What's new

[Experimental] WireGuard for RT-AC86U/AX88U

RMerlin

Asuswrt-Merlin dev
did you tested personally?
I tested on ac86u but I dont have other devices. (no improvement on ac86u)
Not with OpenVPN, but themiron tested Dropbear with Chacha20 vs AES. On non-accelerated CPUs, Chacha20 gave a clear performance gain over AES.
 

adv3

Occasional Visitor
sorry for off topic, I don't want to create a whole new thread.
will be WireGuard client available for RT-AC88U? Or can I use the instructions from the 1st post for AC88? OpenVPN client is very slow.
I wanted to buy AX88 some time ago, but saw a thread regarding 6E routers and devices in the next year, so I don't have any reasons to replace my AC88U.
 
Last edited:

CaptainSTX

Part of the Furniture
Anyone with a gig connection done some testing with WireGuard on their AC86 or AX88?

Just wondering as I saw a report from someone running PIA with WireGuard on their PC was getting fantastic speeds. Just interested.
Screenshot_2020-05-04 More Wireguard.png
 

adv3

Occasional Visitor
no reply, ok.
Wireguard requires Linux kernel ≥ 3.10 (released 5 years ago), but asuswrt-merlin seems to use 2.6.36 (released 8 years ago) - very first comment from here
@RMerlin will the kernel be updated for AC-88U? if we cannot get wireguard OOB - could you give us possibility to install and use it?
 

L&LD

Part of the Furniture
@adv3 doesn't seem reasonable for the old RT-AC88U to be receiving an updated kernel at this time (almost end of life).

RMerlin has already stated that he won't be enabling wireguard support on his firmware.

HTH. :)
 

RMerlin

Asuswrt-Merlin dev
no reply, ok.
Wireguard requires Linux kernel ≥ 3.10 (released 5 years ago), but asuswrt-merlin seems to use 2.6.36 (released 8 years ago) - very first comment from here
@RMerlin will the kernel be updated for AC-88U? if we cannot get wireguard OOB - could you give us possibility to install and use it?
No. Broadcom (and other manufacturers as well) never upgrade their SDK kernels.
 

Yoni80

Occasional Visitor
Is it possible to run nordlynx with that tutorial? Thanks
I think Nordlynx is a "wrapper" arround Wireguard that NordVPN offers as a wireguard solution. If that is the case I would say nope! If NordVPN offers support for "normal" wireguard clients I don't see why it should not work. But my man guess goes for option 1 and then nope
 

The Chief

Occasional Visitor
Last userspace tool ipk (wireguard-tools_1.0.20200513-1_aarch64-3.10.ipk) does not have S50wireguard in conffiles. So, all 'exports' settings are completely gone after package upgrade. A bug?
 

The Chief

Occasional Visitor
If the S50wireguard file is included in the conffiles, process duplication will occur.
Complete service startup script removal upon package upgrade is not a best option. Maybe it's better to move it's default installation location to /opt/etc/wireguard as sample startup script?
 

Odkrys

Senior Member
Complete service startup script removal upon package upgrade is not a best option. Maybe it's better to move it's default installation location to /opt/etc/wireguard as sample startup script?
changed. And I added one more step.

Code:
opkg install /path/wireguard-tools_1.0.20200513-2_aarch64-3.10.ipk
cp /opt/etc/wireguard/S50wireguard /opt/etc/init.d
 

The Chief

Occasional Visitor
Thanks. But be warned — update from wireguard-tools_1.0.20200513-1_aarch64-3.10.ipk to 20200513-2 will remove S50wireguard as well 'as obsolete'. :)

Upgrading wireguard-tools on root from 1.0.20200513-1 to 1.0.20200513-2...
Removing obsolete file /opt/etc/init.d/S50wireguard.
 

adv3

Occasional Visitor
@adv3 doesn't seem reasonable for the old RT-AC88U to be receiving an updated kernel at this time (almost end of life).

