Releases: MartineauUK/wireguard
Production Stable Release
Stable Release (2 month Roll-up from Development)
Production Stable Release
Stable Release (2 month Roll-up from Development)
Production Stable Release
FIX: When creating Road Warrior peer 'create xxxx' eliminate spurious prompt for non-existent 'server' Peer
Press y to ADD device Peer 'xxxx' to remote 'server' Peer () or press [Enter] to SKIP.
y
cat: can't open '/tmp/xxxx.conf': No such file or directory
cat: can't open '/opt/etc/wireguard.d/_public.key': No such file or directory
FIX: 'create xxxx site=ssss' command defaults to DNS '1.1.1.1'; should include tunnel DNS servers i.e. '10.9.8.1,1.1.1.1'
FIX: 'peer xxxx del' for a Site-to-Site 'server' should delete its sibling 'device' Peer
CHANGE: Allow 'auto=S' when creating/importing Site-to-Site 'server' Peer
CHANGE: When creating a new Road Warrior Peer, only display QRCode if it is bound to its target 'server' Peer
FIX: Command 'peer xxxx comment This is a descriptive comment' request was not applied for 'device' Peers
FIX: Command 'site2site Home Cabin' now includes 'Home.conf' in list of files to be ported to remote site and instructions to then import as 'device'
CHANGE: Reorder Peer initialisation sequence during @boot 'start' command i.e. Servers first but in ascending order 'wg21' then 'wg22' etc.
CHANGE: Before appending Road Warrior Peers to 'server' Peer .conf file(s); delete all trailing blank lines.
EXPERIMENTAL: Add 'bind' option 'peer server_peer bind device_peer [allowed_ips]' e.g. peer wg21 bind iPad
FIX: When initialising 'server' Peer, route for its Subnet (say 10.50.1.1/24) is already added to 'wg2x' interface, but processing function cmd(); 'AllowedIPS=' Road Warrior 'client' Peer can generate duplicates:
ip route add 10.50.1.2/32 dev wg21
RTNETLINK answers: File exists
FIX: Command 'peer new wg27' fails because 'ip=' directive is not specified, so imply/use 'ip=10.50.7.0/24'
***ERROR: '' must be IPv4 CIDR
CHANGE: If using wg-quick Pre*/Post* directives in the .conf files, attempt to prevent duplicate firewall rules being created on Peer initialisation.
FIX: Issue 'chmod 600 ${CONFIG_DIR}wgxx.conf' etc. for 'import xxxx/peer new' and 'site2site' commands to prevent wg-quick issuing
"Warning: '/opt/etc/wireguard.d/wgxx.conf' is world accessible"
FIX: 'unbound' file reference corrected to 'wg_manager'
CHANGE: Change 'livin' command to allow any source IP/CIDR
NEW: 'menu [ hide | show ]' to temporarily suppress the menu being displayed after every command (useful on mobiles)
Uncomment 'NOMENU' in '/jffs/addons/wireguard/WireguardVPN.conf' for permanent suppression.
NEW: 'colo[u]r { on | off }' to permanently disable the ANSI/ASCII colour/attribute escape sequences
CHANGE: Suppress ANSI colours/attributes escape sequences if menu command 'colo[u]r off' was used.
FIX: Revert detection of possible duplicate 'AllowIPs' routes for Site-to-Site 'server' Peers- SNB Forums member @jgrana
FIX: 'site2site' command prevent duplicate site names
CHANGE: Recognise/allow use of '^MTU =' in 'server' .conf to override 1420 default - SNB Forums member @bearnet
FIX: 'site2site' command should not allow duplicate site names
CHANGE: 'site2site' command will (if 7z installed) now create ZIP file of remote Peer files to be copied to remote site
WireGuard Site-to-Site Peers Home and Cabin created
Copy Cabin/Home files: (included in ZIP '/opt/etc/wireguard.d/WireGuard_Cabin.7z')
2022-02-17 09:01:49 ....A 645 395 Cabin.conf
2022-02-17 09:01:33 ....A 45 49 Cabin_private.key
2022-02-17 09:01:33 ....A 45 49 Cabin_public.key
2022-02-17 09:01:49 ....A 642 393 Home.conf
2022-02-17 09:01:33 ....A 45 49 Home_private.key
2022-02-17 09:01:33 ....A 45 49 Home_public.key
to remote location
Import Home.conf on remote site using 'import Home type=device'
Press y to import Home or press [Enter] to SKIP.
