[Experimental] WireGuard for HND platform (4.1.x kernels)

I'm getting the following error when trying to start the Wireguard although the file is there. Any suggestions?
Gqd5fUf.png
 
Navigate to the directory, e.g. cd /opt/etc/init.d. Then, issue the command to list the directory contents so the owner and file permissions show up. (ls -l)
 
Thanks for the reply. I did that and it looks like the following.
qn9hEVu.png
 
Do you have AMTM installed? Try updating entware using the menu option 3 if the update option appears. Then, see if you still have problems.

upload_2019-3-7_17-17-55.png
 
I downloaded AMTM and updated entware. I also played around a bit more and now I'm at permission denied. So progress is being made. What's next?
cRSkXEO.png
Navigate to the directory. Issue the command
Code:
chmod 755 s50wireguard
to set the file permissions to be executable.

All of the entware packages use a capital "S" and not a lowercase "s" for the start up scripts in /opt/etc/init.d. Something the maintainer may want to change. But it should not impact the ability to start, stop, restart, etc.
 
Capital S50 in the first and second images but small s50 in the third image.
Did you write starting script yourself?
Try to reinstall wireguard.
 
Thanks a ton for all the help!

Thanks. When I saved it I didn't know and didn't put the capital S in front. I fixed it when reinstalling and editing all over again.

This has been a learning experience for me, not having used SSH before. But I'm glad it's working and I got some new knowledge along the way.

I reinstalled Wireguard and then I went through the configs all over again (since learning Putty a bit it's way easier) and then it started up properly.

x0xFVyd.png
 
Glad you got it working. I can't recall the last time I used Putty. Maybe 4 years ago.

MobaXterm is my client of choice. I mostly use the SSH and SFTP terminal sessions. SFTP gives me a Windows Explorer-like view of the file system with access to a good user-friendly editor. I also use the VNC terminal for GUI access to my Raspberry Pi. I've also used the COM session client. I'm able to save a terminal session for all of the sites I support. Luckily, there are many good free clients out there to select from to suit everyone's preferences.
 
I just bought an RT-AC86U and installed the latest merlin (384.9), entware and WireGuard 0.0.20190227. I have been running this setup for about 12 hours and all works great, except that I have noticed that 2 times during the day all computers behind the router are refused connections to the internet.

Internally I can reach all my servers, and from the internet I get the IP of all sites I have tried to ping, but they do not respond (example: ping -c1 google.com).

I SSH into the router and the router can ping and curl any page, so it is obviously able to reach the internet. I can also ping the internal server that mullvad has internally ("ping -c1 10.64.0.1"), so I can't rely on my cronjob that tries to ping this IP once every 10th minute and restart the VPN if that IP doesn't answer me.

But when I run /opt/etc/init.d/S50wireguard restart, *POOF*, all machines can reach the internet again.

Anyone else have this problem? Really frustrating since I can't figure out what it could be :)
In the router I am using 2 different DNS servers: DNS1 "9.9.9.9" and DNS2 "1.1.1.1"
 
I just bought an RT-AC86U and installed the latest merlin (384.9), entware and WireGuard 0.0.20190227. I have been running this setup for about 12 hours and all works great, except that I have noticed that 2 times during the day all computers behind the router are refused connections to the internet.
Internally I can reach all servers and I get the IP of all hosts I try to ping, but no response on the ping.
I SSH into the router and the router can ping and curl any page, so it is obviously able to reach the internet. I run /opt/etc/init.d/S50wireguard restart and *POOF*, all machines can reach the internet again.
Anyone else have this problem? Really frustrating since I can't figure out what it could be :)
In the router I am using 2 different DNS1 "9.9.9.9" and DNS2 "1.1.1.1"

After installing RMerlin, did you do a full reset to factory defaults and then proceed to minimally and manually configure the router to secure it and connect to your ISP? Did you do a clean install of the scripts and programs mentioned after that?
 
The first thing I did when I got my router was to just do the minimal thing I could before I was able to flash it with RMerlin.
But after the flash I started installing entware and wireguard directly after that.

So should I try a full factory reset and then install everything?
 
Yes. 100% you should. Recommended in the RMerlin readme file you downloaded with the firmware. ;)

See my signature below for detailed steps.
 
Just . Also noticed that Administrator > Restore/Save/Upload Setting > Factory default (Restore).
Basically:
  1. Reset router
  2. Install AMTM
  3. Install Entware from AMTM
  4. Enable JFFS custom script in Admin > System > Enable JFFS custom scripts and configs
  5. Added my scripts to /jffs/scripts/post-mount and services-start
  6. opkg install wireguard_0.0.20190227-ab146d9....
And then I just fixed my wg.conf to comment out the Address and DNS and put them into S50wireguard. And it was here I got my slap in the face and told myself OMG RTFM! I forgot the net-stat script last time :oops:. So most likely my firewall rebooted at the points that I saw. At least I have a clean router now :p

Thanks for the help! Hopefully my router will work properly now :)
 
For prospective future readers, the order should be:
  1. Reset router. Make sure to check the 'initialize all settings' checkbox in the GUI.
  2. If you didn't use that checkbox, format the jffs partition at next boot and reboot the router 3 times in the next 15 minutes or so, waiting for at least 5 to 10 minutes between reboots.
  3. Enable jffs custom scripts.
  4. Install amtm (it installs in jffs)
  5. Format the USB drive to Ext4 with journalling. The router will reboot.
  6. Enable the disk check in amtm (verifies the USB drive on reboot).
  7. Create a swap file (I use the 2GB option, always).
  8. Install the scripts you need and want.
  9. Reboot the router and check that the disk check shows 'clean'.
Glad to be of some assistance and I hope it works properly for you now too.
 
One issue I had was that the Wireguard startup on router reboot was interfering with the process of getting a WAN IP from my ISP when booting up the router.
To solve this issue I just added a "sleep 20" command into the S50wireguard file.

#!/bin/sh

PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
sleep 20
Mode=client #server or client
.
.

Now every time I need to reboot my router, or in case of a power outage, the WireGuard script has a 20-second delay before starting while the router is starting up.
 
Noticed the same, but for me the sleep was sometimes enough and sometimes not, since I do not have a static IP. So I created a script that is executed at post-mount to do a restart. Will tweak it a bit better so this is part of S50wireguard instead. But for now it will be like this :)

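#!/bin/sh

# Wait for internet connectivity, then restart WireGuard once.
tries=1
while [ "$tries" -lt 120 ]
do
    if /bin/ping -c 1 google.com
    then
        echo "$(date) Internet after $tries pings" >> /tmp/home/root/logs-start
        /opt/etc/init.d/S50wireguard restart
        break   # stop after the first success; otherwise the restart repeats on every pass
    fi
    tries=$((tries+1))
    sleep 1     # avoid a busy loop when ping fails immediately (e.g. no DNS yet)
done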

Also have an equivalent script that I add during service-start
cru a wg "*/10 * * * * /jffs/scripts/wg-watcher.sh"

This is pinging an ip that only is available when running the vpn. And if that does not answer after 3 tries I will run a restart on wg
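
A watchdog along the lines described in the post above, as an added example (not the poster's wg-watcher.sh, which the thread does not show): it pings the VPN-only address first and restarts only when the ping fails and no peer has a recent handshake. The interface name wg0 and the 180-second handshake limit are assumptions; 10.64.0.1 and the restart command come from the thread.

```shell
#!/bin/sh
# Added example, not the poster's wg-watcher.sh.
# Assumed: interface wg0, 180 s handshake limit. From the thread: 10.64.0.1, restart command.
IFACE="${IFACE:-wg0}"
PROBE_IP="${PROBE_IP:-10.64.0.1}"
MAX_AGE="${MAX_AGE:-180}"
TRIES="${TRIES:-3}"

# handshake_stale NOW MAX_AGE
# stdin: output of `wg show IFACE latest-handshakes`, one
# "<public key> <epoch seconds>" line per peer (0 = never connected).
# Returns 0 when no peer completed a handshake within MAX_AGE seconds.
handshake_stale() {
    hs_now=$1; hs_max=$2; hs_newest=0
    while read -r _key hs_ts; do
        case $hs_ts in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        if [ "$hs_ts" -gt "$hs_newest" ]; then hs_newest=$hs_ts; fi
    done
    [ "$hs_newest" -eq 0 ] || [ $((hs_now - hs_newest)) -gt "$hs_max" ]
}

# probe_ok IP TRIES: succeed as soon as one single-packet ping is answered.
probe_ok() {
    p_n=0
    while [ "$p_n" -lt "$2" ]; do
        if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then return 0; fi
        p_n=$((p_n + 1))
    done
    return 1
}

# needs_restart STALE PROBE_FAILED (each 0 or 1): restart only if both checks
# agree, so an unanswered ping on a tunnel that still handshakes is ignored.
needs_restart() { [ "$1" -eq 1 ] && [ "$2" -eq 1 ]; }

main() {
    stale=0; failed=0
    # Probe first: the ping itself makes an idle tunnel attempt a handshake.
    probe_ok "$PROBE_IP" "$TRIES" || failed=1
    if wg show "$IFACE" latest-handshakes 2>/dev/null |
        handshake_stale "$(date +%s)" "$MAX_AGE"; then stale=1; fi
    if needs_restart "$stale" "$failed"; then
        logger -t wg-watcher "tunnel down, restarting"
        /opt/etc/init.d/S50wireguard restart
    fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Because the router could still ping 10.64.0.1 during the outage reported earlier in the thread, a tunnel-level check like this one would not have triggered in that case.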
 
Wireguard update from ExpressVPN:

https://www.expressvpn.com/blog/exp...&utm_source=newsletter201903&utm_content=link


Sent from my iPhone using Tapatalk

In case the link doesn’t work:

ExpressVPN WireGuard Update

ExpressVPN
March 14, 2019
WireGuard is a free and open-source VPN protocol originally written by Jason A. Donenfeld (you can support Wireguard in their efforts here) and currently developed by Edge Security LLC. WireGuard works directly on the kernel level of a device’s operating system, making it possible to encrypt and decrypt data more quickly and securely and with fewer risks of leaks, compared with other VPN protocols.

So far, the hope is that WireGuard can establish itself as a widespread protocol that makes VPN connections ubiquitous (including on mobile phones and the internet of things) without the risk of arbitrary disconnects or high battery usage.

It’s exciting to see such significant improvements, and, understandably, many are excited about seeing this protocol deployed commercially. We at ExpressVPN are frequently asked about our immediate plans and opinions on WireGuard, and we’d like to take the opportunity to clarify our position.

WireGuard: A great idea in development

WireGuard is easier to set up and handle than other VPN protocols, although more development is required before it’s ready for a large production environment with countless users.

This is an opinion shared by the developers of WireGuard, who state on their website:

“WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change.”

One of the challenges WireGuard faces is to ensure anonymity for VPNs. No single user should be statically allocated a single IP address, neither on a public nor a virtual network. A user’s internal IP address might be discovered by an adversary (through WebRTC, for example), who might then be able to match it with records acquired from a VPN provider (through theft, sale, or legal seizure). A good VPN must be unable to match such an identifier to a single user. Currently, this setup is not easily achieved with WireGuard.

ExpressVPN will be supporting efforts to review and audit the WireGuard code, as we have done in the past with OpenVPN. We will contribute code and report bugs whenever we can and raise security and privacy concerns directly with the development team. And, due to WireGuard’s reduced complexity, any public audit will be more comprehensive and provide a higher level of assurance.

On Android, Linux, Mac, and routers, WireGuard performs very well. ExpressVPN puts the security and privacy of its users first, though, so we will await further testing before we roll out WireGuard to our large customer base.

ExpressVPN



 
