Wireguard Session Manager - Discussion (3rd) thread

[ZebMcKayhan]

Regarding site-2-multisite / mesh, I've found this educational, but in my opinion rather complex.
https://www.aroundtheglobe.biz/posts/20210817-Multisite_Wireguard_VPN_Mesh_with_OpenBSD.html
I don't get it, A typical server could have several peers connected to it, wouldnt it be possible to create a server peer at each of the 3 sites each containing public key, endpoint and lan of the other 2 sites? Why does it have to be so messy as to involve several peers at many sites??

Pinging @Martineau as I think he might know the answer, but I appreciate answers from anyone.

 

[Martineau]

Regarding site-2-multisite / mesh, I've found this educational, but in my opinion rather complex.
https://www.aroundtheglobe.biz/posts/20210817-Multisite_Wireguard_VPN_Mesh_with_OpenBSD.html
I don't get it, A typical server could have several peers connected to it, wouldnt it be possible to create a server peer at each of the 3 sites each containing public key, endpoint and lan of the other 2 sites? Why does it have to be so messy as to involve several peers at many sites??

Pinging @Martineau as I think he might know the answer, but I appreciate answers from anyone.

Without clarification of the overall mesh topology (i.e. what data traffic flows primarily outbound from each node), there could be political/logistical reasons for the need to configure the meshed nodes in such a manner?




TLDR;

If we assume the other nodes are sites (rather than individual Road-Warrior devices), then the nodes could be categorised as follows

e.g.

• Node 1. HQ - handling timesheets/HR etc., so all employees at each Node needs to send Timesheets/Overtime requests/New Hire requests etc.
• Node 2. Central Material Control - where the manufacturing/distribution/Sales is managed
• Node 3. Sales Showroom
• Node 4. Warehouse/Stocking
• Node 5. Factory/Assembly

Clearly the author has simplified the mesh topology, so whilst FULL resiliency between the nodes isn't depicted/warranted?, it doesn't mean that the nodes are single-failure hardware nodes, but the wg0 interfaces could actually be hosted on VM images etc.

IMHO, I suspect the author is merely attempting to show the flexibility of WireGuard® and how a script can generate seemingly complex routing solutions - although I suspect the same topology can/could be created using OpenVPN.

Other primary examples of different site topologies

• Point to Point
• Hub and Spoke / Star
• Point to Site
• Site to Site

that can be deployed to allow a business to create its own unique operating model for providing services such as access to Web Servers or shared folders etc. exploiting the fact that unlike other VPN technologies, WireGuard® does not need to adhere to the traditional strict 'server'/'client' roles for sites.

 

[Martineau]

Thats really cool!

Soo, by the creation of SiteC you also update SiteB.conf to include SiteC peer (AllowedIPs)? Or will you have to import these at each sites as devices (and copy-paste if wg-quick is used)?

If I get how this works, SiteA is going to be the site all connects via and then SiteC could access SiteB via SiteA and vice versa. But if SiteA is down, all failes? Could all Sites include endpoints and Peer info to all other sites or is that somehow prohibited?

I've uploaded wg_manager Beta v4.19b3

Update wg_manager.sh · MartineauUK/wireguard@fc2d19c

FIX: Command 'site2site add Home BeachHut lan=nnn.nnn.nnn.nnn/24' fails to append the correct BeachHut config details to Home.conf; and BeachHut.conf incorrectly mangles its references to s...

github.com

Spoiler: Create 'Home'/'Cabin' Site-to-Site then add third location to the 'Home'/'Cabin' Site-to-Site pair

e  = Exit Script [?]

E:Option ==> site2site Home Cabin lan=172.16.2.0/24

    Creating WireGuard® Private/Public key-pair for Site-to-Site (IPv4/IPv6) Peers Home/Cabin

    Enter Cabin Endpoint remote IP, or Cabin DDNS name or press [Enter] to SKIP.
Cabin.DDNS

    Warning: No DDNS is configured! to reach local Home Endpoint from remote Cabin
    Press y to use the current WAN IP or enter Home Endpoint IP or DDNS name or press [Enter] to SKIP.
Home.DDNS

========== Home configuration =====================================================

# Home - 192.168.55.0/24 Home.DDNS
[Interface]
PrivateKey = UHtwXL81J8fmNd+gucq/W9WqHApJ5o0tDdzKay4bvng=
Address = 10.9.8.1/32, fd10:9:8::1/128
ListenPort = 61820

# Cabin LAN
[Peer]
PublicKey = 4iv/K2Xc1XeqszMl6xHsdeE6kBeku06FdEk/ethWXnc=
AllowedIPs = 10.9.8.2/32, 172.16.2.0/24
Endpoint = Cabin.DDNS:61821
#PresharedKey = 
PersistentKeepalive = 25

