[Experimental] WireGuard for HND platform (4.1.x kernels)

No one can help you without any further useful info...
All I can say is that server works fine on my side.
Thanks Odkrys. I have upgraded to 384.11_2, no internet connection. Factory restore. Internet working but no WireGuard. Trying to figure out how to do this and have WireGuard running with old settings. Thanks
 
Thanks, will look at scripts in /jffs

I also had some problems after I updated my firmware. Mainly I lost speed and had a really unstable connection, sometimes being unable to connect at all. I ended up deleting wireguard with this from the initial post:
Code:
/opt/etc/init.d/S50wireguard stop
opkg remove wireguard
rm -r /opt/etc/wireguard

Then I went through all the steps again and it seems to be working.

EDIT: So I ran into some issues with my router once again and decided to clear jffs and reformat my USB-drive to reinstall everything. This seems to have fixed my issues. I don't know if the new merlin firmware update changed something but for now I'm just hoping it will keep working.

EDIT2: Apparently this didn't solve the issue either. I occasionally drop down to around 5 Mbit/s with Wireguard running (if it works at all) and I'm on a 1000 Mbit/s contract.

EDIT3:
Without Wireguard:
Z3y953h.png

Currently with Wireguard:
dnacYv4.png
 
No issues here.
Running on 384.11_2 without any issues.
Try to update your Wireguard version as well, by downloading and installing the latest version, which is linked in the first post in this thread and updated regularly.
Then set your configuration files up again if not taken any backup before upgrading.
 
BTW, is there any way to get a script to enter so WireGuard is automatically restarting in case the WAN connection is going down for a few seconds?
This happened on my site a few times, resulting in the internet connection being lost. First when I manually stop Wireguard and then restart it, it's working again.
 
Second this. Mine usually goes down about once a day and I have to manually restart wireguard. Otherwise it works flawlessly on 384.12
 
If you guys have an issue on full routing mode, sorry, I am running only policy mode.
Just disconnection or get down is not useful. WireGuard doesn't have detailed logs like openvpn.
Need to investigate further yourselves.
 
I'm running policy as well. It just occasionally stops routing anything on policy (probably once every day or two) so I was wondering if it'd be possible to put together a script to auto restart if it detects it's unable to route for whatever reason.
 
Well.. I never had the problem over a year. Server is running on my VPS.. super fine.
You need to be clear whether it is a server-side or client-side issue.
When the issue happens again, please check everything.
ping test, ip rule, iptables rules, wg status, system log and etc.
 
I'm running policy as well. It just occasionally stops routing anything on policy (probably once every day or two) so I was wondering if it'd be possible to put together a script to auto restart if it detects it's unable to route for whatever reason.

I found the reason and the solution for it.
It's written in the release notes of Merlin Firmware 384.12.
- NEW: Re-added option to extend the WAN's TTL (from stock firmware, was previously disabled as it used to be broken)

Changing the settings "WAN -> Special Requirement from ISP -> Extend the TTL value" to "Yes", solves the issue for me.
 
I'm trying to route all traffic from Wireguard through a VPN client connection.
I added the Wireguard ip's to the Selective Routing GUI (on the VPN client GUI page) and added a new iptables rule, inspired from here: https://www.snbforums.com/threads/openvpn-server-and-client-question.38378/#post-316743
My Wireguard ips are 10.5.5.0, and the iptables line I use is:
iptables -I POSTROUTING -t nat -s 10.5.5.0/24 -o tun11 -j MASQUERADE
Sometimes it works, but most of the time it does not - anyone got any suggestions what I could be missing or doing wrong?
 
I'm running policy as well. It just occasionally stops routing anything on policy (probably once every day or two) so I was wondering if it'd be possible to put together a script to auto restart if it detects it's unable to route for whatever reason.

You should check the RPDB rules and routing table when it is working vs. when it stops
Code:
ip rule

ip route show table 117
or has the 'peer handshake' process stalled?

e.g. my home WireGuard Server (interface wg1) shows that an Android phone is no longer connected as it has been nearly an hour since the last successful 'handshake', and for the WireGuard Client (interface wg0) connection, it apparently checks approximately every 2 minutes:
Code:
wg

interface: wg1

       public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
       private key: (hidden)
       listening port: 1196

     peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
       endpoint: 213.xxx.xxx.xxx:31512
       allowed ips: 10.81.196.22/32
       latest handshake: 58 minutes, 23 seconds ago
       transfer: 13.97 KiB received, 17.10 KiB sent

interface: wg0

       public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
       private key: (hidden)
       listening port: 54440

     peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
       endpoint: 190.xxx.xxx.xxx:51840
       allowed ips: 0.0.0.0/0
       latest handshake: 1 minute, 28 seconds ago
       transfer: 1.33 KiB received, 22.93 KiB sent
       persistent keepalive: every 25 seconds
So for the WireGuard Client connection, if the 'latest-handshake' time exceeds say 5 minutes, then this may be cause for concern and the WireGuard Client should probably be restarted?
 
Last edited:
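Added example (not part of the original post and not the project's own script): one way to implement the stale-handshake check suggested above for a WireGuard client interface. The interface name wg0, the 300-second threshold, the `--run` switch and the `start` action of the init script are assumptions; the init script path is the one used earlier in this thread.

```shell
#!/bin/sh
# Stale-handshake watchdog for a WireGuard *client* interface (added example).
# Assumed values: override IFACE / MAX_AGE from the environment if needed.
IFACE="${IFACE:-wg0}"
MAX_AGE="${MAX_AGE:-300}"              # seconds; the "say 5 minutes" above
INIT="/opt/etc/init.d/S50wireguard"    # path taken from the thread

# stale_peers NOW MAX_AGE
# Reads `wg show <iface> latest-handshakes` output on stdin, one
# "<public-key><TAB><unix-epoch>" line per peer, and prints the public key
# of every peer whose last handshake is older than MAX_AGE seconds.
# An epoch of 0 means the peer has never completed a handshake.
# Only public keys are handled; the private key is never read or logged.
stale_peers() {
    awk -v now="$1" -v max="$2" '
        NF == 2 && $2 ~ /^[0-9]+$/ {
            if ($2 == 0 || now - $2 > max) print $1
        }'
}

# check_once: returns 0 when every peer is fresh, otherwise restarts the
# tunnel. An interface that is down (empty wg output) also counts as stale.
check_once() {
    hs=$(wg show "$IFACE" latest-handshakes 2>/dev/null)
    stale=$(printf '%s\n' "$hs" | stale_peers "$(date +%s)" "$MAX_AGE")
    if [ -n "$hs" ] && [ -z "$stale" ]; then
        return 0
    fi
    logger -t wg-watchdog "$IFACE: handshake older than ${MAX_AGE}s or interface down, restarting"
    "$INIT" stop
    "$INIT" start    # assumption: the init script accepts start as well as stop
}

# Intended to be called periodically (for example from cron) with --run.
if [ "${1:-}" = "--run" ]; then
    check_once
fi
```

Point this only at the client interface: on a server interface such as wg1, a long-idle peer (the phone in the output above) is normal and is not a reason to restart.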
What if I want to put 2 gadgets LAN IPs (ex. 192.168.1.45 & 192.168.1.50) off (exclude) from Wireguard. How to do this?
If the subnet for the WireGuard peers covers the complete LAN, then the following should work
Code:
ip rule add from 192.168.1.45 table main prio 9990
ip rule add from 192.168.1.50 table main prio 9990

ip route flush cache
 
Few questions to clarify:

1. If you have set up your own VPN server (under the VPN server tab) then anyone can install Wireguard according to instructions according to the initial posts, correct?

2. Otherwise, if you only want the “client” setup then your VPN (you are subscribed to) must offer Wireguard feature in order to install it, correct?

 
A. YES to both questions, and the client access credentials are authorised on the server.
 
Thank you!

 
I set up the wireguard server and it works, but is it possible to route all traffic from connected wireguard clients through an active VPN client connection (VPN client configured in VPN settings tab)?
 
