Wireguard Session Manager - Discussion (2nd) thread


In order to configure multi-site/devices to implement a WireGuard topology from any of the following

  1. Point to Point
  2. Hub and Spoke
  3. Point to Site
  4. Site to Site

then clearly each 'client' Peer .conf legitimately needs to include the 'ListenPort = 51820' directive, and with appropriate firewall rules it will be secure.

In the interim, wireguard_manager 'client' Peers can function without the directive, so I will need to give some thought on how to allow its use.
Obviously changing 'wg21' to listen on a different Port would be one simple/quick hack, but most 'client' peers expect the default 51820 on the 'Server' Peer.

Interesting. So the config file comes with listen port 51820. Does this mean the provider ‘server’ peer listening on different port number? I suppose this will be included in the config file endpoint. Why wouldn’t it work?

Say we deactivate peering in phone client apps, can the provider still initiate peering to phone listening port? It seems to be a potential backdoor access.
 
Just uploaded the latest kernel model builds to my github.
Included now is the RT-AX88U 20211208 kernel module.

RT-AC86U / GT-AC2900:
wireguard-kernel_1.0.20211208-RT-AC86U_2_aarch64-3.10.ipk
wireguard-kernel_1.0.20211208-k27_2_aarch64-3.10.ipk


RT-AX88U / GT-AX11000:
wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk
wireguard-kernel_1.0.20211208-k51_2_aarch64-3.10.ipk


The 2 files for each model are binary identical; only the name is updated to be more easily interpreted.

To update your kernel module:
Code:
E:Option ==> getmodules

        Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20211208-RT-AC86U_2_aarch64-3.10.ipk' for RT-AC86U (v) @ZebMcKayhan
Success!
And please pay attention to which file gets downloaded so it matches your system (don't know if the reason for wgm downloading wrong modules were ever found and corrected @Martineau ?)

After correct modules are downloaded, load them in the system
Code:
E:Option ==> loadmodules

Personally I would reboot after this action to be sure the right module is actually loaded, but it may/should not be needed. You decide.

//Zeb
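Since the thread notes that wgm has downloaded the wrong module before, here is a check that fits between getmodules and loadmodules. It is an added example, not wireguard_manager's code or anything from Zeb's github: it confirms that every kernel .ipk in the download directory belongs to the router's model family before anything is installed. The model/alias families are exactly the ones listed in this thread (k27 for RT-AC86U/GT-AC2900, k51 for RT-AX88U/GT-AX11000, binary identical within a family); the filename layout, the function names, the /jffs/addons/wireguard download directory and reading the model with `nvram get productid` are assumptions.

```shell
#!/bin/sh
# Added example (not wireguard_manager's or Zeb's code): verify that a downloaded
# WireGuard kernel .ipk belongs to this router's model family before loadmodules
# installs it. Family membership is what this thread lists: k27 builds serve
# RT-AC86U/GT-AC2900, k51 builds serve RT-AX88U/GT-AX11000, and the per-model
# files are binary identical within a family.
# Assumptions: filename layout wireguard-kernel_<ver>-<tag>_<rev>_<arch>-<kver>.ipk
# and that the caller supplies the model (on the router: `nvram get productid`).

# family_of TAG_OR_MODEL -> k27 | k51 | unknown
family_of() {
    case "$1" in
        RT-AC86U|GT-AC2900|k27)  echo k27 ;;
        RT-AX88U|GT-AX11000|k51) echo k51 ;;
        *)                       echo unknown ;;
    esac
}

# module_matches_model IPK_FILENAME MODEL -> exit 0 if the build fits the model
module_matches_model() {
    ipk=$1; model=$2
    tag=${ipk#wireguard-kernel_*-}   # drop "wireguard-kernel_<ver>-" -> RT-AC86U_2_aarch64-3.10.ipk
    tag=${tag%%_*}                   # keep only the build tag        -> RT-AC86U
    mf=$(family_of "$tag")
    rf=$(family_of "$model")
    [ "$mf" != unknown ] && [ "$mf" = "$rf" ]
}

# check_modules_dir DIR MODEL -> exit 0 only if every kernel .ipk in DIR fits MODEL
# Run after getmodules and before loadmodules; DIR is where wgm keeps the downloads.
check_modules_dir() {
    dir=$1; model=$2; bad=0
    for f in "$dir"/wireguard-kernel_*.ipk; do
        [ -e "$f" ] || continue      # pattern did not expand: nothing downloaded
        name=${f##*/}
        if module_matches_model "$name" "$model"; then
            echo "OK    $name"
        else
            echo "WRONG $name (router is $model)"
            bad=1
        fi
    done
    return $bad
}

# Usage on the router (constructed values; assumed paths):
#   check_modules_dir /jffs/addons/wireguard "$(nvram get productid)" && echo "safe to loadmodules"
```

If the function reports WRONG, remove the file and run getmodules again rather than loading it; a mismatched module for a different kernel build is exactly the case the thread is warning about.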
 
> Don't know if the reason for wgm downloading wrong modules were ever found and corrected @Martineau ?
Nope,...may have been fat-fingers? but hopefully now that the retrieval will be based on the actual model name there should be no future ambiguity?
 
@Martineau
Just updated wgm to latest main version but wgm ended up without wg-tools so I updated to the dev version, but right now wgm does not appear to get the wireguard-tools:
Code:
E:Option ==> getmodules

        Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20211208-RT-AC86U_2_aarch64-3.10.ipk' for RT-AC86U (v) @ZebMcKayhan
Success!

        WireGuard ACTIVE Peer Status: Clients 0, Servers 0
/jffs/addons/wireguard/wg_manager.sh: line 5186: wg: not found

Whilst it does remove my existing wireguard tools, so every time I do getmodules I need to copy it back to /jffs/addons/wireguard/ myself and execute loadmodules

Have I messed up something on my github? The wireguard-tools appear to be there.
 
Hi @Martineau ,

I did a fresh install of the wg manager and found out that there may be an issue with the script. Currently trying to install it and found some issues

[attachment 37822]

A fresh install returns an error with this. Upon trying to see which place it failed, I found some errors

[attachment 37823]

[attachment 37824]

I usually do wgm to enter the manager instead of wg_manager. Not sure what happened; hope you can help me. Both dev and main branches throw the same error.
Let me know if you need any additional info I can extract from the router. Cheers!
Abject apologies. :oops:

I have been running the v386.4 Alphas (and now Beta) where the modules are included in the Firmware, and with the changes to allow switching to 3rd-Party modules/naming convention, completely borked the Download_Modules() function.

I have pushed a hotfix.

Can you please remove wireguard_manager, then reinstall from the 'main' Production branch.
 
> @Martineau
> Just updated wgm to latest main version but wgm ended up without wg-tools so I updated to the dev version, but right now wgm does not appear to get the wireguard-tools:
> Code:
> E:Option ==> getmodules
>
>         Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20211208-RT-AC86U_2_aarch64-3.10.ipk' for RT-AC86U (v) @ZebMcKayhan
> Success!
>
>         WireGuard ACTIVE Peer Status: Clients 0, Servers 0
> /jffs/addons/wireguard/wg_manager.sh: line 5186: wg: not found
>
> Whilst it does remove my existing wireguard tools, so every time I do getmodules I need to copy it back to /jffs/addons/wireguard/ myself and execute loadmodules
>
> Have I messed up something on my github? The wireguard-tools appear to be there.
Yup, embarrassing or what? :rolleyes:

see
 
> Yup, embarrassing or what? :rolleyes:
>
> see
Thanks, updated with uf and it works perfectly!

Code:
E:Option ==> getmodules

        Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20211208-RT-AC86U_2_aarch64-3.10.ipk' for RT-AC86U (v) @ZebMcKayhan
Success!

        Downloading WireGuard User space Tool 'wireguard-tools_1.0.20210914-1_aarch64-3.10.ipk' for RT-AC86U (v) @ZebMcKayhan
Success!

        WireGuard ACTIVE Peer Status: Clients 0, Servers 0

Code:
E:Option ==> loadmodules
/jffs/addons/wireguard/wg_manager.sh: line 5181: wg: not found

        Loading WireGuard Kernel module and Userspace Tool for RT-AC86U (v)
Installing wireguard-kernel (1.0.20211208-k27_2) to root...
Configuring wireguard-kernel.
Installing wireguard-tools (1.0.20210914-1) to root...
Configuring wireguard-tools.
        wireguard: WireGuard 1.0.20211208 loaded. See www.wireguard.com for information.
        wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.


        WireGuard ACTIVE Peer Status: Clients 2, Servers 0
 
> In order to configure multi-site/devices to implement a WireGuard topology from any of the following
>
>   1. Point to Point
>   2. Hub and Spoke
>   3. Point to Site
>   4. Site to Site
>
> then clearly each 'client' Peer .conf legitimately needs to include the 'ListenPort = 51820' directive, and with appropriate firewall rules it will be secure.
>
> In the interim, wireguard_manager 'client' Peers can function without the directive, so I will need to give some thought on how to allow its use.
> Obviously changing 'wg21' to listen on a different Port would be one simple/quick hack, but most 'client' peers expect the default 51820 on the 'Server' Peer.
Circling back to this... while all these topologies require special care and attention to access rights, the possibility for the user to get it wrong is virtually endless.

For example, a site to site would enable full access back and forth throughout the networks since it is a trusted network connection. You wouldn't want that for your Torguard internet client.
What would the reason be for Torguard wanting to talk back to you (except for the RELATED, ESTABLISHED sockets)? And if one decides to even set up the server to allow it, what would the access be?
 
To accommodate the new kernel module naming I uploaded additional modules (still binary identical).

RT-AC86U / GT-AC2900:
wireguard-kernel_1.0.20211208-RT-AC86U_2_aarch64-3.10.ipk
wireguard-kernel_1.0.20211208-GT-AC2900_2_aarch64-3.10.ipk
wireguard-kernel_1.0.20211208-k27_2_aarch64-3.10.ipk


RT-AX88U / GT-AX11000:
wireguard-kernel_1.0.20211208-RT-AX88U_2_aarch64-3.10.ipk
wireguard-kernel_1.0.20211208-GT-AX11000_2_aarch64-3.10.ipk
wireguard-kernel_1.0.20211208-k51_2_aarch64-3.10.ipk


I will not remove the k27/k51 modules for this release but I will not make them for the next release.

//Zeb
 
> Circling back to this... while all these topologies require special care and attention to access rights, the possibility for the user to get it wrong is virtually endless.
>
> For example, a site to site would enable full access back and forth throughout the networks since it is a trusted network connection. You wouldn't want that for your Torguard internet client.
Agreed.
> What would the reason be for Torguard wanting to talk back to you (except for the RELATED, ESTABLISHED sockets)? And if one decides to even set up the server to allow it, what would the access be?
No idea, nor is it clear why they push a /24 Subnet rather than a /32?

However as shown in the WireGuard use-case examples on the web, setting up ACLs is easily implemented using iptables,
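To make the ACL point concrete for the ListenPort discussion earlier in the thread and the RELATED,ESTABLISHED question just above, here is one way to write it. This is an added example, not wireguard_manager's own firewall code: a 'client' peer that has to carry ListenPort still accepts handshakes only from the Endpoint named in its .conf, and traffic arriving through the tunnel is limited to replies to connections the router side opened, unless one trusted remote subnet is named for the site-to-site case. The interface name wg11, the chain name, the endpoint address and the subnets in the usage lines are assumptions; the port passed must be the client peer's own ListenPort, which cannot be the same port wg21 is listening on.

```shell
#!/bin/sh
# Added example, not wireguard_manager's own firewall code.
# Builds the iptables ACL for a 'client' peer interface that carries a ListenPort.
# Assumptions: interface name (e.g. wg11), the client's own ListenPort (must differ
# from the port wg21 listens on), the provider's Endpoint address from the .conf,
# and, only for a site-to-site link, one trusted remote subnet.

# wg_client_acl IFACE LISTEN_PORT ENDPOINT_IP [TRUSTED_SUBNET]
# Prints the iptables commands in order; review them, then pipe into sh on the router.
wg_client_acl() {
    iface=$1; port=$2; endpoint=$3; trusted=$4
    chain="WG_ACL_${iface}"

    # 1. Handshakes to our ListenPort: only from the endpoint named in the .conf.
    #    Both rules are inserted at the top of INPUT; the DROP goes in first so the
    #    ACCEPT inserted afterwards sits above it and is evaluated first.
    echo "iptables -I INPUT -p udp --dport $port -j DROP"
    echo "iptables -I INPUT -p udp --dport $port -s $endpoint -j ACCEPT"

    # 2. Traffic arriving through the tunnel goes to a dedicated chain.
    echo "iptables -N $chain"
    # Replies to connections we opened (the RELATED,ESTABLISHED case) are fine.
    echo "iptables -A $chain -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Site-to-site only: the trusted remote LAN may originate connections.
    if [ -n "$trusted" ]; then
        echo "iptables -A $chain -s $trusted -j ACCEPT"
    fi
    # Anything else the far side originates is logged (rate limited) and dropped.
    echo "iptables -A $chain -m limit --limit 6/min -j LOG --log-prefix \"$chain drop: \""
    echo "iptables -A $chain -j DROP"

    # 3. Hook the chain in ahead of the firmware's own rules, for both
    #    router-bound (INPUT) and LAN-bound (FORWARD) traffic from the tunnel.
    echo "iptables -I INPUT -i $iface -j $chain"
    echo "iptables -I FORWARD -i $iface -j $chain"
}

# Usage (constructed values): an internet 'client' peer with no trusted remote LAN
#   wg_client_acl wg11 51821 203.0.113.10
# and a site-to-site link that trusts the remote office network
#   wg_client_acl wg11 51821 203.0.113.10 192.168.50.0/24
```

The source-address rule on the ListenPort only holds while the provider answers from the Endpoint address in the .conf; if the provider roams to another address the handshake is dropped and the log prefix shows it, which is the safe failure. The function prints rather than applies so the rule set can be read before it touches a live router.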
 
> Agreed.
>
> No idea, nor is it clear why they push a /24 Subnet rather than a /32?
>
> However as shown in the WireGuard use-case examples on the web, setting up ACLs is easily implemented using iptables,
Ooh, just found that Torguard offers port-forwarding... that would kind of explain the listenport directive I guess:


//Zeb
 
> Ooh, just found that Torguard offers port-forwarding... that would kind of explain the listenport directive I guess:
It would indeed - well spotted.
 
amtm3.2.1: the mere update already causes /jffs/addons/wireguard to be emptied...and an existing installation no longer works.

amtm i wireguard_manager creates a new /opt/etc/wireguard.d/wireguard.db and recreates wg21.conf (server) even though a setup exists.

Wouldn't it be better to add a check here and continue using the existing setup?

Recommendation for tests before updating amtm:
copy /jffs/amtm to amtm_bak and /jffs/addons to addons_bak, or beforehand back up /jffs from the GUI so that jffs can be restored

and copy mnt/sda(x)/entware to entware_bak
 
> amtm3.2.1: the mere update already causes /jffs/addons/wireguard to be emptied...and an existing installation no longer works.
>
> amtm i wireguard_manager creates a new /opt/etc/wireguard.d/wireguard.db and recreates wg21.conf (server) even though a setup exists.
>
> Wouldn't it be better to add a check here and continue using the existing setup?
>
> Recommendation for tests before updating amtm:
> copy /jffs/amtm to amtm_bak and /jffs/addons to addons_bak, or beforehand back up /jffs from the GUI so that jffs can be restored
>
> and copy mnt/sda(x)/entware to entware_bak
It will be safe now to update amtm, I have made some changes, read here for the reasons: https://www.snbforums.com/threads/a...merlin-terminal-menu.73585/page-3#post-730191
 
What exactly does it mean now that WG Session Manager is included in amtm? Is Wireguard able to be run as the router-wide VPN connection instead of OpenVPN?

Pardon my ignorance of the latest status of this, I've been hoping this would become available before I finally sat down and just built a PFsense system.
 
It means that you now have an opportunity to easily test if it works as you would like/expect.

Jump in! The sharks have been fed already. :)
 
My only concern is that when WG is worked out in Asus' firmware, and then @RMerlin does his thing for us, there is a nice smooth transition of setups while the flash is happening so we don't have to remember how to make it all work all over again. Maybe the only way to do that is with a setup wizard? (cart before the horse, I realize, but...)

(Or do I have it all bass-ackwards and Asus is following the lead of the folks here who are working it out? If that's the case...spectacular! Go Teamwork! Keep making the dream work!!!)

Ok, now a serious question for @ZebMcKayhan and @Martineau - if I want to use WG on my phone to connect to my router at home, I have to have a stable/static IP address for the router endpoint, right? This means DDNS for me...which I think is neat, because I can (theoretically) assign the WG server on my router its own subdomain & IP (correct?) in the IPv6 /48 that I have from tunnelbroker.net, and when my ISP rotates my WAN address, my LAN endpoint won't change...but at the same time my ISP's Native v6 is quite nice, so losing that simplicity will be tough. but it may be worthwhile, once I dig deeper...thinking now, if I can do it for WG, my unbound can have its own subdomain as well...and maybe ntpMerlin... Or am I asking for too much from my SOHO router?
 