========== Cabin configuration =====================================================

# Cabin - 172.16.2.0/24
[Interface]
PrivateKey = +NgRYunBDiLJY1t8q4Sl/UIjE9s+MvBg5cTIqs9p5G8=
Address = 10.9.8.2/32
ListenPort = 61821

#
# WireGuard® (%p - ListenPort; %wan - WAN interface; %lan - LAN subnet; %net - IPv4 Tunnel subnet ONLY recognised by Martineau's WireGuard® Manager©/wg-quick2)
#

# wg-quick2
# =========
#PostUp =   iptables -I INPUT -p udp --dport %p -j ACCEPT; iptables -I INPUT -i %i -j ACCEPT; iptables -I FORWARD -i %i -j ACCEPT
#PostDown = iptables -D INPUT -p udp --dport %p -j ACCEPT; iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i %i -j ACCEPT

# wg-quick
# ========
#PostUp =   iptables -I INPUT -p udp --dport 61821 -j ACCEPT; iptables -I INPUT -i %i -j ACCEPT; iptables -I FORWARD -i %i -j ACCEPT
#PostDown = iptables -D INPUT -p udp --dport 61821 -j ACCEPT; iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i %i -j ACCEPT


# Home LAN
[Peer]
PublicKey = 1bIKfd0NHZzPJW8rDEhXWL7+22TYGvKTlX24i+CXNnQ=
AllowedIPs = 10.9.8.1/32, fd10:9:8::1/128 192.168.55.0/24
Endpoint = Home.DDNS:
#PresharedKey = 
PersistentKeepalive = 25

=======================================================================================


    WireGuard® Site-to-Site Peers Home and Cabin created


    Copy Cabin/Home files: (included in ZIP '/opt/etc/wireguard.d/WireGuard_Cabin.7z')

2022-08-03 21:19:38 ....A         1070          501  Cabin.conf
2022-08-03 21:19:19 ....A           45           49  Cabin_private.key
2022-08-03 21:19:19 ....A           45           49  Cabin_public.key
2022-08-03 21:19:38 ....A          350          294  Home.conf
2022-08-03 21:19:19 ....A           45           49  Home_private.key
2022-08-03 21:19:19 ....A           45           49  Home_public.key

    to remote location


    Import Home.conf on remote site using 'import Home type=device'


    Press y to import Home or press [Enter] to SKIP.

now add the additional site....

e  = Exit Script [?]

E:Option ==> site2site add Home BeachHut lan=172.16.3.0/24

    Creating WireGuard® Private/Public key-pair for Site-to-Site (IPv6) Peers Home/BeachHut

    Enter BeachHut Endpoint remote IP, or BeachHut DDNS name or press [Enter] to SKIP.
BeachHut.DDNS

========== Home configuration =====================================================

# Home - 192.168.55.0/24 Home.DDNS
[Interface]
PrivateKey = UHtwXL81J8fmNd+gucq/W9WqHApJ5o0tDdzKay4bvng=
Address = 10.9.8.1/32, fd10:9:8::1/128
ListenPort = 61820

# Cabin LAN
[Peer]
PublicKey = 4iv/K2Xc1XeqszMl6xHsdeE6kBeku06FdEk/ethWXnc=
AllowedIPs = 10.9.8.2/32, 172.16.2.0/24
Endpoint = Cabin.DDNS:61821
#PresharedKey = 
PersistentKeepalive = 25

# BeachHut LAN
[Peer]
PublicKey = BiRR4WfLbojW5Y2NdONvgmCSEZ6/DRMmuAfJz4RgXBg=
AllowedIPs = 10.9.8.3/32, 172.16.3.0/24
Endpoint = BeachHut.DDNS:61822
#PresharedKey = 
PersistentKeepalive = 25

========== BeachHut configuration =====================================================

# BeachHut - 172.16.3.0/24
[Interface]
PrivateKey = kIdFR2/0R04dMWJTH57NK4aO8a5tgEenZUetcNM8+k4=
Address = 10.9.8.3/32
ListenPort = 61823

#
# WireGuard® (%p - ListenPort; %wan - WAN interface; %lan - LAN subnet; %net - IPv4 Tunnel subnet ONLY recognised by Martineau's WireGuard® Manager©/wg-quick2)
#

# wg-quick2
# =========
#PostUp =   iptables -I INPUT -p udp --dport %p -j ACCEPT; iptables -I INPUT -i %i -j ACCEPT; iptables -I FORWARD -i %i -j ACCEPT
#PostDown = iptables -D INPUT -p udp --dport %p -j ACCEPT; iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i %i -j ACCEPT

