What's new

Wireguard Session Manager - Discussion (2nd) thread

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Question for the experts.
I am considering doing a factory reset on my remote AX86U. I am at the remote site and have had a few reboots the past week or so.
I will use nsrum to backup many of the nvram settings and have backed up the /jffs partition.

Once I do the factory reset, ssh will generate new keys.

Will my keys created by wg_manager for my remote (Cabin) and Home still be valid? In other words, can I just restore /jffs, reboot and be good to go?
See @Martineau ,I am a bit lazy ;-)

Thanks
 
If the reboots weren't initiated by you, I don't see the point of using any of the saved settings from the current configuration.

You will be going to the remote site to perform the reset, correct? :)
 
Question for the experts.
I am considering doing a factory reset on my remote AX86U. I am at the remote site and have had a few reboots the past week or so.
I will use nsrum to backup many of the nvram settings and have backed up the /jffs partition.

Once I do the factory reset, ssh will generate new keys.

Will my keys created by wg_manager for my remote (Cabin) and Home still be valid? In other words, can I just restore /jffs, reboot and be good to go?
Yes the keys/.confs should still be valid if they are restored to Entware's repository '/opt/etc/wireguard.d/' (not /jffs/)

It is important to therefore rename '/opt/etc/wireguard.d/' or ideally you should also externally clone it e.g. WinSCP drag'n'drop to Windows etc.

Best practice is to rename the Entware directory before the Factory Reset.

So make sure you remove the USB stick/SSD before the Factory Reset, then the first thing you should do after the Factory Reset is re-insert the USB/SSD and use amtm to either install a new fresh Entware repository or allow amtm to reuse the existing Entware repository if you didn't rename it - your choice.

See @Martineau ,I am a bit lazy ;-)
:D
 
Will do next
I have run
Code:
 ip6tables -t nat -I POSTROUTING -s fd36:7ef1:2add:aa88::/64 -o eth0 -j SNAT --to-source 2a02:c7f:f0c3:1000::1
and checked
Code:
admin@RT-AX88U-5050:/tmp/home/root# ip6tables -nvL POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all      *      br0     fd36:7ef1:2add:aa88::/64  ::/0                 /* WireGuard 'server clients to LAN' */
    0     0 SNAT       all      *      eth0    fd36:7ef1:2add:aa88::/64  ::/0                 to:2a02:c7f:f0c3:1000::1
as wg21-up.sh is
Code:
#!/bin/sh
#Masquarade ipv6 packets from clients to WAN
#ip6tables -t nat -I POSTROUTING -s  fd36:7ef1:2add:aa88::1/64 -o eth0 -j MASQUERADE -m comment --comment "WireGuard 'server'"
#Masquarade ipv6 packets from clients to br0 (is this needed/wanted)?
#ip6tables -t nat -I POSTROUTING -s fd36:7ef1:2add:aa88::1/64 -o br0 -j MASQUERADE -m comment --comment "WireGuard 'server'"
I am not sure where the MASQUERADE response came from.

Still no ipv6 or ping responses on eth0
Whilst I have no IPv6 knowledge, I'm not sure if it isn't worthwhile starting again? - tedious I know.

For IPv6 WireGuard interfaces must use 1420 MTU ???

However, for your current configuration....assuming wg21 is configured, then depending on the wg21 ListenPort manually issue
Code:
ip6tables -I PREROUTING -d 2a02:c7f:f0c3:1000::1 -p udp --dport 51820 -j DNAT --to-destination [fd36:7ef1:2add:aa88::1]:51820
or
Code:
ip6tables -I PREROUTING -d 2a02:c7f:f0c3:1000::1 -p udp --dport 11501 -j DNAT --to-destination [fd36:7ef1:2add:aa88::1]:11501

If it works then you can put these in
wg21.conf
Code:
#PreUp = ip6tables -I PREROUTING -d 2a02:c7f:f0c3:1000::1 -p udp --dport %p -j DNAT --to-destination [fd36:7ef1:2add:aa88::1]:%p
#PreDown = ip6tables -D PREROUTING -d 2a02:c7f:f0c3:1000::1 -p udp --dport %p -j DNAT --to-destination [fd36:7ef1:2add:aa88::1]:%p

NOTE: This may save you time,

Code:
e  = Exit Script [?]

E:Option ==> diag
then simply scroll up and as the IPv6 rules are listed last you should be able to quickly spot them for cut'n'paste.
 