Import Home.conf on remote site using 'import Home type=device'
CHANGE: 'site2site' command will not add remote SiteB to SQL table 'devices' unless local SiteA .config is imported.
NEW: Include @ZebMcKayhan's 'wgmExpo.sh' script during install/'uf' request
NEW: Expose 'uninstall' to command line
NEW: Expose menu option (3) 'list' to command line
FIX: Generate Stats for Site-to-Site configuration ALWAYS shows Bytes received Rx=0; Bytes sent Tx=0 for 'Period:' - Thanks SNB forums member @jgrana
Feb 24 03:59:00 RT-AX86U-Cabin (wg_manager.sh): 21734 Home: transfer: 94.80 MiB received, 163.31 MiB sent 1 days 09:39:35 from 2022-02-22 18:19:25
Feb 24 03:59:00 RT-AX86U-Cabin (wg_manager.sh): 21734 Home: period : 0 Bytes received, 0 Bytes sent (Rx=0;Tx=0)
NEW: If Site-to-Site configuration uses DDNS as the Endpoints rather than resolved IPv4(IPv6?) addresses, then use cru (cron) to schedule 'wg_ChkEndpointDDNS.sh' to refresh the DDNS IP address if Peer is found to be dormant.
NOTE: This is also applicable to 'client' Peers although most WireGuard VPN ISPs such as Mullvad only use resolved IPv4(IPv6?) Endpoint addresses?
(Road Warrior Peers will be exposed unless they can use say Tasker on Android etc. to perform a similar function otherwise force restart the Road Warrior WireGuard connection profile).
FIX: Site-to-Site for hourly ('generatestats') Period metrics are negative???.... Beta fix to attempt to reset on interface start....
NEW: Creation of a 'server' Peer can now be IPv4 (default or forced via 'NOIPV6') or Dual-stack (IPv4+IPv6) or IPv6 ONLY.
peer help
peer new [peer_name [options]] - Create new server Peer e.g. peer new wg27 ip=10.50.99.1/24 port=12345
peer new [peer_name] {ipv6} - Create new IPv4+IPv6 server Peer e.g. peer new ipv6
peer new [peer_name] {ipv6 noipv4} - Create new IPv6 Only server Peer e.g. peer new ipv6 noipv4
NEW: Creation of a Road-Warrior 'client' Peer will honour the 'server' Peer it is bound to - i.e. 'client' Peer Address = IPv4 (default) or IPv4+IPv6 or IPv6 Only
NEW: Expose menu option '?' to command line
FIX: Allow user to specify both IPv4 & IPv6 subnets when creating the Dual-stack 'server' Peer
peer new ip=192.168.100.1/24 ipv6=fc00:192:168:100::1/64
FIX: Reinstate missing 'server' Peer rule 'iptables -I FORWARD -i $VPN_ID -j ACCEPT' - SNB Forums member @ZebMcKayhan
FIX: When creating 'server' Peer, only NAT IPv4 addresses
CHANGE: When creating 'server' Peer, add both IPv4 & IPv6 addresses to interface for Dual-stack (IPv4+IPv6)
FIX: Creating Road-Warrior 'device' Peer uses corrupted IPv6 - Thanks SNB Forums member @ZebMcKayhan
e.g. ipv6=fc00:192:168:100::1/64 used to create 'server' Peer but
Road-Warrior 'device' Peer iPhone assigned fc00:192:168::2/128
FIX: Road-Warrior 'device' Peers get duplicate IPv6 address
NEW: Allow purging of stale statistics records using command
trimdb { '?' | days [ 'traffic' | 'sessions' ] ['auto'] }
e.g. Manually schedule cron to purge records older than 90 days @07:00 every Sunday
cru a Wireguard_Database "0 7 * * 6 /jffs/addons/wireguard/wireguard_manager.sh trimdb 90"
trimdb ?
Table traffic: oldest Tue Mar 8 11:09:17 2022 records 12345
Table session: oldest Mon Mar 7 20:08:30 2022 records 45
Production Stable Release
Update wg_manager.sh
HOTFIX: 'wg' module not downloaded for any model eek!
