Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

Re 3.02b update, some feedback on the device client peer configuration:

- the iPhone configuration that gets created during the install:
Code:
# iPhone
[Interface]
PrivateKey = 
Address = 10.50.1.12/32
DNS = 1.1.1.1

# RT-AX86U 'server' (wg21)
[Peer]
PublicKey = +oObWrCSDk1LdqJGCCPg7sxxaYfU2pDktq+nZAczBAY=
AllowedIPs = 0.0.0.0/0     # ALL Traffic
# DDNS my.DDNS.net
Endpoint = 1.1.1.1:51820
PersistentKeepalive = 25
# iPhone End
(note that it looks the same for any newly created device client peer) - The #DDNS and Endpoint = lines have the information reversed. When I put the DDNS information on the Endpoint line and the other way around, it all worked well. The client peer connects and can browse other devices on the host peer network.

- after disconnecting the client peer the following shows in the interface for the respective client peer:

Code:
latest handshake: 12 minutes, 48 seconds ago
                 transfer: 527.19 KiB received, 1.67 MiB sent
I guess once disconnected it's no longer relevant that the latest handshake was 12 minutes ago - it's disconnected.

- option 9 doesn't allow creating a device client peer for the wg22 host peer - maybe in some next iteration.

- the (?) option does not print the expected information (it used to...)

Nice progress over a short period of time...

 
Re 3.02b update, some feedback on the device client peer configuration:

# RT-AX86U 'server' (wg21)
[Peer]
PublicKey = +oObWrCSDk1LdqJGCCPg7sxxaYfU2pDktq+nZAczBAY=
AllowedIPs = 0.0.0.0/0 # ALL Traffic
# DDNS my.DDNS.net
Endpoint = 1.1.1.1:51820

(note that it looks the same for any newly created device client peer) - The #DDNS and Endpoint = lines have the information reversed. When I put the DDNS information on the Endpoint line and the other way around, it all worked well. The client peer connects and can browse other devices on the host peer network.
Sorry I can't reproduce this error
Code:
Endpoint = 1.1.1.1:51820

This is the one-line code statement that writes the lines to the config file
Code:
cat > ${CONFIG_DIR}${DEVICE_NAME}.conf << EOF
# $DEVICE_NAME
[Interface]
PrivateKey = $PRI_KEY
Address = $VPN_POOL_IP
DNS = 1.1.1.1

# $HARDWARE_MODEL 'server' ($SERVER_PEER)
[Peer]
PublicKey = $PUB_SERVER_KEY
AllowedIPs = $ALLOWED_IPS     ${SPLIT_TXT}
# DDNS $ROUTER_DDNS
Endpoint = $ROUTER_DDNS_IP:51820
PersistentKeepalive = 25
# $DEVICE_NAME End
EOF

Can you please enable debug mode, then at the prompt use option '9' to create a new device
Code:
e  = Exit Script [?]

E:Option ==> debug

     WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1  = Update Wireguard modules                        7  = Display QR code for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                    8  = Peer management [list] | [ {Peer} [ add | del | {auto [y|n|p]}] ] ]
                                    9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers Summary [Peer...] [full]                                    
4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients                                     
5  = Stop    [ [Peer... ] | category ] e.g. stop clients                                    
6  = Restart [ [Peer... ] | category ] e.g. restart servers                                    

?  = About Configuration                    
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')        

e  = Exit Script [?]

E:Debug mode enabledOption ==> 9 myphone

If you examine the few lines of debug (or PM me) you should see something like
Code:
+ nvram get ddns_hostname_x
+ local ROUTER_DDNS=
+ [ -z  ]
+ ip+ grep -E ^0\.|^128\.
 route show table main
+ [ -z  ]
+ curl -s ipecho.net/plain
+ ROUTER_DDNS_IP=xxx.xxx.xxx.xxx
Now don't post the actual values assigned to either ROUTER_DDNS or ROUTER_DDNS_IP, but if ROUTER_DDNS_IP is set to '1.1.1.1' then that is clearly weird.

(NOTE: I am testing on a downstream router, so deliberately do not have a DDNS name defined, but if there are no VPN clients active, the curl command is used because nslookup won't work)

- option 9 doesn't allow creating a device client peer for the wg22 host peer - maybe in some next iteration.
If you want the script to automatically add the new device to a specific 'server' Peer, then that 'server' Peer must be the ONLY one UP!, otherwise it uses the first 'server' Peer found in the config.

(I'll add the option to specify the target 'server' Peer)

- the (?) option does not print the expected information (it used to...)
Can't reproduce this either?
Code:
+======================================================================+
|  Welcome to the WireGuard Manager/Installer script (Asuswrt-Merlin)  |
|                                                                      |
|                      Version v3.02b by Martineau                     |
|                                                                      |
+======================================================================+
     WireGuard ACTIVE Peer Status: Clients 3, Servers 2

    [✔] Push to Github PENDING for (Major) wg_manager.sh UPDATE v3.02b >>>> v2.02




1  = Update Wireguard modules                        7  = Display QR code for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                    8  = Peer management [list] | [ {Peer} [ add | del | {auto [y|n|p]}] ] ]
                                                    9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers Summary [Peer...] [full]                                    
4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients                                     
5  = Stop    [ [Peer... ] | category ] e.g. stop clients                                    
6  = Restart [ [Peer... ] | category ] e.g. restart servers                                    

?  = About Configuration                    
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')        

e  = Exit Script [?]

E:Option ==> ?

    v3.02b WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
    MD5=bc6d8b50fe035a7035b37dc398fe0e3c /jffs/addons/wireguard/wg_manager.sh

    wireguard: WireGuard 1.0.20210219 loaded. See www.wireguard.com for information.
    wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

    [✔] WireGuard Module is LOADED

    MD5=07a24a0efa926b3ad2c564d18b12312f wireguard-kernel_1.0.20210219-k27_aarch64-3.10.ipk
    MD5=d7fdc2f1a770856a66c2c677ecb64d1b wireguard-tools_1.0.20210223-1_aarch64-3.10.ipk

    [✔] DNSmasq is listening on ALL WireGuard interfaces 'wg*'

    [✔] nat-start is monitoring WireGuard Firewall rules

    [✖] WAN KILL-Switch is DISABLED

     WireGuard ACTIVE Peer Status: Clients 3, Servers 2

Can you run the '?' command in debug mode, and post the output?
 
@Torson

Thanks for the debug output, the DDNS bug is fixed see



Unfortunately, I have no idea why you have a spurious text string suddenly assigned to variable menu1 i.e. '2 i l t w z' :(

Your debug is on the left, mine is on the right
Code:
e  = Exit Script [?]                                e  = Exit Script [?]

E:Debug mode enabledOption ==> ?                    E:Debug mode enabledOption ==> ?
+ + sed s/^[ \t]*//;s/[ \t]*$//                     + printf %s ?
printf %s ?                                         + sed s/^[ \t]*//;s/[ \t]*$//
+ menu1=?                                           + menu1=?
+ Validate_User_Choice 2 i l t w z                  + Validate_User_Choice ?
+ local menu1=2 i l t w z                           + local menu1=?
+ [ Y == Y ]                                        + [ Y == Y ]
                                                    + echo ?
                                                    + menu1=?
                                                    + [ -n Debug mode enabled ]
                                                    + set -x
                                                    + printf %s ?
                                                    + sed s/^[ \t]*//;s/[ \t]*$//
                                                    + menu1=?
                                                    + Process_User_Choice ?
                                                    + local menu1=?
                                                    + echo ?
                                                    + awk {print $1}
                                                    + local ACTION=?

Does the '?' command still fail after you logout/login to your SSH session?

Upgrade to Beta wg_manager v3.02b2 to fix the DDNS resolve failure
Code:
e  = Exit Script [?]

E:Option ==> uf dev
and I'll investigate further.
 
I can confirm that the DDNS resolve now technically works:

Code:
# test
[Interface]
PrivateKey =
Address = 10.50.1.2/32
DNS = 1.1.1.1

# RT-AX86U 'server' (wg21)
[Peer]
PublicKey = +oObWrCSDk1LdqJGCCPg7sxxaYfU2pDktq+nZAczBAY=
AllowedIPs = 0.0.0.0/0     # ALL Traffic
# DDNS my.DDNS.net
Endpoint = my.wan.I.P:51820
PersistentKeepalive = 25
# test End
However, once you determine that a DDNS configuration exists (in the commented line above Endpoint =) why not set the endpoint to that value? If the DDNS is not configured, then the WAN IP should be used.

The '?' command yields the same result whether run from the current session, a newly opened one or after a router reboot.
 
I can confirm that the DDNS resolve now technically works:

Code:
# test
[Interface]
PrivateKey =
Address = 10.50.1.2/32
DNS = 1.1.1.1

# RT-AX86U 'server' (wg21)
[Peer]
PublicKey = +oObWrCSDk1LdqJGCCPg7sxxaYfU2pDktq+nZAczBAY=
AllowedIPs = 0.0.0.0/0     # ALL Traffic
# DDNS my.DDNS.net
Endpoint = my.wan.I.P:51820
PersistentKeepalive = 25
# test End
However, once you determine that a DDNS configuration exists (in the commented line above Endpoint =) why not set the endpoint to that value? If the DDNS is not configured, then the WAN IP should be used.
AFAIK I didn't think Endpoint = my.DDNS.net:51820 was allowed? i.e. it must be a valid resolved IP?...but I suppose I wanted to verify the DDNS so if it is out of date then yes there will be issues.
 
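On the Endpoint question raised in the exchange above: wg(8) accepts either "ip:port" or "host:port" for Endpoint, so a DDNS name is legal, and the device re-resolves it on each reconnect. The script below is an added example, not wg_manager's own code, showing the endpoint choice plus the check Martineau wanted, that the DDNS name currently resolves to the router's WAN IP, before a [Peer] stanza is emitted. The function names and the sample addresses are constructed for the demo; the nslookup parsing is best-effort and only used when the caller has not already resolved the name.

```sh
#!/bin/sh
# Added example, not wg_manager's own code: pick the Endpoint for a
# Road-Warrior device config and cross-check a DDNS name against the WAN IP
# before the config (or its QR code) is handed to the device.
# Function names and the sample addresses below are constructed for the demo.

# wg(8) accepts "host:port" as well as "ip:port" in Endpoint, so prefer the
# DDNS name when one is configured: the device re-resolves it on every
# reconnect, whereas a hard-coded WAN IP breaks the first time the ISP
# reassigns it. Fall back to the WAN IP only when no DDNS name exists.
wg_endpoint() {   # $1=DDNS name (may be empty)  $2=WAN IP  $3=server listen port
    _port="${3:-51820}"
    if [ -n "$1" ]; then
        printf '%s:%s\n' "$1" "$_port"
    else
        printf '%s:%s\n' "$2" "$_port"
    fi
}

# A stale DDNS record quietly sends the device's handshakes to whoever now
# holds the old address, so refuse to emit a config whose DDNS name does not
# currently resolve to the router's WAN IP. Returns 0 on match (or when no
# DDNS name is in use), 1 on mismatch.
ddns_matches_wan() {   # $1=DDNS name  $2=WAN IP  $3=address the name resolves to
    [ -z "$1" ] && return 0
    [ "$2" = "$3" ]
}

# Best-effort A-record lookup with busybox nslookup: keep the last IPv4
# seen on an "Address" line. The resolver's own address is printed first,
# so the answer (printed last) wins. Not exercised offline.
resolve_host() {
    nslookup "$1" 2>/dev/null | awk '
        /^Address/ { for (i = 2; i <= NF; i++)
                         if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) a = $i }
        END { print a }'
}

# Emit the [Peer] stanza in the layout wg_manager uses (DDNS comment line,
# then Endpoint), but only after the DDNS/WAN check passes.
peer_stanza() {   # $1=server pubkey $2=AllowedIPs $3=DDNS $4=WAN IP $5=resolved IP $6=port
    if ! ddns_matches_wan "$3" "$4" "$5"; then
        echo "DDNS '$3' resolves to '$5' but WAN IP is '$4'; refusing to write config" >&2
        return 1
    fi
    cat << EOF
[Peer]
PublicKey = $1
AllowedIPs = $2
# DDNS ${3:-none}
Endpoint = $(wg_endpoint "$3" "$4" "$6")
PersistentKeepalive = 25
EOF
}

# Stand-alone demo with constructed values (no network access needed).
peer_stanza 'ServerPubKeyBase64=' '0.0.0.0/0' 'my.ddns.home' '203.0.113.7' '203.0.113.7' 51820
```

On a live router the resolved address would come from `resolve_host "$ddns"` (or the script's own nslookup/curl path) and the WAN IP from the router; keeping both as arguments here is what lets the check run without a network. The mismatch branch is the one that matters: a device config pointing at an address the router no longer owns is an open invitation for handshake attempts to land on a stranger's host.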
@Martineau:
script 3.02 reads the 1st DNS entry from "DNS-Server1", see GUI,
v3.02b3 reads the current WAN IP, not the DynDNS entry (HOSTNAME / DDNS). I hope you can do something with it ...
 
AFAIK I didn't think Endpoint = my.DDNS.net:51820 was allowed? i.e. it must be a valid resolved IP?...but I suppose I wanted to verify the DDNS so if it is out of date then yes there will be issues.
Using the WAN IP kind of defeats the purpose of having a DDNS, I think.

I've pushed this commit.



If you could please test wg_manager v3.02b3 when convenient.

Code:
e  = Exit Script [?]

E:Option ==> uf dev
The same outcome for '?':
Code:
E:Debug mode enabledOption ==> ?
+ printf %s ?
+ sed s/^[ \t]*//;s/[ \t]*$//
+ menu1=?
+ Validate_User_Choice 2 i l t w z
+ local menu1=2 i l t w z
+ [ Y == Y ]
+ printf \n\a\t%bInvalid Option%b "%s"%b Please enter a valid option\n \e[91m \e[0m 2 i l t w z \e[91m
+ menu1=
+ echo
+ menu1=
        Invalid Option "2 i l t w z" Please enter a valid option
+ [ -n Debug mode enabled ]
+ set -x
+ printf+ sed s/^[ \t]*//;s/[ \t]*$//
 %s
        Invalid Option "2 i l t w z" Please enter a valid option
+ menu1=
        Invalid Option "2 i l t w z" Please enter a valid option
+ Process_User_Choice  Invalid Option "2 i l t w z" Please enter a valid option
+ local menu1= Invalid Option "2 i l t w z" Please enter a valid option
+ ShowHelp
+ echo -en \e[97m
+ awk /^#==/{f=1} f{print; if (!NF) exit} /jffs/addons/wireguard/wg_manager.sh
#============================================================================================ © 2021 Martineau v3.02b3
#
#       wg_manager   {start|stop|restart|show|create|peer} [ [client [policy|nopolicy] |server]} [wg_instance] ]
#
#       wg_manager   start 0
#                    Initialises remote peer 'client' 'wg0'
#       wg_manager   start client 0
#                    Initialises remote peer 'client' 'wg0'
#       wg_manager   start 1
#                    Initialises local peer 'server' 'wg1'
#       wg_manager   start server 1
#                    Initialises local peer 'server' 'wg21'
#       wg_manager   start client 1
#                    Initialises remote peer 'client' 'wg11' uses interface naming convention as per OpenVPN e.g. tun11
#       wg_manager   start client 1 policy
#                    Initialises remote peer 'client' 'wg11' in 'policy' Selective Routing mode
#       wg_manager   stop client 3
#                    Terminates remote peer 'client' 'wg13'
#       wg_manager   stop 1
#       wg_manager   restart SGS8
#                    Restart legacy-named Peer and auto-detect if it's a 'client' or 'server'
#

+ echo -en \e[0m
+ echo -e \e[97mv3.02b3 wg_manager.sh WireGuard Session Manager\n\n\t\e[91m***ERROR Invalid/missing arg ''\n\e[0m
v3.02b3 wg_manager.sh WireGuard Session Manager

        ***ERROR Invalid/missing arg ''

+ set +x

        WireGuard ACTIVE Peer Status: Clients 1, Servers 1
 
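One explanation that fits the two traces above (`menu1=?` turning into `Validate_User_Choice 2 i l t w z`, on one router only) is pathname expansion: an unquoted `$menu1` holding `?` is a glob, and the shell matches it against every one-character file name in the current directory before the function is called. That is an assumption about the root cause, not something the thread confirms. The script below is an added example, not wg_manager's own code, reproducing the symptom in a scratch directory seeded with the six names from the trace and showing the two usual fixes; the function names are constructed for the demo.

```sh
#!/bin/sh
# Added example, not wg_manager's own code. Assumed root cause of the
# "2 i l t w z" symptom: an unquoted $menu1 containing '?' is subject to
# pathname expansion, so it matches every one-character file name in the
# current directory. Reproduced here in a scratch directory.

count_args() { echo "$#"; }     # how many words did the caller hand us?

# Seed a directory with the six one-character names seen in the trace.
seed_dir() {
    mkdir -p "$1" && ( cd "$1" && for f in 2 i l t w z; do : > "$f"; done )
}

# Unsafe: $menu1 is expanded unquoted, as in  Validate_User_Choice $menu1
# so '?' (or '*', '[...]') is matched against files in the cwd before the
# function ever sees it. User-typed input becomes a filesystem probe.
args_unquoted() {   # $1=directory used as cwd  $2=the user's input
    ( cd "$1" && menu1="$2" && count_args $menu1 )
}

# Fix 1: quote the expansion; the value is passed through untouched.
args_quoted() {
    ( cd "$1" && menu1="$2" && count_args "$menu1" )
}

# Fix 2: 'set -f' switches pathname expansion off for the whole script,
# which is the safer default when no variable is ever meant to be a glob
# (menu input, key material, peer names).
args_noglob() {
    ( cd "$1" && set -f && menu1="$2" && count_args $menu1 )
}

# Stand-alone demo in a temporary directory.
demo() {
    _d=$(mktemp -d) && seed_dir "$_d" || return 1
    printf "unquoted '?': %s args\nquoted   '?': %s args\nset -f   '?': %s args\n" \
        "$(args_unquoted "$_d" '?')" "$(args_quoted "$_d" '?')" "$(args_noglob "$_d" '?')"
    rm -rf "$_d"
}
demo
```

The same unquoted expansion also explains why it only fails on one router and survives logout and reboot: it depends solely on which files sit in the directory the script is started from. Quoting every `$menu1` (and every other variable that carries user input) removes the dependency; `set -f` near the top of the script removes the whole class.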
v3.02b3
@Martineau: unfortunately I have to disappoint you!

# DDNS xxxxx.ddnss.eu
Endpoint = 89.12.0.xxx:51820

Endpoint should be the DDNS alias, was it already before .-) ???
 
Something else: I would like to support the project financially... how does the division work among all those involved, from Merlin to the active script actors?
 
Beta wg_manager v3.03b is available on the Github 'dev' development branch.


  • Change: Revert dumb DDNS IP usage, and allow user to either manually supply the DDNS name or use the current WAN IP.

...probably this post was in the back of my mind...

  • Add: Ability to specify multiple Peers on Start/Stop/Restart requests.
  • Add: Ability to generate a new 'server' Peer.
  • Add: Allow specification of 'server' Peer when creating a Road-Warrior device.

Existing Beta v3.xx users may update using:
Code:
e  = Exit Script [?]

E:Option ==> uf dev

    Forced Update

    Downloading scripts
    wg_manager.sh downloaded successfully Github 'dev/development' branch
    wg_client downloaded successfully Github 'dev/development' branch
    wg_server downloaded successfully Github 'dev/development' branch

Code:
e  = Exit Script [?]

E:Option ==> start wg13 wg24

    Requesting WireGuard VPN Peer start (wg13 wg24)

    wireguard-client3: Initialising Wireguard VPN 'client' Peer (wg13) in Policy Mode to 103.231.88.18:51820 (# Mullvad Oz, Melbourne)
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.3 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.123 to 1.1.1.1 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.1 through WAN
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.0/24 through VPN 'client' Peer wg13
    wireguard-client3: Initialisation complete.

    wireguard-server4: Initialising Wireguard VPN 'Server' Peer (wg24) on 10.88.84.1/24:11504 (# RT-AC86U Host Peer)
    wireguard-server4: Initialisation complete.


     WireGuard ACTIVE Peer Status: Clients 1, Servers 1

Code:
e  = Exit Script [?]

E:Option ==> new

    Press y to Create 'server' Peer (wg24) 10.88.84.1/24:11504 or press [Enter] to SKIP.
y
    Creating WireGuard Private/Public key-pair for 'server' Peer wg24 on RT-AC86U (v386.2)
    Press y to Start 'server' Peer (wg24) or press [Enter] to SKIP.
y

    Requesting WireGuard VPN Peer start (wg24)

    wireguard-server4: Initialising Wireguard VPN 'Server' Peer (wg24) on 10.88.8.1:11504 (# RT-AC86U Host Peer)
    wireguard-server4: Initialisation complete.


Code:
e  = Exit Script [?]

E:Option ==> 9 iPhone wg24 tag="Apple fan boi!!"

    Creating Wireguard Private/Public key pair for device 'iPhone'
    Device 'iPhone' Public key=558GVzbS/tPAaQdxrpMlJRVbqcB14MszTbG8MFN9Klk=

    Using Public key for 'server' Peer 'wg24'

    Warning: No DDNS is configured!
    Press y to use the current WAN IP or enter DDNS name or press [Enter] to SKIP.
my.ddns.home

    WireGuard config for Peer device 'iPhone' created (Allowed IP's 0.0.0.0/0 # ALL Traffic)

    Press y to Display QR Code for Scanning into WireGuard App on device 'iPhone' or press [Enter] to SKIP.

    Press y to ADD device 'iPhone' to 'server' Peer (wg24) or press [Enter] to SKIP.
y

    Adding device Peer 'iPhone' 10.88.84.1/32 to RT-AC86U 'server' (wg24) and WireGuard config


    WireGuard 'server' Peer needs to be restarted to listen for 'client' Peer iPhone "Apple fan boi!!"
    Press y to restart 'server' Peer (wg24) or press [Enter] to SKIP.
y

    Requesting WireGuard VPN Peer restart (wg24)

    Restarting Wireguard 'server' Peer (wg24)
    wireguard-server4: Wireguard VPN '' Peer (wg24) on 10.88.8.1:11504 (# RT-AC86U Host Peer) DELETED

    wireguard-server4: Initialising Wireguard VPN 'Server' Peer (wg24) on 10.88.8.1:11504 (# RT-AC86U Host Peer)
    wireguard-server4: Initialisation complete.

    interface: wg24     10.88.84.1/24 VPN Tunnel Network    ('server'        # RT-AC86U Host Peer)
        peer: 558GVzbS/tPAaQdxrpMlJRVbqcB14MszTbG8MFN9Klk=     ('server client'    # iPhone "Apple fan boi!!"    10.88.84.1/32

     WireGuard ACTIVE Peer Status: Clients 0, Servers 3
 
Beta wg_manager v3.03b is available on the Github 'dev' development branch.

E:Option ==> start wg13 wg24

Requesting WireGuard VPN Peer start (wg13 wg24)

wireguard-client3: Initialising Wireguard VPN 'client' Peer (wg13) in Policy Mode to 103.231.88.18:51820 (# Mullvad Oz, Melbourne)
wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.3 through VPN 'client' Peer wg13
wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.123 to 1.1.1.1 through VPN 'client' Peer wg13
wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.1 through WAN
wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.0/24 through VPN 'client' Peer wg13
wireguard-client3: Initialisation complete.

wireguard-server4: Initialising Wireguard VPN 'Server' Peer (wg24) on 10.88.84.1/24:11504 (# RT-AC86U Host Peer)
wireguard-server4: Initialisation complete.
Thanks for the changes to the device client peer to now call the DDNS rather than the WAN IP... and the option to choose the host peer.

Could you post the relevant entries to WireguardVPN.conf that generate the output highlighted above for wg13?
 
E:Option ==> start wg13 wg24

Requesting WireGuard VPN Peer start (wg13 wg24)

wireguard-client3: Initialising Wireguard VPN 'client' Peer (wg13) in Policy Mode to 103.231.88.18:51820 (# Mullvad Oz, Melbourne)
wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.3 through VPN 'client' Peer wg13
wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.123 to 1.1.1.1 through VPN 'client' Peer wg13
wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.1 through WAN
wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.0/24 through VPN 'client' Peer wg13
wireguard-client3: Initialisation complete.

Could you post the relevant entries to WireguardVPN.conf that generate the output highlighted above for wg13?
As per the Github Readme

Code:
e.g.

    wg13    P      xxx.xxx.xxx.xxx/32    103.231.88.18:51820    193.138.218.74    # Mullvad Oz, Melbourne

is used to auto-start WireGuard VPN 'client' Peer 3 ('wg13')' in Policy mode, where the associated Policy rules are defined as

    rp13    <Dummy VPN 3>172.16.1.3>>VPN<Plex>172.16.1.123>1.1.1.1>VPN<Router>172.16.1.1>>WAN<All LAN>172.16.1.0/24>>VPN

which happens to be in the same format as the Policy rules created by the GUI for OpenVPN clients i.e.

Use the GUI to generate the rules using a spare VPN Client and simply copy'n'paste the resulting NVRAM variable

    vpn_client?_clientlist etc.
 
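The `rp13` string above reuses the Asuswrt OpenVPN client-list layout: one record per rule, each starting with `<` and holding four `>`-separated fields (description, source, destination, target), with an empty destination meaning any. The script below is an added example, not wg_manager's own code, that parses that format, rejects anything that is not an IPv4 address or CIDR, and prints the `ip rule` lines a policy-mode start would correspond to, without executing them. The routing-table number, the priority base and the "WAN = main table" mapping are constructed assumptions for the demo.

```sh
#!/bin/sh
# Added example, not wg_manager's own code: a parser for the rp?? policy
# string, which reuses the Asuswrt OpenVPN client-list layout
# "<desc>src>dst>target" repeated per rule (empty dst = any destination).
# It turns each rule into an 'ip rule' line to review; nothing is executed.
# The routing-table number and priority base are constructed assumptions.

# Print one "desc|src|dst|target" line per rule. Records start with '<' and
# fields are separated by '>'; the text before the first '<' is empty.
parse_policy() {   # $1=policy string
    printf '%s' "$1" | awk 'BEGIN { RS = "<"; FS = ">" }
                            NR > 1 { print $1 "|" $2 "|" $3 "|" $4 }'
}

# Accept only a dotted IPv4 address or CIDR so a typo in the config cannot
# be pushed into the routing policy.
is_ip4_or_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Translate rules into 'ip rule add' commands. Rules keep the order they
# have in the string and each gets the next priority number, which is what
# lets a host exception (Router -> WAN) win over the later subnet rule
# (All LAN -> VPN): the kernel walks rules by ascending priority.
policy_to_ip_rules() {   # $1=policy string  $2=VPN routing table  $3=first priority
    _prio="$3"
    parse_policy "$1" | while IFS='|' read -r desc src dst target; do
        case "$target" in
            VPN) table="$2" ;;
            WAN) table=main ;;        # assumption: WAN means the main table
            *)   echo "skip '$desc': unknown target '$target'" >&2; continue ;;
        esac
        if ! is_ip4_or_cidr "$src" || { [ -n "$dst" ] && ! is_ip4_or_cidr "$dst"; }; then
            echo "skip '$desc': bad address in '$src' -> '${dst:-any}'" >&2; continue
        fi
        cmd="ip rule add from $src"
        [ -n "$dst" ] && cmd="$cmd to $dst"
        printf '%s table %s prio %s  # %s\n' "$cmd" "$table" "$_prio" "$desc"
        _prio=$((_prio + 1))
    done
}

# Stand-alone demo on the rp13 example from the thread.
policy_to_ip_rules \
  '<Dummy VPN 3>172.16.1.3>>VPN<Plex>172.16.1.123>1.1.1.1>VPN<Router>172.16.1.1>>WAN<All LAN>172.16.1.0/24>>VPN' \
  113 9900
```

Two things worth noticing when reading the output: the `Router ... WAN` rule must carry a lower priority number than `All LAN ... VPN`, otherwise the router's own traffic is swallowed by the tunnel, and a malformed source such as `172.16.1.x` is dropped with a message rather than silently becoming a rule that matches nothing.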
@Martineau, both the client and server peers work well now. I much appreciate your effort, patience and efficiency to make it happen. Thank you.
 
Beta wg_manager v3.04 is available
  • Fix: When 'u'/'uf' used, script does not auto refresh header splash box to reflect the new version.
  • Fix: New Road-Warrior device Peers should only use port 51820 for 'server' Peer 'wg21' - for other 'server' Peers use their actual unique custom port.
  • Fix: 'diag' error code - fails to display interfaces
  • Fix: Display of ACTIVE 'server' Peers does not show Listening port.
  • Change: Don't attempt to check on Github when starting the script (defer to explicit use of 'u' command)
  • Change: Layout of Peer status report.
  • Change: Enhanced Peer management functionality:
8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
  • Change: When requesting deletion of a 'server' Peer, warn if there are 'client' Peers defined i.e. Cell/mobiles

  • New: Ability to define/use categories in addition to the two hardcoded categories 'clients/servers'
  • New: Enhance Peer query with the ability to show a Peer configuration file e.g. 'wg??.conf'. If a 'server' Peer is requested, then show a condensed summary report, unless overridden
To upgrade
Code:
e  = Exit Script [?]

E:Option ==> u

Code:
e  = Exit Script [?]

E:Option ==> peer wg21 show

    'server' Peer wg21 Configuration Summary


    Peers (Start=P - Policy, Start=X - External i.e. Cell/Mobile)

Peer  Start  IP/Subnet                                        
wg21  Y      10.88.81.1/24  #  RT-AC86U  Host  Peer  1
Public Key = Hgshd/d++jGEQXNgfaz/+VnoweGsq5D1k/+62ppeeee=
PrivateKey = yC3gY/8I4Ba9N/oVne+NIuVfn/AymCB5nxaK/61mS1k=
ListenPort = 51820
Client Peer: SGS20
Client Peer: SGS20x
Code:
e  = Exit Script [?]

E:Option ==> peer wg21 del

    Deleting 'server' Peer (wg21)


    Warning: 'server' Peer wg21 has 2 'client' Peer

# SGS20
[Peer]
PublicKey = gCXt/GHnhUnvJBMXCEAIWbgSiSb//3u356U/h9WIVWI=
AllowedIPs = 0.0.0.0/0
# SGS20 End
--
# SGS20x
[Peer]
PublicKey = DdxSvQH7F1GP//bjpsFc4cb/yfLV/eZvbZQVluWLsBY=
AllowedIPs = 192.168.1.0/24
# SGS20x End

    You can manually reassign them to a different 'server' Peer by recreating the 'client' Peer then rescan the QR code on the device
    Press y to CONFIRM or press [Enter] to SKIP.

Code:
e  = Exit Script [?]

E:Option ==> peer category

    Peer categories

HK=wg12
Asia=wg12 wg13


e  = Exit Script [?]

E:Option ==> peer category TEST add wg11 wg99 wg22

    Peer 'wg99' not found... ignored

    'Peer category 'TEST' created


e  = Exit Script [?]

E:Option ==> peer category

    Peer categories

TEST=wg11 wg22
HK=wg12
Asia=wg12 wg13


e  = Exit Script [?]

E:Option ==> start TEST

    Requesting WireGuard VPN Peer start expanded category... (wg11 wg22)

    wireguard-client1: Initialising Wireguard VPN 'client' Peer (wg11) to 86.106.143.93:51820 (# Mullvad USA, New York)
    wireguard-client1: Initialisation complete.

    Warning: WireGuard 'server' Peer (wg22) ALREADY ACTIVE

    wireguard-server2: Initialising Wireguard VPN 'Server' Peer (wg22) on 10.88.8.1:1151 (# Martineau RT-AC86U Host Peer 2)
    wireguard-server2: Initialisation complete.
Code:
e  = Exit Script [?]

E:Option ==> 3

         WireGuard VPN Peer Status

    interface: wg21     Port:51820  10.88.81.1/24               VPN Tunnel Network  # Martineau RT-AC86U Host Peer 1
         public key: 1NA7MI+aKtOVYSkyzdMae1ipTGGqXj+HG2siZua6xkY=
         private key: (hidden)
         listening port: 51820
      
        peer: gCXt/GHnhUnvfBMX/+AIWbgSiSbi83u356USh9WIVWI=      10.88.81.3/32       # SGS20 "Martineau Access" 
         endpoint: 213.205.198.143:48012
         allowed ips: (none)
         latest handshake: 3 hours, 47 minutes, 12 seconds ago
         transfer: 508 B received, 404 B sent
      
        peer: j7U8It5OHFEtBt8BMT0G9kOPpkg/dBuixCgN/Own6xk=      10.88.81.4/32       # SGS20x "Device"  
         endpoint: 213.205.198.143:48145
         allowed ips: 0.0.0.0/0
         latest handshake: 3 hours, 47 minutes, 58 seconds ago
         transfer: 4.05 KiB received, 11.50 KiB sent

    interface: wg22     Port:1151   10.88.82.1/24               VPN Tunnel Network  # Martineau RT-AC86U Host Peer 2
         public key: Y9qA4lcndvop2U++wog6xWrezU/Qx8tDz3q4ZWqFXEg=
         private key: (hidden)
         listening port: 1151

    interface: wg25     Port:11505  10.88.85.1/24               VPN Tunnel Network  # RT-AC86U Host Peer
         public key: 2U2fGFd5AM30/V4Y/yYn3//8Y26Gk+8A1QLKsOZFzAA=
         private key: (hidden)
         listening port: 11505
      
        peer: 0gE4aiCJ7mIHpL/Rvbejz/ixOScUqXG7Q96LPrSmVXo=      10.88.85.2/32       # TESET "Device"  
         endpoint: 10.88.8.1:52399
         allowed ips: 0.0.0.0/0
         latest handshake: 2 hours, 37 minutes, 20 seconds ago
         transfer: 8.19 KiB received, 29.27 KiB sent
      
        peer: Iyll9ls9qecr2ZKEkD2fXWCB259XSg3HaTeD5WquiE0=      10.88.85.1/32       # TEST "Device"
         allowed ips: (none)

    interface: wg24     Port:11504  10.88.84.1/24               VPN Tunnel Network  # RT-AC86U Host Peer
         public key: osG/cv9WmPqPSY2mTp/kNfsIyGvSfcToS/Z+1gSJpn8=
         private key: (hidden)
         listening port: 11504
      
        peer: 9VV+riRjbWJjgyKYgL//l6hPCximzVRVorSX9WiphDM=      10.88.84.2/32       # multi "Device"  
         endpoint: 213.205.198.143:38625
         allowed ips: 192.168.1.0/24, 10.88.8.1/32, 10.88.8.132/32
         latest handshake: 1 hour, 3 minutes, 29 seconds ago
         transfer: 688 B received, 528 B sent
      
        peer: /Sj/X0zsDj997wlBoDWO+rhai+4yqrA2cbOGyQYkGho=      10.88.84.1/32       # Pixel5 "Device" 
         allowed ips: 0.0.0.0/0

    WireGuard ACTIVE Peer Status: Clients 0, Servers 4
 
Hotfix

To update use
Code:
e  = Exit Script [?]

E:Option ==> u
Code:
E:Option ==> ?

    v3.04 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/main/wg_manager.sh)
    MD5=4fa5ad37c5e8fbc5f8395dadb95f7afa /jffs/addons/wireguard/wg_manager.sh
 
Great work Martineau. Wireguard installed in a few minutes: server on the AC86U and client using QR on the iPhone! Any way to route all traffic on the iPhone through the tunnel? Thanks.
 
Great work Martineau. Wireguard installed in a few minutes: server on the AC86U and client using QR on the iPhone! Any way to route all traffic on the iPhone through the tunnel? Thanks.

I believe, on the client (IPhone), AllowedIPs = 0.0.0.0/0 should do it.
 
Great work Martineau. Wireguard installed in a few minutes: server on the AC86U and client using QR on the iPhone! Any way to route all traffic on the iPhone through the tunnel? Thanks.
By default wgm routes ALL traffic on the device using 0.0.0.0/0 (and if IPv6 is enabled on the router, includes ::/0 although IPv6 isn't available from my ISP, but perhaps an IPv6 user could confirm if this works?)

e.g.
Code:
E:Option ==> peer TEST show

    'client' Peer TEST Configuration Detail

# TEST
[Interface]
PrivateKey = OPRKY/pQrGJu90ayKmzPmkshjJRknk/KFCnrB1EZT0M=
Address = 10.88.85.1/32
DNS = 1.1.1.1

# RT-AC86U 'server' (wg21)
[Peer]
PublicKey = 2U2fGFd5AM30/V4YwyYn3On8Y26Gk+8A1QLKsOZFzAA=
AllowedIPs = 0.0.0.0/0     # ALL Traffic
# DDNS xxxxxxxxxxxxxxxxx
Endpoint = xxxxxxxxxxxx:51820
PersistentKeepalive = 25
# TEST End

unless you have specifically instructed wgm to create a 'Split Tunnel' for the device

e.g. LAN and two specific devices on a downstream reachable LAN
Code:
E:Option ==> peer multi show

    'client' Peer multi Configuration Detail

# multi
[Interface]
PrivateKey = yCqzBJwd1+IFqaLnBoFLCBNQaFceT7H0X7nwjnWLDHY=
Address = 10.88.84.2/32
DNS = 1.1.1.1

# RT-AC86U 'server' (wg24)
[Peer]
PublicKey = osG/cv9WmPqPSY2mTpVkNfsIyGvSfcToS/Z+1gSJpn8=
AllowedIPs = 192.168.1.0/24,10.88.8.1/32,10.88.8.132/32     # Split Traffic LAN Only
# DDNS xxxxxxxxxxxxxxx
Endpoint = xxxxxxxxxxxxxxx:11504
PersistentKeepalive = 25
# multi End
 