
Asus Merlin on Asus ZenWIFI Pro XT12 cant install Entware as USB is required but router doesn't have one.


Can you tell me if the following gives you any output?

Code:
nvram show lan_ipaddr

I am actually just about done with the setup files. It was not as hard as I thought. Mind you, I don't have a way of testing. I am currently not at home this week and am actually using my Wireguard SERVER to check settings on my router :) So, I can't test anything (if I had your permission to use your vpn.cong file you provided).

I am just proofreading what I have. The script I've made is going to route ALL traffic through your tunnel. If you want selective traffic, then that will require a little more work.

I'll get back to you once you confirm the output of the command above.
 
Yeah, you can use my file if you want, just ask anytime. I put the output in a text file as it's kinda long, so yeah.
 

Attachments

  • nvram show lan_ipaddr output.txt (97.1 KB)
Yeah sure man, take your time and I'm here for testing. Btw I really appreciate it man, thanks bro.

OK, try these files. First, just so that we can control things, remove the execute permission from services-start and nat-start (chmod u-x *-start). This is so we can keep the router under control until we are certain this works.

Reboot the router to clean up any leftover stuff.

We have a new Wireguard conf file. To keep things separate, we will call this one wg0.conf and put it in /jffs/addons/wireguard

Code:
#
# Use this configuration with WireGuard client
#
[Interface]
PrivateKey = *********** # insert your private key from the VPN provider

[Peer]
PublicKey = ********** # insert the public key from the VPN Provider
AllowedIPs = 0.0.0.0/0
Endpoint = uk-lon.prod.surfshark.com:51820

And this will be our wg-client file. Put this file in /jffs/addons/wireguard
EDIT2: Added subnet to the address and moved comment in case it was being added to LocalIP variable
EDIT3: Changed MTU to 1350 as suggested for SurfShark
EDIT4: Updated file wg-client

Code:
#!/bin/sh
#set -x   # uncomment this if troubleshooting is needed

KERNEL=$(uname -r)

# This is the IP address provided by your VPN provider
LocalIP=10.14.0.2
wgdns1=162.252.172.57
wgdns2=149.154.159.92

modprobe xt_set
# insmod fails with "File exists" if the module is already loaded (e.g. by the server scripts), so only load it when it is not
lsmod | grep -q '^wireguard' || insmod /lib/modules/${KERNEL}/kernel/net/wireguard/wireguard.ko

ip link del dev wg0 2>/dev/null
ip link add dev wg0 type wireguard
wg setconf wg0 /jffs/addons/wireguard/wg0.conf
ip address add dev wg0 $LocalIP
ip link set up dev wg0

# For SurfShark, it has been suggested to use 1350 as MTU, otherwise use 1380
ifconfig wg0 mtu 1350
ifconfig wg0 txqueuelen 1000

host="$(wg show wg0 endpoints | sed -n 's/.*\t\(.*\):.*/\1/p')"
ip route add $(ip route get $host | sed '/ via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/{s/^\(.* via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*/\1/}' | head -n 1) 2>/dev/null
ip route add 0/1 dev wg0
ip route add 128/1 dev wg0

iptables -t nat -D POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg0 -j MASQUERADE 2>/dev/null
iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg0 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null

iptables -t mangle -I FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -o wg0 -j MARK --set-xmark 0x01/0x7
iptables -t mangle -I PREROUTING -i wg0 -j MARK --set-xmark 0x01/0x7
iptables -t nat -I POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg0 -j MASQUERADE

cp /tmp/resolv.dnsmasq /tmp/resolv.dnsmasq_backup 2>/dev/null
echo "server=$wgdns1" > /tmp/resolv.dnsmasq
echo "server=$wgdns2" >> /tmp/resolv.dnsmasq
service restart_dnsmasq

Lastly, we will need a new wg-down script in /jffs/addons/wireguard
EDIT1 - removed a couple of lines not needed (was for selective routing)

Code:
#!/bin/sh

host="$(wg show wg0 endpoints 2>/dev/null | sed -n 's/.*\t\(.*\):.*/\1/p')"
ip route del $(ip route get $host | sed '/ via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/{s/^\(.* via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*/\1/}' | head -n 1) 2>/dev/null

rmmod wireguard 2>/dev/null

iptables -t nat -D POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg0 -j MASQUERADE 2>/dev/null
iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg0 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null

# Leftover from the selective-routing version: Nipset is not set anywhere in this script, so only run it if it has been defined
[ -n "$Nipset" ] && iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null

ip route flush table 117 2>/dev/null
ip rule del prio 9997 2>/dev/null

mv /tmp/resolv.dnsmasq_backup /tmp/resolv.dnsmasq 2>/dev/null
service restart_dnsmasq

From the directory /jffs/addons/wireguard, set the execute permission on the files, then you can run the wg-client script and see what happens (./wg-client)

To shut the client down, use ./wg-down

Once you are happy, edit the /jffs/scripts/nat-start script and make the required changes there.
 

Thanks, yeah, sorry, the command should have been nvram show | grep lan_ipaddr. But I got what I needed from your file.
 
Bruhhh, same thing:

Home@ZenWiFi_Pro_XT12-DD10:/jffs/addons/wireguard# ./wg-client
insmod: can't insert '/lib/modules/4.19.183/kernel/net/wireguard/wireguard.ko': File exists
Home@ZenWiFi_Pro_XT12-DD10:/jffs/addons/wireguard#
 
So I had to use ./wg-down, as once I ran ./wg-client I lost the internet connection.
 
Make sure that the server script is not being run (remove the execute permission from /jffs/scripts/services-start and /jffs/scripts/nat-start so they do not interfere).

Do a clean boot, then make sure the server did not start (ip show addr | grep wg*). You should get nothing.

Then edit the wg-client script and uncomment the set-x line and rerun the script. Afterwards, do the ip show addr | grep wg* command again to see if the wg0 interface is up. If so, can you show me what ip route shows.
 
Okay, I'll do it sometime tomorrow, as I've got family over and don't want to reboot the router and disturb them. But anyway, thanks for your help.
 
Great. This is where things get hard to troubleshoot. I may have to wait until I am back home where I can set this up (using your conf file) on my router to test.

Have a great weekend
 
Update: VPN works, can't appreciate it enough man, love your work. But phase 2 is getting the speed. I have a 1G connection which is symmetrical, so I chose the fastest server, which is London for me. Once I ran ./wg-client I was connected, but the speed... I only got half the speed, which doesn't make sense, as if I was to connect to the VPN on my desktop I get 800-900 Mbps. So if it's on the router, shouldn't it be the same speed as if it wasn't connected to a VPN?? Hmm, from what I read online it could be the MTU size, but 1500 is default, and high-end routers should allow going up to 9000, so I'll see if I can figure out how to change that.
 
That is super news!! I'm not surprised though by the speed. It is pretty much in line with what can be expected with an AC86U. I know you have a different router, but I am betting the issue is the same. The issue is CPU throttling at the CPU. You're asking the router to serve a 1Gbit pipe, a 1Gbit VPN and a 1Gbit switch to get the data to your computer. Over-simplified explanation, but the point is the router CPU is just stressed.

Adjusting the MTU to 1500 will likely cause issues as, don't forget, you now have VPN overhead traffic per frame. You could maybe try 1420. There are simple tests that you can do with ping to determine the best MTU. Just google "determining best MTU".

You may want to look at a policy routing VPN next. It's just a different setup (again) :)

Anyway, my pleasure. I had a blast, and it also keeps my mind busy and refreshed.
 
@rayyan

Also, just so that I can fix up any of my scripts above, did you have to make any changes to any of the scripts? Besides adding your keys? If so, I can fix up the scripts above so that others may benefit.
 
Thanks. I did find one article that suggests SurrfShark Wireguard MTU should be set to 1350. You can change that in the wg-client script.
 
Love it, cool, I'll check it out. But could it be possible to add this on the web UI? Like if I quickly need to go to the US to watch Netflix, instead of ssh-ing into the router, editing the file, saving and applying, and turning it on again.
 
You might be able to use the following Merlin feature. I'm not talented enough to make my own web pages (too old).


Another option, if you have your router set up with an RSA key to ssh into the router, is to use a remote ssh command. Something like this:

ssh -p 22 -i <path to key file> admin@192.168.50.1 "/jffs/addons/wireguard/wg-client" to start the tunnel

Assuming you are using Windows. Apple must have a similar ssh variant.
 
Okay, let's forget that, but I need to get the speeds right. I don't know why I'm only getting half the speed. Btw the router is powerful enough to handle the load, as it technically can handle a 5G connection if I combined both 2.5Gb ethernet ports, so I'd need to find something which can make the speeds at least 900 Mbps.
 
True, but many of those features are being handled by the NIC chip and NAT HW acceleration hardware. The Wireguard encryption and encapsulation is being done in the kernel, which means it's limited by CPU spec. The speeds you are getting are pretty consistent with what I have seen elsewhere. You get better speeds with the client working on your desktop computer as it has an infinitely more powerful processor.

Couple of things I did think of during the night (it is amazing what comes to you in the middle of the night)

1. The nat-start script will still be needed, even if you are using the WG Client ad-hoc. This is to keep you from losing your firewall rules while using WG if Asus restarts the firewall.

2. Check your syslog. It's long been known that WG and NAT acceleration don't get along. Many expect this will get fixed as Asus works toward officially supporting WG in their 388 base code. In the meantime, if you see a bunch of "blog mcast" errors in the syslog while you are using WG, try to disable flow cache. If there is no option in the GUI to do that, then try the command fc disable from a ssh shell. Note though that with a 1Gbit pipe, disabling flow cache will have a big impact on performance. Since you are getting speeds above 500mbits, I really don't think flow cache is bothering you.

Been great working with a fella from the mother land
 
Further testing: now the VPN doesn't work.
 

Before we start to troubleshoot, I think I see a problem with the wg-client script that might be affecting things. Basically, the DNS is not being handled right. Can you replace the contents of your wg-client file with the following:

Code:
#!/bin/sh

KERNEL=$(uname -r)

# This is the IP address provided by your VPN provider
LocalIP="10.14.0.2"
wgdns1="162.252.172.57"
wgdns2="149.154.159.92"

modprobe xt_set
# insmod fails with "File exists" if the module is already loaded (e.g. by the server scripts), so only load it when it is not
lsmod | grep -q '^wireguard' || insmod /lib/modules/${KERNEL}/kernel/net/wireguard/wireguard.ko

ip link del dev wg0 2>/dev/null
ip link add dev wg0 type wireguard
wg setconf wg0 /jffs/addons/wireguard/wg0.conf
ip address add dev wg0 $LocalIP
ip link set up dev wg0
ifconfig wg0 mtu 1350
ifconfig wg0 txqueuelen 1000

host="$(wg show wg0 endpoints | sed -n 's/.*\t\(.*\):.*/\1/p')"
ip route add $(ip route get $host | sed '/ via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/{s/^\(.* via [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*/\1/}' | head -n 1) 2>/dev/null
ip route add 0/1 dev wg0
ip route add 128/1 dev wg0

iptables -t nat -D POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg0 -j MASQUERADE 2>/dev/null
iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg0 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null

iptables -t mangle -I FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -o wg0 -j MARK --set-xmark 0x01/0x7
iptables -t mangle -I PREROUTING -i wg0 -j MARK --set-xmark 0x01/0x7
iptables -t nat -I POSTROUTING -s $(nvram get lan_ipaddr)/24 -o wg0 -j MASQUERADE

cp /tmp/resolv.dnsmasq /tmp/resolv.dnsmasq_backup 2>/dev/null
echo "server=$wgdns1" > /tmp/resolv.dnsmasq
echo "server=$wgdns2" >> /tmp/resolv.dnsmasq
service restart_dnsmasq

I also changed the MTU to 1350 to see if that improves things as well.

Note too that I have updated the original post.

Let me know
(the trouble with not being able to test before hand)
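As an added check (not part of the thread or the wg-client script above): after running ./wg-client, confirm that both half-default routes point at wg0, that the endpoint keeps its own host route via the WAN gateway, and that /tmp/resolv.dnsmasq lists only the VPN resolvers, since a half-applied state is exactly how LAN traffic and DNS quietly fall back to the WAN. The two check functions take command output as arguments so they run offline against the constructed sample (documentation addresses, not the real endpoint); the `--live` path assumes the router's `ip`, `wg` and resolv file from the scripts above.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the state wg-client should leave
# behind. Checks read command output from their arguments so they can be tested offline.

# $1: output of `ip route`   $2: VPN endpoint host (from `wg show wg0 endpoints`)
check_routes() {
    routes="$1"; ep="$2"; rc=0
    # wg-client installs 0/1 and 128/1 instead of replacing the default route
    echo "$routes" | grep -q '^0\.0\.0\.0/1 dev wg0'   || { echo "missing 0.0.0.0/1 via wg0"; rc=1; }
    echo "$routes" | grep -q '^128\.0\.0\.0/1 dev wg0' || { echo "missing 128.0.0.0/1 via wg0"; rc=1; }
    # the endpoint needs a host route through the WAN gateway; if it fell under the
    # /1 routes the handshake would be sent into the tunnel it is trying to build
    if ! echo "$routes" | grep "^$ep " | grep -q ' via '; then
        echo "no host route to endpoint $ep"; rc=1
    elif echo "$routes" | grep "^$ep " | grep -q 'dev wg0'; then
        echo "endpoint $ep is routed into wg0"; rc=1
    fi
    return $rc
}

# $1: contents of /tmp/resolv.dnsmasq   $2..: the resolvers wg-client wrote
check_dns() {
    resolv="$1"; shift
    for want in "$@"; do
        echo "$resolv" | grep -q "^server=$want\$" || { echo "resolver $want missing"; return 1; }
    done
    # any other server= line lets dnsmasq forward queries outside the tunnel
    for line in $(echo "$resolv" | grep '^server='); do
        ok=0
        for want in "$@"; do [ "$line" = "server=$want" ] && ok=1; done
        [ "$ok" = 1 ] || { echo "unexpected resolver line: $line"; return 1; }
    done
    return 0
}

# Constructed sample (documentation addresses, not the thread's real endpoint)
demo() {
    routes="default via 192.0.2.1 dev eth0
0.0.0.0/1 dev wg0 scope link
128.0.0.0/1 dev wg0 scope link
203.0.113.10 via 192.0.2.1 dev eth0"
    check_routes "$routes" 203.0.113.10 &&
    check_dns "server=162.252.172.57
server=149.154.159.92" 162.252.172.57 149.154.159.92
}

if [ "${1:-}" = "--live" ]; then
    ep="$(wg show wg0 endpoints | sed -n 's/.*\t\(.*\):.*/\1/p')"
    check_routes "$(ip route)" "$ep" &&
    check_dns "$(cat /tmp/resolv.dnsmasq)" 162.252.172.57 149.154.159.92 &&
    echo "routes and DNS are consistent with an active tunnel"
else
    demo && echo "sample state passes"
fi
```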
 
