Wireguard Session Manager - Discussion (3rd) thread

Martineau

Part of the Furniture
I imported my ISP's client wireguard conf and i cannot start it. I get this error

Code:
        Requesting WireGuard VPN Peer start for Category 'Clients' (wg11)

        WireGuard-clientwg11: Initialising WireGuard VPN 'client' Peer (wg11) to wireguard.5july.net:48574 (# N/A) DNS=
Line unrecognized: `dns=2001:9b1:8826::53,2001:9b0:4:2601::53,98.128.186.86,155.4.89.136'
Configuration parsing error
Cannot find device "wg11"

        ***ERROR Initialisation ABORTED - 'wg setconf wg11 /tmp/wg11.9581 (/opt/etc/wireguard.d/wg11.conf)' FAILED

What is wrong? =)
Several days ago, I had to make changes to accommodate the import of '.conf' files created by Unraid.

Upgrade to wireguard_manager Beta v4.17b6
Code:
e  = Exit Script [?]

E:Option ==> uf dev

EDIT: Try manually editing/changing the KEYWORD to UPPER CASE
e.g.
Code:
dns=2001:9b1:8826::53,2001:9b0:4:2601::53,98.128.186.86,155.4.89.136
to
Code:
DNS=2001:9b1:8826::53,2001:9b0:4:2601::53,98.128.186.86,155.4.89.136

then retry the import.


Who is your WIreGuard ISP?

If it still fails then obfuscate the Private/Public Keys then PM me an example of the ',conf' file you are trying to import.
 
Last edited:

johndoe85

Regular Contributor
Several days ago, I had to make changes to accommodate the import of '.conf' files created by Unraid.

Upgrade to wireguard_manager Beta v4.17b6
Code:
e  = Exit Script [?]

E:Option ==> uf dev

EDIT: Try manually editing/changing the KEYWORD to UPPER CASE
e.g.
Code:
dns=2001:9b1:8826::53,2001:9b0:4:2601::53,98.128.186.86,155.4.89.136'
to
Code:
DNS=2001:9b1:8826::53,2001:9b0:4:2601::53,98.128.186.86,155.4.89.136'

then retry the import.


Who is your WIreGuard ISP?

If it still fails then obfuscate the Private/Public Keys then PM me an example of the ',conf' file you are trying to import.
Ah it was the uppercase that were causing the problem.
My ISP is running its own services i belive. Or in collaboration with some company.

Integrity VPN
 

Martineau

Part of the Furniture
Ah it was the uppercase that were causing the problem.
OK Thanks - probably you mean the 'lack of UPPERCASE' as used in all of the example WireGuard configurations published on the Internet (well all those that I have seen!)

Sorry for the inconvenience, I'll create a patch for wireguard_manager Beta v4.17b7 to allow DNS = specification to be case insensitive.
 
Last edited:

johndoe85

Regular Contributor
OK Thanks.

Sorry for the inconvenience, I'll create a patch for wireguard_manager Beta v4.17b7 to allow DNS = specification to be case insensitive.
Ok nice. Can i force DNS to go through my own DNS server?
I tried
Code:
peer wg11 dns=192.168.50.1
but i dont see any hits on webpages i visit in adguard.
Do i have to remove the other DNS records in the config?
Code:
 peer wg11 config
shows this
DNS = 192.168.50.1 2001:9b0:4:2601::53, 98.128.186.86, 155.4.89.136

The IPv6 record could stay i guess, since i don't have native ipv6 yet and im not gonna tunnel IPv6 (except what i get from the VPN)
 

chongnt

Very Senior Member
Ok nice. Can i force DNS to go through my own DNS server?
I tried
Code:
peer wg11 dns=192.168.50.1
but i dont see any hits on webpages i visit in adguard.
Do i have to remove the other DNS records in the config?
Code:
 peer wg11 config
shows this
DNS = 192.168.50.1 2001:9b0:4:2601::53, 98.128.186.86, 155.4.89.136

The IPv6 record could stay i guess, since i don't have native ipv6 yet and im not gonna tunnel IPv6 (except what i get from the VPN)
I use DNS = 192.168.1.1 in wg11.conf. 192.168.1.1 is my router ip.
In wgm, if you run peer wg11, what is the DNS show?
 

johndoe85

Regular Contributor
I use DNS = 192.168.1.1 in wg11.conf. 192.168.1.1 is my router ip.
In wgm, if you run peer wg11, what is the DNS show?
I changed the config file and re-imported it instead. Having my routers ip 192.168.50.1 as first DNS and then the other two IPv6 adresses that came with the config.
And it seems to be working.
 