FIX: Correct Kernel module 3rd-party download filename for RT-AX86U i.e. "k27" ==> "k52"
FIX: During import, comment-out 'Listenport = 51820' from Torguard generated 'client' .config, as when installed on a device it's both a 'server' and 'client' but this conflicts with router 'server' Peer 'wg21'
FIX: Correct 'Is_IPv4_CIDR()' function (it didn't explicitly validate the '/xx' suffix to be in range 1x-32)
CHANGE: Command 'vpndirector clone [ [ { wan | openvpn_index [ wireguard_index ]} ]' now allows selecting which OVPN VPN Director rules are cloned and allows Wireguard interface redirect.
NEW: 'peer wg1x add subnet [ ip_subnet ]...' command to facilitate downstream subnets such as WiFi Guests.
NEW: 'useentware [ yes | no ]' command to set 'USEENTWAREMODULES' config directive.
CHANGE: '?' command includes display of 'USEENTWAREMODULES' status if Firmware contains modules.
NEW: 'peer wg2x port=nnnnn' command allows changing 'ListenPort' for 'server' Peers where the default Port 51820 may conflict with Torguard 'client' Peers.
FIX: When terminating a 'client' Peer, its metrics report can still fail with non-numeric arithmetic operations e.g. 'expr nn - *'
FIX: amtm install will retain existing '/opt/etc/wireguard.d/WireGuard.db' Peer definitions if they exist.
FIX: To prevent stalls when 'wgm' is used to show initial menu, change 'iptables -L FORWARD' to 'iptables -nvL FORWARD'
FIX: 'AllowedIPs' routes not honoured i.e. default ALL routes '0.0.0.0/0' and '::/0' always set; and command doesn't update .config
FIX: 'vpndirector' command does not clone VPN Director OVPN4/5 rules
CHANGE: 'peer wg1x allowedips=[ list of_IPs_or subnets | default | default6 | 4 | 6 ] [,]...]' command
CHANGE: 'diag' command will list ALL defined SQL tables with their individual schema definitions.
NEW: Allow use of 'PreUp', 'PostUp', 'PreDown' and 'PostDown' directives in 'client' Peer .conf
NEW: Expose option '12' - 'vpndirector [ "clone" [ "wan" | "ovpn"n [ changeto_wg1n ]] | "delete" | "list" ]' command in menu
FIX: 'create new' command doesn't save Public Key, (it saved Private Key twice)
NEW: 'fc [ enable | disable | ? ]' command to manage Flow Cache status
NEW: Use of 'PreUp', 'PostUp', 'PreDown' and 'PostDown' directives in 'client' Peer .conf now allows special '%i' placeholder to be substituted for the current interface
FIX: Remove spurious text from error message; change 'Invalid Option " Invalid Option "dfgh" Please enter a valid option" Please enter a valid option' to 'Invalid Option "dfgh" Please enter a valid option" Please enter a valid option'
FIX: For Alpha releases use 'nvram get innverver' otherwise use 'nvram get extendno' to identify firmware
Alpha: Router RT-AC86U Firmware (v3.0.0.4.386.4_beta1)
Beta: Router RT-AC86U Firmware (v386.4_beta3)
NEW: 'pgupkey { on | off }' command to allow ENABLING/DISABLING the use of 'Pg-Up' Key to retrieve any of the previous five commands
NEW: Use of 'PreUp', 'PostUp', 'PreDown' and 'PostDown' directives in 'server' Peer .conf now allows special '%i' placeholder to be substituted for the current interface
FIX: '?' command incorrectly reports status of 'Pg-Up' key feature as ALWAYS DISABLED
FIX: 'peer wgnn delX' to force deletion of orphan entry in a 'server' Peer .conf for nominated 'client' doesn't remove the peer entry
FIX: 'server' Peers do not honour/create multiple 'client' AllowedIPs routes
FIX: 'create xxxx' command should not allow single/double quotes in the name xxxx
FIX: 'import' command should comment out 'SaveConfig =' directive in Peer .conf
CHANGE: Explicitly reference Busybox version of '/bin/uname' as Entware version (coreutils-uname installed) now reports different output - Thanks SNB Forums member @HTMLSpinnr
CHANGE: Use of 'PreUp', 'PostUp', 'PreDown' and 'PostDown' directives in Peer .conf now allows multiple commands per line separated with ';'
NEW: Use of 'PreUp', 'PostUp', 'PreDown' and 'PostDown' directives in Peer .conf now allows special '%w' placeholder to be substituted for the current WAN interface
FIX: Command '2|z|remove' now prompts for confirmation BEFORE removing wireguard_manager - @SNB Forums member @ZebMcKayhan
CHANGE: 'list' command will identify 'client' Peer Endpoint by actual physical Endpoint (rather than extract from .conf/SQL)
CHANGE: 'list' command 'underline' attribute for default 'client' changed to 'reverse' attribute
CHANGE: Improve 'vpndirector' rule parsing for clone request
CHANGE: Improve IPv6 rules ?
