[Experimental] WireGuard for HND platform (4.1.x kernels)


Rpony

Occasional Visitor
Hi Everyone, trying to use the PIA config generator. Tried USA east as it was noted that server was working with wireguard. However, it connects but I have no internet connection. Is there something I need to change in the config file after generating?
 

Goned75

Occasional Visitor
Verify your config files. It is supposed to work; I tried it last month.
 

ZebMcKayhan

New Around Here
Can the router be a client while the rpi is behind it as the server? That's what I am trying to achieve.
Did you ever solve your issues borris?

Port forwarding usually means an entry in the NAT prerouting chain to change the destination address (DNAT) of WireGuard port packets to your local destination (the rpi's local address), then an entry in the FILTER forward chain to allow packets on the WireGuard port from WAN to the rpi's local address.

Usually routing table does not require any change since the router already keeps track of its clients.

/Zeb
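
The two rules described in the post above, written out as an added example that is not part of the original post. The WAN interface name (eth0), the port and the LAN address are constructed sample values, and the function only prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): prints the two rules described above.
# Interface name, port and LAN address below are constructed sample values.

# is_ipv4 ADDR: succeeds only for a dotted quad with every octet in 0-255.
is_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

# wg_forward_rules WAN_IF UDP_PORT LAN_IP
# Validates its arguments, then prints one DNAT rule and one FORWARD rule.
wg_forward_rules() {
    wan_if=$1; port=$2; lan_ip=$3
    case "$wan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $wan_if" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    is_ipv4 "$lan_ip" || { echo "bad LAN address: $lan_ip" >&2; return 1; }

    # nat/PREROUTING: rewrite the destination of incoming WireGuard (UDP)
    # packets to the server on the LAN.
    echo "iptables -t nat -I PREROUTING -i $wan_if -p udp --dport $port" \
         "-j DNAT --to-destination $lan_ip:$port"
    # filter/FORWARD: allow only that port, only towards that one host.
    # -I places the rule ahead of any existing DROP in the chain.
    echo "iptables -I FORWARD -i $wan_if -d $lan_ip -p udp --dport $port -j ACCEPT"
}

# Dry run with constructed values; review the output before applying it.
wg_forward_rules eth0 51820 192.168.1.50
```

Keeping the FORWARD rule limited to one protocol, one port and one destination host means the forward exposes nothing else on the LAN.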
 

ZebMcKayhan

New Around Here
Just installed YazFi to manage guest network and typically you will have firewall issues that the guest wifi is only allowed to access WAN, and not allowed to access wireguard wg0 client.
This means that if you use wireguard with default routing the guest network will not be able to connect anywhere.

Luckily YazFi allows us to run custom scripts to add our own firewall rules.

I'm using the first 2.4GHz guest network (wl0.1) and the first 5GHz guest network (wl1.1) and this is what I did to get them to work:

Create and edit a new script:
Code:
nano /jffs/addons/YazFi.d/userscripts.d/wg-yazfi.sh

Populate the file with these rules:
Code:
#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o wg0 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.1 -o wg0 -j ACCEPT
iptables -I YazFiFORWARD -i wg0 -o wl0.1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I YazFiFORWARD -i wg0 -o wl1.1 -m state --state RELATED,ESTABLISHED -j ACCEPT

save and exit

Make the script executable:
Code:
chmod +x /jffs/addons/YazFi.d/userscripts.d/wg-yazfi.sh

Run the script manually to get the rules added:
Code:
/jffs/addons/YazFi.d/userscripts.d/wg-yazfi.sh

It will run automatically from now on.

My previous post about changing masquerading to /16 is also necessary for this to work.

Adjust for your own need.
 

Xentrk

Part of the Furniture
Hello Community,
Does Wireguard also work with OpenVPN on RT-AC88U with Asuswrt-Merlin?
Thanks a lot
No. CPU does not support it is my understanding.
 

Xentrk

Part of the Furniture
@Odkrys Thank you for putting the instructions together. Took me a few tries though before I got it dialed in. I was able to get Wireguard working on RT-AX88U with TorGuard using Policy Rules for two AppleTV boxes for a site I support. Massive increase in speed. I always experience buffering issues with a FireTV over OpenVPN. No buffering with Wireguard. I now see how I can implement support for Wireguard in x3mRouting project. I am now in possession of an RT-AC86U that I can use to develop on. The only conflict I see is the wg-policy file uses fwmark/bitmask of 0x7000/0x7000. x3mRouting also uses it for VPN Client 4. Will need to figure out that one along with how to configure more than one Wireguard tunnel.
 

abir1909

Regular Contributor
This is exciting news! I would love to see support for Wireguard in x3mRouting project! From your experience so far, can you tell if I can run both Wireguard client and OpenVPN client at the same time with routing policy on both? For example, Wireguard for the Apple TV and OpenVPN for the Firestick? Thanks
 

Xentrk

Part of the Furniture
Yes, I was able to run both Wireguard and OpenVPN at the same time. My big question now is running two or more Wireguard tunnels concurrently with my VPN provider as each WG connection uses the same port.
 

abir1909

Regular Contributor
I asked the same question before and didn’t get an answer. I hope you will be able to figure it out.
 

here1310

Regular Contributor
Code:
#printf "Endpoint = $(nvram get wan0_ipaddr):" >> /opt/etc/wireguard/$clientname.conf
printf "Endpoint = $(nvram get ddns_hostname_x):" >> /opt/etc/wireguard/$clientname.conf
cat /opt/etc/wireguard/wg1.conf | grep ListenPort | awk '{print $3}' >> /opt/etc/wireguard/$clientname.conf

Hello everybody, I changed my QR code script a bit ...
 

Kingp1n

Very Senior Member
I'm trying to install wireguard for my AX88U but I keep getting this:

Code:
[email protected]:/tmp/home/root# opkg install /path/wireguard-kernel_1.0.20210124-ax_aarch64-3.10.ipk
Collected errors:
 * wfopen: /path/wireguard-kernel_1.0.20210124-ax_aarch64-3.10.ipk: No such file or directory.
 * pkg_init_from_file: Failed to extract control file from /path/wireguard-kernel_1.0.20210124-ax_aarch64-3.10.ipk.

Any way to get it going?
 

here1310

Regular Contributor
You have to indicate the path! Download the ipk and the tools and put them on the USB device in a folder wg ... the command is then:
Code:
opkg install /mnt/sda1/wg/wireguard-kernel_1.0.20210124-ax_aarch64-3.10.ipk

Don't forget the tools!
Code:
opkg install /mnt/sda1/wg/wireguard-tools_1.0.20200827-2_aarch64-3.10.ipk
 

Kingp1n

Very Senior Member
Today I decided to upgrade to the 1.0.20210124 kernel for my RT-AX88U, when downloaded using "wget" followed by copying and pasting
the link from post number 1. When I tried to install it returned the same error you got, when I checked the size and compared to the one
I had downloaded on my PC it was more than 30k larger. Then I went to: https://github.com/odkrys/entware-makefile-for-merlin, clicked on
the proper file, on the next page there is a button marked "Download" right clicked on it and chose "Copy Link Location".
Pasted the link after the command "wget" downloaded, checked the size and installed immediately with no problems.
Note that I have been running wireguard for some time, I stopped it to do the upgrade and started it once the upgrade was done.
That error made me think of your post, thought the cause of your problem might be the same.
Thank you...this helped me install wireguard!!!!
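
The post quoted above found that the wget copy was larger than the browser copy and would not install. As an added example (not from the thread), this check reads the file's first bytes before `opkg install` is run; it assumes an .ipk is either a gzip-compressed tar or an ar archive, and that an oversized download may be a saved web page, which the thread does not confirm.

```shell
#!/bin/sh
# Added example (not from the thread): identify what a downloaded .ipk
# really is before handing it to opkg.

# ipk_kind FILE: prints gzip, ar, html, unknown or missing.
# Returns 0 only for the two archive formats.
ipk_kind() {
    [ -f "$1" ] || { echo missing; return 1; }
    magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        1f8b*)            echo gzip; return 0 ;;   # gzip-compressed tar
        213c617263683e0a) echo ar;   return 0 ;;   # "!<arch>\n" ar archive
    esac
    if head -c 1024 "$1" | grep -qiE '<!doctype|<html'; then
        echo html        # a web page was saved under the package's name
    else
        echo unknown
    fi
    return 1
}

# install_ipk FILE: run opkg only when the file is an archive.
install_ipk() {
    kind=$(ipk_kind "$1") || {
        echo "refusing to install $1: file is '$kind', not a package" >&2
        return 1
    }
    opkg install "$1"
}

# Usage: sh check-ipk.sh /mnt/sda1/wg/<package>.ipk  (script name is hypothetical)
if [ $# -gt 0 ]; then install_ipk "$1"; fi
```

A format check like this only catches a wrong file type; it does not prove the package is the one the author published.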
 

Kingp1n

Very Senior Member
I was able to install wireguard. I tested using 'wg' and get this:


Code:
ASUSWRT-Merlin RT-AX88U 386.1_2 Fri Feb 12 22:48:22 UTC 2021
[email protected]:/tmp/home/root# wg
interface: wg0
  public key: *************
  private key: (hidden)
  listening port: 59355

peer: ******************
  endpoint: xx.xx.xx.145:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 26 seconds ago
  transfer: 8.20 MiB received, 1.46 MiB

However, none of my devices can access the internet. Am I missing anything? I rebooted the modem/router as well. I'm using the guide provided earlier (Running WireGuard on an ASUS router – Skadligkod.se) and reading through the forum as well.

Do I also need to configure openvpn thru the Merlin GUI? I'm trying out mullvad vpn for now.

I had these rules setup previously when using OPENVPN (Rules for routing client traffic through the tunnel):

192.168.1.0/24 (VPN)
192.168.1.1 (WAN)

I would like to setup the same way if possible with wireguard.

Any help is greatly appreciated.
 

here1310

Regular Contributor
Check whether the entry "interface=wg*" is present in /jffs/configs/dnsmasq.conf.add. Please add it and run "service restart_dnsmasq".
 

here1310

Regular Contributor
Sorry: check whether the entry "interface=wg*" is available in /jffs/configs/dnsmasq.conf.add. Please enter it and run service restart_dnsmasq.
 

here1310

Regular Contributor
also specify a dns server

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 10.150.60.11/32
DNS = "router-address"
MTU = 1500

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/1, 192.168.0.0/16, 10.255.0.0/16
Endpoint = dyndns-address:51820
PersistentKeepalive = 25
 

here1310

Regular Contributor
Your server is listening on the wrong port:
Code:
interface: wg0
  public key: *************
  private key: (hidden)
  listening port: 59355

/mnt/sda1/entware/etc/wireguard/S50wireguard

#server
export Subnet=10.150.60.1/24 #e.g.)10.50.50.1/24
export wgport=51820

and then copy to /mnt/sda1/entware/etc/init.d

/opt/etc/init.d/S50wireguard stop
/opt/etc/init.d/S50wireguard start

my config: interface wg1 for server!
[email protected]:/tmp/home/root# wg
interface: wg1
public key: xxxxxxxxxxxxxxxxxxxxxxxxxx
private key: (hidden)
listening port: 51820
 

abir1909

Regular Contributor
I am not sure about Mullvad. I had the same problem.
I needed to add the PresharedKey. See image.
Hope it helps.
 
