What's new

Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Thanks for your tips guys! Diversion ad block does not seem to kick in when i connect to my router through wireguard contrary to openvpn. I’ll look into it when I get back home.
 
Thanks for your tips guys! Diversion ad block does not seem to kick in when i connect to my router through wireguard contrary to openvpn. I’ll look into it when I get back home.
I don't use diversion, but the default DNS 1.1.1.1 :oops:should be changed manually in the WireGuard config on the iPhone.

EDIT: Hotfix


To update use
Code:
e  = Exit Script [?]

E:Option ==> u
Code:
E:Option ==> ?

    v3.04 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/main/wg_manager.sh)
    MD5=b074e6ebed695f34cdd4203bc4ac29ed /jffs/addons/wireguard/wg_manager.sh
 
Last edited:
Changing the DNS server on the client to the router address fixed the issue. Thanks Guys.
 
I am currently running wireguard in Ubuntu vm on my Mac as a test. I suppose after reading all messages here that I can re-use my current Ubuntu /etc/wireguard/w0.conf only rename it to w11.cong. I have a question about the DNS and policy routing for the clients. I use Unbound DNS on my AC86U as primary DNS - dnsmasq is disabled. Do I need to add DNS entry in the new wg11.conf under [Interface] section and point it to my router default IP?
As for the policy routing, I can modify current [Peer] AllowedIPs and change it to 192.168.50.2/27as an example.
Am I correct with these points?
 
I am currently running wireguard in Ubuntu vm on my Mac as a test. I suppose after reading all meges here that I can re-use my current Ubuntu /etc/wireguard/w0.conf only rename it to w11.cong. I have a question about the DNS and policy routing for the clients. I use Unbound DNS on my AC86U as primary DNS - dnsmasq is disabled. Do I need to add DNS entry in the new wg11.conf under [Interface] section and point it to my router default IP?
Yes, expect it to work :). There are 2 parts to it:
1. Modify the sample /opt/etc/wireguard.d/wg11.conf with your information based on the provider's configuration - make sure to leave the commented lines as they are -.

2. At the WireGuard Manager menu prompt type vx - that will open /jffs/addons/wireguard/WireguardVPN.conf in the editor (nano).
Make your changes as appropriate on the wg11 line and use P for policy mode and use your provider's DNS or your Unbound internal IP DNS. Then on the rp11 line add
Code:
<Internal_Range>192.168.50.2/27>>VPN
Pres F3 to save, F2 to exit the editor. Then
Code:
E:Option ==> 4 wg11
to start the client peer. Once started you can check the status with
Code:
E:Option ==> 3
If you see lively figures as received / sent you're in.
 
Yes, expect it to work :). There are 2 parts to it:
1. Modify the sample /opt/etc/wireguard.d/wg11.conf with your information based on the provider's configuration - make sure to leave the commented lines as they are -.

2. At the WireGuard Manager menu prompt type vx - that will open /jffs/addons/wireguard/WireguardVPN.conf in the editor (nano).
Make your changes as appropriate on the wg11 line and use P for policy mode and use your provider's DNS or your Unbound internal IP DNS. Then on the rp11 line add
Code:
<Internal_Range>192.168.50.2/27>>VPN
Pres F3 to save, F2 to exit the editor. Then
Code:
E:Option ==> 4 wg11
to start the client peer. Once started you can check the status with
Code:
E:Option ==> 3
If you see lively figures as received / sent you're in.
Thanks for the information and details. Appreciate it.
 
Now that a bunch of people are onboard with this and using it, I'm curious if anyone has looked to see just how resource-intensive this is on their router.
Does it require the use of a swap on the entware drive to keep RAM on ac86u's happy? Or am I overthinking things?
I've only a 50/10 DSL service to my router - does a client connecting to wireguard server on my router have the potential to saturate the upload so that everything on my LAN is slowed down, or will my QoS (cake) keep everything humming along, both at home and remotely?
psychologically I'm ready to push the go-button on installing this, but I don't want any troubles from (at) home when I'm connected remotely
 
Or am I overthinking things?
I'm inclined to say yes, but I'll give you some pointers and let you come up with the final answer...

