Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

[Martineau]

I only have one client peer configured for the closest server peer. I rebooted the router in between tests. First I activated the wireguard client peer software from WireGuard and ran fast.com and speedtest.net. After reboot I've done the same thing but instead of the software client peer I ran 'wgstart client 1 policy' (pointing the the laptop). Again the same fast.com and speedtest.net.
I posted the results - they were very close between the 2 test sites.

EDIT: @Martineau, it looks like you're getting more than double the throughput on wg - good for you . Then I'll have to dig deeper at my end...

OK, I decided that it was about time I truly wiped my sandpit RT-AC86U and ditched the v385.2 Alphas and reverted to v386.1

Only thing I installed was S50wireguard from Github 'dev' branch.

I reran the 500MB download again via the the same Mullvad New York Server.

./Speedtest.sh --big



  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  500M  100  500M    0     0  1140k      0  0:07:28  0:07:28 --:--:-- 1619k

wgshow

(S50wireguard): 17648 v1.12b WireGuard VPN Peer Status check.....

    interface: wg11     ('client' # Mullvad USA, New York)
         public key: BAM+9SUqhEAYgzFUbaYnL5jKK9h1jzpwadGH7G4Z3U4=
         private key: (hidden)
         listening port: 58807
        
        peer: ru9aQRxYBkK5pWvNkdFlCR8VMPSqcEENBPGkIGEN0XU=
         endpoint: 86.106.143.93:51820
         allowed ips: 0.0.0.0/0
         latest handshake: 1 minute, 20 seconds ago
         transfer: 572.50 MiB received, 30.99 MiB sent
         persistent keepalive: every 25 seconds

Duration 0:07:28 @Avg 1140k vs last night's 0:14:20 @Avg 595k

Undoubtedly not a scientific approach and probably doesn't raise your spirits with your current quest for a resolution, but for me WireGuard is now within 95% of my ISP WAN Speed!

I'll start adding back all the other stuff to see if there is a point where the throughput dramatically drops back to its former paltry level.

 

[Torson]

@Martineau, thank you for the follow-up...

I believe that the issue is related to the hundreds of identical entries logged when I start the wg client peer. Even on a factory reset AX86 the issue is the same. ...and the log entry is not something that pops up with a resolution in any search I tried.
It may be related to AX86 only, but I'll have to wait until someone has the same issue or reads my post on the addons forum.

Mar  7 00:09:08 kernel: blog_link: overwriting ct_p=ffffffc02d1c1650, new_ct=ffffffc02ad9b970 at idx=0

 

[Martineau]

v2.0 Released.

WireGuard Manager (wg_manager.sh)

I've now formally renamed the script to wg_manager, and the new script now uses the '/jffs/addons/wireguard' directory for its installation.

The legacy /init.d/S50wireguard is no longer used so a trial install should not interfere with any existing script.

If you do wish to try the script (on compatible routers) then the script will create both a sample 'client' and 'server' Peer i.e. '/opt/etc/wireguard/w11.conf' and '/opt/etc/wireguard/wg21.conf', together with their associated Public/Private Key-pair files.

NOTE: If you choose to use the uninstall function, you will be presented with the option to keep '/opt/etc/wireguard' if you already have custom WireGuard Peer configuration files from your WIreGuard ISP.

Many thanks to @Odkrys for compiling/updating the Kernel modules (although at present the script screen scrapes his manual instruction post #1 in his thread to identify which files are used by the different modules)

 

[abir1909]

Interesting. I wonder when NordVPN will make it easy to locate WireGuard (aka NordLynx) servers and config files.

you can get your Config files (Private keys and public keys) using linux Nordlynx App.

 

[heysoundude]

Wow...a serious amount of work completed, and maybe a strong tailwind helped get to this destination.

Just to be clear, this script installs everything necessary to have a wireguard server on qualified routers for clients to connect to when off the LAN?
(this might be the kick in the pants I need to revisit DDNS on my router)

 

[Martineau]

Just to be clear, this script installs everything necessary to have a wireguard server on qualified routers for clients to connect to when off the LAN?

Indeed

e.g. Setup a tablet called iPad to securely connect to your WIregGuard 'server'

e  = Exit Script [?]

E:Option ==> 9 iPad

    Creating Wireguard Private/Public key pair for device 'iPad'

    Device 'iPad' Public key=LUTBQRI/3YXwXWK5EcPKwljYaWaH5QQ9qu3hQPfF2kk=

    Using 'server' Peer 'wg21's Public


    WireGuard config for Peer device 'iPad' created (Allowed IP's 0.0.0.0/0 # ALL Traffic)

    Press y to Display QR Code for Scanning into WireGuard App on device 'iPad' or press [Enter] to SKIP.
y

So assuming your device is capable of scanning QR codes, simply start the WireGuard App on the device (clearly it doesn't necessarily have to be the actual iPad), select 'Scan from QR code' and point the device at the screen and you should then be able to connect back to your router.