I have 2x RT-56u with 386.5 (at home and office). The first one has static ipv6 with prefix /48 stateless, Router Advertisement enabled, advertising adguards DNS, no scripts. The second one runs 6in4 he tunnel with /48 prefix, Router Advertisement enabled, advertising adguards DNS, no scripts.

Same problems
Are you running Wireguard with 6-in-4?... could be why its not working. I think wgm only accept setting up wireguard on native. Maybee possible to work around but I dont know much about it.

What does 6-in-4 mean? Do you still have an outgoing ipv6 interface (ppp0?)? But I guess no ipv6 on eth0?

if you pm me the output of
Code:
ip -6 rule
ip -6 route
ifconfig wg21
ifconfig eth0
ifconfig ppp0

I might be able to kit something together for you.
 
Last edited:
Ahhh, you mean that the message
Code:
wireguard-server1: Initialising Wireguard VPN (IPv6) [fdff:a37f:fa75:1::1] 'Server' Peer (wg21) on 100.126.96.1:11501 (# RT-AC86U (IPv4/IPv6) Server 1)
should actually include the IPv6 'server' Peer tunnel socket together with the IPv4 IP as you have defined a Dual-stack
i.e.
Code:
wireguard-server1: Initialising Wireguard VPN (IPv6) [fdff:a37f:fa75:1::1] 'Server' Peer (wg21) on 100.126.96.1,fdff:a37f:fa75:100::101:11501 (# RT-AC86U (IPv4/IPv6) Server 1)
where the value in between the square brackets '[ ]' is naively o_O assumed to be the IPv6 WAN IP :rolleyes:derived as follows:
Code:
WAN_IPV6=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)
aah, sound alright then... guess there is a downside by keeping all ipv6 in the same prefix ;), hard on the eye to tell them apart at a quick glimpse.
 
So I finally tried wireguard but encountered the first problem:

E:Option ==> peer new ipv6=2001:XXXX:XXXX:dd20::/64

***ERROR: '2001:XXXX:XXXX:dd20::/64' must be Private IPv6 address

I have a static prefix 2001:XXXX:XXXX::/48

According to ZebMcKayhans manual I can you use global addresses instead of private ones (ULA). Any idea what can be wrong? Running 4.16b
I've uploaded wireguard_manager Beta v4.16b2 to remove the restriction of only allowing IPv6 Private (ULA) to be specified.

To apply the patch use
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 
Whilst I have no IPv6 knowledge, I'm not sure if it isn't worthwhile starting again? - tedious I know.

For IPv6 WireGuard interfaces must use 1420 MTU ???

However, for your current configuration....assuming wg21 is configured, then depending on the wg21 ListenPort manually issue
Code:
ip6tables -I PREROUTING -d 2a02:c7f:f0c3:1000::1 -p udp --dport 51820 -j DNAT --to-destination [fd36:7ef1:2add:aa88::1]:51820
or
Code:
ip6tables -I PREROUTING -d 2a02:c7f:f0c3:1000::1 -p udp --dport 11501 -j DNAT --to-destination [fd36:7ef1:2add:aa88::1]:11501

If it works then you can put these in
wg21.conf
Code:
#PreUp = ip6tables -I PREROUTING -d 2a02:c7f:f0c3:1000::1 -p udp --dport %p -j DNAT --to-destination [fd36:7ef1:2add:aa88::1]:%p
#PreDown = ip6tables -D PREROUTING -d 2a02:c7f:f0c3:1000::1 -p udp --dport %p -j DNAT --to-destination [fd36:7ef1:2add:aa88::1]:%p

NOTE: This may save you time,

Code:
e  = Exit Script [?]

E:Option ==> diag
then simply scroll up and as the IPv6 rules are listed last you should be able to quickly spot them for cut'n'paste.
@Martineau When you say start again, can you clarify - for each set of changes I am removing both device and server (including from the hone)
e.g. peer {device} del, peer {sever} del and rebuilding them. Equally for each rule added e.g.
Code:
ip6tables -t nat -I POSTROUTING -s fd36:7ef1:2add:aa88::/64 -o eth0 -j SNAT --to-source 2a02:c7f:f0c3:1000::1
if it is not working I remove it
Code:
ip6tables -t nat -D POSTROUTING -s fd36:7ef1:2add:aa88::/64 -o eth0 -j SNAT --to-source 2a02:c7f:f0c3:1000::1
So the only permanent change I have not reversed is installing entware iptables.
My current setup is
Code:
E:Option ==> 8