# wg-quick
# ========
#PostUp =   iptables -I INPUT -p udp --dport 61823 -j ACCEPT; iptables -I INPUT -i %i -j ACCEPT; iptables -I FORWARD -i %i -j ACCEPT
#PostDown = iptables -D INPUT -p udp --dport 61823 -j ACCEPT; iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i %i -j ACCEPT


# Home LAN
[Peer]
PublicKey = 1bIKfd0NHZzPJW8rDEhXWL7+22TYGvKTlX24i+CXNnQ=
AllowedIPs = 10.9.8.1/32, 192.168.55.0/24
Endpoint = Home.DDNS:61820
#PresharedKey = 
PersistentKeepalive = 25

=======================================================================================


    WireGuard® Site-to-Site Peers Home additional link with BeachHut created


    Copy BeachHut/Home files: (included in ZIP '/opt/etc/wireguard.d/WireGuard_BeachHut.7z')

2022-08-03 21:21:10 ....A         1062          493  BeachHut.conf
2022-08-03 21:20:51 ....A           45           49  BeachHut_private.key
2022-08-03 21:20:51 ....A           45           49  BeachHut_public.key
2022-08-03 21:21:10 ....A          543          356  Home.conf
2022-08-03 21:19:19 ....A           45           49  Home_private.key
2022-08-03 21:19:19 ....A           45           49  Home_public.key

    to remote location


    Import Home.conf on remote site using 'import Home type=device'


    Press y to import Home or press [Enter] to SKIP.

Clearly re-import of the Home.conf will be required to include the BeachHut definition, and optionally you can have the BeachHut.conf include the Cabin LAN in its AllowedIP list but I don't currently modify Cabin.Conf although perhaps I should but such customisation is only for Advanced users.....

Obviously it would have been easier to simply specify 0.0.0.0/0 for the AllowedIPs, but explicitly stating the accessible LANs would be deemed more secure?

I'm still keeping the old-skool 'server'/'client' concept (i.e. 'server' accepting Road-Warrior 'device' clients) so if 'server' site Home is DOWN, then clearly client connections will be impossible.

 

[ZebMcKayhan]

Clearly re-import of the Home.conf will be required to include the BeachHut definition, and optionally you can have the BeachHut.conf include the Cabin LAN in its AllowedIP list but I don't currently modify Cabin.Conf although perhaps I should but such customisation is only for Advanced users.....

So by just using the peers as they are siteA have access to both sites but siteB and siteC only have access to siteA. No routes will exist between siteB and siteC

And by adding these in allowedIPs you have effectively created a hub-and-spoke site-2-site topology? SiteB and siteC could communicate via siteA

However by adding SiteB peer info on SiteC and vice versa they could communicate directly, but this requires atleast 2 sites to have public ip / ddns. Would wgm do this if importing siteC.conf at siteB type=device?

As another example, for a WireGuard network joining three office LANs plus two cloud sites, you might use the Site to Site topology between each individual site, creating a separate WireGuard tunnel from the WireGuard host in each site to each of the other four sites. Or you might decide to use a combination Hub and Spoke with Site to Site, allowing you to centralize your site-to-site routing and access control in one place, and connect the WireGuard host at each site only to a single hub host, to which all the other sites also connect.

Ill think I need to make some examples on my github whenever I find the time of the 2 variant of setups.

 

[evlo]

What happens if you don't have OpenVPN client 2 auto start?....perhaps there is a conflict with the WireGuard RPDB rules etc.

Seems to be ok after forced power outage today.

 

[ZebMcKayhan]

I've uploaded wg_manager Beta v4.19b3

Update wg_manager.sh · MartineauUK/wireguard@fc2d19c

FIX: Command 'site2site add Home BeachHut lan=nnn.nnn.nnn.nnn/24' fails to append the correct BeachHut config details to Home.conf; and BeachHut.conf incorrectly mangles its references to s...

github.com

Spoiler: Create 'Home'/'Cabin' Site-to-Site then add third location to the 'Home'/'Cabin' Site-to-Site pair

e  = Exit Script [?]

E:Option ==> site2site Home Cabin lan=172.16.2.0/24

    Creating WireGuard® Private/Public key-pair for Site-to-Site (IPv4/IPv6) Peers Home/Cabin

    Enter Cabin Endpoint remote IP, or Cabin DDNS name or press [Enter] to SKIP.
Cabin.DDNS

    Warning: No DDNS is configured! to reach local Home Endpoint from remote Cabin
    Press y to use the current WAN IP or enter Home Endpoint IP or DDNS name or press [Enter] to SKIP.
Home.DDNS

========== Home configuration =====================================================

# Home - 192.168.55.0/24 Home.DDNS
[Interface]
PrivateKey = UHtwXL81J8fmNd+gucq/W9WqHApJ5o0tDdzKay4bvng=
Address = 10.9.8.1/32, fd10:9:8::1/128
ListenPort = 61820