(NOTE: You can always use option 7 = Display QR code for a Peer {device} to redisplay the QR code at any time.)

Apologies for the small screenshot

 

[jobhax]

Unsure if routing is correctly working as everything is going out of the wg11 interface event though I setup rp11 and have added the P. Also is there a way for a killswitch so if wg dies then no traffic to it?

 

[Martineau]

Unsure if routing is correctly working as everything is going out of the wg11 interface event though I setup rp11 and have added the P.

Whoops!

Please download v2.01bE

e  = Exit Script [?]

E:Option ==> uf

    Forced Update

    Downloading scripts
    wg_manager.sh downloaded successfully
    wg_client downloaded successfully
    wg_server downloaded successfully

then please retry

e.g.

e  = Exit Script [?]

E:Option ==> 4 wg13

    wireguard-client3: Initialising Wireguard VPN 'client' Peer (wg13) in Policy Mode to 103.231.88.18:51820 (# Mullvad Oz, Melbourne)
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.3 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.123 to 1.1.1.1 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.1 through WAN
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.0/24 through VPN 'client' Peer wg13
    wireguard-client3: Initialisation complete.


    WireGuard ACTIVE Peer Status: Clients 1, Servers 0

 

[Torson]

@Martineau, nice touch with the new release. I took it for a spin on an AC86U and it works wonders.
The messages in sylsog and throughput are as expected (unlike the AX86).

Both wg client and server work for me on the latest release.
Moving forward as you refine the code I would suggest to allow for multiple commands on option 4 (start) and 5 (stop) i.e: Option: 4 wg22 & wg12 policy & wg 13.
I'm uncertain if that is supported as is, but I see that issuing a 'wgm start wg 22' at the CLI works for starting (and stopping) instances. However 'wgm start wg11 policy' will discard 'policy' and just start the peer.

You may also consider adding to the read me the pre and post-routing chain commands for people to check that the packets route through the intended interface.

Great work - much appreciated...

 

[Martineau]

@Martineau, nice touch with the new release. I took it for a spin on an AC86U and it works wonders.
The messages in sylsog and throughput are as expected (unlike the AX86).

Both wg client and server work for me on the latest release.
Moving forward as you refine the code I would suggest to allow for multiple commands on option 4 (start) and 5 (stop) i.e: Option: 4 start wg22 & wg12 policy & wg 13.
I'm uncertain if that is supported as is, but I see that issuing a 'wgm start wg 22' at the CLI works for starting (and stopping) instances. However 'wgm start wg11 policy' will discard 'policy' and just start the peer.

You may also consider adding to the read me the pre and post-routing chain commands for people to check that the packets route through the intended interface.

Great work - much appreciated...

If you do not specify a Peer, menu options 4 = Start WireGuard Peer [Peer] and 5 = Stop WireGuard Peer [Peer] ( and their command line equivalents wgm start and wgm stop ) will act on ALL Peers as appropriate .

i.e. For a start/restart request, ALL Peers where Auto=Y or Auto=P is specified will be initiated.

For a stop request, ALL ACTIVE Peers will be terminated.


Regarding the wgm syntax, as it is still a Beta, I broke the menu system as clearly the script can identify if a Policy is defined for a Peer (Auto=P) and its matching 'rpxx <>' configuration entry, so explicitly specifying the 'policy' directive is redundant. However, it may be useful to manually override the Auto=P so I proposed the new syntax wgm wg11 nopolicy but borked it in the initial v2.0 release but I can fix that.

I have already fixed the 'policy' discarded issue - see commit please upgrade the script

e.g.

wgm start wg13 policy

    wireguard-client3: Initialising Wireguard VPN 'client' Peer (wg13) in Policy Mode to 103.231.88.18:51820 (# Mullvad Oz, Melbourne)
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.3 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.123 to 1.1.1.1 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.1 through WAN
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.0/24 through VPN 'client' Peer wg13
    wireguard-client3: Initialisation complete.



wgm stop


    Requesting termination of Active WireGuard VPN Peers (wg13)


(wg_manager.sh): 18036 v2.01bE Requesting termination of WireGuard VPN 'client' Peer ('wg13')
    wireguard-client3: Removing Wireguard 'client' Peer rule 9930 from routing policy
    wireguard-client3: Removing Wireguard 'client' Peer rule 9931 from routing policy
    wireguard-client3: Removing Wireguard 'client' Peer rule 9931 from routing policy
    wireguard-client3: Removing Wireguard 'client' Peer rule 9931 from routing policy
    wireguard-client3: Wireguard VPN 'client' Peer (wg13) to 103.231.88.18:51820 (# Mullvad Oz, Melbourne) DELETED



wgm start wg13

    wireguard-client3: Initialising Wireguard VPN 'client' Peer (wg13) in Policy Mode to 103.231.88.18:51820 (# Mullvad Oz, Melbourne)
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.3 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.123 to 1.1.1.1 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.1 through WAN
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.0/24 through VPN 'client' Peer wg13
    wireguard-client3: Initialisation complete.