On the AX86U I'm working with I see little if any resource-intensiveness I could attribute to the WireGuard client and host. The swap file which is there because Skynet insists upon it has never been used while running WireGuard and/or any other workload, scripts etc. At all... There is though more memory and CPUs (double) on the AX86U than on AC86U and that makes a difference. Everything else, as in use cases, network configuration etc. is the other part of the difference.

As for the upload saturation potential - that's real, but in Cake and FlexQoS you have 2 solid options to mitigate that (not what goes through the tunnel though). I don't use QoS and don't have any resource intensive requirements while remote so I can't speak to that.

The WireGuard session manager (while still work in progress) is quite easy to install, configure and removes itself well. So, give it a try and let us know what the final answer is.
 
I'm inclined to say yes, but I'll give you some pointers and let you come up with the final answer...

On the AX86U I'm working with I see little if any resource-intensiveness I could attribute to the WireGuard client and host. The swap file which is there because Skynet insists upon it has never been used while running WireGuard and/or any other workload, scripts etc. At all... There is though more memory and CPUs (double) on the AX86U than on AC86U and that makes a difference. Everything else, as in use cases, network configuration etc. is the other part of the difference.

As for the upload saturation potential - that's real, but in Cake and FlexQoS you have 2 solid options to mitigate that (not what goes through the tunnel though). I don't use QoS and don't have any resource intensive requirements while remote so I can't speak to that.

The WireGuard session manager (while still work in progress) is quite easy to install, configure and removes itself well. So, give it a try and let us know what the final answer is.
Right, double the processors and double the RAM in the AX over the AC 86...
Thank you. I'm leaning towards waiting for 386.2 with cake built-in, but I think I'll sleep on your recommendation and make a decision in the morning. Weekends are much easier to fool with these sorts of things without major disruptions to network users.

(If there's one good thing about Covid for me, it's how much I've learned about networking. It used to be a bit of black magic, now it's just magic, and I can wave my wand tentatively)
 
Will Diversion and Skynet still work when using WG?

Edit:
Wireguard Manager won't install:
I'm on 386.2_beta1

Code:
ASUSWRT-Merlin RT-AC86U 386.2_beta1 Wed Mar 10 16:45:39 UTC 2021
admin@RT-AC86U-9AD0:/tmp/home/root# curl --retry 3 "https://raw.githubusercontent.com/MartineauUK/wireguard/main/wg_manager.sh" --create-dirs -o "/jffs/addons/wireguard/wg_manager.sh" && chmod 755 "/jffs/addons/wireguard/wg_manager.sh" &
& /jffs/addons/wireguard/wg_manager.sh install
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  107k  100  107k    0     0   212k      0 --:--:-- --:--:-- --:--:--  235k

+======================================================================+
|  Welcome to the WireGuard Manager/Installer script (Asuswrt-Merlin)  |
|                                                                      |
|                      Version v3.04 by Martineau                      |
|                                                                      |
| Requirements: USB drive with Entware installed                       |
|                                                                      |
|   1 = Install WireGuard                                              |
|       o1. Enable nat-start protection for Firewall rules             |
|       o2. Enable DNS                                                 |
|                                                                      |
|                                                                      |
+======================================================================+

        WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1  = Begin WireGuard Installation Process

e  = Exit Script [?]

E:Option ==> 1

        Installing WireGuard Manager - Router RT-AC86U (v386.2)

        Downloading scripts
        wg_client downloaded successfully
        wg_server downloaded successfully

Package column (2.36-2) installed in root is up to date.
        Downloading Wireguard Kernel module for RT-AC86U (v386.2)

        Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20210219-k27_aarch64-3.10.ipk' for RT-AC86U (v386.2)...

