Martineau
Part of the Furniture
Use the diagnostics command
Code:
e = Exit Script [?]
E:Option ==> diagWireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)
- Thread starter Martineau
- Start date
Server:
when i create a new device - default route 0.0.0.0/0.
If i change manualy route to 192.168.1.0/24 in file wg21.conf and multi.conf in allowed ip: 192.168.1.0/24 and then restart server, when i connected from mobile device/PC... nothing working.
i see in diag (everethyng route 0.0.0.0.0/0
Split tunneling only working if i change in client allowed IP to 192.168.1.0/24.
if i create the new device from wg_manager how to specified allowed ip to LAN only?
my diag is:
Thank you.
Martineau
Part of the Furniture
Fixed in v4.11b2 (May 4, 2021)
You can create a LAN-Only 'device' Road-Warrior Peer using
Code:
E:Option ==> createsplit multi
Creating Wireguard Private/Public key pair for device 'multi'
Device 'multi' Public key=oSAES951SLymItBS76/HOwzs7eQSWV2vIgmdAR5yKSo=
Using Public key for 'server' Peer 'wg21'
WireGuard config for Peer device 'multi' created (Allowed IP's 192.168.1.0/24 # Split Traffic LAN Only)
Press y to Display QR Code for Scanning into WireGuard App on device 'multi' or press [Enter] to SKIP.or if the 'device' Road-Warrior 'Peer' already exists
wg_manager v4.11b2 (May 4, 2021) added the peer xxxxxx allowedips= command to allow modification and implementation of the desired Road-Warrior 'device' Peer change.Use the following to download the latest beta from the Github 'dev' branch
Code:
e = Exit Script [?]
E:Option ==> uf dev
Last edited:
Thanks. this working. i see in "peer multi show" = allowed IP = 192.168.1.0/24. but if i change manually in client from Phone or Windows to allowed IP = 0.0.0.0/0 - this always working and all trafic go to the wireguard server. If possible how to prevent this?
if i put peer multi allowedips=192.168.1.0/24 - this is change - i show it only in wg_manager - peer multi show.
but if i open for example multi.conf from /opt/etc/wireguard.d/ - i see allowed ip = 0.0.0.0/0 (nothing change in config files in wireguard.d directory (maybe i have wrong rights...:
if i create file wg11.conf and import from wg_manager - than connect. (it's successful) - not working my server when i connect from mobile phone. (not working split tunneling - i'm not able access my LAN devices.
diag show:
I need to run Wireguard Server and VPN simultaneously.
for Wireguard Server (when i connect from client) i only need to access my LAN Devices - 192.168.1.0/24
IPSet:
i have IPSet - for example Netflix_DNS. and i need to Bypass Routing from wg11 client? how do i set it?
if i put:
this is automatically add to wg11 interface.
i need to change this IPSet - go to WAN interface, not WG11 Client.
Thank you very much for help.
Last edited:
At a high-level, there are 2 steps to setup the ipset feature.
The first one (essential) is to have a stable, working client peer connection to the server peer (i.e. regular handshakes, a site of your choice like 'https://www.whatismyip.com/' detecting the configured WireGuard server peer's IP etc.)
NOTE: the WireGuard configuration files generated by VPN providers have, in most cases, a limited life span if unused. So, trying to import "an old wg11 client config" may be a questionable starting point.
In any case, this step is a prerequisite.
The second step is to 'add' the 'ipset' i.e.
Code:
peer wg11 add ipset IPSET
Code:
ipset -L IPSETThere are a number of configurable parameters depending on your requirements - FwMark, destination/source, enable/disable.
Run:
Code:
peer wg11 upd ipset Netflix_DNS fwmark 0x8000
Code:
peer wg11Thanks.
maybe if your know what i need to set - if i connected client. and i connected from my phone to wg server (i need to access my LAN device )
I set up routing, byt this is not working. sorry, i don't know how.
when i connected to wg server - my ip 10.50.1.2/32 - i need to access my LAN device 192.168.1.0/24
3 ID rule - what i need change?
Thank you.