 

[jobhax]

Whoops!

Please download v2.01bE

e  = Exit Script [?]

E:Option ==> uf

    Forced Update

    Downloading scripts
    wg_manager.sh downloaded successfully
    wg_client downloaded successfully
    wg_server downloaded successfully

then please retry

e.g.

e  = Exit Script [?]

E:Option ==> 4 wg13

    wireguard-client3: Initialising Wireguard VPN 'client' Peer (wg13) in Policy Mode to 103.231.88.18:51820 (# Mullvad Oz, Melbourne)
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.3 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.123 to 1.1.1.1 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.1 through WAN
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.0/24 through VPN 'client' Peer wg13
    wireguard-client3: Initialisation complete.


    WireGuard ACTIVE Peer Status: Clients 1, Servers 0

Updated and working! Thanks so much

 

[Martineau]

Is there a way for a killswitch so if wg dies then no traffic to it?

I use Mullvad and their support page has an entry for KILL-Switch......

Now I personally have no need for a KILL-Switch, so haven't verified if this solution is applicable on the router!

The WireGuard Session Manager hopefully does what it says on the tin, and for the time being, I'll leave the contents of the Peer config files for the WireGuard gurus to discuss/recommend.

 

[Torson]

If you do not specify a Peer, menu options 4 = Start WireGuard Peer [Peer] and 5 = Stop WireGuard Peer [Peer] ( and their command line equivalents wgm start and wgm stop ) will act on ALL Peers as appropriate .

i.e. For a start/restart request, ALL Peers where Auto=Y or Auto=P is specified will be initiated.

For a stop request, ALL ACTIVE Peers will be terminated.


Regarding the wgm syntax, as it is still a Beta, I broke the menu system as clearly the script can identify if a Policy is defined for a Peer (Auto=P) and its matching 'rpxx <>' configuration entry, so explicitly specifying the 'policy' directive is redundant. However, it may be useful to manually override the Auto=P so I proposed the new syntax wgm wg11 nopolicy but borked it in the initial v2.0 release but I can fix that.

I have already fixed the 'policy' discarded issue - see commit please upgrade the script

One more thing re wgm removal - you offer the option to save the configuration files in /etc/opt/wireguard which is great. I believe that WireguardVPN.conf should be saved too for reference - anyway, if it exists, I see you already add a suffix to it and create a new one.

 

[Kingp1n]

This script is not doable at this time with PIA VPN correct? Looks really good. Awesome job @Martineau !!!

 

[Martineau]

Updated and working! Thanks so much

Apologies - one day I will learn how to properly test my scripts

FYI, you can check on the Peer RPDB rules by using the diag command

e  = Exit Script [?]

E:Option ==> diag

         WireGuard VPN Peer Status

    interface: wg13     ('client' # Mullvad Oz, Melbourne)
        peer: D2ltFd7TbpYNq9PejAeGwlaJ2bEFLqOSYywdY9N5xCY=
         transfer: 1.17 KiB received, 4.29 KiB sent

    DEBUG: Routing Table main


    DEBUG: Routing Table 123
0.0.0.0/1 dev wg13 scope link
128.0.0.0/1 dev wg13 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1

    DEBUG: RPDB rules
0:    from all lookup local
9930:    from 172.168.1.1 lookup main
9931:    from 172.168.1.3 lookup 123
9931:    from 172.168.1.123 to 1.1.1.1 lookup 123
9931:    from 172.168.1.0/24 lookup 123
32766:    from all lookup main
32767:    from all lookup default

    DEBUG: Routing info MTU etc.

68: wg13: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.67.146.14/32 scope global wg13
       valid_lft forever preferred_lft forever


    WireGuard ACTIVE Peer Status: Clients 1, Servers 0

 

[Martineau]

This script is not doable at this time with PIA VPN correct? Looks really good. Awesome job @Martineau !!!

Don't know.

If you can generate/obtain a config file for a PIA WireGuard 'client' Peer then I don't see why not.

I believe NordLynx requires their own proprietary App so there is no Nordlynx 'client' Peer to manage.

 

[Martineau]

One more thing re wgm removal - you offer the option to save the configuration files in /etc/opt/wireguard which is great. I believe that WireguardVPN.conf should be saved too for reference -

I'm not sure if I understand the reasoning behind your suggestion.

