What's new

Is wireguard available on RT-AC86U ?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

theinfinityjoe

Occasional Visitor
Ive seen some posts about wireguard around the forums but just wondered if it's usable on RT-AC86U. i'm currently running asus merlin on firmware
386.4
 
EDIT: I just checked the changelog - the wireguard kernel module and workspace tool was added to the 386.4 firmware, so you are good.

I forget when the wireguard kernel module was added to the AC86U, but I am pretty sure it was after v386.4, so you will need to update your firmware a bit. But, yes, the newer firmware has the wireguard kernel module and the workspace tool (wg).

Depending on your knowledge of wireguard and what you want to do with it, you can set up yourself or use AMTM and install the wireguard-manager addon that will allow to to setup pretty well any setup configuration you want. I went with the DYI route as I did not want a lot of bloat taking up room on the jffs partition. My server and client needs were pretty simple.

Just a note, wireguard and NAT acceleration do not get along, so you must disbale that. You can use iptables and mark the wireguard traffic to be exempt from NAT acceleration (that is what I use). It is unpredictable through as some report that the iptable trick does not work on some newer HND routers. It worked for me both on the AC86U and the AX88U.
 
Ive seen some posts about wireguard around the forums but just wondered if it's usable on RT-AC86U. i'm currently running asus merlin on firmware
386.4
You will need to use something like the Wireguard Manager add-on. See the Add-On subforum and use the filter option to find more discussion on using Wireguard on the AC series routers. Note: You may need to update your firmware however since 386.4 is almost a year old. Latest version is 386.7_2.

The AC series routers will not be getting the 388.x firmware which includes Wireguard. The 388.x firmware is for the AX series of routers only. RMerlin has several posts about the AC routers not getting the 388.x firmware.
 
Last edited:
You can use iptables and mark the wireguard traffic to be exempt from NAT acceleration (that is what I use). It is unpredictable through as some report that the iptable trick does not work on some newer HND routers. It worked for me both on the AC86U and the AX88U.
How did you setup the iptable 'trick' - are there notes on this? Thanks Archiel
 
How did you setup the iptable 'trick' - are there notes on this? Thanks Archiel

It is the mark directives in my server script below.


Code:
#!/bin/sh

KERNEL=$(uname -r)
WGaddress=10.100.10.1/24
WGport=51006

modprobe xt_set
insmod /lib/modules/${KERNEL}/kernel/net/wireguard/wireguard.ko

ip link del dev wg1 2>/dev/null
ip link add dev wg1 type wireguard
wg setconf wg1 /jffs/addons/wireguard/wg1.conf
ip address add dev wg1 $WGaddress
ip link set up dev wg1
#ifconfig wg1 mtu 1380 # origional set by setup script
ifconfig wg1 mtu 1380
ifconfig wg1 txqueuelen 1000

iptables -t mangle -D PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null

iptables -D INPUT -p udp --dport $WGport -j ACCEPT 2>/dev/null
iptables -D INPUT -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -o wg1 -j ACCEPT 2>/dev/null
iptables -D OUTPUT -o wg1 -j ACCEPT 2>/dev/null
iptables -t nat -D PREROUTING -p udp --dport $WGport -j ACCEPT 2>/dev/null

iptables -t mangle -I FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7
iptables -t mangle -I PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7

iptables -I INPUT -p udp --dport $WGport -j ACCEPT
iptables -I INPUT -i wg1 -j ACCEPT
iptables -I FORWARD -i wg1 -j ACCEPT
iptables -I FORWARD -o wg1 -j ACCEPT
iptables -I OUTPUT -o wg1 -j ACCEPT
iptables -t nat -I PREROUTING -p udp --dport $WGport -j ACCEPT
 
It is the mark directives in my server script below.


Code:
#!/bin/sh

KERNEL=$(uname -r)
WGaddress=10.100.10.1/24
WGport=51006

modprobe xt_set
insmod /lib/modules/${KERNEL}/kernel/net/wireguard/wireguard.ko

ip link del dev wg1 2>/dev/null
ip link add dev wg1 type wireguard
wg setconf wg1 /jffs/addons/wireguard/wg1.conf
ip address add dev wg1 $WGaddress
ip link set up dev wg1
#ifconfig wg1 mtu 1380 # origional set by setup script
ifconfig wg1 mtu 1380
ifconfig wg1 txqueuelen 1000

iptables -t mangle -D PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null

iptables -D INPUT -p udp --dport $WGport -j ACCEPT 2>/dev/null
iptables -D INPUT -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -i wg1 -j ACCEPT 2>/dev/null
iptables -D FORWARD -o wg1 -j ACCEPT 2>/dev/null
iptables -D OUTPUT -o wg1 -j ACCEPT 2>/dev/null
iptables -t nat -D PREROUTING -p udp --dport $WGport -j ACCEPT 2>/dev/null

iptables -t mangle -I FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -i wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -o wg1 -j MARK --set-xmark 0x01/0x7
iptables -t mangle -I PREROUTING -i wg1 -j MARK --set-xmark 0x01/0x7

iptables -I INPUT -p udp --dport $WGport -j ACCEPT
iptables -I INPUT -i wg1 -j ACCEPT
iptables -I FORWARD -i wg1 -j ACCEPT
iptables -I FORWARD -o wg1 -j ACCEPT
iptables -I OUTPUT -o wg1 -j ACCEPT
iptables -t nat -I PREROUTING -p udp --dport $WGport -j ACCEPT
Thanks for this, but it is way above my level of understanding. I am using Wireguard Manager for both 'server' and 'client' (AzireVPN) so ideally I would like to have NAT acceleration engaged, but excluding traffic on wg1 and wg2 - I think I may have a lot a reading up to do in 2023 :eek:
 
Thanks for this, but it is way above my level of understanding. I am using Wireguard Manager for both 'server' and 'client' (AzireVPN) so ideally I would like to have NAT acceleration engaged, but excluding traffic on wg1 and wg2 - I think I may have a lot a reading up to do in 2023 :eek:

The client side is not much different. Just need to add the routing information. Here is my client script below (I have two Oracle Free Tier servers that I extend my local network too). The added routes in my script just send local lan data to my Oracle network. I start this script from the wan-event script on a "connected" event where as the serv er can get started from services-start.