# Cabin LAN
[Peer]
PublicKey = 4iv/K2Xc1XeqszMl6xHsdeE6kBeku06FdEk/ethWXnc=
AllowedIPs = 10.9.8.2/32, 172.16.2.0/24
Endpoint = Cabin.DDNS:61821
#PresharedKey = 
PersistentKeepalive = 25

========== Cabin configuration =====================================================

# Cabin - 172.16.2.0/24
[Interface]
PrivateKey = +NgRYunBDiLJY1t8q4Sl/UIjE9s+MvBg5cTIqs9p5G8=
Address = 10.9.8.2/32
ListenPort = 61821

#
# WireGuard® (%p - ListenPort; %wan - WAN interface; %lan - LAN subnet; %net - IPv4 Tunnel subnet ONLY recognised by Martineau's WireGuard® Manager©/wg-quick2)
#

# wg-quick2
# =========
#PostUp =   iptables -I INPUT -p udp --dport %p -j ACCEPT; iptables -I INPUT -i %i -j ACCEPT; iptables -I FORWARD -i %i -j ACCEPT
#PostDown = iptables -D INPUT -p udp --dport %p -j ACCEPT; iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i %i -j ACCEPT

# wg-quick
# ========
#PostUp =   iptables -I INPUT -p udp --dport 61821 -j ACCEPT; iptables -I INPUT -i %i -j ACCEPT; iptables -I FORWARD -i %i -j ACCEPT
#PostDown = iptables -D INPUT -p udp --dport 61821 -j ACCEPT; iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i %i -j ACCEPT


# Home LAN
[Peer]
PublicKey = 1bIKfd0NHZzPJW8rDEhXWL7+22TYGvKTlX24i+CXNnQ=
AllowedIPs = 10.9.8.1/32, fd10:9:8::1/128 192.168.55.0/24
Endpoint = Home.DDNS:
#PresharedKey = 
PersistentKeepalive = 25

=======================================================================================


    WireGuard® Site-to-Site Peers Home and Cabin created


    Copy Cabin/Home files: (included in ZIP '/opt/etc/wireguard.d/WireGuard_Cabin.7z')

2022-08-03 21:19:38 ....A         1070          501  Cabin.conf
2022-08-03 21:19:19 ....A           45           49  Cabin_private.key
2022-08-03 21:19:19 ....A           45           49  Cabin_public.key
2022-08-03 21:19:38 ....A          350          294  Home.conf
2022-08-03 21:19:19 ....A           45           49  Home_private.key
2022-08-03 21:19:19 ....A           45           49  Home_public.key

    to remote location


    Import Home.conf on remote site using 'import Home type=device'


    Press y to import Home or press [Enter] to SKIP.

now add the additional site....

e  = Exit Script [?]

E:Option ==> site2site add Home BeachHut lan=172.16.3.0/24

    Creating WireGuard® Private/Public key-pair for Site-to-Site (IPv6) Peers Home/BeachHut

    Enter BeachHut Endpoint remote IP, or BeachHut DDNS name or press [Enter] to SKIP.
BeachHut.DDNS

========== Home configuration =====================================================

# Home - 192.168.55.0/24 Home.DDNS
[Interface]
PrivateKey = UHtwXL81J8fmNd+gucq/W9WqHApJ5o0tDdzKay4bvng=
Address = 10.9.8.1/32, fd10:9:8::1/128
ListenPort = 61820

# Cabin LAN
[Peer]
PublicKey = 4iv/K2Xc1XeqszMl6xHsdeE6kBeku06FdEk/ethWXnc=
AllowedIPs = 10.9.8.2/32, 172.16.2.0/24
Endpoint = Cabin.DDNS:61821
#PresharedKey = 
PersistentKeepalive = 25

# BeachHut LAN
[Peer]
PublicKey = BiRR4WfLbojW5Y2NdONvgmCSEZ6/DRMmuAfJz4RgXBg=
AllowedIPs = 10.9.8.3/32, 172.16.3.0/24
Endpoint = BeachHut.DDNS:61822
#PresharedKey = 
PersistentKeepalive = 25

========== BeachHut configuration =====================================================

# BeachHut - 172.16.3.0/24
[Interface]
PrivateKey = kIdFR2/0R04dMWJTH57NK4aO8a5tgEenZUetcNM8+k4=
Address = 10.9.8.3/32
ListenPort = 61823

#
# WireGuard® (%p - ListenPort; %wan - WAN interface; %lan - LAN subnet; %net - IPv4 Tunnel subnet ONLY recognised by Martineau's WireGuard® Manager©/wg-quick2)
#

