Wireguard Session Manager - Discussion (2nd) thread

[Martineau]

Its been a while since I checked the traffic metrics on my wgm fork github (the one with wgm tutorial):
137 unique visitors the last 2 weeks. That is way more then I'd ever thought!

Really makes me wonder how many is actually using wgm?? Could be more than we think?

Wasn't aware GitHub could now provide such detailed metrics?...with Pastebin it was only possible to see the important download count; consequently back in the day I was annoyed to detect >1000 unauthorised downloads of my non-public VLANSwitch script.

I just hope that users are not put off by the wireguard_manager design/menu, and hopefully the hits to your GitHub is a reflection on the helpful detail you have provided, rather than frustration with the script itself...

i.e. if wireguard_manager is installed it simply functions fuss-free as expected, and hopefully any unhappy users aren't failing to report issues/bugs/feedback etc.

 

[JGrana]

I wrote a filter for scribe to store wg_managers logging to a separate file.

I noticed that "period" data always shows 0's. Is this correct?

Feb 24 03:59:00 RT-AX86U-Cabin (wg_manager.sh): 21734 Clients 0, Servers 1
Feb 24 03:59:00 RT-AX86U-Cabin (wg_manager.sh): 21734 Home: transfer: 94.80 MiB received, 163.31 MiB sent               1 days 09:39:35 from 2022-02-22 18:19:25
Feb 24 03:59:00 RT-AX86U-Cabin (wg_manager.sh): 21734 Home: period : 0 Bytes received, 0 Bytes sent (Rx=0;Tx=0)
Feb 24 04:59:00 RT-AX86U-Cabin (wg_manager.sh): 32155 Clients 0, Servers 1
Feb 24 04:59:00 RT-AX86U-Cabin (wg_manager.sh): 32155 Home: transfer: 2.25 GiB received, 244.13 MiB sent                1 days 10:39:35 from 2022-02-22 18:19:25
Feb 24 04:59:00 RT-AX86U-Cabin (wg_manager.sh): 32155 Home: period : 0 Bytes received, 0 Bytes sent (Rx=0;Tx=0)
Feb 24 05:59:00 RT-AX86U-Cabin (wg_manager.sh): 9054 Clients 0, Servers 1
Feb 24 05:59:00 RT-AX86U-Cabin (wg_manager.sh): 9054 Home: transfer: 2.25 GiB received, 248.78 MiB sent         1 days 11:39:35 from 2022-02-22 18:19:25
Feb 24 05:59:00 RT-AX86U-Cabin (wg_manager.sh): 9054 Home: period : 0 Bytes received, 0 Bytes sent (Rx=0;Tx=0)

This is site to site BTW

 

[ZebMcKayhan]

I wrote a filter for scribe to store wg_managers logging to a separate file.

I noticed that "period" data always shows 0's. Is this correct?

Feb 24 03:59:00 RT-AX86U-Cabin (wg_manager.sh): 21734 Clients 0, Servers 1
Feb 24 03:59:00 RT-AX86U-Cabin (wg_manager.sh): 21734 Home: transfer: 94.80 MiB received, 163.31 MiB sent               1 days 09:39:35 from 2022-02-22 18:19:25
Feb 24 03:59:00 RT-AX86U-Cabin (wg_manager.sh): 21734 Home: period : 0 Bytes received, 0 Bytes sent (Rx=0;Tx=0)
Feb 24 04:59:00 RT-AX86U-Cabin (wg_manager.sh): 32155 Clients 0, Servers 1
Feb 24 04:59:00 RT-AX86U-Cabin (wg_manager.sh): 32155 Home: transfer: 2.25 GiB received, 244.13 MiB sent                1 days 10:39:35 from 2022-02-22 18:19:25
Feb 24 04:59:00 RT-AX86U-Cabin (wg_manager.sh): 32155 Home: period : 0 Bytes received, 0 Bytes sent (Rx=0;Tx=0)
Feb 24 05:59:00 RT-AX86U-Cabin (wg_manager.sh): 9054 Clients 0, Servers 1
Feb 24 05:59:00 RT-AX86U-Cabin (wg_manager.sh): 9054 Home: transfer: 2.25 GiB received, 248.78 MiB sent         1 days 11:39:35 from 2022-02-22 18:19:25
Feb 24 05:59:00 RT-AX86U-Cabin (wg_manager.sh): 9054 Home: period : 0 Bytes received, 0 Bytes sent (Rx=0;Tx=0)

This is site to site BTW

It works for me, so I guess its not a generic problem, maybee a server thingy?