I have never tried that scenario because I never felt the need (or urge) to forward the entire LAN through the VPN tunnel. What I have, is devices grouped in IP ranges forwarded through the VPN as required. This way the access to the internal network works with no additional configuration. If you don't have CIDRs defined you can still forward individual devices through the VPN and change the autostart to 'policy':
Code:
peer wg1* auto=pThat is not a matter of "wrong rights". It's just the way the 'WireGuard Manager' script works; it adds an sqlite database between the front end ('wgm' in the CLI) and the WireGuard application. Also, it creates and/or modifies the .conf files to a format suitable to WirGuard's inner workings. After the .conf import and/or creation, 'wgm' populates and modifies the database as required. In its current iteration it does not go back to apply every database change to the .conf files.
That being said, I had the same experience with accessing the Internet through the split tunnel if changing the device peer setting from allowing LAN IPs (192.168.1.0/24) to allow everything (0.0.0.0/0). The immediate solution would be the equivalent of 'if it hurts don't do it.)
I see that, and other issues (reported or to be reported) in the context of beta testing the script.
What do I have to do, to use my router as a Wireguard client AND use Diversion?
I've already configured my router as a client using 1.1.1.1 as DNS, but this now circumvents Diversions ad-blocking capabilities. (I guess)
How do I configure my router to use Diversion again?
I've already configured my router as a client using 1.1.1.1 as DNS, but this now circumvents Diversions ad-blocking capabilities. (I guess)
How do I configure my router to use Diversion again?
ZebMcKayhan
Very Senior Member
ok, so I managed to import my VPN client, wg11. set it to policy mode and add rules to route my subnet 192.168.1.1/24 via VPN but the rest via WAN. this works great!
then I added my 2 ipsets (attempting to run these through WAN) but this has basically no effect:
so checking the iptables if the mark is set:
yep...
checking the rules:
nope...
manually adding
breaks the connection to these ipsets.
also setting the reverse path filter for wan to loose mode:
then it seems to work.
is there something I have failed to configure for ipsets? or am I meant to add the rest in my user sripts?
//Zeb
EDIT: did a search through the wg_manager and wg_client scripts and found basically no entries were any "ip rule add fwmark" is added. so I guess that answers it. unless this is done through NAT:ing but I cant find anything in the NAT table....
then I added my 2 ipsets (attempting to run these through WAN) but this has basically no effect:
Code:
E:Option ==> peer wg11
Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)
Client Auto IP Endpoint DNS MTU Public Private Annotate
wg11 P 10.0.69.214/24 wireguard.5july.net:48574 192.168.1.1 1420 <hidden> <hidden> # N/A
Selective Routing RPDB rules
ID Peer Interface Source Destination Description
2 wg11 WAN 0.0.0.0/0 192.168.1.1/16 local WAN
3 wg11 VPN 192.168.1.1/24 Any LAN to VPN
IPSet Enable Peer FWMark DST/SRC
NETFLIX-DNS Y wg11 0x8000 dst
MYIP Y wg11 0x8000 dst
WireGuard ACTIVE Peer Status: Clients 1, Servers 0
E:Option ==> ipset
Table:ipset Summary
Total IPSet
1 MYIP
1 NETFLIX-DNS
Total IPSet Peer
1 MYIP wg11
1 NETFLIX-DNS wg11
FWMark Interface
0x1000 wg11
0x2000 wg12
0x4000 wg13
0x7000 wg14
0x3000 wg15
0x8000 wanso checking the iptables if the mark is set:
Code:
admin@RT-AC86U-D7D8:/tmp/mnt/UsbDrv/entware/etc/wireguard# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 24275 packets, 11M bytes)
pkts bytes target prot opt in out source destination
4201 2612K MARK all -- wg11 any anywhere anywhere /* WireGuard 'client' */ MARK xset 0x1/0x7
0 0 MARK all -- any any anywhere anywhere match-set NETFLIX-DNS dst MARK or 0x8000
51 4623 MARK all -- any any anywhere anywhere match-set MYIP dst MARK or 0x8000checking the rules:
Code:
admin@RT-AC86U-D7D8:/tmp/mnt/UsbDrv/entware/etc/wireguard# ip rule
0: from all lookup local
9910: from all to 192.168.1.1/16 lookup main
9911: from 192.168.1.1/24 lookup 121
32766: from all lookup main
32767: from all lookup defaultmanually adding
Code:
ip rule add fwmark 0x8000 table main prio 9907also setting the reverse path filter for wan to loose mode:
Code:
echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filteris there something I have failed to configure for ipsets? or am I meant to add the rest in my user sripts?