Martineau

Part of the Furniture
Ok nice. Can i force DNS to go through my own DNS server?
I tried
Code:
peer wg11 dns=192.168.50.1
but i dont see any hits on webpages i visit in adguard.
Once imported, you should be able to update the DNS for 'nnn.nnn.nnn.nnn' and 'xxxx:xxxx:xxxx::nnnn' e.g. 192.168.1.1/1.1.1.1 and/or '2606:4700:4700::1111'
Code:
peer wg11 dns=nnn.nnn.nnn.nnn[,xxxx:xxxx:xxxx::nnnn]
then after a restart of the 'client' Peer, you can check Chain WGDNS1 for configuration/metrics...
Code:
e  = Exit Script [?]

E:Option ==> diag firewall
 
Last edited:

johndoe85

Regular Contributor
Once imported, you should be able to update the DNS for 'nnn.nnn.nnn.nnn' and 'xxxx:xxxx:xxxx::nnnn' e.g. 192.168.1.1/1.1.1.1 and/or '2606:4700:4700::1111'
Code:
peer wg11 dns=nnn.nnn.nnn.nnn[,xxxx:xxxx:xxxx::nnnn]
then you can check Chain WGDNS1 for configuration/metrics...
Code:
e  = Exit Script [?]

E:Option ==> diag firewall
Yeah i did that but the old DNS records where still there, just my router IP was added to that list.
 

johndoe85

Regular Contributor
i cannot connect to my server anymore tho after setting up the client.
And i ran this
Code:
peer wg21 passthru add wg11 all
and got this result
Code:
        [✔] Updated Passthru Routing rule for wg21


        WireGuard 'client' Peer needs to be restarted to implement '10.50.1.1/24' passthru
        Press y to restart 'client' Peer (wg11) or press [Enter] to SKIP.
y

        Requesting WireGuard VPN Peer restart (wg11)

        Restarting Wireguard 'client' Peer (wg11)

        WireGuard-clientwg11: WireGuard VPN 'client' Peer (wg11) to wireguard.5july.net:48574 (# N/A) Terminated
        WireGuard-clientwg11: Initialising WireGuard VPN 'client' Peer (wg11) to wireguard.5july.net:48574 (# N/A) DNS=192.168.50.1, 2001:9b1:8826::53, 2001:9b0:4:2601::53,
        WireGuard-clientwg11: Initialisation complete.

But it still does not work
 

Martineau

Part of the Furniture
Yeah i did that but the old DNS records where still there, just my router IP was added to that list.
Probably because the imported DNS list isn't recognised as CSV string with no embedded spaces
DNS = 192.168.50.1 2001:9b0:4:2601::53, 98.128.186.86, 155.4.89.136, but the actual DNS used will be the one saved/shown in the SQL database
Code:
e  = Exit Script [?]

E:Option ==> peer wg11
I'll add a patch in wireguard_manager Beta v4.17b7
 

johndoe85

Regular Contributor
Probably because the imported DNS list isn't recognised as CSV string with no embedded spaces
DNS = 192.168.50.1 2001:9b0:4:2601::53, 98.128.186.86, 155.4.89.136, but the actual DNS used will be the one saved/shown in the SQL database
Code:
e  = Exit Script [?]

E:Option ==> peer wg11
I'll add a patch in wireguard_manager Beta v4.17b7
Ok
Code:
E:Option ==> peer wg11

Client  Auto  IP                                          Endpoint                   DNS                                                    MTU  Annotate
wg11    Y     10.0.117.180/24,fdab:1337:1337:117::180/64  wireguard.5july.net:48574  192.168.50.1, 2001:9b1:8826::53, 2001:9b0:4:2601::53,       # N/A


Server  Client  Passthru
wg21    wg11    10.50.1.1/24

        WireGuard ACTIVE Peer Status: Clients 1, Servers 1
 

Martineau

Part of the Furniture
Ok
Code:
E:Option ==> peer wg11

Client  Auto  IP                                          Endpoint                   DNS                                                    MTU  Annotate
wg11    Y     10.0.117.180/24,fdab:1337:1337:117::180/64  wireguard.5july.net:48574  192.168.50.1, 2001:9b1:8826::53, 2001:9b0:4:2601::53,       # N/A


Server  Client  Passthru
wg21    wg11    10.50.1.1/24

        WireGuard ACTIVE Peer Status: Clients 1, Servers 1
I've uploaded wireguard_manager Beta v4.17b7

To Upgrade use:
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 

johndoe85

Regular Contributor
I've uploaded wireguard_manager Beta v4.17b7

To Upgrade use:
Code:
e  = Exit Script [?]