Feb 24 15:59:01 RT-AC86U-D7D8 (wg_manager.sh): 30586 Clients 2, Servers 0
Feb 24 15:59:01 RT-AC86U-D7D8 (wg_manager.sh): 30586 wg11: transfer: 22.47 GiB received, 691.28 MiB sent        2 days 18:37:15 from 2022-02-21 21:21:46 >>>>>>
Feb 24 15:59:01 RT-AC86U-D7D8 (wg_manager.sh): 30586 wg11: period : 727.04 MiB received, 21.80 MiB sent (Rx=762356695;Tx=22858957)
Feb 24 15:59:02 RT-AC86U-D7D8 (wg_manager.sh): 30586 wg12: transfer: 1.29 MiB received, 961.71 KiB sent        2 days 18:37:14 from 2022-02-21 21:21:48 >>>>>>
Feb 24 15:59:02 RT-AC86U-D7D8 (wg_manager.sh): 30586 wg12: period : 0 Bytes received, 9.59 KiB sent (Rx=0;Tx=9820)
Feb 24 16:59:00 RT-AC86U-D7D8 (wg_manager.sh): 2727 Clients 2, Servers 0
Feb 24 16:59:01 RT-AC86U-D7D8 (wg_manager.sh): 2727 wg11: transfer: 23.79 GiB received, 739.62 MiB sent        2 days 19:37:15 from 2022-02-21 21:21:46 >>>>>>
Feb 24 16:59:01 RT-AC86U-D7D8 (wg_manager.sh): 2727 wg11: period : 1.32 GiB received, 48.34 MiB sent (Rx=1417339208;Tx=50688164)
Feb 24 16:59:01 RT-AC86U-D7D8 (wg_manager.sh): 2727 wg12: transfer: 1.29 MiB received, 971.28 KiB sent        2 days 19:37:13 from 2022-02-21 21:21:48 >>>>>>
Feb 24 16:59:01 RT-AC86U-D7D8 (wg_manager.sh): 2727 wg12: period : 0 Bytes received, 9.57 KiB sent (Rx=0;Tx=9800)

//Zeb

Looks like the previous values are fetched from the SQL database:

Parse "$(sqlite3 $SQL_DATABASE "SELECT rxtotal,txtotal FROM traffic WHERE peer='$WG_INTERFACE' order by timestamp desc limit 1;")" "|" RX_OLD TX_OLD

But set to 0 if the fetched value was invalid:

if [ "$RX_OLD" != "*" ] && [ -n "$RX" ] && [ -n "$RX_OLD" ];then
local RX_DELTA=$(expr "$RX" - "$RX_OLD")
else
local RX_DELTA=0
fi

Perhaps something is going on with your database?

What do you get if you run:

admin@RT-AC86U-D7D8:/tmp/home/root# cd /opt/etc/wireguard.d/
admin@RT-AC86U-D7D8:/tmp/mnt/UsbDrv/entware/etc/wireguard.d# sqlite3 WireGuard.db "SELECT rxtotal,txtotal FROM traffic WHERE peer='Home' order by timestamp desc limit 1;"

On my wg11, I get:

27283779748|823362847

As this was the previous data...

 

[JGrana]

Perhaps something is going on with your database?

What do you get if you run:

admin@RT-AC86U-D7D8:/tmp/home/root# cd /opt/etc/wireguard.d/
admin@RT-AC86U-D7D8:/tmp/mnt/UsbDrv/entware/etc/wireguard.d# sqlite3 WireGuard.db "SELECT rxtotal,txtotal FROM traffic WHERE peer='Home' order by timestamp desc limit 1;"

On my wg11, I get:

27283779748|823362847

As this was the previous data...

Hmm, value look reasonable:

/tmp/mnt/Entware/entware/etc/wireguard.d# sqlite3 WireGuard.
db "SELECT rxtotal,txtotal FROM traffic WHERE peer='Home' order by timestamp des
c limit 1;"
113780982|61027123

Let me do some additional checking.

 

[Martineau]

I noticed that "period" data always shows 0's. Is this correct?

