Wireguard Session Manager - Discussion (3rd) thread


Yes, it appears the first two rules are created from wg21 and wg22. I have had this since the first time I enabled it in an earlier release. I have never had an issue with it though. Later I learned from you to name table 121 etc. wgc1; I also named tables 210 and 220 wgs1 and wgs2.
Setting a human-friendly alias for the routing tables (main is available to reference table 254 by default) was indeed a personal technique I have used for many years,

i.e.
Code:
ip route from MyLaptop table NewYork
vs.
Code:
ip route from MyLaptop table 113
but my point is that I honestly can't recall how/why/if one of my scripts creates the actual RPDB rule(s) containing the references to your custom aliases wgs1 and wgs2.

So, I've uploaded wireguard_manager Beta v4.17b3

Now, rather than having the annoying prompt to delete these 'rogue' rules, you can specify ROGUE220IGNORE in '/jffs/addons/wireguard/WireguardVPN.conf' and the check for their existence will be skipped (assuming they are indeed valid).

Upgrade using
Code:
e  = Exit Script [?]

E:Option ==> uf dev
Code:
e  = Exit Script [?]

E:Option ==> createconfig
then use
Code:
e  = Exit Script [?]

E:Option ==> vx
to uncomment the ROGUE220IGNORE line.
 
Just to be sure, the following rules are created by peer wg21 add and peer wg22 add respectively. Is this expected?
Code:
9810:   from all fwmark 0xd2 lookup 210
9820:   from all fwmark 0xdc lookup 220

I rebooted and had a look again; it looks like ip -6 rule is the one that hits the "vague rule". I have no idea where this comes from; I don't have IPv6 enabled. It is likely not from wgm, as I tried stopping it from starting at boot and yet I still have this rule.
Code:
admin@RT-AC86U-DBA8:/tmp/home/root# ip -6 rule
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
 
Are you sure?! o_O

I too don't have IPv6, but sometimes both the IPv4 and IPv6 rules are detected.

If it is definitely the firmware creating the RPDB PRIO 220 rule(s), then perhaps you too should define ROGUE220DELETE in wireguard_manager to auto-delete the rule, although IIRC, only the existence of the IPv6 rule (in an IPv6 environment) impacted wireguard_manager (or seemed to) when I was able to briefly test IPv4+IPv6 (dual-stack) a few weeks ago, when I was temporarily camped at a friend's house behind a SKY router with IPv6 passthru enabled to the RT-AX86U.
 
I have a relatively simple use case: tunnel all traffic from one site to another. The server will be a Linux endpoint (Unraid), and the client is an ac86u with an AT&T hotspot (Pixel 4a) ethernet-tethered into the WAN port.

Would OpenVPN suffice for my needs, or should I look into WireGuard?
 
Are the three opening paragraphs enough to sway you towards WireGuard?

This more detailed Unraid guide should help to understand the Unraid GUI option 'Remote tunneled access',

which by default is the first topology i.e. Remote inbound access to the Unraid server/services.

so be sure to select LAN to LAN access from the GUI drop-down menu.

Using wireguard_manager, the configuration on the RT-AC86U should take 5 mins assuming that it can successfully import the 'client' Peer config generated by the Unraid WireGuard 'server' Peer - but not 100% sure as I've never tried it.

However @JGrana has had success with a WireGuard site-to-site between two ASUS routers - not sure if there was a speed/stability comparison between OpenVPN vs. WireGuard for his configuration to justify his choice of protocol.
 
I have no idea where this comes from; I don't have IPv6 enabled.
If you don't have IPv6 enabled you could probably just disregard the rule, as routing rules for IPv6 are not enabled/used.

But out of curiosity, what does IPv6 table 220 contain?
Code:
ip -6 route show table 220

If it's empty it should also not interfere, as if a route is not found in the directed table the kernel should continue traversing the rules until a table with a default route is reached.
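As an added example (not wireguard_manager's own code), here is a small POSIX shell script that applies the reasoning from the ROGUE220 discussion and the post above: it finds any catch-all rule at RPDB priority 220 in ip rule / ip -6 rule output and reports whether the table it points at is empty (harmless, the kernel keeps walking the rules) or populated (it would shadow the fwmark rules wgm adds at 9810/9820). The sample listings are constructed from what was posted in this thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of wireguard_manager. Classifies "rogue"
# priority-220 RPDB rules using constructed sample output.

# Constructed sample `ip rule` output: wg21/wg22 fwmark rules as posted,
# plus an assumed firmware-created catch-all rule at priority 220.
SAMPLE_V4_RULES='0:      from all lookup local
220:    from all lookup 220
9810:   from all fwmark 0xd2 lookup 210
9820:   from all fwmark 0xdc lookup 220
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample `ip -6 rule` output, as posted in the thread.
SAMPLE_V6_RULES='0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main'

# Constructed table contents: IPv4 table 220 holds wg22's default route
# (assumed), IPv6 table 220 is empty (as the poster observed).
SAMPLE_V4_TABLE220='default dev wg22 scope link'
SAMPLE_V6_TABLE220=''

# Print the lookup table of every catch-all rule ("from all", no fwmark
# or other selector) at priority $2 in the rule listing $1.
rogue_rules() {
    printf '%s\n' "$1" | awk -v prio="$2:" \
        '$1 == prio && $2 == "from" && $3 == "all" && $4 == "lookup" { print $5 }'
}

# "harmless": the table is empty, so the lookup fails and rule processing
# continues to the next priority. "shadowing": the table has routes, so a
# catch-all rule at 220 answers before any later rule (9810/9820, main).
classify_rule() {
    if [ -z "$1" ]; then
        echo harmless
    else
        echo shadowing
    fi
}

# One report line per rogue rule: $1 family label, $2 rule listing,
# $3 contents of table 220 for that family.
report() {
    tables=$(rogue_rules "$2" 220)
    if [ -z "$tables" ]; then
        echo "$1: no priority 220 rule"
        return 0
    fi
    for t in $tables; do
        echo "$1: priority 220 rule -> table $t ($(classify_rule "$3"))"
    done
}

report IPv4 "$SAMPLE_V4_RULES" "$SAMPLE_V4_TABLE220"
report IPv6 "$SAMPLE_V6_RULES" "$SAMPLE_V6_TABLE220"
```

On the router itself, pass "$(ip rule)" and "$(ip route show table 220)" (or the -6 variants) to report instead of the constructed samples.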
 
However @JGrana has had success with a WireGuard site-to-site between two ASUS routers - not sure if there was a speed/stability comparison between OpenVPN vs. WireGuard for his configuration to justify his choice of protocol.
I am still running the site-to-site - running great.
I was running OpenVPN but wanted to try Wireguard, mainly based on numerous articles I read about the simplicity, speed and security of Wireguard. One of my main use cases is to do remote backups of my NAS's photo albums and various documents: offsite backup in addition to the NAS. Occasionally I upload a lot of large photos to my PC, which the NAS then copies overnight and then backs up to the remote site. Classic backup scenario.

IMHO, both OpenVPN and Wireguard are stable. So, for stability - either does well with Asuswrt-merlin (especially with @RMerlin ’s work on OpenVPN).
Wireguard (using iperf3) showed a typical 30% better performance during large transfers. So, performance - Wireguard.
The other reason I like Wireguard (and wg_manager) is the simplicity in setting up the network connection (using wg_manager). The wg.conf files are easily readable and understandable and pretty short and concise.
Once @Martineau and @ZebMcKayhan worked with me on getting site-to-site supported by wg_manager - works great and easy.

I am NOT an IT/Network Security expert, but setting up Wireguard using wg_manager (and Zeb's fine documentation) was very easy and quick. I would guess you could be up and running in 15 minutes (or less ;-)
 
Are you sure?! o_O

I too don't have IPv6, but sometimes both the IPv4 and IPv6 rules are detected.

If it is definitely the firmware creating the RPDB PRIO 220 rule(s), then perhaps you too should define ROGUE220DELETE in wireguard_manager to auto-delete the rule, although IIRC, only the existence of the IPv6 rule (in an IPv6 environment) impacted wireguard_manager (or seemed to) when I was able to briefly test IPv4+IPv6 (dual-stack) a few weeks ago, when I was temporarily camped at a friend's house behind a SKY router with IPv6 passthru enabled to the RT-AX86U.
So far I only have prio 220 in the ip -6 rule output. It looks like it is coming from the firmware; I can see the rule before NTP is synced.

If you don't have IPv6 enabled you could probably just disregard the rule, as routing rules for IPv6 are not enabled/used.

But out of curiosity, what does IPv6 table 220 contain?
Code:
ip -6 route show table 220

If it's empty it should also not interfere, as if a route is not found in the directed table the kernel should continue traversing the rules until a table with a default route is reached.
There is nothing in the table, at least in my case with IPv6 not enabled. I have not encountered any problem and was not aware of it. I only came to know of it after updating wgm and seeing the vague rule message.

Code:
admin@RT-AC86U-DBA8:/tmp/home/root# ip -6 rule
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
admin@RT-AC86U-DBA8:/tmp/home/root# ip -6 route show table 220
admin@RT-AC86U-DBA8:/tmp/home/root#
 
Trying to continue the discussion about the blog mcast error from @Torson without hijacking his thread any more.
https://www.snbforums.com/threads/w...throughput-and-flood-of-syslog-entries.70937/

Both @doczenith1 and @chongnt reported seeing these errors on ac86u, and when I went through my scribe filters I found the same at some specific times; today between 15:57 and 16:17 there were about 100 of these:

Code:
May 12 16:15:26 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:15:26 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:15:44 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:15:44 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:15:57 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:15:57 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:16:20 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:16:20 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:16:41 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:16:41 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:17:01 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:17:01 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m

They seem to come in pairs of 2, usually ~20 sec in between. There has been vast internet usage after this that doesn't produce any error, so it seems to be linked to some special packets from some app I presume (my daughter was the only one home at the time, so possibly YouTube).

I have not seen any drop in throughput; I still get 100/100, same as my subscription. Nor have I seen any issues for normal usage.

Is it even caused by WireGuard, or something else?

I have started thinking about possible conflicts between the Xmark set by wgm to bypass hw-acceleration and other marks, like ipset marks (fwmark and Xmark are the same, right? Just Xmark XORs the value with the mask). Don't we mess up this mark when marking packets for, i.e., ipset routing?

Pinging @Martineau as he usually has great knowledge about this stuff.
 
Good observation. I just realized that in my case it always comes in 2 pairs of log entries at a time. I had 2 x wg servers and 2 x wg clients, and now 2 x wg servers and 3 x wg clients still exhibit the same behavior. I briefly went through my historical logs; these logs started to appear a week after I had wgm installed. Looking at the wgm hourly summary log, I think that is about the time I diverted traffic from ovpn to the wgm client. These logs mostly started when streaming YouTube on a Google Chromecast TV box.
Do you happen to have 1 x wg server? Not sure if the 2 pairs of log entries I have seen have any relation to the 2 x wg servers. Later I will try to delete one wg server, reboot and see what happens.
 
Trying to continue the discussion about the blog mcast error from @Torson without hijacking his thread any more.
Is it even caused by WireGuard, or something else?

Code:
May 12 16:15:26 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:15:26 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
May 12 16:15:44 RT-AC86U-D7D8 kernel: [0;33;41m[ERROR mcast] bcm_mcast_blog_process,789: blog allocation failure[0m
There has been vast internet usage after this that doesn't produce any error, so it seems to be linked to some special packets from some app I presume

I have not seen any drop in throughput; I still get 100/100, same as my subscription. Nor have I seen any issues for normal usage.
Whilst WireGuard/wireguard_manager could indeed possibly contribute to the proliferation, the messages can seemingly occur due to other confirmed factors....
...although the timeline is unclear to prove if the experimental WireGuard was also being used.
 
Do you happen to have 1 x wg server? Not sure if the 2 pairs of log I seen has any relation with the 2 x wg server.
I have a server set up but it is always off (and was off during the time interval). I too have 2 clients. LAN all routed to WgClient 1, Guest wifi 1 routed to WAN and guest wifi 2 routed to WgClient 2.


the messages can seemingly occur due to other confirmed factors....
Thanks! Wow, also errors in pairs of 2 and roughly 20 sec in between... seems to match pretty well. Hmm, yeah, it doesn't say anything about WireGuard but could be, although as I read it, it feels unlikely. Seems to not be related to WireGuard.
 
@ZebMcKayhan and @Martineau have you noticed https://www.snbforums.com/threads/386-7-alpha-build-s-testing-available-build-s.78901/post-762502
I suspect it might be a good idea to dig a little deeper into it for WireGuard and unbound (and maybe whoever is SkyNet's dev should too)

Sorry for interrupting the flow - we now return you to regularly scheduled programming ;)
Cool! But no HND-router available (yet)... waiting (and hoping) for ipv6 DNAT and NETMAP.
As eager as I might be to test whenever available for ac86u, I don't know if I'm allowed by family. My testing is limited to whenever they sleep, and if it all doesn't work when they wake up, all hell breaks loose... I've gone from an alpha-guy to beta-guy to stable-release-guy and now a late-adopter-stable-release-guy.
 
Lol, I understand... but I posted that for a glimpse into where Asus might be going, so you folks can maybe start looking into what may need to change with your stuff to work with it when it gets to release.
 
Is it normal to get 1.82 Mbps down and 3.42 Mbps up when running the wireguard server on an RT-AX86U?
I get a huge CPU load when running the speedtest. And I'm connecting from WiFi to the wireguard server when running the speedtest.

I am using the built in wireguard module in the firmware.
And all settings are default, except this one: create Samsung-S9 wg21 dns=local

EDIT: When connecting to the router via WiFi and connecting to my ISP's wireguard server I get 140 Mbps down and 164 Mbps up.
 
Is it normal to get 1.82 Mbps down and 3.42 Mbps up when running the wireguard server on an RT-AX86U?
I would say no; what's your internet speed?

If you hit vx inside wgm, try to remove the comment:
Code:
DISABLE_FLOW_CACHE

AX86 needs flow cache disabled or the speed sucks and the syslog fills up with blog mcast errors...

But we really need more info about your system. Are you running a wg client as well on your router? IPv6? Passthru? Or are you only running the wg server? How was your speedtest done? Towards LAN or to the internet via WAN?
 
A reboot "solved" the problem.
I'm getting 141 Mbps down and 169 Mbps up now.

I am only running the wg server. And no IPv6.
No extra passthrough or such.

The speedtest was done towards internet, SUNET to be more precise.

My internet speed is 250/250

EDIT: I don't have any DISABLE_FLOW_CACHE in the config file. No result when searching for flow or cache.
 
Ok, great you've solved it!

If you are running latest wgm you might need to re-create your config to take full advantage of latest settings:
Code:
E:Option ==> createconfig

Any addons that may interfere?
 