Wireguard install Wireguard

laclac

New Around Here
Hello,

I would like to install Wireguard on my RT-AX58U with asusWRT 386.7_2.
But I am not very strong and I did not succeed.

When I launch the installation of https://github.com/MartineauUK/wireguard



It tells me: ***ERROR: Entware directory '/opt/etc/' not found? - Please install Entware (amtm Diversion)


So I tried to install Entware following the explanation of https://wiki.dd-wrt.com/wiki/index.php/Installing_Entware.
I formatted a USB key in ext2 and renamed it Optware. I plugged it into the router and rebooted, but my /opt remains inaccessible:
cd /opt
-sh: cd: can't cd to /opt

So I don't know what to do. Could you help me?
 

visortgw

Very Senior Member
From ssh session into router, launch amtm. From the amtm menu, enter ep.
 

L&LD

Part of the Furniture
In addition to what @visortgw states, you also need to (permanently) attach a USB stick to the router. Format it as Ext4 with journaling. Give it a 2GB or larger Swap File. Then, go ahead and install Entware via amtm.
 

laclac

New Around Here
Oh thank you very much, I was very afraid. The installation was very complicated and finally, your orders were very simple.
I was able to install it without any problem.

I just have one more question.
I would like all the routing to the internet to go to a vpn.
I already have the client configuration, but I don't know how to configure/add it.

I've seen the configuration to set my router as a server and set up the clients. But not to put it as a client. At least I'm afraid I'm wrong?
 

ZebMcKayhan

Very Senior Member
Just a heads-up. Wgm used to handle the disabling of hw-nat acceleration but quite reasonably stopped. The reason is that there are simply too many use cases to account for.

For an internet client on an AX58U I would expect you to need to have wgm disable NAT hw-acceleration. But you should try normally first.
If you only get 1-5 Mbit/s speeds and syslog filling up with blog mcast errors, then you know it's needed:
Code:
# Disable Flow Cache Permanently. (Checked each time wireguard_manager is INITialised or command 'wgm start' is issued)
#     Use command 'vx' to edit this setting or command 'fc {disable | enable}'
#DISABLE_FLOW_CACHE

I really should get to update my guide with this but I have little time for the moment.

Good luck!
 

laclac

New Around Here
Oh thank you so much.
Thank you archiel because I did not know this guide. It is very well done.
In 2,3 orders I was able to make my import. It worked right away!

Really without this guide I would never have been able to.
In addition I was using putty and as indicated it doesn't work very well, but it's very reassuring to see that it's normal.

Finally a big thank you to ZebMcKayhan. Your guide is really great.
It's very clear, well written. It really helps!

Personally, I thought I would never succeed and finally it went very well.
I have no errors in the syslog, so I'm very happy :)

I got the solution I wanted from start to finish (redirecting my traffic from my home to my vpn that I installed on my vps). And it works great thanks !

And thank you for your welcome and your responsiveness.
I am new and very happy to know this forum with a great community.
 

laclac

New Around Here
Hello,

Oh dear, I spoke a little too quickly.
After several hours of use, I had no access to the internet.
I didn't touch the KILL-Switch at all, I think that by default it is disabled.

In the syslog I had a lot of :
Code:
Aug 28 11:53:41 wlceventd : wlceventd_proc_event(505) : eth5 : Auth 0C:2F:B0:E0:4C:7E, status : Successful (0)
Aug 28 11:53:41 wlceventd : wlceventd_proc_event(515) : eth5 : ReAssoc 0C:2F:B0:E0:4C:7E, status : Successful (0)
Aug 28 11:55:52 wlceventd : wlceventd_proc_event(469) : eth5 : Deauth_ind 0C:2F:B0:E0:4C:7E, status : 0, reason : Reason not specified (1)
Aug 28 11:55:52 wlceventd : wlceventd_proc_event(505) : eth5 : Auth 0C:2F:B0:E0:4C:7E, status : Successful (0)
Aug 28 11:55:52 wlceventd : wlceventd_proc_event(515) : eth5 : ReAssoc 0C:2F:B0:E0:4C:7E, status : Successful (0


[...]

Code:
Aug 28 12:03:06 wlceventd : wlceventd_proc_event(534) : eth6 : Assoc 48:E7:DA:AC:38:75, status : Successful (0)
Aug 28 12:03:14 kernel: ^[[0;33;41m[ERROR archer] archer_mcast_activate,577: ADD_PORT: WLAN SSID has already been added: egress_port 7, current 0x0001, new 0x0001^[[0m
Aug 28 12:03:14 kernel: ^[[0;33;41m[FHW] _fhw_activate_hw ERROR: tuple_in <0x00300635>; flow modification failed
Aug 28 12:03:14 kernel: ^[[0m
Aug 28 12:03:22 wlceventd: wlceventd_proc_event(486): eth6: Disassoc 48:E7:DA:AC:38:75, status: 0, reason: Disassociated because of inactivity (4)
Aug 28 12:03:22 wlceventd : wlceventd_proc_event(486) : eth6 : Disassoc 48:E7:DA:AC:38:75, status : 0, reason : Disassociated because the transmitting station leaves (or has left) the BSS (8)
Aug 28 12:03:23 wlceventd : wlceventd_proc_event(505) : eth6 : Auth 48:E7:DA:AC:38:75, status : Successful (0)
Aug 28 12:03:23 wlceventd : wlceventd_proc_event(534) : eth6 : Assoc 48:E7:DA:AC:38:75, status : Successful (0)
Aug 28 12:03:23 kernel : ^[[0;33;41m[ERROR archer] archer_mcast_activate,577 : ADD_PORT : WLAN SSID has already been added : egress_port 7, current 0x0001, new 0x0001^[[0m
Aug 28 12:03:39 wlceventd : wlceventd_proc_event(486) : eth6 : Disassoc 48:E7:DA:AC:38:75, status : 0, reason : Deauthenticated because the transmitting station leaves (or has left) IBSS or ESS (3)
Aug 28 12:03:39 wlceventd: wlceventd_proc_event(486): eth6: Disassoc 48:E7:DA:AC:38:75, status: 0, reason: Disassociated because the sending station is leaving (or has left) BSS (8)
Aug 28, 12:03:50 kernel: ERROR [sysport_classifier_flow_port_add,768]: Egress port 1 is already in use
Aug 28, 12:03:50 kernel: ^[[0;33;41m[ERROR archer] archer_mcast_activate,592: ADD_PORT: Could not sysport_classifier_flow_port_add^[[0m


I was able to access the wgm once but then I got the error:
[*] Locked file detected (wg) (pid=12624) - Exit (cpid=14161)

So I had to reboot the router. I had the net but in a poor quality with many errors.
So I disabled the vpn while waiting to fix the problem.
This may be the error you were reporting, ZebMcKayhan ([ERROR archer] archer_mcast_activate).
Thanks for anticipating the failure :)
 

ZebMcKayhan

Very Senior Member
I didn't touch the KILL-Switch at all, I think that by default it is disabled.
Yes, it should be disabled by default.

In the syslog I had a lot of :
Looks like Archer has some problems. This is also part of NAT hw acceleration. The message looks different from what I've seen before, but it's also a different router with a different architecture. I would try to have wgm disable FlowCache (vx in wgm and remove the # for that line).
You might need to restart wgm after for the setting to get effect.

PS. The lock file is because you are trying to start wgm while it is already running (in another session maybe). This usually resolves itself after a couple of minutes when processes from inactive sessions get killed by the system.
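The symptom described above (accelerator errors flooding syslog while WireGuard is up) can be checked before touching the FlowCache setting. The script below is an added example, not part of wireguard_manager or ZebMcKayhan's guide: it strips the colour codes as they appear in the dump and counts kernel lines from the Archer/FHW/sysport code paths. The four kernel lines embedded in SAMPLE_LOG are copied from the post above; the first line is a constructed, harmless one so the filter has something to ignore. HWNAT_THRESHOLD is an arbitrary cut-off for this sketch, and `/tmp/syslog.log` is assumed to be where the router keeps its log. If the count is high, the fix is the one ZebMcKayhan gives: uncomment DISABLE_FLOW_CACHE via `vx` in wgm and restart it.

```shell
#!/bin/sh
# Added example (not wireguard_manager's or ZebMcKayhan's code): count syslog
# lines that point at the hardware flow accelerator before deciding to disable
# FlowCache in wgm. Usage on the router:  hwnat_verdict < /tmp/syslog.log
# The four kernel lines below are copied from the forum post; the first line
# is constructed and benign. HWNAT_THRESHOLD is an assumption.

SAMPLE_LOG='Aug 28 12:03:00 kernel: eth6: link is up (constructed benign line)
Aug 28 12:03:14 kernel: ^[[0;33;41m[ERROR archer] archer_mcast_activate,577: ADD_PORT: WLAN SSID has already been added: egress_port 7, current 0x0001, new 0x0001^[[0m
Aug 28 12:03:14 kernel: ^[[0;33;41m[FHW] _fhw_activate_hw ERROR: tuple_in <0x00300635>; flow modification failed
Aug 28 12:03:50 kernel: ERROR [sysport_classifier_flow_port_add,768]: Egress port 1 is already in use
Aug 28 12:03:50 kernel: ^[[0;33;41m[ERROR archer] archer_mcast_activate,592: ADD_PORT: Could not sysport_classifier_flow_port_add^[[0m'

# Read syslog on stdin, drop the literal "^[[..m" colour codes as they show up
# in the dump, and count kernel lines from the accelerator code paths.
hwnat_error_count() {
    sed 's/\^\[\[[0-9;]*m//g' \
      | grep -c -E 'kernel: .*(\[ERROR archer\]|_fhw_activate_hw ERROR|sysport_classifier_flow_port_add)' \
      || true      # grep -c exits 1 on zero matches; keep the "0" it printed
}

# Turn the count into a decision; the threshold is an assumption for this sketch.
hwnat_verdict() {
    n=$(hwnat_error_count)
    if [ "$n" -ge "${HWNAT_THRESHOLD:-3}" ]; then
        echo "disable-flowcache ($n hits)"
    else
        echo "ok ($n hits)"
    fi
}

# Stand-alone run over the embedded sample:  sh this.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | hwnat_verdict
fi
```

Over the embedded sample the verdict is "disable-flowcache (4 hits)"; the benign line is ignored. Counting only `kernel:` lines keeps the wlceventd association churn out of the tally, since that is normal client roaming and not an accelerator fault.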
 

laclac

New Around Here
Hello,

After deactivation, I had no more problems. It's still a bit early to guarantee that everything works but I'm optimistic. Thank you very much again

I have one last question.
I noticed that many sites I use block users with VPNs.
It's annoying because I'm in permanent vpn with my router.
Moreover when my vpn crashed it was very complicated.

I would like to activate the "guest wifi" on the router and I would like it not to go through the vpn.
It would make me a backup wifi outside my main wifi with the vpn, on the same router.

But I don't know if this configuration is possible, and how to do it?
Do you have an idea?
 

ZebMcKayhan

Very Senior Member
I noticed that many sites I use block users with VPNs.
I deal with streaming sites (like netflix) by using ipsets and dnsmasq to have these sites to go outside vpn... look into ipset sections of my guide.

I would like to activate the "guest wifi" on the router and I would like it not to go through the vpn.
It would make me a backup wifi outside my main wifi with the vpn, on the same router.
If you don't have any particular reason for router local processes to access the internet via VPN, the simplest way is to switch to policy based routing and add a rule for your LAN to VPN. Anything not covered by the rule will go through WAN. YazFi is an excellent addon and will help you manage your guest network access, IP range and DNS.

If you insist on keeping Wireguard in default (all) mode, then the only way I know is the reverse policy based routing, which works, especially when combined with YazFi. You could make rules based on interface (iif) so it works even if IPs overlap with your LAN (as without YazFi).

I'm currently running my whole LAN (192.168.1.x) to wg11 via policy rules and guest1 (192.168.2.x) to WAN and guest2 (192.168.3.x) to wg12 (different country). All using different DNS lookup on each output.

It's all in my guide how to do it, but you may need to jump back and forth a little. Make sure to read all sections you plan on using before starting. And just ask if anything is unclear, I'm here to help.

/Zeb

PS. It's a start:
https://github.com/ZebMcKayhan/WireguardManager#disable-flowcache
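A sketch of the policy-based routing just described, added here as an example and not taken from ZebMcKayhan's guide or from wireguard_manager: the main LAN is sent to the WireGuard peer, the guest network is matched on its ingress interface (iif) so it stays on WAN even if address ranges overlap, and anything unmatched falls through to the main table, which holds the WAN default route. The routing-table number (121), the bridge names (br0, br1), the rule preference values and the 1.1.1.1 probe destination are assumptions; compare with `ip rule` and `ip route show table <n>` on your own router before applying.

```shell
#!/bin/sh
# Added example (not wireguard_manager's or ZebMcKayhan's code): policy-based
# routing where only the main LAN uses the WireGuard peer. By default the
# commands are printed; run with --apply on the router to execute them.
# Assumptions: table 121 holds "default dev wg11"; br0/br1 are the LAN and
# guest bridges; preference numbers 9900/9910 are made up for this sketch.

WG_IF="${WG_IF:-wg11}"
WG_TABLE="${WG_TABLE:-121}"          # assumption: table with the wg11 default route
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-br0}"              # assumption: main LAN bridge
GUEST_IF="${GUEST_IF:-br1}"          # assumption: guest network bridge
DRY_RUN="${DRY_RUN:-1}"              # 1 = print only

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Rules are evaluated by ascending preference. The guest rule goes first and
# matches on the ingress interface (iif) rather than a source prefix, so it
# still wins if guest and LAN address ranges overlap. Anything not matched
# here falls through to the main table, i.e. the WAN default route.
add_policy_rules() {
    run ip rule add iif "$GUEST_IF" lookup main pref 9900
    run ip rule add from "$LAN_NET" lookup "$WG_TABLE" pref 9910
}

del_policy_rules() {
    run ip rule del pref 9910
    run ip rule del pref 9900
}

# Verify with the kernel's own lookup instead of guessing: a LAN source should
# resolve to wg11, a guest source should resolve to the WAN interface.
route_check() {
    run ip route get 1.1.1.1 from "$1" iif "$2"
}

if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
    add_policy_rules
    route_check 192.168.1.10 "$LAN_IF"
fi
```

Run without arguments it only prints the two `ip rule` lines, which is the safest way to review a rule set before it touches a router that is also your SSH path; `del_policy_rules` removes the rules by preference number so the cleanup never depends on remembering the exact match text.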
 

laclac

New Around Here
Hello Thank you very much
Your tutorial is amazing. It is very complete and exactly what I wanted to do.
Many thanks for writing it.

I tried but unfortunately I didn't succeed.
I created ipsets, followed the procedure to make the consolidation with dnsmasq, but the "ipset test NETFLIX-DNS 52.217.164.72" wasn't detected.
I didn't want to change my DNS (I use adguard+unbound on my vpn).
So I didn't test with the script with the firewall, no better.

(Note: in "Create and setup IPSET" your examples are with "NETFLIX-DNS", but in "Manage/Setup IPSETs for policy based routing"
your examples are with "NETFLIX_DNS". I think this can be a source of error if you are not careful and just copy/paste your examples :) )

So I added manually the IPs (I couldn't put the MAC address of wg11-mac, because I don't know how to get it. ifconfig doesn't give it to me)
And manually the test passes.
I added the ipset to wg11

IPSet Enable Peer FWMark DST/SRC
NETFLIX-DNS Y wg11 0x8000 dst
NETFLIX-DNS6 Y wg11 0x8000 dst

I disabled the rp_filter and set persistence after reboot
I edited the file wg11-up.sh and wg11-down.sh
I restarted wg11 (restart wg11)

But when I go on Netflix (or another website with a fixed IP), it's always blocked :(
 

ZebMcKayhan

Very Senior Member
I tried but unfortunately I didn't succeed.
I created ipsets, followed the procedure to make the consolidation with dnsmasq, but the "ipset test NETFLIX-DNS 52.217.164.72" wasn't detected.
Are you sure you are using dnsmasq? Dnsmasq only populates the IPs in the set when it looks up the domain. So it will add IPs as it is used, so if this IP has not been looked up by dnsmasq it's not going to be in the set.
Don't know if AdGuard Home bypasses dnsmasq. If it does, perhaps AGH too could populate ipsets (pinging @SomeWhereOverTheRainBow) in the same way as dnsmasq?

Edit: found this post by @chongnt:
https://www.snbforums.com/threads/r...dguardhome-installer-amaghi.76506/post-759939
Looks like AGH does support ipset autopopulation. Plug in the top-domains and ipsets in the .yaml file and it will do the same thing as dnsmasq.

Note: in "Create and setup IPSET" your examples are with "NETFLIX-DNS", but in "Manage/Setup IPSETs for policy based routing"
your examples are with "NETFLIX_DNS". I think this can be a source of error if you are not careful and just copy/paste your examples
Hence my Preface:
Following all parts of this guide as-is may cause conflicts in your system as many parts are stand alone demonstrative examples.

So I added manually the ips (I couldn't put the mac address of wg11-mac, because I don't know how to get it. ifconfig doesn't give me it)
MAC addresses are only for source routing. Check the ARP table (command "arp" in ssh) on the router to get the MACs of connected clients. Not usable for redirecting streaming content.

But when I go on netflix (or an other website with a fixed ip) , it's always blocked
I have 8 top domains adding IPs for Netflix. Currently over 1500 IPs for each set have been populated. Adding 1 IP is not going to cut it.
Besides that, for ipset routing to work in wgm the peer needs to be in policy mode (updated guide with this note as it was not obvious).
Alternatively for default (all) mode, use reverse policy routing and plug the ipset into the script according to my examples.

Edit2: just realized disabling of rp_filter is not part of the guide for reverse policy based routing... will add it...
Edit3: and the iptables command is missing... and nothing in reverse policy based routing is adapted for IPv6.... will have to think about whether I want to add it. Let me know if you need it.
 

SomeWhereOverTheRainBow

Part of the Furniture
Are you sure you are using dnsmasq? Dnsmasq only populates the IPs in the set when it looks up the domain. So it will add IPs as it is used, so if this IP has not been looked up by dnsmasq it's not going to be in the set.
Don't know if AdGuard Home bypasses dnsmasq. If it does, perhaps AGH too could populate ipsets (pinging @SomeWhereOverTheRainBow) in the same way as dnsmasq?

Edit: found this post by @chongnt:
https://www.snbforums.com/threads/r...dguardhome-installer-amaghi.76506/post-759939
Looks like AGH does support ipset autopopulation. Plug in the top-domains and ipsets in the .yaml file and it will do the same thing as dnsmasq.


Hence my Preface:



Mac addresses is only for source routing. Check arp table(command "arp" in ssh) on router to get macs on connected clients. Not usable for redirecting streaming content.


I have 8 top domains adding ips for Netflix. Currently over 1500ips for each set have been populated. Adding 1 ip is not going to cut it.
Besides from that, for ipset routing to work in wgm the peer needs to be in policy mode (updated guide with this note as it was not obvious).
Alternatively for default(all) mode, use reverse policy routing and plug the ipset into the script according to my examples.

Edit2: just realized disabling of rp filter is not part of the guide for reverse policy based routing... will add it...
Yep, it definitely supports ipset. @chongnt might share his scripts if you request. Also, I would recommend using the latest edge edition as well if you want to try out the latest improvements in regards to ipset and AdGuardHome. IIRC they recently added reliability improvements to ipset. But the feature works just fine on stable as well.
 

chongnt

Very Senior Member
Are you sure you are using dnsmasq? Dnsmasq only populates the IPs in the set when it looks up the domain. So it will add IPs as it is used, so if this IP has not been looked up by dnsmasq it's not going to be in the set.
Don't know if AdGuard Home bypasses dnsmasq. If it does, perhaps AGH too could populate ipsets (pinging @SomeWhereOverTheRainBow) in the same way as dnsmasq?

Edit: found this post by @chongnt:
https://www.snbforums.com/threads/r...dguardhome-installer-amaghi.76506/post-759939
Looks like AGH does support ipset autopopulation. Plug in the top-domains and ipsets in the .yaml file and it will do the same thing as dnsmasq.



Once ipset is created, adding it into /opt/etc/AdGuardHome/AdGuardHome.yaml file is straightforward. I usually restart AGH after editing.
Code:
  ipset:
    - netflix.com,netflix.net,nflxext.com,nflximg.com,nflximg.net,nflxso.net,nflxvideo.net/NETFLIX

By the way, I use x3mRouting to create ipset. It can create ipset with no routing rules in a single command line. Much easier than having to do it step by step manually.
Code:
x3mRouting ipset_name=NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

For my use case, I route it to WAN, thus bypassing any VPN by adding these in nat-start:
Code:
iptables -t mangle -D PREROUTING -m set --match-set NETFLIX dst -j MARK --set-mark "0x8000/0x8000" -m comment --comment "ipset_rule Netflix to WAN" 2>/dev/null
iptables -t mangle -A PREROUTING -m set --match-set NETFLIX dst -j MARK --set-mark "0x8000/0x8000" -m comment --comment "ipset_rule Netflix to WAN"
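The three pieces in the post above (the AdGuard Home ipset entry, the dnsmasq equivalent, and the mangle rule in nat-start) all have to agree on the same set name, which is exactly where the NETFLIX-DNS / NETFLIX_DNS copy-paste trap earlier in the thread bites. The script below is an added example, not chongnt's, x3mRouting's or AdGuard Home's own code: it derives all of them from a single domain list and prints the commands rather than executing them, so the output can be reviewed and then piped into sh on the router. It also replaces the `-D ... 2>/dev/null; -A ...` pair with a `-C || -A` check so that repeated nat-start runs leave exactly one rule. The `ip rule` for fwmark 0x8000/0x8000 and its preference number are assumptions (x3mRouting or the firmware may already install an equivalent; check `ip rule` first), as is the choice of `hash:net` for the set type.

```shell
#!/bin/sh
# Added example (not chongnt's or x3mRouting's code): generate the dnsmasq
# line, the AdGuard Home ipset entry and an idempotent mangle rule from one
# domain list. Prints commands only; on the router pipe them into sh, e.g.
#   sh this.sh NETFLIX netflix.com nflxext.com nflxso.net | sh
# Assumptions: fwmark 0x8000/0x8000 is routed via the main (WAN) table by the
# ip rule printed by wan_bypass_rule; pref 9990 and hash:net are made up here.

# AdGuard Home ipset syntax: "dom1,dom2,.../SETNAME"
agh_ipset_line() {
    set_name="$1"; shift
    doms=$(printf '%s,' "$@"); doms="${doms%,}"
    printf '%s/%s\n' "$doms" "$set_name"
}

# dnsmasq syntax for the same mapping: "ipset=/dom1/dom2/SETNAME"
dnsmasq_ipset_line() {
    set_name="$1"; shift
    doms=$(printf '/%s' "$@")
    printf 'ipset=%s/%s\n' "$doms" "$set_name"
}

# Match part shared by -C/-A so the check and the append can never disagree.
mark_rule_match() {
    printf 'PREROUTING -m set --match-set %s dst -j MARK --set-mark 0x8000/0x8000 -m comment --comment "ipset_rule %s to WAN"' "$1" "$1"
}

# Idempotent form of the "-D ... 2>/dev/null; -A ..." pair: check first and
# append only if absent, so repeated nat-start runs leave exactly one rule.
mark_rule_cmd() {
    m=$(mark_rule_match "$1")
    printf 'iptables -t mangle -C %s 2>/dev/null || iptables -t mangle -A %s\n' "$m" "$m"
}

# Create the set if missing (-exist makes a re-run harmless).
ipset_create_cmd() {
    printf 'ipset -exist create %s hash:net family inet\n' "$1"
}

# Send marked packets to the main table, i.e. out via WAN (assumption: no
# equivalent rule is already installed by x3mRouting or the firmware).
wan_bypass_rule() {
    printf 'ip rule add fwmark 0x8000/0x8800 lookup main pref 9990\n' | sed 's/0x8800/0x8000/'
}

if [ $# -ge 2 ]; then
    ipset_create_cmd "$1"
    mark_rule_cmd "$1"
    wan_bypass_rule
    echo "# dnsmasq line:            $(dnsmasq_ipset_line "$@")"
    echo "# AdGuard Home ipset entry: $(agh_ipset_line "$@")"
fi
```

The last two lines of the output are comments, meant to be pasted into dnsmasq's config or the AdGuardHome.yaml `ipset:` list respectively; the same set name appears in every line because it is passed through from one argument, and `iptables -t mangle -C` returns non-zero only when the rule is genuinely absent, which is what makes the append safe to repeat.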
 

ZebMcKayhan

Very Senior Member
By the way, I use x3mRouting to create ipset. It can create ipset with no routing rules in a single command line. Much easier than having to do it step by step manually.
I did this too but some tricks are needed to have it make/maintain IPv6 ipsets, although possible. Not in scope of my guide though.

Once ipset is created, adding it into /opt/etc/AdGuardHome/AdGuardHome.yaml file is straightforward. I usually restart AGH after editing.
Thanks! I hope you don't mind if I add this to my guide, I will credit you of course?
 

chongnt

Very Senior Member
I did this too but some tricks are needed to have it make/maintain IPv6 ipsets, although possible. Not in scope of my guide though.


Thanks! I hope you don't mind if I add this to my guide, I will credit you of course?
I only use IPv4 so I was not aware of what is needed for IPv6.
No worry, you can use it.
 

chongnt

Very Senior Member
Once ipset is created, adding it into /opt/etc/AdGuardHome/AdGuardHome.yaml file is straightforward. I usually restart AGH after editing.
In the latest AdGuard Home v0.108.0-b.15 release, ipset list can be stored in a file.
Instead of
Code:
  ipset:
    - hbogoasia.com,hbogo.com,hbomax.com,hbolb.onwardsmg.com,hbogoprod-vod.akamaized.net,dai3fd1oh325y.cloudfront.net/HBO
    - netflix.com,netflix.net,nflxext.com,nflximg.com,nflximg.net,nflxso.net,nflxvideo.net/Netflix
  ipset_file: ""

I put the list in /opt/etc/AdGuardHome/ipset.txt
Code:
hbogoasia.com,hbogo.com,hbomax.com,hbolb.onwardsmg.com,hbogoprod-vod.akamaized.net,dai3fd1oh325y.cloudfront.net/HBO
netflix.com,netflix.net,nflxext.com,nflximg.com,nflximg.net,nflxso.net,nflxvideo.net/Netflix

and call it from /opt/etc/AdGuardHome/AdGuardHome.yaml file.
Code:
  ipset: []
  ipset_file: /opt/etc/AdGuardHome/ipset.txt
 

SomeWhereOverTheRainBow

Part of the Furniture
In the latest AdGuard Home v0.108.0-b.15 release, ipset list can be stored in a file.
Brilliant work. You have taken a little niche feature of AdGuardHome and made it yours.
 
