Wireguard Session Manager - Discussion (2nd) thread


I wasn't sure how to divide my hardwired devices. I wanted 192.168.5.100 to be on the VPN, and 192.168.5.102 and 109 to be on the LAN. That is what I came up with, but I am sure there is a better way; I just wasn't sure what that was.

I have tested the config file on my iPhone with my Torguard config file and it works. I also got 400 Mbps on a speed test!
 
This sounds very doable.

But you seem to have a lot of rules you are not using? Where do these come from:
Code:
9910: from 192.168.56.0/24 lookup main
9910: from 192.168.50.0/24 lookup main
9910: from 192.168.224.0/24 lookup main
9911: from 192.168.55.0/24 lookup 121
9911: from 192.168.24.0/24 lookup 121
10012: from 192.168.56.0/24 lookup main
10014: from 192.168.224.0/24 lookup main
Are these subnets you are not using? If so, could you remove them.

Anyhow, until you get your peer to handshake there is no point in working with the rules, but try to reduce the complexity of your system so it is understandable. Just make a single rule for your test computer and scrap all else. Add more as it starts to work.

Try out your Torguard conf file on another system (e.g. Android WireGuard) just to check that the conf file is good (some seem to die after some inactivity and you need to generate a new one).
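A way to do the pruning suggested above, as an added example that is not part of the original post or of wireguard_manager: a small POSIX shell/awk check that compares the RPDB 'from <subnet>' rules against the subnets actually configured on the router and prints, as a dry run, the 'ip rule del' commands for the stale ones. The rule listing and the local-subnet list are constructed samples modelled on the output quoted above (interface names and the wg11 address are assumptions); on a real router you would feed it 'ip rule show' and 'ip route show proto kernel' instead.

```shell
#!/bin/sh
# Added example: flag RPDB 'from <subnet>' rules whose subnet is not configured on the
# router, and print (not run) the matching 'ip rule del' commands.

# Constructed sample in 'ip rule show' layout, modelled on the rules quoted above
SAMPLE_RULES='0:      from all lookup local
9910:   from 192.168.56.0/24 lookup main
9910:   from 192.168.50.0/24 lookup main
9910:   from 192.168.224.0/24 lookup main
9911:   from 192.168.55.0/24 lookup 121
9911:   from 192.168.24.0/24 lookup 121
10012:  from 192.168.56.0/24 lookup main
10014:  from 192.168.224.0/24 lookup main
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample of the subnets the router actually has, in the layout of
# 'ip route show proto kernel' (first field is the subnet); interface names are assumed
SAMPLE_LOCAL='192.168.5.0/24 dev br0 scope link src 192.168.5.1
192.168.24.0/24 dev wl0.1 scope link src 192.168.24.1
192.168.55.0/24 dev wl1.1 scope link src 192.168.55.1
10.13.37.2 dev wg11 scope link'

# stale_rules RULES LOCAL -> one line "PRIO: SUBNET TABLE" per source-subnet rule
# whose subnet does not appear in LOCAL ('from all' rules are skipped)
stale_rules() {
  printf '%s\n' "$1" | awk -v local="$2" '
    BEGIN {
      n = split(local, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], f, " "); known[f[1]] = 1 }
    }
    $2 == "from" && $3 != "all" && !($3 in known) { print $1, $3, $5 }'
}

# delete_commands RULES LOCAL -> the 'ip rule del' lines that would remove them;
# review the output before piping it to sh on a real router
delete_commands() {
  stale_rules "$1" "$2" | awk '{ sub(/:$/, "", $1); printf "ip rule del prio %s from %s lookup %s\n", $1, $2, $3 }'
}

# Dry run against the constructed samples
stale_rules "$SAMPLE_RULES" "$SAMPLE_LOCAL"
delete_commands "$SAMPLE_RULES" "$SAMPLE_LOCAL"
```

On the sample data the five rules for 192.168.56.0/24, 192.168.50.0/24 and 192.168.224.0/24 are reported as stale, while the 9911 rules for the two IoT subnets are kept because those subnets exist locally. Nothing is deleted by the script itself; the second function only prints the commands so they can be reviewed first.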
I tried cleaning up my rules, and this is what I have now.

Code:
ID  Peer  Interface  Source           Destination  Description
1   wg11  WAN        192.168.5.103    Any          VPN Director: XBOX One
2   wg11  WAN        192.168.5.109    Any          VPN Director: PiVPN and PiHole
3   wg11  VPN        192.168.5.0/24   Any          VPN Director: LAN and Wookiee Wireless
4   wg11  VPN        192.168.24.0/24  Any          VPN Director: Wookiee IoT 2.4GHz
5   wg11  VPN        192.168.55.0/24  Any          VPN Director: Wookiee IoT 5GHz
 
Still not having any luck.

Maybe I am missing something very basic, so I will list everything I have done so far since updating my Asus firmware earlier.

1) Installed wgm
2) Imported my Torguard config file: import torguard.conf name=wg11
3) Ran command: peer wg11 auto=P
4) start wg11
5) Installed the update for Policy Director (uf dev) and ran Policy Director Clone (vpndirector clone)
6) Rebooted and made sure client and server were active.
7) Tried Torguard.config on iPhone and was able to make a handshake.
 
Can you delete the Torguard 'client' Peer
Code:
e  = Exit Script [?]

E:Option ==> peer wg11 del

    Deleting 'client' Peer (wg11)

    Press y to CONFIRM or press [Enter] to SKIP.
y

    'client' Peer wg11 DELETED
then update to wireguard_manager Beta v4.14b
Code:
e  = Exit Script [?]

E:Option ==> uf dev
then re-import the Torguard .conf, and try and start it
Code:
e  = Exit Script [?]

E:Option ==> start wg11
and see if the Peer summary status shows handshake/data transfer metrics
Code:
e  = Exit Script [?]

E:Option ==> list
 
Connected!
Good news, so ALL LAN traffic is routed via Torguard's WireGuard tunnel.

Now you can clone the VPN Director Policy rules and remember to start the Torguard 'client' Peer in Policy mode
 
Thank you so much! Just one last question: can I have wg11 auto start? After a reboot of the router I need to ssh in, run wgm and type start wg11. Is there a way to have it done automatically?
 
When you rebooted last time, didn't both 'server' Peer 'wg21' and 'client' Peer 'wg11' auto-start/initialise ? :rolleyes:

If you don't want a Peer to auto-start, then set auto=n for the Peer

e.g. if you have no need to connect to your router from your mobile via WireGuard, then no point in starting the 'server' Peer during the boot process, so issue
Code:
e  = Exit Script [?]

E:Option ==> peer wg21 auto=n
 
OK, so I am doing testing, and my 192.168.55.x and 192.168.24.0 devices can't browse when connected on those.

It works great on 192.168.5.0/24, but anything else says no internet connection.
 
Code:
E:Option ==> vpndirector list

        VPN Director Selective Routing RPDB rules

ID  Peer  Interface  Source           Destination  Description
1   wg11  WAN        192.168.5.103    Any          VPN Director: XBOX One
2   wg11  WAN        192.168.5.109    Any          VPN Director: PiVPN and PiHole
3   wg11  VPN        192.168.5.0/24   Any          VPN Director: LAN and Wookiee Wireless
4   wg11  VPN        192.168.24.0/24  Any          VPN Director: Wookiee IoT 2.4GHz
5   wg11  VPN        192.168.55.0/24  Any          VPN Director: Wookiee IoT 5GH

Tested on 192.168.5.103 and 109; they are getting a LAN IP.

192.168.5.0/24 works but any other subnet does not get internet access.

I've also removed wg22 from auto start, and wg11 is set to auto=p.
 
Sooooooooooo damn close. If I can get 192.168.24.0 and 192.168.55.0 to go to the VPN, everything would be perfect.
 
Code:
e  = Exit Script [?]

E:Option ==> ?

    Router RT-AX86U Firmware (v3.0.0.4.386.4_alpha2-g952c6bdecc)

    [✔] Entware Architecture arch=aarch64


    v4.14b WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
    MD5=e3952cf476801c0869803d7dc02ebdd7 /jffs/addons/wireguard/wg_manager.sh

    [✔] WireGuard Kernel module/User Space Tools included in Firmware (1.0.20210124)


    [✔] DNSmasq is listening on ALL WireGuard interfaces 'wg*'

    [✔] firewall-start is monitoring WireGuard Firewall rules

    [✖] WAN KILL-Switch is DISABLED (use 'vx' command for info)
    [✖] UDP monitor is DISABLED

    [ℹ ] Reverse Path Filtering ENABLED

    [✔] Statistics gathering is ENABLED

    [ℹ ] Speedtest quick link https://fast.com/en/gb/

    [ℹ ] @ZebMcKayhan's Hint's and Tips Guide https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#table-of-content

then click on @ZebMcKayhan's Hints and Tips Guide URL and look under the section yasfi for examples of how to add your subnets to the WireGuard tunnel.
 
Oh ok thanks!
 
Can I ask what you changed in the new version to have it all working?
If you compare the resulting imported '/opt/etc/wireguard.d/wg11.conf' with the pre-import Torguard-generated file '/opt/etc/wireguard.d/xxxxxxx.conf_imported', you should be able to deduce the very simple one-liner 'fix'? ;)

When you said the Torguard-created WireGuard .conf worked perfectly on your iPhone but not on the router, it had to be a directive that was unusual/unknown to me that was causing the connection failure.

Clearly someone at Torguard thought why not set the target device i.e. your iPhone to be both a 'Server' and a 'Client' Peer?
(unsolicited inbound requests anyone?, err alarm bells?)

So guess what is already listening on Port 51820?..... yup, the default wireguard_manager 'Server' Peer 'wg21', so I removed the conflict!

Simples really :cool:

P.S. You are probably the first to use wireguard_manager with Torguard; Mullvad certainly don't push that directive, but I should have asked for a copy of the (redacted) Torguard-generated file when there was no handshake/data transfer much earlier in the debugging process. Ah well, next time eh? :oops:
 
Last edited:
It's YazFi. :)
 
Hi @Martineau ,

I did a fresh install of the wg manager and found that there may be an issue with the script. Currently trying to install it and found some issues:

[attachment: 1639652628567.png]


A fresh install returns an error with this. Upon trying to see where it failed, I found some errors:

[attachment: 1639652670352.png]


[attachment: 1639652687188.png]


I usually do wgm to enter the manager instead of wg_manager. Not sure what happened; hope you can help me. Both the dev and main branches throw the same error.
Let me know if you need any additional info i can extract from the router. Cheers!
 
Clearly someone at Torguard thought why not set the target device i.e. your iPhone to be both a 'Server' and a 'Client' Peer?
So are Torguard using internet clients to relay data through? Like some mesh networking? Who knows what shady stuff is coming out of that hole... plausible deniability?

How is wgm handling this? Just blocking off incoming connections on this port, or does it need to be open? What if you are behind a CGNAT (like me)? Then it really wouldn't work (?).

//Zeb
 
In order to configure multiple sites/devices in any of the following WireGuard topologies

  1. Point to Point
  2. Hub and Spoke
  3. Point to Site
  4. Site to Site

each 'client' Peer .conf clearly and legitimately needs to include the 'ListenPort = 51820' directive, and with appropriate firewall rules it will be secure.

In the interim, wireguard_manager 'client' Peers can function without the directive, so I will need to give some thought on how to allow its use.
Obviously changing 'wg21' to listen on a different Port would be one simple/quick hack, but most 'client' peers expect the default 51820 on the 'Server' Peer.
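The two situations discussed in this exchange (a provider-generated client conf whose 'ListenPort' collides with the 'wg21' server peer, and the multi-site case where a client peer legitimately listens) can be handled by the same small check. The following shell/awk script is an added example, not code from the thread or from wireguard_manager, and it does not claim to reproduce what v4.14b actually does beyond the effect described above: it extracts the '[Interface]' ListenPort, compares it with a snapshot of UDP listeners, drops the directive for a pure client peer, and for the site-to-site case prints iptables rules that admit UDP on that port only from the configured Endpoint host. The conf (placeholder keys, RFC 5737 address), the listener snapshot (netstat -lnu layout) and the WAN interface name 'eth0' are constructed assumptions.

```shell
#!/bin/sh
# Added example: detect and handle a 'ListenPort' directive in a provider-generated
# WireGuard *client* .conf. All sample data below is constructed/hypothetical.

# Constructed client conf in the shape the thread describes (placeholder keys,
# documentation-range endpoint); the [Interface] carries a ListenPort.
SAMPLE_CONF='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY_NOT_REAL=
Address = 10.13.37.2/32
DNS = 10.13.37.1
ListenPort = 51820

[Peer]
PublicKey = PLACEHOLDER_PROVIDER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:1443
PersistentKeepalive = 25'

# Constructed snapshot of UDP listeners in 'netstat -lnu' layout: a server peer
# already bound to 51820, plus dnsmasq on 53.
SAMPLE_LISTENERS='udp        0      0 0.0.0.0:51820           0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# conf_listen_port CONF -> the [Interface] ListenPort value, or nothing if absent
conf_listen_port() {
  printf '%s\n' "$1" | awk -F'=' '
    /^\[/ { section = $0 }
    section == "[Interface]" && $1 ~ /^[ \t]*ListenPort[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# port_in_use PORT LISTENERS -> status 0 if a UDP socket already binds PORT
port_in_use() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "udp" && $4 ~ (":" p "$") { found = 1 }
    END { exit !found }'
}

# strip_listen_port CONF -> the conf with the [Interface] ListenPort line removed,
# which is all a pure client peer needs (WireGuard then picks an ephemeral port)
strip_listen_port() {
  printf '%s\n' "$1" | awk '
    /^\[/ { section = $0 }
    section == "[Interface]" && $0 ~ /^[ \t]*ListenPort[ \t]*=/ { next }
    { print }'
}

# check_client_conf CONF LISTENERS -> "ok" | "conflict PORT" | "listenport PORT"
check_client_conf() {
  port=$(conf_listen_port "$1")
  if [ -z "$port" ]; then echo ok
  elif port_in_use "$port" "$2"; then echo "conflict $port"
  else echo "listenport $port"
  fi
}

# endpoint_host CONF -> host part of the [Peer] Endpoint (IPv4 host:port form)
endpoint_host() {
  printf '%s\n' "$1" | awk -F'=' '
    $1 ~ /^[ \t]*Endpoint[ \t]*$/ { gsub(/[ \t]/, "", $2); sub(/:[0-9]+$/, "", $2); print $2; exit }'
}

# firewall_rules CONF WANIF -> iptables commands (printed, not run) that admit UDP on
# the ListenPort only from the configured Endpoint host, for the multi-site case where
# the directive is legitimate. Both use -I, so DROP is emitted first and ACCEPT second
# so that ACCEPT ends up above DROP in the chain.
firewall_rules() {
  port=$(conf_listen_port "$1"); host=$(endpoint_host "$1")
  [ -n "$port" ] && [ -n "$host" ] || return 1
  printf 'iptables -I INPUT -i %s -p udp --dport %s -j DROP\n' "$2" "$port"
  printf 'iptables -I INPUT -i %s -p udp --dport %s -s %s -j ACCEPT\n' "$2" "$port" "$host"
}

# Dry run against the constructed samples
echo "verdict: $(check_client_conf "$SAMPLE_CONF" "$SAMPLE_LISTENERS")"
strip_listen_port "$SAMPLE_CONF" > /dev/null   # would be written back as the imported conf
firewall_rules "$SAMPLE_CONF" eth0              # eth0 is an assumed WAN interface name
```

Against the sample data the verdict is "conflict 51820" because the server peer already owns that port; after 'strip_listen_port' the same conf checks as "ok" and still carries its Endpoint. When a listening client peer is really wanted, the printed rules restrict the port to the one Endpoint host rather than leaving it open to unsolicited inbound handshakes.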
 