NEW: Strip 'SaveConfig =' directive from 'client' Peer .conf
NEW: Command 'start ['interface'|'category'] [debug]' command now allows 'debug' literal for verbose display of 'client' Peer 'ip/iptables' commands issued - similar to wg-quick (c)
NEW: If 'client' Peers in Policy mode have been set to 'auto=N'; allow command 'start [policy] wg1x' to override 'auto=N' per client - @SNB Forums member @abir1909
EXPERIMENTAL: For 'client' Peer add cURL connectivity test to Mullvad to retrieve actual server that is connected.
FIX: Using command 'uf [dev]', explicitly 'stop' ALL Peers BEFORE the Kernel modules are unloaded/reloaded (prevents WGDNSx errors)
FIX: Command '1/Update' should only reload WireGuard Kernel module if it is already in firmware rather than perform FULL wireguard_manager install.
FIX: Message 'Press Y to Remove WireGuard ('/opt/etc/wireguard.d/') or press [Enter] to cancel request.' changed to 'Press Y to Remove WireGuard Manager or press [Enter] to cancel request.' or if WireGuard isn't in the firmware 'Press Y to Remove WireGuard/WireGuard Manager or press [Enter] to cancel request.'
FIX: Allow mix of IPv4 and IPv6 DNS for a 'client' Peer, and assign Policy IPv4/IPv6 IPs to their appropriate DNS chain. Also correctly tear down DNS -t nat chains etc.
FIX: RT-AX86U - issues error 'non local variable'
FIX: Remove route from table main, and IPv6 RPDB rules for 'stop wg1x' command - @SNB Forums member @ZebMcKayhan
FIX: 'peer wg2x delX' command baulks if there are no wg2x.configs (doesn't detect 'server' type so fallback to name check i.e. wg2x)
NEW: If 'client' Peers in Policy mode ('auto=P'); allow command 'start [nopolicy] wg1x' to override 'auto=P' per client
NEW: Allow 'client' Peer cURL Endpoint connectivity test per interface for retrieve of actual server that is connected. see WireguardVPN.conf
FIX: 'diag' command uses "SELECT name FROM sqlite_schema"; sqlite3 v3.25 included in firmware but feature requires v3.33 from Entware ('opkg install sqlite3-cli')
FIX: Add explicit IPv6 LAN to 'client' Peer rule in lieu of the missing ASUS IPv6 firmware rule 'LAN to ANY'
CHANGE: Enhance Command input validation to trap typos such as 'stopwg22' from being interpreted/executed as 'stop' ALL!
CHANGE: Add missing ASUS IPv6 LAN to ANY rule 'ip6tables -I FORWARD -i br0 -j ACCEPT'
CHANGE: Creation of 'server' Peer i.e. 'peer new' command, add '#Address =' for documentation to .conf, and remove messy comment block
CHANGE: Allow/document 'peer import' command - same as 'import' command but seems logical
NEW: Command 'start ['interface'|'category'] [debug]' command now allows 'debug' literal for verbose display of 'server' Peer 'ip/iptables' commands issued - similar to wg-quick (c)
NEW: Allow importing of a 'server' Peer with explicit 'type=server' directive e.g. 'site2site' usage
EXPERIMENTAL: 'site2site' command to create and import 'SiteA'/'SiteB' template .configs
FIX: Detection of hybrid Site-to-Site wg2x type e.g. 'Endpoint' directive may now be present in 'server' Peer .conf
CHANGE: If 'wg setconf wgxx' command fails with syntax errors, destroy 'wgxx' Peer interface
NEW: Allow starting of 'server' Peers ('start wg2x') to use ONLY wg-quick directives; for Site-to-Site?
