Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

[ZebMcKayhan]

Do you mean everything through vpn except a single ip? If yes, then:

For that to work, the peer must be in policy mode, not default mode...

You also need to add a rule for everything else to go out vpn, so in total:

E:Option ==> peer wg11 rule add wan src=192.168.1.x comment SingleUseWAN
E:Option ==> peer wg11 rule add vpn src=192.168.1.1/24 comment RestUseVPN
E:Option ==> peer wg11 auto=p

Wan rules have higher priority than vpn rules so the single ip will be directed to wan before compared with the larger vpn range.

You can add as many single ip rules as you want but there could be a priority problem if you create more than 10 wan or vpn rules (?). If that is the case you might start to lump ips together and use cidr notation (ie /28 to cover 16 adresses within a single rule)

//Zeb

Edit: worth to mention is that if no matching rule is found in policy mode then it will go through wan. So if you only want a single ip through vpn and the rest to wan you only need (and only should) to add the "single ip to vpn" rule. The rest will go naturally through wan.

 

[DreaZ]

I just got OpenVPN (VPN provider OVPN) to work with Unbound with AD-Blocking a week ago. And then learned about Wireguard. And as i'm on fiber 1000/1000 WG is so much better. I got WG to work following -> https://www.snbforums.com/threads/e...r-rt-ac86u-gt-ac2900-rt-ax88u-rt-ax86u.46164/

But didn't know how to make my entire LAN except one IP (my main computer) go through the VPN tunnel. I run WG directly on my main comp, because then I get 900/900mbit.

And now I found out about this WGSM, But tbh don't understand if it is something I should use. I generate and download my WG keys from my VPN provider. What is Server for in the WGSM? Is it something for me? Don't really understand the syntax to create client peers.

Maybe it is better to wait until its been out a bit longer for a amateur techie?

 

[chongnt]

I just got OpenVPN (VPN provider OVPN) to work with Unbound with AD-Blocking a week ago. And then learned about Wireguard. And as i'm on fiber 1000/1000 WG is so much better. I got WG to work following -> https://www.snbforums.com/threads/e...r-rt-ac86u-gt-ac2900-rt-ax88u-rt-ax86u.46164/

But didn't know how to make my entire LAN except one IP (my main computer) go through the VPN tunnel. I run WG directly on my main comp, because then I get 900/900mbit.

And now I found out about this WGSM, But tbh don't understand if it is something I should use. I generate and download my WG keys from my VPN provider. What is Server for in the WGSM? Is it something for me? Don't really understand the syntax to create client peers.

Maybe it is better to wait until its been out a bit longer for a amateur techie?

You achieved a very good speed with WG. To connect to our VPN provider, we use WG client to peer with provider server. This is similar with OpenVPN client. WG server is like OpenVPN server where our router act as server so that we can remotely dial-in to have LAN access from our remote pc/mobile. I have set this up for about 3 months and it has been very stable. Others have been using this for much longer. The guide from @ZebMcKayhan above is a good start to set it up for your requirement. You can also see the peer syntax with "peer help" command from wgm interface.

 

[ZebMcKayhan]

I just got OpenVPN (VPN provider OVPN) to work with Unbound with AD-Blocking a week ago. And then learned about Wireguard. And as i'm on fiber 1000/1000 WG is so much better. I got WG to work following -> https://www.snbforums.com/threads/e...r-rt-ac86u-gt-ac2900-rt-ax88u-rt-ax86u.46164/

But didn't know how to make my entire LAN except one IP (my main computer) go through the VPN tunnel. I run WG directly on my main comp, because then I get 900/900mbit.

And now I found out about this WGSM, But tbh don't understand if it is something I should use. I generate and download my WG keys from my VPN provider. What is Server for in the WGSM? Is it something for me? Don't really understand the syntax to create client peers.

Maybe it is better to wait until its been out a bit longer for a amateur techie?

wgm does virtually the same thing as @Odkrys scripts but to more automated and lets you work in menus and issue commands instead of working in scripts. wgm is actually built on the same kernel modules.

what you want is very doable using @Odkrys scripts, but you will need to add on more scripts/commands. an example on how to exclude a single computer (using default routing) could be found here. but it requires you to create scripts and set them up to run automatically. if this feels uncomfortable for you, then wgm might be a better way since it was created to aid in this process, with pre-defined commands instead of scripting.

wgm does not have it's own vpn internet server service, although it lets you setup a private server to open a tunnel into your private network so you can access your internal stuff from internet, but you are after internet connection as it sounds.
in wgm (/wgsm) you import your vpn config file you received from your service provider pretty much as you did in your current setup, with the difference that you dont need to copy/paste in it to/from the scripts, this is all done in wgm "behind the scenes". when the file is imported you could just issue commands inside wgm menu (through SSH) like the ones above to control routing and much, much more.

after installing wgm (instructions in the first post in this thread). rename you wireguard config file to "wg11.conf" and copy it to /opt/etc/wireguard.d
then inside wgm, you just import it:

E:Option ==> import wg11

//Zeb

Edit: I have never heard of anyone achieving 900/900Mb/s on an asus router, so I think you could expect a speed drop when shifting to run this on the router, presumable somewhere in the 400-700Mb/s range depending on your router. if you only need a single computer on VPN, then running wireguard on that machine will probably give you best results.