###################################################################################################################################################################################################################################### 100.0%

        Downloading WireGuard User space Tool 'wireguard-tools_1.0.20210223-1_aarch64-3.10.ipk' for RT-AC86U (v386.2)

###################################################################################################################################################################################################################################### 100.0%

        Loading WireGuard Kernel module and Userspace Tool for RT-AC86U (v386.2)
Unknown package 'wireguard-kernel'.
Collected errors:
* pkg_hash_fetch_best_installation_candidate: Packages for wireguard-kernel found, but incompatible with the architectures configured
* opkg_install_cmd: Cannot install package wireguard-kernel.
Unknown package 'wireguard-tools'.
Collected errors:
* pkg_hash_fetch_best_installation_candidate: Packages for wireguard-tools found, but incompatible with the architectures configured
* opkg_install_cmd: Cannot install package wireguard-tools.




        Creating WireGuard configuration file '/jffs/addons/wireguard/WireguardVPN.conf'
        Creating WireGuard 'Client' and 'Server' Peer templates 'wg11.conf' and wg21.conf'
        Creating WireGuard Private/Public key-pairs for RT-AC86U (v386.2)

        ***ERROR: WireGuard install FAILED!


        nat-start updated to protect WireGuard firewall rules
        Added 'wg*' interfaces to DNSMasq

Done.
        Creating 'wg_manager' alias for 'wg_manager.sh'
        Adding Peer Auto-start @BOOT
        Installing QR rendering module
Package qrencode (4.1.1-1) installed in root is up to date.
/jffs/addons/wireguard/wg_manager.sh: line 2470: wg: not found

        Creating Wireguard Private/Public key pair for device 'iPhone'
/jffs/addons/wireguard/wg_manager.sh: line 2470: wg: not found
/jffs/addons/wireguard/wg_manager.sh: line 2470: wg: not found
        Device 'iPhone' Public key=

cat: can't open '/opt/etc/wireguard.d/wg21_public.key': No such file or directory
        Using Public key for 'server' Peer 'wg21'

        Warning: No DDNS is configured!
        Press y to use the current WAN IP or enter DDNS name or press [Enter] to SKIP.
1.PNG

What can I do?
 
Last edited:
@Martineau: could you please publish a changelog of the dev branch. A lot has changed in v 4.01b2 ...

WireguardVPN.conf:
# RPDB Selection Routing rules same format as 'nvram get vpn_clientX_clientlist'
# <Desciption> Source IP / CIDR> [Target IP / CIDR]> WAN_or_VPN [...]
# WireGuard Session Manger v4.01
# Categories None =
# WAN KILL switch KILLSWITCH = N
# Statistics gathering STATS = Y

Where has the possibility of changing the IP addresses of the servers "gone?

Menu: 9 cl1_peer

# cl1_peer [Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = .1 / 32 DNS = 9.9.9.9 1.1.1.2

I now have a lot of unanswered questions .....
 
Will Diversion and Skynet still work when using WG?

Edit:
Wireguard Manager won't install:
I'm on 386.2_beta1

Code:
ASUSWRT-Merlin RT-AC86U 386.2_beta1 Wed Mar 10 16:45:39 UTC 2021
admin@RT-AC86U-9AD0:/tmp/home/root# curl --retry 3 "https://raw.githubusercontent.com/MartineauUK/wireguard/main/wg_manager.sh" --create-dirs -o "/jffs/addons/wireguard/wg_manager.sh" && chmod 755 "/jffs/addons/wireguard/wg_manager.sh" &
& /jffs/addons/wireguard/wg_manager.sh install
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  107k  100  107k    0     0   212k      0 --:--:-- --:--:-- --:--:--  235k

+======================================================================+
|  Welcome to the WireGuard Manager/Installer script (Asuswrt-Merlin)  |
|                                                                      |
|                      Version v3.04 by Martineau                      |
|                                                                      |
| Requirements: USB drive with Entware installed                       |
|                                                                      |
|   1 = Install WireGuard                                              |
|       o1. Enable nat-start protection for Firewall rules             |
|       o2. Enable DNS                                                 |
|                                                                      |
|                                                                      |
+======================================================================+

        WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1  = Begin WireGuard Installation Process

e  = Exit Script [?]

