Wireguard Session Manager - Discussion (3rd) thread


I can be of your assistance. Tell me what I need to do and I do it in that order.
That's great!

Are you running a server or a client on your router (or both)?

I will try to kit together something to help the process (nothing fancy, just a script that you could run and provide the mark and it will set up the rules according to your mark, wait some time for you to test, then reset back to old values)
 
@ZebMcKayhan , as you know, I am running site-to-site (AX88U to AX86U). If you are doing a test script and I can be of assistance - let me know!
 
Appreciate it! AX88U works with the old marks, only interested in AX86U, but I don't know what wrong marks will do to the router (temporarily). That's why I want to make a script that makes the change for i.e. 1 min and then back, so if something gets stuck it should reset itself. If all else fails a reboot should always set everything back to normal. I know you have 2 locations and I think this would be risky to try on a router on a remote location. Or are you at the AX86U location?
 
I am running a server. But I can run a client too if you want me to. Got one provided from my ISP.
 
Server is fine...

I've made a script
https://pastebin.com/djNd98EG
which you can paste into your router and save in i.e. /opt/tmp

Give whatever filename you want.

Make executable:
Code:
chmod +x /opt/tmp/filename

Make sure you only have wg21 running and no other people using the router. Connect a road-warrior device to the router and make some speed tests.

You could run it once with the original mark to see what happens when Flow cache is enabled:
Code:
sh /opt/tmp/filename wg21 0x01/0x7

The script will pause during 1 minute where Flow cache is enabled. Redo your speed test during this minute. Probably your speed is cut down to 1-2Mb/s. Also check your syslog, it is probably reeking with blog errors.

After the minute is up the script resets everything. Change the "sleep 60" if you want more/less time.

When you feel you know and can tell how Flow cache is affecting Wireguard then start testing various masks from my previous post https://www.snbforums.com/threads/session-manager-discussion-3rd-thread.78317/post-763229
 
djNd98EG: line 1: syntax error: unexpected newline
 
I see and no, the remote is an AX86U. I could open (temporarily) ssh to WAN with odd port number to check/reset if the wg tunnel goes wonky.
Your call, I'm good with the ssh WAN (don't tell anyone ;-)
 
I appreciate it, but why don't we wait and see how @johndoe85 progresses? He was first on the ball and has a simpler setup, and there is no point in having more people testing the same thing. If you want to, I would appreciate it if you would review my script linked above.
 
Code:
Admin@RT-AX86U-3FD8:/tmp/mnt/sda1/entware/tmp# ./djNd98EG
Removing original rules
Adding new rules with xmark  to interface
Bad argument `MARK'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `MARK'
Try `iptables -h' or 'iptables --help' for more information.
Enables Flow Cache
Broadcom Packet Flow Cache learning via BLOG enabled.
Broadcom Packet Flow Cache flushing the flows

Sleeping 60sec before disabling flow cache again

That is after dos2unix djNd98EG

Code:
Admin@RT-AX86U-3FD8:/tmp/mnt/sda1/entware/tmp# ./djNd98EG
Removing original rules
Adding new rules with xmark  to interface
Bad argument `MARK'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `MARK'
Try `iptables -h' or 'iptables --help' for more information.
Enables Flow Cache
Broadcom Packet Flow Cache learning via BLOG enabled.
Broadcom Packet Flow Cache flushing the flows

Sleeping 60sec before disabling flow cache again
Disables Flow Cache and removes rules with xmark  to interface  and restores original rules
Broadcom Packet Flow Cache learning via BLOG disabled.
Bad argument `MARK'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `MARK'
Try `iptables -h' or 'iptables --help' for more information.

This is after the 60 seconds have passed
 
Ok, great! Looks like it's working, but you need to start the script with your interface (wg21) and the mark you like to test as arguments:

Start with the current mark:
Code:
./djNd98EG wg21 0x01/0x7
Then make some speed tests over wireguard during this minute.
 
I get 0,96 Mbps down and 2,33 Mbps up
This is over internet.

When back to normal again I get 129 down and 122 up to the same server.
 
Ok, great!

Then we can test with the same mark but with various masks, one at a time, and make the same speed test on each one.
Code:
./djNd98EG wg21 0x01/0x1
./djNd98EG wg21 0x01/0x3
./djNd98EG wg21 0x01/0xf
./djNd98EG wg21 0x01/0x1f
./djNd98EG wg21 0x01/0x3f
./djNd98EG wg21 0x01/0x7f
./djNd98EG wg21 0x01/0xff
./djNd98EG wg21 0x01/0x1ff

The plan is to find a mark where you get same speed during this minute as normal.
 
All marks gave approx. the same result. 1-3 Mbps up and down. Most around 1 Mbps.
 
Ok, thanks!

So if my reasoning is right the mask merely makes sure we don't affect other bits than the 3 least significant. We could test various marks with a fairly large mask:

Code:
./djNd98EG wg21 0x02/0x1ff
./djNd98EG wg21 0x03/0x1ff
./djNd98EG wg21 0x04/0x1ff
./djNd98EG wg21 0x05/0x1ff
./djNd98EG wg21 0x06/0x1ff
./djNd98EG wg21 0x07/0x1ff

If none of these work we might have to give up, if someone doesn't have a better idea.
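
Added example, not part of any post in this thread and not the pastebin script: a small sh model of what a mark/mask argument does to a packet's fwmark, plus the argument check that would have caught the earlier run with no arguments. It assumes the script applies the mark with the MARK target's --set-xmark (its output mentions "xmark"); the function names and the sample starting marks are made up for illustration.

```shell
#!/bin/sh
# Added example. Models "-j MARK --set-xmark value/mask" as documented in
# iptables-extensions: new_mark = (old_mark AND NOT mask) XOR value.

# valid_xmark SPEC: succeeds if SPEC is hex "value" or "value/mask", max 32 bits each.
valid_xmark() {
    case "$1" in
        ''|*[!0-9a-fA-Fx/]*|*/|/*|*/*/*) return 1 ;;
    esac
    for part in ${1%%/*} ${1#*/}; do
        digits=${part#0x}
        [ "$digits" != "$part" ] || return 1          # "0x" prefix is required
        case "$digits" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
        [ "${#digits}" -le 8 ] || return 1            # fwmark is 32 bits wide
    done
    return 0
}

# apply_xmark OLD SPEC: prints the mark a packet carrying OLD ends up with.
apply_xmark() {
    valid_xmark "$2" || { echo "invalid mark '$2'" >&2; return 2; }
    value=${2%%/*}
    mask=0xffffffff                  # no "/mask": every bit is replaced
    case "$2" in */*) mask=${2#*/} ;; esac
    printf '0x%x\n' $(( (($1 & ~$mask) ^ $value) & 0xffffffff ))
}

# Constructed inputs: an unmarked packet and one with made-up upper bits set.
for spec in 0x01/0x1 0x01/0x7 0x01/0x1ff 0x02/0x1ff; do
    printf '%-11s 0x0 -> %-6s 0xabc00105 -> %s\n' "$spec" \
        "$(apply_xmark 0x0 "$spec")" "$(apply_xmark 0xabc00105 "$spec")"
done
```

On a packet that starts unmarked, every 0x01/mask combination tried above produces the same mark 0x1; the mask only changes the outcome for bits that were already set.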
 
Same results. Pure crap speeds and high load on the CPU.
 
Ok, crap... fwmark is 32 bits, which means 4.3 billion combinations. Going further would mean some script that tests different marks and performs the speed test on its own, but even if a mark is tested each minute it will take like 8000 years to test. So either the mark is completely shifted somewhere else or removed from the closed source kernel module.

Anyway, many thanks for testing! A router reboot is probably proper so we don't leave some residue.
 
I imported my ISP's client wireguard conf and I cannot start it. I get this error

Code:
        Requesting WireGuard VPN Peer start for Category 'Clients' (wg11)

        WireGuard-clientwg11: Initialising WireGuard VPN 'client' Peer (wg11) to wireguard.5july.net:48574 (# N/A) DNS=
Line unrecognized: `dns=2001:9b1:8826::53,2001:9b0:4:2601::53,98.128.186.86,155.4.89.136'
Configuration parsing error
Cannot find device "wg11"

        ***ERROR Initialisation ABORTED - 'wg setconf wg11 /tmp/wg11.9581 (/opt/etc/wireguard.d/wg11.conf)' FAILED

What is wrong? =)
 