Wireguard on 1.13.0

Report wireless and/or network connectivity problems in this forum.

Moderator: Moderators

Lantis
Moderator
Posts: 6924
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Wireguard on 1.13.0

Post by Lantis »

Apologies for the delay.
In your client peers, when you export the wgconf, under the allowedips section change
10.64.0.1/24
to
10.64.0.0/24

Then load it to the clients and test.
If you want to just go and fix it quickly, you can change it directly in your /etc/config/network for the client, then /usr/lib/gargoyle/restart_network.sh

Please report back if that works fine for you.
I assume that from each of your clients you've had no trouble accessing the other clients right? It was just the server giving you trouble?
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

JeffinTx
Posts: 27
Joined: Sat Jan 23, 2016 8:01 pm

Re: Wireguard on 1.13.0

Post by JeffinTx »

Long reply, but hope it is helpful...

Ok, thanks for the responses. And I understand the time lag, absolutely no worries. Your efforts are super and very much appreciated. I've done my best to document the process with specifics in the hope that it may help you and others.

1. When you say, "In your client peers", I assume you mean (detailed process below):
a) Sign into the router that is acting as a Server (running Gargoyle v1.14.0)
b) Go to menu Connection/Wireguard
c) Under Allowed Clients, use Add to generate a Configured Client with name, keys, settings to be used for this Server
d) Save the Allowed Clients settings and download the result, by default to a wg-<client name>.conf file
e) Manually edit the downloaded .conf file and find its section under [Peer] AllowedIPs= (if users already have downloaded config files, they can skip to this step)
f) There should be an AllowedIPs setting for the internal IP address of the Server, typically the first address in the same range as the address the [Interface] Address at the top of the same .conf file. For example, if .conf file starts with [Interface] Address=10.64.0.10/32, then the [Peer] AllowedIP= will likely start 10.64.0.1/24. The /32, a CIDR mask, indicating that the address ending in .10 is specifically only .10 and the /24 indicating that the .1 address could be any value from .1 to .255 .
g) Using the editor, change the [Peer] address to end in .0/24 instead of .1/24. In the example above, the result should start with [Peer] AllowedIPs= 10.64.0.0/24 instead of [Peer] AllowedIPs= 10.64.0.1/24
h) Save the edited file from the Server Gargoyle router and put it somewhere that can be accessed when managing a Client Gargoyle router.
i) Sign into a Client Gargoyle router (assumed also running v1.14.0) and go to its Connection/Wireguard menu.
j) Under Client Config, choose Upload Config File and click Browse, then browse to the downloaded, previously edited, file from the Server.
k) Choose the downloaded Server file and click Upload Config, then Save Changes.
l) Test that devices on the network under the Client Gargoyle router now can access devices on the Server network as before, but now devices on the Server network (and its shared networks) can access devices on the Client network.

2. Alternatively, as you suggest, instead of editing, importing and reloading Server-generated configuration files onto Clients, it should be possible to edit Client configurations in place on the Client. I did NOT try this method, but believe the process should be:
a) Sign into a Gargoyle Client router, i.e., a router running Gargoyle router intending to attach to a master, Server router via Wireguard and access the Server's network devices.
b) Ensure that the Client router has the Gargoyle Plugin for Webshell installed. If not, go to the menu under System/Plugins, scroll down to and choose Refresh Plugins, then find and install Webshell for Gargoyle.
c) Under System/Webshell enter into the Command box, cat /etc/config/network and click Execute.
d) Scroll through the response in the resulting output to find both <config interface 'wg0'> and <config wireguard_wg0 'wgserver'>. They should be next to each other, near the end of the output display.
e) The section for <config interface 'wg0'> will have a line with "list addresses '<some address and range>'. Typically, as in the example in section 1. above, this will be 10.64.0.2/32 or some similar value ending with .3/32 or .4/32, etc. Consider the first three numbers of this address, e.g., 10.64.0, as the range for allowed_ips in the next step.
f) The section for <config wireguard_wg0 'wgserver'> should have one or more lines with "list allowed_ips", the first of which should match the range found above, in this example this section has <list allowed_ips '10.64.0.1/24'> This will be the line that needs edited in place on the Client router.
g) Enter into the command box a request to change the line identified in the previous step using the 'sed' program as follows: sed 's/<old address value>/<new address value/' /etc/config/network In this example, uing escape notations for regex matching of periods, the command would be: sed 's/10\.64\.0\.1/10\.64\.0\.0/' /etc/config/network
h) Again in the Command line, enter the following and click Execute in order to restart the Client router's network connection and make the changes in the configuration take effect: /usr/lib/gargoyle/restart_network.sh


3. SUCCESS! I went through the steps in item 1. above and now have a two-way link between Gargoyle router networks over a Wireguard-encrypted internet connection!

4. Your last comment about assuming that clients had no trouble accessing other clients was a bit confusing. Without this change, each Client router and its devices could access devices on the Server network, but no Client device could access devices beyond the Server network, including attempts to access devices on other Client networks. With this change, though, that has also been fixed and any Client device can now access any other Client device as well as any Server device. So, double success!

Lantis
Moderator
Posts: 6924
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Wireguard on 1.13.0

Post by Lantis »

Yes exactly, and thanks for your verbose instructions. That will help others before the code fix hits (https://github.com/ericpaulbishop/gargo ... 9629d706fa).

I’m surprised by result 4, I thought it would have been ok anyway. But if this fixed that as well that’s a good thing.
I’ve not had enough clients to try that setup personally but I will set something my up sooner or later.

Apologies again for the delay in fixing it. Glad it is now working.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

boldga
Posts: 22
Joined: Sat Sep 18, 2010 10:05 am

Re: Wireguard on 1.13.0

Post by boldga »

Thanks, guys!
It solved my problem. :lol:

Post Reply