Probably not

Feb 24 05:59:00 RT-AX86U-Cabin (wg_manager.sh): 9054 Home: transfer: 2.25 GiB received, 248.78 MiB sent         1 days 11:39:35 from 2022-02-22 18:19:25
Feb 24 05:59:00 RT-AX86U-Cabin (wg_manager.sh): 9054 Home: period : 0 Bytes received, 0 Bytes sent (Rx=0;Tx=0)

This is site to site BTW

If you could please create and PM the debug output to me I can take a look.

e  = Exit Script [?]

E:Option ==> debug

e  = Exit Script [?]

E:Debug mode enabledOption ==> generatestats

 

[JGrana]

Probably not

If you could please create and PM the debug output to me I can take a look.


Done, sent! Good luck

 

[Martineau]

@JGrana

Many thanks.

The first line of Debug Part 2 appears to show the error...the traffic RX/TX values are stored as '*' in the SQL database when the Site-to-Site Peers initialise...and presumably never get updated

+ sqlite3 /opt/etc/wireguard.d/WireGuard.db SELECT rxtotal,txtotal FROM traffic WHERE peer='Cabin' order by timestamp desc limit 1;
+ Parse *|* | RX_OLD TX_OLD

I'll try and look at a fix later,

 

[Martineau]

@JGrana

Many thanks.

The first line of Debug Part 2 appears to show the error...the traffic RX/TX values are stored as '*' in the SQL database when the Site-to-Site Peers initialise...and presumably never get updated

+ sqlite3 /opt/etc/wireguard.d/WireGuard.db SELECT rxtotal,txtotal FROM traffic WHERE peer='Cabin' order by timestamp desc limit 1;
+ Parse *|* | RX_OLD TX_OLD

I'll try and look at a fix later,

@JGrana

Could you please try the following commands (...it may simply be the case that I have erroneously inserted the '*' tracking record for the Site-to-Site environment)

e  = Exit Script [?]

E:Option ==> diag sqlX

<snip>

SQLite version 3.33.0 2020-08-14 13:23:32
Enter ".help" for usage hints.

then at the SQL subsystem sqlite> prompt....two commands

sqlite> DELETE FROM traffic WHERE peer='Cabin' AND RXTOTAL='*';

sqlite> .quit

then manually request the generation of the stats

e  = Exit Script [?]

E:Option ==> generatestats

 

[archiel]

I have am just starting with WireGuard and cannot understand how get it to work with Unbound and IPv6

I ran the install from AMTM and setup a remote client for my android phone - and this works. I also disabled the OpenVPN server on the router, just in case.
I have not setup a client, so my only local Peer is the server wg21.

However when I looked at my IPv6 (native, DHCP-PD) and checked with IPv6 test - IPv6/4 connectivity and speed test (ipv6-test.com) and Test your IPv6. (test-ipv6.com) I found that I had lost my IPv6 connectivity.

I had been looking into DNS leaking using @eibgrad's script how-to-monitor-dns-traffic-in-real-time with additional from help @ZebMcKayhan. In case this was a contributing factor I reversed all the changes out, so I had a basic Unbound setup, with no VPN routing. However this did not help.

Eventually I found that if I disabled Unbound with WireGuard running then my IPv6 connectivity returned. Stopping WireGuard and then enabling Unbound did not work. If I want to use Unbound I had to uninstall WireGuard. I have looked at Setup-transmission-and or-unbound-to-use-wg-client but cannot see how I should apply it, as I do not have any WireGuard clients.

I am still running a OpenVPN client, using Policy Routing, so WAN DNS requests are going through Cloudflare DOT as are client requests when Unbound is off and all looks fine when using the Cloudflare check at https://1.1.1.1/help.

 

[JGrana]

[sqlite> DELETE FROM traffic WHERE peer='Cabin' AND RXTOTAL='*';

sqlite> .quit[/CODE]
then manually request the generation of the stats

e  = Exit Script [?]

E:Option ==> generatestats

Ok, did the sqlite command (on both Home and Cabin) and both are showing data for period.
I will keep an eye on it for a few days.

Thanks!

 

[ZebMcKayhan]

However when I looked at my IPv6 (native, DHCP-PD) and checked with IPv6 test - IPv6/4 connectivity and speed test (ipv6-test.com) and Test your IPv6. (test-ipv6.com) I found that I had lost my IPv6 connectivity.

I'm not sure I'm getting what you are saying. You mean that the install of wgm and wg21 somehow made you lose ipv6 capabilities on your LAN? Is it really lost as your test site is not really detecting your ip anymore? Or is it just dns not working for ipv6?

