Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)


Well, you could always turn it off:
Code:
E:Option ==> killswitch off

You should really consider updating to the latest dev build; it is more stable:
Code:
E:Option ==> uf dev
However, the database has been updated for improved stats.
Check post #321 to update your database without starting over:
http://www.snbforums.com/threads/session-manager.70787/post-696141

//Zeb
I was able to update to the latest dev build. Thanks!!!

I can't honestly say much given the short time I've been using wgm, but it's actually pretty stable! It's ready to be out of beta in my books lol

Thanks again, everyone!!!

Curious, if you can use Diversion with wgm? Anyone here using them together for blocking ads?
 
Curious, if you can use Diversion with wgm? Anyone here using them together for blocking ads?
I am using them together, but it requires you to change the VPN DNS to 192.168.1.1 so clients are using dnsmasq, and also that your VPN provider is OK with you using other DNS servers.

You could of course set up dnsmasq to use your VPN DNS and probably bind it to use the VPN connection, or even use unbound and bind it to the VPN... it is all about how much energy you want to put into it, but the experience gained in the process is everything.

//Zeb
 
Curious, if you can use Diversion with wgm? Anyone here using them together for blocking ads?
Yes, with Diversion, Unbound and the router's internal IP as DNS (i.e. 192.168.1.1) since the get-go...

Glad you got it going.
 
I was able to update to the latest dev build. Thanks!!!

I can't honestly say much given the short time I've been using wgm, but it's actually pretty stable! It's ready to be out of beta in my books lol

Thanks again, everyone!!!

Curious, if you can use Diversion with wgm? Anyone here using them together for blocking ads?
Very nice!
Maybe unbound with wg is your next move? :)
 
Very nice!
Maybe unbound with wg is your next move? :)
Yes I messaged u on the other thread. I would not mind trying this out.
 
Got it. I got it to work with Swinson's script. @ZebMcKayhan got unbound bound to wg without that script. He tried to help me but I got lazy and gave up after getting it to work with Swinson's script. His approach may be worth a try too.
I'm not sure which way is best; I guess both ways have their pros and cons.

in "my way" I replaced the
Code:
peer wg11 rule add wan 192.168.1.1 comment Router to WAN
with:
Code:
E:Option ==> peer wg11 rule add wan 0.0.0.0/0 192.168.0.0/16 comment ToLocalUseWan

the idea is that 192.168.1.1 does not need to be routed out to WAN (since internet access from local processes will not use this source address anyway), but it must use the main routing table to be able to contact local network clients, since there are no routes for them in the VPN routing table. If you have local subnets outside 192.168.x.x (like a WireGuard server or OVPN server or VLANs or similar, as @chongnt had) then these will need to be added as well. So this rule will make all packets that have DESTINATION 192.168.x.x (i.e. local packets) use the main routing table.
For me this covers my LAN and my guest networks, which is enough for me.

then I stop unbound (it needs to be stopped, otherwise config changes will be overwritten)
then edit
Code:
nano /opt/var/lib/unbound/unbound.conf

change this line:
Code:
#outgoing-interface: xxx.xxx.xxx.xxx        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)

to
Code:
outgoing-interface: 192.168.1.1        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)

save and exit.

start unbound again.

if you hit ? in unbound_manager you should now get:
Code:
[✔] unbound requests via VPN Client (192.168.1.1) tunnel ENABLED

and for me that was it...

since unbound now uses address 192.168.1.1 it will be routed out the VPN, since we removed the rule for it to use the WAN. For replying to local clients it will use the WAN (main) routing table to find which interface the reply should be sent out on.

//Zeb

Edit: oh, yea, I forgot: you also need to set wg client (wg11) dns to 192.168.1.1 for this to work.
 
I stop unbound (it needs to be stopped, otherwise config changes will be overwritten)
then edit
Code:
nano /opt/var/lib/unbound/unbound.conf

change this line:
Code:
#outgoing-interface: xxx.xxx.xxx.xxx        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)

to
Code:
outgoing-interface: 192.168.1.1        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)

save and exit.

start unbound again.
FYI, if you are using unbound_manager, there is no need to manually stop unbound and then tediously invoke nano by hand;

i.e. use command vx to modify (or command v to safely view) the current unbound config file

e.g. edit the config file
Code:
unbound (pid 11765) is running... uptime: 3 days 07:17:47 version: 1.13.2 # Version=v1.13 Martineau update (Date Loaded by unbound_manager Sun Sep 19 13:57:46 DST 2021)

1  = Update unbound files and configuration                     5  = Uninstall Ad and Tracker blocker (Ad Block)
2  = Remove unbound/unbound_manager                             6  = Uninstall Graphical Statistics GUI Add-on TAB
3  = Stop unbound                                               7  = Disable   DNS Firewall [?]
4  = Show unbound statistics                                    8  = Uninstall YouTube Ad blocker
                                                                9  = Install Safe Search e.g. google.com->forcesafesearch.google.com

?  = About Configuration                   
v  = View ('/opt/var/lib/unbound/unbound.conf')    

e  = Exit Script [?]

E:Option ==> vx

and nano will open the unbound config to allow you to perform your edits.

Hit F2 when you have finished and you will be prompted to save your changes; unbound_manager will subsequently automatically detect any changes, and you will then be prompted to restart unbound to apply them....

e.g.
Code:
Do you want to restart unbound to apply your config changes?

    Reply 'y' or press [Enter]  to skip
 
I'm curious about how wireguard/wgm works if anyone would enlighten me.

Understanding that WireGuard is a connectionless protocol, how does wgm track whether the connection works or not? I guess that @Kingp1n's problem gives the answer: it doesn't (or?)

So if an internet client gets cut off for some reason, clients routed out the VPN would just lose their internet connection? Then what is the point of the kill-switch? Or is wgm doing some magic here?

Since WireGuard is connectionless, restarting a client would really not do much good, since as soon as the communication is back it would just start to work again?

I have really had zero problems the last 6 months... it just works, 100% uptime, yet still I'm continuously monitoring my IP, but I'm starting to think that it's not necessary unless the router has rebooted (to make sure wgm has started properly): if internet works, it's VPN?

//Zeb
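The thread does not settle how wgm itself tracks a client tunnel, but WireGuard does expose one signal a monitor can use: `wg show <iface> latest-handshakes` prints, per peer, the Unix time of the last completed handshake (0 if there has never been one). A peer that is sending data re-handshakes after at most 120 s and rejects its session after 180 s, so a handshake older than about 180 s while traffic is flowing means the tunnel is down; with no traffic (and no PersistentKeepalive) an old value is normal and says nothing. The check below is an added example, not wireguard_manager's monitoring logic; the function names and the sample output are mine, and the "peer key" strings are placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not wireguard_manager code): judge a WireGuard tunnel from
# "wg show <iface> latest-handshakes", whose lines look like
#   <peer public key><TAB><unix time of last handshake, 0 = never>

# wg_tunnel_state "<latest-handshakes output>" NOW [MAX_AGE]
# Prints exactly one word: never (no handshake yet), ok, or stale.
# MAX_AGE defaults to 180 s, WireGuard's session reject time.
wg_tunnel_state() {
    out=$1; now=$2; max=${3:-180}
    newest=0
    # a client peer normally has one remote, but take the newest of any
    for ts in $(printf '%s\n' "$out" | awk 'NF >= 2 { print $2 }'); do
        if [ "$ts" -gt "$newest" ]; then newest=$ts; fi
    done
    if [ "$newest" -eq 0 ]; then
        printf 'never\n'
    elif [ $((now - newest)) -le "$max" ]; then
        printf 'ok\n'
    else
        printf 'stale\n'
    fi
}

# Live wrapper for the router, e.g. "wg_check wg11" from cron or a
# watchdog; prints "down" when the interface does not exist at all.
wg_check() {
    iface=$1
    if ! out=$(wg show "$iface" latest-handshakes 2>/dev/null); then
        printf 'down\n'; return 1
    fi
    wg_tunnel_state "$out" "$(date +%s)"
}

# Constructed sample output (placeholder key, fixed timestamps) so the
# function can be exercised without a tunnel.
SAMPLE_OK=$(printf 'PLACEHOLDERPEERKEY=\t1633000042\n')
```

Combine "stale" with a probe that actually sends traffic through the tunnel (a ping to the provider's gateway, or a curl of an IP-echo service bound to the wg interface) before acting on it; a stale handshake on an idle tunnel is not a failure, and a failure with the killswitch on shows up as blocked traffic rather than a leaked one.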
 
When I start wg11, I cannot connect to my local LTU Pro anymore.
How do I add an exception, to connect to my LTU Pro (IP 172.16.253.6)
 
When I start wg11, I cannot connect to my local LTU Pro anymore.
How do I add an exception, to connect to my LTU Pro (IP 172.16.253.6)
Well, if you use policy based routing, there are no routes to that address in the VPN table. Which would mean clients set up to use the VPN will not be able to contact other subnets.

If you have subnets outside your ordinary LAN these will need to be directed to the main routing table. Since you don't give the extent of the subnet you wish to communicate with, I would assume it to be /24 (172.16.253.x); you could just issue in wgm:
Code:
E:Option ==> peer wg11 rule add wan 0.0.0.0/0 172.16.253.6/24 comment ToLocalUseWan

if you only (ever) need to communicate with this specific IP just change /24 to /32, but /24 will allow routes to be found to the entire subnet.

The entire class B address range would be /12 (no internet client is allowed to use this).

Assuming all is OK in the firewall between your addresses/subnets, this should be it.

//Zeb
 
Thanks for your detailed information, but that didn't work. I still cannot access my LTU Pro. No big problem.

Before that, I noticed an error when starting wg11, see screenshot. Internet is working, so I guess this is not a big problem?
 

Attachments: Screenshot_20210930-235847_JuiceSSH.jpg (53.6 KB)
Before that, I noticed an error when starting wg11, see screenshot. Internet is working, so I guess this is not a big problem?
Check post #321 to update your database with the new columns:
http://www.snbforums.com/threads/session-manager.70787/post-696141
It was updated to fix a metrics problem. The error message is because wgm is trying to write to columns that do not exist in your table.

About your connection issue:
I don't know if the rule gets added immediately or if you need to restart the client. Did you restart wg11?

I think you need give more information about your system. What is this subnet, how is it setup, from which subnet? Is dns involved, does it work before wg11 is started?

What is the output of (in wgm, after applying the rule above)
Code:
peer wg11
Remove keys and other sensitive data before posting

//Zeb
 
@ZebMcKayhan, I don't get the syntax peer add wan. It seems to allow two IP addresses. In the peer help example, the second IP is DNS. What are the first and second IP address entries for?

Code:
peer peer_name {rule [del {id_num} |add [wan] rule_def]}                - Manage Policy rules e.g. peer wg13 rule add 172.16.1.0/24 comment All LAN
                                                                                       peer wg13 rule add wan 52.97.133.162 comment smtp.office365.com
                                                                                       peer wg13 rule add wan 172.16.1.100 9.9.9.9 comment Quad9 DNS
 
@ZebMcKayhan, I don't get the syntax peer add wan. It seems to allow two IP addresses. In the peer help example, the second IP is DNS. What are the first and second IP address entries for?

Code:
peer peer_name {rule [del {id_num} |add [wan] rule_def]}                - Manage Policy rules e.g. peer wg13 rule add 172.16.1.0/24 comment All LAN
                                                                                       peer wg13 rule add wan 52.97.133.162 comment smtp.office365.com
                                                                                       peer wg13 rule add wan 172.16.1.100 9.9.9.9 comment Quad9 DNS
ALL RPDB Selective Routing Policy rules technically require two arguments

i.e. both a Source and a Destination (usually IPs, but Ports or interfaces e.g. 'IIF eth0' etc. can be used by advanced users) - and for convenience implied in this positional order

I coded wireguard_manager to try and be intelligent, to save having to always specify both arguments... if there is no ambiguity.

So for this example ALL LAN devices must access 52.97.133.162 via the WAN
Code:
peer wg13 rule add wan 52.97.133.162 comment smtp.office365.com
52.97.133.162 is not a private LAN IP/Subnet, so it is assumed to be a Destination target IP, therefore the Source IP/Subnet is implied to be everything from ALL 0.0.0.0/0.

For this example the specific LAN device must always access Quad9 DNS over the WAN
Code:
peer wg13 rule add wan 172.16.1.100 9.9.9.9 comment Quad9 DNS
so although there is no ambiguity, wireguard_manager will honour the order of the args supplied and treats 172.16.1.100 as the Source IP and 9.9.9.9 as the intended Destination target IP.

In the case where there could be ambiguity, for convenience you can explicitly specify which IP is the desired Source IP and the desired Destination target IP

i.e. the implied shorthand version
Code:
peer wg13 rule add wan 172.16.1.100 9.9.9.9 comment Quad9 DNS
can be explicitly entered at the menu prompt as
Code:
peer wg13 rule add wan dst=9.9.9.9 src=172.16.1.100 comment Quad9 DNS
overriding any attempt by wireguard_manager to undermine your true intention e.g. suppose both IPs were valid Local IPs?

i.e. would you expect this to be a valid request? - no doubt a suicidal invitation for "gurus" to reply "Well it depends...." :p
Code:
peer wg13 rule add wan 9.9.9.9 172.16.1.100 comment Quad9 DNS
 
Reading @Martineau's excellent answer I realize that my rule might be misinterpreted by wgm. I simply thought the first IP was the source IP and the second was the destination IP, and if only one was given it was the source IP, so I thought I had to add the 0.0.0.0/0 to be able to give the second IP. Since we needed to add the local IP as destination, I guess the 0.0.0.0/0 did fill a purpose, but not really as I thought.

I added this rule on my system many script revisions ago, so how wgm interprets this might have changed.

so according to @Martineau, to prevent misinterpretation:
Code:
E:Option ==> peer wg11 rule add wan dst=172.16.253.6/24 comment ToLocalUseMain
then the source would be assumed to be 0.0.0.0/0 (any IP) and there won't be any confusion about what is destination and what is source.

@Ubimo: if you list your rules using:
Code:
E:Option ==> peer wg11
and make sure the rule you added has source IP 0.0.0.0/0 and destination IP 172.16.253.6/24; otherwise you will need to remove the rule you added and add it again with the new syntax above.

//Zeb
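@Martineau's explanation of how a single positional IP is classified (LAN address: Source; public address: Destination; two IPs: order honoured; src=/dst= explicit) and @ZebMcKayhan's follow-up about checking what a rule actually became are easiest to see with the inference written out. The function below is an added illustration, not wireguard_manager's code: it turns the argument list after `peer <wgNN> rule add` into the equivalent `ip rule add` command so you can see which address ended up as Source and which as Destination before adding anything. Assumptions that are mine: "wan" maps to the main table, a peer's own table is referred to by the peer name (wgm uses its own numbered tables and priorities, which the thread does not list), and only RFC 1918 ranges count as "Local". It also flags the ambiguous case from the post, a public Source with a LAN Destination, which is almost always the arguments in the wrong order.

```shell
#!/bin/sh
# Added illustration (not wireguard_manager code) of the Source/Destination
# inference for "peer <wgNN> rule add [wan] <rule_def> comment <text>".
# Assumptions: table "main" for wan, a table named after the peer otherwise,
# RFC 1918 == "Local". Real wgm table numbers/priorities are not shown here.

# True when the address part of an IP or CIDR is RFC 1918 private.
is_private_ip() {
    case "${1%%/*}" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# rule_to_iprule PEER wan|vpn ARGS...
# Prints the "ip rule add from SRC to DST table TABLE" the arguments imply.
#   one positional LAN IP     -> Source, Destination 0.0.0.0/0
#   one positional public IP  -> Destination, Source 0.0.0.0/0
#   two positional IPs        -> first Source, second Destination (order kept)
#   src=/dst=                 -> always win over positional inference
rule_to_iprule() {
    peer=$1; where=$2; shift 2
    src=""; dst=""; p1=""; p2=""
    while [ $# -gt 0 ]; do
        case "$1" in
            comment) break ;;                 # everything after is free text
            src=*)   src=${1#src=} ;;
            dst=*)   dst=${1#dst=} ;;
            *)
                if [ -z "$p1" ]; then p1=$1
                elif [ -z "$p2" ]; then p2=$1
                else printf 'too many positional arguments\n' >&2; return 2
                fi ;;
        esac
        shift
    done
    if [ -n "$p2" ]; then
        [ -n "$src" ] || src=$p1
        [ -n "$dst" ] || dst=$p2
    elif [ -n "$p1" ]; then
        if is_private_ip "$p1"; then
            [ -n "$src" ] || src=$p1          # Local address: Source
        else
            [ -n "$dst" ] || dst=$p1          # public address: Destination
        fi
    fi
    : "${src:=0.0.0.0/0}" "${dst:=0.0.0.0/0}"
    # the ambiguous case: public Source sending to a LAN Destination
    if [ "$src" != 0.0.0.0/0 ] && ! is_private_ip "$src" && is_private_ip "$dst"; then
        printf 'warning: src %s is public and dst %s is Local; did you mean src=%s dst=%s?\n' \
            "$src" "$dst" "$dst" "$src" >&2
    fi
    case "$where" in
        wan) table=main ;;
        *)   table=$peer ;;
    esac
    printf 'ip rule add from %s to %s table %s\n' "$src" "$dst" "$table"
}

# Examples from the thread (run with: sh rule_to_iprule.sh)
rule_to_iprule wg13 wan 52.97.133.162 comment smtp.office365.com
rule_to_iprule wg13 wan 172.16.1.100 9.9.9.9 comment Quad9 DNS
rule_to_iprule wg11 wan dst=172.16.253.6/24 comment ToLocalUseMain
rule_to_iprule wg13 wan 9.9.9.9 172.16.1.100 comment Quad9 DNS
```

Whatever the script predicts, the authoritative check is still `peer wg11` in wgm (or `ip rule` on the router) after the rule is added: the first two fields printed there are the Source and Destination the kernel is actually matching on.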
 
Thanks @Martineau for your detailed explanation.
 
Realizing how little I actually know about wgm and its potential (as recently proven), I thought it might be a good idea to look into the code and list all possible commands. Well, I just realized how far behind I am with my puny coding skills; yeez @Martineau, where have you found the time to develop all this? The number of possibilities is virtually endless.

I simply don't have the skills to complete this (I am yet a simple hardware engineer (and most humble at this time)). So either I could scrap what I have done, or I could publish it here and hope that some better person than me could pick up the ball and restructure and finalize this, as I still believe it to be a good idea.

(Disclaimer) Beware that the following information could be wrong/incomplete and/or harmful to execute. If you are not prepared to destroy your setup, don't execute anything not documented by the author himself.

0 - show credits
1 | i - Install Wireguard Manager
2 | z - Remove/uninstall Wireguard manager
3 | list | show - show peer status
4 | start - start all
{Peer} - start peer (start wg11)
{Category} - start category (start clients)
{nopolicy} - ???
5 | stop - stop all
{Peer} - stop peer (stop wg11)
{Category} - stop category (stop clients)
6 | restart
{Peer} - restart peer (restart wg11)
{Category} - restart category (restart clients)
{nopolicy} - ???
7 | qrcode - display qrcode for a server peer.
8 | peer - show all peers
{peer} - show peer info
{'new'} -
{'auto='} - yYnNpPZ
{'del' | 'delX'} - delete peer
{'comment'} - set peer comment
{'dump' | 'config'} - display peer .conf file
{'import'} - import peer
{'rule'} - manage peer rules
{[rule def]}
{'allowedips='} - set allowed ip:s
{'ip='} - ???
{'dns='} - set peer dns
{'mtu='} - set peer mtu
{'add' | 'del' | 'upd'}
{'ipset'}
9 | create
- create key pair for server peer
createsplit
10 | ipset

Multiple choices...tbd
u | uf | uf {branch} - update, force update
ip - display VPN pool ???
getmod - download modules
loadmod - load modules
dns - dnsmasq listening on...
natstart - nat-start monitoring of firewall rules
alias {alias}={'scriptPath'}- create shell alias with script execution
diag - display diagnose data
{'route' | 'rpdp'} - display routes and rules
{'udp' | 'sockets'} - display udp sockets
{'firewall'} - display firewall rules
{'sql'} - display all tables?
{'sql' table} - show table (tra*, sess*, pol*, dev*, ips*, fwm*)
{'sql' ?} - show valid tables
{'sqlx'} - Expose SQL
debug - debug mode on/off
initdb | migrate - ???
stats - statistics on/off
wg | wg" " - Expose the WG Userspace Tool
scripts {backup/restore} - backup event scripts
import {peer} - import peer config from file
udpmon {enable/disable} - udp monitor on/off
jump | geo | livin - ???
generatestats - generate statistics
killswitch{=on/off} - killswitch on/off
killinter - kill interface (ip link del dev...)
rpfilter | rp_filter {=1|2|disable|enable|""|"?"} - WAN reverse path filter on/off
h | help - show help
v | vx - view | edit WireguardVPN.conf
e | exit - exit

//Zeb
 
Hey!

WireGuard by default routes all traffic through the tunnel. Does anyone have a clue how to route everything in 192.168.1.0/24 except IP 192.168.1.x?
 
Hey!

WireGuard by default routes all traffic through the tunnel. Does anyone have a clue how to route everything in 192.168.1.0/24 except IP 192.168.1.x?
I suppose @Martineau's explanation above covers it.
Assuming you are using wg11, add this rule in wgm (a /32 so that only that one host is sent out the WAN; a /24 here would take the whole subnet with it):
Code:
E:Option ==> peer wg11 rule add wan src=192.168.1.x/32 comment ToUseWAN
 