E:Option ==> 1

        Installing WireGuard Manager - Router RT-AC86U (v386.2)

        Downloading scripts
        wg_client downloaded successfully
        wg_server downloaded successfully

Package column (2.36-2) installed in root is up to date.
        Downloading Wireguard Kernel module for RT-AC86U (v386.2)

        Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20210219-k27_aarch64-3.10.ipk' for RT-AC86U (v386.2)...

###################################################################################################################################################################################################################################### 100.0%

        Downloading WireGuard User space Tool 'wireguard-tools_1.0.20210223-1_aarch64-3.10.ipk' for RT-AC86U (v386.2)

###################################################################################################################################################################################################################################### 100.0%

        Loading WireGuard Kernel module and Userspace Tool for RT-AC86U (v386.2)
Unknown package 'wireguard-kernel'.
Collected errors:
* pkg_hash_fetch_best_installation_candidate: Packages for wireguard-kernel found, but incompatible with the architectures configured
* opkg_install_cmd: Cannot install package wireguard-kernel.
Unknown package 'wireguard-tools'.
Collected errors:
* pkg_hash_fetch_best_installation_candidate: Packages for wireguard-tools found, but incompatible with the architectures configured
* opkg_install_cmd: Cannot install package wireguard-tools.




        Creating WireGuard configuration file '/jffs/addons/wireguard/WireguardVPN.conf'
        Creating WireGuard 'Client' and 'Server' Peer templates 'wg11.conf' and wg21.conf'
        Creating WireGuard Private/Public key-pairs for RT-AC86U (v386.2)

        ***ERROR: WireGuard install FAILED!


        nat-start updated to protect WireGuard firewall rules
        Added 'wg*' interfaces to DNSMasq

Done.
        Creating 'wg_manager' alias for 'wg_manager.sh'
        Adding Peer Auto-start @BOOT
        Installing QR rendering module
Package qrencode (4.1.1-1) installed in root is up to date.
/jffs/addons/wireguard/wg_manager.sh: line 2470: wg: not found

        Creating Wireguard Private/Public key pair for device 'iPhone'
/jffs/addons/wireguard/wg_manager.sh: line 2470: wg: not found
/jffs/addons/wireguard/wg_manager.sh: line 2470: wg: not found
        Device 'iPhone' Public key=

cat: can't open '/opt/etc/wireguard.d/wg21_public.key': No such file or directory
        Using Public key for 'server' Peer 'wg21'

        Warning: No DDNS is configured!
        Press y to use the current WAN IP or enter DDNS name or press [Enter] to SKIP.

What can I do?
It seems you need to set up DDNS, first off. I would guess that the script is looking for some indication that is not yet present because you may not have DDNS configured - this makes sense, because your end of the tunnel needs to be static, and DDNS makes it appear as such. If you don't do this, every time your ISP reassigns you an IP address, your WG server will "crash"

truthfully, though, you haven't given us enough details about your network setup to be able to help beyond this. sharing that will help people sort out why the install seems to have failed. in the meantime, you can get DDNS going for yourself
 
Will Diversion and Skynet still work when using WG?

Loading WireGuard Kernel module and Userspace Tool for RT-AC86U (v386.2)
Unknown package 'wireguard-kernel'.
Collected errors:
* pkg_hash_fetch_best_installation_candidate: Packages for wireguard-kernel found, but incompatible with the architectures configured
* opkg_install_cmd: Cannot install package wireguard-kernel.
Unknown package 'wireguard-tools'.
Collected errors:
* pkg_hash_fetch_best_installation_candidate: Packages for wireguard-tools found, but incompatible with the architectures configured
* opkg_install_cmd: Cannot install package wireguard-tools.

***ERROR: WireGuard install FAILED!

What can I do?
It looks like the install failed due to some compatibility issues with wireguard-kernel and wireguard-tools.

