What's new

[Experimental] WireGuard for RT-AC86U/AX88U

Reynald

New Around Here
Are these nat-stat configs required for
- WireGuard Client Setup
- or only for WireGuard Server setup
- or both?
I'd say both

I'm stuck. have setup a WG server on Vultr. connecting with a macOS client works fine.
Trying to install on Asus AX88.
When I start Wireguard on the ASUS I get:
Code:
/opt/etc/init.d/S50wireguard: export: line 13: 10.10.15.5: bad variable name
What's wrong here?
Remove spaces in your config files.

I.e:
Code:
#server
export Subnet = 10.10.15.1/32  #e.g.)10.10.15.1/24
shall be:
Code:
#server
export Subnet=10.10.15.1/32  #e.g.)10.10.15.1/24
And for this:
Also would someone have a bit more info if i just want to route two IPs through wireguard (192.168.1.12 and .1.34)? Where exactly do I add the ip rules in wg-policy?

Code:
ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null
ip rule add from 192.168.1.10 lookup 117 prio 11111
ip rule add from 192.168.1.20 lookup 117 prio 11112
Place it at the end of the file.
 

busch09

Regular Contributor
So it doesnt like the Address line in wg0.conf. Tried with spaces, without spaces...

Code:
Interface]
PrivateKey=xxx
Address=10.10.15.10/32 #<--- !
DNS=8.8.8.8
Code:
Line unrecognized: `Address=10.10.15.10/32'
Configuration parsing error
need at least a destination address
still not sure what's wrong...
 
Last edited:

Lost Dog

Regular Contributor
So it doesnt like the Address line in wg0.conf. Tried with spaces, without spaces...

Code:
Interface]
PrivateKey=xxx
Address=10.10.15.10/32. #<--- !
DNS=8.8.8.8
Code:
Line unrecognized: `Address=10.10.15.10/32'
Configuration parsing error
need at least a destination address
still not sure what's wrong...
Does your Address line have a "." after then /32 as shown above? That's probably throwing the error if that's the case.
 

adv3

Occasional Visitor
del.
made it work, but for some moment got a lot of next errors:
kernel: ^[[0;33;41m[ERROR mcast] bcm_mcast_blog_process,819: blog allocation failure^[[0m
 
Last edited:

adv3

Occasional Visitor
After 1 day testing all devices that were connected via wg lost internet connection. Only manual S50wireguard stop/start helped. I thought it should work with PersistentKeepalive option
 

aramisathei

Occasional Visitor
After 1 day testing all devices that were connected via wg lost internet connection. Only manual S50wireguard stop/start helped. I thought it should work with PersistentKeepalive option
I've run into this issue as well with two different routers (AC68U and AX88U).
Still haven't found a solution for it.
 

adv3

Occasional Visitor
I've run into this issue as well with two different routers (AC68U and AX88U).
Still haven't found a solution for it.
in this case it seems like that I will return to OpenVPN in-build solution.. pity, that was promising
 

Odkrys

Senior Member
I've run into this issue as well with two different routers (AC68U and AX88U).
Still haven't found a solution for it.
in this case it seems like that I will return to OpenVPN in-build solution.. pity, that was promising
I don't use the default route option.
Since it is always used as a policy option, I only assume that the problem is probably related to the dhcp lease time.
One thing I can suggest is to use the policy option and add rule to the script.
Code:
ip rule del prio 11111 2>/dev/null
ip rule add from 192.168.50.0/24 lookup 117 prio 11111
 

adv3

Occasional Visitor
I don't use the default route option.
Since it is always used as a policy option, I only assume that the problem is probably related to the dhcp lease time.
One thing I can suggest is to use the policy option and add rule to the script.
Code:
ip rule del prio 11111 2>/dev/null
ip rule add from 192.168.50.0/24 lookup 117 prio 11111
yeah, lease time is set to 3600 - 1 day.
Does it make sense to increase it?

Code:
ip rule del prio 11111 2>/dev/null
ip rule add from 192.168.50.0/24 lookup 117 prio 11111
did you add the whole subnet to the script?
I already have such rules for my 3 ips that are using wg:

ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null
ip rule del prio 11113 2>/dev/null
ip rule add from 172.100.1.46 lookup 117 prio 11111
ip rule add from 172.100.1.205 lookup 117 prio 11112
ip rule add from 172.100.1.118 lookup 117 prio 11113


from the first post:
WireGuard use iptables so when the firewall is restarted, the rules will gone.
Please add this in nat-start script.

nano /jffs/scripts/nat-start

Code:
#!/bin/sh

WVPNROUTE=`ip route show | grep -i -a "dev wg"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
       logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
       /opt/etc/init.d/S50wireguard restart
fi
I added this in nat-start script, made it executable and from my logs:

