Is wireguard available on RT-AC86U?

That is correct if you want all internet traffic directed through the VPN tunnel. If you only want to access your local network and have regular internet traffic go through the host network, set AllowedIP to your local network subnet as well as the Wireguard subnet.

With respect to your router not responding to DNS requests when DNS is pointed to your router, I suspect a configuration issue with your router. I have my DNS set to my router so that I can resolve to my Active Directory when connected remotely and all works great.
 
Thank you. Is there a limit to the number of clients you can add to the wireguard server? I read that on the ax86u, the gui sets a limit of 10. But is that really a hardware limit, and does that correspond to the script method you set up?

Thanks again.
 
Peer wise? To be honest I don't know. I believe the limit of 10 on the 388 codebase is more of a GUI/NVRAM limitation and not so much a limit from the wg workspace perspective.

My tool is progressing. Kind of got carried away with it and have made it to function very close to the official wg-quick tool from the official wireguard distribution (with some modification to suit to Asus-Merlin). It is nearly finished. I took the day off today to go snowshoeing with the wife. I will work on it more this week. I will post it on my github repo when done.
 
Great. Thank you. You’ve been a great help.

How do I find your github?
 
@Jherb @ZebMcKayhan

OK, I am a super novice using GitHub. I created the master and a development branch. Or at least, I think I did.

Here is the link to my wg-quick equivalent script for Merlin. What I have called wg-tool.sh


I'll make a separate thread at some point to introduce the script. I really don't think there will be much use for it, but you never know.

Give it a whirl. I hope the instructions are good enough. Cheers
 
EDIT: I just checked the changelog - the wireguard kernel module and workspace tool was added to the 386.4 firmware, so you are good.

I forget when the wireguard kernel module was added to the AC86U, but I am pretty sure it was after v386.4, so you will need to update your firmware a bit. But, yes, the newer firmware has the wireguard kernel module and the workspace tool (wg).

Depending on your knowledge of wireguard and what you want to do with it, you can set it up yourself or use AMTM and install the wireguard-manager addon, which will allow you to set up pretty well any configuration you want. I went with the DIY route as I did not want a lot of bloat taking up room on the jffs partition. My server and client needs were pretty simple.

Just a note, wireguard and NAT acceleration do not get along, so you must disable that. You can use iptables and mark the wireguard traffic to be exempt from NAT acceleration (that is what I use). It is unpredictable though, as some report that the iptables trick does not work on some newer HND routers. It worked for me both on the AC86U and the AX88U.
Hi, I have configured wireguard on the RT-AC86U and each time I reboot, the wireguard is gone. Everything needs to be reconfigured again. Do you mind sharing how to do that? Thanks!
 
Sure. I won't be home for a few days.

Basically, for a server, you call your setup script from the services-start script or the wan-event script (on a connected event). For a client, your script needs to be called from the wan-event script.

I can elaborate more when I am back at home later this week.
 
Alright 👍 noted with thanks! I have configured the wireguard client and it connected successfully. But I am curious that each time I reboot the router, the wireguard script is gone and needs to be reconfigured again. I have added a restart wireguard script but it's now working. Here is the script:
WireGuard uses iptables, so when the firewall is restarted, the rules will be gone.
Please add this in the nat-start script.

nano /jffs/scripts/nat-start
Code:
#!/bin/sh

# Look for any route that goes through a WireGuard interface (wg*)
WVPNROUTE=$(ip route show | grep -i -a "dev wg")
logger -s -t "($(basename "$0"))" $$ "Checking if WireGuard is UP....$WVPNROUTE"
if [ -n "$WVPNROUTE" ]; then
    # The firewall restart flushed the iptables rules, so restart WireGuard to re-add them
    logger -s -t "($(basename "$0"))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
    /opt/etc/init.d/S50wireguard restart
fi

Thanks 😊
 
Sorry, that was a typo: THE SCRIPT FOR RESTARTING THE WIREGUARD CONNECTION IS NOT WORKING ONCE THE ROUTER REBOOTS.
 
Ok, so your client script is working when you start it manually, right?

The nat-start will only fire if the interface is up. Unless your WAN is a static IP, you will need to start the interface from your wan-event script. The nat-start script is just there to re-add the firewall rules should a firewall restart event happen after the interface is up.

If so, where did you put your script (the filename and path)?
 
Yes, the client script works when started manually.

My WAN IP is dynamic.

The script has been created under:
nano /jffs/scripts/nat-start
☝️ Maybe I have done something wrong in this step. I just created it and then saved it.
 
But the nat-start script is calling the script S50wireguard

Is this your client start script? If not, you need to change that line to point to your script.

You still also need to start the client from somewhere.
 
Yes, it is the client start script: /opt/etc/init.d/S50wireguard start

By right, it should restart the wireguard client once the router reboots, with the script:
/opt/etc/init.d/S50wireguard restart

Or have I done it wrongly?
 
Starting from init.d is ok if you have entware installed, but the entware startup scripts are specific. Can you post your startup script (remove keys)?

Also, the entware script may be starting too early, as your WAN needs to be up for the client interface to start. That is why I think it is better to start your script from the wan-event script. If I get a chance tonight, I will remote into my router and post the content of my wan-event script.
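
The split of duties described in this thread (wan-event starts the client once the WAN is connected, nat-start only restores rules for an interface that is already up), as an added example that is not taken from any post or from the posters' own scripts. It assumes Asus-Merlin calls the hook as `wan-event <unit> <event>`; `WG_IF` and `WG_SCRIPT` are hypothetical names, and the start script is assumed to accept `start` and `restart`.

```shell
#!/bin/sh
# Added example: one file installed as both /jffs/scripts/wan-event and
# /jffs/scripts/nat-start. WG_IF and WG_SCRIPT are assumptions (hypothetical
# names); point them at your own interface and client start script.
WG_IF="${WG_IF:-wg0}"
WG_SCRIPT="${WG_SCRIPT:-/jffs/scripts/wg-client.sh}"

# Pure decision: which action a hook call should trigger.
#   $1 = hook name, $2 = event (second argument of wan-event), $3 = up|down
hook_action() {
    case "$1:$2:$3" in
        wan-event:connected:down) echo start ;;    # WAN is up, tunnel is not
        nat-start:*:up)           echo restart ;;  # firewall restart flushed the rules
        *)                        echo none ;;     # anything else: leave it alone
    esac
}

# Report whether the tunnel interface currently exists.
wg_state() {
    if [ -d "/sys/class/net/$1" ]; then echo up; else echo down; fi
}

dispatch() {
    hook="$1"; shift
    # After the shift, wan-event's arguments are: $1 = unit, $2 = event.
    event=""
    if [ "$hook" = "wan-event" ]; then event="$2"; fi
    action=$(hook_action "$hook" "$event" "$(wg_state "$WG_IF")")
    logger -t "$hook" "WireGuard $WG_IF: event=${event:-n/a} action=$action"
    if [ "$action" != "none" ]; then "$WG_SCRIPT" "$action"; fi
}

# Only act when invoked under one of the two hook names.
case "$(basename "$0")" in
    wan-event|nat-start) dispatch "$(basename "$0")" "$@" ;;
esac
```

With a dynamic WAN address, the `connected` branch is what brings the client up after a reboot; the `nat-start` branch never starts an interface that is down.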
 
You mean this startup script?
 

Attachment: Screenshot_20230504_204643_HTML Viewer.jpg
That is your conf file, I mean the script to actually start your wg interface.
 
If you have entware installed, you might be better off just installing wireguard-manager via AMTM and up your client that way.
 