 

[Martineau]

I got WG to work following -> https://www.snbforums.com/threads/e...r-rt-ac86u-gt-ac2900-rt-ax88u-rt-ax86u.46164/https://www.snbforums.com/threads/e...r-rt-ac86u-gt-ac2900-rt-ax88u-rt-ax86u.46164/

But didn't know how to make my entire LAN except one IP (my main computer) go through the VPN tunnel.

If you are running wireguard on the router (as per the above original manual installation guide).....

The following shows how to use Selective Policy Routing to explicitly route ONLY two LAN devices via the wireguard tunnel

[Experimental] WireGuard for HND platform (4.1.x kernels)

1. Install WireGuard You need Entware-aarch64-3.10 to use wireguard without a new firmware build. ㅡ Kernel Module ㅡ RT-AC86U, GT-AC2900 - 4.1.27 https://github.com/odkrys/entware-makefile-for-merlin/raw/main/wireguard-kernel_1.0.20210219-k27_1_aarch64-3.10.ipk opkg install...

www.snbforums.com

and this shows an example of inverting the Selective Policy Routing to explicitly route ALL LAN devices via the wireguard tunnel, whilst excluding a single LAN device via the WAN.

[Experimental] WireGuard for HND platform (4.1.x kernels)

Hi, this has been super helpful! What would the policy be if I wanted to exclude an IP rather than include a specific IP? Yeah, I would also appreciate a bit more documentation on the syntax of the routing-policy file.

www.snbforums.com

And now I found out about this WGSM, But tbh don't understand if it is something I should use.

wireguard manager was written to provide an easy wireguard install/uninstall, and allow for multiple concurrent wireguard Clients and Servers to be active/managed without the need to manually hack/edit scripts/config files.

Don't really understand the syntax to create client peers.

wireguard_manager allows rapidly specifiying/configuring Selective Policy Routing rules (although some would say seemingly rather verbosely) in plain human-readable format without understanding the underlying technical routing tables and fwmarks etc., together with the ability to create/delete client peers in a simple command

e.g. if your wireguard provider has supplied a fully configured config file say 'VPN_ISP' that you have successfully downloaded, if you already have a working wireguard client say wg11, you can quickly configure a second client say wg12 simply using

e  = Exit Script [?]

E:Option ==> import VPN_ISP wg12

assuming you downloaded the file as '/opt/etc/wireguard.d/VPN_ISP' on the router and it will be copied to create the wireguard_manager compatible 'wg12.conf'

NOTE: If the file isn't located in '/opt/etc/wireguard.d' then simply supply the correct full path.

Maybe it is better to wait until its been out a bit longer for a amateur techie?

Indeed


EDIT: @ZebMcKayhan and @chongnt didn't see your excellent replies before posting

 

[DreaZ]

Thanks alot for all the replies. I will continue testing WGM after work

 

[The Chief]

How can I route like this: all my LAN (192.168.1.0/24 for ex.) to selected IPset (dst) thru wgm11 (imported and working)?

I've added ipset to wg11:

peer wg11 add ipset rublack-dns

But then:

peer wg11 auto=P


        ***ERROR No Policy rules exist for wg11 (use 'peer wg11 rule add' command first)

What's wrong?

 

[ZebMcKayhan]

How can I route like this: all my LAN (192.168.1.0/24 for ex.) to selected IPset (dst) thru wgm11 (imported and working)?

I've added ipset to wg11:

peer wg11 add ipset rublack-dns

But then:

peer wg11 auto=P


        ***ERROR No Policy rules exist for wg11 (use 'peer wg11 rule add' command first)

What's wrong?

Interesting... only use ipset for policy based routing with ni other rules might be a use case not considered in wgm?

Wgm was made to not accept policy mode if there are no rules, but I guess ipset is not part of that check. Something to look into @Martineau?

I guess you can circumvent this by adding a rule for some bogus ip that you will never have:

E:Option ==> peer wg11 rule add vpn src=192.168.152.214 comment BogusRule

If you by some freak-of-nature actually use this particular ip, then change it to one you dont use.

After adding the rule you should be able to put the peer in policy mode.

//Zeb

 

[The Chief]

I guess you can circumvent this by adding a rule for some bogus ip that you will never have

Yes, adding a bogus rule allows me to switch wg11 to Policy mode. But after starting wg11 there is no VPN routing to IPs in 'rublack-dns' ipset, all traffic goes to WAN. IPset exists, it's populated with some IPs . No IPtable rule in iptables as well. Any ideas?

 

[ZebMcKayhan]

Yes, adding a bogus rule allows me to switch wg11 to Policy mode. But after starting wg11 there is no VPN routing to IPs in 'rublack-dns' ipset, all traffic goes to WAN. IPset exists, it's populated with some IPs . No IPtable rule in iptables as well. Any ideas?

