Wireguard Session Manager - Discussion (3rd) thread

well, it is kinda flooded with the tuple, but i did not do anything to fight it as it does not affect anything it seems, i don't think syslog is writing to flash memory and would kill the device like older tesla S did, right?
So i did set this
[Attached image: 1659298392376.png]

mainly in hopes i will forget this setting when i need to debug something later :D
 
i don't think syslog is writing to flash memory and would kill the device like older tesla S did, right?
Nope, it's in /tmp/syslog.log so it's in the RAM portion.

You could try to change log level to "error" and see if it goes away if you don't want to install Scribe to filter them out.

Edit: ooh, maybe I misunderstood. Setting it to "warning" made it disappear? Sounds like a reasonable log-level to me.
 
well yes, it is gone if i set it to warning

but i noticed another issue now, if i restart the router, i need to go into amtm > wg and do reset otherwise even if VPN is up traffic is not routed from other site to the local machines on the asus
 
well yes, it is gone if i set it to warning

but i noticed another issue now, if i restart the router, i need to go into amtm > wg and do reset otherwise even if VPN is up traffic is not routed from other site to the local machines on the asus
Ok... guess you mean restart and not reset?

Did you set the peer to auto=S?
 
Code:
E:Option ==> 8

        Peers (Auto start: Auto=P - Policy, Auto=S - Site-to-Site)
Server  Auto  Subnet        Port   Annotate
wg21    Y     10.50.1.1/24  51820  # RT-AX68U Server #1
wg22    S     10.9.8.1/32   61820  #  - 192.168.50.0/24


        Peers (Auto=X - External i.e. Cell/Mobile/Site)
Device  Auto  IP           DNS  Allowed IPs                   Annotate
Cabin     X     10.9.8.2/32       10.9.8.1/32, 192.168.50.0/24  #  Site-to-Site LAN 19

Code:
E:Option ==> 8 Cabin auto=S

        ***ERROR 'device' Peer 'Cabin' does not support 'auto=S'
 
Only wg_manager 'server' Peers can have auto=s (means always listen for unsolicited inbound site-connection requests @ BOOT etc.)

i.e. remote 'device'/'site' Peers etc. cannot be auto-started from the local Home site, but on remote Cabin you can set the appropriate 'server' Peer wg2x auto=s to always listen @ BOOT for site-connection requests from the Home site.
 
uf dev output:
[Attachment 43194]

I did try firefox, as I think it is only remaining non chromium browser, but same, this is in console
[Attachment 43196]

I guess it should be plus empty string or no plus at all?
[Attachment 43197]
Many thanks for the following WebUI bug report.

[Attached image: 1659341391332.png]


I've uploaded WebUI Beta v1.04

To upgrade use
Code:
e  = Exit Script [?]

E:Option ==> uf dev

As for the missing '/jffs/addons/wireguard' files

[Attached image: 1659341519124.png]

...not 100% sure why they would be missing.:confused:

After upgrading the WebUI, can you post the output of
Bash:
ls -l /jffs/addons/wireguard/
 
Code:
admin@asusAX68U:/tmp/home/root# ls -l /jffs/addons/wireguard/
-rw-rw-rw-    1 admin    root         11638 Aug  1 10:53 Help.md
-rw-rw-rw-    1 admin    root            72 Aug  1 10:53 UDP_Updater.md5
-rwxrwxrwx    1 admin    root          4219 Aug  1 10:52 UDP_Updater.sh
-rw-rw-rw-    1 admin    root          3861 Jul 30 20:47 WireguardVPN.conf
-rw-rw-rw-    1 admin    root            42 Aug  1 10:53 config.htm
-rw-rw-rw-    1 admin    root            79 Aug  1 10:53 wg_ChkEndpointDDNS.md5
-rwxrwxrwx    1 admin    root          8456 Aug  1 10:52 wg_ChkEndpointDDNS.sh
-rwxrwxrwx    1 admin    root         71042 Aug  1 10:52 wg_client
-rw-rw-rw-    1 admin    root            67 Aug  1 10:53 wg_client.md5
-rw-rw-rw-    1 admin    root         62444 Aug  1 10:53 wg_manager.asp
-rw-rw-rw-    1 admin    root            71 Aug  1 10:53 wg_manager.md5
-rwxrwxrwx    1 admin    root        445089 Aug  1 10:52 wg_manager.sh
-rwxrwxrwx    1 admin    root         33883 Aug  1 10:52 wg_server
-rw-rw-rw-    1 admin    root            67 Aug  1 10:53 wg_server.md5
-rw-rw-rw-    1 admin    root            68 Aug  1 10:53 wgmExpo.md5
-rwxrwxrwx    1 admin    root          3508 Aug  1 10:53 wgmExpo.sh
-rw-rw-rw-    1 admin    root            36 Aug  1 10:53 www-installed.md5

i still don't totally understand the autostart thing, but i guess it means with WGM other side should try to reconnect when connection is lost basically?

I did have entware busybox installed (i was trying strongswan ipsec before) and then uninstalled it, so that is probably why something is missing.

Web UI is fixed now, thank you.
 
Well the 'missing' files now seem to be intact......presumably there were no errors reported when executing uf dev
i still don't totally understand the autostart thing, but i guess it means with WGM other side should try to reconnect when connection is lost basically?
If you decide not to use wg_manager, i.e. you opt to use wg-quick instead, then you would have to decide how/when you would issue wg-quick up xxxx for each of your WireGuard interfaces.

The auto= flag is a convenient method used by wg_manager to selectively control the UP state of the defined WireGuard interfaces (on an individual basis) during the BOOT process

i.e. when wgm start is issued rather than controlling the auto-reconnect (WireGuard is a routing protocol)

Web UI is fixed now, thank you.
:)
 
but i noticed another issue now, if i restart the router, i need to go into amtm > wg and do reset otherwise even if VPN is up traffic is not routed from other site to the local machines on the asus
I've heard this before, recently:
https://www.snbforums.com/threads/session-manager-discussion-3rd-thread.78317/post-777184
and
https://www.snbforums.com/threads/session-manager-discussion-3rd-thread.78317/post-777872

Wonder what's up with all this, and why now... maybe something changed in firmware recently.

I'm circling back to my statement that only having wg_firewall executed from firewall-start may not be enough?

What if you put this in nat-start as well:

/jffs/scripts/nat-start
Code:
/jffs/addons/wireguard/wg_firewall # Wireguard
 
Nope, it still reported files as missing :)
Can you issue:
Bash:
e  = Exit Script [?]

E:Option ==> debug
Bash:
e  = Exit Script [?]

E:Debug mode enabledOption ==> ?
and post the output

Remember to turn debugging OFF
Bash:
e  = Exit Script [?]

E:Debug mode enabledOption ==> debug
 
I'm circling back to my statement that only having wg_firewall executed from firewall-start may not be enough?
What if you put this in nat-start as well:

/jffs/scripts/nat-start
Code:
/jffs/addons/wireguard/wg_firewall # Wireguard
....and risk the wrath/ire of some zealot? :D

Perhaps posting Syslog detailing the sequence of events would be better .....might show if there is a timing issue on the RT-AX68U or unexpected multiple concurrent events?
Code:
RT-AX86U WAN_Connection: WAN(0) link down.
RT-AX86U WAN_Connection: WAN(0) link up.

RT-AX86U rc_service: wanduck 1442:notify_rc restart_wan_if 0
RT-AX86U custom_script: Running /jffs/scripts/service-event (args: restart wan_if)
RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 stopping)
RT-AX86U (wan-event): 29846 Script not defined for wan-event: wan0-stopping
RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 disconnected)
RT-AX86U dnsmasq[3930]: read /etc /hosts - 11 addresses
RT-AX86U dnsmasq[3930]: using nameserver 192.168.0.1#53 for domain Home
RT-AX86U dnsmasq[3930]: using nameserver 192.168.0.1#53
RT-AX86U (wan-event): 29873 Script not defined for wan-event: wan0-disconnected
RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 stopped)
RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 stopped)
RT-AX86U (wan-event): 29881 Script not defined for wan-event: wan0-stopped
RT-AX86U (wan-event): 29886 Script not defined for wan-event: wan0-stopped
RT-AX86U 6relayd[3398]: Termination requested by signal.
RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 init)
RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 connecting)
RT-AX86U (wan-event): 29939 Script not defined for wan-event: wan0-init
RT-AX86U custom_script: Running /jffs/scripts/service-event-end (args: restart wan_if)
RT-AX86U (wan-event): 29946 Script not defined for wan-event: wan0-connecting
RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 disconnected)
RT-AX86U dnsmasq[3930]: read /etc /hosts - 11 addresses
RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 stopped)
RT-AX86U (wan-event): 29958 Script not defined for wan-event: wan0-disconnected
RT-AX86U (wan-event): 29960 Script not defined for wan-event: wan0-stopped
RT-AX86U rc_service: udhcpc_wan 29982:notify_rc start_rdisc6
RT-AX86U rc_service: udhcpc_wan 29982:notify_rc start_dhcp6c
RT-AX86U rc_service: waitting "start_rdisc6" via udhcpc_wan ...
RT-AX86U custom_script: Running /jffs/scripts/service-event (args: start rdisc6)
RT-AX86U custom_script: Running /jffs/scripts/service-event-end (args: start rdisc6)
RT-AX86U custom_script: Running /jffs/scripts/wan-event (args: 0 connected)
RT-AX86U custom_script: Running /jffs/scripts/service-event (args: start dhcp6c)
RT-AX86U (wan-event): 30025 Script not defined for wan-event: wan0-connected
RT-AX86U custom_script: Running /jffs/scripts/service-event-end (args: start dhcp6c)


RT-AX86U custom_script: Running /jffs/scripts/firewall-start (args: eth0)


RT-AX86U dnsmasq[3930]: read /etc /hosts - 11 addresses
RT-AX86U dnsmasq[3930]: using nameserver 192.168.0.1#53 for domain Home
RT-AX86U dnsmasq[3930]: using nameserver 192.168.0.1#53

RT-AX86U (wg_firewall): 30091 Checking if WireGuard® VPN Peer KILL-Switch is required.....
RT-AX86U (wg_firewall): 30091 Restarting WireGuard® to reinstate RPDB/firewall rules

RT-AX86U wan: finish adding multi routes
RT-AX86U miniupnpd[3840]: shutting down MiniUPnPd
RT-AX86U (wg_manager.sh): 30122 v4.19b2 Requesting WireGuard® VPN Peer stop (wg14 wg21)
RT-AX86U (wg_manager.sh): 30122 v4.19b2 Requesting termination of WireGuard® VPN 'server' Peer ('wg21')

RT-AX86U WAN_Connection: WAN was restored.

RT-AX86U dnsmasq[3930]: read /etc /hosts - 11 addresses
RT-AX86U dnsmasq[3930]: using nameserver 192.168.0.1#53 for domain Home
RT-AX86U dnsmasq[3930]: using nameserver 192.168.0.1#53
RT-AX86U wg_manager-serverwg21: WireGuard® VPN 'server' Peer (wg21) on 10.50.1.1:51820 Terminated
RT-AX86U (wg_manager.sh): 30122 v4.19b2 Requesting termination of WireGuard® VPN 'client' Peer ('wg14')
RT-AX86U (wg_manager.sh): 30122 wg14:[97m transfer: 253.64 MiB received, 141.21 MiB sent        [97m0 Days, 17:52:38 since [92mSun Jul 31 19:00:18 2022[0m >>>>>>[91m Mon Aug 1 12:52:56 2022 [0m
RT-AX86U (wg_manager.sh): 30122 wg14: period : 22.30 MiB received, 8.94 MiB sent (Rx=23383245;Tx=9374269)
RT-AX86U wg_manager-clientwg14: WireGuard® VPN 'client' Peer (wg14) to 146.70.51.98:1443 (# TorGuard USA, Miami) Terminated
RT-AX86U (wg_manager.sh): 31324 v4.19b2 Requesting WireGuard® VPN Peer start (wg11 wg14 wg21)
RT-AX86U (wg_manager.sh): 31324 v4.19b2 Initialising Wireguard® VPN 'server' Peer (wg21)
RT-AX86U wg_manager-serverwg21: Initialising WireGuard® VPN (IPv6) [2a02:c7e:3f0b:e800:3e7c:3fff:fe6c:22b0] 'Server' Peer (wg21) on 10.50.1.1:51820
RT-AX86U wg_manager-serverwg21: Initialisation complete.
RT-AX86U (wg_manager.sh): 31324 v4.19b2 Initialising Wireguard® VPN 'client' Peer (wg11)
RT-AX86U wg_manager-clientwg11: Initialising WireGuard® VPN client Peer (wg11) to 86.106.143.93:51820 (# Mullvad USA, New York)
RT-AX86U miniupnpd[578]: HTTP listening on port 43721
RT-AX86U miniupnpd[578]: Listening for NAT-PMP/PCP traffic on port 5351
RT-AX86U rc_service: udhcpc_wan 29982:notify_rc stop_samba
RT-AX86U rc_service: udhcpc_wan 29982:notify_rc start_samba
RT-AX86U rc_service: waitting "stop_samba" via udhcpc_wan ...
RT-AX86U custom_script: Running /jffs/scripts/service-event (args: stop samba)
RT-AX86U wsdd2[3955]: Terminated received.
RT-AX86U wsdd2[3955]: terminating.
RT-AX86U wg_manager-clientwg11: Initialisation complete.
RT-AX86U Samba_Server: smb daemon is stopped
RT-AX86U custom_script: Running /jffs/scripts/service-event-end (args: stop samba)
RT-AX86U miniupnpd[578]: private/reserved address 192.168.0.48 is not suitable for external IP
RT-AX86U (wg_manager.sh): 31324 v4.19b2 Initialising Wireguard® VPN 'client' Peer (wg14)
RT-AX86U wg_manager-clientwg14: Initialising WireGuard® VPN client Peer (wg14) to 146.70.51.98:1443 (# TorGuard USA, Miami)
RT-AX86U dhcp_client: bound 192.168.0.48/255.255.255.0 via 192.168.0.1 for 86400 seconds.
RT-AX86U custom_script: Running /jffs/scripts/service-event (args: start samba)
RT-AX86U dnsmasq[3930]: exiting on receipt of SIGTERM
RT-AX86U custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
RT-AX86U custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
RT-AX86U dnsmasq[961]: started, version 2.85 cachesize 1500
RT-AX86U dnsmasq[961]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-auth cryptohash DNSSEC no-ID loop-detect no-inotify no-dumpfile
RT-AX86U dnsmasq[961]: warning: interface br2 does not currently exist
RT-AX86U dnsmasq[961]: warning: interface br1 does not currently exist
RT-AX86U dnsmasq[961]: warning: interface pptp* does not currently exist
RT-AX86U dnsmasq[961]: asynchronous logging enabled, queue limit is 5 messages
RT-AX86U dnsmasq-dhcp[961]: DHCP, IP range 192.168.102.2 -- 192.168.102.254, lease time 1d
RT-AX86U dnsmasq-dhcp[961]: DHCP, IP range 192.168.101.2 -- 192.168.101.254, lease time 1d
RT-AX86U dnsmasq-dhcp[961]: DHCP, IP range 192.168.55.2 -- 192.168.55.254, lease time 1d
RT-AX86U dnsmasq[961]: read /etc /hosts - 11 addresses
RT-AX86U dnsmasq[961]: using nameserver 192.168.0.1#53 for domain Home
RT-AX86U dnsmasq[961]: using nameserver 192.168.0.1#53
RT-AX86U Samba_Server: daemon is started
RT-AX86U custom_script: Running /jffs/scripts/service-event-end (args: start samba)
RT-AX86U wsdd2[1040]: starting.
RT-AX86U wg_manager-clientwg14: Initialisation complete.
 
Code:
E:Debug mode enabledOption ==> ?
+ + sed s/^[ \t]*//;s/[ \t]*$//
printf %s ?
+ menu1=?
+ Validate_User_Choice ?
+ local menu1=?
+ [ Y == Y ]
+ echo ?
+ menu1=?
+ Process_User_Choice ?
+ local menu1=?
+ echo ?
+ awk {print $1}
+ local ACTION=?
+ Show_Info_HDR
+ echo ?
+ awk {print $1}
+ local ACTION=?
+ local CHANGELOG=\e[0m(\e[96mChange Log: \e[93mhttps://github.com/MartineauUK/wireguard/commits/main/wg_manager.sh\e[0m)
+ echo v4.19b2+ grep b

+ [ -n v4.19b2 ]
+ local CHANGELOG=\e[0m(\e[96mChange Log: \e[93mhttps://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh\e[0m)
+ echo -e \e[97m\n\tRouter\e[95m RT-AX68U \e[0mFirmware \e[95m(v386.7_2)

        Router RT-AX68U Firmware (v386.7_2)
+ [ -f /opt/etc/entware_release ]
+ [ -f /opt/etc/entware_release ]
+ grep -E ^arch /opt/etc/entware_release
+ echo -e \e[92m\n\t[✔]\e[97m Entware Architecture\e[95m arch=aarch64\n\e[0m

        [✔] Entware Architecture arch=aarch64

+ echo -e \e[95m\n\tv4.19b2\e[97m WireGuard® Session Manager \e[0m(\e[96mChange Log: \e[93mhttps://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh\e[0m)\e[0m

        v4.19b2 WireGuard® Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
+ [ -d /jffs/addons/wireguard/ ]
+ Show_MD5 script
+ local TYPE=script
+ [ script == script ]
+ awk {print $0} /jffs/addons/wireguard/wg_manager.md5
+ echo -e \e[96m\tMD5=3191daf23c180527dbad985ba624d6cc /jffs/addons/wireguard/wg_manager.sh
        MD5=3191daf23c180527dbad985ba624d6cc /jffs/addons/wireguard/wg_manager.sh
+ grep+ awk -F" {print $2}
-E ^VERSION= /jffs/addons/wireguard/wg_client
+ local AVERSION=v4.17.9
+ echo -e \e[95m\n\t\tv4.17.9\e[97m (\e[96mwg_client\e[0m)

                v4.17.9 (wg_client)
+ grep+ awk -F" {print $2}
-E ^VERSION= /jffs/addons/wireguard/wg_server
+ local AVERSION=v4.17.1
+ echo -e \e[95m\t\tv4.17.1\e[97m (\e[96mwg_server\e[0m)
                v4.17.1 (wg_server)
+ Show_Info
+ [ -f /usr/sbin/wg ]
+ modprobe --show-depends wireguard
+ awk {print $2}
+ local FPATH=/lib/modules/4.1.52/kernel/net/wireguard/wireguard.ko
+ strings /lib/modules/4.1.52/kernel/net/wireguard/wireguard.ko
+ cut -d= -f2
+ grep ^version
+ local FVERSION=1.0.20210124
+ which wg
+ [ /usr/sbin/wg != /opt/bin/wg ]
+ echo -e \e[92m\n\t[✔]\e[97m WireGuard® Kernel module/User Space Tools included in Firmware\e[31m (1.0.20210124)\n\e[0m

        [✔] WireGuard® Kernel module/User Space Tools included in Firmware (1.0.20210124)

+ which wg
+ [ /usr/sbin/wg == /opt/bin/wg ]
+ [ -f /tmp/menuTree.js ]
+ grep -i WireGuard® Manager /tmp/menuTree.js
+ [ -n {url: "user4.asp", tabName: "WireGuard® Manager"}, ]
+ echo -e \e[92m\n\t[✔]\e[97m WebUI Addon Enabled\e[0m

        [✔] WebUI Addon Enabled
+ echo -e \e[0m

+ DNSmasq_Listening_WireGuard_Status
+ grep -F wg* /etc/dnsmasq.conf
+ [ -z interface=wg*     # WireGuard ]
+ echo -e \e[92m\t[✔]\e[97m DNSmasq \e[92mis listening on ALL WireGuard® interfaces 'wg*'\n\e[0m
        [✔] DNSmasq is listening on ALL WireGuard® interfaces 'wg*'

+ [ -f /jffs/scripts/firewall-start ]
+ grep -i wireguard /jffs/scripts/firewall-start
+ [ -z /jffs/addons/wireguard/wg_firewall            # WireGuard ]
+ echo -e \e[92m\t[✔]\e[97m firewall-start \e[92mis monitoring WireGuard® Firewall rules\n\e[0m
        [✔] firewall-start is monitoring WireGuard® Firewall rules

+ [ -f /jffs/addons/wireguard/WireguardVPN.conf ]
+ grep -E ^NOMENU /jffs/addons/wireguard/WireguardVPN.conf
+ [ -n  ]
+ [ -f /jffs/addons/wireguard/WireguardVPN.conf ]
+ grep -F Y_
+ Manage_KILL_Switch
+ local ACTION=
+ local SILENT=N
+ local TEMP_PERM=temporarily
+ Get_WAN_IF_Name
+ ip route
+ awk /^default/{print $NF}
+ local IF_NAME=eth0
+ nvram get wan0_ifname
+ local IF_NAME=eth0
+ nvram get wan0_gw_ifname
+ [ eth0 != eth0 ]
+ nvram get wan0_pppoe_ifname
+ [ ! -z  ]
+ echo eth0
+ local WAN_IF=eth0
+ [ -n  ]
+ iptables -nvL+ grep WireGuard KILL-Switch
FORWARD
+ [ -n  ]
+ STATUS=N
+ echo N_temporarily
+ echo N_temporarily
+ [ -n  ]
+ local TEMP_PERM=temporarily
+ grep -oE ^KILLSWITCH /jffs/addons/wireguard/WireguardVPN.conf
+ [ -z  ]
+ local TEMP_PERM=
+ echo -e \e[31m\t[✖]\e[97m WAN \e[92mKILL-Switch is \e[91m\e[7mDISABLED\e[0m (use 'vx' command for info)
        [✖] WAN KILL-Switch is DISABLED (use 'vx' command for info)
+ Manage_UDP_Monitor
+ local TYPE=
+ local ACTION=
+ local WATCH=
+ [ -z  ]
+ WATCH=&
+ date +%Y%m%d-%H%M%S
+ local TS=20220801-155058
+ [ -n  ]
+ pidof UDP_Monitor.sh
+ [ -n  ]
+ pidof UDP_Updater.sh
+ [ -n  ]
+ echo -e N
+ [ N == Y ]
+ echo -e \e[31m\t[✖]\e[97m UDP \e[92mmonitor is \e[91mDISABLED\e[0m
        [✖] UDP monitor is DISABLED
+ Manage_FC ?
+ local STATUS=
+ which fc
+ [ /bin/fc == /bin/fc ]
+ fc status
+ grep Flow Learning Enabled
+ [ -n  Flow Learning Enabled : Max<16383>, Active<168>, Cummulative [ 66208 - 66040 ] ]
+ local STATUS=\tFlow Cache Enabled
+ echo \tFlow Cache Enabled
+ local FC_STATUS=\tFlow Cache Enabled
+ echo -e \e[92m\n\t[✔]\e[97m Flow Cache \e[92mis ENABLED\e[0m

        [✔] Flow Cache is ENABLED
+ nvram get ipv6_service
+ [ disabled == disabled ]
+ echo -e \e[91m\n\t[✖]\e[97m IPv6 Service is \e[91mDISABLED\e[0m

        [✖] IPv6 Service is DISABLED
+ wget -O - -q http://ip4.me/api+ sed s/,Remain.*$//

+ echo -e \e[92m\t[ℹ ] \e[97mIPv4,46.xxx,v1.1,,,See http://ip6.me/docs/ for api documentation
        [ℹ ] IPv4,46.xxx,v1.1,,,See http://ip6.me/docs/ for api documentation
+ Get_WAN_IF_Name
+ ip route
+ awk /^default/{print $NF}
+ local IF_NAME=eth0
+ nvram get wan0_ifname
+ local IF_NAME=eth0
+ nvram get wan0_gw_ifname
+ [ eth0 != eth0 ]
+ nvram get wan0_pppoe_ifname
+ [ ! -z  ]
+ echo eth0
+ local WAN_IF=eth0
+ cat /proc/sys/net/ipv4/conf/eth0/rp_filter
+ local VAL=1
+ [ 1 == 1 ]
+ STATE=ENABLED
+ echo -e \e[92m\n\t[✔] \e[97mReverse Path Filtering\e[92m ENABLED\n\e[0m

        [✔] Reverse Path Filtering ENABLED

+ [ -f /jffs/addons/wireguard/WireguardVPN.conf ]
+ grep -E ^NOTCPMSS /jffs/addons/wireguard/WireguardVPN.conf
+ [ -n  ]
+ [ -f /jffs/addons/wireguard/WireguardVPN.conf ]
+ grep -E ^NOSETXMARK /jffs/addons/wireguard/WireguardVPN.conf
+ [ -n  ]
+ [ -f /jffs/addons/wireguard/WireguardVPN.conf ]
+ grep -E ^NOIP[Vv]6 /jffs/addons/wireguard/WireguardVPN.conf
+ [ -n  ]
+ [ -f /jffs/addons/wireguard/WireguardVPN.conf ]
+ grep -oE USE_ENTWARE_KERNEL_MODULE /jffs/addons/wireguard/WireguardVPN.conf
+ [ -n USE_ENTWARE_KERNEL_MODULE ]
+ [ -f /usr/sbin/wg ]
+ grep -oE ^USE_ENTWARE_KERNEL_MODULE /jffs/addons/wireguard/WireguardVPN.conf
+ [ -n  ]
+ echo -e \e[91m\t[✖]\e[97m Use 3rd-party Entware/Userspace Tools \e[92mmodules is \e[91mDENIED\n\e[0m
        [✖] Use 3rd-party Entware/Userspace Tools modules is DENIED

+ cru l
+ grep ChkDDNS
+ wc -l
+ [ 0 -gt 0 ]
+ + grep -E wg_manager.*trimdb
cru l
+ wc -l
+ [ 1 -gt 0 ]
+ awk /wg_manager.sh trimdb/ {print $9}
+ cru l
+ + awk /wg_manager.sh trimdb/ {print $1" "$2" "$3" "$4" "$5}
cru l
+ + awk /wg_manager.sh trimdb/ {print $8}
cru l
+ echo -e \e[92m\t[✔] \e[97mCron schedule \e[92m#WireGuard_DB# (0 7 * * 6)\e[97m to trim older than \e[92m99 days\e[97m from WireGuard® SQL Database \e[92mENABLED\n\e[0m
        [✔] Cron schedule #WireGuard_DB# (0 7 * * 6) to trim older than 99 days from WireGuard® SQL Database ENABLED

+ [ ReadLine == ReadLine ]
+ echo -e \e[92m\t[✔]\e[97m Use of 'Pg-Up' Key \e[92mfor command retrieval is ENABLED\n\e[0m
        [✔] Use of 'Pg-Up' Key for command retrieval is ENABLED

+ Manage_Stats
+ local ACTION=
+ local STATUS=0
+ cru l
+ grep WireGuard
+ [ -n 59 * * * * /jffs/addons/wireguard/wg_manager.sh generatestats #WireGuard#
0 7 * * 6 /jffs/addons/wireguard/wg_manager.sh trimdb 99 #WireGuard_DB# ]
+ local TXT=\e[92m\t[✔] \e[97mStatistics gathering is \e[92mENABLED\e[0m
+ STATUS=1
+ echo -e \e[92m\t[✔] \e[97mStatistics gathering is \e[92mENABLED\e[0m
        [✔] Statistics gathering is ENABLED
+ return 1
+ echo -e \e[92m\n\t[ℹ ] \e[0mSpeedtest link\e[93m https://fast.com/en/gb/ \n\e[0m

        [ℹ ] Speedtest link https://fast.com/en/gb/

+ echo -e \e[92m\t[ℹ ] \e[0mIPv6 Test link\e[93m https://ipv6-test.com/ \n\e[0m
        [ℹ ] IPv6 Test link https://ipv6-test.com/

+ echo -e \e[92m\t[ℹ ] \e[0mWireGuard© Official Site \e[93mhttps://www.wireguard.com/ \n\e[0m
        [ℹ ] WireGuard© Official Site https://www.wireguard.com/

+ echo -e \e[92m\t[ℹ ] \e[0m@ZebMcKayhan's\e[92m Hint's and Tips Guide\e[93m https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#table-of-content \n\e[0m
        [ℹ ] @ZebMcKayhan's Hint's and Tips Guide https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#table-of-content

+ [ -f /opt/etc/init.d/S50wireguard ]
+ set +x

        WireGuard® ACTIVE Peer Status: Clients 0, Servers 2

I will try syslog thing later, simply rebooting asus router did not result in wg noc becoming connected, yesterday i needed to shut down power in the house to do some electrical work, i will try longer disconnection sometime later and post log (i set system log to log debug level and more)
 
I will try syslog thing later, simply rebooting asus router did not result in wg noc becoming connected, yesterday i needed to shut down power in the house to do some electrical work
Interesting... I suppose your fibre media-converter / modem / gateway / whatever also lost power. What if this device boots slower than your router (I know mine is indeed slower)? That would mess up the timing of things (and fits with a previous reported problem).
What if you just reboot your media-converter / modem / gateway / whatever while leaving the asus router running. Will you break site2site connection then?

...and risk the wrath/ire of some zealot?
After dealing with my wife I can't imagine this to be any worse.
 
Ooh, 3 sites.... dunno if wgm is capable of this (@Martineau?).
If a Site-to-Site configuration say 'Home' to 'Cabin' was successfully created, then the following command should create 'SiteC' and bind it to 'Home'
Bash:
site2site add Home SiteC lan=172.16.3.3
but sadly there are a couple of typos, so it doesn't actually fully work, so it is probably quicker to simply manually replicate (using copy'n'paste) the 'Cabin site' section in Home.conf as 'SiteC' etc.

I'll see if I can generate a quick patch for Beta 4.19b3
 
Interesting... I suppose your fibre media-converter / modem / gateway / whatever also lost power. What if this device boots slower than your router (I know mine is indeed slower)? That would mess up the timing of things (and fits with a previous reported problem).
still good, maybe it was just a fluke; I will report if (not when) it happens again, i still need to install one breaker i forgot, so we will see how long will I keep putting that off
 
If a Site-to-Site configuration say 'Home' to 'Cabin' was successfully created, then the following command should create 'SiteC' and bind it to 'Home'
That's really cool!

Soo, by the creation of SiteC you also update SiteB.conf to include SiteC peer (AllowedIPs)? Or will you have to import these at each sites as devices (and copy-paste if wg-quick is used)?

If I get how this works, SiteA is going to be the site all connects via and then SiteC could access SiteB via SiteA and vice versa. But if SiteA is down, all fails? Could all Sites include endpoints and Peer info to all other sites or is that somehow prohibited?
 
Hmm so I was testing it wrong and i tested routing from home to cabin, actually link is up, but routing from cabin to home does not work until i do restart in WGM when WAN is lost and restored

Code:
Aug  1 23:09:44 WAN_Connection: WAN was restored.
Aug  1 23:09:46 miniupnpd[13300]: HTTP listening on port 51354
Aug  1 23:09:46 miniupnpd[13300]: Listening for NAT-PMP/PCP traffic on port 5351
Aug  1 23:09:46 rc_service: udhcpc_wan 13106:notify_rc start_vpnclient2
Aug  1 23:09:46 dhcp_client: bound 46.xxx/255.255.255.0 via 46.xxx for 86400 seconds.

Aug  1 23:09:50 kernel: ^[[0;33;41mFCACHEfc_vblog_list_add ERROR: Duplicate blog: list blog<0xffffffc015a61300> JOIN blog<0xffffffc015a8ee40>^[[0m
Aug  1 23:09:50 kernel: ^[[0;33;41mFCACHEfc_vblog_list_add ERROR: Duplicate blog: list blog<0xffffffc015a8ee40> JOIN blog<0xffffffc015aab7c0>^[[0m
Aug  1 23:09:50 kernel: ^[[0;33;41mFCACHEfc_vblog_list_add ERROR: Duplicate blog: list blog<0xffffffc015aab7c0> JOIN blog<0xffffffc015a404c0>^[[0m
Aug  1 23:09:50 kernel: ^[[0;33;41mFCACHEfc_vblog_list_add ERROR: Duplicate blog: list blog<0xffffffc015a404c0> JOIN blog<0xffffffc015a3a980>^[[0m

Aug  1 23:09:52 kernel: blog_link: 17 callbacks suppressed
Aug  1 23:09:52 kernel: blog_link:overwriting ct_p=ffffffc010147970, new_ct=ffffffc010053970 idx=0
then i do restart in WGM
Code:
Aug  1 23:13:01 (wg_manager.sh): 8643 v4.19b2 Requesting WireGuard® VPN Peer restart (wg21 wg22)
Aug  1 23:13:01 (wg_manager.sh): 8643 v4.19b2 Restarting Wireguard® 'server' Peer (wg21)
Aug  1 23:13:01 lldpd[1231]: removal request for address of 10.50.1.1%38, but no knowledge of it
Aug  1 23:13:01 wg_manager-serverwg21: WireGuard® VPN 'server' Peer (wg21) on 10.50.1.1:51820 Terminated
Aug  1 23:13:01 (wg_manager.sh): 8643 v4.19b2 Initialising Wireguard® VPN 'server' Peer (wg21)
Aug  1 23:13:01 wg_manager-serverwg21: Initialising WireGuard® VPN 'Server' Peer (wg21) on 10.50.1.1:51820
Aug  1 23:13:02 wg_manager-serverwg21: Initialisation complete.
Aug  1 23:13:02 (wg_manager.sh): 8643 v4.19b2 Restarting Wireguard® 'server' Peer (wg22)
Aug  1 23:13:02 lldpd[1231]: removal request for address of 10.9.8.1%39, but no knowledge of it
Aug  1 23:13:02 wg_manager-wg22: Executing PostDown: 'iptables -D INPUT -p udp --dport 61820 -j ACCEPT'
Aug  1 23:13:02 wg_manager-wg22: Executing PostDown: 'iptables -D INPUT -i wg22 -j ACCEPT'
Aug  1 23:13:02 wg_manager-wg22: Executing PostDown: 'iptables -D FORWARD -i wg22 -j ACCEPT'
Aug  1 23:13:02 wg_manager-serverwg22: WireGuard® VPN 'server' Peer (wg22) on 10.9.8.1:61820 Terminated
Aug  1 23:13:02 (wg_manager.sh): 8643 v4.19b2 Initialising Wireguard® VPN 'server' Peer (wg22)
Aug  1 23:13:02 wg_manager-serverwg22: Initialising WireGuard® VPN 'Server' Peer (wg22) on 10.9.8.1:61820
Aug  1 23:13:03 wg_manager-wg22: Executing PostUp: 'iptables -I INPUT -p udp --dport 61820 -j ACCEPT'
Aug  1 23:13:03 wg_manager-wg22: Executing PostUp: 'iptables -I INPUT -i wg22 -j ACCEPT'
Aug  1 23:13:03 wg_manager-wg22: Executing PostUp: 'iptables -I FORWARD -i wg22 -j ACCEPT'
Aug  1 23:13:03 wg_manager-serverwg22: Initialisation complete.

I think, if it is possible easiest, which i do not know, if it is, would be to do restart when there is event WAN_Connection: WAN was restored.

as a workaround maybe it is possible to restart router on wan connection restore?
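
Added example, not written by any poster in this thread and not wg_manager code: a POSIX shell/awk check that scans a syslog for `WAN_Connection: WAN was restored` events with no `wg_firewall` or `wg_manager.sh` start/restart request close to them, which is the difference between the two logs posted above. The function name, the 60-second default window and the sample lines (adapted from the posts; the timestamps in the second sample are constructed) are assumptions.

```shell
#!/bin/sh
# wan_restore_gaps [WINDOW] < syslog
#   Prints every "WAN was restored" event that has no wg_firewall restart
#   and no wg_manager.sh start/restart request within WINDOW seconds
#   (default 60) before or after it. Returns 1 if any is found, else 0.
# Assumes each line starts with the syslog stamp "Mon D HH:MM:SS" and that
# the log does not cross a month boundary; lines without a stamp are skipped.
wan_restore_gaps() {
    awk -v window="${1:-60}" '
    # Seconds since the start of the month, from field 2 (day) and 3 (time).
    function stamp(   t) {
        split($3, t, ":")
        return $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }
    BEGIN { n = 0; m = 0 }
    $3 !~ /^[0-9]+:[0-9]+:[0-9]+$/ { next }
    /WAN_Connection: WAN was restored/ {
        n++; rtime[n] = stamp(); rtext[n] = $1 " " $2 " " $3
        next
    }
    # Lines that show the WireGuard interfaces and rules being put back.
    /\(wg_firewall\): .*Restarting/ ||
    /\(wg_manager\.sh\): .*Requesting .*Peer (re)?start/ {
        m++; wtime[m] = stamp()
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            ok = 0
            for (j = 1; j <= m; j++) {
                d = wtime[j] - rtime[i]
                if (d < 0) d = -d
                if (d <= window) { ok = 1; break }
            }
            if (!ok) { print "no WireGuard restart near: " rtext[i]; bad++ }
        }
        exit (bad > 0)
    }'
}

# Constructed sample 1: WAN returns, the only restart is the manual one
# issued more than three minutes later.
sample_gap() {
    cat <<'EOF'
Aug  1 23:09:44 WAN_Connection: WAN was restored.
Aug  1 23:09:46 rc_service: udhcpc_wan 13106:notify_rc start_vpnclient2
Aug  1 23:13:01 (wg_manager.sh): 8643 v4.19b2 Requesting WireGuard® VPN Peer restart (wg21 wg22)
EOF
}

# Constructed sample 2: firewall-start ran wg_firewall around the WAN event.
sample_ok() {
    cat <<'EOF'
Aug  1 12:52:55 (wg_firewall): 30091 Restarting WireGuard® to reinstate RPDB/firewall rules
Aug  1 12:52:56 WAN_Connection: WAN was restored.
Aug  1 12:52:58 (wg_manager.sh): 31324 v4.19b2 Requesting WireGuard® VPN Peer start (wg11 wg14 wg21)
EOF
}

# Run on the samples: the first is flagged, the second prints nothing.
sample_gap | wan_restore_gaps 60 || true
sample_ok  | wan_restore_gaps 60 || true
```

On a router the input would be the saved log, for example `wan_restore_gaps 60 < /tmp/syslog.log`.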
 
Hmm so I was testing it wrong and i tested routing from home to cabin, actually link is up, but routing from cabin to home does not work until i do restart in WGM when WAN is lost and restored

then i do restart in WGM

What happens if you don't have OpenVPN client 2 auto start?....perhaps there is a conflict with the WireGuard RPDB rules etc.

So prior to issuing the wgm restart command, perhaps you could try dumping the diagnostics.
Bash:
e  = Exit Script [?]

E:Option ==> diag
and again, after you have successfully issued wgm restart to make a comparison of the rules.
You can PM the diags, or if you post the diags in the forum, remember to redact your WAN IP/Private Keys etc.
I think, if it is possible easiest, which i do not know, if it is, would be to do restart when there is event WAN_Connection: WAN was restored.

as a workaround maybe it is possible to restart router on wan connection restore?
I wrote this script which can indeed reboot the router, but you should really try and identify the reason for the (frequent) WAN failures.
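
Added example, not written by any poster in this thread and not wg_manager code: one way to follow the advice above to compare diagnostics taken before and after `wgm restart` and to redact the WAN IP and keys before posting them. It assumes the two dumps were saved to text files; the function names and the sample dump lines are constructed, and IPv6 addresses are not handled.

```shell
#!/bin/sh
# redact_diag: stdin -> stdout filter for a saved diagnostics dump.
#  - every 44-character base64 token ending in "=" (the text form of a
#    WireGuard private, public or preshared key) becomes <REDACTED-KEY>
#  - every IPv4 address outside the private, loopback and link-local
#    ranges becomes <REDACTED-IP>; LAN/tunnel addresses and netmasks are
#    kept so routing and firewall rules stay comparable
redact_diag() {
    sed -E 's#[A-Za-z0-9+/]{43}=#<REDACTED-KEY>#g' | awk '
    function keep(ip,   o) {
        split(ip, o, "[.]")
        if (o[1] + 0 == 10 || o[1] + 0 == 127) return 1
        if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1
        if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
        if (o[1] + 0 == 169 && o[2] + 0 == 254) return 1
        if (o[1] + 0 == 0 || o[1] + 0 == 255) return 1   # 0.0.0.0, netmasks
        return 0
    }
    {
        out = ""; rest = $0
        while (match(rest, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr(rest, RSTART, RLENGTH)
            out = out substr(rest, 1, RSTART - 1) (keep(ip) ? ip : "<REDACTED-IP>")
            rest = substr(rest, RSTART + RLENGTH)
        }
        print out rest
    }'
}

# compare_diags BEFORE AFTER
#   Redacts both dumps, then prints a unified diff that is safe to post.
#   Returns 0 if the redacted dumps are identical, 1 if they differ.
compare_diags() {
    _cd_tmp=$(mktemp -d) || return 2
    redact_diag < "$1" > "$_cd_tmp/before"
    redact_diag < "$2" > "$_cd_tmp/after"
    diff -u "$_cd_tmp/before" "$_cd_tmp/after" && _cd_rc=0 || _cd_rc=$?
    rm -rf "$_cd_tmp"
    return "$_cd_rc"
}

# Constructed sample dumps: documentation address 203.0.113.7, fake key,
# tunnel/LAN subnets and port as they appear in the thread.
sample_before() {
    cat <<'EOF'
PrivateKey = EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY000=
Endpoint = 203.0.113.7:61820
AllowedIPs = 10.9.8.1/32, 192.168.50.0/24
-A INPUT -p udp -m udp --dport 61820 -j ACCEPT
EOF
}
sample_after() {
    sample_before
    echo '-A FORWARD -i wg22 -j ACCEPT'
}

# Demo: the diff shows the one rule that only exists after the restart,
# with the key and the public endpoint already masked.
demo() {
    _d=$(mktemp -d) || return 2
    sample_before > "$_d/before.txt"
    sample_after  > "$_d/after.txt"
    compare_diags "$_d/before.txt" "$_d/after.txt" || true
    rm -rf "$_d"
}
demo
```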
 
