Wireguard support to Voxel FW?

[jrbmw]

Sorry Wrong file uploaded in previous post. opvn was turned off and wireguard enabled

 

[HawaiianJoe]

Hi all!

Here are uploaded init.d/wireguard scripts You will have to rename them.

Regards,

Aloha! Thanks for the files! Great work!

I'm using them on Voxel's V1.0.4.42HF for the r9000. I seem to have everything running for "wireguard server" on the r9000 (client connects, bytes received both ways on the tunnel) can ping both ways to the vpn IPs, but no routing between the wg0 interface and the private networks on the router (vpn server) side. I seem to remember in another implementation binding the wg0 interface to another interface to pass VPN traffic. What did I miss on the r9000? Thanks for any guidance you may willing to share. I have entware installed and updated.

Joe

 

[R. Gerrits]

I guess using WireGuard on the router as a WG server, is similar to using OpenVPN as a OVPN server.
So probably if you copy the OpenVPN server firewall script (/etc/openvpn/vpn-firewall.sh ), replace tun0 with wg0, at the top define mask and tun_subnet and remove the last line, then you should have a script that sets the correct iptables firewall rules.

 

[R. Gerrits]

If the above works, then that modified script should be added to /opt/scripts/firewall-start.sh, so that it runs everytime the router modifies / restarts the firewall.

But I was also thinking, if you have given your WG interface an IP from the same range as your LAN, then it might be more similar to the OpenVPN tap0 scenario.

In that case, you'd need to add the wg0 interface to the bridge br0.
something like:
brctl addif bro wg0
(and the earlier mentioned firewall script is then not needed)

 

[HawaiianJoe]

Thanks!!! Great suggestions. Haven't played with iptables (directly) in a while. Will post back when I get back to it. Thanks again for the suggestions! My setup has the VPN with it's own 10x.x.x/24 net and a 172.x.x.x/24 for the local net. (Just FYI)

 

[KW.]

A quick question I hope.

I want to set up my Wireguard to reboot every night with the cron job provided in Kamojs addon. The reason is that wireguard do not delete the IP-adresses that it was connected to it under a wireguard session. Many VPN:s as the one I use do delete this after a session restart. As my connections is rock solid thanks to the great work of Voxel and Kamoj my sessions never do restart.

So what should I put in the cron job to have it restart?

EDIT I also wonder if the killswitch provided with wireguard do kick in with a controlled wireguard reboot, that is what I wish for. I want to the internet to die under this short reboot.

 

[R. Gerrits]

this should restart your wireguard session:

/etc/init.d/wg-client restart

Currently, this does a stop, followed by a start
And during stop it removes the iptables rules for the kill-switch.

I get your point, and ideally, one might indeed want to keep the kill-switch active if wg-client restart is called, and only remove it when wg-client stop is called.
But this is not how the init-script currently works.

 

[KW.]

Thank you! Well this is no big deal... But Im thinking out loud. @R. Gerrits would it be possible to at the same time as the wireguard restart set a cron job to restart the internet connection and maybe with some sleep command make it have bit of saftey buffert to be make sure that wireguard is up running again?

But maybe that make the wireguard to fail to start if its no internet?

 

[R. Gerrits]

logic would say that using /etc/init.d/net-wan restart or /etc/init.d/net-wan restart_from_detwan should restart the WAN connection.
But I my case, these commands give a bunch of errors and then my internet is down.
I then have to go to the GUI, see the red cross at the internet connect, then click on the "ERROR not connected" and then the internet will come back.
(unfortunately I cannot see which function that link is calling).

But perhaps a simple ifconfig ethwan down && sleep 5 && ifconfig ethwan up is sufficient to reset your internet connection?

 

[KW.]

Thank you so much @R. Gerrits. I did test it. Your commands do what they should do. When internet is down the wireguard start to wait for internet to come back and then it launches. I killed internet for 30 sec.

So the commands will work as cron jobs.

I guess for a millisecond its a risk the real ip maybe do break free so its maybe not the best solution if your life depends on it.

For fun maybe it is possible to log whats IP-number is on the web when you do these commands together?

EDIT. The idea thou is that not much activity happens when this cronjob is active, so this last questions is more about what is possible and for fun

 

[KW.]

I think the only thing that would be active, is maybe transmission. So if it would be possible to put transmission to sleep under that short restart without closing down cause then what it is doing will get lost I think.