You also need to add the ipset rules in i.e nat-start (if you dont already have them):

Policy based Port routing (manual method)

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

You need to change the table name/number to match wgm. Wg11 is table 121 don't know what mark you use for your ipset though, check in peer config. The mark could be changed in wgm.

//Zeb

 

[The Chief]

You also need to add the ipset rules in i.e nat-start (if you dont already have them):

Oops… Why to have ipset settings in WGM if they do nothing?

 

[ZebMcKayhan]

Oops… Why to have ipset settings in WGM if they do nothing?

Wgm ads the rule in the firewall that matches ips in your set and markes them according your setting in wgm.

Rules for routing is part of something bigger than just wgm... guess this is why. I ones asked the same question.

//Zeb

Edit: oh, yeah, I almost forgot. You will probably run into problems with wg11 reverse path filter, wgm only handels rp filter on wan interface (I think).

You may have to put this line somewere:

echo 2 > /proc/sys/net/ipv4/conf/wg11/rp_filter

If connection to your ipset ips fail (I mean like no connection) you could try to execute it from the shell to see if it works...

 

[The Chief]

Rules for routing is part of something bigger than just wgm... guess this is why. I ones asked the same question.

Why then 'peer wg11 rule add vpn src=192.168.mysubnet.mycomputer' works in policy mode (it really works), so it creates all routing rules , but IPset setting doesn't? I don't understand it, totally confused.


Smth like 'peer wg11 rule add vpn ipset=ipsetname' (where ipsetname is dst) would be VERY helpful, making configuration MUCH more simple.

 

[ZebMcKayhan]

Ok, maybee I was not totally clear.

Wgm adds the rules for peers and it let's you add ipsets and it will setup the firewall to mark the packages for you but it will not create the rules for which mark that gets routed where. There are too many use cases for wgm too assume how you want to do this (I guess). But I could agree that it would be nice to atleast have the option to let it setup the basic, typical setup.

Working with ipsets are considered slightly more advanced and the possibilities are soo much more so I guess wgm assumes the rules are created by whoever have created the ipsets.

Just add the:

ip rule del prio 9901
ip rule add from 0/0 fwmark "0x1000/0x1000" table 121 prio 9901

In nat-start (Assuming your mark is 0x1000) and that should be it.
You might also need to consider the rp-filter but that must be executed after wgm has created the interface so let's worry about that later, if needed.

 

[The Chief]

In nat-start (Assuming your mark is 0x1000) and that should be it.

Yes, wg11 mark is 0x1000.

ip rule del prio 9901
ip rule add from 0/0 fwmark "0x1000/0x1000" table 121 prio 9901

Yeah I've figured it out (put it to wg11-route-up.sh), but what I've NOT figured is 'echo 0 > /proc/sys/net/ipv4/conf/wg11/rp_filter' magick. It works now, thanx a lot!

 

[Torson]

@ZebMcKayhan & @The Chief - regarding the selective routing of IPSets the wgm script allows adding, updating and deleting IPSets on all interfaces with the predefined fwmark (which are the same but set at higher priority than the OpenVPN ones.)
For example: peer wg11 add ipset Cloud would add the IPSet Cloud to peer wg11 with fwmark 0x1000. Now, if you need to route the IPSet Cloud through the WAN then peer wg11 upd ipset Cloud fwmark 0x8000 would do that.

 

[The Chief]

For example: peer wg11 add ipset Cloud would add the IPSet Cloud to peer wg11 with fwmark 0x1000. Now, if you need to route the IPSet Cloud through the WAN then peer wg11 upd ipset Cloud fwmark 0x8000 would do that.

What I needed to do is rather opposite — to route all my local clients to WAN, except when destination IP is from predefined IPset, then route to VPN (wg11).

 

[ZebMcKayhan]

@ZebMcKayhan & @The Chief - regarding the selective routing of IPSets the wgm script allows adding, updating and deleting IPSets on all interfaces with the predefined fwmark (which are the same but set at higher priority than the OpenVPN ones.)
For example: peer wg11 add ipset Cloud would add the IPSet Cloud to peer wg11 with fwmark 0x1000. Now, if you need to route the IPSet Cloud through the WAN then peer wg11 upd ipset Cloud fwmark 0x8000 would do that.

Thanks!

Yes, we got that. But the rules are not the same. They don't have the same prio and not the same table they only share the mark, but most importantly; they are not there.

I had the same problem when I setup wgm, everything looks and feels like it is setup by wgm but this particular piece is not. It was not obvious for me that I was to add these rules.

//Zeb

 

[abir1909]

Script doesn’t create wg11 only wg21 please advise what am I doing wrong? Thanks

 

[ZebMcKayhan]

Script doesn’t create wg11 only wg21 please advise what am I doing wrong? Thanks

wgm automatically installs a server wg21 when it installs, if you dont need/want the server you can just delete it:

E:Option ==> peer wg21 del

it wont create your client peer wg11 automatically, you will need to place the config file (the one you got from your wireguard VPN supplier) here: /opt/etc/wireguard.d/
then run in wgm:

E:Option ==> import <Config_Filename> wg11

replace <Config_Filename> with the filename of your config file (or exclude it if you name the config file wg11.conf).

//Zeb