E:Option ==> uf dev
Ok i have upgraded. What do i need to do in order to make this work?
Do i need to redo the process of deleting wg11, re-import the .conf file and the passthru line?

EDIT:
Code:
E:Option ==> 6

        Requesting WireGuard® VPN Peer restart (wg21 wg11)

        Restarting Wireguard® 'server' Peer (wg21)
        wg_manager-serverwg21: WireGuard® VPN (IPv6) [fdab:1337:1337:117::180] 'Server' Peer (wg21) on 10.50.1.1:51820 (# RT-AX86U Server #1) Terminated

        wg_manager-serverwg21: Initialising WireGuard® VPN (IPv6) [fdab:1337:1337:117::180] 'Server' Peer (wg21) on 10.50.1.1:51820 (# RT-AX86U Server #1)
        wg_manager-serverwg21: Initialisation complete.

        WireGuard 'client' Peer needs to be restarted to refresh Passthru rules
        Press y to restart 'client' Peer (wg11) or press [Enter] to SKIP.
y

        wg_manager-clientwg11: WireGuard® VPN 'client' Peer (wg11) to wireguard.5july.net:48574 (# N/A) Terminated
        wg_manager-clientwg11: Initialising WireGuard® VPN 'client' Peer (wg11) to wireguard.5july.net:48574 (# N/A) DNS=192.168.50.1, 2001:9b1:8826::53, 2001:9b0:4:2601::53,
        wg_manager-clientwg11: Initialisation complete.

        Restarting Wireguard® 'client' Peer (wg11)

        wg_manager-clientwg11: WireGuard® VPN 'client' Peer (wg11) to wireguard.5july.net:48574 (# N/A) Terminated
        wg_manager-clientwg11: Initialising WireGuard® VPN 'client' Peer (wg11) to wireguard.5july.net:48574 (# N/A) DNS=192.168.50.1, 2001:9b1:8826::53, 2001:9b0:4:2601::53,
        wg_manager-clientwg11: Initialisation complete.

        WireGuard® ACTIVE Peer Status: Clients 1, Servers 1

I cannot connect to the VPN server after the reboot. Just as before.

I have deleted wg11 and re-imported it, redid
Code:
peer wg21 passthru add wg11 all
and restarted both server and client. Still cannot connect to the server. It cannot complete handshake it says.

Edit2: I deleted the server and tried to re-create it. But i get an error.
Code:
E:Option ==> create Samsung-S9 wg21 dns=local

        ***ERROR Invalid WireGuard® 'server' Peer 'wg21'


        WireGuard® ACTIVE Peer Status: Clients 1, Servers 0
 
Last edited:

chongnt

Very Senior Member
Recently I started using VPNMON-R2 script by @Viktor Jaep for NordVPN. While the script is mainly for openvpn, it seems NordVPN API is common and applicable to NordLynx wireguard implementation. This got me thinking if some of the feature like changing server based on server load or timed based randomly changing server endpoint can be applied here. What I noticed with NordVPN, the server public key remains the same for each country. The difference is the endpoint server ip.
@Martineau, I’m wondering how difficult it is to randomly changing the server endpoint? Is it feasible since new config have to be imported?
 

Martineau

Part of the Furniture
@Martineau, I’m wondering how difficult it is to randomly changing the server endpoint? Is it feasible since new config have to be imported?
IIRC, should the 'client' Peer Endpoint be defined using a DDNS reference (rather than a hard-coded IPv4/IPv6 address), then a cron job is scheduled
Code:
cru a WireGuard_ChkDDNSwg1X */5 * * * * /jffs/addons/wireguard/wg_ChkEndpointDDNS.sh wg1X
when the 'client' Peer is initialised.

The cron script currently ONLY monitors for a FAILED handshake and then blindly assumes the DDNS no longer resolves to the correct IPv4/IPv6 address, so requests the WireGuard Tool to dynamically resolve/update the Endpoint without the need to restart the 'client' Peer using a simple command
Code:
wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
NOTE: This is all theory having read the WireGuard notes written by Jason A. Donenfeld, so I've no idea if it actually works.