 

[R. Gerrits]

if you really want kill-switch to remain active during wireguard restart, then you could make some small modifications in /etc/init.d/wg-client:
change

restart() {
   stop
   start
}

into

restart() {
   stop restart
   start
}

change

   #------------------------------------------------------------------------------
   # Delete the WireGuard Client killswitch from iptables:
   #------------------------------------------------------------------------------
   tmpfirewall="$tmpwireguarddir"/"$kill_file_name"
   if [ -f "$tmpfirewall" ]; then
      logit "Information: Stop: Delete the WireGuard Client killswitch from iptables."
      \rm -f "$tmpfirewall"
   fi

   #------------------------------------------------------------------------------
   # Restart firewall if wireguard or killswitch rules are still present
   #------------------------------------------------------------------------------
   if [ -n "$(iptables -t nat -vnL POSTROUTING | grep -F "wg0")" ] || [ -n "$(iptables -t filter -vnL FORWARD | grep -E "REJECT.*all.*br0.*$WAN_IF")" ]; then
      logit "Information: Stop: Restart firewall to remove iptables rules for WireGuard client."
      #net-wall rule
      net-wall restart
   fi

into

if [ $1 -ne "restart" ]; then 
   #------------------------------------------------------------------------------
   # Delete the WireGuard Client killswitch from iptables:
   #------------------------------------------------------------------------------
   tmpfirewall="$tmpwireguarddir"/"$kill_file_name"
   if [ -f "$tmpfirewall" ]; then
      logit "Information: Stop: Delete the WireGuard Client killswitch from iptables."
      \rm -f "$tmpfirewall"
   fi

   #------------------------------------------------------------------------------
   # Restart firewall if wireguard or killswitch rules are still present
   #------------------------------------------------------------------------------
   if [ -n "$(iptables -t nat -vnL POSTROUTING | grep -F "wg0")" ] || [ -n "$(iptables -t filter -vnL FORWARD | grep -E "REJECT.*all.*br0.*$WAN_IF")" ]; then
      logit "Information: Stop: Restart firewall to remove iptables rules for WireGuard client."
      #net-wall rule
      net-wall restart
   fi
fi

(The first modification passes the restart parameter to the stop function in restart. The second modification only removes the killswitch if stop was not called with that restart parameter)

(Note, I did not test the modifications.)

 

[KW.]

Thank you so much will do this a much better solution. Again thank you!

 

[KW.]

@R. Gerrits it works perfectly!

But... When I was inside that script.... I've been damn impressed of @kamoj and @Voxel and those like you who have contributed to this addon and router all the time.

Now I was inside this script a tiny bit of the add-on and I realised that I have had no idea how f good you are. I lack words and even breath to describe how damn impressed I am. It's like been in a artist mind to be in that place.

You are so great I almost get tears to see it all the code that you make and that comes out to the user as a daily routine to use as a new product better then before.

I also see the love within @kamoj where he write cred to those who have contributed to his art, it's tatood in the code, the very veins.

Just now R. Gerrits You gave me a language I do not understand, but when i use it, it works like magic. I got a taste.

I get why you love what you do, you create and control a beast after your whim and ideas. You are artists, magicians. F great! Offcaurse I just did copy paste what you gave me, still what rush to test the code and see it behaved just as I wanted. Born from an idea that popped in my mind and now is realised.

The @kamoj addon with it's complexity all that need to speak to etch other and work in harmony. This tiny bit of the addon tell so much.

And you guys here share it for free and give so much joy.

Thank you.

 

[SR22T]

Aloha! Thanks for the files! Great work!

I'm using them on Voxel's V1.0.4.42HF for the r9000. I seem to have everything running for "wireguard server" on the r9000 (client connects, bytes received both ways on the tunnel) can ping both ways to the vpn IPs, but no routing between the wg0 interface and the private networks on the router (vpn server) side. I seem to remember in another implementation binding the wg0 interface to another interface to pass VPN traffic. What did I miss on the r9000? Thanks for any guidance you may willing to share. I have entware installed and updated.

Joe

Hi Joe,

Were you able to get the wireguard server to work eventually?
I have been following the same guide, wg0 is up, but I'm not able to connect to the server from a client. I get no packets received.

Regards,
SR22T