//Zeb
EDIT: did a search through the wg_manager and wg_client scripts and found basically no entries were any "ip rule add fwmark" is added. so I guess that answers it. unless this is done through NAT:ing but I cant find anything in the NAT table....
Last edited:
Martineau
Part of the Furniture
ZebMcKayhan
Very Senior Member
Thanks! just wanted to make sure I had not missed any important step of configuration.
instead of using nat-start scripts I made use of your nice custom scripts "/jffs/addons/wireguard/Scripts/wg11-up.sh" and placed the rule and rp filter there. works perfectly!
realized that masquarading is still only on /24 subnet:
Code:
5327 558K MASQUERADE all -- any wg11 192.168.1.0/24 anywhere /* WireGuard 'client' */so I'm not able to route guest network through VPN (not as is anyway)...
curious on why that is, running
Code:
brctl show
Code:
bridge name bridge id STP enabled interfaces
br0 8000.244bfebcd7d8 yes eth1
eth2
eth3
eth4
eth5
eth6
wl0.1
wl1.1so this is basically because br1 and br2 is not used, since Im running Yazfi, which removes Asus VLAN's.
is there any need for being so sparse in what is masquaraded? checking how wan does it:
Code:
42 2670 MASQUERADE all -- any eth0 !xxx.xxx.xxx.xx anywhereor are we using masquarading as another means of access control?
//Zeb
ZebMcKayhan
Very Senior Member
Well, I set my dns in the wg11.conf to router lan ip (192.168.1.1). So unbound and diversion works as normal. This works for me...
//Zeb
Martineau
Part of the Furniture
FYI, Depending on the router housekeeping/GUI interaction, the custom fwmarks used by the Selective IPSET routing can unfortunately be silently deleted.
So when using '/jffs/addons/wireguard/Scripts/wg1X-up.sh' to customise the WireGuard iptables, it is prudent to ensure that in the event that
nat-start is unexpectedly executed by the firmware, nat-start should still be customised to make sure any ACTIVE WireGuard connections are forced to re-execute the appropriate '/jffs/addons/wireguard/Scripts/wg1X-up.sh' script (either explicitly or by bouncing the WireGuard connection).That is sound advice... thank you! I opt for bouncing the WireGuard client peers rather than re-execute the interfaces' 'up-down' scripts inFYI, Depending on the router housekeeping/GUI interaction, the custom fwmarks used by the Selective IPSET routing can unfortunately be silently deleted.
So when using '/jffs/addons/wireguard/Scripts/wg1X-up.sh' to customise the WireGuard iptables, it is prudent to ensure that in the event thatnat-startis unexpectedly executed by the firmware,nat-startshould still be customised to make sure any ACTIVE WireGuard connections are forced to re-execute the appropriate '/jffs/addons/wireguard/Scripts/wg1X-up.sh' script (either explicitly or by bouncing the WireGuard connection).
nat-start - easier to maintain.I tried the 2 relevant bouncing options from the command line first. Here is the outcome:
Code:
asmin@RT-AX86U:/tmp/mnt/asus/conf# /jffs/addons/wireguard/wg_manager.sh restart clients
(wg_firewall): 20461 Checking if WireGuard VPN Peer KILL-Switch is required.....
(wg_firewall): 20461 Restarting WireGuard to reinstate RPDB/firewall rules
Requesting WireGuard VPN Peer stop (wg21 wg14 wg12 wg13 wg11)
<snip>
Requesting WireGuard VPN Peer start (wg11 wg14 wg12 wg13 wg21)
<snip>
Requesting WireGuard VPN Peer stop for Category 'Clients' (wg11 wg14 wg12 wg13)
<snip>
Requesting WireGuard VPN Peer start for Category 'Clients' (wg11 wg14 wg12 wg13)
<snip>The other option - restarting an individual client peer looks like that:
Code:
asmin@RT-AX86U:/tmp/mnt/asus/conf# /jffs/addons/wireguard/wg_manager.sh restart wg12
(wg_firewall): 9045 Checking if WireGuard VPN Peer KILL-Switch is required.....
