Wireguard Session Manager - Discussion thread (CLOSED/EXPIRED Oct 2021 use http://www.snbforums.com/threads/session-manager-discussion-2nd-thread.75129/)

Will that also wipe all of my configs?
I downloaded Sqlite Editor Master for Android to fix various quirks from my initial attempts. It was remarkably easy to use to alter, add or delete things in the database. I usually end up using this tool on my phone instead of the commands in wgm.
The arrangement of data in the database is so intuitive that I would recommend stopping wgm, editing the bad entries out of the database, putting it back and starting wgm again.
Keep a copy of the original database just in case.
You will find the database here: /opt/etc/wireguard.d/wireguard.db

//Zeb
 
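The stop / back up / edit / restart procedure described above, as an added shell example (not wg_manager's own code and not something any poster wrote). It takes a byte-verified copy of the database before anything is touched, runs the edit in a single transaction so a bad statement rolls back, and puts the backup back if the edit fails. The database path is the one given in the thread (both 'wireguard.db' and 'WireGuard.db' spellings appear in the thread; use whichever exists on your router). The Entware package name 'sqlite3-cli' and the table and column names in the usage comment are assumptions. The wg_manager stop and start steps are whatever commands you normally use and are not shown here.

```shell
#!/bin/sh
# Added example, not wg_manager's code: safe hand-editing of the SQLite
# database. Path from the thread; 'sqlite3-cli' package name is an assumption.

DB_DEFAULT=/opt/etc/wireguard.d/WireGuard.db

# backup_db DBFILE [DESTDIR]: copy to DESTDIR/<name>.<timestamp>.bak, verify
# the copy byte-for-byte against the original, and print the backup path.
backup_db() {
    db=$1
    dest=${2:-$(dirname "$db")}
    [ -f "$db" ] || { echo "backup_db: no such file: $db" >&2; return 1; }
    bak="$dest/$(basename "$db").$(date +%Y%m%d-%H%M%S).bak"
    cp "$db" "$bak" || return 1
    cmp -s "$db" "$bak" || { echo "backup_db: copy does not match original" >&2; return 1; }
    echo "$bak"
}

# restore_db BACKUP DBFILE: put the backup back over the live database.
restore_db() {
    [ -f "$1" ] || { echo "restore_db: no such backup: $1" >&2; return 1; }
    cp "$1" "$2"
}

# edit_db DBFILE SQL: run SQL inside one transaction (so an error rolls the
# whole change back), then confirm the file is still structurally sound.
# Needs the sqlite3 CLI (assumed Entware package: opkg install sqlite3-cli).
edit_db() {
    command -v sqlite3 >/dev/null 2>&1 || { echo "edit_db: sqlite3 CLI not installed" >&2; return 2; }
    sqlite3 "$1" "BEGIN; $2; COMMIT;" || return 1
    [ "$(sqlite3 "$1" 'PRAGMA integrity_check;')" = ok ]
}

# safe_edit DBFILE SQL: backup first, edit, and restore the backup on failure.
# Returns 0 only if the edit was applied and the database still checks out.
safe_edit() {
    bak=$(backup_db "$1") || return 1
    if edit_db "$1" "$2"; then
        echo "edit applied; backup kept at $bak"
    else
        echo "edit failed; restoring $bak" >&2
        restore_db "$bak" "$1"
        return 1
    fi
}

# Usage (after stopping wg_manager; table/column names below are made up):
#   safe_edit "$DB_DEFAULT" "DELETE FROM policy WHERE peer='wg12' AND dst='bogus'"
```

The backup is deliberately left in place after a successful edit; delete it yourself once wg_manager has been restarted and the peers come up cleanly.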
I'm using a similar approach to editing the database - if really required - on Ubuntu and Win 10: https://sqlitebrowser.org. It can also be used as an editing addon to WinSCP (which runs natively on Win 10 and with some Wine on Ubuntu.)

That being said, there are 3 parameters (known to me) that would also need an update in the respective wgxx.conf file: the private & public keys and the Endpoint.

The database on my routers is: /opt/etc/wireguard.d/WireGuard.db.
 
@Martineau, here are 2 (aesthetic) issues I recently encountered:

- if a client peer is stopped before any traffic has passed through it, it comes up with:
Code:
E:Option ==> 5 wg12

        Requesting WireGuard VPN Peer stop (wg12)

expr: non-numeric argument
expr: non-numeric argument
expr: non-numeric argument
[: 0: unknown operand
        wg12: transfer: 31.82 KiB received, 27.12 KiB sent              0 Days, 00:02:46 from 2021-07-18 09:43:24 >>>>>>
        wg12: period : N/A received, N/A sent (Rx=;Tx=)
        wireguard-clientwg12: Removing Wireguard 'client' Peer rule 9921 from routing policy

- Reverse Path Filtering status is now shown as enabled or disabled, as a toggle. However, there are 3 possible states for the filter, and a value of '2' will show it as disabled.

...other than that, 'wg_manager' is still going strong (and spectacularly fast) in parallel with the revamped OVPN F/W with selective IPset and policy-based routing.

EDIT - I believe that the first one is addressed in 'b9' - thank you!
 
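The three-state point above, as an added shell example (not wg_manager's code and not posted by anyone in the thread). The Linux rp_filter sysctl takes 0 (off), 1 (strict, RFC 3704) and 2 (loose), and the kernel applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter to each interface, so a two-state display can report a loose filter as "disabled" and can also miss the case where 'all' overrides a per-interface 0. The functions read the real /proc tree by default; the SYSCTL_CONF override exists so they can be exercised against a constructed directory, and the interface names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not wg_manager's code: report the effective reverse-path
# filter mode per interface (max of all/ and <iface>/, three possible values).
# SYSCTL_CONF is overridable so the functions can run on a constructed tree.

SYSCTL_CONF=${SYSCTL_CONF:-/proc/sys/net/ipv4/conf}

# rp_label VALUE: human-readable name for an rp_filter value
rp_label() {
    case $1 in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo "unknown($1)" ;;
    esac
}

# rp_effective IFACE: the value the kernel actually enforces on IFACE,
# i.e. the larger of conf/all/rp_filter and conf/IFACE/rp_filter.
rp_effective() {
    all=$(cat "$SYSCTL_CONF/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$SYSCTL_CONF/$1/rp_filter" 2>/dev/null || echo 0)
    if [ "$own" -gt "$all" ]; then echo "$own"; else echo "$all"; fi
}

# rp_report: one line per real interface showing its own setting and the
# effective mode; 'all' and 'default' are templates, not interfaces.
rp_report() {
    for d in "$SYSCTL_CONF"/*/; do
        i=$(basename "$d")
        case $i in all|default) continue ;; esac
        printf '%-8s own=%s effective=%s\n' "$i" \
            "$(cat "$d/rp_filter")" "$(rp_label "$(rp_effective "$i")")"
    done
}

# Usage on the router (interface names assumed):
#   rp_report
#   rp_label "$(rp_effective wg11)"
```

A wg client peer whose own rp_filter is 0 will still be strictly filtered if conf/all/rp_filter is 1, which is the kind of return-path problem a plain enabled/disabled toggle cannot show.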
As I sit here in a remote location, how I wish Wireguard was supported on the AX58U...

Do you have another linux machine, RasPi, or old laptop hiding in a closet? Install wireguard on those and port forward to that machine.

I loved having wireguard on my AC86, until an entware update to wireguard totally destroyed my configs. I had a Ubuntu AD DC lab machine handy, so I ended up putting wireguard server on it. Not ideal, but it will get you back working remote again
 
Thanks, I might try this - I usually have a Pi ready for trying new things.
I do unfortunately miss out on @Martineau's fine script though...
 
@Martineau I would like to put out an idea for improvement / seed for discussion.

I was impressed when I saw you matched the client peer source VPN rules to create DNAT entries for the DNS redirect to the VPN DNS. This was really clever!
It got me thinking: would it be possible to do the same for masquerading?

Currently only the LAN subnet source address is masqueraded, and when using YazFi (or maybe even a wg server routed out a wg client?) it would be really nice to have the masquerading included automagically.

Good or bad idea?

//Zeb
 
Never installed YazFi, so wouldn't know where its subnet config is stored.

However, I assume you have already used the appropriate unbound_manager (or firmware firewall) event script to achieve your goal?
 
Well, yes, of course. I typically put this in wg11-up.conf. I just figured it could be done by the script automatically, in the same fashion as you already do with the DNS DNAT, as a possible improvement. The suggestion is not specifically linked to YazFi, but there could be any number of reasons that another subnet should be routed out wg (e.g. an OVPN server whose clients access the internet through wg).

Adding a custom script and/or configuration is not really a practical problem (for most of us), but it would ease usage and management if done automatically, although at the same time it would limit the possibilities.

If I add a wg VPN rule to route e.g. 192.168.2.40/32 to VPN in the wg11 peer config, you automatically create a DNAT for 192.168.2.40/32 for DNS purposes. My suggestion is that in the same way you could add masquerading for 192.168.2.40/32, as the user obviously wants to route this IP/range to the wg client and we could expect packets from this source. No need to access any external config.
But maybe it is not right to anticipate that masquerading is always wanted/needed?

Or, if you think it's just a bad idea or not worth the effort, I'll be completely fine with it, but I would appreciate your opinion.

//Zeb
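The per-source masquerade that the poster above adds by hand in wg11-up.conf, as an added shell example (not wg_manager's code and not what any poster wrote). It is written so it is idempotent (check with -C before -A, so re-running the up hook does not stack duplicate rules) and reversible from the matching down hook, and it binds each rule to the tunnel interface with -o so only traffic actually leaving via wg11 is rewritten. The interface name wg11 and the DNAT-by-source idea are from the thread; the source list, the use of the up/down hooks, and the IPT override (which lets the logic run against a stand-in for iptables) are assumptions.

```shell
#!/bin/sh
# Added example, not wg_manager's code: idempotent, reversible MASQUERADE
# rules for extra source ranges routed into a wg client peer.
# wg11 is from the thread; MASQ_SOURCES values are made up.

IPT=${IPT:-iptables}
WG_IF=${WG_IF:-wg11}
# Sources outside the LAN subnet that are policy-routed into the tunnel
# and therefore need SNAT to the tunnel address (assumed values).
MASQ_SOURCES=${MASQ_SOURCES:-"192.168.2.40/32 192.168.5.0/24"}

# masq_rule SRC: the rule spec shared by -C/-A/-D, so all three stay in sync
masq_rule() {
    echo "POSTROUTING -s $1 -o $WG_IF -j MASQUERADE"
}

# masq_add SRC: append the rule only if it is not already present.
# $(masq_rule) is intentionally unquoted: it must split into arguments.
masq_add() {
    $IPT -t nat -C $(masq_rule "$1") 2>/dev/null || $IPT -t nat -A $(masq_rule "$1")
}

# masq_del SRC: delete the rule if present; absence is not an error
masq_del() {
    if $IPT -t nat -C $(masq_rule "$1") 2>/dev/null; then
        $IPT -t nat -D $(masq_rule "$1")
    fi
}

# masq_apply up|down: walk the source list (call 'up' from wg11-up.conf
# and 'down' from wg11-down.conf; hook usage is an assumption)
masq_apply() {
    for src in $MASQ_SOURCES; do
        case $1 in
            up)   masq_add "$src" ;;
            down) masq_del "$src" ;;
            *)    echo "usage: masq_apply up|down" >&2; return 1 ;;
        esac
    done
}

# Usage: masq_apply up     (from the up hook)
#        masq_apply down   (from the down hook)
```

Restricting the rule to -o wg11 matters: a bare "-s 192.168.2.40/32 -j MASQUERADE" in POSTROUTING would also rewrite that host's traffic when the tunnel is down and the packets fall back to the WAN, which is exactly the leak a kill switch is meant to prevent.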
 
Note: wg_manager.sh: ipk-module cannot be downloaded (request error 404)
 
Is this WireGuard script still in beta? I would like to try it out, but I'm currently using unbound and OpenVPN. Would I need to disable OpenVPN first, or do the script commands do this automatically?

It would be nice, once it's out of beta, to possibly include it in amtm. Hopefully in the near future.
 
As it stands, it's still in beta (a very solid one, though.)
About the OpenVPN questions - the wg_manager.sh script does not disable OpenVPN, and depending on how you wish to proceed there may be no need to disable it.

I still have 4 OVPN clients with some @Xentrk selective routing at full steam for things that (I believe) need the proven OVPN platform. At the same time I have 4 wg client peers and one server peer running in parallel with the same kind of selective routing (manually set up). They coexist and perform very well in parallel. Selective IPset routing works among clients of the same sort.
The decision point, though, is whether you want to route your entire network through a tunnel or not. In my case, I never felt the need to have every single device on the network redirected through a VPN. I selectively route IPs and CIDRs through different VPN clients, and that's how it all works together.

Even so, there is a very important aspect to consider - OVPN has a client-based kill switch while wg_manager.sh has a global one. In other words, if you want to redirect the whole network through a VPN client, the simple, reasonable approach would be to use one or the other.
 
IIRC, recent firmwares appear to masquerade everything for OpenVPN? - so perhaps a precedent has already been set regardless of any security implications/personal concerns etc.

So I may reconsider adding the wg auto masquerade in a future update, if I have time to determine the best implementation method/criteria.
 
@ the developers: a question, is it possible to change the "ListenPort" with "peer wg21 port=44820"? Or is the change in wg21.conf sufficient?
 
IIRC, currently (for both Server and Client) the value defined in the WireGuard .conf file is used.
 
Has anyone noticed Tailscale.com riding these coattails commercially?
I'd like to know if the config is as automagic as they imply.
 
The one potentially encouraging thing about Tailscale is that it uses the user space Go variant of Wireguard. If we can convince @ryzhov_al to add wireguard-go to Entware it could open up Wireguard to more of our routers (like AX58U).
 
Ah, you're aware... good. But my understanding is that the Go version has more security issues, so if that's correct and unremedied, this implementation may be a better one.
 
There could still be hope for WireGuard on the AX58U. Asus has started to beta 386 rc3 and it includes (among other things) WireGuard server and client support for AX routers:

I'm hoping that this support extends to the AX58U. No compiled version yet, but I will keep an eye out.

@Martineau , looks like you will need to make a few mods to Session Manager.
 