Try removing the install (option 2), then run:
Code:
opkg remove wireguard-kernel wireguard-tools
Check for any errors generated by the wireguard kernel packages removal.

The lack of a DDNS should not be an issue. The script checks for the existence of the DDNS and if not defined it will use the WAN IP.

Re-install from the 'main' branch.

I have Diversion and Skynet working - I use the router's internal IP as DNS for the client peer configuration.
 
It looks like the install failed due to some compatibility issues with wireguard-kernel and wireguard-tools.
Unfortunately, this didn't work:
Code:
ASUSWRT-Merlin RT-AC86U 386.2_beta1 Wed Mar 10 16:45:39 UTC 2021
admin@RT-AC86U-9AD0:/tmp/home/root# opkg remove wireguard-kernel wireguard-tools
No packages removed.
admin@RT-AC86U-9AD0:/tmp/home/root# curl --retry 3 "https://raw.githubusercontent.com/MartineauUK/wireguard/main/wg_manager.sh" --create-dirs -o "/jffs/addons/wireguard/wg_manager.sh" && chmod 755 "/jffs/addons/wireguard/wg_manager.sh" &
& /jffs/addons/wireguard/wg_manager.sh install
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  107k  100  107k    0     0   266k      0 --:--:-- --:--:-- --:--:--  296k

+======================================================================+
|  Welcome to the WireGuard Manager/Installer script (Asuswrt-Merlin)  |
|                                                                      |
|                      Version v3.04 by Martineau                      |
|                                                                      |
| Requirements: USB drive with Entware installed                       |
|                                                                      |
|   1 = Install WireGuard                                              |
|       o1. Enable nat-start protection for Firewall rules             |
|       o2. Enable DNS                                                 |
|                                                                      |
|                                                                      |
+======================================================================+

        WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1  = Begin WireGuard Installation Process

e  = Exit Script [?]

E:Option ==> 1

        Installing WireGuard Manager - Router RT-AC86U (v386.2)

        Downloading scripts
        wg_client downloaded successfully
        wg_server downloaded successfully

Package column (2.36-2) installed in root is up to date.
        Downloading Wireguard Kernel module for RT-AC86U (v386.2)

        Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20210219-k27_aarch64-3.10.ipk' for RT-AC86U (v386.2)...

###################################################################################################################################################################################################################################### 100.0%###################################################################################################################################################################################################################################### 100.0%

        Downloading WireGuard User space Tool 'wireguard-tools_1.0.20210223-1_aarch64-3.10.ipk' for RT-AC86U (v386.2)

###################################################################################################################################################################################################################################### 100.0%###################################################################################################################################################################################################################################### 100.0%

        Loading WireGuard Kernel module and Userspace Tool for RT-AC86U (v386.2)
Unknown package 'wireguard-kernel'.
Collected errors:
 * pkg_hash_fetch_best_installation_candidate: Packages for wireguard-kernel found, but incompatible with the architectures configured
 * opkg_install_cmd: Cannot install package wireguard-kernel.
Unknown package 'wireguard-tools'.
Collected errors:
 * pkg_hash_fetch_best_installation_candidate: Packages for wireguard-tools found, but incompatible with the architectures configured
 * opkg_install_cmd: Cannot install package wireguard-tools.




        Creating WireGuard configuration file '/jffs/addons/wireguard/WireguardVPN.conf'
        Creating WireGuard 'Client' and 'Server' Peer templates 'wg11.conf' and wg21.conf'
        Creating WireGuard Private/Public key-pairs for RT-AC86U (v386.2)

        ***ERROR: WireGuard install FAILED!


        nat-start updated to protect WireGuard firewall rules
        Added 'wg*' interfaces to DNSMasq

Done.
        Creating 'wg_manager' alias for 'wg_manager.sh'
        Adding Peer Auto-start @BOOT
        Installing QR rendering module
Package qrencode (4.1.1-1) installed in root is up to date.
/jffs/addons/wireguard/wg_manager.sh: line 2470: wg: not found

        Creating Wireguard Private/Public key pair for device 'iPhone'
/jffs/addons/wireguard/wg_manager.sh: line 2470: wg: not found
/jffs/addons/wireguard/wg_manager.sh: line 2470: wg: not found
        Device 'iPhone' Public key=

cat: can't open '/opt/etc/wireguard.d/wg21_public.key': No such file or directory
        Using Public key for 'server' Peer 'wg21'

        Warning: No DDNS is configured!
        Press y to use the current WAN IP or enter DDNS name or press [Enter] to SKIP.
 
