JGrana
Very Senior Member
Is it something wrong with existing wireguard-go package?
Nothing wrong with Entware wireguard-go except it is not available for the AX58U.
I see it available for the AX88U (aarch64) but not for the AX58U (armv7l).
amtm doesn’t differentiate armv7sf-k2.6 (no wireguard-go) and armv7sf-k3.2 (has wireguard-go) when installing Entware. Might be something for @thelonelycoder to look into.
I'll get that fixed right now.
As it stands, it's still in beta (a very solid one, though.)
About the OpenVPN questions - the wg_manager.sh script does not disable OpenVPN, and depending on how you wish to proceed there may be no need to disable it.
I still have 4 OVPN clients with some @Xentrk selective routing full steam on for things that (I believe) need the proven OVPN platform. At the same time I have 4 wg client peers and one server peer running in parallel with the same kind of selective routing (manually set up.) They coexist and perform very well in parallel. Selective IPset routing works among clients of the same sort.
The decision point though is if you want to route your entire network through a tunnel, or not. In my case, I never felt the need to have every single device on the network redirected through a VPN. I selectively route IPs and CIDRs through different VPN clients and that's how it all works together.
Even so, there is a very important aspect to consider - OVPN has a client based kill-switch while the wg_manager.sh has a global one. In other words, if you want to redirect all the network through a VPN client the simple, reasonable approach would be to use one or another.
I have pushed a hotfix for amtm that fixes this, see here.
Thanks for the response.
Is there a way to run wg with a similar setup on how I currently use OVPN?
With OVPN I have to set 2 policy rules
192.168.1.0/24 = for all traffic to go thru VPN
192.168.1.1 = for Router to go thru WAN
Basically I would like to try 'wg' without OVPN, so can I disable OVPN and set up wg with those 2 policy rules above?
If so can someone smarter than me help me set up the 2 policy rules?
It can be done as @Torson mentioned.
E:Option ==> peer wg11 rule add vpn 192.168.1.0/24 comment All_to_WGVPN
E:Option ==> 6 wg11
Yes, that is doable and well documented in prior posts in this thread.
Whoops ...just updated my signature to reflect I'm now using VPN Unlimited.
They do support wireguard.
I read chongnt's post before yours and my question is how would I add the router policy rule (192.168.1.1) to go thru WAN?
He provided the rule for all traffic to go thru the VPN.
Thanks.
I think I'm making this too complicated : )
peer wg11 rule add wan 192.168.1.1 comment Router to WAN
So I'm in the process of installing wg.
Can anyone assist on how do I upload my VPN wg.conf file to wgm?
Also upon wgm installation, it asked me if I want to create a 'device' peer for 'server' peer (wg21) which I skipped since I want to set up wg11, correct?
Thanks and I apologize for the noob questions.
Thanks again.
Update: this is what is currently showing but it created this automatically for me.
Code:
WireGuard ACTIVE Peer Status: Clients 0, Servers 1
1 = Update Wireguard modules 7 = Display QR code for a Peer {device} e.g. iPhone
2 = Remove WireGuard/wg_manager 8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3 = List ACTIVE Peers Summary [Peer...] [full] 10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers
? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')
e = Exit Script [?]
E:Option ==> 3
interface: wg21 Port:51820 10.50.1.1/24 VPN Tunnel Network # GT-AX11000 Server #1
WireGuard ACTIVE Peer Status: Clients 0, Servers
Yes, I think you want wg client as in wg11. If you have the wg11.conf file ready, you can put it in /opt/etc/wireguard.d
##create wg client, create wg11.conf in /opt/etc/wireguard.d
E:Option ==> import wg11
[✔] Config wg11 import success
##create wg client peer policy rule
E:Option ==> peer wg11 rule add vpn 192.168.1.111 comment MyVPNrule
[✔] Updated RPDB Selective Routing rule for wg11
##set wg client policy mode
E:Option ==> peer wg11 auto=p
[✔] Updated 'wg11' AUTO=P
For the wg server, you can choose to delete it by
Code:
E:Option ==> peer wg21 del
I have everything set up but my devices are not connecting to the internet. Any ideas what might be causing this?
I might have missed out the restart step. Have you restarted your wg11 client?
I did restart the wg11 with no luck.
Perhaps a bit more description of the problem will be helpful. Is your wg11 connected? Then if your devices can ping to something like 8.8.8.8 and google.com to check if it is DNS related issue or something else etc.
Some command may be helpful to check, like "wg show wg11". If you have persistent keepalive set, then you can see the latest handshake timer keep refreshed after sometime indicating it is running.
By the way, for initial setup I think it is easier to add rule for single test host ip rather than the whole network. After making sure the single host works then later we can add the whole network in.
So you're saying 1st set up the router to WAN rule and make sure everything works before putting the MyVPN rule for the whole network?
Sorry for not being clear. What I mean is for first time setup, it may be better to route just one of your clients into wg11 instead of the whole network 192.168.1.0/24. Reason being in case it breaks and does not work in the first setup, it only impacts one client and other devices still have internet access.
admin@RT-AC86U-DBA8:/tmp/home/root# wg show wg11
interface: wg11
public key: XXXXXXXXXXXXXXXX
private key: (hidden)
listening port: 42009
peer: XXXXXXXX
endpoint: xx.xx.xx.xx:51820
allowed ips: 0.0.0.0/0
latest handshake: 56 seconds ago
transfer: 1.94 GiB received, 21.90 MiB sent
persistent keepalive: every 25 seconds
admin@RT-AC86U-DBA8:/tmp/home/root# ifconfig wg11
wg11 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.5.0.2 P-t-P:10.5.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:1470748 errors:0 dropped:0 overruns:0 frame:0
TX packets:218523 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2086099340 (1.9 GiB) TX bytes:22990520 (21.9 MiB)
E:Option ==> peer wg11 rule add vpn 192.168.1.0/24 comment All_to_WGVPN
admin@RT-AC86U-DBA8:/tmp/home/root# ip rule
...snipped...
9911: from 192.168.1.0/24 lookup 121
...snipped...
admin@RT-AC86U-DBA8:/tmp/home/root# ip route get 8.8.8.8 from 192.168.1.111 iif eth0
8.8.8.8 from 192.168.1.111 dev wg11
cache iif eth0
@ZebMcKayhan
Thanks for the follow-up.
I did give up last week since I could see never get my devices to get online. However, I have some free time again this week during the day so I will try to tackle wireguard again.
It seems everything installs correctly, I also upload the wg11.conf file and when I run the 'wg show wg11' & 'ip rule', everything shows as connected.
I am running x3mRouting (option 3) which may be the reason it may not be working.
Guess I can temporarily uninstall x3m and disable OVPN and start with a fresh wgm install. Any additional step-by-step you can recommend to get this working?
My 2 policy rules I use with OVPN are:
192.168.1.1 --> Router --> WAN
192.168.1.0/24 --> All traffic --> VPN
As a side note, what would be the reason some folks use both 'wg' and OVPN simultaneously?
X3m manages and routes ipsets only right? I use it myself but only to create and manage the ipsets.
peer wg11 dns 192.168.1.1
Peer wg11
ip rule
admin@RT-AC86U-D7D8:/tmp/home/root# ip rule
0: from all lookup local
9900: from 192.168.1.1/24 fwmark 0x8000 lookup main
9910: from all to 192.168.1.1/16 lookup main
9911: from 192.168.1.1/24 lookup 121
9921: from 192.168.6.0/24 lookup 122
32766: from all lookup main
32767: from all lookup default
# Comment of your choice (i.e. location)
[Interface]
PrivateKey = ???
ListenPort = 51820 - remove this line altogether; a dynamic port will be assigned
Address = ???
DNS = ???
[Peer]
PublicKey = ???
PresharedKey = ???
AllowedIPs = 0.0.0.0/0
Endpoint = ???
PersistentKeepalive = 25
import wg11
peer wg11 rule add 192.168.1.xxx comment wg test pc - replace 'xxx' as appropriate
peer wg11 auto=p
start wg11
list
peer wg11 rule add wan 192.168.1.1 comment Router to WAN
peer wg11 rule add 192.168.1.0/24 comment LAN to VPN
peer wg11 - you'll see 3 lines there - make note of the ID number of the original rule
peer wg11 rule del <ID> - ID is the number from the previous step (1 probably)
peer wg11 auto=y
peer wg11 dns=192.168.1.1
restart wg11
E:Option ==> peer wg11
Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Client Auto IP Endpoint DNS MTU Public Private Annotate
wg11 P 10.100.0.xxx/32 199.115.xxx.xx :51820 Wm/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= # N/A
Selective Routing RPDB rules
ID Peer Interface Source Destination Description
1 wg11 VPN 192.168.1.222 Any wg test pc
WireGuard ACTIVE Peer Status: Clients 1, Servers 0
admin@GT-AX11000-xxxx:/tmp/home/root# ip rule
0: from all lookup local
9911: from 192.168.1.222 lookup 121
9990: from all fwmark 0x8000/0x8000 lookup main
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
E:Option ==> wg show wg11
WireGuard Userspace Tool:
interface: wg11
public key: dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
private key: (hidden)
listening port: 51820
peer: Wm/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
preshared key: (hidden)
endpoint: 199.115.xxx.xx:51820
allowed ips: 0.0.0.0/0
transfer: 0 B received, 6.65 KiB sent
persistent keepalive: every 25 seconds
ENABLED WireGuard ACTIVE Peer Status: Clients 1, Servers 0
admin@GT-AX11000-xxxx:/tmp/home/root# ifconfig wg11
wg11 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.100.0.162 P-t-P:10.100.0.162 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:86 errors:0 dropped:1145 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:12728 (12.4 KiB)
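Added example (not code from any poster or from wg_manager): a small evaluator that walks the two `ip rule` listings posted in this thread in priority order, to confirm which routing table a packet from a given LAN host reaches and so whether it is sent to the tunnel or out the WAN. It models only the `from`, `to` and `fwmark` selectors, and assumes the `local` and `default` tables hold no route for the destination.

```python
import ipaddress
import re

# `ip rule` listings copied from the two outputs posted earlier in this thread.
RULES_LAN = """\
0: from all lookup local
9900: from 192.168.1.1/24 fwmark 0x8000 lookup main
9910: from all to 192.168.1.1/16 lookup main
9911: from 192.168.1.1/24 lookup 121
9921: from 192.168.6.0/24 lookup 122
32766: from all lookup main
32767: from all lookup default
"""
RULES_TEST_PC = """\
0: from all lookup local
9911: from 192.168.1.222 lookup 121
9990: from all fwmark 0x8000/0x8000 lookup main
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
"""

def _net(text):
    # "all" means any address; strict=False accepts host bits (192.168.1.1/24).
    return ipaddress.ip_network("0.0.0.0/0" if text == "all" else text, strict=False)

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+):\s+(.*)\s+lookup\s+(\S+)", line)
        if not m:
            continue
        words = m.group(2).split()
        sel = dict(zip(words[::2], words[1::2]))  # selector/value pairs
        value, _, mask = sel.get("fwmark", "0/0").partition("/")
        rules.append({"prio": int(m.group(1)), "table": m.group(3),
                      "from": _net(sel.get("from", "all")),
                      "to": _net(sel.get("to", "all")),
                      "mark": int(value, 16), "mask": int(mask or "0xffffffff", 16)})
    return sorted(rules, key=lambda r: r["prio"])

def table_for(rules, src, dst, fwmark=0, empty=("local", "default")):
    # Assumption: tables named in `empty` have no route for dst, so lookup falls through.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (src in r["from"] and dst in r["to"]
                and (fwmark & r["mask"]) == r["mark"] and r["table"] not in empty):
            return r["prio"], r["table"]
    return None
```

With the second listing, only 192.168.1.222 resolves to table 121; any other LAN host falls through to `main`, which matches the single-test-host setup described above.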