Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)


My S50wireguard
#!/bin/sh
# Init script for the original /opt/etc/wireguard helper scripts (wg-server, wg-up, wg-policy, wg-down)

PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Mode=client        # server or client

# server
export Subnet=     # e.g. 10.50.50.1/24
export wgport=

# client
export LocalIP=192.168.1.1   # e.g. 10.50.50.2
Route=default                # default or policy
export wgdns=1.1.1.1
export Nipset=wgvpn

# Pick the helper script that matches Mode/Route (POSIX sh compares strings with '=', not '==')
start_wg() {
    if [ "$Mode" = "server" ]; then
        /opt/etc/wireguard/wg-server
    elif [ "$Mode" = "client" ] && [ "$Route" != "policy" ]; then
        /opt/etc/wireguard/wg-up
    else
        /opt/etc/wireguard/wg-policy
    fi
}

case "$1" in
start)
    logger "Starting WireGuard service."
    start_wg
    ;;
stop)
    logger "Stopping WireGuard service."
    /opt/etc/wireguard/wg-down
    ;;
restart)
    logger "Restarting WireGuard service."
    /opt/etc/wireguard/wg-down
    sleep 2
    start_wg
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    ;;
esac

wg_manager does not use S50wireguard nor indeed any of the original scripts in '/opt/etc/wireguard'
 
Please help, what did I do/set wrong?
You have the private and public keys mixed up. The easiest approach while using the wgcf utility would be to first register an account and then generate the .conf file. Once you have the .conf file just copy the keys to wg11.conf. Everything else looks alright.
 
The lack of a DDNS should not be an issue. The script checks for the existence of the DDNS and if not defined it will use the WAN IP.
Thanks for clarifying...isn't suggesting to use DDNS in the case of a non-static WAN address the best way to go??
 
Thanks for the feedback.

wg_manager Beta Hotfix v3.05 available and Hotfix v1.13



EDIT:



Do you see the 'device' Peer connect to your 'server' Peer?


Assuming your 'server' Peer in listening on port 51820, run the following, then try to connect

Code:
conntrack -E --event-mask UPDATE -p udp -o timestamp | grep 51820
Hello Mr @Martineau
For update
I still have the same reboot problem, my wireguard server is active, but if I connect my road warrior client no download, no internet access, no lan access.
I have to launch wgm and select option 6 to restart the wireguard server and then it works fine.
Maybe I should put a scheduled task to restart the wireguard server after the router reboot ?
I also suspect that my scheduled tasks (skynet + diversion) break my wireguard server after some time.
What do you think?

Code:
55 5 15 * * service reboot #amtm_RebootScheduler#
00 2 * * Mon sh /opt/share/diversion/file/update-bl.div reset #Diversion_UpdateBL#
20 5 * * * sh /opt/share/diversion/file/rotate-logs.div #Diversion_RotateLogs#
20 17 * * * diversion count_ads count #Diversion_CountAds#
25 10 * * * sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
21 1 * * Mon sh /jffs/scripts/firewall update #Skynet_autoupdate#
0 * * * * sh /jffs/scripts/firewall save #Skynet_save#
31 */12 * * * sh /jffs/scripts/firewall debug genstats #Skynet_genstats#
30 12 * * * service restart_letsencrypt #LetsEncrypt#

I found something that broke my wireguard server on my system log

Code:
Mar 22 14:01:09 rc_service: amas_lib 1218:notify_rc restart_firewall
Mar 22 14:01:09 custom_script: Running /jffs/scripts/service-event (args: restart firewall)
Mar 22 14:01:09 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Mar 22 14:01:09 custom_script: Running /jffs/scripts/nat-start
Mar 22 14:01:09 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Mar 22 14:01:09 custom_script: Running /jffs/scripts/service-event-end (args: restart firewall)
Mar 22 14:01:14 kernel: BLOG ERROR blog_request :blog_key corruption when adding flow net_p=ffffffc012d68010  dir=1 old_key=0x200003e3 new_key=0x200003e4
Mar 22 14:01:15 kernel: BLOG ERROR blog_request :blog_key corruption when adding flow net_p=ffffffc012d68010  dir=1 old_key=0x200003e4 new_key=0x200003e5
Mar 22 14:01:15 kernel: BLOG ERROR blog_request :blog_key corruption when adding flow net_p=ffffffc012d68010  dir=1 old_key=0x200003e5 new_key=0x200003e6
Mar 22 14:01:16 kernel: BLOG ERROR blog_request :blog_key corruption when adding flow net_p=ffffffc012d68010  dir=1 old_key=0x200003e6 new_key=0x200003e7
Mar 22 14:01:18 kernel: BLOG ERROR blog_request :blog_key corruption when adding flow net_p=ffffffc012d68010  dir=1 old_key=0x200003e7 new_key=0x200003e8
Mar 22 14:03:02 Skynet: [i] Mounting Skynet Web Page As user1.asp
Mar 22 14:03:08 kernel: BLOG ERROR blog_request :blog_key corruption when deleting flowfor net_p=ffffffc012d68010
Mar 22 14:04:02 kernel: BLOG ERROR blog_request :blog_key corruption when deleting flowfor net_p=ffffffc012d68010
Mar 22 14:04:11 kernel: BLOG ERROR blog_request :blog_key corruption when deleting flowfor net_p=ffffffc012d68010
Mar 22 14:04:11 kernel: BLOG ERROR blog_request :blog_key corruption when deleting flowfor net_p=ffffffc012d68010
Mar 22 14:04:11 kernel: BLOG ERROR blog_request :blog_key corruption when deleting flowfor net_p=ffffffc012d68010

Thanks for your fast reply and for the credits
 
Thanks for clarifying...isn't suggesting to use DDNS in the case of a non-static WAN address the best way to go??
It depends on the context - the OP had an issue with some modules not being installed locally - no real connection to DDNS. Also, if there is no desire/requirement to use the router as a server of sorts (which results from the next entry), then what's 'best' may be a moot issue.
Also, the script can handle either or - that was my message.

So while I'm in agreement that DDNS is the preferred approach I see no relation with the original issue.
 
So while I'm in agreement that DDNS is the preferred approach I see no relation with the original issue.
DDNS or a native static WAN IP preferred...that's what I was after. thank you.
 
Following this closely and will probably give this a try as soon as is is out of alpha/beta (or sooner). Looks really great and a big leap in the right direction!

Just some reflections/questions:
- What about policy based routing (client) for locally generated packets? Using source address 192.168.1.1 is at least not working for me today (ip rule add from...), need to use wan ip since source address is set based on most likely routing path which is routing out through wan. How to set this up in wg session manager? This would be packets originating from router software, i.e. Unbound or Transmission.

- I'm currently using x3mrouting to create ipsets which I then use to mark packets and choose routing path by manually adding them in wg-policy. Is there any support for adding custom scripts so I don't need to edit existing files that will be overwritten in the next update?

Keep up the great work!

//Zeb
 
I still have the same reboot problem, my wireguard server is active, but if I connect my road warrior client no download, no internet access, no lan access.
I have to launch wgm and select option 6 to restart the wireguard server and then it works fine.
Maybe I should put a scheduled task to restart the wireguard server after the router reboot ?
I also suspect that my scheduled tasks (skynet + diversion) break my wireguard server after some time.
What do you think?
I also use Diversion and Skynet and have not seen any need for a host peer restart after reboot (i.e. no need to run wgm restart wg2*.) As a side note I have the wg2* host peer set to Y (auto-restart) in the .conf file.

Do you see any wg_manager.sh entry in the /jffs/scripts/post-mount script? What router model and firmware do you have?
 
Hello Mr @Martineau
For update
I still have the same reboot problem, my wireguard server is active, but if I connect my road warrior client no download, no internet access, no lan access.
I have to launch wgm and select option 6 to restart the wireguard server and then it works fine.
Maybe I should put a scheduled task to restart the wireguard server after the router reboot ?
I also suspect that my scheduled tasks (skynet + diversion) break my wireguard server after some time.
What do you think?
I can't see anything in the info in your post that would indicate a conflict.

However, it could be our old friend a tardy NTP synch.

i.e. currently @boot, I simply blindly wait 2 secs before executing.

To test, I have now added an explicit check for NTP in my v4.0 Beta, and rebooted.

No NTP Synch panic message was triggered/displayed so NTP synch is not an issue for me, so no Peer restart @boot hack is necessary (as per @Torson's observation)

i.e. the first message containing '(wg_manager.sh)' shows that the clock was correctly set before starting the Peers.
Code:
Mar 23 11:25:10 RT-AC86U-6160 (wg_manager.sh): 2807 v4.01b9 Requesting WireGuard VPN Peer start (wg13 wg21 wg22 )
Mar 23 11:25:10 RT-AC86U-6160 (wg_manager.sh): 2807 v4.01b9 Initialising Wireguard VPN 'client' Peer (wg13)
Mar 23 11:25:10 RT-AC86U-6160 kernel: wireguard: WireGuard 1.0.20210219 loaded. See www.wireguard.com for information.
Mar 23 11:25:10 RT-AC86U-6160 kernel: wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

Can you confirm the timestamp of the WireGuard Manager messages in your Syslog during the next convenient boot? And could you issue the following if it is stuck, before and after the manual wgm restart:

Code:
e  = Exit Script [?]

E:Option ==> diag
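The explicit NTP check mentioned above, written out as an added example (not wg_manager's own code): poll until the clock is set instead of a blind `sleep 2`. It assumes Asuswrt-Merlin's `nvram get ntp_ready` (1 once synced) and falls back to a year heuristic; the tag `wg_ntp_example` and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example: wait for NTP before starting WireGuard Peers at boot.

# Log via syslog when possible, otherwise to stdout (keeps 'set -e' scripts alive
# on systems without /dev/log).
log_msg() {
  logger -t "wg_ntp_example" "$1" 2>/dev/null || echo "$1"
}

# Probe: true when the clock is trustworthy. Assumed: Asuswrt-Merlin sets the
# 'ntp_ready' nvram variable to 1 after the first successful sync. The fallback
# treats a year before 2020 as "clock still at the firmware epoch".
ntp_synced() {
  if command -v nvram >/dev/null 2>&1; then
    [ "$(nvram get ntp_ready 2>/dev/null)" = "1" ] && return 0
  fi
  [ "$(date +%Y)" -ge 2020 ]
}

# wait_for_ntp <timeout_seconds> <poll_interval_seconds>
# Returns 0 once synced, 1 on timeout; the caller decides whether to start anyway.
wait_for_ntp() {
  ntp_timeout="${1:-120}"
  ntp_interval="${2:-5}"
  ntp_waited=0
  while ! ntp_synced; do
    if [ "$ntp_waited" -ge "$ntp_timeout" ]; then
      log_msg "NTP not synced after ${ntp_timeout}s; Peer start may get the wrong time"
      return 1
    fi
    sleep "$ntp_interval"
    ntp_waited=$((ntp_waited + ntp_interval))
  done
  log_msg "Clock set after ${ntp_waited}s; safe to start Peers"
  return 0
}

# Typical use from post-mount (assumed path from the thread):
#   wait_for_ntp 120 5; /jffs/addons/wireguard/wg_manager.sh start
```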
 
Following this closely and will probably give this a try as soon as is is out of alpha/beta (or sooner). Looks really great and a big leap in the right direction!

Just some reflections/questions:
- What about policy based routing (client) for locally generated packets? Using source address 192.168.1.1 is at least not working for me today (ip rule add from...), need to use wan ip since source address is set based on most likely routing path which is routing out through wan. How to set this up in wg session manager? This would be packets originating from router software, i.e. Unbound or Transmission.

- I'm currently using x3mrouting to create ipsets which I then use to mark packets and choose routing path by manually adding them in wg-policy. Is there any support for adding custom scripts so I don't need to edit existing files that will be overwritten in the next update?

Keep up the great work!

//Zeb
wg_manager Beta v4.0 enforces management of a Peer database so upgrades and fresh installs should remain unaffected

i.e. through the console (or via a script for those SQL savvy enough)
Code:
e  = Exit Script [?]

E:Option ==> peer wg11 add ipset NetFlix Hulu

    [✔] Ipset 'NetFlix' Selective Routing added wg11

    [✔] Ipset 'Hulu' Selective Routing added wg11

        WireGuard ACTIVE Peer Status: Clients 1, Servers 2
Code:
e  = Exit Script [?]

E:Option ==> peer wg11

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP              Endpoint             DNS                     Public                                        Annotate                                   
wg11    N     10.66.16.14/32  82.106.142.93:51820  193.138.218.74          eKxLd40ozI//7rGo8t3VjglrCelxDY3Y+4BTEdmJSl0=  # Mullvad USA, New York

Peer  RPDB Selective Routing rules
wg11  <>

IPSet    Enabled  Peer  FWMark  DST/SRC
NetFlix  Y        wg11  0x1000  dst
Hulu     Y        wg11  0x1000  dst

ENABLED    WireGuard ACTIVE Peer Status: Clients 1, Servers 2
Code:
e  = Exit Script [?]

E:Option ==> peer wg11 auto=y

    [✔] Updated AUTO=Y:
Code:
e  = Exit Script [?]

E:Option ==> peer wg11

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP              Endpoint             DNS                     Public                                        Annotate                                   
wg11    Y     10.66.16.14/32  82.106.142.93:51820  193.138.218.74          eKxLd40ozI//7rGo8t3VjglrCelxDY3Y+4BTEdmJSl0=  # Mullvad USA, New York

Peer  RPDB Selective Routing rules
wg11  <>

IPSet    Enabled  Peer  FWMark  DST/SRC
NetFlix  Y        wg11  0x1000  dst
Hulu     Y        wg11  0x1000  dst
However, to remain backwards compatible, I have also now added two Event triggers UP and DOWN as per your suggestion

e.g.
Code:
${INSTALL_DIR}/Scripts/wg12-up.sh

${INSTALL_DIR}/Scripts/wg12-down.sh
 
I also use Diversion and Skynet and have not seen any need for a host peer restart after reboot (i.e. no need to run wgm restart wg2*.) As a side note I have the wg2* host peer set to Y (auto-restart) in the .conf file.

Do you see any wg_manager.sh entry in the /jffs/scripts/post-mount script? What router model and firmware do you have?
RT-AC86U, firmware Asuswrt-Merlin 384.17

my post-mount script
Code:
#!/bin/sh
swapon /tmp/mnt/250/myswap.swp # Swap file created by amtm


. /jffs/addons/diversion/mount-entware.div # Added by Diversion
/jffs/addons/wireguard/wg_manager.sh init "" & # WireGuard Manager
 
Looking for a couple of willing wg_manager Beta v4.0 testers...:)

What I need is someone brave enough to test the migration/conversion process where an in-situ v3.0 installation exists.

i.e. I want to gauge how successful the migration process/code actually is (without expecting a user to uninstall v3.0 then perform a fresh install of v4.0 which may be a tad inconvenient)

Please PM me and I'll send the instructions.
 
You have the private and public keys mixed up. The easiest approach while using the wgcf utility would be to first register an account and then generate the .conf file. Once you have the .conf file just copy the keys to wg11.conf. Everything else looks alright.
Hi, I'm sad, I can't get it to run...

Please have a look at my wgcf-profile.conf I generated on my PC.
[Interface]
PrivateKey = IEHeMhHGWIpsW5LZvuu1Tyun4TW+Jk+9ldVp4oolHEM=
Address = 172.16.0.2/32
Address = fd01:5ca1:ab1e:81fc:c572:50b1:e4f:5bc3/128
DNS = 1.1.1.1
MTU = 1280
[Peer]
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408
And this is my wg11.conf
[Interface]
#Address = 10.10.10.2/24
#DNS = 10.10.10.1
PrivateKey = IEHeMhHGWIpsW5LZvuu1Tyun4TW+Jk+9ldVp4oolHEM=

[Peer]
Endpoint = engage.cloudflareclient.com:2408
PublicKey = bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Is this OK?
Do I also have to change some other files? Like wg11_private.key or wg11_public.key?

After starting with "4", I get this:
1 = Update Wireguard modules
2 = Remove WireGuard/wg_manager
3 = List ACTIVE Peers Summary [Peer...] [full]
4 = Start [ [Peer [nopolicy]...] | category ] e.g. start clients
5 = Stop [ [Peer... ] | category ] e.g. stop clients
6 = Restart [ [Peer... ] | category ] e.g. restart servers
7 = Display QR code for a Peer {device} e.g. iPhone
8 = Peer management [ "list" | "category" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
9 = Create Key-pair for Peer {Device} e.g. Nokia6310i (creates Nokia6310i.conf etc.)

? = About Configuration
v = View ('/jffs/addons/wireguard/WireguardVPN.conf')

e = Exit Script [?]

E:Option ==> 3

WireGuard VPN Peer Status

interface: wg11 # ****THIS IS NOT A REAL PEER** Edit 'wg11.conf' with real DATA!
peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
transfer: 228 B received, 292 B sent

WireGuard ACTIVE Peer Status: Clients 1, Servers 0
But no website will load.
 
Hi, I'm sad, I can't get it to run...
Make sure that the wg11 line in /jffs/addons/wireguard/WireguardVPN.conf looks like this:
Code:
wg11       Y     172.16.0.2/32         engage.cloudflareclient.com:2408   1.1.1.1      #Cloudflare Warp
You can edit the file from the session manager screen - type vx, replace the wg11 line with the one above, press F3 to save and F2 to return to the options screen.
 
wg_manager Beta v4.0 enforces management of a Peer database so upgrades and fresh installs should remain unaffected

i.e. through the console (or via a script for those SQL savvy enough)
Code:
e  = Exit Script [?]

E:Option ==> peer wg11 add ipset NetFlix Hulu

    [✔] Ipset 'NetFlix' Selective Routing added wg11

    [✔] Ipset 'Hulu' Selective Routing added wg11

        WireGuard ACTIVE Peer Status: Clients 1, Servers 2
Code:
e  = Exit Script [?]

E:Option ==> peer wg11

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP              Endpoint             DNS                     Public                                        Annotate                                 
wg11    N     10.66.16.14/32  82.106.142.93:51820  193.138.218.74          eKxLd40ozI//7rGo8t3VjglrCelxDY3Y+4BTEdmJSl0=  # Mullvad USA, New York

Peer  RPDB Selective Routing rules
wg11  <>

IPSet    Enabled  Peer  FWMark  DST/SRC
NetFlix  Y        wg11  0x1000  dst
Hulu     Y        wg11  0x1000  dst

ENABLED    WireGuard ACTIVE Peer Status: Clients 1, Servers 2
Code:
e  = Exit Script [?]

E:Option ==> peer wg11 auto=y

    [✔] Updated AUTO=Y:
Code:
e  = Exit Script [?]

E:Option ==> peer wg11

    Peers (Auto=P - Policy, Auto=X - External i.e. Cell/Mobile)

Client  Auto  IP              Endpoint             DNS                     Public                                        Annotate                                 
wg11    Y     10.66.16.14/32  82.106.142.93:51820  193.138.218.74          eKxLd40ozI//7rGo8t3VjglrCelxDY3Y+4BTEdmJSl0=  # Mullvad USA, New York

Peer  RPDB Selective Routing rules
wg11  <>

IPSet    Enabled  Peer  FWMark  DST/SRC
NetFlix  Y        wg11  0x1000  dst
Hulu     Y        wg11  0x1000  dst
However, to remain backwards compatible, I have also now added two Event triggers UP and DOWN as per your suggestion

e.g.
Code:
${INSTALL_DIR}/Scripts/wg12-up.sh

${INSTALL_DIR}/Scripts/wg12-down.sh
Wow, This is just what I needed!

Any thoughts on how to set up rules for routing local packets through the VPN? Currently the best way I found was to use:
Code:
ip rule add iif lo table xxyyzz
since my wan ip changes every now and then.

//Zeb
 
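Zeb's two questions (ipset-marked traffic, and locally generated packets via `iif lo` rather than `from <router IP>`) as one added example, not code from wg_manager or x3mrouting. It emits the RPDB/iptables commands rather than applying them (`EMIT=echo`); wg11, table 121, fwmark 0x1000 and 192.168.1.0/24 come from the thread, while the rule priorities and the `suppress_prefixlength 0` guard are assumptions.

```shell
#!/bin/sh
# Added example: policy routing for a WireGuard 'client' Peer.
# Run as root with EMIT="" to apply; with the default EMIT=echo it only prints.

WG_IF="${WG_IF:-wg11}"
WG_TABLE="${WG_TABLE:-121}"
WG_FWMARK="${WG_FWMARK:-0x1000}"
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
EMIT="${EMIT:-echo}"

# Build the tunnel table and the RPDB rules. Order matters:
#  - main is consulted first but only for routes more specific than a default
#    (suppress_prefixlength 0), so the LAN and static routes keep winning;
#  - ipset hits (fwmark) and local processes (iif lo) then fall through to the
#    tunnel table, everything else stays on the WAN default route.
wg_policy_cmds() {
  $EMIT ip route replace default dev "$WG_IF" table "$WG_TABLE"
  $EMIT ip route replace "$LAN_CIDR" dev br0 table "$WG_TABLE"
  $EMIT ip rule add prio 100 lookup main suppress_prefixlength 0
  $EMIT ip rule add prio 110 fwmark "$WG_FWMARK" lookup "$WG_TABLE"
  # 'iif lo' matches packets generated on the router itself (Unbound, Transmission).
  # A 'from 192.168.1.1' rule does not, because the source address of a locally
  # generated packet is chosen from the route that wins, normally the WAN address.
  $EMIT ip rule add prio 120 iif lo lookup "$WG_TABLE"
}

# Mark forwarded (PREROUTING) and router-originated (OUTPUT) packets whose
# destination is in one of the named ipsets, e.g. NetFlix Hulu.
wg_ipset_mark_cmds() {
  for name in "$@"; do
    for chain in PREROUTING OUTPUT; do
      $EMIT iptables -t mangle -A "$chain" -m set --match-set "$name" dst \
        -j MARK --set-mark "$WG_FWMARK/$WG_FWMARK"
    done
  done
}

# Reverse of the above, for a wg11-down event hook.
wg_policy_teardown_cmds() {
  $EMIT ip rule del prio 120
  $EMIT ip rule del prio 110
  $EMIT ip rule del prio 100
  $EMIT ip route flush table "$WG_TABLE"
}

wg_policy_cmds
wg_ipset_mark_cmds NetFlix Hulu
```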
Make sure that the wg11 line in /jffs/addons/wireguard/WireguardVPN.conf looks like this:
Code:
wg11       Y     172.16.0.2/32         engage.cloudflareclient.com:2408   1.1.1.1      #Cloudflare Warp
You can edit the file from the session manager screen - type vx, replace the wg11 line with the one above, press F3 to save and F2 to return to the options screen.
Thanks, I did as you said. I use WinSCP to edit files on my router.
This is my WireguardVPN.conf
# NOTE: Auto=Y Command 'wg_manager.sh start' will auto-start this Peer
# Auto=P Command 'wg_manager.sh start' will auto-start this Peer using it's Selective Routing RPDB Policy rules if defined e.g 'rp11'
#
#
# VPN Auto Local Peer IP Remote Peer Socket DNS Annotation Comment
wg11 Y 172.16.0.2/32 engage.cloudflareclient.com:2408 1.1.1.1 #Cloudflare Warp
wg12 N xxx.xxx.xxx.xxx/32 209.58.188.180:51820 193.138.218.74 # Mullvad China, Hong Kong
wg13 N xxx.xxx.xxx.xxx/32 103.231.88.18:51820 193.138.218.74 # Mullvad Oz, Melbourne
wg14 N xxx.xxx.xxx.xxx/32 193.32.126.66:51820 193.138.218.74 # Mullvad France, Paris
wg15 N #

# For each 'server' Peer you need to allocate a unique VPN subnet
# VPN Subnet
wg21 N 10.50.1.1/24 # RT-AC86U Local Host Peer 1
wg22 N 10.50.2.1/24 # RT-AC86U Local Host Peer 2

# The following default 'wg0' interface retained for backward compatibility!
wg0 N xxx.xxx.xxx.xxx/32 86.106.143.93:51820 193.138.218.74 # Mullvad USA, New York

# RPDB Selection Routing rules same format as 'nvram get vpn_clientX_clientlist'
# < Desciption > Source IP/CIDR > [Target IP/CIDR] > WAN_or_VPN[...]
rp11 <>
rp12
rp13 <Dummy VPN 3>172.16.1.3>>VPN<Plex>172.16.1.123>1.1.1.1>VPN<Router>172.16.1.1>>WAN<All LAN>172.16.1.0/24>>VPN
rp14
rp15 <Router>192.168.1.0/24>>VPN<LAN>192.168.1.1>>WAN

# Custom 'client' Peer interfaces - simply to annotate
SGS8 N 1.2.3.4 xxx.xxx.xxx.xxx dns.xxx.xxx.xxx # A comment here
wg0-client5 N 4.3.2.1 # Mullvad UK, London

# Categories
NoNe=

# WAN KILL-Switch
#KILLSWITCH

# Optionally define the 'server' Peer 'clients' so they can be identified by name in the enhanced WireGuard Peer status report
# (These entries are automatically added below when the 'create' command is used)
# Public Key DHCP IP Annotation Comment
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= 10.50.1.11/32 # A Cell phone for 'server' 1
Still, websites won't load. I think I cannot resolve DNS.
 
You can try replacing both occurrences of 'engage.cloudflareclient.com:2408' with 162.159.192.1:2408.

Run diag, sanitize it and post here.
 
You can try replacing both occurrences of 'engage.cloudflareclient.com:2408' with 162.159.192.1:2408.

Run diag, sanitize it and post here.
This is the output of diag:
E:Option ==> diag

WireGuard VPN Peer Status

interface: wg11 #Cloudflare Warp
public key: LV3dypJQPVbpU62iCthHmM1pARGChvUjRUgUizy3G04=
private key: (hidden)
listening port: 37735

peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
endpoint: 162.159.192.1:2408
allowed ips: 0.0.0.0/0
latest handshake: 3 seconds ago
transfer: 344 B received, 420 B sent
persistent keepalive: every 25 seconds

DEBUG: Routing Table main

0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link

DEBUG: Routing Table 121 (wg11) #Cloudflare Warp

0.0.0.0/1 dev wg11 scope link
128.0.0.0/1 dev wg11 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1

DEBUG: RPDB rules

0: from all lookup local
32766: from all lookup main
32767: from all lookup default

DEBUG: Routing info MTU etc.

36: wg11: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 172.16.0.2/32 scope global wg11
valid_lft forever preferred_lft forever

DEBUG: UDP sockets.

udp 0 0 0.0.0.0:37735 0.0.0.0:* -
udp 0 0 :::37735 :::* -

DEBUG: Firewall rules

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- br2 wg11 0.0.0.0/0 0.0.0.0/0 /* WireGuard Guest_VLAN */
2 0 0 ACCEPT all -- br1 wg11 0.0.0.0/0 0.0.0.0/0 /* WireGuard Guest_VLAN */

Chain POSTROUTING (policy ACCEPT 2 packets, 152 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE all -- * wg11 192.168.0.0/16 0.0.0.0/0 /* WireGuard 'client' */

Chain POSTROUTING (policy ACCEPT 68 packets, 11494 bytes)
num pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 72 packets, 12262 bytes)
num pkts bytes target prot opt in out source destination


WireGuard ACTIVE Peer Status: Clients 1, Servers 0
Edit:
The first public key listed in diag..., I don't know this key or where it comes from...
 
This is the output of diag:
Looks pretty much the same as my working configuration...

Did you reboot the router at any point during all the testing?
To check that the .conf file is valid, you can download the wireguard software of your choice from here: https://www.wireguard.com/install/. Load the .conf file and see where it takes you....
 
I did not reboot the router anytime.
The .conf is working fine when I import it in Wireguard on PC...
I don't understand why it's not working on my AC86U...

Edit:
Maybe I get some fundamentals wrong. Do I need a "server" running on my router? I don't need encryption "behind" my router.
I wish, that my router establishes the WARP tunnel, so all my traffic from the clients connected to the router is routed through WARP.
I have a very basic setup. My router (192.168.1.1) connects via PPPoE to the internet. My clients (1 phone, 1 PC and 1 iPad) are connected to the router.

Edit:
How can I set MTU?
 