Unfortunately, this didn't work:
Check /opt/etc/entware-release. The wireguard module requires Entware-aarch64.
 
@Martineau: could you please publish a changelog of the dev branch. A lot has changed in v 4.01b2 ...

WireguardVPN.conf:
# RPDB Selection Routing rules same format as 'nvram get vpn_clientX_clientlist'
# <Desciption> Source IP / CIDR> [Target IP / CIDR]> WAN_or_VPN [...]
# WireGuard Session Manger v4.01
# Categories None =
# WAN KILL switch KILLSWITCH = N
# Statistics gathering STATS = Y

Where has the possibility of changing the IP addresses of the servers "gone?

Menu: 9 cl1_peer

# cl1_peer [Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = .1 / 32 DNS = 9.9.9.9 1.1.1.2

I now have a lot of unanswered questions .....
Err,....it's an ALPHA development branch, so all sort of junk is there., so NO, there is no formal change log.

However, under wg_manager Alpha v4.0 the text config file '/WireguardVPN.conf' has been reduced to

Code:
# WireGuard Session Manager v4.01

# Categories
None=

# WAN KILL-Switch
KILLSWITCH=N

# Statistics Gathering
STATS=Y"
and is no longer used to hold the Peer definitions, however there is a migrate command used during the install to assist in converting from v3.0 and also import command if needed.

To create a new 'server' Peer you use the same peer command as used in v3.0
Code:
peer new [ip=xxx.xxx.xxx.1/24] [port=nnnnn] [auto={y|n}]]

e.g. a custom 'server' Peer...
Code:
[CODE]e  = Exit Script [?]

E:Option ==> peer new wg27 ip=1.2.3.4 port=54321

    *** Ensure Upstream router Port Foward entry for port:54321 ***

    Press y to Create 'server' Peer (wg27) 1.2.3.4:54321 or press [Enter] to SKIP.
y
    Creating WireGuard Private/Public key-pair for 'server' Peer wg27 on RT-AC86U (v386.2)

    Press y to Start 'server' Peer (wg27) or press [Enter] to SKIP.
y
    Requesting WireGuard VPN Peer start (wg27)

    wireguard-server7: Initialising Wireguard VPN 'Server' Peer (wg27) on 10.88.8.1:54321 (# RT-AC86U Server 7)
    wireguard-server7: Initialisation complete.


    interface: wg13     103.231.88.18:51820                    10.67.146.14/32,fc00:bbbb:bbbb:bb01::4:920d/128        "Mullvad France, Paris"
        peer: D2ltFd7TbpYNq9PejAeGwlaJ2bEFLqOSYywdY9N5xCY=
         latest handshake: 1 minute, 19 seconds ago
         transfer: 4.80 KiB received, 265.20 KiB sent          0 Days, 00:23:32 from 2021-03-20 20:47:52 >>>>>>

    interface: wg21     Port:51820    10.50.1.1/24             VPN Tunnel Network    # RT-AC86U Server #1
        peer: Sum4Y+e4l/8EpJUcVu9Y7s8D6biTiID3TllTVF9Mskc=     10.50.1.1/32          # SGS8 "Device"
         latest handshake: 17 minutes, 3 seconds ago
         transfer: 720 B received, 1.17 KiB sent               0 Days, 00:23:32 from 2021-03-20 20:47:53
        peer: J0cEI4UoXVsK920nMViQGUky3Y/gbG9iFI2bG0JW2gk=     10.50.1.2/32          # iPhone "Device"

    interface: wg22     Port:11502    10.50.2.1/24             VPN Tunnel Network    # RT-AC86U Server 2

    interface: wg27     Port:54321    1.2.3.0/24               VPN Tunnel Network    # RT-AC86U Server 7

