Wireguard Session Manager (4th) thread


I have
Code:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
I was thinking it was put by wgm.
 
I have

I was thinking it was put by wgm.
No, wgm disables peer fwmark, which is why your command is failing:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# wg show wg11 fwmark
off
It would expect a mark value; instead it tries to use "off" as the value, which is an invalid mark, just as your error says.

Wgm disables fwmarks because there are potential conflicts with other router features that are also using these marks.

Your rule seems to block packets with a global destination (internet) from going out other interfaces than wg11. But only for the router itself. This rule is not suitable for a router and should be removed/commented.
 
Hello, I have seen the killswitch is global. It means there is no way to have the same killswitch behavior as ovpn? Only related to client 1, for example?
 
No, wgm disables peer fwmark, which is why your command is failing:
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# wg show wg11 fwmark
off
It would expect a mark value; instead it tries to use "off" as the value, which is an invalid mark, just as your error says.

Wgm disables fwmarks because there are potential conflicts with other router features that are also using these marks.

Your rule seems to block packets with a global destination (internet) from going out other interfaces than wg11. But only for the router itself. This rule is not suitable for a router and should be removed/commented.
Thanks I have deleted these lines. All is OK.
 
Hello, I have seen the killswitch is global. It means there is no way to have the same killswitch behavior as ovpn? Only related to client 1, for example?
Nope, the wgm killswitch will prevent any LAN device from accessing the WAN, so as long as all LAN clients are using other interfaces (wg11, wg12, ovpn, a.s.o.) it's OK, but if any device is set to WAN it will break its internet connection.
 
Hello, is there a way to route clients connected to the wg21 server (for example my smartphone) through the client wg11?
The idea is to connect to my router through an Android WireGuard client to share the connection, but the router uses the wg11 VPN connection.
 
Hello, is there a way to route clients connected to the wg21 server (for example my smartphone) through the client wg11?
The idea is to connect to my router through an Android WireGuard client to share the connection, but the router uses the wg11 VPN connection.
I am doing exactly this on my router.

If you want to route only a client:
Code:
peer wg21 passthru add wg11 name_of_the_client

If you want to route ALL clients through wg21:
Code:
 peer wg21 passthru add wg11 all

Regards
 
Probably I am missing something. When I run peer wg21 passthru add wg11 all, I have no connection on my smartphone.
 
Probably I am missing something. When I run peer wg21 passthru add wg11 all, I have no connection on my smartphone.
Can you ping wg21 IP from your smartphone?
Is there traffic between your smartphone and your Wireguard server?
You can find it out on Android Wireguard app on your smartphone.
 
Hello
I am trying to create a 2nd instance (wg12) with a routing policy to my 2nd laptop. wg12 is created and well connected, WAN & VPN rules are created, and the killswitch is globally off.
But no internet connection on the laptop when wg12 is started.
 
Hello
What is the purpose of
Code:
64 # **EXPERIMENTAL** Enable UDP Monitoring of 'server' Peer client connections when WireGuard_manager is INITialised
65 #     Use command 'vx' to edit this setting
66 #ENABLE_UDPMON
?
 
Hello
What is the purpose of
Code:
64 # **EXPERIMENTAL** Enable UDP Monitoring of 'server' Peer client connections when WireGuard_manager is INITialised
65 #     Use command 'vx' to edit this setting
66 #ENABLE_UDPMON
?
I've never used this, but according to the code it uses conntrack to log UDP connections and then processes this log to figure out which devices connected when. This gets into the SQL database, so I guess you could get some historical connection list from this. It also looks like it generates log entries when devices connect to your server.

Not sure how it is presented to the user though.
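To make the conntrack-based idea above concrete, here is a small added example (not wgm's own monitor, which may process things differently) that reads the UDP flows printed by `conntrack -L -p udp` and lists which remote addresses have sent packets to a WireGuard server's listen port. The sample lines are constructed, the line format is assumed from conntrack-tools, and the listen port 51820 and the interface are assumptions. Flows still in the [UNREPLIED] state are flagged, since a sender that never got a reply never completed a handshake, which is the kind of thing a server operator wants to see in a connection history.

```shell
#!/bin/sh
# Added example, not wgm code: summarise which clients have talked to a
# WireGuard 'server' peer by reading conntrack's UDP table. Sample lines below
# are constructed; the real wgm UDP monitor may process them differently.

# Constructed sample of what `conntrack -L -p udp` prints (format assumed from
# conntrack-tools; addresses are documentation ranges). Each line carries the
# original-direction tuple first, optionally [UNREPLIED], then the reply tuple.
SAMPLE_CONNTRACK='udp      17 29 src=203.0.113.10 dst=198.51.100.1 sport=40011 dport=51820 src=198.51.100.1 dst=203.0.113.10 sport=51820 dport=40011 mark=0 use=1
udp      17 12 src=203.0.113.22 dst=198.51.100.1 sport=52077 dport=51820 [UNREPLIED] src=198.51.100.1 dst=203.0.113.22 sport=51820 dport=52077 mark=0 use=1
udp      17 170 src=192.168.1.50 dst=8.8.8.8 sport=55001 dport=53 src=8.8.8.8 dst=192.168.1.50 sport=53 dport=55001 mark=0 use=1
udp      17 5 src=203.0.113.10 dst=198.51.100.1 sport=40011 dport=51820 src=198.51.100.1 dst=203.0.113.10 sport=51820 dport=40011 mark=0 use=1'

# wg_server_clients PORT   (conntrack lines on stdin)
# Prints one line per remote source address that has a UDP flow towards PORT:
# "<address> <flow count> <replied|unreplied>". Only the first src= and
# dport= of a line are used, i.e. the original direction of the flow.
wg_server_clients() {
  port="$1"
  awk -v port="$port" '
    $1 == "udp" {
      src = ""; dport = ""; state = "replied"
      for (i = 4; i <= NF; i++) {
        if ($i ~ /^src=/ && src == "")     src = substr($i, 5)
        if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
        if ($i == "[UNREPLIED]")           state = "unreplied"
      }
      if (dport == port) { seen[src]++; st[src] = state }
    }
    END { for (s in seen) printf "%s %d %s\n", s, seen[s], st[s] }
  ' | sort
}

# Demonstration on the constructed sample: the DNS flow on port 53 is ignored,
# the two flows from 203.0.113.10 are counted once, 203.0.113.22 is unreplied.
printf '%s\n' "$SAMPLE_CONNTRACK" | wg_server_clients 51820
```

On the router the input would come from `conntrack -L -p udp 2>/dev/null | wg_server_clients 51820`; the function itself needs no privileges, so it can be tested against captured output first.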
 
I've noticed my wireguard drops off sometimes, and have scripted a bash script to check every 5 mins to see if it's connected, and is not the same IP as my WAN. The script does also restart if the connection times out, but while that's happening, the traffic goes through WAN.

Is there anything I can do to kill off the connection while the client restarts? No devices go through the WAN, however I do have selective routing with x3mrouting to allow connections to WAN, therefore the killswitch isn't ideal for my use case.

Thanks!
 
I've noticed my wireguard drops off sometimes
Just out of curiosity, is the endpoint in your config a domain name, or is it an IP?
The reason I'm asking was the only time this happened to me was when my ISP did some work and my connection seemed flakey. Wgm could not resolve the domain and gave up.

Is there anything I can do to kill off the connection while the client restarts? No devices go through the WAN, however I do have selective routing with x3mrouting to allow connections to WAN, therefore the killswitch isn't ideal for my use case.
Guess you can create a firewall rule that only applies to the source IP (-s LanIp/24) and is not marked with the fwmark for WAN.

Edit: something like this maybe. But I have not tested it:
Code:
iptables -I FORWARD -i br0 -o eth0 -m mark ! --mark 0x8000/0x8000 -j REJECT
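Two things in this thread lend themselves to a small check script: the earlier post showing that `wg show wg11 fwmark` prints `off` under wgm (so a PostUp rule built from it expands to `--mark off` and fails), and the LAN-scoped FORWARD rule suggested just above. The following is an added example, not wgm code and not something from the thread's authors; it only produces rule text, so it runs without root, and the LAN subnet, `br0`, `eth0` and the `0x8000/0x8000` WAN mark are taken from the thread or assumed for illustration.

```shell
#!/bin/sh
# Added example (not wgm code): validate a WireGuard fwmark before using it in
# an iptables match, and build the LAN-scoped FORWARD kill-switch rule from the
# thread instead of the router-wide OUTPUT rule. Produces rule text only.

# fwmark_value TEXT
# TEXT is what `wg show <iface> fwmark` printed. Prints the mark when it is a
# usable decimal or hex number; fails when wgm has left the peer fwmark "off",
# which would otherwise be substituted as `--mark off` and be rejected by
# iptables as an invalid mark.
fwmark_value() {
  mark=$(printf '%s' "$1" | tr -d '[:space:]')
  if printf '%s\n' "$mark" | grep -Eq '^(0x[0-9a-fA-F]+|[0-9]+)$'; then
    printf '%s\n' "$mark"
  else
    return 1
  fi
}

# lan_killswitch_rule LAN_CIDR LAN_IFACE WAN_IFACE WAN_MARK
# Prints the FORWARD rule suggested in the thread, restricted to a LAN source
# range so it affects forwarded client traffic only and never the router's own
# OUTPUT chain. Flows carrying the WAN fwmark (selective routing to WAN) pass;
# any other LAN flow that tries to leave via the WAN interface is rejected.
lan_killswitch_rule() {
  printf 'iptables -I FORWARD -s %s -i %s -o %s -m mark ! --mark %s -j REJECT\n' \
    "$1" "$2" "$3" "$4"
}

# Demonstration on constructed input: what wgm reports ("off") versus a peer
# that does carry a numeric mark (0xca6c is a constructed sample value).
for reported in "off" "0xca6c"; do
  if mark=$(fwmark_value "$reported"); then
    echo "fwmark '$reported' is usable: --mark $mark"
  else
    echo "fwmark '$reported' is not usable; do not build a --mark rule from it"
  fi
done
lan_killswitch_rule 192.168.1.0/24 br0 eth0 0x8000/0x8000
```

Because the rule matches on the WAN fwmark rather than on whether wg11 is up, it can stay in place permanently instead of being toggled in the up/down scripts; if it is added from a script that may run more than once, guard it with `iptables -C <same rule> 2>/dev/null || iptables -I <same rule>` so the FORWARD chain does not accumulate duplicates.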
 
Just out of curiosity, is the endpoint in your config a domain name, or is it an IP?
The reason I'm asking was the only time this happened to me was when my ISP did some work and my connection seemed flakey. Wgm could not resolve the domain and gave up.


Guess you can create a firewall rule that only applies to the source IP (-s LanIp/24) and is not marked with the fwmark for WAN.

Edit: something like this maybe. But I have not tested it:
Code:
iptables -I FORWARD -i br0 -o eth0 -m mark ! --mark 0x8000/0x8000 -j REJECT

It is a domain that is set up.

Regarding the iptables, should I add that to the wg11-down? And remove in up?
 
