Wireguard Session Manager - Discussion (2nd) thread


I had 2 lines with the same domains and the second line's ipset was NOT populated, so I would say they must be unique.



I don't see any point in bypassing dnsmasq so someone else could look into this.



Good to know! I'm typically not using my guest networks daily so I can keep this on experimental for now. I was connected 1h yesterday with no problems at all and nothing in syslog. Will keep testing.
Hi Zeb, is there some kind of a tutorial or wiki page on how to write the commands in wgm? For example, how do I delete a rule I created? "peer wg11 rule add vpn src=192.168.1.x comment SingleIpToWg11"
Thanks
 
You can list the database rules for the 'client' peer defined as 'Policy' mode.

e.g. 'client' Peer 'wg15'
Code:
E:Option ==> peer wg15

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP                               Endpoint                    DNS             MTU  Public                                        Private                                       Annotate
wg15    P     fc00:bbbb:bbbb:bb01::2:c556/128  2001:ac8:21:ac::a22f:51820  193.138.218.74       deadnJvtHlh15E54kL/HJlZBL5yXkEQlC0AxOyDXNRU=  uL//HQ02jmorcPY6RyptwCMWH/6g/2ahrmoVzODx9Es=  # Mullvad UK, Manchester

    Selective Routing RPDB rules
ID  Peer  Interface  Source  Destination  Description
1   wg15  VPN        Any     ::0
...then delete the rule by specifying the ID number of the rule you wish to delete....

e.g.
Code:
e  = Exit Script [?]

E:Option ==> peer wg15 rule del 1

    [✔] Deleted RPDB Selective Routing rule for wg15


    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP                               Endpoint                    DNS             MTU  Public                                        Private                                       Annotate
wg15    P     fc00:bbbb:bbbb:bb01::2:c556/128  2001:ac8:21:ac::a22f:51820  193.138.218.74       deadnJvtHlh15E54kL/HJlZBL5yXkEQlC0AxOyDXNRU=  uL//HQ02jmorcPY6RyptwCMWH/6g/2ahrmoVzODx9Es=  # Mullvad UK, Manchester

    No RPDB Selective Routing/Passthru rules for 'client' Peer wg15
 
Thank you
 
Yup, there is a specific section about creating/managing rules here.

If you scroll up to near the top you will find a table of contents you can click on to link to the different sections.

It is also linked to in Wireguard Session Manager if you enter ?.

//Zeb
 
How would source-based routing work for IPv6? I've searched around the web only to find that the general consensus is that it is problematic.

With SLAAC, where the IP is MAC-based, or SLAAC with privacy extensions, where it is seemingly random and changes when the lease expires?

The only device on which I have IPv6 turned on is my Android phone, which seems to keep pretty much the same IPv6 suffix even when I swap to the guest wifi that has a different subnet. Even if I forget the network and reconnect it seems to give itself the same suffix, and it does not match my MAC address.

What about when we get dynamic prefixes from our ISP?

A couple of options from ip6tables:
eui64

This module matches the EUI-64 part of a stateless autoconfigured IPv6 address. It compares the EUI-64 derived from the source MAC address in the Ethernet frame with the lower 64 bits of the IPv6 source address. But the "Universal/Local" bit is not compared. This module doesn't match other link layer frames, and is only valid in the PREROUTING, FORWARD or INPUT chains.

Or:
mac

--mac-source [!] address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

Any other idea?
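What the eui64 match quoted above actually computes, as an added POSIX sh example that is not from the thread or from wg_manager: it derives the modified EUI-64 interface identifier from a MAC address, takes the low 64 bits of an IPv6 address, and compares the two with the Universal/Local bit masked off, as the module description says. The function names are mine, and the MAC and the three 2001:db8::/32 addresses at the bottom are constructed samples (one SLAAC-style, one with the U/L bit unflipped, one random-looking as a privacy-extension address would be).

```shell
#!/bin/sh
# Added example (not from the thread or from wg_manager): what the ip6tables
# 'eui64' match computes. It derives the modified EUI-64 interface identifier
# from a MAC address and compares it with the low 64 bits of an IPv6 address,
# ignoring the Universal/Local bit (0x02 of the first byte), as the module does.
# Pure POSIX sh; the MAC and addresses at the bottom are constructed samples.

# Expand an IPv6 address to eight zero-padded, lower-case hex groups.
expand_ipv6() {
    case $1 in
        *::*) left=${1%%::*}; right=${1#*::}; compressed=1 ;;
        *)    left=$1;        right=;          compressed=0 ;;
    esac
    oldifs=$IFS; IFS=:; set -f
    lefts=; nl=0
    for g in $left;  do lefts="$lefts$(printf '%04x:' "0x$g")";   nl=$((nl + 1)); done
    rights=; nr=0
    for g in $right; do rights="$rights$(printf '%04x:' "0x$g")"; nr=$((nr + 1)); done
    set +f; IFS=$oldifs
    missing=$((8 - nl - nr))
    if [ "$compressed" -eq 1 ]; then
        [ "$missing" -ge 0 ] || return 1     # more than 8 groups: malformed
    else
        [ "$missing" -eq 0 ] || return 1     # no '::' but not 8 groups: malformed
    fi
    zeros=
    while [ "$missing" -gt 0 ]; do zeros="${zeros}0000:"; missing=$((missing - 1)); done
    full="$lefts$zeros$rights"
    printf '%s\n' "${full%:}"
}

# Interface identifier (low 64 bits) of an IPv6 address as 16 hex digits.
iid_of_ipv6() {
    full=$(expand_ipv6 "$1") || return 1
    oldifs=$IFS; IFS=:; set -f
    set -- $full
    set +f; IFS=$oldifs
    printf '%s%s%s%s\n' "$5" "$6" "$7" "$8"
}

# Modified EUI-64 identifier for a MAC (RFC 4291 Appendix A): flip the U/L
# bit of the first byte and insert ff:fe between the third and fourth byte.
eui64_of_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    oldifs=$IFS; IFS=:; set -f
    set -- $mac
    set +f; IFS=$oldifs
    [ $# -eq 6 ] || return 1
    first=$(( 0x$1 ^ 0x02 ))
    printf '%02x%s%sfffe%s%s%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# 0 when the address carries the MAC's EUI-64, comparing every bit except the
# U/L bit (which is what the eui64 match does); 1 otherwise or on bad input.
eui64_matches() {
    eui=$(eui64_of_mac "$1") || return 1
    iid=$(iid_of_ipv6 "$2")  || return 1
    e1=$(( 0x${eui%${eui#??}} & ~0x02 ))   # first byte, U/L bit cleared
    i1=$(( 0x${iid%${iid#??}} & ~0x02 ))
    [ "$e1" -eq "$i1" ] && [ "${eui#??}" = "${iid#??}" ]
}

# Constructed demo: one MAC and three addresses in the 2001:db8::/32 documentation prefix.
MAC=00:11:22:33:44:55
for addr in 2001:db8::211:22ff:fe33:4455 2001:DB8::11:22ff:fe33:4455 2001:db8::a1b2:c3d4:e5f6:789; do
    if eui64_matches "$MAC" "$addr"; then
        printf '%-32s iid=%s  derived from %s\n' "$addr" "$(iid_of_ipv6 "$addr")" "$MAC"
    else
        printf '%-32s iid=%s  not the EUI-64 of %s (privacy/random or static)\n' "$addr" "$(iid_of_ipv6 "$addr")" "$MAC"
    fi
done
```

The third sample is the case the post worries about: a privacy-extension or otherwise non-EUI-64 suffix never matches, so a MAC-derived rule only covers hosts that actually use EUI-64 SLAAC addresses.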
 
Hi Zeb, is there an SSH command to turn the wgm client on/off? In other words, I want to be able to turn wgm on and off from my iPhone using Shortcuts over SSH.
Thanks
 
To stop an individual Peer

e.g.
Code:
wgm stop wg12

    Requesting WireGuard VPN Peer stop (wg12)

    wg12: transfer: 0 B received, 888 B sent            0 Days, 00:00:31 from 2022-01-06 07:13:58 >>>>>>
    wg12: period : 0 Bytes received, 888 Bytes sent (Rx=0;Tx=888)
    wireguard-clientwg12: Wireguard VPN 'client' Peer (wg12) to 193.32.126.66:51820 (# Mullvad France, Paris) Terminated
To stop ALL ACTIVE Peers, don't specify the Peer (or category name):
Code:
wgm stop

    Requesting WireGuard VPN Peer stop (wg21 wg11)

    wireguard-server1: Wireguard VPN (IPv6) [2a02:c7f:644f:1000:42b0:76ff:fe37:6160] 'Server' Peer (wg21) on 192.168.0.1:51820 (# RT-AC86U Server #1) Terminated

    wg11: transfer: 0 B received, 4.05 KiB sent            0 Days, 00:02:23 from 2022-01-06 07:13:44 >>>>>>
    wg11: period : 0 Bytes received, 4.05 KiB sent (Rx=0;Tx=4147)
    wireguard-clientwg11: Wireguard VPN 'client' Peer (wg11) to 89.45.90.2:51820 (# Mullvad USA, Los Angeles) Terminated

Substitute the start/restart directive for stop as appropriate.
 
Perfect, it’s working! Thx
 
Well, it's working great with an ssh/terminal client from my iPhone. However, I can't figure it out with Shortcuts. I guess it's looking for wgm's actual location so it can start/stop it.
What's the path for the wgm file?
 

In the terminal profile an alias (shortcut) is created; effectively
Code:
wgm()  { /jffs/addons/wireguard/wg_manager.sh "$@"; }          # WireGuard Session Manager
or, with the legacy Entware symlink,
Code:
alias wgm='wg_manager'
together with the Entware path '/opt/bin'; the symlink is as follows:
Code:
ls -l /opt/bin/wg*

lrwxrwxrwx    1 admin    root            36 Dec 30 15:38 wg_manager -> /jffs/addons/wireguard/wg_manager.sh*
 
I tested a similar app for Android "SSH button". For it to work I had to enter the full command:
Code:
sh /jffs/addons/wireguard/wg_manager.sh start wg12

Then I could start/stop wg12 using buttons on my home screen.
 

Works! Using “wg_manager”. Thanks again
 
So I have 3 wg clients and they all start automatically after reboot... is there a way to make only selected clients start after reboot? Thx
Only clients set to Y | P will autostart, so to keep a peer from starting at boot you need to set it to N; issue in wgm:
Code:
E:Option ==> peer wg11 auto=N
to disable wg11 from autostarting.

However, as wg11 now has auto=N it will no longer start with generic commands such as:
Code:
E:Option ==> start
# or
wgm start

but only when explicitly called:
Code:
E:Option ==> start wg11
# or
wgm start wg11

But when the peer starts it will be in Y (Default route) mode. I don't think there is a way to have this behaviour for P (Policy) mode.

If more than one peer is started in this mode, the latest started will be the one used (if memory serves).
 
Well, that's kind of a bummer, as I have 3 peers set to P... I don't mind setting one/two to N, but when I manually turn one on it will be set to Y, which isn't good. Well.....
 
Perhaps you could try the Geo-location feature in wgm instead?

This way you could instantly move IPs/subnets between different wireguard clients (or WAN).

I think @Martineau took care of the DNS redirect bug, so I think it works as expected now.

But as far as I know it can't be executed outside wgm (but with some clever shell scripting maybe...?).
 
Have not tested this, but I'm thinking something like:
Code:
echo -e "livin wg11 192.168.1.38\ne" | wg_manager

livin wg11 192.168.1.38 = command inside wgm
\n = enter
e = exit

Test in a terminal window if it works first (maybe something simple like):
Code:
echo -e "peer help\ne" | wg_manager
You should see above that wgm has started, executed peer help and then exited.

You could put in more commands if needed:
Code:
echo -e "peer help\npeer wg11\ne" | wg_manager
and so on... just have \n between commands and end with e.
 
Just realized... you could probably achieve what you wished by:
Code:
echo -e "peer wg11 auto=P\nstart wg11\ne" | wg_manager
and
Code:
echo -e "stop wg11\npeer wg11 auto=N\ne" | wg_manager

If this works, the peer will basically boot up with the latest setting it had before shutting down... but it sounds like the livin option might be better suited for you?

Please report back how it works out for you and how you did it!

Edit: Beware of using \n2... I made a typo and pressed enter without checking. Unfortunately 2 means uninstall :eek:
Spent the last hour rewriting files... good that I have posted as much of it here, and the rest I found in an excellent tutorial on github that someone had written that perfectly matched my setup ;)
@Martineau a confirmation if I really want to uninstall would be nice... now I have a backup (lessons learned)
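A small wrapper for the non-interactive use discussed in the last few posts (the SSH-shortcut case, where the wgm alias from the login profile is not available and the full script path is needed, and the echo -e piping of directives ending with e), as an added POSIX sh example that is not from the thread or from wg_manager. It builds the stdin for wg_manager itself, appends the e exit directive, and refuses a bare menu number such as the "2" (uninstall) mentioned just above, or a directive with an embedded newline, so a typo cannot turn into a menu selection. The function names wgm_script and wgm_batch are mine; WGM defaults to the script path given earlier in the thread and can be overridden in the environment.

```shell
#!/bin/sh
# Added example (not from the thread or from wg_manager): a wrapper around the
# "echo -e '...\ne' | wg_manager" approach for non-interactive use (e.g. an SSH
# shortcut, where the wgm alias from the login profile is not available).
# It appends the 'e' exit directive itself and refuses a bare menu number such
# as "2", which the thread reports is the uninstall option. WGM defaults to the
# script path shown in the thread; override it in the environment if needed.
WGM=${WGM:-/jffs/addons/wireguard/wg_manager.sh}

# Print the lines that will be fed to wg_manager: one directive per line, 'e' last.
# Returns 1 and prints nothing if a directive is empty, purely numeric, or
# contains a newline (which would smuggle in a second line).
wgm_script() {
    newline='
'
    for cmd; do
        case $cmd in
            *"$newline"*)
                printf 'wgm_script: refusing directive with an embedded newline\n' >&2
                return 1 ;;
            *[!0-9]*) ;;     # contains a non-digit: a normal wgm directive
            *)
                printf 'wgm_script: refusing bare menu option "%s" (2 = uninstall)\n' "$cmd" >&2
                return 1 ;;
        esac
    done
    printf '%s\n' "$@" e
}

# Feed the directives to wg_manager; exit status is wg_manager's, or 1 if refused.
wgm_batch() {
    script=$(wgm_script "$@") || return 1
    printf '%s\n' "$script" | "$WGM"
}

# Demo without a router: show what would be sent, then a refused batch.
wgm_script 'peer wg11 auto=P' 'start wg11'
wgm_script 'peer help' 2 || echo 'batch refused, nothing sent'
# On the router:  wgm_batch 'stop wg11' 'peer wg11 auto=N'
```

From a shortcut the call would then be the full path of this script followed by the directives, e.g. the start/stop pairs from the post above, with no alias required.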
 
I feel guilty :oops:
 