     WireGuard ACTIVE Peer Status: Clients 1, Servers 3

v4.0 has been rewritten to potentially allow monitoring of the connections

e.g. session duration and traffic per Peer

1616275943572.png


I have also decided to move the firewall rules into their own chain..

e.g.
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            224.0.0.0/4       
2      200 31302 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3     1182  105K WireGuard  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* WireGuard */
4        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0         
5        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0

NOTE: It is an ALPHA so things may not work or may/will change before the formal Beta.
 
Last edited:
Check /opt/etc/entware-release. The wireguard module requires Entware-aarch64.
This in this file:
Code:
release=entware
arch=arm
cpu=cortex-a9
cpu_subtype=unknown
float=soft
gcc=8.4.0
gcc_flags=-O2 -pipe -mtune=cortex-a9 -fno-caller-saves -mfloat-abi=soft
libc=glibc
libc_version=2.23
Is this good or bad?
How do I install Entware on the USB drive?

Edit:
I managed to install Entware-aarch64 on my USB drive.
 
Last edited:
Hello Monsieur @Martineau
Thank you very much for this useful script, it works fine but I have 2 problems.
If you have 2 dns in your client configuration, the qr code import failed on wireguard Android client => so I delete the second dns ip and voila it works with qr scan import.
My second problem, after a router reboot my client still connects but nothing works, no internet, no access to local computers in my lan ...
Wireguard server is up and runnning, even if I stop it and restart it, nothing works and I can't find any log to help ..?
I have Diversion lite and Skynet running on amtm Asuswrt-Merlin 384.17
It seems like my wireguard server configuration can't survive a reboot?
 
Last edited:
I managed to install wireguard manager. I want to use Cloudflare WARP (not WARP+) on my router.
I edited wg11.conf to this:
Code:
[Interface]
#DNS = 1.1.1.1
#Address = 172.16.0.2/32
PrivateKey = xxx

[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0
Endpoint = engage.cloudflareclient.com:2408
PersistentKeepalive = 25
I also replaced the private key in the file wg11_private.key, the same with the public key in the file wg11_public.key (same keys as in wg11.conf)
Do I also need to edit WireguardVPN.conf besides "Y" at wg11? The rest of the wg11 line is cosmetic, correct?
I think, I do not need a server, so I put "N" at wg21.
I can ping 1.1.1.1 when wireguard vpn client wg11 is active, but I cannot resolve names.
At least I see some traffic: transfer: 17.20 KiB received, 48.46 KiB sent
To obtain the keys, I ran https://github.com/ViRb3/wgcf on my PC.
192.168.1.1. is my router
DNS Filter is set to "Router"
Under WAN, I've set 1.1.1.1 and 1.0.0.1 with DoT.

This is my WireguardVPN.conf
Code:
# NOTE: Auto=Y  Command 'wg_manager.sh start' will auto-start this Peer
#       Auto=P  Command 'wg_manager.sh start' will auto-start this Peer using it's Selective Routing RPDB Policy rules if defined e.g 'rp11'
#
#
# VPN   Auto   Local Peer IP         Remote Peer Socket     DNS               Annotation Comment
wg11    Y      172.16.0.2/32      engage.cloudflareclient.com:2408    1.1.1.1    # ****THIS IS NOT A REAL PEER** Edit 'wg11.conf' with real DATA!
wg12    N      xxx.xxx.xxx.xxx/32    209.58.188.180:51820   193.138.218.74    # Mullvad China, Hong Kong
wg13    N      xxx.xxx.xxx.xxx/32    103.231.88.18:51820    193.138.218.74    # Mullvad Oz, Melbourne
wg14    N      xxx.xxx.xxx.xxx/32    193.32.126.66:51820    193.138.218.74    # Mullvad France, Paris
wg15    N                                                                     #

