Wireguard Session Manager - Discussion (2nd) thread
I know this has nothing to do with the Session Manager, but I'll ask anyway.

Wireguard itself is still under development.
Do we profit from these ongoing developments/updates? Are there any relevant updates (e.g. security) anyway?
I see the kernel module and tools are from February/March.
Does @Odkrys incorporate these developments in his releases?
 
Given there has already been a snarky post regarding lack of foresight for recklessly allowing exposure to undisclosed wireguard security issues, I am rapidly accepting the fact that this wireguard_manager project is effectively dead.

i.e. unless the Entware team (pinging @ryzhov_al ) can provide/compile/release the necessary Kernel binaries on a scheduled regular basis (as they currently do for the 'Go' userspace-version ?), I will probably take down wireguard_manager if I convince myself that supporting both the Kernel and 'Go' versions isn't practical or even required.
 
Sad to hear this, but I agree.

Didn't the 'Go' version have some security implications as well? It feels like going back to the stone age to revert to OpenVPN, like walking in a pool of mud...

//Zeb
 
This is a shame. I mean I can't speak about security. But WG is so much faster than OpenVPN.
 
Wonder what it would take to compile this ourselves? Looking at @Odkrys's github page, it looks like there are instructions on how to compile this; perhaps he wishes someone to take over the compilation process?

It looks like he points to the source of the packages here:
wireguard-linux-compat - WireGuard kernel module backport for Linux 3.10 - 5.5 (zx2c4.com)

Latest release is: 2021-06-06
Could it be compiled on my router (AC86) or desktop (I don't have any Linux desktop)? I have not compiled anything for many years now, and especially not embedded, so I don't know if I have what it takes. Or are there some better than me to attempt this??

//Zeb
 
Back in March 2020, as an exercise, I half-heartedly tried to spend a couple of hours trying to compile for the RT-AX56U/RT-AX58U, but didn't succeed, so I posted a query and was eventually pointed to a compatible module, although the module location went AWOL.

I really didn't actually need wireguard on the RT-AX58U, but over the last few months I resigned myself to reluctantly eventually revisiting attempts to compile the module for the RT-AC86U router but really haven't had the time.
 
The broadcom sdk has a lot of patches in the kernel, which causes the RT-AX86U to turn off hardware acceleration to use WireGuard.
Besides, RT-AX58U is having issues with rebooting.
Asus has added WireGuard to the RC3 and I look forward to porting them to other models.
 
Given there has already been a snarky post regarding lack of foresight for recklessly allowing exposure to undisclosed wireguard security issues, I am rapidly accepting the fact that this wireguard_manager project is effectively dead.
With Asus formally introducing Wireguard support in the near future, you might find a new purpose in tying in with their implementation, and possibly extending it a bit beyond what their UI offers. At the very least kernel modules and userspace tools will be part of the firmware.

Personally, I have only seen pre-beta code so far, so I don't know yet how well integrated it will be on my end. Knowing that WG was coming was one of the reasons why I developed VPN Director actually... I expect I will have a good amount of work to do on the client web interface, as I don't plan to use their new unified VPN client interface. I also don't know yet which models I will technically be able to support. It's possible the RT-AC86U wasn't supported in their public beta due to a temporary technical issue. We'll see once updated code becomes available.

But what I do know is that, at least in the pre-beta code, it was open sourced, and not tied to their proprietary libvpn.so, so I should be able to fully support it.
 
Didn't the 'Go' version have some security implications as well? It feels like going back to the stone age to revert to OpenVPN, like walking in a pool of mud...
I have the recollection that there is a warning against using Wireguard-Go as well, but I can't find sources to confirm/cite at the moment

The broadcom sdk has a lot of patches in the kernel, which causes the RT-AX86U to turn off hardware acceleration to use WireGuard.
This might not be an issue for people who use whichever of the scripts in the @RMerlin universe that needs Hardware Acceleration disabled. <thoughtful shrug> I may be mistaken, but is it CakeQoS perhaps?

With Asus formally introducing Wireguard support in the near future,
Aha, so they do listen/pay attention... this is all very good.

I'm hoping @Martineau takes @RMerlin's advice to not get discouraged and to stick around to see what Asus' folks put out. I don't believe there is anyone here better versed in it who can point out (and possibly suggest fixes/workarounds) just what some issues might be if/when they should happen to arise. Perhaps they'll be able to be the "impartial 3rd party" with an outside perspective that might help push the firmware along from RC to GM... if it's possible to loop them in on the process, that is.
 
This might not be an issue for people who use whichever of the scripts in the @RMerlin universe that needs Hardware Acceleration disabled. <thoughtful shrug> I may be mistaken, but is it CakeQoS perhaps?

The startup script has a mark rule to bypass hardware acceleration, but it doesn't seem to work well on newer models.

iptables -t mangle -I FORWARD -o $VPN_ID -j MARK --set-xmark 0x01/0x7
iptables -t mangle -I PREROUTING -i $VPN_ID -j MARK --set-xmark 0x01/0x7
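The two mangle MARK rules above, wrapped as an added example (not wg_manager's or the poster's code) that inserts them only when absent and removes every stale copy on teardown; it assumes wg_manager's wg11..wg15 / wg21..wg25 interface naming and lets the iptables binary be overridden via IPTABLES so the logic can be exercised without root:

```shell
#!/bin/sh
# Added example, not wg_manager's or the poster's code: apply/remove the two mangle MARK
# rules quoted above for one WireGuard peer interface without stacking duplicates.
# Assumes wg_manager's wg11..wg15 (client) / wg21..wg25 (server) naming (an assumption).

IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be exercised without root
MARK="0x01/0x7"                    # same mark/mask as the rules in the post

# Accept only names that look like wg_manager peer interfaces.
valid_wg_if() {
    case "$1" in
        wg1[1-5]|wg2[1-5]) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the two rule specs (chain plus match/target), one per line, for interface $1.
bypass_rule_specs() {
    printf 'FORWARD -o %s -j MARK --set-xmark %s\n' "$1" "$MARK"
    printf 'PREROUTING -i %s -j MARK --set-xmark %s\n' "$1" "$MARK"
}

# Insert a rule only if an identical one is absent (iptables -C), so repeated
# peer starts do not leave several copies of the same rule in the mangle table.
bypass_add() {
    valid_wg_if "$1" || { echo "not a WireGuard peer interface: $1" >&2; return 2; }
    bypass_rule_specs "$1" | while read -r spec; do
        # shellcheck disable=SC2086  # word-splitting of $spec is intended
        $IPTABLES -t mangle -C $spec 2>/dev/null || $IPTABLES -t mangle -I $spec
    done
}

# Delete every copy of each rule (repeat -D until it fails) so stale
# duplicates from earlier starts are cleared as well.
bypass_del() {
    valid_wg_if "$1" || { echo "not a WireGuard peer interface: $1" >&2; return 2; }
    bypass_rule_specs "$1" | while read -r spec; do
        # shellcheck disable=SC2086
        while $IPTABLES -t mangle -D $spec 2>/dev/null; do :; done
    done
}

# Usage: ./wg_hwaccel_bypass.sh add|del wg11
case "${1:-}" in
    add|del) "bypass_$1" "$2" ;;
esac
```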
 
Despite my puny software skills, I managed to set up a build environment in Ubuntu, running as a virtual machine on Windows 10. Following @Odkrys's guide was actually rather straightforward.

I had to
Code:
git clone https://github.com/RMerl/asuswrt-merlin.ng.git
and direct the path in the makefile, also update the package to download and enter the correct hash.

It went smoothly all the way till the end, where it craps out:
Code:
~/Entware$ make package/wireguard-kernel/compile V=s

.....

make[3]: Entering directory '/USERNAME/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1'

  ERROR: Kernel configuration is invalid.
         include/generated/autoconf.h or include/config/auto.conf are missing.
         Run 'make oldconfig && make prepare' on kernel src to fix it.

Makefile:421: ../../.config: No such file or directory
make[3]: *** No rule to make target '../../.config'.  Stop.

Now I don't know what to do. "make oldconfig" from '/USERNAME/asuswrt-merlin.ng/release/src-rt-5.02hnd/kernel/linux-4.1' doesn't work.

Any help?

//Zeb
 
Interesting... only using ipset for policy based routing with no other rules might be a use case not considered in wgm?
Wgm was made to not accept policy mode if there are no rules, but I guess ipset is not part of that check. Something to look into @Martineau?

I guess you can circumvent this by adding a rule for some bogus ip that you will never have:
Code:
E:Option ==> peer wg11 rule add vpn src=192.168.152.214 comment BogusRule

If you by some freak of nature actually use this particular IP, then change it to one you don't use.

After adding the rule you should be able to put the peer in policy mode.

//Zeb
@The Chief,@ZebMcKayhan

I've uploaded a patched wireguard_manager v4.11bB to the Github dev branch:
to eliminate the ugly workaround when attempting to enable Policy mode for a WireGuard 'client' peer that wishes to Selectively Route ONLY IPSETs (rather than specify at least one LAN devices as is usually the norm).

To upgrade use:
Code:
1  = Update Wireguard modules                       7  = Display QR code for a Peer {device} e.g. iPhone
2  = Remove WireGuard/wg_manager                    8  = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
                                                    9  = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)
3  = List ACTIVE Peers Summary [Peer...] [full]     10 = IPSet management [ "list" ] | [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] ] } ]
                                                    11 = Import Wireguard configuration { [ "?" | [ "dir" directory ] | [/path/]config_file [ rename_as ] ]} 

4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients                                     
5  = Stop    [ [Peer... ] | category ] e.g. stop clients                                    
6  = Restart [ [Peer... ] | category ] e.g. restart servers                                 

?  = About Configuration                    
v  = View ('/jffs/addons/wireguard/WireguardVPN.conf')      

e  = Exit Script [?]

E:Option ==> uf dev
 
Hi Martineau, why is your script not a part of amtm?
Besides, I got 2 clients set up (wg11 & wg12) but I can't get the routing policy working. Both of them route all devices through the VPN. How do I put them in policy? Thanks
 
I am also getting the error below once starting wg11. Not sure what it means. Thank you.

wireguard-clientwg11: Initialising Wireguard VPN 'client' Peer (wg11) DNS=1.0.0.1
Error: table traffic has 6 columns but 4 values were supplied
wireguard-clientwg11: Initialisation complete.
 
i.e. unless the Entware team (pinging @ryzhov_al ) can provide/compile/release the necessary Kernel binaries on a scheduled regular basis (as they currently do for the 'Go' userspace-version ?), I will probably take down wireguard_manager if I convince myself that supporting both the Kernel and 'Go' versions isn't practical or even required.
We can't provide any kernel-specific binaries as long as Entware stays a firmware-independent repo, sorry.
It's up to firmware users.
 