Code:
Jun 14 01:19:28 kernel: Init chrdev /dev/idp with major 190
Jun 14 01:19:28 kernel: tdts: tcp_conn_max = 8000
Jun 14 01:19:28 kernel: tdts: tcp_conn_timeout = 300 sec
Jun 14 01:19:30 kernel: SHN Release Version: 2.0.1 0679c74
Jun 14 01:19:30 kernel: UDB Core Version: 0.2.18
Jun 14 01:19:30 kernel: Init chrdev /dev/idpfw with major 191
Jun 14 01:19:30 kernel: IDPfw: flush fc
Jun 14 01:19:30 kernel: IDPfw: IDPfw is ready
Jun 14 01:19:30 kernel: sizeof forward pkt param = 280
Jun 14 01:19:30 BWDPI: fun bitmap = 3
Jun 14 01:19:46 BWDPI: force to flush flowcache entries
Jun 14 01:19:46 kernel: IDPfw: Exit IDPfw
Jun 14 01:19:46 kernel: mod epilog takes 0 jiffies
Jun 14 01:19:46 kernel: IDPfw: Exit IDPfw
Jun 14 01:19:47 kernel: Exit chrdev /dev/idpfw with major 191
Jun 14 01:19:47 kernel: Exit chrdev /dev/idp with major 190
Jun 14 01:19:47 BWDPI: rollback fc
Jun 14 01:19:47 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Jun 14 01:19:47 custom_script: Running /jffs/scripts/nat-start
Jun 14 01:19:47 (nat-start): 19391 Checking if WireGuard is UP....*.*.*.*/24 dev wg0 proto kernel scope link src *.*.*.*
Jun 14 01:19:47 (nat-start): 19391 **Warning WireGuard is UP.... restarting WireGuard
Jun 14 01:19:47 ax88: Restarting WireGuard service.
Jun 14 01:19:47 miniupnpd[11796]: shutting down MiniUPnPd
so I believe this happens due to firewall restart. and firewall, in turn, is restarting due to Yet another malware block script
I added a cron rule to /jffs/scripts/init-start, like in that thread, for every 6 hours. but I don't see that firewall restarts every 6 hours, seems the updates for that blocking script are not so frequent. I assume that can be related, in my example.
changed to 0 4 * * 1 - At 04:00 on Monday - and will check how it works
latest restart was 2 days ago, the previous - 5 days before the latest
 
Last edited:

adv3

Occasional Visitor
RT-AX88U - 4.1.51
https://drive.google.com/file/d/1d3J5AmYDHbLkJfyD8QvhMW5dJnpI2mNe/view?usp=sharing

Code:
opkg install /path/wireguard-kernel_1.0.20200611-ax_aarch64-3.10.ipk
More recent module has been release recently.

how did you get specific ipk for ax88? is there any difference with ac86 file? how did you compile it? from here? are there any instructions for this?

Since it's the experimental feature and you're not the wireguard maintainer all these questions are only for keeping files/modules/etc up-to-date by ourselves
 

Odkrys

Senior Member
#
# Copyright (C) 2016-2017 Jason A. Donenfeld <[email protected]>
# Copyright (C) 2016 Baptiste Jonglez <[email protected]>
# Copyright (C) 2016-2017 Dan Luedtke <[email protected]>
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.

# Wireguard's makefile needs this to know where to build the kernel module
export LINUX_DIR:=/krys/asuswrt-merlin.ng_build/release/src-rt-5.02hnd/kernel/linux-4.1
#export LINUX_DIR:=/krys/asuswrt-merlin.ng/release/src-rt-5.02axhnd/kernel/linux-4.1

include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk

PKG_NAME:=wireguard-kernel

PKG_VERSION:=1.0.20200520
PKG_RELEASE:=ac

PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
#PKG_HASH:=7c0e576459c6337bcdea692bdbec561719a15da207dc739e0e3e60ff821a5491

PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING

PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/wireguard-linux-compat-$(PKG_VERSION)
PKG_BUILD_PARALLEL:=1

include $(INCLUDE_DIR)/package.mk

define Package/wireguard-kernel/Default
SECTION:=net
CATEGORY:=Network
SUBMENU:=VPN
URL:=https://www.wireguard.com
MAINTAINER:=Baptiste Jonglez <[email protected]>, \
Kevin Darbyshire-Bryant <[email protected]>, \
Dan Luedtke <[email protected]>, \
Jason A. Donenfeld <[email protected]>
endef

define Package/wireguard-kernel/description
WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes
state-of-the-art cryptography. It aims to be faster, simpler, leaner, and
more useful than IPSec, while avoiding the massive headache. It intends to
be considerably more performant than OpenVPN. WireGuard is designed as a
general purpose VPN for running on embedded interfaces and super computers
alike, fit for many different circumstances. It uses UDP.
endef

define Package/wireguard-kernel
$(call Package/wireguard-kernel/Default)
TITLE:=Wireguard kernel module
endef

include $(INCLUDE_DIR)/kernel-defaults.mk
include $(INCLUDE_DIR)/package-defaults.mk

define Build/Compile
$(MAKE) $(KERNEL_MAKEOPTS) M="$(PKG_BUILD_DIR)/src" modules \
EXTRA_CFLAGS="$(TARGET_CFLAGS) -fno-pie"
endef

define Package/wireguard-kernel/install
$(INSTALL_DIR) $(1)/opt/lib/modules
$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/wireguard.ko $(1)/opt/lib/modules
endef

$(eval $(call BuildPackage,wireguard-kernel))
Sorry.
I have moved to J4105 openwrt box recently and switched my ac86u to ap mode.
I am not sure if I will keep updating.
 

adv3

Occasional Visitor
#
# Copyright (C) 2016-2017 Jason A. Donenfeld <[email protected]>
# Copyright (C) 2016 Baptiste Jonglez <[email protected]>
# Copyright (C) 2016-2017 Dan Luedtke <[email protected]>
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.