RMerlin has already stated that he won't be enabling wireguard support on his firmware.

HTH. :)
@L&LD already got it, but.. old? really? what’s new then? AX-88U? AX89X (no Merlin FW, btw)? or should I wait for 6E routers due to the fact that ax88 and ax89 will become legacy soon amid such news?
 

L&LD

Part of the Furniture
Reviewed in December 2015 on this site is old to me. :)

Waiting is also a silly game that never ends. The RT-AX88U is the top RMerlin powered router today. If the hardware and feature set is unusable to you, then you need to look for another product or build it yourself.

There is no guarantee that WiFi 6E routers will have better hardware (overall). History has shown that the opposite will most likely be true. The first to be badged 'WiFi 6E' will be deficient in some area or other. Support for the latest kernel isn't only up to Asus either. They don't just want bleeding-edge features in their firmware, they also want a possibility of stability and backward compatibility too. :)
 

Zonkd

Very Senior Member
I see you provide newer kernel and user-space tools. Mine are out of date. How do I upgrade safely? Must I opkg remove the old before opkg install the new? I don't want to break my current config.

Wireguard is working excellent on AC86U.
 

Reynald

New Around Here
Hello all,

Long time reader, I don't think I posted a lot (or even once) here.

But I have to shime in :D

First:
1. Install WireGuard
Thank you very much Odkrys for your scripts. Work awesome on RT-AX88U, with Torguard provider.

I'm going to modify it to run server and client from the same starting script, but also, I'd like to run several clients because I am in a dual wan configuration, and I have several wireguard provider to load balance or fallback on. I see RT-AX88U seems to have enough CPU power to handle at least 2 clients.
I don't know if Martineau still play with this, but I will probably need some guidance for routing rules :)

I see you provide newer kernel and user-space tools. Mine are out of date. How do I upgrade safely? Must I opkg remove the old before opkg install the new? I don't want to break my current config.

Wireguard is working excellent on AC86U.
I would just opkg install the new packages, without removing the older.
You should save files from /opt/etc/wireguard/ in case they are overwritten.

++
 

gspannu

Regular Contributor
Going through your instructions...

These below bits ( just under Section 4.5)

-------------------------------------------------------------------------
WireGuard use iptables so when the firewall is restarted, the rules will gone.
Please add this in nat-start script.

nano /jffs/scripts/nat-start
Code:
#!/bin/sh

WVPNROUTE=`ip route show | grep -i -a "dev wg"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
        logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
        /opt/etc/init.d/S50wireguard restart
fi

Are these nat-stat configs required for
- WireGuard Client Setup
- or only for WireGuard Server setup
- or both?

Apologies, but could not figure out .... whether these are part of server or client config?
 

busch09

Regular Contributor
I'm stuck. have setup a WG server on Vultr. connecting with a macOS client works fine.
Trying to install on Asus AX88.
When I start Wireguard on the ASUS I get:
Code:
/opt/etc/init.d/S50wireguard: export: line 13: 10.10.15.5: bad variable name
Code:
nano /opt/etc/init.d/S50wireguard

Mode=client   #server or client

#server
export Subnet = 10.10.15.1/32  #e.g.)10.10.15.1/24
export wgport=

#client
export LocalIP= 10.10.15.5   #e.g.)10.10.15.5

Route=default   #default or policy
export wgdns=
export Nipset=wgvpn
Code:
nano /opt/etc/wireguard/wg0.conf

[Interface]
PrivateKey = xxx
Address = 10.10.15.5/32
DNS = 8.8.8.8

[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0
Endpoint = 80.xx.xx.123:51820
PersistentKeepalive = 25
What's wrong here?

Alsowould someone have a bit more info if i just want to route two IPs through wireguard (192.168.1.12 and .1.34)? Where exactly do I add the ip rules in wg-policy?

Code:
ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null
ip rule add from 192.168.1.10 lookup 117 prio 11111
ip rule add from 192.168.1.20 lookup 117 prio 11112
 
Last edited:

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top