You also need to add a check in nat-start as the iptable rules get zapped each time the fire wall service gets restarted by Asus.

Code:
#!/bin/sh
set -x

KERNEL=$(uname -r)

LocalIP="10.100.20.1" 

modprobe xt_set
insmod /lib/modules/${KERNEL}/kernel/net/wireguard/wireguard.ko

ip link del dev wg0 2>/dev/null
ip link add dev wg0 type wireguard
wg setconf wg0 /jffs/addons/wireguard/wg0.conf
ip address add dev wg0 $LocalIP
ip link set up dev wg0
ifconfig wg0 mtu 1380
ifconfig wg0 txqueuelen 1000

ip route add 10.100.20.0/24 dev wg0
ip route add 10.0.0.0/24 dev wg0

iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -o wg0 -j MARK --set-xmark 0x01/0x7 2>/dev/null
iptables -t mangle -D FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -t mangle -D FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 2>/dev/null
iptables -D INPUT -i wg0 -j ACCEPT 2>/dev/null
iptables -D FORWARD -i wg0 -j ACCEPT 2>/dev/null
iptables -D FORWARD -o wg0 -j ACCEPT 2>/dev/null
iptables -D OUTPUT -o wg0 -j ACCEPT 2>/dev/null

iptables -I FORWARD -i wg0 -j ACCEPT
iptables -I FORWARD -o wg0 -j ACCEPT
iptables -I OUTPUT -o wg0 -j ACCEPT
iptables -I INPUT -i wg0 -j ACCEPT
iptables -t mangle -I FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -I FORWARD -o wg0 -j MARK --set-xmark 0x01/0x7
iptables -t mangle -I PREROUTING -i wg0 -j MARK --set-xmark 0x01/0x7

And the corresponding wg0.conf file is

Code:
#
# Use this configuration with WireGuard client
#
[Interface]
PrivateKey = {Private Key}

[Peer]
PublicKey = {Peer (server) Public Key}
PresharedKey = {preshare key, if used}
AllowedIPs = 10.100.20.2/32, 10.0.0.0/24
Endpoint = {End Point IP}:{Port}
PersistentKeepalive = 25
 
Just a note, wireguard and NAT acceleration do not get along, so you must disbale that. You can use iptables and mark the wireguard traffic to be exempt from NAT acceleration (that is what I use). It is unpredictable through as some report that the iptable trick does not work on some newer HND routers. It worked for me both on the AC86U and the AX88U.

Not 100 percent accurate. The AC86U is one of the few models where WireGuard is compatible with NAT acceleration. I am currently running my AC86U this way. No need for doing anything with iptables.
 
Last edited:
Coming back to this i just bought an AX router and flashed the 388.1 merlin firmware. openvpn works as normal but when I setup wireguard, it says connected but my ip doesn't change at all , any idea what i've done wrong ?
 
Coming back to this i just bought an AX router and flashed the 388.1 merlin firmware. openvpn works as normal but when I setup wireguard, it says connected but my ip doesn't change at all , any idea what i've done wrong ?
You need to select which client to redirect, through VPN Director. This is similar to stock firmware which requires you to configure clients through VPN Fusion.
 
Thanks that fixed things,really appreciate it! Was just wondering if there are plans to implement Automatic start at boot time and the killswitch for wireguard? also seemed to be getting dns leaks until i enabled dns director, is there any way of setting DNS Configuration to strict for wireguard? again really appreciate the help and thanks so much !
 
implement Automatic start at boot time
That`s what the Enable switch already does.

nd the killswitch for wireguard
Makes little sense with WireGuard because WireGuard is not based on a traditional client/server setup, it's more like a tunnel/route setup. If the route doesn't work, then traffic will be dropped by default.

is there any way of setting DNS Configuration to strict for wireguard
"Strict" does not prevent leaks, you need "Exclusive" mode for that, and that's already what the WG implementation does.
 
Hello. I am using an AC86u with OpenVPN without issue, on the latest Merlin 386.9.
I would like to try wireguard without having to use a USB stick for entware, amtm, etc. An earlier post stated it could be done manually. Are there any instructions somewhere for how to do this? Or alternatively, can it be setup with amtm and then used without a USB attached?

Thank you in advance.
 
Thanks, I will look at that.

Do you know what the statement below refers to (taken from post #2 above) where its stated you can set it up yourself, DIY way without amtm?

"Depending on your knowledge of wireguard and what you want to do with it, you can set up yourself or use AMTM and install the wireguard-manager addon that will allow to to setup pretty well any setup configuration you want. I went with the DYI route as I did not want a lot of bloat taking up room on the jffs partition. My server and client needs were pretty simple"
 
One is automated installation via AMTM, the other manual in CLI. Both require Entware though.
 
Thank you. I understand now.

Just another related question. If the usb drive with entware is removed, does the router crash, or does the vpn just stop working?

also, can openvpn run simultaneously?

I Appreciate your help.
 
I never tested this scenario, but I guess on reboot you'll have no more WireGuard.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top