FIX: 'peer xxxx del' doesn't wipe 'Site-to-Site' Road Warrior 'client' xxxx Peer from 'server' Peer .config.
CHANGE: 'create xxxx [site=remote_config]' allows management of remote 'Site-to-Site' multi Road Warrior 'client' Peers
e.g. Suppose 'site2site Home Cabin' command has been used to create local/remote 'wg22' 'server' Peer. Now you wish to add a Road Warrior mobile device to access either Site. Command 'create iPhone site=Cabin' on the local 'Home' site will create the new 'iPhone' 'client' Peer and add it to both 'wg22.conf' and 'Cabin.conf'.
NOTE: 'Cabin.conf' will need to be transferred to the remote 'Cabin' site either as-is for import, or renamed as 'wg22.conf' and restart remote 'wg22'
CHANGE: 'create xxxx site=remote_config' now adds the Site-to-Site Peer to xxxx.conf, so both Endpoints are reachable.
CHANGE: 'create xxxx site=remote_config' now forces DNS = 1.1.1.1 (if omitted) if first Peer connection DNS is unavailable.
Production Stable Release
Update wg_manager.sh
FIX: 'server' Peer Passthru feature is missing the necessary RPDB rule (Rewrite regression) - Thanks SNB Forum member @Chongnt
FIX: When terminating a 'server' Peer configured for Passthru, the passthru 'client' Peer wgxx-down.sh script is executed rather than the 'server' Peer script - Thanks SNB Forum member @Chongnt
FIX: When 'loadmodules' command is used (especially when using Firmware Kernel modules) restart any prior ACTIVE WireGuard Peers.
CHANGE: 'getmodules' now explicitly checks ZebMcKayhan's files to first match model number 'RT-xxxx' in filename before matching hardcoded 'Kxx' Kernel version.
NEW: 'vpndirector [list | clone | delete]' command will clone (and subsequently manage) VPN Director Policy rules to 'client' Peer SQL rules
FIX: During initial install on say RT-AX58U, if Firmware contains kernel module, allow install, but as 'arch != aarch64' then display
Installing WireGuard Manager - Router RT-AX58U (v3.0.0.4.386.3_beta3) arch=arm
***ERROR: 3rd-Party Entware version not compatible with WireGuard!
as there are currently no compiled 3rd-Party Entware 'arm' version packages
NEW: when using '?' command, display clickable URL to @ZebMcKayhan's Hints and Tips Guide
e = Exit Script [?]
E:Option ==> ?
Router RT-AC86U Firmware (v3.0.0.4.386.4_alpha3-g7d7073bf09)
[✔] Entware Architecture arch=aarch64
v4.13b WireGuard Session Manager (Change Log: https://github.com/MartineauUK/wireguard/commits/dev/wg_manager.sh)
MD5=c9a6b7d4cb671b32e971dcae99b57c8d /jffs/addons/wireguard/wg_manager.sh
<snip>
[✔] Statistics gathering is ENABLED
[ℹ ] Speedtest quick link https://fast.com/en/gb/
[ℹ ] @ZebMcKayhan's Hint's and Tips Guide https://github.com/ZebMcKayhan/WireguardManager/blob/main/README.md#table-of-content
Production Stable Release v4.12
Production stable release v4.12 now supports inbuilt Firmware WireGuard Kernel Modules/User-space Tools, with a configuration option to override them with 3rd-Party Entware packages by @Odkrys/@ZebMcKayhan
WireGuard session manager stable v4.11
Production Release that only supports Entware\3rd-party compiled modules
Public Release
WireGuard Session Manager is now Menu driven, although the command line may still be used for certain tasks.
Unlike the original Beta, the S50wireguard script is no longer required/used, nor is there any dependency on '/opt/etc/init.d/' for WireGuard Peer sessions required to start with WAN (defined with Auto=Y (or Auto=P) in '/jffs/addons/wireguard/WireguardVPN.conf')
WireGuard session manager Pre-release Beta b4
Public Release candidate Beta RC1