# wg-quick2
# =========
#PostUp =   iptables -I INPUT -p udp --dport %p -j ACCEPT; iptables -I INPUT -i %i -j ACCEPT; iptables -I FORWARD -i %i -j ACCEPT
#PostDown = iptables -D INPUT -p udp --dport %p -j ACCEPT; iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i %i -j ACCEPT

# wg-quick
# ========
#PostUp =   iptables -I INPUT -p udp --dport 61823 -j ACCEPT; iptables -I INPUT -i %i -j ACCEPT; iptables -I FORWARD -i %i -j ACCEPT
#PostDown = iptables -D INPUT -p udp --dport 61823 -j ACCEPT; iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i %i -j ACCEPT


# Home LAN
[Peer]
PublicKey = 1bIKfd0NHZzPJW8rDEhXWL7+22TYGvKTlX24i+CXNnQ=
AllowedIPs = 10.9.8.1/32, 192.168.55.0/24
Endpoint = Home.DDNS:61820
#PresharedKey = 
PersistentKeepalive = 25

=======================================================================================


    WireGuard® Site-to-Site Peers Home additional link with BeachHut created


    Copy BeachHut/Home files: (included in ZIP '/opt/etc/wireguard.d/WireGuard_BeachHut.7z')

2022-08-03 21:21:10 ....A         1062          493  BeachHut.conf
2022-08-03 21:20:51 ....A           45           49  BeachHut_private.key
2022-08-03 21:20:51 ....A           45           49  BeachHut_public.key
2022-08-03 21:21:10 ....A          543          356  Home.conf
2022-08-03 21:19:19 ....A           45           49  Home_private.key
2022-08-03 21:19:19 ....A           45           49  Home_public.key

    to remote location


    Import Home.conf on remote site using 'import Home type=device'


    Press y to import Home or press [Enter] to SKIP.

Clearly re-import of the Home.conf will be required to include the BeachHut definition, and optionally you can have the BeachHut.conf include the Cabin LAN in its AllowedIP list but I don't currently modify Cabin.Conf although perhaps I should but such customisation is only for Advanced users.....

Obviously it would have been easier to simply specify 0.0.0.0/0 for the AllowedIPs, but explicitly stating the accessible LANs would be deemed more secure?

I'm still keeping the old-skool 'server'/'client' concept (i.e. 'server' accepting Road-Warrior 'device' clients) so if 'server' site Home is DOWN, then clearly client connections will be impossible.

Maybee I'm just slow/thick but if we assume all peers are asus routers running wgm:
Home:

E:Option ==> site2site Home Cabin lan=172.16.2.0/24

then Y to import Home.conf as server peer.

E:Option ==> site2site add Home BeachHut lan=172.16.3.0/24

and again select Y to re-import new Home.conf as server peer.

At Cabin site:

E:Option ==> import Cabin.conf type=server
E:Option ==> import Home.conf type=device
E:Option ==> import BeachHut.conf type=device

At BeachHut:

E:Option ==> import BeachHut.conf type=server
E:Option ==> import Home.conf type=device
E:Option ==> import Cabin.conf type=device

Now all peers shall be connected as a triangle, with direct contact between all peers?

Edit: Cabin.conf AllowedIps are missing a "," between last 2 ips. Don't know if it matters.

Found this tool for generating wg-mesh, which seems to generate a mesh setup with only a single peer at each site as I tried to explain:
https://github.com/k4yt3x/wg-meshconf
but I have not yet tested it...

 

[knatterton]

Installing this seems to have messed up my RT-AX58U pretty badly. Can't access the router anymore in any way. I guess there's not much else to do other that reset the whole thing?

Edit: I was able to connect to the router with a static IP. Now I can open the web ui and can get an ssh connection too. Now just need to figure out what went wrong.

 

[ZebMcKayhan]

Edit: I was able to connect to the router with a static IP. Now I can open the web ui and can get an ssh connection too. Now just need to figure out what went wrong.

Check syslog so there are no dnsmasq errors. If there are dnsmasq wont start up and there will be no dhcp server.

Wgm adds an entry in dnsmasq.conf.add:

admin@RT-AC86U-D7D8:/# cat /jffs/configs/dnsmasq.conf.add
interface=wg*     # WireGuard

Also check this entry in the active dnsmasq config:

admin@RT-AC86U-D7D8:/tmp/home/root# cat /etc/dnsmasq.conf

Look so this entry been added as it's own line and no funny things going on.

 

[knatterton]

Check syslog so there are no dnsmasq errors. If there are dnsmasq wont start up and there will be no dhcp server.

