[Experimental] WireGuard for RT-AC86U/AX88U

Odkrys

Senior Member
1. Install WireGuard

You need Entware-aarch64-3.10 to use wireguard without a new firmware build.


ㅡ Kernel Module ㅡ

RT-AC86U - 4.1.27
https://drive.google.com/file/d/1kzLo8k6J3lv2bzbw3uZL0eTVLbefXDOD/view?usp=sharing

Code:
opkg install /path/wireguard-kernel_1.0.20200611-ac_aarch64-3.10.ipk

RT-AX88U - 4.1.51
https://drive.google.com/file/d/1d3J5AmYDHbLkJfyD8QvhMW5dJnpI2mNe/view?usp=sharing

Code:
opkg install /path/wireguard-kernel_1.0.20200611-ax_aarch64-3.10.ipk

ㅡ User space tool ㅡ

https://drive.google.com/open?id=1WO62W2IKyxthsQMhETJnEGTuHkXdLLpn

Code:
opkg install /path/wireguard-tools_1.0.20200513-2_aarch64-3.10.ipk

cp /opt/etc/wireguard/S50wireguard /opt/etc/init.d

2. Client configuration settings.

nano /opt/etc/init.d/S50wireguard
Code:
Mode=client

export LocalIP=
Route=default   #default or policy
export wgdns=
export Nipset=wgvpn
The init file has 5 options.
Mode=client

LocalIP is provided by your VPN provider (e.g. AzireVPN, Mullvad) or your VPS.

Route=default will redirect all your internet traffic to the VPN server.
Route=policy works like Policy Rules (strict) on Merlin.

wgdns is an option to change the DNS server.
Nipset is the name of the ipset for ipset-based policy routing.

AzireVPN, Mullvad, IVPN, TorGuard support WireGuard servers.

AzireVPN https://www.azirevpn.com/cfg/wg
Mullvad https://mullvad.net/en/servers/#wireguard
IVPN https://www.ivpn.net/wireguard
TorGuard https://torguard.net/knowledgebase.php?action=displayarticle&id=250

nano /opt/etc/wireguard/wg0.conf (example of AzireVPN)
Code:
[Interface]
PrivateKey = -------
Address = 10.40.12.49/19
DNS = 192.211.0.2

[Peer]
PublicKey = ----------
AllowedIPs = 0.0.0.0/0
Endpoint = IP:PORT
AzireVPN's config file looks like the one above.
Put the Address 10.40.12.49 into LocalIP in the init file.
Code:
export LocalIP=10.40.12.49   #without prefix
export wgdns=192.211.0.2
And comment out Address and DNS in the config file.
Then the config file should look like this. (I highly recommend you add keepalive.)
Code:
[Interface]
PrivateKey = -------
#Address = 10.40.12.49/19
#DNS = 192.211.0.2

[Peer]
PublicKey = -------
AllowedIPs = 0.0.0.0/0
Endpoint = IP:PORT
PersistentKeepalive = 25
Done. Start WireGuard.
Code:
/opt/etc/init.d/S50wireguard start

3. Advanced client settings.

When using Route=policy, the wg-policy script has some rules.
Adjust to your situation.
Default table is 117.

nano /opt/etc/wireguard/wg-policy
Code:
#
##For ipset based Policy Routing
#

#ipset -N $Nipset hash:ip

#ip rule del prio 9997 2>/dev/null
#ip rule add fwmark 0x7000 table 117 prio 9997
#iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
#iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000

#service restart_dnsmasq

4. Server configuration settings.

Code:
(umask 077 && printf "[Interface]\nPrivateKey = " | tee /opt/etc/wireguard/wg1.conf > /dev/null) 
wg genkey | tee -a /opt/etc/wireguard/wg1.conf | wg pubkey | tee /opt/etc/wireguard/server-publickey
nano /opt/etc/init.d/S50wireguard (example)
Code:
Mode=server

export Subnet=10.50.50.1/24   #e.g.)10.50.50.1/24
export wgport=51820
nano /opt/etc/wireguard/wg1.conf (Server uses wg1)
Code:
[Interface]
PrivateKey = ----------
ListenPort = 51820

[Peer]
PublicKey = ----------
AllowedIPs = 10.50.50.2/32
Done. Start WireGuard.
Code:
/opt/etc/init.d/S50wireguard start

4.5 Generate client QRcode.

The generator script will generate a QR code image for Android or iOS.
You need to install qrencode first.
Code:
opkg install qrencode
If you want to use your host address (192.168.50.1) as the DNS server,
you have to add the wg interface to Dnsmasq's listening interface list.
Code:
sed -i '1s/^/interface=wg*\n/' /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq
This script will ask you for 3 options: 1. client name, 2. client address, 3. client DNS server.

-------------------------------------------------------------------------
WireGuard uses iptables, so when the firewall is restarted the rules will be gone.
Please add this to the nat-start script.

nano /jffs/scripts/nat-start
Code:
#!/bin/sh

WVPNROUTE=$(ip route show | grep -i -a "dev wg")
logger -s -t "($(basename "$0"))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ]; then
        logger -s -t "($(basename "$0"))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
        /opt/etc/init.d/S50wireguard restart
fi

5. Remove WireGuard
Code:
/opt/etc/init.d/S50wireguard stop
opkg remove wireguard-kernel wireguard-tools
rm -r /opt/etc/wireguard
rm /opt/etc/init.d/S50wireguard

Scripts are not beautiful. They just work. Sorry, this is my best.
They have some rules to prevent duplicates.
The error messages (e.g. from iptables) are not real errors.
Don't worry.


Edit: iperf benchmark result.

WireGuard server on RT-AC86U. Windows 10 TunSafe client. (https://tunsafe.com/download)
The WireGuard author does not vouch for TunSafe's security. I just used it for benchmark purposes.

C:\iperf-2.0.9-win64>iperf -c 192.168.50.246 -N -M 1400 -t 20 -w 2M -P 5
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
------------------------------------------------------------
Client connecting to 192.168.50.246, TCP port 5001
TCP window size: 2.00 MByte
------------------------------------------------------------
[ 5] local 10.50.50.2 port 1911 connected with 192.168.50.246 port 5001
[ 7] local 10.50.50.2 port 1913 connected with 192.168.50.246 port 5001
[ 4] local 10.50.50.2 port 1910 connected with 192.168.50.246 port 5001
[ 6] local 10.50.50.2 port 1912 connected with 192.168.50.246 port 5001
[ 3] local 10.50.50.2 port 1909 connected with 192.168.50.246 port 5001
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-20.0 sec 220 MBytes 92.4 Mbits/sec
[ 7] 0.0-20.0 sec 205 MBytes 86.1 Mbits/sec
[ 4] 0.0-20.1 sec 230 MBytes 96.1 Mbits/sec
[ 6] 0.0-20.0 sec 227 MBytes 95.2 Mbits/sec
[ 3] 0.0-20.0 sec 212 MBytes 89.1 Mbits/sec
[SUM] 0.0-20.1 sec 1.07 GBytes 457 Mbits/sec
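As an added example (not part of the thread and not Odkrys's scripts), here are the manual steps from section 2 and the client generation from section 4.5 as plain shell functions: the provider wg0.conf is rewritten into the form the S50wireguard init file expects (Address and DNS commented out, keepalive added) and the LocalIP/wgdns exports are derived from it; a second function emits one client config together with the server-side [Peer] stanza. It assumes the init file reads LocalIP and wgdns as described above; every key, address and endpoint is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or from Odkrys's scripts.
# Section 2: rewrite a provider wg0.conf for the init script and derive the
#            LocalIP/wgdns exports from it.
# Section 4.5: emit a client config plus the matching server [Peer] stanza.
# All keys, addresses and endpoints are constructed placeholders.

# Comment out Address= and DNS= (the init script sets them from LocalIP/wgdns)
# and add PersistentKeepalive if the provider left it out. Assumes the single
# [Peer] section is last in the file, as in the AzireVPN sample above.
prepare_client_conf() {
    awk '
        /^[ \t]*(Address|DNS)[ \t]*=/          { print "#" $0; next }
        /^[ \t]*PersistentKeepalive[ \t]*=/    { seen = 1 }
        { print }
        END { if (!seen) print "PersistentKeepalive = 25" }
    '
}

# The two init-file lines: LocalIP is the Address without its /prefix.
init_exports() {
    awk -F= '
        /^[ \t]*Address[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v); sub(/\/.*/, "", v); print "export LocalIP=" v }
        /^[ \t]*DNS[ \t]*=/     { v = $2; gsub(/[ \t]/, "", v); print "export wgdns=" v }
    '
}

# One new peer for the wg1 server. Keys come from `wg genkey` / `wg pubkey`
# on the router; the server side only ever accepts the client's own /32.
new_client_peer() {
    # $1 name  $2 client address  $3 client DNS
    # $4 client private key  $5 client public key
    # $6 server public key   $7 server endpoint host:port
    cat <<EOF
# --- ${1}.conf (for the phone app; qrencode -t ANSIUTF8 < ${1}.conf shows it) ---
[Interface]
PrivateKey = $4
Address = $2/32
DNS = $3

[Peer]
PublicKey = $6
AllowedIPs = 0.0.0.0/0
Endpoint = $7
PersistentKeepalive = 25

# --- append to /opt/etc/wireguard/wg1.conf on the router ---
[Peer]
# $1
PublicKey = $5
AllowedIPs = $2/32
EOF
}

# Constructed provider config, same shape as the AzireVPN example in the post.
SAMPLE_CONF='[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.40.12.49/19
DNS = 192.211.0.2

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820'

echo "## wg0.conf for the router"
printf '%s\n' "$SAMPLE_CONF" | prepare_client_conf
echo "## lines for /opt/etc/init.d/S50wireguard"
printf '%s\n' "$SAMPLE_CONF" | init_exports
echo "## new peer for the wg1 server"
new_client_peer phone 10.50.50.2 192.168.50.1 \
    PHONE_PRIVATE_KEY_PLACEHOLDER PHONE_PUBLIC_KEY_PLACEHOLDER \
    SERVER_PUBLIC_KEY_PLACEHOLDER router.example.net:51820
```

The server stanza deliberately lists only the client's /32 in AllowedIPs, so a peer can never claim traffic for another address; the client side keeps 0.0.0.0/0 because it is the one sending everything into the tunnel.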

Geraner

Regular Contributor
Sounds interesting. Will try to take a look at it and test it during the weekend.
Will come back with a follow-up. It will be nice to compare with my recent VPN speed test done using OpenVPN.
 

Geraner

Regular Contributor
Finally managed to set it up and did a speed test.
You are right ... 400+ Mbps is possible.

At the same time, the CPU use is about 100% on both CPUs.

Wrote a short blog article about this test on my page.

sfx2000

Part of the Furniture
Nice work... no worries about top sending performance to 100% - I've had machines at 400-800 percent, and things are fine...

Lately my attention is more focused on SD-WAN applications, which is similar, but Layer 3 vs. Layer 2...

Good example of layer 3 implementations, and something worth thinking about - ZeroTier
 

ColinTaylor

Part of the Furniture
Nice work... no worries about top sending performance to 100% - I've had machines at 400-800 percent, and things are fine...
I think you might be conflating his CPU utilization with CPU load (each core cannot exceed 100% utilization). Indeed, in his screen shot the CPU load is 5.34.

Odkrys

Senior Member
Finally managed to set it up and did a speed test.
You are right ... 400+ Mbps is possible.

At the same time, the CPU use is about 100% on both CPUs.

Wrote a short blog article about this test on my page.
Thanks for the benchmark info.
There is no WireGuard server or cheap VPS in my country,
so I could not test its max speed.
 

Odkrys

Senior Member
Nice work... no worries about top sending performance to 100% - I've had machines at 400-800 percent, and things are fine...

Lately my attention is more focused on SD-WAN applications, which is similar, but Layer 3 vs. Layer 2...

Good example of layer 3 implementations, and something worth thinking about - ZeroTier
Entware already has ZeroTier.
 

Geraner

Regular Contributor
I think you might be conflating his CPU usage with CPU load (each core cannot exceed 100% use). Indeed, in his screen shot the CPU load is 5.34.
Well, this high CPU usage was only while I was doing the speed test with Speedtest.net. Under normal usage, the CPU is around 1-2 %.
I did a couple of speed tests in a row before I took the screenshot, so it's not just one speed test I did once I got WireGuard running.
 

Geraner

Regular Contributor
3. Advanced settings.

For using Route=policy, wg-policy script has some rules.
Adjust to your situation.
Default table is 117.

nano /opt/etc/wireguard/wg-policy
Code:
#
##For ipset based Policy Routing
#

#ipset -N $Nipset hash:ip

#ip rule del prio 9997
#ip rule add fwmark 0x7000 table 117 prio 9997
#iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000
#iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000

#service restart_dnsmasq
Can you explain in more detail how to use this config if I want to use policy-based routing?
Everything works fine when I use the default and all my LAN devices are going out using the WireGuard connection.
All devices have fixed IP addresses locked by MAC address.

Please write an example of how the wg-policy config should look if I, for example, want to route LAN devices 192.168.1.10 and 192.168.1.20 through the WireGuard connection.
 

Odkrys

Senior Member
Can you explain in more detail how to use this config if I want to use policy-based routing?
Everything works fine when I use the default and all my LAN devices are going out using the WireGuard connection.
All devices have fixed IP addresses locked by MAC address.

Please write an example of how the wg-policy config should look if I, for example, want to route LAN devices 192.168.1.10 and 192.168.1.20 through the WireGuard connection.
Change Route to policy and add this to the end of the wg-policy script.
Code:
ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null
ip rule add from 192.168.1.10 lookup 117 prio 11111
ip rule add from 192.168.1.20 lookup 117 prio 11112
This may be enough for you.
Don't touch the ##For ipset based Policy Routing part.
These two rules should be added to the wg-down script too.
Code:
ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null
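An added example (not Odkrys's script) that generalises this reply and the wg-policy section of the first post: it builds the delete-then-add rule pairs for any number of LAN hosts, the matching wg-down lines, and reads `ip rule show` output to confirm which hosts are actually being sent to the WireGuard table. Table 117 and the 11111 priority base are the thread's values; the LAN addresses and the sample `ip rule show` output are constructed, and the functions only print commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the thread: build and verify source-based policy
# routing rules for the WireGuard table used by the thread's scripts.
# Table 117 and the 11111 priority base come from the reply above; the LAN
# addresses and the sample `ip rule show` output are constructed.

WG_TABLE=117
PRIO_BASE=11111

# Accept only a dotted-quad IPv4 address (optionally with /prefix) so a typo
# in the host list cannot turn into an unexpected `ip rule` invocation.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Lines for the end of wg-policy. Each priority is deleted before it is added,
# so a rerun (e.g. nat-start restarting the tunnel) never stacks duplicates.
policy_up_rules() {
    prio=$PRIO_BASE
    for host in "$@"; do
        valid_ipv4 "$host" || { echo "bad host: $host" >&2; return 1; }
        printf 'ip rule del prio %s 2>/dev/null\n' "$prio"
        printf 'ip rule add from %s lookup %s prio %s\n' "$host" "$WG_TABLE" "$prio"
        prio=$((prio + 1))
    done
}

# Lines for wg-down: same priorities, delete only, so no host keeps a rule
# pointing at a table whose routes are gone.
policy_down_rules() {
    prio=$PRIO_BASE
    for host in "$@"; do
        printf 'ip rule del prio %s 2>/dev/null\n' "$prio"
        prio=$((prio + 1))
    done
}

# Read `ip rule show` output on stdin and print the source hosts currently
# sent to the WireGuard table (ignores the fwmark rule and "from all").
hosts_in_wg_table() {
    awk -v t="$WG_TABLE" '
        $2 == "from" && $3 != "all" && $4 == "lookup" && $5 == t { sub(/\/32$/, "", $3); print $3 }
    '
}

# Constructed `ip rule show` output as it would look after the rules are up.
SAMPLE_RULES='0:      from all lookup local
9997:   from all fwmark 0x7000 lookup 117
11111:  from 192.168.1.10 lookup 117
11112:  from 192.168.1.20 lookup 117
32766:  from all lookup main
32767:  from all lookup default'

echo "## append to wg-policy"
policy_up_rules 192.168.1.10 192.168.1.20
echo "## append to wg-down"
policy_down_rules 192.168.1.10 192.168.1.20
echo "## hosts routed via table $WG_TABLE (from sample ip rule show)"
printf '%s\n' "$SAMPLE_RULES" | hosts_in_wg_table
```

On the router the check would be `ip rule show | hosts_in_wg_table` after `S50wireguard start`; a host missing from that list is not using the tunnel, whatever wg-policy says.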

RMerlin

Asuswrt-Merlin dev
For best performance, make sure you run it on the second CPU core, so it won't share the same core as the rest of the routing/NATing code. For OpenVPN that provides a very significant performance boost.
 

Geraner

Regular Contributor
@RMerlin, would it be possible to implement WireGuard into the Merlin firmware?
As Odkrys said, it's multicore aware. It uses both cores while testing. No extra configuration is necessary.
 

RMerlin

Asuswrt-Merlin dev
@RMerlin, would it be possible to implement WireGuard into the Merlin firmware?
As Odkrys said, it's multicore aware. It uses both cores while testing. No extra configuration is necessary.
No.

I have people asking me to implement Shadowsocks, Wireguard, L2TP, PPTP, XOR-patched OpenVPN... It just never ends, everyone wants his personal favorite tunneling solution implemented.

This is beyond the scope of my project, not gonna devote countless hours maintaining all of these different solutions. OpenVPN suits pretty much everyone's needs, it's highly flexible, and just supporting that one already takes a large chunk of development time. Not gonna duplicate this 3-4 times by also supporting a bunch of other technologies.
 

RMerlin

Asuswrt-Merlin dev
Besides, implementing WireGuard makes even less sense than the other solutions, since out of 8 different routers, only one single model would be able to support it.
 

sfx2000

Part of the Furniture
I have people asking me to implement Shadowsocks, Wireguard, L2TP, PPTP, XOR-patched OpenVPN... It just never ends, everyone wants his personal favorite tunneling solution implemented.
I agree...

That being said - OpenVPN, while very portable, is getting to be not the first choice, mostly for folks behind great country firewalls in my experience...

And the "solutions" there will never end - that is a bit of a race there...
 

RMerlin

Asuswrt-Merlin dev
That being said - OpenVPN, while very portable, is getting to be the not first choice, mostly for folks behind great country firewalls in my experience...
The tls-crypt support added in 2.4 takes care of that.
 

Shasarak

Occasional Visitor
Does anyone have a slightly more "starting from first principles", "step-by-step" guide to getting this working?
 