(wg_firewall): 9045 Restarting WireGuard to reinstate RPDB/firewall rules
Requesting WireGuard VPN Peer stop (wg11 wg14 wg12 wg13 wg21)
<snip>
Requesting WireGuard VPN Peer start (wg11 wg14 wg12 wg13 wg21)
<snip>
Requesting WireGuard VPN Peer stop (wg12)
<snip>
Requesting WireGuard VPN Peer start (wg12)Any suggestion?
ZebMcKayhan
Very Senior Member
I'm confused. wg_manager puts this in nat-startFYI, Depending on the router housekeeping/GUI interaction, the custom fwmarks used by the Selective IPSET routing can unfortunately be silently deleted.
So when using '/jffs/addons/wireguard/Scripts/wg1X-up.sh' to customise the WireGuard iptables, it is prudent to ensure that in the event thatnat-startis unexpectedly executed by the firmware,nat-startshould still be customised to make sure any ACTIVE WireGuard connections are forced to re-execute the appropriate '/jffs/addons/wireguard/Scripts/wg1X-up.sh' script (either explicitly or by bouncing the WireGuard connection).
Code:
/jffs/addons/wireguard/wg_firewall # WireGuardwhich executes
Code:
if [ -n "$(wg show interfaces)" ];then
logger -st "($(basename "$0"))" $$ "Restarting WireGuard to reinstate RPDB/>
/jffs/addons/wireguard/wg_manager.sh stop
/jffs/addons/wireguard/wg_manager.sh start
fiso this should do it, right? or are'nt the custom script executed at stop/start? or how do you mean?
anyway, been running my client now for a couple of un-eventful days, however the syslog looks strange:
Code:
Jun 7 20:59:00 RT-AC86U-D7D8 (wg_manager.sh): 6941 Clients [97m1[95m, Servers [97m0
Jun 7 20:59:01 RT-AC86U-D7D8 (wg_manager.sh): 6941 wg11:[97m transfer: 392.88 MiB received, 14.18 MiB sent [97m0 Days, 02:28:50 from 2021-06-07 18:30:11 >>>>>>[0m
Jun 7 20:59:01 RT-AC86U-D7D8 (wg_manager.sh): 6941 wg11: period : 367.07 MiB received, 11.97 MiB sent (Rx=384900792;Tx=12555459)
Code:
E:Option ==> diag sql traffic
DEBUG: SQL '/opt/etc/wireguard.d/WireGuard.db'
Table:traffic
Peer Timestamp RX TX
wg11 2021-06-07 18:14:53 0 0
wg11 2021-06-07 18:16:50 34437 16056
wg11 2021-06-07 18:26:34 0 0
wg11 2021-06-07 18:27:44 5304 5816
wg11 2021-06-07 18:28:28 2786 3963
wg11 2021-06-07 18:30:11 0 0
wg11 2021-06-07 18:36:07 4194304 331540
wg11 2021-06-07 18:59:01 82659246 3212647
wg11 2021-06-07 19:59:01 27063747 2313349
wg11 2021-06-07 20:59:01 384900792 12555459//Zeb
Similar threads
DomainVPNRouting
Domain VPN Routing v3.2.2 ***Release***
Similar threads
| Thread starter | Title | Forum | Replies | Date |
|---|---|---|---|---|
|
How to get Unbound Manager to display logs in Scribe? | Asuswrt-Merlin AddOns | 15 | |
|
Wireguard VPN Director for VPN - WireGuard® Manager© v1.04 by Martineau | Asuswrt-Merlin AddOns | 3 |
Similar threads
-
How to get Unbound Manager to display logs in Scribe?
- Started by Davidncali001
- Replies: 15
-
Wireguard VPN Director for VPN - WireGuard® Manager© v1.04 by Martineau
- Started by unclebuk
- Replies: 3
Latest threads
-
i have a public ip block with dns names but when set domain router does not resolve them
- Started by lgkahn
- Replies: 1
-
GNP unable to change VLAN ID on LAN | VLAN | Profile tab - bug?- Started by kstamand
- Replies: 0
-
Guest Network Pro not broadcasting on XT8 nodes (GT-AX11000 Pro + XT8 mesh setup)
- Started by ComputerSteve
- Replies: 43
-
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!