Wgm adds an entry in dnsmasq.conf.add:

admin@RT-AC86U-D7D8:/# cat /jffs/configs/dnsmasq.conf.add
interface=wg*     # WireGuard

Also check this entry in the active dnsmasq config:

admin@RT-AC86U-D7D8:/tmp/home/root# cat /etc/dnsmasq.conf

Look so this entry been added as it's own line and no funny things going on.

Yeah the problem was with dnsmasq. I already had some lines in dnsmasq.conf.add file, and it added an entry in this way:

local=/0.1.168.192.in-addr.arpa/interface=wg*     # WireGuard

Also there was another error in the logs about /jffs/scripts/service-event not having execute permission.

Anyway, I uninstalled Wireguard Manager for now and everything seems to be back to normal. Might try it again later.

 

[Martineau]

Maybee I'm just slow/thick but if we assume all peers are asus routers running wgm:
Home:

E:Option ==> site2site Home Cabin lan=172.16.2.0/24

then Y to import Home.conf as server peer.

E:Option ==> site2site add Home BeachHut lan=172.16.3.0/24

and again select Y to re-import new Home.conf as server peer.

At Cabin site:

E:Option ==> import Cabin.conf type=server
E:Option ==> import Home.conf type=device
E:Option ==> import BeachHut.conf type=device

At BeachHut:

E:Option ==> import BeachHut.conf type=server
E:Option ==> import Home.conf type=device
E:Option ==> import Cabin.conf type=device

Now all peers shall be connected as a triangle, with direct contact between all peers?

Edit: Cabin.conf AllowedIps are missing a "," between last 2 ips. Don't know if it matters.

Whoops..

The Cabin AllowedIPs (which includes an IPv6 IP - significant perhaps?) data value stored in the database is indeed incorrect (when compressed)

    Peers (Auto start: Auto=P - Policy, Auto=S - Site-to-Site)
Server  Auto  Subnet                       Port   Annotate
wg21    Y     10.50.1.1/24                 51820  # RT-AX86U Server #1
wg22    S     10.9.8.1/32,fd10:9:8::1/128  61820  # Home - 192.168.55.0/24 Home.DDNS



    Peers (Auto=X - External i.e. Cell/Mobile/Site)
Device    Auto  IP            DNS          Allowed IPs                                 Annotate
SGS20+    X     10.50.1.2/32  192.168.0.1  0.0.0.0/0                                   # SGS20+ "Device"
Cabin     X     10.9.8.2/32                10.9.8.1/32,fd10:9:8::1/128192.168.55.0/24  # Cabin - 172.16.2.0/24
BeachHut  X     10.9.8.3/32                10.9.8.1/32,192.168.55.0/24,172.16.2.0/24   # BeachHut - 172.16.3.0/24

i.e.

10.9.8.1/32,fd10:9:8::1/128192.168.55.0/24

rather than

10.9.8.1/32,fd10:9:8::1/128,192.168.55.0/24

but I don't think it matters for the wg_client/wg_server/wg-quick scripts as all three tolerate either a space or comma between AllowedIPs?

Found this tool for generating wg-mesh, which seems to generate a mesh setup with only a single peer at each site as I tried to explain:
https://github.com/k4yt3x/wg-meshconf
but I have not yet tested it...

If using wg-quick at the remote sites, then renaming/retaining only the 'server' .conf should suffice.

However, if all remote sites use wg_manager then importing the 'sites' as 'device' Peers simply allows wg_manager to cosmetically translate the 'peer:' key into a human friendly identifier (if the Annotate tag wasn't defined), but more importantly can track data metrics (per site into the SQL database) and assign the next site2site .conf an unused IP in the range '10.9.8.*' - but this is now crudely generated by simply counting the site2site peer entries which could now unfortunately create non-consecutive IPs - but hey no duplicates!

 

[matssa]

Hey guys, quick question, I hope you can help

I'm using the wireguard from amtm on my Asus AX88u without any issues but in one case : a electrical black out.

Indeed, I have my router behind my service provider router (I can't replace it with my AX88U), so after a blackout both routers boot at the same time. However, the AX boots quicker than the provider's one, so when the AX is up and it tries to check if internet access is up as well, it goes into error. Therefore the server doesn't start, I have to login the router and launch it manually.

Anyone know how I can avoid this issue? Was maybe thinking of using my Home Assistant server to SSH in the router and launch a command to see if it is up and launch another command to start it if down.

Thanks!

 

[L&LD]

A UPS is highly recommended for all essential networking equipment.

 

[Martineau]

I'm using the wireguard from amtm on my Asus AX88u without any issues but in one case : a electrical black outI have my router behind my service provider router (I can't replace it with my AX88U), so after a blackout both routers boot at the same time. However, the AX boots quicker than the provider's one, so when the AX is up and it tries to check if internet access is up as well, it goes into error. Therefore the server doesn't start, I have to login the router and launch it manually.

