manually set up.) They coexist and perform very well in parallel. Selective IPset routing works among clients of the same sort.
The decision point though is whether you want to route your entire network through a tunnel, or not. In my case, I never felt the need to have every single device on the network redirected through a VPN. I selectively route IPs and CIDRs through different VPN clients and that's how it all works together.

Even so, there is a very important aspect to consider - OVPN has a client-based kill-switch while the wg_manager.sh has a global one. In other words, if you want to redirect all the network through a VPN client the simple, reasonable approach would be to use one or the other.
Thanks for the response.

Is there a way to run wg with a similar setup on how I currently use OVPN?

With OVPN I have to set 2 policy rules

192.168.1.0/24 = for all traffic to go thru VPN
192.168.1.1 = for Router to go thru WAN

Basically I would like to try 'wg' without OVPN, so can I disable OVPN and set up wg with those 2 policy rules above?

If so can someone smarter than me help me set up the 2 policy rules?
 
Nothing wrong with Entware wireguard-go except it is not available for the AX58U.
I see it available for the AX88U (aarch64) but not for the AX58U (armv7l).
I have pushed a hotfix for amtm that fixes this, see here.
 
It can be done as @Torson mentioned.
In wgm,
Code:
E:Option ==> peer wg11 rule add vpn 192.168.1.0/24 comment All_to_WGVPN
Then restart the peer
Code:
E:Option ==> 6 wg11
 
Is there a way to run wg with a similar setup on how I currently use OVPN?
Yes, that is doable and well documented in prior posts in this thread.

However, the pre-requisite to doing so (at the router level) is having valid wg.conf files from your VPN service provider (or 3rd party.) The likes of .ovpn configurations you can download or generate on the provider's site for OpenVPN tunneling.

Since you're using PIA, the question to ask is if they provide those Wireguard configuration files. I don't know what the current situation is. Earlier this year when I used them I had it working with configuration files generated as described at https://github.com/hsand/pia-wg which is a 3rd party. Since I don't use that method anymore (or PIA for that matter) I don't know if that still works, or maybe PIA are now offering a method of their own to generate the .conf files.

So, find out what the current situation is.
Next, providing that you have valid .conf file(s) test them first with a known working wireguard client (i.e. https://www.wireguard.com/install/).

At that point we'll make your current OVPN configuration work with Wireguard.
 
Whoops ...just updated my signature to reflect I'm now using VPN Unlimited.

They do support wireguard.

I read chongnt's post before yours and my question is how would I add the router policy rule (192.168.1.1) to go thru WAN?

He provided the rule for all traffic to go thru the VPN.

Thanks.

I think I'm making this too complicated : )
 
Code:
peer wg11 rule add wan 192.168.1.1 comment Router to WAN
 
So I'm in the process of installing wg.

Can anyone assist on how I upload my VPN wg.conf file to wgm?

Also upon wgm installation, it asked me if I want to create a 'device' peer for the 'server' peer (wg21), which I skipped since I want to set up wg11, correct?

Thanks and I apologize for the noob questions.

Thanks again.

Update: this is what is currently showing but it created this automatically for me.

Code:
    WireGuard ACTIVE Peer Status: Clients 0, Servers 1



1  = Update Wireguard modules                        7  = Display QR code for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                    8  = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
                                    9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers Summary [Peer...] [full]                10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients                                     
5  = Stop    [ [Peer... ] | category ] e.g. stop clients                                   
6  = Restart [ [Peer... ] | category ] e.g. restart servers                                   

?  = About Configuration                   
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')       

e  = Exit Script [?]

E:Option ==> 3

    interface: wg21     Port:51820    10.50.1.1/24         VPN Tunnel Network    # GT-AX11000 Server #1

     WireGuard ACTIVE Peer Status: Clients 0, Servers
 
Yes, I think you want wg client as in wg11. If you have the wg11.conf file ready, you can put it in /opt/etc/wireguard.d
Code:
##create wg client, create wg11.conf in /opt/etc/wireguard.d
E:Option ==> import wg11

        [✔] Config wg11 import success


##create wg client peer policy rule
E:Option ==> peer wg11 rule add vpn 192.168.1.111 comment MyVPNrule

        [✔] Updated RPDB Selective Routing rule for wg11 

##set wg client policy mode
E:Option ==> peer wg11  auto=p

        [✔] Updated 'wg11' AUTO=P


For the wg server, you can choose to delete it by
Code:
E:Option ==> peer wg21 del
 
I have everything set up but my devices are not connecting to the internet. Any ideas what might be causing this?
 
I might have missed out the restart step. Have you restarted your wg11 client?
Perhaps a bit more description of the problem will be helpful. Is your wg11 connected? Then check whether your devices can ping something like 8.8.8.8 and google.com, to see if it is a DNS-related issue or something else.
Some commands may be helpful to check, like "wg show wg11". If you have persistent keepalive set, then you can see the latest handshake timer keeps refreshing after some time, indicating it is running.
By the way, for the initial setup I think it is easier to add a rule for a single test host IP rather than the whole network. After making sure the single host works, we can add the whole network in later.
 
I did restart the wg11 with no luck.

So you're saying 1st setup the router to WAN rule and make sure everything works before putting the MyVPN rule for the whole network?
 
Sorry for not being clear. What I mean is for a first-time setup, it may be better to route just one of your clients into wg11 instead of the whole network 192.168.1.0/24. The reason being, in case it breaks and does not work in the first setup, it only impacts one client and other devices still have internet access.
There are a few possibilities that I can think of.
1. Did your wg11.conf file import successfully?

2. Is wg11 connected to your VPN provider? Here is a sample of my wg11 which is connected. I am connected to NordVPN. With persistent keepalive set to every 25 seconds, the latest handshake timer will reset to 0 when it increments to 2 minutes. This is a sign that wg11 is connected. With ifconfig wg11 you can also see whether the tx and rx counters increase when there is traffic over wg11.
Code:
admin@RT-AC86U-DBA8:/tmp/home/root# wg show wg11
interface: wg11
public key: XXXXXXXXXXXXXXXX
private key: (hidden)
  listening port: 42009
peer: XXXXXXXX
endpoint: xx.xx.xx.xx:51820
allowed ips: 0.0.0.0/0
latest handshake: 56 seconds ago
transfer: 1.94 GiB received, 21.90 MiB sent
persistent keepalive: every 25 seconds

admin@RT-AC86U-DBA8:/tmp/home/root# ifconfig wg11
wg11      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.5.0.2  P-t-P:10.5.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:1470748 errors:0 dropped:0 overruns:0 frame:0
          TX packets:218523 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2086099340 (1.9 GiB)  TX bytes:22990520 (21.9 MiB)

3. Is your route correctly applied? ip rule output should reflect the vpn rule added, eg
Code:
E:Option ==> peer wg11 rule add vpn 192.168.1.0/24 comment All_to_WGVPN
Code:
admin@RT-AC86U-DBA8:/tmp/home/root# ip rule 
...snipped...
9911:   from 192.168.1.0/24 lookup 121
...snipped...

4. Verify if the route is working properly. The example below shows that for my client to reach google dns 8.8.8.8, it will go through wg11.
Code:
admin@RT-AC86U-DBA8:/tmp/home/root# ip route get 8.8.8.8 from 192.168.1.111 iif eth0
8.8.8.8 from 192.168.1.111 dev wg11
    cache iif eth0

5. Verify with client. Example from your pc, use command prompt ping and trace route to 8.8.8.8 and also google.com to check internet connectivity.
 
What's the status @Kingp1n ? I hope you have not given up.

//Zeb
@ZebMcKayhan

Thanks for the follow-up.

I did give up last week since I could never get my devices to get online. However, I have some free time again this week during the day so I will try to tackle wireguard again.

It seems everything installs correctly, I also upload the wg11.conf file and when I run the 'wg show wg11' & 'ip rule', everything shows as connected.

I am running x3mRouting (option 3) which may be the reason it may not be working.

Guess I can temporarily uninstall x3m and disable OVPN and start with a fresh wgm install. Any additional step-by-step you can recommend to get this working?

My 2 policy rules I use with OVPN are:
192.168.1.1 --> Router --> WAN
192.168.1.0/24 -->All traffic --> VPN

As a side note, what would be the reason some folks use both 'wg' and OPVN simultaneously?
 
X3m manages and routes ipsets only, right? I use it myself but only to create and manage the ipsets.
I don't think this would be conflicting unless possibly for sites included in your ipsets.

It is quite common that these problems are DNS related. What DNS did you put in the conf file?
You can test to change it online in wgm:
Code:
peer wg11 dns 192.168.1.1
(Hope I got that syntax right)
Wgm uses dnat for dns so client requests are redirected to the wg dns before routing. Setting it to the router will make it use dnsmasq as other devices do.
Are you using any dns scripts?

When testing, in wgm, please post the output of:
Code:
Peer wg11
And remove the sensitive Keys.

Also the output of
Code:
ip rule
From the ssh prompt. Remove sensitive data if any.

Using "ip rule" you could delete some rules from x3m if you suspect they interfere.
This is my output:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ip rule
0:      from all lookup local
9900:   from 192.168.1.1/24 fwmark 0x8000 lookup main
9910:   from all to 192.168.1.1/16 lookup main
9911:   from 192.168.1.1/24 lookup 121
9921:   from 192.168.6.0/24 lookup 122
32766:  from all lookup main
32767:  from all lookup default

I also agree with @chongnt, start simple. The only rule you need is one for a single computer/IP so you don't bring down your entire network while you are debugging. Then add more as things start to work.

//Zeb

Edit: take a look at post #310 where @chongnt identified that the wan mark is out-prioritized by wgm policy rules. Try adding an additional wan rule with higher priority as suggested in the following posts.
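Added example (not code from the thread or from wg_manager): a small Python helper, run on a PC with pasted `ip rule` output, that checks the priority ordering Zeb's edit refers to. Both samples are constructed: the first from Zeb's output above, the second reproducing the order in which a whole-LAN rule outranks the 0x8000 WAN mark.

```python
import re

# Constructed sample modelled on the output Zeb posted: the fwmark bypass (9900)
# is evaluated before the LAN->VPN rule (9911), so marked packets still reach the WAN.
RULES_OK = """\
0:      from all lookup local
9900:   from 192.168.1.1/24 fwmark 0x8000 lookup main
9910:   from all to 192.168.1.1/16 lookup main
9911:   from 192.168.1.1/24 lookup 121
9921:   from 192.168.6.0/24 lookup 122
32766:  from all lookup main
32767:  from all lookup default
"""
# Constructed sample of the ordering Zeb's edit warns about: the whole-LAN rule (9911)
# precedes the fwmark bypass (9990), so traffic marked for the WAN enters the tunnel.
RULES_BAD = """\
0:      from all lookup local
9911:   from 192.168.1.0/24 lookup 121
9990:   from all fwmark 0x8000/0x8000 lookup main
32766:  from all lookup main
32767:  from all lookup default
"""

RULE_RE = re.compile(r"^\s*(\d+):\s+(.*?)\s*$")
# wgm client tables are 121, 122, ... ; a CIDR source means a catch-all LAN rule
LAN_VPN_RE = re.compile(r"from \d+\.\d+\.\d+\.\d+/\d+ lookup 12\d")


def parse_rules(text):
    """Return [(priority, selector), ...] in kernel evaluation order (lowest first)."""
    rules = [(int(m.group(1)), m.group(2))
             for m in map(RULE_RE.match, text.splitlines()) if m]
    return sorted(rules)


def check_wan_bypass(text):
    """Find the catch-all LAN->VPN rule and any 'lookup main' bypass rule that sits
    behind it. Those bypasses are dead: a LAN packet has already matched the VPN
    rule and been routed by the VPN table. Returns (vpn_priority, [dead_priorities])."""
    rules = parse_rules(text)
    vpn = next((p for p, sel in rules if LAN_VPN_RE.search(sel)), None)
    if vpn is None:
        return None, []
    dead = [p for p, sel in rules
            if p > vpn and "lookup main" in sel and sel != "from all lookup main"]
    return vpn, dead
```

A non-empty dead list means the WAN bypass needs a lower priority number than the LAN rule, which is what the extra wan rule suggested in the thread achieves.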
 
@Kingp1n, some good news and some guidance to follow...

Late last week I configured Wireguard with VPN Unlimited for a relative. It works well (with the observations noted below.)
Here are the high level steps:

1. If Wireguard Session Manager is installed, remove it and choose to delete all configuration files.
2. Re-install the script from the dev branch at: https://github.com/MartineauUK/wireguard/tree/dev
3. Time saving tip! Install the Wireguard client on your smartphone (from the Android or iOS store as applicable.)
4. On the VPN Unlimited site, generate a Wireguard configuration file for the location of your choice (they have well defined streaming locations too.)
5. On the same page, after the configuration file was generated you'll see a QR code.
6. Load the QR code in the phone application ('+' and 'Scan from QR code'.) Do not skip this step - it's a time (and head banging) saver. I had 2 configurations (out of 5) that did not connect, so no reason to troubleshoot the script for that. Make sure it connects and works on the phone - remove the phone from your network WiFi for this exercise.
7. Disconnect the OpenVPN client
8. Edit the .conf file on your PC (use Notepad++) and make it look similar to this:
Code:
# Comment of your choice (i.e. location)
[Interface]
PrivateKey = ???
ListenPort = 51820 - remove this line altogether; a dynamic port will be assigned
Address = ???
DNS = ???

[Peer]
PublicKey = ???
PresharedKey = ???
AllowedIPs = 0.0.0.0/0
Endpoint = ???
PersistentKeepalive = 25
Replace '???' with the values from your working .conf file.
9. Rename the file to wg11.conf and copy to /opt/etc/wireguard.d
10. On your PC start wgm and copy and paste the following one line at a time - make sure there are no errors.
Code:
import wg11
peer wg11 rule add 192.168.1.xxx comment wg test pc - replace 'xxx' as appropriate
peer wg11 auto=p
start wg11
list
11. At this point you should see that the client is connected.
12. Test connectivity (all other devices on the network are unaffected at this point since OpenVPN client is disconnected.) Only your configured PC is tunneled through the wg11 client.
13. If all looks good carry on with the following (to route the whole network through the tunnel)
Code:
peer wg11 rule add wan 192.168.1.1 comment Router to WAN
peer wg11 rule add 192.168.1.0/24 comment LAN to VPN
peer wg11 - you'll see 3 lines there - make note of the ID number of the original rule
peer wg11 rule del <ID> - ID is the number from the previous step (1 probably)
peer wg11 auto=y
peer wg11 dns=192.168.1.1
restart wg11
14. Hopefully that's the end :).

NOTES:
- x3m can stay - it only routes IP sets through the OpenVPN clients - no harm done.
- if you use Unbound and use VPN redirection make sure you disable (delete) that such that it will work through the WAN (at least for now.)
- I still use OpenVPN for some real world work since it's the proven path. Wireguard is 2-2.5 times faster on my router and looks promising for the future and current personal stuff...

If I skipped a step, please post and I'll edit here. Good luck!

EDIT: Changed command line numeric entries to text as per @Martineau and modified the Router to WAN statement.
 
Thanks for the assist.

So I believe I have everything set up correctly (or maybe not) since I can't use the internet at all. Any ideas what I'm doing wrong???? At this point, I know it's user error haha

Here is the output of peer wg11:

Code:
E:Option ==> peer wg11

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP               Endpoint              DNS  MTU  Public                                        Private                                       Annotate
wg11    P     10.100.0.xxx/32  199.115.xxx.xx :51820            Wm/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=  mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=  # N/A

    Selective Routing RPDB rules
ID  Peer  Interface  Source         Destination  Description
1   wg11  VPN        192.168.1.222  Any          wg test pc


     WireGuard ACTIVE Peer Status: Clients 1, Servers 0

This is what I get for IP Rule:

Code:
admin@GT-AX11000-xxxx:/tmp/home/root# ip rule
0:    from all lookup local
9911:    from 192.168.1.222 lookup 121
9990:    from all fwmark 0x8000/0x8000 lookup main
9995:    from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default

wg show wg11:

Code:
E:Option ==> wg show wg11

    WireGuard Userspace Tool:

interface: wg11
  public key: dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
  private key: (hidden)
  listening port: 51820

peer: Wm/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
  preshared key: (hidden)
  endpoint: 199.115.xxx.xx:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 6.65 KiB sent
  persistent keepalive: every 25 seconds

ENABLED    WireGuard ACTIVE Peer Status: Clients 1, Servers 0

ifconfig wg11:

Code:
admin@GT-AX11000-xxxx:/tmp/home/root# ifconfig wg11
wg11      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.100.0.162  P-t-P:10.100.0.162  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:86 errors:0 dropped:1145 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:12728 (12.4 KiB)
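Added example (not code from the thread or from wg_manager): a host-side Python helper that applies chongnt's checks from earlier in the thread (handshake timer, rx/tx counters) to pasted `wg show wg11` and `ifconfig wg11` output. The samples are constructed from the outputs posted in the thread; the "down" sample has the symptoms of the output just above (no handshake line, 0 B received, dropped TX packets).

```python
import re

# Constructed samples modelled on the thread: a tunnel with a recent handshake
# that is passing traffic, and one that has only ever sent packets.
WG_SHOW_UP = """\
interface: wg11
  listening port: 42009
peer: XXXXXXXX
  endpoint: xx.xx.xx.xx:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 56 seconds ago
  transfer: 1.94 GiB received, 21.90 MiB sent
  persistent keepalive: every 25 seconds
"""
WG_SHOW_DOWN = """\
interface: wg11
  listening port: 51820
peer: Wm/xxxxxxxx=
  endpoint: 199.115.xxx.xx:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 6.65 KiB sent
  persistent keepalive: every 25 seconds
"""
IFCONFIG_DOWN = """\
wg11      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:86 errors:0 dropped:1145 overruns:0 carrier:0
"""

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
TIME = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def handshake_age(wg_show):
    """Seconds since the last handshake, or None if none has ever completed."""
    m = re.search(r"latest handshake:\s+(.*)", wg_show)
    if not m:
        return None
    return sum(int(n) * TIME[u] for n, u in
               re.findall(r"(\d+)\s+(second|minute|hour|day)", m.group(1)))


def received_bytes(wg_show):
    """Bytes received from the peer according to the 'transfer:' line."""
    m = re.search(r"transfer:\s+([\d.]+)\s+(\w+) received", wg_show)
    return int(float(m.group(1)) * UNITS[m.group(2)]) if m else 0


def diagnose(wg_show, ifconfig="", stale_after=180):
    """Return findings (empty when healthy). 180 s is the stale threshold because
    PersistentKeepalive is 25 s and, as chongnt describes, the handshake timer
    resets at about 2 minutes on a working tunnel."""
    findings = []
    age = handshake_age(wg_show)
    if age is None:
        findings.append("no handshake ever completed: check Endpoint, keys and UDP reachability")
    elif age > stale_after:
        findings.append(f"last handshake {age}s ago: tunnel stalled")
    if received_bytes(wg_show) == 0:
        findings.append("0 B received: peer never answered")
    m = re.search(r"TX packets:\d+ .*dropped:(\d+)", ifconfig)
    if m and int(m.group(1)) > 0:
        findings.append(f"{m.group(1)} TX packets dropped before leaving the tunnel")
    return findings
```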
 