        Peers (Auto start: Auto=P - Policy, Auto=S - Site-to-Site)
Server  Auto  Subnet                                  Port   Annotate
wg21    N     10.50.1.1/24,fd36:7ef1:2add:aa88::1/64  11501  # RT-AX88U (IPv4/IPv6) Server 1
wg22    N     10.50.2.1/24,2a02:c7f:f0c3:1010::1/64   11502  # RT-AX88U (IPv4/IPv6) Server 2


        Peers (Auto=X - External i.e. Cell/Mobile/Site)
Device  Auto  IP                                      DNS                        Allowed IPs      Annotate
sam20   X     10.50.1.2/32,fd36:7ef1:2add::2/128      10.50.1.1,2620:119:35::35  0.0.0.0/0, ::/0  # sam20 "Device"
sam22   X     10.50.2.2/32,2a02:c7f:f0c3:1010::2/128  10.50.2.1,2620:119:35::35  0.0.0.0/0, ::/0  # sam22 "Device"
and only wg21 is started. I have checked and wg21 has MTU 1420
I have tried entering the instruction above but it fails with
Code:
ip6tables -I PREROUTING -d 2a02:c7f:f0c3:1000::1 -p udp --dport 11501 -j DNAT --to-destination [fd36:7ef1:2add:aa88::1]:11501
ip6tables: No chain/target/match by that name.
What am I missing?
 
Also found some cosmetic stuff where the ipv6 goes through some transformation during creation but in the end turns out correct:

wg21.conf
#Address = 192.168.100.1/24,fdff:a37f:fa75:100::101/120
AllowedIPs = 192.168.100.2/32,fdff:a37f:fa75:100::2/128

myvpn.conf:
Address = 192.168.100.2/32,fdff:a37f:fa75:100::2/128[/CODE]

I was kind of thinking that the device would turn out ::102 but I guess wgm replaces the last numbers completally. Doesn't matter really.
aah, sound alright then... guess there is a downside by keeping all ipv6 in the same prefix ;), hard on the eye to tell them apart at a quick glimpse.
I've uploaded wireguard_manager Beta v4.16b2 to address both of your issues

To apply the changes
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 
What am I missing?
Think you need to add the -t nat for it to work.

Altough this addresses the tunnel udp port Whilst your tunnel is up (over ipv4) and client ipv6 packages arrives at router wg21 I would assume the problem is with routing/firewall and not the tunnel. But I could be wrong.
 
@Martineau When you say start again, can you clarify - for each set of changes I am removing both device and server (including from the hone)
e.g. peer {device} del, peer {sever} del and rebuilding them. Equally for each rule added
So the only permanent change I have not reversed is installing entware iptables.
Apologies , I wasn't sure how diligent you were reverting the suggestions proposed by @ZebMcKayhan....it's all to easy (as you experienced) to experiment and actually cause additional frustrating issues.

I'll butt-out then and keep my unsubstantiated idiotic IPv6 (typo-ridden :oops:) suggestions to myself.
 
Apologies , I wasn't sure how diligent you were reverting the suggestions proposed by @ZebMcKayhan....it's all to easy (as you experienced) to experiment and actually cause additional frustrating issues.

I'll butt-out then and keep my unsubstantiated idiotic IPv6 (typo-ridden :oops:) suggestions to myself.
All suggestions are always welcome, otherwise how will any of us learn anything.
 
Think you need to add the -t nat for it to work.

Altough this addresses the tunnel udp port Whilst your tunnel is up (over ipv4) and client ipv6 packages arrives at router wg21 I would assume the problem is with routing/firewall and not the tunnel. But I could be wrong.
I tried with the amended PREROUTING
Code:
ip6tables -t nat -I PREROUTING -d 2a02:c7f:f0c3:1000::1 -p udp --dport 11501 -j DNAT --to-destination [fd36:7ef1:2add:aa88::1]:11501
but still no IPv6 (and have have now reversed this out)

I will run
Code:
ip6tables -nvL PREROUTING -t nat
ip6tables -nvL PREROUTING -t mangle
ip6tables -nvL FORWARD -t mangle
against the 2600:: ping next and report
and dropped packets via
Code:
ip -s link show wg21

A random thought: Is it worth taking out DoT (reverting to standard DNS) and or shutting down the OpenVPN client - VPN Director (Policy Rules). I wouldn't have thought they should be relevant as they should only be working on the client traffic, not the Router?
 