Eventually I found that if I disabled Unbound with WireGuard running then my IPv6 connectivity returned. Stopping WireGuard and then enabling Unbound did not work. If I want to use Unbound I had to uninstall WireGuard. I have looked at Setup-transmission-and or-unbound-to-use-wg-client but cannot see how I should apply it, as I do not have any WireGuard clients.

Cant install unbound without removing wgm?? Meaning actually can't as you get some error message? What's the message? Or you just mean that ipv6 is gone if wgm and Unbound is installed?

Whenever you loose ipv6, see if your clients still get an ipv6 or they don't. On 386.4 I experience some issues with dnsmasq and I sometimes have to execute:

service restart_dnsmasq

As dnsmasq fails to renew the leases.

Anything in the syslog?

I don't really see how wgm or wg server could have anything to do with Unbound or your lan ipv6 setup at all... but unbound certainly could affect ipv6 dns but not wireguard server...

 

[Martineau]

Ok, did the sqlite command (on both Home and Cabin) and both are showing data for period.
I will keep an eye on it for a few days.

Thanks!

OK thanks for testing.

I've pushed a patched wg_server Beta v4.15.9 to ensure each restart of the Site-to-Site connection will now correctly report the Period Rx/Tx metrics.

Update wg_server · MartineauUK/wireguard@379f5af

FIX: Generate Stats for Site-to-Site configuration ALWAYS shows Bytes received Rx=0; Bytes sent Tx=0 for 'Period:' - Thanks SNB forums member @JGrana Feb 24 03:59:00 RT-AX86U-Cabin (wg_m...

github.com

Update using

e  = Exit Script [?]

E:Option ==> uf dev

 

[archiel]

I'm not sure I'm getting what you are saying. You mean that the install of wgm and wg21 somehow made you lose ipv6 capabilities on your LAN? Is it really lost as your test site is not really detecting your ip anymore? Or is it just dns not working for ipv6?

Cant install unbound without removing wgm?? Meaning actually can't as you get some error message? What's the message? Or you just mean that ipv6 is gone if wgm and Unbound is installed?

Whenever you loose ipv6, see if your clients still get an ipv6 or they don't. On 386.4 I experience some issues with dnsmasq and I sometimes have to execute:

service restart_dnsmasq

As dnsmasq fails to renew the leases.

Anything in the syslog?

I don't really see how wgm or wg server could have anything to do with Unbound or your lan ipv6 setup at all... but unbound certainly could affect ipv6 dns but not wireguard server...

Typo in unbound.conf when re-enabling IPv6. Move along... nothing to see here...

 

[JGrana]

OK thanks for testing.

I've pushed a patched wg_server Beta v4.15.9 to ensure each restart of the Site-to-Site connection will now correctly report the Period Rx/Tx metrics.

Update wg_server · MartineauUK/wireguard@379f5af

FIX: Generate Stats for Site-to-Site configuration ALWAYS shows Bytes received Rx=0; Bytes sent Tx=0 for 'Period:' - Thanks SNB forums member @JGrana Feb 24 03:59:00 RT-AX86U-Cabin (wg_m...

github.com

Update using

e  = Exit Script [?]

E:Option ==> uf dev

Getting closer ;-)

I noticed yesterday that stats for both 0 bytes sent. I thought I would give it a few hours.
In the mean time I did the update to v4.15.9.

On the Home side, period sent is still showing 0. On the Cabin, the numbers are large negative.

Home generatestats:

E:Option ==> generatestats

        Cabin: transfer: 406.20 MiB received, 2.37 GiB sent             3 days 23:18:48 from 2022-02-23 10:10:18
        Cabin: period : 153.60 KiB received, 0 Bytes sent (Rx=157286;Tx=0)

Cabin generatestats:

E:Option ==> generatestats

        Home: transfer: 2.62 MiB received, 3.05 MiB sent                0 Days, 03:36:07 from 2022-02-27 05:53:37
        Home: period : -2584970527 Bytes received, -525126861 Bytes sent (Rx=-2584970527;Tx=-525126861)

I will run a debug trace on both sides and send you a pastebin via PM

 

[Martineau]

Getting closer ;-)

I noticed yesterday that stats for both 0 bytes sent. I thought I would give it a few hours.
In the mean time I did the update to v4.15.9.