Anyone know how I can avoid this issue?

Check the wg_manager configuration

grep -i initdelay /jffs/addons/wireguard//WireguardVPN.conf

# During Boot 'init' request process, specify a delay period e.g. INITDELAY 90s
INITDELAY 20s

If it doesn't exist try executing

e  = Exit Script [?]

E:Option ==> createconfig

Then if the default 20 second delay isn't sufficient use the editor

e  = Exit Script [?]

E:Option ==> vx

to customise/increase the value.

 

[ZebMcKayhan]

Ive tried to add Site-2-Multisite / Mesh info to the best of my knowledge:
https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#site-2-multisite--mesh

This was rather quickly made so I bet it is reeking with spelling errors, capitalization errors and such.

@Martineau whenever you have the time, I would appreciate if you were to look through it and provide feedback. I feel as I'm out on rather thin ice here.

As always any positive/negative feedback from anyone is highly appreciated.

//Zeb

 

[Martineau]

Ive tried to add Site-2-Multisite / Mesh info to the best of my knowledge:
https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#site-2-multisite--mesh

This was rather quickly made so I bet it is reeking with spelling errors, capitalization errors and such.

@Martineau whenever you have the time, I would appreciate if you were to look through it and provide feedback. I feel as I'm out on rather thin ice here.

As always any positive/negative feedback from anyone is highly appreciated.

//Zeb

As always; complex configuration options explained in a simple manner.

Only one minor issue - 'SiteB.conf' (unlike 'SiteC.conf') seems to be missing the complete socket definition to SiteA's Endpoint?

Perhaps as a future tweak, I should allow selection of the type of remote Site configuration being created, i.e. explicitly allow the user to specify that only wg-quick is available at the remote site? then I suppose I should only create the standard wg0.conf 'server' Peer with the standard ListenPort=51820 etc.

However, the intention was wg_manager should be able to coexist with a wg-quick environment and even ASUS' proposed WireGuard implementation.

Still, not too shabby for a Beta script!

 

[ZebMcKayhan]

Only one minor issue - 'SiteB.conf' (unlike 'SiteC.conf') seems to be missing the complete socket definition to SiteA's Endpoint?

Well spotted! Thanks! Makes you wonder if copy/paste function actually has saved anyone a minute of time

I working on a config where we add 2 peers both behind a CGNAT, where one connects to SiteA and the other to SiteB (to minimize loss of function if any peer goes down). It looks interesting but my head starts to hurt.

Perhaps as a future tweak, I should allow selection of the type of remote Site configuration being created, i.e. explicitly allow the user to specify that only wg-quick is available at the remote site? then I suppose I should only create the standard wg0.conf 'server' Peer with the standard ListenPort=51820 etc.

possibly... or just add the information during the creation as a text splash... but importing the device config is rather confusing as it actually doesnt add anything to the conf files. possiby only change the type=device as you actually dont import any device... like type=device_info

Still, not too shabby for a Beta script!

certainly not! great job!

Edit: Combination Mesh/Star topology example added, but it gets a tad messy... look at the end of section.

 

[JGrana]

However, the intention was wg_manager should be able to coexist with a wg-quick environment and even ASUS' proposed WireGuard implementation.

Still, not too shabby for a Beta script!

That is an understatement if I have ever read one. ;-)

 

[Martineau]

I working on a config where we add 2 peers both behind a CGNAT, where one connects to SiteA and the other to SiteB (to minimize loss of function if any peer goes down). It looks interesting but my head starts to hurt.

Edit: Combination Mesh/Star topology example added, but it gets a tad messy... look at the end of section.

Flexibility + Resiliency + CGNAT.....all through simple cut'n'paste!

I think you should stop now..... you will be exhausted if you attempted to document all possible combinations of the four topologies!

Fortunately not hampered here by CGNAT but it seems it isn't the show-stopper that I first thought?

 

[ZebMcKayhan]

I think you should stop now..... you will be exhausted if you attempted to document all possible combinations of the four topologies!

Thanks for your concern of my mental health, I think I didn't break anything that cant be fixed with some alcohol.
Right, these will have to do as demonstrative examples, I will leave it at that, as every setup will be unique in it's own way so its going to be up to the network maintainer as to figure out how to mix'n-match this themselves. Now that everything is prepared, I'm hoping for some nice report from @evlo to setup his 3 sites and let us know how it works!

Fortunately not hampered here by CGNAT but it seems it isn't the show-stopper that I first thought?

nope, as long as at least one site/peer has public ip all others could use that to relay packets. You could use a server service for that but unfortunately all packages will need to go through the server which could be costly...