So, if you can monitor the throughput of an interface such as OpenVPN interface 'tun11' then the same monitoring should be able to be applied to WireGuard interface 'wg11' without modification

i.e. Old-Skool; simply stop the current 'client' Peer then start one of the other 'client' Peers currently defined in the database.
Code:
wgm stop wg1X;wgm start wg11X

(Think I have have had either ten or eleven 'client' Peers concurrently defined - (wg11 thru wg19, and wg111 and wg112) but never all concurrently ACTIVE)

NOTE: Whilst I use Mullvad/TorGuard I have no idea if either have an API to assist in identifying the optimum 'client' Peer Endpoint based on the 'client' Peer requirements - be they Time-of-Day, throughput/performance degradation or justifiable paranoia!
 
Last edited:

chongnt

Very Senior Member
IIRC, should the 'client' Peer Endpoint be defined using a DDNS reference (rather than a hard-coded IPv4/IPv6 address), then a cron job is scheduled
Code:
cru a WireGuard_ChkDDNSwg1X */5 * * * * /jffs/addons/wireguard/wg_ChkEndpointDDNS.sh wg1X
when the 'client' Peer is initialised.

The cron script currently ONLY monitors for a FAILED handshake and then blindly assumes the DDNS no longer resolves to the correct IPv4/IPv6 address, so requests the WireGuard Tool to dynamically resolve/update the Endpoint without the need to restart the 'client' Peer using a simple command
Code:
wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
NOTE: This is all theory having read the WireGuard notes written by Jason A. Donenfeld, so I've no idea if it actually works.

So, if you can monitor the throughput of an interface such as OpenVPN interface 'tun11' then the same monitoring should be able to be applied to WireGuard interface 'wg11' without modification

i.e. Old-Skool; simply stop the current 'client' Peer then start one of the other 'client' Peers currently defined in the database.
Code:
wgm stop wg1X;wgm start wg11X

(Think I have have had either ten or eleven 'client' Peers concurrently defined - (wg11 thru wg19, and wg111 and wg112) but never all concurrently ACTIVE)

NOTE: Whilst I use Mullvad/TorGuard I have no idea if either have an API to assist in identifying the optimum 'client' Peer Endpoint based on the 'client' Peer requirements - be they Time-of-Day, throughput/performance degradation or justifiable paranoia!

I have always use endpoint IP and didn’t realized the presence of this wg_ChkEndpointDDNS.sh script.

Handshake has been a good indicator of active peering but end of last year the server that I peer to acting up, intermittently dropping packets during certain hours of the day. It gets worse because I bind unbound DNS to this tunnel. Handshake is still successful at that time. Taking the unbound binding script logic that only bind DNS to tunnel after successful ping test, I apply a watchdog to ping over wg tunnel periodically to verify the tunnel is indeed operational up. Based on the operational state, I apply or remove RPDB ip rule of my devices. I have active openvpn tunnel on lower priority connected to a different vpn server acting as hot standby. In case ping test failed over wg tunnel and higher priority rule is withdrawn, all devices will failover to openvpn tunnel. I will explore to have different wg tunnel as standby.

I just test the wg set command with a new endpoint ip. It didn’t throw any error but still connected to the original endpoint server even after I restart wg client. I suppose this is not written into the db?

You sum it up the API nicely. For me it is more towards the later. :) NordVPN API able to give least busy server name and it’s ip upon query.
 

chongnt

Very Senior Member
I guess this is unnecessary… In my scenario, ip rules will be applied once ping over wg tunnel is passed. Traffic is automatically reverted to wg tunnel as it has higher priority. I’m thinking to add some sort of hold timer. I have watchdog that run ping test every minute. Say the tunnel has flapped three times within the last 10 minutes, I will wait for 10 minutes (10 continuous ping pass) before apply the rules again. If it happen again within a day then double the hold timer. :D
 

Martineau

Part of the Furniture
I just test the wg set command with a new endpoint ip. It didn’t throw any error but still connected to the original endpoint server even after I restart wg client. I suppose this is not written into the db?
wg set $INTERFACE peer $PUBLIC_KEY endpoint $ENDPOINT is designed to work where a DDNS name is defined for the Endpoint, so effectively nothing has to be changed in the '.conf'/SQL database as the DDNS name remains static, but the actual IP address it resolves to can legitimately change.
 

johndoe85

Regular Contributor
What is wrong with this one?
Code:
E:Option ==> create Samsung-S9 wg21 dns=local

