[Experimental] WireGuard for HND platform (4.1.x kernels)


@Odkrys Just wanted to say thank you! I got wireguard setup as a server on my AC86U and tested with iOS client and it worked flawlessly.

I'm still a noob when it comes to network routing... I'm thinking about trying out Mozilla's WireGuard service. I don't want all internet traffic to be routed to Mozilla, just select devices; this is where I need to read up more on iptables and such.

Does anyone know how to cross compile the wg-tool userspace binary (I have Ubuntu 18.04, I can code but I'm not good with tools and setups)? I would like to build the binary from source myself. Any tip will be tremendously appreciated!
 
Figured out the ipk build for WireGuard. I downloaded the Entware repo and rebuilt from source... it took hours, but now I can build the ipk from source, which is good. However, the default source didn't have all the associated scripts from @Odkrys. Is there a fork somewhere I can clone for the WireGuard ipk build so it has the same scripts as OP's?

Thanks.
 
Hi everybody, new here! Is there any way/script for restarting WireGuard if the connection drops? I'm still trying to learn all of this, any help?
 
It's been a few days, but I can confirm that WireGuard works on the Asus GT-AX11000. It works extremely well! Now if only someone could point me to the script for restoring it when it drops out.
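A handshake-based watchdog, added here as an example; it is not a script from this thread or from the ipk. WireGuard keeps no connection state, so "the connection dropped" can only be inferred from the age of the last completed handshake, which `wg show <if> latest-handshakes` prints per peer as a Unix timestamp (0 if the peer never handshaked). The script restarts the thread's /opt/etc/init.d/S50wireguard when the client tunnel (wg0, the client interface in the install instructions) has not handshaked within MAX_AGE seconds. The interface name, the threshold and the init path are assumptions to adjust for your setup.

```shell
#!/bin/sh
# Added example (not from the thread): restart WireGuard when the client tunnel
# has gone silent. Assumes the S50wireguard init script from the install post,
# wg0 as the client interface, and PersistentKeepalive = 25 on the peer, so a
# live tunnel re-handshakes far more often than every MAX_AGE seconds.

WG_IF="${WG_IF:-wg0}"          # client interface per the thread (server mode uses wg1)
MAX_AGE="${MAX_AGE:-180}"      # seconds since the last handshake before we call it dead
INIT=/opt/etc/init.d/S50wireguard

# stale_peers HANDSHAKE_OUTPUT NOW MAX_AGE
# Input is the text of `wg show <if> latest-handshakes`: "<peer-pubkey>\t<unix-ts>" per line.
# Prints the number of peers whose latest handshake is older than MAX_AGE or never happened.
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$3" '
        NF >= 2 { if ($2 == 0 || now - $2 > max) stale++ }
        END     { print stale + 0 }'
}

# tunnel_alive HANDSHAKE_OUTPUT NOW MAX_AGE
# Client mode has exactly one peer (the VPN server), so the tunnel is alive only
# when no peer is stale. Empty output means the interface is missing: not alive.
tunnel_alive() {
    hs="$1"; now="$2"; max="$3"
    [ -n "$hs" ] || return 1
    [ "$(stale_peers "$hs" "$now" "$max")" -eq 0 ]
}

watchdog() {
    # `wg show` exits non-zero when the interface does not exist; treat that as dead too
    hs=$(wg show "$WG_IF" latest-handshakes 2>/dev/null) || hs=""
    if tunnel_alive "$hs" "$(date +%s)" "$MAX_AGE"; then
        return 0
    fi
    logger -t wg-watchdog "no handshake on $WG_IF within ${MAX_AGE}s, restarting WireGuard"
    "$INIT" restart
}

# Only act when invoked with "run", so the functions can also be sourced for testing.
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

Save it as /jffs/scripts/wg-watchdog, make it executable, and schedule it from services-start with Merlin's cron wrapper, e.g. `cru a wg-watchdog "*/5 * * * * /jffs/scripts/wg-watchdog run"` (an assumed schedule). It is meant for client mode only: on a server, a peer without a recent handshake is simply a client that is not connected, so a stale entry there is not a fault and restarting would drop the clients that are connected.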
 
1. Install WireGuard

You need Entware-aarch64-3.10 to use wireguard without a new firmware build.


ㅡ Kernel Module ㅡ

RT-AC86U - 4.1.27
https://drive.google.com/file/d/1kzLo8k6J3lv2bzbw3uZL0eTVLbefXDOD/view?usp=sharing

Code:
opkg install /path/wireguard-kernel_1.0.20200611-ac_aarch64-3.10.ipk


RT-AX88U - 4.1.51
https://drive.google.com/file/d/1d3J5AmYDHbLkJfyD8QvhMW5dJnpI2mNe/view?usp=sharing

Code:
opkg install /path/wireguard-kernel_1.0.20200611-ax_aarch64-3.10.ipk


ㅡ User space tool ㅡ

https://drive.google.com/open?id=1WO62W2IKyxthsQMhETJnEGTuHkXdLLpn

Code:
opkg install /path/wireguard-tools_1.0.20200513-2_aarch64-3.10.ipk

cp /opt/etc/wireguard/S50wireguard /opt/etc/init.d


2. Client configuration setting.

nano /opt/etc/init.d/S50wireguard
Code:
Mode=client

export LocalIP=
Route=default   #default or policy
export wgdns=
export Nipset=wgvpn

The init file has 5 options.
Mode=client

LocalIP is provided by your VPN provider (e.g. AzireVPN, Mullvad) or your VPS.

Route=default will redirect all your internet traffic to the VPN server.
Route=policy works like Policy Rules (strict) on Merlin.

wgdns is an option to change the DNS server.
Nipset is the name of the ipset used for ipset-based policy routing.

AzireVPN, Mullvad, IVPN, TorGuard support WireGuard servers.

AzireVPN https://www.azirevpn.com/cfg/wg
Mullvad https://mullvad.net/en/servers/#wireguard
IVPN https://www.ivpn.net/wireguard
TorGuard https://torguard.net/knowledgebase.php?action=displayarticle&id=250

nano /opt/etc/wireguard/wg0.conf (example of AzireVPN)
Code:
[Interface]
PrivateKey = -------
Address = 10.40.12.49/19
DNS = 192.211.0.2

[Peer]
PublicKey = ----------
AllowedIPs = 0.0.0.0/0
Endpoint = IP:PORT

AzireVPN's config file looks like the one above.
Fill in the Address 10.40.12.49 as LocalIP in the init file.
Code:
export LocalIP=10.40.12.49   # without the /19 prefix
export wgdns=192.211.0.2

Then comment out Address and DNS in the config file.
The config file should then look like this. (I highly recommend you add keepalive.)
Code:
[Interface]
PrivateKey = -------
#Address = 10.40.12.49/19
#DNS = 192.211.0.2

[Peer]
PublicKey = -------
AllowedIPs = 0.0.0.0/0
Endpoint = IP:PORT
PersistentKeepalive = 25

Done. Start WireGuard.
Code:
/opt/etc/init.d/S50wireguard start


3. Advanced client settings.

For using Route=policy, the wg-policy script has some rules.
Adjust them to your situation.
The default table is 117.

nano /opt/etc/wireguard/wg-policy
Code:
#
##For ipset based Policy Routing
#

#ipset -N $Nipset hash:ip

#ip rule del prio 9997 2>/dev/null
#ip rule add fwmark 0x7000 table 117 prio 9997
#iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
#iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000

#service restart_dnsmasq


4. Server configuration setting.

Code:
(umask 077 && printf "[Interface]\nPrivateKey = " | tee /opt/etc/wireguard/wg1.conf > /dev/null)
wg genkey | tee -a /opt/etc/wireguard/wg1.conf | wg pubkey | tee /opt/etc/wireguard/server-publickey

nano /opt/etc/init.d/S50wireguard (example)
Code:
Mode=server

export Subnet=10.50.50.1/24   #e.g.)10.50.50.1/24
export wgport=51820

nano /opt/etc/wireguard/wg1.conf (Server uses wg1)
Code:
[Interface]
PrivateKey = ----------
ListenPort = 51820

[Peer]
PublicKey = ----------
AllowedIPs = 10.50.50.2/32

Done. Start WireGuard.
Code:
/opt/etc/init.d/S50wireguard start


4.5 Generate client QRcode.

The generator script will generate a QR code image for Android or iOS.
You need to install qrencode first.
Code:
opkg install qrencode

If you want to use your host address (192.168.50.1) as the DNS server,
you have to add the wg interface to Dnsmasq's listening interface list.
Code:
sed -i '1s/^/interface=wg* \n/' /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

This script will ask you for 3 options:
1. client name 2. client address 3. client DNS server



-------------------------------------------------------------------------
WireGuard uses iptables, so when the firewall is restarted, the rules will be gone.
Please add this to the nat-start script.

nano /jffs/scripts/nat-start
Code:
#!/bin/sh

WVPNROUTE=`ip route show | grep -i -a "dev wg"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
        logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
        /opt/etc/init.d/S50wireguard restart
fi


5. Remove WireGuard
Code:
/opt/etc/init.d/S50wireguard stop
opkg remove wireguard-kernel wireguard-tools
rm -r /opt/etc/wireguard
rm /opt/etc/init.d/S50wireguard


The scripts are not beautiful. They just work. Sorry, this is my best.
They have some rules to prevent duplicates.
The error messages (e.g. from iptables) are not real errors.
Don't worry.


Edit: iperf benchmark result.

WireGuard server on RT-AC86U. Windows 10 TunSafe client. (https://tunsafe.com/download)
The WireGuard author does not vouch for TunSafe's security. I just used it for benchmark purposes.

C:\iperf-2.0.9-win64>iperf -c 192.168.50.246 -N -M 1400 -t 20 -w 2M -P 5
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
------------------------------------------------------------
Client connecting to 192.168.50.246, TCP port 5001
TCP window size: 2.00 MByte
------------------------------------------------------------
[ 5] local 10.50.50.2 port 1911 connected with 192.168.50.246 port 5001
[ 7] local 10.50.50.2 port 1913 connected with 192.168.50.246 port 5001
[ 4] local 10.50.50.2 port 1910 connected with 192.168.50.246 port 5001
[ 6] local 10.50.50.2 port 1912 connected with 192.168.50.246 port 5001
[ 3] local 10.50.50.2 port 1909 connected with 192.168.50.246 port 5001
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-20.0 sec 220 MBytes 92.4 Mbits/sec
[ 7] 0.0-20.0 sec 205 MBytes 86.1 Mbits/sec
[ 4] 0.0-20.1 sec 230 MBytes 96.1 Mbits/sec
[ 6] 0.0-20.0 sec 227 MBytes 95.2 Mbits/sec
[ 3] 0.0-20.0 sec 212 MBytes 89.1 Mbits/sec
[SUM] 0.0-20.1 sec 1.07 GBytes 457 Mbits/sec
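The client-provisioning step behind sections 4 and 4.5, written out as an added example; this is not the generator script shipped with the thread's ipk. It assumes the server layout from step 4 (/opt/etc/wireguard/wg1.conf, the server public key in /opt/etc/wireguard/server-publickey, tunnel subnet 10.50.50.0/24, interface wg1) and writes one client config per name under an assumed /opt/etc/wireguard/clients directory. The point it makes that the thread only implies: each client gets a /32 in the server's AllowedIPs, so the server only accepts packets from that key with exactly that source address (cryptokey routing), and key material is created under umask 077 so the files are owner-only.

```shell
#!/bin/sh
# Added example (not the thread's generator script): provision one client for the
# wg1 server from step 4 and print its config as a QR code as in step 4.5.
# Assumed paths/names: wg1.conf, server-publickey, clients/ directory, interface wg1.
WG_DIR=/opt/etc/wireguard
SERVER_CONF="$WG_DIR/wg1.conf"
SERVER_PUB="$WG_DIR/server-publickey"
CLIENT_DIR="$WG_DIR/clients"

# client_conf NAME ADDRESS DNS CLIENT_PRIVKEY SERVER_PUBKEY ENDPOINT
# Renders the client-side config. AllowedIPs = 0.0.0.0/0 sends all of the client's
# traffic through the router; narrow it to the LAN (e.g. 192.168.50.0/24) to split-tunnel.
client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\nDNS = %s\n\n' "$4" "$2" "$3"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\nPersistentKeepalive = 25\n' \
        "$5" "$6"
}

# server_peer NAME ADDRESS CLIENT_PUBKEY
# Renders the [Peer] block appended to wg1.conf. The /32 is the cryptokey-routing
# rule: packets from this key are accepted only if their source is exactly ADDRESS.
server_peer() {
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$3" "$2"
}

# address_in_use CONF ADDRESS: refuse to hand the same tunnel address to two clients,
# which would make the server's routing for that address ambiguous.
address_in_use() {
    grep -q "AllowedIPs = $2/32" "$1" 2>/dev/null
}

# add_client NAME ADDRESS DNS ENDPOINT
# e.g. add_client phone 10.50.50.2 192.168.50.1 vpn.example.net:51820 (placeholder endpoint)
add_client() {
    name="$1"; addr="$2"; dns="$3"; endpoint="$4"
    if address_in_use "$SERVER_CONF" "$addr"; then
        echo "$addr is already assigned in $SERVER_CONF" >&2
        return 1
    fi
    umask 077                      # private keys and configs are secrets: owner-only files
    mkdir -p "$CLIENT_DIR"
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    server_pub=$(cat "$SERVER_PUB")
    client_conf "$name" "$addr" "$dns" "$priv" "$server_pub" "$endpoint" > "$CLIENT_DIR/$name.conf"
    server_peer "$name" "$addr" "$pub" >> "$SERVER_CONF"
    # Add the peer to the running interface too, so existing clients keep their tunnel
    # instead of being dropped by a full S50wireguard restart.
    wg set wg1 peer "$pub" allowed-ips "$addr/32"
    # The QR code contains the client's private key: display it on a trusted screen only.
    qrencode -t ANSIUTF8 < "$CLIENT_DIR/$name.conf"
}

if [ "${1:-}" = "add" ]; then
    shift
    add_client "$@"
fi
```

Run it as `sh wg-add-client add phone 10.50.50.2 192.168.50.1 your.ddns.name:51820` on the router. The client file under clients/ is the same text the QR code encodes, so it can be copied to a desktop client directly; treat it as a credential and delete it once the client has imported it.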

Does this install on the latest firmware 384.19 on RT-AX88U ?
 
Did someone get Wireguard working on the AX88U? Seems to be still in the works. I have no clue what forks are or how to get a command line on the router. Am I supposed to SSH into the router? Sorry for the noob questions.
 
Yes. Please SSH into the router as admin with your password, and follow the instructions on page 1. It works well! I have even managed to get it working with the AX11000 using the AX88U software.
 
Nice! Thank you I'll give it a try
 
Yes, works like a charm. I use the router as a WireGuard server to access my NAS (and other machines) from remote locations. WireGuard is super fast.
 
Were you able to compile the ipk, or able to provide the scripts to build it?
 
Weird situation... any help would be much appreciated.

Totally clean install - build from scratch.
1) RT AX-88U, v384.19, JFFS enabled, 2GB Swap
2) Entware installed; SpeedMerlin installed, NO other amtm components or scripts

Steps undertaken:
  1. Installed Wireguard
  2. Running it as a server
  3. Configured exactly as per instructions in Post 1 (wg1.conf, S50wireguard, dnsmasq.conf.add, nat-start)
  4. Operates as expected; able to connect from clients.
  5. Reboot the router, everything works as expected.
  6. Wireguard server operates as expected; able to connect from clients. No issues.
  7. Repeated Step 5 multiple times, no problems.
Problem starts now:
- Installed Diversion Lite (Medium list, fairly standard configuration - email notifications, etc, - nothing very complicated)
- WireGuard client can still connect, no issues.

- Reboot Router
- Diversion still works as expected
- Wireguard clients can no longer connect.
- Checked SysLog. Wireguard service started (but with time shown as May 5 06:05:xx)

Working Resolution:
- Manually execute command to restart WireGuard
/opt/etc/init.d/S50wireguard restart
- Wireguard clients can connect again !!!

It seems that the WireGuard server does not start properly after a reboot (but only if Diversion is installed!)

Any clues, or any script/method to force the WireGuard server to restart on reboot?
Or is there any other configuration setting that needs to be changed because of Diversion?
 
Update:

Reinstalled everything again from scratch and it all works fine now.

My only guess is that the nat-start script (/jffs/scripts/nat-start) had somehow lost its 'executable' (chmod +x) attribute and was probably not being executed at startup.

Really don't know... but WireGuard works fine as a server now and survives a reboot. Happy again. :) :)
 
Hello all,
I have just finished following the instructions on page 1 for my Asus RT-AX88U router with the latest firmware and wireguard is up and running.
I have selected 10.10.10.1 for the WG interface.

I have two clients configured: my phone (10.10.10.2) and a dd-wrt router (10.10.10.3).

When I connect my phone, all is well, I can ssh to a lan ip and get a connection without a problem, and the phone public ip becomes the public ip of the ASUS router (as I was expecting).

The dd-wrt router is connected to the internet with a USB 3G modem (because I want to simulate a remote connection) and I have a laptop connected to that router. The router's LAN range is 192.168.10.xx, while the ASUS LAN range is 192.168.1.xxx.

The router gets a connection, but I cannot reach anything in the ASUS LAN. I cannot even ping the WireGuard server IP (100.100.10.1). I can, however, ping the WireGuard dd-wrt router IP (100.100.10.3), but ONLY from the ASUS router, not from the ASUS LAN.

What I would like to happen is to be able to access the dd-wrt lan from the ASUS lan and vice-versa.

Here is the wg1.conf file:

[Interface]
ListenPort = port
PrivateKey = secret

[Peer]
PublicKey = secret
AllowedIPs = 10.10.10.3/32, 192.168.10.0/24

[Peer]
PublicKey = secret
AllowedIPs = 10.10.10.2/32

Here is the S50wireguard file:

#!/bin/sh

PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Mode=server #server or client

#server
export Subnet=10.10.10.1/24 #e.g.)10.50.50.1/24
export wgport=port

#client
export LocalIP= #e.g.)10.50.50.2
Route=default #default or policy
export wgdns=
export Nipset=wgvpn

case $1 in
start)
logger "Starting WireGuard service."
if [ "$Mode" == "server" ] ; then
/opt/etc/wireguard/wg-server

elif [ "$Mode" == "client" ] && [ "$Route" != "policy" ] ; then
/opt/etc/wireguard/wg-up
else
/opt/etc/wireguard/wg-policy
fi
;;
stop)
logger "Stopping WireGuard service."
/opt/etc/wireguard/wg-down
;;
restart)
logger "Restarting WireGuard service."
/opt/etc/wireguard/wg-down
sleep 2
if [ "$Mode" == "server" ] ; then
/opt/etc/wireguard/wg-server

elif [ "$Mode" == "client" ] && [ "$Route" != "policy" ] ; then
/opt/etc/wireguard/wg-up
else
/opt/etc/wireguard/wg-policy
fi
;;
*)
echo "Usage: $0 {start|stop|restart}"
;;
esac

Can anyone help me with this please?
 
Hi everyone, I'm really interested in getting WireGuard going on my 86U. I've seen the instructions on page 1, but I'm a little gun-shy about trying to get this going without screwing up my router. Does anyone have an easy step-by-step guide or tutorial for a complete noob at scripting?
 
My favorite:


Asuswrt-Merlin has a built-in editor called nano. Get a good SSH client. Web search for "top ssh clients" if you want to use an alternate editor. Some are happy with WinSCP as a starting point.

You need to have a USB drive formatted with a Linux filesystem and Entware installed on it. Use the amtm utility to format the USB drive and install Entware.
 
Just trying to install this on the 384.18 version of Merlin on an RT-AC86U router.

I sent the first file to the /root/ path (the same one where the SSH client starts), but if I try to use the command it says opkg not found.

Any help? Thanks.
 
Is there a list somewhere of the routers that support wireguard? I'd like to buy a new router and it would be nice to run a vpn server on it.
 
