Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

I just took the latest wgm version for a spin (I removed the previous version and all S50wireguard occurrences.)

Is it me?

Code:
wg11  P  10.13.128.161/24  xx.xx.xx.xx:1443  1.1.1.1      #  Torguard  USA,  Place1
wg12  Y  10.13.129.153/24  xx.xx.xx.xx:1443  1.1.1.1      #  Torguard  USA,  Place2
_____________________________________________________________________________________
E:Option ==> 4 clients

        Requesting WireGuard VPN Peer start for Category 'Clients' ()


        WireGuard ACTIVE Peer Status: Clients 0, Servers 0
______________________________________________________________________________________
E:Option ==> 4 wg11

        Requesting WireGuard VPN Peer start (wg11)

        wireguard-client1: Initialising Wireguard VPN 'client' Peer (wg11) to  (# Unidentified)
RTNETLINK answers: Operation not supported
        wireguard-client1: Initialisation complete.
Note that the wg11.conf and wg12.conf are in /opt/etc/wireguard/ - basically the same entries that worked in previous versions.
 
I'm not sure if I understand the reasoning behind your suggestion.

As I'm lazy, a free format text-based configuration file (whilst crude) was/is easy to implement/comprehend and doesn't require special tools/skills to modify.

So if I decided to use a formal TOML/JSON etc. format config file (or even an SQL database), would you still need to retain wg_manager.sh's esoteric config file when you have elected to remove WireGuard Session Manager from your router?
From my perspective, "As I'm lazy" too :), why would I have to modify a file that I already have?
While troubleshooting the slowness issue on my AX86, I removed the script a number of times and then reinstalled clean.

Maybe that's an extreme case, but I liked more your original take in the early versions where you renamed the file if it existed and created a new one.
 
I just took the latest wgm version for a spin (I removed the previous version and all S50wireguard occurrences.)

Is it me?

Code:
wg11  P  10.13.128.161/24  xx.xx.xx.xx:1443  1.1.1.1      #  Torguard  USA,  Place1
wg12  Y  10.13.129.153/24  xx.xx.xx.xx:1443  1.1.1.1      #  Torguard  USA,  Place2
_____________________________________________________________________________________
E:Option ==> 4 clients

        Requesting WireGuard VPN Peer start for Category 'Clients' ()


        WireGuard ACTIVE Peer Status: Clients 0, Servers 0
______________________________________________________________________________________
E:Option ==> 4 wg11

        Requesting WireGuard VPN Peer start (wg11)

        wireguard-client1: Initialising Wireguard VPN 'client' Peer (wg11) to  (# Unidentified)
RTNETLINK answers: Operation not supported
        wireguard-client1: Initialisation complete.
Note that the wg11.conf and wg12.conf are in /opt/etc/wireguard/ - basically the same entries that worked in previous versions.
I have just retested and it works :confused:

Code:
+======================================================================+
|  Welcome to the WireGuard Manager/Installer script (Asuswrt-Merlin)  |
|                                                                      |
|                      Version v2.02 by Martineau                      |
|                                                                      |
+======================================================================+
    WireGuard ACTIVE Peer Status: Clients 0, Servers 0

    v2.02 - No WireGuard Manager updates available - you have the latest version


1  = Update Wireguard modules                        7  = Display QR code for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                    8  = Peer management [list] | [ {Peer} [ add | del | {auto [y|n|p]}] ] ]
                                    9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers [3x - lists ALL details]                                    
4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients                                     
5  = Stop    [ [Peer... ] | category ] e.g. stop clients                                    
6  = Restart [ [Peer... ] | category ] e.g. restart servers                                    

?  = About Configuration                    
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')        

e  = Exit Script [?]

E:Option ==> 8      

    List of WireGuard Peers

wg11           Y  xxx.xxx.xxx.xxx/32  86.106.143.93:51820   193.138.218.74   #         Mullvad  USA,     New        York
wg12           Y  xxx.xxx.xxx.xxx/32  209.58.188.180:51820  193.138.218.74   #         Mullvad  China,   Hong       Kong
wg13           P  xxx.xxx.xxx.xxx/32  103.231.88.18:51820   193.138.218.74   #         Mullvad  Oz,      Melbourne
<snip>                                                                                             



    WireGuard ACTIVE Peer Status: Clients 0, Servers 0



1  = Update Wireguard modules                        7  = Display QR code for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                    8  = Peer management [list] | [ {Peer} [ add | del | {auto [y|n|p]}] ] ]
                                                    9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers [3x - lists ALL details]                                    
4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients                                     
5  = Stop    [ [Peer... ] | category ] e.g. stop clients                                    
6  = Restart [ [Peer... ] | category ] e.g. restart servers                                    

?  = About Configuration                    
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')        

e  = Exit Script [?]

E:Option ==> 4 clients

    Requesting WireGuard VPN Peer start for Category 'Clients' (wg11 wg12 wg13)

    wireguard-client1: Initialising Wireguard VPN 'client' Peer (wg11) to 86.106.143.93:51820 (# Mullvad USA, New York)
    wireguard-client1: Initialisation complete.

    wireguard-client2: Initialising Wireguard VPN 'client' Peer (wg12) to 209.58.188.180:51820 (# Mullvad China, Hong Kong)
    wireguard-client2: Initialisation complete.

    wireguard-client3: Initialising Wireguard VPN 'client' Peer (wg13) in Policy Mode to 103.231.88.18:51820 (# Mullvad Oz, Melbourne)
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.3 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.123 to 1.1.1.1 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.1 through WAN
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.0/24 through VPN 'client' Peer wg13
    wireguard-client3: Initialisation complete.


    WireGuard ACTIVE Peer Status: Clients 3, Servers 0

Can you check wg_manager v2.02 MD5 hash ?
Code:
cat /jffs/addons/wireguard/wg_manager.sh.md5

8807b2d9706569219a5b3b14092eba46
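
One way to carry out the hash check requested above, as an added example that is not part of the original post or of wg_manager. The hypothetical `check_md5` function recomputes the script's MD5 and compares it with the `.md5` file, assuming that file holds the script's expected hash as its first field.

```sh
#!/bin/sh
# Added example, not wg_manager code. check_md5 is a hypothetical helper.
# Assumption: FILE.md5 holds the expected MD5 of FILE as its first field
# (bare hash, or "hash  filename" as written by md5sum).

# check_md5 FILE [SIDECAR]
#   returns 0 = match, 1 = mismatch, 2 = unreadable input or malformed hash
check_md5() {
    file=$1
    sidecar=${2:-$1.md5}
    [ -r "$file" ] && [ -r "$sidecar" ] || {
        echo "cannot read $file or $sidecar" >&2; return 2; }

    # Tolerate CRLF line endings, upper-case hex and a trailing file name.
    want=$(tr -d '\r' < "$sidecar" | awk 'NF { print tolower($1); exit }')
    case $want in
        *[!0-9a-f]*) echo "malformed hash in $sidecar" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 32 ] || { echo "malformed hash in $sidecar" >&2; return 2; }

    have=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$want" = "$have" ]; then
        echo "OK       $have  $file"
        return 0
    fi
    echo "MISMATCH recorded=$want computed=$have  $file" >&2
    return 1
}

# Constructed sample: a stand-in script and its sidecar, then a modification.
demo=$(mktemp -d)
printf '#!/bin/sh\necho stand-in for wg_manager.sh\n' > "$demo/wg_manager.sh"
md5sum "$demo/wg_manager.sh" | awk '{ print $1 }' > "$demo/wg_manager.sh.md5"
check_md5 "$demo/wg_manager.sh" || echo "exit status $?"
printf '# one changed line\n' >> "$demo/wg_manager.sh"
check_md5 "$demo/wg_manager.sh" || echo "exit status $?"
rm -rf "$demo"
```

A sidecar stored beside the script shows that the file differs from what was recorded, but anyone able to rewrite the script can rewrite the sidecar as well, so for tamper checks compare against a hash obtained separately.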
 
From my perspective, "As I'm lazy" too :), why would I have to modify a file that I already have?
While troubleshooting the slowness issue on my AX86, I removed the script a number of times and then reinstalled clean.

Maybe that's an extreme case, but I liked more your original take in the early versions where you renamed the file if it existed and created a new one.
Originally the .conf file was located in '/jffs/configs/' but 'Addons' are expected to keep all their files within a single directory, so it was relocated to '/jffs/addons/wireguard/'.

I suppose I could relocate the .conf to '/opt/etc/wireguard/' along with all the other files.

Also, to accommodate the scenario where a dirty reinstall is being performed/requested, if .conf exists, then the install process should forego overwriting it with the sample template .conf and also omit creating the sample 'client' and 'server' Peer configs 'wg11.conf' and 'wg21.conf'.
 
I have just retested and it works :confused:

Can you check wg_manager v2.02 MD5 hash ?
Code:
cat /jffs/addons/wireguard/wg_manager.sh.md5

8807b2d9706569219a5b3b14092eba46
Code:
cat /jffs/addons/wireguard/wg_manager.sh.md5

8807b2d9706569219a5b3b14092eba46
...which makes me put a break on trying to troubleshoot things on an ailing AX86.

I'll resurface from a new router...
 
I suppose I could relocate the .conf to '/opt/etc/wireguard/' along with all the other files.

Also, to accommodate the scenario where a dirty reinstall is being performed/requested, if .conf exists, then the install process should forego overwriting it with the sample template .conf and also omit creating the sample 'client' and 'server' Peer configs 'wg11.conf' and 'wg21.conf'.
Yes, I would say, that's a sensible approach.
 
Code:
cat /jffs/addons/wireguard/wg_manager.sh.md5

8807b2d9706569219a5b3b14092eba46
...which makes me put a break on trying to troubleshoot things on an ailing AX86.

I'll resurface from a new router...
OK I understand.

Thanks for Beta testing - much appreciated.

P.S. I assume you have been through two consecutive 'format /jffs reboot' cycles?
 
I suppose I could relocate the .conf to '/opt/etc/wireguard/'
except it should be wireguard.d

I so want to try this but I'm about to be dependent on my stable setup for several remote weeks. Ironically through a travel router on OpenVPN that is working well with WG. Watching this closely. Rock On!!
 
@Martineau: thank you for this great project! I switched to these scripts on a test basis.

Until now, I have always kept the IP addresses of the wg-servers on several asus routers different in terms of routing.
asus1: 10.150.41.1
asus2: 10.150.51.1
....

# For each 'server' Peer you need to allocate a unique VPN subnet
# VPN Subnet
wg21 Y 10.150.41.1/24 # RT-AX88U Local Host Peer 1
wg22 N 10.150.42.1/24 # RT-AX88U Local Host Peer 2

in WireguardVPN.conf but is not used.
Use iptables 10.50.1.1 default

Connect from client to server is possible, but access to lan or wan are not possible ?
 
Says who?
To quote Miss Piggy: little ol' moi. So you are entitled to quote Peter Ustinov: not even for little ol' vous. :)

Your script, your style. In /opt/etc we have the example of init.d, syslog-ng.d, logrotate.d. And over in /jffs/addons that styling is now being followed by @Jack Yaz and @dev_null. Helps to avoid situations like /jffs/addons/cake-qos/cake-qos where the directory and the scripts have the same name; in your convention I know you avoid that by giving each different names.
 
Lots of great work. I will hold off setting up a Wireguard client connection until it is as easy as an openVPN client. There are way too many hoops to jump through for my old brain.
 
To quote Miss Piggy: little ol' moi. So you are entitled to quote Peter Ustinov: not even for little ol' vous. :)

Your script, your style. In /opt/etc we have the example of init.d, syslog-ng.d, logrotate.d. And over in /jffs/addons that styling is now being followed by @Jack Yaz and @dev_null. Helps to avoid situations like /jffs/addons/cake-qos/cake-qos where the directory and the scripts have the same name; in your convention I know you avoid that by giving each different names.
Is this a case of "do as I say...not as I do" ? :rolleyes:

Short Answer: Your pedantry is directed at the wrong guy. o_O


TL;DR

My script performing its install....
Code:
e  = Exit Script [?]

E:Option ==> 1

    Installing WireGuard Manager - Router RT-AC86U (v386.2)


    Warning obsolete WireGuard Session Manager v1.xx config directory Found!!! ('/opt/etc/wireguard'{})

    Downloading scripts
    wg_client downloaded successfully Github 'dev/development' branch
    wg_server downloaded successfully Github 'dev/development' branch

Package column (2.36-2) installed in root is up to date.
    Downloading Wireguard Kernel module for RT-AC86U (v386.2)

    Downloading WireGuard Kernel module 'wireguard-kernel_1.0.20210219-k27_aarch64-3.10.ipk' for RT-AC86U (v386.2)...

##################################################################################################################################################################################### 100.0%##################################################################################################################################################################################### 100.0%

    Downloading WireGuard User space Tool 'wireguard-tools_1.0.20210223-1_aarch64-3.10.ipk' for RT-AC86U (v386.2)

##################################################################################################################################################################################### 100.0%##################################################################################################################################################################################### 100.0%

    Loading WireGuard Kernel module and Userspace Tool for RT-AC86U (v386.2)
Installing wireguard-kernel (1.0.20210219-k27) to root...
Configuring wireguard-kernel.
Installing wireguard-tools (1.0.20210223-1) to root...
Configuring wireguard-tools.

<snip>

Q. Guess what happens when opkg install *.ipk was run?

A. Bingo! - It creates '/opt/etc/wireguard'

which would have been the case prior to using my script i.e. @Odkrys created the .ipk.

However, rather than use the repository created/required by existing (manual) early adopters of WireGuard on ASUS routers, I have now decided wg_manager v2.03 will physically create/use repository '/opt/etc/wireguard.d/' during the install so there should be no conflict.

i.e. opkg install (NOTE the file creation dates!)
Code:
ls -lah /opt/etc/wireguard

drwxr-xr-x    2 admin    root        4.0K Mar 11 14:56 .
drwxr-xr-x   11 admin    root        4.0K Feb  1 12:31 ..
-rwxr-xr-x    1 admin    root        1012 Feb  1 12:31 S50wireguard
-rwxr-xr-x    1 admin    root        1.8K Feb  1 12:31 wg-down
-rwxr-xr-x    1 admin    root        2.3K Feb  1 12:31 wg-policy
-rwxr-xr-x    1 admin    root        1.6K Feb  1 12:31 wg-server
-rwxr-xr-x    1 admin    root        1.7K Feb  1 12:31 wg-up

My script install
Code:
ls -lah /opt/etc/wireguard.d

drwxrwxrwx    2 admin    root        4.0K Mar 11 14:56 .
drwxr-xr-x   11 admin    root        4.0K Feb  1 12:31 ..
-rw-rw-rw-    1 admin    root          45 Mar 11 14:56 mobilephone_private.key
-rw-rw-rw-    1 admin    root          45 Mar 11 14:56 mobilephone_public.key
-rw-rw-rw-    1 admin    root         255 Mar 11 14:56 wg11.conf
-rw-rw-rw-    1 admin    root          45 Mar 11 14:56 wg11_private.key
-rw-rw-rw-    1 admin    root          45 Mar 11 14:56 wg11_public.key
-rw-rw-rw-    1 admin    root         412 Mar 11 14:56 wg21.conf
-rw-rw-rw-    1 admin    root          45 Mar 11 14:56 wg21_private.key
-rw-rw-rw-    1 admin    root          45 Mar 11 14:56 wg21_public.key
-rw-rw-rw-    1 admin    root          45 Mar 11 14:56 wg22_private.key
-rw-rw-rw-    1 admin    root          45 Mar 11 14:56 wg22_public.key
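
The `/opt/etc/wireguard.d` listing above shows the directory as `drwxrwxrwx` and the `*_private.key` and `wg*.conf` files as `-rw-rw-rw-`. As an added example (not part of the original post or of wg_manager), the shell functions below flag and tighten such modes; the function names are hypothetical and `stat -c` is assumed to be available.

```sh
#!/bin/sh
# Added example, not wg_manager code. Function names are hypothetical.
# Assumes stat supports -c '%a' (GNU coreutils, or BusyBox built with format
# support) and that the filesystem stores POSIX modes.

# perm_has MODE MASK: succeed if octal MODE has any bit of octal MASK set.
perm_has() {
    [ $(( 0$1 & 0$2 )) -ne 0 ]
}

# audit_wg_dir DIR: print "MODE PATH" for every risky entry.
#   directory     : group/other write (others could swap files in or out)
#   *_private.key : any group/other access
#   *.conf        : any group/other access (WireGuard's config format can
#                   carry a PrivateKey line)
audit_wg_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    mode=$(stat -c '%a' "$dir")
    perm_has "$mode" 22 && echo "$mode $dir"
    for f in "$dir"/*_private.key "$dir"/*.conf; do
        [ -f "$f" ] || continue        # an unmatched glob stays literal
        mode=$(stat -c '%a' "$f")
        perm_has "$mode" 77 && echo "$mode $f"
    done
    return 0
}

# harden_wg_dir DIR: owner-only directory, owner-only key and config files.
harden_wg_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    chmod 700 "$dir" || return 1
    for f in "$dir"/*_private.key "$dir"/*.conf; do
        [ -f "$f" ] || continue
        chmod 600 "$f" || return 1
    done
    return 0
}

# Constructed sample mirroring the modes in the listing above.
demo=$(mktemp -d)
: > "$demo/wg11_private.key"; : > "$demo/wg11_public.key"; : > "$demo/wg11.conf"
chmod 777 "$demo"; chmod 666 "$demo"/*
echo "before:"; audit_wg_dir "$demo"
harden_wg_dir "$demo"
echo "after:";  audit_wg_dir "$demo"
rm -rf "$demo"
```

Public keys are left alone on purpose: they are not secret, so only the directory, the private keys and the configs are tightened.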
 
@Martineau: thank you for this great project! I switched to these scripts on a test basis.

Until now, I have always kept the IP addresses of the wg-servers on several asus routers different in terms of routing.
asus1: 10.150.41.1
asus2: 10.150.51.1
....

# For each 'server' Peer you need to allocate a unique VPN subnet
# VPN Subnet
wg21 Y 10.150.41.1/24 # RT-AX88U Local Host Peer 1
wg22 N 10.150.42.1/24 # RT-AX88U Local Host Peer 2

in WireguardVPN.conf but is not used.
Use iptables 10.50.1.1 default

Connect from client to server is possible, but access to lan or wan are not possible ?
Thanks for reporting the bug.

If you could spare the time, would you like to test a new version of the Beta wg_manager v3.01b ?

Normally a simple uf dev would suffice, but a change in the repository names has been forced upon me and I want to ensure you can migrate easily.

Backup your existing configs
Code:
cp /jffs/addons/wireguard/WireguardVPN.conf /opt/tmp/

mv /opt/etc/wireguard /opt/etc/wireguard.b

Uninstall wg_manager Beta v2.02
Code:
e  = Exit Script [?]

E:Option ==> 2

    Deleting Wireguard install directories and files
    Press Y to delete ALL WireGuard DATA files (Peer *.config etc.) ('/opt/etc/wireguard/') or press [Enter] to keep custom WireGuard DATA files.

    Deleted Peer Auto-start @BOOT

    nat-start updated - no longer protecting WireGuard firewall rules
    Deleted aliases for 'wg_manager.sh'

Done.


Install wg_manager Beta v3.01b from the Github development 'dev' branch
Code:
curl --retry 3 "https://raw.githubusercontent.com/MartineauUK/wireguard/dev/wg_manager.sh" --create-dirs -o "/jffs/addons/wireguard/wg_manager.sh" && chmod 755 "/jffs/addons/wireguard/wg_manager.sh" && /jffs/addons/wireguard/wg_manager.sh install

Now restore your previous configuration
Code:
cp /opt/tmp/WireguardVPN.conf /jffs/addons/wireguard/

cp /opt/etc/wireguard.b/wg*.conf /opt/etc/wireguard.d/

Now start the servers, and see if 10.50.* subnet has been replaced by your expected subnet(s)

i.e. display the firewall rules etc.
Code:
e  = Exit Script [?]

E:Option ==> diag
 
@Martineau: thank you! now everything works as desired! I will continue to test...
 
Dear @Martineau, can you please add support for the R7000? It has the same architecture as the RT-AC86U. I successfully installed the armv7 kernel, but the script is hard-coded for specific models; it would be better to look at which architecture it's running.

Thank you.
 
@Martineau: thank you! now everything works as desired! I will continue to test...
Thanks for the feedback.

If you are a glutton for punishment, there is a new Beta wg_manager v3.01b5

  • Change: The list option '3' now allows a selective list of Peers to be shown either in short summary or fully detailed.
  • New: Experimental (old-skool) KILL-Switch feature either by command or 'KILLSWITCH' directive in the config

To upgrade
Code:
e  = Exit Script [?]

E:Option ==> uf dev

Code:
1  = Update Wireguard modules                        7  = Display QR code for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                     8  = Peer management [list] | [ {Peer} [ add | del | {auto [y|n|p]}] ] ]
                                                     9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers Summary [Peer...] [full]                                    
<snip>

e  = Exit Script [?]

E:Option ==> list wg12 wg21

         WireGuard VPN Peer Status

    interface: wg12     ('client' # Mullvad China, Hong Kong)
        peer: oS4+R1RH+Ftpevzl2KLUjqDH9AiLwnh9/HBMiB55VgM=
         transfer: 6.46 MiB received, 2.36 MiB sent
    interface: wg21     ('server' # Martineau RT-AC86U Host Peer 1)
        peer: AqKi4xtdrKVV1gryFXJd/K6F8sfRsLpt++l0mvBE4QA=     ('server client' # Unidentified)
        peer: cfOavVqYvrrfGsfl2O70RN/pTyNlDZ+AZ4x4MI1/4RQ=     ('server client' # EE "this is a TAG!")

     WireGuard ACTIVE Peer Status: Clients 3, Servers 2

Code:
e  = Exit Script [?]

E:Option ==> ?

    v3.01b5 WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
    MD5=beb42656627bb95977c680f753bd3d0e /jffs/addons/wireguard/wg_manager.sh

    wireguard: WireGuard 1.0.20210219 loaded. See www.wireguard.com for information.
    wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

    [✔] WireGuard Module is LOADED

    MD5=07a24a0efa926b3ad2c564d18b12312f wireguard-kernel_1.0.20210219-k27_aarch64-3.10.ipk
    MD5=d7fdc2f1a770856a66c2c677ecb64d1b wireguard-tools_1.0.20210223-1_aarch64-3.10.ipk

    [✔] DNSmasq is listening on ALL WireGuard interfaces 'wg*'

    [✔] nat-start is monitoring WireGuard Firewall rules

    [✖] WAN KILL-Switch is DISABLED

     WireGuard ACTIVE Peer Status: Clients 3, Servers 2
 