@archiel
I tried with the amended PREROUTING
Code:
ip6tables -t nat -I PREROUTING -d 2a02:c7f:f0c3:1000::1 -p udp --dport 11501 -j DNAT --to-destination [fd36:7ef1:2add:aa88::1]:11501
but still no IPv6 (and have have now reversed this out)

I will run
Code:
ip6tables -nvL PREROUTING -t nat
ip6tables -nvL PREROUTING -t mangle
ip6tables -nvL FORWARD -t mangle
against the 2600:: ping next and report
and dropped packets via
Code:
ip -s link show wg21

A random thought: Is it worth taking out DoT (reverting to standard DNS) and or shutting down the OpenVPN client - VPN Director (Policy Rules). I wouldn't have thought they should be relevant as they should only be working on the client traffic, not the Router?
Could be... maybee openvpn routes this package for some reason.

Just found this in ip manual:
Code:
ip route get ROUTE_GET_FLAGS ADDRESS [ from ADDRESS iif STRING ] [ oif STRING ] [ mark MARK ] [ tos TOS ] [ vrf NAME ] [ ipproto PROTOCOL ] [ sport NUMBER ] [ dport NUMBER ]

Perhaps could be worth a try:
Code:
ip route get 2600:: from fd36:7ef1:2add:aa88::2 iif wg21

If it works it will show how the package gets routed through ip. And may show a different destination then eth0??
 
Are you running Wireguard with 6-in-4?... could be why its not working. I think wgm only accept setting up wireguard on native. Maybee possible to work around but I dont know much about it.

What does 6-in-4 mean? Do you still have an outgoing ipv6 interface (ppp0?)? But I guess no ipv6 on eth0?

if you pm me the output of
Code:
ip -6 rule
ip -6 route
ifconfig wg21
ifconfig eth0
ifconfig ppp0

I might be able to kit something together for you.
That would be amazing. I've sent you PM with those outputs. Please confirm.
 
@archiel

Could be... maybee openvpn routes this package for some reason.

Just found this in ip manual:
Code:
ip route get ROUTE_GET_FLAGS ADDRESS [ from ADDRESS iif STRING ] [ oif STRING ] [ mark MARK ] [ tos TOS ] [ vrf NAME ] [ ipproto PROTOCOL ] [ sport NUMBER ] [ dport NUMBER ]

Perhaps could be worth a try:
Code:
ip route get 2600:: from fd36:7ef1:2add:aa88::2 iif wg21

If it works it will show how the package gets routed through ip. And may show a different destination then eth0??
Code:
ip route get 2600:: from fd36:7ef1:2add:aa88::2 iif wg21
2600:: via fe80::4255:82ff:febd:9c3 dev eth0 metric 0 hoplimit 64 iif wg21 pref medium
where as noted above - looking at the routing table in the GUI
1646743716176.png

1646743764101.png
 
Code:
ip route get 2600:: from fd36:7ef1:2add:aa88::2 iif wg21
2600:: via fe80::4255:82ff:febd:9c3 dev eth0 metric 0 hoplimit 64 iif wg21 pref medium
where as noted above - looking at the routing table in the GUI
1646743716176.png

1646743764101.png
Ok.. then the package should be traversing the PREROUTING Chain then FORWARD chain (where it never reaches the filter table)... Unless the firmware asus/broadcom is not preventing the package it should be found in the firewall somewhere.


That would be amazing. I've sent you PM with those outputs. Please confirm.
Thanks, got it! Sorry, one more (as your interface were not ppp0)
Code:
ifconfig v6tun0
I'll look at it hopefully this evening.
 
That would be amazing. I've sent you PM with those outputs. Please confirm.
never really got what wg21 ipv6 prefix you were planning to use, so maybee you could fill in the wg21 address and the wg21Device Address (usually wg21 address +1):
Code:
1)    Add/check in /opt/etc/wireguard.d/wg21.conf (the PreUp must be with a #, it will be executed anyway):
AllowedIps = 10.50.1.2/32, <DeviceIpv6>/128
#PreUp = ip -6 address add dev wg21 <wg21Ipv6>/64
2)    Check /opt/etc/wireguard.d/device.conf (YourDeviceName.conf):
Address = 10.50.1.2/32, <DeviceIpv6>/128
3)    Restart wg21 and import new device config to client (i.e. Android phone or similar known working device).
4)    Check with ifconfig that wg21 has both ipv4 and ipv6 address
5)    Execute from the router shell (one by one):
ip6tables -t mangle -I FORWARD -o wg21 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment "WireGuard 'server'"
ip6tables -t mangle -I FORWARD -i wg21 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment "WireGuard 'server'"
ip6tables -t mangle -I FORWARD -o wg21 -j MARK --set-xmark 0x01/0x7 -m comment --comment "WireGuard 'server'"
ip6tables -t mangle -I PREROUTING -i wg21 -j MARK --set-xmark 0x01/0x7 -m comment --comment "WireGuard 'server'"
ip6tables -I INPUT -i wg21 -j ACCEPT -m comment --comment "WireGuard 'server'"
ip6tables -I FORWARD -i wg21 -j ACCEPT -m comment --comment "WireGuard 'server'"
ip6tables -I FORWARD -i br0 -o wg21 -j ACCEPT -m comment --comment "LAN to WireGuard 'server clients'"
ip6tables -I OUTPUT -o wg21 -j ACCEPT -m comment --comment "WireGuard 'server'"
6)    Check IPv4/IPv6 connection to Client (On Android use i.e. PingTools):
Ping wg21 ipv4
Ping wg21 ipv6
Ping internet client 2600::
7)    If all good, put the ip6tables commands in userscript /jffs/addons/wireguard/Scripts/wg21-up.sh (don’t forget the shebang and make it executable)
also remove the rules (Replace -I with -D) in userscript /jffs/addons/wireguard/Scripts/wg21-down.sh (don’t forget the shebang and make it executable)
 