# Wireguard's makefile needs this to know where to build the kernel module
export LINUX_DIR:=/krys/asuswrt-merlin.ng_build/release/src-rt-5.02hnd/kernel/linux-4.1
#export LINUX_DIR:=/krys/asuswrt-merlin.ng/release/src-rt-5.02axhnd/kernel/linux-4.1

include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk

PKG_NAME:=wireguard-kernel

PKG_VERSION:=1.0.20200520
PKG_RELEASE:=ac

PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
#PKG_HASH:=7c0e576459c6337bcdea692bdbec561719a15da207dc739e0e3e60ff821a5491

PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING

PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/wireguard-linux-compat-$(PKG_VERSION)
PKG_BUILD_PARALLEL:=1

include $(INCLUDE_DIR)/package.mk

define Package/wireguard-kernel/Default
SECTION:=net
CATEGORY:=Network
SUBMENU:=VPN
URL:=https://www.wireguard.com
MAINTAINER:=Baptiste Jonglez <[email protected]>, \
Kevin Darbyshire-Bryant <[email protected]>, \
Dan Luedtke <[email protected]>, \
Jason A. Donenfeld <[email protected]>
endef

define Package/wireguard-kernel/description
WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes
state-of-the-art cryptography. It aims to be faster, simpler, leaner, and
more useful than IPSec, while avoiding the massive headache. It intends to
be considerably more performant than OpenVPN. WireGuard is designed as a
general purpose VPN for running on embedded interfaces and super computers
alike, fit for many different circumstances. It uses UDP.
endef

define Package/wireguard-kernel
$(call Package/wireguard-kernel/Default)
TITLE:=Wireguard kernel module
endef

include $(INCLUDE_DIR)/kernel-defaults.mk
include $(INCLUDE_DIR)/package-defaults.mk

define Build/Compile
$(MAKE) $(KERNEL_MAKEOPTS) M="$(PKG_BUILD_DIR)/src" modules \
EXTRA_CFLAGS="$(TARGET_CFLAGS) -fno-pie"
endef

define Package/wireguard-kernel/install
$(INSTALL_DIR) $(1)/opt/lib/modules
$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/wireguard.ko $(1)/opt/lib/modules
endef

$(eval $(call BuildPackage,wireguard-kernel))
Sorry.
I have moved to J4105 openwrt box recently and switched my ac86u to ap mode.
I am not sure if I will keep updating.
It's that the makefile for ax88? where did you compile it? what dependencies?
 

adv3

Occasional Visitor
@RMerlin
this part of Odkrys's makefile reference to AC-86U
# Wireguard's makefile needs this to know where to build the kernel module
export LINUX_DIR:=/krys/asuswrt-merlin.ng_build/release/src-rt-5.02hnd/kernel/linux-4.1

I'm going to build ipk for AX88 based on your ax branch. Could you clarify what is the correct path for the kernel?
 

RMerlin

Asuswrt-Merlin dev
@RMerlin
this part of Odkrys's makefile reference to AC-86U
# Wireguard's makefile needs this to know where to build the kernel module
export LINUX_DIR:=/krys/asuswrt-merlin.ng_build/release/src-rt-5.02hnd/kernel/linux-4.1

I'm going to build ipk for AX88 based on your ax branch. Could you clarify what is the correct path for the kernel?
Code:
release/src-rt-5.02axhnd/kernel/linux-4.1/
 

adv3

Occasional Visitor
@Odkrys since there is no 'personal messages' option here - how I can contact you? I'm not a Linux engineer or developer, only the DevOps :) I've a couple of questions ^^
 

gspannu

Regular Contributor
@RMerlin
this part of Odkrys's makefile reference to AC-86U
# Wireguard's makefile needs this to know where to build the kernel module
export LINUX_DIR:=/krys/asuswrt-merlin.ng_build/release/src-rt-5.02hnd/kernel/linux-4.1

I'm going to build ipk for AX88 based on your ax branch. Could you clarify what is the correct path for the kernel?
Await any updates on your progress to build a AX88 version...
 

adv3

Occasional Visitor
Await any updates on your progress to build a AX88 version...
in last 10 days I got tons of errors, read tons of openwrt articles, solved a lot of issues, but for now there is no result. I'm not a developer and not so good in linux as most of devs here, unfortunately.
since I got a lot of errors during AX88U compile to get the kernel and a failure in the end I cannot just type make packages/wireguard/compile in openwrt folder.
@Odkrys didn't answer here, I don't want to bother @RMerlin, I believe Eric is too busy for such things.
I even tried 2xlarge instances in aws to speed up the compile/builds/etc. I just got the same errors faster :)
but anyway, thank you for your interest, @gspannu. I'm still working on it :)
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top