# For each 'server' Peer you need to allocate a unique VPN subnet
#              VPN Subnet
wg21    N      10.50.1.1/24                                                   # RT-AC86U Local Host Peer 1
wg22    N      10.50.2.1/24                                                   # RT-AC86U Local Host Peer 2

# The following default 'wg0' interface retained for backward compatibility!
wg0     N      xxx.xxx.xxx.xxx/32     86.106.143.93:51820    193.138.218.74   # Mullvad USA, New York

#       RPDB Selection Routing rules same format as 'nvram get vpn_clientX_clientlist'
#       < Desciption > Source IP/CIDR > [Target IP/CIDR] > WAN_or_VPN[...]
rp11    <>
rp12
rp13    <Dummy VPN 3>172.16.1.3>>VPN<Plex>172.16.1.123>1.1.1.1>VPN<Router>172.16.1.1>>WAN<All LAN>172.16.1.0/24>>VPN
rp14
rp15    <Router>192.168.1.0/24>>VPN<LAN>192.168.1.1>>WAN

# Custom 'client' Peer interfaces - simply to annotate
SGS8    N      1.2.3.4            xxx.xxx.xxx.xxx        dns.xxx.xxx.xxx      # A comment here
wg0-client5 N  4.3.2.1                                                        # Mullvad UK, London

# Categories
NoNe=

# WAN KILL-Switch
#KILLSWITCH

# Optionally define the 'server' Peer 'clients' so they can be identified by name in the enhanced WireGuard Peer status report
# (These entries are automatically added below when the 'create' command is used)
# Public Key                                      DHCP IP             Annotation Comment
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=      10.50.1.11/32       # A Cell phone for 'server' 1

My S50wireguard
#!/bin/sh

PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Mode=client #server or client

#server
export Subnet= #e.g.)10.50.50.1/24
export wgport=

#client
export LocalIP=192.168.1.1 #e.g.)10.50.50.2
Route=default #default or policy
export wgdns=1.1.1.1
export Nipset=wgvpn

case $1 in
start)
logger "Starting WireGuard service."
if [ "$Mode" == "server" ] ; then
/opt/etc/wireguard/wg-server

elif [ "$Mode" == "client" ] && [ "$Route" != "policy" ] ; then
/opt/etc/wireguard/wg-up
else
/opt/etc/wireguard/wg-policy
fi
;;
stop)
logger "Stopping WireGuard service."
/opt/etc/wireguard/wg-down
;;
restart)
logger "Restarting WireGuard service."
/opt/etc/wireguard/wg-down
sleep 2
if [ "$Mode" == "server" ] ; then
/opt/etc/wireguard/wg-server

elif [ "$Mode" == "client" ] && [ "$Route" != "policy" ] ; then
/opt/etc/wireguard/wg-up
else
/opt/etc/wireguard/wg-policy
fi
;;
*)
echo "Usage: $0 {start|stop|restart}"
;;
esac



Please help, what did I do/set wrong?
 
Last edited:
Hello Monsieur @Martineau
Thank you very much for this useful script, it works fine but I have 2 problems.
If you have 2 dns in your client configuration, the qr code import failed on wireguard Android client => so I delete the second dns ip and voila it works with qr scan import.
Thanks for the feeback.

wg_manager Beta Hotfix v3.05 available and Hotfix v1.13

My second problem, after a router reboot my client still connects but nothing works, no internet, no access to local computers in my lan ...
Wireguard server is up and runnning, even if I stop it and restart it, nothing works and I can't find any log to help ..?
I have Diversion lite and Skynet running on amtm Asuswrt-Merlin 384.17
It seems like my wireguard server configuration can't survive a reboot?

EDIT:


Do you see the 'device' Peer connect to your 'server' Peer?


Assuming your 'server' Peer in listening on port 51820, run the following, then try to connect

Code:
conntrack -E --event-mask UPDATE -p udp -o timestamp | grep 51820
 
Last edited:

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top