Ok.. then the package should be traversing the PREROUTING Chain then FORWARD chain (where it never reaches the filter table)... Unless the firmware asus/broadcom is not preventing the package it should be found in the firewall somewhere.
Testing with Ping 2600:: (2 sets of 3) from Android Ping - no PRE or POST ROUTING rules applied
ip6tables -nvL PREROUTING -t nat - No identified traffic at all
Code:
ip6tables -nvL PREROUTING -t nat
Chain PREROUTING (policy ACCEPT 12740 packets, 2455K bytes)
pkts bytes target     prot opt in     out     source               destination
Code:
admin@RT-AX88U-5050:/tmp/home/root# ip6tables -nvL PREROUTING -t nat
Chain PREROUTING (policy ACCEPT 12867 packets, 2483K bytes)
pkts bytes target     prot opt in     out     source               destination
ip6tables -nvL PREROUTING -t mangle
Code:
ip6tables -nvL PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT 422K packets, 322M bytes)
pkts bytes target     prot opt in     out     source               destination
  155 17750 MARK       all      wg21   *       ::/0                 ::/0                 /* WireGuard 'server' */ MARK xset 0x1/0x7
Code:
ip6tables -nvL PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT 423K packets, 322M bytes)
pkts bytes target     prot opt in     out     source               destination
  160 18270 MARK       all      wg21   *       ::/0                 ::/0                 /* WireGuard 'server' */ MARK xset 0x1/0x7
ip6tables -nvL FORWARD -t mangle - All empty
Code:
ip6tables -nvL FORWARD -t mangle
Chain FORWARD (policy ACCEPT 359K packets, 295M bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all      *      wg21    ::/0                 ::/0                 /* WireGuard 'server' */ MARK xset 0x1/0x7
    0     0 TCPMSS     tcp      wg21   *       ::/0                 ::/0                 tcp flags:0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp      *      wg21    ::/0                 ::/0                 tcp flags:0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
    0     0 DNSFILTERF  udp      br+    *       ::/0                 ::/0                 udp dpt:53
    0     0 DNSFILTERF  tcp      br+    *       ::/0                 ::/0                 tcp dpt:53
    0     0 DNSFILTER_DOT  tcp      br+    *       ::/0                 ::/0                 tcp dpt:853
Code:
ip6tables -nvL FORWARD -t mangle
Chain FORWARD (policy ACCEPT 360K packets, 296M bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all      *      wg21    ::/0                 ::/0                 /* WireGuard 'server' */ MARK xset 0x1/0x7
    0     0 TCPMSS     tcp      wg21   *       ::/0                 ::/0                 tcp flags:0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp      *      wg21    ::/0                 ::/0                 tcp flags:0x06/0x02 /* WireGuard 'server' */ TCPMSS clamp to PMTU
    0     0 DNSFILTERF  udp      br+    *       ::/0                 ::/0                 udp dpt:53
    0     0 DNSFILTERF  tcp      br+    *       ::/0                 ::/0                 tcp dpt:53
    0     0 DNSFILTER_DOT  tcp      br+    *       ::/0                 ::/0                 tcp dpt:853
Packets ( ip -s link show wg21)
Code:
ip -s link show wg21
41: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none
    RX: bytes  packets  errors  dropped missed  mcast
    9428324    40594    6       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    38355524   51784    2       0       0       0
Code:
ip -s link show wg21
41: wg21: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none
    RX: bytes  packets  errors  dropped missed  mcast
    9433108    40633    6       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    38362676   51817    2       0       0       0
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top