Wireguard Session Manager - Discussion (2nd) thread


Code:
menu show
or
Code:
menu on
Thanks!

I've made a wrapper script:
Code:
nano /opt/bin/wgmExpo
Populate with:
Code:
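#!/bin/sh
# wgmExpo: run wg_manager menu commands non-interactively.
# Each argument becomes one menu line; a final "e" exits wg_manager.

commands=""
pad="\n"
for arg in "$@"
  do
    commands="${commands}${arg}${pad}"
  done
commands="${commands}e"

# echo -e turns the "\n" separators into newlines (it also interprets any
# backslash escapes inside the arguments themselves).
# awk prints the lines that follow each "Option ==>" prompt and stops at
# the "WireGuard ACTIVE Peer Status" banner.
echo -e "$commands" | wg_manager | awk '/Option ==>/{flag=1; next} /WireGuard ACTIVE Peer Status/{flag=0} flag'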
Save & exit
Make executable
Code:
chmod +x /opt/bin/wgmExpo

So now you could run commands inside wgm by:
Code:
wgmExpo "colour off" "peer wg11 dns=9.9.9.9" "restart wg11"

I will put it on my github wgm fork shortly and make some install instructions when I have time...
 
Ripped the installer command from wg_manager and tweaked it to my needs:

To Install wgmExpo, run:
Code:
curl --retry 3 "https://raw.githubusercontent.com/ZebMcKayhan/WireguardManager/main/wgmExpo" -o "/opt/bin/wgmExpo" && chmod 755 "/opt/bin/wgmExpo"

It will download the file to the /opt/bin/ folder, which is in the router path, so you can access it from anywhere.

Added some header text:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# wgmExpo
wgmExpo Version 0.1 by ZebMcKayhan
wgmExpo --help for usage info

admin@RT-AC86U-D7D8:/tmp/home/root# wgmExpo --help
wgmExpo Version 0.1 by ZebMcKayhan

usage:
wgmExpo "command 1" "command 2" "command n"

example:
wgmExpo "colour off" "peer wg11 dns=9.9.9.9" "restart wg11"

admin@RT-AC86U-D7D8:/tmp/home/root#

There are no checks in the scripts that the commands you are running in wgm are ok, but it will output any error message from wgm while processing the commands. It will always end with exiting wgm so you return to shell prompt.

If you wish to remove the script, simply execute:
Code:
rm /opt/bin/wgmExpo

Suggestions & feedback are always welcome.

//Zeb
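
The wrapper above passes its arguments through `echo -e` with no checks, so an argument containing a newline or a `\n` escape would reach wg_manager as more than one menu line. An added example (not part of the original post or the wgmExpo source) that builds the same input with `printf` and rejects control characters; `valid_menu_cmd`, `build_wgm_input` and `run_wgm` are names made up for it.

```sh
#!/bin/sh
# Added example, not the wgmExpo source. Builds the text that is piped into
# wg_manager so that each argument can only ever become ONE menu line.
LC_ALL=C; export LC_ALL
NL='
'

# Accept a non-empty argument with no control characters (newline, CR, ESC...).
valid_menu_cmd() {
    [ -n "$1" ] || return 1
    case "$1" in
        *"$NL"*|*[[:cntrl:]]*) return 1 ;;
    esac
    return 0
}

# Print one line per argument plus the closing "e" (exit) command.
# All arguments are checked before anything is printed, and printf '%s\n'
# never interprets backslash escapes the way echo -e does.
build_wgm_input() {
    for arg in "$@"; do
        if ! valid_menu_cmd "$arg"; then
            echo "wgm input rejected: empty or control character in argument" >&2
            return 1
        fi
    done
    for arg in "$@"; do
        printf '%s\n' "$arg"
    done
    printf 'e\n'
}

# Hypothetical wrapper entry point: start wg_manager only if the input is clean.
run_wgm() {
    input=$(build_wgm_input "$@") || return 1
    printf '%s\n' "$input" | wg_manager
}

# Demonstration with the commands used in the thread (prints four lines).
build_wgm_input "colour off" "peer wg11 dns=9.9.9.9" "restart wg11"
```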
 
Had some time today, so extended wgmExpo abilities a little:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# wgmExpo --help
   wgmExpo Version 0.2 by ZebMcKayhan

   Execute menu command in Wireguard Session Manager

   usage:
      wgmExpo <Option> "command 1" "command 2" "command n"

   Options:
      -h     - help
      -v     - version
      -s     - Silent mode, no output
      -c     - Monocrome output (no ASCII escape characters)
      -t     - Display Wireguard ACTIVE Peer Status: each command

   example:
      wgmExpo -c "peer wg11 dns=9.9.9.9" "restart wg11"
      wgmExpo -ct "livin wg11 192.168.10.53"

c & t are the only options that work together (and the only to make sense)

Be careful with -s, it will not produce any output at all (>/dev/null 2>&1).

@Martineau when I block outputs with 1>/dev/null there is still 1 output line from start wg12. Does wgm produce ERR outputs normally? This line:
Code:
wireguard-clientwg12: Initialisation complete.

The file is updated on github, install with same command:
Code:
curl --retry 3 "https://raw.githubusercontent.com/ZebMcKayhan/WireguardManager/main/wgmExpo" -o "/opt/bin/wgmExpo" && chmod 755 "/opt/bin/wgmExpo"

Again suggestions & feedback are always welcome

@abir1909 if you install this wrapper you could use the simpler command in Shortcuts:
Code:
wgmExpo -c "livin @home 192.168.1.94"
And it should produce a neat output and also provide you with any unexpected output.

//Zeb
 
Ripped the installer command from wg_manager and tweaked it to my needs:

To Install wgmExpo, run:
Code:
curl --retry 3 "https://raw.githubusercontent.com/ZebMcKayhan/WireguardManager/main/wgmExpo" -o "/opt/bin/wgmExpo" && chmod 755 "/opt/bin/wgmExpo"

it will download the file to /opt/bin/ folder, which is in the router path so you could access it from anywhere.
I believe the accepted convention adopted by script authors (and used by the wireguard_manager installer ;)) is to create an '/opt/bin' alias to the actual .sh script, so you would install (assuming you didn't want to add the .sh suffix to 'wgmExpo' in your repository) as say

Code:
curl --retry 3 "https://raw.githubusercontent.com/ZebMcKayhan/WireguardManager/main/wgmExpo" -o "/jffs/addons/wireguard/wgmExpo.sh" && chmod 755 "/jffs/addons/wireguard/wgmExpo.sh"

Consequently, using the above install location (rather than '/jffs/scripts'), when the parent wireguard_manager is uninstalled then your wgmExpo.sh child script will also automatically get removed.

Create the alias...
Code:
ln -s /jffs/addons/wireguard/wgmExpo.sh /opt/bin/wgmExpo

NOTE: If the alias is orphaned, hopefully you should be able to identify where the actual script is supposed to be located

e.g. the following hack should hopefully show all the symlinks
Code:
ls -l /opt/bin | grep ^l
and a couple of scripts can then conveniently assist in showing the status of available Entware packages/3rd-Party addons



P.S. Of course I could amend wireguard_manager to always remove your alias or indeed quietly have wireguard_manager fully manage the availability/install of your addon direct from your Github? :cool:
 
ps: One minor issue with wg_manager. When you first setup the Home server/peer, wg_manager tells you to copy the Home and Cabin files to the remote (Cabin) site.
One of those is Home.conf. But, if you look in the /opt/etc/wireguard.d directory, there is only Home.conf_imported. Makes sense since I selected "y" to import.
Maybe keep another version - Home.conf as well to reduce confusion.
Given there is no obligation to import 'Home.conf', I suppose it might be better to actually zip the files that are to be manually exported to the remote Site-to-Site location, and simply only refer to the zip file name (rather than its content)?

i.e. having the rogue 'Home.conf' sitting alongside 'Home.conf_Imported' will surely lead to increased confusion!? :oops:
 
@Martineau when I block outputs with 1>/dev/null there are still 1 output line from start wg12. outputs normally? This line:
Code:
wireguard-clientwg12: Initialisation complete.
.....Do wgm produce ERR outputs normally?
Who knows with my manky coding skills, but the message isn't issued by the wireguard_manager.sh script...it originates from a different script - either wg_client or wg_server

but....
Code:
wgmExpo "stop wg13"

    Requesting WireGuard VPN Peer stop (wg13)


    wg13: transfer: 16.21 KiB received, 11.22 KiB sent        0 Days, 00:00:16 from >>>>>>
    wg13: period : 16.21 KiB received, 11.22 KiB sent (Rx=16599;Tx=11489)
    wireguard-clientwg13: Wireguard VPN 'client' Peer (wg13) to 193.27.13.194:51820 (# Mullvad USA, Dallas) Terminated
and then with the -s option, I didn't receive the standard Initialisation message (except in Syslog)
Code:
wgmExpo -s "start wg13"
Code:
 wgmExpo -v

   wgmExpo Version 0.2 by ZebMcKayhan
 
quietly have wireguard_manager fully manage the availability/install of your addon direct from your Github?
That would really be fantastic! The tool is anyway quite useless without wireguard manager, and clearly you know your way around the router file system and what is deemed proper and not.
I would like to have the .sh but it is really in the way when typing the command. A symlink is a convenient way to get around this indeed. I will duplicate wgmExpo to wgmExpo.sh on my github (shortly) if you like to start implementing.

and then with the -s option, I didn't receive the standard Initialisation message (except in Syslog)
No, you wouldn't, because I changed the Silent Mode to use
Code:
echo -e "$commands" | wg_manager >/dev/null 2>&1
So, currently both std and err output is sent to /dev/null

My initial intention was that only std out would be piped so any script errors and similar would still show. So if you execute:
Code:
echo -e "stop wg13\nstart wg13\ne" | wg_manager 1>/dev/null

you will get the one line still but all else hidden. The thought crossed my mind too if it shows because a 3rd script outputs it, but I really have no idea.

//Zeb
 
@Martineau
Your "manky coding skills" are working great, Thank You!
I'm still working on my "copy/paste" skills for the Pi.
 
@Martineau , can you check to see if you are setting up a route on site-2-site from the server to the peer?
On v4.15b6, the tunnel comes up fine (wg shows both sides sending and receiving) but I can't access devices across the tunnel.
Using the conf files created by wg_manager and using wg-quick, I can see a route added and I can access devices on both sides. Here are the routing tables from the remote (Cabin) with wg_manager and wg-quick:

Code:
wg-quick:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         108.12.6.1      0.0.0.0         UG    0      0        0 eth0
10.9.8.1        *               255.255.255.255 UH    0      0        0 Cabin
68.237.161.12   108.12.6.1      255.255.255.255 UGH   1      0        0 eth0
71.250.0.12     108.12.6.1      255.255.255.255 UGH   1      0        0 eth0
108.12.6.0      *               255.255.255.0   U     0      0        0 eth0
108.12.6.1      *               255.255.255.255 UH    0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.1.0     *               255.255.255.0   U     0      0        0 Cabin
192.168.2.0     *               255.255.255.0   U     0      0        0 br0
default via 108.12.6.1 dev eth0
10.9.8.1 dev Cabin  scope link
68.237.161.12 via 108.12.6.1 dev eth0  metric 1
71.250.0.12 via 108.12.6.1 dev eth0  metric 1
108.12.6.0/24 dev eth0  proto kernel  scope link  src 108.12.6.5
108.12.6.1 dev eth0  proto kernel  scope link
127.0.0.0/8 dev lo  scope link
192.168.1.0/24 dev Cabin  scope link
192.168.2.0/24 dev br0  proto kernel  scope link  src 192.168.2.1

wg_manager:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         108.12.6.1      0.0.0.0         UG    0      0        0 eth0
68.237.161.12   108.12.6.1      255.255.255.255 UGH   1      0        0 eth0
71.250.0.12     108.12.6.1      255.255.255.255 UGH   1      0        0 eth0
108.12.6.0      *               255.255.255.0   U     0      0        0 eth0
108.12.6.1      *               255.255.255.255 UH    0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.1.0     *               255.255.255.0   U     0      0        0 wg22
192.168.2.0     *               255.255.255.0   U     0      0        0 br0
default via 108.12.6.1 dev eth0
68.237.161.12 via 108.12.6.1 dev eth0  metric 1
71.250.0.12 via 108.12.6.1 dev eth0  metric 1
108.12.6.0/24 dev eth0  proto kernel  scope link  src 108.12.6.5
108.12.6.1 dev eth0  proto kernel  scope link
127.0.0.0/8 dev lo  scope link
192.168.1.0/24 dev wg22  scope link
192.168.2.0/24 dev br0  proto kernel  scope link  src 192.168.2.1

wg_quick adds the route to 10.9.8.1 but it seems wg_manager does not.
 
Is there a way to set the MTU for a server from wgm? I'm setting up a site2site connection between my home and cabin where the cabin side is connected over LTE and has a lower than normal MTU of 1460. This means that the max MTU for Wireguard is 1400 instead of the default 1420.

I've already set the MTU at 1400 on the cabin ("client", a Teltonika RUTX09) side. Doing this alone doesn't seem to help though, as I get interrupted connections. Wgm doesn't seem to read the MTU option from the server conf file - as an Ubuntu Wireguard server would do - nor does it support setting MTU manually:

E:Option ==> peer wg21 mtu 1400 ***ERROR 'server' Peer 'wg21' cannot set MTU

I can fix the MTU and connection issues by running "ip link wg21 set mtu 1400" from the command line or hacking the "cmd ifconfig $VPN_ID mtu" line in wg_server to make the change persist over reboots. This is not very elegant, though.

The home server is an RT-AC86U running the latest release Merlin fw.
 
@Martineau , can you check to see if you are setting up a route on site-2-site from the server to the peer?
On v4.15b6, the tunnel comes up fine (wg shows both sides sending and receiving) but I can't access devices across the tunnel.
Using the conf files created by wg_manager and using wg-quick, I can see a route added and I can access devices on both sides. Here are the routing tables from the remote (Cabin) with wg_manager and wg-quick:

Code:
wg-quick:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         108.12.6.1      0.0.0.0         UG    0      0        0 eth0
10.9.8.1        *               255.255.255.255 UH    0      0        0 Cabin
68.237.161.12   108.12.6.1      255.255.255.255 UGH   1      0        0 eth0
71.250.0.12     108.12.6.1      255.255.255.255 UGH   1      0        0 eth0
108.12.6.0      *               255.255.255.0   U     0      0        0 eth0
108.12.6.1      *               255.255.255.255 UH    0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.1.0     *               255.255.255.0   U     0      0        0 Cabin
192.168.2.0     *               255.255.255.0   U     0      0        0 br0
default via 108.12.6.1 dev eth0
10.9.8.1 dev Cabin  scope link
68.237.161.12 via 108.12.6.1 dev eth0  metric 1
71.250.0.12 via 108.12.6.1 dev eth0  metric 1
108.12.6.0/24 dev eth0  proto kernel  scope link  src 108.12.6.5
108.12.6.1 dev eth0  proto kernel  scope link
127.0.0.0/8 dev lo  scope link
192.168.1.0/24 dev Cabin  scope link
192.168.2.0/24 dev br0  proto kernel  scope link  src 192.168.2.1

wg_manager:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         108.12.6.1      0.0.0.0         UG    0      0        0 eth0
68.237.161.12   108.12.6.1      255.255.255.255 UGH   1      0        0 eth0
71.250.0.12     108.12.6.1      255.255.255.255 UGH   1      0        0 eth0
108.12.6.0      *               255.255.255.0   U     0      0        0 eth0
108.12.6.1      *               255.255.255.255 UH    0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.1.0     *               255.255.255.0   U     0      0        0 wg22
192.168.2.0     *               255.255.255.0   U     0      0        0 br0
default via 108.12.6.1 dev eth0
68.237.161.12 via 108.12.6.1 dev eth0  metric 1
71.250.0.12 via 108.12.6.1 dev eth0  metric 1
108.12.6.0/24 dev eth0  proto kernel  scope link  src 108.12.6.5
108.12.6.1 dev eth0  proto kernel  scope link
127.0.0.0/8 dev lo  scope link
192.168.1.0/24 dev wg22  scope link
192.168.2.0/24 dev br0  proto kernel  scope link  src 192.168.2.1

wg_quick adds the route to 10.9.8.1 but it seems wg_manager does not.
I've pushed a HOTFIX. (wg_server script)


Could you please see if it fixes your issue.
 
Is there a way to set the MTU for a server from wgm? I'm setting up a site2site connection between my home and cabin where the cabin side is connected over LTE and has a lower than normal MTU of 1460. This means that the max MTU for Wireguard is 1400 instead of the default 1420.

I've already set the MTU at 1400 on the cabin ("client", a Teltonika RUTX09) side. Doing this alone doesn't seem to help though, as I get interrupted connections. Wgm doesn't seem to read the MTU option from the server conf file - as an Ubuntu Wireguard server would do - nor does it support setting MTU manually:

E:Option ==> peer wg21 mtu 1400 ***ERROR 'server' Peer 'wg21' cannot set MTU

I can fix the MTU and connection issues by running "ip link wg21 set mtu 1400" from the command line or hacking the "cmd ifconfig $VPN_ID mtu" line in wg_server to make the change persist over reboots. This is not very elegant, though.

The home server is an RT-AC86U running the latest release Merlin fw.
I've pushed a HOTFIX (wg_server script)


Can you please test?

Upgrade using
Code:
e  = Exit Script [?]

E:Option ==> uf dev
then you should specify MTU = 1400 in .conf then restart the 'server' Peer

NOTE: I think you could also specify the PostUP = ip link %i set mtu 1400 directive in the .conf as per wg-quick
 
I've pushed a HOTFIX (wg_server script)


Can you please test?

Upgrade using
Code:
e  = Exit Script [?]

E:Option ==> uf dev
then you should specify MTU = 1400 in .conf then restart the 'server' Peer

NOTE: I think you could also specify the PostUP = ip link %i set mtu 1400 directive in the .conf as per wg-quick
Thanks for the extremely quick response and attempt at resolution!

I upgraded the script and edited the wg21.conf file as follows:

# Home - 192.168.1.0/24
[Interface]
PrivateKey = <redacted>
#Address = 10.8.0.1/32
ListenPort = 51516
MTU = 1400

Running "restart servers" now produces the following output and doesn't work:

E:Option ==> restart servers

Requesting WireGuard VPN Peer restart for Category 'Servers' (wg21)

Restarting Wireguard 'server' Peer (wg21)
wireguard-server1: Wireguard VPN 'Server' Peer (wg21) on XXX:51516 (# Home - 192.168.1.0/24) Terminated

wireguard-server1: Initialising Wireguard VPN 'Server' Peer (wg21) on XXX:51516
(# Home - 192.168.1.0/24)
Line unrecognized: `MTU=1400'
Configuration parsing error

***ERROR Initialisation ABORTED - 'wg setconf wg21 /opt/etc/wireguard.d/wg21.conf' FAILED

Also, I think the latter "1420" in the change you made to wg_server should be "$MTU":

[ -z "$MTU" ] && cmd ifconfig $VPN_ID mtu 1420 || cmd ifconfig $VPN_ID mtu 1420 # v4.15.5 v1.02

Also, your pointer at adding the PostUp directive to wg21.conf doesn't work:

Line unrecognized: `PostUP=iplink%isetmtu1400'
Configuration parsing error
 
Line unrecognized: `PostUP=iplink%isetmtu1400'
Configuration parsing error
Not sure if this is a copy-paste and/or output error but it looks as the blanks are removed. Did you add it without the blanks?

It needs to be added in conf file as:
Code:
PostUP = ip link %i set mtu 1400
Think the spaces are vital for correct parsing.
 
Not sure if this is a copy-paste and/or output error but it looks as the blanks are removed. Did you add it without the blanks?

It needs to be added in conf file as:
Code:
PostUP = ip link %i set mtu 1400
Think the spaces are vital for correct parsing.
The wg21.conf file has the line exactly as instructed with spaces:
PostUp = ip link %i set mtu 1400

Maybe your parser drops the spaces from the error message?
 
The wg21.conf file has the line exactly as instructed with spaces:
PostUp = ip link %i set mtu 1400

Maybe your parser drops the spaces from the error message?
Ok, weird. Looks like the parser doesn't get the spaces. What editor did you use?
Perhaps a
Code:
dos2unix wg21.conf
Would fix if there is some ASCII conversion error (long shot)
 
Ok, weird. Looks like the parser doesn't get the spaces. What editor did you use?
Perhaps a
Code:
dos2unix wg21.conf
Would fix if there is some ASCII conversion error (long shot)
I'm using nano in the router's terminal... Did you try that the command worked on your setup?

Edit: Just realised that error output is coming from wg itself. I wonder if the Asus-built wg binaries are to blame?
 
I'm using nano in the router's terminal... Did you try that the command worked on your setup?

Edit: Just realised that error output is coming from wg itself. I wonder if the Asus-built wg binaries are to blame?
Ok, then I don't know...

While waiting for a fix, add it to wg21 custom start script:
Code:
nano /jffs/addons/wireguard/Scripts/wg21-up.sh

Populate with:
Code:
#!/bin/sh

# ip syntax is "ip link set <device> mtu <value>"
ip link set wg21 mtu 1400

Save, exit, make executable and restart wg21
 
I'm using nano in the router's terminal... Did you try that the command worked on your setup?

Edit: Just realised that error output is coming from wg itself. I wonder if the Asus-built wg binaries are to blame?
Aha... that's right, this config is already imported and will be sent to wg as-is.
You need to comment it:
Code:
#PostUp = ip link %i set mtu 1400

Wgm will still parse and execute the command but wg will disregard it...

This comment is usually placed there by wgm during import process, but this is created locally so you need to place it or it will be sent to wg that can't process this.
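
The errors in this exchange come from `wg setconf`, which accepts only the keys `wg` itself knows and rejects wg-quick keys such as `MTU` and `PostUp` unless they are commented out. An added example (not wg_manager code) that comments out the wg-quick-only keys in a .conf and reads the MTU back from either form; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not wg_manager code. These [Interface] keys belong to
# wg-quick; plain `wg setconf` reports them as "Line unrecognized".
WGQUICK_KEYS='Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig'

# Read a .conf on stdin and write it to stdout with every active
# wg-quick-only line commented out. Key names match case-insensitively;
# lines that are already comments pass through unchanged.
comment_wgquick_keys() {
    awk -v keys="$WGQUICK_KEYS" '
        BEGIN { re = "^[ \t]*(" tolower(keys) ")[ \t]*=" }
        tolower($0) ~ re { print "#" $0; next }
        { print }
    '
}

# Print the MTU from an active or commented "MTU = n" line, or nothing.
# Only an all-digit value is accepted, so the result is safe to hand to
# "ip link set <dev> mtu <n>".
conf_mtu() {
    awk '
        {
            line = tolower($0)
            sub(/^[ \t]*[#]?[ \t]*/, "", line)   # drop indent and one "#"
            sub(/[ \t\r]+$/, "", line)           # drop trailing blanks and CR
        }
        line ~ /^mtu[ \t]*=[ \t]*[0-9]+$/ {
            sub(/^mtu[ \t]*=[ \t]*/, "", line)
            print line
            exit
        }
    '
}

# Constructed sample modelled on the wg21.conf shown in the thread.
sample_conf() {
    cat <<'EOF'
# Home - 192.168.1.0/24
[Interface]
PrivateKey = <redacted>
#Address = 10.8.0.1/32
ListenPort = 51516
MTU = 1400
EOF
}

sample_conf | comment_wgquick_keys
echo "MTU to apply: $(sample_conf | conf_mtu)"
```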
 
