[Experimental] WireGuard for RT-AC86U/AX88U

faux123

Regular Contributor
@Odkrys Just wanted to say thank you! I got wireguard set up as a server on my AC86U and tested it with the iOS client, and it worked flawlessly.

I'm still a noob when it comes to network routing... thinking about trying out Mozilla's wireguard service. I don't want all internet traffic to be routed to Mozilla, just select devices; this is where I need to read up more on iptables and such.

Does anyone know how to cross-compile the wg-tool userspace binary (I have Ubuntu 18.04; I can code but I'm not good with tools and setups)? I would like to build the binary from source myself. Any tip will be tremendously appreciated!
 

faux123

Regular Contributor
> @Odkrys Just wanted to say thank you! I got wireguard set up as a server on my AC86U and tested it with the iOS client, and it worked flawlessly.
>
> I'm still a noob when it comes to network routing... thinking about trying out Mozilla's wireguard service. I don't want all internet traffic to be routed to Mozilla, just select devices; this is where I need to read up more on iptables and such.
>
> Does anyone know how to cross-compile the wg-tool userspace binary (I have Ubuntu 18.04; I can code but I'm not good with tools and setups)? I would like to build the binary from source myself. Any tip will be tremendously appreciated!

Figured out the ipk build for wireguard. I downloaded the Entware repo and rebuilt from source... took hours, but now I can build the ipk from source, which is good; however, the default source didn't have all the associated scripts from @Odkrys. Is there a fork somewhere I can clone for the wireguard IPK build so it has the same scripts as OP's?

Thanks.
 

chinaa108

New Around Here
Hi everybody, new here! Is there any way/script for restarting wireguard if the connection drops? I'm still trying to learn all of this, any help?
 

chinaa108

New Around Here
It's been a few days, but I can confirm that wireguard works on the asus gt-ax11000. It works extremely well! Now if only someone could point me to the script for restoring it when it drops out.
 

gspannu

Regular Contributor
> 1. Install WireGuard
>
> You need Entware-aarch64-3.10 to use WireGuard without a new firmware build.
>
> ㅡ Kernel Module ㅡ
>
> RT-AC86U - 4.1.27
> https://drive.google.com/file/d/1kzLo8k6J3lv2bzbw3uZL0eTVLbefXDOD/view?usp=sharing
>
> Code:
> opkg install /path/wireguard-kernel_1.0.20200611-ac_aarch64-3.10.ipk
>
> RT-AX88U - 4.1.51
> https://drive.google.com/file/d/1d3J5AmYDHbLkJfyD8QvhMW5dJnpI2mNe/view?usp=sharing
>
> Code:
> opkg install /path/wireguard-kernel_1.0.20200611-ax_aarch64-3.10.ipk
>
> ㅡ User space tool ㅡ
>
> https://drive.google.com/open?id=1WO62W2IKyxthsQMhETJnEGTuHkXdLLpn
>
> Code:
> opkg install /path/wireguard-tools_1.0.20200513-2_aarch64-3.10.ipk
> cp /opt/etc/wireguard/S50wireguard /opt/etc/init.d
>
> 2. Client configuration settings.
>
> nano /opt/etc/init.d/S50wireguard
> Code:
> Mode=client
>
> export LocalIP=
> Route=default   #default or policy
> export wgdns=
> export Nipset=wgvpn
>
> The init file has 5 options.
> Mode=client
> LocalIP is provided by your VPN provider (e.g. AzireVPN, Mullvad) or your VPS.
> default route will redirect all your internet traffic to the VPN server.
> policy works like Policy Rules (strict) on Merlin.
> wgdns is an option to change the DNS server.
> Nipset is the name of the ipset for ipset-based policy routing.
>
> AzireVPN, Mullvad, IVPN and TorGuard support WireGuard servers.
>
> AzireVPN https://www.azirevpn.com/cfg/wg
> Mullvad https://mullvad.net/en/servers/#wireguard
> IVPN https://www.ivpn.net/wireguard
> TorGuard https://torguard.net/knowledgebase.php?action=displayarticle&id=250
>
> nano /opt/etc/wireguard/wg0.conf (example of AzireVPN)
> Code:
> [Interface]
> PrivateKey = -------
> Address = 10.40.12.49/19
> DNS = 192.211.0.2
>
> [Peer]
> PublicKey = ----------
> AllowedIPs = 0.0.0.0/0
> Endpoint = IP:PORT
>
> AzireVPN's config file looks like the one above.
> Fill in the Address 10.40.12.49 as LocalIP in the init file.
> Code:
> export LocalIP=10.40.12.49   # without prefix
> export wgdns=192.211.0.2
>
> And comment out Address and DNS in the config file.
> Then the config file should look like this. (I highly recommend you add keepalive.)
> Code:
> [Interface]
> PrivateKey = -------
> #Address = 10.40.12.49/19
> #DNS = 192.211.0.2
>
> [Peer]
> PublicKey = -------
> AllowedIPs = 0.0.0.0/0
> Endpoint = IP:PORT
> PersistentKeepalive = 25
>
> Done. Start WireGuard.
> Code:
> /opt/etc/init.d/S50wireguard start
>
> 3. Advanced client settings.
>
> For using Route=policy, the wg-policy script has some rules.
> Adjust them to your situation.
> The default table is 117.
>
> nano /opt/etc/wireguard/wg-policy
> Code:
> #
> ##For ipset based Policy Routing
> #
>
> #ipset -N $Nipset hash:ip
>
> #ip rule del prio 9997 2>/dev/null
> #ip rule add fwmark 0x7000 table 117 prio 9997
> #iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
> #iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000
>
> #service restart_dnsmasq
>
> 4. Server configuration settings.
>
> Code:
> (umask 077 && printf "[Interface]\nPrivateKey = " | tee /opt/etc/wireguard/wg1.conf > /dev/null)
> wg genkey | tee -a /opt/etc/wireguard/wg1.conf | wg pubkey | tee /opt/etc/wireguard/server-publickey
>
> nano /opt/etc/init.d/S50wireguard (example)
> Code:
> Mode=server
>
> export Subnet=10.50.50.1/24   #e.g.)10.50.50.1/24
> export wgport=51820
>
> nano /opt/etc/wireguard/wg1.conf (Server uses wg1)
> Code:
> [Interface]
> PrivateKey = ----------
> ListenPort = 51820
>
> [Peer]
> PublicKey = ----------
> AllowedIPs = 10.50.50.2/32
>
> Done. Start WireGuard.
> Code:
> /opt/etc/init.d/S50wireguard start
>
> 4.5 Generate client QR code.
>
> The generator script will generate a QR code image for Android or iOS.
> You need to install qrencode first.
> Code:
> opkg install qrencode
>
> If you want to use your host address (192.168.50.1) as the DNS server,
> you have to add the wg interface to Dnsmasq's listening interface list.
> Code:
> sed -i '1s/^/interface=wg* \n/' /jffs/configs/dnsmasq.conf.add
> service restart_dnsmasq
>
> The script will ask you for 3 options:
> 1. client name 2. client address 3. client DNS server
>
> -------------------------------------------------------------------------
> WireGuard uses iptables, so when the firewall is restarted the rules will be gone.
> Please add this to the nat-start script.
>
> nano /jffs/scripts/nat-start
> Code:
> #!/bin/sh
>
> WVPNROUTE=$(ip route show | grep -i -a "dev wg")
> logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP.... $WVPNROUTE"
> if [ "$WVPNROUTE" != "" ]; then
>         logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
>         /opt/etc/init.d/S50wireguard restart
> fi
>
> 5. Remove WireGuard
> Code:
> /opt/etc/init.d/S50wireguard stop
> opkg remove wireguard-kernel wireguard-tools
> rm -r /opt/etc/wireguard
> rm /opt/etc/init.d/S50wireguard
>
> The scripts are not beautiful. They just work. Sorry, this is my best.
> They have some rules to prevent duplicates.
> The error messages (e.g. from iptables) are not real errors.
> Don't worry.
>
> Edit: iperf benchmark result.
>
> WireGuard server on RT-AC86U. Windows 10 TunSafe client. (https://tunsafe.com/download)
> The WireGuard author does not vouch for TunSafe's security. I just used it for benchmark purposes.
>
> Code:
> C:\iperf-2.0.9-win64>iperf -c 192.168.50.246 -N -M 1400 -t 20 -w 2M -P 5
> WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
> WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
> WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
> WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
> WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
> ------------------------------------------------------------
> Client connecting to 192.168.50.246, TCP port 5001
> TCP window size: 2.00 MByte
> ------------------------------------------------------------
> [ 5] local 10.50.50.2 port 1911 connected with 192.168.50.246 port 5001
> [ 7] local 10.50.50.2 port 1913 connected with 192.168.50.246 port 5001
> [ 4] local 10.50.50.2 port 1910 connected with 192.168.50.246 port 5001
> [ 6] local 10.50.50.2 port 1912 connected with 192.168.50.246 port 5001
> [ 3] local 10.50.50.2 port 1909 connected with 192.168.50.246 port 5001
> [ ID] Interval       Transfer     Bandwidth
> [ 5] 0.0-20.0 sec    220 MBytes   92.4 Mbits/sec
> [ 7] 0.0-20.0 sec    205 MBytes   86.1 Mbits/sec
> [ 4] 0.0-20.1 sec    230 MBytes   96.1 Mbits/sec
> [ 6] 0.0-20.0 sec    227 MBytes   95.2 Mbits/sec
> [ 3] 0.0-20.0 sec    212 MBytes   89.1 Mbits/sec
> [SUM] 0.0-20.1 sec   1.07 GBytes  457 Mbits/sec

Does this install on the latest firmware 384.19 on RT-AX88U?
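Step 2 of the quoted instructions splits a provider-supplied wg0.conf by hand: the Address (minus its prefix length) and DNS move into the init file's exports, the two lines are commented out, and PersistentKeepalive is added. The script below does that transformation automatically; it is an added example, not one of the thread's scripts, and assumes the AzireVPN-style layout shown above where [Peer] is the last section (keys in the sample are placeholders).

```shell
#!/bin/sh
# Added example (not the thread's scripts): split a provider-supplied wg0.conf
# into the form S50wireguard expects. Address (prefix stripped) and DNS become
# the init file's export lines and are commented out in the config, and
# PersistentKeepalive is appended once. Assumes [Peer] is the last section.

# Print the value of "KEY = value" from an INI-style WireGuard config.
wg_value() {   # usage: wg_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Address without its prefix length: "10.40.12.49/19" -> "10.40.12.49".
wg_local_ip() {   # usage: wg_local_ip FILE
    wg_value "$1" Address | cut -d/ -f1
}

# The two export lines that go into the client block of the init file.
init_exports() {   # usage: init_exports FILE
    printf 'export LocalIP=%s\nexport wgdns=%s\n' "$(wg_local_ip "$1")" "$(wg_value "$1" DNS)"
}

# Rewrite FILE in place: comment out Address and DNS (the init file now owns
# them) and add the keepalive the thread recommends, without duplicating it.
split_wg_conf() {   # usage: split_wg_conf FILE
    sed -i -e 's/^[[:space:]]*\(Address[[:space:]]*=\)/#\1/' \
           -e 's/^[[:space:]]*\(DNS[[:space:]]*=\)/#\1/' "$1"
    grep -q '^[[:space:]]*PersistentKeepalive[[:space:]]*=' "$1" \
        || printf 'PersistentKeepalive = 25\n' >> "$1"
}
# Demo on a constructed copy of the AzireVPN-style config (keys are placeholders).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.40.12.49/19
DNS = 192.211.0.2

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = IP:PORT
EOF
    init_exports "$f"      # lines to paste into /opt/etc/init.d/S50wireguard
    split_wg_conf "$f"
    cat "$f"               # the rewritten wg0.conf
    rm -f "$f"
}
demo
```

On the router you would run init_exports and split_wg_conf against /opt/etc/wireguard/wg0.conf instead of the temporary copy.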
 
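Sections 4 and 4.5 of the quoted instructions add a client to the wg1 server by hand and then encode its config as a QR image. The functions below show the provisioning logic behind that: pick the next free address in the Subnet from the AllowedIPs already in wg1.conf, append the [Peer] with a /32 so the server accepts that key only for that address, and render the client config. This is an added example, not the thread's generator script; keys, the endpoint hostname and the temporary file are placeholders, and key generation is left to wg genkey / wg pubkey on the router.

```shell
#!/bin/sh
# Added example, not the thread's generator script: provision a new client on
# the wg1 server. Picks the next free address in the Subnet by scanning
# AllowedIPs in wg1.conf, appends a [Peer] block, and renders the client config
# the QR step would encode. Keys are passed in, so this runs without wg.

# Lowest unused host above the server's own address in its /24.
# usage: next_client_ip WG1.CONF SUBNET   (SUBNET as in the init file, 10.50.50.1/24)
next_client_ip() {
    net=$(printf '%s' "$2" | cut -d/ -f1 | cut -d. -f1-3)
    host=$(printf '%s' "$2" | cut -d/ -f1 | cut -d. -f4)
    used=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" | cut -d/ -f1)
    host=$((host + 1))
    while [ "$host" -lt 255 ]; do
        cand="$net.$host"
        if ! printf '%s\n' "$used" | grep -qxF "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
        host=$((host + 1))
    done
    return 1   # subnet exhausted
}

# Register the client on the server. AllowedIPs is a /32, so the server accepts
# this public key only for that one tunnel address.
add_server_peer() {   # usage: add_server_peer WG1.CONF CLIENT_PUBKEY CLIENT_IP
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$2" "$3" >> "$1"
}

# Client-side config: the text the generator turns into a QR image. The default
# AllowedIPs 0.0.0.0/0 sends all client traffic through the tunnel; pass the
# LAN (e.g. 192.168.50.0/24) as the 6th argument for split tunnelling.
client_conf() {   # usage: client_conf CLIENT_PRIVKEY CLIENT_IP DNS SERVER_PUBKEY HOST:PORT [ALLOWED]
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\nDNS = %s\n\n' "$1" "$2" "$3"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s\nEndpoint = %s\nPersistentKeepalive = 25\n' \
        "$4" "${6:-0.0.0.0/0}" "$5"
}

# Demo on a constructed wg1.conf with one existing client (keys are placeholders).
demo() {
    f=$(mktemp)
    printf '[Interface]\nPrivateKey = SERVER_PRIV\nListenPort = 51820\n\n[Peer]\nPublicKey = CLIENT1_PUB\nAllowedIPs = 10.50.50.2/32\n' > "$f"
    ip=$(next_client_ip "$f" 10.50.50.1/24)   # -> 10.50.50.3
    add_server_peer "$f" CLIENT2_PUB "$ip"
    client_conf CLIENT2_PRIV "$ip" 192.168.50.1 SERVER_PUB router.example.invalid:51820
    rm -f "$f"
}
demo
```

After add_server_peer the running server needs the new peer loaded (the thread restarts it with /opt/etc/init.d/S50wireguard restart), and the client config text is what you pipe into qrencode.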

Yesgeek

Occasional Visitor
Did someone get Wireguard working on the AX88U? Seems to be still in the works. I have no clue what forks are or how to get a command line on the router. Am I supposed to SSH into the router? Sorry for the noob questions.
 

chinaa108

New Around Here
Yes. Please ssh into the router as admin with your password, and follow the instructions on page 1. It works well! I have even managed to get it working with the ax11000 using the ax88u software.
 

Yesgeek

Occasional Visitor
> Yes. Please ssh into the router as admin with your password, and follow the instructions on page 1. It works well! I have even managed to get it working with the ax11000 using the ax88u software.

Nice! Thank you, I'll give it a try.
 

gspannu

Regular Contributor
> Yes. Please ssh into the router as admin with your password, and follow the instructions on page 1. It works well! I have even managed to get it working with the ax11000 using the ax88u software.

Yes, works like a charm. I use the router as a WireGuard server to access my NAS (and other machines) from remote locations. WireGuard is super fast.
 

jobhax

New Around Here
> Figured out the ipk build for wireguard. I downloaded the Entware repo and rebuilt from source... took hours, but now I can build the ipk from source, which is good; however, the default source didn't have all the associated scripts from @Odkrys. Is there a fork somewhere I can clone for the wireguard IPK build so it has the same scripts as OP's?
>
> Thanks.

Were you able to compile the ipk? Or able to provide scripts to build it?
 

gspannu

Regular Contributor
Weird situation... any help would be much appreciated.

Totally clean install - built from scratch.
1) RT-AX88U, v384.19, JFFS enabled, 2GB swap
2) Entware installed; SpeedMerlin installed, NO other amtm components or scripts

Steps undertaken:
  1. Installed WireGuard
  2. Running it as a server
  3. Configured exactly as per the instructions in Post 1 (wg1.conf, S50wireguard, dnsmasq.conf.add, nat-start)
  4. Operates as expected; able to connect from clients.
  5. Rebooted the router; everything works as expected.
  6. WireGuard server operates as expected; able to connect from clients. No issues.
  7. Repeated step 5 multiple times, no problems.
Problem starts now:
- Installed Diversion Lite (Medium list, fairly standard configuration - email notifications, etc. - nothing very complicated)
- WireGuard client can still connect, no issues.

- Reboot router
- Diversion still works as expected
- WireGuard clients can no longer connect.
- Checked syslog. WireGuard service started (but with the time shown as May 5 06:05:xx)

Working resolution:
- Manually execute the command to restart WireGuard
/opt/etc/init.d/S50wireguard restart
- WireGuard clients can connect again!!!

It seems that the WireGuard server does not start properly after reboot (but only if Diversion is installed!)

Any clues, or any script/method to force the WireGuard server to restart on reboot?
Or any other configuration setting that needs to be changed due to Diversion?
 

gspannu

Regular Contributor
> Weird situation... any help would be much appreciated.
>
> Totally clean install - built from scratch.
> 1) RT-AX88U, v384.19, JFFS enabled, 2GB swap
> 2) Entware installed; SpeedMerlin installed, NO other amtm components or scripts
>
> Steps undertaken:
>   1. Installed WireGuard
>   2. Running it as a server
>   3. Configured exactly as per the instructions in Post 1 (wg1.conf, S50wireguard, dnsmasq.conf.add, nat-start)
>   4. Operates as expected; able to connect from clients.
>   5. Rebooted the router; everything works as expected.
>   6. WireGuard server operates as expected; able to connect from clients. No issues.
>   7. Repeated step 5 multiple times, no problems.
> Problem starts now:
> - Installed Diversion Lite (Medium list, fairly standard configuration - email notifications, etc. - nothing very complicated)
> - WireGuard client can still connect, no issues.
>
> - Reboot router
> - Diversion still works as expected
> - WireGuard clients can no longer connect.
> - Checked syslog. WireGuard service started (but with the time shown as May 5 06:05:xx)
>
> Working resolution:
> - Manually execute the command to restart WireGuard
> /opt/etc/init.d/S50wireguard restart
> - WireGuard clients can connect again!!!
>
> It seems that the WireGuard server does not start properly after reboot (but only if Diversion is installed!)
>
> Any clues, or any script/method to force the WireGuard server to restart on reboot?
> Or any other configuration setting that needs to be changed due to Diversion?

Update:

Reinstalled everything again from scratch and it all works fine now.

The only thing I guess is that the nat-start script (jffs/scripts/nat-start) had somehow lost its 'executable' (chmod +x) attribute and was probably not being executed at startup.

Really don't know... but WireGuard works fine as a server now and survives a reboot. Happy again. :) :)
 