As I'm lazy, a free format text-based configuration file (whilst crude) was/is easy to implement/comprehend and doesn't require special tools/skills to modify.

So if I decided to use a formal TOML/JSON etc. format config file (or even an SQL database), would you still need to retain wg_manager.sh's esoteric config file when you have elected to remove WireGuard Session Manager from your router?

 

[Martineau]

Moving forward as you refine the code I would suggest to allow for multiple commands on option 4 (start) and 5 (stop) i.e: Option: 4 wg22 & wg12 policy & wg 13.

I have uploaded wg_manager.sh v2.02 with the following changes

• Fix: Command uf dev does not honour the 'dev' directive.
• 
  
• Add: Allow use of a 'category' (of which there are currently only two i.e. 'clients' and 'servers') for Peer Start/Stop/Restart requests.
• Add: Allow use of multiple Peers for Start/Stop/Restart requests.
• Add: Allow overriding Policy mode for a 'client' Peer for Start requests.
• Add: Command '?' now displays Clickable URL (Change Log: https://github.com/MartineauUK/wireguard/commits/main/wg_manager.sh)

e.g. 'category' stop request

    WireGuard ACTIVE Peer Status: Clients 3, Servers 2

e  = Exit Script [?]

E:Option ==> 5 servers                          

    Requesting WireGuard VPN Peer stop for Category 'Servers' (wg21 wg22)

    wireguard-server1: Wireguard VPN '' Peer (wg21) on 0.0.0.0:1151 (# Martineau RT-AC86U Host Peer 1) DELETED

    wireguard-server2: Wireguard VPN '' Peer (wg22) on 0.0.0.0:51820 (# Martineau RT-AC86U Host Peer 2) DELETED


    WireGuard ACTIVE Peer Status: Clients 3, Servers 0

wgm start clients

    Requesting WireGuard VPN Peer start for Category 'Clients' (wg11 wg12 wg13)

    ***ERROR: WireGuard '' Peer (wg11) ALREADY ACTIVE

    wireguard-client2: Initialising Wireguard VPN 'client' Peer (wg12) to 209.58.188.180:51820 (# Mullvad China, Hong Kong)
    wireguard-client2: Initialisation complete.

    ***ERROR: WireGuard 'client' Peer (wg13) ALREADY ACTIVE

multi-Peer requests

wgm start wg11 wg22

    Requesting WireGuard VPN Peer start (wg11 wg22)

    wireguard-client1: Initialising Wireguard VPN 'client' Peer (wg11) to 86.106.143.93:51820 (# Mullvad USA, New York)
    wireguard-client1: Initialisation complete.

    wireguard-server2: Initialising Wireguard VPN 'Server' Peer (wg22) on 0.0.0.0:51820 (# Martineau RT-AC86U Host Peer 2)
    wireguard-server2: Initialisation complete.

Policy override

wgm start wg13

    Requesting WireGuard VPN Peer start (wg13)

    wireguard-client3: Initialising Wireguard VPN 'client' Peer (wg13) in Policy Mode to 103.231.88.18:51820 (# Mullvad Oz, Melbourne)
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.3 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.123 to 1.1.1.1 through VPN 'client' Peer wg13
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.1 through WAN
    wireguard-client3: Adding Wireguard 'client' Peer route for 172.168.1.0/24 through VPN 'client' Peer wg13
    wireguard-client3: Initialisation complete.

wgm stop wg13

    Requesting WireGuard VPN Peer stop (wg13)

    wireguard-client3: Removing Wireguard 'client' Peer rule 9930 from routing policy
    wireguard-client3: Removing Wireguard 'client' Peer rule 9931 from routing policy
    wireguard-client3: Removing Wireguard 'client' Peer rule 9931 from routing policy
    wireguard-client3: Removing Wireguard 'client' Peer rule 9931 from routing policy
    wireguard-client3: Wireguard VPN 'client' Peer (wg13) to 103.231.88.18:51820 (# Mullvad Oz, Melbourne) DELETED

wgm start wg13 nopolicy

    Requesting WireGuard VPN Peer start (wg13 nopolicy)

    wireguard-client3: Initialising Wireguard VPN 'client' Peer (wg13) to 103.231.88.18:51820 (# Mullvad Oz, Melbourne)
    wireguard-client3: Initialisation complete.

 

[Clark Griswald]

Are you missing a bullet point above (#2), or just spacing between Fix/Added for the Elder Members. Asking for a friend

 

[Martineau]

Are you missing a bullet point above (#2), or just spacing between Fix/Added for the Elder Members. Asking for a friend

Good point -geddit

Whilst it does act as an eye-catcher to differentiate between needful changes and frivolous ones, there was indeed originally another Fix bullet point, but decided it was probably due to PEBKAC in my environment.