On the Home side, period sent is still showing 0. On the Cabin, the numbers are large negative.

Home generatestats:

E:Option ==> generatestats

        Cabin: transfer: 406.20 MiB received, 2.37 GiB sent             3 days 23:18:48 from 2022-02-23 10:10:18
        Cabin: period : 153.60 KiB received, 0 Bytes sent (Rx=157286;Tx=0)

Cabin generatestats:

E:Option ==> generatestats

        Home: transfer: 2.62 MiB received, 3.05 MiB sent                0 Days, 03:36:07 from 2022-02-27 05:53:37
        Home: period : -2584970527 Bytes received, -525126861 Bytes sent (Rx=-2584970527;Tx=-525126861)

I will run a debug trace on both sides and send you a pastebin via PM

Hmmmm

Being lazy..... when convenient, can you please reboot both ends......

If it still fails, then I suspect my original idea of initialising the 'traffic' SQL table with '*' was indeed valid; just poorly executed.

 

[ZebMcKayhan]

Typo in unbound.conf when re-enabling IPv6. Move along... nothing to see here...

Glad you figured it out!

It just occurred to me that if you plan on keeping Unbound outgoing-interface to a br0 alias 192.168.3.1 and a rule for this ip to go out a wireguard client, you need to add to wg custom config:

iptables -t nat -I POSTROUTING -s 192.168.3.1/32 -o wg11 -j MASQUERADE

Otherwise these packages will likely be dropped at the receiving end. You will find this in the YazFi part of my guide (as that's the only place I encounter other subnets)

I think the methode of br0 alias for this purpose proposed by @eibgrad is really clever and neat and takes care of not needing the ToLocalUseMain rule. However, not really sure if bottom end brings less complexity or more compared to using the actual br0 adress, could be dependant on how well you are in control over the routing rules/tables perhaps.

 

[eibgrad]

I think the methode of br0 alias for this purpose proposed by @eibgrad is really clever and neat and takes care of not needing the ToLocalUseMain rule. However, not really sure if bottom end brings less complexity or more compared to using the actual br0 adress, could be dependant on how well you are in control over the routing rules/tables perhaps.

You make a valid point. And it was something I had considered. But I decided it was better to *target* the change to just that one process for the time being, for the precisely the same concerns you expressed. I didn't know the full implications of binding *everything* on the router's LAN ip and network interface (br0) to the VPN.

Truth be told, you can make the argument either way. It all depends on the rest of your configuration and expectations as to behavior. And given the number of configurations possible, esp. w/ all these various AddOns, the possible implications are just too difficult to anticipate. So as I said, I "punted" and just kept the change narrowly scoped to Unbound.

 

[ZebMcKayhan]

You make a valid point. And it was something I had considered. But I decided it was better to *target* the change to just that one process for the time being, for the precisely the same concerns you expressed. I didn't know the full implications of binding *everything* on the router's LAN ip and network interface (br0) to the VPN.

Truth be told, you can make the argument either way. It all depends on the rest of your configuration and expectations as to behavior. And given the number of configurations possible, esp. w/ all these various AddOns, the possible implications are just too difficult to anticipate. So as I said, I "punted" and just kept the change narrowly scoped to Unbound.

Your right, as always. You never know what effect this have on other system.
Hope you don't mind, I added your method as an alternative way to be used. Altough requires more scripting it leaves the routing changes a much smaller footprint on the router:
#Setup Transmission and/or Unbound to use WG Client (alternate way)

 

[JGrana]

Hmmmm

Being lazy..... when convenient, can you please reboot both ends......

If it still fails, then I suspect my original idea of initialising the 'traffic' SQL table with '*' was indeed valid; just poorly executed.

Not sure who is lazy, certainly not you! Me, we that’s a different matter ;-)

I rebooted both ends.

Now, both are showing rather large negative numbers for both Tx and Rx. This is just with the period stats.

Let me sit tight for a few hours and do a generatsats again.

If need be, I can tear down the tunnel, uninstall wg and wg_manager and re-install and try from scratch.
Tomorrow - I am lazy ;-). LOL

 

[Martineau]

If need be, I can tear down the tunnel, uninstall wg and wg_manager and re-install and try from scratch.
Tomorrow - I am lazy ;-). LOL

No need, the reboot should have been sufficient, so clearly there is a logic issue on my part rather than a possible SQL issue.