The dream would be to accomplish something like this:
https://www.jordanwhited.com/posts/wireguard-endpoint-discovery-nat-traversal/
Where only the server would be relaying info on how the peers could contact each other. Then the connection is direct and no packages is needed anymore to the server... but maybe it will remain a dream, it is for sure way to complicated for me to attempt.

 

[Ubimo]

Hello
I'm getting an error during clean installation:

Spoiler

This installs WireGuard Session Manager
on your router.

Author: Martineau
https://www.snbforums.com/forums/asuswrt-merlin-addons.60/?prefix_id=32&starter_id=13215

Contributors: odkrys, Torson, ZebMcKayhan, jobhax, elorimer
Sh0cker54, here1310, defung, The Chief
_____________________________________________

Continue? [1=Yes e=Exit] 1


Creating 'wg_manager' alias for 'wg_manager.sh'

+======================================================================+
| Welcome to the WireGuard® Manager/Installer script (Asuswrt-Merlin) |
| |
| Version v4.18 by Martineau |
| |
| Requirements: HND or AX router with Kernel 4.1.xx or later |
| e.g. RT-AC86U or RT-AX86U etc. |
| |
| USB drive with Entware installed |
| |
| ******************************************************************** |
| * NOTE: WireGuard® is incompatible with Hardware Acceleration * |
| * You can disable Hardware Acceleration using command * |
| * * |
| * E:Option ==> fc disable * |
| * * |
| * but you will most likely limit the throughput via WAN * |
| * to match the maximum WireGuard® speed * |
| ******************************************************************** |
| |
| 1 = Install WireGuard |
| o1. Enable firewall-start protection for Firewall rules |
| o2. Enable DNS |
| |
| |
+======================================================================+

WireGuard® ACTIVE Peer Status: Clients 0, Servers 0



1 = Begin WireGuard® Installation Process

e = Exit Script [?]

E:Option ==> 1

Installing WireGuard® Manager - Router RT-AC86U (v386.7_2) arch=aarch64

Downloading scripts
wg_client downloaded successfully
wg_server downloaded successfully
UDP_Updater.sh downloaded successfully
wg_ChkEndpointDDNS.sh downloaded successfully
wg_manager.asp downloaded successfully
Help.md downloaded successfully
wgmExpo.sh downloaded successfully

Package column (2.38-2) installed in root is up to date.
Package coreutils-mkfifo (9.1-1) installed in root is up to date.
Package p7zip (16.02-3) installed in root is up to date.

Creating/Updating WireGuard® configuration file '/jffs/addons/wireguard/WireguardVPN.conf' (v4.18)

Creating 'wg_manager' alias for 'wg_manager.sh'

Warning: Aliases and shell functions for wg_manager.sh already exist


No Peer entries to auto-migrate from '/jffs/addons/wireguard/WireguardVPN.conf', but you will need to manually import the 'device' Peer '*.conf' files:



[✔] WireGuard® Peer SQL Database Initialised OK


Peers (Auto start: Auto=P - Policy, Auto=S - Site-to-Site)


Peers (Auto=X - External i.e. Cell/Mobile/Site)
Creating WireGuard® 'Server' Peer (wg21)'
Creating WireGuard® Private/Public key-pairs for RT-AC86U (v386.7_2)
Initialising WireGuard® VPN 'server' Peer

Requesting WireGuard® VPN Peer start (wg21)

wg_manager-serverwg21: Initialising WireGuard® VPN 'Server' Peer (wg21) on 10.50.1.1:51820 (# RT-AC86U Server #1)
RTNETLINK answers: Operation not supported
Unable to modify interface: Protocol not supported
Unable to modify interface: Protocol not supported
Cannot find device "wg21"

***ERROR Initialisation ABORTED - 'wg setconf wg21 /tmp/wg21.27321 (/opt/etc/wireguard.d/wg21.conf)' FAILED

[✔] Statistics gathering is ENABLED

firewall-start updated to protect WireGuard® firewall rules
Restarting DNSmasq to add 'wg*' interfaces

Done.

Event scripts

Adding Peer Auto-start @boot
Installing QR rendering module
Package qrencode (4.1.1-1) installed in root is up to date.
Installing xargs module
Package findutils (4.9.0-1) installed in root is up to date.
Do you want to create a 'device' Peer for 'server' Peer (wg21) ?
Press y to create 'device' Peer or press [Enter] to skip

WireGuard® Peer Status

v4.18 WireGuard® Session Manager install COMPLETED.


WireGuard® ACTIVE Peer Status: Clients 0, Servers 0



1 = Begin WireGuard® Installation Process

e = Exit Script [?]

E:Option ==>

Or is this normal?

Edit:
Is this the latest kernel/module?
[✔] WireGuard® Kernel module/User Space Tools included in Firmware (1.0.20210124)

How can I update the kernel/module?