
Wireguard Client Help

Okay, got it. One thing: you know Diversion uses the .2 IP, what will the Diversion server IP change to?
Leave it at .2; it does not matter, but it's good to keep it at wan (<.16) so it will use the more complete main route table. Use .3 - .15 for your wan clients.
 
Cool, tested working, though the speed test shows WG at less than 80mb when I have 500mb. WAN going through the wan rule. I noticed that if I turn on OVPN while WG is on, WAN clients use the OVPN, though I changed the VPN Director. Anyways, thanks for your time; at least I was able to get it working and have learnt a bit about WG :)
 
Cool, tested working, though the speed test shows WG at less than 80mb when I have 500mb.
You can test the same config on your Android phone and see what speeds you get. If you are getting much higher speeds there, there could possibly be some opportunity. Experiment with XMARK (wgm vx command) and/or turning off nat hw acceleration (wgm 'fc disable' command).


Anyways, thanks for your time; at least I was able to get it working and have learnt a bit about WG :)
That's a worthy goal!
 
Please, what is 'Experiment with XMARK' and what does it do?
 
Wireguard is incompatible with router NAT acceleration. Wgm uses packet marks in the firewall to bypass this. If you enter vx in wgm, it lets you edit the config file:
Code:
# Override setting of the -t mangle FORWARD/PREROUTING '-j MARK --set-xmark 0x01/0x7' fwmarks
# (NOT the user Selective Routing fwmarks for Ports/IPSETs etc.)
#     Use command 'vx' to edit this setting.
#NOSETXMARK
By removing the # before NOSETXMARK you can toggle these rules on and off.

However, your best try would be to disable fc completely. You can do this in wgm with the command 'fc disable'.

The reason is that the xmark doesn't always do a good enough job, and this incompatibility could lead to reduced speed.

Try 'fc disable' then run speed test again.

Any difference?
 
Okay, thanks again. I have disabled fc but no difference. You've done enough. The main reason I wanted this was the thought that it was faster than OVPN, but in my case it is not. Thanks again for working me through it all.
 
It's not about commands.
Just a note of caution first: as you swap between ovpn and wg, this change will affect ovpn too and you need to remake the vpndirector rules. But you will get a more robust setup for both ovpn and wg.

Head into the router gui: LAN -> DHCP Server. Here there is a field "IP Pool Starting Address"; this is probably 192.168.1.2 for you.
Change this to 192.168.1.16.

This means no clients will be assigned an ip below 16.

Change Enable Manual Assignment to yes if not already.

Then further down, in "Manually Assigned IP around the DHCP list", you probably have your wan clients. Change all wan clients to have an ip below 16 (like 192.168.1.5, 192.168.1.6, 192.168.1.7). If you have other static assigned ips here for vpn, make sure they are above 16.

Now head into wgm and stop wg11, remove all rules in wg11.

then create new rules:
Code:
E:Option ==> peer wg11 rule add vpn 192.168.1.128/25 comment 128-255
E:Option ==> peer wg11 rule add vpn 192.168.1.64/26 comment 64-127
E:Option ==> peer wg11 rule add vpn 192.168.1.32/27 comment 32-63
E:Option ==> peer wg11 rule add vpn 192.168.1.16/28 comment 16-31

Reset dns to the one in your wg config:
Code:
E:Option ==> peer wg11 dns=10.100.0.1

Now start wg11 again.

Now the rules for vpn only cover ips above 16, which means your router and any ip below 16 will be completely unaffected by vpn. So if you want other clients to go out wan, just assign them an ip below 16 and you're done.

The same goes for ovpn and vpndirector. Remove all rules and assign the above ip/cidr to ovpn.




No tweaks for this in wgm. Your router is not your bottleneck.

Zeb, please, whenever you're free, can you explain to me a little bit of the below? I want to know how you separated the network below. Please, in simple terms. Thanks :-)
E:Option ==> peer wg11 rule add vpn 192.168.1.128/25 comment 128-255
E:Option ==> peer wg11 rule add vpn 192.168.1.64/26 comment 64-127
E:Option ==> peer wg11 rule add vpn 192.168.1.32/27 comment 32-63
E:Option ==> peer wg11 rule add vpn 192.168.1.16/28 comment 16-31
 
The /nn is called CIDR, which is basically another way of specifying a mask. Most of us have seen the Windows network mask 255.255.255.0. The origin of why it's 255 is that in ip addresses each number between the dots is 1 byte = 8 bits. Maximum value is 255 (binary 1111 1111, hexadecimal FF).
In the network mask, ones are added from the left, basically telling the Windows machine how large the network is that it's a part of.
255.255.255.0 means that the trusted network ip starts with 192.168.1., so the first 3 bytes are the trusted network ip.
255.255.0.0 would mean a much larger network, ip starting with 192.168.

Cidr means that instead of writing out the decimal variant of the '1's, we simply write the amount of 1's starting from the left. So /24 is your typical lan (ip starting with 192.168.1). /32 would mean a single ip address only (which is usually left out).

Cidr is not only used to tell how large a trusted network is, it could be used in various places when you wish to specify an ip range, as we do in wgm and vpndirector.

Going further in dividing requires a bit of binary math, which could be overwhelming. But here are some commonly used ones (example applied on 192.168.1.1):
/0 = all ips = 0.0.0.0 - 255.255.255.255
/16 = 192.168.0.0 - 192.168.255.255
/23 = 192.168.0.0 - 192.168.1.255
/24 = 192.168.1.0 - 192.168.1.255
/25 = 192.168.1.0 - 192.168.1.127
/26 = 192.168.1.0 - 192.168.1.63
/27 = 192.168.1.0 - 192.168.1.31
/28 = 192.168.1.0 - 192.168.1.15
/29 = 192.168.1.0 - 192.168.1.7
/30 = 192.168.1.0 - 192.168.1.3
/31 = 192.168.1.0 - 192.168.1.1
/32 = 192.168.1.1

Now, this could also be applied on, say, 192.168.1.16/28; that would mean 192.168.1.16 - 192.168.1.31. The reason is that 16 is binary 0001 0000 and /28 means the first 3 full numbers and 4 bits more, so 1111 1111 . 1111 1111 . 1111 1111 . 1111 0000 (FF . FF . FF . F0). Our cidr then means the last 4 bits are wildcards.
The ip stated ends with 16 (0001 0000), which means 16 (0001 0000) - 31 (0001 1111).

In this way we could design one or more rules to cover any area we need.
The comments I've made in the rules tell you what last ip number the rule covers.

There are cidr calculators online if you like to use them. But as you can see, it all moves towards 0, which makes it convenient to have the ips we would like to separate at the top of the range or the bottom.

It would help you to know binary and hexadecimal to calculate these yourself.
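As an added worked example (not from the thread or from wgm), here is the CIDR arithmetic behind the four wg11 rules in Python: it computes the range each /nn prefix covers, renders the mask in binary and hex the way the post does, and checks that the four blocks cover exactly .16 to .255 and nothing below. covering_blocks goes a step further than the post and shows the general decomposition of any first..last range into CIDR blocks, of which the four rules are one instance.

```python
# Added example, not code from the thread or the wgm project.
# Uses only the Python standard library.
import ipaddress

WG11_RULES = ["192.168.1.128/25", "192.168.1.64/26",
              "192.168.1.32/27", "192.168.1.16/28"]  # the four rules from the thread


def cidr_range(cidr):
    """First and last address covered by a prefix; strict=False lets a host
    address such as 192.168.1.1/23 be used, as in the post's table."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def mask_bits(prefixlen):
    """Render /nn as dotted binary and dotted hex (e.g. /28 -> ...11110000, FF.FF.FF.F0)."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    octets = [(mask >> s) & 0xFF for s in (24, 16, 8, 0)]
    return (".".join(f"{o:08b}" for o in octets),
            ".".join(f"{o:02X}" for o in octets))


def host_bits(cidr):
    """Binary of the last octet of the first and last address: 0001 0000 .. 0001 1111 for .16/28."""
    first, last = cidr_range(cidr)
    return f"{int(first.rsplit('.', 1)[1]):08b}", f"{int(last.rsplit('.', 1)[1]):08b}"


def covering_blocks(first, last):
    """Smallest set of CIDR blocks covering first..last exactly; this is the general
    form of what the four wg11 rules do for .16-.255."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def covered_hosts(blocks, base="192.168.1.0/24"):
    """Sorted last octets of the /24 that fall inside any of the blocks."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return sorted(int(a) & 0xFF for a in ipaddress.ip_network(base)
                  if any(a in n for n in nets))


if __name__ == "__main__":
    for rule in WG11_RULES:
        print(rule, "->", cidr_range(rule))
    print("/28 mask:", mask_bits(28))
    print(".16/28 host bits:", host_bits("192.168.1.16/28"))
    print("blocks for .16-.255:", covering_blocks("192.168.1.16", "192.168.1.255"))
    hosts = covered_hosts(WG11_RULES)
    print("lowest ip sent to vpn:", hosts[0], "count:", len(hosts))
```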
 
The reason for why we do what we do is that normally the main routing table is the only one. It is mostly managed by the kernel (dhcp info and interface ip/network). You can only specify the destination ip in a routing rule. So if we add a vpn, now there are 2 ways to the internet, and routing can't have 2 ways, so the kernel will select a route based on other things, such as metric.
In order to keep control, the fw and wgm create a new route table for vpn internet and use ip rules (vpn director) to point source ips to the right routing table.

Problem is that the kernel only updates the main route table, not our created vpn table. So internet is always there, but all other routes may not be. This includes vpn server, guest networks, other local vpn networks etc. wgm only keeps routes to vpn for internet and to lan, while fw takes a snapshot of the main routing table during creation and updates it periodically. But some routes are not copied to prevent unintentional routing.

The router normally only uses its lan ip (192.168.1.1) when communicating with lan, but some applications (like the gui) are set to use this ip. So you can see the issue if the router gui is set to use the policy route table, which may not be complete or up to date.

Another issue is with wgm and how it does dns redirecting. Creating a rule for your entire network will mean the entire network will be redirected. Due to this we need to find a way to only create vpn rules for the ips needing it.
We didn't really sectionize your network. It's still the same size. We just prevented the lan dhcp server from handing out ips below 16. Then we set up a couple of hosts and told the dhcp server that these devices should get these specific ips (which could be below 16).
Then we created rules to send ips 16-255 to vpn. And since these do not cover any ip below 16, the router will always use the main table and we won't have any dns issues.

You still may end up with issues if you set up a wg server. As no routes exist to the wg server in the policy table, your lan clients using vpn will not be able to communicate with vpn clients (like if you have a nas set to use vpn). Rules could be needed to send wg server ip /24 destinations to wan. Clearly we don't want them to go to wan, but wan means the main route table, which does contain routes to the wg server.
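An added example, not from the thread or the wgm project: a small Python model of Linux policy routing (ip rule selects a table by source, then a longest-prefix match inside that table) built to mirror the setup above. The table names, rule priorities, interface names and the 10.50.1.0/24 wg-server subnet are constructed assumptions; the model shows why a vpn client talking to the wg server is caught by table 121's default route, and how a destination rule pointing at the main table gives the behaviour the post describes.

```python
# Added example, not code from the thread or the wgm project.
# Models "ip rule" + "ip route show table X" lookups with constructed data.
import ipaddress


def lookup(table, dst):
    """Longest-prefix match of dst in one route table; returns the egress or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def route(rules, tables, src, dst):
    """Walk rules by ascending priority; the first selector that matches picks a table.
    If that table has no route for dst the kernel moves on to the next rule, which is
    why the catch-all 'main' rule at priority 32766 always ends the walk."""
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, frm, to, table in sorted(rules):
        if src_a in ipaddress.ip_network(frm) and dst_a in ipaddress.ip_network(to):
            via = lookup(tables[table], dst)
            if via is not None:
                return table, via
    return None, None


# Constructed tables. 'main' is kernel-maintained and complete (lan, wg server on wg21,
# default via wan); '121' is the wgm vpn table with only the lan route and a default
# through wg11, as the post says.
TABLES = {
    "main": [("192.168.1.0/24", "br0"), ("10.50.1.0/24", "wg21"), ("0.0.0.0/0", "eth0")],
    "121":  [("192.168.1.0/24", "br0"), ("0.0.0.0/0", "wg11")],
}

# Constructed rules: (priority, from, to, table). The four selectors are the wg11 rules
# from the thread; 32766 is the kernel's own catch-all to the main table.
WGM_RULES = [
    (1000, "192.168.1.16/28", "0.0.0.0/0", "121"),
    (1000, "192.168.1.32/27", "0.0.0.0/0", "121"),
    (1000, "192.168.1.64/26", "0.0.0.0/0", "121"),
    (1000, "192.168.1.128/25", "0.0.0.0/0", "121"),
    (32766, "0.0.0.0/0", "0.0.0.0/0", "main"),
]

# The extra rule the post hints at: wg-server destinations go to "wan" (= main table) first.
FIX_RULE = (900, "0.0.0.0/0", "10.50.1.0/24", "main")


def demo(rules=WGM_RULES):
    """Four lookups: vpn client, wan client and the router itself to the internet,
    plus a vpn client trying to reach a wg server peer (10.50.1.2)."""
    return {
        "vpn_client_internet": route(rules, TABLES, "192.168.1.50", "8.8.8.8"),
        "wan_client_internet": route(rules, TABLES, "192.168.1.5", "8.8.8.8"),
        "router_internet":     route(rules, TABLES, "192.168.1.1", "8.8.8.8"),
        "vpn_client_to_wgsrv": route(rules, TABLES, "192.168.1.50", "10.50.1.2"),
    }


if __name__ == "__main__":
    print("without fix:", demo())
    print("with fix:   ", demo(WGM_RULES + [FIX_RULE]))
```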
 
Zeb, thanks again for your time. I have really enjoyed and learnt something from you since yesterday. Thanks man.
 
Re WGM Server - I will be using the OVPN Server to access my lan if needed. I have that set up already and running. Cheers.
 
Zeb, I was trying to follow your steps for Geo-Location by creating a second VPN client (client 2) and adding a phone to it as the only device to use VPN. I created a rule via VPN Director in the GUI and, though the client was not turned on, once saved I lost connection to the internet. Went to the WG and restarted but it made no difference. I removed the client added to VPN Director for OpenVPN client 2 but it still did not make any difference. I have stopped and restarted WG but still no connection to the internet. PS - I did not make any changes to the WG.
 
Noticed this error on wg when I restarted it:

grep: /proc/blog/skip_wireguard_port: No such file or directory
/jffs/addons/wireguard/wg_client: line 1345: can't create /proc/blog/skip_wireguard_port: nonexistent directory
 
You mean you lost connection for that client? Or the entire lan?

I would not recommend using VPN Director for wgm rules due to a couple of reasons. One being that if you are using openvpn this could create issues.

Better dump the usual suspects so we can see what is going on:
Code:
wg show
ip rule
ip route show table main
ip route show table 121
iptables -nvL PREROUTING -t nat
iptables -nvL WGDNS1 -t nat
iptables -nvL FORWARD
 
The entire LAN connection, just like the initial time we were troubleshooting -

interface: wg21
public key: XZefddRyLXxKzf7Qds/9Vb2QaKk+5Pi9okleklk7TzE=
private key: (hidden)
listening port: 51820
peer: wU5KKKi0dbVgIePBLWprOnunWe2KiYOw9Dyj8iGaB2M=
preshared key: (hidden)
allowed ips: 10.50.1.2/32
interface: wg11
public key: VkP/u8ymi6tTibAJAw3c1TZiP6hOTXNoG5dSR5EnKH0=
private key: (hidden)
listening port: 55075
peer: EVTu6lQ+EDZ7Ut5pl9BGFlcWpL7LmZV2SN1jAvhIv3A=
preshared key: (hidden)
endpoint: 50.7.114.51:250
allowed ips: 0.0.0.0/0
transfer: 0 B received, 296 B sent
persistent keepalive: every 25 seconds
WireGuard® ACTIVE Peer Status: Clients 1, Servers 1
 
Please, what commands do you want to run?
 
Your wg11 does not seem to work, just as before. Have you imported the wrong config, or has your supplier killed it off if you have not been using it?
Zeb, just now you mentioned my supplier. I downloaded a new wg config from them that I wanted to use for the Geo-Location steps, so do you think I should re-download another wg server config and re-import it again, though the previous one I downloaded for Geo-Location was a different location to the one in use in WG? Please advise.
 
