
[Experimental] Wireguard for RT-AC86U

Discussion in 'VPN' started by Odkrys, Apr 19, 2018.

  1. Odkrys

    Odkrys Senior Member

    Joined:
    Jul 28, 2016
    Messages:
    273
    Wireguard is still a work in progress; therefore, use it at your own risk.


    1. Install Wireguard

    https://drive.google.com/open?id=1p3GDgBdfasO8YbzsbDkkiAoC1FIpLbBr

    You need Entware-aarch64-3.10 to use wireguard without a new firmware build.

    Code:
    opkg install /path/wireguard_0.0.20181119-b6cec63_aarch64-3.10.ipk
    

    2. Client configuration setting.

    nano /opt/etc/init.d/S50wireguard
    Code:
    Mode=client
    
    export LocalIP=
    Route=default   #default or policy
    export wgdns=
    export Nipset=wgvpn
    
    The init file has 5 options.
    Mode=client

    LocalIP is provided by your VPN provider (e.g. AzireVPN, Mullvad) or your VPS.

    default route will redirect all your internet traffic to the VPN server.
    policy works like Policy Rules (strict) on Merlin.

    wgdns is the option to change the DNS server.
    Nipset is the name of the ipset for ipset-based policy routing.

    AzireVPN and Mullvad support wireguard servers.
    https://www.azirevpn.com/cfg/wg
    https://mullvad.net/en/servers/#wireguard

    nano /opt/etc/wireguard/wg0.conf (example of AzireVPN)
    Code:
    [Interface]
    PrivateKey = -------
    Address = 10.40.12.49/19
    DNS = 192.211.0.2
    
    [Peer]
    PublicKey = ----------
    AllowedIPs = 0.0.0.0/0
    Endpoint = IP:PORT
    
    AzireVPN's config file looks like the one above.
    Fill in the Address 10.40.12.49 as LocalIP in the init file.
    Code:
    export LocalIP=10.40.12.49   # without prefix
    export wgdns=192.211.0.2
    
    And remove Address and DNS from the config file.
    Then the config file should look like this. (I highly recommend you add keepalive.)
    Code:
    [Interface]
    PrivateKey = -------
    
    [Peer]
    PublicKey = -------
    AllowedIPs = 0.0.0.0/0
    Endpoint = IP:PORT
    PersistentKeepalive = 25
    
    Done. Start wireguard.
    Code:
    /opt/etc/init.d/S50wireguard start
    

    3. Advanced settings.

    For using Route=policy, the wg-policy script has some rules.
    Adjust them to your situation.
    The default table is 117.

    nano /opt/etc/wireguard/wg-policy
    Code:
    #
    ##For ipset based Policy Routing
    #
    
    #ipset -N $Nipset hash:ip
    
    #ip rule del prio 9997 2>/dev/null
    #ip rule add fwmark 0x7000 table 117 prio 9997
    #iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
    #iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000
    
    #service restart_dnsmasq
    

    4. Server configuration setting.

    Code:
    (umask 077 && printf "[Interface]\nPrivateKey = " | tee /opt/etc/wireguard/wg1.conf > /dev/null) 
    wg genkey | tee -a /opt/etc/wireguard/wg1.conf | wg pubkey | tee /opt/etc/wireguard/server-publickey
    
    nano /opt/etc/init.d/S50wireguard (example)
    Code:
    Mode=server
    
    export Subnet=10.50.50.1/24   #e.g.)10.50.50.1/24
    export wgport=51820
    
    nano /opt/etc/wireguard/wg1.conf (Server uses wg1)
    Code:
    [Interface]
    PrivateKey = ----------
    ListenPort = 51820
    
    [Peer]
    PublicKey = ----------
    AllowedIPs = 10.50.50.2/32
    
    Done. Start wireguard.
    Code:
    /opt/etc/init.d/S50wireguard start
    


    Wireguard uses iptables, so when the firewall is restarted, the rules will be gone.
    Please add this to the nat-start script.

    nano /jffs/scripts/nat-start
    Code:
    WVPNROUTE=`ip route show | grep -i -a "dev wg"` 
    logger -s -t "($(basename $0))" $$ "Checking if Wireguard is UP...."$WVPNROUTE 
    if [ "$WVPNROUTE" != "" ];then 
            logger -s -t "($(basename $0))" $$ "**Warning Wireguard is UP.... restarting Wireguard" 
            /opt/etc/init.d/S50wireguard restart 
    fi 
    

    5. Remove Wireguard
    Code:
    /opt/etc/init.d/S50wireguard stop
    opkg remove wireguard
    rm -r /opt/etc/wireguard
    

    The scripts are not beautiful. They just work. Sorry, this is my best.
    They have some rules to prevent duplicates.
    The error messages (e.g. from iptables) are not real errors.
    Don't worry.


    Edit: iperf benchmark result.

    Wireguard server on RT-AC86U. Windows 10 Tunsafe client. (https://tunsafe.com/download)
    The Wireguard author does not assure Tunsafe's security. I just used it for benchmark purposes.

    C:\iperf-2.0.9-win64>iperf -c 192.168.50.246 -N -M 1400 -t 20 -w 2M -P 5
    WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
    WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
    WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
    WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
    WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
    ------------------------------------------------------------
    Client connecting to 192.168.50.246, TCP port 5001
    TCP window size: 2.00 MByte
    ------------------------------------------------------------
    [ 5] local 10.50.50.2 port 1911 connected with 192.168.50.246 port 5001
    [ 7] local 10.50.50.2 port 1913 connected with 192.168.50.246 port 5001
    [ 4] local 10.50.50.2 port 1910 connected with 192.168.50.246 port 5001
    [ 6] local 10.50.50.2 port 1912 connected with 192.168.50.246 port 5001
    [ 3] local 10.50.50.2 port 1909 connected with 192.168.50.246 port 5001
    [ ID] Interval Transfer Bandwidth
    [ 5] 0.0-20.0 sec 220 MBytes 92.4 Mbits/sec
    [ 7] 0.0-20.0 sec 205 MBytes 86.1 Mbits/sec
    [ 4] 0.0-20.1 sec 230 MBytes 96.1 Mbits/sec
    [ 6] 0.0-20.0 sec 227 MBytes 95.2 Mbits/sec
    [ 3] 0.0-20.0 sec 212 MBytes 89.1 Mbits/sec
    [SUM] 0.0-20.1 sec 1.07 GBytes 457 Mbits/sec
     
    Last edited: Dec 11, 2018 at 10:59 PM
    umarmung, kamoj and Xentrk like this.
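A shell helper, added here as an example (it is not Odkrys's script), that performs the client-config edit from step 2: it reads a provider wg0.conf, prints the LocalIP/wgdns export lines for S50wireguard, and writes a copy with Address and DNS removed and PersistentKeepalive = 25 appended to each [Peer]. The sample conf, the placeholder keys and the 198.51.100.1:51820 endpoint are constructed, and the helper assumes one "Key = value" pair per line as in the AzireVPN sample.

```shell
#!/bin/sh
# Added example (not the thread's script): split a provider's wg0.conf into the
# init-file export lines and a stripped config, as described in step 2.
# Assumption: every setting is written as "Key = value" on its own line.

# wg_prepare_client SRC DST: print the export lines, write the stripped conf to DST
wg_prepare_client() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    addr=$(sed -n 's/^ *Address *= *//p' "$src" | head -n 1)
    dns=$(sed -n 's/^ *DNS *= *//p' "$src" | head -n 1)
    [ -n "$addr" ] || { echo "no Address= line in $src" >&2; return 1; }
    echo "export LocalIP=${addr%%/*}"      # LocalIP takes the address without /prefix
    [ -n "$dns" ] && echo "export wgdns=$dns"
    awk '
        /^[ \t]*(Address|DNS)[ \t]*=/ { next }          # these moved to the init file
        /^[ \t]*\[/ {                                   # new section header
            if (inpeer && !ka) print "PersistentKeepalive = 25"
            inpeer = ($0 ~ /\[Peer\]/); ka = 0
        }
        inpeer && /^[ \t]*PersistentKeepalive[ \t]*=/ { ka = 1 }   # keep an existing one
        { print }
        END { if (inpeer && !ka) print "PersistentKeepalive = 25" }
    ' "$src" > "$dst"
}

# Constructed sample in the AzireVPN layout from the thread; keys and endpoint are placeholders
WG_DEMO_DIR=$(mktemp -d)
printf '%s\n' '[Interface]' 'PrivateKey = PLACEHOLDER_PRIVATE_KEY' \
    'Address = 10.40.12.49/19' 'DNS = 192.211.0.2' '' '[Peer]' \
    'PublicKey = PLACEHOLDER_PUBLIC_KEY' 'AllowedIPs = 0.0.0.0/0' \
    'Endpoint = 198.51.100.1:51820' > "$WG_DEMO_DIR/wg0.conf"
wg_prepare_client "$WG_DEMO_DIR/wg0.conf" "$WG_DEMO_DIR/wg0.conf.new"
cat "$WG_DEMO_DIR/wg0.conf.new"
```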
  2. Geraner

    Geraner Regular Contributor

    Joined:
    Jul 19, 2009
    Messages:
    131
    Location:
    Stockholm / Sweden
    Sounds interesting. Will try to take a look at it and test it during the weekend.
    Will come back with a follow-up. It will be nice to compare with my recent VPN speed test done using OpenVPN.
     
  3. Geraner

    Geraner Regular Contributor

    Joined:
    Jul 19, 2009
    Messages:
    131
    Location:
    Stockholm / Sweden
    Finally managed to set it up and did a speed test.
    You are right ... 400+ Mbps is possible.


    At the same time, the CPU use is about 100% on both CPUs.

    Wrote a short blog article about this test on my page.
     
    Last edited: Apr 21, 2018
    kamoj likes this.
  4. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,579
    Location:
    San Diego, CA
    Nice work... no worries about top sending performance to 100% - I've had machines at 400-800 percent, and things are fine...

    Lately my attention is more focused on SD-WAN applications, which is similar, but Layer 3 vs. Layer 2...

    Good example of layer 3 implementations, and something worth thinking about - ZeroTier
     
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,974
    Location:
    UK
    I think you might be conflating his CPU utilization with CPU load (each core cannot exceed 100% utilization). Indeed, in his screen shot the CPU load is 5.34.
     
    Last edited: Apr 22, 2018
  6. Odkrys

    Odkrys Senior Member

    Joined:
    Jul 28, 2016
    Messages:
    273
    Thanks for benchmark info.
    There is no wireguard server or cheap vps in my country.
    So I could not test max speed of it.
     
    Geraner likes this.
  7. Odkrys

    Odkrys Senior Member

    Joined:
    Jul 28, 2016
    Messages:
    273
    Entware already has Zerotier.
     
  8. Geraner

    Geraner Regular Contributor

    Joined:
    Jul 19, 2009
    Messages:
    131
    Location:
    Stockholm / Sweden
    Well, this high CPU usage was only while I was doing the speed test with Speedtest.net. Under normal usage, the CPU is around 1-2 %.
    I did a couple of speed tests in a row before I took the screen shot. So it's not only one speed test I did once I got WireGuard running.
     
  9. Geraner

    Geraner Regular Contributor

    Joined:
    Jul 19, 2009
    Messages:
    131
    Location:
    Stockholm / Sweden
    Can you explain in more detail how to use this config if I want to use policy-based routing?
    Everything works fine when I use the default and all my LAN devices are going out using the WireGuard connection.
    All devices have fixed IP addresses locked by MAC address.

    Please write an example of how the wg-policy config should look if I, for example, want to route LAN devices 192.168.1.10 + 192.168.1.20 through the WireGuard connection.
     
  10. Odkrys

    Odkrys Senior Member

    Joined:
    Jul 28, 2016
    Messages:
    273
    Change Route to policy and add this to the end of the wg-policy script.
    Code:
    ip rule del prio 11111 2>/dev/null
    ip rule del prio 11112 2>/dev/null
    ip rule add from 192.168.1.10 lookup 117 prio 11111
    ip rule add from 192.168.1.20 lookup 117 prio 11112
    
    This may be enough for you.
    Don't touch the ##For ipset based Policy Routing part.
    These two rules should be added to the wg-down script too.
    Code:
    ip rule del prio 11111 2>/dev/null
    ip rule del prio 11112 2>/dev/null
     
    Last edited: Apr 22, 2018
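An added example (not from the thread) that generalizes the two rules above to any list of LAN addresses: the del-before-add pattern keeps wg-policy safe to re-run, and wg_policy_down is the matching half for wg-down. Table 117 and the 11111 prio base follow the thread; IP_CMD, valid_ipv4 and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the thread's wg-policy script: source-based policy rules
# for Route=policy. Each LAN address gets its own prio starting at 11111 and is
# sent to table 117, as in the thread. Stale rules are deleted before adding,
# which is what keeps the scripts safe to re-run. Assumption: IP_CMD lets a
# dry run or test replace the real "ip" binary.
IP_CMD="${IP_CMD:-ip}"
WG_TABLE="${WG_TABLE:-117}"
PRIO_BASE="${PRIO_BASE:-11111}"

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# wg_policy_up ADDR...: the lines for wg-policy; refuses the whole list if any
# address is malformed, so a typo cannot leave a half-applied rule set
wg_policy_up() {
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "invalid LAN address: $addr" >&2; return 1; }
    done
    prio=$PRIO_BASE
    for addr in "$@"; do
        $IP_CMD rule del prio "$prio" 2>/dev/null || true   # drop any stale rule first
        $IP_CMD rule add from "$addr" lookup "$WG_TABLE" prio "$prio" || return 1
        prio=$((prio + 1))
    done
}

# wg_policy_down ADDR...: the matching lines for wg-down (same prios, delete only)
wg_policy_down() {
    prio=$PRIO_BASE
    for addr in "$@"; do
        $IP_CMD rule del prio "$prio" 2>/dev/null || true
        prio=$((prio + 1))
    done
}

# Dry run: "sh thisfile demo" prints the ip commands instead of running them
if [ "$1" = "demo" ]; then
    IP_CMD=echo
    wg_policy_up 192.168.1.10 192.168.1.20
    wg_policy_down 192.168.1.10 192.168.1.20
fi
```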
  11. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,550
    Location:
    Canada
    For best performance, make sure you run it on the second CPU core, so it won't share the same core as the rest of the routing/NATing code. For OpenVPN that provides a very significant performance boost.
     
    sfx2000 likes this.
  12. Odkrys

    Odkrys Senior Member

    Joined:
    Jul 28, 2016
    Messages:
    273
    Wireguard supports multicore.
     
  13. Geraner

    Geraner Regular Contributor

    Joined:
    Jul 19, 2009
    Messages:
    131
    Location:
    Stockholm / Sweden
    @RMerlin, would it be possible to implement WireGuard into Merlin firmware?
    As Odkrys said, it's multicore aware. Uses both cores while testing. No extra configuration is necessary.
     
  14. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,550
    Location:
    Canada
    No.

    I have people asking me to implement Shadowsocks, Wireguard, L2TP, PPTP, XOR-patched OpenVPN... It just never ends, everyone wants his personal favorite tunneling solution implemented.

    This is beyond the scope of my project, not gonna devote countless hours maintaining all of these different solutions. OpenVPN suits pretty much everyone's needs, it's highly flexible, and just supporting that one already takes a large chunk of development time. Not gonna duplicate this 3-4 times by also supporting a bunch of other technologies.
     
  15. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,550
    Location:
    Canada
    Besides, implementing Wireguard makes even less sense than the other solutions, since out of 8 different routers, only one single model would be able to support it.
     
  16. Odkrys

    Odkrys Senior Member

    Joined:
    Jul 28, 2016
    Messages:
    273
    I totally agree with him.
    Only RT-AC86U is able to run wireguard on Merlin firmware.
     
  17. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,579
    Location:
    San Diego, CA
    I agree...

    That being said - OpenVPN, while very portable, is getting to be the not first choice, mostly for folks behind great country firewalls in my experience...

    And the "solutions" there will never end - that is a bit of a race there...
     
  18. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,550
    Location:
    Canada
    The tls-crypt support added in 2.4 takes care of that.
     
  19. Odkrys

    Odkrys Senior Member

    Joined:
    Jul 28, 2016
    Messages:
    273
    No more kernel error messages.
    It will work smoothly from now on.
    Thanks.
     
  20. Shasarak

    Shasarak Occasional Visitor

    Joined:
    May 17, 2018
    Messages:
    40
    Does anyone have a slightly more "starting from first principles", "step-by-step" guide to getting this working?