[Experimental] WireGuard for HND platform (4.1.x kernels)

Code:
@RT-AC86U-69B8:/tmp/mnt/ssd/movie# ./nordvpn set technology NordLynx
Technology is successfully set to 'NordLynx'.
@RT-AC86U-69B8:/tmp/mnt/ssd/movie# ./nordvpn c
Please enter your login details.
Email / Username:

Maybe need a few more steps, but I can't proceed now because I don't have an account.

@Odkrys,

If you don't mind, would you be able to share the steps you took to get to this point, please?

I downloaded the .deb file but I am obviously having a hard time installing it from my Windows folder via SSH. Do I need to, somehow, figure out how to share the Windows folder where this file is downloaded? Also, do I need to save it to the USB I have attached to my router and create a directory?

Also, I tried to install in Ubuntu per instructions but when I get to the 'nordvpn set technology NordLynx' step, I couldn't get any further.

Appreciate any tips you could provide at your convenience.

Thanks!
 
This may sound silly but figuring out the correct "/path/" to put in the install instructions is what's giving me the hard time....I am able to tell what it is from the properties of the file but when I add it, for some reason the install command will not take it. I am sure, I am not typing it correctly somehow.
 
If you don't mind, would you be able to share the steps you took to get to this point, please?
I used https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn_3.3.0-4_aarch64.deb.
Unzip the deb file using 7zip and copy the binaries (nordvpnd, nordvpn) to the router.
But the nordvpn binary requires a /run folder to generate its socket, so you need custom firmware for it.

Code:
--- a/release/src/router/others/rootprep_arm_94908hnd.sh
+++ b/release/src/router/others/rootprep_arm_94908hnd.sh
@@ -17,6 +17,7 @@
 mkdir -p -m 0755 tmp
 rm -rf media
 #ln -sf tmp/var var
+ln -sf var/run run
 ln -sf tmp/media media
 (cd $ROOTDIR/usr && ln -sf ../tmp)
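
Review bot: The added `ln -sf var/run run` line carries no comment explaining why the root filesystem now needs a `run` entry, and nothing in the visible lines creates `var/run` (the neighbouring `#ln -sf tmp/var var` is commented out), so the link dangles until something else populates its target at boot. Please add a one-line comment naming the consumer (the daemon's socket directory), and confirm that `var/run` exists with root-only write permissions before any daemon binds a socket through this path. Note also that `-f` will silently replace an existing `run` entry in the image if one is ever added upstream.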
 
Thank you! I will give it a try!


 
Where do I copy these binaries in the router using WinSCP? Could you please share some steps on how to proceed? Sorry, I have not attempted this before.
 
Did we get anywhere? Or are we in a holding pattern on Nord?
 
Still trying....have not had a lot of time....will try again this weekend!


 
@Odkrys

I am having a hard time following this as written. Sorry, this is a little above my skill set. I was able to extract both binaries: nordvpn and nordvpnd.

Currently using WinSCP to copy them to router but where? (any particular folder? tmp? which specific one?)

Then, I am looking at your code info....and I am stuck...

Any chance you could describe everything in easy-to-follow steps?

Also, what custom firmware is needed to have the nordvpn binary generate its socket, and where would the /run folder be at?

Appreciate any assistance with this!
 
@Marin

It looks like nordlynx requires changing /etc/resolv.conf for its DNS setting. But on Merlin firmware, the file is not overwritable.
Code:
./nordvpn c au
Connecting to Australia #296 (au296.nordvpn.com)
We could not disable IPv6. For more information, please check activity log.
We're having trouble configuring your DNS settings. If the issue persists, please contact our customer support.

I contacted nordvpn support, they said WireGuard is on testing now.

"The configuration files will most likely show up in ucp.nordvpn.com when it's ready."

It would be better to wait.
 

I was able to install it on my Ubuntu last night and was able to connect a few times but at times I couldn’t due to either servers being down or something else.

I guess I will wait.

Thanks so much for your assistance! Have a great weekend!


 
I don't use Wireguard either.

At some point - might want to play with it - decent performance, easy config, and a lot less lines of code than OpenVPN.

On IPQ4028 - I'm seeing 4x better performance compared to OpenVPN on OpenWRT master...

IPQ4028 is a quad Cortex A7 at 717MHz with Neon and VFPv4 - the newer HND platforms from Broadcom, they should be very performant there...
 
Agreed! I was sceptical of the graphs on https://www.wireguard.com/performance/ but it seems fairly accurate. Cloudflare is using it now- their 1.1.1.1 app allows users to subscribe to their “WARP” VPN which uses it ($7/month).
Given recent developments in asuswrt-Merlin, it seems like it might be a good fit...perhaps when it’s less of a “work in progress”


 
At some point - might want to play with it - decent performance, easy config, and a lot less lines of code than OpenVPN.

Why? I don't feel like re-implementing everything surrounding OpenVPN: the user interface, the server/client config handling, multiple client profiles, RPDB handling, firewall management, DNS management, dealing with nvram space limitations that varies between platforms... Re-implementing all of this would take me months of work, just for the sake of supporting yet another VPN technology that may or may not be relevant 5 years from now.

The OpenVPN implementation is already there right now, and maintaining it is already a good amount of work - not because of the OpenVPN code itself, but because of all the features that surround it. I'm not gonna add the extra workload of maintaining a fifth (!) VPN protocol, then to get asked to also add Shadowsock, and then be asked to also add IPSEC IKEv2, and... it never ends.

So I draw the line at OpenVPN. It's there, it's universal, it's proven, it's actively developed, and I've already done all the heavy lifting involved in FULLY implementing it.

Once again, adding new features is not the goal of this project, and it's even less realistic considering how complex the existing code base has grown over the years, and there is still only one single developer maintaining all of this on his own. This project has been in maintenance mode for over a year now. The only real major feature addition during that period (DoT) came from another developer, and there are some special reasons (which I cannot discuss) why it actually made it into my code base.
 
Message received: it’s there for those of us who are up to making it happen on our own.

Maybe someone (or a team?) out there might want to step up and work alongside RMerlin on this, replacing openvpn etc if that’s feasible/possible? Probably more work than I’m aware of or even able to take into consideration...


 
@Marin

It looks like nordlynx requires changing /etc/resolv.conf for its DNS setting. But on Merlin firmware, the file is not overwritable.
Code:
./nordvpn c au
Connecting to Australia #296 (au296.nordvpn.com)
We could not disable IPv6. For more information, please check activity log.
We're having trouble configuring your DNS settings. If the issue persists, please contact our customer support.

I contacted nordvpn support, they said WireGuard is on testing now.

"The configuration files will most likely show up in ucp.nordvpn.com when it's ready."

It would be better to wait.
You can overwrite\change /etc/resolv.conf
You can use pc_append \ pc_delete to change the content of /etc/resolv.conf.
You can do this (each time dnsmasq restarts, it will do this)

nano /jffs/scripts/dnsmasq.postconf

Code:
#!/bin/sh
# helper.sh provides pc_append, pc_delete and pc_replace
source /usr/sbin/helper.sh

# add XXXXX to resolv.conf
pc_append "XXXXX" /etc/resolv.conf

# remove YYYYY from resolv.conf
pc_delete "YYYYY" /etc/resolv.conf

# replace XXXX in resolv.conf with YYYY
pc_replace "XXXX" "YYYY" /etc/resolv.conf

chmod 755 /jffs/scripts/dnsmasq.postconf
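
Because the post above says the script runs on every dnsmasq restart, an edit to resolv.conf should be safe to repeat. The following is an added example, not part of the original post: it goes one step further than append/delete/replace and makes a single resolver the only nameserver entry, using plain grep/sed instead of helper.sh so it can be tried off the router. The function name set_nameserver and the address 192.0.2.53 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent resolv.conf edit for a
# script that runs on every dnsmasq restart.
# Hypothetical use inside dnsmasq.postconf (constructed address):
#   set_nameserver /etc/resolv.conf 192.0.2.53

# set_nameserver FILE IP: make IP the only "nameserver" entry in FILE.
# Running it again leaves FILE byte-identical, so repeated restarts cannot
# pile up duplicate lines or leave a stale resolver next to the new one.
set_nameserver() {
    file=$1
    ip=$2
    [ -f "$file" ] || return 2    # nothing to edit

    # Already in the desired state: exactly one nameserver line, and it is ours.
    if [ "$(grep -c '^nameserver[[:space:]]' "$file")" = 1 ] &&
       grep -qxF "nameserver $ip" "$file"; then
        return 0
    fi

    tmp="$file.$$"
    # Keep every non-nameserver line (search, options, comments) unchanged.
    # grep -v exits 1 when nothing is left over, which is not an error here.
    grep -v '^nameserver[[:space:]]' "$file" > "$tmp" || true
    printf 'nameserver %s\n' "$ip" >> "$tmp"

    # Write through the existing path instead of mv, in case FILE is a symlink.
    cat "$tmp" > "$file" && rm -f "$tmp"
}
```

The function returns 2 when the file does not exist, so a postconf script can log that case instead of creating a new resolv.conf.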
 
You can overwrite\change /etc/resolv.conf
/etc/resolv.conf can't be overwritten when the user sets [Wan: Use local caching DNS server as system resolver (default: No)] to YES.
After I changed the option to NO, the DNS error message was gone.
But after that, with the ip rule change, the WAN died.
Code:
ip rule add not fwmark $fwmark table $table
This is the main reason why I wrote scripts for Merlin firmware instead of using wg-quick.
 
Why? I don't feel like re-implementing everything surrounding OpenVPN: the user interface, the server/client config handling, multiple client profiles, RPDB handling, firewall management, DNS management, dealing with nvram space limitations that varies between platforms... Re-implementing all of this would take me months of work, just for the sake of supporting yet another VPN technology that may or may not be relevant 5 years from now.

Point made - and folks can experiment under the hood, just don't expect GUI support unless it comes from Asus...

For the rest on this thread - It's interesting tech, no doubt, and worth experimenting with - but consider that full support for WG is going to have to come from Asus directly, and there, if it's done, likely will be on the HND platforms, not the older ones.

Devil's Advocate - there's still a lot of concerns with WG compared to OpenVPN (and also L2TP/IPSec).
  • OpenVPN is Layer 3, so it's easier to work with - WG is Layer 2, deeper in the stack, so unusual network configs are going to be harder to debug, and many use cases with OpenVPN might not be possible to solve with WG
  • Should also note that in general - WG is route based, not policy based, and this would break a fair amount of scripts and efforts for the community that is supporting the extensions of AsusWRT.
  • Crypto is also a bit of a concern - it's monolithic and built into WG directly, so if there's bugs there, that's a fair amount of work to solve, and this would be on both ends of the link
  • IPSec is similar in performance to WG, and both are faster with less overhead than OpenVPN
WG is interesting - I've got it up and running on OpenWRT, and controlling both ends, performance is similar to L2TP/IPSec, just much easier to set up, and I think that is the appeal of why WG is so very interesting (consider the cloud space, WG makes some sense here)

Like I said - OpenWRT has capability here with WG, but with the Broadcom platforms, OpenWRT has problems with WiFi and some of the vertical "cool stuff" that the Broadcom SDK and HND platforms have to offer, so moving a Broadcom based Asus device over for WG would be a challenge.

sfx
 