        ***ERROR Invalid WireGuard® 'server' Peer 'wg21'

Code:
E:Debug mode enabledOption ==> create Samsung-S9 wg21 dns=local
+ + sed s/^[ \t]*//;s/[ \t]*$//
printf %s create Samsung-S9 wg21 dns=local
+ menu1=create Samsung-S9 wg21 dns=local
+ Validate_User_Choice create Samsung-S9 wg21 dns=local
+ local menu1=create Samsung-S9 wg21 dns=local
+ [ Y == Y ]
+ echo create Samsung-S9 wg21 dns=local
+ menu1=create Samsung-S9 wg21 dns=local
+ Process_User_Choice create Samsung-S9 wg21 dns=local
+ local menu1=create Samsung-S9 wg21 dns=local
+ echo create Samsung-S9 wg21 dns=local
+ awk {print $1}
+ local ACTION=create
+ local ARG=
+ echo create Samsung-S9 wg21 dns=local
+ wc -w
+ [ 4 -ge 2 ]
+ printf+  %scut create Samsung-S9 wg21 dns=local
 -d  -f2
+ local ARG=Samsung-S9
+ [ Samsung-S9 == help ]
+ echo Samsung-S9
+ tr -cd "'
+ [ -z  ]
+ Create_RoadWarrior_Device create Samsung-S9 wg21 dns=local
+ local DEVICE_NAME=Samsung-S9
+ local DEVICE_USE_IPV6=N
+ echo create Samsung-S9 wg21 dns=local
+ sed -n s/^.*tag=//p
+ awk {print $0}
+ local TAG=
+ echo create Samsung-S9 wg21 dns=local
+ sed -n s/^.*ips=//p
+ awk {print $0}
+ local ADD_ALLOWED_IPS=
+ echo create Samsung-S9 wg21 dns=local
+ sed -n s/^.*dns=//p
+ awk {print $0}
+ local DNS_RESOLVER=local
+ [ local == push ]
+ [ local == local ]
+ local PUSHDNS=Y
+ local DNS_RESOLVER=
+ echo create Samsung-S9 wg21 dns=local
+ sed -n s/^.*port=//p
+ awk {print $0}
+ local REMOTE_LISTEN_PORT=
+ local SERVER_PEER=
+ local PEER_TOPOLOGY=device
+ [ 4 -gt 0 ]
+ ACTION=create
+ shift
+ [ 3 -gt 0 ]
+ shift
+ [ 2 -gt 0 ]
+ SERVER_PEER=wg21
+ shift
+ [ 1 -gt 0 ]
+ shift
+ [ 0 -gt 0 ]
+ [ -z wg21 ]
+ [ -z wg21 ]
+ [ -z wg21 ]
+ [ -f /opt/etc/wireguard.d/wg21.conf ]
+ echo -e \e[91m\a\n\t***ERROR Invalid WireGuard® 'server' Peer 'wg21'\n\e[0m

        ***ERROR Invalid WireGuard® 'server' Peer 'wg21'

+ return 1
+ set +x
 
Last edited:

Martineau

Part of the Furniture
Handshake has been a good indicator of active peering but end of last year the server that I peer to acting up, intermittently dropping packets during certain hours of the day. In my scenario, ip rules will be applied once ping over wg tunnel is passed. Traffic is automatically reverted to wg tunnel as it has higher priority. I’m thinking to add some sort of hold timer. I have watchdog that run ping test every minute. Say the tunnel has flapped three times within the last 10 minutes, I will wait for 10 minutes (10 continuous ping pass) before apply the rules again. If it happen again within a day then double the hold timer.
Commercial VPN providers have a lot to answer for when a paid subscription service is erratic either by design or simply oversubscribed etc.

Clearly you have needed to engineer a sophisticated resilient VPN environment...auto fallback to OpenVPN when WireGuard fails! - most impressive :cool:

....although I haven't noticed any blips with either the Mullvad nor TorGuard WireGuard tunnels that I use but DNS issues could have occurred although I don't bind Unbound thru' either vendor.

P.S. I have now implemented (locally for as yet unpublished Beta v4.17b8) a new command to allow modification of the Endpoint (updates both the '.conf' and SQL database) to save having to delete/re-import.
Code:
e  = Exit Script [?]

E:Option ==> peer wg17 endpoint=wot:1224

    [✔] Updated 'client' Peer Endpoint

Client  Auto  IP              Endpoint     DNS      MTU   Annotate
wg17    N     10.13.55.61/24  wot:1234     1.1.1.1  1292  # TorGuard USA, Miami
 
Last edited:

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top